PUSH EAX  
...
RETN

31009200 > 5B               POP EBX                         ; KERNEL32.7C581AF6
31009201   E8 59000000      CALL 3100925F                   ; call puts fx ret address on stack (31009206)
31009206   8B6424 08        MOV ESP,DWORD PTR SS:[ESP+8]

3100925F   2BC0             SUB EAX,EAX                  ;eax=0                                ___
31009261   64:FF30          PUSH DWORD PTR FS:[EAX]      ;store old exception handler on stack    |_SEE NOTE
31009264   64:8920          MOV DWORD PTR FS:[EAX],ESP   ;reset except handler struc to stack  ___| 
31009267   B8 78563412      MOV EAX,12345678
3100926C   8703             XCHG DWORD PTR DS:[EBX],EAX  ;raise exception

31009206   8B6424 08        MOV ESP,DWORD PTR SS:[ESP+8]           ;execution resumes here
3100920A   B8 EB040000      MOV EAX,4EB                            ;harmless junk inst with real code inside
3100920F  ^EB FA            JMP SHORT 3100920B                     ;3100920B = EB 04 jmp 31009211  
31009211   64:67:A1 1800    MOV EAX,DWORD PTR FS:[18]              ; 
31009216   8B40 30          MOV EAX,DWORD PTR DS:[EAX+30]          ; |- Debugger detection from PEB
31009219   0FB640 02        MOVZX EAX,BYTE PTR DS:[EAX+2]          ;/
3100921D   83F8 00          CMP EAX,0
31009220   75 3C            JNZ SHORT 3100925E                      ;Jmp if DebuggerDetected   
31009222   E8 00000000      CALL 31009227                           ;call opcode Decoder        
31009227   5D               POP EBP                                 ;remove return addr on stack ebp=eip
31009228   81ED 20234000    SUB EBP,402320                          
3100922E   8B85 67234000    MOV EAX,DWORD PTR SS:[EBP+402367]
31009234   0385 6F234000    ADD EAX,DWORD PTR SS:[EBP+40236F]
3100923A   8BF0             MOV ESI,EAX
3100923C   8B85 6B234000    MOV EAX,DWORD PTR SS:[EBP+40236B]
31009242   0385 6F234000    ADD EAX,DWORD PTR SS:[EBP+40236F]
31009248   50               PUSH EAX                                ;OEP for real UPX Stub (still to be decoded)
31009249   8BFE             MOV EDI,ESI
3100924B   33C9             XOR ECX,ECX                             ;ecx=length counter
3100924D   AC               LODS BYTE PTR DS:[ESI]                  ;
3100924E   3285 77234000    XOR AL,BYTE PTR SS:[EBP+402377]         ; |-Decode loop
31009254   AA               STOS BYTE PTR ES:[EDI]                  ;/
31009255   41               INC ECX
31009256   3B8D 73234000    CMP ECX,DWORD PTR SS:[EBP+402373]
3100925C  ^7C EF            JL SHORT 3100924D                        ;More to decode jump back up                    
3100925E   C3               RETN                                     ;if decoder ran then rets to OEP of upx stub
                                                                     ;else goes to junk block
 
31008220   . 60             PUSHAD                                   ;now we are at regular UPX stub
31008221   . BE 00600031    MOV ESI,31006000
31008226   . 8DBE 00B0FFFF  LEA EDI,DWORD PTR DS:[ESI+FFFFB000]
3100822C   . 57             PUSH EDI
3100822D   . 83CD FF        OR EBP,FFFFFFFF
31008230   . EB 10          JMP SHORT 31008242                       ;  31008242
31008232     90             NOP
31008233     90             NOP
31008234     90             NOP
31008235     90             NOP
31008236     90             NOP
31008237     90             NOP